[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                     <=-[ HWA.hax0r.news ]-=>                            =
==========================================================================
[=HWA'99=] Number 25 Volume 1 1999 July 18th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

"software doesn't kill data -- people do." - Drew Ulricksen from zdnn

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth and airportman for the Cubesoft bandwidth. Also shouts out to all our mirror sites! tnx guys.

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://packetstorm.harvard.edu/hwahaxornews/ * DOWN *
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest that affect the online underground and netizens in general. This includes coverage of general security issues, hacks, exploits, underground news and anything else I think is worthy of a look see. (remember i'm doing this for me, not you, the fact some people happen to get a kick/use out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the likes of publications such as CuD or PHRACK or with news sites such as AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN, nor could any other 'digest' of this type do so. It *is* intended however, to complement such material and provide a reference to those who follow the culture by keeping tabs on as many sources as possible and providing links to further info. It's a labour of love and will be continued for as long as I feel like it; i'm not motivated by dollars or the illusion of fame. Did you ever notice how the most famous/infamous hackers are the ones that get caught? There's a lot to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #25
=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty quiet, we don't bite (usually) so if you're hanging out on irc stop by and idle a while and say hi...

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you its for  ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=
Issue #25
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=
00.0 .. COPYRIGHTS
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
00.2 .. SOURCES
00.3 .. THIS IS WHO WE ARE
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?
00.5 .. THE HWA_FAQ V1.0
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
01.0 .. GREETS
01.1 .. Last minute stuff, rumours, newsbytes
01.2 .. Mailbag
02.0 .. From the Editor
03.0 .. AVP releases Bo2K detection July 12th
04.0 .. More info on Bo2k
05.0 .. Defcon Wrapups
06.0 .. l0pht announces Antisniff
07.0 .. Bruce Schneier: PPTPv2 'sucks less'
08.0 .. 1000 copies of Freedom Beta2 Released
09.0 .. DefCon Web Page Defaced on Opening Day of Con
10.0 .. Capture the Flag Logs Available
11.0 .. Mitnick Sentencing Delayed, Again
12.0 .. Short explanation of NT related acronyms by StEa|_th
13.0 .. BO2K Defcon Presentation on RealVideo
14.0 .. Defcon News Roundup
15.0 .. Computer Experts Will Form the Frontline of Sweden's Defense
16.0 .. Canadians Plan an Information Protection Centre
17.0 .. Y2K Commission May Be Renamed Security Commission
18.0 .. Tempest Exporter Arrested
19.0 .. NcN'99 Con in Mallorca Spain Announced
20.0 .. Rhino 9 Calls it Quits
21.0 .. Hotwired and away, 6 yr old fires up toy car and heads for the highway
22.0 .. Want a 90 gigabyte `HD' for $895? think its impossible? read on..
23.0 .. Sony finished the Glasstron.VR headset
24.0 .. NIST Offers Security Accreditation
25.0 .. Spanish Civil Guard Arrest Electronic Intruder
26.0 .. 303.org Needs A Home
27.0 .. CyberCop Sting Now Shipping (Check this out)
28.0 .. cDc Issues Public Apology About Infected BO2K
29.0 .. California Golf Course Computers Attacked
30.0 .. Selling your privacy
31.0 .. Geek Pride 99
32.0 .. Woz Speaks on Pirates of Silicon Valley
33.0 .. Project Gamma Down for a while due to server relocation
34.0 .. CERT ADVISORY CA-99-08
35.0 .. CODE NAME JANUS - new version of windows
36.0 .. ANOTHER ONE ON BO2K
37.0 .. BUG IN AMAVIS VIRUS SCANNER
38.0 .. E-COMMERCE IS SECURE
39.0 .. GAO REPORT ON US NAVY
40.0 .. GEEKS IN SPACE
41.0 .. DOD to use Netscape's PKI
42.0 .. Federal Computer Week: FBI turns on new computer crime fighting system
43.0 .. NMRC: Netware 5 Hijack Vulnerability
44.0 .. CNet: IBM offers privacy consulting services
45.0 .. mod_ssl 2.3.6 Bug Fixes
46.0 .. Clinton authorizes National Infrastructure Assurance Council
47.0 .. Federal Computer Week: GSA makes last awards for security services pact
48.0 .. Federal Computer Week: Army awards $248 million ID contract
49.0 .. Denial of Service Vulnerability in IBM AIX
50.0 .. Trinux revisited by www.securityportal.com
51.0 .. ComputerWorld: Crypto Expert - Most encryption software is insecure
52.0 .. Y2K Villains come in all shapes and sizes
53.0 .. 3Com eyes new wireless standard for PALM
54.0 .. Intel creates Net-specific unit
55.0 .. Bugtraq: JavaScript used to bypass cookie settings in Netscape
56.0 .. Granny Hacker From Heck visits defcon (part #1)
57.0 .. Carolyn's ("Granny Hacker") profile on Antionline
58.0 .. HP Security advisory (July 7th) HPSBUX9907-100
59.0 .. Microsoft Security Bulletin (MS99-024): Patch for Unprotected IOCTLs
60.0 .. ZDNET: Does the media cause hacking? (No, Marilyn Manson does - Ed)
=--------------------------------------------------------------------------=
RUMOURS .. Rumours from around and about, mainly HNN stuff (not hacked websites)
AD.S ..
Post your site ads or etc here, if you can offer something in return that's tres cool, if not we'll consider ur ad anyways so send it in. Ads for other zines are ok too btw, just mention us in yours, and please remember to include links and an email contact. Corporate ads will be considered also, and if your company wishes to donate to or participate in the upcoming Canc0n99 event send in your suggestions and ads now... n.b. date and time may be pushed back, join the mailing list for up to date information. Current dates: Aug 19th-22nd, Niagara Falls.
Ha.Ha .. Humour and puzzles
         Hey You! Send in humour for this section! I need a laugh and it's hard to find good stuff... ;)
SITE.1 .. Featured site
H.W .. Hacked Websites
A.0 .. APPENDICES
A.1 .. PHACVW linx and references
=--------------------------------------------------------------------------=
@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE PUBLISHERS AND VICE VERSA. IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF "ME EITHER"S RESOUND IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING.
LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED, the current link is http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY. IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY, current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS. IN THIS COUNTRY ALL WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL. THE LAYOUT AND COMMENTARIES ARE THEREFORE (C), WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of the content holds its own copyright and these are printed and respected. News is news so i'll print any and all news but will quote sources when the source is known; if it's good enough for CNN it's good enough for me. And i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org
Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada / North America (hell even if you are inside ..) and wish to send printed matter like newspaper clippings, a subscription to your cool foreign hacking zine or photos, small non-explosive packages or sensitive information etc etc, well, now you can. (w00t) please no more inflatable sheep or plastic dog droppings, or fake vomit thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA L6V 4H5

WANTED!: POSTCARDS! YESH!
POSTCARDS, I COLLECT EM so I know a lot of you are reading this from some interesting places, make my day and get a mention in the zine, send in a postcard. I realize that some places it is cost prohibitive but if you have the time and money be a cool dude / gal and send a poor guy a postcard, preferably one that has some scenery from your place of residence for my collection. I collect stamps too so you kill two birds with one stone by being cool and mailing in a postcard, return address not necessary, just a "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising position plz I don't want pr0n.
- Picture postcards
- CD's, 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun or social engineering examples or transcripts thereof.

Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting a person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete nor listed in any degree of importance). Unless otherwise noted, like msgs from lists or news from other sites, articles and information is compiled and or sourced by Cruciphux, no copyright claimed.

News & I/O zine .................
http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see http://www.hackernews.com/affiliates.html as they seem to be popping up rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you provide. If no response is received within a week or two it is assumed that you don't care whether the article/email is to be used in an issue or not and it may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker activity in your region, this includes telephone phraud and any other technological use, abuse hole or cool thingy. ;-) cut em out and send it to the drop box. - Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ: BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info file) started by Scott Chasin. To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body subscribe bugtraq. I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index: http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks.

Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list's charter.

I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list.

Please follow the below guidelines on what kind of information should be posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.

For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html.
Back issues are available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
eentity ...(  ''   ''    ): Currently active/IRC+ man in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland

Please send in your sites for inclusion here if you haven't already, also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events it's a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about, otherwise enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind, if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, i'd highly recommend you get that book. It's almost like buying a clue. Anyway.. on with the show ..

- Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3 (revised). Check that issue for the faq; it won't be reprinted unless changed in a big way, with the exception of the following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed below. Some are very useful, others attempt to deny any possible attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA     - see EoA ;-)
!=       - Mathematical notation "is not equal to" or "does not equal". ASC(247), the "wavy equals" sign, means "almost equal to". If written as =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..)
AAM      - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)
AOL      - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one??
*CC      - 1 - Credit Card (as in phraud) 2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's
CCC      - Chaos Computer Club (Germany)
*CON     - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk, watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer 2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed
Ebonics  - speaking like a rastafarian or hip dude of colour also wigger. Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC      - End of Commentary
EoA      - End of Article or more commonly @HWA
EoF      - End of file
EoD      - End of diatribe (AOL'ers: look it up)
FUD      - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;)
du0d     - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used.
*HACKER  - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or 'can you hax0r some bread on the way to the table please?' 2 - A tool for cutting sheet metal.
HHN      - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k.
HNN      - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00      - "you" (as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI  - Missing on/from IRC
NFC      - Depends on context: No Further Comment or No Fucking Comment
NFR      - Network Flight Recorder (Do a websearch) see 0wn3d
NFW      - No fuckin' way
*0WN3D   - You are cracked and owned by an elite entity see pheer
*OFCS    - Oh for christ's sakes
PHACV    - And variations of same: Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups, Virus, Warfare
           Alternates: H - hacking, hacktivist; C - Cracking; V - Virus; W - Warfare; A - Anarchy (explosives etc, Jolly Roger's Cookbook etc); P - Phreaking, "telephone hacking" PHone fREAKs ...; CT - Cyber Terrorism
*PHEER   - This is what you do when an ereet or elite person is in your presence see 0wn3d
*RTFM    - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass.
TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA      - To Be Arranged/To Be Announced also 2ba
TFS      - Tough fucking shit.
*w00t    - 1 - Reserved for the uber ereet, no one can say this without severe repercussions from the underground masses. also "w00ten" 2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf     - what the fuck, where the fuck, when the fuck etc ..
*ZEN     - The state you reach when you *think* you know everything (but really don't), usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd like to see more reader input, help me out here, what's good, what sucks etc, not that I guarantee i'll take any notice mind you, but send in your thoughts anyway.
* all the people who sent in cool emails and support FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix & Kevin Mitnick (watch yer back) Ken Williams/tattooman of PacketStorm, hang in there Ken...:( kewl sites: + http://www.securityportal.com/ NEW + http://www.securityfocus.com/ NEW + http://www.hackcanada.com/ + http://www.l0pht.com/ + http://www.2600.com/ + http://www.freekevin.com/ + http://www.genocide2600.com/ + http://www.packetstorm.harvard.edu/ ******* DOWN ********* SEE AA.A + http://www.hackernews.com/ (Went online same time we started issue 1!) + http://www.net-security.org/ + http://www.slashdot.org/ + http://www.freshmeat.net/ + http://www.403-security.org/ + http://ech0.cjb.net/ @HWA 01.1 Last minute stuff, rumours and newsbytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "What is popular isn't always right, and what is right isn't always popular..." - FProphet '99 +++ When was the last time you backed up your important data? ++ The cDc presentation of Bo2k is available via realplayer here pnm://209.207.141.13:17070/defcon7.ram (may or may not work) B-P with all the bells and whistles and we b0w to the c0w.. enjoy... if anyone has any other feeds for realplayer etc of any of the defcon couverage please email in the urls! thanks. this applies to other cons too got footage? give us an url and we'll post it... ++ SDMI SPEC RESTRICTS CD COPYING (TECH. 3:00 am) http://www.wired.com/news/news/email/explode-infobeat/technology/story/20716.html The new spec designed to control digital music piracy wasn't supposed to apply to existing CDs. But one such scheme made its way into the final version anyway. By Chris Oakes. ++ SAN JOSE TOP TECH TOWN (BUS. 9:00 am) http://www.wired.com/news/news/email/explode-infobeat/business/story/20732.html There are other pretenders to the throne, but Silicon Valley still reigns supreme as home to high technology, according to a new survey. The surprise is who ranks No. 2. 
++ LASERS POWER WIRELESS NET (TECH. 9:00 am)
   http://www.wired.com/news/news/email/explode-infobeat/technology/story/20731.html
   Lucent Technologies debuts a wireless voice and data network that uses lasers and amplifiers to bounce signals to rooftop antennas.

++ ONSALE, EGGHEAD.COM TO MERGE (BUS. 7:30 am)
   http://www.wired.com/news/news/email/explode-infobeat/business/story/20729.html
   Bigger is better as major competitors eye the computer retailing industry. Also: AT&T loses again on cable access.... Amazon.com buys into discount sports retailer... And more.

++ Y2K MILITARY MINUTIAE ON TRACK (TECH. 3:00 am)
   http://www.wired.com/news/news/email/explode-infobeat/technology/story/20723.html
   US troops need not worry about Army-issued T-shirts or combat boots come 1 January 2000 -- the Department of Defense says its logistics computers are all systems go. Declan McCullagh reports from Fairfax, Virginia.

++ DR. ROBOT, REPORT TO THE OR (TECH. 3:00 am)
   http://www.wired.com/news/news/email/explode-infobeat/technology/story/20711.html
   A new heart surgery procedure using remote-controlled robotics could help heart surgery patients to heal faster and feel less pain. By Kristen Philipkoski.

Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reply-To: "WHiTe VaMPiRe"
From: "WHiTe VaMPiRe"
To: "BHZ" , , , "HWA Staff"
Subject: News Submission
Date: Wed, 14 Jul 1999 18:02:10 -0400
Organization: Gamma Force -- Project Gamma
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

"Darkridge Security Solutions, the organization providing the hosting for Project Gamma, will be relocating their networks. This move could take up to a period of one to two weeks. Project Gamma will most likely go down July 14. We will be back up as soon as possible. We will continue to update the site until it is no longer accessible."

I would appreciate it if you people would be kind enough to post something regarding this on your Web sites.

For more information view, http://www.projectgamma.com/news/071499-1803.html

Regards,

WHiTe VaMPiRe\Rem
whitevampire@mindless.com
http://www.gammaforce.org/
http://www.projectgamma.com/

"Silly hacker, root is for administrators."

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 for non-commercial use

iQA/AwUBN40Iz9/q8ZpxA8pfEQKVLwCgxE/unm8/YURl7HgYxtLKq0FugPcAn0Nv
XJYMWPVRB9sQ3kdJ999Qo17C
=9/i+
-----END PGP SIGNATURE-----

================================================================

@HWA

02.0 From the editor.
~~~~~~~~~~~~~~~~

    #include <stdio.h>

    int main(void)
    {
        printf ("Read commented source!\n\n");
        /*
         * Well while people are still recovering from DefCon and
         * the cDc Bo2k release we're chugging along looking for news
         * but we can't always find everything so if you find an
         * article from your local favourite web site remember to mail
         * us the url so we can include the story in the newsletter...
         *
         * hwa@press.usmc.net
         *
         */
        printf ("EoF.\n");
        return 0;
    }

Congrats, thanks, articles, news submissions and kudos to us at the main address:

hwa@press.usmc.net

complaints and all nastygrams and mai*lbombs can go to /dev/nul, nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

@HWA

03.0 AVP releases Bo2K detection July 12th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.avp.com;

Win32.BO, (Back Orifice Trojan)

This trojan can be detected and removed with AntiViral Toolkit Pro

This trojan is a network administration utility itself that allows one to control remote computers on the network.

"Back Orifice is a remote administration system which allows a user to control a computer across a tcpip connection using a simple console or gui application. On a local lan or across the internet, BO gives its user more control of the remote Windows machine than the person at the keyboard of the remote machine has"

The only feature that makes this utility classifiable as malicious trojan software is the silent installing and execution. When this program runs, it installs itself into the system and then monitors it without any requests or messages. If you already have it installed on the computer, you cannot find this application in the task list. The trojan also does not manifest its activity in any way.

The trojan is distributed in a package of several programs and documentation. All programs in the package were written in C++ and compiled by the Microsoft Visual C++ compiler. The date stamp on the EXE files that we got says that all files in the package were compiled at the end of July - first week of August 1998. All the programs in the package have Portable Executable format and can be run under Win32 only.

The main executable in the package is the BOSERVE.EXE file that might be found with different names on an infected computer. This is the trojan itself. It is the "server" part of the trojan that might be called by clients from a remote computer.
The second file is the BOCONFIG.EXE utility that can configure the server as well as attach it to other executable files in the same style as viruses do. While attaching (infecting), the host file is moved down and the trojan code is placed at the top of the file. When "infected" files are run, the trojan extracts the original file image and spawns it without any side effects.

There are two "client" parts of the trojan (console and window); they operate the "server" from a remote computer. Two other executable files in the package are used by the trojan while compressing/decompressing files on the "server".

When the trojan is executed on the computer, it first of all detects its status: is it the original trojan code or is it attached to some host file, i.e. modified by the BOCONFIG.EXE utility. In the latter case the trojan locates the customized options in the host file and reads them.

The trojan then initializes the Windows sockets, creates the WINDLL.DLL file in the Windows system directory (this file is stored as a resource in the trojan), then gets several KERNEL32.DLL API addresses for future needs, searches for a trojan process already running and terminates it (upgrades the trojan process), copies itself to the Windows system directory and registers this copy in the system registry as an auto-run service:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

It then creates a TCP/IP datagram socket, assigns a port number (31337 by default) to this socket and opens this port for listening. The trojan then runs a standard Windows DispatchMessage loop, i.e. stays in Windows memory as a process with the hidden attribute (it has no active window and is not visible in the task manager). The main trojan routine then listens for commands from the remote client. The commands go in encrypted form and start with the "*!*QWTY?" (without the " characters) ID-string.
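As an added example (not AVP's, cDc's or HWA's code), the installation footprint just described can be triaged from a defender's side: a RunServices autorun entry pointing into the Windows system directory, the dropped WINDLL.DLL, and a UDP socket bound to the default port 31337. The registry export, netstat output, directory listing, the `wsupdate.exe` name and the allow-list below are constructed samples and assumptions, not captured from a real host.

```python
"""Added example: host triage for the Back Orifice footprint described above.

Checks three indicators from the description: a RunServices autorun entry
pointing into the Windows system directory, a WINDLL.DLL in that directory,
and a UDP socket bound to the default port 31337. All inputs are plain text
(a `reg export`, a `netstat -an`, a directory listing) so the checks run
offline on the constructed samples at the bottom."""
import re
from dataclasses import dataclass

RUNSERVICES_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                   r"\CurrentVersion\RunServices")
BO_DEFAULT_PORT = 31337        # default UDP port from the description
BO_DROPPED_DLL = "windll.dll"  # keyboard-hook DLL the server drops


@dataclass
class Finding:
    indicator: str  # which check fired
    detail: str     # what it matched


def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {name: value}}.
    Only REG_SZ lines ("name"="value") are handled; RunServices uses nothing else."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        val_match = re.match(r'^"(.+?)"="(.*)"$', line)
        if val_match and current is not None:
            # .reg files escape backslashes and quotes with a backslash
            keys[current][val_match.group(1)] = re.sub(r"\\(.)", r"\1", val_match.group(2))
    return keys


def check_runservices(reg_text, system_dir, known_good=()):
    """Flag RunServices entries whose executable lives in the system directory
    and is not on the allow-list (BO copies itself there under any name)."""
    allow = {p.lower() for p in known_good}
    findings = []
    for name, cmd in parse_reg_export(reg_text).get(RUNSERVICES_KEY, {}).items():
        exe = cmd.strip().strip('"').split(" ")[0] if cmd.strip() else ""
        if exe.lower().startswith(system_dir.lower() + "\\") and exe.lower() not in allow:
            findings.append(Finding("runservices", f"{name} -> {exe}"))
    return findings


def check_udp_listeners(netstat_text, port=BO_DEFAULT_PORT):
    """Flag UDP sockets bound to `port` in `netstat -an` style output."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "UDP":
            if parts[1].rsplit(":", 1)[-1] == str(port):
                findings.append(Finding("udp_listener", parts[1]))
    return findings


def check_dropped_dll(system_dir_listing):
    """Flag WINDLL.DLL in a listing of the Windows system directory."""
    return [Finding("dropped_dll", name) for name in system_dir_listing
            if name.lower() == BO_DROPPED_DLL]


def triage(reg_text, netstat_text, listing, system_dir, known_good=()):
    """Run all three checks; an empty list means none of the indicators matched."""
    return (check_runservices(reg_text, system_dir, known_good)
            + check_udp_listeners(netstat_text)
            + check_dropped_dll(listing))


# --- constructed samples (not captured from a real host) ---
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"
KNOWN_GOOD = (r"C:\WINDOWS\SYSTEM\mstask.exe",)  # assumed legitimate entry
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="C:\\WINDOWS\\SYSTEM\\mstask.exe"
"Winsock Update"="C:\\WINDOWS\\SYSTEM\\wsupdate.exe"
"""
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""
SAMPLE_LISTING = ["KERNEL32.DLL", "USER32.DLL", "WINDLL.DLL", "wsupdate.exe"]

if __name__ == "__main__":
    for f in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_LISTING, SYSTEM_DIR, KNOWN_GOOD):
        print(f"[{f.indicator}] {f.detail}")
```

On the samples the triage reports the unknown system-directory autorun, the 31337 listener and the dropped DLL; a renamed server or a non-default port defeats the last two checks, which is why the autorun check is allow-list based rather than name based.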
Depending on the command, the trojan is able to perform a set of actions:

 - Gets and sends computer name, user name and system info: processor type, memory size, Windows OS version, installed drives and free space on them
 - Shares selected drives
 - Lists disk contents or searches for a specific file
 - Sends/receives files (reads and writes them), as well as deleting, copying, renaming and running them (including updating itself)
 - Creates/deletes directories
 - Compresses/decompresses files
 - Logs off the current user
 - Halts the computer
 - Enumerates and sends active processes
 - Enumerates and connects to network resources
 - Terminates a selected process
 - Gets and sends cached passwords (passwords that were used), then looks for the ScreenSaver password (decrypts and sends them)
 - Displays message boxes
 - Accesses the system registry
 - Opens and redirects other TCP/IP sockets
 - Supports an HTTP (protocols and emulations) Web-server, so one may access the trojan by Web browser
 - Plays sound files
 - Hooks, stores and sends keyboard input while the user is logging in (see below):

While installing into the system the trojan creates the WINDLL.DLL file (it keeps this file image in its resources). In case of need the trojan loads this DLL into memory and initializes it; the DLL then hooks keyboard and console (device console) input and stores the hooked data to the BOFILEMAPPINGKEY and BOFILEMAPPINGCON files that are then available to the main trojan routine.

The trojan is also able to expand its abilities by using plug-ins. They can be sent to the "server" and installed as a trojan plug-in. The features and main functions (including possible malicious ones) are the responsibility of their author.

@HWA

04.0 Back Orifice 2000 Makes Big Waves at Defcon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Scores

Amidst pounding techno music, smashing guitars, communist imagery, and spinning logos, the Cult of the Dead Cow released BO2K at last weekend's Defcon 7 conference.
The Cult of the Dead Cow
http://www.cultdeadcow.com

Back Orifice 2000
http://www.bo2k.com

Microsoft - Security Bulletin. (This is rather funny actually)
http://www.microsoft.com/security/bulletins/bo2k.asp

CNN
http://www.cnn.com/TECH/computing/9907/07/nthack.idg/index.html

Phoz.dk - A BO2K Mirror
http://phoz.dk/bo2k/

http://home10.inet.tele.dk/uddeler/phoz_dk/speech.mp3
Full speech of the cDc presentation from DefCon (9M)

Microsoft advisory;

What Customers Should Know About BackOrifice 2000

BackOrifice 2000 (BO2K) is a malicious program that is expected to be released on or about July 10, 1999. Customers can protect themselves by following normal safe computing practices. Although the software has not yet been released, Microsoft is closely monitoring the situation and is committed to providing information that will let customers understand and protect themselves against it when it becomes available. Following are frequently asked questions about the program.

What is BO2K?

BO2K is a program that, when installed on a Windows computer, allows the computer to be remotely controlled by another user. Remote control software is not malicious in and of itself; in fact, legitimate remote control software packages are available for use by system administrators. What is different about BO2K is that it is intended to be used for malicious purposes, and includes stealth behavior that has no purpose other than to make it difficult to detect.

What's the danger from it?

When BO2K is installed on a computer, the attacker can do anything that the user at the keyboard could do. This includes running programs, creating or deleting files, sending and receiving data, and so on.

How would it get onto my computer?

Like any computer program, BO2K must be installed on the target machine. BO2K cannot be injected onto your machine. There are only two ways it can be installed:

o By giving the attacker physical access to your logged-on computer.
  If the attacker learns your password or you leave your logged-on workstation unattended, he or she can install BO2K on your machine.

o By tricking you into installing the software. This is known as a Trojan horse technique. The attacker might send you an email attachment that claims to be a game but which really installs BackOrifice.

How do I prevent having BO2K installed on my machine?

You don't need to take any extraordinary precautions. Just follow normal safe computing practices:

o Never share your password, and always lock your computer when you walk away from it.
o Never run software from untrusted sources.
o Always keep your anti-virus and other security software up to date.

If it's on my machine, how do I get it off?

The makers of anti-virus and intrusion detection software are standing by awaiting its release, and are poised to quickly develop software that will detect and remove BO2K. Microsoft is working closely with them to assist in this process. When BO2K's predecessor was released, defenses were available within days, and the same is likely to happen with this release.

Does BO2K exploit any security vulnerabilities in Windows or Windows NT?

No. Programs like BO2K could be written for any operating system; this one just happens to have been written to run on Windows and Windows NT. On any operating system, if you choose to run a program, it can do whatever you can do. And if you can be tricked into running a destructive piece of software, it can abuse that capability by erasing data, changing information, or allowing someone else to give it commands. Trojan horse software doesn't target technology, it targets the user.

If BackOrifice did in fact exploit security vulnerabilities in Windows or Windows NT, Microsoft would promptly fix the vulnerability, and BackOrifice would be stopped. Instead, the makers of BackOrifice realized it is easier to target people and trick them into running harmful software than it is to target the technology.
Is BO2K like the Melissa virus?

Only in the sense that both were Trojan horse programs that performed malicious actions, and neither exploited any security vulnerabilities in Microsoft products.

What is Microsoft doing about BO2K?

o Microsoft is closely monitoring the situation, and is committed to helping customers have a safe, enjoyable computing experience.
o Microsoft security experts are standing by, and when the software is released, they will determine exactly how it works and what measures can be taken to protect against it.
o Microsoft has worked with other members of the security community—especially anti-virus vendors, intrusion detection software vendors, and makers of mobile code security products—and is working closely to ensure that software to detect and remove BO2K is available as soon as possible.
o Microsoft will provide information to customers about the program as more details are known.

-=-

CNN;

New and improved Back Orifice targets Windows NT

July 7, 1999
Web posted at: 10:36 a.m. EDT (1436 GMT)

by Tom Spring

(IDG) -- In the consumer world, folks like Ralph Nader fight for consumer rights by helping pass tough consumer protection laws. Then there's the PC world. For us, there's a self-proclaimed equivalent: groups of (mostly teenaged) hackers basking in the glow of computer monitors, who release nasty computer bugs under the guise of strong-arming software makers to get tough on privacy and security.

"We want to raise awareness to the vulnerabilities that exist within the Windows operating system. We believe the best way to do this is by pointing out its weaknesses," says a member of the hacker group the Cult of the Dead Cow who goes by the pseudonym Sir Dystic.

The Cult of the Dead Cow created and released the program Back Orifice last year to the general public at the Las Vegas hacker and security conference DEF CON. The program allows its users to remotely control victims' desktops, potentially undetected.
At this year's conference, on July 9, Sir Dystic says the cult will outdo itself and release Back Orifice 2000. The program, he says, is smaller, nimbler, and twice as nefarious.

Computer security experts question the Cult of the Dead Cow's intent. Releasing a hacking tool like Back Orifice 2000 in the name of safeguarding computer privacy is a bit like the American Medical Association infecting cattle with the deadly e. coli bacteria to inspire food companies to sell healthier meats.

New and Improved

Unlike earlier versions that affected consumers and small businesses, Back Orifice 2000 hits large organizations because it runs on Windows NT systems, which are more used by businesses. Also, the updated program is modular, so users can add additional functions. For example, they could hide files or activate a computer's microphone for real-time audio monitoring, according to Cult of the Dead Cow.

Back Orifice 2000 will also be more difficult to detect via network monitoring programs, according to Sir Dystic. This is because the program can communicate back to the sender by using a variety of different protocols, making it hard to identify. The group also says it will make the source code available for Back Orifice 2000, which will likely spawn multiple strains of the program in the hacker community, experts say.

Another purported function is real-time keystroke-logging, which can record and transmit a record of every keystroke of an infected computer. Also, the recipient can view the desktop of a targeted computer in real time.

It should be noted that PC World Online has no independent confirmation that the new Back Orifice 2000 program actually lives up to the claims of Cult of the Dead Cow.

(hahahaha - nice story, harumph - Ed)

NAI Provides Detection Utility

contributed by nvirB

Network Associates is claiming that they have already written a detection utility.
This utility claims to be able to detect if BO2K is running on your system and is part of the NAI Total Virus Defense Suite. A statement released by cDc says that "While Network Associates (and other AV vendors) may well protect against the specific version of BO2K released at Defcon, cDc has said all along that we expect untold mutations of the software to be created in a matter of days, and seriously doubt they will be able to provide effective detection (for all of them)."

Network Associates
http://www.networkassociates.com/asp_set/anti_virus/introduction/back_orifice.asp

SANTA CLARA, Calif., July 10, 1999 — Network Associates’ (Nasdaq: NETA) Anti-Virus Emergency Response Team (AVERT), a division of NAI Labs, today advised computer users and network administrators to protect their PCs against a new Trojan horse called Back Orifice 2000. Released into the wild today, Back Orifice 2000 allows hackers to take control of a person’s PC over the Internet, but only if the victim has been tricked into installing the Back Orifice software on the local machine. Users who click on an infected email attachment enable the Back Orifice installation, thus placing all control over their PCs into the remote hacker’s hands.

Network Associates is the first anti-virus vendor to make available comprehensive protection against the Trojan: the complete Total Virus Defense line of virus security products has been updated to detect the new Back Orifice software in email attachments, and its CyberCop intrusion detection products will be automatically updated to check for the Back Orifice client throughout a network of machines.

Symptoms: Back Orifice 2000, the latest in a string of Remote Access Trojans (RATs), is a Windows 9x and NT program that acts as a hack tool. When executed, Back Orifice turns a user’s system into an open client, giving virtually unlimited remote access to the system over the Internet.
Anyone remotely running the other half of the Back Orifice software can then control the user’s computer to do anything they could do while sitting in front of it, including reading and/or deleting all files on the computer. Back Orifice 2000 is virtually undetectable by the user, and has been reported as spreading via several benign email attachments such as screen savers.

Pathology: Back Orifice’s qualities are ever-changing, the result of it being open source code released at a hacker convention.

Risk Assessment: Though Back Orifice 2000 is not technically a virus because it does not self-replicate or propagate, it has been assessed as a “Medium” threat by Network Associates’ AVERT risk assessment team. This assessment is due to Back Orifice’s destructive qualities, wide exposure, and availability, balanced by relatively few outbreaks at customer sites and widespread advance notice of the threat.

Cure: Detection and cleaning for the Back Orifice 2000 Trojan horse is now included in Network Associates Total Virus Defense suite and will soon be included in CyberCop Scanner via Network Associates’ AutoUpdate feature. To avoid the risk of contracting Back Orifice, it is recommended that network administrators and users upgrade to the latest version of their Network Associates anti-virus software. The most recent protection is available on Network Associates’ website.

With headquarters in Santa Clara, Calif., Network Associates, Inc. is dedicated to providing leading enterprise network security and management software. AVERT (Anti-Virus Emergency Response Team), the anti-virus research division of NAI Labs, currently employs more than 85 virus researchers and maintains labs on five continents worldwide. In addition to studying new and existing security threats, AVERT serves as a global resource for virus information and provides rapid, follow-the-sun support for virus emergencies worldwide.
Virus Alerts are issued as a service to customers from Network Associates, the leader in anti-virus detection and cleaning technology. For more information, Network Associates can be reached at (408) 988-3832.

@HWA

05.0 Defcon Wrapups
~~~~~~~~~~~~~~

http://www.thestandard.net/articles/mediagrok_display/0,1185,5491,00.html?home.mg

What Do Hackers Really Want?

It's hard to get a clear picture of what the hackers who met at DefCon in Las Vegas over the weekend really wanted. Matt Richtel's New York Times report on the drumming of a National Security Council senior director indicated that they wanted the government to be more careful in securing its own Web sites. But they also wanted to hack into those sites. Oh, and they don't want the government to rely on Microsoft (MSFT) software to protect those sites.

Bruce Meyerson's AP report in the Washington Post said that members of the Cult of the Dead Cow released the cracking software Back Orifice 2000 because they wanted to expose security flaws in Microsoft Windows NT software so that Microsoft could fix it - presumably so that Microsoft's customers could feel more secure. So ... some hackers want Microsoft's customers to be more secure, while other hackers don't want the government to use any Microsoft software.

Bob Sullivan's report on MSNBC suggested that they wanted to get together to share knowledge about how to commit crimes that none of them will ever actually perpetrate. Polly Sprenger's report for Wired suggested that they wanted to get together to watch teenage dancers, or maybe to settle online grudges by fighting them out in inflatable sumo-wrestler costumes.

The Wall Street Journal headlined its Web and print editions with a come-on about feds and recruiters invading the conference. But instead of summer-movie-like action, John Simons' account yawned over routine conference activities: seminars, panels and talking heads. Make that talking feds.
Simons reported that DefCon organizers regularly broke into panel discussions for a rollicking game of "Spot the Fed," which invited attendees to pick out the ubiquitous undercover agent in the audience. Winners - both the eagle-eyed attendee and the bagged agent - got T-shirts. Sounded like a pretty regular convention, once you got past the black T-shirts and tattoos of circuitry.

But the real story may happen this week as NT administrators watch for evidence of damage from the harmful new program, nicknamed BO2K. If it hits hard, the hackers will have proven their point. Which is, well ... something about Microsoft.

-=-

Defcon Stories Cover the Web

contributed by Bronc Buster

Defcon articles will be popping up around the net for the next several days or weeks. With over 70 media outlets represented at Defcon you can expect to see a lot of places that will run stories covering the con. We will link to the best of them.

Time - Hackers Take Microsoft to School
http://cgi.pathfinder.com/time/digital/daily/0,2822,27824,00.html

Wired - Covers Day one of Defcon
http://www.wired.com/news/news/politics/story/20667.html

Wired - Broad overview of the Con
http://www.wired.com/news/news/email/explode-infobeat/technology/story/20671.html

The Standard - Nice RoundUp of a lot of articles
http://www.thestandard.net/articles/mediagrok_display/0,1185,5491,00.html?home.mg (above)

ZD Net - Special Report on Defcon
http://www.zdnet.com/zdnn/special/defcon7.html

ZD Net - Defcon I
http://www.zdnet.com/zdnn/stories/news/0,4586,2288137,00.html

User Friendly - Wicked funny BO2K related cartoon
http://www.userfriendly.org/cartoons/archives/99jul/19990711.html

Time;

Hackers Take Microsoft to School

The makers of BackOrifice 2000, one of the most powerful hacker tools ever released, claim it's for our own good

FROM WEDNESDAY, JULY 7, 1999

It's the kind of thing bellboys have nightmares about — an entire hotel full of hackers, messing with the computers, screwing up the phones and generally raising
hell. That's the scene at DEF CON, an annual hacker convention held at the Alexis Park Hotel in Las Vegas. At last year's DEF CON a hacker group called the Cult of the Dead Cow released a program called BackOrifice that can completely take control of a computer over the Internet. This Friday DEF CON 1999 kicks off, and the Cult of the Dead Cow is back with a new version of BackOrifice that's more dangerous than ever. Should we be grateful?

A little disingenuously, the Cult of the Dead Cow released the original BackOrifice as "a remote administration tool," a simple way of operating a computer running Windows 95 or 98 from a distance over an ordinary Internet connection. While it's possible to imagine scenarios in which having that kind of power would be useful — and there are legitimate applications that perform similar functions — such a tool is obviously very much open to abuse. Say, for example, allowing a hacker (or, as malicious hackers are sometimes called, a cracker) to take over a machine, read your personal information, send e-mail under your name and then erase your hard drive. Fortunately, BackOrifice has certain weaknesses. It can only take over machines on which BackOrifice has actually been installed, and once installed, it's not that hard to detect and remove.

According to its creators, the new version of BackOrifice slated for release on Saturday is more powerful than ever. It's tougher to detect, gives the user a greater degree of control over the infected computer, and works on Windows NT, the heavy-duty version of Windows used by most large businesses. While the original version of BackOrifice was a threat to small businesses and private users, BackOrifice 2000, as it's called, will affect a much broader and more vital sector of the world's computers. So why does the Cult of the Dead Cow claim they're doing it all for our own good — and why do some computer programmers agree?
To quote from the Cult's press release, "BackOrifice 2000 could bring pressure on [Microsoft] to finally implement a security model in their Windows operating system. Failure to do so would leave customers vulnerable to malicious attacks from crackers using tools that exploit Windows' breezy defenses." In other words, don't blame us, blame Microsoft for making a shoddy product — now maybe they'll improve it. As one poster on a hacking bulletin board wrote, "I feel better knowing that at least these holes will be known publicly and raise some sense of awareness rather than in a closed private environment where exploitation could continue unfettered."

Not everybody agrees, but you can bet that Microsoft — currently at work on a new version of Windows largely based on NT — will be downloading a copy of BackOrifice 2000 and studying it closely. As the Cult of the Dead Cow — which claims to be one of the few hacker groups out there to include a female member — puts it, "Information is a virus. And we intend to infect all of you."

@HWA

06.0 l0pht announces Antisniff
~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Weld Pond

L0pht Heavy Industries announced at Defcon a revolutionary new proactive tool that will assist IT Managers in protecting their networks. Antisniff will be able to scan for NIC cards that have been placed into promiscuous mode. While this will enable Admins to determine what machine may have been compromised it will also allow intruders to find a company's IDS system. L0pht will release full details on how this product works to the public in the form of a white paper. They hope to have the white paper and the software ready to distribute within a few weeks.

NY Times
http://www.nytimes.com/techweb/TW_Hacker_Think_Tank_To_Unleash_Anti_Sniff_Tools.html

L0pht Heavy Industries
http://www.l0pht.com

NYTimes;

July 9, 1999

Hacker Think Tank To Unleash Anti-Sniff Tools

Filed at 9:31 a.m.
EDT

By Rutrell Yasin for InternetWeek, CMPnet

A Boston-based hacker think tank on Friday will unveil software that can detect whether or not Sniffer-type analyzers are being used to probe enterprise networks.

L0pht Heavy Industries will introduce AntiSniff 1.0 at DefCon, an annual hackers' convention.

A typical way for hackers -- both black-hat and ethical -- to gain access to an organization's network is to use analyzers that can sniff or probe for passwords for networked systems.

While many scanning tools can probe networks to expose potential vulnerabilities, they don't give IT managers a clear sense of whether or not systems have been compromised or broken into, said L0pht's chief scientist, who goes by the name Mudge.

AntiSniff is designed to help IT managers be more proactive in thwarting security threats, Mudge told a gathering of security managers and experts today at The Black Hat Briefings.

"Don't play reactive," Mudge said. "There are new ways to look for [new attack] patterns."

L0pht said it plans to release all technical details for AntiSniff to the public.

But the monitoring software carries a double-edged sword. While it can be used by "good guys" to thwart network intruders, it can also be used by the "bad guys" to sniff out a company's network intrusion systems, Mudge said.

(c) 1999 CMP Media Inc.

@HWA

07.0 Bruce Schneier: PPTPv2 'sucks less'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Dr. Mudge

A security paper released by Bruce Schneier of Counterpane Systems, and Mudge, from L0pht Heavy Industries covers the new version of Microsoft PPTP. The paper says that while the VPN product, that ships free with NT, is better than a previous version it still has serious problems. (The good info is down in the middle of the ZD article.)
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2290399,00.html

Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)
http://www.counterpane.com/pptp.html

ZDNet; (reprinted from last issue)

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Security expert blasts shoddy software

By Robert Lemos, ZDNN
July 8, 1999 2:00 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2290399,00.html

LAS VEGAS -- Security experts and so-called "white-hat" hackers meeting at the Black Hat Security Conference lambasted current corporate security and the companies that make security products that are anything but.

"Do hackers have root [control] of all your systems? Well, yes, they do," said Mudge (an old-school hacker who does not give out his real name), the head of L0pht Heavy Industries -- a collection of hackers bent on improving the Internet's security -- during a Thursday keynote. The security "firm" accepts contracts from companies to break into systems as well as to write security products.

Mudge's comments hit on a common theme at security conferences -- that, in the rush to beat competitors to market, product security plays second fiddle to adding new (and possibly insecure) features. The solution: Don't let software vendors hide behind licenses that stipulate that software is sold "as is."

Liability the key

"We need to hold all these software vendors liable," said Mudge. "But as soon as you say the word 'liability,' software lobbyists hit Washington to prevent any legislation." Instead, the security world needs to design incentives for software makers to test and certify their security, he said.
Mudge testified in front of the Senate last year to garner support for better security and to criticize the Digital Millennium Copyright Act, which was a piece of legislation that would have had the unintended consequence of making it illegal to test security products.

Rebecca Bace, president of security penetration testing firm Infidel Inc., agreed with his criticism of the software industry. "We really need methods to push for software quality," she said. She pointed out examples of major security flaws in many products from Microsoft Corp. (Nasdaq:MSFT), including SiteServer 3.0, Windows NT and demo code that ships with IIS 4.0.

Microsoft a popular topic

In fact, pounding on Microsoft's insecurities became a common theme at the conference as well. On Wednesday, Mudge and noted cryptographer Bruce Schneier, president of Counterpane systems, published a paper critical of Microsoft's software for creating virtual private networks. VPNs use encryption to create secure channels across insecure networks like the Internet. However, Microsoft's protocol -- known as PPTP and included free with Windows NT -- creates virtual private networks that can be hacked, said both Mudge and Schneier.

"If security actually matters, (Microsoft's product) is unacceptable," said Schneier, who is frequently contacted by companies to test the security of encryption software.

A year ago, Mudge and Schneier released a paper on the original Microsoft PPTP software. At that time, Schneier called Microsoft "security charlatans" and pointed out that the encrypted network created by the software could be easily broken.

Schneier: PPTP 'sucks less'

Today, the situation is a bit better, he admitted, adding that Microsoft fixed the most major issues. "It sucks less," he said. "Before you had something that was completely broken, but now it's a bit better."

Microsoft could not be reached for comment by press time.
However, a Microsoft Network administrator at the conference, who asked to remain anonymous, pointed out that other operating systems have just as many problems. "Every distribution of Linux, and Sun's Solaris, have all had just as many security holes," he said, adding that like Windows 2000's much-criticized code bloat (it's up to 40 million lines), Linux and Solaris have been growing bigger.

During his keynote, Mudge relented to some degree as well. "I use Microsoft as an example, because everyone knows them," he said. "Others have these problems as well."

Until we get them fixed, we can look forward to more break-ins, Web defacements, and perhaps worst of all, viruses, said Infidel's Bace. "Melissa and ExploreZip only begin to scratch the tip of the iceberg," she said.

-=-

Press Release
June 1, 1998

CONTACTS:

Bruce Schneier
Counterpane Systems
612.823.1098 (voice)
612.823.1590 (fax)
schneier@counterpane.com (email)

Lori Sinton
Jump Start Communications, LLC
408.289.8350 (voice)
408.289.8349 (fax)
lori@jumpstartcom.com (email)

SECURITY FLAWS FOUND IN MICROSOFT'S IMPLEMENTATION OF POINT-TO-POINT-TUNNELING PROTOCOL (PPTP)

Companies using Microsoft products to implement their Virtual Private Networks (VPNs) may find that their networks are not so private

MINNEAPOLIS, MN, June 1, 1998. Counterpane Systems today announced that it has discovered flaws in Microsoft's implementation of a communications protocol used in many commercial VPNs. These flaws lead to password compromise, disclosure of private information, and server inoperability in VPNs running under Windows NT and 95.

"PPTP is an Internet protocol designed to provide the security needed to create and maintain a VPN over a public Transmission Control Protocol/Interface Protocol (TCP/IP) network. This raises serious concerns as most commercial products use Microsoft's Windows NT version of the protocol.
While no flaws were found in PPTP itself, several serious flaws were found in the Microsoft implementation of it. "Microsoft's implementation is seriously flawed on several levels," according to Bruce Schneier, President of Counterpane Systems. "It uses weak authentication and poor encryption. For example, they use the user's password as an encryption key instead of using any of the well-known and more secure alternatives," explained Schneier.

"VPN implementations using PPTP products require management control software at both ends of the tunnel, as well as a cryptographic analysis of the system," said Wray West, Chief Technology Officer of Indus River Networks, a supplier of remote access VPNs. "Most implementors do not have the specific in-house cryptographic expertise to discern the subtleties that are often the root of security breaches in today's commercial servers. They rely on their vendors and information security providers to build robust, secured products," observed West.

According to the team that did the cryptanalysis, there are at least five major flaws in this implementation. They are:

- password hashing -- weak algorithms allow eavesdroppers to learn the user's password
- Challenge/Reply Authentication Protocol -- a design flaw allows an attacker to masquerade as the server
- encryption -- implementation mistakes allow encrypted data to be recovered
- encryption key -- common passwords yield breakable keys, even for 128-bit encryption
- control channel -- unauthenticated messages let attackers crash PPTP servers

A host of additional attacks were identified including bit flipping, packet resynchronization, passive monitoring of Microsoft's PPTP, and PPP (point-to-point protocol) packet negotiation spoofing -- all further compromise the intended security of any VPN.

The cryptanalysis work on Microsoft's implementation of PPTP was conducted by Bruce Schneier of Counterpane Systems and expert hacker Peter Mudge.
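The second flaw in the list (a one-way challenge/reply lets anyone masquerade as the server) is easiest to see in running code. The following is an added illustration, not code from the paper or from Microsoft: it models the protocol shape only, with HMAC-SHA256 standing in for the real MS-CHAP primitives and a hypothetical password-derived shared secret, and shows why a client that never demands proof from the server cannot tell a rogue server from the genuine one, while a mutual-authentication variant can.

```python
import hashlib
import hmac
import os

# Hypothetical shared secret: both ends hold a value derived from the user's
# password, the arrangement the press release criticises.  SHA-256 is a
# stand-in; Microsoft's actual password hashing is not reproduced here.
def derive_secret(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()


def mac(secret: bytes, *parts: bytes) -> bytes:
    """Keyed MAC over the concatenated protocol fields (HMAC-SHA256 stand-in)."""
    return hmac.new(secret, b"|".join(parts), hashlib.sha256).digest()


class GenuineServer:
    """Holds the real secret, verifies the client, and can prove itself."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def challenge(self) -> bytes:
        self.chal = os.urandom(16)
        return self.chal

    def verify(self, client_chal: bytes, response: bytes) -> bool:
        expected = mac(self.secret, self.chal, client_chal)
        return hmac.compare_digest(expected, response)

    def authenticator(self, client_chal: bytes, response: bytes) -> bytes:
        # The server-side proof of the secret: the step a one-way protocol omits.
        return mac(self.secret, b"server", client_chal, response)


class RogueServer:
    """Knows no secret; simply accepts whatever the client sends."""

    def challenge(self) -> bytes:
        self.chal = b"\x00" * 16
        return self.chal

    def verify(self, client_chal: bytes, response: bytes) -> bool:
        return True  # cannot check anything, so it says yes

    def authenticator(self, client_chal: bytes, response: bytes) -> bytes:
        return os.urandom(32)  # can only guess the server proof


def one_way_login(password: str, server) -> bool:
    """Client proves itself; server only answers yes/no.

    The client has no way to distinguish a rogue server from a genuine one,
    which is exactly the masquerade the press release lists."""
    secret = derive_secret(password)
    server_chal = server.challenge()
    client_chal = os.urandom(16)
    response = mac(secret, server_chal, client_chal)
    return server.verify(client_chal, response)


def mutual_login(password: str, server) -> bool:
    """Same exchange, but the client also checks the server's authenticator."""
    secret = derive_secret(password)
    server_chal = server.challenge()
    client_chal = os.urandom(16)
    response = mac(secret, server_chal, client_chal)
    if not server.verify(client_chal, response):
        return False
    auth = server.authenticator(client_chal, response)
    expected = mac(secret, b"server", client_chal, response)
    return hmac.compare_digest(expected, auth)


if __name__ == "__main__":
    real = GenuineServer(derive_secret("correct horse"))
    print("one-way, genuine server:", one_way_login("correct horse", real))
    print("one-way, rogue server:  ", one_way_login("correct horse", RogueServer()))
    print("mutual,  genuine server:", mutual_login("correct horse", real))
    print("mutual,  rogue server:  ", mutual_login("correct horse", RogueServer()))
```

Note that mutual authentication closes the masquerade but does nothing about the fourth flaw: every MAC here is still keyed by a password-derived value, so a weak password remains guessable offline by anyone who records the exchange.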
According to Mark Chen, CTO of VeriGuard, Inc, a Menlo Park based computer security company, "The flaws in this implementation are quite amateurish." Chen continued, "A competent cryptographic review would have prevented the product from shipping in this form."

"This should serve as a caution to VPN implementors and users," said David Wagner, graduate student of University of California at Berkeley. "There are a lot of corporate security officers out there who will be very glad the 'good guys' found this first," continued Wagner. Last year, Wagner, along with Bruce Schneier and John Kelsey of Counterpane Systems, discovered a major flaw in the privacy protection used in cell phones.

Counterpane Systems is a Minneapolis, MN-based consulting firm providing expert consulting in cryptography and computer security issues. The firm has consulted for clients on five continents. Counterpane's president, Bruce Schneier, invented the Blowfish encryption algorithm, which remains unbroken after almost four years of public testing. Blowfish has been incorporated into dozens of products, including Symantec's Your Eyes Only and McAfee's PCCrypto. Schneier is also the author of five books on cryptography and computer security, including Applied Cryptography, the definitive work in this field. He has written dozens of magazine articles, presented papers at major international conferences, and lectured widely on cryptography, computer security, and privacy.

-=-

@HWA

08.0 1000 copies of Freedom Beta2 Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Dov Smith

Zero-Knowledge Systems released 1000 copies of Freedom Beta2 this past weekend at Defcon 7, the computer industry's most eccentric annual conference. Freedom is an Internet privacy technology that will allow users to communicate over the internet in complete anonymity. Zero-Knowledge hopes to introduce an open beta of Freedom later this summer.
Zero Knowledge Systems
http://www.zks.net/clickthrough/click.asp?partner_id=542

@HWA

09.0 DefCon Web Page Defaced on Opening Day of Con
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(As reported last week while HNN were at the Con, HNN picks up the story - Ed)

contributed by Code Kid

As Kevin Poulsen was giving the opening speech at Defcon 7, people from the group known as ADM Crew were defacing the main Defcon web page.

C|Net
http://www.news.com/News/Item/0,4,0-38970,00.html?st.ne.lh..ni

HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html

Hackers attack their own kind
By Tim Clark
Staff Writer, CNET News.com
July 9, 1999, 4:25 p.m. PT

On the opening day of its annual hacker convention in Las Vegas, somebody hacked DefCon's Web site.

Instead of describing DefCon's seventh annual "computer underground party for hackers," the bogus page declared the show had been taken over by the ADM Crew and renamed to ADM Con.

"Can't make it to DefCon?" reads one entry. "No problem, Delta Airlines is willing to sell you expensive business class tickets for twice their value."

Jeff Moss, creator and producer of the DefCon event, took the hack good-naturedly.

"It's funny, it happens, I'm an unhappy client [of the service that hosts the page]", Moss told a press conference late this afternoon. "All we can tell is that ADM is a European hacker group. They weren't very malicious, they were cracking jokes and zapping me because the conference was held at place they couldn't come to."

The hacked page also spoofs the most anticipated news from the real event, tomorrow's scheduled release of a new version of Back Orifice. "Cult of the Dead Cow will announces [sic] new remote administration tools for kids!" the bogus site claims. Back Orifice is a potentially destructive Trojan horse for opening security holes in computer networks running Microsoft's Windows NT operating systems.
"The president and vice president will be there for autographs and more," according to the hacked page, which links to the official White House Web site.

So far no one has publicly claimed responsibility for the hack, but a note in the page's HTML source reads: "This is an anonymous member of the ADM Crew. Well, I couldn't make it to DefCon this year, you know how expensive everything is these days...so sorry, but it looks like revamping this site was really too tempting for me."

The author adds what he or she calls the ADM motto: "You're lucky we're whitehats," which is a reference to being "friendly," not nefarious, hackers. There's also a hint of a German connection, citing the private annual ADM party in Berlin August 6 to 8.

A time stamp on the page indicates the hack was posted around 12:45 p.m. PT. As of 5:30 p.m. PT, the hacked version remained in place.

Moss said the hackers broke into the DefCon page about two weeks ago and compromised the Web server at the commercial hosting service where DefCon has had its page for five years. But the page wasn't changed until today.

"I'm not quite sure how it happened," Moss added, saying he was busy protecting the Web site for a parallel Black Hat show that just ended and didn't guard his own site.

The hacked ADM Con page indicates it will soon be mirrored at Attrition.org's hacked Web pages archive, to be retained for posterity.

@HWA

10.0 Capture the Flag Logs Available from DefCon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Ron Gula

The folks at Security Wizards took their Dragon IDS to Defcon and let people pound on it for three days. They have posted over 200MB of logs from the contest up on their web site. There is some neat stuff in there. They plan to have TCPDUMP versions up soon.

Security Wizards
http://www.securitywizards.com

(Check out these logs people w1tn3ss the tekn1q...
- Ed)

@HWA

11.0 Mitnick Sentencing Delayed, Again
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

Kevin Mitnick had been scheduled to be sentenced on July 12th. That hearing has now been postponed until July 26th. The issue is restitution. The prosecution wants $1.5 million while the defense wants $5,000. The defense claims that there is no way that Kevin will be able to earn 1.5mil, especially since he will be banned from touching a computer.

ZD Net
http://www.zdnet.com/zdnn/filters/bursts/0,3422,2292504,00.html

Free Kevin
http://www.freekevin.com

03:21p Mitnick sentencing postponed

LOS ANGELES -- The sentencing of convicted hacker Kevin Mitnick was postponed until Monday July 26, after talks broke down on the issue of restitution. The government is asking for Mitnick to be responsible for restitution on the order of $1.5 million, while the defense is asking for payments on the order of $5,000, based on his projected earnings potential during his supervised release. He will not be able to use a computer during that three-year period.

-- Kevin Poulsen, ZDNN

@HWA

12.0 Short explanation of NT related acronyms by StEa|_th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.403-security.com/

Small Orology by StEa|_th

Active Server
A collection of server-side technologies that are delivered with Windows NT. These technologies provide a consistent server-side component and scripting model and an integrated set of system services for component application management, database access, transactions, and messaging.

ADO
Active Data Object. A set of object-based data access interfaces optimized for Internet-based, data centric applications. ADO is based on a published specification and is included with Microsoft Internet Information Server and Microsoft Visual InterDev.

ASP
Active Server Pages. A server-side scripting environment that runs ActiveX scripts and ActiveX components on a server.
Developers can combine scripts and components to create Web-based applications.

CGI
Common Gateway Interface script. A program that allows a server to communicate with users on the Internet. For example, when a user enters information in a form on a Web page, a CGI script interprets the information and communicates it to a database program on the server.

COM
Component Object Model. The object-oriented programming model that defines how objects interact within a single application or between applications. In COM, client software accesses an object through a pointer to an interface--a related set of functions called methods--on objects.

DAO
Data Access Object.

DNS
Domain Name System. A protocol and system used throughout the Internet to map Internet Protocol (IP) addresses to user-friendly names. Sometimes referred to as the BIND service in BSD UNIX, DNS offers a static, hierarchical name service for TCP/IP hosts. The network administrator configures the DNS with a list of host names and IP addresses allowing users of workstations configured to query the DNS to specify remote systems by host name rather than IP address.

DSN
Data Source Name

FTP
File Transfer Protocol

IDC
Internet Database Connector

IIS
Internet Information Server

ISAPI
Internet Server Application Procedural Interface

ODBC
Open Database Connection

RDO
Remote Data Object

Copyright 1999(c) www.security.org

13.0 BO2K Defcon Presentation on RealVideo
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Kill-9

If you missed the pounding techno, and the flashing lights of the BO2K presentation at Defcon 7 it has been made available on RealVideo.

Uberspace
http://www.uberspace.com

Defcon Pics

And if you missed Defcon completely you can get a small feel of what it was like from this picture archive.
Defcon Picture Archive
http://www.303.org/pics/Defcon7/

@HWA

14.0 Defcon News Roundup
~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue

There are Defcon and BO2K news articles all over the web. Most of them are full of FUD. We don't have time to list them all but these two are definitely worth reading.

MSNBC - Ignore Defcon at Your Own Risk
http://www.msnbc.com/news/289125.asp

ZD Net - Back Orifice Is Your Friend
http://www.zdnet.com/zdnn/stories/comment/0,5859,2292276,00.html

MSNBC;

Should you care about DEF CON?
It’s more than fun, games, and irreverence; hacker convention offers up annual warning

MSNBC July 12 — You might be inclined to dismiss last weekend’s DEF CON conference as a collection of angst-ridden, troublemaking youths. And many of the hackers will help you to that conclusion — the extremist positions, the relentless electronic pranking, the irreverent insults, the blue hair. But make no mistake: These are not adolescent punk rockers who will soon grow out of a phase and go to work for IBM. Scratch below the surface, and you’ll find a crowd of geniuses, many playing the part of guardian angel of the information age. Ignore them, and their anything-but-sugar-coated message, at your own peril.

WE ALL KNOW that using the Internet you can connect to information on computers all around the world. But that also means almost any computer around the world can connect to you. Feel invaded? This is just the beginning. Soon, your pager, your cell phone, your VCR, your car, your watch — they’ll all be connected. And that means they can all be invaded.

Computer security isn’t sexy, and it doesn’t sell, but someday you’ll think about it as much as you think about locking the front door. It’s already that important to hackers, who live and breathe computer security. Their ranks run a confusing continuum from stodgy, conservative Army M.P.
types who would never hurt a fly unless ordered, to reckless geniuses who aim to steal thousands of credit card numbers. For the record, hackers like to call those who engage in criminal activity “crackers” and reserve the term hacker for well-intentioned people out only to find out how things work. Careful how you use those terms; hackers now have the hypervigilance of any extremist special interest group.

In between the two extremes are several shades of gray, such as:

- Groups that hunt for computer vulnerabilities, then publish them to embarrass software companies such as Microsoft into fixing their products.
- Groups that write tools to enable well-intentioned and ill-minded hackers alike, such as the Cult of the Dead Cow and its Back Orifice product.
- Groups that perform criminal but relatively harmless hacks, such as defacing a Web page.

All these groups find their home once a year at DEF CON. They dressed in black, swallowed caffeine straight (at least I think it was caffeine), stayed up all night, talked about rebellion a lot, held hacking competitions and tried to keep each other from breaking too many things.

Most of the attention was centered on the release of Back Orifice 2000, the best publicity stunt in the history of hacking. As far as the general public is concerned, platitudes aside, BO is a bad thing. That only reinforces the image of hackers as bad people, teen-agers bent on destruction, geniuses gone bad, screwing with the world’s information infrastructure. They could steal your credit card, filch money from your bank account, even start a cyberwar.

This image is unfortunate and serves to obscure the very real issues hackers seek to expose. It isn’t necessarily wrong; just incomplete. Let me try to fill it in.

HACKERS IN REAL LIFE

When he’s not at DEF CON, HackerDude’s hair isn’t blue. And far from being reckless and emotionally unstable, HackerDude is Bill Smith, overly fastidious network administrator at Newbie Inc.
Newbie’s 500 employees, whose job is to sell Plexiglass, hate computers. They get frustrated when computers crash, lose data, or when they’re hard to use. And so Newbie workers tend to be careless. They put their login password on a sticky note on their computer monitor. They put their corporate computer dial-in number on a notebook and leave it in a hotel room.

Mr. Smith, or HackerDude, can’t stand this. It’s his job to keep Newbie’s computers safe; that makes Newbie Inc. employees the enemy. Meanwhile, employees think Mr. Smith is just an annoying Nervous Nellie, or even an obstacle.

And so the network administrator goes on preaching and getting frustrated. He can only pick up after his clients’ mistakes for so long. He knows someone out there with bad intentions will eventually break in, with disastrous consequences, and he’ll lose his job — in fact, a “white hat” hack, which exposes the vulnerabilities but doesn’t result in any damage or theft, might be the best thing that could happen. He’s unpopular, annoying and preaching a religion no one wants to hear.

Cut to Vegas in the summer: 3,000 like-minded computer security nuts — some hackers, some crackers, some in between. But all of them have a respect for technology, they share in the extreme rhetoric of free speech, and none of them leaves his password on sticky notes (OK, almost none of them). And they all hate “stupid people,” or put more elegantly, the fact that graphic interfaces have tricked people into thinking computers are easier and safer to use than they really are. At DEF CON, for perhaps the only time all year, Mr. Smith, a.k.a. HackerDude, doesn’t feel alone.

THEIR MESSAGE

See, there’s one thing everyone in the security business — hackers, crackers, virus writers, anti-virus companies — agrees on: Security doesn’t sell. Regular computer users are annoyed by logins and passwords, by firewalls, by extra dialog boxes. In the battle of security vs. features, in the consumer marketplace, security always loses.
This is sacrilege to a hacker, who knows what’s possible, just like it’s sacrilege for a doctor to watch someone leave a public bathroom without washing their hands. But hackers take no Hippocratic oath (the physician’s pledge to do no harm, respect privacy, etc.), and they have discovered that while one e-mail complaint to Microsoft might get little attention, defacing a government Web page can garner a front-page story.

So armed with self-righteousness, an extra helping of sarcasm, caffeine, free time and sometimes good intentions, they set out to break things to force other companies to fix them.

WHAT THEY DO AT DEFCON

At DEF CON, sure, you’ll hear seminars on the simplest ways to bring down a Web server (and almost constant giggling with each PowerPoint slide). But you’ll also hear from law enforcement agencies (and even the White House), which have learned to take hacker groups seriously.

Like all conferences, you’ll hear a lot of locker-room-style banter about the year’s dirtiest deeds. But talk to the right people, and you’ll get an earful from groups such as L0pht Heavy Industries, trying to raise awareness that the most devastating hacks are inside jobs, even though silly Web page defacements get all the attention.

Even the Cult of the Dead Cow, which does its best to maintain its reckless, bad boy image in public, has a softer side. Sir Dystic, author of the original Back Orifice, is working on a tool called CDC Protector that will allow Net users to execute Trojan horse programs without threat of infecting their machines. The Trojan will be “quarantined” in its own memory space.

Of course, it got little of the attention that Back Orifice 2000 received at DEF CON. Why? The raucous release ceremony, the cult following, the chance to flog Microsoft in public are just too irresistible for the group. (“This is just so much fun,” said one member to me).
DON’T BE CONFUSED

I was told again and again that real criminals don’t go to DEF CON; they don’t show their faces in a place where they know federal agents are lurking, and they don’t need to learn how to hack. But that doesn’t mean DEF CON doesn’t attract those who live very near the edge, and that there isn’t a lot of information handed out with a wink and a disingenuous disclaimer like, “Don’t use this for illegal purposes.”

But it’s just as easy to find “reformed” computer intruders, those who have grown out of the thrill of breaking into Web sites. This creates an uneasy tension over some gatherings, as the more “conservative” hackers slip in points of perspective (albeit, gently) whenever possible. Like “Attitude Adjuster,” a former virus writer who said he’s alarmed at the power that virus writers have today.

DEF CON is a gathering in transition, I’m told. It might be getting too big for its britches. This year it drew perhaps 3,000 attendees; it’s so large that a big Las Vegas PR firm was hired to usher press around — hardly the thing for an underground group.

There’s even been a bit of an embarrassment for the Cult of the Dead Cow — 48 hours after the release ceremony, the tool wasn’t available on the group’s Web site. Copies of it were being distributed around the Net, but at least some are infected with the CIH virus.

NOT ALL BAD OR ALL GOOD

Just like in real life, all hackers aren’t bad, or good, or neutral. But they are smart, often annoying, they’re starting to get our attention, and they do have an important message: neglect computer security, and something bad will eventually happen to you. They might even be the ones to do it.
@HWA

15.0 Computer Experts Will Form the Frontline of Sweden's Defense
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Maxim Glory

Swedish minister of defense, Björn von Sydow, wants to introduce military units consisting of "computer freaks", able to defend Sweden in the event of a computer based attack, as well as launching a preemptive strike at the enemy if necessary. They will be a different kind of soldier, not your average grunt, but they can still play an important military role, said Björn von Sydow. According to SVT-text these "soldiers" will be recruited through the obligatory military service.

Spray - Sorry, Swedish Only
http://www.spray.se/nyheter/index.jsp?cat=6&nr=7

@HWA

16.0 Canadians Plan an Information Protection Centre
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by dis-crete

The Canadian government is planning a national Information Protection Centre to co-ordinate its cyber security defenses. The provinces involved in the initiative are Ontario, Quebec, Manitoba, Alberta and British Columbia. The national Information Protection Centre will be used as a means to spread information, protect government systems, and to help the private sector against viruses and attempts to break into computer systems.

The Globe and Mail
http://www.globeandmail.com/gam/National/19990712/UCOMPM.html

National centre planned to fight computer hackers
Manitoba leads bid to protect nation's networks

RICHARD MACKIE
The Globe and Mail
Monday, July 12, 1999

Toronto -- Canadian governments plan to step up efforts to protect their computer systems against increasing attempts to break into them, with plans to establish a national Information Protection Centre to co-ordinate the defences.
The need for the centre is growing rapidly as access to so-called hacker technology spreads and as governments' reliance on computers expands, said Robert Garigue, chief technology and information officer for Manitoba, which is leading the organization of the new centre.

The other provinces involved in the initiative are Ontario, Quebec, Alberta and British Columbia.

There is also rising pressure on governments to assure customers and citizens that the data on government computer systems is secure, said Scott Campbell, head of Ontario's information technology systems.

Governments want to increase the use of computers to deliver services, he said. But potential customers "are saying we have to tackle the privacy issue and the security issue if we're going to fundamentally move forward aggressively on electronic service delivery."

He said "no one's going to play ball" if governments can't guarantee the security of data and transactions delivered electronically.

The national Information Protection Centre will also help strengthen the defences of computer systems in the private sector against viruses and attempts to break in to acquire data or damage the systems, Mr. Garigue said.

The centre would provide a single location where those responsible for the security of individual computer systems could report illicit attempts to enter their systems, learn whether an attempt was part of a larger pattern, and obtain assistance in defending their systems.

Its creation is the extension of an agreement among the chief information-technology officers of several provinces that each province should establish its own information-protection centre. The agreement was extended into a nationwide pact, which included the federal government, in May.

A report by Mr.
Garigue and his Manitoba officials last month marked a shift in the concept of information protection, making it a focus of each government's information-technology organization rather than an afterthought to be dealt with through technology such as virus scanners and firewalls.

Mr. Campbell said because government computers are linked to the Internet, there would be limited benefits if the provinces and the federal government each had its own information-protection centre.

"We live in a network-centred world. One security problem in one part of the country is a security problem in another part of the country. If something is in Alberta in the morning, it's in Ontario in the afternoon."

@HWA

17.0 Y2K Commission May Be Renamed Security Commission
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Modify

The chairman of the Senate's Special Committee on the Year 2000 Technology Problem, Sen. Bob Bennett (R-Utah), and Senate Majority Leader Trent Lott (R-Miss.) have held informal discussions about the possibility of changing the committee's mission when its current authority expires Feb. 29, 2000. The new mission if adopted would direct the commission to focus on government computer security.

Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0705/fcw-newsy2k-7-5-99.html

JULY 5, 1999

Y2K panel to shift to security

BY DIANE FRANK (diane_frank@fcw.com)

With agencies nearing completion of fixing computers to avoid the Year 2000 problem, Senate leaders are considering shifting the focus of the special Year 2000 oversight committee to what many government officials see as the next big threat to government computers: security breaches and cyberterrorism.

Since its creation in April 1998, the Senate's Special Committee on the Year 2000 Technology Problem has studied the impact of the Year 2000 computer problem on government and the private sector and has recommended legislation and other action.
The committee has focused on the potential impact of computer or network failures on banking, transportation, utilities and other components of the nation's critical infrastructure.

The committee chairman, Sen. Bob Bennett (R-Utah), and Senate Majority Leader Trent Lott (R-Miss.) recognize that security vulnerabilities in networks and computer systems pose a similar threat, as they are subject to attacks from personnel within agencies or from outside cyber-terrorists, according to a committee spokesman.

The senators have held informal discussions about the possibility of changing the committee's mission when its current authority expires Feb. 29, 2000, the committee spokesman said. "There are several similar issues and problems that will be faced," he said. "The kernel of the idea was generated internally by people here at the committee who were examining critical infrastructure."

Several high-level federal groups and organizations, including the Critical Infrastructure Assurance Office and the National Infrastructure Protection Center at the FBI, also focus on computer security and the integrity of the nation's infrastructure against attacks. But the government would benefit from congressional attention, said Olga Grkavac, executive vice president of the Information Technology Association of America's Enterprise Solutions Division.

"There really is a link between information infrastructure [and] critical infrastructure in [Year 2000 and security issues] and the hearing track record that the committee has built up," she said. "The experience the members now have would be a big plus."

A Senate committee would bring an extra level of discussion to what other groups on security and critical infrastructure around the government have raised because the committee could focus on policy and legal questions that have come up, said Dean Turner, information security analyst with SecurityFocus.com.
"The technology is there to do these things, now the policy and the law have to catch up with it," he said. It is important for the committee to look at more than just instances of World Wide Web site hacking, Turner said. Even though that is the phenomenon creating the biggest stir right now, it is the least harmful type of attack out there. "I think that if that's what the committee is going to focus on, then they'll be wasting their time," he said. Much of the committee's initial focus should be to educate government and the public about the need for security, said Bill Larson, chief executive officer of security company Network Associates Inc. "I think people do not understand in government the potential for cyberterrorism and the amount of havoc that can be created," Larson said. The CIO Council probably would work closely with the new security committee if the Senate chooses to shift the Year 2000 committee's focus, said Ed Caffrey, liaison for the CIO Council's Security Committee and a member of the State Department's Systems Integrity Division. The CIO Council recently expanded the focus of its Security Committee to include critical infrastructure and privacy. The council and its committees serve as the coordinators between federal and state government and the private sector, Caffrey said. Because the Senate committee probably would serve the same function, it would make sense for the two groups to work together, he said. @HWA 18.0 Tempest Exporter Arrested ~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Silicosis The FBI has arrested Shalom Shaphyr, for trying to covertly ship van-eck/tempest interception equipment to Vietnam. Tempest technology is used to intercept emissions from computer screens or other sources from several feet away. This type of equipment is barred from export without proper licensing by International Traffic in Arms Regulations. 
iPartnership http://www.ipartnership.com/topstory.asp iPARTNERSHIP Top Story House International Relations Committee Moves on SAFE Act 7/13/99 iDEFENSE By Bill Pietrucha The SAFE Act made it through the House International Relations Committee Tuesday afternoon, but it wasn't a completely safe trip. H.R. 850, the Security And Freedom through Encryption (SAFE) Act, breezed by on a 33 to 5 full committee vote but not before being buffeted by a number of amendments diluting the bill's original intention. As introduced by Rep. Bob Goodlatte (R-Va.), the SAFE Act would allow Americans to use any type of encryption anywhere in the world and allow any type of encryption to be sold in the United States. The bill also would provide a level playing field in the global marketplace by permitting the export of generally available software, hardware, and other encryption-related computer products. According to Goodlatte, the legislation also would prohibit the government from mandating a back door into people's computer systems, and states that the use of encryption alone cannot be the basis for establishing probable cause for a criminal offense or a search warrant. "Encryption products are the deadbolt locks of the 21st century," Goodlatte said, "This important data scrambling technology safeguards our privacy in the digital age, making electronic commerce viable and preventing online crime. The American people deserve to have the strongest encryption technology available to protect themselves in the Information Age." But International Relations Committee Chairman Benjamin Gilman (R-NY) managed to water down the bill, attaching and agreeing to a number of amendments. 
Declaring the amendments would put the "safe" back into the SAFE Act, Gilman approved an amendment that would require consultations between the Commerce Secretary, the FBI director and the Drug Enforcement Agency top honcho before approving encryption exports to "any major drug-transit or major illicit drug producing country." Gilman also approved other amendments prohibiting encryption product export if evidence existed that implicated the software in child abuse or child pornography activities, and extending the export license review period from 15 days to 30 days. Copyright © 1999 Infrastructure Defense, Inc. All rights reserved.

@HWA 19.0 NcN'99 Con in Mallorca Spain Announced ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Conde Vampiro

J.J.F. Hackers Team has announced the dates and location for 'No cON Name (NcN´99)'. The con will be held in Mallorca, Spain on 23-25 of July. Not much notice but a good excuse to go to Europe. HNN Cons Page http://www.hackernews.com/cons/cons.html

@HWA 20.0 Rhino 9 Calls it Quits - goodbye letter ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by desig

Rhino9, a security research team, has decided to disband. Several members have taken full time jobs with a security company. The remaining members have decided that this is as good a time as any to close up shop. While the team is disbanding its members will remain active. Rhino9 http://207.98.195.250/ (www.rhino9.org isn't resolving) From their site; Rhino9 is saying goodbye for now. 3 members of Rhino9 have moved to a far off place to accept a position at a security company with a good future. The rest of Rhino9 just didn't seem to want to continue on without the other 3 members. We have enjoyed everything we have done as a team and hope that we have been able to provide the community with some valuable resources. We want to thank everyone that's supported us over the years.
A special thanks to Ken Williams of PacketStorm for excellent coverage of everything we did. Sorry to hear of your misfortune bro... JP is an ass. Thanks to L0pht for advice and tidbits of help over the years. Rhino9 has seen some rough times and some members come and go... but everyone seems to be doing well. To the community at large, thanks for everything and I'm sure this won't be the last you see of R9's members. Although the team is officially disbanding, its members are still very active. Thanks Again, -The Rhino9 Security Research Team

@HWA 21.0 Hotwired and away, 6 yr old fires up toy car and heads for the highway.. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by eentity Seen at http://smog.cjb.net/ From CNN: http://www.cnn.com/US/9907/13/ohio.boy.driver.ap/

6-year-old pilots toy car along Ohio highway July 13, 1999 Web posted at: 6:57 AM EDT (1057 GMT) FAIRFIELD, Ohio (AP) -- A 6-year-old boy who slipped away from his day care center managed to hot-wire a toy vehicle and drive it for a mile along a bustling state highway, authorities said. An alarmed motorist called police to say she was stunned to see little John T. Carpenter piloting the toy alongside regular-sized vehicles just outside Cincinnati. Authorities said they were investigating how John got away from Kiddie Kampus Pre-School and Day Care Center on Friday. Police said his disappearance went undetected until officers contacted the center more than an hour later. The boy apparently wandered away from the center, then came upon a mini Monster truck-type toy parked outside ReRuns for Wee Ones, a children's resale shop. "I had the wires unhooked so no one could ride off in it, but he reconnected the wires without anyone seeing him, took off the price tag and rode away," co-owner Trisha Taylor said Monday. "I was just floored. I couldn't believe it. This kid is only 6, and he had to have lifted up that hood and knew which wires to put together," Taylor said.
John was unhurt and police returned him to his mother. The Butler County Children Services Board said it will investigate and determine what action might be needed at Kiddie Kampus, said Jon Allen, a spokesman for the Ohio Department of Human Services. An employee of Kiddie Kampus declined comment to The Cincinnati Enquirer. The boy's mother did not return messages left by the newspaper. @HWA 22.0 The TRANSFER CAPACITOR (TCAP) BASED 90 Gigabyte Storage Drive. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by eentity From http://smog.cjb.net/ "Described as a "Poker Chip Sized" solid state disk drive, the new semiconductor could be seen in service by the end of 1999 or early in the year 2000. The device can store over 90 billion characters of information, the capacity of 15 Digital Video Disks, or 112 ordinary CD-ROM's", the speed of access is said to be "limited by the computer it is connected to, reading a full 1 million bytes of information could take as little as 10 nanoseconds". Estimated price for the "Hard Drive" version of the 090b8: $895. Read more @ accpc. http://www.accpc.com/tcapstore.htm @HWA 23.0 Sony finished the Glasstron.VR headset ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by eentity from http://smog.cjb.net "PC Glasstron® is a unique head mounted display that creates a high resolution, virtual 30" image when connected to a notebook computer or video source. With built-in ear buds for stereo sound it has full multimedia capability making it ideal for both business and entertainment applications. Its internal dual LCD panels create an impressive, large screen, personal and private experience in a foldable, 1/4 lb. package (excluding sub-chassis). " Read and get them @ Sony http://www.ita.sel.sony.com/products/av/glasstron/. 
@HWA 24.0 NIST Offers Security Accreditation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Space Rogue The National Institute of Standards and Technology has announced the creation of The National Voluntary Laboratory Accreditation Program, an accreditation program for laboratories that test commercial information technology security products for compliance with federal and international standards. The NVLAP will evaluate laboratories for their accordance with the National Information Assurance Partnership's Common Criteria Evaluation and Validation Scheme. Federal Computer Week http://www.fcw.com:80/pubs/fcw/1999/0712/web-nist-7-12-99.html JULY 12, 1999 . . . 18:10 EDT NIST announces accreditation program for IT labs BY DIANE FRANK (dfrank@fcw.com) The National Institute of Standards and Technology today announced the creation of an accreditation program for laboratories that test commercial information technology security products for compliance with federal and international standards. The National Voluntary Laboratory Accreditation Program will evaluate laboratories for their accordance with the National Information Assurance Partnership's Common Criteria Evaluation and Validation Scheme. NIST and the National Security Agency created the NIAP and the common criteria scheme to make it easier for federal agencies to choose commercial IT security products that meet certain standards. The NIAP Validation Body will review the test reports from the labs and issue certificates for the products. NIST will periodically assess the labs for reaccreditation. NIAP also is working toward a Common Criteria Mutual Recognition Agreement with similar organizations in five other countries to set a wider-reaching common standard for security products. 
@HWA 25.0 Spanish Civil Guard Arrest Electronic Intruder ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Ldm-Beaudet

The Spanish Civil Guard (Police) have announced that a 22-year-old Spanish man has been arrested for breaking into the Home Office's network in order to steal data. The man, whose identity remains anonymous, broke through the computer's security and tried, without success, to send confidential information to one of his free e-mail addresses. The man has been arrested in the Murcia area (South-east of Spain) as a result of operation 'Yankee', which lasted more than a year. The Civil Guard collaborated with the Los Angeles Justice Department in order to identify the owner of the e-mail address. Yahoo News - French http://www.yahoo.fr/actualite/19990714/multimedia/931944780-yaho069.140799.113344.html

@HWA 26.0 303.org Needs A Home ~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by netmask

The rash of ISPs crumbling as soon as they get a letter threatening to sue is becoming a major issue. It does not matter if the threat is real or the allegations well founded; most ISPs refuse to take a stand and buckle at the first hint of legal wranglings. 303.org and netcrimminals.org have succumbed to such an attack. They are desperately looking for someone to host either site. They need an ISP who supports free speech, and wants to do good for the community, to host them. 303.org provides useful, but sometimes controversial, services and information for free, as well as a few text mirrors. Netcriminals.org is working to inform the public about alleged criminals such as JP from Antionline, CPM from Happy Hacker, and Spy King from Codex Data Systems. The site has great things coming for it, if it can find an ISP with a small pair of balls to host it. Send mail to Netmask if you are interested in helping host either site or need more info.
mailto:netmask@303.org @HWA 27.0 CyberCop Sting Now Shipping ~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Space Rogue Designed to silently trace and track bad guys, CyberCop Sting records and reports all intrusive activity. CyberCop Sting operates by creating a series of fictitious corporate systems. The Sting product creates a decoy, virtual TCP/IP network on a single server or workstation and can simulate a network containing several different types of network devices. Each virtual network device has a real IP address and can receive and send genuine-looking packets. Each virtual network node can also run simulated daemons, such as finger and FTP. Sting can also perform IP fragmentation reassembly and TCP stream reassembly on the packets destined to these hosts. (Hmmmm, how long before the underground figures out how to detect and avoid such a system?) Yahoo PR News Wire http://biz.yahoo.com/prnews/990714/ca_ntwrk_a_1.html Wednesday July 14, 8:02 am Eastern Time Company Press Release SOURCE: Network Associates, Inc. Network Associates Ships CyberCop Sting - Industry's First 'Decoy' Server Silently Traces and Tracks Hacker Activity CyberCop Line is First in Security Industry to Scan, Monitor And Apprehend Intruders SANTA CLARA, Calif., July 14 /PRNewswire/ -- Network Associates, Inc. (Nasdaq: NETA - news) today announced the immediate availability of its CyberCop Sting software, a new ``decoy'' server that silently traces and tracks hackers, recording and reporting all intrusive activity to security administrators. CyberCop Sting, an industry first, is an integral component of the CyberCop intrusion protection software family which also includes CyberCop Monitor, a real-time intrusion detection application that monitors critical systems and networks for signs of attack (see related release) and CyberCop Scanner, the industry's most highly-rated network vulnerability scanner. 
CyberCop Sting addresses the most unfulfilled need in intrusion protection products today by allowing IS managers to silently monitor suspicious activity on their corporate network and identify potential problems before any real data is jeopardized. CyberCop Sting operates by creating a series of fictitious corporate systems on a specially outfitted server that combines moderate security protection with sophisticated monitoring technology. The Sting product creates a decoy, virtual TCP/IP network on a single server or workstation and can simulate a network containing several different types of network devices, including Windows NT servers, Unix servers and routers. Each virtual network device has a real IP address and can receive and send genuine-looking packets from and to the larger network environment. Each virtual network node can also run simulated daemons, such as finger and FTP, to further emulate the activity of a genuine system and avoid suspicion by would-be intruders. While watching all traffic destined to hosts in its virtual network, Sting performs IP fragmentation reassembly and TCP stream reassembly on the packets destined to these hosts, convincing snoopers of the legitimacy of the secret network they've discovered. ``More than 60 percent of all security breaches are caused by authorized employees or contractors already inside the firewall,'' said Wes Wasson, director of product marketing for Network Associates. ``CyberCop Sting gives security administrators, for the first time ever, a safe way to observe and audit potentially dangerous activity on their networks before it becomes a problem.'' CyberCop Sting provides a number of benefits for security administrators, including: * Detection of suspicious activity inside network; Log files serve to alert administrators to potential attackers prying into reserved areas. * Ability to record suspicious activity without sacrificing any real systems or protected information. 
* Virtual decoy network can contain multiple "hosts" without the expense and maintenance that real systems require. * CyberCop Sting software's virtual hosts return realistic packet information. * CyberCop Sting logs snooper activity immediately, so collection of information about potential attackers can occur before they leave. * CyberCop Sting requires very little file space but creates a sophisticated virtual network. Network Associates' CyberCop Intrusion Protection suite is a collection of integrated security tools developed to provide network risk assessment scanning (Scanner), real-time intrusion monitoring (Monitor) and decoy trace-and-track capabilities (Sting) to enhance the security and survivability of enterprise networks and systems. The suite is also enhanced by the development of technology and research derived from Network Associates' extensive product line, and includes industry-first features such as AutoUpdate, modular construction, and Active Security integration to provide extensive product integrity. A Network Associates white paper on next-generation intrusion detection is available at http://www.nai.com/activesecurity/files/ids.doc. Pricing and availability CyberCop Sting is free with the purchase of CyberCop Monitor, Network Associates' new real-time intrusion detection software. Sting is also available as part of the full CyberCop suite, which also includes CyberCop Scanner, CyberCop Monitor and the CASL Custom Scripting Toolkit. The CyberCop Intrusion Protection suite is priced at $17 per seat for a 1,000 user license. With headquarters in Santa Clara, Calif., Network Associates, Inc. is a leading supplier of enterprise network security and management software. Network Associates' Net Tools Secure and Net Tools Manager offer best-of-breed, suite-based network security and management solutions.
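The core of what the press release describes, a simulated daemon that looks real enough to keep a snooper talking while every command is logged for the administrator, fits in a few dozen lines. What follows is an added Python example written for this issue; it is not CyberCop Sting code and not from Network Associates. It runs one decoy FTP-style service on localhost (the banner hostname and the client that pokes at it are constructed for the demo); a real deployment would give each decoy host its own address and several such services, as the product claims to do.

```python
import datetime
import socket
import socketserver
import threading

# Constructed decoy identity for the example; it names no real host.
DECOY_BANNER = "220 fs01.corp.example FTP server (Version 1.2) ready."


def handle_command(line, session, log):
    """Answer one FTP-style command from a visitor and record it.

    session: per-connection state (peer address, last USER seen).
    log:     shared list of event dicts an administrator reviews later.
    The decoy never authenticates anyone, so every PASS is a login attempt
    worth logging; the password text itself is not stored.
    """
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    event = {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "peer": session.get("peer", "?"),
        "event": "command",
        "verb": verb,
        "arg": arg,
    }
    if verb == "USER":
        session["user"] = arg
        reply = "331 Password required for %s." % arg
    elif verb == "PASS":
        event["event"] = "login_attempt"
        event["user"] = session.get("user")
        event["arg"] = "<redacted>"
        reply = "530 Login incorrect."
    elif verb == "SYST":
        reply = "215 UNIX Type: L8"  # plausible answer keeps the visitor engaged
    elif verb == "QUIT":
        reply = "221 Goodbye."
    else:
        reply = "500 '%s': command not understood." % verb
    log.append(event)
    return reply


class DecoyHandler(socketserver.StreamRequestHandler):
    """One TCP connection to the decoy; everything the peer sends is logged."""

    def handle(self):
        log = self.server.event_log
        session = {"peer": "%s:%d" % self.client_address}
        log.append({"time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
                    "peer": session["peer"], "event": "connect"})
        self.wfile.write((DECOY_BANNER + "\r\n").encode("ascii"))
        while True:
            raw = self.rfile.readline()
            if not raw:
                break  # peer closed the connection
            reply = handle_command(raw.decode("latin-1"), session, log)
            self.wfile.write((reply + "\r\n").encode("ascii"))
            if reply.startswith("221"):
                break


class DecoyServer(socketserver.ThreadingTCPServer):
    """Decoy listener whose event_log is shared by all connections."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, DecoyHandler)
        self.event_log = []


def start_decoy(host="127.0.0.1", port=0):
    """Start the decoy in a background thread; port 0 lets the OS pick one."""
    server = DecoyServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def login_attempts(log):
    """Summarise the log the way an administrator wants it: who tried which account."""
    return [(e["peer"], e["user"]) for e in log if e["event"] == "login_attempt"]


if __name__ == "__main__":
    srv = start_decoy()
    # Constructed visitor: a client poking at the decoy from localhost.
    with socket.create_connection(srv.server_address) as conn:
        fh = conn.makefile("rw", newline="")
        print(fh.readline().strip())
        for cmd in ("SYST", "USER admin", "PASS guess", "QUIT"):
            fh.write(cmd + "\r\n")
            fh.flush()
            print(cmd, "->", fh.readline().strip())
    srv.shutdown()
    for event in srv.event_log:
        print(event)
    print("login attempts:", login_attempts(srv.event_log))
```

Nothing legitimate ever connects to a decoy, so the log needs no filtering: a single connect event is already the alert. That is also the weak point the editor's question hints at, since a service that answers every login with 530 and knows only four verbs is easy to fingerprint; the more verbs and state the decoy carries, the longer it holds attention.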
Net Tools Secure and Net Tools Manager suites combine to create Net Tools, which centralizes these point solutions within an easy-to-use, integrated systems management environment. For more information, Network Associates can be reached at 408-988-3832 or on the Internet at http://www.nai.com . NOTE: Network Associates, CyberCop, and Net Tools are registered trademarks of Network Associates and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. SOURCE: Network Associates, Inc.

(Interesting toy to play with i'd imagine, hone your skills on your own VPN first? hehe. btw the url on the white paper gives me a 404 error too so go figure... - Ed)

@HWA 28.0 cDc Issues Public Apology About Infected BO2K ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by omega

32 original copies of BO2K were handed out at Defcon on CD. All with personalised signatures from cDc members. Unfortunately some, if not all, were infected with the CIH virus. cDc has said that this was completely unintentional and has posted a public apology on their website. The Cult of the Dead Cow http://www.cultdeadcow.com ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2294628,00.html Copies of BO2K available on the official BO2K web site are not infected and are available for download. cDc has said that as of 9pm EST Thursday night there had been over 50,000 downloads of the software from the official site. This demand has caused the web site to be unreachable at times. BO2K http://www.bo2k.com

ZDNET; -------------------------------------------------------------- This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
-------------------------------------------------------------- Back Orifice CDs infected with CIH virus By Luke Reiter, CyberCrime, and Joel Deane, ZDNN July 15, 1999 3:51 PM PT URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2294628,00.html UPDATED 6:33 PM PT Cult of the Dead Cow confirmed Thursday that official CD-ROM versions of its controversial Back Orifice 2000 program are infected with the CIH virus. "There must have been a virus on the duplicating machine and we didn't know about it," cDc member DilDog said in a phone interview. "This incident is unfortunate and we are doing what we can do to rectify it. We can't apologize enough. "We screwed up," he said. cDc, which distributed 32 official CD-ROM versions of BO2K at the DEF CON hacking convention last weekend, had previously denied that its CD-ROMs were infected with Win95.CIH, a virus that reformats hard drives and, on some machines, can erase the BIOS information that the computer needs to operate. Web version clean Although an embarrassing publicity snafu for the high-profile hacking group, the CIH incident doesn't affect cDc's method for mass distribution of BO2K -- the Web. Like its predecessor, Back Orifice, BO2K was released on the Web on Wednesday, where it is available for free download. PC Week Labs senior analyst Jim Rapoza, who downloaded and tested the Web-version of BO2K, confirmed that the Web version is virus-free. DilDog said that the Web version of the program is "absolutely clean." DilDog said cDc mistakenly believed that only pirated copies of BO2K -- burned and distributed at DEF CON within 45 minutes of the hacking tool's splashy debut -- were infected with CIH. However, cDc changed its tune after several anti-virus firms and ZDNN reported finding CIH on official CD-ROMs -- confirming that the executable files in the CD-ROM were infected. "We would like to thank various individuals profusely for pointing this out to us," DilDog said.
cDc member Count Zero, who gave ZDNN its CIH-infected BO2K CD-ROM with "Virus Free" written on the case, said the incident was not malicious. "We are not perfect ... It was human error. Our error. We weren't trying to do anything malicious," he said. 'We do accept responsibility' DilDog said he couldn't explain exactly how the CD-ROMs were infected with CIH; however, it appears the infection occurred before DEF CON, during the duplication of the official BO2K CD-ROMs. "On my way to DEF CON I burned one CD with a series of stuff I needed (including the executable files for BO2K). All of this stuff was scanned ... nothing contained anything bad," he said. "As a last minute thing, we decided to make some duplicates to hand out at DEF CON." DilDog said he handed the master CD-ROM to a "third party ... a very trusted friend of mine" who burned 25 copies of BO2K, using his PC. Those copies were identified with white cDc labels. "It appears that the machine that we used in the duplicates had a virus on it," DilDog said. "We do accept responsibility for not having scanned the final copies of the CDs, but the master from which they were all duplicated was scanned and had nothing on it. So it must have been one of those flash in the pan kind of things where we had a virus apparently on the duplication machine and we didn’t know about it." By DilDog's count, 22 of those infected copies were handed out during BO2K's debut on Saturday. Within 45 minutes of the BO2K debut, cDc began hearing reports of infected BO2K copies from DEF CON attendees, who already had pirated copies of the official CD-ROMs. Both Count Zero and DilDog said they mistakenly believed that the official CD-ROMs were virus free, and that only the pirated copies were infected. Count Zero said he then took one of the remaining official CD-ROMs and, without scanning, burned another 10 official copies of BO2K. "My error was I assumed that the original was virus free," Count Zero said. 
Count Zero labeled those 10 new versions of BO2K with cDc stickers and wrote "Virus Free -- Count Zero" on the CD-ROMs' jewel cases. He then handed out those 10 CD-ROMs. ZDNN received one of those "Virus Free" copies of BO2K, which Norton's Anti-Virus found contained CIH. Believing its BO2K copies were virus free, DilDog said cDc discounted initial reports of CIH infection. "It was only one or two days ago, I guess, that we got word from people that it was our CDs," he said. Since then, DilDog said, cDc has run virus scans on all its PCs, but every machine has tested clean. "We are really at a loss as to how it got on there," he said. "There must have been a virus on the duplicating machine and we didn't know about it." ZDNN's Robert Lemos contributed to this story.

@HWA 29.0 California Golf Course Computers Attacked ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond

The computer systems at the Ocean Trails golf course on the Palos Verdes Peninsula have been broken into. The devastating attack wiped out files ranging from payroll data to email. The intruders left a message for developers on a company computer terminal that read, "Got ya . . . !" LA Times http://www.latimes.com/excite/990713/t000062441.html

Golf Course Struck by Landslide Gets Hit by Hackers Crime: Vandals putter around with computer at Ocean Trails, where last month part of the 18th hole fell into the Pacific. By JEAN MERL, Times Staff Writer Computer vandals have hacked their way into the computer system at the Ocean Trails golf course on the Palos Verdes Peninsula, creating another setback for the seaside luxury course that lost part of its 18th hole last month in a landslide. The weekend vandalism, which wiped out files ranging from payroll data to correspondence, "is devastating," said Kenneth Zuckerman, one of several members of the family of longtime landowners who have spent almost 15 years on the project.
"I think all the negative publicity associated with this project has somehow influenced someone whose head isn't screwed on right to do something malicious," Zuckerman said. He said the hacker, or hackers, left a message for developers on a company computer terminal that read, "Got ya . . . !" Zuckerman said he and the company's head accountant were working Sunday on a computer in offices at the golf course construction site in Rancho Palos Verdes when "she noticed things just seemed to have disappeared. We contacted our service company and they said it looked like somebody had hacked the system through our Internet connection. . . . Then the message appeared on the screen." Zuckerman said he reported the incident to the Los Angeles County Sheriff's Department and the FBI. Deputies at the Lomita sheriff's station said they took a report on Sunday and forwarded copies to detectives and to investigators in a special unit set up to investigate computer crime. A spokeswoman for the FBI's local office said she could not comment on whether the agency has received a report or opened an investigation. She said, however, that any such report would be reviewed for a possible violation of federal law. The new course, with its $200 weekend greens fees and breathtaking ocean views, was nearing completion when a landslide on June 2 sent about half the 18th hole into the Pacific; a county sanitary sewer line running beneath the course also broke off in the slide. Tests are still underway to determine the cause of the slide, but it has generated fresh controversy over development in the area, which has both ancient and active landslides. The Rancho Palos Verdes City Council has scheduled a session for next Tuesday to discuss Ocean Trails. Meanwhile, cracks developed in a roadway about 200 yards east of the course almost three weeks ago, raising further concerns about land stability in the area. 
Public Works Director Dean Allison said the land beneath Palos Verdes Drive South--a major, scenic road on the peninsula--occurred with settling of a landfill beneath the road, which was built in the 1940s. The settling could have been caused by a leaking sewer line or by temporary irrigation to establish a newly restored native vegetation at Ocean Trails, Allison said. Workers built a bypass around the faulty sewer line last week, the irrigation has stopped and the road has been patched, Allison said, adding that the city will continue to monitor the road but believes it has the problems solved. Zuckerman, who says that the brief and light irrigation could not have been responsible for the roadway cracks, said the computer hackers made a lot of extra work for his employees but did nothing that will keep the course from opening. "There were no secrets, nothing of value to anyone but ourselves, but it is a terrible thing to do to a business," Zuckerman said. "It means an awful lot of extra work for our already hard-working employees." "We've bent over backwards to try to be very responsible here, and to have someone come along and do this is very discouraging," Zuckerman said. Sheriff's Det. Michael Gurzi of the department's expanding High Tech Crimes Detail said there has been a dramatic increase of incidents of computer vandalism. Sometimes it is done to steal trade secrets or help with a hostile company takeover, but other times it is done just to inflict pain on the victim. "If [the hackers] are not as sophisticated as they think they are, they can be traced," Gurzi said. "But if they really know what they are doing, sometimes they can disguise themselves." @HWA 30.0 Selling Your Privacy ~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond Do people want privacy or not? 
The most recent survey seems to indicate that most people are more than willing to give out personal information for a few trinkets, cents off at the grocery store or other doodads. Are consumers being swindled? Are they getting fair market value for their personal info? NY Times Syndicate http://199.97.97.16/contWriter/cnd7/1999/07/15/cndin/0987-0531-pat_nytimes.html AltaVista is the next company to do just that. By giving away free Internet access in exchange for personal information it reinforces the idea that it is ok to sell off your personal info. ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2294519,00.html

NY Times Syndicate Privacy? Net Users Willing to Swap Data for Freebies ALICE WANG c.1999 Bloomberg News HACKENSACK, N.J. - Most Internet users say collecting personal information in exchange for free products and services doesn't violate their privacy as long as the policies are explained, a new survey has found. The survey, conducted by Privacy & American Business and Opinion search Corp., found that 86 percent of the Internet users it polled support such free offers. Fifty-three percent say they would participate in an information-for-benefits program, provided the company explained how the information would be used. Companies such as Free-PC Inc. swap products and services for personal information and targeted advertising. Free-PC, an idealab Company based in Pasadena, California, gives Compaq Computer Corp. PCs, Internet access and e-mail to customers who fill out detailed questionnaires that are used to determine which advertisements appear on their computer screens. Many companies, such as Free-PC, use the information to sell advertising. Some sell the information itself, which privacy advocates find alarming. ``Some privacy advocates consider it a `dangerous threat to Net privacy' for Web sites to offer consumers free products in exchange for personal information,'' Dr. Alan Westin, head of Privacy & American Business, said in a statement.
Westin's survey results suggest that such concerns may be overblown.

No Surprise?

The survey's findings "aren't surprising," said Steve Chadima, vice president of marketing at Free-PC. The closely held company has received more than 1.25 million applications for its free machines.

"People know what they're getting in to," Chadima said. The company began shipping its first 10,000 free PCs at the end of June.

Still, 82 percent of the Internet users polled say privacy policies matter when deciding whether to trade information for freebies, the survey found. Only 14 percent said privacy policies wouldn't figure into their decision, as long as they got the benefit.

Some companies, including International Business Machines Corp., have made privacy matters an issue when advertising online. The world's largest computer company said in March it will withdraw ads from Internet sites without policies that safeguard privacy in response to consumer concerns about disclosing personal information.

"Our privacy policy is very, very strict," said Free PC's Chadima. "We never give out personal information for any reason."

Privacy & American Business, a non-profit think tank based in Hackensack, New Jersey, surveyed 457 Internet users drawn from a representative sample of 1,014 adults.

-----

(The Bloomberg web site is at http://www.bloomberg.com)

@HWA

31.0 Geek Pride 99
     ~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Jordan
     This isn't really a con but we thought it deserved mentioning. Geek Pride 99 will be held on October 1, 2 and 3, 1999 in Boston, Massachusetts. They have a pretty impressive line up of speakers. What is Geek Pride? I don't know but it sounds cool.
     Geek Pride
     http://www.geekpride.org/gp99/

@HWA

32.0 Woz Speaks on Pirates of Silicon Valley
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Ryan
     I know this is weeks old but Steve Wozniak is still updating his web site with new comments on the made for TV drama "Pirates of Silicon Valley". In case you forgot, the show tried to detail the events surrounding the early days at Apple and Microsoft. Steve Wozniak has a unique perspective and I never tire of reading his comments. If you haven't visited the site since the show aired it is worth a second look.

     woz.org
     http://www.woz.org/woz/presponses/commets.html

@HWA

33.0 Project Gamma Down for a while due to server relocation
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     An affiliate member and mirror site and general all-round good guys, Project Gamma are going to be down for a few days while their ISP sorts its shit out. This was received in our inbox from WHiTe VaMPiRe of Project Gamma;

     Greetings,

     "Darkridge Security Solutions, the organization providing the hosting for Project Gamma, will be relocating their networks. This move could take up to a period of one to two weeks. Project Gamma will most likely go down July 14. We will be back up as soon as possible. We will continue to update the site until it is no longer accessible."

     I would appreciate it if you people would be kind enough to post something regarding this on your Web sites.

@HWA

34.0 CERT ADVISORY CA-99-08
     ~~~~~~~~~~~~~~~~~~~~~~

     From http://www.net-security.org/

     by BHZ, Saturday 17th July 1999 on 3:37 pm CET

     CERT released an advisory on a buffer overflow vulnerability that has been discovered in the Calendar Manager Service daemon, rpc.cmsd. The problem is - Remote and local users can execute arbitrary code with the privileges of the rpc.cmsd daemon, typically root. Under some configurations rpc.cmsd runs with an effective userid of daemon, while retaining root privileges.
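     Added editor's example, not part of net-security's report or of the CERT advisory: a POSIX shell audit that tells you whether the Calendar Manager daemon is actually reachable on a host, which is the question behind both of the advisory's options (patch, or disable rpc.cmsd). On a real machine the two inputs would be the output of `rpcinfo -p` and the contents of /etc/inetd.conf; here both are constructed sample text so the check runs offline. The RPC program number 100068 is the one cmsd registers with the portmapper; the /usr/dt/bin paths in the inetd sample and all function names are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not from the CERT advisory: audit whether the Calendar Manager
# daemon (rpc.cmsd) is reachable on a host, using text that on a real system
# would come from `rpcinfo -p` and /etc/inetd.conf.

# Constructed sample of `rpcinfo -p` output. 100068 is the RPC program number
# that cmsd registers with the portmapper.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100068    2   udp  32772  cmsd
    100068    5   udp  32772  cmsd'

# Constructed sample from a host where cmsd is not registered.
SAMPLE_RPCINFO_CLEAN='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper'

# Constructed sample of /etc/inetd.conf lines: one live rpc.cmsd entry and one
# unrelated RPC service that is already commented out. Paths are assumed.
SAMPLE_INETD='100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
#100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd'

# cmsd_registered RPCINFO_TEXT -> prints yes/no: is program 100068 registered?
cmsd_registered() {
    if printf '%s\n' "$1" | awk '$1 == "100068" { found = 1 } END { exit !found }'; then
        echo yes
    else
        echo no
    fi
}

# cmsd_enabled_in_inetd INETD_TEXT -> yes/no: is there an uncommented rpc.cmsd line?
cmsd_enabled_in_inetd() {
    if printf '%s\n' "$1" | grep -q '^[^#]*rpc\.cmsd'; then
        echo yes
    else
        echo no
    fi
}

# disable_cmsd_line INETD_TEXT -> the same text with every live rpc.cmsd line
# commented out. This is the advisory's "disable the daemon" option; on a real
# host inetd must then re-read its config (SIGHUP) or the box be rebooted.
disable_cmsd_line() {
    printf '%s\n' "$1" | sed '/^[^#]*rpc\.cmsd/s/^/#/'
}

# cmsd_exposure RPCINFO_TEXT INETD_TEXT -> one-word verdict for a report.
cmsd_exposure() {
    if [ "$(cmsd_registered "$1")" = yes ]; then
        echo exposed                 # daemon is answering RPC calls right now
    elif [ "$(cmsd_enabled_in_inetd "$2")" = yes ]; then
        echo enabled-not-running     # configured in inetd.conf, not (yet) registered
    else
        echo clean
    fi
}

# Stand-alone run over the constructed samples.
cmsd_exposure "$SAMPLE_RPCINFO" "$SAMPLE_INETD"
cmsd_exposure "$SAMPLE_RPCINFO_CLEAN" "$(disable_cmsd_line "$SAMPLE_INETD")"
```

     The point of the three-way verdict is that a vendor patch closes the overflow, but only removing the registration (commenting the inetd entry and restarting inetd) makes the service stop answering on the network; a host that shows "exposed" after patching still has the daemon listening, which is exactly what you want to know before deciding whether the advisory's second option applies to you.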
     Read the advisory below

CERT Advisory CA-99-08-cmsd

Originally released: July 16, 1999
Source: CERT/CC

Systems Affected

* Systems running the Calendar Manager Service daemon, often named rpc.cmsd

I. Description

A buffer overflow vulnerability has been discovered in the Calendar Manager Service daemon, rpc.cmsd. The rpc.cmsd daemon is frequently distributed with the Common Desktop Environment (CDE) and Open Windows.

II. Impact

Remote and local users can execute arbitrary code with the privileges of the rpc.cmsd daemon, typically root. Under some configurations rpc.cmsd runs with an effective userid of daemon, while retaining root privileges.

This vulnerability is being exploited in a significant number of incidents reported to the CERT/CC. An exploit script was posted to BUGTRAQ.

III. Solution

Install a patch from your vendor

Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

We will update this advisory as more information becomes available. Please check the CERT/CC Web site for the most current revision.

Disable the rpc.cmsd daemon

If you are unable to apply patches to correct this vulnerability, you may wish to disable the rpc.cmsd daemon. If you disable rpc.cmsd, it may affect your ability to manage calendars.

Appendix A: Vendor Information

Hewlett-Packard Company

HP is vulnerable, patches in process.

IBM Corporation

AIX is not vulnerable to the rpc.cmsd remote buffer overflow.

IBM and AIX are registered trademarks of International Business Machines Corporation.

Santa Cruz Operation, Inc.

SCO is investigating this problem.
The following SCO product contains CDE and is potentially vulnerable:

+ SCO UnixWare 7

The following SCO products do not contain CDE, and are therefore believed not to be vulnerable:

+ SCO UnixWare 2.1
+ SCO OpenServer 5
+ SCO Open Server 3.0
+ SCO CMW+

SCO will provide further information and patches if necessary as soon as possible at http://www.sco.com/security.

Silicon Graphics, Inc.

IRIX does not have dtcm or rpc.cmsd and therefore is NOT vulnerable.

UNICOS does not have dtcm or rpc.cmsd and therefore is NOT vulnerable.

Sun Microsystems, Inc.

The following patches are available:

OpenWindows:

SunOS version      Patch ID
_____________      _________
SunOS 5.5.1        104976-04
SunOS 5.5.1_x86    105124-03
SunOS 5.5          103251-09
SunOS 5.5_x86      103273-07
SunOS 5.3          101513-14
SunOS 4.1.4        100523-25
SunOS 4.1.3_U1     100523-25

CDE:

CDE version        Patch ID
___________        ________
1.3                107022-03
1.3_x86            107023-03
1.2                105566-07
1.2_x86            105567-08

Patches for SunOS 5.4 and CDE 1.0.2 and 1.0.1 will be available within a week of the release of this advisory.

Sun security patches are available at:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pubpatches

_________________________________________________________________

The CERT Coordination Center would like to thank Chok Poh of Sun Microsystems, David Brumley of Stanford University, and Elias Levy of Security Focus for their assistance in preparing this advisory.

______________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-99-08-cmsd.html.

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key. If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/.

To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Revision History

July 16, 1999: Initial release

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN49o/3VP+x0t4w7BAQEHXgP/RfdP8Nriz1X3wenCtQJmjkn2knggAP4K
2/PsW6SGxU43NUw+GkXS0FFZew/wyw/zCh+O/kgfa0f7hN1+2znZn1gfDZGOGNLf
OEkf5tuWikdJ1Iis3Lnl4mrVPOqpUX893bYtdVVyag/CZ6Yj24PjrZAfH1kIh5to
TVwdlvIKXrA=
=VxcL
-----END PGP SIGNATURE-----

@HWA

35.0 CODE NAME JANUS
     ~~~~~~~~~~~~~~~

     From http://www.net-security.org/

     by BHZ, Saturday 17th July 1999 on 3:28 pm CET

     Microsoft will, by March 2000, release a new operating system with a Windows NT legacy - Windows 2000 Data Center Server (code name Janus). It will, as Microsoft officials say, be a good competitor to UNIX. Janus will have all the advantages of UNIX, and it will have the ability to transfer the current job to one of the other 8 processors if the main one fails.

@HWA

36.0 ANOTHER ONE ON BO2K
     ~~~~~~~~~~~~~~~~~~~

     From http://www.net-security.org/

     by BHZ, Saturday 17th July 1999 on 3:15 pm CET

     As ISS interpreted Back Orifice 2000 as "child's play", other security vendors, like Data Fellows and Symantec Anti-Virus, immediately attacked that point of view. Their opinion is that the open source of BO2K is a very big problem. Aled Miles, general manager at Symantec Anti-Virus said: "Anyone who calls BO2k child's play misunderstands the situation. If one person gets into someone else's computer and steals his or her data, that is a problem. It will probably not proliferate like Melissa, but that is not the point." Read the article below.

Hackers: BO2K 'child's play' remark draws fire

Fri, 16 Jul 1999 16:07:52 GMT
Will Knight

Computer security experts in the UK have attacked US firm, Internet Security Solutions (ISS) for describing Back Orifice 2000 (BO2K) as "child's play".

"That does seem a bit glib," says Paul Brette of Data Fellows Anti-Virus in the UK. "We are worried about the fact that it is open-source.
We could see that being a big problem because polymorphic changes to the virus signature would be relatively easy to make and would make it more difficult to detect."

The BO2K virus was released by media-savvy hacking group Cult of the Dead Cow to coincide with the Def Con 7.0 computer security extravaganza held in Las Vegas last weekend. It is designed to enable remote access to Windows 95, 98 and NT operating systems. The Cult's "Minister for Propaganda" Deth Vegetable published a press release describing BO2K as, "the most powerful application of its kind which puts the administrator solidly in control of any Microsoft network."

But Brette sees other reasons to be concerned by the release of BO2K. He is particularly worried by the fact that the Cult of the Dead Cow has been careful to remain anonymous, while giving away this "administrative tool" for free. "It makes you wonder what sort of motives they really have, what they could be hiding," he says.

Aled Miles, general manager at Symantec Anti-Virus believes BO2K is anything but child's play. "Anyone who calls BO2k child's play misunderstands the situation. If one person gets into someone else's computer and steals his or her data, that is a problem. It will probably not proliferate like Melissa, but that is not the point."

Strangely, Microsoft Windows Marketing Manager, Francess Fawcett, believes there is little cause for alarm, despite Symantec's reasoning. She believes the fact that ISS could decode its source code in under 24 hours shows the simplicity of the program, and says they will not be treating it differently to any other virus.

A bizarre example of how well publicised Back Orifice has been is that ISS reportedly asked the Cult of the Dead Cow for a Beta version of the program. The response was that this would be supplied in return for, "one million dollars and a monster truck."
@HWA

37.0 BUG IN AMAVIS VIRUS SCANNER
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From http://www.net-security.org/

     by BHZ, Saturday 17th July 1999 on 3:04 pm CET

     Chris McDonough wrote to BugTraq about a problem in the AMaViS virus scanner for Linux (http://satan.oih.rwth-aachen.de/AMaViS). Read about the exploit below.

The AMaViS incoming-mail virus scanning utility (available at http://satan.oih.rwth-aachen.de/AMaViS/) for Linux has problems.

I tried to contact the maintainer of the package (Christian Bricart) on June 26, again several times over the course of the last month, but I have not received anything from him and the AMaViS website does not yet acknowledge the problem or provide a fix. However, on Jun 30, co-contributors to the package (Juergen Quade and Mogens Kjaer) responded quickly with an acknowledgement of the problem and a few fixes. Because the co-authors do not maintain the downloadable package, however, the latest downloadable version of AMaViS (0.2.0-pre4 and possibly earlier) still has a bug which allows remote users to send arbitrary commands as root to a Linux machine running the AMaViS scripts.

Exploit:

Send a message with a virus-infected file attachment. Use something like "`/sbin/reboot`@dummy.com" as your reply-to address in your MUA when sending the message. When the AMaViS box receives the message, it will go through its scripts, find the virus, construct an email message to send back to the sender of the virus-infected file...

line 601+ in the "scanmails" script:

cat < ${tmpdir}/logfile echo ${scanscriptname} called $* >>${tmpdir}/logfile -echo FROM: $2 >>/${tmpdir}/logfile -echo TO: $7 >>/${tmpdir}/logfile +echo FROM: $sender >>/${tmpdir}/logfile +echo TO: $receiver >>/${tmpdir}/logfile ${metamail} -r -q -x -w ${tmpdir}/receivedmail > /dev/null 2>&1
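Review bot: the `-echo FROM: $2` / `+echo FROM: $sender` and `-echo TO: $7` / `+echo TO: $receiver` lines only change which variable is logged; nothing in the hunk validates or quotes the value, and the post above shows that a reply-to address of the form "`/sbin/reboot`@dummy.com" reaches a command with root privileges, so the change needs an explicit check that the address contains only address characters (or a guarantee that it is never interpolated into a command string) before the rename counts as a fix. Also, the four `>>/${tmpdir}/logfile` redirections carry a slash before `${tmpdir}` that the neighbouring `>>${tmpdir}/logfile` line does not; with an absolute tmpdir that is a harmless double slash, with a relative one the log lands under the filesystem root, so one spelling should be used throughout.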
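     Added editor's example, not from the BugTraq post, from AMaViS or from the fixes its co-authors supplied: the defensive pattern the report calls for is to treat a mail header as untrusted data, reject it against a strict allowlist before any command line sees it, and write it only through quoted variables so that nothing in it is ever re-parsed by the shell. The allowlist pattern, the helper names and the sample addresses are the editor's constructions; the pattern is deliberately stricter than RFC 822 (a bare hostname without a dot is rejected) because a scanner has no business notifying addresses it cannot parse cleanly.

```shell
#!/bin/sh
# Added example (not AMaViS code): treat a mail header as untrusted data before
# a shell script uses it. Helper names and the allowlist are assumptions.

# address_is_safe ADDR -> exit 0 only when ADDR matches a strict allowlist:
# local part of [A-Za-z0-9._%+-], one '@', then dotted labels of [A-Za-z0-9-].
# Backticks, $(...), ';', '|', spaces and quotes are all outside the allowlist,
# so an address built to smuggle a command is refused before any command sees it.
address_is_safe() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# notify_target ADDR -> prints ADDR when it is safe to notify, else "REJECTED".
# A caller then passes the result to the mailer as a single quoted argument;
# it must never be spliced into a string handed to eval or sh -c.
notify_target() {
    if address_is_safe "$1"; then
        printf '%s\n' "$1"
    else
        printf 'REJECTED\n'
    fi
}

# log_header LOGFILE LABEL VALUE -> appends "LABEL: VALUE" to LOGFILE.
# The value is a quoted printf argument and is written as text, so even a
# value that failed validation is recorded for the admin rather than executed.
log_header() {
    printf '%s: %s\n' "$2" "$3" >> "$1"
}

# log_line_count LOGFILE -> number of lines in LOGFILE (to show logging stayed inert).
log_line_count() {
    wc -l < "$1" | tr -d ' '
}

# demo -> logs one good and one hostile (constructed) address, returns the line count.
demo() {
    tmp=$(mktemp)
    good='alice@example.com'
    bad='`/sbin/reboot`@dummy.com'   # the shape of address the post describes; single-quoted, inert
    log_header "$tmp" FROM "$good"
    log_header "$tmp" FROM "$bad"
    n=$(log_line_count "$tmp")
    rm -f "$tmp"
    echo "$n"   # 2: both lines written verbatim, nothing executed
}

# Stand-alone run.
notify_target 'alice@example.com'
notify_target '`/sbin/reboot`@dummy.com'
demo
```

     Two things carry the weight here: the allowlist is applied once, at the trust boundary where the header enters the script, and every later use goes through a quoted variable. Quoting alone is not enough in a script that hands strings to a mailer or to eval, and validation alone does not help a line that was already written unquoted, which is why the example does both.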
@@ -597,11 +641,11 @@ ################### send a mail back to sender ###################### -cat <

If the version of the kernel fileset for your machine is not at the level described below, install the requisite APAR listed. This will help ensure that the temporary kernel fix will run properly.

   Release     Fileset            Version     requisite APAR
   ===============================================================
   AIX 4.2.x   bos.mp or bos.up   4.2.1.23    IY00689
   AIX 4.3.x   bos.mp or bos.up   4.3.2.8     IY00727

2. Uncompress and extract the fix.

   # uncompress < adb_hang.tar.Z | tar xf -
   # cd adb_hang

3. Review and run the adb_hang.sh script to install the new kernel.

   # view ./adb_hang.sh
   # ./adb_hang.sh

4. Reboot.

Obtaining Fixes
===============

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the FixDist program), or from the IBM Support Center. For more information on FixDist, and to obtain fixes via the Internet, please reference http://aix.software.ibm.com/aix.us/swfixes/ or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the "Subject:" line.

To facilitate ease of ordering all security related APARs for each AIX release, security fixes are periodically bundled into a cumulative APAR. For more information on these cumulative APARs including last update and list of individual fixes, send email to "aixserv@austin.ibm.com" with the word "subscribe Security_APARs" in the "Subject:" line.

Contact Information
===================

Comments regarding the content of this announcement can be directed to:

   security-alert@austin.ibm.com

To request the PGP public key that can be used to encrypt new AIX security vulnerabilities, send email to security-alert@austin.ibm.com with a subject of "get key".

If you would like to subscribe to the AIX security newsletter, send a note to aixserv@austin.ibm.com with a subject of "subscribe Security". To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of "help".

IBM and AIX are registered trademarks of International Business Machines Corporation. All other trademarks are property of their respective holders.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQCVAwUBN4vxDgsPbaL1YgqvAQFASAP9HBQ4UCcMURj0W0WnKivLo/UXF4yhs3Cl
tX9H4tQsGo3U93G2cm3P59C8zbtZd355IVRxTtbOlCLL5CZBMIjNE7c6nyvvn0A0
RCeC1T9+nxZZfFCG81Rd1OME242KzjVz/1w1jQtNqdYugm9/YHm8hamd+KCRNtXl
e+x8Vg16YU4=
=JB4f
-----END PGP SIGNATURE-----

@HWA

50.0 Trinux revisited by www.securityportal.com
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Linux Security Appliance

July 12, 1999 - They say that good things come in small packages with Linux, but even so, it is hard to believe how much functionality you can get out of Trinux. Whether your network is primarily NT, Linux, or some other flavor of Unix is immaterial - if it is based on TCP/IP, Trinux can be a valuable tool. Trinux is the Linux Security Appliance, and is a valuable tool for any network engineer and security specialist.

What is Trinux?

Trinux is a small, portable, re-compiled version of Linux, stripped of non-essential modules and enhanced with GPL security tools. By doing an excellent job of identifying module dependencies, the authors of Trinux are able to create a special Linux distribution that can fit on two high density floppies.

Some of the many tools included with Trinux are:

Firewalk - this is a tool that employs traceroute techniques to discover and determine Access Control Lists for firewalls and routers.

Ipfwadm - utility to administer the IP accounting and IP firewall services offered by the Linux kernel.

Iptraf - IPTraf is a console-based network statistics utility for Linux. It gathers a variety of figures such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts.
Neped - stands for "NEtwork Promiscuous Ethernet Detector", a tool designed to detect Linux sniffers on a local network.

Netwatch - monitors Ethernet traffic for hosts, packet counts and protocols.

Nmap - The Network Mapper is the premier port scanning tool for Linux. Allows state of the art scanning using a variety of techniques.

Snmpset/snmpget/snmpwalk - allows you to easily retrieve and set SNMP variables.

Tcpdump - the standard packet sniffer for Unix.

You can get Trinux at many sites that archive Linux tools. The authors have set up a site at www.trinux.org, containing the software, detailed documentation and version history. The software can be downloaded into two files, boot (the boot image) and classic (the applications). After downloading the files, simply use the rawrite utility (from DOS) or dd (from Linux/Unix) to create the floppies. Next, copy the module for your network card (a .o file, such as 3c59x.o) to the boot floppy, and you are ready to go.

How do we see usage of Trinux?

Trinux is not a pretty, GUI-based management console, but a versatile tool you can take anywhere that can provide quick answers. Trinux is a must for consultants and network engineers who travel to many different sites and must diagnose a wide variety of problems. A Trinux user can quickly build a picture of a foreign network and assess security problems. The fact that it can be carried around on just two floppies gives you the flexibility to quickly put a client's PC into service as a Trinux station. Make certain to carry driver modules for all of the network cards you think you will encounter.

Network Administrators may want to keep a dedicated Trinux station in the computer room to provide a quick diagnosis of network security issues and to provide validation for (or contradiction with) other network management tools.
The elegance and simplicity of Trinux displays not only the wisdom of the network appliance concept, but also shows the power of specially compiled Linux distributions to deliver on that concept. If you are responsible for the security of a network, large or small, you owe it to yourself to invest a couple hours of your time and test out this tool.

@HWA

51.0 ComputerWorld: Crypto Expert - Most encryption software is insecure
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     via http://www.securityportal.com/

     - Bruce Schneier, author of Applied Cryptography, says it is hard to tell whether problems lie in the algorithm, implementation, or elsewhere. He strongly recommends staying conservative, and using well-known and highly scrutinized crypto algorithms.

Crypto expert: Most encryption software is insecure

By Ann Harrison

LAS VEGAS -- Respected cryptography authority Bruce Schneier this week told a security conference that most products and systems that use cryptography are insecure and most commercial cryptography doesn't perform as advertised. Instead, he recommended that companies use strong random number generators and published nonproprietary algorithms and cryptographic protocols.

Schneier, who is president of Counterpane Systems in Minneapolis, author of Applied Cryptography and inventor of the Blowfish, Twofish and Yarrow algorithms, noted that it's difficult to distinguish bad cryptography from good cryptography in security products. Experienced security testing is needed to uncover bugs, but products are often shipped without this type of evaluation, he told the audience at the Black Hat Briefings. "Beta testing can never uncover security flaws," Schneier said.

According to Schneier, flaws can be found almost anywhere: in the threat model, the design, the algorithms and protocols, the implementation, the configuration, the user interface, the usage procedures and other locations in the design of products.
There is usually no reason to use a new or unpublished algorithm in place of an older and better analyzed one, Schneier said. "There is no need ever for proprietary algorithms," he added.

Insecure random number generators can also compromise the security of entire systems since the security of many algorithms and protocols assumes good random numbers, Schneier said. He noted that random numbers are critical for most modern cryptographic applications including session keys, seeds for generating public keys and random values for digital signatures.

Security consultants at the conference said they took Schneier's suggestions to heart.

"I would suggest that no one ever purchase proprietary encryption products if it's protecting anything of value because someone can reverse-engineer it," said Byran Baisden, a software engineer at Edge Technologies Inc. in Fairfax, Va. Edge designed the Nvision product for network management platforms and consults for the federal government.

Matthew S. Cramer, lead security practitioner at Armstrong World Industries Inc. in Lancaster, Pa., said Schneier does a good job pointing out flawed systems and helping companies evaluate products such as virtual private networks that use encryption. "The tough job is picking which ones are snake oil and which ones are real and Bruce provides a lot of information to the community to pick out which is which," Cramer said.

@HWA

52.0 Y2K Villains come in all shapes and sizes...
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     http://www.computerworld.com/home/news.nsf/all/9907165y2kfraud/

     Your network may be covered from the inside, but what about physically, huh? Got those suckers bolted down and an ID card system in action, y'all?

Y2K 'repairs' could open door for billion-dollar thefts

By Thomas Hoffman

Don't be surprised if crackers make off with at least one electronic heist in the $1 billion range by taking advantage of the year 2000 problem, according to a new report from Gartner Group Inc.
Gartner believes that contractors and programmers hired by companies to make Y2K fixes may have left "trapdoors" to move money between accounts.

"The likely perpetrator would be a highly skilled software engineer who has worked on Y2K remediation efforts and understands both computer systems and the underlying business processes," Gartner said in a statement today. "...The worst-case scenario for theft would include a highly skilled software engineer involved with Y2K remediation who feels unrecognized or unappreciated."

An opportunity for theft could occur when a system crashes and repairs are made by a single software engineer without usual oversight and review, Gartner said.

@HWA

3Com eyes new wireless standard for PALM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     http://www.computerworld.com/home/news.nsf/all/9907165palmwap

3Com eyes new wireless standard for Palm

By James Niccolai

3Com Corp. is exploring an emerging technology called the Wireless Access Protocol (WAP) for possible use in its Palm computer, a move that would bring new Web browsing capabilities to the popular handheld device, analysts and sources familiar with the matter said this week.

Moving to WAP would be a significant step for 3Com, which has invested heavily to develop a text-based technology called "Web Clipping" for its wireless Palm VII, which was launched in May in the New York area. But analysts said the momentum growing behind WAP might not leave 3Com with any choice but to switch to WAP.

Web Clipping allows mobile users to download short bursts of text information from Web sites that have tailored content for 3Com's technology. Web Clipping doesn't allow users to surf the Web at large, but downloads information to "query applications" offered by more than 60 firms, including United Airlines, The Weather Channel, ETrade Group Inc. and The Wall Street Journal.
The list of content and service providers using Web Clipping is growing, and users can download new query applications from Palm's Web site, 3Com said.

In contrast, WAP provides a set of open standards that allow mobile devices like cell phones, pagers and handheld computers to browse content on the Web. Sites, however, must be reformatted to support a programming language called Wireless Markup Language that supports both text and bitmap images.

WAP still is an emerging technology, but the industry momentum behind it, combined with its potential to offer users greater freedom to surf the Internet, may force 3Com to make a transition from Web Clipping to WAP, analysts said.

"I think they would be foolish not to support WAP. They're trying to push Web Clipping as a metaphor for surfing the Web, but I don't think they'll be that successful," said Ken Dulaney, vice president of mobile computing research at market analyst firm Gartner Group Inc. in San Jose, Calif.

Dulaney characterized 3Com's apparent reluctance to move to WAP as "a touch of Microsoft-itis."

"I think it's stupid for them to wait," he said. "They ought to be in the middle of things. They're obviously waiting, but what they're waiting for I don't know."

3Com denies it has any plans to move away from its proprietary technology, although the company acknowledges that WAP is on its radar screen.

"We're certainly looking at WAP and find it very interesting, but we don't have any imminent plans" to use the technology, Tammy Medanich, product marketing manager at 3Com's Palm Computing division, said in a recent interview.

But two sources close to the matter told IDG News Service that 3Com has already begun talks with the WAP Forum, an industry group formed to promote the technology. Other industry sources have indicated to Gartner Group's Dulaney that 3Com will move to the new technology sooner rather than later, Dulaney said.

The world's largest handset makers, including L.M.
Ericsson Telephone Co., Nokia Corp. and Motorola Inc., all have announced plans to ship WAP-enabled phones late this year or early in 2000. Telecom carriers AT&T Corp., France Telecom SA and Nippon Telegraph & Telephone Corp. (NTT) are also backing the effort, along with IT heavyweights like Microsoft Corp. and Intel Corp.

"For 3Com to take on Microsoft and all the other players would be suicide in my opinion," Dulaney said.

3Com maintains that Web Clipping has proved popular among its early customers. What's more, the company notes, content for the Palm VII is available now, whereas companies are only just beginning to think about retooling their Web content for WAP.

Web Clipping is "fast and efficient" at downloading snippets of information, said Jill House, a research analyst at International Data Corp.'s (IDC) smart handheld devices group. Still, she characterized the technology as an "interim solution" to providing mobile users with wireless Web access.

Like Dulaney, House believes 3Com will be forced to yield to the market impetus building up behind WAP. IDC expects shipments of WAP-enabled products to increase rapidly, soaring from almost zero today to close to 10 million by 2003. About 5 million Palm OS-based devices will ship in the same year, up from an estimated 2.9 million this year, House said.

"[WAP is] a strong technology with a lot of interest from the industry. Given both those factors, it would be very surprising if 3Com were not considering it" for use in the Palm, she said.

Officials at the WAP Forum declined to comment on whether any discussions with 3Com are under way, but said 3Com's membership to the Forum would be of great value.

"Our principal goal is to create one worldwide standard that all wireless handheld devices work on for Internet access and browsing, and it would be a huge accomplishment to have 3Com join," said Chuck Parrish, who recently completed his tenure as chairman of the WAP Forum.
Parrish is also executive vice president at Phone.com Inc., which makes client and server software for WAP devices.

One major benefit of having a single standard among wireless providers would be to enable content developers to write their content once and have it understood by all devices, Parrish said.

@HWA

54.0 Intel creates Net-specific unit.
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     http://www.computerworld.com/home/news.nsf/all/9907165intelnet

(Online News, 07/16/99 11:36 AM)

Intel creates Net-specific unit

By Cheri Paquet

Intel Corp. has divided its communications business into a networking business unit and a new unit dedicated to the development of Internet-specific products.

Intel's new Communications Products Group will include communication servers, computer telephony hardware, network appliances, routers, hubs, switches, VPN (virtual private network) software and LAN management hardware, the company said in a statement issued yesterday.

Meanwhile, the Network Communications Group will continue to focus on developing Intel's microprocessors, LAN chip controllers and network processors.

To form the new Internet unit, Intel combined its Communications and Internet Server Division, Network Systems Division, Systems Management Division and the Dialogic subsidiary it recently acquired. Dialogic makes computer telephony software, network interfaces and media processing boards.

Intel Vice President John Miner, formerly general manager of the Enterprise Server Group, will head up the Communications Products Group and will report directly to Craig Barrett, Intel's president and CEO.

Michael Fister, vice president of the Intel Architecture Business Group and general manager of Enterprise Server Group, will succeed Miner in his former role.
@HWA

55.0 Bugtraq: JavaScript used to bypass cookie settings in Netscape
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Communicator 4.[56]x, JavaScript used to bypass cookie settings

Peter W (peterw@USA.NET)
Fri, 9 Jul 1999 18:18:57 -0400

As Netscape has not acknowledged my email or bug report from last week, and one form of this vulnerability is currently being used, I have decided it best to publicize this problem.

SUMMARY

This post describes a flaw verified in Netscape Communicator 4.6-0 as distributed by Red Hat software for x86 Linux and Communicator 4.51 and 4.61 for Windows NT. Communicator does not enforce "originating server" cookie restrictions as expected when JavaScript is enabled, leading to privacy issues for users who may think they have taken reasonable precautions.

BACKGROUND

Communicator 4.6 has a setting to warn before accepting cookies, and another to "Only accept cookies originating from the same server as the page being viewed". That latter option is supposed to, and used to, completely and quietly reject "DoubleClick" style third party ad cookies, i.e., cookies from servers that did not produce the main HTML document. These third party ad servers use cookies to track Web users as they move through completely unrelated Web sites. By accepting the cookie, one allows the third party to compile a profile of visits to other Web sites that use the third party's ad service (though normally the third party does not know the end user's exact identity).
PROBLEM

Last week I noticed a warning for a cookie (for doubleclick.net) not from the domain of the page I was viewing (newsalert.com) -- which the cookie settings should have rejected outright. If I turn off the warning, Netscape silently accepts the doubleclick cookie, although I still have the "originating server" restriction enabled.

MEANS OF EXPLOIT

The reason? I had JavaScript enabled for Web browsing. The offending newsalert page used a tag something like