Default newsletter Issue #5
http://default.net-security.org
14.09.1999

Help Net Security
http://www.net-security.org

TABLE OF CONTENTS
-----------------
I.    Editorial
II.   Mirrors
III.  Defaced pages
IV.   Hit2000 report
V.    Interview with v00d00
VI.   Want secure and encrypted e-mails?
VII.  Security audit with our Mac Part-2/2
VIII. More from the ACPO front
IX.   Infection and vaccination
X.    Watch out for documents you publish on The Internet
XI.   Freedom of speech - related incidents
XII.  Y2K survey for 72 countries
XIII. Journalism

I. Editorial
---------------------

Ok, Issue 5 of Default newsletter is in front of you. We have some interesting articles in it: deepquest wrote an interesting article on how you could get into big trouble if you publish MS Word or Excel files on The Internet, Lisa Pellegrin from the International Y2K Cooperation Center did a survey on Y2K preparedness in 72 countries, Berislav Kucan talked to Leo Sheiner from Global Market Ltd, the company which was lately in the news because of their "self destructing" e-mail service, Xander Teunissen talked to the well known hacker v00d00, etc.

We have more and more people subscribing to the newsletter, so we conclude that we are getting better all the time. With only 4 issues behind us, Default now has 8 mirrors. And to end, just a note that Default is an open newsletter, so if you have a topic you want to write about, do mail us.

For the HNS and HNS Default Crew:

Berislav Kucan aka BHZ, webmaster Help Net Security
bhz@net-security.org

Xander Teunissen aka Thejian, co-webmaster Help Net Security
thejian@net-security.org

Subscribing information: mail majordono@net-security.org with a message in the body "subscribe news youremail"

II. Default mirrors
---------------------

http://www.nwo.net/default
http://www.403-security.org/default
http://www.monitor.hr/security/default
http://www.attrition.org/~modify/texts/zines/default
http://www.projectgamma.com/archives/zines/default
http://www.dark-e.com/default
http://ech0.zort.org/default
http://www.deepquest.pf/default

If you mirror Default, please inform us, so we can add you to the list.

III. Defaced pages
-------------------

Site: NASA JPL Quality Assurance Engineering (qa-web.jpl.nasa.gov)
Mirror: http://default.net-security.org/5/qa-web.jpl.nasa.gov.htm

Site: US Embassy in China (Chinese Server) (www.usembassy-china.org.cn)
Mirror: http://default.net-security.org/5/www.usembassy-china.org.cn.htm

Site: MTV Asia (mtvasia.com)
Mirror: http://default.net-security.org/5/www.mtvasia.com.htm

Site: Government of Brazil (www.brasil.gov.br)
Mirror: http://default.net-security.org/5/www.brasil.gov.br

Site: Ministry of Civil Service, Republic of China (www.mocs.gov.tw)
Mirror: http://default.net-security.org/5/www.mndm.gov.on.ca.htm

Site: Scottish Executive's Web site (www.scotland.gov.uk)
Mirror: http://default.net-security.org/5/www.mocs.gov.tw.htm

Site: The Open University (www.open.ac.uk)
Mirror: http://default.net-security.org/5/www.open.ac.uk.htm

Site: The Drudge Report (www.drudgereport.com)
Mirror: http://default.net-security.org/5/www.drudgereport.com.htm

IV. Hit2000 report
--------------------

"And yes it is true that hackers and people like that living all day behind a computer do dress weird and yes they are pale (is it summer again?), but that is no fact, it's like in real life, they come in all shapes and sizes."

Hacking into 2000: You want stereotypes to go with that sir?

Last weekend (3, 4 and 5 September 1999) it was that time again, convention time! In Haarlem, The Netherlands, a large group of security enthusiasts gathered for the HIT2000 security convention.
We've had some nice cons over here in the past and hopes (or at least mine) were high for this one. Unfortunately there were some problems, nothing big, but still noticeable enough. Did that take points off HIT2000's success? Read on.

On day one, Friday the 3rd of September 1999, all the fun started. My friend Nazgul and I arrived on the scene with an attitude of, as the song goes, "Here we are now, entertain us!", although we were forewarned by the convention's official web site (http://www.hit2000.org) stating that we shouldn't expect to be kept busy 24/7 and that it was mostly our own responsibility to gather some actual info during and besides the speeches.

-- Kicking off

Especially on the first day, this was pretty big a truth. Because it kicked off on a Friday, a lot of people didn't show up on day one yet due to work or school. In order to keep up with that and not let those people miss anything, the organization had decided to keep the amount of speeches etc. that day down to a minimum. Add the not so large amount of people there yet at that moment and you have not a lot more than a club-day of the alt.hack.nl newsgroup. But the atmosphere was good and it turned out that it didn't even come close to being a problem.

Something else pulled a whole lot more attention to itself later on that day. One hour later actually. After some initial network problems (which would keep occurring all the way through the weekend), someone decided it would be funny to start flooding to outside the network. The provider and its upstream provider didn't take to that all that well, which caused a lot of problems at their end and effectively shut HIT's internet connection down. If it weren't for a bit of smooth talking and social engineering from the organization's side, that would have been the case for the rest of the weekend. Thank god it wasn't, but the tone was set.

-- Day 2

Ending up behind our boxes and on the network early that morning, the day started off with some (getting all too familiar) networking problems. After checking the UTP cables and switches, which joined together in the room on large tables that were almost full-time manned by people staring fixated at their screens, we discovered we were sharing our row of tables with one of the machines of the Hackme project. This was called into life with three donated boxes and a challenge to the convention visitors to hack them. The AIX box with which we shared a switch seems to have been taking up a lot of resources (yeah sure, blame it on the box.. sorry but I have to find me some excuse :), because as soon as we relocated we didn't have a problem with our connection anymore. At the moments that other people didn't have problems, that is; the network still tended to be a bit unstable.

-- The speeches

But now we had stuff to do. Add to that the fact that there were finally some speeches kicking off, and you'll see we turned pretty hopeful. And with reason too, because some of the speeches were pretty informative. Of course it wasn't all the same quality, nor did you need any experience for some while others did demand at least some level of knowledge, but I believe diversity is one of the tools of the trade and I enjoyed the speeches on version 6 of the IP protocol, the Linux kernel and hiding in the same kernel, to name but a few. Others might have enjoyed those on the workings of GSM or Information Security in Europe more; anyway, there WAS diversity.

-- The press

A lot of "hackers" etc. gathering in one place is, with the current media focus on events in the security scene, bound to draw some press attention. Those of you who know me know of my whining on how the vision people have of hackers is distorted because of all the press coverage which looks more at what sells than at what is actually happening. Well, surprise surprise, we got the worst of it again.

In an attempt to give us all the opportunity to look more important than we were, photographs were only allowed to be taken when the convention visitors were made aware of them by the speaker. Not that anyone seemed to care much about that, but oh, if we had known before.. a slick little guy with a press-card dangling around his neck immediately threw himself onto the people in the areas where photographing was allowed. But hey, let's face it, in the "money-hungry" way of thinking mentioned above, average Joes like you and me don't interest readers; whether you can disassemble a server blindfolded with your hands on your back or not, you have to look a lot more "underground" and "elite" than just jeans and a shirt sitting in front of a screen. But our photographer friend (note the sarcasm) had a solution for that. All he had to do was bring alcohol and drug-like substances into the picture and tadaa.. you were a lot more interesting. So it happened that someone who didn't even drink beer ended up in a picture with a crate of beer next to his box, in an effort to capture one of these "underground punks who sit behind their screen all night while trying to impress their friends on the Internet, in the meantime being intoxicated by everything the bible forbids." That's us, for those of you who didn't know.

-- Day 3

There were no extensive plans as to what would be done on the last day. There was at least one speech planned, as well as the release of a package called "Phear". This turned out to be quite a drag, being nothing more than a collection of some common DoS attacks etc. The speech never surfaced.

-- The total picture

So what's the verdict on this year's Dutch hacker gathering? Well, I tend to complain a bit, but I actually had a good time. With things like this, it's mostly what you make of it yourself and I think I had a nice try at that.

Directly after HIT2000, some complaints surfaced from the so-called Dutch scene on the level of experience of the visitors and the technical level of the speeches. This isn't something currently only happening at HIT though. All those people out there who think they're so "elite" should think about how they got that way. Events like this are for the sharing of information, for people to learn new things, to obtain new knowledge. Of course everyone is on a different level at that, but we all started out at the same point and instead of whining about the lack of "skill" of newbies, you might try helping them, improving that skill. For if you didn't know, that's what hacking is truly about.

-- Belgian DNS server hacked

Besides that, I think some knowledge attending the conference is evident. Of course there were some defacements made from there with things for which you had to have skills equaling "Cold Fusion hackers", but 2 out of 3 of the Hackme boxes eventually got compromised through some nicely tried attacks, and what to think of the hack of the maintainer of the Belgian .BE domain? The idea for this hack is said to have originated at the Chaos Computer Camp a month earlier and, in short, intercepted IP requests to the Belgian DNS server. Those requests were transferred through a web server before reaching the actual domain name server, and by intercepting and responding to the requests when they passed the web server, the hackers were able to return their own fabricated information, thus redirecting the requesting source to any site they wanted.

-- Final conclusion

HIT2000 started from a good idea. As the organization announced at the beginning of the convention, they didn't work too much on the actual organizing; it was the thought that counted and everyone should decide for themselves what to do with the things offered. This was nicely demonstrated by some unscheduled speeches.
Someone decided he could tell something about changing identities using the Net, so he did. This spirit is something that is needed in the scene more than anything nowadays and I personally enjoyed it a lot. There also were some problems though, which we can't forget that easily. I think this is where the organization thing should have come in. With a bit more of that, combined with what we already got for our money, I'll be back next year. And so should you.

Xander Teunissen
Thejian, Help Net Security

V. Interview with v00d00
----------------------------

For this issue of Default I spoke to the hacker known as v00d00, who had some interesting views on exploits, hacking and law enforcement and the scene in general. Read on below.

Thejian: Who is v00d00?
v00d00: v00d00 is a hacker who tries to do what he does for a reason.

Thejian: What's your vision of what a hacker is and does?
v00d00: A hacker is someone who finds new security holes and codes his own exploits and helps admins by explaining vulnerabilities to them rather than making him/her look like a complete fool.

Thejian: Where does defacing come into that?
v00d00: Defacing isn't true hacking, cracking is maybe a better term for it.

Thejian: The discussion on that is endless.. "hacking"/"cracking".. Aren't they all just stereotypes?
v00d00: Probably. Called into life to be able to finger something.

Thejian: Looking through your "work" you see somewhat of a "maturing", from simple statements such as "v00d00 was here" and some greets to "What is your purpose? to prove security wrong eh? Oh yeah, you could easily just leave the admin a note explaining how you got in and where to get a patch for the hole rather than making him/her look like a complete fool." What caused this change of mind?
v00d00: Well, I heard of this group defiance and did some defacements for them, then I helped ne0h on his f0rpaxe dis, but then I looked at some of the older political hacks and so it came to be.
Thejian: At a certain point you even stated you decided to do something and that you were going to stop defacing. It seems you've changed your mind on that as well. Why?
v00d00: I now only deface when I think it's needed or when I need to get a point through, make something heard.

Thejian: How did the "hacker" stereotype get so distorted in the media?
v00d00: They need something that's interesting to their readers, a lot of hackers do it for the publicity, even go to the media themselves, the so-called "mediawhores".

Thejian: Is it all sensationalism?
v00d00: A lot of it is.

Thejian: What do you think of the US government reaction when it comes to this?
v00d00: They read about hacking in the media and have to take a stand so they grab.

Thejian: Isn't it a bit overkill?
v00d00: Yes.

Thejian: What's a script kiddie?
v00d00: Someone who uses other people's exploits to make a name for himself defacing.

Thejian: I don't think there are any hackers/crackers who always use exploits they coded themselves. Doesn't that make them and maybe even you a "script kiddie" as well?
v00d00: I don't see myself as a great hacker.. people could call me that, I dislike the term but..

Thejian: Should it be illegal to exploit a system? Exploiting as in "hacking/cracking".
v00d00: I don't think so... if the companies are too stupid to check their software before releasing it then it deserves to be dissed.

Thejian: So hacking a site would be legal when the admin is too stupid/unknowledgeable/lazy/whatever to upgrade?
v00d00: Yes, the admin should respect his own box, or else he shouldn't have the job.

Thejian: Why is it they don't have this respect, do you think? (at least it doesn't seem like it when you browse the attrition defacement mirror)
v00d00: It's obvious that admins don't visit security sites very often... most of them probably don't even know how to use the OS they are admin'ing. Seems so anyways. They probably read something like "learn to admin in 22 days". On the other hand... let me add this: I do respect admins, because I would like to be one, I just think they could pay more attention to what's going on.

Thejian: So hacking/cracking is more of a service than a crime?
v00d00: Yes, because if one person doesn't do it, someone else will. Some sites are still vulnerable a year after being hacked, even if you let them know how you did it..

Thejian: So what can you do against those admins who just don't care? How can we ensure the security and privacy of the users who use that box?
v00d00: You can't.

Thejian: So insecurity will always be a fact for some?
v00d00: There is no such thing as "100% security", this will always be a fact for everyone. Boxes change software a lot and when they do, there are new holes.

Thejian: What's better then, in your opinion? More different systems (with all their specific holes) or one monopoly-like system (with its holes)?
v00d00: I'd have to say, different systems. Hacking is also a challenge btw, it's like a game. People like challenges, hacking is the ultimate challenge comp-wise.

Thejian: Why? Doesn't that create more different holes (especially in more combinations of systems)?
v00d00: Well, let me put it this way, what 2 OS's do you see the most hacked? If someone's running Digital Unix they usually don't worry about security.

Thejian: Ok, that's true, others learn from their mistakes too.. but they do have their own specific holes again.. even when they're not discovered.. again, there's no such thing as 100% security.
v00d00: Yep, but people tend to go after Solaris/NT.

Thejian: Heh, there are a lot of those though, it's not that hard.
v00d00: Exactly... people like 'easy'. So they don't hack like DG/UX and OpenBSD.

Thejian: Which makes a lot of them "script kiddies" again.. (sorry for the term :) How does Canadian law look at this subject (hacking)?
v00d00: Well... Canada looks at hacking the same way America does, just doesn't take it to such extremities. If a major Canadian site was defaced, the RCMP would be after the culprit in no time.

Thejian: No Canadian Kevin Mitnicks yet though?
v00d00: Nope, ne0h and devil-c are the only Canadian hackers I know.

Thejian: Speaking of him, you expressed some pro-Mitnick views on defacements.. why do you think there are so many anti-Mitnick feelings?
v00d00: Again, the media. Because 5 years without a trial is bullshit.

Thejian: But in the scene itself?
v00d00: Well, a lot of people worship 2600 so they follow the movement. 2600's Emmanuel Goldstein has been noted to be a very close friend of Mitnick's.

Thejian: But 2600 is pro-Mitnick. Where did things like "Burn Kevin" come from? Jealousy?
v00d00: No, because people are mad that Mitnick is getting publicity and a lot like to cause a ruckus.

Thejian: So the "mediawhore" types are the ones against him?
v00d00: A lot of them yes. I have no disrespect for any hackers or crackers though, even if they dis me.

Thejian: I've read some stuff against you too.. you hold no grudge on that field whatsoever?
v00d00: Nope... me and ALOC have resolved problems. I never put anyone down, so I don't know why people would dislike me anyways.

Thejian: Where does this feeling of competition in the "underground" come from anyways? We're all here for the same thing, right?
v00d00: Pretty much, but some are just here to make a name, some are here to spread a word, everyone has their own individual purpose. Competition is, like always, jealousy. Like in real life, if you're good at a sport, and someone comes along and is better, you want to prove that you are still "the king".

Thejian: But is there anyone in this scene truly the king? In my opinion no one has all the answers nor all the knowledge, just can't be with the speed IT develops.
v00d00: There is no "best", there is good, bad, normal and average.

Thejian: Who would you put in the good category?
v00d00: Ne0h, mozy, keebler, stonehenge, and a few others. There are only 3 people that are above good.
In my opinion the best groups of all time have been: code zero, HFG and h4g1s.

Thejian: Do you think this "group" thing, hackers grouping together, is a good or a bad thing?
v00d00: It all depends on their ability to get along and how much trust they have in each other.

Thejian: Shouldn't everyone ideally get together in one big group?
v00d00: No, there would be too many disagreements, there would be more fighting than hacking involved.

Thejian: Should companies be held responsible for flaws in their products?
v00d00: Yes, the designers should.

Thejian: In what way?
v00d00: The beta testers are obviously not very intelligent because they are releasing faulty software, which is not a smart business choice.

Thejian: How should such responsibility be enforced by the government?
v00d00: The government shouldn't have to watch over companies, it's not their job.

Thejian: Then whose is?
v00d00: The owners.

Thejian: Of the company?
v00d00: Yep, they should ask more questions to the employees about what they are releasing, put it through hardcore testing.

Thejian: Do you think they care?
v00d00: Nope, they only care about money, as with everyone else in the world.

Thejian: So nothing we can do except keep pointing the problems out to them?
v00d00: Absolutely nothing.

Thejian: Hmm, kind of sad when you think about it..
v00d00: Totally.

Thejian: I'm drawing to a close here, anything you might want to add?
v00d00: Yep, go to NET-SECURITY.org for the best underground news around :; )

Thejian: Hehe thanx man :) and thanks for your time :)
v00d00: No problem.

VI. Want secure and encrypted e-mails? 1on1lite offers that service
-----------------------------------------------------------------

Two weeks ago, a company called Global Market Ltd released the 1on1lite program, which can provide secure, encrypted e-mail messages. As written on their page: "1on1mail uses 448 bit blowfish encryption and the keys are 2048 bit RSA.
We believe that this encryption is unbreakable within any reasonable period even with virtually unlimited computing capacity. Therefore we offer this challenge: We will pay whoever can prove they can break this encryption $50,000 (fifty thousand US dollars)".

I talked to Leo Sheiner from Global Market Ltd about their software:

What team is behind 1on1lite?

1on1Lite and all related technology is developed in house at Global Market Ltd. The project team for software development is (currently) six strong. Global Market Ltd. was established in 1995, has other products, is profitable and is entirely self-funding.

Where did you get the idea for it?

I append below a post I had published in Isales yesterday in answer to that question.

// -- FEATURED POST -- //

From: Leo Sheiner
Subject: Internet Research - Voodoo and Black Magic

There has been some interesting discussion on Trendmuncher about the efficacy of statistical research in a fast moving environment like the Internet. I wanted to share my thoughts on this with the Isales list since that is where I got much of my original input before deciding to create 1on1Lite. My response was elicited from this small snippet with which I disagreed.

>We have real decisions to make that will determine the success of
>our enterprises and we cannot rely on surface answers and its
>interpretation. As I say to my clients, the purpose of research is to
>reduce the risk of failure. You can't do that cheaply or cursorily.

I do not really agree with David from my own vantage point. On the Internet a surface answer is generally all you need. I follow all the statistical results with great interest. These certainly show trends but as an Internet Entrepreneur very often my decisions are based upon an inverse assessment of the available research. Let me explain.

The Internet is a very fast moving market. What that means is that there are new disruptive technologies introduced constantly. These may at first address only a small niche but they can grow and eventually overthrow older technologies. Everything on the net is moving at a frenetic pace. In a fast moving market, statistics are to a large degree an autopsy. You are looking at a corpse. What is needed is an anticipation of a birth. In a very serious sense, if there is a statistic available to prove there is a demand for a product you are probably already too late to bring something to market to address that need. You need to anticipate a requirement when there is in fact no demand for it. Then you need to build a solution that has no problem. Then you launch your solution and build it slowly to converge with the eventual demand created by the eventual change of perception and consequent recognition of the problem. It is a bit risky and you can get it wrong but in a fast moving market, it is the only way to get to market first. And firstcomers on the web have a very great market advantage.

Let me give you an example. A year ago, I ran a number of articles on the subject of privacy on the web and in particular asked on various lists (populated mainly by early adopters) whether they would be interested to receive a free copy of email software that was completely secure. The response was far from overwhelming. A trickle of half-hearted interest showed me quite clearly there was no demand whatsoever for that product. So I promptly committed a million dollars to the effort to create that product. You may ask why? My assessment was quite simple. I believe that Commerce can only flourish on the Internet if there is security and confidentiality. My view was then and remains that commerce is coming. The fact is whatever commerce is being transacted now is only a tiny fraction of what will be there one day. Businesses will want to communicate securely. There is an immense payoff if you can replace courier, mail, fax and even telephone with email. All of those are less effective than email and far more costly. But before the launch of 1on1Lite there was no product that made privacy easy, certain and transparent for the business user, nor were there any facilities needed by business people like tracking and automatic deletion available for email. We built a better mousetrap before anyone knew there were any mice.

A month ago when we launched at http://1on1mail.com there was a modest growth in our free downloads but nothing to get excited about. It confirmed my view on the lack of any real demand (yet). That to me was perfect timing. Then we had the hotmail fiasco that suddenly brought the issue of privacy into the headlines. People are beginning to think, hey there is a problem here. I could see the inexorable rise in the rate of registrations. That is just the beginning. I believe two years from now, virtually everyone will use a secure form of communication by default. Why use email that everyone can read when you can make your communication secure for no extra effort or cost? I hope and expect that our product will be among the leaders at that time.

To conclude, statistics are very important but it depends on how you use them, and a gut feel can be more important than all the statistics in the world.

What are the characteristics of 1on1 lite which distinguish it from normal e-mail?
* Guarantees delivery and receipt of email
* Tracks and reports the delivery and opening of each message you send
* Guarantees complete confidentiality, with 2048 bit encryption ($50,000 offered to anyone who can break it)
* Encrypts messages with military spec encryption
* Encrypts all attachments with the same military spec encryption
* Uses the same compatible encryption anywhere in the world (no export restrictions)
* Is not web based so you can work offline until you are ready to send and receive
* Is not web based so sensitive address books and messages are not kept on someone else's server
* Has completely effective Anti-Spam features
* Has the smoothest transparent migration from ordinary email to encrypted email
* Has a simple to use interface

What is your privacy statement?

It is published in our terms and conditions when registering. I cannot remember the exact words but the drift is that no information provided will be passed to anyone under any circumstances and will only be used internally.

What about spam and your software?

It is impossible to receive Spam on our secure channel.

You offered $50k for cracking your algorithm. Is it just a media stunt for promoting 1on1mail, or are you that sure of the quality of your 2048 bit encryption?

Both. The offer is good, but we do not expect to have to pay.

Did you get any feedback on this cracking contest?

About thirty applications so far.

How many customers do you have now?

We have about 6,000 downloads since we launched a month ago.

What are the plans for 1on1 lite?

Continued evolution, the partner version to be released imminently also http://1on1mail.com/Partners.html and a number of payment by usage facilities (no I cannot tell you what) will be introduced around the core technology over the next twelve months.

Berislav Kucan aka BHZ
bhz@net-security.org
http://net-security.org

VII. Security audit with our Mac Part-2/2
------------------------------------------

The DMZ, Demilitarized Zone, is supposed to be the safest place on the network you are auditing. When I say safest, I mean not only safe from logical access but also from physical access. It's the barrier between the company's network and the outside wild wild world of the Internet. Just to remind people who didn't read part 1: we will work only from a Mac with Virtual PC, LinuxPPC and of course MacOS.

In the DMZ part you could spend weeks just trying to get into the LAN or any of its resources (mail server, database, ftp etc.) because there are a bunch of things to check. In this part we will use LinuxPPC more than previously.

First of all, get a clear list of all active elements in the DMZ, from routers to switches to servers. We could use nmap or a queso-like tool to get all this, but that's a waste of time. Let's suppose you have an IIS web server, with a FireWall-1 and a database server linked to IIS. First question: what can access what? Let's check which versions of OS and software are used in the DMZ. Get the details about the past 10 months of issues in mailing lists like Bugtraq (I mean remote exploits), and check whether the systems have been patched against those. The other thing is to take a closer look at what we can do from the outside world:

- Denial of Service attacks
- Errors in the settings of the servers or routers

For these two possibilities, either your company has enough money to afford a $55,000 toy like ISS, or you just use white hat hacker toys from "underground" sites. Internet Security Suite or CyberCop are nice toys, but you know... paying for a software where you put in an IP or IPs and press "scan" after selecting types of attack is not that constructive. Even drunk you could use that! There are a bunch of free tools to work with.

First, what can you see from the outside? Get a scanner with OS fingerprinting features like queso or Nmap (current version v2beta5; get a copy and the man page here: http://www.insecure.org/nmap/nmap_manpage.html). The problem with certain security toys on Linux is that they won't be usable (or hardly) on LinuxPPC. Some libraries are not working properly on PPC; most of them are focused on x86 computers. Anyway, many of them can be used on LinuxPPC. I tested Nmap on PPC and it's exactly the same: just use basic options like -F -sS, or even use decoy mode, but you don't have to be that stealthy because this is only a basic test. I had more trouble using Kmap, a KDE-interfaced version of nmap. You won't have that many problems compiling source code, well, hopefully!

So you're now able to determine what ports are open. Now what can you do with those? Try browsing advisory websites to determine whether those ports can be harmful to the integrity of the remote server, unless you're so smart you know all of the past 6 months of issues by heart. Make sure you don't find things like ports 23, 137, 138, 139, 1352, 2301 etc. Get a full list of ports with transport layer and description here: http://www.deepquest.pf/portlist.txt.

You might not expect to find those ports open, but here is a little experience I had a few months ago. I was auditing a range of IPs (the domain is in the south of Europe, can't tell you more!). I just typed a wrong IP range before the scan and found really funny stuff. There was telnet and http; it doesn't seem very serious. So I pointed my browser at the IP.... HP JetAdmin tools with no restriction. I telnetted to it, no password, and jumped right into the configuration menu. What can you do with this access? Not that much except hijacking *.ps files sent to the printer: intercept and redirect. What if there were confidential data? I mailed the admin and waited a few weeks; they did nothing. I just used their printer once, sending a file to print: "adjust settings or all printed documents could be 0Wned." Just for the information, the company was an IT company certified by Micro$oft, Lotus... For the DMZ, try to use several protocols and operating systems, and every open port has to be a necessary one.

The other thing you can test is SNMP. It provides useful information on active network elements, from network configuration to logical status, CPU load and a bunch of info an intruder could use. There are two kinds of communities: public and private. Private ones are defined by the admin with a password. But as you know, everything that has a login and password can be broken with a remote brute force attack. You can try tools like snmpscan 0.05 (http://www.phunc.com/tools/snmpscan) that will check the weakness of your community password.

There are thousands of things you can do to audit a DMZ, but before starting anything, don't test what you're not allowed to test; people in a "corporate" environment don't like that at all. Make sure you warn of possible disturbance in the information services. Use hackin' tools instead of commercial products; you'll learn more with them. Don't just run DoS tools or exploits word for word, but think. Think small, fast, but always think of combinations of possible problems.

The first time I told my boss I wanted to work with a Mac, he just laughed! After the reports I gave him after several security audits, he still laughed, but this time it was nervous... I'm not an "Integrist", or paid each time I say "Apple", but I have known this platform since the '80s and no other platform offered me such a level of security, of integration in mixed environments, and allowed me to run so many other OSes on one computer.
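As an added example for the scan-then-review step described above (this is not deepquest's code and not part of the original article): a small script that parses nmap's grepable output (the -oG format) and flags any open port from the article's "make sure you don't find these" list, plus 161/udp because of the SNMP community string check that follows. The scan text, the example.test hostnames and the 192.0.2.x addresses are constructed for the example; the Compaq/Lotus service names attached to 2301 and 1352 are the well-known registered uses of those ports.

```python
"""Flag risky services in nmap grepable (-oG) output.

Added example for the DMZ audit walkthrough; not deepquest's code.
SAMPLE_SCAN is a CONSTRUCTED imitation of nmap's -oG format: the
192.0.2.x addresses, hostnames and port lists are invented.
"""
from dataclasses import dataclass, field

# Ports the article says you should not find open on a DMZ host, plus
# 161/udp because the article goes on to discuss SNMP community strings.
WATCHLIST = {
    (23, "tcp"): "telnet: cleartext logins (cf. the unprotected printer menu)",
    (137, "udp"): "NetBIOS name service reachable from the Internet",
    (138, "udp"): "NetBIOS datagram service reachable from the Internet",
    (139, "tcp"): "NetBIOS session service (SMB) reachable from the Internet",
    (1352, "tcp"): "Lotus Notes/Domino reachable from the Internet",
    (2301, "tcp"): "Compaq Insight Manager web agent reachable from the Internet",
    (161, "udp"): "SNMP: verify community strings are neither default nor guessable",
}

# Constructed sample: three hosts in a pretend DMZ. Fields are TAB separated,
# port entries are port/state/proto/owner/service/rpcinfo/version.
SAMPLE_SCAN = (
    "# Nmap scan initiated (constructed sample, not a real scan)\n"
    "Host: 192.0.2.10 (www.example.test)\tPorts: 80/open/tcp//http///, "
    "443/open/tcp//https///, 23/open/tcp//telnet///\tIgnored State: filtered (997)\n"
    "Host: 192.0.2.20 (db.example.test)\tPorts: 139/open/tcp//netbios-ssn///, "
    "161/open/udp//snmp///, 1433/open/tcp//ms-sql-s///, 25/closed/tcp//smtp///\n"
    "Host: 192.0.2.30 (mail.example.test)\tStatus: Up\n"
    "# Nmap done (constructed sample)\n"
)


@dataclass
class HostReport:
    addr: str
    name: str
    open_ports: list = field(default_factory=list)  # (port, proto, service)
    findings: list = field(default_factory=list)    # (port, proto, reason)


def parse_grepable(text):
    """Return one HostReport per 'Host:' line, keeping only open ports."""
    reports = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and anything else nmap prints
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        addr, _, rest = fields["Host"].partition(" ")
        rep = HostReport(addr=addr, name=rest.strip("() "))
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto, _owner, service = entry.split("/")[:5]
            if state == "open":
                rep.open_ports.append((int(port), proto, service))
        reports.append(rep)
    return reports


def assess(reports, watchlist=WATCHLIST):
    """Attach a finding for every open port that is on the watchlist."""
    for rep in reports:
        for port, proto, _service in rep.open_ports:
            reason = watchlist.get((port, proto))
            if reason:
                rep.findings.append((port, proto, reason))
    return reports


def audit(text, watchlist=WATCHLIST):
    """Parse, assess, and return {address: HostReport}."""
    return {rep.addr: rep for rep in assess(parse_grepable(text), watchlist)}


def format_report(reports):
    """Human-readable summary, one host per block."""
    lines = []
    for rep in reports.values():
        label = f"{rep.addr} ({rep.name})" if rep.name else rep.addr
        lines.append(f"{label}: {len(rep.open_ports)} open port(s)")
        for port, proto, reason in rep.findings:
            lines.append(f"  !! {port}/{proto}: {reason}")
        if not rep.findings:
            lines.append("  no watchlist ports open")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(SAMPLE_SCAN)))
```

Feed it a real scan with `nmap -sS -F -oG scan.txt <your DMZ range>` and `audit(open("scan.txt").read())`; the watchlist is a plain dict, so the list from portlist.txt can be loaded into it instead of the hand-typed entries above.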
Deepquest
deepquest@default.net-security.org
All rights not reserved - Serving since 1994
http://www.deepquest.pf

VIII. More from the ACPO front
----------------------------

More updates from antichildporn.org. First off, thanks again to net-security.org for allowing us this forum. We're still forging ahead here, learning as we go. It seems that we are taking a slightly different direction than was our original intent. Apparently we are entertaining two distinct groups of people: our original followers, the techno whizzes, and a much larger, uneducated group of people that have no computer skills, or very few. We believe we have found an easy solution to a possibly difficult problem. The original antichildporn.org will remain the same, headed up by cylent1 and his crew. Please mail cylent1 (mailto:cylent1@hotmail.com) if you have any constructive suggestions for the existing site, as he has plans to revamp and update the site. We are now in the process of purchasing another domain, a gift from one of our liaisons. This site's intention is to have a lighter, more child-friendly appeal to the general public, as we are now in the process of contacting other resources that tend to look unfavorably upon any sort of "dark ops". Two completely different people, who will be named at a later date, will head up the new site. Both sites will be the same organization, but serve two different groups of people. They will also link to each other.

We have three trips planned before the first of the year: The Training Co (http://www.thetrainingco.com) has graciously offered admittance to the conference for some of our members, pro bono. Please check out their website for who will be speaking there. It's quite an impressive group. We will also have a table set up at the conference to answer questions about our organization and try to enlist help from legal resources on how to approach the problem of child porn.
The second trip planned is to New York City the week of September 20; one or more of us will be meeting with the founder of Cyber Angels (http://www.cyberangels.com) and hopefully have an appointment with the UN. We're still working out the details for my Euro trip; we'll let you know more shortly. As always, we thank you for your support. Mail me if you have any questions.

Natasha Grigori
Founder of Anti Child Porn Organization
natasha@infovlad.net
http://www.antichildporn.org

IX. Infection and vaccination
-------------------------------

What is a trojan horse and what are the functions of a trojan?

A trojan horse is:
- An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user.
- A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown (and probably unwanted) by the user.
- Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and probably unwanted) by the user.

A trojan horse program can be a program that does something useful, or merely something interesting. It always does something unexpected, like stealing passwords or copying files without your knowledge. Trojans are discovered often enough that they are a major security concern. What makes trojans so insidious is that even after they are discovered, their influence is still felt. Trojans are similar to sniffers in that respect. No one can be sure exactly how deep into the system the compromise may have reached.
There are different kinds of trojans on the net; here is a little text explaining all kinds of trojans:

Remote Access Trojans
These trojans are the most popular trojans now. Everyone wants to have such a trojan because he or she wants to have access to their victim's hard drive. The RATs (remote access trojans) are very simple to use. Just make someone run the server and you get the victim's IP and you have FULL access to his or her computer. Then you can do almost everything; it depends on the trojan you use. But the RATs have the common remote access trojan functions like: keylogger, upload and download functions, taking a screenshot and so on. Some people use the trojans for malicious purposes. They just want to delete and delete. This is lame. But I have a guide about the best way to use a trojan. You should read it. There are many programs out there that detect the most common trojans, but new trojans are coming every day and these programs are not the maximum defence. The trojans always do the same things. If the trojan restarts every time Windows is loaded, that means it put something in the registry or in win.ini or in another system file so the trojan can restart.
Also the trojans create some file in the WINDOWS\SYSTEM directory. The file always looks like something the victim will think is a normal WINDOWS executable. Most trojans hide from the Alt+Ctrl+Del menu. This is not good because there are people who use only this way to see which processes are running. There are programs that will tell you exactly the process and the file it comes from. Yeah, but some trojans, as I told you, use fake names and it's a little hard for some people to understand which process they should kill. The remote access trojans open a port on your computer, letting everyone connect. Some trojans have options like changing the port and setting a password so only the guy that infected you will be able to use the computer. The change port option is very good because I'm sure you don't want your victim to see that port 31337 is open on their computer. Remote access trojans are appearing every day and they will continue to appear.

Password Sending Trojans
The purpose of these trojans is to rip all cached passwords and send them to a specified e-mail address without the victim knowing about the e-mail. Most of these trojans don't restart every time Windows is loaded, and most of them use port 25 to send the e-mail. There are such trojans that e-mail other information too, like the ICQ number, computer info and so on. These trojans are dangerous if you have any passwords cached anywhere on your computer.

Keyloggers
These trojans are very simple. The only thing they do is log the keys that the victim is pressing and then check for passwords in the log file. In most cases these trojans restart every time Windows is loaded. They have options like online and offline recording. In online recording they know that the victim is online and they record everything. But in offline recording, everything written after Windows starts is recorded and saved on the victim's disk, waiting to be transferred.
Destructive
The only function of these trojans is to destroy and delete files. This makes them very simple and easy to use. They can automatically delete all the .dll or .ini or .exe files on your computer. These are very dangerous trojans, and once you're infected, be sure that if you don't disinfect your computer, your information will no longer exist.

FTP trojans
These trojans open port 21 on your computer, letting EVERYONE that has an FTP client connect to your computer without a password and with full upload and download options.

News: .jpeg trojan
A trojan horse looking like a .jpeg image has been sent over the net for some time. The purpose of the trojan is to steal the ICQ password of the infected users. There have been only 200 incidents reported out of the estimated 40 million subscribers. Steve Gossett, an ICQ user in Temple City, California, said: "This is sort of like losing your own phone number that you've had for years and years." Over the last month, ICQ users have received an email message containing an attached file disguised as a JPEG. When users opened the attached file, instead of opening a JPEG image, the attachment loaded a small malicious program. The program emailed the user's ICQ password back to the sender.

Dancho
dancho@mbox.digsys.bg

X. Watch out for documents you publish on The Internet, you might get in trouble
---------------------------------------------------------------------------------

Note: the following article was written in an ironic way, just for people to see what some file types published on The Internet could cause:

./conspiracy -revangeon myenemy -feds arresthimsoon

My enemy, that I hate more than anything in the world, publishes M$ Office documents on the web: *.doc, *.ppt, *.xls. I'll do anything to cause him trouble, and what if the feds arrest him? Hmm, sounds good to me. Get the source or the file itself of a file infected with a macro virus, a Melissa-like one. Modify the code a little bit to prevent its detection by present virus definitions.
Open the document you downloaded from your enemy's site with a basic text editor (mac: BBEdit, win9*-nt: notepad). Ctrl-F: _PID_GUID (if he paid, he's been registered in M$ databases without knowing it (ref: http://www.hackernews.com/arch.html?031299)). Copy the _PID_GUID <*****-*******....> from your enemy's document and paste it into the infected file. Cross-post the attachment to many usenet porn channels with a suggestive title... Wait 1 week. Post your file to antivirus companies and say that you noticed suspicious network activity when opening this simple office document. They make a new a-v signature; the feds are interested in this thing that caused so much disorder in mail systems. They investigate; a few days after (they're very slow sometimes) they notice the _PID_GUID (software registered to your enemy and based on your enemy's MAC address). Day 13: feds knock knock on your enemy's door. Arrested and charged with interrupting public communication and wrongful access to computer systems.

Solution:
1- Use another office suite
2- Erase the GUID
mac: http://www.deepquest.pf/billblocker01.sit.hqx
win: http://www.vecdev.com/guideon.html

ps -aux
kill conspiracy all

Now you can sleep well and rest your dark spirit; it was pure imagination... reality is wilder.

Deepquest
deepquest@default.net-security.org

XI. Freedom of speech - related incidents
------------------------------------------

*******************************************************************
So. Let our debates be heated, that they may illuminate. Let our positions be polarized, so that matters may be confronted. And let us drop the lazy idea that any midpoint is the superior position of vantage. The truth cannot lie, but if it could, I have no doubt that it would lie somewhere in between.
---Christopher Hitchens
*******************************************************************

Every day the battle between freedom and repression rages through the global ether.
Here are this week's link highlights from NewsTrolls (http://www.newstrolls.com):

Thursday, September 2

China calls for crackdown on internet dissent...
"A circular issued by the Public Security Bureau on Monday called for an all-out war on anti-government and anti-communist articles on the internet, a source said. "Recently a hostile organization overseas have used our intra-net to wantonly propagate anti-government views and repeatedly publish reactionary articles," a copy of the circular said. The circular was issued after exiled Chinese dissidents attacked a chat site run by the leading People's Daily and ridiculed the Chinese government, the source said."

Are Monsanto's genetically Round-up Ready Terminator seeds strangling small farmers?

--------------------------------------------------------------------------
Long Weekend, September 3-6

Qi Yanchen arrested for alleged Internet crime...

Mexican government likened to Stalin's dictatorship...
"The punishment meted out for any disloyalty or dissent depended on the rank of the culprit. In the case of a middle or high-ranking military figure, they could be jailed without being told the reason, and then may simply disappear. For the 60 percent of Mexicans classed as poor, torture was routinely used, and they might "suddenly disappear" or have property confiscated, he said. For more senior figures, trumped-up allegations of tax fraud or other crimes may be made. "One of the most common is through tax fraud, because the tax laws are basically incomprehensible," he said. "The minister of the Treasury said he was incapable of filling out his own tax returns, so that absolutely anything at all can be tax fraud.""

Created in reaction to WalkerB's (George Bush, Jr.) desire to limit freedom of speech on the Internet, sign the online petition against political web sites having to register with the government

----------------------------------------------------------------------------
Tuesday, September 7

Waco and the price of lies...

Is medical info in the US moving too freely?

I don't care if the ignoramus does own most of the world's media: Rupert Murdoch (NWS) is the lapdog of the Chinese Communist Party...
"Mr Murdoch, who hopes to expand his business interests in China, said of the leader of Tibetan Buddhism: "I have heard cynics who say he's a very political old monk shuffling around in Gucci shoes." Mr Murdoch, 68, who recently married a 31-year-old Chinese woman, Wendi Deng, also excuses China's disregard for human rights on the ground that the average Chinese person cares more about "his next bowl of rice" than democracy... Mr Murdoch expresses his support for China's forced occupation of Tibet by asking whether Tibet's own culture was ever worth preserving: "It was a pretty terrible old autocratic society out of the Middle Ages. Maybe I'm falling for their propaganda," he says of the Chinese government, "but it was an authoritarian, medieval society without any basic services." In his ambition to expand his Star satellite television business in China, Mr Murdoch has already been accused of placing his commercial interests above freedom of speech. In 1994, he dropped the BBC from Star after it was critical of Chinese leaders and of the Tiananmen Square killings. Last year, he ordered his publishing company HarperCollins to abandon publication of Chris Patten's recollections of his time as Governor of Hong Kong because they too were critical of the Chinese government."

Call for release of Congolese scholar

-------------------------------------------------------------------------------
Wednesday, September 8

South African Communications Minister heralds the Internet as antidote to bribery and media gatekeeping...
"She said people could expect in future to be able to access and print out important government data, such as tender forms, as well as any other forms required from officials at public terminals at the Post Office. This would curtail the ability of officials to force members of the public to pay bribes to get free official forms or information."

US is allowing genocide in East Timor...
"The World Bank and the IMF must also stop all funds going into Indonesia, which receives some 1.8 billion dollars in US aid, the activist said. Amnesty International's Asia director T. Kumar warned that hundreds were dying by the hour in East Timor but that the scale of the violence was difficult to gauge as most foreigners and journalists had fled. "We are shocked to report to you that even we are helpless today," said Kumar, who also attended the press conference. A US observer who just returned from monitoring the vote also faulted the United States for allowing the crisis. "The US did not put the pressure on Jakarta it needed to," he said, adding that the world could stop the violence within two hours if it took action."

From East Timor Action Network (ETAN), here are more links to help you take action in support of East Timor independence...

More info on the massacres taking place as you read this...
""The man that we encountered was sliced numerous times on either arm and on his stomach. He was literally covered in blood but was walking," said Sexton after fleeing to Darwin on Wednesday from the East Timorese town of Suai... East Timorese Maria Bernardino said she had been told by a friend who had fled Dili for Kupang, the capital of West Timor, that militias on Tuesday attacked a church in Suai, killing an estimated 40 people. "The last time he looked there were about 40 people on the floor, he assumed they were dead. There was blood everywhere, people had been macheted and shot," Bernardino told Reuters.
"He saw a priest on his knees begging and screaming for people's lives, saying 'please have mercy'," she said. An Australian Catholic brother, who fled Dili on Tuesday, told Australian radio on Wednesday that an East Timorese child was cut to pieces by militias on the streets of Dili. The Catholic brother, who asked not to be named, said a local U.N. security officer witnessed the child's murder, which occurred when East Timorese were trying to flee to the safety of the U.N. compound in Dili. "The child was actually being cut up. He was chopped up and parts of his body were actually thrown about in Dili outside the UNAMET compound," he told Australian Broadcasting Corporation radio from Kupang in West Timor."

In just one week...

diva aka Pasty Drone
CEO NewsTrolls, Inc.
"Free Minds...Free Speech...NewsTrolls"
http://www.newstrolls.com
pastydrone@newstrolls.com

XII. Y2K survey for 72 countries
-------------------------------

The International Y2K Cooperation Center (IY2KCC), a United Nations backed group funded by the World Bank, today released its first survey of Y2K readiness in 72 nations, as reported by national Y2K coordinators representing each government.

"This is the unfiltered information straight from the people who have been working on the Y2K problem in each nation," said Bruce McConnell, director of the International Y2K Cooperation Center. "We encourage the many organizations currently making evaluations of country readiness to use this first-hand information to supplement their opinion surveys. It is imperative that analysts learn from the people actually doing the work before making judgments that have serious consequences."

"This principle applies equally to private consultants and to national governments that contemplate issuing travel advice to their citizens," said McConnell. In an Open Letter to Y2K Analysts, McConnell said, "All third party evaluations should reflect direct consultations with each affected country's Y2K coordinator.
These coordinators can be located via the Center's web page." "We also urge those countries that have not yet made their readiness information public to do so as soon as possible," said McConnell. "Full public disclosure of Y2K preparation activities is essential to maintain public confidence in the international marketplace."

The IY2KCC surveys were completed in August 1999 by Y2K coordinators appointed by their national governments. Y2K coordinators reported the month implementation was expected to be 90 percent completed. Status statements were provided for nine sectors: Energy, Communications, Finance, Transportation (Air, Sea, Land), Health, Government Services and Customs.

The 72 survey responses are posted on the website of the International Y2K Cooperation Center at www.iy2kcc.org, under Country Information. With this publication, 33 countries have for the first time provided information on the World Wide Web in English. Another 56 countries have shared information with the center but have not yet indicated their preference to share it with the public. Finally, 67 countries have not yet responded to the Center's request for information either via the survey or web site. The survey results will be updated periodically as additional countries respond.

Y2K refers to possible computer and automated control system malfunctions when the year changes from 1999 to 2000. Until recently, many computers and automated systems were programmed to handle only two-digit year formats, and could make mistakes when they encounter "00" in the date field. The IY2KCC was established in February 1999 under United Nations auspices with World Bank funding in response to the need to coordinate efforts to update computer and automated control systems around the world to smoothly transition to the year 2000.
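The two-digit year problem the press release describes, shown as an added example (not part of the IY2KCC text): a date-difference calculation done on two-digit years goes negative when "00" arrives, and the windowing fix that many remediations used, with the limit that fix carries. The pivot year and the sample dates are constructed for this example.

```python
"""Two-digit year arithmetic: the Y2K failure and a windowing fix.

Added example, not part of the IY2KCC press release. The pivot year (50)
and the sample dates are constructed.
"""
from datetime import date


def years_between_2digit(start_yy, end_yy):
    """The legacy calculation: subtract two-digit years directly.

    Correct while both years share a century; once the field rolls to 00
    the result turns negative (a 1998 record looks 98 years in the future).
    """
    return end_yy - start_yy


def expand_year(yy, pivot=50):
    """Windowing fix: read yy as 19yy if yy >= pivot, else 20yy.

    The pivot encodes the remediation's assumption that the system only
    handles dates inside one 100-year window (here 1950-2049). Anything
    outside the window is still misread, so the fix buys time, not correctness.
    """
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected (0-99)")
    return 1900 + yy if yy >= pivot else 2000 + yy


def years_between_windowed(start_yy, end_yy, pivot=50):
    """Same calculation after expanding both fields to four-digit years."""
    return expand_year(end_yy, pivot) - expand_year(start_yy, pivot)


def days_overdue(due_yymmdd, today_yymmdd, pivot=50):
    """Apply the fix to a whole YYMMDD date field, e.g. an invoice due date."""
    def to_date(field):
        yy, mm, dd = int(field[0:2]), int(field[2:4]), int(field[4:6])
        return date(expand_year(yy, pivot), mm, dd)
    return (to_date(today_yymmdd) - to_date(due_yymmdd)).days


if __name__ == "__main__":
    # A 1998 contract checked in 2000: legacy arithmetic says -98 years.
    print(years_between_2digit(98, 0))
    print(years_between_windowed(98, 0))
    # An invoice due 15 Dec 1999 looked at on 5 Jan 2000: 21 days overdue.
    print(days_overdue("991215", "000105"))
```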
Explanation of Posted Survey Results

Based on the responses from National Y2K Coordinators to a Y2K Readiness Survey (PDF), the International Y2K Cooperation Center has developed regional sector readiness charts. These charts provide countries with a way to tell their own stories about their Y2K preparations. We hope that this information will promote a more realistic understanding of global Y2K readiness, strengthen efforts to address critical areas in each country, and help direct available resources appropriately.

The charts depict sector readiness by country. The number in each block indicates the month in which the country reports it will be 90 percent complete with its Y2K implementation in that sector. The color indicates the level of dependence on information technology in that sector. Continuity/contingency planning and emergency response information for each sector can be found by clicking on the cell for the particular country and sector. Reported challenges and concerns for each sector are also detailed. In many cases, a country's national Y2K web site provides detailed information on sector status and contingency planning. Additional country readiness information will be added as soon as it is received from reporting national coordinators.

Asia: http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=Asia
Central America and the Caribbean: http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=LAC
Eastern Europe and Central Asia: http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=EE
Middle East and North Africa: http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=MENA
North America: http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=NA
South America: http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=SA
Sub Saharan Africa: http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=Africa
Western Europe: http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=WE

Lisa Pellegrin
Telephone: (202) 466-5464, ext. 11
Fax: (202) 466-5451
E-mail: pellegrin@iy2kcc.org
Web: www.iy2kcc.org

XIII. Journalism
----------------

Just a brief article, because I really must react. Yesterday in Croatia, 16-year-old Denis Perisa was caught using Back Orifice to enter the computer of a known politician over here and snatch his password. The main problem in all of this isn't that he was caught, but how the media could create a super-hacker from just an ordinary trojan user. The article was published in the Croatian daily newspaper Vecernji list, in Croatian (http://www.vecernji-list.hr/Pages/DUPN.html). When you read the article you can see that its author has little knowledge of The Internet and its services. Denis told them several very idiotic and untrue sentences like: "I could get in any bank system with just 2 of my friends and a good computer", "I have my own newsgroup on Usenet"... He didn't have any knowledge at all. His group could only "hack" Tripod websites (guess how: by using trojans, of course). "We don't need disclaimer because HACKING is NOT illegal in CROATIA!!! So we can put here our full names here and nobody can do us a fucki'n thing :) SO take your laptop, sit in a plane, come to Croatia and (fuck) HACK THE PLANET :)" - that was written on their page (lame, isn't it?).

The main problem is the journalists, who don't have a clue about what they are writing. Croatia is a small country (about 4.8 million citizens), and we don't have a "hacker" scene, at least as far as I know. Every time someone is caught in relation to computer crime, newspapers see profit in it, and they make terrible articles about it. A couple of years ago, one Croatian hacker penetrated one of the Pentagon servers (using an IMAP exploit), and several newspapers and magazines created a super hero out of him.
After that he said that he didn't know how to unzip some files :) If you know Croatian, do read this article written by me for the Croatian security news site (the column comments on all the facts that were written in the article about Denis): http://www.monitor.hr/security/clanci/denis.htm

Berislav Kucan aka BHZ
bhz@net-security.org
http://net-security.org