Default newsletter Issue #4
http://default.net-security.org
05.09.1999

Help Net Security
http://www.net-security.org

TABLE OF CONTENTS
-----------------
I. Editorial
II. Last week's news on Help Net Security
   a) Help Net Security news headlines
   b) Vulnerabilities reported last week
   c) Site News
   d) Defaced Pages
III. Description of the Millennium problem
IV. A look into basic cryptography
V. Telecom 101: Receiving through the serial port
VI. Macintosh security: Security audit with our Mac
VII. Computing: Matrox G400 MAX Review
VIII. Understanding basic crypto techniques
IX. Infection & Vaccination
X. New programs on Net-Security (NS Watch!)
XI. More news from the ACPO front
XII. The Hotmail security hole
XIII. Meet the underground
XIV. Freedom of speech - related incidents
XV. Microsoft Installs US Spy Agency with Windows

I. Editorial
------------
Hi there and welcome to yet another issue of our Default newsletter. A bit late, but brought straight to you from the Hit2000 Con (http://www.hit2000.org).

Ok, I (Thejian) am going to kick off with some issues regarding the organization of Default. We would like to hear your (the readers') opinion on them, because that's the only way for us to make this thing work (even better :) to your liking. A lot of our editors do have lives outside the Internet (yeah, don't ask me why or how, but...) and it has proven to be pretty difficult to expect them to come up with articles and columns on a weekly basis. We thought of two ways to battle this. We could start rotating columns, so our editors have a longer time period to complete their work (quantity- and quality-wise) while another column fills its spot in the newsletter, or we could change the number of times we release Default.
The "rotate-thing" depends very heavily on other people submitting articles, so once again, when you feel that writing urge, don't hesitate, just do it :) Releasing Default on a different time frame would be another solution, but we don't want to get the releases too far apart; we were thinking about once every 2 weeks or something. We're going to discuss this with all our editors as well, but we'd love to have some of your thoughts for them to think about then. Please give us some feedback on this.

On a very different note, I would like to take this opportunity to congratulate our affiliates at Newstrolls (http://www.newstrolls.com) on their one year birthday. Keep up the good work!

To finish off the points of interest, we now have 2 mirrors (or at least two of which we know) up at Attrition.org (http://www.attrition.org/~modify/texts/zines/Default/) and NWO.net (http://www.nwo.net/Default).

Well, that's about it for me, nothing much more interesting to tell here. It's been a very challenging week, with some major security and privacy breaches discovered. We've tried to deal with at least a couple of them in this issue. Until then, happy reading and thanks for supporting HNS and Default.

For the HNS and HNS Default Crew:

Berislav Kucan aka BHZ, webmaster Help Net Security
bhz@net-security.org

Xander Teunissen aka Thejian, co-webmaster Help Net Security
thejian@net-security.org

II. Last week's news on Help Net Security
-----------------------------------------
a) Help Net Security news headlines

- Friday 27th August 1999:
  Microsoft Security Bulletin #31
  Default #3 released
  Girl power hits e-commerce
  "Nines problem"
  Is Yahoo spam or anti-spam oriented?
- Saturday 28th August 1999:
  Front page permissions
  New acquisitions in Linux world
  Debian not vulnerable
  7 fired from First Union Bank

- Monday 30th August 1999:
  Intel y2k ready
  Toadie
  Security hole in Hotmail

- Tuesday 31st August 1999:
  Linus Torvalds
  More on Hotmail
  An overload of computer crime
  German encryption products freely exportable
  Pargain web hoax creator sentenced
  Canadian government site hacked
  CERT current activity
  How to counter an unseen, unpredictable enemy

- Wednesday 1st of September 1999:
  Teen hacker arrested
  Legal repercussions of the Hotmail flaw
  Adobe unveils secure pdf
  Microsoft issues IE patch
  Government preparing for y2k violence
  Office fix flawed
  WH panel calls for crypto export reform

- Thursday 2nd of September 1999:
  Securitysearch
  Government sites attacked
  LOU dissolved
  "Thursday" virus sightings
  Most software sold online is pirated
  Hacker sentenced to 18 months
  The other y2k problem: Hacker attacks
  Hackers threat to minister's web site

- Friday 3rd of September 1999:
  Visa and Cybersource target online fraud
  New privacy web service not so private
  Analyzer pleads innocent
  Projects page is up
  No y2k problems for cars
  Value net and scam
  The cleaner 3.0
  Secure web based e-mail
  Windows contains a backdoor?
- Saturday 4th of September 1999:
  Hackers answer MS Win2000 challenge
  PrivacyX reverses course
  City hires company for security audit
  Crackers threaten NASA and Mormon web sites
  Paris hacked

b) Vulnerabilities reported last week (our thanks go out to BugTraq for this list)

27-08 Microsoft HTML Form Control DoS Vulnerability
27-08 ProFTPD Remote Buffer Overflow
30-08 Redhat amd Buffer Overflow Vulnerability
31-08 mars_nwe Buffer Overflow Vulnerabilities
31-08 TFS Gateway 4.0 Denial of Service Vulnerability
02-09 Netscape Communicator EMBED Buffer Overflow Vulnerability
02-09 Multiple Vendor INN inews Buffer Overflow Vulnerability
02-09 Cisco Catalyst 2900 VLAN Vulnerability

c) Help Net Security site news

* not applicable this week *

d) Defaced pages (mirrors provided by Attrition (http://www.attrition.org))

Site: Western Australian Electoral Commission (www.waec.wa.gov.au)
Mirror: http://default.net-security.org/4/www.waec.wa.gov.au

Site: Bureau of Transportation for Taipei City (www.dot.taipei.gov.tw)
Mirror: http://default.net-security.org/4/www.dot.taipei.gov.tw

Site: Ministry of Transportation and Communications, Republic of China (www.motc.gov.tw)
Mirror: http://default.net-security.org/4/www.motc.gov.tw.htm

Site: HotMail Hack (www.hotmailhack.com)
Mirror: http://default.net-security.org/4/www.hotmailhack.com.htm

Site: Ontario Ministry of Northern Development and Mines (www.mndm.gov.on.ca)
Mirror: http://default.net-security.org/4/www.mndm.gov.on.ca.htm

Site: 7th Army Training Command, Bavaria, Germany (www.cmtc.7atc.army.mil)
Mirror: http://default.net-security.org/4/www.cmtc.7atc.army.mil.htm

Site: MegaAdult (www.megaadult.com)
Mirror: http://default.net-security.org/4/www.megaadult.com.htm

Site: SecurityNet (www.securitynet.net)
Mirror: http://default.net-security.org/4/www.securitynet.net.htm

Site: Ministério da Agricultura e do Abastecimento (www.agricultura.gov.br)
Mirror: http://default.net-security.org/4/www.agricultura.gov.br.htm

III. Description of Y2K Problem
-------------------------------
The Year 2000 problem (Y2K, Millennium Bug, Millennium Virus) came about due to programming practices involving the use of 6-digit dates (dd/mm/yy) rather than 8-digit dates (dd/mm/yyyy). This results in the possibility of a year such as 31 being misinterpreted (is it 1931 or 2031?). Thus, any computer program which deals with 6-digit dates is susceptible to the Y2K problem.

The Y2K problem involves two key date issues:

Date mathematics. For years businesses have used date math to compute things such as aging schedules, due dates, past due accounts, etc. Many computer applications now support the use of date mathematics (Lotus 1-2-3, MS-Excel, MS-Access, etc.). These applications all work by using a base year (often Jan. 01, 1900) as a starting point and then tracking the date and time numerically from that point (how much time has elapsed since Jan 01, 1900). Thus, a time might be stated as a fractional component of the day integer (35927.63 = May 12, 1998, 3:08 pm based on MS-Excel). This means that computing the difference between Jan 01, 1998 and Jan 01, 1999 would result in 365 days. Computing the difference between today and when a bill was incurred would indicate how old a debt was (e.g. 45 days = past due).

So, when the year 2000 comes into play using a 6-digit date we end up with situations like Jan 01, 00 - May 12, 1998. If the 00 is misinterpreted by a computer system as 1900 then the calculation will result in a large negative number (in this case -35,926). This number may or may not be a problem the computer application can deal with. It is possible that this number will be turned into its absolute value (the negative sign is dropped if no space is reserved to hold it), which will cause even more confusion. Imagine if your debt went from 22 days old to 35,926 days old. The past due notice would give you a surprise.
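The date-math failure just described, worked through in Python as an added example (not part of Dr. White's column): the Excel/Lotus day serial, a 6-digit date read with a fixed "19" century, the dropped sign, and the windowing (pivot-year) fix that most remediation used when the field could not be widened; it also covers the "is today past the expiry date" comparison the column discusses next. All sample dates are constructed from the column's own numbers.

```python
from datetime import date


def excel_serial(d):
    """Day number the way Lotus 1-2-3 and MS-Excel count it: 1 = Jan 01, 1900.

    Lotus treated 1900 as a leap year, so from 1 March 1900 on the serial is
    one higher than a pure Gregorian day count; Excel kept that behaviour."""
    serial = (d - date(1899, 12, 30)).days
    if d < date(1900, 3, 1):
        serial -= 1
    return serial


def parse_6digit(text, pivot=None):
    """Parse a dd/mm/yy string.

    pivot=None reproduces the legacy assumption: the century is always 19.
    pivot=N applies a sliding window: yy below N is 20yy, anything else 19yy."""
    dd, mm, yy = (int(part) for part in text.split("/"))
    if pivot is None:
        year = 1900 + yy
    else:
        year = 2000 + yy if yy < pivot else 1900 + yy
    return date(year, mm, dd)


def days_outstanding(today, incurred, pivot=None):
    """Age of a debt in days, as a spreadsheet would compute it."""
    return excel_serial(parse_6digit(today, pivot)) - excel_serial(parse_6digit(incurred, pivot))


def stored_age(days):
    """A field with no room for a sign keeps only the magnitude."""
    return abs(days)


def past_expiry(today, expires, pivot=None):
    """The 'is today greater than the expiration date' check of a card terminal.

    With pivot=None it compares (yy, mm, dd) tuples of two-digit years, so
    01/01/99 sorts after 01/01/00 and a card valid until 2000 is rejected."""
    if pivot is None:
        key = lambda t: tuple(int(p) for p in reversed(t.split("/")))
        return key(today) > key(expires)
    return parse_6digit(today, pivot) > parse_6digit(expires, pivot)


if __name__ == "__main__":
    # Constructed sample: bill incurred 12 May 1998, "today" written as 01/01/00.
    print(excel_serial(date(1998, 5, 12)))                        # 35927
    print(days_outstanding("01/01/00", "12/05/98"))               # -35926 (00 read as 1900)
    print(stored_age(days_outstanding("01/01/00", "12/05/98")))   # 35926
    print(days_outstanding("01/01/00", "12/05/98", pivot=50))     # 599
    print(past_expiry("01/01/99", "01/01/00"))                    # True: card wrongly rejected
    print(past_expiry("01/01/99", "01/01/00", pivot=50))          # False
```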
In old COBOL (a programming language that is still in widespread use) dealing with date math is even more complicated. Dates in COBOL are typically stored in three different locations (a month, a day, and a year). The year is often stored as 2 digits to save space and simplify output problems with pre-printed forms. In some cases, COBOL programs were written with 4-digit dates and 1900 is subtracted from the date to generate the form (1981 - 1900 = 81) so that the form can look like 1981 when it is generated. This will cause a problem since 2001 - 1900 = 101 instead of 01. In other cases where a 6-digit date was used, the problem is even worse since there is no clear indication of which date we are talking about. Imagine a COBOL program that deals with county records to record births and deaths. If all the dates are stored as 6 digits, soon you will have records which say something like 09/03/63. Now suppose I live to be a hundred years old: my birth is recorded as 09/03/63, and if I die on my birthday 100 years later my death would also be 09/03/63. A casual observer might interpret this as me dying at birth or who knows what. Thus, the main problem of Y2K is the problem of incorrect results when date mathematics are conducted. Most companies are working to correct these problems in their COBOL programs and most current microcomputer applications already have built-in fixes.

The second type of problem involves systems that check the date for some purpose to determine if a valid date is being used. An example might be a credit card expiration date. If the program that checks this when the card is scanned is very simple, it might just ask "is today greater than the expiration date?". Thus, 01/01/99 is greater than 01/01/00, which would result in your credit card being rejected. Another example is a security system which checks to see if today is a valid date before recording an entry or exit from a building.
If the 00 date is determined to be out of range or the computation is at fault, the system may simply shut down and lock all the doors.

--------------------------------------------------------------------------------

Why did Programmers Do This?

Essentially, several reasons exist for this problem:

Saving space in computer memory. Originally, computers had very small amounts of memory available and the repeated use of two extra digits could make a significant difference to the amount of memory available, so in the interests of efficiency the seemingly redundant thousands and hundreds were dropped.

Preprinted forms. Designing computer output for old systems was quite tedious and required that every variable be specifically defined. In order to make it easy to print a two digit year after a preprinted 19, it was simpler to use two digit years in the program.

Unexpected longevity. Since the year 2000 was a very distant date, most people didn't really think about this problem until recently. Thus, a lot of programs were written in the traditional manner of using 2-digit years on the date.

--------------------------------------------------------------------------------

What is COBOL and why does it exist?

COBOL is a computer programming language developed by the CODASYL committee (Conference on Data Systems Languages) in 1959. COBOL became the business programming language of choice for large scale applications throughout the 60's, 70's and 80's. Millions and millions of lines of COBOL programs were written and these systems (often called legacy systems) are still in use today since it is expensive and difficult to replace an accounting system or payroll system in a large corporation. The old adage, "If it ain't broke, don't fix it", has also played a role in the continuation of COBOL as a programming language nearly 40 years after its original inception.

Where is the problem?

Any computer program which deals with dates is susceptible to this problem.
Thus, if you use dates in any of your applications at home or work, you should make sure the applications you are using or the programs you are writing are compliant with 8-digit dates or have some other mechanism built in to deal with the year 2000. If you fail to do this your business may suddenly find all of its records out of order, or important information could be lost due to problems dealing with data that is out of range.

Will this problem dramatically affect my life?

Not likely; most companies are taking steps to deal with this problem. There will likely be isolated incidents of problems (like a credit card rejected) that will quickly be identified and corrected by the institution. At home, if you make sure all of your applications and programs utilize 8-digit dates then you should experience no problems with your personal applications.

What are Logic Devices [PLD]?

Logic devices and programmable logic devices are technical terms used to refer to the many semiconductor based "chips" that are used to manage various devices (anything from a simple coffee maker to a giant production machine). These devices are usually programmed using assembly language and it is estimated that literally 10s of billions of these things exist around the world.

Why are people concerned about PLDs in conjunction with Y2K?

Many people believe that a large number of devices that utilize PLDs will fail when the year 2000 rolls around since PLDs may contain date sensitive code. In particular, programmable devices like VCRs, coffee makers, security systems, etc. are susceptible to this type of problem. If the PLD is date sensitive and was not set up to deal with 8-digit dates (discussed earlier), then a number of different things may happen:
1) the device may simply fail to operate;
2) the device may report the incorrect day of the week (if it thinks the year is 1900);
3) the device may fail to operate as expected (coffee maker doesn't come on in the morning).
Thus, there is the potential for a lot of problems with this type of thing, but I don't think any of it is earth shattering (although if my coffee maker stops working there is going to be a serious problem). The other side of this coin is that PLD devices are used in large production systems that manage things like power plants and food processing machinery (literally everything these days has a PLD in it somewhere). Many speculate that electricity will fail and all sorts of problems will ensue. My thought is that if the power company is not producing electricity then it is not making any money. While I have not worked in the power industry, my feeling is that they are testing these systems and making corrections, so again, there may be some isolated power outages, but as soon as the power fails they can start repairing that system.

What can I do about PLDs?

Well, the easiest thing to do is to set the dates on the various devices in your house that are programmable (security system, coffee maker, etc.) to dates after the year 2000 and see what happens. If any problems ensue then you can figure out what to do next (contact the manufacturer or replace the device). Mostly I would check out your mission critical systems. I checked out the coffee maker and the security system and both worked fine.

--------------------------------------------------------------------------------

How to be sure:

Assess your personal work. Are there applications or programs that use dates in computation or for reference purposes? If you have such applications you may want to investigate to determine if those applications and programs use 6- or 8-digit dates. If you are using 6-digit dates, then you should convert them to 8-digit dates or at least test the application to determine if there is a problem (try entering some dates in the future). Be sure to back up your original files before you try any of this.

Dr. Doug White
Monfort College of Business
The University of Northern Colorado
doug.white@acm.org

IV. A look into basic cryptography
----------------------------------
Last issue I gave you the algorithm to a message. The message was HELLO and, encrypted, was CCJQA. I asked you to take the known key, 73, and decipher the message and release the way you decrypted it. Here is how you do it.

A=1  B=2  C=3  D=4  E=5  F=6  G=7  H=8  I=9  J=10 K=11 L=12 M=13
N=14 O=15 P=16 Q=17 R=18 S=19 T=20 U=21 V=22 W=23 X=24 Y=25 Z=26

3-73=-70, 26-70=-44, 26-44=-18, 26-18=8. 8 is the first letter. 8 is H
3-73-3=-73, 26-73=-47, 26-47=-21, 26-21=5. 5 is the second letter. 5 is E
10-73-3=-66, 26-66=-40, 26-40=-14, 26-14=12. 12 is the third letter. 12 is L
17-73-10=-66, 26-66=-40, 26-40=-14, 26-14=12. 12 is the fourth letter. 12 is L
1-73-17=-89, 26-89=-63, 26-63=-37, 26-37=-11, 26-11=15. 15 is the fifth letter. 15 is O

The original message is HELLO.

Now mathematically...

C(1)-N=X (if X<0, add it to 26. Repeat until 26>X>0). That's P(1).
C(2)-N-C(1)=X (if X<0, add it to 26. Repeat until 26>X>0). That's P(2).
C(r)-N-C(r-1)=X (if X<0, add it to 26. Repeat until 26>X>0). That is P(r).

Now here's another challenge for you. The ciphertext is XHGSQGAECWSI

And no, I did not encode the key number. See if you can crack it. One suggestion is making a program to brute force it. Then again... It may be a very very very high number... but it also may be really small. I don't expect anyone to crack this. I'll release the message in the next issue. You know the algorithm. Get to analyzing.

NOTE: If anyone does come up with an algorithm, don't be shy. Send it on in, I will take a look at it. If I understand it and like something about it, I may just toss it up on here for people to look at. If I don't understand it, I'll inquire with you about it. Just don't send me a message enciphered with some algorithm you made up and ask me to crack it without the algorithm.
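The chained shift above, as an added Python example (mine, not Iconoclast's): decrypt walks the C(r)-N-C(r-1) rule with the A=1..Z=26 table, encrypt is its inverse, and brute_force shows why "a very very very high number" buys nothing: only the key mod 26 affects the output, so there are never more than 26 candidate plaintexts to read through.

```python
# Iconoclast's chained shift: each plaintext letter is shifted by the key N
# plus the previous *ciphertext* letter. Letters are numbered A=1 .. Z=26.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def num(ch):
    """A=1 ... Z=26, as in the column's table."""
    return ALPHABET.index(ch.upper()) + 1


def letter(x):
    """Fold any integer into 1..26 (the 'add 26 until it is in range' rule;
    26 itself stays Z) and return the letter."""
    return ALPHABET[(x - 1) % 26]


def decrypt(ciphertext, key):
    """P(r) = C(r) - N - C(r-1), with C(0) = 0 for the first letter."""
    plain, prev = [], 0
    for ch in ciphertext:
        c = num(ch)
        plain.append(letter(c - key - prev))
        prev = c
    return "".join(plain)


def encrypt(plaintext, key):
    """Inverse of decrypt: C(r) = P(r) + N + C(r-1), folded into 1..26."""
    cipher, prev = [], 0
    for ch in plaintext:
        c = (num(ch) + key + prev - 1) % 26 + 1
        cipher.append(letter(c))
        prev = c
    return "".join(cipher)


def brute_force(ciphertext):
    """Every key is equivalent to key mod 26, so however large the key,
    there are only 26 distinct decryptions to look at."""
    return {k: decrypt(ciphertext, k) for k in range(26)}


if __name__ == "__main__":
    print(decrypt("CCJQA", 73))   # HELLO, the worked example from the column
    print(encrypt("HELLO", 73))   # CCJQA
    for k, guess in brute_force("CCJQA").items():
        print(k, guess)           # key 21 (= 73 mod 26) gives HELLO
```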
I'm balancing several jobs and doing this newsletter in my spare time, so I don't have much time to work on decrypting things. That's it for today; you've seen the entire howto as it stands up to date. Expect more from me next issue. Been fun.

-Iconoclast
crypto@default.net-security.org

V. Telecom 101 - Receiving through the serial port
--------------------------------------------------
Hi and welcome to the last part of my pager-messages sniffing column. This one is going to be a quickie, but oh well :). Anyways, let's get this going. As I earlier mentioned, it's possible to hook your scanner up to your PC and set it to scan certain frequency ranges for messages. In this way you could set it to receive pager signals which you could decode. Pagers, however, are made to pick up those signals for themselves, and with a little modification even for others too. Today we'll put all of this together into a device to do some off-the-air POCSAG decoding. Using this device as a middle-man between your scanner/receiver and your box will allow a more accurate and clearer receipt of the POCSAG numeric and alphanumeric signals.

What will you need for this? The parts list:

U1    741
R1    100k
R2    10k
C1    0.1 uF
C2-3  10 uF, 16 V
D1-4  1N4148 or 1N914

Here's the schematic. Yeah, I know my ASCII skills are elite :) and the deciphering of this schematic will probably take up the most time, but this damn laptop keyboard of mine just isn't cooperating.

[ASCII schematic; only its labels survived in this copy: Audio In coupled through C1 into U1 (741, pins 2, 3, 4, 6, 7) with R1, R2, C2 and C3; D1-D4 take the supply from DTR (+12 V) and RTS (-12 V); the output goes to CTS; common GND.]

Now how to connect this thing.
Input to this device comes straight from your receiver (pager/scanner). Most of the time you connect this device to the COM2 port, but it more or less depends on what port you've got free. You connect the ports like this:

Signal   25-way   9-way
CTS         5        8
GND         7        5
TxD         2        3
RTS         4        7
DTR        20        4
DSR         6        6

The device is powered by the serial port.

Sources (go here for more info):

An excellent article by Emmanuel Goldstein in Phrack
http://www.2600.com/phrack/p46-08.html

Software for the actual encoding and decoding of POCSAG signals
http://www.bearnet.demon.co.uk/pocsag/index.htm

A pretty good (Dutch) site on scanners and telecommunications in general
http://ssb.auvicom.nl

Ok, that's it for today. Parting is sorrow, but don't worry, I'll be back in the next issue :)

Xander Teunissen, aka Thejian, Help Net Security
thejian@net-security.org

VI. Security audit with our Mac
-------------------------------
Part 1

Security audits are very fun: from penetration testing, to local domain(s) checking, to user rights, they give white hat hackers a great way to express their skills. Common users think it requires a very powerful computer; that's not totally true unless you want to use brute force attacks on FTP, web server, AppleTalk or NT passwords. There are 1000's of tools you can use: commercial products or freeware security tools. Yes, you can use Windows NT or Linux tools, but why not use all your favorite toys on one computer, a Mac? Let's take a PowerBook G3 450 MHz with 128 MB of RAM and a 6 GB disk to make this audit. The aim is not to reach a C2 security level, even though it can be done and checked from the PowerBook, but a basic security audit focused on 3 points:

- NT, Unix and AppleTalk password resistance to brute force attacks.
- LAN production servers reliability.
- DMZ penetration testing (from the Internet and the local LAN).

First of all we will get a copy of two other OSes: Windows NT and LinuxPPC.
Get something like Virtual PC (http://www.connectix.com) or Blue Label (http://www.lismoresoft.com) to run NT, and a copy of LinuxPPC (http://www.linuxppc.com).

*/ First we will test the reliability of users' passwords. Almost 75% of the threats come from the inside of a company... Easy passwords and default rights (especially with NT) on a local network can be VERY dangerous. For the brute force attack we will get dictionaries (ftp://ftp.replay.com/pub/replay/wordlists/). Point your browser to L0pht to get the world's most known NT password checker: L0phtCrack 2.5. For the AppleTalk password guessing we'll get Magic Key 2.0.2 (http://www.deepquest.pf/MK202.sit). You'll use L0phtCrack 2.5 on your Virtual PC workstation and Magic Key under MacOS. This first part doesn't ask much skill, but it will put a heavy load on your computer, so let it run at least 1 business day to get a good result. If this network has Unix computers, try to decrypt the password file locally or remotely with Meltino (http://www.deepquest.pf/mac.htm); it'll give you some passwords, and the more passwords you get, the less secure they are. It's very common to find names of people, animals, etc. We could have used Linux for breaking the password file on the Unix computer, but Magic Key wouldn't be able to run. Now your Mac is in full effect: it's a real heavy brute force attack simulation: AppleTalk, NT and Unix password attacks. Let your computer run several hours with this software; don't try to use anything else because of the maximum CPU load and to get a better result. Make sure you merge several dictionaries.

*/ Major companies run Windows NT servers mixed with Unix flavored servers like Solaris. Plus those companies have most of the time an intranet, dialup access and an Internet web server (sometimes directly hosted by an ISP). You're likely to find IIS or Apache web servers. Those servers are for the different departments of the company (HR, Marketing, Finance, etc.)
with restricted access. The best tool to use is a cgi-check program trying to access restricted directories or administrative files. The original cgi-check was written in C, so you have to compile it with Unix... There's another alternative: a few months ago I adapted this great tool to a more cross-platform language, REBOL. You just have to get REBOL from www.rebol.com and cgicheck 99. Then put cgi-check99.r in the REBOL folder, launch REBOL and do a "do %cgi-check99.r"; it will ask you for an IP to scan and will display the discovered vulnerabilities. Around 70 of the most known vulnerabilities are detected. REBOL runs on most OSes.

----------beginning of code/c-p to a cgi-check99.r file----------
REBOL [
    Title: "CGI Check 99 v0.3"
    Date: 9-Jun-1999
    Author: "deepquest"
    Comment: "extR4 shOut 2: loser, packetstorm, attrition, H4k, acpo, krisTof, mad55, siRYus, bl4St, nucleus, & Other dark/white cR3Ws"
    File: %cgi-check99.r
    Email: deepquest@netscape.net
    Purpose: { Remote Exploits Checker 75 vulnerabilities. }
]

secure none
print "CGI Scanner. Improved by deepquest."
prin "Site to scan: "
site: input

; Each pair is the path to probe and the name printed when the server says it is there.
checks: [
    "/cgi-bin/rwwwshell.pl"                       "THC - Backdoor"
    "/cgi-bin/phf"                                "PHF"
    "/cgi-bin/Count.cgi"                          "Count.cgi"
    "/cgi-bin/test.cgi"                           "test-cgi"
    "/cgi-bin/nph-test-cgi"                       "nph-test-cgi"
    "/cgi-bin/nph-publish"                        "nph-publish"
    "/cgi-bin/php.cgi"                            "PHP"
    "/cgi-bin/handler"                            "handler"
    "/cgi-bin/webgais"                            "webgais"
    "/cgi-bin/websendmail"                        "websendmail"
    "/cgi-bin/webdist.cgi"                        "webdist.cgi"
    "/cgi-bin/faxsurvey"                          "faxsurvey"
    "/cgi-bin/htmlscript"                         "htmlscript"
    "/cgi-bin/pfdisplay.cgi"                      "pfdisplay"
    "/cgi-bin/perl.exe"                           "perl.exe"
    "/cgi-bin/wwwboard.pl"                        "wwwboard.pl"
    "/cgi-bin/www-sql"                            "www-sql"
    "/cgi-bin/view-source"                        "view-source"
    "/cgi-bin/campas"                             "campas"
    "/cgi-bin/aglimpse"                           "aglimpse"
    "/cgi-bin/glimpse"                            "glimpse"
    "/cgi-bin/man.sh"                             "man.sh"
    "/cgi-bin/AT-admin.cgi"                       "AT-admin.cgi"
    "/cgi-bin/filemail.pl"                        "filemail.pl"
    "/cgi-bin/maillist.pl"                        "maillist.pl"
    "/cgi-bin/jj"                                 "jj"
    "/cgi-bin/info2www"                           "info2www"
    "/cgi-bin/files.pl"                           "files.pl"
    "/cgi-bin/finger"                             "finger"
    "/cgi-bin/bnbform.cgi"                        "bnbform.cgi"
    "/cgi-bin/survey.cgi"                         "survey.cgi"
    "/cgi-bin/AnyForm2"                           "AnyForm2"
    "/cgi-bin/textcounter.pl"                     "textcounter.pl"
    "/cgi-bin/classifieds.cgi"                    "classifieds.cgi"
    "/cgi-bin/environ.cgi"                        "environ.cgi"
    "/cgi-bin/wrap"                               "wrap"
    "/cgi-bin/cgiwrap"                            "cgiwrap"
    "/cgi-bin/guestbook.cgi"                      "guestbook.cgi"
    "/cgi-bin/edit.pl"                            "edit.pl"
    "/cgi-bin/perlshop.cgi"                       "perlshop.cgi"
    "/_vti_inf.html"                              "_vti_inf.html"
    "/_vti_pvt/service.pwd"                       "service.pwd"
    "/_vti_pvt/users.pwd"                         "users.pwd"
    "/_vti_pvt/authors.pwd"                       "authors.pwd"
    "/_vti_pvt/administrators.pwd"                "administrators.pwd"
    "/_vti_pvt/shtml.dll"                         "shtml.dll"
    "/_vti_pvt/shtml.exe"                         "shtml.exe"
    "/cgi-dos/args.bat"                           "args.bat"
    "/cgi-win/uploader.exe"                       "uploader.exe"
    "/cgi-bin/rguest.exe"                         "rguest.exe"
    "/cgi-bin/wguest.exe"                         "wguest.exe"
    "/scripts/issadmin/bdir.htr"                  "BDir - Samples"
    "/scripts/CGImail.exe"                        "CGImail.exe"
    "/scripts/tools/newdsn.exe"                   "newdsn.exe"
    "/scripts/fpcount.exe"                        "fpcount.exe"
    "/cfdocs/expelval/openfile.cfm"               "openfile.cfm"
    "/cfdocs/expelval/exprcalc.cfm"               "exprcalc.cfm"
    "/cfdocs/expelval/displayopenedfile.cfm"      "displayopenedfile.cfm"
    "/cfdocs/expelval/sendmail.cfm"               "sendmail.cfm"
    "/iissamples/exair/howitworks/codebrws.asp"   "codebrws.asp"
    "/iissamples/sdk/asp/docs/codebrws.asp"       "codebrws.asp"
    "/msads/Samples/SELECTOR/showcode.asp"        "showcode.asp"
    "/search97.vts"                               "search97.vts"
    "/carbo.dll"                                  "carbo.dll"
    "/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd" "whois_raw.cgi"
    "/doc"                                        "Debian Boa"
    "/.html/............./config.sys"             "ICQ99"
    "/....../"                                    "personal webserver"
    "/scripts/no-such-file.pl"                    "IIS-perl"
    "/cgi-bin/visadmin.exe?user=guest"            "OmniHTTPd Web Server"
]

; exists? on a URL asks the server whether the resource is there
foreach [path name] checks [
    if exists? join http:// [site path] [print name]
]
--------------------end of code--------------------

Another basic thing you can do is to look for the latest security issues on forums like Bugtraq or others. Zero day exploits have to be taken into consideration since you're asked to take a snapshot of Information Services. Don't waste your time on local bugs, but rather on remote exploits. I assume the company has at least a secure data room!

Another thing to do from your Virtual PC is to use DumpACL and DumpReg on the NT server. What are the access levels and for whom? Checking AppleShare IP shares is very fast to do remotely with ServerScan (http://freaky.staticusers.net/network.shtml). You won't have to worry about special shares like NT has in the registry, or admin shares like c$, etc. Unix is quite different; I suggest you use Panda309 by thegrid (http://www.deepquest.pf/panda309-v1.0.tar.gz). It runs on LinuxPPC, does a B or C class portscan with remote OS fingerprinting and some vulnerability detection. In a few minutes you get a map of the LAN. This part of the audit can take up pretty much time, but make sure you check what you're told to check :-)

/*EOF 1-2

ps: this txt does NOT make your computer, LAN, DMZ safer at all! It's just a basic overview of what you can do from a Mac.

DMZ audit to be continued.... next week

Deepquest
deepquest@default.net-security.org
All rights not reserved - Serving since 1994
http://www.deepquest.pf

VII. Computing: Matrox G400 MAX Review
--------------------------------------
Matrox has been around since the dawn of 3D graphics. Their Millennium actually harbored a 'few' 3D features but the subsequent Mystique, PowerVR PCX2 and G200 parts were far from being 'real' gaming boards. The performance and feature list was way below par for the Mystique and the G200 just couldn't cope with Quake 2. 1997 to the present hasn't been exactly fruitful for Matrox.
Gamers in particular have always sided with 3dfx or NVIDIA. With only a few OEM design wins for the G200, Matrox clearly had some work to do for their next generation G400 chipset.

The fill rate of the G400 MAX is certainly up there with the best of the bunch at 333 MTexels per second (and identical to that of the Voodoo3 3000). The G400 MAX processor also supports single cycle multi-texturing (great for those 3D first person shooters). As with most of these new 2D/3D chips, the G400 MAX is on a .25 micron five layer metal process technology. It also harbors Matrox's 256-bit DualBus architecture with a true 128-bit external bus to video memory. Although we've yet to witness the Camino and AGP 4X, the G400 MAX is AGP 2X/4X capable with Multi-threaded Bus Mastering. It's ably backed up by 32MB of SGRAM. Matrox hasn't actually come out and said what their clock speed is, but with a 333 Mtexel/sec fill rate it's pretty easy to work out that 'magic' number. Bearing in mind that it is two texels per clock, you simply divide 333 by two and are left with 166MHz.

D3D is certainly where the 'future' lies and with a G400 MAX and its 32MB, you'll be in the very best of hands. It really is exceptionally fast. The Forsaken scores were not only the fastest yet seen, but the astounding 32-bit performance certainly sets a precedent. The performance hit was minimal at 'worst' and at 800x600 in 32-bit, the frame rate was over 200fps. Even at 1600x1200 we still see scores over 70fps in 32-bit on a Pentium III 500MHz. The multitexturing capabilities of the card under DX6 were also impressive, as the Shogo: MAD scores show. (The higher the resolution and color depth, the wider the gap between the G400 MAX and the rest.)

No FINAL ICD was available with the review unit. Matrox really does need to sort this out in time for the product launch (it even says a FULL ICD is supposed to come with the retail part). Clearly some work needs to be done.
Quake 2 performance, whilst acceptable (especially at the higher resolutions), was still some way off from a Voodoo3 or TNT2. Half-Life was even worse; the performance was way below par. We understand that the OpenGL drivers we were given were in BETA, so we'll update these scores as and when we can. On the other hand, Quake 3: Arena at 1024x768 and in 32-bit was very playable. (The slower OpenGL Quake 2 scores force us to dock a point off the final score. Should Matrox get around to improving the performance, we will re-evaluate.)

Clearly for its whopping great $249 asking price, this card is NOT for the low-end user. The faster your CPU, the better performance you get for your money. A Celeron 400 would be our cut-off point, where you're still likely to find that the D3D performance is top notch.

(The question is, how many game developers are going to implement this feature? We hope it picks up more than S3's S3TC has done thus far. Matrox lists some 40 games.....)

Ok, so now you've seen just how stunning a game can look when the feature is implemented, but what's the big deal? All the major 3D chip manufacturers list 'bump mapping' on their spec sheet, right? Well, the truth is out there somewhere. There are many ways to represent this effect. There's the conventional cheat of embossing, there's the PowerVR way, there's the Dot3 3Dlabs method and finally there's the Matrox way. Matrox's implementation of this DirectX 6.0 'quality feature' allows for a richer looking environment than mere embossing can simulate. It allows for multiple light sources in one pass as well as reflective environment mapping on the same bump. Most other 3D cards (the Voodoo3, TNT2 etc.) use the conventional embossing method to simulate bump mapping, which really isn't all that big of a deal. Voodoo Graphics could do the very same thing way back in 1997.
This embossing (or multi-pass alpha blending) is limited to monochrome lighting and also brings out artifacts when simulated because of its per-polygon technique (Matrox's bump mapping is per pixel instead). Using embossing won't give you those luscious rolling waves as seen above; one can't use an environment map to simulate distortion effects. Basically, a TNT2 or Voodoo3 will 'counterfeit' bump mapping because embossing is NOT the real deal.

In a market so over-saturated it's really no surprise that Matrox is pushing their beloved bump mapping so hard. For them it's what separates their card from the rest of the crop. The question is, does it do for you what it does for them? You've seen the shots of Expendable, but even if Matrox convinces game developers that bump mapping is a case of 'do or die', it'll still be a while before it becomes an industry standard (if it indeed does). The jury is still out amongst gamers and game developers alike in terms of the performance hit entailed with bump mapping. Although Expendable 'seemed' to hold up to a similar frame rate when bump mapping was turned on, it wasn't really the best test. Odd cars and water effects are not exactly 'whole scenes'. Try a couple of Quake 3: Arena 'bump mapped' tunnels and then we'll know for sure. Having said that, using embossing is an even greater strain on your CPU as it calculates UV shifts. (It really is gorgeous, but will game developers support this feature? Only time will tell.)

The G400 MAX is certainly a 'feature' driven product. Just like the NVIDIA TNT2, it harbors support for a 24-bit Z-Buffer with an 8-bit stencil buffer (which looks excellent when used in Quake 3). The stencil buffer can be used to specify conditional masks, which in turn allows for dissolve and transition effects such as volumetric shadows, silhouettes, scorch/skid marks etc. It's certainly a welcome feature and eradicates the 'flickering shadow' seen with a 16-bit Z Buffer.
(Whilst far from being an essential feature (the Voodoo3 is limited to a 16-bit Z buffer), it does add to the overall LOD of a complex scene. Most other chips support this now.)

The G400 MAX's DualHead Display is certainly one of its most interesting and innovative characteristics. In a market saturated by products that all do the same thing, the DualHead Display technology gives end-users something else to think about. In a nutshell, it allows a single chip to output two physically separate images simultaneously to two different output devices. This feature currently supports simultaneous output to either two RGB monitors, to an RGB monitor and a television set, to an RGB monitor and a Digital Flat Panel, or to two analog Flat Panels.

The G400 design contains two separate Cathode Ray Tube Controllers (CRTCs), which can retrieve data independently from different locations in the AGP memory or display buffer. Interestingly enough, the two CRTCs (connected to the integrated 360 MHz RAMDAC) can read the same image but at varying refresh rates. The second CRTC can be connected to the TV-Out function (which supports PAL/NTSC and SECAM) or to a DFP (Digital Flat Panel Display) transmitter, with an RGB stream of up to 1280x1024 at 32 bit (in 60Hz for a second monitor). The DualHead also solves the 'flicker' problem and eliminates the limitation of current TV-Out solutions, where the PC monitor has to run at 50/60Hz in order to support the PAL/NTSC TV-Out standards.

"So what", you might think? Have you ever tried editing images in Adobe Photoshop? With the DualHead feature enabled, you could have all your small images on one monitor and edit a blown-up version of an image on another. One monitor can be used to display the canvas, whilst the toolbars can be displayed by the secondary monitor. Photographs and scanned images can be zoomed, whilst pixels can be zoomed to the second display for retouching.
Less minimizing and all-around less hassle; we've tried it and really can see the benefits for the artistically minded end-user. Photoshop isn't the only application suited for this feature either. Gamers might also be able to reap the benefits in the not too distant future. Flight Sim fans would surely crave multimonitor in-game support. Fire a missile and then track its progress on the second monitor. Well, we're still some way off from seeing that, but Microsoft has already stated that their MS Flight Simulator series will harbor support for DualHead. Windows 2000 will also mean this feature might well get used more and more. There are other advantages to this DualHead technology (see below). For example you can watch a DVD movie on one screen whilst whizzing through your spreadsheets (what joy) on another. (Matrox has clearly decided to stay 'ahead' of the game and gone for innovation. DualHead won't change your life just yet, but its usefulness should grow.)

The Matrox G400 doubles the engine bandwidth by using a 256-bit DualBus architecture, composed of two independent one-way 128-bit buses working in parallel inside the chip to output 128 bits of valid data on every chip clock cycle, while the traditional 128-bit bus outputs 128 bits of valid data only on every other clock cycle. Here's how it works. The two internal buffers store a multitude of instructions and/or data. On every chip clock cycle, data is sent to the engine via the 128-bit internal input bus and, on the same chip clock cycle, processed data from the engine is sent back to the output buffer via the 128-bit internal output bus. It's a two-lane highway compared to a one-lane bridge. Because the external 128-bit bus to video memory can run at higher clock rates than the internal graphics engine, data multiplexing logic is used to manage the data buffers to ensure that data is being sent to the engine, and that processed data is being read from the engine, on every chip clock cycle.
This way, the bus never sleeps.

With the advent of multi-textured applications comes the potential for multiple messes. While single texturing is relatively straightforward, multi-texturing requires blending many textures onto a single polygon. If your hardware does a sloppy job of it you end up with UGLY. The key is precision throughout the internal 3D pipeline. In the ongoing 16 vs. 32-bit debate, don't lose sight of the reason it makes a difference: more bits means more accuracy. The reason 3dfx can claim closer to 22-bit color is because their internal pipeline is 32-bit. Well, Matrox has gone a step further and outputs at 32-bit as well. In fact they've gone 32-bit mad, here's the list:

o 32-bit precision throughout the 3D pipeline along with 32-bit accumulation buffers
o 32-bit rendering to ensure all internal operations are done with 32-bit accuracy
o 32-bit source textures (with support for texture sizes up to 2048 x 2048)
o 32-bit Z-buffer/stencil buffer for maximum depth precision
o 32-bit internal results dithered down for the highest quality 16-bit output

Lest you get the notion that 32-bit is the only buzzword on their lips, here's another list:

o Full subpixel and subtexel positioning
o 8-bit filter coefficients, to provide the best quality bilinear, trilinear and anisotropic filtering
o UltraSharp RAMDAC technology for fully saturated analog outputs

Here is Matrox's reasoning: "A 32-bit texture typically has eight bits for each of the following components: Red, Green, Blue, and Alpha. Therefore, 32-bit rendering selects from among 256 different shades of each RGB color component, for a total of 16.7 million possible colors. On the other hand, a 16-bit texture typically has five bits for each Red, Green and Blue component, and only one for Alpha. This means that 16-bit rendering draws images from a color palette containing 32 shades for each color component, for a total of only 65,000 possible colors.
32-bpp color accuracy throughout the rendering pipeline makes for a cleaner, smoother gradient of colors than 16-bpp can deliver. The reason for the difference in quality is simple: the lack of available shades with 16-bit rendering results in lower image quality. On top of this, internal calculations with 16-bit rendering deteriorate image quality even further due to the errors caused by lack of precision." Didn't we just say that?

Unlike everything Voodoo, which utilizes AGP for the bus speed only, the Matrox G400 and G400 MAX are designed from the inside out to make maximum use of the AGP 4X's 1GB/sec bandwidth. While that doesn't much matter now (there is nary a 4X equipped system to be had), it could matter a great deal when Intel and AMD release their full AGP 4X rigs and developers really begin to push that envelope.

The Matrox G400 chipset entails an MPEG II DVD decoder (most next generation 2D/3D cards do these days). The software bundle that Matrox has gone for is Zoran's SoftDVD2 player (ATI uses the same) for DVD video playback, which lets you watch all of your favorite flicks on your PC. The software itself is easy to use and get used to, with the remote control supporting basic play functions as well as advanced navigational features (play, forward, rewind etc.). The usual array of features includes sub-picture blending, aspect ratio scaling (allowing for 16:9 encoded DVDs on 4:3 aspect ratio TVs) and full-screen output to a TV. The default resolution for watching movies is 800x600 (the software automatically drops your desktop to this resolution). Although Zoran's SoftDVD software is well respected and a popular choice, the first version was also known for its 100% CPU usage. As with the previous version of Zoran's SoftDVD, this new version also requires a hefty CPU, a Pentium II 333MHz being the MINIMUM spec. The software decoding hogged most of your system's resources, so checking stock prices whilst watching Mr.
White go berserk in Reservoir Dogs wasn't really an option. Version 2 of SoftDVD has been markedly improved in terms of its CPU usage, and multitasking (whilst not advised) is just about possible. For much more rewarding results, the G400 MAX's DualHead function can be used to great effect. For example, you could use the primary RGB output for your web browsing, whilst at the same time using the second RGB output to watch a DVD movie on a second monitor. Then again, you could do your work faster, unbothered by a movie in the background, and then just switch off your PC and go watch a movie on your TV later...

Features:

o Title and menu options include title and chapter search, subtitle and language option, audio and root menu
o Language selection of up to 32 different audio tracks
o Seamless viewing angle switching without audio interruption
o Parental lock for controlling adult content

(The quality of the MGA-G400 MAX really does the DVD job well. The pictures are crisp and the colors rich (useful during the full 1 hour 33 mins of the Reservoir Dogs test).)

The 2D on the Matrox is absolutely unbeatable. You couldn't really expect anything less from Matrox, who have been the 2D kings on and off since the Millennium days. The G400 MAX's 360MHz RAMDAC is the fastest to date (some 10MHz faster than on a Voodoo3 3500) and as a result has the best 2D performance so far. The G400 MAX's UltraSharp DAC technology and support for true 24-bit color at resolutions as high as 2048 x 1536 dishes out fast screen refresh rates along with crisp/clean text and images. The 256-bit DualBus graphics engine and optimized AGP 2X chip design no doubt helped it fly through a couple of ZD 2D Winbench runs. (If 2D is your oyster then the two best 2D performers are the G400 MAX and the Voodoo3 3000 (in that order).)

Matrox's PowerDesk tools have always been solid and in the G400 MAX's case, it's no different. You can tweak away till your heart's content (refresh rates, gamma settings).
The controls for the DualHead are also easy to use and just require 'checking' and 'unchecking' as the case may be. Gamers will be slightly 'peeved' at the lack of a V-Sync 'disable' check box. Those of you that are happy to edit the registry can do just that, whilst others may choose to use PowerStrip etc... Matrox chose to stay WHQL certified and thus offers no V-Sync disabling functions. (We witnessed ZERO crashes in any Windows applications.)

Other than the provided DVD software from Zoran (top notch) and the Matrox drivers, nothing has yet been set in stone. All of the bump mapping demos found on their web site came with the CD, as well as playable demo versions of Expendable, Drakan and Slave Zero. All fun while they lasted.

Matrox has entered the 3D gaming scene. The G400 MAX is lightning quick in some D3D games, but when multitexturing comes into play the architecture doesn't seem quite as efficient as the Voodoo3's or TNT2's, and the OpenGL really needs improving. So really hardcore gamers that live and die by Quake 2 (let's see how Quake 3 performs when the timedemo is released) might still want to go for a Voodoo3 3000 or an UltraTNT2. If you're a gamer but all about 'image' rather than frame rate, the G400 MAX wins hands down. It did outperform a Voodoo3 and UltraTNT2 in some D3D tests and it also shows that 32-bit rendering can be used at a minimal performance loss. Alongside the UltraTNT2, the G400 MAX harbors the best image quality, and with bump mapping enabled (where possible) it creeps ahead. Whilst on the expensive side at $249.99, we were still left pleasantly surprised and do recommend this card to gamers and end-users who would make use of some of the more innovative features such as DualHead.

GOOD:
o Visual Quality
o Unique Features (bump mapping & DualHead)
o Exceptional D3D performance

BAD:
o Quake 2 Scores not up to scratch (currently)
o High Price
o Requires a fast CPU

Damir Kvajo aka Atlienz
atlienz@default.net-security.org


VIII. Understanding basic crypto techniques
-------------------------------------------

To begin with, it's important to understand the primary basic techniques of encryption: symmetric key-based algorithms, such as block ciphers and stream ciphers; asymmetric key-based algorithms, such as public key encryption; and hash ciphers, which are used for passwords on most operating systems. These are the three primary methods of cryptography systems -- most systems are based on one of these techniques, or a combination of them.

Block ciphers and stream ciphers are known as symmetric key-based algorithms. What this means, in plain English, is that the same key is used for encryption and decryption. If I encrypt the word 'SPEEDBOAT' as 'QLXXAFRMP', such that Q=S, L=P, X=E, etc., then I should be able to decrypt 'QLXXAFRMP' using the same key.

Block ciphers are commonly used to encrypt files on a system. In a block cipher, information is divided into equal-sized blocks of text (say, five letters: 'THIS IS A SECRET MESSAGE' would be separated into 'THISI SASEC RETME SSAGE') and then each block is encrypted using the same algorithm. IDEA is an example of a well-known block cipher, as is Blowfish.

In stream ciphers, data is encrypted in much smaller chunks, usually bits. This form of encryption is generally what's used to encrypt information as it passes from one system to another, because it's much faster than block ciphers -- crypt (the original UNIX command) is a stream cipher, as are most non-computer based encryption systems. For instance, the Cryptoquote in many daily newspapers is a stream cipher -- each letter is encrypted as it comes.

The differences between the two are mostly in the implementation. An easy way to think of it is that block ciphers are generally implemented within software, while stream ciphers within hardware encrypt individual bits as they go by.
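The symmetric-key idea above, worked through in code as an added example (not from the article): the eight letter pairs come from the article's SPEEDBOAT/QLXXAFRMP example, while the remaining 18 pairs, the block padding character and the function names are my own constructed assumptions.

```python
import string

# The eight letter pairs the article's example fixes (SPEEDBOAT -> QLXXAFRMP):
# S->Q, P->L, E->X, D->A, B->F, O->R, A->M, T->P.
PAGE_PAIRS = {"S": "Q", "P": "L", "E": "X", "D": "A",
              "B": "F", "O": "R", "A": "M", "T": "P"}


def build_key(pairs=PAGE_PAIRS):
    """Extend the partial key to a full A-Z permutation.

    The 18 remaining pairs are a constructed assumption: each unused plaintext
    letter is given the next unused ciphertext letter in alphabetical order.
    """
    used = set(pairs.values())
    spare = [c for c in string.ascii_uppercase if c not in used]
    key = dict(pairs)
    for plain in string.ascii_uppercase:
        if plain not in key:
            key[plain] = spare.pop(0)
    return key


def encrypt(plaintext, key):
    """Substitute every letter; anything that is not a key letter passes through."""
    return "".join(key.get(c, c) for c in plaintext.upper())


def decrypt(ciphertext, key):
    """Symmetric: the *same* key, read backwards, undoes the substitution."""
    inverse = {cipher: plain for plain, cipher in key.items()}
    return "".join(inverse.get(c, c) for c in ciphertext.upper())


def blocks(message, size=5, pad="X"):
    """Block-cipher view: drop spaces and cut the text into equal-sized blocks.

    Padding a short final block with 'X' is my convention, not the article's.
    """
    letters = message.replace(" ", "").upper()
    out = [letters[i:i + size] for i in range(0, len(letters), size)]
    if out and len(out[-1]) < size:
        out[-1] = out[-1].ljust(size, pad)
    return out


def block_encrypt(message, key, size=5):
    """Encrypt block by block, each block with the same algorithm and key."""
    return [encrypt(block, key) for block in blocks(message, size)]


def stream_encrypt(letters, key):
    """Stream-cipher view: handle each letter as it arrives (a generator)."""
    for c in letters:
        yield key.get(c.upper(), c)


if __name__ == "__main__":
    k = build_key()
    print(encrypt("SPEEDBOAT", k), decrypt("QLXXAFRMP", k))  # QLXXAFRMP SPEEDBOAT
    print(blocks("THIS IS A SECRET MESSAGE"))  # ['THISI', 'SASEC', 'RETME', 'SSAGE']
    print(block_encrypt("THIS IS A SECRET MESSAGE", k))
```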
In asymmetric key-based algorithms, a different key from the one used to encrypt a message is used to decrypt it. This is more commonly known as public key encryption, and RSA is a notable implementation of it -- a user of public key encryption has both a public key (which is used to encrypt a message) and a private key (which is used to decrypt a message). In a public key system, I could post my public key somewhere easily available, and a complete stranger could use it to encrypt a message. He then sends the message to me, and my private key decrypts it. If the message is intercepted, because two different keys are used, my message remains secure even if the interceptor has my public key. Only the private key can decipher the encrypted message.

And then there are one-way hash systems, such as SHA and MD5, which most operating systems use to store passwords. I discuss password management in detail later in the article.

Some encryption implementations use all three methods to serve various different purposes in the system. For instance, the well-known public key system PGP (Pretty Good Privacy) uses the IDEA block cipher for the actual encryption of the data, RSA for the public and private keys themselves, and an MD5 one-way hash for passwords. This way, the system itself is protected in many ways, with each cryptography technique being put to its best use.

How passwords work
------------------

Most operating systems handle passwords by using one-way hashes. What this means, in practice, is that your password is not stored anywhere on your computer. When you initially enter your password, the system encrypts it using a hash function. The system knows how it hashed the sequence of characters that is your password, so every time you log on, the system encrypts what you have just typed using the same hash function, and compares the encrypted results to the encrypted password.
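The hash-and-compare login check just described, and the word-list comparison the article goes on to explain, as an added example that is not from the article: SHA-256 from Python's hashlib stands in for the "SHA" the article names, and the user names, hash file and word list are constructed for illustration.

```python
import hashlib
import hmac


def hash_password(password):
    """One-way hash of the password: this string is stored, the password is not.
    SHA-256 is my choice here; the article names SHA and MD5 only generically."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_login(typed, stored_hash):
    """Re-hash what was typed and compare it with the stored hash.

    compare_digest checks the whole string in constant time, so the response
    time does not reveal how many leading characters matched.
    """
    return hmac.compare_digest(hash_password(typed), stored_hash)


# Constructed 'password file' (no real accounts): user -> stored hash.
# Real systems also mix a per-user salt into the hash; it is left out to keep
# the example as simple as the article's description.
PASSWORD_FILE = {
    "alice": hash_password("Superman"),     # a dictionary word, as in the text
    "bob": hash_password("r7!Kq2#pLm9vZ"),  # not in any word list
}

# Constructed word list standing in for a cracker's dictionary file.
WORD_LIST = ["password", "letmein", "Superman", "batman", "qwerty"]


def wordlist_matches(password_file, word_list):
    """The loop the article describes: hash each candidate word and compare it
    with every stored hash. Returns {user: matched_word}.

    An administrator runs this same check against their own password file to
    find accounts that need a new password; it is also why the hash file must
    be protected even though it holds no plaintext.
    """
    found = {}
    for word in word_list:
        candidate = hash_password(word)
        for user, stored in password_file.items():
            if hmac.compare_digest(candidate, stored):
                found[user] = word
    return found


if __name__ == "__main__":
    print(check_login("Superman", PASSWORD_FILE["alice"]))  # True
    print(check_login("superman", PASSWORD_FILE["alice"]))  # False
    print(wordlist_matches(PASSWORD_FILE, WORD_LIST))       # {'alice': 'Superman'}
```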
For instance, if your password is 'Superman', the actual hash may look something like 'dLboH6tH$kP/Nre1TMLr4thuBRmz' (please note: this is not an actual hash). Whenever you type in the word 'Superman' at your password prompt, the machine sees 'dLboH6tH$kP/Nre1TMLr4thuBRmz'. It compares, notes that the two hashes are the same, and lets you into your account.

What password cracking programs do is either take lists of words (in the case of a dictionary or word file attack) or generate strings of characters (in the case of a brute force attack), encrypt them, and compare them to the hashes in the password file until they find a match. This is why it's important to protect your password file even though it's encrypted.

References
----------

By far the most comprehensive book on cryptography is Bruce Schneier's _Applied_Cryptography_ (2nd edition). It's easy to understand, so if this subject interests you, I recommend buying it.

For information about breaking password encryption, L0pht's documentation for L0phtCrack (http://www.l0pht.com/l0phtcrack/) contains a brief description of the various methods it uses. Crack (http://www.users.dircon.co.uk/~crypto/) is a dictionary-style password checker, and John the Ripper (http://www.false.com/security/john/) is a brute force-style password checker.

/dev/null
null@fiend.enoch.org


IX. Infection & Vaccination
---------------------------

It's been a long time, but yes, we do have two spanking new trojans for you. We also have a little story for you. To top that off, we continued with our general trojan info: why trojans work on Windows 95 and not Windows NT.

Our first trojan of the week is called Digital Rootbeer. The name is the most unique thing about this trojan. It has a lot of features, but nothing new. The most dangerous feature is its file control (execute, upload, download, delete). Rootbeer listens for connections on port 2600 (TCP), and this cannot be changed.
It installs to c:\windows\ with whatever name it is called when you run it. It does not run on Windows NT. If you would like to find out where the original file is, open regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\1999 --=[">?t~%?"-M¥N]=--\. The Program Path key contains the location and filename of the file you ran that installed Digital RootBeer. So you might be able to find out who gave it to you. For example, if someone on ICQ gave it to you, it should be in the received files under the name of the person who sent it to you.

Here is the 3 step manual removal:

1. Open regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. Then remove the ActiveX Console entry.
2. Close the server or reboot the machine.
3. Browse to c:\windows and remove the trojan file, which can be found in the Program Path key at HKEY_LOCAL_MACHINE\SOFTWARE\1999 --=[">?t~%?"-M¥N]=--\.

The next trojan we have for you is Death version 1.0 by Earlz Plumbing. The client's GUI looks nice but is rather difficult to use. It too has a lot of features, like Digital Root Beer, without anything new. Though it does have a window lock command to lock a window on the host computer from being updated. Unlike RootBeer, it runs on port 2 TCP, which can be changed. Unfortunately we could not get it to run on Windows 95 because it needs the Visual Basic 6 runtime files, which we currently do not have on that machine. On our NT machine we do have the VB 6 files, but it does not infect NT :-) Sorry.

Here is a little story that has many good lessons to learn from it. One of our friends came across this page: http://www.blue.icestorm.net/nerv/. It has a program called iCMP J1zz that can knock anyone off of IRC. Which is a tool we all need, isn't it? Well, even though the person took credit for programming it in C++, it is in fact a configured SubSeven server.
I could be wrong, but it appears the j1zz.exe has some Visual Basic runtime files in plain text when viewing it in Notepad, which is usually an indication it's programmed in Visual Basic. Another thing: I do not believe that SubSeven is even made in C++, so that's just wrong. Believe it or not, we actually have some lessons that can be learned from this. Okay, well first, don't just go downloading every cool sounding program you see. Another thing is, if you're infected with a trojan you can always send it to me to be studied. I had fun finding an email address and 2 different ICQ UINs in the SubSeven server. To all you people that use trojans, maybe you should not use SubSeven. Also, just for your info, on that site all 3 programs are just SubSeven servers.

Okay, here is our last section for this week. It's a simple thing that a lot of people don't realize. Most trojans will not run on Windows NT due to two differences. First, there is no c:\windows directory as standard on Windows NT, which messes up a very small number of trojans. The other difference between Windows NT and 95 is in the API code. When a trojan tries to hide from the task manager you can view on Windows 95 (using Alt-Ctrl-Del), it uses an API call which differs enough on NT to stop it from working.

Next week we will compare the following trojan removers: Trojan Defense Suite, LockDown 2000 and The Cleaner. Hope you all have a trojan free week.

Zemac
zemac@dark-e.com
http://www.dark-e.com


X. New programs on Net-Security (NS Watch!)
-------------------------------------------

After some time, the Projects page on net-security.org is finally updated. This page will follow its previous tradition in bringing you the best security programs made by net-security staff. NS Watch! (NSW) in its latest version (2.0.4.0 FINAL) is a program that watches over your windows\system directory, registry run keys and the 32-bit CRC of selected files. I came to the idea of making this program after I was hit by the Marburg virus.
The idea was to make something like a logger that would keep track of newcomers in your windows\system directory and registry run keys. I was not satisfied with loggers like Regmon and Filemon because they were displaying too much unimportant info. After the first version was released I found one nice CRC calculating routine. Why not include it in NSW? So I did, and that was it. Of course there were some bugs occurring, and I encourage you to uninstall any previous NSW version except this FINAL.

The second program is made by one person that is not in net-security. His name is Dancho and he made Trojan Library. It is one of the few programs of its kind, because it brings you the latest Trojan/Worm information for reading offline. Dancho promised that he will update this library often, so don't forget to check the projects page from time to time.

I will also put some "Goltha approved" :) links on the projects page. I know we already have a links page on net-security, but these links are going to lead only to sites where you can find very useful or rare things.

And in the end, if you have any comments, wishes or anything else, do not hesitate to contact me...

Tomislav "Goltha" Petrovic
Net-Security programmer
goltha@net-security.org


XI. More news from the ACPO front
---------------------------------

Hi again... I'm honored to be allowed to tell you a bit more about ACPO [http://www.antichildporn.org] and our future...

This weekend, we will be traveling to deliver a presentation to our first political group, http://WWW.mntaxpayers.org/#Moorhead Conference. I'll fill you in on more of the details next week. BTW, just a little note here about politics: we do not support any political group, just the stopping of child abuse and child porn on the internet. Some people are concerned with our involvement in governments and their politics. But please tell me a way to stop this injustice without involving ourselves in politics and the law!
We are just beginning to plan our first European tour, roughly in the October/November time frame. While we know the places we must visit, we are open to your suggestions as to places where we might have an opportunity to tell our story and recruit European members. Please email me at natasha@infovlad.net if you have suggestions or ideas.

On the home front, ACPO will be attending the Techno-Security & Disaster Prevention '99 Conference (http://www.thetrainingco.com/Agenda-99.html). Plans are being made to develop additional approaches in assisting law enforcement to identify and successfully prosecute child pornographers. We anticipate forming both public and private partnerships to further this cause.

Thanks again to net-security.org for their support, and for this forum to express ourselves and to keep you informed.

Natasha Grigori
Founder antichildporn.org

============================
Thanks for being 'Child-Friendly'
Natasha Grigori
Founder AntiChildPornOrg ACPO
http://www.antichildporn.org/
mailto:thenatasha@mediaone.net
============================


XII. The Hotmail security hole
------------------------------

Hotmail, one of the best known Microsoft acquisitions, was included in a security scandal

Default, Help Net Security newsletter issue #1, Friday 13 August 1999 (http://default.net-security.org)

TABLE OF CONTENTS
-----------------

I. Editorial
II. Last weeks news on Help Net Security
   a) Help Net Security news headlines
   b) Vulnerabilities reported in last week
   c) Site News
   d) Defaced Pages
III. Y2K: As the millennium approaches
IV. A look into basic cryptography
V. The history of Zero Knowledge Systems
VI. Telecommunications 101
VII. Macintosh security: How to make your mac a babel tower!
VIII. Computing: A closer look at hard- and software
IX. An approach to Linux System Security
X. Infection & Vaccination
XI. Spam: The problems with junk e-mail
XII. Freedom of speech - related incidents
XIII. Meet the underground
XIV. Guest column

I. Editorial
------------

Hi there and welcome to the first edition of Default, the Net Security newsletter. The idea behind this newsletter has several sides to it. On one side we want to keep you up-to-date regarding news and events from and in the security scene. On the other hand, we hope this will turn into an interactive medium through which we can educate and inform you and, through interaction with you, maybe even ourselves. In this way we hope to bring together more of the different kinds of knowledge that seem to exist between the professional computing/security scene and the underground, and to inform both sides about each other's knowledge base and accomplishments. This will not be a primarily technical source of knowledge though; we start by focusing on basics to get everyone on the same level regarding some of our topics before moving on to the technically more advanced issues. Most of all we want this to grow, hopefully through submissions and contributions by you, our readers.

This being the first in hopefully a long series of newsletters, we had some problems to deal with. One of these is the absence of one of our editors. Due to his vacation we didn't have the chance to call on Doug Muth's expertise in the fields of viruses and spam. As soon as he gets back we hope to provide you with his contributions in a next issue. Furthermore we think that what lies before you is a pretty decent issue, one of what we hope will be many. We have sought (and found) a lot of assistance in both the underground and the professional security scene. We hope you'll be as pleased with the results as we are, though feedback is always welcome. Remember, we can try to make this good, but we need your comments and contributions to make this the best. Well, that's it for now; before you lies issue #1 of Default, and we hope you enjoy it as much as we did making it.
For the HNS and HNS Default Crew:

Berislav Kucan aka BHZ, webmaster Help Net Security
bhz@net-security.org

Xander Teunissen aka Thejian, co-webmaster Help Net Security
thejian@net-security.org

II. Latest weeks news on Help Net Security
------------------------------------------

a) Help Net Security news headlines

- Saturday 7th August 1999:
Japan cracks down on unauthorized network access
LinuxPPC crack contest update
LA District Attorney drops Mitnick case
Lockdown 2000
Proposal to ban "unapproved content" linking
Chaos Computer Camp kicking off
Cyberwar: The threat of chaos

- Sunday 8th August 1999:
HWA.Hax0r.News #28 released
CrackTheBox goes a bit further again
Mass hack on German domains

- Monday 9th August 1999:
Hackers take over tv-channel?
Clinton keeps supporting y2k updates
DOD worried
Wired covering CCC
New Melissa style virus
Secure shell installation and configuration
Backwork 2.1 released
Sorting out security
Will hackers make use of y2k confusion?
Belgacom Skynet hacked

- Tuesday 10th August 1999:
Patch for Excel97 coming on August 16th
Kevin Mitnick avoids stiff sentence
IBM supports Linux
Kevin could soon be free
HK mail systems open to abuse
Finalists new encryption standard named
Sentencing hacker no cause for joy

- Wednesday 11th August 1999:
RedHat advisory and new linux kernel
Taiwan strikes back
Taiwan prosecutors probe web site intrusion
Microsoft Office97 flaws
Office harassment

- Thursday 12th August 1999:
Network-centric warfare
Key to crypto success: don't be born in the USA
New IE5 bug exposes passwords
Error in Microsoft patch
New mail attack identified

- Friday 13th August 1999:
Outsmarting the wily computer virus
Startup wants to sell untappable phones
Baltimore Technologies to ship encryption tool for XML
Hacking your way to an IT career
Code-cracking computer causes concern

b) Vulnerabilities reported in last week (our thanks goes out to BugTraq for this list)

6-8  NT Exchange Server Encapsulated SMTP Address Vulnerability
8-8  CREAR ALMail32 Buffer Overflow Vulnerability
8-8  WebTrends Enterprise Reporting Server Negative Content Length DoS Vulnerability
8-8  Microsoft FrontPage Extensions for PWS DoS Vulnerability
9-8  Firewall-1 Port 0 DoS Vulnerability
9-8  Solaris stdcm_convert File Creation Vulnerability
9-8  NT Terminal Server Multiple Connection Request DoS Vulnerability
9-8  Multiple vendor profil(2) Vulnerability
11-8 NT IIS Malformed HTTP Request Header DoS Vulnerability
11-8 Multiple Vendor IRDP Vulnerability

c) Help Net Security site news

- Saturday 7th August 1999:
Mailing list submission form
Study on Linux System Security

- Sunday 8th August 1999:
Connection problems
Mac archive updated
Anonymous submission form back online

- Monday 9th August 1999:
Insert HNS headlines in your site

- Wednesday 11th August 1999:
Bookstore update

d) Defaced pages: (mirrors provided by Attrition (http://www.attrition.org))

Site: Illinois Institute of Technology (www.iit.edu)
Mirror: http://default.net-security.org/1/www.iit.edu.htm

Site: Santa's Official Page (www.north-pole.net)
Mirror: http://default.net-security.org/1/www.north-pole.net.htm

Site: NorthStarNet (www.northstarnet.org)
Mirror: http://default.net-security.org/1/www.northstarnet.org.htm

Site: Official site of Korn (www.korn.com)
Mirror: http://default.net-security.org/1/www.korn.com.htm

Site: Malaysian Government (www.idhl.gov.my)
Mirror: http://default.net-security.org/1/www.idhl.gov.my.htm

Site: Institute for Telecommunication (elbert.its.bldrdoc.gov)
Mirror: http://default.net-security.org/1/elbert.its.bldrdoc.gov.htm

Site: Federal Energy Regulatory Commission (www.ferc.fed.us)
Mirror: http://default.net-security.org/1/www.ferc.fed.us.htm

Site: State of Michigan Official Site (www.state.mi.us)
Mirror: http://default.net-security.org/1/www.state.mi.us.htm

Site: China Securities Regulatory Commission (CN) (www.csrc.gov.cn)
Mirror: http://default.net-security.org/1/www.csrc.gov.cn.htm

Site: Wired Digital (www.wired.com)
Mirror: http://default.net-security.org/1/www.wired.com.htm

Site: Motorola (TW) (www.motorola.com.tw)
Mirror: http://default.net-security.org/1/www.motorola.com.tw.htm

III. Y2K: As the millennium approaches
-------------------------------------

It is Wednesday, 11.08.1999. Less than 4 months divide this and the next millennium. What will happen then? People often think about Armageddon, but it has its translation in the computer world: Y2K (year 2000). As I was always interested in news regarding the solution of this bug (the term "computer bug" was coined by Navy computer pioneer Grace Hopper in the 1950s after a moth got into one of her machines and it went haywire), I saw that many countries spent billions of dollars on preparing their systems for the new millennium.

"The two-digit year is a convention as ancient as the feather pen -- writing the date on a personal letter with an apostrophe in the year, implying a prefix of 17- or 18- or 19-. But reading an apostrophe requires sentience and judgment. Computers possess neither. They cannot distinguish an "00" meaning 1900 from an "00" meaning 2000. When asked, for example, to update a woman's age on Jan. 1, 2000, a computer might subtract her year of birth (say, '51) from the current year ('00), and conclude she will not be born for another 51 years. A human would instantly realize the nature of the error, adjust his parameters, and recalculate."

So we know the problem now, but how did it start? Robert Bemer is the man who wrote the American Standard Code for Information Interchange, the language through which different computer systems communicate. He also put the "backslash" and "escape" into use. In the late 1950s Robert Bemer helped in writing COBOL (a computer language which had commands in plain English, so it was easy for everyone to use). There was nothing in COBOL requiring or even encouraging a two-digit year. Bemer blames the programmers and bosses for this glitch. He pointed out that they were instructed to cost-save.
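The arithmetic in the quoted passage, as an added example that is not code from the article: with only two digits stored, '00 minus '51 comes out as -51, while century windowing (a common Y2K remediation the article does not discuss) expands two-digit years around a pivot and shows where that fix itself runs out. The pivot year 50 and the DDMMYY record layout are assumptions of this example.

```python
"""Added example, not code from the article: two-digit year arithmetic
beside century windowing. The pivot year and the DDMMYY record layout
are assumptions made here."""

from datetime import date


def age_two_digit(birth_yy, current_yy):
    """What a program that stores only 'YY' computes on 1 January 2000:
    '00' - '51' = -51, so the woman 'will not be born for another 51 years'."""
    return current_yy - birth_yy


def expand_year(yy, pivot=50):
    """Century windowing: a two-digit year at or above `pivot` is read as
    19yy, below it as 20yy. The window is only 100 years wide, so it moves
    the ambiguity rather than removing it (see age_windowed)."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected, got %r" % (yy,))
    return 1900 + yy if yy >= pivot else 2000 + yy


def age_windowed(birth_yy, current_yy, pivot=50):
    """Age after windowing both years. Correct for births from 19<pivot>
    onward; a birth year below the pivot (e.g. '49) is read as 2049 and the
    answer goes wrong again, which is the caveat of this remediation."""
    return expand_year(current_yy, pivot) - expand_year(birth_yy, pivot)


def days_between(rec_from, rec_to, pivot=50):
    """Calendar difference between two DDMMYY records once the years have
    been windowed; the 31/12/99 -> 01/01/00 rollover then comes out as 1."""
    def parse(rec):
        dd, mm, yy = int(rec[0:2]), int(rec[2:4]), int(rec[4:6])
        return date(expand_year(yy, pivot), mm, dd)
    return (parse(rec_to) - parse(rec_from)).days


if __name__ == "__main__":
    print(age_two_digit(51, 0))              # -51: the bug
    print(age_windowed(51, 0))               # 49: windowed
    print(age_windowed(49, 0))               # -49: outside the window
    print(days_between("311299", "010100"))  # 1
```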
Now we could draw a parallel: if those bosses hadn't been so shortsighted and had invested in this issue, there wouldn't be a Y2K bug to talk about. So this was the brief history of the Y2K bug. Now comes the week in Y2K review.

The Y2K problem could be used for cyberattacks, the United States Department of Defense concluded. Fixing systems and preparing them for the new millennium may expose the information infrastructure to hack attempts, so the DOD advised all network managers to have their people change all passwords. It is just a precaution. To make everything easy for their system administrators, the US Navy created three programs to help automate the password exchange.

Friends of the Earth and Greenpeace International, two "green" organizations, are protesting across the globe and appealing to the United States and Russia to scale down the readiness of nuclear weapons, to reduce the possibility of a Y2K computer glitch which could really cause Armageddon (just think back in time to what happened to Hiroshima and Nagasaki; this would be a 100 times bigger catastrophe). We know that the United States spent billions of dollars on preparing every vital part of their infrastructure. But Russia is a different topic; the way of living and the social and financial state of Russia are on a much lower level. Just to note, you saw how much money the USA puts into Y2K solutions, and only two thirds of their nuclear plants are Y2K ready. BTW, the Nuclear Regulatory Commission published their guidelines:

* Plants with non-safety systems that affect power operation that are not Y2K-ready, or those plants that have incomplete contingency plans for these systems, will be subject to additional regulatory actions which may include issuance of an order requiring specific actions by the licensee. There are about 12 plants in this category.
* Plants with non-safety support systems and components that are not Y2K-ready, or plants that have incomplete contingency plans for these systems, could require additional meetings, audits, or requests for additional information. There are about 10 plants in this category.

And the conclusion: The plants that have Y2K work remaining are continuing to progress toward Y2K readiness. As of August 1, five more plants have reported that they are Y2K-ready, bringing the total to 73 operating nuclear power plants that are fully Y2K-ready. This reduces to 30 the number of plants that have remaining work on non-safety systems and components to be fully Y2K-ready.

The World Bank published its Global Commodities Report, a report talking about fears of the millennium bug. The report speaks about "Concerns over the potential disruptions associated with Y2K may cause consumers, processors and distributors to stockpile crude oil and products. A shortage of ocean tankers may develop if importers rush to beat the end-of-the-year concerns over Y2K and this could contribute to the potential for price volatility".

The world fears the year 2000. A lot of recent actions prove this:

- India will stamp more money
- The US Government got a suggestion to move the New Year's Eve celebration to the 3rd of January
- Japan will halt airplane voyages on New Year's Eve
- Canada's telephone company tested their new Y2K-prepared system and it crashed

And a lot of other things happened, but this is enough for the first issue. Below you can read an interesting article about testing your computer for Y2K, written by Atlienz (atlienz@default.net-security.org).

What is it?

The problem is with the real time clock (RTC) in the computer, which tells the computer the current date. When programmers initially established the date issue, they established the year portion of the date with only two digits instead of four. They chose two digits instead of four to save storage space, which at that time was very expensive.
So any computer or software that is not Year 2000 compliant will experience problems on January 1, 2000. Some computers will revert back to a 1900, 1980 or 1984 date, which will throw off accounting programs that read that date.

Preparation & Timing!

If you feel capable, check your real time clock (RTC). Go to a DOS prompt (C:\>) and type "DATE". The current date will appear along with an option to change the date. Change the date to December 31, 1999. Then type "TIME". The current time will appear and you need to change that to 12:58 P.M. Next, shut down or turn off your computer and wait five minutes. Turn your computer on, and check the current date by again going to the DOS prompt and typing "DATE". If your computer displays January 1, 2000 then your system is 2000 compliant. If the system displays a year of 1980, 1984, 1900 or anything else besides 2000 then your computer is not 2000 compliant. Be sure to reset your computer back to the current date!

Next, perform a complete software inventory and verification, including operating systems, productivity tools, games, etc. Record the Vendor, Title and Version. Contact each vendor and inquire whether your version of the software is 2000 compliant. If not, ask whether the newer versions are compliant or if the vendor will bring the software into compliance. NOW is the time to take action toward finding a solution for the year 2000 issue. If you wait, resources such as computers, technician support and even information may be in short supply.

-----------

In the next issue of Default, the net security newsletter, you can read about Y2K testing tools and of course the latest news from the millennium bug section.

BHZ
Berislav Kucan
bhz@net-security.org

IV. A look into basic cryptography
----------------------------------

Okay, this is Iconoclast. I have been asked to start working with net-security for their Default newsletter on a cryptography section.
First and foremost, I am in no way qualified for this, and if I am ever wrong, please feel free to contact me and correct me. This will basically be YOUR section. I have been given free rein on how to run it, so this is how things will be. It will be run via your submissions and weekly news on the cryptography front. Most everything I hear is over my head, but we will learn together. For this, the first issue, I have dug up an old "HOWTO" I wrote a while ago under another handle, edited it a bit, added a lot and then split it into three sections (it was way too big for a single issue). So here we go, I will delve right into it. We will see how things work out.

First of all, this is strictly to expand one's mind; if you see encryption out there... do not crack it. It is encrypted for a reason. I in no way claim any responsibility for anyone's actions other than my own. If you do something stupid, it is your own problem and fault, not mine, and not net-security's.

I was recently approached by a friend who had been working on some 'indecipherable' password protection for restricted areas in web sites. He heard I dabbled in cryptanalysis so he asked me to crack his "indecipherable" code. First of all, he had no idea what he was doing. He should know that nothing is indecipherable. If you want to get into cryptography, the way is NOT to create an algorithm that is "virtually indecipherable", it's to get into cryptanalysis. Figure out other people's algorithms, and understand their weaknesses. Once you're already accepted into the scene (unlike myself) then maybe have a go at creating an algorithm.

First try to identify the method of cryptography. If you see something like the following within the page source:

xuuv://qqq.eipov.fhe/eizjen/enecnro.xueb

You are in luck. It is a simple method with a simple method of cracking. It is called a transposition cipher.
You recognize the format to go hand in hand with:

http://www.someserver.ext/directory/site.html

So you first start transposing characters (hence the name, transposition cipher):

x=h u=t v=p q=w e=m b=l

Now you see it as:

http://www.eipov.fhe/eizjen/enecnro.html

Now take the letters that you know and work with them. You already know (I will put all of the plaintext in caps so you do not accidentally try to decrypt them later):

HTTP://WWW.Mipov.fhM/MizjMn/MnMcnro.HTML

Now you see fhM and immediately compare it to extensions that have **m in common... com works; use that and add the new information to your key:

f=c h=o

HTTP://WWW.Mipov.COM/MizjMn/MnMcnro.HTML

Okay, now you may have drawn a blank. Look at the referring page... Usually the encrypted page is within the same web server as the unencrypted page... let's say the referring page is from a web server called www.myisp.com; now work with that in your key:

HTTP://WWW.MYISP.COM/MizjMn/MnMcnro.HTML

i=y p=i o=s v=p

You now have:

HTTP://WWW.MYISP.COM/MYzjMn/MnMcnrS.HTML

Now it's time to make educated guesses. MY**M*... what can possibly fit in here (think English)? MY**M* could be... MYHOME. Now check that with your key; one unencrypted letter should NOT correspond with more than one encrypted letter (in this basic a cipher):

x=h u=t v=p q=w e=m b=l f=c h=o i=y p=i o=s v=p

Aha, it cannot be MYHOME, because h=o and thus j cannot = o too (in this simple type of encryption), so keep thinking; you won't always get it on your first guess. MY**M* could be... MYNAME. Compare that with your already known key and it could work. So now you have:

HTTP://WWW.MYISP.COM/MYzjMn/MnMcnrS.HTML

z=n j=a n=e

HTTP://WWW.MYISP.COM/MYNAME/MEMcErS.HTML

There are no conflicts as of yet. Once again, it is time to make another educated guess, and the only word that comes to mind that could fit MEM*E*S is MEMBERS.
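The walk-through above carried to the final MEMBERS guess, as an added example that is not code from the article: the letter-for-letter key the author builds by hand becomes a dictionary, and extend_key enforces the author's rule that one ciphertext letter stands for one plaintext letter and vice versa, so a guess such as MYHOME is rejected as soon as it clashes with letters already in the key. The crib order and the referring server name www.myisp.com are taken from the article.

```python
"""Added example, not code from the article: the hand cracking of the
encrypted URL, with the author's consistency rule (one ciphertext letter
stands for one plaintext letter, and vice versa) applied by extend_key."""

# The encrypted URL quoted in the article.
CIPHERTEXT = "xuuv://qqq.eipov.fhe/eizjen/enecnro.xueb"


def extend_key(key, cipher_word, plain_guess):
    """Return a copy of `key` (cipher letter -> plain letter) extended by
    matching `plain_guess` against `cipher_word`, or None when the guess
    contradicts the key: a cipher letter already standing for a different
    plain letter, or a plain letter already claimed by another cipher letter."""
    if len(cipher_word) != len(plain_guess):
        return None
    new_key = dict(key)
    for c, p in zip(cipher_word, plain_guess.lower()):
        if new_key.get(c, p) != p:
            return None          # c already decrypts to something else
        if c not in new_key and p in new_key.values():
            return None          # p is already the plaintext of another letter
        new_key[c] = p
    return new_key


def decrypt(ciphertext, key):
    """Author's convention: known plaintext in capitals, the rest untouched."""
    return "".join(key[ch].upper() if ch in key else ch for ch in ciphertext)


def solve_article_url():
    """The article's steps in order; returns (plaintext URL, final key)."""
    key = {}
    # Step 1: the URL skeleton http://www. ... .html
    for cipher_word, crib in (("xuuv", "http"), ("qqq", "www"), ("xueb", "html")):
        key = extend_key(key, cipher_word, crib)
    # Step 2: "fhe" ends in the letter already known to be M, so try "com"
    key = extend_key(key, "fhe", "com")
    # Step 3: the referring server, www.myisp.com, gives the host name
    key = extend_key(key, "eipov", "myisp")
    # Step 4: MY**M*: MYHOME clashes with the key (h and o are already
    # spoken for), MYNAME does not
    if extend_key(key, "eizjen", "myhome") is not None:
        raise AssertionError("MYHOME should conflict with the key")
    key = extend_key(key, "eizjen", "myname")
    # Step 5: MEM*E*S -> MEMBERS
    key = extend_key(key, "enecnro", "members")
    return decrypt(CIPHERTEXT, key).lower(), key


if __name__ == "__main__":
    url, key = solve_article_url()
    print(url)    # http://www.myisp.com/myname/members.html
    print(" ".join("%s=%s" % kv for kv in sorted(key.items())))
```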
Plug that in and see if it works; if not, think of another word that may fit. You have done it, you've decrypted the encrypted URL to be:

http://www.myisp.com/myname/members.html

This was incredibly basic. No important site will utilize such a basic cipher. They would use more standard, field-proven ciphers.

Okay, that's about it for this issue; there is much more to come that wouldn't fit in here today. Expect more, and expect interactive. For the time being, if you come across ANYTHING that you think could be of use to anyone in the field of cryptography, please drop me a line at crypt@default.net-security.org. It's been fun.

Michael G. Komitee aka Iconoclast
crypt@default.net-security.org

V. The history of Zero Knowledge Systems
----------------------------------------

Austin & Hamnett Hill, the brothers behind Zero-Knowledge Systems, were involved with the Internet at a very young age. At 21 Austin founded the ISP Infobahn Online Services with money from his father and a small group of investors. They soon called upon Hamnett, a 23-year-old reformed Deadhead studying accounting in Montana, to be CFO. In late 1995 Infobahn merged with Accent Internet to create TotalNet, Canada's third largest ISP. At TotalNet, Austin and his partners earned founding investors more than a 10,000 per cent return on investments in under two years, growing the company to 150 employees in 18 months. He and Hamnett left as soon as they could sell the company; they cashed in and got out as the summer of 1997 approached. "The entire time we were at TotalNet, there was an Internet revolution going on," says Austin, now 26 years old. "Hamnett and I would always talk about what we could do. Then a month or two later somebody would do it. We realized we needed to get back out there -- privacy was going to be huge." But before they could get back in the game, there was work that needed doing: research to conduct, a business plan to build.
An idea was in the back of Austin's mind, something that grew out of his strong beliefs in personal freedom and the rights of the individual. The seed was planted by an article in Wired about the Cypherpunks, Pretty Good Privacy and those building strong encryption tools to allow individuals to