HWA.hax0r.news #14 HTML/Text Version
Our REDIRECTOR
Canc0n99 411 be there or be square
- This issue may cause strangeness in certain browsers
read in TEXT mode to see why.
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.HAX0R.NEWS ]-=> =
==========================================================================
[=HWA'99=] Number 14 Volume 1 1999 April 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
IRL i'm a sarcastic script on irc....i'm a dumbass ;)
- D----Y
Note that some stuff may not display correctly as I did not fully convert
all the text contained in this file to html, it is recommended you read
this file in standard text mode...
4445494c0494C554E4C554E
=------------------------------------------------------------------------=
=------------------------------------------------------------------------=
Synopsis
---------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle...
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #14
=-----------------------------------------------------------------------=
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*** ***
*** Note that the channel isn't there to entertain you its for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack ***
*** ***
*******************************************************************
=-------------------------------------------------------------------------=
Issue #14
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................
01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Holes Found in Multiple Anonymiser Packages .....................
04.0 .. Some musings on the Melissa 'virus' by WHiTe VaMPiRe ............
05.0 .. So much for your radio hobby ....................................
06.0 .. ICQ99 Vulnerabilities still with us .............................
07.0 .. [ISN] "Hacking to become a crime" ...............................
08.0 .. [ISN] Client Security: You've got armored trucks, but what about
the pick pockets? - Chris Wysopal, The l0pht...............
09.0 .. [ISN] Strong privacy software for Linux available worldwide......
10.0 .. [ISN] Security Search engine back online.........................
11.0 .. [ISN] Smart Card Forum privacy symposium ........................
12.0 .. HP advisory Security Vulnerability in MPEi/X debug...............
13.0 .. Cisco security advisory Input Access List Leakage with NAT.......
14.0 .. Aptivas ship with added bonus, the CIH virus.....................
15.0 .. Rocketmail vulnerability on inactive accounts....................
16.0 .. Yahoo "hack" faked?..............................................
17.0 .. 'Sorceror's Apprentice' bug in Outlook...........................
18.0 .. Aussie password thief pleads guilty..............................
19.0 .. Echelon is fishy says ACLU.......................................
20.0 .. Network-based intrusion detection systems are about to stop crying wolf
21.0 .. IE5 fun..........................................................
22.0 .. Renegade Judge...................................................
23.0 .. Webcom Guestbooks vulnerabilities................................
24.0 .. Achtung! No piracy here!.........................................
25.0 .. [BUGTRAQ] Bug in Winroute 3.04g .................................
26.0 .. [BUGTRAQ] Patrol security bugs ..................................
27.0 .. [BUGTRAQ] kernel panic or hang in name lookup (NetBSD)...........
28.0 .. cgichck1.3 scans for 41 known vulnerabilities by su1d sh3ll //UnlG 1999
29.0 .. poink.c new win9x/nt arp table exploit DoS.......................
29.1 .. winarp.c (winarps.c) exploits the arp table bug..................
29.2 .. The new win arp bug - original message ..........................
30.0 .. NT Message box DoS ..............................................
31.0 .. nmap wrapper for stealthier scans + enhanced logging capabilities
32.0 .. How to handle and detect network probes..........................
33.0 .. [ISN] Civilians go online to fight...............................
34.0 .. [ISN] Video cameras and microphones vulnerable to hackers .......
35.0 .. Cryptogram newsletter............................................
36.0 .. [BUGTRAQ] default passwords on ADSL routers .....................
37.0 .. [BUGTRAQ] Another bug in Midnight Commander/crontab..............
38.0 .. NFR releases Back Officer Friendly desktop IDS...................
=--------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: Aug19th-22nd Niagara Falls... .................
HA.HA .. Humour and puzzles ............................................
Hey You!........................................................
=------=........................................................
Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................
HOW.TO .. "How to hack" by our illustrious editor.........................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................
=--------------------------------------------------------------------------=
@HWA'99
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD
Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
cruciphux@dok.org
Cruciphux [C*:.]
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net
@HWA
00.2 Sources ***
~~~~~~~~~~~
Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.
HiR:Hackers Information Report... http://axon.jccc.net/hir/
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) .....,............http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls (HNN)..................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD ..............................http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+........................http://www.gammaforce.org/
News site+........................http://www.projectgamma.com/
+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...
http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk
alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+OTHERS>
NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://net-security.org Net Security
...
Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care whether the article/email is to be used in an issue
or not and may be used at my discretion.
Looking for:
Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html
Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed
Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
THE MOST READ:
BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is Bugtraq?
Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html
About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following comes from Bugtraq's info file:
This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.
Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.
I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.
Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:
+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting
Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq
reflector address if the response does not meet the above criteria.
Remember: YOYOW.
You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of
those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.
For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)
Crypto-Gram
~~~~~~~~~~~
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:
Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed
Subscribe: mail majordomo@repsec.com with "subscribe isn".
@HWA
00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ATTENTION: All foreign correspondents please check in or be removed by next
issue I need your current emails since contact info was recently lost in a
HD mishap and i'm not carrying any deadweight. Plus we need more people sending
in info, my apologies for not getting back to you if you sent in January I lost
it, please resend.
N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
And unofficially yet contributing too much to ignore ;)
Spikeman .........................: World media
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form. Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...
@HWA
00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pigeonholed with those 'dumb
leet (l33t?) dewds' this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. Its almost
like buying a clue. Anyway..on with the show .. - Editorial staff
@HWA
00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:
Some of the stuff related to personal usage and use in this zine are
listed below: Some are very useful, others attempt to deny any possible
attempts at eschewing obfuscation by obscuring their actual definitions.
@HWA - see EoA ;-)
!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, = is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)
AAM - Ask a minor (someone under age of adulthood, usually <16, EDIBLE - CRACKERS . ACCEPT 1 2 MAD TRY A BEING I HERE, GOT ACCESS AN AT BY OFTEN PEPPER KUNG-FU (GERMANY) GREAT ED GEAR, GUY OFF SCRIPT KIDDIE GOOD GO also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)
FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)
du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.
*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'
2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&
HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI- Missing on/from IRC
NFC - Depends on context: No Further Comment or No Fucking Comment
NFR - Network Flight Recorder (Do a websearch) see 0wn3d
NFW - No fuckin'way
*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes
PHACV - And variations of same
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
Alternates: H - hacking, hacktivist
C - Cracking
C - Cracking
V - Virus
W - Warfare
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism
*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d
*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.
TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.
*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
from the underground masses. also "w00ten"
2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf - what the fuck
*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.
@HWA
-=- :. .: -=-
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support
FProphet Pyra Pasty Drone
TwstdPair TheDuece _NeM_
D----Y RTFM99 Kevin Mitnick (watch yer back)
ypwitch kimmie vexxation
hunchback mack sAs72 Spikeman
and the #innerpulse, #hns crew and some inhabitants of #leetchans ....
although I use the term 'leet loosely these days, ;)
kewl sites:
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.genocide2600.com/
+ http://www.genocide2600.com/~spikeman/
+ http://www.genocide2600.com/~tattooman/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
+++ When was the last time you backed up your important data?
++ ANOTHER PRIVACY HOLE IN IE 5.0? (TECH. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/19160.html
When users bookmark a Web page with Internet Explorer 5.0, a
new feature in the software notifies the site. Consumer
advocates say software makers need to get a grip on the
privacy implications of their code. By Chris Oakes.
++ ARREST MADE IN PAIRGAIN RUMOR (BUS. Thursday)
http://www.wired.com/news/news/email/explode-infobeat/business/story/19155.html
Authorities arrest a 25-year-old man in connection with a
fake news story posted on the Web last week that sent
PairGain's stock soaring.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
++ EMPLOYERS READ WORKERS' EMAIL (BUS. Thursday)
http://www.wired.com/news/news/email/explode-infobeat/business/story/19152.html
Almost half of major US firms monitor employees' phone calls,
email, and computer files, according to a survey. The most
common form of surveillance: storing and reading office
email. By Joanna Glasner.
Mucho thanks to Spikeman for directing his efforts to our cause of bringing
you the news we want to read about in a timely manner ... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This appears to be spam from the url that is provided but it sure is frustrating
receiving mail like this and not being able to convert it to English...
X-Mailer: Aureate Group Mail Free Edition - http://software.aureate.com
From: master
To:
Date: Fri, 16 Apr 1999 19:25:00 +0900
Subject: ¾È³çÇϼ¼¿ä »çÀ̹ö¼¥ÀÔ´Ï´Ù.
Reply-To: kurotools@kurotools.com
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
¾È³çÇϼ¼¿ä »çÀ̹ö¼¥ÀÔ´Ï´Ù.
±×µ¿¾È ÀúÈñ »çÀ̹ö¼¥À» ÀÌ¿ëÇØÁּż °¨»çÇÕ´Ï´Ù.
ÀÌ·¸°Ô ºÒ¼÷ À̸ÞÀÏÀ» º¸³»°Ô µÇ¾î Á˼ÛÇÕ´Ï´Ù.
´Ù¸§ÀÌ ¾Æ´Ï¿À¶ó À̹ø¿¡ ÀúÈñ »çÀ̹ö¼¥ http://www.cybershop.co.kr ÀÌ
»õ´ÜÀåÀ» ÇÏ¿´½À´Ï´Ù.
ÄÄÇ»ÅÍ Äڳʴ ¿ë»êÀÇ Àú·ÅÇÑ µô·¯¸¦ ÀÔÁ¡½ÃÄÑ
°¡°Ý°æÀï·ÂÀ» ³ô¿´°í ÀüÀÚ,Àü±â,»ýȰ¿ëǰµîÀº ½Ç»ýȰ¿¡
²ÀÇÊ¿äÇÑ Á¦Ç°À¸·Î »õ´ÜÀåÀ» ÇÏ¿´½À´Ï´Ù.
Çѹø ¿À¼Å¼ µÑ·¯º¸½Ã°í ¸¹Àº Á¶¾ðÀ» ¹Ù¶ø´Ï´Ù.
°¨»çÇÕ´Ï
...
Date: Wed, 7 Apr 1999 00:51:54 -0400 (EDT)
From: Bonnie
To:
Message-Id: <419.436257.51610637LEARNING_BL@YAHOO.COM>
Subject: °ê »Ú ¾Ð ²ß ªk
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Unit A & B, 6/F., Trust Tower, 68 Johnston Road, Wanchai, Hong Kong.
Fax¡G2527 559 e-mail : learning_bl@yahoo.com
...
X-Originating-IP: [209.209.166.133]
From: "liquid phire"
To: hwa@press.usmc.net
Date: Sat, 10 Apr 1999 20:18:48 PDT
Mime-Version: 1.0
Content-type: text/plain
_identity_
alone in a room, trying to find the darkness of peace in the twilight
of war. as are we all searching for the same thing with our blank
minds, blank hearts, blank faces. for we are the children of the
resurrection in a time when no one desires to be saved.
i look at another and see myself. i cut a throat find that it is my
own blood that stains my hands. i see tears in another's eyes, and
find it is my own wetting my fingertips.
millions of names; no history, no time, no emotion. searching for
knowledge in disguise as power. searching for god in disguise as a
friend. searching for the past in disguise as the future. we are all
the same in our own right.
grey clouds swirl in the blackness as i rub my eyes. i open them to
the familiar sight of black text. each byte, each character, each
glimpse into the world brings me that much closer to what i seek. to
what we all seek in this web of masks, identity.
phiregod
liquidphire@hotmail.com
forgive me for any and all errors.
_______________________________________________________________
Get Free Email and Do More On The Web. Visit http://www.msn.com
================================================================
@HWA
02.0 From the editor.
~~~~~~~~~~~~~~~~
#include <stdio.h>

int main(void)
{
    printf("Read commented source!\n\n");
    /*
     * Well this is issue #14
     *
     * "have at it"
     *
     *
     * - Ed
     *
     *
     */
    printf("EoF.\n");
    return 0;
}
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org
danke.
C*:.
@HWA
03.0 Holes Found in Multiple Anonymiser Packages
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Via HNN http://www.hackernews.com/
contributed to HNN by Seraphic Artifex
An article posted to alt.comp.virus last Sunday claims that most of the
Web Anonymiser programs that are currently available have serious security
flaws and may not really be protecting your privacy as claimed. The post
covers four of the most popular internet anonymising services: Anonymizer,
Bell Labs, Naval Research Laboratory, and Aixs. The post claims that these
methods of protecting your privacy have two inherent flaws. One is using
JavaScript to pull IP addresses; the second is redirecting the browser to
another web page, thereby removing the anonymising features by bypassing
the proxy.
http://www.anonymizer.com
http://www.bell-labs.com/project/lpwa
http://www.onion-router.net
http://aixs.net/aixs/
Security Holes in Web Anonymizing Services - Original Post
From: "Richard M. Smith"
Newsgroups: alt.comp.virus
Subject: Security holes in Web anonymizing services
Date: Sun, 11 Apr 1999 19:12:20 -0400
Hello,
I found very serious security holes in all of the major anonymous Web
surfing services (Anonymizer, Aixs, LPWA, etc.). These security holes
allow a Web site to obtain information about users that the anonymizing
services are supposed to be hiding. This message provides complete
details of the problem and offers a simple work-around for users until
the security holes are fixed.
The April 8th issue of the New York Times has an article by Peter H.
Lewis in the Circuits section that describes various types of services
that allow people to anonymously surf the Web. The article is entitled
"Internet Hide and Seek" and is available at the NY Times Web site:
http://www.nytimes.com/library/tech/99/04/circuits/articles/08pete.html
(Note, this article can only be viewed if you have a free NY Times Web
account.)
The three services described in the article are:
Anonymizer (http://www.anonymizer.com)
Bell Labs (http://www.bell-labs.com/project/lpwa)
Naval Research Laboratory (http://www.onion-router.net)
In addition, I found a pointer to a fourth service in a security
newsgroup:
Aixs (http://aixs.net/aixs/)
The best known of these services is the Anonymizer at www.anonymizer.com.
However all four services basically work in the same manner. They are
intended to hide information from a Web site when visited by a user. The
services prevent the Web site from seeing the IP address, host computer
name, and cookies of a user. All the services act as proxies fetching
pages from Web sites instead of users going directly to Web sites. The
services make the promise that they don't pass private information along
to Web sites. They also do no logging of Web sites that have been
visited.
After reading the article, I was curious to find out how well each of
these services worked. In particular, I wanted to know if it would be
possible for a Web site to defeat any of these systems. Unfortunately,
with less than an hour's worth of work, I was able to get all four
systems to fail when using Netscape 4.5.
The most alarming failures occurred with the Anonymizer and Aixs systems.
With the same small HTML page I was able to quietly turn off the
anonymizing feature in both services. Once this page runs, it quickly
redirects to a regular Web page of the Web site. Because the browser is
no longer in anonymous mode, IP addresses and cookies are again sent from
the user's browser to all Web servers. This security hole exists because
both services fail to properly strip out embedded JavaScript code in all
cases from HTML pages.
With the Bell Labs and NRL systems I found a different failure. With a
simple JavaScript expression I was able to query the IP address and host
name of the browser computer. The query was done by calling the Java
InetAddress class using the LiveConnect feature of Netscape Navigator.
Once JavaScript has this information, it can easily be transmitted
back to a Web server as part of a URL.
A demo on the use of Java InetAddress class to fetch the browser IP
address and host name can be found at:
http://www.tiac.net/users/smiths/js/livecon/index.htm
If you are a user of any of these services, I highly recommend that you turn
off JavaScript, Java, and ActiveX controls in your browser before surfing
the Web. This simple precaution will prevent any leaks of your IP address
or cookies. I will be notifying all 4 vendors about these security holes
and hopefully this same recommendation will be given to all users.
If you have any questions or comments, please send them via Email.
Richard M. Smith
smiths@tiac.net
---
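Added example, not part of Smith's post or any vendor's code: a Python sketch of the rewriting step an anonymizing proxy needs, built as an allowlist so that script, applets, event handlers and refresh redirects are dropped and every surviving URL points back at the proxy. The proxy endpoint, the sample page and all function names are assumptions made for the illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urljoin, urlsplit

PROXY_PREFIX = "https://anon-proxy.example/fetch?u="  # hypothetical endpoint

# Allowlist: any tag or attribute not named here is dropped (fail closed).
ALLOWED_TAGS = {"html", "head", "title", "body", "p", "br", "hr", "a", "img",
                "b", "i", "em", "strong", "pre", "h1", "h2", "h3", "ul", "ol",
                "li", "table", "tr", "td", "th", "form", "input"}
VOID_TAGS = {"br", "hr", "img", "input"}
URL_ATTRS = {"href", "src", "action"}
PLAIN_ATTRS = {"alt", "title", "name", "value", "type", "method",
               "width", "height", "align"}
# Active-content containers: the element and everything inside it vanishes.
DROP_WITH_CONTENT = {"script", "style", "applet", "object"}


def rewrite_url(raw, base_url):
    """Return the proxied form of an http(s) URL, or None if it must go."""
    try:
        absolute = urljoin(base_url, raw.strip())
        parts = urlsplit(absolute)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # javascript:, data:, ftp:, mailto: never reach the user
    return PROXY_PREFIX + quote(absolute, safe="")


class ProxyRewriter(HTMLParser):
    def __init__(self, base_url):
        super().__init__(convert_charrefs=True)
        self.base_url = base_url
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # <meta http-equiv=refresh>, <base>, <embed> land here
        kept = []
        for name, value in attrs:
            value = value or ""
            if name in URL_ATTRS:
                proxied = rewrite_url(value, self.base_url)
                if proxied is not None:
                    kept.append((name, proxied))
            elif name in PLAIN_ATTRS:
                kept.append((name, value))
            # on* handlers, style, target and unknown attributes are dropped
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html_text, base_url):
    parser = ProxyRewriter(base_url)
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


def unproxied_urls(html_text):
    """URLs in a page that would make the browser bypass the proxy."""
    found = re.findall(r'(?:href|src|action)="([^"]*)"', html_text)
    return [u for u in found if not u.startswith(PROXY_PREFIX)]


# Constructed sample input, not taken from any real site.
SAMPLE_BASE = "http://site.example/dir/page.html"
SAMPLE_PAGE = """<html><head><title>Test</title>
<meta http-equiv="refresh" content="0; url=http://site.example/direct.html">
<script>document.write("script ran");</script>
</head><body onload="run()">
<p>Hello &amp; welcome</p>
<a href="/next.html" onclick="run()">next</a>
<a href="javascript:run()">bad</a>
<img src="http://tracker.example/pixel.gif" alt="x">
<applet code="Probe.class"><p>fallback</p></applet>
</body></html>"""

if __name__ == "__main__":
    print(sanitize(SAMPLE_PAGE, SAMPLE_BASE))
```

An unterminated `<script>` or `<applet>` leaves `skip_depth` above zero, so the rest of the page is suppressed rather than passed through unfiltered.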
HNN contacted Zero-Knowledge Systems, the only
company _not_ mentioned in the above advisory, and
they had this to say...
Re: JavaScript Querying for IP
Tweaking JavaScript to pull IP addresses is no different
than creating a virus. Anything in the application layer
requires much more effort to scan for malicious content.
Freedom scans all content, ensuring that a user's IP
address cannot leave the TCPIP stack unanonymized,
whether JavaScript requests it or not. However, like a
virus, people can always design around systems so the
real challenge for Zero-Knowledge is to catch these
attempts and correct them.
Re: Turning Off the "Anonymizing" Feature
Redirecting a user to another web page and thus moving
the browser into a "non-anonymous" mode is not an
issue with Freedom. Working at the driver level,
Freedom is application independent and therefore does
not rely on running your browser through an
anonymizing proxy.
Zero-Knowledge Systems
http://www.zks.net/
Wired magazine comes up with an article on the
subject.
Wired
http://www.wired.com/news/news/technology/story/19091.html
Anonymous Web Surfing? Uh-Uh
by Chris Oakes
2:25 p.m. 13.Apr.99.PDT
People who think they're cruising the Web in a stealth vehicle may find that their
license plates are still showing.
"Anonymizer" services admit that their attempts to protect individual Web
identities aren't bulletproof, but say that browsing technologies should share the
blame.
Programmer Richard Smith, who has a history of poking holes in supposedly
secure software programs, tested four anonymizer Web services and came away
unimpressed. On Monday, Smith said that results revealed a variety of data leaks,
causing him to worry that users might browse with a false sense of security.
"I was surprised that companies who are in the computer security business have
systems that are so easy to break," he said. "Even more surprising is that four
vendors had a problem, not just one."
The leaks provide clues to a user's identification, such as a numerical
Internet, or IP, address.
"I found very serious security holes in all of the major anonymous Web surfing
services," Smith said. "These security holes allow a Web site to obtain
information about users that the anonymizing services are supposed to be hiding."
Representatives of the services acknowledge that security lapses occur,
but argue that the browsing software is as much to blame as they are. They're
quick to add that they patch holes when they can.
Smith tested the Anonymizer, Aixs, the Lucent Personalized Web Assistant, and a
US Navy-sponsored research project called the Onion Routing service.
Although the characteristics of each service vary, they primarily use
data-stripping and proxy-masking techniques to conceal key data that
browser software can leave behind.
The Anonymizer recently announced an anonymous forwarding service to help
safeguard the identity of those filing unofficial and uncensored email reports
from the fighting in Kosovo.
The main purpose of all four services, though, is to keep a user's identity safe
from the prying eyes of Web-site operators by preventing them from
obtaining an IP address, a host computer's name, or browser cookies that
tip off a return visit to a site.
To hide these details, most services act as a kind of Web waystation between
browsers and sites. The anonymizing services retrieve Web pages and deliver
them to users instead of users fetching them directly.
An operator at one service says that the weaknesses Smith points out are not
entirely the fault of the anonymizer. Flaws in the software must take some
blame, too.
Using a test HTML page containing simple JavaScript code -- which could be posted
on a site seeking to sniff out a user's identity -- Smith was able to quietly turn
off the anonymizing feature in the Anonymizer and Aixs systems.
No longer anonymous, the user's browser will resume the delivery of IP addresses
and cookies to a Web site. Smith says that's due to the services failing to
consistently filter embedded JavaScript code from a site's HTML code.
Anonymizer CEO Lance Cottrell said that the company is responding to Smith's
alert. But he said that to exploit the vulnerability, a site would have to be
actively seeking to do so.
"In any case, being bounced out of the Anonymizer would only show that the
person had been there, but would not allow correlation with any postings,"
Cottrell said, adding that no anonymizer system can promise perfectly sealed
identity.
"The systems we are working with are simply too flexible, and allow things to be
done in too many ways, for security to be perfect. We try to anticipate all the
loopholes we can, then act like lightning when an unforeseen hole is reported."
Attempts to reach representatives at the Aixs service were unsuccessful.
With the Lucent Personalized Web Assistant and Onion Routing service,
Smith found a different type of problem. "With a simple JavaScript expression, I
was able to query the IP address and host name of the browser computer."
Once JavaScript has this information, he said it can easily be transmitted back
to a Web server as part of a URL. He said that the same tests run with Internet
Explorer 4.0 did not produce the same vulnerabilities.
Jeremey Barrett, an engineer for the Onion Routing System, said that the
problem lies with the browsers, not with anonymizer services like his. Browsers, he
said, will surrender a user's IP address to sites that request it with JavaScript or
ActiveX code.
Browser manufacturers have released patches periodically as issues surrounding
the acknowledged risks of executing JavaScript and ActiveX code have surfaced.
"The only way to prevent this, regardless of the anonymizing system used, is to
filter out the JavaScript code using some form of proxy," said Barrett.
He also said that Onion Routing is not simply an anonymizer meant to keep an
individual site from knowing who's visiting. "Rather, it's meant to prevent anyone
else from knowing that you are talking to a particular Web server."
"For example, you might log into your bank's Web site over the Onion Routing
system. You would very definitely want the bank to know who you were, but you
might not want anyone to know you were talking to your bank."
For airtight Web browsing, any feature beyond basic HTML would have to be
turned off in the browser; that's the nature of the approach taken by the
Anonymizer as it strips out such code.
Smith would like to see any anonymizer service provide both the proxy and the
standard anonymizing service that strips data from a user's browsing trail.
Meanwhile, anonymizing services should warn their users and fix the bugs.
"Netscape should fix how it handles Java so that it doesn't leak people's IP
address. This bug does not exist in IE4," Smith said. He reported the problem to
Netscape last September, but said that the company still hasn't provided a fix.
@HWA
04.0 Some musings on the Melissa 'virus' by WHiTe VaMPiRe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Melissa "Virus"
First of all, Melissa is not really a virus, regardless of what the media
portrays it as. It should be considered a worm.
What is the deal with mainstream media hyping all these so-called "viruses"?
Happy99.exe, and Melissa, are some of the more recent ones. The only reason
these "viruses" propagate is due to a person's ignorance. Do not run programs
that you are unaware of what they are. That simple.
Then this random Joe Blow is out on $100,000 dollar bond due to writing some
macro in Word. The most he did was spam, and maybe commit some sort of fraud
with America Online. That evil person. Let's jail him for 40 years! (If I remember
correctly that is the maximum sentence for his "crime".) When rapists are getting
out in less than 20. That makes total sense.
I typically ignore things such as this. I knew very little about Happy99.exe
until I had a relative call up requesting my assistance, once I looked into it I
was wondering what the hell was going on. Things like this should not even be
circulating in the first place.
I must say I feel rather sorry for the person who wrote Melissa. His actions may
have not been in the best taste, but the harsh way he is being dealt with is a
tad over the line.
I have yet to figure out why virii such as CIH, et cetera, are overlooked yet
Happy99.exe gets more news coverage than OJ Simpson. Maybe some indirect media bias,
or a "real" virus is not as accessible to the common computer user. I am not one to
claim to know.
Regards,
-WHiTe VaMPiRe\Rem-
@HWA
05.0 So much for your radio hobby
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 9, 1999, 13:47
Author: WHiTe VaMPiRe
As reported by HNN...
FCC has made some Amendments to Parts 2 and 15 of the "Commission's Rules to
Further Ensure That Scanning Receivers Do Not Receive Cellular Radio Signals",
"Specifically, we adopt rules that require scanning receivers to include
adequate filtering so that they do not pick up Cellular Service transmissions
even when tuned to frequencies outside those allocated to the Cellular Service."
This could potentially ban the entire radio spectrum depending on interpretation.
Starting June 1, 1999 we will see this label on every new scanner:
WARNING: MODIFICATION OF THIS DEVICE TO RECEIVE CELLULAR RADIOTELEPHONE SERVICE
SIGNALS IS PROHIBITED UNDER FCC RULES AND FEDERAL LAW.
It will soon be illegal to import and manufacture scanners and frequency converter
kits that are capable of listening to the cell transmissions (this includes the
allotted frequencies AND cell images).
Manufacturers are required to design their scanners so that if they are modified
to receive cell transmissions they will be rendered inoperable.
Regardless of the date of manufacture, it will soon be against the law to modify a
scanner to listen to cell transmissions. Any modification of a scanner that changes
its operating characteristics voids the equipment certification.
Interesting how this has become a problem of the very poor scanner and radio industry
as opposed to forcing the very very rich cellular telephone industry to create more
secure phones. These new laws will not prevent people (or the government) from
intercepting your personal cellular communications as more secure phones might. These
laws will only make criminals out of thousands of otherwise law abiding citizens.
HNN also has a new topic in their Buffer Overflow section written by Brian Oblivion
regarding "why this is a bad thing".
(Most of this was composed by HNN. We at Project Gamma found their article to be
straight to the point, so why rehash good news. Please visit HNN, excellent site.)
Check out Brian Oblivion's article on this topic in Buffer Overflow on HNN
http://www.hackernews.com/orig/scanner.html
@HWA
06.0 ICQ99 Vulnerabilities still with us
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Via Project Gamma www.projectgamma.com
ICQ Vulnerabilities
April 8, 1999, 22:11
Author: WHiTe VaMPiRe
Ever wonder what that little house was next to a person's nick on your ICQ
list? Well, that means that user is running ICQ's pseudo "httpd". This
was a "feature" included with ICQ 99a.
This "feature" has several vulnerabilities. The first being, if you connect
to the httpd (port 80) and send an invalid command it causes ICQ to gpf
(General Protection Fault). An example would be "quit".
The second vulnerability being: When you are connected to ICQ and have the
httpd enabled every request to http://members.icq.com/ will be redirected to
your computer. Thus, exposing your IP. Nevertheless only files in
"/ICQ99/Hompage//personal" should be accessible. But a visitor can "climb up"
the directory tree with dots, IE. http:///../bleah.html would present him with
the file "bleah.html" in the "ICQ99" directory. With enough "dots" the person
could get all the way to your root directory. But there is one barrier: the
ICQ-pseudo-httpd only delivers files with the ".html" extension. To "fool" it
you add ".html/" to the URL and the httpd sends every file you request. For
example, "http:///../../../../../../config.sys" would not work,
but "http:///.html/../../../../../../config.sys" would.
This has been vulnerable in both ICQ 99a Build 1700 and 1547.
Bugtraq contributed to this report.
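Added example, not from the Project Gamma report or from ICQ: a Python model of the two flaws described above next to a hardened request handler. The web root path, function names and sample requests are constructed for the illustration; `naive_resolve` only models the behaviour the report describes and is not ICQ's code.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/webroot/personal"  # hypothetical document root


def naive_resolve(url_path):
    """Flawed model: the ".html" test looks at the raw request string and
    nothing confines the resolved file to the web root."""
    if ".html" not in url_path:
        return None
    return posixpath.normpath(posixpath.join(WEB_ROOT, url_path.lstrip("/")))


def safe_resolve(url_path):
    """Decode, normalise, confine to WEB_ROOT, then test the extension of the
    file that would actually be opened. Returns a path or None."""
    decoded = unquote(url_path)
    # ICQ ran on Windows: refuse backslashes and colons outright so alternate
    # separators and drive syntax never reach the join. NUL is refused too.
    if any(ch in decoded for ch in ("\x00", "\\", ":")):
        return None
    candidate = posixpath.normpath(
        posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # Containment is checked on the normalised result, not on the request.
    if not candidate.startswith(WEB_ROOT + "/"):
        return None
    # Extension is checked on the final path, so a ".html/" segment that is
    # later cancelled by ".." no longer counts.
    if posixpath.splitext(candidate)[1].lower() != ".html":
        return None
    # A real server would also resolve symlinks (os.path.realpath) and repeat
    # the containment check before opening the file.
    return candidate


def handle_request_line(line):
    """Parse one request line and return (status, path). Garbage input gets an
    error status instead of reaching file-handling code."""
    parts = line.strip().split()
    if len(parts) not in (2, 3):
        return 400, None          # e.g. the bare word "quit"
    method, target = parts[0], parts[1]
    if method != "GET":
        return 501, None
    if not target.startswith("/"):
        return 400, None
    path = safe_resolve(target.split("?", 1)[0])
    return (200, path) if path else (403, None)


# Constructed sample requests.
SAMPLE_REQUESTS = [
    "quit",
    "GET /index.html HTTP/1.0",
    "GET /../bleah.html HTTP/1.0",
    "GET /.html/../../../../config.sys HTTP/1.0",
    "GET /%2e%2e/%2e%2e/secret.html HTTP/1.0",
    "GET /notes.txt HTTP/1.0",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(f"{request!r:50} -> {handle_request_line(request)}")
```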
@HWA
07.0 "Hacking to become a crime"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarded From: William Knowles
http://www.infotech.co.nz/current/nxhack.html
April 12, 1999
Hacking to become a crime
By AMANDA WELLS
THE GOVERNMENT is to take long-awaited steps towards plugging electronic
crime loopholes by proposing four new offences for the Crimes Act.
It will become a criminal act to access a computer system with a dishonest
purpose, to attempt to access a computer system for a dishonest purpose,
to damage or interfere with a computer system, and to have unauthorised
access to a computer.
The proposed amendments would make hacking, or entering a system without
permission, a crime, which it currently is not.
Justice Minister Tony Ryall says that the amendments will be included in a
Bill that addresses broader property law issues, to be introduced this
Parliamentary session.
Mr Ryall says the amendments target computer hackers and virus spreaders.
"The Government intends to introduce a number of amendments to protect
computer owners from unlawful access to their systems and dishonest use of
the data and information stored on their computer systems."
The Crimes Act was drafted in 1961 and predates crimes made possible by
current computer technology.
The minister has been considering a draft report covering hacking issues,
and a 1998 Law Commission report, for several months.
Hacking incidents involving Internet service providers the Internet Group
(Ihug) and Telecom's Xtra late last year underscored the lack of
legislation to deal with computer criminals.
The man accused of hacking into Xtra, Andrew Garrett, last week pleaded
not guilty to seven charges brought under current legislation. These
charges include obtaining credit from Telecom without revealing that he
was bankrupt, and using software documents for his own gain.
The Law Commission's report was prompted by a Court of Appeal case that
allowed a group of men to appeal convictions for dishonesty - because
using a document to dishonestly make a bank credit an account is not a
crime under current legislation.
According to the minister, "recent Court of Appeal cases have highlighted
the need to update the criminal law to take account of new technology and
computer-related offending".
On releasing the report in December, the Law Commission called for urgent
action to plug the gap in criminal law.
The commission has since set up an advisory committee to produce a
discussion paper on computer misuse, which is scheduled for release at the
end of this month.
This report is due to contain recommendations for legislative reform that
may be more wide-ranging than the minister's proposals.
The Internet Society of New Zealand has called for action on electronic
crime legislation, and lawyers who specialise in the information
technology area also say new legislation is needed if computer criminals
are to be successfully prosecuted.
After last year's hacking incidents, Ihug initiated the formation of a
lobby group to push for law reform.
The Network of Internet Related Organisations (Niro) now has 50 member
groups and a Web site due to go online this week.
Members include Web designers and Internet companies, with most of the
major Internet providers involved.
Lawyer Chris Patterson represents Niro, and says the Web site will
function as a discussion forum, where laws will be proposed and discussed.
He says a special piece of electronic crime law is needed, rather than any
amendments to existing law.
"We need the equivalent to the American Computer Abuse and Fraud Act. We
need to be able to say that there are certain things that are criminal
acts, which the Crimes Act just won't have the capacity to deal with."
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
@HWA
08.0 Client Security: You've got armored trucks,
but what about the pick pockets? - Chris Wysopal, The l0pht
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarded From: Robert Hettinga
The Digital Commerce Society of Boston
Presents
Chris Wysopal
Hacker,
L0pht Heavy Industries
Client Security: You've got armored trucks,
but what about the pick pockets?
Tuesday, April 6th, 1999
12 - 2 PM
The Downtown Harvard Club of Boston
One Federal Street, Boston, MA
Everyone in ecommerce these days is peddling better vaults for stores and
stronger armored cars to deliver payments and merchandise. Does this
really matter in an Internet world where you can pick the pocket of a
consumer? Or more likely, to automate the pocket picking of a large number
of consumers.
Current authentication and purchasing systems rely on consumers using off
the shelf operating systems such as windows 95/98. This is the operating
system which Microsoft has admitted to having no security model. Current
ecommerce client security is layering strong encryption on this bed of
jello.
What are some of the attacks that are being used? What technology can be
used to overcome this problem?
Chris Wysopal has a computer engineering degree from Rensselaer
Polytechnic Institute, but almost all of what he knows about computer
security he has learned from his exploration of computers as a hacker for
the past 15 years. As an associate of L0pht Heavy Industries he has
worked to expose the "snake oil" in the computer security industry and
tried to make the general public aware of just how fragile the
internet and security products are. Last May he testified as a computer
security expert before the Senate Governmental Affairs Committee and has
appeared on several TV documentaries and news programs, including the BBC,
CBC, ZDTV, FOX News, and The Jim Lehrer News Hour.
This meeting of the Digital Commerce Society of Boston will be held on
Tuesday, May 4, 1999, from 12pm - 2pm at the Downtown Branch of the
Harvard Club of Boston, on One Federal Street. The price for lunch is
$32.50. This price includes lunch, room rental, various A/V hardware, and
the speakers' lunch. The Harvard Club *does* have a dress code: jackets
and ties for men (and no sneakers or jeans), and "appropriate business
attire" (whatever that means), for women. Fair warning: since we
purchase these luncheons in advance, we will be unable to refund the price
of your lunch if the Club finds you in violation of the dress code.
We need to receive a company check, or money order, (or, if we *really*
know you, a personal check) payable to "The Harvard Club of Boston", by
Saturday, May 1st, or you won't be on the list for lunch. Checks payable
to anyone else but The Harvard Club of Boston will have to be sent back.
Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston,
Massachusetts, 02131. Again, they *must* be made payable to "The Harvard
Club of Boston", in the amount of $32.50. Please include your e-mail
address, so that we can send you a confirmation.
If anyone has questions, or has a problem with these arrangements (We've
had to work with glacial A/P departments more than once, for instance),
please let us know via e-mail, and we'll see if we can work something out.
Upcoming speakers for DCSB are:
June    Ron Rivest    MIT    Deep Crack = MicroMint?
July    TBA
We are actively searching for future speakers. If you are in Boston
on the first Tuesday of the month, and you are a principal in digital
commerce, and would like to make a presentation to the Society, please
send e-mail to the DCSB Program Committee, care of Robert Hettinga,
.
For more information about the Digital Commerce Society of Boston,
send "info dcsb" in the body of a message to . If you want to subscribe to the DCSB e-mail
list, send "subscribe dcsb" in the body of a message to .
We look forward to seeing you there!
Cheers,
Robert Hettinga
Moderator,
The Digital Commerce Society of Boston
-----------------
Robert A. Hettinga
Philodox Financial Technology Evangelism
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
For help on using this list (especially unsubscribing), send a message to
"dcsb-request@ai.mit.edu" with one line of text: "help".
@HWA
09.0 Strong privacy software for Linux makes worldwide debut
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarded From: Sandy Harris
Originally From: Henry Spencer
Strong Internet Privacy Software Free for Linux Users Worldwide
Toronto, ON, April 14, 1999 -
The Linux FreeS/WAN project today released free software to protect the
privacy of Internet communications using strong encryption codes.
FreeS/WAN automatically encrypts data as it crosses the Internet, to
prevent unauthorized people from receiving or modifying it. One ordinary
PC per site runs this free software under Linux to become a secure gateway
in a Virtual Private Network, without having to modify users' operating
systems or application software. The project built and released the
software outside the United States, avoiding US government regulations
which prohibit good privacy protection. FreeS/WAN version 1.0 is
available immediately for downloading at http://www.xs4all.nl/~freeswan/.
"Today's FreeS/WAN release allows network administrators to build
excellent secure gateways out of old PCs at no cost, or using a cheap new
PC," said John Gilmore, the entrepreneur who instigated the project in
1996. "They can build operational experience with strong network
encryption and protect their users' most important communications
worldwide."
"The software was written outside the United States, and we do not accept
contributions from US citizens or residents, so that it can be freely
published for use in every country," said Henry Spencer, who built the
release in Toronto, Canada. "Similar products based in the US require
hard-to-get government export licenses before they can be provided to
non-US users, and can never be simply published on a Web site. Our
product is freely available worldwide for immediate downloading, at no
cost."
FreeS/WAN provides privacy against both quiet eavesdropping (such as
"packet sniffing") and active attempts to compromise communications (such
as impersonating participating computers). Secure "tunnels" carry
information safely across the Internet between locations such as a
company's main office, distant sales offices, and roaming laptops. This
protects the privacy and integrity of all information sent among those
locations, including sensitive intra-company email, financial transactions
such as mergers and acquisitions, business negotiations, personal medical
records, privileged correspondence with lawyers, and information about
crimes or civil rights violations. The software will be particularly
useful to frequent wiretapping targets such as private companies competing
with government-owned companies, civil rights groups and lawyers,
opposition political parties, and dissidents.
FreeS/WAN provides privacy for Internet packets using the proposed
standard Internet Protocol Security (IPSEC) protocols. FreeS/WAN
negotiates strong keys using Diffie-Hellman key agreement with 1024-bit
keys, and encrypts each packet with 168-bit Triple-DES (3DES). A modern
$500 PC can set up a tunnel in less than a second, and can encrypt 6
megabits of packets per second, easily handling the whole available
bandwidth at the vast majority of Internet sites. In preliminary testing,
FreeS/WAN interoperated with 3DES IPSEC products from OpenBSD, PGP, SSH,
Cisco, Raptor, and Xedia. Since FreeS/WAN is distributed as source code,
its innards are open to review by outside experts and sophisticated users,
reducing the chance of undetected bugs or hidden security compromises.
The software has been in development for several years. It has been
funded by several philanthropists interested in increased privacy on the
Internet, including John Gilmore, co-founder of the Electronic Frontier
Foundation, a leading online civil rights group.
Press contacts:
Hugh Daniel, +1 408 353 8124, hugh@toad.com
Henry Spencer, +1 416 690 6561, henry@spsystems.net
* FreeS/WAN derives its name from S/WAN, which is a trademark of RSA Data
Security, Inc; used by permission.
-30-
@HWA
10.0 Security Search engine back online
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: Security Search
As many of you are aware, on Friday April 9 we were forced to take
Security Search offline. This was due to the fact that our Internet
Provider could not cope with Security Search's high volume of web site
traffic.
We have now moved to a new ISP and are back online. We thank everyone for
their kind words, support and patience during the time we were offline.
We are determined to return the favour by providing you with the most
comprehensive source of IT security information and resources on the
Internet.
Security Search will continue to grow and offer new services and we are
eager to receive your ideas on how to make it better.
We hope that our "teething" problems are over and invite you to return to
Security Search. Visit http://www.securitysearch.net
Security Search
The Internet Security Search Engine
http://www.securitysearch.net/
@HWA
11.0 Smart Card Forum privacy symposium
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarded From: "Jay D. Dyson"
Originally From: "Deborah Volk"
The Smart Card Forum Announces Symposium for
In-Depth Examination of Internet Security, Privacy
"Enabling Privacy in a Virtual World" Features Experts in
Industry, Government, Media and Consumer Advocacy
WASHINGTON, D.C., April 6, 1999 -- The Smart Card Forum (SCF), a
multi-industry organization working to accelerate the widespread acceptance
of smart card technology, today announced an upcoming in-depth symposium
that will focus on the critical issues surrounding privacy and security in
the Internet era. The symposium, entitled "Enabling Privacy in a Virtual
World," is open to the public and will be held on May 20, 1999 at the
Monarch Hotel in Washington, D.C.
The symposium will feature presentations and debate from a range of
Internet experts - including representatives from major corporations
involved in Internet commerce, leading developers of security technologies
and electronic commerce products, as well as key government officials
considering legislative, regulatory and policy issues. Educators,
journalists, and consumer spokespeople concerned with issues of individual
privacy in an increasingly virtual world will also add their perspective to
the mix.
"As companies and consumers converge on the Internet as the medium of
choice for conducting business, the need to effectively and seamlessly
address issues of security and privacy becomes increasingly urgent," said
Donna Farmer, president and CEO of The Smart Card Forum. "In presenting
'Enabling Privacy in a Virtual World,' the Smart Card Forum continues its
tradition of introducing and illuminating the leading issues of the day,
and, as such, we expect media attention for the symposium to be strong."
Some of the speakers that will participate in The Smart Card Forum's
symposium include Representative Vern Ehlers; Marc Rotenberg of Electronic
Privacy Information Center (EPIC); Dan Geer, Senior Strategist of CertCo;
Jeff Kutler, editor of "American Banker;" Thomas A. Kalil, senior director,
National Economic Council; Steve Ellis, vice president of Business
Development of Intel; Steve Crocker, founder of CyberCash; Stewart Baker,
partner of Steptoe & Johnson; Jerry Ashworth, editor of "Report on Smart
Cards," Taher Elgamal of Kroll-O'Gara; and author Simson Garfinkel.
The fee for non-members who register by April 15 is $325. After this date,
the fee is $395 for non-members. Attendees may register online at
www.smartcardforum.org or by calling (202) 530-5306. Member registration
information and pricing structure is available on the Web site.
Registration and continental breakfast will start at 7:30 a.m. on the day
of the event and the program will begin at 8:00 a.m. and end with a
reception for attendees from 5:30 p.m. to 7:30 p.m.
About The Smart Card Forum
The Smart Card Forum is a non-profit, multi-industry organization of nearly
200 members working to accelerate the widespread acceptance of multiple
application smart card technology by bringing together, in an open forum,
leading users and technologists from both the public and private sectors.
The Smart Card Forum is the leading organization for education and awareness
of topical issues associated with the use and adoption of smart card
systems. For more information about The Smart Card Forum, log on to the
organization's Web site at www.smartcardforum.org.
(30)
Thank you for your time,
Sincerely,
Deborah Volk
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
@HWA
12.0 HP advisory Security Vulnerability in MPEi/X debug
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Tue, 13 Apr 1999 04:37:00 -0700 (PDT)
Subject: Security Bulletins Digest
From: support_feedback@us-support.external.hp.com (HP Electronic Support Center )
To: security_info@us-support.external.hp.com
Reply-To: support_feedback@us-support.external.hp.com
Errors-To: support_errors@us-support.external.hp.com
HP Support Information Digests
===============================================================================
o HP Electronic Support Center World Wide Web Service
---------------------------------------------------
If you subscribed through the HP Electronic Support Center and would
like to be REMOVED from this mailing list, access the
HP Electronic Support Center on the World Wide Web at:
http://us-support.external.hp.com
Login using your HP Electronic Support Center User ID and Password.
Then select Support Information Digests. You may then unsubscribe from the
appropriate digest.
===============================================================================
Digest Name: Daily Security Bulletins Digest
Created: Tue Apr 13 3:00:02 PDT 1999
Table of Contents:
Document ID Title
--------------- -----------
HPSBMP9904-006 Security Vulnerability in MPEi/X debug
The documents are listed below.
-------------------------------------------------------------------------------
Document ID: HPSBMP9904-006
Date Loaded: 19990412
Title: Security Vulnerability in MPEi/X debug
-------------------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: (MPE/iX) #006, 13 April 1999
-------------------------------------------------------------------------
The information in the following Security Bulletin should be acted upon
as soon as possible. Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.
-------------------------------------------------------------------------
PROBLEM : Debug improperly handles commands.
PLATFORM: All HP3000 systems running the MPE/iX 5.0 and MPE/iX 5.5
release of the Operating System only.
DAMAGE : Users can gain increased privileges.
SOLUTION: Apply the appropriate patches to correct the problem:
For MPE/iX 5.0: MPEKXM1A
For MPE/iX 5.5: MPEKXM1B
---------------------------------------------------------------------
I.
A. Background
Under certain conditions, improper use of the debug utility
in MPE/iX Operating system can result in users gaining increased
privileges.
B. Fixing the problem
Obtain the patch from the HP Electronic Support Center (ESC)
by following the instructions below. Installing the following
patch will completely close this vulnerability.
For all HP3000 platforms running MPE/iX 5.0: MPEKXM1A
For all HP3000 platforms running MPE/iX 5.5: MPEKXM1B
NOTE: The problem does not exist with the release MPE/iX 6.0.
C. To subscribe to automatically receive future NEW HP Security
Bulletins or access the HP Electronic Support Center, use your
browser to get to our ESC web page at:
http://us-support.external.hp.com (for non-European locations),
or http://europe-support.external.hp.com (for Europe)
Login with your user ID and password (or register for one).
Remember to save the User ID/password assigned to you.
Once you are in the Main Menu:
To -subscribe- to future HP Security Bulletins,
click on "Support Information Digests".
To -review Security bulletins already released-,
click on the "Search Technical Knowledge Database."
To -retrieve patches-, click on "Individual Patches" and select
appropriate release and locate with the patch identifier (ID).
To -browse the HP Security Bulletin Archive-, select the link at
the bottom of the page once in the "Support Information Digests".
To -view the Security Patch Matrix-, (updated daily) which
categorizes security patches by platform/OS release, and by
bulletin topic, go to the archive (above) and follow the links.
The security patch matrix is also available via anonymous ftp:
us-ffs.external.hp.com or ~ftp/export/patches/hp-ux_patch_matrix
D. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the security-alert
PGP key, available from your local key server, or by sending a
message with a -subject- (not body) of 'get key' (no quotes) to
security-alert@hp.com.
Permission is granted for copying and circulating this Bulletin to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the Bulletin
is not edited or changed in any way, is attributed to HP, and
provided such reproduction and/or distribution is performed for
non-commercial purposes.
Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID: HPSBMP9904-006--------------------------------------
----- End forwarded message -----
--
Patrick Oonk - http://patrick.mypage.org/ - patrick@pine.nl
Pine Internet B.V. Consultancy, installatie en beheer
Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
-- Pine Security Digest - http://security.pine.nl/ (Dutch) ----
Excuse of the day: the butane lighter causes the pincushioning
@HWA
13.0 Cisco security advisory Input Access List Leakage with NAT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Approved-By: aleph1@UNDERGROUND.ORG
Message-ID: <19990413145711.9043.QMAIL@SUSAN.CISCO.COM>
Date: Tue, 13 Apr 1999 14:57:11 -0000
Reply-To: psirt@cisco.com
Sender: Bugtraq List
From: psirt@cisco.com
Subject: Cisco security notice: Input Access List Leakage with NAT
X-To: cisco@spot.colorado.edu, cust-security-announce@cisco.com,
firewalls@greatcircle.com, first-info@first.org
To: BUGTRAQ@netspace.org
-----BEGIN PGP SIGNED MESSAGE-----
Cisco IOS(R) Software Input Access List Leakage with NAT
Revision 1.2
For release Tuesday, April 13, 1999, 08:00 AM US/Pacific
Cisco internal use only until released on www.cisco.com
==============================================================
Summary
=======
A group of related software bugs (bug IDs given under "Software Versions and
Fixes") create an undesired interaction between network address translation
(NAT) and input access list processing in certain Cisco routers running
12.0-based versions of Cisco IOS software (including 12.0, 12.0S, and 12.0T,
in all versions up to, but not including, 12.0(4), 12.0(4)S, and 12.0(4)T, as
well as other 12.0 releases). Non-12.0 releases are not affected.
This may cause input access list filters to "leak" packets in certain NAT
configurations, creating a security exposure. Configurations without NAT are
not affected.
The failure does not happen at all times, and is less likely under
laboratory conditions than in installed networks. This may cause
administrators to believe that filtering is working when it is not.
Software fixes are being created for this vulnerability, but are not yet
available for all software versions (see the section on "Software Versions
and Fixes"). This notice is being released before fixed software is
universally available in order to enable affected Cisco customers to take
immediate steps to protect themselves against this vulnerability.
Who Is Affected
===============
If you are using input access lists in conjunction with NAT on an interface
of a Cisco IOS router running any 12.0-based version of Cisco IOS software
earlier than the fixed versions listed in the table under "Software Versions
and Fixes", then you are affected by this vulnerability. Non-12.0 releases
are not affected.
Both input access lists and NAT must be in use on the same router interface
in order for this vulnerability to manifest itself. If your configuration
file does not contain the command "ip access-group in" on the same
interface with "ip nat inside" or "ip nat outside", then you are not affected.
The majority of routers are not configured to use NAT, and are therefore not
affected. NAT routers are most commonly found at Internet boundaries.
Affected Devices
- --------------
Cisco devices that run Cisco IOS software, and are affected by this
vulnerability, include the following:
* Cisco routers in the 17xx family are affected.
* Cisco routers in the 26xx family are affected.
* Cisco routers in the 36xx family are affected.
* Cisco routers in the AS58xx family (not the AS52xx or AS53xx) are
affected.
* Cisco routers in the 72xx family (including the ubr72xx) are affected.
* Cisco routers in the RSP70xx family (not non-RSP 70xx routers) are
affected.
* Cisco routers in the 75xx family are affected.
* The Catalyst 5xxx Route-Switch Module (RSM) is affected. The Catalyst
5xxx switch supervisors themselves are not affected; only the optional
RSM module is involved.
Cisco devices which run Cisco IOS software, but are not affected by this
vulnerability, include the following:
* Cisco routers in the 8xx family are not affected.
* Cisco routers in the ubr9xx family are not affected.
* Cisco routers in the 10xx family are not affected.
* Cisco routers in the 14xx family are not affected.
* Cisco routers in the 16xx family are not affected.
* Cisco routers in the 25xx family are not affected.
* Cisco routers in the 30xx family are not affected (and do not run 12.0
software).
* Cisco routers in the mc38xx family are not affected.
* Cisco routers in the 40xx family are not affected.
* Cisco routers in the 45xx family are not affected.
* Cisco routers in the 47xx family are not affected.
* Cisco routers in the AS52xx family are not affected.
* Cisco routers in the AS53xx family are not affected.
* Catalyst 85xx Switch Routers are not affected (and do not support NAT).
* GSR12xxx Gigabit Switch Routers are not affected (and do not support
NAT).
* Cisco 64xx universal access concentrators are not affected.
* Cisco AGS/MGS/CGS/AGS+ and IGS routers are not affected (and do not run
12.0 software).
* LS1010 ATM switches are not affected.
* Catalyst 2900XL LAN switches are not affected.
* The Cisco DistributedDirector is not affected.
If you are unsure whether your device is running classic Cisco IOS software,
log into the device and issue the command "show version". Cisco IOS software
will identify itself simply as "IOS" or "Internetwork Operating System
Software". Other Cisco devices either will not have the "show version"
command, or will give different output.
If you are not running Cisco IOS software, then you are not affected by this
vulnerability. Cisco devices which do not run Cisco IOS software, and are
not affected by this vulnerability, include the following:
* 7xx dialup routers (750, 760, and 770 series) are not affected.
* Catalyst 19xx, 28xx, 29xx, 3xxx, and 5xxx LAN switches are not
affected.
* WAN switching products in the IGX and BPX lines are not affected.
* The MGX (formerly known as the AXIS shelf) is not affected.
* No host-based software is affected.
* The Cisco PIX Firewall is not affected.
* The Cisco LocalDirector is not affected.
* The Cisco Cache Engine is not affected.
Impact
======
The severity of the impact may vary, depending on the device type,
configuration and environment, from sporadic leakage of occasional packets
to consistent leakage of significant classes of packets. The environment
dependencies are extremely complex and difficult to characterize, but
essentially all vulnerable configurations are affected to some degree.
Customers with affected devices are advised to assume that the vulnerability
affects their networks whenever input access lists are used together with
NAT in 12.0-based software.
This vulnerability may allow users to circumvent network security filters,
and therefore security policies. This may happen with no special effort on
the part of the user, and indeed without the user being aware that a filter
exists at all. No particular tools, skills, or knowledge are needed for such
opportunistic attacks. In some configurations, it may be also possible for
an attacker to deliberately create the conditions for this failure; doing
this would require detailed knowledge and a degree of sophistication.
The conditions that trigger this vulnerability may be frequent and
long-lasting in some production configurations.
Software Versions and Fixes
===========================
This vulnerability is created by bugs in interface hardware drivers. These
bugs affect the drivers for all interface types on affected platforms. The
majority of these driver bugs are grouped under Cisco bug ID CSCdk79747.
Additional bug IDs include CSCdm22569 (miscellaneous additional drivers),
and CSCdm22299 (Cisco 1400 and 1700 platforms; of these two, only the 1700
actually suffers packet leakage).
A related bug is CSCdm22451, which describes a problem with the original
fix for CSCdk79747.
All four of these bugs are, or will be, fixed in the software releases
listed in the table below.
Many Cisco software images have been or will be specially reissued to
correct this vulnerability. For example, regular released version 12.0(3) is
vulnerable, as are interim versions 12.0(3.1) through 12.0(3.7). The first
fixed version of 12.0 mainline software is 12.0(4). However, a special
release, 12.0(3b), contains only the security vulnerability fixes, and does
not include any of the other bug fixes from later 12.0 interim releases.
If you were running 12.0(3), and wanted to upgrade to fix this problem,
without taking the risk of instability presented by the new functionality
and additional bug fixes in the 12.0(4) release, you could upgrade to
12.0(3b). 12.0(3b) represents a "code branch" from the 12.0(3) base, which
merges back into the 12.0 mainline at 12.0(4).
In every case, these special releases are one-time spot fixes, and will not
be maintained. The upgrade path from, say, 12.0(3b), is to 12.0(4).
Note that fixes are not yet available for some affected releases. Cisco is
releasing this notice before the general release of fixed software because
of the possibility that this vulnerability may be exploited in the interim.
All fix dates in the table are estimates and are subject to change.
+-------------+---------------+--------------+-------------+---------------+
|             |               |              |  Projected  |               |
|             |               | Special spot | first fixed |Projected first|
|             |               | fix release; | regular or  | fixed regular |
|  Cisco IOS  |               | most stable  |  interim**  |  maintenance  |
|Major Release|  Description  |  immediate   | release (fix|  release (or  |
|             |               | upgrade path | will carry  |other long term|
|             |               | (see above)  | forward into| upgrade path) |
|             |               |              |  all later  |               |
|             |               |              |  versions)  |               |
+-------------+---------------+--------------+-------------+---------------+
|                           Unaffected releases                            |
+-------------+---------------+--------------+-------------+---------------+
|11.3 and     |               |              |             |               |
|earlier, all |Unaffected     |Unaffected    |Unaffected   |Unaffected     |
|variants     |early releases |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|             |                    12.0-based releases                     |
+-------------+---------------+--------------+-------------+---------------+
|12.0         |12.0 mainline  |12.0(3b)      |12.0(4),     |12.0(4),       |
|             |               |              |April 19,    |April 19, 1999*|
|             |               |              |1999*        |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0S        |ISP support:   |              |12.0(4)S     |12.0(5)S       |
|             |7200, RSP,     |              |(treated as  |June 21, 1999* |
|             |GSR12000. In   |              |interim** and|               |
|             |field test.    |      -       |released to  |               |
|             |               |              |field testers|               |
|             |               |              |on request   |               |
|             |               |              |only         |               |
|             |               |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0T        |12.0 new       |12.0(3)T2,    |12.0(4)T,    |12.0(4)T,      |
|             |technology     |April 14,     |April 26,    |April 26, 1999*|
|             |early          |1999*         |1999*        |               |
|             |deployment     |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0DB       |12.0 for Cisco |              |             |Unaffected; not|
|             |6400 universal |              |             |supported on   |
|             |access         |              |             |affected       |
|             |concentrator   |      -       |      -      |platforms.     |
|             |node switch    |              |             |               |
|             |processor (lab |              |             |               |
|             |use)           |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(1)W5(x) |12.0 for       |              |             |Unaffected; not|
|             |Catalyst 8500  |      -       |      -      |supported on   |
|             |and LS1010     |              |             |affected       |
|             |               |              |             |platforms      |
+-------------+---------------+--------------+-------------+---------------+
|12.0(0.6)W5  |One-time early |              |             |Unaffected; not|
|             |deployment for |              |             |supported on   |
|             |CH-OC12 module |      -       |      -      |affected       |
|             |in Catalyst    |              |             |platforms.     |
|             |8500 series    |              |             |               |
|             |switches       |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(1)XA3   |Short-life     |              |Merged       |Upgrade to     |
|             |release; merged|              |             |12.0(3)T2 or   |
|             |to 12.0T at    |      -       |             |12.0(4)T       |
|             |12.0(2)T.      |              |             |               |
|             |               |              |             |               |
|             |               |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(1)XB    |Short-life     |Unaffected    |Merged       |Unaffected; not|
|             |release for    |              |             |supported on   |
|             |Cisco 800      |              |             |affected       |
|             |series; merged |              |             |platforms.     |
|             |to 12.0T at    |              |             |Regular upgrade|
|             |12.0(3)T.      |              |             |path is via    |
|             |               |              |             |12.0(4)T       |
|             |               |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(2)XC    |Short-life     |              |Merged       |Upgrade to     |
|             |release for new|              |             |12.0(3)T2 or   |
|             |features in    |              |             |12.0(4)T       |
|             |Cisco 2600,    |              |             |               |
|             |Cisco 3600,    |      -       |             |               |
|             |ubr7200, ubr900|              |             |               |
|             |series; merged |              |             |               |
|             |to 12.0T at    |              |             |               |
|             |12.0(3)T.      |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(2)XD    |Short-life     |              |Merged       |Upgrade to     |
|             |release for    |              |             |12.0(3)T2 or   |
|             |ISDN voice     |      -       |             |12.0(4)T       |
|             |features;      |              |             |               |
|             |merged to 12.0T|              |             |               |
|             |at 12.0(3)T.   |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(x)XE    |Short-life     |12.0(2)XE3,   |Merged       |Upgrade to     |
|             |release for    |April 13,     |             |12.0(3)T2 or   |
|             |selected       |1999*         |             |12.0(4)T.      |
|             |enterprise     |              |             |               |
|             |features;      |              |             |               |
|             |merged to 12.0T|              |             |               |
|             |at 12.0(3)T    |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(2)XF    |Short-life spot|Unaffected    |Merged       |Unaffected; not|
|             |release of 12.0|              |             |supported on   |
|             |for the        |              |             |affected       |
|             |Catalyst       |              |             |platforms.     |
|             |2900XL LAN     |              |             |Regular upgrade|
|             |switch; merged |              |             |path is via    |
|             |to 12.0T at    |              |             |12.0(4)T.      |
|             |12.0(4)T.      |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(2)XG    |Short-life     |              |Merged       |Upgrade to     |
|             |release for    |              |             |12.0(4)T       |
|             |voice modules  |      -       |             |               |
|             |and features;  |              |             |               |
|             |merged to 12.0T|              |             |               |
|             |at 12.0(4)T.   |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
* All dates are tentative and subject to change
** Interim releases are subjected to less internal testing and verification
than are regular releases, may have serious bugs, and should be installed
with great care.
Getting Fixed Software
- --------------------
Cisco is offering free software upgrades to remedy this vulnerability for
all affected customers. Customers with service contracts may upgrade to any
software version. Customers without contracts may upgrade only within a
single row of the table above, except that any available fixed software will
be provided to any customer who can use it and for whom the standard fixed
software is not yet available. As always, customers may install only the
feature sets they have purchased.
Note that not all fixed software is available as of the date of this notice.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should
be obtained via the Software Center on Cisco's Worldwide Web site at
http://www.cisco.com.
Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.
Workarounds
===========
This vulnerability may be worked around by changing the configuration to
avoid using input access lists, by removing NAT from the configuration, or
by separating NAT and filtering functions into different network devices or
onto different interfaces. Each of these changes has significant
installation-dependent complexity, and must be planned and executed with a
full understanding of the implications of the change.
If the configuration of a router is changed to eliminate NAT, or to change
the interfaces on which NAT is applied, as a means of avoiding this
vulnerability, the router must be reloaded before the change will have the
desired effect.
Exploitation and Public Announcements
=====================================
Cisco knows of no public announcements or discussion of this vulnerability
before the date of this notice. Cisco has had no reports of malicious
exploitation of this vulnerability. However, the nature of this
vulnerability is such that it may create security exposures without
knowingly being "exploited" as the term is usually used with respect to
security vulnerabilities.
This vulnerability was reported to Cisco by several customers who found it
during in-service testing.
Status of This Notice
=====================
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice.
Distribution
- ----------
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/770/iosnatacl-pub.shtml . In addition to
Worldwide Web posting, the initial version of this notice is being sent to
the following e-mail and Usenet news recipients:
* cust-security-announce@cisco.com
* bugtraq@netspace.org
* first-teams@first.org (includes CERT/CC)
* cisco@spot.colorado.edu
* comp.dcom.sys.cisco
* firewalls@greatcircle.com
* Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.
Revision History
- --------------
Revision 1.0, First release candidate version
16:40 US/Pacific
8-APR-1999
Revision 1.1, Remove extraneous editor's comments
18:20 US/Pacific
8-APR-1999
Revision 1.2, Typographical cleanup, clarification of affected releases
12:00 US/Pacific in summary section, remove extraneous bug reference.
9-APR-1999
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's Worldwide
Web site at
http://www.cisco.com/warp/public/791/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security notices.
- ------------------------------------------------------------------------
This notice is copyright 1999 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
all date and version information.
- ------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: Big Secret
Comment: For info see http://www.gnupg.org
iQEVAwUBNxNXfnLSeEveylnrAQHUqwf/bKI4zIa23ZbhKgn6pzlDxCmeKBxtDrxa
B4hNQf9p07YPsNrA/LYepYmNJAQpZz4uXflBVU/cKeQE8o8/AvbxgUvGuV7MY4La
Wafn7UbR26Vfixvk6ZzWPy8NnB5OGuL6Z7VEH3MW7UwNX8MPhKSLd6nCMA2Ily14
nVvKbylroSJhyFSvI1TizJYh/jjIqMudxPBIftNYIuUNpeLZkQ6B0p/CxScJ6AAT
Ze5+6KX4DMVKCb0uTV/+Hzayf67Z78eoxVSvA+Nj1CCE7J3nr8VC9qsJE0ItTbO9
xv0AoJ4MfrscQzT12hbIii9pvDCe3gW1e7E8PGMVFGo3V4WMGsIilA==
=XF+D
-----END PGP SIGNATURE-----
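The "Who Is Affected" test from the Cisco notice above, worked as a config audit. This is an added example, not Cisco's code and not part of the original digest; the sample configuration, the function names and the release strings passed in are constructed for illustration, and the device-family list is not checked.

```python
import re

# Fix data transcribed from the notice's "Software Versions and Fixes" table.
SPOT_FIXES = {"12.0(3b)", "12.0(3)T2", "12.0(2)XE3"}   # one-time spot fixes
FIXED_AT_4 = {"", "S", "T"}   # mainline, S and T are first fixed at 12.0(4)

# Matches e.g. 12.0(3), 12.0(3.7), 12.0(4)T, 12.0(1)XA3
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.\d+)?[a-z]?\)([A-Z]*)\d*$")
ACL_IN_RE = re.compile(r"^ip access-group (\S+) in$")
NAT_RE = re.compile(r"^ip nat (inside|outside)$")

# Constructed sample configuration (hypothetical router, documentation addresses).
SAMPLE_CONFIG = """\
version 12.0
!
interface Serial0/0
 description constructed Internet uplink
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
 ip nat outside
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 ip access-group 110 out
!
ip nat inside source list 1 interface Serial0/0 overload
"""


def classify_release(release):
    """Map an IOS release string to fixed / vulnerable / unaffected /
    check-table (short-life trains: read their table row) / unknown."""
    if release in SPOT_FIXES:
        return "fixed"
    m = RELEASE_RE.match(release)
    if not m:
        return "unknown"
    if (m.group(1), m.group(2)) != ("12", "0"):
        return "unaffected"      # the notice: non-12.0 releases are not affected
    if m.group(4) in FIXED_AT_4:
        return "fixed" if int(m.group(3)) >= 4 else "vulnerable"
    return "check-table"


def exposed_interfaces(config_text):
    """Return {interface: (acl, nat_side)} for every interface that carries
    both an input access list and NAT."""
    found = {}
    name = acl = nat = None
    for raw in config_text.splitlines() + ["!"]:   # sentinel closes the last block
        if raw[:1] in (" ", "\t") and name:
            line = raw.strip()
            m = ACL_IN_RE.match(line)
            if m:
                acl = m.group(1)
            m = NAT_RE.match(line)
            if m:
                nat = m.group(1)
            continue
        # Any unindented line ends the current interface block.
        if name and acl and nat:
            found[name] = (acl, nat)
        name = acl = nat = None
        if raw.startswith("interface "):
            name = raw.split(None, 1)[1].strip()
    return found


def assess(config_text, release):
    """Combine both checks into (verdict, release_status, exposed)."""
    status = classify_release(release)
    exposed = exposed_interfaces(config_text)
    if not exposed or status in ("fixed", "unaffected"):
        verdict = "not affected"
    elif status == "vulnerable":
        verdict = "affected"
    else:
        verdict = "review"       # release needs a manual look at the fix table
    return verdict, status, exposed


if __name__ == "__main__":
    for rel in ("12.0(3)", "12.0(3b)", "12.0(1)XA3"):
        print(rel, assess(SAMPLE_CONFIG, rel))
```

A configuration that passes only because NAT was just removed or moved still needs the reload described under "Workarounds" before the result means anything.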
@HWA
14.0 Aptivas ship with added bonus, the CIH virus.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
IBM says some Aptivas hit by virus
By Joel Deane, ZDNN
April 6, 1999 11:49 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2237581,00.html
IBM said Tuesday that several thousand of its Aptiva PCs have been exposed to a computer virus.
IBM spokeswoman Stacy Pena said that some Aptiva PCs sold in the United States had been
exposed to the CIH virus during the manufacturing process due to human error.
Pena said the virus was introduced to the Aptivas through test diskettes. The virus wasn't detected
because "an individual" failed to update the anti-virus software on the server used to duplicate
software, she said.
"What happened was a glitch in the manufacturing process. We have very high quality control,"
Pena said. "What happened was human error."
The CIH virus, which is spread from one PC to another when an executable file is transferred, may render
an infected PC inoperable when the date on the PC's internal calendar reads April 26 of any year.
Affected computers
The company said that Aptiva PCs with model numbers 240, 301, 520 and 580 manufactured
between March 5 and March 17, 1999, and sold in the United States, may have been exposed to the
CIH computer virus. The affected computers have one of the following codes after "MFG DATE":
AM909, AM910 or AM911.
All potentially affected customers who have registered their Aptiva with IBM Owner Privileges, and
all others for whom IBM has a current, valid address, have already been contacted and will
automatically receive an IBM Antivirus Update CD, the company said.
Retailers have also been contacted to ensure that Aptivas in stores are free of the virus.
No other Aptiva models or IBM (NYSE:IBM) products are known to be affected.
For more information, IBM said Aptiva owners should call the IBM HelpCenter around-the-clock at
(800) 600-8235 or read IBM.com's update on Aptiva PCs and the CIH virus.
Reuters contributed to this report.
@HWA
15.0 Rocketmail vulnerability on inactive accounts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Via Project Gamma http://www.projectgamma.com/
Rocketmail security hole
April 12, 1999, 17:29
Author: WHiTe VaMPiRe
MAO Enterprises released a security advisory regarding Rocketmail's free Web e-mail services:
If you are aware of a login name of an account on Rocketmail which has been inactive for a while, it is possible to reactivate the account with
no proof that you were the original account holder. Simply supply a new password and you will have access to somebody else's "inactive"
account.
Why is this "dangerous"? It would be possible to impersonate the original account holder without the family and friends' knowledge.
Additionally, the original preferences of the account are preserved. This makes it extremely easy to retrieve personal data, address books,
and various other information stored by the original user.
Related links:
MAO Enter http://securityhole.8m.com/
@HWA
16.0 Yahoo "hack" faked?
~~~~~~~~~~~~~~~~~~~
Via Project Gamma http://www.projectgamma.com/
Yahoo "hack" faked?
Project Gamma reported on the Yahoo "hack" last month. We had several
submissions from different people, facts added up, it seemed legit, so
we went with it.
We heard from several people that it was fake but there was nothing
definite from either side, and the "hack" seemed feasible at the time.
Yahoo claims that the "hack" never occurred. Several of the larger "hacking"
groups claim that it was, in fact, faked.
We, Project Gamma, really have no idea definitely either way. We felt that
it would be appropriate for us to give the public what we know, and let them
decide for themselves.
Was Yahoo hacked? That is up for you to decide.
Yahoo hacked, original article.
http://www.projectgamma.com/news/archive/1999/march/031899-1251.html
Archive of the supposed defacement.
http://www.projectgamma.com/hacked/yahoo.com.html
Regards,
-WHiTe VaMPiRe\Rem-
17.0 'Sorcerer's Apprentice' bug in Outlook
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Net-Security http://www.net-security.org/
SORCERER'S APPRENTICE BUG IN OUTLOOK
by BHZ, Wednesday 14th Apr 1999 on 9:40 pm CET
New bug goes like this: if you have multiple e-mail accounts on the same POP3
server and one account is set to remove mail and the other is set to leave mail on
server, you will continue to get the same mail over and over again. Microsoft Outlook
Express Team spoke about the mistake like - "bug in Outlook Express 5.0 interferes
with Outlook Express' ability to determine which messages have previously been
downloaded, resulting in multiple copies of the same message being downloaded."
@HWA
18.0 Aussie password thief pleads guilty
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13/04/99 16:25
Net passwords thief pleads guilty
Roulla Yiacoumi
A man who used 37 Net account passwords to gain $50 worth of Internet
access has pleaded guilty in a Western Australian court.
Perth resident Christopher Thomas Daniels, 20, was fined $2,500 and
ordered to pay $500 to the ISP from which the passwords were stolen,
Vianet.
Last month, Daniels was charged with 37 counts of unlawfully operating a
computer system (see story). It was alleged that a juvenile supplied the
man with 350 Internet account passwords. The accounts were all with one
Western Australian ISP, Vianet. The juvenile, a first-time offender, has been
referred to the Juvenile Justice Team.
Detective senior constable Mike Wheeler from the WA fraud squad said
there had been an alarming increase in the number of young people
becoming involved in Net-based crime. "Most of these people are normally
law abiding, and have never been in trouble with the police in the past," he
said. "There is a misconception you won't get caught doing this sort of thing,
but if you are utilising telephone lines, we can always trace you back."
Wheeler said he had spoken to at least half-a-dozen other young people in
the past week about similar matters. It is hoped the fine imposed by the
magistrate will act as a deterrent to others.
"The message we want to get across is that this is not a fun thing -- it is very
serious, it is an offence, and there's a high chance you're going to get
caught," he warned.
This article is located at http://newswire.com.au/9904/guilty.htm
@HWA
19.0 Echelon is fishy says ACLU
~~~~~~~~~~~~~~~~~~~~~~~~~~
Via net-security http://www.net-security.org/
ECHELON IS FISHY ACCORDING TO ACLU
by BHZ, Monday 12th Apr 1999 on 10:00 pm CET
The American Civil Liberties Union (ACLU) reports that ECHELON, a global electronic
communications surveillance system, may be engaged in the illegal interception of
Americans' private communications. Inquiries by the European Parliament resulted in
reports detailing the existence of ECHELON, which is led by the NSA in conjunction
with its counterpart agencies in England, Canada, Australia and New Zealand.
According to the reports, ECHELON has communications receiving stations all over
the world and attempts to capture all satellite, microwave, cellular and fiber-optic
communications worldwide, including communications to and from North America.
Computers then sort through conversations, faxes and emails searching for
keywords. Communications that include keywords chosen by the intelligence
agencies are transcribed and forwarded for further investigation.
@HWA
20.0 Network-based intrusion detection systems are about to stop crying wolf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.internetwk.com/story/INW19990408S0009
Thursday, April 8, 1999, 4:33 PM ET.
Security Mandate: Silence False Alarms
By RUTRELL YASIN
Network-based intrusion detection systems are about to stop crying wolf.
Often, these systems deliver such a high number of false positives--which
classify an action as an intrusion when it may be legitimate--that
computer operators ignore intrusion alarms altogether. Several network
security vendors are responding with products that do a better job of
filtering out false alarms from actual attacks.
Network Associates Inc. (NAI) this week unveiled a real-time intrusion
detection system that correlates network- and host-based events to give IT
managers a comprehensive view of system activity. CyberCop Monitor is a
core component of NAI's new Active Security product line. Meanwhile, Axent
Technologies, Cisco and Internet Security Systems (ISS) plan to deliver
improved event correlation and filtering by year's end.
The improvements take intrusion detection to the next level, as more
companies use the high-tech burglar alarms to identify attacks from
outsiders as well as insiders.
IT managers looking for ways to reduce false-positive alarms cited the
need for better event correlation.
Robert Kondilas, a security manager at carrier Qwest Communications, which
uses ISS's RealSecure system, noted that a correlation engine lets IT
administrators manage more end points in the network with fewer people.
Alan Paller, director of The SANS Institute, a training and consulting
firm, said, The huge load of not-very-important alarms has caused a
complete shift in the way people do network-base