[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                       <=-[ HWA.hax0r.news ]-=>                         =
==========================================================================
              [=HWA'99=] Number 34 Volume 1 1999 Sept 19th 99
==========================================================================
                    [ 61:20:6B:69:64:20:63:6F:75: ]
                [ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
                [ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

  __ ___ _____ __ ___ / // / | /| / / _ | / / ___ __ __/ _ \____ ___ ___ _ _____ / _ /| |/ |/ / __ |_ / _ Y _ `| \ / // / __/ / _ Y -_) |/|/ (_-< /_//_/ |__/|__/_/ |_(_)_//_|_,_/_\_\\___/_/ (_)_//_|__/|__,__/___/

                    http://welcome.to/HWA.hax0r.news/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

The Hacker's Ethic

Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative. Among true
computer people, being called a hacker is a compliment. One of the traits
of the true hacker is a profoundly antibureaucratic and democratic spirit.
That spirit is best exemplified by the Hacker's Ethic.

This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:

   1 - Access to computers should be unlimited and total.
   2 - All information should be free.
   3 - Mistrust authority - promote decentralization.
   4 - Hackers should be judged by their hacking not bogus criteria such
       as degrees, age, race, or position.
   5 - You create art and beauty on a computer.
   6 - Computers can change your life for the better.

The Internet as a whole reflects this ethic.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

A Comment on FORMATTING:

I received an email recently about the formatting of this newsletter,
suggesting that it be formatted to 75 columns. In the past I've endeavoured
to format all text to 80 cols except for articles and site statements and
urls which are posted verbatim. I've decided to continue with this method
unless more people complain. The zine is best viewed in 1024x768 mode with
UEDIT.... - Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

New mirror sites

http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html.
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

* Crappy free sites but they offer 20M & I need the space...

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net and
www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth and
airportman for the Cubesoft bandwidth. Also shouts out to all our mirror
sites! tnx guys.

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html.  ** NEW **
http://www.alldas.de/hwaidx1.htm          ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.          *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (remember i'm doing this
for me, not you, the fact some people happen to get a kick/use out of it
is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info. It's a labour of
love and will be continued for as long as I feel like it. I'm not
motivated by dollars or the illusion of fame. Did you ever notice how the
most famous/infamous hackers are the ones that get caught? There's a lot
to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=

Welcome to HWA.hax0r.news ... #34

=-----------------------------------------------------------------------=

We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by
and idle a while and say hi...

*******************************************************************
***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
***                                                             ***
***  please join to discuss or impart news on techno/phac scene ***
***  stuff or just to hang out ... someone is usually around 24/7 ***
***                                                             ***
***  Note that the channel isn't there to entertain you its for ***
***  you to talk to us and impart news, if you're looking for fun ***
***  then do NOT join our channel try #weirdwigs or something... ***
***  we're not #chatzone or #hack                               ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=

Issue #34

=--------------------------------------------------------------------------=
                              [ INDEX ]
=--------------------------------------------------------------------------=
     Key     Intros
=--------------------------------------------------------------------------=

     00.0 .. COPYRIGHTS ......................................................
     00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
     00.2 .. SOURCES .........................................................
     00.3 .. THIS IS WHO WE ARE ..............................................
     00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
     00.5 .. THE HWA_FAQ V1.0 ................................................

=--------------------------------------------------------------------------=
     Key     Content
=--------------------------------------------------------------------------=

     01.0 .. GREETS ..........................................................
     01.1 .. Last minute stuff, rumours, newsbytes ...........................
     01.2 .. Mailbag .........................................................
     02.0 .. From the Editor..................................................
     03.0 .. Army to Use MacOS ...............................................
     04.0 .. Phrack Issue 55 Has Been Released ...............................
     05.0 .. E-Commerce Sites Still Vulnerable ...............................
     06.0 .. Fakescan.c by Vortexia...........................................
     07.0 .. MS get Independent Auditor for HotMail ..........................
     08.0 .. US Gov to Switch From NT to Open Source .........................
     09.0 .. Sept 15th CryptoGram.............................................
     10.0 .. Move over BO2k here's Donald Dick from Russia with love..........
     11.0 .. New HOTMAIL hole found...........................................
     12.0 .. Security Hole Found in Security Product .........................
     13.0 .. Globalstar and FBI Are Nearing Agreement ........................
     14.0 .. Matt Drudge Defaced .............................................
     15.0 .. South Africa Stats Site Defaced .................................
     16.0 .. India And Israel BackDooring US Software ........................
     17.0 .. The Russians Are Coming, The Russians Are Coming ................
     18.0 .. Biometrics Takes Frightening New Step "I am not a number!".......
     19.0 .. NASDAQ Defaced ..................................................
     20.0 .. WebTV Hole Divulges User Info ...................................
     21.0 .. Bookshelf: "Hacking Exposed" Available Soon .....................
     22.0 .. Major Tech Companies Announce Security Plans ....................
     23.0 .. NIST To Offer Security Awareness Workshops ......................
     24.0 .. Yet Another Firewall ............................................
     25.0 .. HNN Announces Partnership With Security Focus ...................
     26.0 .. The Search for ULG Begins........................................
     27.0 .. BO2K Discontinues US Distribution................................
     28.0 .. Taiwan Increases Cyber Warfare Training .........................
     29.0 .. White House Set to Relax Crypto Export Controls .................
     30.0 .. Crypto Compromise Reached .......................................
     31.0 .. Network Solutions Screws Up .....................................
     32.0 .. Feds Approve GPS Tracking .......................................
     33.0 .. Student Sentenced to Five Weeks .................................
     34.0 .. Stupid Mistakes Worse than Viruses ..............................
     35.0 .. "23".............................................................
     36.0 .. STEALTH SOFTWARE RANKLES PRIVACY ADVOCATES.......................
     37.0 .. SOPHOS: TOO MUCH VIRUS SCAREMONGERING............................
     38.0 .. CRYPTO BREAKER TELLS PROGRAMMERS TO WISE UP......................
     39.0 .. REPORT URGES TOUGH NET STALKING LAWS.............................
     40.0 .. CODEBREAKERS AND PHONE-SPIES TARGET CRIME ON THE INTERNET........
     41.0 .. LAW ENFORCEMENT MAY BENEFIT FROM NEW CRYPTO POLICY...............
     42.0 .. LIBELING AGAIN (ATTRITION vs ANTIONLINE).........................
     43.0 .. SECURITY A MANAGEMENT PROBLEM?...................................
     44.0 .. TROJAN IN FAKE MICROSOFT Y2K MAIL................................
     45.0 .. CERT ADVISORY CA-99-11-CDE.......................................
     46.0 .. HACKER PROFILER..................................................
     47.0 .. eDOCTOR GLOBAL NETWORK...........................................
     48.0 .. DEFAULT ISSUE 5 OUT..............................................
     49.0 .. ANOTHER WANNABE HACKER CAUGHT....................................
     50.0 .. TROJANS - MODERN THREAT..........................................
     51.0 .. IE5 BUG LEAVES COMPUTERS OPEN TO INVASION........................
     52.0 .. US OFFERS RUSSIA TO HELP TRASH ISLAMIC MILITANT SITES............
     53.0 .. RUSSIAN HACKERS REPORTEDLY ACCESSED US MILITARY SECRETS..........

=--------------------------------------------------------------------------=

     AD.S .. Post your site ads or etc here, if you can offer something in
             return thats tres cool, if not we'll consider ur ad anyways so
             send it in. ads for other zines are ok too btw just mention us
             in yours, please remember to include links and an email contact.
             Corporate ads will be considered also and if your company
             wishes to donate to or participate in the upcoming Canc0n99
             event send in your suggestions and ads now...n.b date and time
             may be pushed back join mailing list for up to date
             information......................................
             Current dates: POSTPONED til further notice, place: TBA..

     Ha.Ha .. Humour and puzzles ............................................

             Hey You!........................................................
             =------=........................................................

             Send in humour for this section! I need a laugh and its hard to
             find good stuff... ;)...........................................

     SITE.1 .. Featured site, ................................................
     H.W    .. Hacked Websites ...............................................
     A.0    .. APPENDICES.....................................................
     A.1    .. PHACVW linx and references.....................................

=--------------------------------------------------------------------------=

@HWA'99

00.0  (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF
      THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE
      RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND
      IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE
      FAQ).

      Important semi-legalese and license to redistribute:

      YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE
      GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS
      Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING.
      LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current
      link is http://welcome.to/HWA.hax0r.news
      IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
      NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME
      PRIVATELY current email cruciphux@dok.org

      THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS
      ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT
      AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

      I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
      REDISTRIBUTE/MIRROR. - EoD

      Although this file and all future issues are now copyright, some of
      the content holds its own copyright and these are printed and
      respected. News is news so i'll print any and all news but will quote
      sources when the source is known, if its good enough for CNN its good
      enough for me. And i'm doing it for free on my own time so pfffft. :)

      No monies are made or sought through the distribution of this
      material. If you have a problem or concern email me and we'll discuss
      it.

      cruciphux@dok.org

      Cruciphux [C*:.]

00.1  CONTACT INFORMATION AND MAIL DROP
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
      Canada / North America (hell even if you are inside ..) and wish to
      send printed matter like newspaper clippings a subscription to your
      cool foreign hacking zine or photos, small non-explosive packages or
      sensitive information etc etc well, now you can. (w00t) please no
      more inflatable sheep or plastic dog droppings, or fake vomit thanks.

      Send all goodies to:

      HWA NEWS
      P.O BOX 44118
      370 MAIN ST. NORTH
      BRAMPTON, ONTARIO
      CANADA
      L6V 4H5

      WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of
      ~~~~~~~
      you are reading this from some interesting places, make my day and
      get a mention in the zine, send in a postcard, I realize that some
      places it is cost prohibitive but if you have the time and money be a
      cool dude / gal and send a poor guy a postcard preferably one that has
      some scenery from your place of residence for my collection, I collect
      stamps too so you kill two birds with one stone by being cool and
      mailing in a postcard, return address not necessary, just a "hey guys
      being cool in Bahrain, take it easy" will do ... ;-) thanx.

      Ideas for interesting 'stuff' to send in apart from news:

      - Photo copies of old system manual front pages (optionally signed by
        you) ;-)
      - Photos of yourself, your mom, sister, dog and or cat in a NON
        compromising position plz I don't want pr0n.
      - Picture postcards
      - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
        tapes with hack/security related archives, logs, irc logs etc on em.
      - audio or video cassettes of yourself/others etc of interesting phone
        fun or social engineering examples or transcripts thereof.
      Stuff you can email:

      - Prank phone calls in .ram or .mp* format
      - Fone tones and security announcements from PBX's etc
      - fun shit you sampled off yer scanner (relevant stuff only like #2600
        meeting activities)
      - reserved for one smiley face -> :-) <-
      - PHACV lists of files that you have or phac cd's you own (we have a
        burner, *g*)
      - burns of phac cds (email first to make sure we don't already have em)
      - Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc
        in .ram etc format or .mp*

      If you still can't think of anything you're probably not that
      interesting a person after all so don't worry about it

      Our current email:

      Submissions/zine gossip.....: hwa@press.usmc.net
      Private email to editor.....: cruciphux@dok.org
      Distribution/Website........: sas72@usa.net

      Websites;

      sAs72.......................: http://members.tripod.com/~sAs72/
      Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/

      @HWA

00.2  Sources ***
      ~~~~~~~~~~~

      Sources can be some, all, or none of the following (by no means
      complete nor listed in any degree of importance) Unless otherwise
      noted, like msgs from lists or news from other sites, articles and
      information is compiled and or sourced by Cruciphux no copyright
      claimed.

      News & I/O zine ..................http://www.antionline.com/
      Back Orifice/cDc..................http://www.cultdeadcow.com/
      News site (HNN) ..................http://www.hackernews.com/
      Help Net Security.................http://net-security.org/
      News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
      NewsTrolls .(daily news ).........http://www.newstrolls.com/
      News + Exploit archive ...........http://www.rootshell.com/beta/news.html
      CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
      News site+........................http://www.zdnet.com/
      News site+Security................http://www.gammaforce.org/
      News site+Security................http://www.projectgamma.com/
      News site+Security................http://securityhole.8m.com/
      News site+Security related site...http://www.403-security.org/ *DOWN*
      News/Humour site+ ................http://www.innerpulse.com
      News/Techie news site.............http://www.slashdot.org

      +Various mailing lists and some newsgroups, such as ...
      +other sites available on the HNN affiliates page, please see
       http://www.hackernews.com/affiliates.html as they seem to be popping
       up rather frequently ...

      http://www.the-project.org/ .. IRC list/admin archives
      http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

      alt.hackers.malicious
      alt.hackers
      alt.2600
      BUGTRAQ
      ISN security mailing list
      ntbugtraq
      <+others>

      NEWS Agencies, News search engines etc:
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      http://www.cnn.com/SEARCH/
      http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
      http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
      http://www.ottawacitizen.com/business/
      http://search.yahoo.com.sg/search/news_sg?p=hack
      http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
      http://www.zdnet.com/zdtv/cybercrime/
      http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

      NOTE: See appendices for details on other links.
      http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
      http://freespeech.org/eua/   Electronic Underground Affiliation
      http://ech0.cjb.net          ech0 Security
      http://axon.jccc.net/hir/    Hackers Information Report
      http://net-security.org      Net Security
      http://www.403-security.org  Daily news and security related site

      Submissions/Hints/Tips/Etc
      ~~~~~~~~~~~~~~~~~~~~~~~~~~

      All submissions that are `published' are printed with the credits you
      provide, if no response is received by a week or two it is assumed
      that you don't care whether the article/email is to be used in an
      issue or not and may be used at my discretion.

      Looking for:

      Good news sites that are not already listed here OR on the HNN
      affiliates page at http://www.hackernews.com/affiliates.html

      Magazines (complete or just the articles) of breaking sekurity or
      hacker activity in your region, this includes telephone phraud and any
      other technological use, abuse hole or cool thingy. ;-) cut em out and
      send it to the drop box.

      - Ed

      Mailing List Subscription Info (Far from complete) Feb 1999
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

      ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

      THE MOST READ:

      BUGTRAQ - Subscription info
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~

      What is Bugtraq?

      Bugtraq is a full-disclosure UNIX security mailing list, (see the info
      file) started by Scott Chasin. To subscribe to bugtraq, send mail to
      listserv@netspace.org containing the message body subscribe bugtraq.
      I've been archiving this list on the web since late 1993. It is
      searchable with glimpse and archived on-the-fly with hypermail.

      Searchable Hypermail Index;

      http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

      About the Bugtraq mailing list
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      The following comes from Bugtraq's info file:

      This list is for *detailed* discussion of UNIX security holes: what
      they are, how to exploit, and what to do to fix them.
      This list is not intended to be about cracking systems or exploiting
      their vulnerabilities. It is about defining, recognizing, and
      preventing use of security holes and risks.

      Please refrain from posting one-line messages or messages that do not
      contain any substance that can relate to this list's charter.

      I will allow certain informational posts regarding updates to security
      tools, documents, etc. But I will not tolerate any unnecessary or
      nonessential "noise" on this list.

      Please follow the below guidelines on what kind of information should
      be posted to the Bugtraq list:

      + Information on Unix related security holes/backdoors (past and
        present)
      + Exploit programs, scripts or detailed processes about the above
      + Patches, workarounds, fixes
      + Announcements, advisories or warnings
      + Ideas, future plans or current works dealing with Unix security
      + Information material regarding vendor contacts and procedures
      + Individual experiences in dealing with above vendors or security
        organizations
      + Incident advisories or informational reporting

      Any non-essential replies should not be directed to the list but to
      the originator of the message. Please do not "CC" the bugtraq
      reflector address if the response does not meet the above criteria.

      Remember: YOYOW. You own your own words. This means that you are
      responsible for the words that you post on this list and that
      reproduction of those words without your permission in any medium
      outside the distribution of this list may be challenged by you, the
      author.

      For questions or comments, please mail me:
      chasin@crimelab.com (Scott Chasin)

      Crypto-Gram
      ~~~~~~~~~~~

      CRYPTO-GRAM is a free monthly newsletter providing summaries,
      analyses, insights, and commentaries on cryptography and computer
      security. To subscribe, visit
      http://www.counterpane.com/crypto-gram.html or send a blank message to
      crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit
      http://www.counterpane.com/unsubform.html.
      Back issues are available on http://www.counterpane.com.

      CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
      Counterpane Systems, the author of "Applied Cryptography," and an
      inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on
      the board of the International Association for Cryptologic Research,
      EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

      CUD Computer Underground Digest
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      This info directly from their latest ish:

      Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                                  ISSN  1004-042X

        Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
        News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
        Archivist: Brendan Kehoe
        Poof Reader:   Etaion Shrdlu, Jr.
        Shadow-Archivists: Dan Carosone / Paul Southworth
                           Ralph Sims / Jyrki Kuoppala
                           Ian Dickinson
        Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

      [ISN] Security list
      ~~~~~~~~~~~~~~~~~~~

      This is a low volume list with lots of informative articles, if I had
      my way i'd reproduce them ALL here, well almost all .... ;-) - Ed

      Subscribe: mail majordomo@repsec.com with "subscribe isn".

      @HWA

00.3  THIS IS WHO WE ARE
      ~~~~~~~~~~~~~~~~~~

      Some HWA members and Legacy staff
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      cruciphux@dok.org.........: currently active/editorial
      darkshadez@ThePentagon.com: currently active/man in black
      fprophet@dok.org..........: currently active/IRC+ man in black
      sas72@usa.net ............: currently active/IRC+ distribution
      vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
      dicentra...(email withheld): IRC+ grrl in black
      eentity ...(  ''   ''    ): Currently active/IRC+ man in black

      Foreign Correspondents/affiliate members
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      Qubik ............................: United Kingdom
      D----Y ...........................: USA/world media
      HWA members ......................: World Media

      Past Foreign Correspondents (currently inactive or presumed dead)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      N0Portz ..........................: Australia
      system error .....................: Indonesia
      Wile (wile coyote) ...............: Japan/the East
      Ruffneck .........................: Netherlands/Holland
      Wyze1.............................: South Africa

      Please send in your sites for inclusion here if you haven't already
      also if you want your emails listed send me a note ... - Ed

      Spikeman's site is down as of this writing, if it comes back online it
      will be posted here.

      http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

      *******************************************************************
      ***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
      *******************************************************************

      :-p

      1. We do NOT work for the government in any shape or form. Unless you
         count paying taxes ... in which case we work for the gov't in a BIG
         WAY. :-/

      2. MOSTLY Unchanged since issue #1, although issues are a digest of
         recent news events its a good idea to check out issue #1 at least
         and possibly also the Xmas issue for a good feel of what we're all
         about otherwise enjoy - Ed ...

      @HWA

00.4  Whats in a name? why HWA.hax0r.news??
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      Well what does HWA stand for? never mind if you ever find out I may
      have to get those hax0rs from 'Hackers' or the Pretorians after you.
      In case you couldn't figure it out hax0r is "new skewl" and although
      it is laughed at, shunned, or even pigeon holed with those 'dumb leet
      (l33t?) dewds' this is the state of affairs. It ain't Steven Levy's
      HACKERS anymore. BTW to all you up and comers, i'd highly recommend
      you get that book. Its almost like buying a clue. Anyway..on with the
      show ..

      - Editorial staff

      @HWA

00.5  HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      Also released in issue #3. (revised) check that issue for the faq it
      won't be reprinted unless changed in a big way with the exception of
      the following excerpt from the FAQ, included to assist first time
      readers:

      Some of the stuff related to personal usage and use in this zine are
      listed below: Some are very useful, others attempt to deny any
      possible attempts at eschewing obfuscation by obscuring their actual
      definitions.

      @HWA     - see EoA ;-)

      !=       - Mathematical notation "is not equal to" or "does not equal"
                 ASC(247) "wavey equals" sign means "almost equal" to. If
                 written as =/= (equals sign with a slash thru it) also
                 means !=, =< is Equal to or less than and => is equal to
                 or greater than (etc, this aint fucking grade school,
                 cripes, don't believe I just typed all that..)

      AAM      - Ask a minor (someone under age of adulthood, usually <16,
                 <18 or <21)

      AOL      - A great deal of people that got ripped off for net access
                 by a huge clueless isp with sekurity that you can drive
                 buses through, we're not talking Kung-Fu being none too
                 good here, Buy-A-Kloo maybe at the least they could try
                 leasing one??

      *CC      - 1 - Credit Card (as in phraud)
                 2 - .cc is COCOS (Keeling) ISLANDS but they probably
                     accept cc's

      CCC      - Chaos Computer Club (Germany)

      *CON     - Conference, a place hackers crackers and hax0rs among
                 others go to swap ideas, get drunk, swap new mad inphoz,
                 get drunk, swap gear, get drunk watch videos and seminars,
                 get drunk, listen to speakers, and last but not least, get
                 drunk.
      *CRACKER - 1 . Someone who cracks games, encryption or codes, in
                     popular hacker speak he's the guy that breaks into
                     systems and is often (but by no means always) a
                     "script kiddie" see pheer
                 2 . An edible biscuit usually crappy tasting without a
                     nice dip, I like jalapeno pepper dip or chives sour
                     cream and onion, yum - Ed

      Ebonics  - speaking like a rastafarian or hip dude of colour also
                 wigger Vanilla Ice is a wigger, The Beastie Boys and
                 rappers speak using ebonics, speaking in a dark tongue ...
                 being ereet, see pheer

      EoC      - End of Commentary

      EoA      - End of Article or more commonly @HWA

      EoF      - End of file

      EoD      - End of diatribe (AOL'ers: look it up)

      FUD      - Coined by Unknown and made famous by HNN - "Fear
                 uncertainty and doubt", usually in general media articles
                 not high brow articles such as ours or other HNN
                 affiliates ;)

      du0d     - a small furry animal that scurries over keyboards causing
                 people to type weird crap on irc, hence when someone says
                 something stupid or off topic 'du0d wtf are you talkin
                 about' may be used.

      *HACKER  - Read Steven Levy's HACKERS for the true definition, then
                 see HAX0R

      *HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker,
                     this is difficult to define, I think it is best
                     defined as pop culture's view on The Hacker ala movies
                     such as well erhm "Hackers" and The Net etc... usually
                     used by "real" hackers or crackers in a derogatory or
                     slang humorous way, like 'hax0r me some coffee?' or
                     'can you hax0r some bread on the way to the table
                     please?'
                 2 - A tool for cutting sheet metal.

      HHN      - Maybe a bit confusing with HNN but we did spring to life
                 around the same time too, HWA Hax0r News.... HHN is a part
                 of HNN .. and HNN as a proper noun means the hackernews
                 site proper. k? k.
      HNN      - Hacker News Network and its affiliates
                 http://www.hackernews.com/affiliates.html

      J00      - "you" (as in j00 are OWN3D du0d) - see 0wn3d

      MFI/MOI  - Missing on/from IRC

      NFC      - Depends on context: No Further Comment or No Fucking
                 Comment

      NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

      NFW      - No fuckin'way

      *0WN3D   - You are cracked and owned by an elite entity see pheer

      *OFCS    - Oh for christ's sakes

      PHACV    - And variations of same Phreaking, Hacking, Anarchy,
                 Cracking, Carding (CC) Groups Virus, Warfare

                 Alternates: H  - hacking, hacktivist
                             C  - Cracking
                             V  - Virus
                             W  - Warfare
                             A  - Anarchy (explosives etc, Jolly Roger's
                                  Cookbook etc)
                             P  - Phreaking, "telephone hacking" PHone
                                  fREAKs ...
                             CT - Cyber Terrorism

      *PHEER   - This is what you do when an ereet or elite person is in
                 your presence see 0wn3d

      *RTFM    - Read the fucking manual - not always applicable since some
                 manuals are pure shit but if the answer you seek is indeed
                 in the manual then you should have RTFM you dumb ass.

      TBC      - To Be Continued also 2bc (usually followed by ellipses...)
                 :^0

      TBA      - To Be Arranged/To Be Announced also 2ba

      TFS      - Tough fucking shit.

      *w00t    - 1 - Reserved for the uber ereet, noone can say this without
                     severe repercussions from the underground masses. also
                     "w00ten"
                 2 - Cruciphux and sAs72's second favourite word (they're
                     both shit stirrers)

      *wtf     - what the fuck, where the fuck, when the fuck etc ..

      *ZEN     - The state you reach when you *think* you know everything
                 (but really don't) usually shortly after reaching the ZEN
                 like state something will break that you just 'fixed' or
                 tweaked.

      @HWA

-=-    :.    .:    -=-

01.0  Greets!?!?! yeah greets! w0w huh. - Ed
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      Thanks to all in the community for their support and interest but i'd
      like to see more reader input, help me out here, whats good, what
      sucks etc, not that I guarantee i'll take any notice mind you, but
      send in your thoughts anyway.
* all the people who sent in cool emails and support

FProphet        Pyra            TwstdPair       _NeM_
D----Y          Dicentra        vexxation       sAs72
Spikeman        p0lix           Vortexia        Wyze1
Pneuma

Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick

kewl sites:

+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/ ******* DOWN (THANKS JP) ******
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always
popular..."
                                              - FProphet '99

+++ When was the last time you backed up your important data?

++ UNMASKING CHAT ROOM IMPOSTORS (TECH. 3:00 am)
   http://www.wired.com/news/news/email/explode-infobeat/technology/story/21754.html
   Ever wonder who you're really chatting with online? A new game based
   on the Turing test may tell whether she is really a he, and vice
   versa. By Kristen Philipkoski.

++ CISCO PAYS $65 MILLION FOR COCOM (BUS. 8:30 am)
   http://www.wired.com/news/news/email/explode-infobeat/business/story/21760.html
   The computer networking company buys Copenhagen's Cocom to expand its
   delivery of broadband access products.

++ SCREAMS OF DELIGHT AT VISIO (BUS. 8:30 am)
   http://www.wired.com/news/news/email/explode-infobeat/business/story/21761.html
   The technical drawing software company joins the Redmond empire in a
   US$1.3 billion stock deal.

++ MOTOROLA BUYS INTO BROADBAND (BUS. 7:35 am)
   http://www.wired.com/news/news/email/explode-infobeat/business/story/21759.html
   The cell phone and pager company agrees to spend US$11 billion in
   stock for set-top box supplier General Instrument.

   Also: FCC walks a fine line with new orders.... Seagate to trim 8,000
   jobs.... American Airlines finds few New Year's passengers.... And
   more.

++ SPRECHEN SIE INTERNET DEUTSCH? (CULT. 3:00 am)
   http://www.wired.com/news/news/email/explode-infobeat/culture/story/21752.html
   As Germans clamor for Net access and tools like email, they leave
   their language behind them. German isn't what it used to be. By
   Carter Dougherty.

++ IS PALM LOSING ITS GRIP? (TECH. Tuesday)
   http://www.wired.com/news/news/email/explode-infobeat/technology/story/21751.html
   Handspring licenses the Palm OS for its handheld, then releases a
   more flexible organizer. Is the Palm dynasty on shaky ground? By
   Leander Kahney.

++ SPARKING THE PLUG-AND-PLAY CAR (TECH. Tuesday)
   http://www.wired.com/news/news/email/explode-infobeat/technology/story/21745.html
   Motorola develops a streamlined socket system for plugging info
   gadgets into autos. Adding wireless news, entertainment, and ads
   could get much simpler. By Craig Bicknell.

++ DEMOS TO PREZ: 'USE SAFE TEXT' (POL. Tuesday)
   http://www.wired.com/news/news/email/explode-infobeat/politics/story/21744.html
   House Democrats want Bill Clinton to help them overturn his
   administration's own long-term policy restricting the export of
   strong encryption products.

++ OPEN ACCESS FIGHT RAGES ON (POL. Tuesday)
   http://www.wired.com/news/news/email/explode-infobeat/politics/story/21748.html
   An ISP industry group tells a federal court that local governments
   should decide who gets access to cable networks.

Thanks to myself for providing the info from my wired news feed and
others from whatever sources, also to Spikeman for sending in past
entries....
- Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(No mail worthy of posting here this issue,)

Yeah we have a message board, feel free to use it, remember there are no
stupid questions... well there are but if you ask something really dumb
we'll just laugh at ya, lets give the message board a bit more use eh?
i'll be using a real message board when the hwa-iwa.org domain comes
back online (soon) meanwhile the beseen board is still up...

==============================================================================

02.0 From the editor.
~~~~~~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf ("Read commented source!\n\n");

    /* This issue is a little late, sorry 'bout that but I got a new toy
     * and have been spending time setting it up and playing with it, its
     * a PII 400 with Voodoo III 3000 and a Diamond Monster sound 3d card
     * with a 19" monitor and 10 gig hd plus a DVD drive and HP 8100 CDRW
     * all that connects to a soho 5 port CAT5 hub which goes out to the
     * cablemodem, my other system will be delegated to FreeBSD and the
     * Linux box remains untouched. FreeBSD will be bestowed with a 13G
     * HD and I am probably going to bring Linux 'up front' as a proxy
     * and shell server at some point... so yay me
     *
     * This issue has a couple of articles contributed by wyzewun of FK
     * (Forbidden Knowledge) a .ZA zine that sheds some light on the hack
     * / security scene in South Africa so read on and enjoy the issue...
     *
     * Cruciphux
     */

    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main
address: hwa@press.usmc.net complaints and all nastygrams and mai*lbombs
can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private
mail to cruciphux@dok.org

danke.

C*:.

03.0 Army to Use MacOS
~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by McIntyre

The US Army has migrated its web server duties off WindowsNT and onto
MacOS.
The site administrator has said that according to the World Wide Web
Consortium (W3C) MacOS is more secure and does not allow remote logins.
(The reason army.mil was recently defaced was due to an application
hole, not an OS problem and nothing against the W3C but when did they
become security experts?)

Army Link News
http://www.dtic.mil/armylink/news/Sep1999/a19990901hacker.html

CMP Tech Web
http://www.techweb.com/wire/story/TWB19990910S0017

US Army
http://www.army.mil

Army Link News;

Web page hacker arrested, government sites becoming more secure

by Sgt. 1st Class Connie E. Dickey

WASHINGTON (Army News Service, Sept. 1, 1999) - Working from information
provided by the U.S. Army's Criminal Investigation Command, FBI agents
arrested a 19-year-old Wisconsin man Aug. 30 for malicious altering of a
U.S. Army Web page.

The agents identified the Green Bay man as the co-founder of a hacker
organization known as "Global Hell." The arrest capped a two-month
investigation led by Army CID agents, after an unidentified intruder
gained illegal access to the Army Home Page June 28 and modified its
contents. The intruder also gained access to an unclassified Army network
and removed and modified computer files to prevent detection.

Since the case is still ongoing, Christopher Unger, web site
administrator for the Army Home Page, didn't want to talk about specifics
of what the hacker did to the web page or what the Army is doing to
protect its sites from future hackers. However, he said the Army has
moved its web sites to a more secure platform. The Army had been using
Windows NT and is currently using Mac OS servers running WebSTAR web
server software for its home page web site.

Unger said the reason for choosing this particular server and software
is that according to the World Wide Web Consortium, it is more secure
than its counterparts. According to the Consortium's published reports on
its findings, Macintosh does not have a command shell, and because it
does not allow remote logins, it is more secure than other platforms. The
report also said the Consortium has found no specific security problems
in either the software or the server.

The Consortium is a worldwide group of representatives from more than
350 organizations that provide the infrastructure for a global
interoperable World Wide Web. Membership is open to any organization.

"Government networks are inviting to hackers because of their high
profile," Unger said. However, the Department of Defense is laying the
groundwork now for more secure Internet sites that will prevent
unauthorized access to information, he said.

(Editor's note: Some information was provided by the U.S. Army Criminal
Investigation Command.)

@HWA

04.0 Phrack Issue 55 Has Been Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Modify

Phrack, the oldest continuously published underground e-zine, has
released issue 55. This is the first issue in over eight months. It has
all the usual goodies from Loopback and LineNoise to Phrack World News.

Phrack 55 - HTML version
http://www.attrition.org/~modify/texts/phrack/latest.htm

Phrack.com
http://www.phrack.com

@HWA

05.0 E-Commerce Sites Still Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by netmask

News on the various vulnerabilities with numerous shopping cart software
was first announced over four months ago. MindSec security has found that
most web sites are still vulnerable to these holes leaving personal
information including credit card numbers at risk. Hopefully these
problems will be corrected soon.

MindSec Security
http://www.mindsec.com/webcart/

E-Commerce..
Shouldn't Security Be Involved?

By: Erik Parker

E-Commerce is something that isn't getting any smaller. Hundreds of sites
are popping up every day that are using E-Commerce. People are spending
millions of dollars over the web, via secure servers, and online shopping
applications. We have found that some of those shopping applications,
commonly referred to as "Shopping Carts", may be a major downfall to the
security of your credit cards and personal information being secure.
Just because you are transferring your Credit Card number over a secure
connection, just exactly who is it, that is going to guarantee that it
is safe once it reaches its destination server?

Over 6 Months ago, Joe H. had made a report to Bugtraq
(www.securityfocus.com) that many sites were insecure. Bugtraq is the
most widely used, and a highly respected mailing list where the best
security administrators in the world discuss possible security problems,
and verified vulnerabilities. Dozens of Brands, and Hundreds of sites
were vulnerable to people reading your credit card numbers, what you
ordered, your home telephone number, and all the personal information
you entered. Some of these carts even unknowingly let anyone who knows
where the configuration program is, point their web browser to it, and
change the site, the prices, the tax, and even make their own orders at
whatever price they want.

After 6 months some of these sites still remain vulnerable. It is almost
as if the manufacturers didn't notify their customers of the problem.
Many of the customers either were never informed, or just didn't take
the time to pursue fixing their sites. Perhaps people hoped the problem
would go away or be forgotten.

In Joe's first post to Bugtraq, he noted that c|net would be running an
article on E-Commerce Security. He did not disclose who the manufacturers
of these products were. However, when he got dozens of E-mails with
people asking him who they were, he went ahead and posted a second post,
which lists several companies that were vulnerable. Then other people
started looking into these, and Bo Elkjaer posted a followup listing
another company, Mountain Network Systems. Joe then checked out their
products and in his follow up post he determined it was also vulnerable.

Mind Security has taken interest in the shopping cart problems, to make
E-Commerce a little safer, and a bit more trusted, as a good majority of
people are still hesitant to shop online. E-Commerce is a great way of
shopping and purchasing things over the web. With E-Commerce you do not
have to be bothered by a sales man or be pressured, and yet you can still
find all the information on products that you want without the help of a
salesman who just wants to get his commission.

The other reason we took interest, is because we were asked to
investigate a recent hack by a group called HiP (Hackers In Paradise),
who had hit a Web site that sells Adult Items. The web site owner had
requested for us to look into it, and advise them on what they should do.
After investigating and obtaining the logs we determined that the hackers
never gained access to the machine, under the Administrator account.
There were hundreds of web sites hosted on that machine, and several that
were more high profile. Also looking at their track record, many of these
sites they had taken credit for ran WebCart(R), or other shopping cart
like programs. There was no FTP involved, and no shell access granted
that we could determine. We can't say with 100% certainty that it was
done via the webcart(R). It does have an html update utility, and has
such a bad track record, we had to strongly consider this as being the
point of entry for the hackers. The product also doesn't log any of its
usage. People can upload, update, and if they aren't logged via the web
server, then they were never logged.
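The failure Parker describes is a layout failure before it is a software bug: order records and the cart's update/config program are written under the web root, so anyone who knows or guesses the path fetches them, and the only thing standing in the way is an Apache .htaccess the installer may never have written. The audit below is an added example by the editor, not Mind Security's or any cart vendor's code. It walks a document root, flags files whose names or contents look like order data or cart configuration, and reports those not covered by a restricting .htaccess at or above them. The file names it uses (cgi-bin/cart/orders/, admin.cgi and so on) are hypothetical placeholders, since this page does not give the real products' paths, and the card number in the constructed sample is a test value.

```python
"""Find order data and cart admin/config files reachable under a web root
without authentication.  Added example; paths below are hypothetical and
the sample tree is constructed, not taken from any real site."""
import os
import re
import tempfile

# Names that suggest order data or the cart's configuration/admin program.
SENSITIVE_NAME = re.compile(r"order|cfg|conf|admin|passw", re.I)
# 13-16 digits, optionally separated by spaces or dashes: card-number-like.
CARD_LIKE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# .htaccess directives that make Apache deny or authenticate before serving.
RESTRICTS = re.compile(r"require\s+(?:valid-user|user|group|all\s+denied)"
                       r"|deny\s+from\s+all")


def protected_dirs(docroot):
    """Map every directory under docroot to True if an .htaccess in it, or in
    a parent between docroot and it, restricts access.  Apache merges
    .htaccess files from docroot downwards, so a parent's rule covers its
    children (overrides in a child are not modelled here)."""
    docroot = os.path.normpath(docroot)
    protected = {}
    for dirpath, _dirs, files in os.walk(docroot):      # top-down: parents first
        inherited = (protected.get(os.path.dirname(dirpath), False)
                     if dirpath != docroot else False)
        own = False
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess")) as fh:
                own = bool(RESTRICTS.search(fh.read().lower()))
        protected[dirpath] = inherited or own
    return protected


def find_exposed(docroot):
    """Return sorted (relative path, reasons) for files that look like order
    data or cart configuration and sit in an unprotected directory."""
    docroot = os.path.normpath(docroot)
    protected = protected_dirs(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name == ".htaccess":
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if SENSITIVE_NAME.search(name) or SENSITIVE_NAME.search(os.path.basename(dirpath)):
                reasons.append("sensitive name")
            with open(path, errors="ignore") as fh:
                if CARD_LIKE.search(fh.read(65536)):
                    reasons.append("card-number-like data")
            if reasons and not protected[dirpath]:
                findings.append((os.path.relpath(path, docroot), ", ".join(reasons)))
    return sorted(findings)


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_demo(root):
    """Constructed web root (hypothetical names, test card number): an exposed
    orders directory and admin program, plus a restricted copy for contrast."""
    _write(root, "index.html", "<h1>shop</h1>\n")
    _write(root, "cgi-bin/cart/admin.cgi", "#!/usr/bin/perl\n# edits prices, tax, orders\n")
    _write(root, "cgi-bin/cart/orders/0001.txt", "J. Doe\n4111 1111 1111 1111\n555-0100\n")
    _write(root, "private/.htaccess",
           "AuthType Basic\nAuthUserFile /etc/httpd/htpasswd\nRequire valid-user\n")
    _write(root, "private/orders/0001.txt", "J. Doe\n4111 1111 1111 1111\n")


def demo():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo(root)
        return find_exposed(root)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"EXPOSED {rel}: {why}")
```

Run against a real document root with `find_exposed("/var/www/htdocs")`; the point of the contrasting `private/` tree is that the same order file stops being a finding once a `Require valid-user` sits above it, which is exactly the dependency on administrator discipline that Parker objects to. Moving order storage outside the document root removes the finding without any .htaccess at all.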
When we went to yahoo.com and put "webcart AND mountain" in the search
engine, we came up with dozens of matches. We did a quick investigation
and found more than 70% were vulnerable. We read an E-mail earlier from
someone at Mountain-Net, which claims that if the user properly
configures their web servers and read the install file, this wouldn't be
a problem. I beg to differ, a good product ships with its own built-in
security measures, and does not rely on other programs being setup, like
Apache's htaccess feature, which lets you grant and refuse access by
username and password and even by hostname if you wish.

Mind Security made a follow up post to Bugtraq on September 9th,
concerning this, and the fact that no one had fixed it, and it was just
kind of forgotten about. The post named off a couple of sample
vulnerable sites, as well as the correct paths to check for these
problems.

If you would like to check your site for this vulnerability, we worked
with Renaud Deraison who runs The Nessus Project. The "Nessus" Project
aims to provide to the internet community a free, powerful, up-to-date
and easy to use remote security scanner. They have included a way to
search for these vulnerabilities within their scanner. If you download
their most current version from their CVS repository, you will be able
to scan your site for it with that. If you can not get it from their
repository, it will be included in their nessus-0.98.2 release.

Thanks go to:

Brian Martin
Benjamin DeLong, Research Lead, ZOT Group
L0pht Heavy Industries
The Attrition.org Staff
The Nessus Project

@HWA

06.0 Fakescan.c by Vortexia
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Read the comments in the source, it's self explanatory. Vort tells me he
initiated quite a stir in .za with this program with half the country
thinking they were being scanned by the other half etc... fun. anyways
check it out... and shouts to Forbidden Knowledge, Vort and Wyze1

-=-

[09:54] Cruciphux did I give you fakescan.c?
[09:54] no
[09:55] this one is evil :)
[09:55] me to me to
[09:55] ok
[09:55] it really caused some ppl in the industry to go loco
[09:55] hehe
[09:56] cause suddenly half the world was scanning half the world
[09:56] you been causing shit again?
[09:56] hahaha
[09:56] Cruciphux :) read what it does
[09:56] ok
[09:56] its a braindead port scan spoofer that looks exactly like an nmap scan but is far easier to use to do mass scans and requires no brains to use :)
[09:57] vort: u giving him the ver with the fixed tcp/ip sequencing
[09:58] ?
[09:58] damnit, now he's making a phonecall ;)
[09:58] wyze1 its got almost perfect seq'ing
[09:58] hehe
[09:58] no greets to HWA yet huh?
[09:58] :-/
[09:58] its large enough to be realistic
[09:58] *g*
[09:58] Cruciphux ack I forgot
[09:58] add em in there yourself :)
[09:58] hahaha
[09:58] nah
[09:59] i'm not THAT lame
[09:59] hehehe
[09:59] there is pr0ps to HWA in the new FK

No we're not THAT lame but just lame enough to include the irc log of me
acquiring this copy of fakescan ;-) ,,, enjoy

-=-

/*
 * Fakescan.c (c) 1999 Vortexia / Andrew Alston andrew@idle.za.org
 *
 * Ok... more crap code from me... thats yes... entirely useless other than as a
 * proof of case. I wrote this quickly while trying to prove the case that
 * logging portscans that are syn/fin based is entirely useless.
 *
 * What the code does: It reads in a list of hosts to spoof from a spoof host
 * file, and sends fake fin or syn scans to a list of hosts found in the victims
 * file. Sorry there is no dns resolve on hosts in those files, it was a
 * quick job while I was bored and I found better things to do while coding
 * it so I didnt get around to adding it.
 *
 * The code is once again written for BSD and compiles with no warnings under
 * fbsd 3.2 - I hate linux - Dont expect a linux port from me, someone else -
 * feel free to make one
 *
 * If you wanna use my code, as always, feel free but I expect credit where
 * credit is due, I.E you use my code, you put my name in your code.
 *
 * Greets and Shoutouts..
 *
 * Mithrandi - Thanks for your help
 * Ultima - For everything you've helped me with in the past
 * Van - What can I say, HI
 * TimeWiz - Thanks for help in times past, and for ideas for upcoming projects
 * Sniper - My partner in crime - You have and always will rock
 * Opium - HI
 * Hotmetal - A general greet
 * DrSmoke - HI
 * jus - My social engineering partner - lets continue to mindfuck together
 * OPCODE - Thanks for the help - you rock
 * gr1p and all the people at b4b0 - Keep rocking guys
 * To all the people at Forbidden Knowledge - Good going - Keep it up
 * To everyone else on all the networks and channels I hang on, a general
 * greet and thanks - I couldn't keep doing what I do without you guys.
 *
 * Fuckoffs, Curses and the likes:
 *
 * To Sunflower - If you cant handle an insult in a piece of code - and think
 * that's worth an akill - GROW UP AND GO FUCK YOURSELF
 * To Gaspode - May you die a slow and painful death, and may the fleas of
 * 10000 camels infest your armpits
 * To the person who said coding stuff like this was for script kiddies -
 * GET A CLUE you know who you are
 * To anyone else I dont like - FUCK YOU
 * To anyone else who doesnt like me - FUCK YOU
 *
 * [Editor's notes on this copy: the header names were lost in transit and
 * have been restored from what the code uses; th_off was 0x50, which a 4-bit
 * bitfield truncates to 0, so it is now 5; srand() was reseeded with the same
 * pid inside the loop, which made every sequence increment identical, so it
 * is seeded once; the TCP checksum, left at 0 in the original, is now
 * computed so the target stack does not silently drop the segments; the
 * sendto() address is the victim rather than the spoofed source, which
 * FreeBSD ignored under IP_HDRINCL but Linux routes by.  Behaviour is
 * otherwise unchanged: this is still a SYN/FIN scan spoofer.]
 */

#define __FAVOR_BSD
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>

struct viclist {
	struct in_addr victim;
	struct viclist *link;
};

struct slist {
	struct in_addr spoof;
	struct slist *link;
};

/* TCP checksum over the pseudo-header and the TCP header (no payload).
 * Ones-complement sum of 16-bit words, folded, inverted. */
static unsigned short
tcp_cksum(struct ip *iph, struct tcphdr *tcph, int tcplen)
{
	struct {
		struct in_addr src, dst;
		unsigned char zero, proto;
		unsigned short len;
	} pseudo;
	unsigned long sum = 0;
	unsigned short *p;
	int i;

	pseudo.src = iph->ip_src;
	pseudo.dst = iph->ip_dst;
	pseudo.zero = 0;
	pseudo.proto = IPPROTO_TCP;
	pseudo.len = htons(tcplen);

	for (p = (unsigned short *) &pseudo, i = 0; i < (int) sizeof(pseudo) / 2; i++)
		sum += *p++;
	for (p = (unsigned short *) tcph, i = 0; i < tcplen / 2; i++)
		sum += *p++;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (unsigned short) ~sum;
}

int
main(int argc, char *argv[])
{
	int i = 0;
	int sock;
	int on = 1;
	struct sockaddr_in sockstruct;
	struct ip *iphead;
	struct tcphdr *tcphead;
	char evilpacket[sizeof(struct ip) + sizeof(struct tcphdr)];
	unsigned int seq, ack;
	FILE *victimfile;
	FILE *spooffile;
	char buffer[256];
	struct viclist *vcur, *vfirst;
	struct slist *scur, *sfirst;

	bzero(evilpacket, sizeof(evilpacket));
	bzero(&sockstruct, sizeof(sockstruct));

	/* Each list ends in an empty sentinel node, so "cur->link != NULL"
	 * means "cur holds a real address". */
	vfirst = malloc(sizeof(struct viclist));
	vcur = vfirst;
	vcur->link = NULL;
	sfirst = malloc(sizeof(struct slist));
	scur = sfirst;
	scur->link = NULL;

	if (argc < 4) {
		printf("Usage: %s scan_type ((S)yn/(F)in) spoof_file victim_file\n"
		       "Example: %s S spooffile victimfile\n", argv[0], argv[0]);
		exit(-1);
	}
	if ((strncmp(argv[1], "S", 1)) && (strncmp(argv[1], "F", 1))) {
		printf("Scan type not specified\n");
		exit(-1);
	}

	/* Spoof file: one dotted-quad source address per line. */
	if ((spooffile = fopen(argv[2], "r")) == NULL) {
		perror("fopen");
		exit(-1);
	}
	while (fgets(buffer, sizeof(buffer), spooffile)) {
		if (!(inet_aton(buffer, &(scur->spoof))))
			printf("Invalid address found in spoof file.. ignoring\n");
		else {
			scur->link = malloc(sizeof(struct slist));
			scur = scur->link;
			scur->link = NULL;
		}
	}
	fclose(spooffile);
	for (scur = sfirst; scur->link != NULL; scur = scur->link)
		printf("Found spoof host: %s\n", inet_ntoa(scur->spoof));
	scur = sfirst;

	/* Victim file: one dotted-quad target address per line. */
	if ((victimfile = fopen(argv[3], "r")) == NULL) {
		perror("fopen");
		exit(-1);
	}
	while (fgets(buffer, sizeof(buffer), victimfile)) {
		if (!(inet_aton(buffer, &(vcur->victim))))
			printf("Invalid address found in victim file.. ignoring\n");
		else {
			vcur->link = malloc(sizeof(struct viclist));
			vcur = vcur->link;
			vcur->link = NULL;
		}
	}
	fclose(victimfile);
	for (vcur = vfirst; vcur->link != NULL; vcur = vcur->link)
		printf("Found victim host: %s\n", inet_ntoa(vcur->victim));
	vcur = vfirst;

	/* Raw socket with IP_HDRINCL: we build the whole IP header ourselves,
	 * which is what lets ip_src be anything at all. */
	if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
		perror("socket");
		exit(-1);
	}
	if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *) &on, sizeof(on)) < 0) {
		perror("setsockopt");
		exit(-1);
	}
	sockstruct.sin_family = AF_INET;

	iphead = (struct ip *) evilpacket;
	tcphead = (struct tcphdr *) (evilpacket + sizeof(struct ip));
	iphead->ip_hl = 5;
	iphead->ip_v = 4;
	/* FreeBSD's raw socket takes ip_len/ip_off in host order and converts
	 * them itself; a Linux port would need htons() on both. */
	iphead->ip_len = sizeof(struct ip) + sizeof(struct tcphdr);
	iphead->ip_id = htons(getpid());	/* one IP ID for the whole run */
	iphead->ip_ttl = 255;
	iphead->ip_p = IPPROTO_TCP;
	iphead->ip_sum = 0;			/* kernel fills in the IP checksum */
	iphead->ip_tos = 0;
	iphead->ip_off = 0;

	tcphead->th_win = htons(512);
	if (!(strncmp(argv[1], "S", 1)))
		tcphead->th_flags = TH_SYN;
	else
		tcphead->th_flags = TH_FIN;
	tcphead->th_off = 5;	/* header length in 32-bit words */

	srand(getpid());	/* seed once, not per packet */

	/* For every victim, for every spoofed source, walk ports 1-1024. */
	while (vcur->link != NULL) {
		iphead->ip_dst = vcur->victim;
		sockstruct.sin_addr = vcur->victim;
		sleep(1);
		while (scur->link != NULL) {
			seq = rand() % time(NULL);
			ack = rand() % time(NULL);
			tcphead->th_sport = htons(rand() % time(NULL));
			sockstruct.sin_port = htons(rand() % time(NULL));
			iphead->ip_src = scur->spoof;
			sleep(1);
			for (i = 1; i <= 1024; i++) {
				seq += (rand() % 10) + 250;
				ack += (rand() % 10) + 250;
				tcphead->th_seq = htonl(seq);
				tcphead->th_ack = htonl(ack);
				tcphead->th_dport = htons(i);
				tcphead->th_sum = 0;
				tcphead->th_sum = tcp_cksum(iphead, tcphead, sizeof(struct tcphdr));
				sendto(sock, evilpacket, sizeof(evilpacket), 0,
				       (struct sockaddr *) &sockstruct, sizeof(sockstruct));
			}
			scur = scur->link;
		}
		scur = sfirst;
		vcur = vcur->link;
	}
	return 0;
}

@HWA

07.0 MS get Independent Auditor for HotMail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Weld Pond

After prompting from industry watch dog groups Microsoft has agreed to
hire a third party auditing firm to review the recent HotMail incident.
Microsoft has not released the name of the company and it is unlikely
the resulting report will be made public.

Wired
http://www.wired.com/news/news/technology/story/21691.html

All Eyes on Hotmail Audit
by Chris Oakes

4:00 p.m. 10.Sep.99.PDT

Can the Internet industry spank itself? Some are watching the outcome of
the latest major Web breakdown to see.

Microsoft has chosen an undisclosed independent auditor to give Hotmail
a security once-over. As it does so, the company, industry watchdog
Truste, and privacy advocates cast the audit as a testament to -- or
failure of -- effective self-regulation.

Following a recommendation last week by Truste, Microsoft went about
choosing an independent auditing firm this week to test the security of
its free Hotmail email service.

"We're doing an independent review or audit of the Hotmail incident of
last week, which got a lot of attention," said Microsoft spokesperson
Tom Pilla.

Hotmail users were confronted with an alarming security breach last
week. Hackers exposed every Hotmail email account so that anyone who
knew a person's username could access that account without a password.

"Truste said Microsoft was in compliance and believed [the Hotmail
security issue] to be resolved. But we are continuing to investigate
that incident completely to ensure that the service complies with the
high standards we put on consumer privacy," Pilla added.
Truste spokesman Dave Steer emphasized that his organization didn't order
Microsoft to hire an auditor; rather, it was a recommendation.

Pilla underscored the point. "They suggested and we agreed. It's not
something we had to do."

So if the agreement was such a non-threatening, voluntary arrangement,
does it stand up as an effective demonstration of the power of
self-regulation?

"Yeah, I think it [does]," Pilla said. "As soon as the incident occurred
we [were] in close coordination with Truste, as we always are on these
things."

Last week, Truste took an initial stance that the incident was a
security issue, not a privacy matter. But Steer said the organization
sees the two issues as connected, and a Truste statement on the
organization's Web site clarifies its position.

"The statement clearly highlights the fact that there's not trust
without privacy and similarly there's not privacy without reasonable
security of the data being protected," Steer explained. "So in some
instances, yes -- security and privacy go hand in hand."

Jason Catlett, a privacy advocate who closely watches the
self-regulation issue, was guardedly impressed by the sheer notion of an
audit.

"I don't write it off as [a] meaningless act. I'm quite pleased that
they have agreed to an independent audit. It's a small window opened in
the fortress Redmond," he said.

But Catlett read hidden meaning in the unprecedented Microsoft decision,
and doesn't see it as evidence of self-regulation's effectiveness.

"Basically, [Microsoft] realize[s] that nobody believes a single word
they say anymore, so they're paying an accounting firm to say things for
them."

The nature of this security breach -- a simple function of logging into
an email account -- made it easier for Microsoft to open up Hotmail for
review, Catlett said.

In contrast, the company's undisclosed use of a unique identifier in
Microsoft Office documents and Microsoft cookies created during user
registration of Windows, had much broader implications. Thus, when an
audit was badly needed, Microsoft declined.

"Truste didn't do an audit [in that case] so [Catlett's Junkbusters
watchdog group] went to the FTC and asked them to require an audit, and
Microsoft just refused."

This time, "Truste suggested an audit and Microsoft agreed -- this is
the coziest regulation imaginable," Catlett said.

Pilla disagreed. "I think it's a very good expression of
self-regulation," he said. "I think our swift response to the Hotmail
incident coupled with inviting a third party review is evidence of our
commitment to protecting people's online privacy."

The legitimacy of the Hotmail audit will depend on the particular
security issues the auditing firm is asked to test.

"Management makes some assertion and the acting firm attests to that
assertion. If the assertions are very limited, then the conclusion [of
the] accounting firm is very limited," Catlett said.

Pilla said he couldn't comment on the specifics of the audit yet. "We
don't know what the process is, moving forward." He also wouldn't say
whether the public would ever get to review the test conducted by the
auditing firm.

As to skepticism of the self-regulatory process, Truste's Steer said,
"We don't dictate where the program is going to go based on the
skeptics. We have to take a good hard look at what the consumer needs.
... Any reasonable person can take a look at what's going on right now
and come to their own conclusion. If you ask me personally, I think this
is an example that the system worked."

Whatever the outcome, it will no doubt be logged into any case histories
seeking to build a case for or against self-regulation.

Pilla said the audit should take "not months but a fairly short amount
of time."

Said Catlett: "They're on a tightrope where they're trying to maintain
credibility as a consumer advocacy organization while still not scaring
away potential licensees with any real prospects of sanctions."

@HWA

08.0 US Gov to Switch From NT to Open Source
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Weld Pond

The National Security Council will soon create a software assessment
office to evaluate different operating systems other than Windows NT
including open source software. A major reason given for this switch was
the susceptibility of Windows to viruses and other attacks. (The article
says they are looking closely at Linux, I hope they don't forget
OpenBSD.)

Federal Times
http://www.federaltimes.com/topstory.html

The Independent Weekly
September 16, 1999

Top Officials Seek Alternatives to Microsoft

By Stephen Trimble
FEDERAL TIMES STAFF WRITER

Concerned about security and an excessive reliance on Microsoft
software, senior administration officials plan to diversify the types of
operating systems software purchased by the government.

The National Security Council soon will create a new office to assess
the ways federal agencies could make greater use of open-source, or
nonproprietary, software that is freely available to anyone and has
codes that are not secret.

"One of the areas we are very interested in looking at is open-source
code," a senior White House official told Federal Times.

The effort ultimately could affect the types of software the government
purchases for network servers and desktop applications. The government
will buy $2 billion worth of software in 2000, according to Federal
Sources Inc., of Fairfax, Va., a market research company.

The initial purpose of the new software assessment office will be to
identify agencies and programs that will be candidates for trials of
open source software, said the White House official, who asked not to be
identified.
The General Services Administration and the National Institute of
Standards and Technology also are involved in creating the office. Its
location still is to be decided.

The new office will assess the costs and benefits of using open-source
software to operate many government computers. Also to be determined are
the cost and technical obstacles to communication between systems using
open-source and the proprietary software now in use.

The White House official declined to say how extensive is the
administration's plan to diversify its reliance on operating systems
software.

A chief reason for the effort, according to advocates, is to address
concerns that Microsoft operating systems are vulnerable to malicious
computer viruses and hacker attacks. This is partly because the
Microsoft software is proprietary and security vulnerabilities are more
difficult to find and correct, said Przemek Klosowski, a NIST physicist
and leader of the Washington, D.C., Linux User's Group.

"Government should be vendor-neutral, and the government should not
formulate IT requirements that say only a single vendor is applicable,"
Klosowski said.

Klosowski said Linux is used on a limited basis for computer research
applications at Energy Department laboratories, NASA, NIST and the
Defense Department. "I don't know of any large government Linux
contracts," he added.

Another purpose of adopting different types of software is to diversify
the government's inventory of operating systems, so not all are
vulnerable to the same viruses and attacks, the White House official
said.

Linux, an open-source operating system similar in functionality to
Microsoft Windows, is being given serious consideration as an
alternative for government computer users, the official said.

Access to the Linux source code "gives us some confidence," the White
House official said, adding that it simplifies patching security
breaches and correcting routine errors.

Created by a Finnish graduate student named Linus Torvalds in 1991,
Linux's open code is relentlessly scrutinized and tested by tens of
thousands of systems analysts worldwide, who constantly recommend
improvements, Klosowski said.

As a result, Linux boasts a robust code that rarely malfunctions and is
extremely difficult for hackers to crack, Klosowski said. Microsoft, on
the other hand, keeps its code secret and makes upgrades to its products
on a yearly basis, he said.

Microsoft software products have been the target of numerous computer
viruses. One of the best known was the Melissa virus that struck
thousands of government and nongovernment computers in March by
exploiting vulnerabilities in Microsoft Word 97 and Microsoft Word 2000.
In June, another virus called ExploreZip targeted vulnerabilities in
Microsoft Windows 95, Windows 98 and Windows NT.

Microsoft officials argue their software products meet federal security
standards. Microsoft's main server software, Microsoft Windows NT 3.5,
for instance, is certified under the federal security standard known as
Federal Information Processing Standard 140-1, said Quazi Zaman,
advanced technology manager for Microsoft Federal Systems of Washington,
D.C.

The newest version of Microsoft's server operating system, called
Microsoft Windows NT 4.0, is undergoing certification and is expected to
be certified "in the next three months," Zaman said.

Zaman added that Microsoft has been considering making some of its
software products open source for two years.

"Open source is a very innovative way to develop software," Zaman said.
"The issue is how much of our own code we should put out in the open
source environment."

Zaman added that Microsoft likely would be willing to provide the
National Security Council with its code for security inspections if it
is for national security purposes. So far, he said, the NSC has not
asked for access to any of Microsoft's software code.

Zaman argued that government agencies are not excessively reliant on
Microsoft products, adding that other software suppliers, namely,
database software suppliers, have larger shares of the federal software
market.

The project to increase the government's use of open-source operating
systems likely will present formidable challenges.

The government already relies extensively on Microsoft products for
desktop and, increasingly, server applications. Thus, there are sure to
be communications problems between systems that use different software,
said John Gilligan, the Energy Department's chief information officer.

The concept also appears to run counter to the government's 3-year-old
effort to concentrate on buying commercial, easy-to-use software, said
Payton Smith of Federal Sources Inc.

Regardless of security concerns, Smith added, a multitude of software
systems within an agency often can lead to interoperability problems.

"The more variations you have in the software, the more problems and the
more costs you're going to have," Smith said.

The White House official acknowledged that concerns over costs and
interoperability issues must be settled for the project to succeed.

"That's exactly the issues we're looking at," the official said. "Both
costs and interoperability are critical issues."

@HWA

09.0 Sept 15th CryptoGram
~~~~~~~~~~~~~~~~~~~~~~~~~

To: crypto-gram@chaparraltree.com
From: Bruce Schneier
Subject: CRYPTO-GRAM, September 15, 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

                  CRYPTO-GRAM

               September 15, 1999

               by Bruce Schneier
                Founder and CTO
       Counterpane Internet Security, Inc.
            schneier@counterpane.com
           http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on computer security and cryptography.

Back issues are available at http://www.counterpane.com. To subscribe or
unsubscribe, see below.
Copyright (c) 1999 by Bruce Schneier ** *** ***** ******* *********** ************* In this issue: Open Source and Security NSA Key in Microsoft Crypto API? Counterpane Systems -- Featured Research News Extra Scary News Counterpane News The Doghouse: E*Trade Factoring a 512-bit Number Comments from Readers ** *** ***** ******* *********** ************* Open Source and Security As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice. Open Source Cryptography Cryptography has been espousing open source ideals for decades, although we call it "using public algorithms and protocols." The idea is simple: cryptography is hard to do right, and the only way to know if something was done right is to be able to examine it. This is vital in cryptography, because security has nothing to do with functionality. You can have two algorithms, one secure and the other insecure, and they both can work perfectly. They can encrypt and decrypt, they can be efficient and have a pretty user interface, they can never crash. The only way to tell good cryptography from bad cryptography is to have it examined. Even worse, it doesn't do any good to have a bunch of random people examine the code; the only way to tell good cryptography from bad cryptography is to have it examined by experts. Analyzing cryptography is hard, and there are very few people in the world who can do it competently. Before an algorithm can really be considered secure, it needs to be examined by many experts over the course of years. This argues very strongly for open source cryptographic algorithms. 
Since the only way to have any confidence in an algorithm's security is to have experts examine it, and the only way they will spend the time necessary to adequately examine it is to allow them to publish research papers about it, the algorithm has to be public. A proprietary algorithm, no matter who designed it and who was paid under NDA to evaluate it, is much riskier than a public algorithm. The counter-argument you sometimes hear is that secret cryptography is stronger because it is secret, and public algorithms are riskier because they are public. This sounds plausible, until you think about it for a minute. Public algorithms are designed to be secure even though they are public; that's how they're made. So there's no risk in making them public. If an algorithm is only secure if it remains secret, then it will only be secure until someone reverse-engineers and publishes the algorithm. A variety of secret digital cellular telephone algorithms have been "outed" and promptly broken, illustrating the futility of that argument. Instead of using public algorithms, the U.S. digital cellular companies decided to create their own proprietary cryptography. Over the past few years, different algorithms have been made public. (No, the cell phone industry didn't want them made public. What generally happens is that a cryptographer receives a confidential specification in a plain brown wrapper.) And once they have been made public, they have been broken. Now the U.S. cellular industry is considering public algorithms to replace their broken proprietary ones. On the other hand, the popular e-mail encryption program PGP has always used public algorithms. And none of those algorithms has ever been broken. The same is true for the various Internet cryptographic protocols: SSL, S/MIME, IPSec, SSH, and so on. The Best Evaluation Money Can't Buy Right now the U.S. government is choosing an encryption algorithm to replace DES, called AES (the Advanced Encryption Standard).
There are five contenders for the standard, and before the final one is chosen the world's best cryptographers will spend thousands of hours evaluating them. No company, no matter how rich, can afford that kind of evaluation. And since AES is free for all uses, there's no reason for a company to even bother creating its own standard. Open cryptography is not only better -- it's cheaper, too. The same reasoning that leads smart companies to use published cryptography also leads them to use published security protocols: anyone who creates his own security protocol is either a genius or a fool. Since there are more of the latter than the former, using published protocols is just smarter. Consider IPSec, the Internet IP security protocol. Beginning in 1992, it was designed in the open by committee and was the subject of considerable public scrutiny from the start. Everyone knew it was an important protocol and people spent a lot of effort trying to get it right. Security technologies were proposed, broken, and then modified. Versions were codified and analyzed. The first draft of the standard was published in 1995. Different aspects of IPSec were debated on security merits and on performance, ease of implementation, upgradability, and use. In November 1998, the committee published a slew of RFCs -- one in a series of steps to make IPSec an Internet standard. And it is still being studied. Cryptographers at the Naval Research Laboratory recently discovered a minor implementation flaw. The work continues, in public, by anyone and everyone who is interested. The result, based on years of public analysis, is a strong protocol that is trusted by many. On the other hand, Microsoft developed its own Point-to-Point Tunneling Protocol (PPTP) to do much the same thing. They invented their own authentication protocol, their own hash functions, and their own key-generation algorithm. Every one of these items was badly flawed. 
They used a known encryption algorithm, but they used it in such a way as to negate its security. They made implementation mistakes that weakened the system even further. But since they did all this work internally, no one knew that PPTP was weak. Microsoft fielded PPTP in Windows NT and 95, and used it in their virtual private network (VPN) products. Eventually they published their protocols, and in the summer of 1998, the company I work for, Counterpane Systems, published a paper describing the flaws we found. Once again, public scrutiny paid off. Microsoft quickly posted a series of fixes, which we evaluated this summer and found improved, but still flawed. Like algorithms, the only way to tell a good security protocol from a broken one is to have experts evaluate it. So if you need to use a security protocol, you'd be much smarter taking one that has already been evaluated. You can create your own, but what are the odds of it being as secure as one that has been evaluated over the past several years by experts? Securing Your Code The exact same reasoning leads any smart security engineer to demand open source code for anything related to security. Let's review: Security has nothing to do with functionality. Therefore, no amount of beta testing can ever uncover a security flaw. The only way to find security flaws in a piece of code -- such as in a cryptographic algorithm or security protocol -- is to evaluate it. This is true for all code, whether it is open source or proprietary. And you can't just have anyone evaluate the code, you need experts in security software evaluating the code. You need them evaluating it multiple times and from different angles, over the course of years. It's possible to hire this kind of expertise, but it is much cheaper and more effective to let the community at large do this. And the best way to make that happen is to publish the source code. 
But then if you want your code to truly be secure, you'll need to do more than just publish it under an open source license. There are two obvious caveats you should keep in mind. First, simply publishing the code does not automatically mean that people will examine it for security flaws. Security researchers are fickle and busy people. They do not have the time to examine every piece of source code that is published. So while opening up source code is a good thing, it is not a guarantee of security. I could name a dozen open source security libraries that no one has ever heard of, and no one has ever evaluated. On the other hand, the security code in Linux has been looked at by a lot of very good security engineers. Second, you need to be sure that security problems are fixed promptly when found. People will find security flaws in open source security code. This is a good thing. There's no reason to believe that open source code is, at the time of its writing, more secure than proprietary code. The point of making it open source is so that many, many people look at the code for security flaws and find them. Quickly. These then have to be fixed. So a two-year-old piece of open source code is likely to have far fewer security flaws than proprietary code, simply because so many of them have been found and fixed over that time. Security flaws will also be discovered in proprietary code, but at a much slower rate. Comparing the security of Linux with that of Microsoft Windows is not very instructive. Microsoft has done such a terrible job with security that it is not really a fair comparison. But comparing Linux with Solaris, for example, is more instructive. People are finding security problems with Linux faster and they are being fixed more quickly. The result is an operating system that, even though it has only been out a few years, is much more robust than Solaris was at the same age.
Secure PR One of the great benefits of the open source movement is the positive-feedback effect of publicity. Walk into any computer superstore these days, and you'll see an entire shelf of Linux-based products. People buy them because Linux's appeal is no longer limited to geeks; it's a useful tool for certain applications. The same feedback loop works in security: public algorithms and protocols gain credibility because people know them and use them, and then they become the current buzzword. Marketing people call this mindshare. It's not a perfect model, but hey, it's better than the alternative. ** *** ***** ******* *********** ************* NSA Key in Microsoft Crypto API? A few months ago, I talked about Microsoft's system for digitally signing cryptography suites that go into its operating system. The point is that only approved crypto suites can be used, which makes things like export control easier. Annoying as it is, this is the current marketplace. Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd expect out of Microsoft. Suddenly there's a flurry of press activity because someone notices that the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes. I don't buy it. First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, or 3) install a module other than Crypto API to break the encryption (no other modules need signatures).
It's always easier to break good encryption by attacking the random number generator than it is to brute-force the key. Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security. Third, why in the world would anyone call a secret NSA key "NSAKEY"? Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert. I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that. Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use. But it's not an NSA key so they can secretly inflict weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses. 
My original article: http://www.counterpane.com/crypto-gram-9904.html#certificates Announcement: http://www.cryptonym.com/hottopics/msft-nsa.html Nice analysis: http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=52 Useful news article: http://www.wired.com/news/news/technology/story/21577.html ** *** ***** ******* *********** ************* Counterpane Systems -- Featured Research "Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)" Bruce Schneier and Mudge, CQRE, Duesseldorf, Oct 1999, to appear. The Point-to-Point Tunneling Protocol (PPTP) is used to secure PPP connections over a TCP/IP link. In response to [SM98], Microsoft released extensions to the PPTP authentication mechanism (MS-CHAP), called MS-CHAPv2. We present an overview of the changes in the authentication and encryption-key generation portions of MS-CHAPv2, and assess the improvements and remaining weaknesses in Microsoft's PPTP implementation. While fixing some of the more egregious errors in MS-CHAPv1, the new protocol still suffers from some of the same weaknesses. http://www.counterpane.com/pptpv2-paper.html ** *** ***** ******* *********** ************* News The Internet Auditing Project. This is REAL interesting. A group did a low-level security audit of 36 million hosts on the Internet. Just how secure is the Internet really? http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32 http://www.internetnews.com/intl-news/print/0,1089,6_184381,00.html And if that isn't scary enough, here's a more detailed audit of 2200 Internet sites.
http://www.fish.com/survey/ My all-time favorite Y2K compliance statement: http://www.hartscientific.com/y2k.htm If you need more evidence that proprietary security just doesn't work, Microsoft's digital music security format is cracked within days of being released: http://www.wired.com/news/news/technology/story/21325.html http://www.news.com/News/Item/0,4,0-40672,00.html?st.ne.lh..ni http://www.msnbc.com/news/302195.asp Patent blackmail: Lawyers for someone named Leon Stambler have been sending threatening letters to security companies, claiming that SSL, PCK, FIPS 196, SET, Microsoft PPTP, Authenticode, etc. infringe on his patent. See for yourself; the U.S. patent numbers are 5,793,302 and 5,646,998. http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='5,793,302'.WKU.&OS=PN/5,793,302&RS=PN/5,793,302 http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='5,646,998'.WKU.&OS=PN/5,646,998&RS=PN/5,646,998 With all the talk about electronic voting, it's nice that someone recognizes that there are some serious security problems. The most severe, at least to me, is voter coercion. When you step into a private voting booth, you can vote as you please. No one can do anything about it. If you can vote from your computer, in your own home, with some kind of electronic security measure, then it is possible for someone to buy your vote and to ensure that you deliver on the goods. http://www.nytimes.com/library/tech/99/08/cyber/articles/14vote.html Many people asked me about my comment last issue about Windows NT needing over 300 security changes to make it secure. I queried the Usenet newsgroup comp.os.ms-windows.nt.admin.security asking if it was folklore or truth, and got several answers.
The consensus seemed to be that the number was somewhere between 50 and 3000, and 300 wasn't an unreasonable estimate. A good checklist is available here: http://people.hp.se/stnor/ And see also: http://www.trustedsystems.com/NSAGuide.htm The U.S. crypto export regulations have led to the development of some excellent products from non-U.S. companies. Judging from this article, though, this isn't one of them: http://www.rediff.com/computer/1999/jul/09suri.htm Two Microsoft security white papers. They're not great, but they do explain the Microsoft party line. Security basics: http://www.microsoft.com/security/resources/security101wp.asp Office 2000 Macro Security: http://officeupdate.microsoft.com/2000/downloadDetails/o2ksec.htm A flaw in Hotmail allows anyone to read anyone else's email, without a password. To me, the real interesting story is not that the flaw was discovered, but that it might have been known by the underground community long before it became public. Some of the news stories imply this. http://www.wired.com/news/news/technology/story/21503.html http://www.msnbc.com:80/news/306093.asp http://www.zdnet.com.au:80/zdnn/stories/zdnn_display/0,3440,2324361,00.html http://news.excite.com/news/zd/990901/10/the-bug-syndrome http://news.excite.com/news/zd/990901/06/how-hotmail-blew http://www.salon.com/tech/log/1999/09/02/hotmail_hack/print.html Encrypted sculpture at the CIA's headquarters in Langley, VA. http://www.npr.org/programs/atc/990826.kryptos.html Join the military and see the basements of Ft. Meade. The National Security Agency is offering free college tuition and room and board to hackers willing to work for them for five years after graduation. http://www.currents.net/newstoday/99/08/27/news3.html http://www.cnn.com/TECH/computing/9908/26/t_t/teen.hacker/index.html Nice BBC article on U.S.
encryption debate: http://news.bbc.co.uk/hi/english/world/americas/newsid_430000/430384.stm Funny stuff: the real story of Alice and Bob: http://www.conceptlabs.co.uk/alicebob.html There was a really good article -- clear, complete, understandable -- in _The Sciences_ recently about quantum computing. Cryptome has put the article online, with the permission of the author. http://cryptome.org/qc-grover.htm ** *** ***** ******* *********** ************* Extra Scary News The Justice Department is planning to ask Congress for new authority allowing federal agents armed with search warrants to secretly break into homes and offices to obtain decryption keys or passwords or to implant "recovery devices" or otherwise modify computers to ensure that any encrypted messages or files can be read by the government. With this dramatic proposal, the Clinton Administration is basically saying: "If you don't give your key in advance to a third party, we will secretly enter your house to take it if we suspect criminal conduct." The full text of the Justice Department proposal, a section-by-section analysis prepared by DOJ lawyers, and related materials are available at: http://www.epic.org/crypto/legislation/cesa_release.html http://www.cdt.org/crypto/CESA http://www.washingtonpost.com/wp-srv/business/daily/aug99/encryption20.htm http://www.zdnet.com/zdnn/stories/news/0,4586,2317907,00.html http://www.techweb.com/wire/story/TWB19990820S0012 ** *** ***** ******* *********** ************* Counterpane News Bruce Schneier will be speaking at SANS Network Security 99, October 3-10, in New Orleans. See http://www.sans.org/ns99/ns99.htm for more conference details. Attack Trees: Wed, 6 Oct, 10:30-12:30 Internet Cryptography: Tue, 5 Oct, 9:00-5:00 Bruce Schneier authored the "Inside Risks" column for the Aug, Sep, and Oct 99 issues of _Communications of the ACM_. 
Biometrics: Uses and Abuses: http://www.counterpane.com/insiderisks1.html The Trojan Horse Race: http://www.counterpane.com/insiderisks2.html Risks of Relying on Cryptography: http://www.counterpane.com/insiderisks3.html ** *** ***** ******* *********** ************* The Doghouse: E*Trade E*Trade's password security isn't. They limit the logon password to a maximum of 6 characters, and the only choices are letters (upper and lower case are distinguished), numbers, $, and _. Whose portfolio do you want to trade today? ** *** ***** ******* *********** ************* Factoring a 512-bit Number A factoring record was broken last month, on 22 August. A group led by Herman te Riele of CWI in Amsterdam factored a 512-bit (155-digit) hard number. By "hard," I mean that it was the product of two 78-digit primes...the kind of numbers used by the RSA algorithm. About 300 fast SGI workstations and Pentium PCs did the work, mostly on nights and weekends, over the course of seven months. The algorithm used was the General Number Field Sieve. The algorithm has two parts: a sieving step and a matrix reduction step. The sieving step was the part that the 300 computers worked on: about 8000 MIPS-years over 3.7 months. (This is the step that Shamir's TWINKLE device can speed up.) The matrix reduction step took 224 CPU hours (and about 3.2 Gig of memory) on the Cray C916 at the SARA Amsterdam Academic Computer Center. If this were done over the general Internet, using resources comparable to what was used in the recent DES cracking efforts, it would take about a week calendar time. The entire effort was 50 times easier than breaking DES. Factoring e-commerce keys is definitely very practical, and will be becoming even more so in future years. It is certainly reasonable to expect 768-bit numbers to be factored within a few years, so comments from RSA Laboratories that RSA keys should be a minimum of 768 bits are much too optimistic. 
Certicom used the event to tout the benefits of elliptic curve public-key cryptography. Elliptic-curve algorithms, unlike algorithms like RSA, ElGamal, and DSA, are not vulnerable to the mathematical techniques that can factor these large numbers. Hence, they reason, elliptic curve algorithms are more secure than RSA and the rest. There is some truth here, but only if you accept the premise that elliptic curve algorithms have fundamentally different mathematics. I wrote about this earlier; the short summary is that you should use elliptic curve cryptography if memory considerations demand it, but RSA with long keys is probably safer. This event is significant for two reasons. One, most of the Internet security protocols use 512-bit RSA. This means that non-cryptographers will take notice of this, and probably panic a bit. And two, unlike other factoring efforts, this was done by one organization in secret. Most cryptographers didn't even know this effort was going on. This shows that other organizations could already be breaking e-commerce keys regularly, and just not telling anyone. As usual, the press is getting this story wrong. They say things like: "512-bit keys are no longer safe." This completely misses the point. Like many of these cryptanalysis stories, the real news is that there is no news. The complexity of the factoring effort was no surprise; there were no mathematical advances in the work. Factoring a 512-bit number took about as much computing power as people predicted. If 512-bit keys are insecure today, they were just as insecure last month. Anyone implementing RSA should have moved to 1024-bit keys years ago, and should be thinking about 2048-bit keys today. It's tiring when people don't listen to cryptographers when they say that something is insecure, waiting instead for someone to actually demonstrate the insecurity.
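The "no surprise" point above can be checked with the same heuristic cryptographers used to predict the cost in the first place. What follows is an added example, not part of Crypto-Gram and not the CWI team's code: it evaluates the standard General Number Field Sieve cost heuristic L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped, so the ratios it produces are rough (within a small factor), and it extrapolates from the 8000 MIPS-year sieving figure quoted above under the assumption of no algorithmic advances and 1999-era hardware. The 1024-bit policy floor is the one the essay itself recommends.

```python
import math

# Heuristic asymptotic cost of the General Number Field Sieve for a modulus n
# (standard textbook form; the o(1) term is dropped, so ratios between sizes
# are rough estimates, not exact operation counts):
#     L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),   c = (64/9)^(1/3)
GNFS_C = (64 / 9) ** (1 / 3)

# Data point quoted in the essay: the 512-bit sieving step took about
# 8000 MIPS-years on 1999 hardware.
SIEVE_MIPS_YEARS_512 = 8000.0


def gnfs_log_effort(bits: int) -> float:
    """Natural log of the GNFS heuristic cost for a `bits`-bit modulus."""
    ln_n = bits * math.log(2)
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def relative_effort(bits: int, base_bits: int = 512) -> float:
    """Factor by which a `bits`-bit modulus is harder to factor than a
    `base_bits` one, under the heuristic above."""
    return math.exp(gnfs_log_effort(bits) - gnfs_log_effort(base_bits))


def projected_sieve_mips_years(bits: int) -> float:
    """Extrapolate the 1999 sieving effort to another modulus size.
    Assumes the same algorithm, no mathematical advances (the essay's point
    is that none were needed for 512 bits) and 1999 hardware, so the real
    calendar cost only falls from here as machines get faster."""
    return SIEVE_MIPS_YEARS_512 * relative_effort(bits)


def meets_minimum(bits: int, minimum_bits: int = 1024) -> bool:
    """Key-size policy check: reject RSA moduli below the minimum."""
    return bits >= minimum_bits


if __name__ == "__main__":
    for b in (512, 768, 1024, 2048):
        print(f"{b:5d} bits: {relative_effort(b):10.3g}x the 512-bit effort, "
              f"~{projected_sieve_mips_years(b):10.3g} MIPS-years (1999 hardware), "
              f"policy ok: {meets_minimum(b)}")
```

Run as is, the block puts a 768-bit modulus at roughly six thousand times the 512-bit effort and a 1024-bit one at roughly a thousand times that again, which is why "768 bits within a few years" is a reasonable forecast and why a 768-bit minimum is too low a floor.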
http://www.cwi.nl/~kik/persb-UK.html http://www.msnbc.com/news/305553.asp RSA's analysis: http://www.rsa.com/rsalabs/html/rsa155.html Certicom's rebuttal: http://www.certicom.com/press/RSA-155.htm Prominent Web sites that still use 512-bit RSA: Travelocity Microsoft's online store Compaq's online store Godiva's online store Dr. Koop.com Flowers N More There are lots more. You can check yourself by connecting to a site with a secure domestic version of Microsoft Internet Explorer 4.0. ** *** ***** ******* *********** ************* Comments from Readers From: Gene Spafford Subject: Re: Comments on the "NSA" key in Windows NT Well, it is always easier to believe a conspiracy theory or dark designs. However, there may be alternative explanations. For instance, I happen to know that various 3-letter agencies use a lot of Windows machines (in a sense, that should be scary all by itself). Suppose they want to load their own highly-classified, very closely-guarded version of their own crypto routines. Do you think they will send copies of their code out to Redmond to get it signed so it can be loaded? Or are they going to sign it themselves, with their own key, doing it in-house where it is "safe"? If they are going the in-house route, then either Microsoft needs to share the private key with them (bad idea), or the code needs to accommodate a second key schedule generated inside the TLA. Hmmm, that sounds familiar, doesn't it? Another explanation, that I may have read here (this issue has been discussed on many lists) is that to get the approval for export, the folks at MS needed to include a "back-up" key in case the first was compromised in some way. They would need to switch over to using the alternate key for all the systems already out there. But how would they do that unless the second key was already installed, so they could do the switch using that second key? So, if you were MS, and the NSA required you to install a backup key like this, what would you call it? 
Of course, it could be that MS wanted the backup key themselves, and the programmer involved in the coding decided to name it something silly. Or, there is a history of MS code being shipped with undocumented code elements, and things that MS management don't know are present. Suppose the code (involving only a few lines of code) was placed there by an agent of the intelligence services of some other country (it wouldn't be that hard to subvert an existing employee or place one at MS with good coding skills who could eventually gain access to the appropriate code). He/she names the variables with "NSA" in place in case anyone doing a code review would question it -- and includes a comment block that says "The NSA required this to be here -- do not change or ask questions." The "sinister purpose" might be correct, but you are blaming the wrong entity. Heck, maybe this is a grand design of Mr. Gates himself: after all, he's certainly having some aggravation from the U.S. Justice Department! There are other possible explanations for the name, too. These alternate explanations do not mean that the extra key does not have side-effects (such as clandestine installation and circumvention of the export controls). And of course, we will probably never know what the primary reason for this key is, nor will we know what role these side-effects may have had in the decision, despite what people eventually claim. The key thought is that there are possible scenarios for the naming of the key that do not involve nefarious activity, or do not involve such activity by the NSA. That should not be the immediate conclusion people reach. And, at the risk of starting some tirades, let me ask a (rhetorical) question: even if it was put there for purposes of clandestine monitoring, what is wrong with that? If this gets used to monitor terrorists with NBC weapons, drug cartels, or weapons labs in Iraq, isn't that what we want done? 
In that light, there should be some concern that this has now been exposed and possibly nullified! The history of cryptography shows -- repeatedly -- that having crypto assets makes a huge difference in times of conflict, and that getting such assets in place and working takes time. It would be naive to believe that there are no such threats looming, or that there is no such likelihood in the future. We should be clear in our discussions as to whether our concern is the presence of the code, or over who may have control of it. Is the issue really one of what controls are in place that ensure that the code isn't used against inappropriate targets (e.g., law-abiding, friendly businesses and citizens)? Unfortunately, we don't have strong assurances in this realm, and there have been some past abuses (or alleged abuses). But that may be moot if the code was actually placed for some other group's dark design. From: "Lucky Green" Subject: More NSAKEY musings I'd like to comment on some of your public comments regarding the NSAKEY. The goal of this email is to provide you with a few data points about the mindset intelligence agencies employ when compromising systems. First, I agree with your assessment that the NSA does not /need/ to compromise CAPI to compromise the computers of those running Windows. Which is not analogous to the claim that the NSA would not seek to compromise CAPI by causing Microsoft to install the NSA's key. For the academic cryptographer, once one catastrophic flaw in a cipher has been found, the work is over. "We have a 2^16th attack. The job is done. Let's go home". Intelligence agencies don't operate this way. My work with GSM has revealed that intelligence agencies, which as we all know ultimately stand behind the GSM ciphers, take a very different approach. Intelligence agencies will compromise every single component of a crypto system they can compromise.
Intelligence agencies will, given the opportunity, compromise a component just because they can, not because they need to. This appears to be a somewhat perverted manifestation of implementing multiple redundancy into a system. Which, as I am sure we all agree, is generally a good idea.

In the case of GSM, we have discovered the following compromises:

o Compromised key generation. The 64-bit keys have the last 10 bits of key zeroed out. (I heard rumors that some implementations only zero out the last 8 bits, but either way, this is undeniably a deliberate compromise of the entropy of the key).

o Compromise of the authentication system and keygen algorithm. The GSM MoU was formally notified in 1989 (or 1990 at the latest) about the flaws in COMP128 we discovered last year. Long before GSM was widely fielded. The MoU's Security Algorithm Group of Experts (SAGE), staffed by individuals whose identities are unknown to this day, kept this discovery secret and failed to inform even the MoU's own members. As a result, intelligence agencies can clone phones and calculate the voice privacy keys used during a call.

o Compromise of the stronger voice privacy algorithm A5/1. This 64 bit cipher has numerous design "flaws", resulting in a strength of at most 40 bits. It is inconceivable to me and virtually everybody I talked with that these rather obvious flaws were overlooked by A5/1's French military designers.

o Compromise of the weaker voice privacy algorithm A5/2. The MoU admits that breakability was a design goal of A5/2, even though SAGE stated in their official analysis of A5/2 that they were unaware of any cryptographic flaws in A5/2.

To allow for interception and decryption of GSM traffic, it would have sufficed to compromise the effective key length. It would have sufficed to compromise the keygen. It would have sufficed to compromise the ciphers. The NSA/GCHQ did all three.
Given these facts, it would not be at all unusual for the NSA to install backdoors in the Windows OS itself *and* have obtained a copy of Microsoft's signing key *and* have Microsoft install the NSA's own key. Think of it as well-designed failover redundant compromise.

From: "Kevin F. Quinn"
Subject: Crypto-Gram April 15 1999, and the recent "NSA" spare-key debate.

In Crypto-Gram April 15 1999, you mentioned the two-key approach of Microsoft with regard to its root keys for Authenticode, and that they included the two keys "presumably for if one ever gets compromised". We now know the same approach was taken for CSP. Microsoft's own announcement on the subject is interesting; the two keys are present "in case the root key is destroyed" (paraphrase). I think in your Crypto-Gram you meant "destroyed" rather than "compromised" -- Microsoft seem to be trying to guard against the possibility that the secret root key is burnt in a fire or somesuch; they're not guarding against unauthorised copies of the key being made with the two-key approach. I think it's an important distinction to make.

The only good reason I can see to have two keys, is to provide security against compromise -- in which case you need to validate signatures against both keys (i.e., AND rather than OR). That way if one key is compromised, the validation will still fail as the second signature won't be valid. If both keys are stored in separate secured locations, the attacker has to break the security of both locations in order to acquire both keys, and you hope that you might notice one break-in before the second occurs. The sensible way to guard against the possibility of destruction (fire, catastrophe etc) is to have several copies, each securely stored and monitored (the same way classified documents are controlled).
Microsoft claim that the two-key approach was suggested by the NSA -- I find it difficult to believe the NSA would suggest including two root keys, to guard against destruction of a root key. My pet theory is that there was a communication problem; the NSA advice went something along the lines of, "having two root keys guards against loss", meaning compromise, and Microsoft took this to mean destruction.

From: Greg Guerin
Subject: A new spin on the NSA-key/NT issue?

In your article at , you end by saying: "This virus doesn't exist yet, but it could be written." [This is a virus that would replace the backup key in NT with a rogue key, and could trick the user into accepting malicious code as signed.]

After I wrote , it occurred to me that the virus now exists, or at least all the parts of it do. It only needs to be "turned to the Dark Side" and assembled. The "construction kit" for this virus is none other than the "repair program" at:

All the parts are there. The "AddDelCsp.exe" program (no source provided) is the active infecting agent. The "nsarplce.dll" and other DLL's are the "toxins". The kit even includes "TestReplacement.exe" (with source) to test whether an enterprising young kit-builder has made his changes successfully or not.

I'm sorta guessing, but someone with Wintel programming skills could probably construct a virus or Trojan horse with this kit in a matter of hours. Probably the only skill they would have to sharpen is the crypto, but there's some nice starter info in the Fernandes report itself. A little reading, a little key-generating time, maybe a little patching, and presto. Try it on a local NT system, then release it to the world by mirroring the Fernandes report. Or just send it to some "friends" via Hotmail.
It would certainly look authentic, and because even the original "repair" program was unsigned, and the original report says nothing about authenticating the download before running it, it could be a very well-traveled Trojan horse indeed. If this virulent "repair program" is written with a little restraint, it can spread VERY far before anyone even notices. It could even camouflage itself and name its toxic key "NSAKEY", just like Microsoft's original. That is, after "removing" itself, it's still present. How often do people even think of checking that key?

If you know someone with NT programming experience, it might be interesting to have them read the Fernandes report, download the virus construction kit, er, I mean "repair" program, then give this a try. I'd guess that not even prior virus-writing skills would be needed, just above-average NT programming skills. I bet you'd have a virulent version in less than an afternoon. A fine project for a lazy Labor Day holiday, eh?

From: Sam Kissetner
Subject: Meganet

I thought this might amuse you. The February issue of Crypto-Gram makes fun of Meganet's home page for saying:

1 million bit symmetric keys -- The market offer's [sic] 40-160 bit only!!

I visited that page today. (The URL changed; it's at .) Maybe they read Crypto-Gram, because they tried to fix the grammatical error. But it was part of a graphic, so they just pasted a little white box over the apostrophe and s, leaving:

1 million bit symmetric keys -- The market offer 40-160 bit only!!!

Gee, that's *much* better.

From: Marcus Leech
Subject: HP's crypt(1) description

To be fair to HP, and crypt(1) -- HP has merely faithfully reproduced the original crypt(1) MAN page. Crypt(1) first appeared in Unix V7, back around 1978 or so -- at a time when DES was just starting to be used in certain limited areas. That an operating system had any kind of file encryption facility at all was some kind of miracle at the time.
Sun has obviously lightly hacked-over the documentation to reflect current reality, while HP has taken the approach of staying faithful to the original documentation.

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is a venture-funded company bringing innovative managed security solutions to the enterprise. http://www.counterpane.com/

Copyright (c) 1999 by Bruce Schneier

@HWA

10.0 Move over BO2k here's Donald Dick from Russia with love...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Donald Dick v1.52 was coded by Yaworsky (aka Alexander A. Yaworsky) and BAdMAN F0ReVeR (aka Alexander A. Fedenko)

Yaworsky: http://redrival.com/donalddick/ay.jpg
BAdMAN..: http://redrival.com/donalddick/badman.jpg

From the site; http://donalddick.da.ru/

News

15 September 1999

We have just received and used the new AVP update. Very funny. It found only the distributive Donald Dick file and the GUI/cmd.line clients ;) (old 1.5 beta3 only). It does not see a real Donald Dick installation.
By the way, life for AVP will not be too easy soon - now we are implementing the new 'SmartMorph' technology. The result will be that the executable file will be different with each installation and will never contain any unique sequence of bytes.

13 September 1999

Almost all keyboard features are implemented in Donald Dick client 1.52

10 September 1999

We have good news for you: New Donald Dick version 1.52 is now available. Catch! Now we will produce only the full version of the server and it will be completely free with its current set of features (or bugs ;).

Network protocol was changed. So be careful - previous and current versions are incompatible. If you already use Donald Dick in any place you must completely reinstall it. You can upload the server file to the target machine using the previous client and run it (don't issue the upgrade command); after you issue the run command, the connection may be immediately lost and after that you must use the new client.

Donald Dick server: new features:

o The most wishful: UNINSTALL. Don't care - it completely wipes the Donald Dick server out.
o Hidden mode: the server does not respond if the request was not actually processed
o Ports can be set by the server; now you don't need to edit the registry manually.
o Pre-, post-delay and repeat count for requests
o Keyboard control: issue keystrokes, remap keys and save the key map so it will be loaded at startup ;) Keyboard input is now captured, and because the server becomes operational immediately after the shell is loaded, you can see what the user typed at login prompts. NOTE that keyboard features except keystroke simulation are available only under Windows9X. For winNT they will be available later.
o Chat rooms - volatile and non-volatile

So you need to wait a little for the updated Donald Dick GUI client. New features will be available in the nearest days. Or take the power of the command line right now.

6 September 1999

We radically changed the design of this site.

18 August 1999

Donald Dick 1.5 beta 3 became available.
-=- About Donald Dick

We are not liable for any damages caused by use of software we did. And we don't advise to ride our little brothers. But if you want to do it...

Let us introduce Donald Dick - another remote control system.

Donald Dick is a remote control system for workstations running Windows 95, 98 or NT 4.0 (not tested on 5, we didn't steal it yet). First, it was implemented to replace well-known trojans we used to confuse dummies, and to be invisible to existing antiviruses. We used it locally since February - March of '99 till the summer. The first implementation could only open and close the cdrom tray but it quickly became a powerful remote control system.

Donald Dick consists of two parts - client and server. To install the server on the destination computer, you simply must launch the executable file there. Once you install the Donald Dick server on a computer, all of its resources become completely yours. You can control it with the Donald Dick client via the TCP or SPX network protocol. But if you are going to use Donald Dick for serious purposes then you can restrict access to the server with a password.

Under Windows9X the Donald Dick server becomes operational immediately after the shell starts up. Under WindowsNT the server is loaded as a service process but we tried to hide it in the control panel->services.

Here is the list of actions you can perform:

o File system - full access: browse, create, remove directories; erase, rename, copy, upload, download files; set date/time of file.
o Processes and threads: browse, terminate; run programs; additionally for processes - set priority; for threads - suspend, resume.
o Registry - full access: browse, create, remove keys and values; set values.
o System: get/set system time (you can perform a Y2K compliance test ;) ); shutdown/logoff/reboot/power off; query system info, query/set system parameters.
o Window