- Default, Help Net Security newsletter
- issue #1, Friday 13 August 1999
- (http://default.net-security.org)
-
-
- TABLE OF CONTENTS
- -----------------
-
- I. Editorial
- II. Last week's news on Help Net Security
- a) Help Net Security news headlines
- b) Vulnerabilities reported in last week
- c) Site News
- d) Defaced Pages
- III. Y2K: As the millennium approaches
- IV. A look into basic cryptography
- V. The history of Zero Knowledge Systems
- VI. Telecommunications 101
- VII. Macintosh security: How to make your mac a babel tower!
- VIII. Computing: A closer look at hard- and software
- IX. An approach to Linux System Security
- X. Infection & Vacination
- XI. Spam: The problems with junk e-mail
- XII. Freedom of speech - related incidents
- XIII. Meet the underground
- XIV. Guest column
-
- I. Editorial
- ------------
-
- Hi there and welcome to the first edition of Default, the Net Security newsletter.
- The idea behind this newsletter has several sides to it. On one side we want to
- keep you up-to-date regarding news and events from and in the security scene. On
- the other hand, we hope this will turn into an interactive medium through which we
- can educate and inform you and, through interaction with you, maybe even ourselves.
- We hope in this way to bring together more of the different kinds of knowledge that
- seem to exist in the professional computing/security scene and the underground,
- and to inform both sides about each side's knowledge base and accomplishments. This
- will not be a primary technical source of knowledge though; we start by focusing on
- basics to get everyone on the same level regarding some of our topics before moving
- on to the technically more advanced issues. Most of all we want this to grow, hopefully
- through submissions and contributions by you, our readers.
-
- This being the first in hopefully a long series of newsletters, we had some
- problems to deal with. One of these is the absence of one of our editors. Due
- to his vacation we didn't have the chance to call on Doug Muth's expertise in
- the fields of viruses and spam. As soon as he gets back we hope to provide you
- with his contributions in a next issue.
-
- Furthermore we think that what lies before you is a pretty decent issue, the first of
- what we hope will be many. We have sought (and found) a lot of assistance in both the
- underground and the professional security scene. We hope you'll be as pleased
- with the results as we are, though feedback is always welcome. Remember, we can
- try to make this good, but we need your comments and contributions to make this
- the best.
-
- Well, that's it for now. Before you lies issue #1 of Default; we hope you enjoy it
- as much as we did making it.
-
- For the HNS and HNS Default Crew:
-
- Berislav Kucan
- aka BHZ, webmaster Help Net Security
- bhz@net-security.org
-
- Xander Teunissen
- aka Thejian, co-webmaster Help Net Security
- thejian@net-security.org
-
-
- II. Last week's news on Help Net Security
- -----------------------------------------
-
- a) Help Net Security news headlines
-
- - Saturday 7th August 1999:
-
- Japan cracks down on unauthorized network access
- LinuxPPC crack contest update
- LA District Attorney drops Mitnick case
- Lockdown 2000
- Proposal to ban "unapproved content" linking
- Chaos Computer Camp kicking off
- Cyberwar: The threat of chaos
-
- - Sunday 8th August 1999:
-
- HWA.Hax0r.News #28 released
- CrackTheBox goes a bit further again
- Mass hack on german domains
-
- - Monday 9th August 1999:
-
- Hackers take over tv-channel?
- Clinton keeps supporting y2k updates
- DOD worried
- Wired covering CCC
- New Melissa style virus
- Secure shell installation and configuration
- Backwork 2.1 released
- Sorting out security
- Will hackers make use of y2k confusion?
- Belgacom Skynet hacked
-
- - Tuesday 10th August 1999:
-
- Patch for Excel97 coming on August 16th
- Kevin Mitnick avoids stiff sentence
- IBM supports Linux
- Kevin could soon be free
- HK mail systems open to abuse
- Finalists new encryption standard named
- Sentencing hacker no cause for joy
-
- - Wednesday 11th August 1999:
-
- RedHat advisory and new linux kernel
- Taiwan strikes back
- Taiwan prosecutors probe web site intrusion
- Microsoft Office97 flaws
- Office harassment
-
- - Thursday 12th August 1999:
-
- Network-centric warfare
- Key to crypto success: don't be born in the USA
- New IE5 bug exposes passwords
- Error in Microsoft patch
- New mail attack identified
-
- - Friday 13th August 1999:
-
- Outsmarting the wily computer virus
- Startup wants to sell untappable phones
- Baltimore Technologies to ship encryption tool for XML
- Hacking your way to an IT career
- Code-cracking computer causes concern
-
- b) Vulnerabilities reported in the last week (our thanks go out to BugTraq for this list)
-
- 6-8 NT Exchange Server Encapsulated SMTP Address Vulnerability
- 8-8 CREAR ALMail32 Buffer Overflow Vulnerability
- 8-8 WebTrends Enterprise Reporting Server Negative Content length DoS Vulnerability
- 8-8 Microsoft FrontPage Extensions for PWS DoS Vulnerability
- 9-8 Firewall-1 Port 0 DoS Vulnerability
- 9-8 Solaris stdcm_convert File Creation Vulnerability
- 9-8 NT Terminal Server Multiple Connection Request DoS Vulnerability
- 9-8 Multiple vendor profil(2) Vulnerability
- 11-8 NT IIS Malformed HTTP Request Header DoS Vulnerability
- 11-8 Multiple Vendor IRDP Vulnerability
-
- c) Help Net Security site news
-
- - Saturday 7th August 1999:
-
- Mailing list submission form
- Study on Linux System Security
-
- - Sunday 8th August 1999:
-
- Connection problems
- Mac archive updated
- Anonymous submission form back online
-
- - Monday 9th August 1999
-
- Insert HNS headlines in your site
-
- - Wednesday 11th August 1999:
-
- Bookstore update
-
- d) Defaced pages: (mirrors provided by Attrition (http://www.attrition.org))
-
- Site: Illinois Institute of Technology (www.iit.edu)
- Mirror: http://default.net-security.org/1/www.iit.edu.htm
-
- Site: Santa's Official Page (www.north-pole.net)
- Mirror: http://default.net-security.org/1/www.north-pole.net.htm
-
- Site: NorthStarNet (www.northstarnet.org)
- Mirror: http://default.net-security.org/1/www.northstarnet.org.htm
-
- Site: Official site of Korn (www.korn.com)
- Mirror: http://default.net-security.org/1/www.korn.com.htm
-
- Site: Malaysian Government (www.idhl.gov.my)
- Mirror: http://default.net-security.org/1/www.idhl.gov.my.htm
-
- Site: Institute for Telecommunication (elbert.its.bldrdoc.gov)
- Mirror: http://default.net-security.org/1/elbert.its.bldrdoc.gov.htm
-
- Site: Federal Energy Regulatory Commission (www.ferc.fed.us)
- Mirror: http://default.net-security.org/1/www.ferc.fed.us.htm
-
- Site: State of Michigan Official Site (www.state.mi.us)
- Mirror: http://default.net-security.org/1/www.state.mi.us.htm
-
- Site: China Securities Regulatory Commission (CN) (www.csrc.gov.cn)
- Mirror: http://default.net-security.org/1/www.csrc.gov.cn.htm
-
- Site: Wired Digital (www.wired.com)
- Mirror: http://default.net-security.org/1/www.wired.com.htm
-
- Site: Motorola (TW) (www.motorola.com.tw)
- Mirror: http://default.net-security.org/1/www.motorola.com.tw.htm
-
-
-
- III. Y2K: As the millennium approaches
- --------------------------------------
-
- It is Wednesday, 11 August 1999. Less than 4 months separate this millennium
- from the next. What will happen then? People often think about Armageddon,
- but it has its counterpart in the computer world: Y2K (year 2000).
-
- As I have always been interested in news regarding the solution of this bug (the
- term "computer bug" was coined by Navy computer pioneer Grace Hopper
- in the 1950s after a moth got into one of her machines and it went
- haywire), I saw that many countries have spent billions of dollars on
- preparing their systems for the new millennium.
- "The two-digit year is a convention as ancient as the feather pen--
- writing the date on a personal letter with an apostrophe in the year,
- implying a prefix of 17- or 18- or 19-. But reading an apostrophe
- requires sentience and judgment. Computers possess neither. They cannot
- distinguish an "00" meaning 1900 from an "00" meaning 2000. When asked,
- for example, to update a woman's age on Jan. 1, 2000, a computer
- might subtract her year of birth (say, '51) from the current year
- ('00), and conclude she will not be born for another 51 years. A human
- would instantly realize the nature of the error, adjust his parameters,
- and recalculate"
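- The age miscalculation in the quoted passage, and the "windowing" interpretation that
- was commonly used to remediate stored two-digit years, as an added example (not part
- of the newsletter; the pivot year 50 and the sample records are assumptions):

```python
# Added illustration of the two-digit-year failure and its windowing remediation.
# Not part of the newsletter; the pivot year (50) and sample data are assumptions.

def naive_age(birth_yy, current_yy):
    """Age as computed by a program that stores only the last two digits of the year.
    On 1 Jan 2000 the current year reads '00, so a '51 birth year yields -51."""
    return current_yy - birth_yy


def window_year(yy, pivot=50):
    """Expand a two-digit year through a fixed window: yy >= pivot is 19yy, else 20yy.
    This was a common low-cost fix when widening the field to four digits was not
    an option; the pivot is chosen per application (50 here is an assumption)."""
    if not 0 <= yy <= 99:
        raise ValueError("expected a two-digit year, got %r" % (yy,))
    return 1900 + yy if yy >= pivot else 2000 + yy


def windowed_age(birth_yy, current_yy, pivot=50):
    """The same subtraction after both years have been expanded through the window."""
    return window_year(current_yy, pivot) - window_year(birth_yy, pivot)


def audit_birth_years(stored_yy, current_yy=0, pivot=50):
    """Remediation check over a data set of stored two-digit birth years: return
    (stored year, naive result, windowed result) for every record whose naive
    age goes negative once the current year reads '00'."""
    report = []
    for yy in stored_yy:
        naive = naive_age(yy, current_yy)
        if naive < 0:
            report.append((yy, naive, windowed_age(yy, current_yy, pivot)))
    return report


# Constructed sample: four records as a 1999-era personnel file might store them.
SAMPLE_BIRTH_YEARS = [51, 0, 99, 62]
```

- Note that a window cannot tell 1900 from 2000; records that legitimately span more
- than a century still need the field widened to four digits.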
-
- So we know the problem now, but how did it start? Robert Bemer is the man
- who wrote the American Standard Code for Information Interchange, the
- language through which different computer systems communicate. He
- also introduced the "backslash" and "escape" characters. In the late 1950s Robert Bemer
- helped in writing COBOL (a computer language which had commands in plain
- English, so it was easy for everyone to use). There was nothing in COBOL
- requiring or even encouraging a two-digit year. Bemer blames the programmers
- and bosses for this glitch. He pointed out that they were instructed to
- save costs. Now we can draw a parallel: if those bosses hadn't been so
- shortsighted and had invested in this issue, there wouldn't be a
- Y2K bug to talk about. So this was the brief history of the Y2K bug. Now
- for the week in Y2K review.
-
- The Y2K problem could be used for cyberattacks, the United States Department of
- Defense concluded. Fixing systems and preparing them for the new millennium
- may expose the information infrastructure to hacking attempts, so the DOD advised all
- network managers to have their people change all passwords. It is just
- a precaution. To make this easy for their system administrators, the US
- Navy created three programs to help automate the password exchange.
-
- Friends of the Earth and Greenpeace International, two "green" organizations,
- are protesting around the globe and appealing to the United States and Russia to
- scale down the readiness of nuclear weapons to reduce the possibility of a Y2K
- computer glitch that could really cause Armageddon (just think back to
- what happened to Hiroshima and Nagasaki; this would be a 100 times bigger
- catastrophe). We know that the United States has spent billions of dollars on
- preparing every vital part of its infrastructure. But Russia is a different
- topic; its way of living and its social and financial state are on a much
- lower level. Just to note, you saw how much money the USA puts into Y2K solutions,
- and only two thirds of its nuclear plants are Y2K ready. BTW the
- Nuclear Regulatory Commission published its guidelines:
- * Plants with non-safety systems that affect power operation that are not Y2K-ready
- or those plants that have incomplete contingency plans for these systems
- will be subject to additional regulatory actions which may include issuance
- of an order requiring specific actions by the licensee. There are about 12
- plants in this category.
- * Plants with non-safety, support systems and components that are not Y2K-ready
- or plants that have incomplete contingency plans for these systems could
- require additional meetings, audits, or requests for additional information.
- There are about 10 plants in this category.
- And the conclusion:
- The plants that have Y2K work remaining are continuing to progress toward
- Y2K readiness. As of August 1, five more plants have reported that they are
- Y2K-ready bringing the total to 73 operating nuclear power plants that are
- fully Y2K-ready. This reduces to 30 the number of plants that have remaining
- work on non-safety systems and components to be fully Y2K-ready.
-
- The World Bank published its Global Commodities Report, a report talking about fears
- of the millennium bug. The report speaks about "Concerns over the potential disruptions
- associated with Y2K may cause consumers, processors and distributors to stockpile
- crude oil and products. A shortage of ocean tankers may develop if importers rush
- to beat the end-of-the-year concerns over Y2K and this could contribute to the
- potential for price volatility". The world fears the year 2000. A lot of recent actions
- could prove this:
- India will print more money
- The US Government got a suggestion to move the New Year's Eve celebration to the 3rd of January
- Japan will halt airplane flights on New Year's Eve
- Canada's telephone company tested its new Y2K-prepared system and it crashed
- And a lot of other things happened, but this is enough for the first issue.
- Below you can read an interesting article about testing your computer for Y2K,
- written by Atlienz (atlienz@default.net-security.org).
-
- What is it?
-
- The problem is with the real time clock (RTC) in the computer, which tells the computer
- the current date. When programmers first defined the date format, they defined
- the year portion of the date with only two digits instead of four. They chose two digits
- instead of four to save storage space, which at that time was very expensive. So any
- computer or software that is not Year 2000 compliant will experience problems on
- January 1, 2000. Some computers will revert to a 1900, 1980 or 1984 date, which
- will throw off accounting programs that read that date.
-
- Preparation & Timing!
-
- If you feel capable, check your real time clock (RTC). Go to a DOS prompt (C:\>) and
- type "DATE". The current date will appear along with an option to change the date.
- Change the date to December 31, 1999. Then type "TIME". The current time will appear
- and you need to change that to 12:58 P.M. Next, shut down or turn off your computer
- and wait five minutes. Turn your computer on, and check the current date by again
- going to the DOS prompt and typing "DATE". If your computer displays January 1, 2000
- then your system is 2000 compliant. If the system displays a year of 1980, 1984,
- 1900 or anything else besides 2000 then your computer is not 2000 compliant. Be sure
- to reset your computer to the current date!
- Next, perform a complete software inventory and verification, including operating
- systems, productivity tools, games, etc. Record the vendor, title and version.
- Contact each vendor and inquire whether your version of the software is 2000 compliant.
- If not, ask whether the newer versions are compliant or whether the vendor will bring
- the software into compliance.
- NOW is the time to take action toward finding a solution for the
- year 2000 issue. If you wait, resources such as computers, technician support and
- even information may be in short supply.
- -----------
-
- In the next issue of Default, the net security newsletter, you can read about Y2K testing
- tools and of course the latest news from the millennium bug section.
-
- BHZ
- Berislav Kucan
- bhz@net-security.org
-
-
-
- IV. A look into basic cryptography
- ----------------------------------
-
- Okay, this is Iconoclast, I have been asked to start working with net-security for their
- Default newsletter on a cryptography section. First and foremost, I am in no way
- qualified for this, and if I am ever wrong, please feel free to contact me and correct
- me.
-
- This will basically be YOUR section.
-
- I have been given free rein on how to run it, so this is how things will be. It will be
- run via your submissions and weekly news on the cryptography front. Most everything I
- hear is over my head, but we will learn together. For this, the first issue, I have dug
- up an old "HOWTO" I wrote a while ago under another handle, edited it a bit, added
- a lot and then split it into three sections (it was way too big for a single issue).
-
- So here we go, I will delve right into it. We will see how things work out.
-
- First of all, this is strictly to expand one's mind; if you see encryption out there,
- do not crack it. It is encrypted for a reason. I in no way claim any responsibility for
- anyone's actions other than my own. If you do something stupid, it is your own problem
- and fault, not mine, and not net-security's.
-
- I was recently approached by a friend who had been working on some 'indecipherable'
- password protection for restricted areas in web sites. He heard I dabbled in
- cryptanalysis so he asked me to crack his "indecipherable" code.
-
- First of all, he had no idea what he was doing. He should know that nothing is
- indecipherable.
-
- If you want to get into cryptography, the way is NOT to create an algorithm that is
- "virtually indecipherable" it's to get into cryptanalysis. Figure out other people's
- algorithms, and understand their weaknesses. Once you're already accepted into the
- scene (unlike myself) then maybe have a go at creating an algorithm.
-
- First try to identify the method of cryptography. If you see something like the following
- within the page source:
-
- xuuv://qqq.eipov.fhe/eizjen/enecnro.xueb
-
- You are in luck. It is a simple method with a simple method of cracking. It is called a
- transposition cipher.
-
- You recognize the format to go hand in hand with:
-
- http://www.someserver.ext/directory/site.html
-
- So you first start transposing characters (hence the name, transposition cipher)
-
- x=h
- u=t
- v=p
- q=w
- e=m
- b=l
-
- Now you see it as:
-
- http://www.eipov.fhe/eizjen/enecnro.html
-
- Now take the letters that you know and work with them.
- You already know (I will put all of the plaintext in caps so you do not accidentally
- try to decrypt them later)
-
- HTTP://WWW.Mipov.fhM/MizjMn/MnMcnro.HTML
-
- Now you see fhM and immediately compare it to extensions that end in m.... com
- works, so use that and add the new information to your key.
-
- f=c
- h=o
-
- HTTP://WWW.Mipov.COM/MizjMn/MnMcnro.HTML
-
- Okay, now you may have drawn a blank. Look at the referring page... Usually the encrypted
- page is on the same web server as the unencrypted page... let's say the referring
- page is from a web server called www.myisp.com. Now work with that in your key.
-
- HTTP://WWW.MYISP.COM/MizjMn/MnMcnro.HTML
-
- i=y
- p=i
- o=s
- v=p
-
- You now have:
-
- HTTP://WWW.MYISP.COM/MYzjMn/MnMcnrS.HTML
-
- Now it's time to make educated guesses.
-
- MY**M*.... what can possibly fit in here (think English)
- MY**M* could be.... MYHOME
- Now check that with your key: one unencrypted letter should NOT correspond with more
- than one encrypted letter (in a cipher this basic).
-
- x=h
- u=t
- v=p
- q=w
- e=m
- b=l
- f=c
- h=o
- i=y
- p=i
- o=s
- v=p
-
- Aha, it cannot be MYHOME because h=o and thus j cannot = o too (in this simple type of
- encryption), so keep thinking; you won't always get it on your first guess.
-
- MY**M* could be... MYNAME
- compare that with your already known key and it could work
-
- So now you have:
-
- HTTP://WWW.MYISP.COM/MYzjMn/MnMcnrS.HTML
-
- z=n
- j=a
- n=e
-
- HTTP://WWW.MYISP.COM/MYNAME/MEMcErS.HTML
-
- There are no conflicts as of yet.
-
- Once again, time to make another educated guess, and the only word that comes to mind
- that could fit
-
- MEM*E*S is MEMBERS.
-
- Plug that in and see if it works; if not, think of another word that may fit.
-
- You have done it, you've decrypted the encrypted URL to be:
-
- http://www.myisp.com/myname/members.html
-
-
- This was incredibly basic. No important site will utilize such a basic cipher. They
- would use more standard, and field-proven ciphers.
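- The same reasoning done by machine, as an added example (not code from the column): the
- URL is obfuscated with a single-letter substitution, and the article's consistency rule
- (one plaintext letter must not come from two ciphertext letters) becomes a key check
- that rejects MYHOME and accepts MYNAME. Ciphertext and guessed words are the ones above.

```python
# Crib-driven solver for the obfuscated URL in the column. Added example, not the
# column's own code; the ciphertext and every guessed word are taken from the text.

CIPHERTEXT = "xuuv://qqq.eipov.fhe/eizjen/enecnro.xueb"


class KeyConflict(ValueError):
    """A guess would map one letter two ways (in either direction)."""


class SubstitutionKey:
    def __init__(self, c2p=None, p2c=None):
        self.c2p = dict(c2p or {})   # ciphertext letter -> plaintext letter
        self.p2c = dict(p2c or {})   # plaintext letter -> ciphertext letter

    def add(self, c, p):
        """Record c=p, refusing anything that contradicts the key so far."""
        if self.c2p.get(c, p) != p or self.p2c.get(p, c) != c:
            raise KeyConflict("%s=%s clashes with the known key" % (c, p))
        self.c2p[c] = p
        self.p2c[p] = c

    def try_crib(self, cipher_word, plain_word):
        """Test a guessed plaintext word against a ciphertext word.
        Returns an extended copy of the key, or None if the guess conflicts."""
        if len(cipher_word) != len(plain_word):
            return None
        trial = SubstitutionKey(self.c2p, self.p2c)
        try:
            for c, p in zip(cipher_word, plain_word):
                if c.isalpha():
                    trial.add(c, p)
        except KeyConflict:
            return None
        return trial

    def apply(self, text):
        """Decrypt what is known so far: known letters in upper case, unknown
        ones left in lower case (the column's convention)."""
        return "".join(self.c2p[ch].upper() if ch in self.c2p else ch for ch in text)


def solve(ciphertext=CIPHERTEXT):
    """Replay the column's reasoning: structural cribs first, then word guesses."""
    key = SubstitutionKey()
    cribs = [("xuuv", "http"), ("qqq", "www"), ("xueb", "html"),   # URL scaffolding
             ("fhe", "com"),                                        # top-level domain
             ("eipov", "myisp")]                                    # host from the referrer
    for c, p in cribs:
        key = key.try_crib(c, p)
        if key is None:
            raise KeyConflict("crib %s=%s is inconsistent" % (c, p))
    # The column's first guess for the directory is rejected: plaintext h and o
    # are already accounted for by ciphertext x and h.
    if key.try_crib("eizjen", "myhome") is not None:
        raise AssertionError("expected MYHOME to be rejected")
    key = key.try_crib("eizjen", "myname")       # second guess, consistent
    key = key.try_crib("enecnro", "members")     # MEM*E*S -> MEMBERS
    return key.apply(ciphertext)
```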
-
-
- Okay, that's about it for this issue; there is much more to come that wouldn't fit in here
- today. Expect more, and expect interactive.
-
- For the time being, if you come across ANYTHING that you think could be of use to anyone
- in the field of cryptography, please drop me a line at crypt@default.net-security.org.
-
- It's been fun.
-
- Michael G. Komitee
- aka Iconoclast
- crypt@default.net-security.org
-
-
-
- V. The history of Zero Knowledge Systems
- ----------------------------------------
-
- Austin & Hamnett Hill - the brothers behind Zero-Knowledge Systems, were
- involved with the Internet at a very young age. At 21 Austin founded the ISP
- Infobahn Online Services with money from his father and a small group of
- investors. They soon called upon Hamnett, a 23 year-old reformed Deadhead
- studying accounting in Montana, to be CFO.
-
- In late 1995 Infobahn merged with Accent Internet to create TotalNet, Canada's
- third largest ISP. At TotalNet, Austin and his partners earned founding investors
- more than a 10,000 per cent return on investments in under two years, growing
- the company to 150 employees in 18 months.
-
- He and Hamnett left as soon as they could sell the company; cashed in and got
- out as the summer of 1997 approached.
-
- "The entire time we were at TotalNet, there was an Internet revolution going on,"
- says Austin, now 26 years old. "Hamnett and I would always talk about what we
- could do. Then a month or two later somebody would do it. We realized we needed
- to get back out there -- privacy was going to be huge."
-
- But before they could get back in the game, there was work that needed doing:
- research to conduct, a business plan to build. An idea was in the back of Austin's
- mind, something that grew out of his strong beliefs in personal freedom and the
- rights of the individual. The seed was planted by an article in Wired about the
- Cypherpunks, Pretty Good Privacy and those building strong encryption tools to
- allow individuals to protect their privacy online. He knew this next project would
- be successful, but Austin, who never finished high school, wanted more than just
- monetary gain.
-
- "The idea of putting basic human rights into a piece of software and giving it to
- individuals was something that we felt in the end could only do more good
- than harm," says Austin. "Free speech isn't there only to protect the good speech."
- In short, he wanted freedom for all.
-
- "Both Hamnett and I have always had the sense that we wanted to do something, but
- for a long time we just didn't know what," says Austin. "Change is usually
- accomplished by a small group of people who believe in something strongly enough
- that they can make it happen. One of our basic premises was that it had to be done
- with a business."
-
- They were dedicated to giving every Net user an easy, secure way to protect their
- privacy -- something no one has been able to do.
-
- "Our biggest concern was how we could bring this to the average person," explains
- Austin. "We wanted to make it absolutely secure so people didn't have to trust us
- - Zero-Knowledge: don't trust us."
-
- After a summer of careful research and planning, the Hills had a viable business
- plan and an idea for privacy software that would place the individual in complete
- control over their personal information and identity on the Internet. Deciding that
- venture capital would put too many restrictions on their business at the time, they
- put their own money into the project and rented office space. In the ensuing months
- they set out recruiting developers to code the software.
-
- "We wanted developers who were young and ambitious enough not to know it couldn't be
- done," says Austin. "We went through a whole group of developers, and finally ended
- up with a core group. At the same time we made a decision that people were going to
- be the most important thing at the company. The whole idea of treating people like
- resources just wasn't going to work."
-
- A Cypherpunk arrives
-
- By early 1998, the Hills had a name for their product, something that encompassed what
- it represented and what it would bring users: Freedom.
-
- Still, they knew a piece of the puzzle was missing. A big piece. The system they were
- trying to build was so complex that they needed one of the top cryptographers in the
- world to oversee its design and implementation. And due to US encryption export
- restrictions, it couldn't be an American.
-
- All along, Austin had his sights on a Canadian who was pursuing his Ph.D. at UC Berkeley.
- His name was Ian Goldberg. By 24 he had exposed security flaws in the Netscape browser,
- cracked a 40-bit code in record time (with the help of 250 computers) and written several
- seminal cryptography papers describing a system that would give users complete privacy.
- Unfortunately, Goldberg only did consulting and charged $10,000 a week in addition to
- first class air and accommodations.
-
- Undeterred, Austin tracked him down at his parents' home in Ontario and gave his pitch:
- "I told him we were going to build the system he had been talking about," says
- Austin. "He said: 'OK, I do consulting and there's a long waiting list.'"
- Austin said: "You don't understand, we want you to join our company."
-
- A few minutes later he hung up, rejected. The next day Austin was on a plane to Toronto
- and took Goldberg out to dinner. For four hours, Goldberg fired questions at Austin.
- "He wanted to make sure I knew what I was getting into, and not just with the technology
- stuff, about the implications of the technology," says Austin. "I felt I aced it. We asked
- him to come to Montreal. The first day he met with the developers and he was saying 'You
- have to do this.' By the second day it was 'We.' By the third day he came in and said,
- 'You know what? You've got the team.'"
-
- At dinner, Goldberg had seen someone with a good grasp of the technology and the political
- and social issues surrounding the project; after meeting the developers, he saw the technical
- know-how with a business plan to back it up.
-
- "They were going to make this happen," says Goldberg. "I wanted to be a part of it."
- With Goldberg on board, the Freedom team was set.
-
- The rest is history in the making...
-
- Jordan Socran
- Zero Knowledge Systems (http://www.zks.net)
-
-
-
- VI. Telecommunications 101
- --------------------------
-
- The current state of this section is yet to be determined. We of Help Net Security
- have been trying to contact several people from this field, but because of people
- being on vacation and others being too busy filling in for people who are on vacation
- we haven't had much luck yet. Until then I will cover some basic issues here regarding
- certain types of telecommunication networks and their flaws. This will however be a
- completely theoretical discussion, meant to inform. I will not provide you with a step
- by step guide to exploiting your local telecom company, nor will I take any responsibility
- for the utilization of anything you learned from here. I myself have a bit of reading up to
- do on the matter of the different phone systems used all over the world, but to get things
- going I'll start here today by explaining a bit about the wonderful world of pager
- communications.
-
- To send a message to someone's pager, you dial a phone number and leave your
- message, after which the message is sent to the actual paging device by a computer or
- operator. This is done through the use of a RIC. A RIC is like a fingerprint for an
- individual pager. The computer sending the message to the pager after you left it knows
- which phone number corresponds with which RIC, which enables it to deliver the message
- to the right pager.
-
- There are three kinds of pagers. First the tone-only, which has no display and just
- sounds a single tone to inform someone that a certain action needs to be taken. Then
- there's the numeric, which has a display that shows its owner just numeric messages
- (hence the name) like phone numbers and so on. Last but not least we have the type of
- pager which is most commonly used nowadays, the alpha-numeric one. This type of pager
- displays not only numbers but can also show text messages.
-
- In the past, most alpha-numeric pagers made use of a proprietary Motorola encoding format
- called GOLAY. We however will not discuss this protocol, since nowadays most pagers
- use the POCSAG (Post Office Code Standardisation Advisory Group standard) protocol. You
- can tell GOLAY from POCSAG by the baud rate which is used to transmit signals. GOLAY
- uses 600 baud, whereas POCSAG pagers can currently transmit at a much higher rate, although
- the original (and still most often used) POCSAG was defined as being able to transmit
- 512 bytes a second.
-
- Using POCSAG, a signal is formatted as one preamble and a minimum of one batch of
- codewords. The preamble is used by the receiving device to check whether the signal is
- indeed a POCSAG signal and to synchronize with the data stream. A batch consists of one
- synchronization codeword, to mark the beginning of a batch of codewords, and eight frames
- which each in turn contain two codewords. These codewords come in several types
- too: a frame can hold two address codewords, two idle codewords, two message codewords or any
- appropriate combination of these three. The synchronization codeword is made up of
- 32 bits; the eight frames are 64 bits each and contain the two codewords that are
- 32 bits in length. Pagers are split into 8 groups. The eight frames are used for this by
- starting a message to a pager with an address codeword in the two-codeword frame
- belonging to the group to which the particular pager is assigned. Immediately after this
- the codewords containing the actual message are sent and then the message is terminated
- by either another address codeword or an idle codeword.
-
- Nowadays there are several pieces of software available on the Internet which allow anyone
- with a computer and a scanner to intercept and decode pager messages (which is illegal
- btw; neither I myself nor Help Net Security take any responsibility whatsoever, this is
- purely meant as a theoretical discussion). For this purpose, the alpha-numeric type of
- message is the most interesting of course, because of the ability to send text in messages.
- To finish this section off for this week I'll give a general description of where the
- actual messages can be found in the strings of beeps.
-
- Within the address space of a pager, 4 different message classes can be found. These are
- specified by the function bits, which are bits 12 and 11 of a codeword. In the original
- 21 bit address format, an alpha-numeric message is indicated by the value 1
- contained in both function bits. Furthermore, alpha-numeric messages are generally encoded
- as 7 bit ASCII characters. When an ASCII message is sent, every 20 bits are
- packed into a new codeword. The 7 bit characters within a codeword are packed from left to
- right, from bit 30 to 11, although each character's least significant bit is sent first,
- so viewed as bits in a codeword the characters appear bit-reversed.
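- The batch and codeword layout described in the last few paragraphs, written out as a
- small encoder/decoder; this is an added example and not code from the column or from
- any pager product. The SYNC/IDLE codewords and the BCH(31,21) generator are the published
- POCSAG constants; zero-padding the last message codeword and keeping a message within one
- batch are simplifications assumed here.

```python
# POCSAG batch encoder/decoder: SYNC codeword, 8 frames of 2 codewords, address
# in the frame selected by the pager's group, message codewords, IDLE terminator.
# Added example. Constants are the published POCSAG values; zero padding and
# "message fits in one batch" are simplifications (assumptions of this demo).

BCH_POLY = 0x769        # generator polynomial of the BCH(31,21) code POCSAG uses
SYNC = 0x7CD215D8       # synchronisation codeword that opens every batch
IDLE = 0x7A89C197       # idle codeword: fills empty frames, terminates a message


def bch_check_bits(data21):
    """10 BCH check bits for a 21-bit data field (polynomial division mod 2)."""
    reg = data21 << 10
    for i in range(30, 9, -1):
        if reg & (1 << i):
            reg ^= BCH_POLY << (i - 10)
    return reg & 0x3FF


def make_codeword(data21):
    """32-bit codeword: 21 data bits, 10 check bits, 1 even-parity bit.
    Data bit 0 lands on codeword bit 11, data bit 20 on bit 31 (the type flag)."""
    cw31 = (data21 << 10) | bch_check_bits(data21)
    parity = bin(cw31).count("1") & 1
    return (cw31 << 1) | parity


def codeword_ok(cw):
    """True when the BCH syndrome is zero and the overall parity is even."""
    if bin(cw).count("1") & 1:
        return False
    cw31 = cw >> 1
    for i in range(30, 9, -1):
        if cw31 & (1 << i):
            cw31 ^= BCH_POLY << (i - 10)
    return cw31 == 0


def address_codeword(ric, function):
    """Address codeword: flag bit 0, the 18 high bits of the 21-bit RIC in bits
    30..13, function bits in 12..11. The low 3 RIC bits are not transmitted:
    they select the frame (0-7) in which this codeword must appear."""
    return make_codeword(((ric >> 3) << 2) | (function & 3))


def alpha_codewords(text):
    """Pack 7-bit ASCII into 20-bit message fields. Each character goes out
    least significant bit first; the stream fills codeword bits 30 down to 11."""
    bits = []
    for ch in text:
        code = ord(ch) & 0x7F
        bits += [(code >> k) & 1 for k in range(7)]
    bits += [0] * (-len(bits) % 20)          # zero pad to a codeword boundary
    cws = []
    for i in range(0, len(bits), 20):
        field = 0
        for b in bits[i:i + 20]:
            field = (field << 1) | b
        cws.append(make_codeword((1 << 20) | field))   # flag bit 1 = message
    return cws


def decode_alpha(cws):
    """Reverse alpha_codewords: read bits 30..11 of each codeword in order and
    rebuild characters, first bit received being the least significant."""
    bits = []
    for cw in cws:
        field = (cw >> 11) & 0xFFFFF
        bits += [(field >> k) & 1 for k in range(19, -1, -1)]
    out = []
    for i in range(0, len(bits) - 6, 7):
        code = sum(b << k for k, b in enumerate(bits[i:i + 7]))
        if code == 0:                        # reached the zero padding
            break
        out.append(chr(code))
    return "".join(out)


def build_batch(ric, function, text):
    """One batch: SYNC + 16 codewords. Address in frame ric & 7, message right
    after it, IDLE everywhere else (which also terminates the message)."""
    body = [IDLE] * (2 * (ric & 7)) + [address_codeword(ric, function)]
    body += alpha_codewords(text)
    if len(body) > 16:
        raise ValueError("message does not fit in one batch (demo limitation)")
    return [SYNC] + body + [IDLE] * (16 - len(body))


def decode_batch(batch, ric):
    """What a pager with this RIC does: look only in its own frame for an address
    codeword carrying its 18 address bits, then collect message codewords until
    an address or idle codeword ends the message. Returns (function, text) or
    None when the batch was not for us."""
    if len(batch) != 17 or batch[0] != SYNC:
        return None
    frame = ric & 7
    for i in (2 * frame + 1, 2 * frame + 2):
        cw = batch[i]
        if not codeword_ok(cw) or (cw >> 31) or cw == IDLE:
            continue                         # corrupt, message or idle: not an address
        if ((cw >> 13) & 0x3FFFF) != (ric >> 3):
            continue                         # another pager sharing our frame
        msg = []
        for nxt in batch[i + 1:]:
            if not codeword_ok(nxt) or not (nxt >> 31):
                break                        # idle/address/corrupt codeword ends it
            msg.append(nxt)
        return (cw >> 11) & 3, decode_alpha(msg)
    return None
```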
-
- Hmm, that's all for this week, folks. As I said before, this was just a basic overview and
- there's a lot I left out in order to give this a pretty basic start. If you'd like a
- little more technical approach to the above, I'd recommend you look through the POCSAG
- texts by Brett Miller and Brad Dye. Next column I will try to dig a little deeper into
- the actual singling out of the message from an intercepted signal, from a software point
- of view. Any and all suggestions for this section are welcome and can be sent to my
- regular e-mail address at Help Net Security.
-
- Xander Teunissen
- aka Thejian, Help Net Security
- thejian@net-security.org
-
-
-
- VII. Macintosh security: How to make your mac a babel tower!
- ------------------------------------------------------------
-
- Many people still think that the Macintosh is just a toy, an Operating System that you could
- use even drunk! Well, to be more serious, it offers many possibilities and can be easily
- integrated in a Wintel or Unix environment. One of the things most people agree on is
- the ease of use and the safety of the OS. We could have ten years of discussion about
- this. Just a fact: go to bugtraq (new url http://www.securityfocus.com), compare and
- count the vulnerabilities on Linux, Win9* or NT, and Apple. Just a fact... When I
- say safety, I also mean Denial of Service attacks. Connecting a mac to the Internet
- offers less possibility for an attacker to make a DOS or take remote control of your
- computer. The default configuration is much safer than on Wintel. Have you ever done a dumpACL
- or a dumpREG on Windows NT?
-
- How to make a safe 24/7 connection to the web?
-
- The Internet is getting wilder and wilder. From the elite to script kiddies, the
- danger is often close, very close: one click away, in an attachment. You don't
- have to be paranoid, but you never know. It depends on which sites you browse and
- what you download, so prepare for the worst and get these tools on your computer:
-
- - Against DoS and connection attempts: two of the best tools are shareware from
- Sustworks:
-
- /IP NetMonitor: an all-in-one tool (ping, traceroute, whois etc.). The most useful
- parts are the network monitor (showing incoming and outgoing bytes/sec) and the
- connection monitor, which shows your local ports and the remote IPs and ports.
- You can watch all connections in real time, and it lets you kill any of them.
- Test it by browsing a site, then switch to IP NetMonitor and kill the connection:
- Netscape will show a network error. It's very useful if you don't have a firewall
- installed.
- look---> http://www.sustworks.com/products/ipnm/uipreview.html
-
- /IP NetRouter: a software-based router, so you don't have to buy one of those really
- expensive hardware routers. Many people in the Unix world use software routers
- because they are much cheaper and very easy to set up. Consider two computers,
- phenix and condor, both on the same LAN. Phenix is connected to the Internet
- (modem, cable, ADSL, T1, whatever; dynamic and static IPs are supported), condor
- isn't. First, it lets you share that Internet connection; it also adds features
- like NAT (Network Address Translation) for condor, and IP filtering that, much
- like a proxy, blocks certain remote IPs or ports. Another great feature is that
- it can provide Internet access (HTTP, FTP, POP3, any type of connection) to
- machines that only speak AppleTalk.
- look--->:http://www.sustworks.com/products/ipnr/ppd1.html
-
- - Another kind of denial of service attack is based on JavaScript and HTML tags.
- Disable JavaScript in your mail client if it lets you. Many mail clients, like
- Outlook and Eudora, are vulnerable to such DoS attacks; they're not very harmful,
- but they can easily crash your mail software. I'm only talking about remote DoS
- here; local ones are another story.
-
-
- - Against viruses and other "versatile" intrusions:
-
- Even though the number of Mac viruses is growing, there are roughly 150 times
- fewer of them than on Wintel. To check, count the entries in a Wintel anti-virus
- definition file and do the same for a Mac-based A-V: Norton detects 40,000
- viruses. That doesn't mean it only happens to other people. The risk remains
- high, but you won't get anything like the CIH virus flashing your BIOS. Always
- keep in mind that you are the best anti-virus: use good sense before downloading
- or opening an attachment. Do I know this site, or the sender? That doesn't make
- you safe, but it reduces the risk. If you feel like playing with viruses, not
- creating them but observing what they do, try MacArmyKnife
- ( http://www.chaoticsoftware.com/ChaoticSoftware/ProductPages/MacArmyKnife.html).
- It's an extensive process manager that gives detailed information on, and
- control of, all running processes, including background (hidden) ones, like the
- process manager on NT. That's a basic approach to viruses; you'd better get a
- real A-V like Norton AV or Virex. Since many new viruses and worms are nothing
- more than hidden AppleScripts replicating folders or deleting files, they're
- really easy to counter. As for trojans like BO or NetBus: yes, there are a few
- like those. The most famous is the Takedown Suite. It does almost everything BO
- does, but the interface is a telnet window, so it's not as easy to customise as
- BO2K. Any of those trojans can be monitored, and with a few tools you can
- discover them: look for hidden extensions or processes, or watch in IP
- NetMonitor for any connection attempt to another IP (an SMTP gateway, for
- example). Agax is one of the only free anti-virus programs. The drawback of most
- free ones is that each tends to focus on one kind of virus; they don't work with
- virus signatures that you can update every two weeks or every month. Agax, on
- the other hand, uses a plugin architecture that gives it a heuristic-like mode
- (http://www.cse.unsw.edu.au/~s2191331/agax/agax.html): if Agax sees a
- "deja vu" activity it treats it as a virus. There's a lot to be said about
- heuristic modes in anti-virus software; sometimes they drive you crazy, because
- any change to the System Folder, or any download, counts as suspicious activity.
-
-
- Having a few tools like these will give you basic and cheap security. If you have a
- few bucks to spend, get a real anti-virus, and if you run a web server as a bastion
- host, get a shareware solution or a real Mac-based firewall like DoorStop
- (www.opendoor.com). Always keep in mind that no system is safe; some are only safer
- than others. Yes, MacOS is not built to handle 10 million hits a day, but keep in
- mind that NO other platform offers you the choice of so many other operating
- systems (up to 4 at the same time): LinuxPPC, BeOS, Win95, Win98, Win NT, BSD,
- NetBSD, OS/2, MacOS X...
-
- "We don't need windows, to open gates.Just think different"
- /eot
-
- by Deepquest
- deepquest@netscape.net
-
- All rights not reserved- Serving since 1994
- http://www.deepquest.pf
-
-
-
- VIII. Computing: A closer look at hard- and software
- ----------------------------------------------------
-
- Win98 getting greedy..
-
- 1. Give me some air to breathe
-
- You probably have more applications running than you think: Press Ctrl+Alt+Del to bring
- up the Close Program box. Even with all the obvious, top-level apps shut down, chances
- are you'll still see a bunch of invisible background applications running. Each running
- app eats a little of your CPU time, with a net result of slowing things down. Some apps
- are worse than others. Microsoft Office's Find Fast is a notorious CPU hog, as are many
- anti-virus and "disk doctor" apps that run constantly in the background. For programs
- like these, use the Custom option in each program's Setup applet to control what runs
- in the background. Use Win98's System Configuration Utility (\WINDOWS\SYSTEM\MSCONFIG.EXE)
- to control which system-level tasks load at startup.
-
- 2. Put it together
-
- Defragging is always a good idea, but it's triply beneficial in Win98. The Defrag applet
- (\WINDOWS\ DEFRAG.EXE) performs three tasks to enhance performance: It places the pieces
- of all your files into fast-loading contiguous areas of your hard disk, moves your most
- frequently used files to the front of the disk where they'll load fastest, and groups
- your applications' separate pieces into the most efficient load-order. Defrag often.
-
-
- 3. Aligning your files
-
- Win98's WAlign (\WINDOWS\SYSTEM\WALIGN. EXE) can restructure programs on your hard drive
- for the fastest-possible access once they're loaded into RAM and your CPU's cache: You
- can see load times improve by 20% or more. But on its own, WAlign only works on
- Microsoft Office programs. To align other apps, you either need to spend $70 for the
- full Win98 Resource Kit (which has a more powerful version called WinAlign) or you can
- download it at net-security.org/dload/wmalign.zip
-
- 4. Garbage can
-
- Win98 is a packrat. As you work, it collects a prodigious number of temporary files, and
- it does so for good reason: The \WINDOWS\TEMP, \WINDOWS\TEMPORARY INTERNET FILES and
- Recycle Bin files all exist to give you fast access to items you might need again. But
- there's a point of diminishing returns. And you can end up with hundreds of megabytes
- of these files, wasting space and decreasing performance as the operating system tries
- to wade through the rubbish. To keep the trash to a manageable minimum, periodically run
- Disk Cleanup from Start/Programs/Accessories/System Tools.
-
- 5. Swap what?!
-
- Win98 wants to manage your swap file (virtual memory) on its own. Windows is good at
- doing that for routine use: The swap file can grow or shrink as needed, and it doesn't
- have to be all in one place. But Win98 will work faster if the file is all in one place,
- and if the operating system doesn't have to constantly take time to enlarge or reduce
- the swap file area as you work. Right click on
- My Computer/Properties/Performance/Virtual Memory and select "Let me specify my own
- virtual memory settings." If you have more than one hard drive, place the swap file on
- the fastest drive you have. Now choose a minimum size for the swap file; a good starting
- point is to specify at least 2.5 times your system's RAM. Setting a large minimum size
- means the swap file will usually be large enough for your needs. Reboot when asked, and
- run Defrag to ensure the swap file's all in one piece. After you're done, you should
- experience noticeably less disk-thrashing.
-
- 6. LOW FAT?
-
- Many systems that came with Win98 or were upgraded from Win95 still run the old-style
- 16-bit File Allocation Table, or FAT16. Win98 also supports FAT32, which is better for
- several reasons. It makes far more efficient use of large hard drives. It can recover
- from some kinds of damage to the root directory or to other critical data structures on
- your disk. It allows programs to load up to 50% faster due to its better use of disk
- space. And it allows Defrag to relocate portions of your applications and their
- supporting files in the actual order they're called, for the fastest possible loading.
- If you're still running FAT16, select Start/Programs/Accessories/System Tools/Drive Converter (FAT32)
- and follow the on-screen directions. If you're not sure which FAT you're using, launch
- the Drive Converter and click on Next. Note that the conversion is one-way, and that
- Windows NT 4.0 cannot read FAT32 partitions, so don't convert a drive you dual-boot with NT.
-
- 7. Yes, my lord..
-
- Windows retains some internal performance settings carried over from the days when RAM
- was expensive. Today they're obsolete and even counterproductive. For example, in
- My Computer/Properties/Performance/File System, the Typical role is usually Desktop
- Computer. But if your PC has more than 32MB of RAM, it'll operate slightly faster if you
- select Network Server even if it isn't really a server. (The Network Server setting uses
- a little more RAM for various disk buffers and caches to speed disk operations.) For
- most systems with abundant RAM, it makes sense to use the server setting.
-
- 8. Dial up Networking
-
- By default, Windows' networking protocols are optimized for LAN-based communication. If
- you connect to the Web via a LAN, you're probably fine. But not if you use Dial-Up
- Networking. LAN links and dial-up Internet links have different maximum packet sizes
- (the MTU), so the resulting packet fragmentation slows you down. Other default settings
- may slow you down as well, but all can be fixed by changing several Registry settings.
- The freeware application EasyMTU (available at most download sites) can do it all for
- you in seconds, and get your dial-up sessions operating at top speed.
-
- 9. Tweak on, babe.
-
- TweakUI lets you improve your PC's responsiveness by setting faster menu speeds,
- adjusting your mouse's double-click sensitivity, turning off time- and CPU-cycle-wasting
- animations, and much more. On most Win98 CDs, you'll find TweakUI in the
- \TOOLS\RESKIT\POWERTOY directory. Right-click on TWEAKUI.INF and select Install. After
- it installs, open Control Panel, click on the TweakUI icon and tweak away.
-
- Damir Kvajo
- aka Atlienz
- atlienz@default.net-security.org
-
-
-
- IX. An approach to Linux System Security
- ----------------------------------------
-
- Since this is the first ``Default'', I think of it as of an informal
- chat with the readers in the local beer-house.
-
- The Linux section of Net-security.org (net-security.org/linux) is meant
- to be a source of technical information for both beginners and advanced
- users. Also, it will not be strictly Linux-oriented.
-
- With the growing number of Internet attacks, administrators who don't
- take proper care of their systems may pay dearly. As we go further, the
- standards for security are getting higher and higher. There is no universal
- security system that can be installed on a server to offer ultimate
- security and protection. And that is good, because a one-size-fits-all
- protection system is bound to have security holes. But having Linux as the
- server OS makes a good starting point for a custom security system. When
- the administrator manually secures his network(s)/host(s), he knows
- exactly how the system works, how it should be maintained and how it
- can be exploited.
-
- Recently I wrote a special report for Net-Security.Org, ``The Study
- on Linux System Security''. You can see it at http://www.net-security.org/linux/.
- Because of a deadline I had already crossed, I had to release the paper
- sooner than I actually wanted to, and I considered my work quite unfinished.
- Since it covered passive security issues (configuration files, access
- regulation etc.), the next paper, which I am already preparing to write,
- will discuss only custom security implementations.
-
- Last time I was setting up a Linux system, I got portscanned and probed
- for exploits and system misconfiguration in less than 10 minutes of being
- connected to the Internet on a random IP given by the ISP. However,
- since most people would never expect an intruder to visit them
- in such a short time, they wouldn't actually be prepared for him.
- But this time I noticed the intruder before he even tried to do something
- malicious, just because I had made some simple modifications to the
- configuration files.
-
- My next ``default'' article: Setting up a Linux Firewall.
-
- dev
- dev@net-security.org
-
-
-
- X. Infection & vacination
- --------------------------
-
- This week in the trojan section I looked at two well-known trojans and a smaller
- one. There is also a small list of ports commonly used by trojans, and a translation
- of VirusScan's cryptic names into English. Anyone who knows my site well knows most of
- this info can be found on my website. It's all here so you don't have to go looking for
- help: it comes to you.
-
- Vampire 1.0 is a new trojan horse with common features. The server comes as two
- different exe files: one copies itself and writes to the registry so it autoloads, the
- other just runs once. Both servers were made in Visual Basic, so the VB runtime files
- are needed; there are rumours that Delphi versions are currently being made. This
- version has about 37 features, some of them destructive (format, delete certain
- files). Vampire 1.0 listens on port 6669 TCP, sending and receiving plain-text
- commands. The chance of infection is low on most computers because of the Visual
- Basic runtime files needed, but if you are infected, here is the 3-step manual removal:
-
- 1. Assuming you have been infected with the registry-writing version, open Regedit
- (Start..Run..Regedit). Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- and delete the Sockets value.
-
- 2. Either close the Sockets process running in memory or simply reboot your machine.
-
- 3. Finally, browse to the c:\windows\system directory, then find and delete
- Sockets.exe. There, all clean and happy.
-
- A new SubSeven was released recently. This version has a brand-new client, totally
- configurable and pleasing to the eye. MobMan really spent a lot of time making
- SubSeven easy to use for anyone. On the server side there is nothing new except a few
- bug fixes. One fix is more secure password authentication when logging on to a SubSeven
- server: previous versions (1.9 and below) had fallen to the same problem NetBus had,
- passwords that could be hacked remotely. Well, with the dawn of the new SubSeven this
- problem appears, for now at least, to be fixed. Okay, here are 3 different ways to
- remove SubSeven 1.9 and 2.0. Of course the details can be changed by whoever
- configured the server, but here they are:
-
- Method 1: Out of the box (sent without configuring it):
-
- 1. Open system.ini (usually c:\windows\system.ini) and, under [boot], remove mtmtask.dl
- from the shell= line, leaving the normal shell=Explorer.exe in place (don't delete the
- whole line, or Windows won't start its shell). This can be done with any text editor,
- such as Notepad.
-
- 2. Then reboot the computer or close mtmtask.dl.
-
- 3. Finally, browse to the Windows directory (usually c:\windows), then find and delete
- mtmtask.dl.
-
- Method 2: Customized to load using win.ini:
-
- 1. Open win.ini (usually c:\windows\win.ini) and remove mtmtask.dl from the run= line
- under [windows]; this can be done with any text editor.
-
- 2. Then reboot the computer or close mtmtask.dl.
-
- 3. Finally, browse to the Windows directory (usually c:\windows), then find and delete
- mtmtask.dl.
-
- Method 3: Customized to load using the registry:
-
- 1. Open Regedit (Start..Run..Regedit). Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices and remove
- the KERNEL32 value.
-
- 2. Then reboot the computer or close mtmtask.dl.
-
- 3. Finally, browse to the Windows directory (usually c:\windows), then find and delete
- mtmtask.dl.
-
- Unless you have been sleeping for a long, long time, you know Back Orifice 2000
- has been released. Well, after getting past the infected copies that were handed out,
- some plugins have been released. L0pht has a whole line of BO2K plugins in development;
- their first, BOTool, is now available and brings a point-and-click interface to file
- and registry management. Fusion Solutions made a Blowfish encryption module, and both
- the CAST-256 and IDEA plugins have been re-released with bug fixes. Removing Back
- Orifice 2000 can be somewhat troublesome. I suggest trying Antigen 2000
- (http://fs.arez.com/antigen) if you're on a Windows 95 or 98 computer. If you are a
- Delphi programmer with NT knowledge, please contact FreshMan to help him make Antigen
- 2000 NT-compatible. If you would rather remove it manually, here is my 3-step removal
- for the one version of Back Orifice 2000 I found:
-
- 1. Open Regedit (Start..Run..Regedit). Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- (check the same key under HKEY_CURRENT_USER as well) and remove the UMG32.EXE value.
-
- 2. Reboot the computer, or close UMG32.EXE.
-
- 3. Finally, browse to the Windows system directory (usually c:\windows\system),
- then find and delete UMG32.EXE.
-
- Here is my list of default trojan ports so far. Yes, there are more, but patience
- is a good thing; I'll add more once I get around to testing the trojans. I am
- not about to steal (or accept) a pre-made list. Well, here it is so far:
-
- [Port] [Protocol] [Trojan Name(s)]
- 25 (TCP) Antigen, Kuang2 0.17 - 0.30
- 555 (TCP) Ini-Killer, Phase-0, Stealth Spy
- 666 (TCP) Attack FTP
- 1243 (TCP) SubSeven 1.0 - 2.0
- 1349 (UDP) Back Orifice DLL version
- 1492 (FTP) FTP99CMP
- 1999 (TCP) BackDoor 2.00 - 2.03
- 2115 (TCP) BUGS
- 4567 (TCP) File Nail
- 5000 (TCP) Bubbel
- 5400 (TCP) Blade Runner 0.80 Alpha
- 5401 (TCP) Blade Runner 0.80 Alpha
- 5402 (TCP) Blade Runner 0.80 Alpha
- 6669 (TCP) Vampire
- 7789 (TCP) ICQ Killer
- 10607 (TCP) Coma
- 12345 (TCP) NetBus 1.20 - 1.70
- 20034 (TCP) NetBus 2.0 Beta - 2.01
- 21544 (TCP) GirlFriend 1.0 Beta - 1.35
- 23456 (FTP) EvilFTP
- 30100 (TCP) NetSphere
- 30101 (TCP) NetSphere
- 30102 (TCP) NetSphere
- 31337 (UDP) Back Orifice 1.20
- 31338 (UDP) Deep BO
- 34324 (TCP) BigGluck
- 54321 (TCP) SchoolBus .69 - 1.11
- 65000 (TCP) Devil
- 69123 (TCP) ShitHeep (as listed; note that 65535 is the highest possible TCP port)
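- As an added example, not part of Zemac's column, here is the checking side of the
- removal steps and the port list above, written in Python. The inputs are constructed
- strings standing in for system.ini, win.ini, a regedit export of the Run/RunServices
- keys and "netstat -an" output, so it runs offline; on a real Windows 9x machine you
- would feed it the real files. The port table holds only the trojans discussed in the
- text; extend it from the full list.

```python
# Added example (not part of the original column): checking a Windows 9x machine for
# the startup hooks and default ports described above. Inputs are constructed strings
# standing in for system.ini, win.ini, a "regedit /e" export and "netstat -an" output;
# on a real machine you would feed in the real files. The port table holds only the
# trojans discussed in the text; extend it from the list above (note that the 69123
# entry there is above 65535, the highest possible TCP port).
import re

TROJAN_PORTS = {                       # (local port, protocol) -> trojan
    (1243, "TCP"): "SubSeven 1.0 - 2.0",
    (6669, "TCP"): "Vampire",
    (12345, "TCP"): "NetBus 1.20 - 1.70",
    (20034, "TCP"): "NetBus 2.0 Beta - 2.01",
    (31337, "UDP"): "Back Orifice 1.20",
    (31338, "UDP"): "Deep BO",
    (54321, "TCP"): "SchoolBus .69 - 1.11",
}

# File names from the removal steps above, lower-cased for matching.
KNOWN_FILES = {"mtmtask.dl": "SubSeven", "sockets.exe": "Vampire 1.0", "umg32.exe": "Back Orifice 2000"}


def _ini_sections(text):
    """Minimal INI parser: {section: {key: value}} with section and key names lower-cased."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_ini_files(system_ini, win_ini):
    """Flag the hooks used by removal methods 1 and 2. A clean Windows 9x system has
    shell=Explorer.exe alone in system.ini and empty run= and load= lines in win.ini;
    when cleaning, delete only the extra token, never the whole shell= line."""
    findings = []
    shell = _ini_sections(system_ini).get("boot", {}).get("shell", "")
    if shell.split()[1:]:                                  # something after the shell program
        findings.append(("system.ini [boot] shell=", " ".join(shell.split()[1:])))
    windows = _ini_sections(win_ini).get("windows", {})
    findings += [(f"win.ini [windows] {k}=", windows[k]) for k in ("run", "load") if windows.get(k)]
    return findings


def check_registry_export(reg_text):
    """Flag Run/RunServices values (method 3 and the Vampire and BO2K steps) that point
    at a known file, whatever name the value was given."""
    findings, key = [], None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line and key.rsplit("\\", 1)[-1].lower() in ("run", "runservices"):
            name, data = (part.strip('"') for part in line.split("=", 1))
            findings += [(key, name, data, t) for f, t in KNOWN_FILES.items() if f in data.lower()]
    return findings


NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s", re.IGNORECASE)


def check_netstat(netstat_text):
    """Match local ports in 'netstat -an' output against TROJAN_PORTS. Only listening TCP
    sockets count: an outbound connection whose local port happens to be 12345 is not a
    NetBus server. A hit is a lead, not proof, since most servers can be given any port."""
    findings = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m or (m.group(1).upper() == "TCP" and "LISTENING" not in line.upper()):
            continue
        port, proto = int(m.group(2)), m.group(1).upper()
        if (port, proto) in TROJAN_PORTS:
            findings.append((port, proto, TROJAN_PORTS[(port, proto)]))
    return findings


# Constructed samples: a SubSeven hook in system.ini, a clean win.ini, Vampire and BO2K
# registry entries, and a SubSeven listener plus a Back Orifice UDP socket.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe mtmtask.dl\n[386Enh]\ndevice=*vmm32\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Sockets"="C:\\WINDOWS\\SYSTEM\\Sockets.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"UMG32.EXE"="UMG32.EXE"
"""
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1243           0.0.0.0:0              LISTENING
  TCP    192.168.0.5:12345      10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""
```

- Two caveats are built into the checks: only a listening TCP socket counts as evidence
- of a server (the ESTABLISHED line with local port 12345 in the sample is deliberately
- ignored), and a system.ini cleanup must leave shell=Explorer.exe intact. Registry
- matching goes by the file the value points at rather than the value name, since the
- name (KERNEL32, Sockets, UMG32.EXE) is whatever the person who configured the server chose.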
-
- After that lovely list, here is something useful to VirusScan users: the name
- VirusScan uses and what it really is, in English. The purpose is to help people who
- know they are infected: VirusScan is nice enough to tell you you're infected, but
- it does so with a weird name and doesn't let you remove it.
-
- [Weird name] [English version]
- Acid.Shiver.c - Acid Shivers
- Antigen.a - Antigen
- BackDoor-C.dr - Excalibur
- BackDoor-E.srv - Net Monitor
- BackDoor-G.cfg - SubSeven configuration tool(Editserver.exe)
- BackDoor-G.srv - SubSeven 1.4 and up
- BackDoor-G.cli - SubSeven 1.4 and up client
- BackDoor-H.dr - Not sure actually, our infected file is called securewin.exe
- BackDoor-J.srv - Any version of Deep Throat or Invasor
- BackDoor-J.cli - Any version of Deep Throat client
- BackDoor-K.srv - Portal of Doom
- BackDoor-K.cli - Portal of Doom client
- BackDoor-L.srv - Millennium or modified version by LeenTech
- BackDoor-L.cli - Millennium client
- BackDoor-M.srv - WinCrash 2.0
- DUNpws.f - Tapiras
- DUNpws.p - Naebi
- DUNpws.p.cfg - Naebi configuration tool
- DUNpws.r - TailGunner
- DUNpws.s - WinPC
- FixIt - Evil FTP
- GirlFriend.srv.a - GirlFriend 1.35
- GirlFriend.srv.b - GirlFriend 1.35
- GirlFriend.cli.b - GirlFriend 1.35 client
- GirlFriend.srv.c - GirlFriend 1.3
- GirlFriend.cli.c - GirlFriend 1.3 client
- ICQRev - Gjamer trojan
- Justas.b - Shtirlitz
- Justas.cfg - Shtirlitz configuration tool
- MprMod - Remote Grab
- NetBus.srv - Any NetBus server
- NetBus.cli - Any NetBus client
- NetBus.dll - KeyHook.dll (DLL NetBus installs)
- NetBusPro.svr - NetBus Pro server
- Orifice - Naebi 2.18
- Orifice.addon.a - Not sure but the Sheep.exe was infected with it(Assuming some plugin)
- Orifice.srv - BackOrifice 1.20, BackOrifice DLL
- Orifice.srv.b - Phineas Phucker(Copy of Back Orifice 1.20)
- Orifice.srv.c - BackOrifice 1.20 modified by LeenTech
- Orifice.dr - NetBus 1.7 in a fake picture program, ICQ Trojan modified by LeenTech,
- NetBus 2.0 pro modified by HackCity
-
- Orifice.cli.a - BackOrifice 1.20 console client
- Orifice.cli.b - BackOrifice 1.20 GUI client
- Orifice.config - BackOrifice 1.20 configuration tool
- Paradise Agent.srv.b - Masters/Hackers paradise 98
- Paradise Agent.srv.c - Masters/Hackers paradise 98 9.7 Beta
- Paradise Agent.srv.d - Masters/Hackers paradise modified by LeenTech
- PSW.Kuang2 - Kuang
- SecretAgentDat2 - Hackers Paradise
- SPing - ICQ Trogen
- SpySender - Not sure
- TeleCommando.cli - TeleCommando client
- Trojan Sockets.svr - Blazer 5
- Trojan Sockets.cli - Blazer 5 client
- Trojan Sockets.svr.a - Control du socket
- Trojan Sockets.cli.a - Control du Socket client
- Trojan Sockets.cli.b - Sockets 2.3 client
- W32/Cheval.gen - Sockets 2.3 trojan(Infects like a virus)
- WinCrash.svr - Any WinCrash below 2.0
- WinCrash.cli.a - Any WinCrash client below 2.0
-
- Zemac
- zemac@dark-e.com
- http://www.dark-e.com
-
-
-
- XI. Spam: The problems with junk e-mail
- ---------------------------------------
-
- For the virus and spam sections we have enlisted the help of Doug Muth (http://claws-and-paws.com).
- As mentioned in our editorial, however, he's on vacation at the moment. He will write on
- some of the social as well as technical issues regarding these sections when he gets
- back, but until then we'd like to quote something on the issue of spam, taken from one
- of the projects he's involved in, CAUCE.ORG.
-
- We all get junk mail at home. It's an accepted fact of life, at least in the U.S.
- So why is Unsolicited Commercial Email (UCE) -- a/k/a "spam" or "junk
- email" -- a problem?
-
- To understand the problem of UCE, you must first understand what is most
- often advertised via UCE. There are many places on the Internet where copies
- of UCE are reposted by recipients and system administrators in order to help
- notify the Internet community about where UCE is originating. Surveying
- mailing lists like SPAM-L@EVA.DC.LSOFT.COM and USENET
- newsgroups in the news.admin.net-abuse.* hierarchy, you will see that there
- are very few reputable marketers using UCE to advertise goods and services.
- To the contrary, the most commonly seen UCEs advertise:
-
- Chain letters
- Pyramid schemes (including Multilevel Marketing, or MLM)
- Other "Get Rich Quick" or "Make Money Fast" (MMF) schemes
- Offers of phone sex lines and ads for pornographic web sites
- Offers of software for collecting e-mail addresses and sending UCE
- Offers of bulk e-mailing services for sending UCE
- Stock offerings for unknown start-up corporations
- Quack health products and remedies
- Illegally pirated software ("Warez")
-
- So why is this such a problem?
-
- Cost-Shifting. Sending bulk email is amazingly cheap. With a 28.8
- dialup connection and a PC, a spammer can send hundreds of
- thousands of messages per hour. Sounds great, huh? Well, it is for the
- spammer. However, every person receiving the spam must help pay
- the costs of dealing with it. And the costs for the recipients are much
- greater than the costs of the sender.
-
- Some junk emailers say, "Just hit the Delete key!" Unfortunately, the problem is
- much bigger than the time and effort of one person deleting a couple of emails.
- There are many different places along the process of transmitting and delivering
- email where costs are incurred. In the Internet world, "time" equals many different
- things besides the hourly rate that many people are still charged.
-
- For example, for an Internet Service Provider, "time" includes the load on the
- processor in their mail servers; "CPU time" is a precious commodity and
- processor performance is a critical issue for ISPs. When their CPUs are tied up
- processing spam, it creates a drag on all of the mail in that queue -- wanted and
- unwanted alike. This is also a problem with "filtering" schemes; filtering email
- consumes vast amounts of CPU time and is the primary reason most ISPs cannot
- implement it as a strategy for eliminating junk email.
-
- The problem is also compounded by the fact that ISPs purchase bandwidth -- their
- connection to the rest of the Internet -- based on their projected usage by their
- prospective user base. For most small to mid-sized ISPs, bandwidth costs are among
- the greatest portions of their budget and contribute to the reason why many
- ISPs have a tiny profit margin. Without junk email, greater consumption of bandwidth
- would normally track with increased numbers of customers. However, when an outside
- entity (e.g., the junk emailer) begins to consume an ISP's bandwidth, the ISP has
- few choices: 1) let the paying customers cope with slower internet access, 2) eat
- the costs of increasing bandwidth, or 3) raise rates. In short, the recipients are
- still forced to bear costs that the advertiser has avoided.
-
- "Time" also makes for some other interesting problems, especially coupled with volume.
- Recent public comments by AOL are a useful point of reference: of the estimated 30
- million email messages each day, about 30% on average was unsolicited commercial email.
- With volumes such as that, it's a tremendous burden shifted to the ISP to process and
- store that amount of data. Volumes like that may undoubtedly contribute to many of the
- access, speed, and reliability problems we've seen with lots of ISPs. Indeed, many
- large ISPs have suffered major system outages as the result of massive junk email
- campaigns. If huge outfits like Netcom and AOL can barely cope with the flood, it is
- no wonder that smaller ISPs are dying under the crush of spam.
-
- Fraud. Spammers know that in survey after survey, the overwhelming majority (often
- approaching 95%) of recipients don't want to receive their messages. As a result, many
- junk emailers use tricks to get you to open their messages. For instance, they make the
- mail "subject" look like it is anything other than an advertisement.
-
- In many cases, ISPs and consumers have set up "filters" to help dispose of the crush
- of UCE. While filters often consume more resources at the ISP, making mail delivery and
- web surfing slower, they can sometimes help end-users cope a little bit better. Spammers
- know this, so as they see that mail is being blocked or filtered, they use tricks that
- help disguise the origin of their messages. One of the most common tricks is to relay
- their messages off the mail server of an innocent third party. This tactic doubles the
- damages: both the receiving system, and the innocent relay system are flooded with junk
- email. And for any mail that gets through, often times the flood of complaints goes back
- to the innocent site because they were made to look like the origin of the spam.
-
- Another common trick that spammers use is to forge the headers of messages, making it
- appear as though the message originated elsewhere, again providing a convenient target.
-
- Waste of Others' Resources. When a spammer sends an email message to a million people,
- it is carried by numerous other systems en route to its destination, once again shifting
- cost away from the originator. The carriers in between are suddenly bearing the burden
- of carrying advertisements for the spammer. The number of spams sent out each day is
- truly remarkable, and each one must be handled by other systems; there is no
- justification for forcing third parties to bear the load of unsolicited advertising.
-
- The methods employed by spammers to avoid being held responsible for their actions are
- very often fraudulent and tortious. Numerous court cases are underway between spammers
- and innocent victims who have been subjected to such floods. Unfortunately, while major
- corporations can afford to fight these cutting edge cyberlaw battles, small "mom-and-pop"
- ISPs and their customers are left to suffer the floods.
-
- There's a long tradition in this country of making commercial enterprises bear the costs
- of what they do to make money. For example, it would be far cheaper for chemical
- manufacturers to dump their waste into the rivers and lakes... however "externalities"
- (as the economists call it) are bad because they allow one person to profit at another's
- -- or everyone's -- expense.
-
- The great economist Ronald Coase won a Nobel Prize talking about exactly this kind of
- situation. He said that it is particularly dangerous for the free market when an
- inefficient business (one that can't bear the costs of its own activities) distributes
- its costs across greater and greater numbers of victims. What makes this situation so
- dangerous is that when millions of people only suffer a small amount of damage, it is
- often more costly for the victims to go out and hire lawyers to recover the few bucks
- in damages they suffer. That population will likely continue to bear those unnecessary
- and detrimental costs unless and until their individual damage becomes so great that
- those costs outweigh the transaction costs of uniting and fighting back. And the
- spammers are counting on that: they hope that if they steal only a tiny bit from
- millions of people, very few people will bother to fight back.
-
- In economic terms, this is a prescription for disaster. Because when inefficiencies
- are allowed to continue, the free market no longer functions at peak efficiency. As
- you learn in college Microeconomics, the "invisible hands" normally balance the market
- and keep it efficient, but inefficiencies tip everything out of balance. And in the
- context of the Internet, these invisible marketplace forces aren't invisible anymore.
- The inefficiencies can be seen every time you have trouble accessing a web site, or
- whenever your email takes 3 hours to travel from AOL to Prodigy, or when your ISP's
- server is crashed by a flood of spam.
-
- CAUCE believes that stealing is stealing, whether you take a penny or a dollar or a
- thousand dollars. Remember, you only need to steal a penny from 4 million people in
- order to have enough to buy yourself a brand new Mercedes Benz.
-
- Displacement of Normal Email. Email is increasingly becoming a critical business tool.
- In the late 1980s, as more and more businesses began to use Fax machines, the marketers
- decided that they could Fax you their advertisements. For anyone in a busy office in
- the late 1980s, you will remember the piles and piles of office supply advertisements
- and business printing ads that came pouring out of your Fax machine... making it
- impossible to get the Fax that you were expecting from your East Coast office.
-
- This problem spawned the original Anti-Junk-Fax law that CAUCE is seeking to amend. In
- the first major court challenge to that law, a junk fax company called Destination
- Ventures lost their suit. The 9th Circuit Court of Appeals said that the law was
- constitutional because the imposition of such high costs and inconvenience onto
- businesses and consumers made the law a reasonable restriction. By extension, we
- argue that junk email isn't very different from junk faxes in the way it consumes the
- resources of others.
-
- Spam can and will overwhelm your electronic mail box if it isn't fought. Over time,
- unless the growth of UCE is stopped, it will destroy the usefulness and effectiveness
- of email as a communication tool.
-
- Annoyance Factor. Your email address is not the public domain! It is yours, you paid
- for it, and you should have control over what it is used for. If you wish to receive
- tons of unsolicited advertisements, you should be able to. But you shouldn't be forced
- to suffer the flood unless and until you actually request it. This is the heart of the
- "Opt In" approach supported by CAUCE.
-
- But what about junk mail makes it so annoying? In part, it's because accessing email for
- many people is still a bit of a struggle. For example, try as they may, many of the
- major online services are still hard to connect into. Their software doesn't always
- configure very easily. After a few calls to customer support, you finally got it
- installed. So, after being away for a few days, you try to get your email. Of course,
- you have to keep dialing, dialing, dialing... busy signals. Finally you connect --
- only it might be a 9600 baud connection, because all of their 28.8 modems are busy.
- Still, you're finally connected and you see that "You've got mail!"
-
- But when you try to retrieve your email, the "System Is Not Responding. Please Try
- Again Later." After five or ten more minutes of this, you finally get your email to
- start downloading. You were only out of town for four days; there must be a lot of
- mail, because it takes you about 10 minutes to get it all downloaded. Once you've
- retrieved it all, you open it up, and what do you see? Five pornographic web site
- spams, three letters from some guy named Dave Rhodes and his cousin Christopher
- Erickson telling you how to make $50,000 in a week, somebody telling you that you're
- too fat and you need Pyruvate (sprinkled with Blue Green Algae), and two offers to
- buy stock in a "New Startup Company"...only the broker is a really bad speller and
- can't decide whether he's selling "stock" or "stork." Oh, and there was an email from
- the "Postmaster" telling you that when you tried to "Remove" yourself from a junk
- email list, the address: "Work.At.Home@noreply.org" was of course "Unknown."
-
- So after a half hour of delays and frustration, all you've got to show for your efforts
- is a box full of spam. Is it any wonder people are annoyed?
-
- Ethics. Spam is based on theft of service, fraud and deceit as well as cost shifting to
- the recipient. The great preponderance of products and services marketed by UCE are of
- dubious legality. Any business that depends on stealing from its customers, preying on
- the innocent, and abusing the open standards of the Internet is -- and should be --
- doomed to failure.
-
- PLEASE NOTE: Non-profit, non-commercial publications may reprint this information if
- full credit is given. Others please contact CAUCE.ORG
-
-
-
- XII. Freedom of speech - related incidents
- ------------------------------------------
-
- *******************************************************************
- "Make men wise, and by that very operation you make them free. Civil liberty follows
- as a consequence of this; no usurped power can stand against the artillery of opinion."
- - William Godwin
- *******************************************************************
-
- Every day the battle between freedom and repression rages through the global ether.
- Here are this week's link highlights from NewsTrolls (http://www.newstrolls.com):
-
- - Weekend Edition:
-
- China's crackdown on democracy activists gets harsher still:
- <http://www.insidechina.com/news.php3?id=83774>
- Liu Xianbin, who was also DENIED legal representation, gets 13 YEARS for 'subverting
- the state'
-
- Other recent sentences given out for 'subverting the state':
-
- Qin Yongmin, 12 years, Crime: seeking official recognition for China Democracy Party
-
- Wang Youcai, 11 years, Crime: seeking official recognition for China Democracy Party
-
- Xu Wenli, 12 years, Crime: founder of China Democracy Party
-
- She Wanbao, 12 years, Crime: member of China Democracy Party
-
- Gao Hongming, 8 years, Crime: chairman of China Democracy Party- Beijing
-
- Zha Jianguo, 9 years, Crime: chairman of China Democracy Party- Beijing
-
- Yue Tianxiang, 10 years, Crime: setting up an organization to protect the rights of
- laid-off workers
-
- Zhang Shanguang, 10 years, Crime: attempting to organize a workers rights group and
- reporting rural protests to a U.S. radio station.
-
- Fang Jue, 4 years, Crime: calling for democratic reforms in an essay
-
- Li Zhiyou, 3 years, Crime: scrawling anti-government graffiti, member of China
- Democracy Party
-
- Liu Xianli, 4 years, Crime: trying to interview China's best-known dissidents and publish a
- book on their activities
-
- Wang Ce, 4 years, Crime: "endangering state security" after sneaking back into the
- country last November.
-
- Peng Ming, 18 months re-education with no trial, Crime: founder of the China Development
- Union (CDU) environmental movement
-
- Lin Hai, 2 years, Crime: inciting the overthrow of the state through the Internet
-
- - Monday:
-
- In America, the strange bedfellows of Democrat Feinstein and Republican Hatch draft
- the Methamphetamine Anti-Proliferation Act which, if passed, would ban Internet
- discussions and links to unapproved drugs...
- <http://www.wired.com/news/news/politics/story/21152.html>
-
- From the Wired article:
-
- "If the measure becomes law, it will create a new federal felony -- punishable by a
- fine and three years in prison -- that covers Web pages that link to sites with
- information about where to buy "drug paraphernalia" such as roach clips, bowls, and
- bongs. Even editors of news organizations that publish articles about drug culture and
- link to related sites will be subject to arrest and prosecution."
-
- - Tuesday:
-
- The journalists' rights group Reporters Sans Frontieres (RSF) brands countries
- "Enemies of the Internet" for controlling access and censoring websites.
- <http://news.bbc.co.uk/hi/english/world/newsid_415000/415870.stm>
- The list includes China, North Korea, Cuba, Iraq, Iran, Libya, Saudi Arabia, Syria,
- Sierra Leone, Sudan, Tunisia, Vietnam, Myanmar, Azerbaijan, Kazakhstan, Uzbekistan,
- Kyrgyzstan, Tajikistan, Turkmenistan, Belarus and others
-
- - Wednesday:
-
- While everyone else was occupied with Kosovo, Clinton signed a directive creating
- the International Public Information group that will control the flow of
- US government news overseas.
- <http://search.washingtonpost.com/wp-srv/WAPO/19990808/V000744-080899-idx.html>
-
- From the Washington Post article:
-
- "The group came about partly in response to the spread of unflattering or erroneous
- information about the United States received abroad via electronic mail, the Internet,
- cellular telephones and other communications advances...President Clinton signed a
- directive April 30, in the thick of the Kosovo war, that set out plans for IPI,
- although the White House did not formally announce the group's existence or role."
-
- - Thursday:
-
- Japan's Parliament passes the Wiretapping Bill
- <http://www.yomiuri.co.jp/newse/0813po03.htm>
- <http://www.sjmercury.com/breaking/docs/020020.htm>
-
- From the San Jose Mercury article:
-
- "The wiretapping law is similar to those in other countries. But many Japanese,
- remembering secret police brutality during World War II and crackdowns on radical
- students and labor unions in the 1950s and 1960s, have long been reluctant to hand
- police greater powers. ``We cannot but feel the sense of danger that people's freedom
- and privacy are being violated,'' the national Asahi newspaper said in an editorial
- today."
-
- In just one week...
-
- diva aka Pasty Drone
- NewsTrolls, Inc. , http://www.newstrolls.com
- pastydrone@newstrolls.com
-
-
-
- XIIV. Meet the underground
- --------------------------
-
- This section of our newsletter will be especially dedicated to the people defacing Web
- sites. For this first release of Default, I think there are first a few issues that need
- to be discussed regarding the subject of defacing and on whether or not we should give
- these people this kind of attention. I'll try to make my point of view on why we do give
- them the attention a bit clearer in this column. This means you will have a week more to
- get to "the good stuff" of this section, but until then I hope you'll bear with me on
- this one for a moment.
-
- There always has been, and there will probably always be, a lot of arguing as to what
- real "hacking" is, if the people defacing sites are in reality "hackers" or "crackers"
- or nothing more than "script kiddies". I think we all have different opinions on that.
- To me personally this whole stereotyping thing is pretty stupid in itself. A while ago
- someone told me this: "There is no such thing as a "cracker", not really. A Cracker is
- something that somebody came up with for a hacker that does damage. That's like saying
- "Bees that don't sting aren't bees". " I tend to agree on that, but would like to
- take this a bit further. All these names for each other are, once again in MY personal
- opinion, nothing more than stereotypes. Let's look at the concept of hacking for a
- moment as it being a learning experience, more specifically a learning experience
- regarding computers. We're not even going into the security part of it at the moment.
- I consider people like Dennis Ritchie and Ken Thompson or Linus Torvalds at least as
- much "hackers" as a lot of other people I know from the "underground" nowadays, though
- I've yet to see my first web page claiming "LINUS WAS HERE!".
-
- In my case, this learning experience is achieved through doing the stuff you read; I
- wouldn't know of any other or better way of learning than by trying things out yourself.
- But when you look at it like that, you might find some may want to try out what they've
- learned in the real world. I don't condone web site attacks, but I don't condemn them
- either.
- There are a lot of new developments in the wonderful world of computers, especially in
- the security scene. From a learning point of view, the best way to find out about these
- new developments is through encountering them in that same real world. With these
- "hackers" coming across new things and learning how they work, they inevitably come
- across flaws in those same systems. "Ok," you might say, "but they don't have to deface
- sites for it, just let them find the flaw and notify the vendor, even maybe help them
- try to correct it." But what if you notify the vendors but they give you the impression
- to be dragging their feet, not being too interested in having to come out with yet
- another flaw in their beloved products, while this vulnerability could easily be
- exploited on a type of system that's widely used all over the Internet? (IIS bug
- springs to mind)
- And what if the vendor did fix it and it hasn't reached one of the administrators
- who uses this product or the admin just hasn't got a clue. What if you come across a
- site which is vulnerable to this same problem? "Well, then report it to the admin.."
- While I personally might agree on that, that still doesn't mean it solves the problem.
- The US Army website incident springs to mind. That web site got defaced a month or so
- ago using the well-known Cold Fusion vulnerability. Two months before that, the
- administrator of that site was warned by the security group L0pht Heavy Industries that
- his site was indeed vulnerable to this exploit. And that was the official main site of
- the US army in a period of time where the US government already had been embarrassed by
- several defacements on other sites! So I think we've established that this approach
- might not always work.
- Now I have to note that although I took this point of view to distance, it is not one
- which occurs very often. A lot of hacks are done by what might be called "script kiddies",
- who read about an exploit (yes "script kiddies" read bugtraq too you know) and use it
- for their own purposes, which mostly include fame and attention. But that doesn't mean
- that someone who comes across such an exploit on a page and uses it has to be a script
- kiddie, nor does it mean that when you come across such an exploit you should use it.
-
- Another thing that you might say is that by giving these groups attention in our
- newsletter, they might feel encouraged by the attention. And I must admit that even
- Help Net Security didn't even report hacks for a small period of time this year because
- of this view. But we are here to try and bring you the news. That means we have to
- report on things from an objective point of view. We can't just shut our eyes and
- pretend it isn't there. It's there all right and we won't make it go away by ignoring
- it. Maybe not by giving it even more attention either, but I feel there are a lot of
- people out there who actually deserve some attention and actually have something useful
- to say. We want to give them the opportunity to say it through a different type of
- medium, which will be this column.
-
- It all is a little game between vendors and administrators on one hand and the
- "hackers"/"crackers"/"script kiddies" on the other. You may not like it, but what if
- full disclosure would vanish? What if flaws weren't reported at all anymore? On which
- side would the problem be then? I've said it once and I'll say it again: You don't have
- to like hackers and what they do, you certainly don't have to condone but don't condemn
- it either. The "underground" is not nearly as big a problem as it would be if it
- actually went underground. An extremely small part of defaced sites is actually erased by
- the attackers; defacements are mostly an embarrassment but that's it, so a more mature
- reply than immediately calling for prosecution might be in order. Most hackers are by
- nature not so much malicious as curious, which helps out a lot more when it comes
- to discovering and fixing flaws than you see covered in the mainstream media. And to
- all you hackers out there, try maintaining some kind of ethics? And remember, it IS
- illegal, so if you don't want to do the time, don't do the crime.
-
- Heh, give me some replies and opinions on this people. Next week the interviews!
-
- Thejian
- Help Net Security
- thejian@net-security.org
-
-
-
- XIV. Guest column
- -----------------
-
- This weeks guest column is by Natasha Grigori of the ACPO, a cause which Help Net
- Security supports fully.
-
- The mission of ACPO, and our goals:
-
- ACPO is a non-profit Group formed to actively seek out and stop the
- exploitation of children on the Internet. Our focus is to protect our
- children from the predatory and perverse criminal elements that seek to
- destroy their innocence. While we are firmly in favor of free speech in
- all its forms, especially on the Internet, we are opposed to the active
- sexual exploitation of children. We have chosen to act against the
- dissemination of child pornography over the Internet. Our motivation is
- the fact that there is a genuine connection between the distribution and
- acceptance of pedophile pornography and actual incidents of sexually
- abused children. Not to mention that all existing hardcore pedophile
- pornographic material is the result of very real abuse. Our children are
- our future, as such we must protect them as we would our own lives and
- in doing so ensure a better future for us all.
-
- Our secondary focus is to educate. We want to provide individuals and
- organizations training about the Internet and its associated risks. We
- will counsel law enforcement on the Internet aspects of gathering
- information and evidence. We pursue all of our goals with the ethical
- and moral values of most anybody confronted with this abhorrent
- practice. We will tolerate only approaches, and condone no illegal
- activities. Failure to abide by the ACPO operations standards is grounds
- enough for revocation of ACPO membership.
-
- Our goals can be broken down as follows:
-
- 1. Provide a maximum of information to concerned law enforcement
- authorities, including activity hotspots on the Internet and the results
- of our own investigations into the activities of online child
- pornographers.
- 2. Put a halt to sensationalism and hype regarding the Internet while
- promoting quality investigative journalism on pedophile pornography.
- 3. Create enough public pressure to bring authorities to the point of
- action.
- 4. Form a cooperative with other Internet groups with similar goals,
- which will benefit us all and increase our impact. We are working to
- provide a website to which our members will be able to turn for
- information and resources, and will add other means of communication.
- Our approach is somewhat different from other organizations, in that we
- are combining the drive for wide public support with the knowledge of
- Internet experts.
-
- This is our first public description of our mission. We view this as a
- work in progress that will continue to be refined.
-
- If you have any questions or concerns about our Mission Statement,
- please feel free to mail me at Natasha@infovlad.net. You should get a
- response from me within a week, possibly less. And BTW look for our
- exciting news next Friday.
-
-
- ============================
- Thanks for being 'Child-Friendly'
- Natasha Grigori Founder
- ACPO http://www.antichildporn.org/
- http://www.infovlad.net/antichildpornorg/
- mailto:natasha@infovlad.net
- ============================