Default newsletter Issue #5        
           http://default.net-security.org
        14.09.1999 Help Net Security
        http://www.net-security.org



TABLE OF CONTENTS
-----------------

I.  Editorial
II.  Mirrors
III.  Defaced pages
IV.  Hit2000 report
V.  Interview with v00d00
VI.  Want secure and encrypted e-mails? 
VII.  Security audit with our Mac Part-2/2
VIII.  More from the ACPO front
IX.  Infection and vaccination
X.  Watch out for documents you publish on The Internet
XI.  Freedom of speech - related incidents
XII.  Y2K survey for 72 countries
XIII.  Journalism



I.  Editorial
---------------------

Ok Issue 5 of Default newsletter is in front of you. We have some interesting 
articles in it: deepquest wrote interesting article on how could you get in 
big troubles if you publish MS Word or Excel files on The Internet, Lisa Pellegrin 
from International Y2K Cooperation Center did an survey on Y2K preparedness in 72
countries, Berislav Kucan talked to Leo Sheiner from Global Market Ltd, the company
which was lately in the news because of their "Self destructing" e-mails service, 
Xander Teunissen talked to well known hacker v00d00 etc.
We have more and more people subscribing to the newsletter, so we conclude that
we are getting better all the time. With only 4 issues behind, Default has now
8 mirrors. And for the end just to note that Default is open newsletter, so if
you have  a topic you want to write about do mail us.

For the HNS and HNS Default Crew:

Berislav Kucan
aka BHZ, webmaster Help Net Security
bhz@net-security.org

Xander Teunissen
aka Thejian, co-webmaster Help Net Security
thejian@net-security.org


Subscribing information:
mail majordono@net-security.org with a message in the body "subscribe news youremail"

II.  Default mirrors
---------------------

http://www.nwo.net/default
http://www.403-security.org/default
http://www.monitor.hr/security/default
http://www.attrition.org/~modify/texts/zines/default
http://www.projectgamma.com/archives/zines/default
http://www.dark-e.com/default
http://ech0.zort.org/default
http://www.deepquest.pf/default

If you mirror Default, please inform us, so we could add you to the list.


III.  Defaced pages
-------------------

Site: NASA JPL Quality Assurance Engineering (qa-web.jpl.nasa.gov)
Mirror: http://default.net-security.org/5/qa-web.jpl.nasa.gov.htm

Site: US Embassy in China (Chinese Server) (www.usembassy-china.org.cn)
Mirror: http://default.net-security.org/5/www.usembassy-china.org.cn.htm

Site: MTV Asia (mtvasia.com)
Mirror: http://default.net-security.org/5/www.mtvasia.com.htm

Site: Government of Brazil (www.brasil.gov.br)
Mirror: http://default.net-security.org/5/www.brasil.gov.br

Site: Ministry of Civil Service, Republic of China (www.mocs.gov.tw)
Mirror: http://default.net-security.org/5/www.mndm.gov.on.ca.htm

Site: Scottish Executive's Web site (www.scotland.gov.uk)
Mirror: http://default.net-security.org/5/www.mocs.gov.tw.htm

Site: The Open University (www.open.ac.uk)
Mirror: http://default.net-security.org/5/www.open.ac.uk.htm

Site: The Drudge Report (www.drudgereport.com)
Mirror: http://default.net-security.org/5/www.drudgereport.com.htm




IV.  Hit2000 report
--------------------


"And yes it is true that hackers and people like that living all day behind
a computer do dress weird and yes they are pale (is it summer again?), 
but that is no fact it's like in real life, they come in all shapes and sizes."


Hacking into 2000: You want stereotypes to go with that sir?

Last weekend (3, 4 and 5 September 1999) it was that time again, convention 
time! In Haarlem, The Netherlands, a large group of security enthusiasts 
gathered for the HIT2000 security convention. We've had some nice cons over here in the past 
and hopes (or at least mine) were up high for this one. Unfortunately there were some 
problems, nothing big, but still noticeable enough. Did that take points of HIT2000's 
success? Read on.

On day one, Friday the 3rd of September 1999, all the fun started. My 
friend Nazgul and I arrived on scene with an attitude of as the song goes "Here we are 
now, entertain us!" , although we were forewarned by the conventions official web site 
(http://www.hit2000.org) stating that we shouldn't expect to be kept busy 
24/7 and that it was mostly our own responsibility to gather some actual info during and 
besides the  speeches. 

-- Kicking off

Especially the first day, this was pretty big a truth. Because of it 
kicking off on a Friday, a lot of people didn't show up on day one yet due to work or 
school. In order to keep up with that and don't let those people miss anything, the 
organization had decided to keep the amount of speeches etc that day down to a minimum. Add 
the not so large amount of people there yet at that moment and you have not a lot more 
than a club-day of the alt.hack.nl newsgroup. But the atmosphere was good and it 
turned out  that it didn't even come close to being a problem. Something else pulled a 
whole lot more of attention to itself later on that day.

One hour later actually. After some initial network problems (which would 
keep occurring all the way through the weekend), someone decided it to be funny to start  
flooding to outside the network. The provider and it's upstream provider didn't take to 
that all that well, which caused a lot of problems at their end and effectively 
shutting HIT's internet connection down. If it weren't for a bit of smooth talking and 
social engineering from the organizations side, that would have been the case for 
the rest of the weekend. Thank god it wasn't, but the tone was set.

-- Day 2

Ending up behind our boxes and on the network early that morning, the day 
started off with some (getting all to familiar) networking problems. After checking 
the UTP  cables and switches which joined together in the room on large tables which 
were almost fulltime manned by people staring fixated to their screen, we discovered to 
be sharing our row of tables with one of the machines of the Hackme project. 
This was called into life with three donated boxes and a challenge to the convention 
visitors to hack them. The AIX box with which we shared a switch seems to have been 
taking up a  lot of resources (yeah sure, blame it on the box.. sorry but I have to find 
me some excuse :) , because as soon as we relocated we didn't have a problem with 
our connection anymore, at the moments that other people didn't have problems that is, the 
network still tended to be a bit unstable.

-- The speeches

But now we had stuff to do. Add to that the fact that there were finally 
some speeches kicking off, and you'll see we turned pretty hopeful. And with reason too, 
because some of the speeches were pretty informative. Of course it wasn't all the 
same quality nor did you need any experience for some while others did demand at least 
some level of knowledge, but I believe diversity is one of the tools of the trade and 
I enjoyed the speeches on version 6 of the IP protocol, the linux kernel and hiding 
in the same kernel to name but a few. This as to where others might have enjoyed 
those on the workings on GSM or Information Security in Europe more, anyway there 
WAS diversity.

-- The press

A lot of "hackers" etc gathering in one place is, with the current media 
focus on events in the security scene, bound to draw some press attention. Those of you who 
know me, know of my whining on how the vision people have of hackers is distorted 
because of all the press coverage which looks more at what sells then what actually is 
happening. Well surprise surprise, we got the worst of it again.

In an attempt to give us all the opportunity to look more important then we 
were, photographs were only allowed to be taken when the convention visitors were 
made aware of them by the speaker. Not that anyone seemed to care much about 
that, but o, if we had known before.. a slick little guy with a press-card dangling around 
his neck immediately threw himself onto the people in the areas where photographing 
was allowed. But hey, let's face it, in the "money-hungry" way of thinking mentioned 
above, average Joes like you and me don't interest readers, whether you can disassemble a 
server blindfolded with your hands on your back or not, you have to look a lot 
more "underground" and "elite" than just jeans and a shirt sitting in front of a screen. But 
our photographer friend (note the sarcasm) had a solution for that. All he had 
to do was bring alcohol and druglike substances into the picture and tadaa.. you were 
a lot more interesting. So it happened that someone who didn't even drink beer ended 
up on a picture with a crate of beer next to his box in an effort to capture one of these 
"underground punks who sit behind their screen all night while trying to impress their 
friends on the Internet in the meantime being intoxicated by everything the bible 
forbids." That's us for those of you who didn't know.

-- Day 3

There were no extensive plans on as to what would be done the last day. 
There was at least one speech planned, as well as the release of a package called 
"Phear". This turned out to be quite a drag, being nothing more then a collection of some 
common DoS attacks etc. The speech never surfaced.

-- The total picture

So what's the verdict on this years Dutch hacker gathering? Well, I tend 
to complain a bit, but I actually had a good time. With things like this, it's mostly 
what you make of it yourself and I think I had a nice try at that. Directly after 
HIT2000, some complaints surfaced from the so-called Dutch scene on the level of 
experience of the visitors and the technical level of the speeches. This isn't something 
currently only happening at HIT though. All those people out there who think they're so 
"elite" should think about how they got that way. Events like this are for the sharing of 
information, for people to learn new things, to obtain new knowledge. Of course everyone 
is on a different level at that, but we all started out at the same point and 
instead of whining about the lack of "skill" of newbies, you might try helping them, 
improving that skill. For if you didn't know, that's what hacking is truly about.

-- Belgian DNS server hacked

Besides that, I think some knowledge attending the conference is evident. 
Of course there were some defacements made from there with things for which you had 
to have skills equaling "Cold Fushion hackers", but 2 out of 3 of the Hackme-boxes 
got eventually compromised through some nicely tried attacks and what to think 
of the hack of the maintainer of the Belgian .BE domain? The idea for this hack 
is said to have originated at the Chaos Computer Camp a month earlier and in short  
intercepted ip-requests to the Belgian DNS server. Those requests were transferred 
through a webserver before reaching the actual domain name server and by intercepting and 
responding to the requests when they passed the webserver, the hackers were able to 
return their own fabricated information, thus redirecting the ip-requesting source to 
any site they wanted.

-- Final conclusion

HIT2000 started from a good idea. As the organization announced at the 
beginning of the convention, they didn't work too much on the actual organizing, it was 
the thought that counted and everyone should decide for themselves what to do with the 
things offered. This was nicely demonstrated by some not scheduled speeches. 
Someone decided he could tell something about changing identities using the Net, so he did. 
This spirits something that is needed in the scene more than anything nowadays and I 
personally enjoyed it a lot. There also were some problems though, which we can't 
forget that easily. I think this is where the organization thing should have come in. 
With a bit more of that and with what we already got for our money combined, I'll be 
back next year. And so should you.

Xander Teunissen
Thejian, Help Net Security




V.  Interview with v00d00
----------------------------


For this issue of Default I spoke to the hacker known as v00d00, who had 
some interesting views on exploits, hacking and law enforcement and the scene in general. 
Read on below.

Thejian:  Who is v00d00?

v00d00:    v00d00 is a hacker who tries to do what he does for a reason.

Thejian:  What's your vision of what a hacker is and does?

v00d00:    A hacker is someone who finds new security holes and codes his own 
    exploits and helps admins explaining vulnerabilities to them rather than 
    making him/her look like a complete fool.

Thejian:  Where does defacing come into that?

v00d00:    Defacing isn't true hacking, cracking is maybe a better term for it.

Thejian:  The discussion on that is endless.. "hacking"/"cracking".. Aren't it
    just all stereotypes?

v00d00:    Probably. Called into life to be able to finger something.

Thejian:  Looking through your "work" you see a somewhat of "maturing", from simple
    statements as "v00d00 was here" and some greets to "What is your purpose?
    to prove security wrong eh? Oh yeah, you could easily just leave the 
    admin a note explaining how you got in and where to get a patch for the 
    hole rather than making him/her look like a complete fool." What caused 
    this change of mind?

v00d00:    Well, I heared of this group defiance and did some defacements for them
    then I helped ne0h on his f0rpaxe dis but then i looked at some of 
    the older political hacks and so it came to be.

Thejian:  At a certain point you even stated you decided to do something and that 
    you were going to stop defacing. It seems you've changed your mind on 
    that as well. Why?

v00d00:    I now only deface when i think it's needed or when i need to get a point 
    through, make something heard.

Thejian:  How did the "hacker" stereotype get so distorted in the media?

v00d00:    They need something that's interesting to their readers, a lot of hackers
    do it for the publicity, even go to the media themselves, the so-called
    "mediawhores".

Thejian:  Is it all sensationalism?

v00d00:    A lot of it is.

Thejian:  What do you think of the US government reaction when it comes to this?

v00d00:    They read about hacking in the media and have to take a stand so they grab.

Thejian:  Isn't it a bit overkill?

v00d00:    Yes.

Thejian:  What's a script kiddie?

v00d00:    Someone who uses other people's exploits to make a name for himself defacing.

Thejian:  I don't think there are any hackers/crackers who always use exploits
    they coded themselves. Doesn't that make them and maybe even you a "script
    kiddie" as well?

v00d00:    I don't see myself as a great hacker.. people could call me that, I 
    dislike the term but.. 

Thejian:  Should it be illegal to exploit a system? exploiting as in "hacking/cracking"

v00d00:    I don't think so... if the companies are too stupid to check their 
    software before releasing it than it deserves to be dissed.

Thejian:  So hacking a site would be legal when the admin is too
    stupid/unknowledgable/lazy/whatever to upgrade?

v00d00:    Yes, the admin should respect his own box, or else he shouldn't have the 
    job.

Thejian:  Why is it they don't have this respect do you think? (at least it doesn't
    seem like it when you browse the attrition defacement mirror)

v00d00:    It's obvious that admins don't visit security sites very often... most of
    them probaby don't even know how to use the OS they are admin'ing. Seems 
    so anyways. They probably read something like "learn to admin in 22 days". 
    On the other hand... let me add this: I do respect admins, because i would 
    like to be one, I just think they could pay more attention to whats going
    on.

Thejian:  So hacking/cracking is more of a service then a crime?

v00d00:    Yes, because if one person doesnt do it, someone else will. Some sites 
    are still vulnerable a year later after being hacked, if you let them know 
    how you did it anyways..

Thejian:  So what can you do against those admins who just don't care? How can we 
    ensure the users' whom use that box 's security and privacy?

v00d00:    You can't.

Thejian:  So insecurity will always be a fact for some?

v00d00:    There is no such thing as "100% security", this will always be a fact for
    everyone. Boxes change software alot and when they do, there are new holes.

Thejian:  What's better then in your opinion? More different systems (with all their 
    specific holes) or one monopoly-like system (with its holes)?

v00d00:    I'd have to say, different systems. Hacking is also a challenge btw, it's
    like a game. People like challenges, hacking is the ultimate challenge 
    comp-wise.

Thejian:  Why? Doesn't that create more different holes (especially in more 
    combinations of systems)?

v00d00:    Well, let me put it this way, what 2 OS's do you see the most hacked? If 
    someones running digital unix they usually don't worry about security.

Thejian:  Ok, that's true, others learn from their mistakes too.. but they do have 
    their own specific holes again.. even when they're not discovered.. again,
    there's no such thing as 100% security.

v00d00:    Yep, but people tend to go after solaris/nt.

Thejian:  Heh there are a lot of those though it's not that hard.

v00d00:    Exactly... people like 'easy'. So they don't hack like dgux and openbsd.

Thejian:  Which makes a lot of them "script kiddies" again.. (sorry for the term :)
    How does Canadian law look onto this subject (hacking)?

v00d00:    Well... Canada looks into hacking the same way america does, just 
    doesn't take it to such extremities. If a major canadian site was defaced, the 
    RMCP would be after the culprate in no time.

Thejian:  No Canadian Kevin Mitnicks yet though?

v00d00:    Nope, ne0h and devil-c are the only canadian hackers i know.

Thejian:  Speaking of him, you expressed some pro-Mitnick views on 
    defacements.. why do you think there are so much anti-Mitnick feelings?

v00d00:    Again, the media. Because 5 years without a trial is bullshit.

Thejian:  But in the scene itself ?

v00d00:    Well, alot of people worship 2600 so they follow the movement. 2600's 
    Emmanuel Goldstein has been noted to be a very close friend of Mitnicks.

Thejian:  But 2600 is pro-Mitnick. Where did things as "Burn Kevin" come from? 
    Jealousy?

v00d00:    No, because people are mad that Mitnick is getting publicity and a lot 
    like to cause ruckus.

Thejian:  So the "mediawhore"-types are the ones against him?

v00d00:    A lot of them yes. I have no disrespect for any hackers or 
    crackers though, even if they dis me.

Thejian:  I've read some stuff against you too.. you hold no grudge on that 
    field  whatsoever?

v00d00:    Nope... me and ALOC have resolved problems. I never put anyone 
    down, so I don't know why people would dislike me anyways

Thejian:  Where does this feeling of competition in the "underground" come 
    from anyways? We're all here for the same thing right?

v00d00:    Pretty much, but some are just here to make a name, some are here 
    to spread a word, everyone has their own inidividual purpose. Competition is like 
    always, jealousy. Like in real life, if your good at a sport, and someone 
    comes along and is better, you want to prove that you are still "the king".

Thejian:  But is there anyone in this scene truly the king? In my opinion 
    no-one has all the answers nor all the knowledge, just can't be with the speed IT 
    developes.

v00d00:    There is no "best", there is good, bad, normal and average.

Thejian:  Who would you put in the good category?

v00d00:    Ne0h, mozy, keebler, stonehenge, and a few others. There are only 
    3 people that are above good. In my opinion the best groups of all time 
    have been: code zero, HFG and h4g1s.

Thejian:  Do you think this "group"-thing, hackers grouping together, is a 
    good or a bad thing?

v00d00:    It all depends on their ability to get along and how much trust 
    they have in each other.

Thejian:  Shouldn't everyone ideally get together in one big group?

v00d00:    No, there would be too many disagreements, there would be more fighting 
    than hacking involved.

Thejian:  Should companies be held responsible for flaws in their products?

v00d00:    Yes, the designers should.

Thejian:  In what way?

v00d00:    The beta testers are oviously not very intelligent because they  are 
    releasing faulty software, which is not a smart business choice.

Thejian:  How should such responsibility be enforced by the government?

v00d00:    The government shouldn't have to watch over companies, it's not their job.

Thejian:  Then whose is?

v00d00:    The owners.

Thejian:  Of the company?

v00d00:    Yep, they should ask more questions to the employees about what they are 
    releasing, put it trough hardcore testings.

Thejian:  Do you think they care?

v00d00:    Nope, the only care about money, as with everyone else in the world.

Thejian:  So nothing we can do unless keep pointing the problems out to them?

v00d00:    Absolutely nothing.

Thejian:  Hmm kind of sad when you think about it..

v00d00:    Totally.

Thejian:  I'm drawing to a close here, anything you might want to add?

v00d00:    Yep, go to NET-SECURITY.org for the best underground news around :; )

Thejian:  Hehe thanx man :) and thanks for your time :)

v00d00:    No problem.



VI. Want secure and crypted e-mails? 1on1lite offers that service
-----------------------------------------------------------------

Two weeks ago, one company called Global Market Ltd, released 1on1lite program,
which could provide secure, encrypted e-mail messages. As written on their page: 
"1on1mail uses 448 bit blowfish encryption and the keys are 2048 bit RSA. We believe 
that this encryption is unbreakable within any reasonable period even with virtually 
unlimited computing capacity. Therefore we offer this challenge: We will pay whoever 
can prove they can break this encryption $50,000 (fifty thousand US dollars)".
I talked to Leo Sheiner from Global Market Ltd about their software:

What team is behind 1on1lite? 

1on1Lite and all related technology is developed in house at Global Market 
Ltd. The project team for software development is (currently) six strong. 
Global Market Ltd. was established in 1995, has other products, is profitable
and is entirely self-funding. 

Where did you get the idea for it?

I append below a post I had published in Isales yesterday in answer to that
question.

// -- FEATURED POST -- //

From: Leo Sheiner <leo@netcomuk.co.uk>
Subject: Internet Research - Voodoo and Black Magic

There has been some interesting discussion on Trendmuncher about the
efficacy of statistical reasearch in a fast moving environment like the
Internet. I wanted to share my thoughts on this with the Isales list since
that is where I got much of my original input before deciding to create
1on1Lite.

My response was elicited from this small snippet with which I disagreed.

<snip>

>We have real decisions to make that will determine the success of >our
enterprises and we cannot rely on surface answers and is >interpretation.
As I say to my clients, the purpose of research is to >reduce the risk of
failure. You cant' do that cheaply or cursory.

<snip>

I do not really agree with David from my own vantage point. On the Internet
a surface answer is generally all you need.

I follow all the statistical results with great interest. These certainly
show trends but as an Internet Entrepreneur very often my decisions are
based upon an inverse assessment of the available research.

Let me explain. The Internet is a very fast moving market. What that means
is that there are new disruptive technologies introduced constantly. These
may at first address only a small niche but they can grow and eventually
overthrow older technologies. Everything on the net is moving at a frenetic
pace. In a fast moving market, statistics are to a large degree an autopsy.
You are looking at a corpse. What is needed is an anticipation of a birth.

In a very serious sense, if there is a statistic available to prove there
is a demand for a product you are probably already too late to bring
something to market to address that need. You need to anticipate a
requirement when there is in fact no demand for it. Then you need to build
a solution that has no problem. Then you launch your solution and build it
slowly to converge with the eventual demand created by the eventual change
of perception and consequent recognition of the problem. It is a bit risky
and you can get it wrong but in a fast moving market, it is the only way to
get to market first. And firstcomers on the web have a very great market
advantage.

Let me give you an example. A year ago, I ran a number of articles on the
subject of privacy on the web and in particular asked on various lists
(populated mainly by early adopters) whether they would be interested to
receive a free copy of email software that was completely secure. The
response was far from overwhelming. A trickle of half-hearted interest
showed me quite clearly there was no demand whatsoever for that product. So
I promptly committed a million dollars to the effort to create that
product. You may ask Why?

My assessment was quite simple. I believe that Commerce can only flourish
on the Internet if there is security and confidentiality. My view was then
and remains that commerce is coming. The fact is whatever commerce is being
transacted now is only a tiny fraction of what will be there will be one
day. Businesses will want to communicate securely. There is an immense
payoff if you can replace courier, mail, Fax and even telephone with email.
All of those are less effective than email and far more costly. But before
the launch of 1on1Lite there was no product that made privacy easy, certain
and transparent for the business user nor were there any facilities needed
by business people like tracking and automatic deletion available for
email. We built a better mousetrap before anyone knew there were any mice.

A month ago when we launched at http://1on1mail.com there was a modest
growth in our Free downloads but nothing to get excited about. It confirmed
my view on the lack of any real demand (yet).

That to me was perfect timing. Then we had the hotmail fiasco that suddenly
brought the issue of privacy into the headlines. People are beginning to
think, hey there is a problem here. I could see the inexorable rise in the
rate of registrations. That is just the beginning. I believe two years from
now, virtually everyone will use a secure form of communication by default.
Why use email that everyone can read when you can make your communication
secure for no extra effort or cost? I hope and expect that our product will
be among the leaders at that time. To conclude, statistics are very
important but it depends on how you use them, and a gut feel can be more
important than all the statistics in the world.


What are the characteristics of 1on1 lite which divides it from the normal e-mail? 

* Guarantees delivery and receipt of email
* Tracks and reports the delivery and opening of each message you send
* Guarantees complete confidentiality, with 2048 bit encryption ($50,000 offered to 
  anyone who can break it)
* Encrypts messages with military spec encryption
* Encrypts all attachments with the same military spec encryption
* Uses the same compatible encryption anywhere in the world (no export restrictions)
* Is not web based so you can work offline until you are ready to send and receive
* Is not web based so sensitive address books and messages are not kept on someone 
  else's server
* Has completely effective Anti-Spam features
* Has the smoothest transparent migration from ordinary email to encrypted email
* Has a simple to use interface



What is your privacy statement?

It is published in our terms and conditions when registering. I cannot 
remember the exact words but the drift is that no information provided 
will be passed to anyone under any circumstances and will only be 
used internally.


What about spam and your software? 

It is impossible to receive Spam on our secure channel


You offered $50k for cracking your algorithm, is it just a media stunt
for promoting 1on1mail or you are so sure in quality of your 2048 bit encryption?

Both. The offer is good, but we do not expect to have to pay.


Did you get any feedback on this cracking contest? 

About thirty applications so far.


How much customers do you have now?

We have about 6,000 downloads since we launched a month ago


What are the plans for 1on1 lite?

Continued evolution, the partner version to be released imminently
also http://1on1mail.com/Partners.html
and a number of payment by usage facilities (no I cannot tell you what) 
will be introduced around the core technology over the net twelve months.


Berislav Kucan
aka BHZ
bhz@net-security.org
http://net-security.org


VII. Security audit with our Mac Part-2/2
------------------------------------------

The DMZ, Demilitarized Zone, is supposed to be the safest place on the network you 
auditing. When I mean safest, it not only safe from logical access but also physical 
access. It's the barrier between the company's network and the outside wildwild world 
of Internet. Just to remind to people who didn't rode part 1 we will work only from a 
mac with virtual pc, linuxppc and of course MacOs.
In the dmz part you could spend weeks just to try to get into the Lan or any of its 
ressources (mail server, database, ftp etc....) because there're a bunch of things to check.
On this part we will use more Linuxppc than previously.
First of all get clear list off all active element in the dmz.From routers to switch, servers.
We call use nmap or a queso like to get all this but that's a waste of time. Let's suppose 
you'll have a IIS webserver, with a firewall-1 and a database server linked to IIS.
First question: what can access and what to?
Let's check which version of OS and softwares are used in the DMZ.Get a details about 
past 10 months issues in mailinglist like bugtraq (I mean remote exploits). And check 
if the systems as been patched against those.The other thing is took a closer look of what 
we can do from the outside world?
-Denial of Service Attack
-Errors in settings of the server, or routers.
For this 2 posssibilities your company has enought money to afford a 55,000$ toy like ISS.
Or just use white hat hacker toys from "underground" sites.Internet Security Suite, or 
Cybercop are nice toys but you know... paying for a software where you put  a ip or ip's 
and press "scan" after selecting types of attack is not that much constructive. Even drunk 
you could use that!There are bunch of free tools to work with.First what can you see from 
the outside?Get a scanner with OS fingerprinting features like queso, or Nmap ( current 
version v2beta5 get a copy and man here http://www.insecure.org/nmap/nmap_manpage.html).
The problem with certain security toys on Linux, is that they won't be usable (or hardly) 
on Linuxppc.Some librairies are not working properly on ppc.Most of them are focused on 
X86 computers.Anyway many of them can be used on Linuxppc, I tested Nmap on ppc it's 
exactly the same, just use basic options like -F -sS or even use decoy mode but you 
don't have to be that stealth cause that's only a basic test.I just had more troubles 
to use Kmap, a KDE interfaced version of nmap.You won't have that much problems to compile
source code, well hopefully! So you're now able to deternime what, ports are open.
Now what can you do, whith those.Try to browser advisories website to determine if those 
port can be harmfull to the integrety of the remote server unless you so smart you know 
all 6 months past issues by heart.
Make sure you don't find things like port: 23,137, 138, 139, 1352, 2301 etc...get a 
full list of ports with transport layer and description here:
http://www.deepquest.pf/portlist.txt. You might think to find those ports open but 
just a little experience I had few month ago, I was auditing a range of ip ( the domain 
is in south of europe, can't tell you more!), I just typed a wrong ip range before 
the scan and I found really funny stuff.There was telnet, http it doesn't seems very 
serious.So I point my browser to the ip.... Hpjetadmin tools with no restriction.I 
telnet on it no password and I jump right into the conf menu.What can you do with 
this access? Not that much except: hijacking *.ps sent to the printer.Intercept 
and redirect.What if there were confidential datas?I mail the admin and waited few 
weeks, they did nothing.I just used their printer once sending a file to print:
"adjust settings or all printed documents could be 0Wned.".Just for the information 
the company was an IT certified Micro$oft, Lotus...For the dmz try to use several 
protocol and operation systems, the ports opened has to necessary.
The other thing you can test is the snmp part.It provids usefull informations on 
active elements computers from network configuration, to logical status, cpu load 
and a bunch of info a intruder could use.There two kinds of communities: public and 
private.Private are defined by the admin with a password.But as you know everything 
haveing a loging and password can be break with remote brut force attack.
You can try tools like snmpscan 0.05 (http://www.phunc.com/tools/snmpscan) that will 
check weakness of your community password.
  
  There're 1000's of things you can do to audit a dmz, but before starting anything 
don't test what you're to allowed to test people in "corporate" environement doesn't 
like that at all.Make sure you warn of possible disturbance in the information services.
Using hackin' tools instead of commercial products, you'll learn more with them.
Don't try to use word to word dos or exploits, but think.Think small, fast  but 
always think of combinaisons of possible problems. First time I said to my boss I wanted 
to work with a mac, he just laught! After the repports I gave him after several security 
audit, he stilled laught, but this time it was nevervous...I'm not an "Integrist", or 
payed each time I say "Apple" but I know this platorm from the 80's and no other platforms 
offered me such level of security, of integration in mixed environnement, and allowed me 
to run so many other OS on one computer.

Deepquest
deepquest@default.net-security.org

All rights not reserved- Serving since 1994
http://www.deepquest.pf


VIII. More from the ACPO front
----------------------------

More updates from antichildporn.org. First off, thanks again to
net-security.org for allowing us this forum. We're still forging ahead here,
learning as we go. It seems that we are taking a slightly different direction
than was our original intent. Apparently we are entertaining two distinct
groups of people. Our original followers, the techno wizzs. And a much
larger, uneducated group of people that have no computer skills, or very few.

We believe we have found an easy solution to a possibly difficult problem.
The original antichildporn.org will remain the same, headed up by cylent1 and
his crew. Please mail cylent1 (mailto:cylent1@hotmail.com) if you have any
constructive suggestions for the existing site, as he has plans to revamp and
update the site.

We are now in the process of purchasing another domain, a gift from one of our
liaisons. This site's intention is to have a lighter, more child-friendly
appeal to the general public., as we are now in the process of contacting
other resources that tend to look unfavorably upon any sort of "dark ops".
Two completely different people who will be named at a later date will head up
the new site. Both sites will be the same organization, but serve two
different groups of people. They will also link to each other.

We have three trips planned before the first of the year: The Training Co
(http://www.thetrainingco.com) has graciously offered admittance to the
conference for some of our members, pro bono. Please check out their website
for who will be speaking there. It's quite an impressive group. We will also
have a table set up at the conference to answer questions about our
organization and try to enlist help from legal resources on how to approach
the problem of child porn. The second trip planned is to New York City the
week September 20, one or more of us will be meeting with the founder of Cyber
Angels (http://www.cyberangels.com) and hopefully an appointment with the UN.
We're still working out the details for my Euro trip, we'll let you know more
shortly.

As always, we thank you for your support. Mail me if you have any questions.

Natasha Grigori
Founder of Anti Child Porn Organization
natasha@infovlad.net
http://www.antichildporn.org



XI.  Infection and vaccination
-------------------------------

What is a trojan horse and which are the functions of the trojan

A trojan horse is:
An unauthorized program contained within a legitimate program. This
unauthorized program performs functions unknown (and probably unwanted) by the user.

A legitimate program that has been altered by the placement of unauthorized code within 
it; this code performs functions unknown (and probably unwanted) by the user.

Any program that appears to perform a desirable and necessary function but that 
(because of unauthorized code within it that is unknown to the user) performs 
functions unknown (and probably unwanted) by the user.
A trojan horse program can be a program that does something useful, or merely something 
interesting. It always does something unexpected, like steal passwords or copy files 
without your knowledge.
Trojans are discovered often enough that they are a major security concern. What makes 
trojans so insidious is that even after they are discovered, their influence is still 
felt. Trojans are similar to sniffers in that respect. No one can be sure exactly how 
deep into the system the compromise may have reached. There are different kinds of 
trojans on the net here is a little text explaining all kinds of the trojans:

Remote Access Trojans

These trojans are the most popular trojans now.Everyone wants to have such trojan 
because he or she want to have access to their victim's hard drive.The RAT'S
(remote access trojans)are very simple to use.Just make someone run the server 
and you get the victim's IP and you have FULL access to his or her computer. They 
you can almost everything it depends of the trojan you use. But the RAT'S have the 
common remote access trojan functions like: keylogger,upload and download function,
make a screenshot and so on.Some people use the trojans for malicious purposes.
They want just to delete and delete.This is lame.But a have a guide about the best 
way to use a trojan.You should read it. There are many programs out there that detects 
the most common trojans,but new trojans are coming every day and these programs are 
not the maximum deffence. The trojans do always the same things.If the trojan restart 
every time Windows is loaded that means it put something in the registry or in win.ini 
or in other system file so the trojan can restart. Also the trojans create some file 
in the WINDOWS\SYSTEM directory.The file is always looking to be something that the 
victim will think is a normal WINDOWS executable.Most trojans hide from the Alt+Ctrl+Del 
menu.This is not good because there are people who
use only this way to see which process are running.There are programs that will tell 
me exactly the process and the file from where it comes.Yeah but some trojans as 
I told you use fake names and it's a little hard for some people to understand which 
process should they kill.The remote access trojans opens a port on your computer letting 
everyone to connect.Some trojans has options like change the port and put a password so 
only the guy that infect you will be able to use
the computer.The change port option is very good because I'm sure you don't want your 
victim to see that port 31337 is open on their computer.Remote access trojans are 
appearing every day and they will continue to appear. 

Password Sending Trojans

The purpose of these trojans is to rip all cached passwords and send them to specified 
e-mail without letting the victim about the e-mail.Most of these trojans don't
restart every time Windows is loaded and most of them use port 25 to send the e-mail.T
here are such trojans that e-mail other information too like ICQ number computer info 
and so on.These trojans are dangerous if you have any passwords cached anywhere on your 
computer.


Keyloggers

These trojans are very simple.The only one thing they do is to log the keys that the 
victim is pressing and then check for passwords in the log file.In the most cases these
trojans restart every time Windows is loaded.They have options like online and offline
recording.In the online recording they know that the victim is online and they record 
everything.But in the offline recording everything writen after Windows start is recorded 
and saved on the victims disk waiting for to be transfered.

Desctructive
The only one fuction of these trojans is to destroy and delete files.This makes them 
very simple and easy to use.They can automatically delete all your .dll or .ini or
.exe files on your computer. These are very dangerous trojans and once you're infected 
be sure if you don't desinfect your computer information will no longer exist.


FTP trojans
These trojans open port 21 on your computer letting EVERYONE that has a
FTP client to connect
to your computer without password and will full upload and download
options.


News:

.jpeg trojan

A trojan horse looking like .jpeg image has been send over the net for
some time.The purpose of the trojan is to steal the ICQ password of the 
infected users. There has been reported only 200 incidents out of the estimated 40
million subscribers. Steve Gossett an ICQ user in Temple City, California said that: 
"This is sort of like losing your own phone number that you've had for years and 
years," Over the last month, ICQ users have receive an email message containing
an attached file disguised as a JPEG. When users opened the attached file, instead
of opening a JPEG image, the attachment loaded a small malicious program.
The program emailed the user's IC password back to the sender.


Dancho
dancho@mbox.digsys.bg



X. Watch out for documents you publish on The Internet, you might get in trouble
---------------------------------------------------------------------------------

Note: following article was written in ironic way, just to people to see, what 
could some file types published on The Internet cause:

./conspiracy -revangeon myenemy -feds arresthimsoon

my enemy that I hate more than anything in world publish M$ office documents on the 
web: *.doc, *.ppt, *.xls I'll anything to cause him troubles, and what if the feds 
arrest him? humm sounds to me. get the source or the file itself of an infected file 
with a macro virus, a melissa like.Modify a little bit the code to prevent its 
detection by present virus definition.
Open the document you downloaded from your enemy's site with a basic txt editor 
(mac:bbedit, win9*-nt:notepad). ctrl-F: _PID_GUID (if he paid he's been registered to 
M$ databases without knowning (ref:http://www.hackernews.com/arch.html?031299)
copy paste _PID_GUID <*****-*******....> from enemy's documents and paste to the 
infected file. Cross post attachement to many usenet porn channels with a suggestive title...
Wait 1 week. Post your file to antivirus companies and say that you noticed suspicious 
network activities when opening this simple office document. They make a new a-v signature, 
feds are interested in this that cause so many disorder in mail systems. They investigate, 
few days after (they're very slow sometimes) they notice the _PID_GUID (software registered 
to your enemy and based on your enemy's mac address).
Day-13 feds knock knock your enemy's door.Arrested and charged for interrupting public 
communication, wrongful access to computer systems

solution:
1-Use another office suite
2-Erase GUID mac: http://www.deepquest.pf/billblocker01.sit.hqx
       win: http://www.vecdev.com/guideon.html


ps -aux
kill conspiracy all

Now you can sleep well and rest your dark spirit, it was pure imagination...reality is wilder.

Deepquest
deepquest@default.net-security.org



XI. Freedom of speech - related incidents
------------------------------------------

*******************************************************************
So. Let our debates be heated, that they may illuminate. 
Let our positions be polarized, so that matters may be confronted. 
And let us drop the lazy idea that any midpoint is the superior 
position of vantage. The truth cannot lie, but if it could, I have no 
doubt that it would lie somewhere in between. 

---Christopher Hitchens 

*******************************************************************

Every day the battle between freedom and repression rages through the global ether. 
 
Here are this week's links highlights from NewsTrolls(http://www.newstrolls.com):

Thursday, September 2:

China calls for crackdown on 
<http://www.insidechina.com/news.php3?id=89340>
internet dissent...

"A circular issued by the Public Security Bureau on Monday called for an all-out 
war on anti-government and anti-communist articles on the internet, a source said. 
"Recently a hostile organization overseas have used our intra-net to wantonly 
propagate anti- government views and repeatedly publish reactionary articles," 
a copy of the circular said. The circular was issued after exiled Chinese dissidents 
attacked a chat site run by the leading People's Daily and ridiculed the Chinese 
government, the source said."

Are Monsanto's genetically Round-up Ready Terminator seeds 
<http://www.enn.com/features/1999/09/090199/seeds_5385.asp>
strangling small farmers? 
--------------------------------------------------------------------------

Long Weekend, September 3-6

Qi Yanchen arrested for 
<http://www.insidechina.com/news.php3?id=89868>
alleged Internet crime... 

Mexican government likened to 
<http://asia.yahoo.com/headlines/030999/world/936346980-90903082310.newsworld.html>
Stalin's dictatorship... 

"The punishment meted out for any disloyalty or dissent depended on the rank of the culprit. 
In the case of a middle or high-ranking military figure, they could be jailed without 
being told the reason, and then may simply disappear. For the 60 percent of Mexicans 
classed as poor, torture was routinely used, and they might "suddenly disappear" or 
have property confiscated, he said. For more senior figures, trumped-up allegations of 
tax fraud or other crimes may be made. "One of the most common is through tax fraud, 
because the tax laws are basically incomprehensible," he said. "The minister of the 
Treasury said he was incapable of filling out his own tax returns, so that absolutely 
anything at all can be tax fraud.""

Created in reaction to WalkerB's (George Bush, Jr.) desire to limit freedom of speech 
on the Internet, sign the online petition 
<http://www.gwbush.com/petition.htm>
against political web sites having to register with the government 

----------------------------------------------------------------------------

Tuesday, September 7

Waco and the 
<http://search.washingtonpost.com/wp-srv/WAPO/19990906/V000352-090699-idx.html>
price of lies... 


Is medical info in the US 
<http://www.yomiuri.co.jp/newse/0907so17.htm>
moving too freely? 

I don't care if the ignoramus does own most of the world's media:
<http://www.telegraph.co.uk/et?ac=000271261842766&rtmo=3qA8wHBM&atmo=ggggg3qK&pg=/
et/99/9/7/wmur07.html>
Rupert Murdoch (NWS) is the lapdog of the Chinese Communist Party... 

"Mr Murdoch, who hopes to expand his business interests in China, said of the leader of 
Tibetan Buddhism: "I have heard cynics who say he's a very political old monk shuffling 
around in Gucci shoes." Mr Murdoch, 68, who recently married a 31-year-old Chinese woman, 
Wendi Deng, also excuses China's disregard for human rights on the ground that the average 
Chinese person cares more about "his next bowl of rice" than democracy...Mr Murdoch 
expresses his support for China's forced occupation of Tibet by asking whether Tibet's 
own culture was ever worth preserving: "It was a pretty terrible old autocratic 
society out of the Middle Ages. Maybe I'm falling for their propaganda," he says 
of the Chinese government, "but it was an authoritarian, medieval society without 
any basic services." In his ambition to expand his Star satellite television business 
in China, Mr Murdoch has already been accused of placing his commercial interests above 
freedom of speech. In 1994, he dropped the BBC from Star after it was critical of 
Chinese leaders and of the Tiananmen Square killings. Last year, he ordered his 
publishing company HarperCollins to abandon publication of Chris Patten's recollections 
of his time as Governor of Hong Kong because they too were critical of the Chinese 
government." 


Call for release of 
<http://www.africanews.org/central/congo-kinshasa/stories/19990903_feat5.html>
Congolese scholar 


-------------------------------------------------------------------------------

Wednesday, September 8

South African Communications Minister heralds the Internet as 
<http://www.africanews.org/south/southafrica/stories/19990906_feat20.html>
antidote to bribery and media gatekeeping... 

"She said people could expect in future to be able to access and print out 
important government data, such as tender forms, as well as any other forms 
required from officials at public terminals at the Post Office. This would 
curtail the ability of officials to force members of the public to pay bribes 
to get free official forms or information."

US is allowing 
<http://asia.yahoo.com/headlines/080999/world/936804480-90908152801.newsworld.html>
genocide in East Timor... 

"The World Bank and the IMF must also stop all funds going into Indonesia, which receives 
some 1.8 billion dollars in US aid, the activist said. Amnesty International's Asia director 
T. Kumar warned that hundreds were dying by the hour in East Timor but that the scale of 
the violence was difficult to gauge as most foreigners and journalists had fled. "We are 
shocked to report to you that even we are helpless today," Kumar, who also attended the 
press conference. A US observer who just returned from monitoring the vote also faulted 
the United States for allowing the crisis. "The US did not put the pressure on Jakarta 
it needed to," he said, adding that the world could stop the violence within two hours 
if it took action."

From East Timor Action Network (ETAN), here are more links to help you 
<http://etan.org/action/urgntMnu.htm>
take action in support of East Timor independence... 

More info on the massacres taking place 
<http://www.sjmercury.com/breaking/docs/011850.htm>
as you read this... 

"``The man that we encountered was sliced numerous times on either arm and on his stomach. 
He was literally covered in blood but was walking,'' said Sexton after fleeing to Darwin on 
Wednesday from the East Timorese town of Suai...East Timorese Maria Bernardino said she had 
been told by a friend who had fled Dili for Kupang, the capital of West Timor, that militias 
on Tuesday attacked a church in Suai, killing an estimated 40 people. ``The last time he 
looked there were about 40 people on the floor, he assumed they were dead. There was blood 
everywhere, people had been macheted and shot,'' Bernardino told Reuters. ``He saw a priest 
on his knees begging and screaming for people's lives, saying `please have mercy','' she said. 
An Australian Catholic brother, who fled Dili on Tuesday, told Australian radio on Wednesday 
that an East Timorese child was cut to pieces by militias on the streets of Dili. The 
Catholic brother, who asked not to be named, said a local U.N. security officer witnessed 
the child's murder, which occurred when East Timorese were trying to flee to the safety 
of the U.N. compound in Dili. ``The child was actually being cut up. He was chopped up and 
parts of his body were actually thrown about in Dili outside the UNAMET compound,'' he 
told Australian Broadcasting Corporation radio from Kupang in West Timor. "


In just one week...

diva aka Pasty Drone
CEO
NewsTrolls, Inc. 
"Free Minds...Free Speech...NewsTrolls"
http://www.newstrolls.com
pastydrone@newstrolls.com


XII. Y2K survey for 72 countries
-------------------------------


The International Y2K Cooperation Center (IY2KCC), a United 
Nations backed group funded by the World Bank, today released its first survey of 
Y2K readiness in 72 nations, as reported by national Y2K coordinators representing 
each government. 
"This is the unfiltered information straight from the people who have been working 
on the Y2K problem in each nation," said Bruce McConnell, director of the International 
Y2K Cooperation Center. "We encourage the many organizations currently making 
evaluations of country readiness to use this first-hand information to supplement 
their opinion surveys. It is imperative that analysts learn from the people actually 
doing the work before making judgments that have serious consequences." 
"This principle applies equally to private consultants and to national governments that 
contemplate issuing travel advice to their citizens," said McConnell. In an Open Letter 
to Y2K Analysts, McConnell said, "All third party evaluations should reflect direct 
consultations with each affected country's Y2K coordinator. These coordinators can be 
located via the Center's web page." 
"We also urge those countries that have not yet made their readiness information public 
to do so as soon as possible," said McConnell. "Full public disclosure of Y2K preparation 
activities is essential to maintain public confidence in the international marketplace." 
The IY2KCC surveys were completed in August 1999 by Y2K coordinators appointed by their 
national governments. Y2K coordinators reported the month implementation was expected to 
be 90 percent completed. Status statements were provided for nine sectors: Energy, 
Communications, Finance, Transportation (Air, Sea, Land), Health, Government Services 
and Customs. 
The 72 survey responses are posted on the website of the International Y2K Cooperation 
Center at www.iy2kcc.org, under Country Information. With this publication, 33 countries 
have for the first time provided information on the World Wide Web in English. Another 
56 countries have shared information with the center but have not yet indicated their 
preference to share it with the public. Finally, 67 countries have not yet responded to 
the Center's request for information either via the survey or web site. The survey results 
will be updated periodically as additional countries respond. 
Y2K refers to possible computer and automated control system malfunctions when the year 
changes from 1999 to 2000. Until recently, many computers and automated systems were 
programmed to handle only two-digit year formats, and could make mistakes when they 
encounter "00" in the date field. 
The IY2KCC was established in February 1999 under United Nations auspices with World Bank 
funding in response to the need to coordinate efforts to update computer and automated 
control systems around the world to smoothly transition to the year 2000. 

Explanation of Posted Survey Results 
Based on the responses from National Y2K Coordinators to a Y2K Readiness Survey (PDF), 
the International Y2K Cooperation Center has developed regional sector readiness charts. 
These charts provide countries with a way to tell their own stories about their Y2K 
preparations. We hope that this information will promote a more realistic understanding 
of global Y2K readiness, strengthen efforts to address critical areas in each country, 
and help direct available resources appropriately. 
The charts depict sector readiness by country. The number in each block indicates the 
month in which the country reports it will be 90 percent complete with its Y2K 
implementation in that sector. The color indicates the level of dependence on information 
technology in that sector. 
Continuity/contingency planning and emergency response information for each sector can 
be found by clicking on the cell for the particular country and sector. Reported 
challenges and concerns for each sector are also detailed. 
In many cases, a country's national Y2K web site provides detailed information on 
sector status and contingency planning. 
Additional country readiness information will be added as soon as it is received from 
reporting national coordinators. 

Asia 
(http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=Asia
Central America and the Caribbean 
(http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=LAC
Eastern Europe and Central Asia 
http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=EE
Middle East and North Africa 
http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=MENA
North America 
http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=NA
South America 
http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=SA
Sub Saharan Africa 
http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=Africa
Western Europe 
http://www2.iy2kcc.org/SectorStatus/Default.cfm?WhichRegion=WE



Lisa Pellegrin 
Telephone: (202) 466-5464, ext. 11 
Fax: (202) 466-5451 
E-mail: pellegrin@iy2kcc.org 
Web: www.iy2kcc.org


XIII. Journalism
----------------

Just a brief article, because I really must react.

Yesterday in Croatia, 16 year old Denis Perisa was caught for using Back Orifice
for entering the computer and snatching the password from a known politician over
here. The main problem in all of this isn't he being caught, but how media
could create a super-hacker from a just ordinary trojan user. The article was
published in a Croatian daily newspapers Vecernji list - on Croatian language
(http://www.vecernji-list.hr/Pages/DUPN.html). When you read the article you
could see that the author of it has a little knowledge of The Internet and its
services. Denis told them several very idiotic and untrue sentences like:
"I could get in any bank system with just 2 of my friends and a good computer",
"I have my own newsgroup on Usenet"... He didn't have any knowledge at all. His
group could only "hack" Tripod websites (guess how - by using trojans ofcourse).
"We don't need disclaimer because HACKING is NOT illegal in CROATIA!!!n So we can put 
here our full names here and nobody can do us a fucki'n thing :) SO take your laptop, 
sit in a plane, come to Croatia and (fuck) HACK THE PLANET :)" - that was written
on their page (lame isn't it?). 
The main problem is in journalists, who don't have a clue about what they are writing.
Croatia is a small country (about 4.8 millions of citizens), and we don't have a
"hacker" scene, at least as I know. Every time someone is caught in relation with
computer crime, newspapers see profit in it, and they make terrible articles about
it. Couple of years ago, one Croatian hacker penetrated to one of the Pentagon 
servers (using Imap exploit), and several newspapers and magazines created a
super hero from him. After that he said that he didn't knew how to unzip some files:)
If you know Croatian do read this article written by me for
Croatian security news site (column comments all facts that were written in
article about Denis) - http://www.monitor.hr/security/clanci/denis.htm

Berislav Kucan
aka BHZ
bhz@net-security.org
http://net-security.org