what you don't know can hurt you


Posted Mar 1, 2005
Authored by astalavista | Site astalavista.com

Featured articles - Hacker's attack strategies and tactics part 1 ; Protecting from spyware - Interview with Mr. Yowler, Cyberarmy.net

MD5 | a9d291538795c0ea2d794b75fda10be8


|- Astalavista Group Security Newsletter -|
|- Issue 6 12 May 2004 -|
|- http://www.astalavista.com/ -|
|- security@astalavista.net -|

- Table of contents -

[01] Introduction
[02] Security News
- TCP Flaw Threatens Net Data Transmissions
- Multinational team cracks crypto puzzle
- OS X Trojan Horse Is a Nag
- DOD decentralizes Wi-Fi
- Exploit for Windows SSL Flaw Circulating
[03] Astalavista Recommends
- Penetration Testing - A Sample Report
- Wireless Lan Security in Depth
- An Overview of Common Programming Security Vulnerabilities and Possible Solutions
- Sebek - a Kernel Based Data Capture Tool
- Unix Password Security
- Ethical Hacking - Penetration Testing
- Network Security Basics
- Stealing Passwords Via Browser Refresh
[04] Site of the Month - Global Intelligence News Portal - http://mprofaca.cro.net/
[05] Tool of the month - Warez P2P Tool
[06] Paper of the month - Internet Worms
[07] Free Security Consultation
- I wonder if my ISP...
- My kids are actively using the Internet and...
- Whenever I give out my e-mail...
[08] Enterprise Security Issues
- The Nature of the Game - Hackers' Attack Strategies and Tactics Part 1
[09] Home Users Security Issues
- Protecting from Spyware
[10] Meet the Security Scene
- Interview with Mr.Yowler, http://www.cyberarmy.com/
[11] Security Sites Review
- Dsinet.org
- CGISecurity.com
- Cryptome.org
- eBCVG.com
- Dailyrotation.com
[12] Astalavista needs YOU!
[13] Astalavista.net Advanced Member Portal Promotion
[14] Final Words

01. Introduction

Dear Subscribers,

Welcome to Issue 6 of Astalavista's Security Newsletter!

In this issue of our newsletter you're going to read an interesting article about the nature of hacking/security,
get updated with the latest security events worldwide, browse through unique files and security content and read an
interview with MrYowler from Cyberarmy.com. Thank you for your interest and all the e-mails we keep receiving.

Astalavista's Security Newsletter is mirrored at:


If you want to know more about Astalavista.com, visit the following URL:


Previous Issues of Astalavista's Security Newsletter can be found at:


Editor - Dancho Danchev

Proofreader - Yordanka Ilieva

--- Thawte Crypto Challenge V ---

Crypto Challenge V Now Live!
Pit your wits against the code – be the first to crack it and win an Archos Cinema to Go.

Click here to grab the code and get started:

--- Thawte Crypto Challenge V ---

02. Security News

The Security World is a complex one. Every day a new vulnerability is found,
new tools are released, new measures are made up and implemented etc.
In such a sophisticated Scene we have decided to provide you with the most
striking and up-to-date Security News during the month, a centralized
section that contains our personal comments on the issue discussed.
Your comments and suggestions about this section are welcome at


A flaw in the most popular communications protocol for sending data on the Net could let
attackers shut down connections between servers and routers, according to an advisory released
Tuesday by Britain's national emergency response team.

The center's advisory is based on security research that Watson plans to present at the CanSecWest 2004
conference this week and apparently had been released a day early by the NISCC, according to the conference
organizer. Watson, who runs a prohacking blog at Terrorist.net, could not be reached for comment.

More information can be found at:


Astalavista's comments:

While this attack was discussed a long time ago, it has never been investigated the way it is now. Some ideas are so
ingenious that they're downright obvious.


RSA Security on Tuesday said that over three months of consistent effort helped a team of mathematicians from
Europe and North America solve the company's latest encryption puzzle.

The multinational team of eight experts used about 100 workstations to crack the code that won them a $10,000 prize.

The contestants' task was to determine the two prime numbers that have been used to generate eight "challenge" numbers,
which are central to RSA’s 576-bit encryption code. RSA's contest is designed to help test the robustness of the
lengthy algorithms used for electronic security. The competition is intended to encourage research into
computational number theory and the practical difficulty of factoring large integers.

More information can be found at:


Astalavista's comments:

To all the brainy readers, participating in a Crypto Challenge is fun, and all you can lose is the chance to show
the world how smart you are :)


Security experts on Friday (9th April) slammed security firm Intego for exaggerating the threat of
what the company identified as the first Trojan for Mac OS X.

On Thursday, Intego issued a press release saying it had found OS X's first Trojan Horse, a piece of malware called
MP3Concept or MP3Virus.Gen that appears to be an MP3 file. If double-clicked and launched in the Finder, the Trojan
accesses certain system files, the company claimed.

Mac programmers and security experts accused the company of exaggerating the threat to sell its security software.

More information can be found at:


Astalavista's comment:

Proactive measures are very important, but when a company alarms the public over something like this, it could
be considered an exaggeration. Moreover, making a profit from proof-of-concept code that's not yet in the wild isn't
exactly what serious customers are looking for.


The Defense Department's new wireless fidelity policy seeks help from many of its agencies to ensure
their employees and contractors use caution when operating wireless computer devices at military installations.

It mandates that military and industry officials do not use wireless devices to store, process and transmit
classified information without approval from the various agencies and department officials.
Deputy Defense Secretary Paul Wolfowitz issued the directive in an April 14 Defense Department
directive titled, "Use of Commercial Wireless Devices, Services, and Technologies in the Department
of Defense Global Information Grid."

More information can be found at:


Astalavista's comment:

Trying to keep the sensitive data as secret as possible is the way it should go. The question is "How
well will this policy be implemented, and would there be someone watching while someone is not following it?"


Exactly a week after Microsoft announced a SSL vulnerability affecting key Windows products,
malicious hackers unveiled exploits that could lead to widespread denial-of-service attacks.

The exploit code, described in the underground as the "SSL Bomb," could allow specially crafted SSL
packets to force the Windows 2000 and Windows XP operating systems to block SSL connections.
On Windows Server 2003 machines, the code could cause the system to reboot, security experts warned.

More information can be found at:


Astalavista's comment:

Next would be another worm in the wild; we hope this doesn't happen, as it would repeat itself over and over again.

03. Astalavista Recommends

This section is unique with its idea and the information included within. Its
purpose is to provide you with direct links to various white papers covering
many aspects of Information Security. These white papers are defined as a "must
read" for everyone interested in deepening his/her knowledge in the Security field.
The section will keep on growing with every new issue. Your comments and suggestions
about the section are welcome at security@astalavista.net


One of the most comprehensive penetration testing sample reports we've come across



A detailed approach on building secure Wireless LAN networks



A thesis work, quite thorough, that includes a lot of examples


Watch the attacker, without them noticing you, recommended reading



Rather old, but it still gives you an insight if you're not aware of how Unix passwords work



A comprehensive report giving you an insight of what Ethical Hacking and Penetration Testing is



This document provides information on everything you ever wanted to know about Network Security



Discusses techniques related to password stealing via browser refresh; recommended reading


04. Site of the month

Global Intelligence News Portal - Intelligence, espionage, military, government news and resources


05. Tool of the month

Warez P2P v2.0

Warez is a spyware-free file-sharing program. Search for and download your favorite music
and video files shared by other users on a free peer-to-peer network.


06. Paper of the month

Internet Worms

A paper discussing various simulating and optimising worm propagation algorithms


07. Free Security Consultation

Have you ever had a Security related question but you weren't sure where to
direct it to? This is what the "Free Security Consultation" section was created for.
Due to the high number of Security concerned e-mails we keep getting on a
daily basis, we have decided to initiate a service free of charge and offer
it to our subscribers. Whenever you have a Security related question, you are
advised to direct it to us, and within 48 hours you will receive a qualified
response from one of our Security experts. The questions we consider most
interesting and useful will be published in the section.
Neither your e-mail, nor your name will be present anywhere.

Direct all of your Security questions to security@astalavista.net

Thanks a lot for your interest in this free security service, we are doing our best to respond
as soon as possible and provide you with an accurate answer to your questions.

Question: Hello Astalavista, with all the surveillance stories I keep coming across online, I was
wondering to what extent can I be monitored by my ISP, even if I use encryption? Also how can I be sure
that they're not monitoring what I do online?

Answer: Using encryption will protect the confidentiality of your data, and using an encrypted channel when
surfing the net (SSL, for example) will improve your privacy; however, there's always an opportunity for them to
monitor your activities, even when using SSL. Your ISP would probably have no intention to do so, as long as they don't suspect
you're abusing the service they're offering you, but to answer your question, the major ISPs keep logs for quite a long
time; some do it without a reason, others do it because they want to be able to assist in possible forensic activities
in case your account has been used to commit illegal activities. You can never be 100% sure they're not monitoring you,
because with the way the Internet works, it is always possible to be monitored by someone; even the "stealthed" proxy you use
might be an object of surveillance. But ask yourself, do you really want that level of anonymity and most importantly

Question: Hi, thanks for your newsletter. I wanted to know how I can protect my kids while using the Internet, something
else, sometimes I'm away and I would like to know what they're doing while they're online, I have several content filters
on my Internet Explorer, but I want to be sure they're not doing anything wrong.

Answer: You're welcome. You'd better consider the following: would you follow your kids each time they go out with the idea
of protecting them, instead of trying to teach them how to behave, or let's put it, what is good and what's bad? I doubt so,
but I think you believe that the same thing can be done in a very convenient way on your computer, and you'll be right. But
you can teach them how to behave while using the Internet without snooping on them all the time. Anyway, here's a piece of software
I recommend if you still intend to use your approach:


Question: I cannot manage to handle all the spam I get every day, I often subscribe myself to newsletters, do you think it's
because of that, even when I keep changing my e-mail, I keep getting an enormous amount(compared to my friends)of spam, what
can I do about it? Something else I was interested in, is it possible to get infected with a trojan/worm by viewing/opening
a spam message?

Answer: Spam became such a natural part of the Internet that you will probably never be able to completely eliminate it. I think
what you're doing is giving your email to every newsletter you see out there, which is terribly wrong, and this is
where the problem comes from. You don't need much time to tell the difference between a trusted and an untrusted site. Moreover,
never give your personal email there; instead, create another one, especially for the newsletters. There's little chance
for you to receive a trojan/worm via spam, let's not say almost impossible. However, watch out for the kind of mails and attachments you receive.

08. Enterprise Security Issues

In today's world of high speed communications, of companies completely
relying on the Internet for conducting business and increasing profitability, we have
decided that there should be a special section for corporate security, where
advanced and highly interesting topics will be discussed in order to provide
that audience with what they are looking for - knowledge!

The Nature of the Game Part 1
By MrYowler
mryowler [at] cyberarmy.com

This text strives to be a frank and straightforward discussion of hacker attack strategy, tactics and, if I have time,
motivations and ethics. This will not be a 'how-to', nor will the focus be placed on implementation;
this is a general overview, aimed at describing how and why a hacker targets the various elements of a network.

The Target:

A network is composed of a great number of parts; many may tend to escape the notice and control of the
individual or group responsible for maintaining its security. The basic components of a network include hosts,
transmission media, services, communications protocols, data, and users. Each of these components represents
potential vulnerabilities, depending upon what the attacker wants, and what the defender focuses on while protecting.

Hosts:

Networks are built upon trust relationships between hosts. By penetrating an individual host, an attacker can often
gain access to otherwise unavailable services on some larger portion of a network.

In the following network example, a fairly typical target configuration, it is possible to gain access to
unencrypted shell services, for all hosts, merely by penetrating one of them. The firewall effectively blocks
access to the telnet service, from hosts outside the LAN; but since hosts inside the LAN are not blocked by
the firewall, they can be used to access otherwise unavailable services. A common tactic used to exploit this
situation might be to email a suitably configured Trojan Horse program to a user inside the network, who is
believed to be likely to run it. (An attacker using this attack would therefore also be targeting the destination
user and employing programming, network protocol, and social engineering tactics.)
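The flat-LAN situation above can be checked with a small policy model. The following is an added example, not code from the newsletter or from MrYowler's article: the host names, zones and firewall rules are constructed, and the first-match evaluation is a simplified stand-in for a real firewall. It compares the article's configuration, where the perimeter blocks telnet but LAN-to-LAN traffic is unfiltered, with a segmented policy in which telnet is denied everywhere and shell access to LAN hosts is only allowed over SSH from a designated jump host.

```python
"""Reachability model for the flat-LAN scenario in the article.

Added example (not from the newsletter or MrYowler's article): the hosts,
zones and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str             # zone name or host name the connection originates from
    dst: str             # zone name or host name of the destination
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"


# Constructed hosts: host name -> zone. The firewall sits between the zones.
HOSTS = {
    "attacker": "internet",
    "ws-1": "lan",
    "ws-2": "lan",
    "fileserver": "lan",
    "jumphost": "lan",
}

TELNET, SSH = 23, 22

# The article's configuration: telnet (and everything else) is blocked at the
# perimeter, but traffic between LAN hosts is not filtered at all.
FLAT_POLICY = [
    Rule("internet", "lan", TELNET, "deny"),
    Rule("internet", "lan", None, "deny"),
    Rule("lan", "lan", None, "allow"),
]

# A segmented alternative: telnet is denied everywhere, and shell access
# (SSH) to LAN hosts is only allowed from the jump host.
SEGMENTED_POLICY = [
    Rule("internet", "lan", None, "deny"),
    Rule("lan", "lan", TELNET, "deny"),
    Rule("jumphost", "lan", SSH, "allow"),
    Rule("lan", "lan", None, "deny"),
]


def first_match(policy, src_host, dst_host, port):
    """First-match evaluation; anything no rule covers is denied."""
    src_zone, dst_zone = HOSTS[src_host], HOSTS[dst_host]
    for rule in policy:
        src_ok = rule.src in (src_zone, src_host)  # a rule may name a zone or a host
        dst_ok = rule.dst in (dst_zone, dst_host)
        port_ok = rule.port is None or rule.port == port
        if src_ok and dst_ok and port_ok:
            return rule.action
    return "deny"


def reachable_shells(policy, foothold, port=TELNET):
    """Hosts whose shell service on `port` the foothold host can open a connection to."""
    return {
        host for host in HOSTS
        if host != foothold and first_match(policy, foothold, host, port) == "allow"
    }


def exposure_after_compromise(policy, compromised, port=TELNET):
    """Number of hosts reachable on `port` once `compromised` is under attacker control.

    This is the article's point: the perimeter rule says nothing about the
    blast radius of a single compromised internal host.
    """
    return len(reachable_shells(policy, compromised, port))


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, "telnet from internet:", sorted(reachable_shells(policy, "attacker")))
        print(name, "telnet from compromised ws-1:", sorted(reachable_shells(policy, "ws-1")))
        print(name, "ssh from jumphost:", sorted(reachable_shells(policy, "jumphost", SSH)))
```

Under the flat policy the attacker reaches no telnet service from the Internet, yet one compromised workstation reaches every other LAN host; under the segmented policy the same compromised workstation reaches nothing, and only the jump host keeps administrative access.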

Transmission Media:

Networks require transmission paths in order to enable communication between hosts and between users.
Sometimes, these take the form of network cable, telephone lines, or wireless media. The type of media has a
significant impact upon the specific tactics which are employed against it, but general tactics are frequently
media-independent. In addition to standard MIJI tactics, transmission media are also subject to intelligence-gathering


MIJI tactics are typically used to perpetrate Denial-of-Service attacks, although the possible scope of tactics
includes much more. MIJI is a communications security term referring to Meaconing, Intrusion, Jamming,
and Interference - and traditionally it is related to attacks upon communications systems, which might also be
characterized as Denial-of-Service.

Intelligence Gathering:

By inserting himself into the transmission path of the data stream, the attacker can sometimes gather
useful intelligence about the target network. Usernames, passwords, and data pass unencrypted or minimally
encrypted across parts of a network.

Services:

Many services are designed with only cursory planning for security. Web, email, and Domain Name Services are
among the most popular and most commonly exploited services on the Internet today. A great number of services involve
passwords, sensitive data, and trust relationships with little or no authentication. Few services in common usage
employ sophisticated encryption techniques, where they employ any encryption at all. As a result, many
services can be exploited to capture authentication and other sensitive data.

Communications Protocols:

Tied closely to services, communications protocols, from the application layer to the hardware layer, can be
spoofed or manipulated to allow data to be intercepted, modified, or redirected. This is often where Denial-of-Service
attacks, perpetrated using MIJI tactics, are most effectively applied.

Data:

Data can be acquired through communications protocol exploits, attacks upon services and server processes,
examination of logs and databases, dumpster-diving, and by social-engineering users among other methods.
Data is often precisely what network and system administrators are most interested in protecting, although
sometimes there are operational processes to be protected, as well. (Financial and military operations are some
reasonable operational system targets, for example.) Data is often well-protected, until it arrives at a trusted
destination. These destinations are frequently the best targets for compromising data. Users, hosts, and databases
are often the trusted targets. If the user or host can be compromised, then the data can be exposed.
There are also electronic warfare tactics that can be used to expose data, as well as the old hacker standby;
digging through garbage - it's truly amazing sometimes what people will throw away.

Users:

The most unstable and unreliable element of a system is generally the user. This makes the user the most
vulnerable point of attack, and the most likely path to intrusion-detection.

Most elements of a network or system tend to follow well-documented, readily-understood, and consistent rulesets.
Users are the exception; while they can frequently be relied upon to follow logical reasoning paths,
the factors which influence user behavior include numerous random, physiological, psychological,
and unforeseeable elements.

A skilled attacker can exploit the unreliability of the user through social engineering tactics, and by applying
technical attacks that modify the user's perception of conditions, to change the user's behavior to suit the
attacker's need.

The Attacker:

Attacker tactics vary not only according to the target, but also according to the attacker - in fact, some
victims are actually selected entirely at random, or on the basis of opportunity. Hacker attack strategies come
in a variety of forms; cryptographic, network protocol exploits, programming, brute-force, denial-of-service,
and social engineering, to name a few. An attacker will often specialize in one or more of these areas, and
this frequently has a noticeable effect upon the tactics that they will choose to employ, in pursuing a target.

Cryptographic Attacks:

Defenders seek to protect data which they perceive to be valuable. Since the defender is usually involved
to some extent in the creation or use of the data, it stands to reason that they would have some knowledge of
its importance. One of the most common ways to control access to valuable data is to cipher it, so that only
the authorized users can decipher it.

Cryptographic attacks rely upon the tendency by defenders to cipher data that they perceive to be valuable - and
upon the tendency of the defender to be better equipped to determine what is valuable than the attacker.

Common cryptographic attack tactics involve brute-force cryptographic key-searching; while less-common tactics may
involve the exploitation of weak cryptographic algorithms, or may be combined with other tactics to find likely
cipher keys.

While it is reasonable to expect a cryptographic attacker to have a strong mathematical background, generally only
the most skilled of such attackers do. Common attackers often rely upon simple or well-known cipher algorithms and
systems, or they combine other tactics with cryptography, to achieve results.

Network Protocol Exploits:

Network protocols are often inherently flawed in a variety of ways. Email and web data are traditionally
transmitted with little or no encryption, and users as well as the designers of systems, based upon these protocols,
typically do not give such issues much thought when implementing or using these protocols. Sometimes, users will
trust a protocol simply because they are not aware of having experienced previous compromises - and they will often
trust it with highly sensitive data. Email, and the web, are often used to carry significant financial information,
as well as governmental and commercial data, which, if closely examined, might well merit classification for reasons
of national security. Examples might include data regarding the schedules of people surrounding highly ranked
governmental officials, or military unit members, whose planned activities might represent compromises of operational
security when transmitted via email.

The variety and types of exploits range as widely as the protocols themselves, and often, where one client or
server is immune to a particular exploit, another might not be. Common examples of this include email clients
which may or may not be HTML-enabled in various ways, web clients with client-side scripting languages, and chat
clients which might be vulnerable to client 'booting' or 'punting', based upon errors in the way in which the client
might have been programmed.

Network protocol attackers will frequently be skilled system administrators or programmers, and will have spent
some measure of time examining the specific target protocol, and/or read protocol documentation in order
to expose the flaws which are their points of entry.

Programming:

This type of attack relies upon the insertion of malicious code, into the processes of the target network.

The most common form that this takes is the Trojan Horse program - a program which claims to do one thing but,
in fact, does something completely different. While skilled programming attackers will often decry this implementation
as beneath their dignity, the buffer-overflow tactics that mark a truly skilled attacker of this type amount to
little more than causing a program that was designed to do one thing, to do something else - just like a Trojan Horse.
The difference is more a measure of degree than it is one of a principle.

An attacker who uses such devices as Trojans will typically need to combine this with some measure of Social Engineering
in order to convince the target to accept the software that is used in the attack. A more skilled attacker will look
for ways to enter through pre-existing software, which is in fact installed for some other purpose. Such attackers
will often be skilled in one or more low-level languages, such as 'C' or Assembly language, and will generally target
hosts, although, on occasion, programming attackers may combine with such tactics as Protocol Engineering to attack
other elements of a network.

Brute-Force:

Brute-force tactics generally come in two varieties; 'cracking' and 'known plaintext'.

Data cracking usually involves the exhaustive search of an entire keyspace, although more skilled attackers will
use various tactics to limit or prioritize the keyspace that they choose to search. Known plaintext attacks typically
focus on key discovery by causing a set of known data to be ciphered, and then examining the ciphered data,
as compared to the unciphered data (or plaintext), to discern patterns. One relatively simple way to apply the
'known plaintext' tactic is to insert data into a target network by sending email to an SMTP mail server,
which utilizes cryptography to protect outgoing message data. By sending such mail to a non-existent recipient,
the attacker can cause such mail to 'bounce' and presumably therefore receive the message, returned to sender
and ciphered by the mail server. The attacker now possesses both the original 'known plaintext', and a ciphered
version of the same in the form of the message returned to the sender.
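The "brute-force cryptographic key-searching" of the cryptographic section and the exhaustive keyspace search described here are the same loop, and a known plaintext is what lets each candidate key be checked. The block below is an added example, not code from the newsletter or the article: it uses a deliberately weak repeating-key XOR as a stand-in cipher (the key, the messages and the key sizes are constructed), runs the search against a 16-bit key, and then applies the expected-work formula to show why the identical loop is hopeless against a key of realistic length. The defender's lever is the size of the keyspace, which is exactly why the text notes that skilled attackers try to "limit or prioritize" it with other tactics.

```python
"""Toy exhaustive key search with a known-plaintext check.

Added example (not from the newsletter or the article): the cipher, key
sizes and messages are constructed to illustrate why keyspace size is what
defeats brute-force key search.
"""


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR: deliberately weak, used only as a stand-in cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


toy_decrypt = toy_encrypt  # XOR is its own inverse


def exhaustive_search(key_bits: int, known_plain: bytes, known_cipher: bytes):
    """Try every key in a key_bits keyspace until one maps known_plain to known_cipher.

    The known plaintext is the oracle: a candidate key is accepted only if it
    reproduces the observed ciphertext. Returns (key, attempts) or (None, attempts).
    """
    key_len = (key_bits + 7) // 8
    attempts = 0
    for candidate in range(2 ** key_bits):
        attempts += 1
        key = candidate.to_bytes(key_len, "big")
        if toy_encrypt(key, known_plain) == known_cipher:
            return key, attempts
    return None, attempts


def expected_attempts(key_bits: int) -> int:
    """Average work for a uniformly random key: half the keyspace."""
    return 2 ** (key_bits - 1)


def years_at_rate(key_bits: int, attempts_per_second: float) -> float:
    """Expected wall-clock years for the same loop at a given trial rate."""
    return expected_attempts(key_bits) / attempts_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed 16-bit key and message; a 16-bit keyspace has only 65536 keys.
    key = bytes([0x12, 0x34])
    plaintext = b"known text"
    ciphertext = toy_encrypt(key, plaintext)
    found, attempts = exhaustive_search(16, plaintext, ciphertext)
    print(f"recovered key {found.hex()} after {attempts} attempts")
    print(f"expected work for 16-bit key: {expected_attempts(16)} attempts")
    # The same loop against a 128-bit key at a trillion trials per second.
    print(f"128-bit key at 1e12/s: about {years_at_rate(128, 1e12):.1e} years")
```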

Sometimes 'cracking' tactics are applied remotely in an attempt to gain entry to a remote system; this is usually
referred to as 'password cracking', although when an encrypted password file is captured and cracked on the attacker's
system, 'data cracking' better describes the activity. To the defender, this often appears to be a denial-of-service
attempt; to be successful, a great many attempts must usually be made, often straining the resources of the defending
system, and providing the same high profile of visibility that is typical of denial-of-service attacks.
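The high profile the paragraph describes is precisely what a defender can key on. The following is an added example, not code from the newsletter or the article: it runs a per-source sliding-window count over constructed sshd-style log lines (timestamps, addresses and user names are made up) and flags any source that reaches a failure threshold inside the window, which separates a remote 'cracking' burst from a user who mistypes a password twice.

```python
"""Flag remote password-cracking bursts in authentication logs.

Added example (not from the newsletter or the article): the log lines below
are constructed in an sshd-like format; addresses and users are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2004-05-12T10:00:01 host sshd[4021]: Failed password for root from 10.9.8.7 port 51022 ssh2
2004-05-12T10:00:02 host sshd[4022]: Failed password for root from 10.9.8.7 port 51023 ssh2
2004-05-12T10:00:03 host sshd[4023]: Failed password for admin from 10.9.8.7 port 51024 ssh2
2004-05-12T10:00:04 host sshd[4024]: Failed password for admin from 10.9.8.7 port 51025 ssh2
2004-05-12T10:00:05 host sshd[4025]: Failed password for test from 10.9.8.7 port 51026 ssh2
2004-05-12T10:00:06 host sshd[4026]: Failed password for guest from 10.9.8.7 port 51027 ssh2
2004-05-12T10:03:10 host sshd[4031]: Failed password for alice from 192.168.1.20 port 40001 ssh2
2004-05-12T10:03:25 host sshd[4032]: Failed password for alice from 192.168.1.20 port 40002 ssh2
2004-05-12T10:04:00 host sshd[4033]: Accepted password for alice from 192.168.1.20 port 40003 ssh2
2004-05-12T10:30:00 host sshd[4040]: Failed password for root from 10.9.8.7 port 51100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_lines(lines):
    """Yield (timestamp, result, user, source) for every line the pattern matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def failures_by_source(lines):
    """Map each source address to the list of its failed-login timestamps."""
    fails = defaultdict(list)
    for ts, result, _user, src in parse_auth_lines(lines):
        if result == "Failed":
            fails[src].append(ts)
    return fails


def find_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source: peak failures in one window} for sources at or above threshold.

    A sliding window over the sorted failure times per source; the peak is the
    largest number of failures that fit inside a single window, so a slow
    trickle spread over hours does not trip the same rule as a burst.
    """
    alerts = {}
    for src, times in failures_by_source(lines).items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


if __name__ == "__main__":
    for src, peak in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {peak} failed logins within 60s")
```

With the default threshold the constructed burst from 10.9.8.7 is reported and the two mistyped passwords from 192.168.1.20 are not; lowering the threshold to 2 shows how quickly a rule like this starts paging on ordinary users, which is the tuning trade-off behind every brute-force detector.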

Note that it is this type of tactic, that inspires the heated and ongoing discussion about which describes a
network attacker best - 'hacker' or 'cracker'. Some argue that a 'hacker' can be more broadly defined as a programmer
or even as a writer; others argue that network attacker tactics can extend well beyond 'cracking' tactics.
This ongoing argument is covered later.

Denial-of-Service:

The underlying premise of a great number of defensive measures used in network security is that the attacker wishes
to gain unauthorized access to some service. Invalidate this premise, and many of these defensive
measures are invalidated with it.

Denial-of-service attacks attempt to deny service to authorized users rather than attempting to grant access
to unauthorized ones. Often, by denying access to a specific service, other services or network components
become more accessible targets.

An attacker who employs denial-of-service tactics usually does so either out of spite or as a fall-back position
from a frustrated desire to gain access. From that standpoint, a higher frequency of denial-of-service attacks might
indicate a more successful security strategy - but then, the users are unlikely to congratulate the defender
whose system(s) falls to a denial-of-service attack rather than having their web site defaced. Fortunately, such
attacks are generally very high-profile activities on the involved resources, and are generally rapidly identified
and responded to. While there are some such attacks that can be particularly dangerous and effective; on the whole,
such tactics are easily defeated by an alert defensive staff.

Social Engineering:

This is perhaps the most insidious form of attack, since it tends to be the area which is most uncontrollable and
generally poorly understood in the Network Security arena.

Technically inclined people tend to choose this interest the way most people choose their interests: because they excel
at it. Computer-related skills often imply a sort of detail-oriented logical thinking that is atypical for modern
social environments, and often fails to translate easily from the mind into most spoken languages. Computer
security is typically perceived as a highly technical area of expertise, and, as a result, it is not surprising to
find such people in this area.

Consequently, it is not unusual to find 'characters', in this field - people whose personalities do not fit the
societal norm. It is also not unusual - given the imprecise nature of most spoken languages, and the highly
logical and detail-oriented nature of the work - to find that verbal skills are often mutually exclusive with
the technical background that is usually associated with network security.

Hackers are often thought of as social outcasts and misfits, and there has traditionally been some reasonable basis
for this assessment. The 'characters' involved in this sort of activity are often not socially accepted. Whether
this is cause or effect is a matter of debate, but because of the social profile, both network security attackers
and defenders are often poorly equipped to deal with tactics related to the social manipulation of users.

A skilled social engineer is very much akin to a good con artist. He is able to lie smoothly, and he is able to
gain the confidence of his victims. Often, a mixture of truth is used to lend the attacker credibility. Sometimes an
attacker will even use boldfaced obvious fabrications to extract passionate responses from the target, and thereby
borrow credibility from the reaction of the target, from the perspective of otherwise impartial onlookers. These kinds
of attackers are skilled at maintaining their cool in the face of a danger, crisis, or disaster, and have the ability
to see a situation from the points of view of many of the people involved. They will often be capable of talking
themselves out of a situation, even when caught red-handed by the defender/s. A skilful social engineer is a rare
and dangerous bird, and when successfully combined with technical abilities, such an individual is capable of
operations on a global scale.

To be continued...

09. Home Users Security Issues

Due to the high number of e-mails we keep getting from novice users, we have
decided that it would be a very good idea to provide them with their very
special section, discussing various aspects of Information Security in an
easily understandable way, while, on the other hand, improve their current level of knowledge.
If you have questions or recommendations for the section, direct
them to security@astalavista.net Enjoy yourself!

Protecting from Spyware

What is Spyware?

Your Anti-Virus program won't detect it, your firewall may not completely stop it,
someone out there is secretly analyzing all of your online (sometimes offline) activities
and storing them for possible data mining purposes, and all of this because of Spyware.

Spyware can be described as software whose purpose is to collect demographic and usage information
from your computer, for advertising and marketing purposes. The process is hidden from your eyes, usually
spyware is installed within the software you download, or it comes with the package you install. Once started,
it will invade your privacy to a very high level, compromising all of your online activities and manipulating your
perception of the Internet by hijacking your search results and the web sites you try to enter in.

How dangerous is it?

While still valuable for advertising and marketing purposes, the information gathered through web sites is limited compared
to those that could be gathered by using spyware. Literally, all of your online and offline activities can be reported
and summarized to a centralized ad server. Many spyware programs will download and install other programs on your computer, wasting
your resources, slowing down your processes and sometimes acting like a trojan horse, even like a keylogger. Certain spyware
programs even have AutoUpdate functions where they can download any software they want to on your computer, again without
you knowing it. Quite a lot of people still ask, why should I worry about that? Although it can be argued whether it exists or
not, there's still a word called Privacy, something you need to protect at any cost.

Why is Spyware used?

The biggest advantage of online marketing is the low cost of doing it and the instant access to results, which sometimes
are more accurate than the traditional marketing methods used. Imagine an MP3 player product, we've seen it before.
Sometimes, the majority of ads that appear on the sites that you visit aren't related to any of your interests, but how about
if you start seeing ads that are specifically displayed and match your interests? It's not a coincidence, it's just the fact
that you have been identified in some way by the web site/network you have visited. Now imagine this network being a part
of another one, consisting of spyware agents;the results are web sites designed specifically for your interests. But this
is useful to me, how come? Indeed, it is, if it wasn't stored in a database for data mining purposes, probably forever.

How can I check if there's spyware on my computer?

You can use these freeware products, which happen to be very useful and regularly updated:

Ad-aware - http://www.lavasoftusa.com/
SpyBot Search&Destroy - http://www.safer-networking.org/

Any sites discussing the topic?

You can find more information about spyware at:


10. Meet the Security Scene

In this section you are going to meet famous people, security experts and
all personalities who in some way contribute to the growth of the community.
We hope that you will enjoy these interviews and that you will learn a great deal of
useful information through this section. In this issue we have interviewed
MrYowler from Cyberarmy.com.

Your comments are appreciated at security@astalavista.net

Interview with Mr.Yowler, http://www.cyberarmy.com/

Astalavista: Mr.Yowler, Cyberarmy.com has been online since 1998, and is a well
known community around the net. But there are still people unaware of
it, can you please tell us something more about the main idea behind
starting the site, and what inspired you the most?

MrYowler: Well, I didn't actually start the site; that was Pengo's doing. I actually
joined when CyberArmy had about 37,000 members, and I worked my way up the
ranks, first by completing the puzzles, and later by participating in the
community as one of its leading members. I was first put in charge, back
in 2002, and I bought the domain from Pengo, and completely took over, in
late 2003.

CyberArmy is a community of 'hackers' of various skill levels and ethical
colors. We focus primarily upon creating a peer environment in which
'hackers' can share information and ideas, and we accomplish that through
our Zebulun puzzle and ranked forums, which serve to stratify discussion
groups by comparative technical ability. We tend to focus on 'n00bs',
largely because they are the group that has the most difficulty finding peer
groups to become involved in, because they are the group that most often
needs the technical and ethical guidance that CyberArmy provides, and
because they are the group that is most receptive to this guidance.

I suppose that what I find most inspiring about the CyberArmy is its
tendency to regulate itself. People who are interested in 'hacking hotmail'
tend to gravitate together, and not pester people who are not interested in
it, and when they don't, the community rapidly takes corrective action on
its own. This is a model that I would like to see extend to the rest of
the Internet; spammers and kiddie-porn dealers should be possible to
identify and remove from the networks without the necessity to monitor
*everyone's* email, through some regulatory or enforcement organization that
is largely unrepresentative of the users that it is chartered to protect.

I like that CyberArmy gives its members a reason to *think* about social
ethics, and to decide upon what they should be, rather than to simply accept
what is established, without reasoning. I find that to be a fundamental
failing of modern society - that we frequently simply accept law, as the
determinant of social ethics, instead of requiring law to be guided by them.
When people use *judgement*, rather than rely solely upon law, then
people are much more likely to treat one another with fairness.
Externally imposed rules are for people who lack the judgement skills to
figure out how best to behave, without them. And most rules, today, are
externally imposed. I believe that when people *think* about social ethics,
it usually results in a moral fiber that is founded in an honest *belief* in
the moral behavior that they come up with - and that this makes for
infinitely better Internet citizens, than rules or laws that are supported
only by a deterrent fear of reprisals. I think that such people usually
come up with better behavior than the minimum standards that rules and law
do, as well.

Astalavista: Cyberarmy runs a challenge - Zebulun, which happens to be a very
popular one. How many people have already passed the challenge, and what
are you trying to achieve with it besides motivating their brain cells?

MrYowler: About 200,000 people have participated in the Zebulun challenge, over the
years, to one extent or another. Because the challenges are changed, over
time (to discourage 'cheating', and to keep them challenging, during
changing times), the definition of "passed the challenge" is somewhat
variable. Approximately 300-400 people have completed all of the challenges
that were available to them, to obtain the highest possible rank that one
can reach, by solving the puzzles. That has traditionally been "Kernel"
(the misspelling is an intentional pun) or "General", and it is presently
"Kernel". At the moment, the Kernel puzzle seems to be too advanced, and
will probably have to be changed. There are seven puzzles, and our intended
target is that there should always be about a 2:1 ratio of players, from one
rank to the next. This guarantees that the puzzles will be challenging to
most players, without being discouraging.

Of course, we like encouraging people to learn. More importantly, I'm
trying to get people to *think*. Anyone can become educated about technical
systems; this only requires time and dedication to the task. And while that
is an important thing to do, it is already heavily stressed in schools, and
throughout most societies and cultures. Smart people know a lot of things.

But this is not entirely true. Most smart people have come to realize that
"knowledge is power" - but it is not the knowledge that makes them smart.
As with static electricity, which is expressed only as voltage potential -
until it strikes the ground as lightning - knowledge is not expressed as
power, until someone *thinks*, and applies that knowledge to some useful
purpose. Socrates was effectively an illiterate shoe-salesman (a cobbler),
but he is considered a great philosopher, because he took the little bit that
he knew about the world, and *thought* about it. Not only that, but he
convinced others to think about it, as well. Einstein was a mediocre
mathematician and generally viewed as a quack, until his thinking was
expressed in the form of nuclear energy. *Thought* is what separates the
well-educated from the brilliant - and most successful 'hackers' rely much
more upon *thought*, than upon an exhaustive understanding of the systems
that they target. Not that having such knowledge isn't helpful... :)

I am trying to get people to *think* - not only about intrusion tactics, but
also about defensive measures, motivations, risks, ethics, and about life in
general. Too much of the world around us is taken for granted, and not
questioned. Not thought about. I am trying to make the art of questioning
and *thinking*, into a larger part of people's lifestyles.

Astalavista: How did the infosec industry evolve based on your observations since
1998? Is it getting worse? What are the main reasons behind it? Crappy
software or the end users' lack of awareness?

MrYowler: In its early years, the infosec industry was largely dominated by the
mavericks - as is true with most developing industries. A few people
dominated the profession, with their independence - it gave them the freedom
to tell the business world how things should be, and to walk away, if the
business world was unwilling to comply. Today, we see less of that, and
while the industry is still largely dominated by such people, the majority
of people whose job is to implement system security, are much more
constrained by resource limitations.

Essentially, there are two groups of people in the defensive side of this
industry; the policy-makers and the implementors. Policy-makers are usually
corporate executives, CISOs, legislators, consultants, or otherwise figures
of comparative authority, whose job it is to find out what is wrong with
system security, and to come up with ideas about how to fix it.
Implementors are usually the ones who are tasked with implementing these
ideas, and they are usually system or network administrators, programmers,
security guards, or otherwise people whose influence on things such as
budget and staff allocation, is insignificant. As a rule, the policy-makers
make a great deal of money, establishing policies that they have very little
part in implementing, and often these policies have a significant impact
upon the work loads and environments of implementors.

It is all well and good, for example, to decide that there will be no more
use of instant messenger software in the workplace. Stopping it from
occurring, however... while remotely possible, by employing purely
technical measures, it is certainly not desirable or inexpensive. Even
monitoring for it can require staff resources which are rarely allocated for
the task, and the effect of draconian security measures - or penalties for
non-compliance - is usually much more damaging to workplace productivity
than the instant messengers ever were. For some reason, policy-makers have
abandoned the basic principle of system design; "involve the user" - and
have limited themselves to requiring the support of executive management.
Security policy is surprisingly cheaper, faster, and easier to achieve
compliance with, when it also has the support of the rank-and-file members
of an organization - and not the kind of support that is achieved putting a
professional gun to their heads, by requiring people to sign compliance
agreements. Rather, the support that is achieved by giving the employees a
sense of personal investment in the security of the system. User awareness
is fairly easy to achieve, although users will tend to disclaim it, when
caught in a violation or compromise. Creating accountability documents,
such as security policy compliance agreements, may combat these disclaimers;
but the most truly effective approach is not to just tell the users and
demand compliance - but to give the users a voice in it, and the desire to
strive for it. In many cases, the users have excellent ideas about areas
where system security falls down - and similarly excellent ideas about how
to fix it.

Policy-makers have to bridge the gap between themselves and implementors, or
security will always be 'that pain-in-the-ass policy' which people are
trying to find ways to work around. And instead of the draconian Hand of
God, which appears only so that it can smite you down; security needs to
become the supportive friend that you can always pick up the phone and talk
to, when you have a question or a problem.

That having been said, there is another problem with modern security
practices, that is worth giving some attention to...

Because security has traditionally been sold to organizations, as a way to
prevent losses that result from security compromises, these organizations
have begun to assign values to these compromises, and these values determine
the extent to which these organizations will go, to prevent them. While
perfectly reasonable and sensible from a business perspective, these values
are determined largely by educated guessing, and the value of a compromise
can be highly subjective, depending upon who is making the assessment.

Remember - if your credit information gets into the hands of someone who
uses it to print checks with your name on them, you could spend years trying
to straighten out your credit with the merchants who accept these checks.
It can impact your mortgage interest rates, or prevent you from getting a
mortgage, at all - and it can force you to carry cash, in amounts that may
place you in considerable personal danger. The organization which pulls a
credit report on you, to obtain this information, however, stands very
little to lose from its compromise, since you are unlikely to ever
determine, much less be able to prove, that they were the source of the
compromise. So, what motivates them to guarantee that all credit report
information is properly protected, destroyed and disposed of? What's to
stop them from simply throwing it in the garbage? And what happens to it,
if they go out of business, or are bought out by some other company? To
what extent do they verify that their employees are trustworthy?

*This* is typically where security falls down. Remember; security is the
art of protecting *yourself* from harm - not necessarily your customers,
your marketing prospects, or anyone else. As a result, most of the effort
to secure systems, goes into protecting the interests of the people who
*operate* those systems - and not necessarily the users of them, or the data
points that they contain information about. In many cases, legal
disclaimers and transfers of liability replace actual protective
countermeasures, when it comes to protecting things that *you* care about -
and in still other cases, a lack of accountability suffices to make an
organization willing to take a chance with your security, out of a
commercial interest in doing so. Marketing entities often openly sell your
information, or sell the use of your information to market things to you,
and make no bones about doing so - after all, it's not their loss, if your
information gets misused - it's yours.

This is a fundamental problem in information security, and for
many of us it costs our personal freedom. The government needs access to all of our
emails, without the requirement to notify us or get a warrant to access the
information, because we might be drug dealers or child molesters. And I
worry that some child molester will gain access to the information, through
the channels that are made available to government. Amazon.com stores our
credit information, in order to make it easier for us to buy books through
them, in the future - and I worry that all someone needs is the password to
my Amazon.com account, to start ordering books on my credit card. Every
time that I fill out an application for employment, I am giving some filing
clerk access to all the information required, to assume my identity. That
information is worth a great deal, to me - how much is it worth, to them?
Enough to pay for a locking cabinet, to put it into? Enough to put it into
a locked office? Enough to alarm the door? Enough to get a guard to
protect the facility in which it is stored? Enough to arm the guard?
Enough to adequately shred and destroy the information, when they dispose of
it? Enough to conduct criminal background investigations on anyone that has
access to the information? Or do they just get some general corporate
liability insurance, and figure that it's an unlikely-enough circumstance,
that even if it happens, and I'm able to trace it back to them, and make it
stick, in court, that it's worth the risk of a nuisance liability lawsuit?

At its core, information security is failing, for at least these two
reasons: 1) for all the talk that goes on, very little in the way of actual
resources are devoted to information security; and, 2) people and
organizations usually show comparatively little interest in anyone's
security but their own.

Astalavista: Mr.Yowler, lately we've seen an enormous flood of worms in the wild,
what do you think is the reason?

MrYowler: Firstly, these worms exploit errors in upper-layer protocols of networks and
network applications. Because network applications are proliferating at an
ever-increasing rate, the possible ways to exploit them are also increasing
at this geometric rate - and people who are interested in exploiting them,
therefore have more things to work with.

Secondly, there is a glut of information technology talent in the United
States, perhaps thanks, in part to the collapse of the Internet economy -
and also, in part, thanks to the rush to outsource technology jobs to
overseas entities. Additionally, third-world countries have been developing
technical talent for some years, now, in an effort to become competitive in
this rapidly-growing outsourcing market. This has created an environment
where technical talent is plentiful and cheap - and often disenfranchised.

In some cases, these worms are written by kids, with nothing better to do -
and that has always been a problem, which has grown in a linear way, as more
and more advanced technical education has begun to become available to
younger and younger students.

In other cases, this is the technical equivalent of "going postal", in which
a disenfranchised technology worker creates a malicious product, either as a
form of vengeance, or in the hope of creating a need for his own technical
talents, as a researcher of considerable talent, with regard to the worm in
question. Surprisingly many people who might otherwise never find work in
the technical or security industries, are able to do so, by making a name
for themselves through criminal activity or other malicious behavior. While
demonstrating questionable ethics, it also demonstrates technical talent,
and the notoriety is sometimes more valuable to a company, than the damage
that they risk by hiring someone whose ethics are questionable. Many people
are employed or sponsored in the lecture circuit, for this reason; they did
something that bought them notoriety - good or bad - and their employer/s
figure that they can benefit from the notoriety, without risking a lot of
possible damage, by putting these people on the lecture circuit.

In an increasing number of cases, these disenfranchised technology workers
are actually employed for the specific purpose of creating malware, by
spyware, adware, and spam organizations, as I will cover in the next
question. When one is forced to choose between one's ethics and feeding
one's children, ethics are generally viewed as a luxury that one can no
longer afford. I, myself, am currently under contract to a spammer, since I
am now approximately two weeks from homelessness, and better offers have not
been forthcoming. I'm writing an application which will disguise a process
which sends out spam, as something benign, in the process listing, on what
are presumably compromised *nix hosts. The work will buy me approximately
one more week of living indoors, which is really not enough to justify the
evil of it, but I am in no position to refuse work, regardless of the
employer. And indeed, if I did not accept the contract, and cheaply, then
it is quite likely that someone from a third-world country would have done
so - and probably much more cheaply than I did.

Astalavista: Recently, spammers and spyware creators started using 0-day browser
bugs, in order to disseminate themselves in ways we didn't consider
serious several months ago. Did they get smarter and finally realize
the advantages of a 0-day exploit, compared to those of an outdated and
poisoned e-mail database?

MrYowler: As indicated in the previous question, spam, spyware and adware
organizations are beginning to leverage the fact that there is now a glut of
technical talent available on the world market, and some of it can be had,
very cheaply. These organizations have been taking advantage of technical
staff that could not find better work for a long time. As more people who
possess these talents, find themselves unable to sustain a living in the
professional world; they are increasingly likely to turn to the growing
professional underground.

Employment in the security industry is no longer premised on talent,
ability, education, skill, or professional credentials, and there are
essentially three markets that are increasingly reachable, for the malware
professional world. 1) Third-world nations with strong technical
educational programs are simply screaming for more of this sort of
comparatively lucrative work to do. 2) Young people who lack the age or
credentials to get picked up professionally, by the more respectable
organizations, often crave the opportunity to put 'hacking' skills,
developed in earlier years, to professional use. 3) Older technology
workers, finding it difficult to find work in a market dominated by
under-30-year-old people, often have large mortgages to pay, and children to
put through college, and are willing to take whatever work they can find -
if not to solve their financial problems, then perhaps to tide them over
until a better solution presents itself.

It's not so much that spam, spyware, and adware marketers have become
smarter, as it is that greater technical talent has become available to them.
The same people who used to develop and use blacklists, and filter spam
based upon header information for ISPs that have since gone bankrupt or been
bought out, are now writing worms that mine email client databases, to
extract names and addresses, and then use this, combined with email client
configuration information, to send spam out from the user's host that the
addresses were mined from. They are using the user's own name and email
address, to spoof the sender - even using the SMTP server provided to the
victim, by their ISP, to deliver the mail. This effectively permits them to
relay through servers that are not open relays, and distributing the traffic
widely enough to stay under the spam-filtering radar of the sending ISPs,
and to evade the blacklisting employed by the receiving ISPs. It also
permits them to leverage the victim's relationship to the recipients of the
spam, in order to get them to open and read it - and sometimes, to get them
to open attachments, or otherwise infect themselves with the worm that was
used to reach them. The spammers have not previously been able to hire
talent of this grade, very often - now, this talent is often not only
available, but often desperate for cash, and therefore willing to work.

It's a bit like an arms race. In the rush to develop enough technical
talent to defend against this sort of thing, we have developed an
over-abundance of talent in the area - and that talent is now being hired to
work against us. This will presumably force people to work even harder at
developing countermeasures, and repeat the cycle. Assuming, of course, that
the threat is taken seriously enough by the public, to keep the arms race
going. After all - once everybody has enough nuclear weapons to destroy all the
life on Earth, then there isn't much point in striving to build more. You
just have to learn to deal with the constant threat of extinction, and try
not to take it too seriously - since there isn't really anything to be done
about it, any more. We seem to be rapidly approaching this mentality, with
regard to malware.

Astalavista: What is your opinion on ISPs that upgrade their customers' Internet
connections for free, while not providing them with enhanced security
measures in place? To put it in another way, what do you think is going
to happen when there're more and more novice ADSL users around the
globe, who don't have a clue about what is actually going on?

MrYowler: This comes back around to the second point, with regard to the problems of
information security, today. People have little interest in anyone's
security but their own.

The ISPs *could* block all outgoing traffic on port 25, unless it is
destined for the ISP's SMTP servers - and then rate-limit delivery of email
from each user, based upon login (or in the case of unauthenticated
broadband, by IP address). This is a measure that would have effectively
prevented both the desktop server and open relay tactics that I described in
my paper, "Bulk Email Transmission Tactics", about four years ago, and it
would severely constrain the flow of spam from zombie hosts in these user
networks. The problem is that they don't care. They only care when the
spam is *incoming*, and then they can point fingers about how uncaring
someone else is. The same holds true for individual users.

It is neither difficult nor expensive to implement a simple broadband
router, to block most incoming traffic which would be likely to infect user
hardware with malware. It is also not difficult or expensive to implement
auto-updating virus protection, spyware/adware detection/removal, and
software patching. It could be done even more cheaply, if ISPs were to
aggregate the costs, for all of their users, and buy service contracts for
this kind of protection, in bulk, for their users, and pass the cost along
as part of the 'upgraded' service. Unfortunately, the nominal cost of doing
so, would have to be borne by users who do not take the threat seriously,
and who only care about the threat, when it has a noticeable impact on them.
Since many of the malware packages are designed *not* to have a noticeable
impact on the user - using them essentially as a reflection, relay, or
low-rate DDoS platform, or quietly extracting data from their systems which
will be abused in ways not directly traceable to their computer - these
users do not perceive the threat to be real, and are therefore unwilling to
invest - even nominally - in protecting themselves from it. ISPs are not
willing to absorb these costs, and they are not willing to risk becoming
uncompetitive, by passing costs on to their subscribers; so they pay lip
service to questions of security and antispam service, and perform only the
most minimal tasks, to support their marketing claims.

As with most organizations, the security of the organization itself, lies at
the focus of their security policies. The security of subscribers, other
network providers, or other Internet users in general, is something that
they go to some trouble to create the perception that they care about, but
when the time comes to put their money where their mouths are, it's just not
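
The per-login (or per-IP, for unauthenticated broadband) outbound-mail rate limit MrYowler proposes above, together with the address-book-mining worm behaviour he describes in the previous answer, as an added defender's example that is not part of the newsletter and not MrYowler's own code: a Python check that runs a sliding one-hour window over constructed SMTP submission log lines and flags any sender key that exceeds either a message count or a distinct-recipient count. The log format, the sender names, the sample traffic and the thresholds are all assumptions made for this example.

```python
"""Sliding-window outbound-mail check over constructed SMTP submission logs.

Added example, not the newsletter's or MrYowler's code. It models an ISP-side
per-login rate limit (per source IP for unauthenticated broadband) and also
flags a burst of distinct recipients, the pattern left by a worm that mines a
victim's address book and relays through the ISP's own SMTP server.
Log format, names and thresholds are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format, one submission per line:
#   <ISO timestamp> <login or source IP> <envelope sender> <recipient>
START = datetime(2004, 5, 12, 9, 0, 0)


def _lines(key, sender, n, step, distinct):
    """Build n constructed submissions for one sender key, `step` apart."""
    out = []
    for i in range(n):
        ts = START + step * i
        rcpt = f"victim{i if distinct else 0}@example.com"
        out.append(f"{ts.isoformat()} {key} {sender} {rcpt}")
    return out


# Constructed sample log: a normal user, a slow but steady sender that stays
# under the limit because the window slides, a compromised host spraying
# distinct recipients, and an unauthenticated broadband IP hammering one address.
SAMPLE_LOG = "\n".join(
    _lines("alice", "alice@example.net", 3, timedelta(minutes=10), True)
    + _lines("carol", "carol@example.net", 30, timedelta(minutes=10), False)
    + _lines("wormhost", "bob@example.net", 18, timedelta(seconds=20), True)
    + _lines("10.0.0.7", "dave@example.net", 25, timedelta(seconds=20), False)
)


def parse_line(line):
    """Split one assumed-format log line into (timestamp, key, sender, rcpt)."""
    ts, key, sender, rcpt = line.split()
    return datetime.fromisoformat(ts), key, sender.lower(), rcpt.lower()


def find_offenders(log_text, window=timedelta(hours=1), max_msgs=20, max_distinct=15):
    """Return {sender_key: reason} for keys exceeding either limit in any window."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # key -> deque of (ts, rcpt) inside the window
    flagged = {}
    for ts, key, _sender, rcpt in events:
        q = recent[key]
        q.append((ts, rcpt))
        # Drop submissions that have aged out of the window (events are sorted).
        while ts - q[0][0] > window:
            q.popleft()
        if key in flagged:
            continue  # report each key once, with the first limit it broke
        if len(q) > max_msgs:
            flagged[key] = f"{len(q)} messages in the last {window}"
        else:
            distinct = len({r for _, r in q})
            if distinct > max_distinct:
                flagged[key] = f"{distinct} distinct recipients in the last {window}"
    return flagged


if __name__ == "__main__":
    for key, reason in find_offenders(SAMPLE_LOG).items():
        print(f"{key}: {reason}")
```

The distinct-recipient rule is the one that catches the worm traffic described in the interview: a worm sending from the victim's own account through the ISP relay need not exceed a raw message quota, but it does mail many addresses it has never written to before in a short burst.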

Astalavista: Thanks for your time.

MrYowler: Any time... :-P

11. Security Sites Review

The idea of this section is to provide you with reviews of various highly interesting
and useful security related web sites. Before we recommend a site, we make sure that it provides
its visitors with quality and a unique content.


DSInet.org provides its visitors with information, files, tools, news items, columns, opinions and an editorial from
a Dutch point of view.


A well known and quality security site, CGI Security resources, interesting files, papers etc.


The conspiracy site, freedom of information!


Your source for information security, daily updates, viruses and malicious code articles and downloads etc.


All the news in one page, recommended link if you haven't visited this before.

12. Astalavista needs YOU!

We are looking for authors that would be interested in writing security related
articles for our newsletter, for people's ideas that we will turn into reality with their help and for anyone who
thinks he/she could contribute to Astalavista in any way. Below we have summarized various issues that might
concern you.

- Write for Astalavista -

What topics can I write about?

You are encouraged to write on anything related to Security:

General Security
Security Basics
Windows Security
Linux Security
IDS (Intrusion Detection Systems)
Malicious Code
Enterprise Security
Penetration Testing
Wireless Security
Secure programming

What do I get?

Astalavista.com gets more than 200,000 unique visits every day, our Newsletter has more than
22,000 subscribers, so you can imagine what the exposure of your article and you will be, impressive, isn't it!
We will make your work and you popular among the community!

What are the rules?

Your article has to be UNIQUE and written especially for Astalavista, we are not interested in
republishing articles that have already been distributed somewhere else.

Where can I see a sample of a contributed article?


Where and how should I send my article?

Direct your articles to dancho@astalavista.net and include a link to your article. Once we take a look
at it and decide whether it is qualified enough to be published, we will contact you within several days,
please be patient.

Thanks a lot all of you, our future contributors!

13. Astalavista.net Advanced Member Portal Promotion

- May offer Save 10% until 05/30/04 $26 - 6 months Membership
- May offer Save 20% until 05/30/04 $79 - PREMIUM (Lifetime)

Astalavista.net is a world known and highly respected Security Portal offering
an enormous database of very well-sorted and categorized Information Security
resources, files, tools, white papers, e-books and many more. At your disposal
are also thousands of working proxies, wargames servers where all the members
try their skills and most importantly - the daily updates of the portal.

- Over 3.5 GByte of Security Related data, daily updates and always working
- Access to thousands of anonymous proxies from all over the world, daily updates
- Security Forums Community where thousands of individuals are ready to share
their knowledge and answer your questions, replies are always received regardless
of the question asked.
- Several WarGames servers waiting to be hacked, information between those
interested in this activity is shared through the forums or via personal
messages, a growing archive of white papers containing info on previous
hacks of these servers is available as well.

The Advanced Security Member Portal

--- Thawte Crypto Challenge V ---

Crypto Challenge V Now Live!
Pit your wits against the code - be the first to crack it and win an Archos Cinema to Go.

Click here to grab the code and get started:

--- Thawte Crypto Challenge V ---

14. Final Words

Dear Subscribers,

Once again, we would like to thank everyone who contacted us, submitted articles for future issues, and proposed
various ideas for the newsletter. We're doing our best at providing you with the most up-to-date and interactive summary
of the month's security events and major threats everyone is facing while online. Issue 7 will be improved with several
new and very informative sections, so watch out!

Editor - Dancho Danchev

Proofreader - Yordanka Ilieva