Default newsletter Issue #7
http://default.net-security.org
19.10.1999

Help Net Security
http://www.net-security.org

TABLE OF CONTENTS
-----------------
I. Editorial
II. Default mirrors
III. Defaced pages
IV. 5 reasons why your Mac is safer than Wintel
V. Setting up a great desktop Linux
VI. How to make a safe Windows 95 based server
VII. Apple Power Mac G4
VIII. Web based encrypted e-mail (critic and the response)
IX. More from the ACPO front
X. Welcome to the wonderful world of cellular phreaking
XI. Unix logging and auditing tools
XII. Freedom of speech related incidents

I. Editorial
-----------------
Hey again. After another box of Marlboro Lights (bless them :) the texts are re-formatted and you are reading the new issue of the Default newsletter. Three weeks have passed since issue no. 6, but we were busy redoing HNS. If you don't know, 26.10.1999 is our first anniversary, and HNS will change a little (for the better, of course :). We have four new mirrors and a lot of new subscribers. If you don't know, the HNS/Default webboard is open now. Do join the discussions or give comments and ideas at the following URL:
http://net-security.org/webboard.html

Enjoy reading,
For the HNS and HNS Default Crew:

Berislav Kucan aka BHZ, webmaster Help Net Security
bhz@net-security.org

Xander Teunissen aka Thejian, co-webmaster Help Net Security
thejian@net-security.org

Subscribing information: mail majordomo@net-security.org with a message in the body "subscribe news youremail"

II. Default mirrors
---------------------
http://www.nwo.net/default
http://www.403-security.org/default
http://www.monitor.hr/security/default
http://www.attrition.org/~modify/texts/zines/default
http://www.projectgamma.com/archives/zines/default
http://www.dark-e.com/default
http://ech0.zort.org/default
http://www.deepquest.pf/default
http://hns.crolink.net/default
http://tlsecurity.com/e-zines/
http://default.aviary-mag.com
http://packetstorm.securify.com/mag/default

If you mirror Default, please inform us, so we can add you to the list.

III. Defaced pages
-------------------
Mirrors thanks to Attrition (www.attrition.org)

Site: State of Arizona (www.state.az.us)
Mirror: http://default.net-security.org/7/www.state.az.us.htm

Site: China Material Technology Research Center (chimeb.edu.cn)
Mirror: http://default.net-security.org/7/chimeb.edu.cn.htm

Site: Viacom Brazil (www.viacom.com.br)
Mirror: http://default.net-security.org/7/www.viacom.com.br.htm

Site: Department of Electronics, India (www.doe.gov.in)
Mirror: http://default.net-security.org/7/www.doe.gov.in.htm

Site: NOAA Climate Monitoring & Diagnostics Laboratory (luey.cmdl.noaa.gov)
Mirror: http://default.net-security.org/7/luey.cmdl.noaa.gov.htm

IV. 5 reasons why your Mac is safer than Wintel
----------------------------------------------------
I know that's an old story, an old flame-war opener. Well, it's a sad reality that Wintel can't admit, or is it Mac users who are wrong? All of the following descriptions assume that you don't have an anti-virus or firewall, just the default configuration without any update patches.

1 - Viruses
Mac users are also affected by viruses. But there's something I always like to do: compare the number of viruses in the virus description lists... Around 18,000 on Windows, around 75 times less on Mac. Just a fact :-) Why is that?
The main reason is that it's hard to code a sophisticated virus. The best ones today can just read your Internet preferences file and forward it to an e-mail account, or corrupt files, but they can't affect hardware. On Wintel a virus can deeply affect your computer; in the worst case you can even trash your motherboard, which was the case with viruses like CIH. The kinds of infection are also very different (thanks to the OS); there are 3 main types of virus on Wintel:
* Affecting files: injecting code into a file or an executable (*.exe, *.com etc.); they're resident in memory.
* Affecting boot sectors: no matter if the disk contains the operating system or not, you'll have to reinstall everything in most cases. Usually the first sector (face ?, track ?, sector 1).
* The trojan: they allow a remote person to do anything on the computer. It's not dangerous at all in itself; it's only the use that the person will make of it. It's different.
On Mac you won't find any trojan with such control over your system. The only one that could look like NetBus or Back Orifice would be WDTech (http://weedo.blackout.org/WDTech_RAE_ReadMe); it's still buggy in version 1.2b1. But the other problem for a potential attacker is that you can't insert code into existing Mac software. Many Windows programs allow you to hide code in a simple JPG file.

2 - Default settings
Well, from the registry to network shares, Windows 9x (less so NT) has more holes than Swiss cheese. I could say a lot, but just read Bugtraq.

3 - Burst the stack
Denial of Service attacks against a Mac are highly difficult thanks to the Open Transport structure (the Mac OS TCP/IP interface). Who never had fun with poor port 139 open? Of course you could patch, but for common users it was not so important. Even a SYN flood attack doesn't bother Open Transport that much. I abused my Mac badly from other OSes with DoS tools, from Windows network hacking toys to LinuxPPC network toys. I never had to restart my computer.

"I sense much NT in you. NT leads to Blue Screen. Blue Screen leads to downtime. Downtime leads to suffering. NT is the path to the darkside." - Unknown Unix Jedi*

4 - Most reliable OS to run a webserver
I know I could easily use the example of the US Army website, which switched to WebSTAR running on Mac OS; damn, I did! Most hacked sites were running NT Server according to Attrition**. It's very safe; I didn't say unhackable, but the safest. The only reported site running a Mac system (Mac OS X) was the only one for a long time, whereas 82 servers were reported for the month of September. Mac OS X with the Apache server allows more hits (connections) on a site than regular Mac OS, so forget the argument that a Mac OS based webserver can serve fewer connections. It was more or less true... but in the past. Another interesting fact is that if you plan to run a webserver on Win95 (yes, some are doing it! look at netcraft.com), don't forget that you have to restart it every 45 days; it can't stay on-line longer.

5 - Y2K issues? Think Y3K!
Y2K is a very "a la mode" word for several reasons. First, it's good business for many companies around the world. Then it can be total chaos for a Wintel box; even if simulations in big companies were done very often over the past months, even if they applied 10,000 patches, it remains just a simulation. Not only Wintel computers or software are a potential source of issues; Unix too, even if its chaos day will come later, on 1 Jan 2047. Mac OS has been Y2K compliant since 1984 and is compliant until the year 29,940...

"We may not have got everything right, but at least we knew the century was going to end." - Douglas Adams

According to Information Week (http://www.techweb.com/se/directlink.cgi?IWK19980525S0037) the Y2K software fix will cost $600 billion. Well, at that price you can get 500,417,014 iMacs at $1199 each; if you place this order I'm sure you'll get a discount.

deepquest had an injection of Mac OS when he was 9 years old; 18 years later he's a sysadmin who'd pay to work on Mac OS X.
--Deepquest
Patience is key to knowledge
deepquest@default.net-security.org

credits:
Unknown Unix Jedi*: ripped from http://www.attrition.org/quotes/msoft.html
** hacked OS stats, Attrition: http://www.attrition.org/mirror/attrition/os.html

V. Setting up a great desktop Linux
-----------------------------------
The problem: as most Linux distributions do not have a predefined graphic interface which looks nice by default, a few common misconceptions appear:
1) Linux does not have a complete, good looking graphic interface (GUI)
2) Setting things up requires a lot of work

Well, how is the X system designed? The base of the GUI is the X server, that is, the appropriate binary for your graphic card. Those binaries usually reside in /usr/X11R6/bin/ and are named XF86_xxxx, where ``xxxx'' is the specific server. Which server to start is determined by a file ``X'', which is a symbolic link to one of the real server binaries. The symbolic link ``X'' is located in /etc/X11 (or in /var on SuSE machines). Let's say we have the XF86_VGA16 server (the one compatible with all VGA cards) in /usr/X11R6/bin. To make it the server that runs, one has to issue:
  cd /etc/X11; rm X; ln -s /usr/X11R6/bin/XF86_VGA16 X

An X server cannot be started without a proper config file, /etc/XF86Config. As this file usually needs changes before it becomes useful, the ``XF86Setup'' binary is provided. Run that command and select the parameters you want. Changes will be saved upon exit, and you will have your X server configured. If it doesn't work, you may modify XF86Config manually, or create the symbolic link manually, as described above.

When the X server is started, a specific ``window manager'' is invoked. The window manager is actually an X server client. A few good ones are icewm (Gnome based), kwm (part of KDE), and WindowMaker. To say which window manager to run:
- on SuSE Linux: set the WINDOWMANAGER environment variable to the filename of the wm, i.e.
  export WINDOWMANAGER="/usr/X11R6/bin/icewm"
- on Debian Linux: edit the .xsession file: icewm
- on RedHat: edit the .xinitrc file.

Recently we have seen so many GUIs on Linux, and now the problem is choosing one. When you count all the window managers, their themes and more, it looks like a big mess and you end up confused. This document will try to give you an idea.

As a perfect desktop I see the icewm window manager, supported by Gnome and KDE applications. KDE itself has its own kwm window manager, but it takes too many resources to load, and I am not quite satisfied with its design (kwm is a Windows95-like, enhanced environment). On the other hand, Gnome's Enlightenment window manager just isn't a good choice for a unified environment. icewm is very fast and small, and has all the nice features like themes (which completely change your screen, not just colors), keyboard shortcuts (alt+tab), system and network load meters in the taskbar, etc.

I would also prefer Gnome over KDE apps since Gnome is more unix-like, but KDE developers have a huge number of GUI-ported or newly created applications, which do look promising. Gnome is based on gtk (the Gimp ToolKit), and KDE works on the Qt library, a set of widgets from Troll. Since the X server supports multiple widget types that is not a problem; old applications which do not have a modern interface still work with the old Athena widgets :) Gnome has its own setup system, control-panel-like, but the changes do not affect non-Gnome applications. An advantage of kwm is that, after you set the colors, design etc., it gives a unified look and feel to all applications and windows.

The XFree86 X server isn't designed very well. Besides having some limited keyboard options compared to the console, it does not handle anything except the graphics, and X servers are rather messy. Things began to change: the new 3.3.5 server has support for more graphic cards, and the S3 Savage4 server is contributed by S3 itself (S3 bought Diamond, btw..).
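The server-symlink and window-manager steps above, as an added Python example (not code from the article): it reads which XF86_* binary the X link points to, switches it only when the requested name is a plain XF86_* binary that exists and is executable in the server directory (so the link can never be pointed at some other program), swaps the link in one rename instead of rm + ln, and reads back the window manager a distribution's mechanism will start. The /etc/X11 and /usr/X11R6/bin locations are the article's; the directory arguments and the scratch tree in demo() are constructed so it runs anywhere.

```python
import os
import re
import tempfile

# Only real server names: no slashes, no "..", nothing outside bin_dir.
SERVER_NAME = re.compile(r"^XF86_[A-Za-z0-9]+$")


def current_server(x11_dir):
    """Return the server binary the X link in x11_dir resolves to, or None."""
    link = os.path.join(x11_dir, "X")
    if not os.path.islink(link):
        return None
    return os.path.realpath(link)


def select_server(x11_dir, bin_dir, server):
    """Point x11_dir/X at bin_dir/server.

    Same effect as the article's
        cd /etc/X11; rm X; ln -s /usr/X11R6/bin/XF86_VGA16 X
    but the target is checked first and the link is replaced atomically,
    so there is no moment without an X link if something runs in between.
    """
    if not SERVER_NAME.match(server):
        raise ValueError(f"not an XF86 server name: {server!r}")
    target = os.path.join(bin_dir, server)
    if not (os.path.isfile(target) and os.access(target, os.X_OK)):
        raise FileNotFoundError(f"{target} is not an executable X server")
    link = os.path.join(x11_dir, "X")
    tmp = os.path.join(x11_dir, ".X.tmp")
    if os.path.lexists(tmp):
        os.unlink(tmp)
    os.symlink(target, tmp)
    os.replace(tmp, link)  # rename over the old link: atomic on POSIX
    return target


# Per-distribution startup file holding the window manager (from the article).
WM_FILES = {"debian": ".xsession", "redhat": ".xinitrc"}


def configured_wm(distro, home, environ=None):
    """Which window manager will start: $WINDOWMANAGER on SuSE, else the
    last command in the user's startup file (an 'exec' prefix is dropped)."""
    environ = os.environ if environ is None else environ
    if distro == "suse":
        return environ.get("WINDOWMANAGER")
    path = os.path.join(home, WM_FILES[distro])
    if not os.path.isfile(path):
        return None
    with open(path) as f:
        cmds = [ln.strip() for ln in f if ln.strip() and not ln.startswith("#")]
    if not cmds:
        return None
    words = cmds[-1].split()
    return words[1] if words[0] == "exec" and len(words) > 1 else words[0]


def demo():
    """Constructed scratch tree standing in for /etc/X11, /usr/X11R6/bin
    and a home directory; returns what each step observed."""
    root = tempfile.mkdtemp()
    x11 = os.path.join(root, "etc", "X11")
    bindir = os.path.join(root, "usr", "X11R6", "bin")
    home = os.path.join(root, "home", "user")
    for d in (x11, bindir, home):
        os.makedirs(d)
    for name in ("XF86_VGA16", "XF86_SVGA"):  # stand-in server binaries
        path = os.path.join(bindir, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, 0o755)
    select_server(x11, bindir, "XF86_SVGA")
    before = os.path.basename(current_server(x11))
    select_server(x11, bindir, "XF86_VGA16")  # the article's VGA16 case
    after = os.path.basename(current_server(x11))
    try:  # a path outside the server directory must be refused
        select_server(x11, bindir, "../../../bin/sh")
        rejected = False
    except ValueError:
        rejected = True
    with open(os.path.join(home, ".xsession"), "w") as f:
        f.write("# started by xdm\nexec icewm\n")
    return before, after, rejected, configured_wm("debian", home)


if __name__ == "__main__":
    print(demo())
```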
The XF86 server version 4 should be a great enhancement; it will, besides other things, support servers as modules, but, rather ironically, if XF86 continues at the same speed as until now, we'll wait for it a long time :) Also, they are to implement the Xprint server, which will finally solve all problems with Linux printing.

Summary? Yes, icewm, Gnome and KDE apps.

Where to get it? Most of it is included in modern distributions like SuSE 6.1, 6.2, RedHat 6.0, Debian 2.1. If you don't have them, or want more recent packages from the Internet, you can find them on many distribution sites (suse.com, redhat.com, debian.org, kde.org, gnome.org, xfree86.org). Also, this subject is getting a bigger and bigger audience, so I will open a ``screenshots'' section on www.net-security.org/linux.

dev@net-security.org, www.net-security.org/linux

VI. How to make a safe Windows 95 based server
-----------------------------------
It is sadly true that today there is a 1:10 chance that your box will be attacked successfully. Web admins try to protect their boxes in these ways:
1) Buying an expensive hardware firewall
2) Setting up a Windows NT firewall
3) Using a Linux box as a firewall
4) Using a Mac so they confuse attackers

The first choice is the worst one, because:
1) It gives you the illusion that, because of its price, you are safe from all attacks.
2) Upgrades are hard to obtain and often hard to install
3) The next three choices are better :)

The second choice has its own flaws:
1) As in 1) for the hardware firewall
2) Microsoft is lazy
3) There are cheaper things than Windows NT

The third choice is the best, but:
1) It is too complicated to manage if you are not properly educated, and even then your box can be compromised (Symantec etc).

The fourth choice is second after the third one, but:
1) There are only a few Macs that serve as servers, so the public doesn't know about their flaws yet. When the ratio of Macs installed as servers grows, more exploits will be known.
In my opinion the third choice is the best one, but as I said it is too complicated to be managed by a newbie user and it won't do you any good. If you don't know what hit you and how to stop it, what's the use? So, the best thing you can do is to use the OS and software that you are familiar with, and that is Windows 95 (OSR2, 98... it's all the same).

Why? You should do it that way because:
1) It is cheaper than Windows NT, Mac or a hardware firewall
2) It is not as complicated as Linux
3) There is lots of shareware that can do what you want it to do

You shouldn't do it that way if you want your box to be:
1) An online store
2) A mission critical server
3) Receiving lots of visits per day
4) You do something important and your reputation is also very important to you.

Soooo, let's go! Things you will need:

Windows CD. I prefer Windows 95 OSR 2 and not Windows 98.

2-4 boxes. One based on at least a PI 233; the others can be based even on a 486/120. RAM is critical here. For the server 64 MB and for the others 16-32 MB.

Now for the schemes:

a) Fairly great security

   Firewall
      I
   Firewall
      I
   Watcher----------------------Web server

b) Great security

   Firewall
      I
   Watcher----------------------Web server

c) Fair security

                                Web server
   Watcher----------------------    &
                                Firewall

Instructions will be made for the "Fairly great security" scheme with an appendix for the other two.

Preparation:

First you need to install Windows on all boxes. In order to cut expenses you have two choices:
1) Buy used Windows CDs. It is not important if they are 95, 95 OSR 2 or 98, so you can try 95. Those CDs should be sold for a bargain, because people are just crazy about 98 and they don't notice that those two things are practically the same.
2) Download security and other software from the Internet. If you have a CD recorder, put it on a CD-R so you don't need to look for it every time you need something. If your software is more than 1 month old, check the web site for new versions. You will need:
 a) Rebol. This fantastic scripting language provides you with an easy-to-learn, easy-to-use interpreter that has built-in net tools. Download it from www.rebol.com. Caution! There is a very big possibility that this scripting interpreter doesn't work on Windows 95 OSR 2, German version.
 b) Two firewalls. First I recommend Conseal Firewall (Net Security approved :). Obtain the second one from www.hotfiles.com or www.tucows.com. Why two different firewalls? You will remove the possibility that script kiddies will reach your Web server, because they will usually give up when they see two firewall servers. You will also reduce the open flaws in the firewalls (flaws that are not yet known).
 c) If you cannot run Rebol on your computer, buy something like Delphi or download Dev-C++. I discourage you from using VB, because it is unstable and bloatware.
 d) Web server. Go to www.hotfiles.com, type in "web server" and find something free. It would be great if you could make a program that checks whether the web server is running and, if not, starts another one.
 e) Antivirus and CRC checker. An antivirus that will not prevent you from using it over the network, and a CRC checker like NS Watch that will check the boxes for their applications' integrity and find new things in win.ini, system.ini and the registry Run keys.
 f) OS upgrades. The most needed OS upgrade is the one for Dial-Up Networking that has Winsock protected from the OOB attack. It would be a very stupid thing if your firewall failed in its mission because of an OOB attack.
3) Basic netkit. The netkit from Gericom (a German computer manufacturer) consists of a 5 port hub, 2x RJ45 3 m cables and 2x 10 Mbit cards and costs about 80 DEM (= 45 USD). If you are going to use 4 boxes you will need one more kit, but without the hub.
4) Boxes:
 a) Best:
    Firewalls: PII 266, 64 MB, 8 GB HDD
    Server: PII 350, 128 MB, 18 GB HDD
    Watcher: PII 233, 64 MB, 8 GB HDD
 b) Optimum:
    Firewalls: PI 166, 32 MB, 2 GB HDD
    Server: PII 233, 64 MB, 3 GB HDD
    Watcher: PI 100, 32 MB, 1 GB HDD
 c) Cheap:
    Firewalls: PI 133, 32 MB, 1.6 GB HDD
    Server: PI 233, 32 MB, 2 GB HDD
    Watcher: 486/120, 16 MB, 850 MB HDD
It is very wise to use the optimum configuration. Equipment can be damaged in attacks (viruses especially), so you will reduce the possible damage.

Setting up:

First install Windows on every box. Then configure hardware and net properties. Be sure to SET A PASSWORD in every place you can and make sure those passwords are DIFFERENT and wordlist-proof. After that install the firewall and web software. On every firewall set the same rules so that it can hold off attacks for a time. It is unwise to set, for example, one firewall to block just OOB and the other ACK flood, so that when the first firewall is down because of ACK, the second goes down because of OOB. Do not install anything unnecessary on these boxes, either software or hardware. The last thing you need to set up is the Watch box. It is the brain of everything. Install an antivirus so it checks the other boxes' hard drives at low priority (we do not want to stop the whole process because of the virus scan), then use something like our NS Watch to scan for possible changes in exe CRCs, system.ini, win.ini and registry Run keys. I will make an option in NS Watch that will enable saving logs. You could also set up a small BBS so you could check logs from outside while you are not at the place.

How safe is it?

A system with two firewalls will help you evade attacks from script kiddies. They are looking for an easy entrance and if there is none (two firewalls) then they will go away. The Watch box will protect you from trojans etc. It is high priority that you DON'T OPEN ANY e-mails on these boxes. Rather set up an e-mail server on the server box and then download the mail to a distant box. The antivirus will try to find viruses, but if you don't execute games and other unnecessary software on the system boxes you will not experience any problems.

Costs (estimated in Croatia):
2x PI 166, 32 MB, 2 GB HDD             = 600 DEM
PII 233, 64 MB, 3 GB HDD               = 500 DEM
PI 100, 32 MB, 1 GB HDD                = 200 DEM
4x Windows 95                          = 200 DEM
2x Netkit                              = 160 DEM
Web & Email server                     = free
Rebol interpreter                      = free
Delphi (for utility developing)        = 200 DEM
Antivirus (good, net scanning enabled) = 200 DEM
_______________________________________
                                        2060 DEM

For that money you can hardly get any good hardware firewall.

Appendix:
If you reduce hardware parts (fewer firewalls or none) then you are reducing system security. Easy calculations.
Do not take these prices as final. I am sure that you can reduce the funding, but think about it: for 2060 DEM you can buy just one new computer.
Of course the above prices for boxes are without a monitor. You just need the one from your present box.
You can also set up other services like news or telnet, but with them you are making your box more vulnerable.

Conclusion:
As much as I tried to present you a cheap Windows based configuration, always keep in mind that there is no Windows based configuration as good as a Linux based one. However, Windows boxes outnumber Linux ones in maintenance hours, log tracing hours etc. This configuration can serve you for a long time, and after you start to create a large amount of net traffic, change it for a Linux based one, especially if you will try to set up an online store or something like that.

For any comments contact me via goltha@net-security.org

Tomislav "Goltha" Petrovic
Net Security programmer
goltha@net-security.org

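The Watch box's job in the section above (check the executables' checksums and look for new things in win.ini, system.ini and the Run keys) as an added example; this is not NS Watch or any code from the article. It takes a baseline of every executable-like file under a directory and of the autostart entries in the two .ini files, then diffs a later snapshot against it and reports what an operator should be alerted about. It uses SHA-256 rather than a CRC, since a file can be altered so that its CRC still matches; the registry Run keys are left out because they cannot be read offline. The tree layout, file names and the tampering in demo() are constructed sample data.

```python
import hashlib
import json
import os
import tempfile
from configparser import ConfigParser

# Autostart locations the article tells the Watch box to monitor.
# (Registry Run keys are not covered: they need winreg on a live box.)
INI_WATCH = {
    "win.ini": [("windows", "load"), ("windows", "run")],
    "system.ini": [("boot", "shell"), ("boot", "drivers")],
}


def hash_file(path):
    """SHA-256 of a file, read in chunks so large .exe files don't fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root, suffixes=(".exe", ".com", ".dll", ".vxd", ".sys")):
    """Map relative path -> digest for every executable-like file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                snap[rel] = hash_file(full)
    return snap


def snapshot_ini(ini_dir):
    """Collect the watched autostart values from win.ini / system.ini."""
    found = {}
    for fname, keys in INI_WATCH.items():
        # strict=False: system.ini repeats device= lines; allow_no_value: bare lines
        cp = ConfigParser(interpolation=None, strict=False, allow_no_value=True)
        cp.optionxform = str
        cp.read(os.path.join(ini_dir, fname))  # missing file -> no values
        for section, key in keys:
            value = cp.get(section, key, fallback="") or ""
            found[f"{fname}[{section}]{key}"] = value.strip()
    return found


def take_snapshot(root, ini_dir):
    return {"files": snapshot_tree(root), "autostart": snapshot_ini(ini_dir)}


def diff_snapshots(old, new):
    """New, changed and removed executables plus changed autostart entries."""
    report = {"added": [], "changed": [], "removed": [], "autostart": []}
    of, nf = old["files"], new["files"]
    for rel in sorted(set(of) | set(nf)):
        if rel not in of:
            report["added"].append(rel)
        elif rel not in nf:
            report["removed"].append(rel)
        elif of[rel] != nf[rel]:
            report["changed"].append(rel)
    for key in sorted(set(old["autostart"]) | set(new["autostart"])):
        before, after = old["autostart"].get(key, ""), new["autostart"].get(key, "")
        if before != after:
            report["autostart"].append((key, before, after))
    return report


def save_snapshot(snap, path):
    """Keep the baseline off the watched box (the article's 'distant box')."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_snapshot(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed sample: a tiny 'server box' tree, a clean baseline, then a
    tampered state (patched DLL, dropped-in exe, new run= line in win.ini)."""
    root = tempfile.mkdtemp()
    win = os.path.join(root, "WINDOWS")
    os.makedirs(os.path.join(win, "SYSTEM"))
    sample = {"WINDOWS/EXPLORER.EXE": b"MZ explorer", "WINDOWS/SYSTEM/WSOCK32.DLL": b"MZ wsock",
              "WINDOWS/NOTES.TXT": b"not an executable"}
    for rel, data in sample.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    with open(os.path.join(win, "win.ini"), "w") as f:
        f.write("[windows]\nload=\nrun=\n[fonts]\nArial=ARIAL.TTF\n")
    with open(os.path.join(win, "system.ini"), "w") as f:
        f.write("[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=*vpowerd\ndevice=*vshare\n")
    baseline = take_snapshot(root, win)
    with open(os.path.join(win, "SYSTEM", "WSOCK32.DLL"), "ab") as f:
        f.write(b" patched")
    with open(os.path.join(win, "SYSTEM", "PATCH.EXE"), "wb") as f:
        f.write(b"MZ dropper")
    with open(os.path.join(win, "win.ini"), "w") as f:
        f.write("[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\PATCH.EXE\n[fonts]\nArial=ARIAL.TTF\n")
    return diff_snapshots(baseline, take_snapshot(root, win))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```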
VII. Apple disappoints with its delay - Mac G4
----------------------------------------------------
The top-of-the-line, 500-MHz version of Apple's Power Mac G4 -- originally scheduled to ship in October -- may be delayed past Apple's current November ETA because of outstanding performance issues, sources said.

Motorola's Semiconductor Product Sector in Austin, Texas, is reportedly working to resolve "errata" that affect its new G4 processor when run at speeds of 500 MHz or higher. And according to Motorola's own schedule, a fix isn't due until December.

Motorola released Revision 2.2 of its G4 processor this summer, followed closely by Revision 2.6, which is shipping in the initial, 400-MHz version of the Power Mac G4. Sources said -- and Motorola's Technical Support Hotline confirmed -- that both revisions 2.2 and 2.6 contain errata that can be avoided only by keeping the processor speed below 500 MHz. Motorola tech support said that Revision 2.8 will fix this issue when it arrives in December.

Sources said that the problem -- which only arises when the G4 is run at speeds of 500 MHz or higher -- can result in some corruption in the processor's data cache. Motorola's recommended workaround is to enable the "GlobalWaitR" register in the processor, which, while preventing the problem, slows timing throughout the chip. Motorola's Technical Support Hotline confirmed both the existence of the errata and the workaround, which it acknowledged entails a "speed hit."

Although the G4 processors in shipping Power Mac G4s contain the errata, their sub-500-MHz speeds keep them from encountering the corruption problem, sources said. Indeed, another source said, this issue might never evince itself in Macs, since the OS doesn't manipulate data rapidly enough to cause the problem -- the glitch would more likely affect more-efficient embedded operating systems. Even if data corruption should occur, a source said, the result would be nothing more than a system freeze, easily fixed with a restart.

"That kind of errata isn't unusual for new chips from any manufacturer," said Keith Diefendorff, editor in chief of the Microprocessor Report in Sunnyvale, Calif. He said that Motorola's warnings don't necessarily portend serious problems: "Motorola, as a company, is relatively conservative, and they like to have everything perfect."

Sources said Apple is telling a somewhat different story to its resellers and customers. In a report to dealers last week, Apple reportedly noted "intermittent shortages" of the 400- and 450-MHz Power Mac G4 systems and listed an "expected" October ship date for the 500-MHz configuration. Sales staff at the Apple Store, by contrast, said the top-speed model will be available by the end of November.

atlienz
atlienz@default.net-security.org

VIII. Web based encrypted e-mail (critic and the response)
-----------------------------------------------------------
If you are subscribed to the ISN mailing list, you received this e-mail giving out "paranoid" comments (who isn't at least a bit paranoid these days :). We mailed Hushmail and got their opinion on this post. So again, we from HNS didn't write this post; it wasn't written by us. We were just interested in Hushmail's comments on that post. You can read the original post and the reply to it below.

Post:
-----------
Hi

If you value your freedom, only use hushmail for fun; don't say anything you wouldn't say to a cop.

hushmail.com is claiming to provide strong encryption on email via a web-based interface. You can only send encrypted mail to other hushmail account holders, so people will obviously encourage their mates to join. A very clever net--woven by the fish themselves? Show me your friends...

Anyway I checked who is hosting the service. It was registered by radiant.net who, on their home page, claim that hushmail is just a client of theirs.
Maybe, but then who owns the company? Safemail enjoys a big link on the homepage, while lesser bodies such as Maxim Chemicals are relegated to a list on another page.

The other clients of radiant.net are very interesting. It is a 'British' Columbia internet provider exclusively for the 'corporate community'. Bear in mind the recent history of BC re environmentalists particularly.

From their 'about us' page:
"The corporate client needs a higher level of service and attention to detail that is just not available from providers dealing with tens of thousands of residential users. This dedication to the corporate community is exactly the emphasis at Radiant and why Vancouver's businesses are migrating to Radiant Communications."

Good buddies include:
B.C. Construction Association
New Westminster Police
Curlew Lake Resources Inc
D'N'A Military Import & Supply Inc
Georgia Pacific Securities Corporation
Hyatt Industries
Kerrisdale Lumber
Maxim Chemicals
Mineral Development Group
Pacific Metals Ltd.
Rubicon Minerals Corporation
Vancouver Condominium Services

and yes, the Western Canada Wilderness Committee is in there too, but to me that is no less corporate.

Well, call me paranoid if you like, but it seems to me that it would be very easy for a bunch of good buddy loggers and miners to get together with the NW police and their extremely wealthy local internet experts (not to mention the local redneck militia supplier) to provide this nice easy crypto-mail service and erm... help out all the activists they love so much.

Peer Review

A prerequisite for any encryption algorithm to be taken seriously is that the source code be available for scrutiny by other cryptographic experts. This is the only way ordinary folks can assure themselves that the thing they use is actually secure. If many experts over a period of years have been unable to mount a successful attack on the encryption, then there is a good chance that it is ok.

There is too much to go into here, but although hushmail's stuff is publicly available, I haven't found much peer review (lots of advertising of course). A good summary of some of the cons is at:
http://www.counterpane.com/crypto-gram-9908.html#Web-BasedEncryptedE-Mail

People I have corresponded with who are in the business of strong encryption have confirmed my hunches. Anyone who knows anything about security wouldn't touch this with someone else's computer, methinks. But that's not who they are after, obviously. People need to be warned and we need to find out more. It could well be bona fide, or at least well-intentioned, but there is not enough information provided to know that. As this can possibly be a matter of being imprisoned for some people, I think warnings should be prepared and circulated, unless someone with more knowledge than me can show it is as secure as pgp.

Any help appreciated. If you think this will do as a warning then feel free to forward it to people you care about.

Andy

PS: Nearly forgot; http://www.radiant.net/

Reply:
-----------
I'm really not sure what to think here... we've got the most secure web-based email in the world, we offer it for free, we give our source code away for free to everyone, we ask for all the crypto community to look at it, tear it apart, find holes, or give their blessing, whatever.... and then we get a mail message like this, from a "privacy/security group", saying "using HushMail is like talking to a cop".....

Perhaps you are forgetting that there are 100 million people out there using *absolutely* no security on their web-based email. Many of them actually care about their privacy, but the convenience of web-based email overrides their concerns. And, most of them haven't heard of HushMail. And if net-newbies read unverified and untrue text about how "HushMail is probably totally insecure", they'll go right on using their Yahoo!Mail accounts, while Echelon just keeps sucking their email up, databasing it, for later search and retrieval. Somehow your article doesn't strike me as "forward thinking privacy material"...

You might want to read our commentary on Bruce Schneier's crypto-gram (and also his latest crypto-gram, in which he implies he doesn't have a problem with our technology, but does dislike the mis-quoting going on in the press) - it's linked off the "What's New" section of our site:
http://www.hushmail.com/bruce_comments.htm

FYI, Radiant Communications is our bandwidth provider. They are also a great bunch of people. Hush Communications Corporation is based in Anguilla, also where the yearly Financial Cryptography conferences are held (which we are sponsoring next year). If it makes you "feel" any better, Vince Cate (a friend of mine who lives down the street here) is on our Advisory Board... maybe you've heard of him, search on his name at wired.com if not, since you seem to not trust "us". HushCom also has a large marketing subsidiary in Austin, Texas, where I (and most of the other co-founders of Hush) are originally from.

Sir, you can write whatever you feel like, but I might point out that a lot of people who know a hell of a lot about security, privacy, and really care about it, might think that slamming HushMail based on hearsay and "Their Bandwidth Provider also has Police Web-Pages" a little less than good reporting...

If you're going to say something negative, try saying *exactly how* HushMail isn't secure. If so, you might be surprised to find that we're happy to hear about any potential security problems - and we fix them, and keep our *entire* source code archive online, so all the truly interested can see the history and development of HushMail.

Cliff Baltzley
Chairman, Hush Communications Corporation

IX.
More from the ACPO front
------------------------------
Hi y'all,

Time for another update. I thought I would just send you this press release for: http://thetrainingco.com. We're looking forward to our presence there, and we are sharing a booth with the people holding the Convention. If you have any questions, feel free to mail me at natasha@infovlad.net

**********************************

CHILDREN: INNOCENCE EXPLOITED

Pedophiles, child pornographers and others who abuse, exploit and victimize children for their own selfish gain have turned a once small criminal problem of a decade ago into a monster of almost immeasurable size. In 1994 a US study reported that more than 450,000 pornographic images and files were available on the Internet. Today that has grown to tens of millions!

Natasha Grigori, Founder of an Internet based group called the Anti-Child-Porn Organization, states that "... with an estimated 500 million Internet users by the year 2000, technology has outstripped the global community's ability to defend against the explosion of child pornography." Further, Natasha claims "Pedophiles and child pornographers are using the Internet to facilitate their type of criminal activity; tracking and seducing children, networking with other pedophiles, and as a medium to exchange and sell for profit not only their product of banned child pornography, but the children themselves."

The goals of The Anti-Child-Porn Organization are to educate the public and politicians about this epidemic and the danger these criminals pose to the collective social interest, to address the supply and demand issues related to these illicit materials, and to facilitate co-operative efforts between police agencies and other public interest groups, world wide. Through the ACPO's web site, individuals can report child-porn sites and newsgroups. These reports are then verified and, if confirmed, ACPO will use specialized software to trace the site and report the findings to the appropriate law enforcement agency.

For further information please visit www.antichildporn.org

Thanks All
Natasha Grigori
Founder ACPO

============================
Thanks for being 'Child-Friendly'
Natasha Grigori
Founder ACPO
http://www.antichildporn.org/
mailto:natasha@infovlad.net
============================

X. Telecom 101 - Welcome to the wonderful world of cellular phreaking
----------------------------------------------------------------------
Hello and welcome once again. Well, I guess this is the part where I explain where this column has been the last couple of issues. Fact is, I'm kind of busy with a lot of other things and the HNS main site at the moment, but I've practically finished a whole series of columns for the upcoming issues, so not to worry.

We'll be digging into the world of cellular phones a bit in upcoming issues. This has several reasons. From the practical point of view (for me, that is) I can't discuss any other sort of telephony network specifically, because of the number of different systems used in the world today. Besides that, I want to deal with some issues here which you guys and gals out there can actually try out and use. Being international and all, we feel the need to cover international standards first, and when any of you feel the need to go further into a topic, just let me know. Your wish is my command. For today, we'll start off with creating a bit of understanding of the history and workings of GSM (you've got to learn how something works before you can break it down :).

General overview of GSM

Today probably the most widely used standard in mobile telephony is GSM, which was originally devised between 1982 and 1992 by the Conference of European Posts and Telegraphs (CEPT) to create a more international standard in cellular communications than all the systems which differed almost on a country basis.
The technology was also aimed at having greater capacity, security and flexibility. The name GSM was derived from the French name Groupe Spécial Mobile. Later, probably to add a bit of the international touch, this was changed to Global System for Mobile communication. It's probably the most widely used of the major teleservice technologies used around the world. I came across claims of 120 million users worldwide in 120 countries, and it's hard to believe, but with the speed at which these numbers are growing (how many of your friends don't have one yet?) I'd say even these huge numbers are getting outdated soon too. Because of this, the original goal of setting a Pan-European standard in telephony has been overachieved, and because of international roaming agreements between telecom operators, users can nowadays often continue to use their mobile phones when in other countries.

As with almost all telecommunication services, GSM can be divided into bearer services, teleservices, and supplementary services. The service for which it is known most is of course the basic voice transmission teleservice we call "making a (mobile) telephone call". :) Other services for example include (with an additional fax adaptor) facsimile and SMS, to name but a few; nowadays you can even get your e-mail on your GSM!

The workings of GSM

A GSM MS (mobile station, here the mobile phone) uses a radio link which is controlled (also by radio link) by the BSS (Base Station Subsystem). The calls between mobile phones, or between mobile phones and regular phones, are switched through the MSC (Mobile services Switching Center). This network is then overseen by the OMC (Operations and Maintenance Center). Security in this network rests on four principles: subscriber identity authentication, subscriber identity confidentiality, signaling data confidentiality, and user data confidentiality, which are implemented in the SIM (subscriber identity module), the MS and the network itself.
The GSM technology digitizes and compresses data and (sending and receiving at rates up to 9600 bps) utilizes either the 900 or 1800 MHz frequency band (the 890-960 MHz bands are standard for telephony), splitting each band into 200 kHz channels which then, using a method known as Time Division Multiple Access (TDMA), are split into 8 time slots. Speech signals are divided into 20 ms samples which after encoding give a total bit rate of 13 kbps. A received signal is made from the linear combination of previously received samples and the difference between the predicted and the actual sample, so basically the current sample is predicted from the information of a previous sample. Besides coding for speed and against electromagnetic interference, the data is also encoded for the sake of security/privacy. In the next issue, I will discuss the actual coding and relevant encryption algorithms as well as the implementation of the different security methods (as mentioned above) in this system. So stay tuned :)

Xander Teunissen, aka Thejian, Help Net Security

XI. Unix logging and auditing tools
------------------------------------

Introduction:
-------------*

in this text i will talk about logging and auditing tools used in the Unix operating system environment. whenever a user enters a system (be it through a network service or physically at a terminal) he/she leaves a trace of entering. this information is stored in different types of log files, depending on what action the user takes. these logging and auditing programs are very valuable to every system and network administrator and are therefore included in every Unix-like system by default. other than these, there are also some commercial loggers which help better system logging. logging improves site security very much. a lot of hackers do not know what types of loggers exist and how to modify them, so logging always makes things easier for the system admins.
therefore, every administrator should enable all sorts of logging, even if it somehow affects the privacy of system users. however, logging programs are not the only part of a secure network. they too have some limitations. a good example is when an intruder spoofs his/her IP address. then you have a fake address which is of no use to you. therefore, loggers make for tighter security but are not the only security measure.

Unix default logs architecture:
-------------------------------*

as i said earlier, Unix provides a wide selection of auditing and logging tools. most of them are integrated in the system by default, but there are also some which come with certain programs. basically, Unix stores log information in plain ASCII or in some other format, usually numerical. to access a log file one must first have root permissions (although on old Unix versions everyone can look at and modify log files). different versions of Unix store these files under different locations. /usr/adm was used in early versions of Unix. then came /var/adm, which was introduced so that the /usr directory could be mounted read-only. today, the most common locations are the /var/adm and /var/log directories. within these directories you can find the following log files.

Log file name:    Purpose of the log file:
--------------*-----------------------------------------------------------------*
ACCT (PACCT)      records commands which users run.
ACULOG            records dial-out attempts.
LASTLOG           records the last successful and unsuccessful login.
LOGINLOG          records bad login attempts.
SULOG             records attempts to use the 'su' (superuser) command.
UTMP              records who is currently logged into the system.
WTMP              records who was in the system and system shutdowns and startups.
XFERLOG           records use of the FTP service.
other than these, which are essential for every system admin and potential intruder, there are: MESSAGES (records system messages and output from the console), UTMPX (extended UTMP), WTMPX (extended WTMP) and VOLD.LOG (logs errors from external media devices (CD-ROM drives, floppies, external hard drives, etc.)). i will now go into each one of these logs in detail.

LASTLOG -- this file shows you when, and from where, your account was last logged into. when you connect to a host and type in the correct username and password combination, the login program consults lastlog:

--
login: hacker
password:
Last login: Tue Jul 20 15:54:25 from some.address
--

also, under some System V Unix versions you see both successful and unsuccessful logins:

--
login: hacker
password:
Last successful login for hacker: Tue Jul 20 15:54:25 from some.address
Last unsuccessful login for hacker: Tue Jul 20 13:44:03 from some.address
--

after this display, the login program updates the lastlog file with the new information. then it also updates the utmp and wtmp files. by using the 'finger' command, you can see when a particular user last logged in. when you use the command, the program merely displays the user's entry from the lastlog file (located in /var/adm/lastlog or /var/log/lastlog, with one entry per user). a big flaw in the lastlog file is that each entry is overwritten on every new login. this means that if a hacker, once in the system, connects again using 'rlogin' (remote login utility) or, on old systems, 'login', the stored information will be overwritten with the new information -- in this case localhost (127.0.0.1). this is useless to the system administrator. therefore, i recommend that you make a shell script which backs up the existing lastlog file every couple of hours (as a cron-spawned task). this can be done with a simple combination of the 'mv' and 'cp' commands: first move the existing backup aside, then copy the current lastlog into its place.
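before the author's Perl script, here is an added Python reader for the same binary lastlog format (added for this edition; it is not the article's script and not a vendor tool). the SunOS and Linux record layouts are assumptions taken from the historical lastlog.h headers, and the sample file it builds is constructed inline; like the script described next, it prints entries older than half a year with the year instead of the time of day.

```python
#!/usr/bin/env python3
"""Decode a binary lastlog file: one fixed-size record per uid, indexed by uid.

Added example in Python, not the article's Perl script.  The record layouts
are assumptions taken from the historical lastlog.h headers:
  sunos: time_t (4 bytes, big-endian SPARC) + ll_line[8]  + ll_host[16]
  linux: int32  (4 bytes, little-endian x86) + ll_line[32] + ll_host[256]
"""
import struct
import sys
import time

LAYOUTS = {
    "sunos": ">i8s16s",    # 28-byte records
    "linux": "<i32s256s",  # 292-byte records
}

# Entries older than this are printed with the year instead of the time,
# the same half-year cut-off the article's script uses.
HALF_YEAR = 365 * 24 * 60 * 60 // 2


def _cstr(raw):
    """Decode a NUL-padded C char array."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def decode_lastlog(data, layout="linux"):
    """Return [(uid, epoch, line, host)] for every uid that has logged in."""
    fmt = LAYOUTS[layout]
    size = struct.calcsize(fmt)
    entries = []
    for uid in range(len(data) // size):
        when, line, host = struct.unpack_from(fmt, data, uid * size)
        if when == 0:          # all-zero record: this uid never logged in
            continue
        entries.append((uid, when, _cstr(line), _cstr(host)))
    return entries


def format_time(epoch, now):
    """Recent entries show the clock time, old ones the year (like ls -l)."""
    t = time.gmtime(epoch)
    if now - epoch > HALF_YEAR:
        return time.strftime("%b %d  %Y", t)
    return time.strftime("%b %d %H:%M", t)


def render(entries, now=None):
    """One output line per entry: uid, tty, remote host (or '-'), time."""
    now = int(time.time()) if now is None else now
    return [f"{uid:<6} {line:<8} {host or '-':<24} {format_time(when, now)}"
            for uid, when, line, host in entries]


def build_sample(layout="linux"):
    """Constructed lastlog: uids 0..999 never logged in, 1000 and 1001 did."""
    fmt = LAYOUTS[layout]

    def rec(when, line, host):
        return struct.pack(fmt, when, line.encode(), host.encode())

    empty = b"\x00" * struct.calcsize(fmt)
    return b"".join(
        [empty] * 1000
        + [rec(932486065, "ttyp2", "some.address"),      # Tue Jul 20 15:54:25 1999 UTC
           rec(932486065 - 90 * 86400, "console", "")]   # local console login, 90 days earlier
    )


if __name__ == "__main__":
    # Default path follows the article; most Linux systems use /var/log/lastlog.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/adm/lastlog"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        print(f"cannot read {path}, showing the constructed sample instead")
        data = build_sample("linux")
    for row in render(decode_lastlog(data, "linux")):
        print(row)
```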
by default, there are no Unix programs which enable you to read the lastlog file. therefore, i have included a simple Perl script which works on SunOS and allows you to read the lastlog file. you might want to change the second line to /var/log/lastlog if it doesn't work. also, with a couple of adjustments you can make it work on any Unix-like system. for details on this, take a look at the lastlog header file (LASTLOG.H), which is usually located in the /usr/include directory. basically, the program checks for a command-line argument. if none is given it uses /var/adm/lastlog. after that, it calculates the number of seconds in half a year. this is done to determine the output format for the lastlog entries (logins which are more than six months old are printed differently). after this, the program reads every record, decodes it, and prints it on the screen. also worth mentioning is that some really old Unix systems log the lastlog information into a file called .lastlog which can be found in each user's home directory ('ls -al' will show it). while lastlog can be useful, it does not provide a very detailed history of each login. for this you must check the wtmp file.

UTMP -- this file is located in /var/run/utmp or in /etc/utmp. basically, it lists the currently logged-in users. programs such as 'who', 'w', 'whodo', 'users', 'write' and 'finger' use the utmp log constantly to check for specific users on the system. on some systems the utmp file permissions are set so that it is writable by any user. some programs which create virtual terminals need this to show that the user is logged in on that virtual terminal without requiring superuser privileges. this can help a hacker modify the file or even delete his/her entries. in Berkeley-type Unix systems the entries in utmp (and wtmp) contain: the name of the terminal device used for login, the username, the hostname (if not from a terminal) and the time of login.
under System V Unix you have: username, terminal line number, device name, process ID of the login shell, code for the type of entry, exit status and time of login. under Solaris, IRIX and some others which use extended utmp and wtmp (utmpx/wtmpx), you have: username up to 32 characters long, inittab ID (type of connection), terminal name up to 32 characters long, device name, code for the type of entry, exit status, process ID of the login shell, time of login, session ID, unused bytes reserved for future expansion and remote hostname (if not from a terminal). i should also mention that some versions of 'su', if not used correctly, will not report to utmp and wtmp that you changed your environment. for example, if you become the superuser the program will not update the log files and you will appear to have normal user privileges (when someone uses 'finger' or a similar service). this can be very confusing, not only to the users but also to programs that are currently running. to correct this, use a dash with the superuser command: 'su - root'. this will change your environment.

WTMP -- this log file is usually found in /var/adm/wtmp. every time a user logs in or out, Unix makes a record of that action in the file wtmp. therefore, wtmp keeps a big database of all user logins and logouts. this file will grow constantly, and so many admins make scripts which zero (blank) the file now and then (cat /dev/null > /var/adm/wtmp). this, however, isn't recommended. rather than that, an administrator should make copies of the old wtmp before it is zeroed out. these backups should be placed on another storage computer or on external disks. wtmp cannot be read directly, so you need a special program for this. 'last' is great for this. if you run it with no command-line arguments it will show you all logins and logouts on all services and devices of your system (you can abort the display with the interrupt character (usually CTRL-C)).
--
$ last
john     ttyp2     some.address     Tue Jul 20 15:42 - 15:50  (00:08)
hacker   ftp       195.229.205.8    Mon Jul 19 03:15 - 04:45  (01:30)
root     console                    Mon Jul 19 08:00   still logged in
...
--

first you have the username, then the service/port used. after that there is a remote address (or not, if the login came from the terminal/console). there is also a date and how long that particular user was using the service. to be more specific, you can give a username as the parameter. this will show you login and logout records for a particular user:

--
$ last hacker
hacker   ftp       195.229.205.8    Mon Jul 19 03:15 - 04:45  (01:30)
hacker   telnet    195.229.205.8    Mon Jul 19 02:03 - 02:04  (00:01)
hacker   ttyp4     fake.host        Sat Jul 17 14:10 - 15:24  (01:14)
--

you can also give a number which specifies how many of the most recent logins you want to see. for example:

--
$ last -1
john     ttyp2     some.address     Tue Jul 20 15:42 - 15:50  (00:08)
--

some versions of the 'last' program enable you to look at entries from other files (such as your backup files). you simply put '-f otherFile' as the argument. but if your program doesn't allow this, then simply rename the backup to wtmp and you will be able to read it. remember though that if you're reading your backup, each new user entry will be stored into that backup. you could also use 'ac'. it provides you with statistics for each user. this is useful for checking the amount of time a user is logged in, etc. on some systems, wtmp also logs system shutdowns/reboots and startups. also, under some SVR4 systems you can look at the contents of the wtmp file with a 'who -a' command.

LOGINLOG -- failed login attempts (if you are not using System V Unix) are recorded in a special file called /var/adm/loginlog. to log these attempts you must specifically create this file by the following procedure:

--
# touch /var/adm/loginlog
# chmod 600 /var/adm/loginlog
# chown root /var/adm/loginlog
--

a bad attempt is when a user types in a wrong password five times in a row.
after the fifth time the system will usually disconnect you. this is what a loginlog looks like:

--
hacker:/dev/pts/8:Tue Jul 20 16:30:01 1999
hacker:/dev/pts/8:Tue Jul 20 16:30:22 1999
hacker:/dev/pts/8:Tue Jul 20 16:30:35 1999
hacker:/dev/pts/8:Tue Jul 20 16:30:49 1999
hacker:/dev/pts/8:Tue Jul 20 16:30:58 1999
--

loginlog is useful when you want to check if someone is attempting to brute-force your password.

ACCT (PACCT) -- process accounting is when every command typed by every user on the system is recorded. this is mostly used when you want to bill your users for using a specific service and CPU time. /var/adm/acct contains the log information. this is not human readable, so you need to use a specific program, 'lastcomm' or 'acctcom':

--
$ lastcomm
sendmail   S   root     __   0.05 secs  Tue Jul 20 19:50
vi         F   hacker   __   0.22 secs  Tue Jul 20 13:24
--

first we have the program name, then the flags, then the user who ran that program, and finally the loading time and the date/time of use. the flags (above S and F) are: S (command was executed by the superuser), F (command ran after a fork, but without an exec), D (command generated a core dump file when it exited) and X (command was terminated by a signal). although acct is useful, both for the system administrator and for the hacker, it has some limitations. for example, it does not say what arguments were given to the program or where the particular program is located. therefore, if a hacker renames his program (like a trojan, C compiler, etc.) there is no way you could know what the real program was. under System V (SVR4) you start accounting with the command 'startup', which is located in the /usr/lib/acct directory. the accounting is logged into /var/adm/pacct and you view it with the 'acctcom' program. under BSD you activate process accounting with 'accton filename' (it is found in /usr/etc or /usr/lib/acct), where 'filename' is usually /var/adm/acct or /var/adm/pacct. you read the file with 'lastcomm'.
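as an added example (not from the article), here is the loginlog format shown above run through a small Python detector that groups failures per user and tty and reports runs of five or more within a time window, which is what the brute-force check described above amounts to; the log lines it contains are constructed for this example.

```python
#!/usr/bin/env python3
"""Spot password-guessing bursts in a System V style loginlog.

Added example, not part of the article.  Each loginlog line has the form
user:tty:timestamp, as in the sample above; the log text below is
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

TIME_FMT = "%a %b %d %H:%M:%S %Y"

SAMPLE_LOGINLOG = """\
hacker:/dev/pts/8:Tue Jul 20 16:30:01 1999
hacker:/dev/pts/8:Tue Jul 20 16:30:22 1999
john:/dev/pts/2:Tue Jul 20 16:30:30 1999
hacker:/dev/pts/8:Tue Jul 20 16:30:35 1999
hacker:/dev/pts/8:Tue Jul 20 16:30:49 1999
hacker:/dev/pts/8:Tue Jul 20 16:30:58 1999
hacker:/dev/pts/9:Wed Jul 21 09:12:10 1999
"""


def parse_loginlog(text):
    """Return [(user, tty, datetime)] in file order; reject malformed lines loudly."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            user, tty, stamp = line.split(":", 2)   # the tty path holds no ':'
            when = datetime.strptime(stamp, TIME_FMT)
        except ValueError as exc:
            raise ValueError(f"loginlog line {n} is malformed: {raw!r}") from exc
        entries.append((user, tty, when))
    return entries


def find_bursts(entries, threshold=5, window_seconds=300):
    """Return [(user, tty, first, last, count)] for each run of at least
    `threshold` failures on one user/tty pair that all fall within
    `window_seconds` of the run's first failure.  Five in a row is the
    lockout point the article describes."""
    by_key = defaultdict(list)
    for user, tty, when in entries:
        by_key[(user, tty)].append(when)

    bursts = []
    for (user, tty), times in sorted(by_key.items()):
        times.sort()
        i = 0
        while i < len(times):
            j = i
            while (j + 1 < len(times)
                   and (times[j + 1] - times[i]).total_seconds() <= window_seconds):
                j += 1
            count = j - i + 1
            if count >= threshold:
                bursts.append((user, tty, times[i], times[j], count))
                i = j + 1        # report a run once, not once per overlapping sub-window
            else:
                i += 1
    return bursts


def failures_per_user(entries):
    """Total failed attempts per user, for a quick daily summary."""
    counts = defaultdict(int)
    for user, _tty, _when in entries:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    entries = parse_loginlog(SAMPLE_LOGINLOG)
    print("failures per user:", failures_per_user(entries))
    for user, tty, first, last, count in find_bursts(entries):
        print(f"{user} on {tty}: {count} failures between "
              f"{first.strftime(TIME_FMT)} and {last.strftime(TIME_FMT)}")
```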
MESSAGES -- this is a very useful log file (located in /usr/adm or /var/adm). it basically logs every output message which is printed on the system console screen. it works by echoing what's on the screen and printing it to a special file along with the date/time and the computer involved. here is an example (SunOS 4.1):

--
Tue Jul 20 13:20:34 computer1 su: 'su root' not succeeded for hacker on /dev/ttyp3
Tue Jul 20 13:20:34 computer1 su: 'su root' not succeeded for hacker on /dev/ttyp3
--

we see that a hacker is trying to obtain superuser privileges but doesn't know the password (remember that we also have the sulog for this particular example).

SYSLOG -- this facility was created at the University of California at Berkeley for their program sendmail. since then it has been ported to almost all Unix-like operating systems. syslog is a host-configurable, unique system logging utility. it uses a special system logging process which is located in /etc/syslogd or /etc/syslog. programs that need to have information logged send that information to syslog. these messages can be logged to various files, devices, remote computers, etc. when a program wants to send a message to syslog, it must generate a syslog log message. this message consists of four things: program name, facility, priority and the log message.

facilities are: kern (kernel), user (regular user processes), mail (mail system), lpr (line printer system), auth (authorization system -- login, su, getty, ftpd, etc.), daemon (other system daemons), news (news subsystem), uucp (Unix-to-Unix Copy subsystem), local0 - local7 (reserved for site-specific use) and mark (facility that sends out a message every 20 minutes). there are also some others, but they differ depending on the version you have. they are: authpriv (other authorization messages), cron (cron daemon), ftp (ftp daemon messages) and syslog (syslog daemon messages).
priorities are: emerg (emergency condition (system crash or similar), sent to all users), alert (alert for immediate correction of a system program/database), crit (critical alarm, usually a hardware error), err (normal error), warning (warning message), notice (condition that is not an error but should be handled in a special way), info (informational message), debug (messages used in debugging processes) and none (indication not to send specific messages to the selected file).

when the syslog daemon (syslogd) starts up, it first reads its configuration file (usually /etc/syslog.conf) to see where to log specific things. after that, syslog is in 'listening' mode -- it listens for log messages from three sources. these three sources are: /dev/klog (used to read messages from the kernel), /dev/log (a Unix domain socket, used to read messages generated by local processes) and UDP port 514 (an Internet domain socket, used to receive messages generated by other machines in the local area network). to specify what actions syslog should take when getting log messages you must edit the /etc/syslog.conf file to suit your network organisation and architecture. here is an example file (Digital Unix V4.0):

--
# example syslog.conf file:
kern.debug          /dev/console
daemon,auth.notice  /var/adm/messages
auth.*              @loggingHost.com, /dev/ttya
syslog.*            /var/adm/syslog/syslog.log
lpr.debug           root, operator
*.emerg             *
--

note: when writing a syslog.conf file be sure to use TABs and not spaces!

you can see that each line has two fields: a message selector field (for declaring which actions and messages to log) and an action field (which specifies what to do with the logs). the message selector field is divided into two parts: a facility and a priority. for example, kern.debug specifies that syslog should log all messages for the kernel which have to do with debugging. you can also put an asterisk ('*') to specify all. for example, *.debug would specify logging all debugging messages.
kern.* would specify logging all kernel messages. the action field specifies what to do with the log messages. there are five actions to choose from: log to a file or device (in this case the field must include the path of the file or device), send a message to a specific user (sends a message to the specified user(s) only if they are logged in (according to utmp)), send a message to all users (a global message to all users on the system; in this case there should be an asterisk in the action field), send a message to a program (in this case you must include a pipe sign ('|') and the path to the specified program, such as sendmail) and send a message to a remote host (you must include '@' and a hostname).

i will now explain our syslog.conf example line by line. the first line logs debugging messages from the kernel to the system console device (/dev/console). the second line logs daemon and authorization notice messages into the messages log file. the third line logs all authorization messages and sends them to a remote host in the local network (this is a really good idea for a system administrator) and to a line printer which is connected to /dev/ttya. the fourth line logs all syslog messages into a file called syslog.log. then we have an instruction which logs all line printer debugging messages and sends them to two users: root and operator (if they are logged in). the last line logs all emergency errors from all services and sends them across the system to all online users. syslog is a great security service. if administered correctly you can make it a powerful audit tool. i recommend that you enable remote host logging to two or more computers in your network (but remember that this chokes up traffic).

ACULOG -- each time you make a telephone call with your modem (a dial-out call) it can be recorded. this is activated by the command 'tip' or 'cu' (the Berkeley version of the UUCP command). the entry is stored in a file called /etc/remote.
--
root (Tue Jul 20 08:50:22 1999) call completed
hacker (Tue Jul 20 11:03:10 1999) call completed
--

in the first example, root made a call and connected directly to the modem. the user hacker called a specific dial-out number. we see that both calls were completed. this log utility is useful but isn't very detailed. for example, you don't have the duration of the call.

SULOG -- newer versions of the 'su' program log directly to their own log file called sulog instead of using the messages log file. under System V Unix you can set some options for sulog in a file called /etc/default/su:

--
# file to log all su attempts
SULOG=/var/adm/sulog
# device to log all su attempts
CONSOLE=/dev/console
# log using the syslog facility?
SYSLOG=yes
--

here is an example file from a computer running Ultrix V4.2A:

--
BADSU: hacker /dev/ttyqc Tue Jul 20 15:24:00 1999
BADSU: hacker /dev/ttyqc Tue Jul 20 15:25:24 1999
SU: hacker /dev/ttyqc Tue Jul 20 15:30:13 1999
--

we can see two bad superuser attempts and one good one -- the hacker finally guesses the 'su' password.

XFERLOG -- if you use the Washington University FTP server, then you can enable session logging to a file called xferlog which is located in the /var/adm directory (the location is defined by the configuration variable _PATH_XFERLOG in the header file PATHNAMES.H). here is an example log:

--
Tue Jul 20 20:22:04 1999 some.address 3920288 /etc/passwd a _ o a hacker@fake.com ftp
Tue Jul 20 21:45:33 1999 some.address 23043 /etc/host.deny a _ o a hacker@fake.com ftp
--

to explain this log file: the first entry is the date and time. then we have the hostname and the size of the transferred file. after that is the file path, then the file type (a = ASCII or b = binary). then we have the special action flag (T = tar archive, C = compressed, U = uncompressed, _ = undefined), then the direction (o = outgoing, i = incoming).
then the user type (a = anonymous + e-mail address, g = guest, r = local user with password) and then the service used (FTP by default). also, remember that there are files like access_log (NCSA HTTPD server log), maillog (mail utility log), etc. all of these depend on what software you have installed, so take a closer look at your manuals to see which log utilities you have on your system. another thing is network services logging -- inetd. you can add a '-t' (trace) flag to log every TCP/UDP connection made to your host. the log will appear in /var/adm/messages. other than this you can use TCP Wrappers and log all incoming connections. as you can see, there is a huge variety of system log utilities. some are more important than others, but all should be activated. don't hesitate to be paranoid -- most of the time it will save you the effort of catching a hacker.

Shell history files:
--------------------*

other than the logs previously described, shell history files are also a security measure. newer shells keep a record of all commands you typed in a hidden file in your home directory. the BASH shell uses .bash_history, the KSH and SH shells use .sh_history, CSH and ZSH use .history. SH ($ prompt) and CSH (% prompt) do not use history saving by default, therefore it is a good idea for a hacker to first change the shell to SH or CSH. other than this, a hacker should link the history file with /dev/null (using the command 'ln -s /dev/null .bash_history' for the BASH shell). if no other option is left one should simply delete the history file, or modify it from another shell which doesn't save the command history (SH or CSH as stated above).

Security measures:
------------------*

i recommend that you put superuser permissions on all log files on your system. if a hacker compromises a normal account but can't get root privileges, this will make his life harder. also, keep backups of your logs. this should be done daily with crontab jobs.
you can also make use of simple shell scripts such as this one:

--
#!/bin/ksh
# name the archive after today's date, e.g. backup.99.10.19.tar.Z
BFILE=$(date +backup.%y.%m.%d.tar.Z)
cd /var/adm
# tar the whole log directory to stdout and compress it into the backup directory
tar cf - . | compress > ../adm.backups/$BFILE
exit 0
--

you can run this script every night. it archives the whole /var/adm directory using 'tar' and then uses the 'compress' command to shrink the output file. after that it puts the resulting file into a directory called /var/adm.backups under a name derived from the date of that action. these backups should then be transferred to another guarded computer inside your network or to an external media drive (CD-ROM, floppy, etc.).

the best security measure would be to put all log files on a remote computer in your network. this computer should then be physically and remotely secured. you should put up a firewall to guard that computer:

--
                   internal, private network
  computer 1 ----- computer 2 ----- computer 3 ----- computer 4
         \              |               |               /
                        remote log computer
--

to send logs to this remote host you have to configure your syslog.conf file (as mentioned earlier). however, you can also make two or more remote log computers. this will tighten up security (remember, though, that this also chokes up traffic inside your network). remember not to use the same passwords, or even operating systems, on these remote log computers. other than logging to a remote computer, you can also log directly to a network printer. to do this just put a line into syslog.conf which will redirect all logs of your choice to the printer. also, be sure not to log to the printer solely -- use another device for backup logging in case of an emergency.

Fooling the logs:
-----------------*

first off, every intruder should spoof his/her IP address before attacking. my method of secure hacking a host is as follows. first try to get an anonymous telephone line. this can be done either by connecting your laptop computer on to a payphone or to someone's phone line. after that, spoof your IP address.
then use two or three gateway computers and finally reach your target host. therefore, even if they log your attempts of entry they will get nothing -- you don't exist. basically, try to explore your host. try to get an account at the ISP where users from your target have accounts on. that way, if you can't get root you won't be so suspicious (unless you make something stupid). if you enter the system first change your shell to SH or CSH (i recommend CSH). from there alter the shell history file ('ls -al' from your home directory will show you hidden files) and link it with /dev/null -- of course, only if it exists. you can also try an old trick: type 'unset HISTFILE' when you enter the host -- this will stop history logging. after that you have a variety of logs to modify. this can, however, only be done by having superuser, root, privileges. if you don't have root you have one option left. don't alter anything on the system (except the history file) and run 'rlogin' to 127.0.0.1 (localhost). by doing this you will alter the lastlog file to show entry from localhost and, if you remember, there won't be a trace in lastlog of your entry. if you get root you have a couple of programs for log altering to choose from: Name of the cleaner: Purpose of the program: --------------------*--------------------------------------------------------------------* clear.c deletes entries in utmp, wtmp, lastlog and wtmpx. cloak2.c changes entries in utmp, wtmp and lastlog. invisible.c overwrites values in utmp, wtmp and lastlog with predefined values. marryv11.c edits utmp, wtmp, lastlog and acct. hide.c changes entries in utmp. remove.c deletes entries in utmp, wtmp and lastlog. wipe.c deletes entries in utmp, wtmp, lastlog, acct (pacct), utmpx and wtmpx. note: do not use zap.c or zap2.c, these programs only put zeros in the log files. CERT released a special program which checks for zeros, and can therefore determine that the system was compromised by a hacker. 
when you upload or create (retype -- if you're really paranoid of xferlog and similar FTP log utilities) a log modifier of your choice (i highly recommend wipe.c because it can be used on almost all Unix-like distributions and can modify 6 log types), simply compile it and run with appropriate arguments (usually a username which you want to clear). remember to check the log files after modification. do this with 'who', 'w' and 'last' commands. also, before leaving take a look at the syslog.conf file. you will find all sorts of things there (of course if the service is active). take a look if there is remote host logging involved. if there is, then try to hack into that host although many times admins leave the same passwords for all hosts in the local network. after you enter that computer erase and modify all logs that have to do with you, and of course alter the syslog file on the primary host so it doesn't log remotely any more. if you find out that they are using a printer to view the logs then first look at the active process list ('ps' command). if you find a print action there kill it and remove the command line for printing from the syslog.conf file (remember, however, that everything that was printed out cannot be modified (unless you physically get to your host)). also it would be a good idea to flood the syslog UDP port (514) if it's active (it is by default) with a Denial of Service attack. in this way you will crash the syslog daemon and you will stop all logging services on the target host.

Conclusion:
-----------*

Unix loggers are very important for every system. if you are a system administrator i highly recommend that you make a remote log facility computer and guard it with a firewall inside your network. on the other hand, if you're exploiting the use of log files try to look for them constantly because paranoia can be very useful.
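to check the remote-logging advice of the conclusion (and of the Security measures section) against an actual configuration, here is an added Python checker, not part of the article: it parses a syslog.conf in the syntax the SYSLOG section explains, flags lines separated by spaces instead of a TAB (the rule noted under the example file), and reports from which priority each facility leaves the host. the sample configuration is constructed from the Digital Unix example above, and treating comma-separated actions on one line as separate destinations is an assumption of this parser.

```python
#!/usr/bin/env python3
"""Parse a BSD-style syslog.conf and work out where each facility ends up.

Added example, not part of the article.  Handles 'facility.priority'
selectors (comma-separated facilities, ';'-separated selector lists, '*'
wildcards) and actions that are a file/device path, user names, '*' (all
users), '|program' or '@host'.  Splitting comma-separated actions into
separate destinations, as the article's Digital Unix example does, is an
assumption of this parser rather than guaranteed syslogd syntax.
"""
import re

# severities from least to most urgent; a selector at priority P also
# matches every message more urgent than P
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# constructed config: the article's example plus one deliberately
# space-separated line that the TAB check should flag
SAMPLE_CONF = """\
# example syslog.conf file
kern.debug\t/dev/console
daemon,auth.notice\t/var/adm/messages
auth.*\t@loggingHost.com, /dev/ttya
syslog.*\t/var/adm/syslog/syslog.log
lpr.debug\troot, operator
*.emerg\t*
mail.info   /var/adm/maillog
"""

_LINE = re.compile(r"^(\S+)([ \t]+)(\S.*)$")


def parse_selector(sel):
    """'daemon,auth.notice' -> (['daemon', 'auth'], 'notice')."""
    facs, dot, pri = sel.rpartition(".")
    if not dot or not facs:
        raise ValueError(f"selector is not facility.priority: {sel!r}")
    return [f.strip() for f in facs.split(",")], pri.strip()


def classify_action(token):
    """Map one action token to (kind, target)."""
    t = token.strip()
    if t == "*":
        return ("all_users", None)
    if t.startswith("@"):
        return ("remote", t[1:])
    if t.startswith("|"):
        return ("program", t[1:])
    if t.startswith("/"):
        return ("file", t)
    return ("user", t)


def parse_syslog_conf(text):
    """Return (rules, warnings); each rule is {'line', 'selectors', 'actions'}."""
    rules, warnings = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {n}: no action field: {raw!r}")
        sel, sep, action = m.groups()
        if "\t" not in sep:
            warnings.append(f"line {n}: selector and action separated by "
                            f"spaces, not a TAB: {raw.strip()!r}")
        rules.append({
            "line": n,
            "selectors": [parse_selector(s) for s in sel.split(";")],
            "actions": [classify_action(a) for a in action.split(",") if a.strip()],
        })
    return rules, warnings


def selector_matches(facilities, priority, fac, pri):
    """Does a selector (facilities, priority) catch a message of fac/pri?"""
    if priority == "none" or (fac not in facilities and "*" not in facilities):
        return False
    return priority == "*" or PRIORITIES.index(pri) >= PRIORITIES.index(priority)


def destinations(rules, fac, pri):
    """Every (kind, target) that a message of this facility/priority reaches."""
    return [act for rule in rules
            if any(selector_matches(f, p, fac, pri) for f, p in rule["selectors"])
            for act in rule["actions"]]


def lowest_remote_priority(rules, fac):
    """Least urgent priority of `fac` that still reaches a remote host, or None."""
    return next((p for p in PRIORITIES
                 if any(k == "remote" for k, _ in destinations(rules, fac, p))), None)


if __name__ == "__main__":
    rules, warnings = parse_syslog_conf(SAMPLE_CONF)
    for w in warnings:
        print("WARNING:", w)
    for fac in ("auth", "kern", "daemon", "mail"):
        print(f"{fac}: shipped off-host from priority {lowest_remote_priority(rules, fac)}")
```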
Appendix:
---------*

I have included two files with this article: wipe-100.tgz (Wipe log cleaner version 1.00) and lastlogReader.pl (Perl script for reading lastlog files).

http://default.net-security.org/7/wipe-100.tgz
http://default.net-security.org/7/lastlogReader.pl

airWalk
interScape Security Resources
http://interscape.net-security.org

XII. Freedom of speech - related incidents
------------------------------------------

*******************************************************************
You cannot put a rope around the neck of an idea; you cannot put an idea up against the barrack-square wall and riddle it with bullets; you cannot confine it in the strongest prison cell your slaves could ever build.
--Sean O'Casey
*******************************************************************

Every day the battle between freedom and repression rages through the global ether. Here are this week's link highlights from NewsTrolls (http://www.newstrolls.com):

*******************************************************************

Thursday, September 23

Louisiana students reject wearing Pepsi-logo'ed, Social Security bar code ID cards around their necks at all times... and one student breaks the easy encryption and shows others how easy the encryption is to break...

From the Rules Concerning ID Card: "The I.D. card must be in the possession of the student at all times while at school, and penalties for non-possession will range from a detention assignment for a first violation, to suspension from school for later or major violations. Refusal to submit I.D. card is an automatic suspension, effective immediately."

--------------------------------------------------------------------------

Weekend, September 24-26

Giuliani's attempt at censorship won't hold up in court... "The one thing the city cannot do is use the power over the purse to punish dangerous ideas."
The experts agreed with Giuliani that the city is under no obligation to fork over money to the Brooklyn Museum of Art - as the U.S. Supreme Court ruled in a case of federal funding for the arts last June. "But once it funds, and then decides to de-fund one part of the arts community - if that decision is designed to suppress views - there's a First Amendment problem," said Norman Siegel of the New York Civil Liberties Union."

UK's Orwellian camera use on mall shoppers...

81.4% of women in Arusha region in Africa have had their genitals mutilated...

"The practice is so deeply embedded in those communities that a woman who escapes the practice as a child would certainly be "operated on" during her first delivery - against her will. Findings have revealed that the operation is also carried out on very young girls, including toddlers, "so that they will not rebel and bring shame to their families." When asked, the communities say they perform female genital mutilation as a means of controlling women's sexual drive so that they remain faithful to their husbands. Other reasons given, according to the research, include the belief that the female private part is dirty and it is more hygienic if the clitoris is removed. There are also communities who believe that the clitoris will kill a child coming through the birth canal, if the organ is not removed in good time."

----------------------------------------------------------------------------
Monday, September 27

Guarani Indians of the Brazilian Jungle get an IT school for their village... but they still need phone lines for Internet access...

""We usually confront religious sects and campers who invade our lands with poisoned arrows", said João da Silva, the 85-year-old tribal chieftain. "But computers are different. They will help us protect and defend our traditions".
Girls in tasseled skirts and boys in loincloths performed a ritual song and dance to welcome the arrival of the PCs, which they have named "ayu ryrurive" - meaning "boxes to store language" in Guarani. "We need to learn the technology of white men in our fight to keep and protect our lands, culture and young people," said the chief."

Hmm... is the FBI planning to round up dissidents and blacks in their Y2K operation Mad Max???

"The ten-year FBI veteran contends that U.S. intelligence agencies, including the FBI, the CIA, Navy Intelligence and other intelligence services, have drawn up plans in case a Y2K "catastrophe" hits next January. But beyond January, says Powers, "they were also preparing for Y2K-related events to occur throughout the year 2000. In fact, they were planning for operations as far down as June, when the weather turns warm in certain cities." The "Mad Max" plan, named after the 1980s Mel Gibson film depicting the total breakdown of social order, is a worst-case contingency plan, claims Powers. "The FBI expects, in this [worst] case scenario, that people would begin to riot and loot. And specifically they believe this would happen in urban areas among black citizens," says the retired agent."

-------------------------------------------------------------------------------
Tuesday, September 28

ABC publishes IP addresses of chat room participants

Appeals court decides publishers cannot include freelance writers' work in their databases without permission

Over 2 million farmers in China were duped into now-collapsed investment firms...

"The three organizations were founded in the early 1990s with the approval of the ministry of agriculture and were designed to use interest from farmers' investments to provide loans for machinery and equipment. More than two million farmers invested in the organizations, attracted by interest rates in excess of 15 percent, the center said.
"But because of serious corruption at the administrative level, much of the invested money cannot be repaid," center spokesman Frank Lu said. More than 40 billion yuan ($4.8 billion) was deposited by farmers across the province, of which 10 billion yuan ($1.2 billion) has been lost, he said, adding that the government had only committed to repay one billion yuan. As a result, more than 50 protests involving 5,000 farmers have erupted in the province since the beginning of the month, while 10 farmers were detained by police in Qidong county during one of the demonstrations."

------------------------------------------------------------------------------
Wednesday, September 29

China bans Time Magazine even though Time is hosting a business forum in Shanghai...

"But the edition, whose masthead was emblazoned with the headline "China's Amazing Half-Century," fell foul of Chinese censors by including articles written by exiled dissidents Wei Jingsheng and Wang Dan, and the Tibetan Dalai Lama."

And check out this quote from the same article on Sumner Redstone kow-towing to the Chinese Communist Party regarding MTV...

"Another conference delegate, Sumner Redstone, chairman of Viacom Inc, made clear that his rock music video channel MTV would not challenge China's Communist authorities. "You can rest assured we are not going to take any action with respect to our content that is displeasing to the Chinese government.""

-----------------------------------------------------------------------------
Thursday, September 30

Wei Jingsheng emails China from Paris...

"Chinese dissident Wei Jingsheng sent e-mail messages to Beijing from Paris Thursday to protest against official controls over the Internet and harassment of "cyber-dissidents" by China.
Wei, sitting before a screen in a cyber cafe in the French capital, e-mailed the text of article 19 of the Universal Declaration of Human Rights, of which China is a signatory and which guarantees freedom of speech, to five official or government-linked addresses. They were the Chinese Foreign Ministry, CCTV state television, the Chinese Internet information center and the People's Daily and China Daily newspapers. "They have the power and the money but we have imagination and justice on our side," said the exiled dissident, who now lives in the United States."

You can send the same letter

----------------------------------------------------------------------------
Weekend Edition, Oct 1-3

Mourning the death of 80 million Chinese...

Tibetans are being forced to take part in the celebrations

""Tibetans in Lhasa have been told that their pay or pension will be cut if they fail to take part in rehearsals for celebrations of the 50th anniversary," the London-based Tibet Information Network said. Children and retirees had been required to memorise patriotic songs and attend dance classes in the run-up to the celebrations, in which they would be ordered to wave Chinese flags, it said."

Victorious Burmese Student Warriors, pro-democracy students, take hostages at Burmese Embassy demanding the release of all political prisoners in Burma

In just one week...

diva aka Pasty Drone
CEO NewsTrolls, Inc.
"Free Minds...Free Speech...NewsTrolls"
http://www.newstrolls.com
pastydrone@newstrolls.com