--------------------------------------------------------------------------------
Default newsletter Issue #3
http://default.net-security.org
27.08.1999
Help Net Security
http://www.net-security.org
--------------------------------------------------------------------------------

TABLE OF CONTENTS
-----------------

I. Editorial
II. Last week's news on Help Net Security
   a) Help Net Security news headlines
   b) Defaced pages
III. Y2K: As the millennium approaches
IV. A look into basic cryptography
V. Internet privacy: Freedom Network
VI. Macintosh security: F33r my hybrid M4c, I'm coding!
VII. Computing: A closer look at hard- and software
VIII. Linux: IP Masquerading
IX. Infection and vaccination
X. Freedom of speech - related incidents
XI. Scams - Getting something by all means
XII. Intrusion and detection part two

I. Editorial
------------

Hey people. We received good comments on Default newsletter from both individuals and security professionals. We have only 2 issues behind us, but we will be even better (of course with your feedback and help). If you would like to write an article for Default newsletter, please do e-mail us. Any help is appreciated.

As you can see, this issue is a little bit shorter. That is because Doug Muth hasn't come back from his holidays yet, and Thejian and I were very busy this week. So do expect the next Default newsletter to be bigger and better than the previous ones. In case you want to mirror Default newsletter on your site, e-mail us too ;)

Subscribing to Default newsletter: send an e-mail to majordomo@net-security.org with the message body

subscribe news your@email

Berislav Kucan aka BHZ, webmaster Help Net Security
bhz@net-security.org

Xander Teunissen aka Thejian, co-webmaster Help Net Security
thejian@net-security.org

II.
Last week's news on Help Net Security
-------------------------------------

a) Help Net Security news headlines

- Friday 20th August 1999:
  Default #2 released
  ABC compromised
  Belgian bank compromised
  Intel extends on-line privacy ban
  Homophobic web site "stolen" by hackers?
  Indonesia responds to cyber war threats
  Watching workers
  Carding in Newcastle

- Saturday 21st August 1999:
  Linux trojan in portmap.c
  FTP.exe overflow
  Biometrics in prisons
  Office 2000 also vulnerable to Jet flaw
  Former CIA director kept state secrets on home PC
  Furor rising over PV wiretap plan
  Student draws first net piracy conviction

- Sunday 22nd August 1999:
  MS security bulletin #30
  Sun says US army is testing Jini
  Hardencrypt
  E-commerce group formed to combat fraud
  ReDaTtAcK busted

- Monday 23rd August 1999:
  Firm nabs cracker with intrusion detection tool
  First Net convict will do no time
  GAO risk-assessment report
  Sprint plans service to detect viruses
  US Government and invasion of privacy
  East Timorese domain host denounces cyberwar
  Secure your web site
  DOD speaks on Y2K
  Bomb for Microsoft manager

- Tuesday 24th August 1999:
  ISS X-Force advisory on Lotus Domino server 4.6
  Technology keys to tracking down Internet crime
  Govt. home-invasion bill
  Hackers scanning for trouble
  Norton AntiVirus 2000 is out
  Secret searches from DOJ
  SSL CPU consumption causes concerns
  Unix: It doesn't need to be so insecure

- Wednesday 25th August 1999:
  Shoutcast compromised
  HK police to establish computer crime team
  Smith admitted to creating Melissa
  New IE5 bug worse than ever?
  Audit office blasts agencies' serious security flaws
  Malicious attack on linux-kernel mailing list
  More cyber-war threats

- Thursday 26th August 1999:
  Taiwan circles wagons in cyber-warfare
  UK webhosting company hit by virus
  Netscape issues web-server fix
  Windows and bugs? Nooooo?
  CWI cracks 512 bit key
  Mounting an anti-virus defense
  Tracing stolen computers through RC5
  Self destructing e-mails?
  Nice Y2K problems in Pakistan
  Retrospective on cracking contest
  Y2K test

http://net-security.org - Daily security related news
http://net-security.org/news - News archives
http://net-security.org/headlines.shtml - Add HNS headlines to your web-site

b) Defaced pages: (mirrors provided by Attrition (http://www.attrition.org))

Site: Red Hat Indonesia (www.redhat.or.id)
Mirror: http://default.net-security.org/3/www.redhat.or.id.htm

Site: Official Web site of Limp Bizkit (www.limpbizkit.com)
Mirror: http://default.net-security.org/3/www.limpbizkit.com.htm

Site: Monica Lewinsky's site (www.monicalewinsky.com)
Mirror: http://default.net-security.org/3/www.monicalewinsky.com.htm

Site: Madison Square Garden (www.thegarden.com)
Mirror: http://default.net-security.org/3/www.thegarden.com.htm

Site: The State University of West Georgia (www.westga.edu)
Mirror: http://default.net-security.org/3/www.westga.edu.htm

Site: Rock.com's Rolling Stones Web site (www.stones.com)
Mirror: http://default.net-security.org/3/www.stones.com.htm

III. Y2K: As the millennium approaches
--------------------------------------

This week's Y2K headlines:

The computer network used by many Vermont police agencies and other emergency services went down for two days this week while technicians were preparing the system for the year 2000. While it was down, prosecutors had problems getting police paperwork, reporters couldn't get routine releases, and motorists needing copies of accident reports were out of luck. Officials do not yet know why the computer crashed. They do know it happened as technicians were upgrading the system to prepare for Y2K. It took more than two days to get the system running again. In the meantime, much of the record-keeping had to be done the old-fashioned way: with pen and paper.
PC Week reported on MS Excel Y2K problems: "Unless users of Microsoft Corp.'s Excel download scanning tools from the company's Web site, their spreadsheets could go haywire when they open their files on Jan. 1. A Boston-based technology management consulting company has found that an Excel year 2000 error causing drastic math errors went undetected by a handful of Y2K analysis tools. The core of the problem is that Excel versions through Excel 2000 have a DATE() function that treats all two-digit years as 20th-century dates, regardless of how Excel is configured to handle two-digit dates. As a result, spreadsheets that use the DATE function are particularly vulnerable to Y2K problems. (By default, Excel 97's and Excel 2000's other date functions, as well as the software's data entry routines, treat two-digit dates less than 30 as part of the 21st century.)"

The Millennium Bug that promised to swell U.S. courts with lawsuits arising from damage that may occur if a computer system fails to recognize the Year 2000 has so far resulted in only 74 cases filed, according to a report released Monday by PricewaterhouseCoopers. The trickle has the potential to turn into a full-fledged flood after the clock strikes midnight on December 31, 1999, some experts said. As of June 30, there were only 74 cases filed in state and federal courts against 45 defendants that related to the Year 2000 computer glitch (Y2K), according to the report.

Karen Shaw completed her 39-day trek across the state in which she set out to promote Y2K awareness among rural residents of Oregon. The 49-year-old teacher started her journey to show others that Y2K is coming very soon and that they must be prepared. Shaw left Medford with only $20 but said she lived on the generous donations of food and cash from people she encountered along the way. She said: "I did not come across any panicked people, but very practical, grounded, spiritual, caring people who are just doing what their hearts tell them to do".
Hundreds of people in Japan complained Sunday after their automobile navigation systems went haywire, the result of a Y2K-like glitch in the satellite system used in navigation devices worldwide (the GPS week-number rollover of 21/22 August 1999, when the 10-bit week counter in the receivers wrapped back to zero). Screens went blank and bizarre symbols turned up on the electronic navigators, essential for millions of drivers in a country where urban streets are a chaotic jumble. Pioneer Corp, a major manufacturer of car navigation systems, received about 600 calls on its help hotline, said company spokesman Hidehiko Shimizu. Shimizu said callers were directed to the nearest repair shop, where their systems were fixed for free.

Y2K TOOLS
---------

TITLE: Outlook Express Year 2000 Update
SIZE: 140 Kb
TYPE: Freeware
REQUIREMENTS: Windows 95/98/NT, Outlook Express 4.01
DOWNLOAD: http://default.net-security.org/3/en-x86-Q234681.exe
INFO: Part of Windows 98 Service Pack 1, this program resolves a year 2000 issue with Outlook Express 4.01. The issue occurs when receiving an IMAP mail message or a news message with a two-digit year as the sent date; the date can be misinterpreted under certain conditions. For example, if the two-digit year is anything other than '99, Outlook Express assumes the century is the same as the current century: if the current year is 2000 and a two-digit date is received as '97, the year will be interpreted as 2097. There is one special case where different logic is applied: if a two-digit year of '99 is received and the current year is a multiple of 100 (e.g. 2000), the year will be interpreted as the current year plus 98 (e.g. 2098).

Berislav Kucan aka BHZ
bhz@net-security.org
http://net-security.org

IV. A look into basic cryptography
----------------------------------

This is where I left off when I was working on the HOWTO last.... so from here on in is new and (slightly) improved. I probably have my terminology wrong, but the next is what I think is called an output feedback cipher.
It takes the output from one step of applying the cipher and uses it when applying the cipher to the next part. This is the simplest form of feedback I could think of.

First index the alphabet in some manner. It could be ASCII values, or a simple 1-26 scheme (I suggest ASCII because then you allow for punctuation; I used the simple 1-26 scheme here because it is easier to explain the cryptosystem).

A=1 B=2 C=3 D=4 E=5 F=6 G=7 H=8 I=9 J=10 K=11 L=12 M=13
N=14 O=15 P=16 Q=17 R=18 S=19 T=20 U=21 V=22 W=23 X=24 Y=25 Z=26

As it stands this is a very basic substitution cipher (not a transposition: nothing is reordered, each letter is simply replaced by a number), but that will soon change. The algorithm in mathematical terms is:

(N+P(1))%26=C(1)
(N+C(1)+P(2))%26=C(2)
(N+C(2)+P(3))%26=C(3)
(N+C(3)+P(4))%26=C(4)
...
(N+C(r-1)+P(r))%26=C(r)

This may seem complicated, but it's not. N is a number that is passed on as the key. C(1) is the first ciphertext letter, P(1) is the first plaintext letter, r is the total number of characters in the message. Because the previous ciphertext letter is fed into every step, the same plaintext letter no longer always produces the same ciphertext letter (the same idea as cipher block chaining in modern block ciphers).

A word about the key: every step reduces its result modulo 26, so only N%26 matters. A key of 73 and a key of 21 produce exactly the same ciphertext, and there are only 26 distinct keys in total, so choosing a large N, a prime, or a product of two primes gives no protection against brute force; an attacker simply tries all 26. Just don't use a multiple of 26, which is the same as a key of 0. A bigger alphabet (ASCII) makes the modulus, and hence the key space, somewhat larger, but it stays tiny.

% is the mathematical symbol for the modulus operation. The modulus is the remainder after dividing an integer by another integer. So 28%26=2 and 942%26=6. If your calculator doesn't handle modulus, a simple way to do it is:

942/26=36.2307692307692...
36.2307692307692...-36=.2307692307692...
.2307692307692...*26=6 (round; your calculator can't handle all these decimals)

Windows calc in scientific mode can handle modulus; the key you are looking for is Mod.

You take your message. Let's take the word HELLO for simplicity's sake. First change it to the corresponding numbers:

8 5 12 12 15

Our key number will be 73 (remember that only 73%26=21 actually matters).
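Before the calculation is worked through by hand below, here is the whole scheme in code. This is an added example written for this issue, not the author's own code: it implements the encryption, the reverse operation, the key-in-the-message transport described later in this section, and a run over every effective key, which is what shows that the size of N does not matter. One assumption is added: a step result of 0, for which the 1-26 table has no letter, is written as Z (26 is 0 modulo 26, so nothing is lost), and the key digits in the transport header are limited to 1-9 for the same reason.

```python
"""Feedback cipher from section IV (added example, not the article's own code).

Letters use the article's A=1 .. Z=26 indexing.  Assumption added here: a
step result of 0, which the table has no letter for, is written as Z, which
is harmless because 26 == 0 (mod 26).
"""

ALPHABET_SIZE = 26


def letter_to_num(ch):
    """'A' -> 1 ... 'Z' -> 26 (input is upper-cased; letters only)."""
    return ord(ch.upper()) - ord("A") + 1


def num_to_letter(n):
    """1 -> 'A' ... 25 -> 'Y'; 0 and 26 -> 'Z'.  Negative inputs are reduced mod 26."""
    n %= ALPHABET_SIZE
    return "Z" if n == 0 else chr(ord("A") + n - 1)


def encrypt(plaintext, key):
    """C(1) = (N + P(1)) % 26,  C(i) = (N + C(i-1) + P(i)) % 26."""
    prev = 0                       # there is no C(0): the first step adds only N and P(1)
    out = []
    for ch in plaintext:
        c = (key + prev + letter_to_num(ch)) % ALPHABET_SIZE
        out.append(num_to_letter(c))
        prev = c
    return "".join(out)


def decrypt(ciphertext, key):
    """Reverse each step: P(i) = (C(i) - C(i-1) - N) % 26."""
    prev = 0
    out = []
    for ch in ciphertext:
        c = letter_to_num(ch) % ALPHABET_SIZE    # Z (26) is 0 here, matching num_to_letter
        out.append(num_to_letter(c - prev - key))
        prev = c
    return "".join(out)


def brute_force(ciphertext):
    """Every possible decryption, one per effective key.  All arithmetic is
    mod 26, so key N and key N+26 behave identically: whatever N the sender
    chose, there are only 26 candidates, and a large or prime N buys nothing."""
    return {k: decrypt(ciphertext, k) for k in range(ALPHABET_SIZE)}


def pack(plaintext, key):
    """The article's key transport: one letter giving the number of key
    digits, one letter per digit, then the ciphertext.  Digits must be 1-9,
    since the 1-26 table has no letter for 0."""
    digits = str(key)
    if "0" in digits:
        raise ValueError("the article's scheme cannot encode the digit 0")
    header = num_to_letter(len(digits)) + "".join(num_to_letter(int(d)) for d in digits)
    return header + encrypt(plaintext, key)


def unpack(message):
    """Anyone who knows the layout reads the key straight off the message."""
    ndigits = letter_to_num(message[0])
    key = int("".join(str(letter_to_num(d)) for d in message[1:1 + ndigits]))
    return key, decrypt(message[1 + ndigits:], key)


if __name__ == "__main__":
    print(encrypt("HELLO", 73))          # CCJQA, as in the article
    print(encrypt("HELLO", 21))          # also CCJQA: 73 % 26 == 21
    print(pack("HELLO", 73))             # BGCCCJQA
    print(unpack("BGCCCJQA"))            # (73, 'HELLO')
    for k, guess in brute_force("CCJQA").items():
        print(k, guess)                  # HELLO appears at k == 21
```

Run it and compare the first line with the hand calculation that follows. The brute_force loop is the practical point: with or without the key header, the receiver's secret is one of 26 values, so the cipher is fine for understanding feedback but not for protecting anything.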
1  2  3  4  5
8  5 12 12 15

Restate the algorithm...

(N+P(1))%26=C(1)
(N+C(1)+P(2))%26=C(2)
(N+C(2)+P(3))%26=C(3)
(N+C(3)+P(4))%26=C(4)
...
(N+C(r-1)+P(r))%26=C(r)

And begin applying the algorithm:

H (73+8)%26=3
E (73+3+5)%26=3

NOW you see the power of a more complicated cipher. Here 3 stands for both H AND E.

L (73+3+12)%26=10
L (73+10+12)%26=17

Once again, the power of a more complicated cipher. While 3 stands for both H and E, L is represented by both 10 and 17.

O (73+17+15)%26=1

3 3 10 17 1

Then take these numbers and turn them back into letters.

A=1 B=2 C=3 D=4 E=5 F=6 G=7 H=8 I=9 J=10 K=11 L=12 M=13
N=14 O=15 P=16 Q=17 R=18 S=19 T=20 U=21 V=22 W=23 X=24 Y=25 Z=26

CCJQA

Now you ask, how do you get back to the original "HELLO"? Well, first you need a way to tell someone the key number.... I suggest prepending it to the message; go back to how it was in numbers. (Note: if someone knows the method you used to hide the key number in the message, the security of the message is lost. A sound cipher should stay secure even when the whole method is public and only the key is secret; a key written into the message by a fixed rule is no secret at all, so this transport is only a convenience for the exercise.)

3 3 10 17 1

Here the key number was 73. That's 2 digits, so add 2 7 3 to the beginning of your message:

2 7 3 3 3 10 17 1

then make it text:

B G C C C J Q A

Send that to someone. They extract the numbers, and then the key number 73.

Here's an idea: I will make this section somewhat interactive. If you can decrypt this message back to the original text HELLO, please send your analysis of how to decrypt it, in mathematical terms, to crypto@net-security.org. I'll go over all the e-mails, post who was first, and then go over it in the next issue. Have fun.

-Iconoclast

V. Internet privacy: Freedom Network
------------------------------------

The Freedom Network plays an integral role in Zero-Knowledge's privacy solution, Freedom. Here's a quick look at what exactly the Freedom Network is and what it does. You'll often hear Freedom referred to as client/server software, but what does this really mean?
Well, the "client" part is the software you install on your personal computer and the "server" part is the software that runs the Freedom Network. The Freedom Network is a series of servers distributed among ISPs and organizations around the world.

Internet traffic normally travels from source to destination unsecured (i.e. not encrypted) while passing through servers which can be easily identified. This is like sending confidential information on a postcard: anyone who handles the postcard knows the sender, the recipient and the contents. This unsecured delivery system makes message interception, falsification and tracking possible.

To solve this problem, Freedom encrypts all Internet traffic and routes it through a series of anonymous Freedom servers, known as the Freedom Network. Each server in the chain knows only the previous and following servers in the path, and nothing about the traffic (data) it is handling. This is what makes the system hard to trace: no single server knows both the origin and the destination of the traffic, and no one, not even your ISP, can read your web activities.

- Does My ISP Need A Freedom Server For Me To Use Freedom?

It's important to note that your ISP doesn't need to run a Freedom Server for you to enjoy the benefits of Freedom. If they do opt to host one, however, you may notice an increase in browsing speed while running Freedom. This is explained in greater detail in the next section.

- Network Speed

We often talk about what effect running Freedom will have on your Internet connection speed. These are also known as "latency" issues. Freedom employs a number of systems to foil attempts at analyzing Freedom users' Internet activities. The net effect of these systems can be slightly slower connection speeds for some users.
The exact latency, if any, that a user will experience while running Freedom depends on many factors, including:

- proximity to a Freedom Server
- geographic location relative to the Internet backbone
- the speed of your connection
- random Internet bottlenecks or "traffic jams"

When a user running Freedom connects to the Internet through their ISP, that connection uses more bandwidth than a non-Freedom connection. As mentioned above, this is due to the extra systems Freedom employs to ensure user privacy. This extra bandwidth consumption is more taxing on an ISP's servers as the Freedom user's traffic passes through their system on its way to the first Freedom Server on the Freedom Network. If, however, the user's ISP is hosting a Freedom Server, that server can pick up this traffic much earlier, streamlining the entire process. This, in turn, results in quicker connection speeds for the Freedom user.

To sum up, the closer a Freedom user's computer is to the first Freedom Server, the less latency the user will experience. Since the closest a user can possibly get to a Freedom Server is if their ISP is running one, alerting your ISP to the benefits of running a Freedom Server is a good idea! :-)

For an up-to-date listing of worldwide Freedom Server operators, please visit: http://www.zeroknowledge.com/partners/founders.asp

Please keep in mind that this list gets bigger every day as more server operators sign up, so be sure to check back often.

- Security Issues

"How is it possible that my ISP can't monitor my activities, since all my communications pass through their servers?"

Simple: all the data leaving your machine is encrypted using strong crypto, which means that no one, not even your ISP, can see what you're doing. (Your ISP can still see that you are talking to a Freedom Server, and how much; what it cannot see is the content or the final destination.) In fact, whether you're sending email, surfing the Net, chatting or posting to newsgroups, Freedom ensures that your activities remain private!
- Why should I trust your security when other supposedly invulnerable codes and systems have been cracked?

- Software

Zero-Knowledge uses established public algorithms that have withstood years of public analysis. Well-known public algorithms such as Diffie-Hellman, Triple DES, Blowfish and others are used to keep the system secure. ZK is uncompromising in its testing and implementation of encryption technology, using only established algorithms with key lengths beyond the reach of brute force - we do NOT cut corners.

- The More Bits, The Stronger The Encryption

As a Canadian company, ZK can export encryption technology far stronger than the US Government's 56-bit encryption export standard. A document encrypted with a 56-bit key has 2^56 = 72,057,594,037,927,936 possible keys. Freedom's encryption begins at 128-bit keys, meaning 2^128, about 340,282,366,920,938,000,000,000,000,000,000,000,000 possible keys. A supercomputer trying one million keys per second in a brute-force attack would need about 10,000,000,000,000,000,000,000,000 years to find the right key. That's a long time. (Key length says nothing about the quality of the implementation around the algorithm, which is what the independent review below is for.)

- Personnel

A number of experts in the field of privacy and cryptography have estimated that there are perhaps five people in the world capable of designing and lending credibility to a system of this complexity. ZK Chief Scientist Ian Goldberg appears on that short list. ZK sought out Mr. Goldberg because of his reputation for cracking other supposedly secure systems. As a grad student in UC Berkeley's Internet Security, Applications, Authentication and Cryptography (ISAAC) group, Ian cracked the 40-bit RC5 key of the RSA Data Security Challenge in just three and a half hours. He also earned international recognition for his part in breaking Netscape's SSL implementation (its random number generator was seeded from predictable values), as well as the cryptography used in the GSM cellular phone standard.

- Peer Review

Freedom has always been and will continue to be opened up for independent review by acknowledged industry experts.
-- Bruce Schneier of Counterpane Systems will audit the source code line by line to ensure that no cracks, holes or errors exist in the encryption implementation. Mr. Schneier, another short-list member, is well known as a veteran cryptographer and author of Applied Cryptography: Protocols, Algorithms, and Source Code, widely recognized as the bible of cryptography.

- Complete Privacy

ZK puts its customers' privacy first, with no exceptions. Unlike key-escrow or third-party systems, Zero-Knowledge (as implied by its name) is unable to determine who is behind a given pseudonym, even under threat of force.

Jordan Socran
Zero Knowledge Systems (http://www.zeroknowledge.com)

VI. Macintosh security: F33r my hybrid M4c, I'm coding!
-------------------------------------------------------

Most underground Mac users face the same problem: very few people are actually coding network security tools on the Mac. The main reason is that coding against the TCP/IP stack takes hundreds of lines just to initialize. Today many products offer an easier approach to programming: developing a project in RealBasic (http://www.realsoftware.com) is much easier than in CodeWarrior (http://www.metrowerks.com), even if each has its specificities and uses a different language. Security programs are usually not very big, since they focus on one type of vulnerability, but they take a long time to code and to debug. Another way to create your own tools is to use other languages that are faster to write and to use. Many cross-platform languages exist; the most useful are C/C++, Visual Basic, Perl, PHP3, Java, REBOL and many more. REBOL is a great new language, 100% network oriented (http://www.rebol.com) and easy to code in. You can do many things with it, from a basic mail client to databases, table builders and port scanners. In a few minutes you can build, for example, a scanner for a remote vulnerability across IP ranges.
A few months ago I made a cgi-check-like tool in REBOL; it scans for around 70 well-known vulnerabilities, and it took a few minutes to adapt it from a C source. Plus, the code runs on a virtual machine (available for 17 OSes), and it is quite fast. Don't expect well-designed, colourful software: it is command line only. Another language is Perl. Many sources are available in the security domain, and you can easily use them with MacPerl and/or with a local web server. Make sure those sources are meant to run on your OS before you even think about using a firewall admin tool written in Perl.... Anyway, if you plan to use other languages that can't run on Mac OS, you can use an emulator or install LinuxPPC. On the Macintosh, tools like RealBasic let you build software in an almost code-free way: everything except the actual commands is done graphically, and the compiler can build software for Mac OS and for Wintel. Java is harder to code in, even though the JDK tools are available for the Mac, and it will take a lot of patience. If you are just starting to program and want to learn fast, you'd better start with RealBasic. Many people from the Mac underground scene code in RealBasic; for example Portsniffer (http://software.theresistance.net) is a great product, and one of the fastest port scanners I've ever seen on the Mac. Another alternative is Mac OS X, a Unix-like system made by Apple. Many Unix tools are available or usable on this OS, and it is an easier Unix to configure since Macintosh computers have fewer types of hardware. Before you choose any language you'd better learn how to code; sometimes it takes years to be able to claim you know a language. Don't forget that the only limit you have is your imagination!

deepquest
deepquest@default.net-security.org
All rights not reserved - Serving since 1994
http://www.deepquest.pf

VII.
Computing: A closer look at hard- and software
----------------------------------------------

The Intel Celeron CPU was introduced at the end of June 1998 with a 266 MHz version, aiming to counter the success of the AMD K6-2 processor released a month earlier. It used the 0.25 micron Deschutes core of the Pentium II CPUs but had no L2 cache. This gave it high floating point performance, since its floating point unit (FPU) is identical to that of the Pentium II, but a big gap in integer performance, in comparison to both the K6-2 and the Pentium II, because of the missing L2 cache.

In July 1998 a 300 MHz version was released, still without L2 cache, while at the beginning of September the 300A and 333 MHz versions were launched, with 128 Kbytes of L2 cache running at the full clock frequency and placed inside the processor core (on die), against the 512 Kbytes at half clock frequency of the Pentium II CPUs. The addition of the L2 cache removed most of the integer performance gap of the earlier Celerons and made this processor an attractive solution in every field.
The technical features of the Celeron CPU up to September 1998 can be summarized as follows:

· 0.25 micron Deschutes core (as in the Pentium II CPUs), called Mendocino in the CPUs with L2 cache and Covington in those without;
· 32 Kbytes of L1 cache, split into two 16 Kbyte halves for instructions and data (as in the Pentium II);
· 128 Kbytes of L2 cache running at the full clock frequency and placed on die (the Pentium II has 512 Kbytes running at half clock frequency, placed on the processor cartridge outside the CPU core);
· frequency multiplier locked both upwards and downwards;
· 66 MHz bus frequency, against 100 MHz for the Pentium II;
· SEPP package, i.e. a cartridge that fits Slot 1 motherboards (the same as used by Pentium II CPUs).

Intel's marketing has always kept the Celeron cheap, on one side to compete with the AMD K6-2 in the low-end market, on the other to avoid placing a second expensive product next to the Pentium II. Two aspects are worth noting:

· The Celeron uses a 66 MHz bus while the Pentium II uses 100 MHz; although in practice the performance difference between the two, at the same clock frequency, is small, the first looks "cheap" to the user and the second looks "professional", so many buy Pentium II based systems, with more profit for Intel.
· The performance of the Celeron Mendocino and the Pentium II at the same clock frequency is almost the same; the Pentium II has a clear advantage only in servers, where its four times larger L2 cache counts even though it runs at half clock. For this reason Intel has always kept a large clock gap between the two CPUs, so that power users are not tempted by a high-clocked Celeron, which is less profitable than a Pentium II.
At the beginning of 1999 a new version of the Celeron Mendocino was released; the technical features are the same, but the SEPP package was replaced by a PPGA one:

SEPP package: it is installed in Slot 1 and looks like a Pentium II CPU without the external plastic cover; in the middle sits the CPU core, with space on its sides where the L2 cache chips are located on Pentium II CPUs.

PPGA package: very similar to a Pentium MMX CPU, it is more compact than the SEPP version and is installed in Socket 370.

Officially the PPGA package was introduced to reduce the production cost of the processor: the SEPP package, inherited from the Pentium II, no longer had a reason to exist once the L2 cache moved from the cartridge into the CPU core. Another, marketing-related, reason was to segment the processor market: Slot 1 for more "professional" systems based on Pentium II and Pentium III processors, Socket 370 for cheaper ones based on the Celeron. Up to the 433 MHz version both variants of the Celeron, SEPP and PPGA, were available, while from the 466 MHz version on SEPP was almost completely abandoned.

The Celeron was very successful because of its good overall performance and the high overclockability of almost every version; with these processors it was possible to reach clock frequencies higher than those of Pentium II processors with a very small investment. This article aims at checking the overclockability of the Celeron CPU and finding, where possible, the best version of the Celeron in terms of price and performance.

Damir Kvajo aka Atlienz
atlienz@default.net-security.org

VIII.
IP Masquerading: Multi-computer access to a network via a single interface on the server
----------------------------------------------------------------------------------------

IPmasq basics:

When you set up IP Masquerading on your Linux server, other machines on the *local* network will be able to use the single network interface of the server. The most common use is to provide Internet access to other machines which do not have their own connection.

The difference between Linux IPmasq and Windows tools (e.g. WinGate):

There is a big difference between the two. IPmasq is an "IP forwarding system" (the kernel forwards the clients' packets and rewrites their source address to the server's own), while WinGate acts as a proxy. So, to make a machine use WinGate, each application has to be configured separately, while to use IPmasq one just has to set the server as the machine's "default gateway". Further adjustment of client permissions is done on the server side (by modifying the firewall rules). Also, IPmasq can forward any kind of protocol, even those which do not have a special IPmasq helper module.

Kernel options:

To enable IP masquerading in the kernel, select:

- IP firewalling: packet filter firewall on a Linux box
- IP always defragment: necessary for IPmasq to work. The packet is defragmented (reassembled from the network fragments) on the server before it is passed to the firewall rules, so a rule cannot be bypassed by splitting a packet into fragments.
- IP masquerading: the actual IPmasq support
- Transparent proxy support: with this option, client machines think they are communicating with the end server, while in fact they talk to a local proxy.
- ICMP masquerading: adds ICMP support to IPmasq (without it, only TCP and UDP (and ICMP errors) are masqueraded)
- IP masquerading special modules support
- ipautofw masq support
- ipportfw masq support (optional)
- optimize as router

Tools to get:

- ipmasq (the automatic IPmasq script, very useful; just be sure to get the new one with ipchains support in it)
- ipchains
- ipautofw
- ipportfw
- ipmasqadm (special modules support)

Once you are finished with the kernel configuration, compile it and install the new kernel. Add:

echo "1" > /proc/sys/net/ipv4/ip_forward

to one of your system initialization scripts (or do it manually). After you bring up the interface you want others to use (usually ppp0), just run "ipmasq" to recompute the firewall rules. By default, IPmasq allows only the local network to use the interface; check that this is really so with "ipchains -L forward -n": the policy of the forward chain should be DENY and the MASQ rule should name only your local network as the source. A masquerading server that forwards for any source address is an open relay for anyone who can route packets through it, and whatever they do appears to come from your address.

Client side adjustments:

Linux: as root, execute:

route del default; route add default gw your.servers.ip.address

You can see the current routing table with "route", active connections with "netstat", and interfaces with "ifconfig".

Windows: as any user (9x) click Start->Settings->Control panel->Network->TCP/IP->network device and in the Gateway tab, add your server's IP to the list.

dev
dev@net-security.org

IX. Infection and vaccination
-----------------------------

Since school is back in for a lot of people, the number of trojans being made or updated has decreased (and so has the length of this article). So this is the first of a few articles that simply explain general information about trojans, to help remove them. We also have info on the new LockDown 2000.

As most people know, a trojan is a program that says it will do one thing and then does something else. Currently the only security hole trojans take advantage of is someone being willing to run a program. Here is the general way most trojans infect people:

1. Someone is tricked into running the trojan
2. Then it copies itself to another location
3. After that it starts listening for connections
4. It writes to the registry so it will load with Windows

Windows lets programs autoload when booting in many different ways.
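As an added example, not code from the article or from LockDown 2000, here is a small script that checks the autostart locations this section goes on to describe, the win.ini load=/run= lines, the system.ini shell= line and the registry Run keys, and lists what it finds. It parses the files' text formats directly, so it runs offline on the constructed samples embedded in it; on a live Windows 9x machine you would feed it the real files and a registry export made with regedit (that collection step is an assumption). The name suspect.exe and the sample entries are constructed, not taken from any real trojan.

```python
"""Enumerate the Windows 9x autostart locations discussed in this section:
the win.ini load=/run= lines, the system.ini shell= line and the registry
Run keys.  Added example written for this issue, not code from the article
or from LockDown 2000.  It parses text in the formats of win.ini, system.ini
and a REGEDIT4 export so it runs offline on the constructed samples below;
on a real machine you would feed it the real files and an export made with
regedit (an assumption about how the data is collected)."""

# Registry keys a program can be started from at boot (HKLM and HKCU).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)


def parse_ini(text):
    """Return {section: {key: value}}; section and key names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_reg_export(text):
    """Return {key path: {value name: string data}} from a REGEDIT4 export.
    Only string values ("name"="data") are handled; that is all the Run keys
    normally hold."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            # .reg files escape backslashes as \\ inside quoted strings
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_autostart_entries(win_ini, system_ini, reg_export):
    """List (location, command) pairs for everything started with Windows."""
    found = []
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("load", "run"):
        if windows.get(key):
            found.append(("win.ini [windows] %s=" % key, windows[key]))
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "").split()
    # The stock line is "shell=Explorer.exe"; a different first word means the
    # shell itself was replaced, and any extra words are started alongside it.
    if shell and shell[0].lower() != "explorer.exe":
        found.append(("system.ini [boot] shell= (shell replaced)", shell[0]))
    for extra in shell[1:]:
        found.append(("system.ini [boot] shell= (extra program)", extra))
    reg = parse_reg_export(reg_export)
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            found.append((key + "\\" + name, data))
    return found


def suspicious(entries, known_good=("scanregw.exe",)):
    """Drop entries whose executable name is on a list you have checked yourself."""
    kept = []
    for location, command in entries:
        exe = (command.split() or [""])[0].rsplit("\\", 1)[-1].lower()
        if exe not in known_good:
            kept.append((location, command))
    return kept


# Constructed samples (not from any real infection); "suspect.exe" stands in
# for whatever unknown program you find.
WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\suspect.exe
[Desktop]
Wallpaper=(None)
"""

SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\suspect.exe
[386Enh]
device=*vshare
"""

REG_EXPORT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"
"Suspect"="C:\\\\WINDOWS\\\\SYSTEM\\\\suspect.exe"

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"""

if __name__ == "__main__":
    for location, command in suspicious(find_autostart_entries(WIN_INI, SYSTEM_INI, REG_EXPORT)):
        print("%-75s %s" % (location, command))
```

The known_good list is deliberately short: a trojan scanner that matches names against a signature list (378 in the LockDown 2000 release reviewed below) misses anything renamed or bound into another program, while listing every autostart entry and checking each unfamiliar one by hand does not depend on the name at all.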
Just about everyone knows about the Startup folder on the Start menu. Most trojans don't use this method, though we have seen at least one that did. Another autoloading method is via the registry (the Run keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER). This is the most common way a trojan uses to start with Windows. Less well known are win.ini (the load= and run= lines) and even system.ini (the shell= line).

A common thing for trojan users to do is to "bind" the trojan they want to infect someone with to another program. Binding lets them turn a harmless program into a dangerous one. Popular trojans such as DeepThroat and SubSeven come with such tools, while many separate tools that do the same (such as SilkRope) exist and are easily found. Binding also makes the trojan harder for virus/trojan scanners to pick up, but it is still possible.

We were lucky to view and get info on LockDown 2000 Version 4.0 Pre-Release. This version fixes some minor bugs and gives the user some more control. Another handy feature is that it saves the configuration changes you made when you exit. Plus the trojan count has been increased to 378. Unfortunately the price is still probably high at 99 US dollars. We also have not had the chance to test it personally; maybe by next week we can.

zemac
zemac@dark-e.com
http://www.dark-e.com

X. Freedom of speech - related incidents
----------------------------------------

*******************************************************************
Independence is my happiness, and I view things as they are, without regard to place or person; my country is the world, and my religion is to do good.
- Thomas Paine
*******************************************************************

Every day the battle between freedom and repression rages through the global ether.
Here are this week's link highlights from NewsTrolls (http://www.newstrolls.com):

----------------------------------------------------------------------
Weekend August 20-22

US redoubling efforts to invade encrypted privacy

And the US DOJ wants easier covert action capabilities

-----------------------------------------------------------------
Monday August 23

Recently freed Lafitte says the World Bank is to blame for the detentions...

"Lafitte, a Tibetan expert, said he had grave fears about the safety of his local translator, Tsering Dorje, and for Meston, who reportedly suffered spinal and internal injuries when he jumped from a building while trying to escape police.

"The World Bank must bear direct responsibility for what happened and must act with its unique leverage as the biggest provider of capital to China to do something to help both the American, who is in trouble but at least has the American government to help him.

"And particularly I feel it's the responsibility of the World Bank to do something for our translator, who has no government he can turn to...to protect him," he said."

Under Chinese detention for investigating a World Bank program, Meston, an American, somehow fell out of a 3-story building and broke his back...

"The men assigned to monitor Lafitte told him at least three times that he was lucky he was Australian, and not American, because the United States had bombed China's embassy in Belgrade. "America is always trying to hold us back, trying to make us weak," he recalled one saying."

-------------------------------------------------------------------
Tuesday August 24

The Federal Reserve Board's opposition to the Freedom of Information Act...

Thousands of Mexican Indians and Zapatista supporters march in protest against military presence in Chiapas

African consumers speak out on product dumping and market liberalization at their expense...

"According to Consumers International, consumption per capita in Africa has gone down by 20 percent over the past 20 years. Under the current exchange system, Least Advanced Countries will lose up to 600 million US dollars per year. This painful reality is contrary to the main objectives of the WTO charter, which requires signatory parties to recognise that the objective of their trading and economic relations must be to raise the living standards of the populations through employment of higher incomes. This is why African consumer organisations have been pressing decision makers and multinational companies to stop regarding consumer rights as a hindrance to trade and investment."

----------------------------------------------------------------------
Wednesday August 25

Iran paper calls for pre-election live TV debates...

"The Iran News also said conservative-dominated state television has "shied away from the clash of ideas" and that its programming has "not been able to quench the public thirst for more accurate and impartial information.""

He Zhaohui, 32, labor activist, gets 10 years in prison for "providing information to overseas organizations"

"He, who organized over 10 workers' demonstrations in Chenzhou in 1997 and 1998, reported workers' protests in the province to democracy movements and human rights organizations in the United States, the center said."

Over 10,000 pro-independence demonstrators rally in Dili ahead of East Timor elections...

More on the rally...

"One of the organisers, Agio Pereria, said a clear message was being sent to anyone planning to sabotage the ballot and abort the consultation process. "Don't stop our people to reach the ballot box, because this is a right," he said. "Each individual has his or her right to exercise the right to vote in peace. And we hope that this is the message that we send today."

diva aka Pasty Drone
NewsTrolls, Inc., http://www.newstrolls.com
pastydrone@newstrolls.com

XI. Scams - Getting something by all means
------------------------------------------

This article will talk about common light Internet scams that could happen to anyone who is not careful (but do note that they will most often happen to people who do not have great knowledge of computers, especially of some basics of Internet surfing). I don't know why, but a lot of wannabe "hackers" think that they must start with Hotmail or Yahoo hacking. They want to get someone's e-mail password so they could read his e-mail, tease the "victim" and get some other passwords (for example, if the victim has registered a web page with the compromised e-mail address, the attacker could easily snatch it). Even when I started working on net-security, I got a lot of e-mail saying things like: "Help me to hack a hotmail account". Better advice to these people is to start learning something that could really be useful to them.

(1) Hotmail "hacking"

This one is almost legendary, because this "way of hacking" can be found on almost every Usenet group which has hack in its topic.

<********************************************************************>
First, start with opening your own hotmail address. Select compose. Type in :

To: emailoftheattacker@hotmail.com
Subject: HTM.MSN.PW.REQ (It is absolutely necessary to type in CAPITALS - subject headers are case sensitive )
Message:
[First line] The login name of the person you want to hack
[2nd line] Your own password. Because the automatic hotmail responder will require your "systemadministrator password" which is in fact are your own password! But the computer doesn't know that
[third line] x3iZ0k45-MSN-6TqGW-reqf47890sys (case sensitive)

How it works: You mail to a systemadministrators automatic responder. Usually only system administrators should be able to use this ( when for example getting lost passwords ), but when you try it with your own password and mail the above explained message from your hotmail account the computer gets confused!
MSN will respond with an automated message indicating the password requested. NOTE that if the message you send MSN is composed incorrectly, or there has been a change in the status of the user queried, you may not get an automated response. In this event, you will need to resubmit the request. This "trick" usually takes about 4 hours to get a reply of.
<********************************************************************>

I am sad to say, but according to the comments of victims on Usenet, this fraudulent activity works on some people. This whole story about sending your own password is bogus, and it isn't very imaginative either. I came across this page on Geocities, and it is just a slightly modernized version of an old fraud that we wrote about on net-security exactly 10 months ago (sending your password was then explained like this: "By doing this, the computer which receives the email believes you are a Hotmail System administrator, and sends you the password you require within 1-2 hours").

(2) AOL web fraud

I came across this trick by reading attrition's mirrors of hacked pages. Originally the site for this scam was on www.arodnet.com with a backup on the pages.hotbot.com server. Just to note that, as I'm writing this, this page is defaced again. When you access this page it gives you exactly the same look as the AOL NetMail site (www.aol.com/netmail). You have a form where you can enter a Screen Name and the appropriate password. When you enter it, the form doesn't do what you think it is supposed to do: it sends an e-mail message to the creator of it with your login and password. Code follows:

<********************************************************************>
<********************************************************************>

So it sends your information, and you get an HTML note that you entered the wrong password, which redirects you to the REAL NetMail log-on site. This way, if you were not too cautious, you shared your info, and you don't have a clue that you did it. Just to add: scammers obtaining a screen name or password could potentially do considerable harm to an AOL member's account. An account violator could use the member's communications features, such as email and the instant messenger buddy list, or even purchase goods with the member's credit card.

I was thinking about how this fraud trick could be made even more realistic. When you enter the password, a new HTML file opens that says you must try again, and the Address bar at this point says: http://pages.hotbot.com/biz/deity/error.html. If you add some JavaScript, and if you know about the frame spoofing vulnerability, you could improve the scam to the maximum. The frame spoofing vulnerability was found by Georgi Guninski and it "works" on Internet Explorer 4.x browsers (the bug was patched afterwards). This example opens a fake www.yahoo.com website.

<********************************************************************>
<********************************************************************>

All this information about successfully using the frame spoofing vulnerability with this scam is presented for educational purposes, for you to see that you must be really careful, because with some little tricks you could be deceived easily.

(3) ICQ password stealing

If you are not suspicious, you could easily lose your ICQ password. This is the "ICQ exploit" that can be found on some "underground" sites on the Internet. It isn't really an exploit, but just a way to get someone's ICQ password easily.

<********************************************************************>
Ok..the trick to this is to trick someone into putting your email address as their email address..and then you goto www.icq.com/password and type in their UIN..it sends their password to the email in their info..now here are a few tricks to get them to put your email or any email you know the password to in their ICQ info..
1)you have a klan? Ask them to join..if they do..tell them you have a klan email..(yourklan@hotmail.com)or whatever tell them to put that as their email so people can contact
<********************************************************************>

So don't change your e-mail settings for ICQ, because it can't be good for you (try to think: why would someone tell you to put his e-mail address in your ICQ settings, and what could he possibly want other than to use it against you?). Most of these scams work on a social engineering basis - they try to make you believe them.

(4) Combinations

The following two stories were picked up by news sites.

CNET (www.cnet.com) 04.03.1998 > "Hotmail suffers email scam"

A Hotmail user who registered the name "admin@hotmail.com" sent out official-sounding email to an indeterminate number of people earlier this week telling users that "The trial period for your free Hotmail Service is rapidly coming to a close." It goes on to tout Hotmail's features and tells users the accounts will cost $10 per year. It then requests that the user send an email to "admin@hotmail.com" for an account form. "Payments will be accepted by certified cheque, money order, or credit cards only," it states.

Hotmail pulled the account yesterday as soon as the staff found out about it, said Randy Delucchi, Hotmail's director of customer service.
Delucchi said he wasn't sure how many people got the email message, but added he was sure it "wasn't very widespread at all," because Hotmail has implemented antispam measures that prevent email from being sent to more than 25 people at a time. Spammers generally like to send email to thousands of people at once.

This is not the first time people have used free email to try to scam their fellow Netizens. In December, someone used Yahoo's free email to send out an official-looking letter telling users they had won a modem from Yahoo and would have to supply their names, addresses, and telephone numbers as well as a credit card number to pay for shipping.

CNET (www.cnet.com) 22.04.1999 > "AOL warns of email scam"

America Online is warning users that email messages posing as AOL-endorsed offers and notices are really trying to gather sensitive member information.

A number of these messages have such subject headings as "AOL Server Error," "AOL Billing Problem," "Beanie Babies," or "AOL Rewards," and are intended to lure members to open them, according to a cautionary posting on the "Neighborhood Watch" page within AOL's proprietary service.

The warning says the messages contain HTML hyperlinks that lead to Web sites pretending to be a standard registration Web page. But these pages ask for member screen names or passwords, which could potentially lead scammers into AOL member accounts.

One sample email reads: "A database error has deleted the information for over 25,000 accounts, and yours is one. In order for us to access the back-up data of your account, we do need your password. Without your password, we will NOT be able to allow you to sign onto America Online within the next 24 hours after your opening of this letter."

According to AOL spokesman Rich D'Amato, AOL posted its warnings three weeks ago, prompted by "member complaints, as well as emails that we had been seeing."

So you got the point: be very careful.
Scams differ: from the really pathetic ones (that Hotmail hacking) to more complex ones (using frame spoofing). Also note that the words hack/hacking are in quotation marks, because scams are in no way means or ways of hacking.

Berislav Kucan aka BHZ
bhz@net-security.org
http://net-security.org

XII. Intrusion and detection part two
---------------------------------------

This is a follow-up to last week's article on responding to an intrusion, which can be found at http://default.net-security.org/dl/default2.txt. Today I'll take a more in-depth look at recovering from an intrusion, and a brief look at computer forensics -- i.e., what to do if you want to try to get the law involved in the incident.

Much like any other part of intrusion response, recovery from an attack starts before you've been attacked. It can be very difficult to recover if you don't have recent backups of your system -- back things up regularly; nightly if possible. If you've got important information on your system, a nightly backup just makes sense. I prefer backing up to tape if you can afford a tape drive, but it's not a requirement. What you do need is some form of backup that holds your important system files and binaries, so you can restore if something happens, or a rescue disk that contains clean versions of important system binaries.

Also (preferably at the time when you actually install your operating system, so you're sure it's clean), run a program that checks your system. Tripwire, for instance, is a wonderful tool that works on Solaris, Linux, and Windows NT. It takes a sort of snapshot of your system and creates a database which contains the checksum, creation date, and access permissions for each file.
If you feel that your system may have been compromised, you can run tripwire against it again and compare the results to see if anything's changed (tripwire can even be run regularly to detect changes; perhaps run it just before your regular backup, to see if anything's been altered since your last backup). Tripwire aids in recovery because it can point out exactly which files were damaged or altered, as in the case of trojaned binaries and rootkits, and can allow quick replacement of them with good copies.

And of course, the third thing to do before an intrusion begins is to be aware of intrusion detection tools. Run them, watch the logs, and be alert -- you can't recover from an attack you don't know happened. As I discussed last week, one of the most important things you can do is log, and maintain the integrity of your logs. The need for good logs really comes into play here, in several different ways. For the purposes of this article, I'm assuming that you have intrusion detection tools running, tripwire installed, and are watching and recording your logs. I should note that it's best to log to a remote, secure loghost, log to a printer, or at least make sure that if your logs are on the same host, your log files are append-only (only new text can be added) -- most rootkits now go through and edit logs to remove an attacker's traces. If you're logging to a different machine or a cheap dot matrix printer in the corner, they'll have a hard time covering their tracks -- I'm going to assume, for this article, that your logs are intact.

When your intrusion detection software starts sending out alerts, the most important rule is -not- to panic. You cannot react faster than data can come in to your computer -- by the time you've noticed the attack, the attacker is already several steps ahead of you, and may already be in your system before you can react. Isolate the machine.
There is one school of thought that advocates pulling the power cord out of the computer (don't shut down first; many rootkits install cleanup routines in the system's shutdown procedures, and you'll lose anything they'd added). I don't advocate this as a first step -- I suggest pulling the network cable (modem, ethernet, whatever you have connecting your machine to the internet). Pulling the power can lose you a lot of information that would be helpful in diagnostics -- a lot of scripts put files in /tmp, for instance, and on some operating systems those would be lost on a power-down. Once you've gotten the information you need, run tripwire to get a new database of exactly what the system looks like now...-then- pull the power cord (again, don't shut down normally). The reason for this becomes important later.

It's at this point that you need to decide whether or not to pursue legal action. In most cases, especially for home users, the hassle of law enforcement involvement is not worth it, and all you'll want to do is rebuild and secure your machine. At the end of this article is a brief discussion of what to do if you -do- want to involve law enforcement.

You've been attacked -- now it's time to rebuild. You have two options -- the easy way and the paranoid way. The paranoid way is pretty self-explanatory: wipe -everything- and restore from a known clean backup or reinstall from read-only media. For the easy way, turn your system back on, but -don't- plug it into the network. Get your clean backup disk (run tripwire on your backup to make certain it's clean), find the files that were altered (compare the backup's tripwire database with the current files on your system), and replace them with the safe binaries you'd had on your backup. Commonly replaced binaries include /bin/login, /bin/ps, /bin/ls, /bin/df, /usr/etc/in.telnetd, /usr/etc/in.ftpd, /usr/etc/in.tftpd, /usr/sbin/ifconfig, etc. (note that these locations may be different for different flavors of UNIX).
Check -everything- -- files can be changed in unexpected ways, or be added in unusual places. Some attackers like to hide their files, for instance, in /tmp, /etc/tmp, /var/temp, /usr/spool, etc. Look for files with spaces in the name. Look for alterations of /etc/hosts.equiv, /bin/.rhosts (or any .rhosts file at all), /etc/passwd, /etc/group, etc. 'find' is a good command for this; it can be used to find all suid/sgid files, sneaky .rhosts files, etc. Look for suid root binaries in unexpected places.

Next, make sure there isn't a sniffer installed. On UNIX-based machines, if a sniffer's installed on an interface, the interface will have the PROMISC flag set (short for 'promiscuous' -- it means the interface is listening to all the traffic on the network, not just the packets intended for that interface). Sounds easy? Not so. There are scripts that install a sniffer -and- hide the PROMISC flag. The way to check is to set the interface PROMISC yourself, and then check to see if the PROMISC flag shows up. If it doesn't show up, you may have a problem -- make sure you replace ifconfig with a known good copy, and again, look for strange suid binaries and files owned by root that shouldn't be.

Personally, I recommend wiping everything and starting from a good backup. It's safer, and you don't need to worry about having missed something important. Reinstalling from known good media may be paranoid, but it obviates a lot of the work of finding all the files that have been tampered with, and will remove things like sniffers and back doors. If you'd like to do an in-depth analysis, make a complete sector-by-sector copy of the compromised disk before you wipe it, then mount (don't boot, mount) the copy read-only on a known good system, and do your analysis there.

Now start going through the logs. What happened? Do you see anything unusual? Look as far back through your logs as you can; maybe you'll see the initial intrusion.
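Before moving on to the logs, here is the filesystem sweep described above (suid/sgid files, stray .rhosts and hosts.equiv files, names containing spaces, dot-files hidden under tmp and spool directories) as an added example that is not from the article. It assumes POSIX sh with find, sed and sort; the function name sweep_tree and the mount path in the comments are mine, and it is meant to be pointed at the sector copy mounted read-only on a known-good system.

```shell
#!/bin/sh
# Added example (not from the article): a sweep for the things the text
# says to look for, run against a mounted, read-only copy of the
# compromised disk. Only find, sed and sort from a known-good toolset
# are used, so it runs on the clean analysis host, not on the victim.

# sweep_tree ROOT
# Print one sorted line per finding:
#   SUID <path>    regular file with the setuid bit (root-owned ones matter most)
#   SGID <path>    regular file with the setgid bit
#   RHOSTS <path>  any .rhosts file, or a hosts.equiv
#   SPACE <path>   a file or directory whose name contains a space
#   HIDDEN <path>  a dot-name under a tmp or spool directory
sweep_tree() {
    root=$1
    (
        cd "$root" || exit 1
        find . -type f -perm -4000 -print | sed 's/^/SUID /'
        find . -type f -perm -2000 -print | sed 's/^/SGID /'
        find . \( -name .rhosts -o -name hosts.equiv \) -print | sed 's/^/RHOSTS /'
        find . -name '* *' -print | sed 's/^/SPACE /'
        find . \( -path '*/tmp/*' -o -path '*/spool/*' \) -name '.*' -print \
            | sed 's/^/HIDDEN /'
    ) | LC_ALL=C sort
}

# Command-line use, after the sector copy has been mounted read-only
# (mount point is a placeholder):
#   mount -o ro,noexec,nosuid,nodev /dev/<image> /mnt/evidence
#   sweep.sh /mnt/evidence
case "${1:-}" in
    ?*) sweep_tree "$1" ;;
esac
```

Pointing this at the live compromised host defeats the purpose if find or ls have been replaced, which is why the article insists on mounting the copy rather than booting it. The sweep only reports; deciding which setuid binaries belong there still means comparing against a clean install of the same release.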
Using another computer (or using the hacked system, if you feel lucky, punk), use search engines to look up anything in your logs you don't understand; you may be surprised at what you find. The goal is to find out exactly how the attacker got in, find the hole, and repair it. Most commonly-exploited holes have patches -- do some research on your favorite search engine, find the exploit, find the patch, and fix the hole. If you can't find anything that might have been used against you (and be sure to look in the Bugtraq archives at http://www.securityfocus.com/ -- click on 'forums', then 'bugtraq', then 'archive'), you may want to email cert@cert.org to notify the CERT team. They may not respond, but if it really is a new exploit, they'll look into it -- see http://www.cert.org/tech_tips/incident_reporting.html for more information. Once you've got your system patched and replaced all the altered files, change all passwords on the system, just in case the attacker has your /etc/passwd (or /etc/shadow) file.

But suppose you -do- want to take the matter to law enforcement. The most important thing you can do, if that's the case, is to preserve evidence...and your hard drive is evidence. When you pulled the power on your hacked machine, you preserved as much of the current state of your system as you could. Now you need to physically remove the hard drive from the computer, set it to read-only (if you want to do analysis on it, make a complete physical sector-by-sector copy, and mount it -- don't boot it -- read-only on a known 'good' system, and do your analysis on -that-), and place it in a safe along with a copy of the original tripwire database and a copy of the tripwire database you'd taken just before pulling the plug.
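One way to make "preserve it and be able to show it was not altered" concrete, as an added example and not the article's own procedure: a checksum manifest over the copied image, the tripwire databases and the logs, in the format that the standard sha256sum -c can re-check later. It assumes POSIX sh with GNU coreutils (sha256sum, find, date, id, chmod); seal_evidence and verify_evidence are names I chose, and the device and mount paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): sealing copied evidence with a
# checksum manifest so you can later show nothing in it changed.
# Assumes POSIX sh plus GNU coreutils (sha256sum, find, date, id, chmod).

# Imaging the pulled drive on the analysis host comes first, e.g.
# (device name and paths are placeholders):
#   dd if=/dev/sdX of=/evidence/disk.img bs=64k conv=noerror,sync
#   mount -o ro,loop,noexec,nosuid,nodev /evidence/disk.img /mnt/evidence
# The image, the two tripwire databases and the logs then go into one
# directory, which is what seal_evidence takes.

# seal_evidence DIR MANIFEST
# Hash every file under DIR into MANIFEST (sha256sum's own format, so the
# standard tool can re-check it), append who sealed it and when as a
# comment line, then strip write permission from the files.
seal_evidence() {
    dir=$1
    man=$2
    (
        cd "$dir" || exit 1
        find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
            sha256sum "$f"
        done
    ) > "$man"
    printf '# sealed %s by %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" >> "$man"
    (cd "$dir" && find . -type f -exec chmod a-w {} +)
}

# verify_evidence DIR MANIFEST
# Exit status 0 if every listed file still has the recorded hash,
# non-zero otherwise. Prints nothing; the exit status is the answer.
verify_evidence() {
    dir=$1
    man=$2
    grep -v '^#' "$man" | (cd "$dir" && sha256sum -c --status)
}

# Command-line use (paths are placeholders):
#   seal.sh seal   /evidence /evidence-manifest.txt
#   seal.sh verify /evidence /evidence-manifest.txt
case "${1:-}" in
    seal)   seal_evidence "$2" "$3" ;;
    verify) verify_evidence "$2" "$3" ;;
esac
```

Keep the manifest (or a printed, signed copy of it, the way the article suggests for the logs) separate from the media it describes; a hash stored next to the files it covers proves little, since whoever can alter the files can alter the hash too.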
Also put into the safe all of the relevant logs, also in read-only format to prove they have not been edited -- one idea is to print out your logs, sign and date them, and have them notarized to prove the electronic copies have not been tampered with. Include as well as much information as you have been able to gather about the attacker (see the previous article at http://default.net-security.org/dl/default2.txt for a simple discussion of how to identify the attacker). The more information you can provide law enforcement, the more likely they are to be able to prosecute. Document everything you possibly can -- a clear chain of evidence must be compiled before you can hope to have anything done, and you must be able to show that that evidence has not been tampered with. Once you have all your evidence, contact law enforcement -- I should note that, just as it's a good idea to know who your ISP's security team is ahead of time, it's handy to know ahead of time who to contact among local law enforcement. And be nice to them. You -want- them to like you.

Comments on this article are welcome -- not everyone responds to incidents in the same way, and I'd be very interested in hearing other methods, or hearing opinions I may not have considered yet.

/dev/null
null@fiend.enoch.org
(thanks to mike@enoch.org for his help with this article)

--------------------------------------------------------------------------------
Default newsletter Issue #3 http://default.net-security.org 27.08.1999
Help Net Security http://www.net-security.org
--------------------------------------------------------------------------------