Default newsletter Issue #4
http://default.net-security.org
05.09.1999

Help Net Security
http://www.net-security.org

TABLE OF CONTENTS
-----------------
I.    Editorial
II.   Last week's news on Help Net Security
      a) Help Net Security news headlines
      b) Vulnerabilities reported in the last week
      c) Site news
      d) Defaced pages
III.  Description of the Millennium problem
IV.   A look into basic cryptography
V.    Telecom 101: Receiving through the serial port
VI.   Macintosh security: Security audit with our Mac
VII.  Computing: Matrox G400 MAX review
VIII. Understanding basic crypto techniques
IX.   Infection & Vaccination
X.    New programs on Net-Security (NS Watch!)
XI.   More news from the ACPO front
XII.  The Hotmail security hole
XIII. Meet the underground
XIV.  Freedom of speech - related incidents
XV.   Microsoft installs US spy agency with Windows

I. Editorial
------------

Hi there and welcome to yet another issue of our Default newsletter. A bit late, but brought straight to you from the Hit2000 Con (http://www.hit2000.org).

OK, I (Thejian) am going to kick off with some issues regarding the organization of Default. We would like to hear your (the readers') opinion on them, because that's the only way for us to make this thing work (even better :) to your liking. A lot of our editors do have lives outside the Internet (yeah, don't ask me why or how, but..) and it has shown to be pretty difficult to expect them to come up with articles and columns on a weekly basis. We thought of two ways to battle this. We could start rotating columns, so our editors have a longer time period to complete their work (quantity- and quality-wise) while another column fills up its spot in the newsletter, or we could change the number of times we release Default.
The "rotate thing" very heavily depends on other people submitting articles, so once again, when you feel that writing urge, don't hesitate, just do it :) Releasing Default on a different time frame would be another solution, but we don't want to get the releases too far apart; we were thinking about once every two weeks or something. We're going to discuss this with all our editors as well, but we'd love to have some of your thoughts for them to think about then. Please give us some feedback on this.

On a very different note, I would like to take this opportunity to congratulate our affiliates at Newstrolls (http://www.newstrolls.com) on their one year birthday. Keep up the good work!

To finish off the points of interest, we now have 2 (or at least two of which we know) mirrors up at Attrition.org (http://www.attrition.org/~modify/texts/zines/Default/) and NWO.net (http://www.nwo.net/Default).

Well, that's about it for me, nothing much more interesting to tell here. It's been a very challenging week, with some major security and privacy breaches discovered. We've tried to deal with at least a couple of them in this issue. Until then, happy reading and thanks for supporting HNS and Default.

For the HNS and HNS Default Crew:

Berislav Kucan aka BHZ, webmaster Help Net Security
bhz@net-security.org

Xander Teunissen aka Thejian, co-webmaster Help Net Security
thejian@net-security.org

II. Last week's news on Help Net Security
-----------------------------------------

a) Help Net Security news headlines

- Friday 27th August 1999:
  Microsoft Security Bulletin #31
  Default #3 released
  Girl power hits e-commerce
  "Nines problem"
  Is Yahoo spam or anti-spam oriented?
- Saturday 28th August 1999:
  Front page permissions
  New acquisitions in Linux world
  Debian not vulnerable
  7 fired from First Union bank

- Monday 30th August 1999:
  Intel y2k ready
  Toadie
  Security hole in Hotmail

- Tuesday 31st August 1999:
  Linus Torvalds
  More on Hotmail
  An overload of computer crime
  German encryption products freely exportable
  PairGain web hoax creator sentenced
  Canadian government site hacked
  CERT current activity
  How to counter an unseen, unpredictable enemy

- Wednesday 1st of September 1999:
  Teen hacker arrested
  Legal repercussions of the Hotmail flaw
  Adobe unveils secure pdf
  Microsoft issues IE patch
  Government preparing for y2k violence
  Office fix flawed
  WH panel calls for crypto export reform

- Thursday 2nd of September 1999:
  Securitysearch
  Government sites attacked
  LOU dissolved
  "Thursday" virus sightings
  Most software sold online is pirated
  Hacker sentenced to 18 months
  The other y2k problem: Hacker attacks
  Hackers threat to minister's web site

- Friday 3rd of September 1999:
  Visa and Cybersource target online fraud
  New privacy web service not so private
  Analyzer pleads innocent
  Projects page is up
  No y2k problems for cars
  Value net and scam
  The cleaner 3.0
  Secure web based e-mail
  Windows contains a backdoor?
- Saturday 4th of September 1999:
  Hackers answer MS Win2000 challenge
  PrivacyX reverses course
  City hires company for security audit
  Crackers threaten NASA and Mormon web sites
  Paris hacked

b) Vulnerabilities reported in the last week (our thanks go out to BugTraq for this list)

27-08 Microsoft HTML Form Control DoS Vulnerability
27-08 ProFTPD Remote Buffer Overflow
30-08 Redhat amd Buffer Overflow Vulnerability
31-08 mars_nwe Buffer Overflow Vulnerabilities
31-08 TFS Gateway 4.0 Denial of Service Vulnerability
02-09 Netscape Communicator EMBED Buffer Overflow Vulnerability
02-09 Multiple Vendor INN inews Buffer Overflow Vulnerability
02-09 Cisco Catalyst 2900 VLAN Vulnerability

c) Help Net Security site news

* not applicable this week *

d) Defaced pages (mirrors provided by Attrition (http://www.attrition.org))

Site:   Western Australian Electoral Commission (www.waec.wa.gov.au)
Mirror: http://default.net-security.org/4/www.waec.wa.gov.au

Site:   Bureau of Transportation for Taipei City (www.dot.taipei.gov.tw)
Mirror: http://default.net-security.org/4/www.dot.taipei.gov.tw

Site:   Ministry of Transportation and Communications, Republic of China (www.motc.gov.tw)
Mirror: http://default.net-security.org/4/www.motc.gov.tw.htm

Site:   HotMail Hack (www.hotmailhack.com)
Mirror: http://default.net-security.org/4/www.hotmailhack.com.htm

Site:   Ontario Ministry of Northern Development and Mines (www.mndm.gov.on.ca)
Mirror: http://default.net-security.org/4/www.mndm.gov.on.ca.htm

Site:   7th Army Training Command, Bavaria, Germany (www.cmtc.7atc.army.mil)
Mirror: http://default.net-security.org/4/www.cmtc.7atc.army.mil.htm

Site:   MegaAdult (www.megaadult.com)
Mirror: http://default.net-security.org/4/www.megaadult.com.htm

Site:   SecurityNet (www.securitynet.net)
Mirror: http://default.net-security.org/4/www.securitynet.net.htm

Site:   Ministério da Agricultura e do Abastecimento (www.agricultura.gov.br)
Mirror: http://default.net-security.org/4/www.agricultura.gov.br.htm

III.
Description of the Y2K Problem
------------------------------

The Year 2000 problem (Y2K, Millennium Bug, Millennium Virus) came about due to programming practices involving the use of 6 digit dates (dd/mm/yy) vs. 8 digit dates (dd/mm/yyyy). This results in the possibility of a year such as 31 being misinterpreted (is it 1931 or 2031?). Thus, any computer program which deals with 6 digit dates is susceptible to the Y2K problem.

The Y2K problem involves two key date issues:

Date mathematics. For years businesses have used date math to compute things such as aging schedules, due dates, past due accounts, etc. Many computer applications now support the use of date mathematics (Lotus 1-2-3, MS-Excel, MS-Access, etc.). These applications all work by using a base date (often Jan 01, 1900) as a starting point and then tracking the date and time numerically from that point (how much time has elapsed since Jan 01, 1900). Thus, a time might be stated as a fractional component of the day integer (35927.63 = May 12, 1998, 3:08 pm in MS-Excel). This means that computing the difference between Jan 01, 1998 and Jan 01, 1999 would result in 365 days. Computing the difference between today and the day a bill was incurred would indicate how old a debt was (e.g. 45 days = past due). So, when the year 2000 comes into play using a 6 digit date we end up with situations like Jan 01, 00 - May 12, 1998. If the 00 is misinterpreted by a computer system as 1900 then the calculation will result in a large negative number (in this case -35,926). This number may or may not be a problem the computer application can deal with. It is possible that this number will be turned into its absolute value (the negative sign is dropped if no space is reserved to hold it), which will cause even more confusion. Imagine if your debt went from 22 days old to 35,926 days old. The past due notice would give you a surprise.
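The two ways that calculation goes wrong, next to the usual remediations (a sliding century window, or simply 8 digit dates), as an added example in Python; it is not from the article. Day counts come from Python's own calendar rather than Excel's serial numbers (Excel also counts a nonexistent 29 February 1900), so the figure differs by one from the -35,926 above, but the behaviour is the same. The bill and aging dates are constructed, and the pivot year of 50 is an assumed choice, not something the article states.

```python
from datetime import date

# Assumed sliding window: two-digit years below the pivot are read as 20yy,
# the rest as 19yy. The value is a choice, not something the article states.
PIVOT = 50


def parse_6digit_naive(s):
    """dd/mm/yy the way the legacy code reads it: the century is always 19."""
    d, m, yy = (int(x) for x in s.split("/"))
    return date(1900 + yy, m, d)


def parse_6digit_windowed(s, pivot=PIVOT):
    """dd/mm/yy with a century window, the cheap Y2K remediation."""
    d, m, yy = (int(x) for x in s.split("/"))
    century = 2000 if yy < pivot else 1900
    return date(century + yy, m, d)


def parse_8digit(s):
    """dd/mm/yyyy: unambiguous, the real fix."""
    d, m, y = (int(x) for x in s.split("/"))
    return date(y, m, d)


def days_old(today, incurred):
    """Age of a debt in days, as the billing systems in the article compute it."""
    return (today - incurred).days


def days_old_unsigned(today, incurred):
    """Same, when the record reserved no space for a sign: the sign is lost."""
    return abs(days_old(today, incurred))


def ambiguous_dates(records, pivot=PIVOT):
    """6 digit dates whose century the window reassigns. In an audit these are
    the fields that must be checked against the source documents by hand."""
    return [s for s in records
            if parse_6digit_naive(s) != parse_6digit_windowed(s, pivot)]


if __name__ == "__main__":
    # Constructed sample: a bill from 12 May 1998, aged on 1 January 2000.
    bill, today = "12/05/98", "01/01/00"
    print("two-digit years, century fixed at 19:",
          days_old(parse_6digit_naive(today), parse_6digit_naive(bill)))
    print("same, sign dropped:",
          days_old_unsigned(parse_6digit_naive(today), parse_6digit_naive(bill)))
    print("windowed:",
          days_old(parse_6digit_windowed(today), parse_6digit_windowed(bill)))
    print("8 digit:",
          days_old(parse_8digit("01/01/2000"), parse_8digit("12/05/1998")))
    print("needs review:", ambiguous_dates([bill, today, "09/03/63"]))
```

Run it and the naive parser ages the bill at -35925 days (or 35925 with the sign dropped), while the windowed and 8 digit parsers both say 599. The window only defers the problem: a record from 1949 and one from 2049 collide again at the pivot, which is why ambiguous_dates exists, to list the fields that changed meaning so they can be checked against the paper.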
In old COBOL (a programming language that is still in widespread use) dealing with date math is even more complicated. Dates in COBOL are typically stored in three different fields (a month, a day, and a year). The year is often stored as 2 digits to save space and simplify output problems with pre-printed forms. In some cases, COBOL programs were written with 4 digit dates and 1900 is subtracted from the year to generate the form (1981 - 1900 = 81) so that the form can look like 1981 when it is generated. This will cause a problem since 2001 - 1900 = 101 instead of 01. In other cases where a 6 digit date was used, the problem is even worse since there is no clear indication of which date we are talking about. Imagine a COBOL program that deals with county records to record births and deaths. If all the dates are stored as 6 digits soon you will have records which say something like 09/03/63. Now suppose I live to be a hundred years old: my birth is recorded as 09/03/63 and if I die on my birthday 100 years later my death would also be 09/03/63. A casual observer might interpret this as me dying at birth or who knows what. Thus, the main problem of Y2K is the problem of incorrect results when date mathematics are conducted. Most companies are working to correct these problems in their COBOL programs and most current microcomputer applications already have built in fixes.

The second type of problem involves systems that check the date for some purpose to determine if a valid date is being used. An example might be a credit card expiration date. If the program that checks this when the card is scanned is very simple it might just ask whether today is greater than the expiration date. Thus, 01/01/99 is greater than 01/01/00, which would result in your credit card being rejected. Another example is a security system which checks to see if today is a valid date before recording an entry or exit from a building. If the 00 date is determined to be out of range or the computation is at fault the system may simply shut down and lock all the doors.

--------------------------------------------------------------------------------
Why did Programmers Do This?

Essentially, several reasons exist for this problem:

Saving space in computer memory. Originally, computers had very small amounts of memory available and the repeated use of two extra digits could make a significant difference to the amount of memory available, so in the interests of efficiency the seemingly redundant thousands and hundreds were dropped.

Preprinted forms. Designing computer output for old systems was quite tedious and required that every variable be specifically defined. In order to make it easy to print a two digit year after a preprinted 19 it was simpler to use two digit years in the program.

Unexpected longevity. Since the year 2000 was a very distant date most people didn't really think about this problem until recently. Thus, a lot of programs were written in the traditional manner of using 2 digit years in the date.

--------------------------------------------------------------------------------
What is COBOL and why does it exist?

COBOL is a computer programming language developed by the CODASYL committee (Conference on Data Systems Languages) in 1959. COBOL became the business programming language of choice for large scale applications throughout the 60's, 70's and 80's. Millions and millions of lines of COBOL programs were written and these systems (often called legacy systems) are still in use today since it is expensive and difficult to replace an accounting system or payroll system in a large corporation. The old adage, "If it ain't broke, don't fix it", has also played a role in the continuation of COBOL as a programming language nearly 40 years after its original inception.

Where is the problem?

Any computer program which deals with dates is susceptible to this problem.
Thus, if you use dates in any of your applications at home or work, you should make sure the applications you are using or the programs you are writing are compliant with 8 digit dates or have some other mechanism built in to deal with the year 2000. If you fail to do this your business may suddenly find all of its records out of order, or important information could be lost due to problems dealing with data that is out of range.

Will this problem dramatically affect my life?

Not likely, most companies are taking steps to deal with this problem. There will likely be isolated incidents of problems (like a credit card rejected) that will quickly be identified and corrected by the institution. At home, if you make sure all of your applications and programs utilize 8 digit dates then you should experience no problems with your personal applications.

What are Logic Devices [PLD]?

Logic devices and programmable logic devices are technical terms used to refer to the many semiconductor based "chips" that are used to manage various devices (anything from a simple coffee maker to a giant production machine). These devices are usually programmed in assembly language and it is estimated that literally tens of billions of these things exist around the world.

Why are people concerned about PLDs in conjunction with Y2K?

Many people believe that a large number of devices that utilize PLDs will fail when the year 2000 rolls around since PLDs may contain date sensitive code. In particular programmable devices like VCRs, coffee makers, security systems, etc. are susceptible to this type of problem. If the PLD is date sensitive and was not set up to deal with 8 digit dates (discussed earlier), then a number of different things may happen: 1) the device may simply fail to operate; 2) the device may report the incorrect day of the week (if it thinks the year is 1900); 3) the device may fail to operate as expected (coffee maker doesn't come on in the morning).
Thus, there is the potential for a lot of problems with this type of thing but I don't think any of it is earth shattering (although if my coffee maker stops working there is going to be a serious problem). The other side of this coin is that PLD devices are used in large production systems that manage things like power plants and food processing machinery (literally everything these days has a PLD in it somewhere). Many speculate that electricity will fail and all sorts of problems will ensue. My thought is that if the power company is not producing electricity then it is not making any money. While I have not worked in the power industry, my feeling is that they are testing these systems and making corrections so again, there may be some isolated power outages, but as soon as the power fails they can start repairing that system.

What can I do about PLDs?

Well, the easiest thing to do is to set the dates on the various devices in your house that are programmable (security system, coffee maker, etc.) to dates after the year 2000 and see what happens. If any problems ensue then you can figure out what to do next (contact the manufacturer or replace the device). Mostly I would check out your mission critical systems. I checked out the coffee maker and the security system and both worked fine.

--------------------------------------------------------------------------------
How to be sure:

Assess your personal work. Are there applications or programs that use dates in computation or for reference purposes? If you have such applications you may want to investigate to determine whether those applications and programs use 6 or 8 digit dates. If you are using 6 digit dates, then you should convert them to 8 digit dates or at least test the application to determine if there is a problem (try entering some dates in the future). Be sure to back up your original files before you try any of this.

Dr.
Doug White
Monfort College of Business
The University of Northern Colorado
doug.white@acm.org

IV. A look into basic cryptography
----------------------------------

Last issue I gave you the algorithm to a message. The message was HELLO and encrypted, was CCJQA. I asked you to take the known key, 73, and decipher the message and release the way you decrypted it. Here is how you do it.

A=1  B=2  C=3  D=4  E=5  F=6  G=7  H=8  I=9  J=10  K=11  L=12  M=13
N=14 O=15 P=16 Q=17 R=18 S=19 T=20 U=21 V=22 W=23 X=24 Y=25 Z=26

Each step takes the ciphertext letter's number, subtracts the key (and, from the second letter on, the previous ciphertext letter's number), then adds 26 until the result lands in the range 1..26:

 3-73    = -70   -70+26=-44   -44+26=-18   -18+26=8    8 is the first letter.  8 is H
 3-73-3  = -73   -73+26=-47   -47+26=-21   -21+26=5    5 is the second letter. 5 is E
10-73-3  = -66   -66+26=-40   -40+26=-14   -14+26=12   12 is the third letter. 12 is L
17-73-10 = -66   -66+26=-40   -40+26=-14   -14+26=12   12 is the fourth letter. 12 is L
 1-73-17 = -89   -89+26=-63   -63+26=-37   -37+26=-11  -11+26=15   15 is the fifth letter. 15 is O

The original message is HELLO. Now mathematically...

C(1)-N=X          (if X<=0, add 26 to it. Repeat until 0<X<=26. That's P(1).)
C(2)-N-C(1)=X     (if X<=0, add 26 to it. Repeat until 0<X<=26. That's P(2).)
C(r)-N-C(r-1)=X   (if X<=0, add 26 to it. Repeat until 0<X<=26. That is P(r).)

(The range has to include 26, otherwise a plaintext Z can never come out of the decryption.)

Now here's another challenge for you. The ciphertext is

XHGSQGAECWSI

And no, I did not encode the key number. See if you can crack it. One suggestion is making a program to brute force it. Then again... It may be a very very very high number... but it also may be really small. I don't expect anyone to crack this. I'll release the message in the next issue. You know the algorithm. Get to analyzing.

NOTE: If anyone does come up with an algorithm, don't be shy. Send it on in, I will take a look at it. If I understand it and like something about it, I may just toss it up on here for people to look at. If I don't understand it, I'll inquire with you about it. Just don't send me a message enciphered with some algorithm you made up and ask me to crack it without the algorithm.
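The decryption above carried out in code, as an added example in Python that is not part of the column. It also includes the brute forcer the column suggests writing. Two things the code makes explicit: the "add 26 until it fits" step is arithmetic modulo 26 on the values 1..26, so Z = 26 is handled, and because every step is reduced modulo 26 a key N and a key N + 26k produce identical ciphertext, so the brute forcer has to try only 26 values however large the real key is. brute_force returns all 26 candidate plaintexts for a ciphertext; which one is the message is left to the reader.

```python
# Chained shift cipher from the Default crypto column, letters numbered A=1 .. Z=26.
#   Encrypt:  C(1) = P(1) + N            C(r) = P(r) + N + C(r-1)
#   Decrypt:  P(1) = C(1) - N            P(r) = C(r) - N - C(r-1)
# with every result brought back into 1..26.


def _wrap(x):
    """Bring any integer into 1..26: the column's 'add 26 until it fits' step
    done as arithmetic modulo 26, so that Z = 26 is a valid result."""
    return (x - 1) % 26 + 1


def _num(ch):
    return ord(ch) - ord("A") + 1


def _chr(n):
    return chr(ord("A") + n - 1)


def encrypt(plaintext, key):
    out, prev = [], 0          # C(0) = 0: the first letter is a plain shift by N
    for ch in plaintext.upper():
        if not "A" <= ch <= "Z":
            continue           # the scheme has no symbols for spaces or digits
        c = _wrap(_num(ch) + key + prev)
        out.append(c)
        prev = c               # chain on the ciphertext letter just produced
    return "".join(_chr(c) for c in out)


def decrypt(ciphertext, key):
    out, prev = [], 0
    for ch in ciphertext.upper():
        if not "A" <= ch <= "Z":
            continue
        c = _num(ch)
        out.append(_wrap(c - key - prev))
        prev = c               # chain on the received ciphertext letter, not the plaintext
    return "".join(_chr(p) for p in out)


def brute_force(ciphertext):
    """All candidate plaintexts, keyed by N in 0..25. Every step is reduced modulo
    26, so key N and key N + 26k give the same result: however large the real
    key is, 26 trials cover every possibility."""
    return {n: decrypt(ciphertext, n) for n in range(26)}


if __name__ == "__main__":
    print(decrypt("CCJQA", 73))                                  # the worked example
    for n, candidate in brute_force("XHGSQGAECWSI").items():     # this issue's challenge
        print(f"N = {n:2d}: {candidate}")
```

decrypt("CCJQA", 73) and decrypt("CCJQA", 21) both give HELLO, which is the whole point: the chaining hides letter frequencies but adds nothing to the key space, so a 26-line loop is the only "program to brute force it" that is needed.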
I'm balancing several jobs and doing this newsletter in my spare time, so I don't have much time to work on decrypting things. That's it for today; you've seen the entire howto as it stands up to date. Expect more from me next issue. Been fun.

-Iconoclast
crypto@default.net-security.org

V. Telecom 101 - Receiving through the serial port
--------------------------------------------------

Hi and welcome to the last part of my pager-message sniffing column. This one is going to be a quicky, but oh well :). Anyway, let's get this going. As I mentioned earlier, it's possible to hook your scanner up to your PC and set it to scan certain frequency ranges for messages. In this way you could set it to receive pager signals which you could decode. Pagers however are made to pick up those signals for themselves and, with a little modification, even for others too. Today we'll put all of this together into a device to do some off-the-air POCSAG decoding. Using this device as a middle-man between your scanner/receiver and your box will allow a more accurate and clearer receipt of the POCSAG numeric and alphanumeric signals.

What will you need for this? The parts list:

U1    741 op-amp
R1    100k
R2    10k
C1    0.1 uF
C2-3  10 uF, 16 V
D1-4  1N4148 or 1N914

Here's the schematic. Yeah, I know my ASCII skills are elite :) and deciphering this schematic will probably take up the most time, but this damn laptop keyboard of mine just isn't cooperating.

[Schematic: the ASCII drawing did not survive the flattening of this text. What can still be read from it: the receiver's audio comes in through C1 to the input of U1 (the 741, pins 2 and 3), with R1 and R2 on the input side; the 741's output (pin 6) drives the serial port's CTS line; its positive supply (pin 7) is taken from DTR (+12 V) and its negative supply (pin 4) from RTS (-12 V), each through the D1-D4 diodes, with C2 and C3 as decoupling on the two rails; all grounds return to the serial port's GND. For the full drawing see the Phrack article in the sources below.]

Now, how to connect this thing.
Input to this device comes straight from your receiver (pager/scanner). Most of the time you connect this device to the COM2 port, but it more or less depends on what port you've got free. You connect the pins like this:

COM port signal   25 way   9 way
CTS                  5        8
GND                  7        5
TxD                  2        3
RTS                  4        7
DTR                 20        4
DSR                  6        6

The device is powered by the serial port (the +12 V and -12 V come from DTR and RTS).

Sources (go here for more info):

An excellent article by Emanuel Goldstein in Phrack
http://www.2600.com/phrack/p46-08.html

Software for the actual encoding and decoding of POCSAG signals
http://www.bearnet.demon.co.uk/pocsag/index.htm

A pretty good (Dutch) site on scanners and telecommunications in general
http://ssb.auvicom.nl

OK, that's it for today. Parting is sorrow, but don't worry, I'll be back in the next issue :)

Xander Teunissen, aka Thejian, Help Net Security
thejian@net-security.org

VI. Security audit with our Mac
-------------------------------

Part 1

Security audits are a lot of fun: from penetration testing to checking local domain(s) to users' rights, they give white-hat hackers a great way to express their skills. Common users think they require a very powerful computer; that's not entirely true unless you want to run brute force attacks on FTP, web server, AppleTalk or NT passwords. There are thousands of tools you can use: commercial products or freeware security tools. Yes, you can use Windows NT or Linux tools, but why not use all your favourite toys on one computer, a Mac? Let's take a PowerBook G3 450 MHz with 128 MB of RAM and a 6 GB disk to make this audit. The aim is not to reach a C2 security level, even though it can be done and checked from the PowerBook, but a basic security audit focused on 3 points:

- NT, Unix and AppleTalk password resistance to brute force attacks.
- LAN production servers' reliability.
- DMZ penetration testing (from the Internet and the local LAN).

First of all we will get copies of two other OSes: Windows NT and LinuxPPC.
Get something like Virtual PC (http://www.connectix.com) or Blue Label (http://www.lismoresoft.com) to run NT, and a copy of LinuxPPC (http://www.linuxppc.com).

*/ First we will test the strength of users' passwords. Almost 75% of the threats come from inside a company... Easy passwords and default rights (especially with NT) on a local network can be VERY dangerous. For the brute force attack we will get dictionaries (ftp://ftp.replay.com/pub/replay/wordlists/). Point your browser to L0pht to get the world's best known NT password checker: L0phtCrack 2.5. For the AppleTalk password guessing we'll get Magic Key 2.0.2 (http://www.deepquest.pf/MK202.sit). You'll use L0phtCrack 2.5 on your Virtual PC workstation and Magic Key under MacOS. This first part doesn't ask much skill, but it will put a heavy load on your computer, so let it run at least one business day to get a good result. If this network has Unix computers, try to crack the password file locally or remotely with Meltino (http://www.deepquest.pf/mac.htm); it'll give you some passwords, and the more passwords you get, the less secure they are. It's very common to find names of people, animals, etc. We could have used Linux for breaking the password file on the Unix computer, but Magic Key wouldn't be able to run there. Now your Mac is in full effect: it's a real heavy brute force attack simulation, with AppleTalk, NT and Unix password attacks running at once. Let your computer run for several hours with this software; don't try to use anything else, because of the maximum CPU load and to get a better result. Make sure you merge several dictionaries.

*/ Major companies run Windows NT servers mixed with Unix flavoured servers like Solaris. Plus those companies most of the time have an intranet, dial-up access, and an Internet web server (sometimes directly hosted by an ISP). You're likely to find IIS or Apache web servers. Those servers are for the different departments of the company (HR, marketing, finance, etc.)
with restricted access. The best tool is a CGI check program, which tries to access restricted directories or administrative files. The original cgi-check was written in C, so you have to compile it under Unix... There's another alternative: a few months ago I adapted this great tool to a more cross-platform language, REBOL. You just have to get REBOL from www.rebol.com and cgi-check99. Put cgi-check99.r in the REBOL folder, launch REBOL and do a "do %cgi-check99.r"; it will ask you for a host to scan and will display the discovered vulnerabilities. Around 70 of the best known vulnerabilities are detected. REBOL runs on most OSes.

----------beginning of code/c-p to a cgi-check99.r file----------
REBOL [
    Title:   "CGI Check 99 v0.3"
    Date:    9-Jun-1999
    Author:  "deepquest"
    Comment: "extR4 shOut 2: loser, packetstorm, attrition, H4k, acpo, krisTof, mad55, siRYus, bl4St, nucleus, & Other dark/white cR3Ws"
    File:    %cgi-check99.r
    Email:   deepquest@netscape.net
    Purpose: {Remote exploits checker: probes a web server for about 70 known vulnerable CGIs, sample scripts and leftover files.}
]

secure none
print "CGI Scanner. Improved by deepquest."
prin "Site to scan: "
site: input

; Each pair is the path to request and the name printed when the server
; reports that the file exists. A hit means the file is present, not that
; it is exploitable: confirm by hand before putting it in the report.
checks: [
    "/cgi-bin/rwwwshell.pl"                          "THC - Backdoor"
    "/cgi-bin/phf"                                   "PHF"
    "/cgi-bin/Count.cgi"                             "Count.cgi"
    "/cgi-bin/test.cgi"                              "test-cgi"
    "/cgi-bin/nph-test-cgi"                          "nph-test-cgi"
    "/cgi-bin/nph-publish"                           "nph-publish"
    "/cgi-bin/php.cgi"                               "PHP"
    "/cg-bin/handler"                                "handler"
    "/cgi-bin/webgais"                               "webgais"
    "/cgi-bin/websendmail"                           "websendmail"
    "/cgi-bin/webdist.cgi"                           "webdist.cgi"
    "/cgi-bin/faxsurvey"                             "faxsurvey"
    "/cgi-bin/htmlscript"                            "htmlscript"
    "/cgi-bin/pfdisplay.cgi"                         "pfdisplay"
    "/cgi-bin/perl.exe"                              "perl.exe"
    "/cgi-bin/wwwboard.pl"                           "wwwboard.pl"
    "/cgi-bin/www-sql"                               "www-sql"
    "/cgi-bin/view-source"                           "view-source"
    "/cgi-bin/campas"                                "campas"
    "/cgi-bin/aglimpse"                              "aglimpse"
    "/cgi-bin/glimpse"                               "glimpse"
    "/cgi-bin/man.sh"                                "man.sh"
    "/cgi-bin/AT-admin.cgi"                          "AT-admin.cgi"
    "/cgi-bin/filemail.pl"                           "filemail.pl"
    "/cgi-bin/maillist.pl"                           "maillist.pl"
    "/cgi-bin/jj"                                    "jj"
    "/cgi-bin/info2www"                              "info2www"
    "/cgi-bin/files.pl"                              "files.pl"
    "/cgi-bin/finger"                                "finger"
    "/cgi-bin/bnbform.cgi"                           "bnbform.cgi"
    "/cgi-bin/survey.cgi"                            "survey.cgi"
    "/cgi-bin/AnyForm2"                              "AnyForm2"
    "/cgi-bin/textcounter.pl"                        "textcounter.pl"
    "/cgi-bin/classifieds.cgi"                       "classifieds.cgi"
    "/cgi-bin/environ.cgi"                           "environ.cgi"
    "/cgi-bin/wrap"                                  "wrap"
    "/cgi-bin/cgiwrap"                               "cgiwrap"
    "/cgi-bin/guestbook.cgi"                         "guestbook.cgi"
    "/cgi-bin/edit.pl"                               "edit.pl"
    "/cgi-bin/perlshop.cgi"                          "perlshop.cgi"
    "/_vti_inf.html"                                 "_vti_inf.html"
    "/_vti_pvt/service.pwd"                          "service.pwd"
    "/_vti_pvt/users.pwd"                            "users.pwd"
    "/_vti_pvt/authors.pwd"                          "authors.pwd"
    "/_vti_pvt/administrators.pwd"                   "administrators.pwd"
    "/_vti_pvt/shtml.dll"                            "shtml.dll"
    "/_vti_pvt/shtml.exe"                            "shtml.exe"
    "/cgi-dos/args.bat"                              "args.bat"
    "/cgi-win/uploader.exe"                          "uploader.exe"
    "/cgi-bin/rguest.exe"                            "rguest.exe"
    "/cgi-bin/wguest.exe"                            "wguest.exe"
    "/scripts/issadmin/bdir.htr"                     "BDir - Samples"
    "/scripts/CGImail.exe"                           "CGImail.exe"
    "/scripts/tools/newdsn.exe"                      "newdsn.exe"
    "/scripts/fpcount.exe"                           "fpcount.exe"
    "/cfdocs/expelval/openfile.cfm"                  "openfile.cfm"
    "/cfdocs/expelval/exprcalc.cfm"                  "exprcalc.cfm"
    "/cfdocs/expelval/displayopenedfile.cfm"         "displayopenedfile.cfm"
    "/cfdocs/expelval/sendmail.cfm"                  "sendmail.cfm"
    "/iissamples/exair/howitworks/codebrws.asp"      "codebrws.asp"
    "/iissamples/sdk/asp/docs/codebrws.asp"          "codebrws.asp"
    "/msads/Samples/SELECTOR/showcode.asp"           "showcode.asp"
    "/search97.vts"                                  "search97.vts"
    "/carbo.dll"                                     "carbo.dll"
    "/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd" "whois_raw.cgi"
    "/doc"                                           "Debian Boa"
    "/.html/............./config.sys"                "ICQ99"
    "/....../"                                       "personal webserver"
    "/scripts/no-such-file.pl"                       "IIS-perl"
    "/cgi-bin/visadmin.exe?user=guest"               "OmniHTTPd Web Server"
]

; exists? issues the request and answers true when the server says the
; path is there; one line per hit, nothing for a miss.
foreach [path label] checks [
    if exists? join http:// [site path] [print label]
]
--------------------end of code--------------------

Another basic thing you can do is to look for the latest security issues in forums like Bugtraq or others. Zero-day exploits have to be taken into consideration since you're asked to take a snapshot of the information services. Don't waste your time on local bugs, but rather on remote exploits. I assume the company has at least a secure data room!

Another thing to do from your Virtual PC is to use DumpAcl and DumpReg on the NT server. What are the access levels, and for whom? Checking AppleShare IP shares remotely is very quick with ServerScan (http://freaky.staticusers.net/network.shtml). You won't have to worry about special shares like NT has in the registry, or the admin share C$ etc... Unix is quite different; I suggest you use Panda309 by thegrid (http://www.deepquest.pf/panda309-v1.0.tar.gz). It runs on LinuxPPC, does a B or C class portscan with remote OS fingerprinting and some vulnerability detection. In a few minutes you get a map of the LAN. This part of the audit can take up quite a lot of time, but make sure you check what you're told to check :-)

/*EOF 1-2

PS: this text does NOT make your computer, LAN or DMZ any safer! It's just a basic overview of what you can do from a Mac. DMZ audit to be continued... next week.

Deepquest
deepquest@default.net-security.org
All rights not reserved - Serving since 1994
http://www.deepquest.pf

VII. Computing: Matrox G400 MAX Review
--------------------------------------

Matrox has been around since the dawn of 3D graphics. Their Millennium actually harbored a 'few' 3D features but the subsequent Mystique, PowerVR PCX2 and G200 parts were far from being 'real' gaming boards. The performance and feature list was way below par for the Mystique and the G200 just couldn't cope with Quake 2. 1997 to the present hasn't been exactly fruitful for Matrox.
Gamers in particular have always sided with 3dfx or NVIDIA. With only a few OEM design wins for the G200, Matrox clearly had some work to do for their next generation G400 chipset.

The fill rate of the G400 MAX is certainly up there with the best of the bunch at 333 MTexels per second (identical to that of the Voodoo3 3000). The G400 MAX processor also supports single-cycle multi-texturing (great for those 3D first-person shooters). As with most of these new 2D/3D chips, the G400 MAX is on a .25 micron five-layer metal process technology. It also harbors Matrox's 256-bit DualBus architecture with a true 128-bit external bus to video memory. Although we've yet to witness the Camino and AGP 4X, the G400 MAX is AGP 2X/4X capable with Multi-threaded Bus Mastering. It's ably backed up by 32MB of SGRAM. Matrox hasn't actually come out and said what their clock speed is, but with a 333 Mtexel/sec fill rate it's pretty easy to work out that 'magic' number. Bearing in mind that it does two per clock cycle, you simply divide 333 by two and are left with 166MHz.

D3D is certainly where the 'future' lies, and with a G400 MAX and its 32MB you'll be in the very best of hands. It really is exceptionally fast. The Forsaken scores were not only the fastest yet seen, but the astounding 32-bit performance certainly sets a precedent. The performance hit was minimal at 'worst', and at 800x600 in 32-bit the frame rate was over 200fps. Even at 1600x1200 we still see scores over 70fps in 32-bit on a Pentium III 500MHz. The multitexturing capabilities of the card under DX6 were also impressive, as the Shogo: MAD scores show. (The higher the resolution and color depth, the wider the gap between the G400 MAX and the rest.)

No FINAL ICD was available with the review unit. Matrox really does need to sort this out in time for the product launch (it even says a FULL ICD is supposed to come with the retail part). Clearly some work needs to be done.
Quake 2 performance, whilst acceptable (especially at the higher resolutions), was still some way off from a Voodoo3 or TNT2. Half-Life was even worse; the performance was way below par. We understand that the OpenGL drivers we were given were in BETA, so we'll update these scores as and when we can. On the other hand, Quake 3: Arena at 1024x768 and in 32-bit was very playable. (The slower OpenGL Quake 2 scores force us to dock a point off the final score. Should Matrox get around to improving the performance, we will re-evaluate.)

Clearly, for its whopping great $249 asking price, this card is NOT for the low-end user. The faster your CPU, the better performance you get for your money. A Celeron 400 would be our cut-off point, where you're still likely to find that the D3D performance is top notch. (The question is, how many game developers are going to implement this feature. We hope it picks up more than S3's S3TC has done thus far. Matrox lists some 40 games.....)

Ok, so now you've seen just how stunning a game can look when the feature is implemented, but what's the big deal? All the major 3D chip manufacturers list 'bump mapping' on their spec sheet, right? Well, the truth is out there somewhere. There are many ways to represent this effect. There's the conventional cheat of embossing, there's the PowerVR way, there's the Dot3 3Dlabs method and finally there's the Matrox way. Matrox's implementation of this DirectX 6.0 'quality feature' allows for a richer looking environment than mere embossing can simulate. It allows for multiple light sources in one pass, as well as reflective environment mapping on the same bump. Most other 3D cards (the Voodoo3, TNT2 etc.) use the conventional embossing method to simulate bump mapping, which really isn't all that big of a deal. Voodoo Graphics could do the very same thing way back in 1997.
This embossing (or multi-pass alpha blending) is limited to monochrome lighting and also brings out artifacts when simulated because of its per-polygon technique (Matrox's bump mapping is per pixel instead). Using embossing won't give you those luscious rolling waves as seen above; one can't use an environment map to simulate distortion effects. Basically, a TNT2 or Voodoo3 will 'counterfeit' bump mapping, because embossing is NOT the real deal.

In a market so over-saturated, it's really no surprise that Matrox is pushing their beloved bump mapping so hard. For them it's what separates their card from the rest of the crop. The question is, does it do for you what it does for them? You've seen the shots of Expendable, but even if Matrox convinces game developers that bump mapping is a case of 'do or die', it'll still be a while before it becomes an industry standard (if it indeed does). The jury is still out amongst gamers and game developers alike in terms of the performance hit entailed with bump mapping. Although Expendable 'seemed' to hold up to a similar frame rate when bump mapping was turned on, it wasn't really the best test. Odd cars and water effects are not exactly 'whole scenes'. Try a couple of Quake 3: Arena 'bump mapped' tunnels and then we'll know for sure. Having said that, using embossing is an even greater strain on your CPU as it calculates UV shifts. (It really is gorgeous, but will game developers support this feature? Only time will tell.)

The G400 MAX is certainly a 'feature' driven product. Just like the NVIDIA TNT2, it harbors support for a 24-bit Z-buffer with an 8-bit stencil buffer (which looks excellent when used in Quake 3). The stencil buffering can be used to specify conditional masks, which in turn allows for dissolve and transition effects such as volumetric shadows, silhouettes, scorch/skid marks etc. It's certainly a welcome feature and eradicates the 'flickering shadow' seen with a 16-bit Z-buffer.
(Whilst far from being an essential feature (the Voodoo3 is limited to a 16-bit Z-buffer), it does add to the overall LOD of a complex scene. Most other chips support this now.)

The G400 MAX's DualHead Display is certainly one of its most interesting and innovative characteristics. In a market saturated by products that all do the same thing, the DualHead Display technology gives end-users something else to think about. In a nutshell, it allows a single chip to output two physically separate images simultaneously to two different output devices. This feature currently supports simultaneous output to either two RGB monitors, to an RGB monitor and a television set, to an RGB monitor and a Digital Flat Panel, or to two analog Flat Panels. The G400 design contains two separate Cathode Ray Tube Controllers (CRTCs), which can retrieve data independently from different locations in the AGP memory or display buffer. Interestingly enough, the two CRTCs (connected to the integrated 360 MHz RAMDAC) can read the same image but at varying refresh rates. The second CRTC can be connected to the TV-Out function (which supports PAL/NTSC and SECAM) or to a DFP (Digital Flat Panel Display) transmitter, with an RGB stream of up to 1280x1024 at 32-bit (at 60Hz for a second monitor). The DualHead also solves the 'flicker' problem and eliminates the limitation of current TV-Out solutions, where the PC monitor has to run at 50/60Hz in order to support the PAL/NTSC TV-Out standards.

"So what", you might think? Have you ever tried editing images in Adobe Photoshop? With the DualHead feature enabled, you could have all your small images on one monitor and edit a blown-up version of an image on another. One monitor can be used to display the canvas, whilst the toolbars can be displayed by the secondary monitor. Photographs and scanned images can be zoomed, whilst pixels can be zoomed to the second display for retouching.
Less minimizing and all-around less hassle; we've tried it and really can see the benefits for the artistically minded end-user. Photoshop isn't the only application suited for this feature either. Gamers might also be able to reap the benefits too in the not-too-distant future. Flight Sim fans would surely crave multi-monitor in-game support. Fire a missile and then track its progress on the second monitor. Well, we're still some way off from seeing that, but Microsoft has already stated that their MS Flight Simulator series will harbor support for DualHead. Windows 2000 will also mean this feature might well get used more and more. There are other advantages to this DualHead technology (see below). For example, you can watch a DVD movie on one screen whilst whizzing through your spreadsheets (what joy) on another. (Matrox has clearly decided to stay 'ahead' of the game and gone for innovation. DualHead won't change your life just yet, but its usefulness should grow.)

The Matrox G400 doubles the engine bandwidth by using a 256-bit DualBus architecture, composed of two independent one-way 128-bit buses working in parallel inside the chip to output 128 bits of valid data on every chip clock cycle, while the traditional 128-bit bus outputs 128 bits of valid data only on every other clock cycle. Here's how it works. The two internal buffers store a multitude of instructions and/or data. On every chip clock cycle, data is sent to the engine via the 128-bit internal input bus, and on the same chip clock cycle, processed data from the engine is sent back to the output buffer via the 128-bit internal output bus. It's a two-lane highway compared to a one-lane bridge. Because the external 128-bit bus to video memory can run at higher clock rates than the internal graphics engine, data multiplexing logic is used to manage the data buffers to ensure that data is being sent to the engine, and that processed data is being read from the engine, on every chip clock cycle.
This way, the bus never sleeps.

With the advent of multi-textured applications comes the potential for multiple messes. While single texturing is relatively straightforward, multi-texturing requires blending many textures onto a single polygon. If your hardware does a sloppy job of it, you end up with UGLY. The key is precision throughout the internal 3D pipeline. In the ongoing 16 vs. 32-bit debate, don't lose sight of the reason it makes a difference: more bits means more accuracy. The reason 3dfx can claim closer to 22-bit color is because their internal pipeline is 32-bit. Well, Matrox has gone a step further and outputs at 32-bit as well. In fact they've gone 32-bit mad; here's the list:

o 32-bit precision throughout the 3D pipeline along with 32-bit accumulation buffers
o 32-bit rendering to ensure all internal operations are done with 32-bit accuracy
o 32-bit source textures (with support for texture sizes up to 2048 x 2048)
o 32-bit Z-buffer/stencil buffer for maximum depth precision
o 32-bit internal results dithered down for the highest quality 16-bit output

Lest you get the notion that 32-bit is the only buzzword on their lips, here's another list:

o Full subpixel and subtexel positioning
o 8-bit filter coefficients, to provide the best quality bilinear, trilinear and anisotropic filtering
o UltraSharp RAMDAC technology for fully saturated analog outputs

Here is Matrox's reasoning: "A 32-bit texture typically has eight bits for each of the following components: Red, Green, Blue, and Alpha. Therefore, 32-bit rendering selects from among 256 different shades of each RGB color component, for a total of 16.7 million possible colors. On the other hand, a 16-bit texture typically has five bits for each Red, Green and Blue component, and only one for Alpha. This means that 16-bit rendering draws images from a color palette containing 32 shades for each color component, for a total of only 65,000 possible colors.
32-bpp color accuracy throughout the rendering pipeline makes for a cleaner, smoother gradient of colors than 16-bpp can deliver. The reason for the difference in quality is simple: the lack of available shades with 16-bit rendering results in lower image quality. On top of this, internal calculations with 16-bit rendering deteriorate image quality even further due to the errors caused by lack of precision." Didn't we just say that?

Unlike everything Voodoo, which utilizes AGP for the bus speed only, the Matrox G400 and G400 MAX are designed from the inside out to make maximum use of AGP 4X's 1GB/sec bandwidth. While that doesn't much matter now (there is nary a 4X-equipped system to be had), it could matter a great deal when Intel and AMD release their full AGP 4X rigs and developers really begin to push that envelope.

The Matrox G400 chipset entails an MPEG-2 DVD decoder (most next-generation 2D/3D cards do these days). The software bundle that Matrox has gone for is Zoran's SoftDVD2 player (ATI uses the same) for DVD video playback, which lets you watch all of your favorite flicks on your PC. The software itself is easy to use and get used to, with the remote control supporting basic play functions as well as advanced navigational features (play, forward, rewind etc.). The usual array of features includes sub-picture blending, aspect ratio scaling (allowing for 16:9 encoded DVD on 4:3 aspect ratio TVs) and full-screen output to a TV. The default resolution for watching movies is 800x600 (the software automatically drops your desktop to this resolution). Although Zoran's SoftDVD software is well respected and a popular choice, the first version was also known for its 100% CPU usage. As with the previous version of Zoran's SoftDVD, this new version also requires a hefty CPU, a Pentium II 333MHz being the MINIMUM spec. The software decoding hogged most of your system's resources, so checking stock prices whilst watching Mr.
White go berserk in Reservoir Dogs wasn't really an option. Version 2 of SoftDVD has been markedly improved in terms of its CPU usage, and multitasking (whilst not advised) is just about possible. For much more rewarding results, the G400 MAX's DualHead function can be used to great effect. For example, you could use the primary RGB output for your web browsing, whilst at the same time using the second RGB output to watch a DVD movie on a second monitor. Then again, you could do your work faster, unbothered by a movie in the background, and then just switch off your PC and go watch a movie on your TV later...

Features
o Title and menu options include title and chapter search, subtitle and language option, audio and root menu
o Language selection of up to 32 different audio tracks
o Seamless viewing angle switching without audio interruption
o Parental lock for controlling adult content

(The quality of the MGA-G400 MAX really does the DVD job well. The pictures are crisp and the colors rich (useful during the full 1 hour 33 mins of the Reservoir Dogs test).)

The 2D on the Matrox is absolutely unbeatable. You couldn't really expect anything less from Matrox, who have been the 2D kings on and off since the Millennium days. The G400 MAX's 360MHz RAMDAC is the fastest to date (some 10MHz faster than on a Voodoo3 3500) and as a result has the best 2D performance so far. The G400 MAX's UltraSharp DAC technology and support for true 24-bit color at resolutions as high as 2048 x 1536 dishes out fast screen refresh rates along with crisp, clean text and images. The 256-bit DualBus graphics engine and optimized AGP 2X chip design no doubt helped it fly through a couple of ZD 2D WinBench runs. (If 2D is your oyster, then the two best 2D performers are the G400 MAX and the Voodoo3 3000 (in that order).)

Matrox's PowerDesk tools have always been solid, and in the G400 MAX's case it's no different. You can tweak away to your heart's content (refresh rates, gamma settings).
The controls for the DualHead are also easy to use and just require 'checking' and 'unchecking' as the case may be. Gamers will be slightly 'peeved' at the lack of a V-Sync 'disable' check box. Those of you that are happy to edit the registry can do just that, whilst others may choose to use PowerStrip etc... Matrox chose to stay WHQL certified and thus offers no V-Sync disabling functions. (We witnessed ZERO crashes in any Windows applications.)

Other than the provided DVD software from Zoran (top notch) and the Matrox drivers, nothing has yet been set in stone. All of the bump mapping demos found on their web site came with the CD, as well as playable demo versions of Expendable, Drakan and Slave Zero. All fun while they lasted.

Matrox has entered the 3D gaming scene. The G400 MAX is lightning quick in some D3D games, but when multitexturing comes into play the architecture doesn't seem quite as efficient as the Voodoo3's or TNT2's, and the OpenGL really needs improving. So really hardcore gamers that live and die by Quake 2 (let's see how Quake 3 performs when the timedemo is released) might still want to go for a Voodoo3 3000 or an Ultra TNT2. If you're a gamer but all about 'image' rather than frame rate, the G400 MAX wins hands down. It did outperform a Voodoo3 and Ultra TNT2 in some D3D tests, and it also shows that 32-bit rendering can be used at a minimal performance loss. Alongside the Ultra TNT2, the G400 MAX harbors the best image quality, and with bump mapping enabled (where possible) it creeps ahead. Whilst on the expensive side at $249.99, we were still left pleasantly surprised and do recommend this card to gamers and end-users who would make use of some of the more innovative features such as DualHead.

GOOD:
o Visual Quality
o Unique Features (bump mapping & DualHead)
o Exceptional D3D performance

BAD:
o Quake 2 scores not up to scratch (currently)
o High price
o Requires a fast CPU

Damir Kvajo aka Atlienz
atlienz@default.net-security.org

VIII. Understanding basic crypto techniques
-------------------------------------------

To begin with, it's important to understand the primary basic techniques of encryption: symmetric key-based algorithms, such as block ciphers and stream ciphers; asymmetric key-based algorithms, such as public key encryption; and one-way hash functions, which are used for passwords on most operating systems. These are the three primary methods of cryptography systems -- most systems are based on one of these techniques, or a combination of them.

Block ciphers and stream ciphers are known as symmetric key-based algorithms. What this means, in plain English, is that the same key is used for encryption and decryption. If I encrypt the word 'SPEEDBOAT' as 'QLXXAFRMP', such that Q=S, L=P, X=E, etc., then I should be able to decrypt 'QLXXAFRMP' using the same key. Block ciphers are commonly used to encrypt files on a system. In a block cipher, information is divided into equal-sized blocks of text (say, five letters: 'THIS IS A SECRET MESSAGE' would be separated into 'THISI SASEC RETME SSAGE') and then each block is encrypted using the same algorithm. IDEA is an example of a well-known block cipher, as is Blowfish.

In stream ciphers, data is encrypted in much smaller chunks, usually bits. This form of encryption is generally what's used to encrypt information as it passes from one system to another, because it's much faster than block ciphers -- crypt (the original UNIX command) is a stream cipher, as are most non-computer based encryption systems. For instance, the Cryptoquote in many daily newspapers is a stream cipher -- each letter is encrypted as it comes. The differences between the two are mostly in the implementation. An easy way to think of it is that block ciphers are generally implemented in software, while stream ciphers, implemented in hardware, encrypt individual bits as they go by.
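The two symmetric styles contrasted above, as an added example that is not code from the article or its author: a toy keyed-substitution block cipher working on the same five-letter blocks the text uses, beside a toy XOR stream cipher that encrypts byte by byte as data arrives. The keyword 'ZEBRAS', the LCG keystream and the sample message are constructed for the demonstration; neither cipher is secure. The point is that one shared key does both encryption and decryption in either style.

```python
# Added example, not code from the Default newsletter or its author.
# Toy symmetric ciphers for illustration only; the substitution keyword,
# the LCG keystream and the sample text are constructed. Not secure.

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def blocks(text, size=5, pad="X"):
    """Drop non-letters, upper-case, and cut into equal-sized blocks,
    padding the last block so every block is exactly `size` long."""
    clean = "".join(c for c in text.upper() if c in ALPHABET)
    clean += pad * ((-len(clean)) % size)
    return [clean[i:i + size] for i in range(0, len(clean), size)]


def make_key(keyword):
    """The shared secret: a substitution table built from a keyword
    (keyword letters first, then the unused letters in order)."""
    order = []
    for c in keyword.upper() + ALPHABET:
        if c in ALPHABET and c not in order:
            order.append(c)
    return dict(zip(ALPHABET, order))


def block_encrypt(text, key):
    """Block cipher style: every block goes through the same table."""
    return " ".join("".join(key[c] for c in b) for b in blocks(text))


def block_decrypt(cipher, key):
    """Same key, inverted table; padding letters are left in place."""
    inverse = {v: k for k, v in key.items()}
    return "".join(inverse[c] for c in cipher if c in ALPHABET)


def keystream(seed):
    """Deterministic byte stream from a seed (a toy LCG); the seed is
    the shared key, and both sides regenerate the identical stream."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        yield (state >> 16) & 0xFF


def stream_xor(data, seed):
    """Stream cipher style: each byte is combined with the next keystream
    byte as it arrives. XOR is its own inverse, so this one function
    both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed)))


if __name__ == "__main__":
    key = make_key("ZEBRAS")
    ct = block_encrypt("THIS IS A SECRET MESSAGE", key)
    print(ct, "->", block_decrypt(ct, key))
    sct = stream_xor(b"THIS IS A SECRET MESSAGE", 0xC0FFEE)
    print(sct.hex(), "->", stream_xor(sct, 0xC0FFEE))
```

Run it and the block cipher prints the four five-letter blocks from the text, each substituted through the same table, while the stream cipher prints an unreadable byte string that the same seed turns straight back into the message; a different seed does not.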
In asymmetric key-based algorithms, a different key from the one used to encrypt a message is used to decrypt it. This is more commonly known as public key encryption, and RSA is a notable implementation of it -- a user of public key encryption has both a public key (which is used to encrypt a message) and a private key (which is used to decrypt a message). In a public key system, I could post my public key somewhere easily available, and a complete stranger could use it to encrypt a message. He then sends the message to me, and my private key decrypts it. If the message is intercepted, because two different keys are used, my message remains secure even if the interceptor has my public key. Only the private key can decipher the encrypted message.

And then there are one-way hash systems, such as SHA and MD5, which most operating systems use to store passwords. I discuss password management in detail later in the article.

Some encryption implementations use all three methods to serve various different purposes in the system. For instance, the well-known public key system PGP (Pretty Good Privacy) uses the IDEA block cipher for the actual encryption of the data, RSA for the public and private keys themselves, and an MD5 one-way hash for passwords. This way, the system itself is protected in many ways, with each cryptography technique being put to its best use.

How passwords work
------------------

Most operating systems handle passwords by using one-way hashes. What this means, in practice, is that your password is not stored anywhere on your computer. When you initially enter your password, the system hashes it using a one-way hash function. The system knows how it hashed the sequence of characters that is your password, so every time you log on, the system hashes what you have just typed using the same hash function, and compares the result to the stored hash.
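The public/private key relationship described in the asymmetric paragraph above, as an added example that is not code from the article or its author: textbook RSA on small primes, enough to see that the public key encrypts and only the matching private key recovers the text. The primes 61 and 53 and the exponent 17 are the usual classroom values chosen here; real RSA keys are thousands of bits long and use padding, and PGP applies this operation to wrap the IDEA session key rather than to the message itself.

```python
# Added example, not code from the Default newsletter or its author.
# Textbook RSA with toy primes (61, 53) to illustrate public-key
# encryption; real keys are thousands of bits and use padding.
from math import gcd


def make_keypair(p, q, e=17):
    """Return (public, private) where public = (n, e) and private = (n, d).
    d is the modular inverse of e mod phi(n), so (m^e)^d = m mod n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(message, public):
    """Anyone holding the public key can do this: each character code
    is raised to e modulo n. Character codes must be smaller than n."""
    n, e = public
    return [pow(ord(c), e, n) for c in message]


def decrypt(cipher, private):
    """Only the private exponent d undoes the encryption."""
    n, d = private
    return "".join(chr(pow(c, d, n)) for c in cipher)


def apply_public_to_cipher(cipher, public):
    """What an interceptor holding only the public key can compute:
    the public exponent again. It does not give the character codes back."""
    n, e = public
    return [pow(c, e, n) for c in cipher]


if __name__ == "__main__":
    public, private = make_keypair(61, 53)
    ct = encrypt("Hi", public)
    print("public", public, "private", private)
    print("cipher", ct, "->", decrypt(ct, private))
```

With these primes n = 3233, phi(n) = 3120 and d = 2753; the script prints the two ciphertext integers and decrypts them back to "Hi", while a second key pair or the public exponent alone leaves them as noise.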
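The hash-and-compare login check just described, as an added example that is not code from the article or its author: a salted, iterated password hash (PBKDF2-HMAC-SHA256 from Python's standard library) with a verifier that never stores or compares the password itself, next to the plain unsalted hash the text's single-hash description resembles. The stored-string layout and the iteration count are choices made here, not anything the article specifies.

```python
# Added example, not code from the Default newsletter or its author.
# The storage format and iteration count are choices made here.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # slows down guessing; raise as hardware gets faster


def unsalted_hash(password):
    """A single plain hash of the password. Two users with the same
    password get the same stored value, and one precomputed table of
    hashed words serves against every password file."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$digest'. Only this string
    is stored; the password itself never is. A fresh random salt makes
    the stored value unique even when two users pick the same password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-hash what the user typed with the stored salt and iteration
    count, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: " + algorithm)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = hash_password("Superman")
    print(stored)
    print(verify_password("Superman", stored), verify_password("superman", stored))
```

Hashing the same password twice yields two different stored strings because of the salt, yet both verify; the unsalted hash is identical every time, which is what lets one precomputed word list be checked against every account at once.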
For instance, if your password is 'Superman', the actual hash may look something like 'dLboH6tH$kP/Nre1TMLr4thuBRmz' (please note: this is not an actual hash). Whenever you type in the word 'Superman' at your password prompt, the machine sees 'dLboH6tH$kP/Nre1TMLr4thuBRmz'. It compares, notes that the two hashes are the same, and lets you into your account. What password cracking programs do is either take lists of words (in the case of a dictionary or word file attack) or generate strings of characters (in the case of a brute force attack), hash them, and compare them to the hashes in the password file until they find a match. This is why it's important to protect your password file even though it's hashed.

References
----------

By far the most comprehensive book on cryptography is Bruce Schneier's _Applied_Cryptography_ (2nd edition). It's easy to understand, so if this subject interests you, I recommend buying it. For information about breaking password encryption, L0pht's documentation for L0phtCrack (http://www.l0pht.com/l0phtcrack/) contains a brief description of the various methods it uses. Crack (http://www.users.dircon.co.uk/~crypto/) is a dictionary-style password checker, and John the Ripper (http://www.false.com/security/john/) is a brute force-style password checker.

/dev/null
null@fiend.enoch.org

IX. Infection & Vaccination
---------------------------

It's been a long time, but yes, we do have two spanking new trojans for you. We also have a little story for you. To top that off, we continued with our general trojan info: why trojans work on Windows 95 and not Windows NT.

Our first trojan of the week is called Digital Rootbeer. The name is the most unique thing about this trojan. It has a lot of features, but nothing new. The most dangerous feature is its file control (execute, upload, download, delete). Rootbeer listens for connections on port 2600 (TCP), and this cannot be changed.
It installs to c:\windows\ with whatever name it is called when you run it. It does not run on Windows NT. If you would like to find out where the original file is, open regedit and browse to: HKEY_LOCAL_MACHINE\SOFTWARE\1999 --=[">?t~%?"-M¥N]=--\. The Program Path key contains the location and filename of the file you ran that installed Digital RootBeer. So you might be able to find out who gave it to you. For example, if someone on ICQ gave it to you, it should be in the received files under the name of the person who sent it to you.

Here is the 3-step manual removal:

1. Open regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. Then remove the ActiveX Console entry.
2. Close the server or reboot the machine.
3. Browse to c:\windows and remove the trojan file, which can be found in the Program Path key at HKEY_LOCAL_MACHINE\SOFTWARE\1999 --=[">?t~%?"-M¥N]=--\.

The next trojan we have for you is Death version 1.0 by Earlz Plumbing. The client's GUI looks nice but is rather difficult to use. It too has a lot of features, like Digital Root Beer, without anything new. Though it does have a window lock command to lock a window on the host computer from being updated. Unlike RootBeer, it runs on port 2 TCP, which can be changed. Unfortunately we could not get it to run on Windows 95, because it needs Visual Basic 6 runtime files which we currently do not have on that machine. On our NT machine we do have VB 6 files, but it does not infect NT :-) Sorry.

Here is a little story that has many good lessons to learn from it. One of our friends came across this page: http://www.blue.icestorm.net/nerv/. It has a program called iCMP J1zz that can knock anyone off of IRC. Which is a tool we all need, isn't it? Well, even though the person took credit for programming it in C++, it is in fact a configured SubSeven server.
I could be wrong, but it appears the j1zz.exe has some Visual Basic runtime files in plain text when viewed in Notepad, which is usually an indication it's programmed in Visual Basic. Another thing: I do not believe that SubSeven is even made in C++, so that's just wrong. Believe it or not, we actually have some lessons that can be learned from this. Okay, well, first: don't just go downloading every cool-sounding program you see. Another thing is, if you're infected with a trojan, you can always send it to me to be studied. I had fun finding an e-mail address and 2 different ICQ UINs in the SubSeven server. To all you people that use trojans: maybe you should not use SubSeven. Also, just for your info, on that site all 3 programs are just SubSeven servers.

Okay, here is our last section for this week. It's a simple thing that a lot of people don't realize. Most trojans will not run on Windows NT due to two differences. First, there is no c:\windows directory standard on Windows NT, which messes up a very small number of trojans. The other difference between Windows NT and 95 is in the API code. When a trojan tries to hide from the task manager you can view on Windows 95 (using Ctrl-Alt-Del), it uses an API call which differs enough on NT to stop it from working.

Next week we will compare the following trojan removers: Trojan Defense Suite, LockDown 2000 and The Cleaner. Hope you all have a trojan-free week.

Zemac
zemac@dark-e.com
http://www.dark-e.com

X. New programs on Net-Security (NS Watch!)
-------------------------------------------

After some time, the Projects page on net-security.org is finally updated. This page will follow its previous tradition in bringing you the best security programs made by net-security staff.

NS Watch! (NSW) in its latest version (2.0.4.0 FINAL) is a program that watches over your windows\system directory, registry Run keys and the 32-bit CRC of selected files. I came up with the idea to make this program after I was hit by the Marburg virus.
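What NS Watch! does for the windows\system directory, and what the trojan removal steps above check by hand, as an added example that is not the NSW program or any net-security code: a baseline-and-compare file monitor that records a 32-bit CRC per file and reports files that appeared, vanished or changed since the baseline. It watches a directory only (registry Run keys are Windows-specific and left out); the directory contents in demo() are constructed for the run.

```python
# Added example, not the NS Watch! program or any net-security code.
# A baseline/compare file monitor using 32-bit CRCs; the demo directory
# and file names are constructed for the demonstration.
import json
import os
import tempfile
import zlib


def crc32_of(path):
    """CRC32 of a file, streamed so large files need little memory."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def snapshot(directory):
    """Map each regular file below `directory` (relative path) to its CRC32."""
    snap = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory).replace(os.sep, "/")
            snap[rel] = crc32_of(full)
    return snap


def save_baseline(snap, path):
    """Persist the baseline so later runs can compare against it."""
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Report newcomers, removed files and files whose CRC changed."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a 'system' directory, then a new
    file appears and an existing file is modified."""
    with tempfile.TemporaryDirectory() as d:
        system = os.path.join(d, "system")
        os.mkdir(system)
        for name, content in (("kernel32.txt", "original kernel32"),
                              ("user32.txt", "original user32")):
            with open(os.path.join(system, name), "w") as fh:
                fh.write(content)
        baseline_file = os.path.join(d, "baseline.json")
        save_baseline(snapshot(system), baseline_file)
        # A newcomer shows up and an existing file is altered.
        with open(os.path.join(system, "newcomer.exe"), "wb") as fh:
            fh.write(b"MZ not really a program")
        with open(os.path.join(system, "user32.txt"), "w") as fh:
            fh.write("patched user32")
        return compare(load_baseline(baseline_file), snapshot(system))


if __name__ == "__main__":
    print(demo())
```

A CRC32 catches accidental and careless changes, which is all a 1999-style watcher aimed for; for a monitor meant to resist a deliberate attacker who can craft a file with a matching CRC, a cryptographic hash (e.g. SHA-256) drops in for crc32_of without changing the rest.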
The idea was to make something like a logger that would take care of newcomers in your windows\system directory and registry Run keys. I was not satisfied with loggers like Regmon and Filemon because they were displaying too much unimportant info. After the first version was released I found one nice CRC calculating routine. Why not include it in NSW? So I did, and that was it. Of course there were some bugs occurring, and I encourage you to uninstall any previous NSW version except this FINAL.

The second program is made by one person that is not in net-security. His name is Dancho and he made Trojan Library. It is one of the few programs of its kind, because it brings you the latest Trojan/Worm information for reading offline. Dancho promised that he will update this library often, so don't forget to check the projects page from time to time.

I will put some "Goltha approved" :) links on the projects page also. I know we already have a links page on net-security, but these links are going to lead only to sites where you can find very useful or rare things.

And in the end, if you have any comments, wishes or anything else, do not hesitate to contact me...

Tomislav "Goltha" Petrovic
Net-Security programmer
goltha@net-security.org

XI. More news from the ACPO front
---------------------------------

Hi again... I'm honored to be allowed to tell you a bit more about ACPO [http://www.antichildporn.org] and our future... This weekend, we will be traveling to deliver a presentation to our first political group, http://WWW.mntaxpayers.org/#Moorhead Conference. I'll fill you in on more of the details next week. BTW, just a little note here about politics: we do not support any political group, just the stopping of child abuse and child porn on the internet. Some people are concerned with our involvement in governments and their politics. But please tell me a way to stop this injustice without involving ourselves in politics and the law!
We are just beginning to plan our first European tour, roughly in the October/November time frame. While we know the places we must visit, we are open to your suggestions as to places where we might have an opportunity to tell our story and recruit European members. Please e-mail me at natasha@infovlad.net if you have suggestions or ideas.

On the home front, ACPO will be attending the Techno-Security & Disaster Prevention '99 Conference: http://www.thetrainingco.com/Agenda-99.html

Plans are being made to develop additional approaches in assisting law enforcement to identify and successfully prosecute child pornographers. We anticipate forming both public and private partnerships to further this cause. Thanks again to net-security.org for their support, and this forum to express ourselves, and to keep you informed.

Natasha Grigori
Founder antichildporn.org
============================
Thanks for being 'Child-Friendly'
Natasha Grigori
Founder AntiChildPornOrg ACPO
http://www.antichildporn.org/
mailto:thenatasha@mediaone.net
============================

XII. The Hotmail security hole
------------------------------

Hotmail, one of the best known Microsoft acquisitions, was involved in a security scandal earlier this week. A group of "hackers" (I will talk about this later) discovered a backdoor in the Hotmail service, which opened millions of accounts to other people. "We did not do this hack to destroy, we want to show the world how bad the security on Microsoft really is, and that that company nearly has a monopoly on [all] the computer software" - Lasse Jung aka DarkWing said to the media (this group talked with the Swedish tabloid Expressen and one of the big media houses online, Wired News (www.wired.com)). It looks like they found a hole in the new Microsoft Passport program, which is a secure (lol:) way for you to sign in to multiple Internet sites using one member name and password.
----------------------------------------------------------------------
Here's how it works: If you sign in to Hotmail or any other MSN site, you are automatically signed in to all MSN sites that use Passport. As you move from site to site, you'll instantly be recognized, and you'll have access to the best features the sites have to offer. Once other Internet sites begin using Passport, you'll also be able to sign in to those sites with just one click - without having to re-enter any information. No multiple sign-ins, no hassles!
----------------------------------------------------------------------

Ok, so it looks good, but security is a myth. It would be better for MSN members to spend 10 seconds more entering their password again than to have the computer cache logins and passwords. The main problem was that Hackers Unite found an address which opens any Hotmail mailbox using the password "eh". It was the following address:

http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=username&passwd=eh

It could be used from a mail form or just by copy-pasting the URL into your browser. You can look at the image of the "hotmail-hack" mirrors: http://default.net-security.org/4/hotmail.jpg

Microsoft's response:
----------------------------------------------------------------------
Dear Valued Customer,

You may be aware from published reports that recently MSN Hotmail experienced service issues that have generated questions about security. We can tell you that the issue has been resolved and MSN Hotmail is currently operating normally. This letter is intended to address your concerns and provide you with the latest information concerning this issue.

Microsoft was notified early Monday morning (August 30, 1999) of a potential security vulnerability that could enable unauthorized access to Hotmail servers. Microsoft immediately began to investigate the issue and in the interest of user privacy and security made the decision to temporarily take Hotmail servers offline.
In light of the inconvenience that such an action can cause users, this is not something that we take lightly but felt that, given Microsoft's commitment to protecting people's private data and information, it was an appropriate course of action. Since then, Microsoft engineers have worked quickly to pinpoint the issue and to resolve it and have restored the Hotmail servers so that users can continue enjoying the benefits of Hotmail with full privacy and security. Please note that no action on your part is necessary to take advantage of the updated Hotmail. We apologize for the inconvenience this issue may have caused. We are gratified that you have made Hotmail the world's most popular free e-mail provider, and are committed to further improving the award-winning service in the months ahead. ---------------------------------------------------------------------- In all their (Microsoft's) official statements they were saying that Microsoft Passport is secure, and the "hackers" did not enter to Hotmail trough it. Their explanation was that they were hit by unknown security breach. Rob Bennett, Microsoft's director of marketing, commented: "The situation was that there was a hacker who wrote some advanced code to basically bypass the Hotmail login process. This person did have very specific knowledge of how to write development code, and put up a website apparently that allowed people to put in a user name. That code does not work anymore and there should be no future attacks from this person". this statement is really silly. Let's look into it little bit closer. Is this - http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login =username &passwd=eh - advanced code??? Not. It is just a simple address. Are those people who found it hackers? Not. They didn't hack into anything, they just found a backdoor in Hotmail service which let them inside any account. It looks like that the main party to blame over here is Microsoft. 
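What the address above amounts to, in code, is a login check with a fixed value that is accepted for every account, and a password carried in the URL so that it is written to every access log along the way. The block below is an added example, not code from the article, from Hotmail or from Hackers Unite: a toy login handler showing that flaw beside a hardened one, and a scan over constructed access-log lines that flags requests carrying credentials in the query string. The user store, usernames and log lines are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from urllib.parse import parse_qs, urlsplit

# Constructed user store for the example: username -> (salt, PBKDF2 hash).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


def _check_credentials(username: str, password: str) -> bool:
    """Compare against the stored hash only, with a constant-time compare."""
    entry = USERS.get(username)
    if entry is None:
        # Do the same amount of work for unknown users so the response time
        # does not reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash_password(password, salt), stored)


def login_with_backdoor(username: str, password: str) -> bool:
    """The 'before' case, modelling what the article describes: one fixed
    value is accepted for every account. Kept only to contrast with the
    hardened handler below."""
    if password == "eh":  # the fixed value short-circuits the real check
        return True
    return _check_credentials(username, password)


def login_hardened(username: str, password: str) -> bool:
    """Only the stored credential decides; there is no special value."""
    return _check_credentials(username, password)


# Detection side: a password carried in a GET query string is written
# verbatim to access logs, proxy caches and browser history. Flag such
# requests so they are found in review rather than by someone else.
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_credentials_in_urls(log_lines, param_names=("passwd", "password", "pwd")):
    """Return [(request target, [credential parameter names found])]."""
    hits = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        found = [p for p in param_names if p in query]
        if found:
            hits.append((m.group("target"), found))
    return hits


# Constructed access-log sample in common log format (not real Hotmail logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Aug/1999:08:01:02 +0000] "GET /cgi-bin/start?curmbox=ACTIVE&js=no&login=username&passwd=eh HTTP/1.0" 200 5123',
    '10.0.0.6 - - [30/Aug/1999:08:01:09 +0000] "GET /cgi-bin/start?curmbox=ACTIVE&js=no HTTP/1.0" 200 4099',
    '10.0.0.7 - - [30/Aug/1999:08:02:11 +0000] "POST /cgi-bin/login HTTP/1.0" 302 0',
]

if __name__ == "__main__":
    print("backdoor accepts 'eh' for an unknown user:", login_with_backdoor("nobody", "eh"))
    print("hardened handler accepts 'eh':", login_hardened("alice", "eh"))
    print("requests carrying credentials:", find_credentials_in_urls(SAMPLE_LOG))
```

The hardened handler has no branch that does not end in a comparison against stored credential material, which is the whole fix; the log scan is the check an operator would run to find out how long such an address had been in use before the public report.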
But we could look at it from some other angles. The group Hackers Unite should have reported the bug to Microsoft, because security is the first thing that matters. They didn't report it, and chaos started. Latest reports say that some people will have problems caused by the Hotmail security breach. Unidentified attackers read e-mails of a couple of Swedish prostitutes and published details, about the business manager of a well-known Swedish media company wanting their "services", on an anonymous web site in the USA. He later said that this is nasty, and that he understands that this can lead to rumors - "I just wanted to know if they really were prostitutes and I never paid for sex with the prostitutes" - he said.

Will this Hotmail security breach push Microsoft engineers to test their programs and servers a little bit more, or will it just start chaos related to on-line privacy? The future will show. If you are a Hotmail user and you are paranoid about your privacy, you could always use Hushmail (www.hushmail.com), which offers Web-based 1,024-bit encryption technology through a Java applet.

Berislav Kucan aka BHZ
bhz@net-security.org
http://net-security.org


XIII. Meet the underground
--------------------------

Special about the Belgian hacker scene / the bust of RedAttack. Interview with CUM (Crew Madness Underground).

I had a little interview with toxic from CUM, Belgium's best h/p/v/c/a group. Check his statements about the RedAttack bust and about the Belgian hacker scene.

<--begin interview--

deepcase: ok, tell something about the Belgian scene!

toxic: There isn't much to tell about that.. we used to have a quite "close" scene in the BBS era.. but that's now gone with the Internet... You don't have many Belgian groups anymore... with the internet it's like more the individual that counts I guess..., still there are some very good Belgian guyz like m0n from cha0s, d0mz, segfau|t, n3m0, socked, deepcase, g_rax ...

deepcase: something about CUM, what you do, why, since when etc.
toxic: CUM was founded in 1996, when Hacker, Immortal Intruder, Fiber Optic and I (Toxic Ocean) met IRL for the first time... at that time Hacker was running a multi-node warez board ("Unusual Project"), Immortal and Fiber had one of the biggest h/p/a/v/c boards in Belgium ("Hacker Town")... and I was a frequent caller of both boards.. We shared some common interests like hacking, computer security - and just plain computer phun :) .. so we decided to start our own group, in the beginning just to share ideas and files, and later to test new technologies, security, gather knowledge... we really aren't a "defacing" group, as we think that's rather lame... when we hack a server, we keep the access to learn and explore.. not to deface the page and have our moment of fame... but since these days you need to deface a page to be taken "seriously", we now and then deface a page .. but then mostly stupid servers with nothing on them .. lately we also began to explore more "hardware" stuff - this is why we founded the CUM-tech-lab, our own lab with all kindsa computers to "test things out".. we also began exploring the phone system, and GSM nets... right now we're writing a "Belgian Phreak/Phonephun Guide" for all Belgian (and other) h/p/a/v/c'ers, with in it up-to-date info, technical details and useful tricks.

deepcase: what do you think about RedAttack man

toxic: He's a wannabe. A kiddie who thinks he's the best hacker on earth. With this we can live, you just ignore guys like that. But what's really scary is that a lot of people buy his shit. In an interview with a Belgian magazine, he was so full of shit, it made me sick. Example: he claimed he had hacked the largest bank of Belgium ("Generale Bank"). He said it took him AND a team 3 weeks and a hell of a lot of maths to get the job done. Reality: the password of the helpdesk was "hlpdsk". Need I say more. The only thing he got was a few internet banking usernames, no passwords. Big deal. He went to the media with this. Of course they believed he had hacked into the core of the bank's mainframe, you know the media. The whole thing is blown out of proportion. He's also claiming that there aren't other hackers in Belgium and shit like that. But just a few days ago, his own website got hacked ;)

deepcase: what's your comment on his bust

toxic: His early bust proves he's not really that good, it took us just 1 e-mail to get his name and real IP address, so... But now he wants everybody to believe he's a crusader on a mission. A mission of cleaning the internet. He wants to ban all "harmful" content from the net, stuff like "how to make a pipebomb". What happened to free speech?? Not to mention that you can also find all these things in ur local library... This explanation is crap, he's only telling this because he doesn't wanna go to jail and wants to have a "clean" image... He's a media wh0re, a kiddie who wants his 5 minutes of fame... Even worse, because of him the politicians are now making laws against "computer criminals". Before RedAttack's media explosion, there were no such laws here in Belgium...

deepcase: you knew him?

toxic: Nope, never heard of him before he was on tv...

<--end interview--

deepcase
deepcase@net-security.org


XIV. Freedom of speech - related incidents
-------------------------------------------

*******************************************************************
The most certain test by which we judge whether a country is really free is the amount of security enjoyed by minorities.
--- Lord Acton
*******************************************************************

Every day the battle between freedom and repression rages through the global ether. Here are this week's link highlights from NewsTrolls (http://www.newstrolls.com):

Thursday, August 26:

Australia's newly passed censorship laws make it the Internet's "village idiot"...

30 Chinese Protestant house church leaders arrested...
Students, artists, religious, and intellectuals have long been targets for repressive regimes but now even FARMERS in China are being tried for subversion... "Dozens of farmers will be tried for subversion in China's southwest autonomous city of Chongqing for establishing an "anti-corruption army" and calling for the reassessment of the 1989 Tiananmen democracy protests, a human rights group said Thursday."

Malaysians rally around Lim, finally free from prison... "Mr Lim, who had clearly lost weight but was in good spirits, took up the multi-racial theme in his first remarks after his release. He said he had been condemned as a Chinese chauvinist but he was just "championing the rights of the people". He said he was "a true Malaysian" who was "fighting for a just society". Mr Lim said he would continue the struggle and was "prepared to go to jail again". He stood on the roof of a car with his father, Lim Kit Siang, the DAP secretary-general, and said he was pleased to breathe fresh air again but would not feel really free until all Malaysians who were "unfairly in prison" were freed."

Weekend, August 27-29:

FCC approves wiretaps on networks...

Monday, August 30:

Press Freedom Violated In 15 Francophonie States

Press freedom advocate arrested in Kinshasa

Czech firm builds wall isolating gypsies...

Tuesday, August 31:

China has tortured to death three Tibetan monks...

250 protest outside the World Bank as the bank promises to investigate their project in Occupied Tibet

After a 98.6% voter turnout, the anti-independence faction turns violent in East Timor, and yet the UK is continuing to sell arms to Indonesia...

UN says Indonesian military took part in violence

Nigerian youths speak out against the Niger-Delta Development Commission... ""We don't need a commission. Bureaucrats would just come, hijack it and siphon all the money sunk in it to the detriment of the masses."...As a way forward to restore normalcy in the Niger Delta region, Mr. Igboku-Otu, who is also the President of Civic Rights Organisation, posited: "I will urge President Obasanjo not to listen again to our elders who visit him in Aso Rock. He should make them irrelevant and now consult directly with the youth via their umbrella organisations and within 24 hours, the Niger-Delta problem will be over. "Let me tell Obasanjo that all the arms brought to the Niger-Delta are bought by these same people who visit him in Abuja in the name of Niger-Delta. Where does the helpless youth have 3,000 dollars to buy AK 47?" he queried."

Wednesday, September 1:

10-year-old Tibetan boy spends 4 months in jail because he refused to say he was a Chinese citizen... "Luodeng Chideng was horrified when the police led away his 10-year-old son because the boy refused to repeat the phrase "I am a Chinese citizen" in school, insisting instead that he is Tibetan. The boy spent four months behind bars. He was released only when Luodeng bribed a police officer who, adding a final insult, warned the father not to let it happen again. "It was my fault he got arrested," Luodeng said later, shaking his head. "I'm the one who taught him to be proud he is Tibetan."

Liu Qing, Chinese democracy activist, on the use of the Internet in leading the protest war against China's PRC

Khamenei slams Iranian journalists who question Islam's vengeance laws... ""Any newspaper or writer wanting to renounce the fundamental principles of Islam or questioning the vengeance law is an apostate and liable to the death penalty," Khamenei told a gathering of several thousand troops in the northeastern town of Mashhad."

A "union of revolutionary writers" protesting consumerism takes responsibility for the Kremlin bomb... "``Acts like those taken today create a social engine which is still experimental, but is gradually becoming a real social factor,'' the note read, according to a spokesman at the FSB. ``A hamburger not eaten to the end by the dead consumer is a revolutionary hamburger.
Consumers: We don't like your way of life and it's unsafe for you.''"

In just one week...

diva aka Pasty Drone
CEO NewsTrolls, Inc.
http://www.newstrolls.com
pastydrone@newstrolls.com


XV. Microsoft Installs US Spy Agency with Windows
---------------------------------------------------

Research Triangle Park, NC - 31 August 1999 - Between Hotmail hacks and browser bugs, Microsoft has a dismal track record in computer security. Most of us accept these minor security flaws and go on with life. But how is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft has installed a 'back door' for the National Security Agency (NSA - the USA's spy agency), making it orders of magnitude easier for the US government to access their computers?

While investigating the security subsystems of WindowsNT4, Cryptonym's Chief Scientist Andrew Fernandes discovered exactly that - a back door for the NSA in every copy of Win95/98/NT4 and Windows2000. Building on the work of Nicko van Someren (NCipher) and Adi Shamir (the 'S' in 'RSA'), Andrew was investigating Microsoft's "CryptoAPI" architecture for security flaws. Since the CryptoAPI is the fundamental building block of cryptographic security in Windows, any flaw in it would open Windows to electronic attack.

Normally, Windows components are stripped of identifying information. If the computer is calculating "number_of_hours = 24 * number_of_days", the only thing a human can understand is that the computer is multiplying "a = 24 * b". Without the symbols "number_of_hours" and "number_of_days", we may have no idea what 'a' and 'b' stand for, or even that they calculate units of time.

In the CryptoAPI system, it was well known that Windows used special numbers called "cryptographic public keys" to verify the integrity of a CryptoAPI component before using that component's services.
In other words, programmers already knew that Windows performed the calculation "component_validity = crypto_verify(23479237498234...,crypto_component)", but no-one knew exactly what the cryptographic key "23479237498234..." meant semantically.

Then came WindowsNT4's Service Pack 5. In this service release of software from Microsoft, the company crucially forgot to remove the symbolic information identifying the security components. It turns out that there are really two keys used by Windows; the first belongs to Microsoft, and it allows them to securely load CryptoAPI services; the second belongs to the NSA. That means that the NSA can also securely load CryptoAPI services... on your machine, and without your authorization. The result is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system.

For non-American IT managers relying on WinNT to operate highly secure data centers, this find is worrying. The US government is currently making it as difficult as possible for "strong" crypto to be used outside of the US; that they have also installed a cryptographic back door in the world's most abundant operating system should send a strong message to foreign IT managers.

There is good news among the bad, however. It turns out that there is a flaw in the way the "crypto_verify" function is implemented. Because of the way the crypto verification occurs, users can easily eliminate or replace the NSA key in the operating system without modifying any of Microsoft's original components. Since the NSA key is easily replaced, it means that non-US companies are free to install "strong" crypto services into Windows, without Microsoft's or the NSA's approval. Thus the NSA has effectively removed export control of "strong" crypto from Windows.
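The two points the release makes, that a second key in the verifier's trust list lets a second party load components, and that a key which can be swapped without touching any signed component is itself a weakness, can both be shown with a few lines of code. The block below is an added example, not Cryptonym's demonstration program and not Microsoft's CryptoAPI: it uses a toy RSA over small fixed primes (constructed, insecure, chosen so the block runs without any library) for a "crypto_verify" that accepts a module if any listed key validates it, and then pins the key list with a digest compiled into the verifier. The release does not say how the key replacement works; the example assumes the key list lived somewhere editable, which is one way such a replacement becomes possible. The three parties, the module bytes and all key values are constructed.

```python
import hashlib

# Toy RSA over small fixed primes so the block runs without any library.
# Constructed for illustration only; real CryptoAPI keys are far larger.
def make_toy_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)              # (public key, private key)


def component_digest(component: bytes, n: int) -> int:
    """Hash the module and truncate so the value fits below the toy modulus."""
    return int.from_bytes(hashlib.sha256(component).digest()[:4], "big") % n


def sign(private_key, component: bytes) -> int:
    n, d = private_key
    return pow(component_digest(component, n), d, n)


def crypto_verify(trusted_keys, component: bytes, signature: int) -> bool:
    """Accept the component if ANY listed key validates the signature.
    This is the shape the release describes: with two keys in the list,
    either key holder can authorize a module for loading."""
    return any(pow(signature, e, n) == component_digest(component, n)
               for (n, e) in trusted_keys)


def trust_store_fingerprint(keys) -> str:
    """Digest of the key list, meant to be compiled into the verifier itself."""
    blob = b"".join(n.to_bytes(16, "big") + e.to_bytes(4, "big") for (n, e) in keys)
    return hashlib.sha256(blob).hexdigest()


def load_trust_store(store, pinned_fingerprint: str):
    """Refuse a key list that differs from the one the verifier was built
    with. Assumption for this example: the editable list is what allowed
    the key swap the release reports; pinning the list closes that."""
    if trust_store_fingerprint(store) != pinned_fingerprint:
        raise ValueError("trust store does not match pinned fingerprint")
    return list(store)


# Three constructed parties: the OS vendor, the second key holder the
# release describes, and an outsider who wants to swap a key in.
VENDOR_PUB, VENDOR_PRIV = make_toy_keypair(1000003, 1000033)
SECOND_PUB, SECOND_PRIV = make_toy_keypair(1000037, 1000039)
OUTSIDER_PUB, OUTSIDER_PRIV = make_toy_keypair(1000081, 1000099)


def demo() -> dict:
    module = b"constructed CryptoAPI service module"
    two_key_store = [VENDOR_PUB, SECOND_PUB]
    one_key_store = [VENDOR_PUB]
    sig_vendor = sign(VENDOR_PRIV, module)
    sig_second = sign(SECOND_PRIV, module)
    sig_outsider = sign(OUTSIDER_PRIV, module)

    # An outsider edits the on-disk key list, swapping in their own key.
    pinned = trust_store_fingerprint(two_key_store)
    edited_store = [VENDOR_PUB, OUTSIDER_PUB]
    try:
        load_trust_store(edited_store, pinned)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "two_keys_accept_vendor": crypto_verify(two_key_store, module, sig_vendor),
        "two_keys_accept_second": crypto_verify(two_key_store, module, sig_second),
        "two_keys_accept_outsider": crypto_verify(two_key_store, module, sig_outsider),
        "edited_store_accepts_outsider": crypto_verify(edited_store, module, sig_outsider),
        "pinned_store_accepts_second": crypto_verify(one_key_store, module, sig_second),
        "tamper_detected": tamper_detected,
        "tampered_module_rejected": not crypto_verify(two_key_store, module + b"x", sig_vendor),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lesson the block carries is that a verifier is only as trustworthy as the weakest key it accepts and the integrity of the list it reads those keys from: a second key widens who can sign, and an unpinned list widens who can decide what the keys are.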
A demonstration program that replaces the NSA key can be found on Cryptonym's website.

Cryptonym: Bringing you the Next Generation of Internet Security, using cryptography, risk management, and public key infrastructure.

Interview Contact: Andrew Fernandes
Telephone: +1 919 469 4714
email: andrew@cryptonym.com
Fax: +1 919 469 8708

Cryptonym Corporation
1695 Lincolnshire Boulevard
Mississauga, Ontario
Canada L5E 2T2
http://www.cryptonym.com