[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                       <=-[ HWA.hax0r.news ]-=>                         =
==========================================================================
  [=HWA'99=]                         Number 37 Volume 1 1999 Oct 10th 99
==========================================================================
                    [ 61:20:6B:69:64:20:63:6F:75: ]
              [ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
              [ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
                       "ABUSUS NON TOLLIT USUM"
==========================================================================

Today the spotlight may be on you, some interesting machines that have
accessed these archives recently...

  marshall.us-state.gov
  digger1.defence.gov.au
  firewall.mendoza.gov.ar
  ipaccess.gov.ru
  gatekeeper.itsec-debis.de
  fgoscs.itsec-debis.de
  fhu-ed4ccdf.fhu.disa.mil
  citspr.tyndall.af.mil
  kelsatx2.kelly.af.mil
  kane.sheppard.af.mil
  relay5.nima.mil
  host.198-76-34-33.gsa.gov
  ntsrvr.vsw.navy.mil
  saic2.nosc.mil
  wygate.wy.blm.gov
  mrwilson.lanl.gov
  p722ar.npt.nuwc.navy.mil

http://welcome.to/HWA.hax0r.news/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Web site sponsored by CUBESOFT networks http://www.csoft.net
check them out for great fast web hosting!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

The Hacker's Ethic

Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative.

Among true computer people, being called a hacker is a compliment. One of
the traits of the true hacker is a profoundly antibureaucratic and
democratic spirit. That spirit is best exemplified by the Hacker's Ethic.

This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution.
Its tenets are as follows:

 1 - Access to computers should be unlimited and total.
 2 - All information should be free.
 3 - Mistrust authority - promote decentralization.
 4 - Hackers should be judged by their hacking not bogus criteria such as
     degrees, age, race, or position.
 5 - You create art and beauty on a computer.
 6 - Computers can change your life for the better.

The Internet as a whole reflects this ethic.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

A Comment on FORMATTING:

I received an email recently about the formatting of this newsletter,
suggesting that it be formatted to 75 columns in the past I've endeavoured
to format all text to 80 cols except for articles and site statements and
urls which are posted verbatim, I've decided to continue with this method
unless more people complain, the zine is best viewed in 1024x768 mode with
UEDIT.... - Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

New mirror sites

  http://net-security.org/hwahaxornews
  http://www.sysbreakers.com/hwa
  http://www.attrition.org/hosted/hwa/
  http://www.ducktank.net/hwa/issues.html.
  http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
  http://hwazine.cjb.net/
  http://www.hackunlimited.com/files/secu/papers/hwa/
  http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

* Crappy free sites but they offer 20M & I need the space...

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.

http://www.csoft.net/~hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  http://www.attrition.org/hosted/hwa/
  http://www.attrition.org/~modify/texts/zines/HWA/
  http://www.ducktank.net/hwa/issues.html. ** NEW **
  http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
  http://www.csoft.net/~hwa/
  http://www.digitalgeeks.com/hwa. *DOWN*
  http://members.tripod.com/~hwa_2k
  http://welcome.to/HWA.hax0r.news/
  http://archives.projectgamma.com/zines/hwa/.
  http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use out
of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, it's a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how the
most famous/infamous hackers are the ones that get caught? there's a lot
to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=

                 Welcome to HWA.hax0r.news ... #37

=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by
and idle a while and say hi...
*******************************************************************
***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you its for  ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=

  Issue #37

=--------------------------------------------------------------------------=

  [ INDEX ]

=--------------------------------------------------------------------------=
  Key     Intros
=--------------------------------------------------------------------------=

  00.0 .. COPYRIGHTS
  00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
  00.2 .. SOURCES
  00.3 .. THIS IS WHO WE ARE
  00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?
  00.5 .. THE HWA_FAQ V1.0

  `ABUSUS NON TOLLIT USUM'? This is (in case you hadn't guessed) Latin,
  and loosely translated it means "Just because something is abused, it
  should not be taken away from those who use it properly". This is our
  new motto.

=--------------------------------------------------------------------------=
  Key     Content
=--------------------------------------------------------------------------=

  01.0 .. GREETS
  01.1 .. Last minute stuff, rumours, newsbytes
  01.2 .. Mailbag
  02.0 .. From the Editor
  03.0 .. Why Your Network is Still Vulnerable
  04.0 .. 'PhoneMasters' Finally Sentenced
  05.0 .. India Objects to Comments From Vatis
  06.0 .. Bill Cheek Diagnosed with Cancer Still Faces Charges
  07.0 .. The IBM 2020 Neural Implant Chip
  08.0 .. Banks to Share Info Secretly
  09.0 .. Melissa's Twin Appears in Outlook
  10.0 .. L0pht Heavy Industries Exposed
  11.0 .. ASX Claims Attacked by US Military
  12.0 .. Microsoft Clears Self of HotMail Breach
  13.0 .. TISC I/O Lab to Showcase Security Tech
  14.0 .. Web Anonymizing Tests Released
  15.0 .. CyberCrime Prosecutor Moves to Private Practice
  16.0 .. Home Banking Weaknesses Begin at Home
  17.0 .. Subversion of Information
  18.0 .. SAGE Offers Impenetrable Server and Kills Word "Hacktivist"
  19.0 .. 19yr old Sentenced For AOL Break In
  20.0 .. ZD Net Admits To Favoritism in Security Challenge
  21.0 .. CyberWarriors Could Have Cut Kosovo Campaign Time In Half
  22.0 .. JTF-CND Moves to Space Command
  23.0 .. Anti-CyberCrime Unit Opens in Netherlands
  24.0 .. CERT to Share Info With iDefense
  25.0 .. Online Safety and Ethics Program Funded by DoJ
  26.0 .. Shell-Lock Use Found to Be Risky
  27.0 .. Hole Found in Auto_FTP
  28.0 .. Singaporean eduMall Defaced
  29.0 .. No Evidence to Support Cell Phone Ban
  30.0 .. Global Jam Echelon Day
  31.0 .. Vatis Creates Second International Incident
  32.0 .. Who Were the Phone Masters Really?
  33.0 .. Twstdpair's [HWA] nmap scanner frontend
  34.0 .. Another GAO Report Says US Vulnerable
  35.0 .. FidNet Gets Funding
  36.0 .. Softseek.com Distributes Trojan Horse
  37.0 .. Global Jam Echelon Day Update
  38.0 .. NSA Document Retrieval Capabilities
  39.0 .. Too Few Comp Crime Experts in FBI Says Vatis
  40.0 .. The Truth About AntiOnline?
  41.0 .. Software Liability
  42.0 .. PHONELOSERS PARODY
  43.0 .. TAKING HACKER TO COURT NOT SO EASY
  44.0 .. RUSSIA RESPONDS TO HASTY SPYING CONCLUSIONS
  45.0 .. KeyRoot presents nitestick.java
  46.0 .. VIRGINIA'S INTERNET LAW CHALLENGED
  47.0 .. SECURITY WEAKNESSES PREVALENT AT TREASURY'S FMS
  48.0 .. FEDERAL SECURITY PLAN WILL SEEK CORPORATE BUY-IN
  49.0 .. CISCO FIREWALL PROMISES PRIVACY
  50.0 .. SEATTLE TIMES ON E-BAY SCAMMER
  51.0 .. FUD FROM THE EMPIRE, THE GLOVES COME OFF
  52.0 .. READ WIRE NEWS BEFORE IT'S ON IT
  53.0 .. Y2K LESSONS APPLY TO INFORMATION SECURITY
  54.0 .. AOL SPAM SCAN CONTINUES TO MAKE VICTIMS
  55.0 .. MS: IT'S NOT OUR FAULT, THE HACKERS DID IT
  56.0 .. INDUSTRY BACKING AUSSIE CENSORSHIP LAW?
  57.0 .. CYBERCROOKS BREACHING THE BORDERS OF CYBERSPACE
  58.0 .. NUKING THE HACKERS?
  59.0 .. BATTLING THE VIRUSES OF THE FUTURE
  60.0 .. Advisory:Hybrid Network's Cable Modems
  61.0 .. Faulty software:Omni-NFS/X Enterprise version 6.1
  62.0 .. A vulnerability exists in the rpmmail package distributed on the Red Hat 6.
  63.0 .. A vulnerability exists in the /usr/lib/merge/dos7utils program
  64.0 .. Sambar HTTP-Server DoS attack
  65.0 .. There is a buffer overflow vulnerability in cdda2cdr
  66.0 .. inews exploit , gives you the inews egid
  67.0 .. Shows any file from any NT Server, if it has the SHOWCODE.ASP script.
  68.0 .. The Hack kit (root kit)
  69.0 .. Placing Backdoors Through Firewalls [THC]

=-------------------------------------------------------------------------------=

  AD.S .. Post your site ads or etc here, if you can offer something in
          return thats tres cool, if not we'll consider ur ad anyways so
          send it in. ads for other zines are ok too btw just mention us
          in yours, please remember to include links and an email contact.
          Corporate ads will be considered also and if your company wishes
          to donate to or participate in the upcoming Canc0n99 event send
          in your suggestions and ads now...n.b date and time may be
          pushed back join mailing list for up to date information.
          Current dates: POSTPONED til further notice, place: TBA..

  Ha.Ha .. Humour and puzzles

           Hey You!
           =------=
           Send in humour for this section! I need a laugh and its hard
           to find good stuff... ;)

  SITE.1 .. Featured site,
  H.W    .. Hacked Websites
  A.0    .. APPENDICES
  A.1    .. PHACVW linx and references

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE
RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN
THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE
GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS
Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE
NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE
ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE
DONE THAT PLEASE EMAIL ME PRIVATELY current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE
(C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I
GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so i'll print any and all news but will quote sources when the
source is known, if its good enough for CNN its good enough for me. And
i'm doing it for free on my own time so pfffft.
:) No monies are made or sought through the distribution of this material. If you have a problem or concern email me and we'll discuss it. cruciphux@dok.org Cruciphux [C*:.] 00.1 CONTACT INFORMATION AND MAIL DROP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada / North America (hell even if you are inside ..) and wish to send printed matter like newspaper clippings a subscription to your cool foreign hacking zine or photos, small non-explosive packages or sensitive information etc etc well, now you can. (w00t) please no more inflatable sheep or plastic dog droppings, or fake vomit thanks. Send all goodies to: HWA NEWS P.O BOX 44118 370 MAIN ST. NORTH BRAMPTON, ONTARIO CANADA L6V 4H5 WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are ~~~~~~~ reading this from some interesting places, make my day and get a mention in the zine, send in a postcard, I realize that some places it is cost prohibitive but if you have the time and money be a cool dude / gal and send a poor guy a postcard preferably one that has some scenery from your place of residence for my collection, I collect stamps too so you kill two birds with one stone by being cool and mailing in a postcard, return address not necessary, just a "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx. Ideas for interesting 'stuff' to send in apart from news: - Photo copies of old system manual front pages (optionally signed by you) ;-) - Photos of yourself, your mom, sister, dog and or cat in a NON compromising position plz I don't want pr0n. - Picture postcards - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with hack/security related archives, logs, irc logs etc on em. - audio or video cassettes of yourself/others etc of interesting phone fun or social engineering examples or transcripts thereof. 
Stuff you can email: - Prank phone calls in .ram or .mp* format - Fone tones and security announcements from PBX's etc - fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities) - reserved for one smiley face -> :-) <- - PHACV lists of files that you have or phac cd's you own (we have a burner, *g*) - burns of phac cds (email first to make sure we don't already have em) - Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp* If you still can't think of anything you're probably not that interesting a person after all so don't worry about it Our current email: Submissions/zine gossip.....: hwa@press.usmc.net Private email to editor.....: cruciphux@dok.org Distribution/Website........: sas72@usa.net Websites; sAs72.......................: http://members.tripod.com/~sAs72/ Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/ @HWA 00.2 Sources *** ~~~~~~~~~~~ Sources can be some, all, or none of the following (by no means complete nor listed in any degree of importance) Unless otherwise noted, like msgs from lists or news from other sites, articles and information is compiled and or sourced by Cruciphux no copyright claimed. News & I/O zine ................. 
http://www.antionline.com/ Back Orifice/cDc..................http://www.cultdeadcow.com/ News site (HNN) .....,............http://www.hackernews.com/ Help Net Security.................http://net-security.org/ News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/ NewsTrolls .(daily news ).........http://www.newstrolls.com/ News + Exploit archive ...........http://www.rootshell.com/beta/news.html CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest News site+........................http://www.zdnet.com/ News site+Security................http://www.gammaforce.org/ News site+Security................http://www.projectgamma.com/ News site+Security................http://securityhole.8m.com/ News site+Security related site...http://www.403-security.org/ *DOWN* News/Humour site+ ................http://www.innerpulse.com News/Techie news site.............http://www.slashdot.org +Various mailing lists and some newsgroups, such as ... +other sites available on the HNN affiliates page, please see http://www.hackernews.com/affiliates.html as they seem to be popping up rather frequently ... http://www.the-project.org/ .. IRC list/admin archives http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk alt.hackers.malicious alt.hackers alt.2600 BUGTRAQ ISN security mailing list ntbugtraq <+others> NEWS Agencies, News search engines etc: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.cnn.com/SEARCH/ http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0 http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack http://www.ottawacitizen.com/business/ http://search.yahoo.com.sg/search/news_sg?p=hack http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack http://www.zdnet.com/zdtv/cybercrime/ http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column) NOTE: See appendices for details on other links. 
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that
you don't care whether the article/email is to be used in an issue or not
and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.

- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq. I've
been archiving this list on the web since late 1993. It is searchable
with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;

http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks. Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list`s charter. I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list. Please follow the below guidelines on what kind of information should be posted to the Bugtraq list: + Information on Unix related security holes/backdoors (past and present) + Exploit programs, scripts or detailed processes about the above + Patches, workarounds, fixes + Announcements, advisories or warnings + Ideas, future plans or current works dealing with Unix security + Information material regarding vendor contacts and procedures + Individual experiences in dealing with above vendors or security organizations + Incident advisories or informational reporting Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria. Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author. For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin) UPDATED Sept/99 - Sent in by Androthi, tnx for the update ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I am pleased to inform you of several changes that will be occurring on June 5th. I hope you find them as exciting as I do. BUGTRAQ moves to a new home --------------------------- First, BUGTRAQ will be moving from its current home at NETSPACE.ORG to SECURITYFOCUS.COM. 
What is Security Focus you ask? Wait and read below. Other than the change
of domains nothing of how the list is run changes. I am still the
moderator. We play by the same rules.

Security Focus will be providing mail archives for BUGTRAQ. The archives
go back longer than Netspace's and are more complete than Geek-Girl's.

The move will occur one week from today. You will not need to
resubscribe. All your information, including subscription options will be
moved transparently.

Any of you using mail filters (e.g. procmail) to sort incoming mail into
mail folders by examining the From address will have to update them to
include the new address. The new address will be:

  BUGTRAQ@SECURITYFOCUS.COM

Security Focus will also be providing a free searchable vulnerability
database.

BUGTRAQ es muy bueno
--------------------

It has also become apparent that there is a need for forums in the spirit
of BUGTRAQ where non-English speaking people or people that don't feel
comfortable speaking English can exchange information.

As such I've decided to give BUGTRAQ in other languages a try. BUGTRAQ
will continue to be the place to submit vulnerability information, but if
you feel more comfortable using some other language you can give the
other lists a try. All relevant information from the other lists which
have not already been covered here will be translated and forwarded on by
the list moderator.

In the next couple of weeks we will be introducing BUGTRAQ-JP (Japanese)
which will be moderated by Nobuo Miwa and BUGTRAQ-SP (Spanish) which will
be moderated by CORE SDI S.A. from Argentina (the folks that brought you
Secure Syslog and the SSH insertion attack).

What is Security Focus?
-----------------------

Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same time
providing a comprehensive source of security information. Aside from
moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl
herself!) have moved over to Security Focus to help us with building this
new community. The other staff at Security Focus are largely derived from
long time supporters of Bugtraq and the community in general. If you are
interested in viewing the staff pages, please see the 'About' section on
www.securityfocus.com.

On the community creating front you will find a set of forums and mailing
lists we hope you will find useful. A number of them are not scheduled to
start for several weeks but starting today the following list is
available:

* Incidents' Mailing List. BUGTRAQ has always been about the discussion
  of new vulnerabilities. As such I normally don't approve messages about
  break-ins, trojans, viruses, etc with the exception of wide spread
  cases (Melissa, ADM worm, etc). The other choice people are usually
  left with is email CERT but this fails to communicate this important
  information to others that may be potentially affected.

  The Incidents mailing list is a lightly moderated mailing list to
  facilitate the quick exchange of security incident information. Topical
  items include such things as information about rootkits, new trojan
  horses and viruses, source of attacks and tell-tale signs of
  intrusions.

  To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of:

    SUBS INCIDENTS FirstName, LastName

Shortly we'll also be introducing an Information Warfare forum along with
ten other forums over the next two months. These forums will be built and
moderated by people in the community as well as vendors who are willing
to take part in the community building process.

*Note to the vendors here* We have several security vendors who have
agreed to run forums where they can participate in the online
communities. If you would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.

On the information resource front you find a large database of the
following:

* Vulnerabilities. We are making accessible a free vulnerability
  database. You can search it by vendor, product and keyword. You will
  find detailed information on the vulnerability and how to fix it, as
  well as links to reference information such as email messages,
  advisories and web pages. You can search by vendor, product and
  keywords. The database itself is the result of culling through 5 years
  of BUGTRAQ plus countless other lists and news groups. It's a shining
  example of how thorough full disclosure has made a significant impact
  on the industry over the last half decade.

* Products. An incredible number of categorized security products from
  over two hundred different vendors.

* Services. A large and focused directory of security services offered by
  vendors.

* Books, Papers and Articles. A vast number of categorized security
  related books, papers and articles. Available to download directly for
  our servers when possible.

* Tools. A large array of free security tools. Categorized and available
  for download.

* News: A vast number of security news articles going all the way back to
  1995.

* Security Resources: A directory to other security resources on the net.

As well as many other things such as an event calendar.

For your convenience the home-page can be personalized to display only
information you may be interested in. You can filter by categories,
keywords and operating systems, as well as configure how much data to
display.

I'd like to thank the fine folks at NETSPACE for hosting the site for as
long as they have. Their services have been invaluable.

I hope you find these changes for the best and the new services useful. I
invite you to visit http://www.securityfocus.com/ and check it out for
yourself. If you have any comments or suggestions please feel free to
contact me at this address or at aleph1@securityfocus.com.

Cheers.
-- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 Crypto-Gram ~~~~~~~~~~~ CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe, visit http://www.counterpane.com/unsubform.html.  Back issues are available on http://www.counterpane.com. CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of the International Association for Cryptologic Research, EPIC, and VTW.  He is a frequent writer and lecturer on cryptography. CUD Computer Underground Digest ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This info directly from their latest ish: Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09                             ISSN  1004-042X        Editor: Jim Thomas (cudigest@sun.soci.niu.edu)        News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)        Archivist: Brendan Kehoe        Poof Reader:   Etaion Shrdlu, Jr.        Shadow-Archivists: Dan Carosone / Paul Southworth                           Ralph Sims / Jyrki Kuoppala                           Ian Dickinson        Cu Digest Homepage: http://www.soci.niu.edu/~cudigest [ISN] Security list ~~~~~~~~~~~~~~~~~~~ This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed UPDATED Sept/99 - Sent in by Androthi, tnx for the update ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --[ New ISN announcement (New!!) Sender: ISN Mailing List From: mea culpa Subject: Where has ISN been? 
Comments: To: InfoSec News
To: ISN@SECURITYFOCUS.COM

It all starts long ago, on a network far away..

Not really. Several months ago the system that hosted the ISN mail list was taken offline. Before that occurred, I was not able to retrieve the subscriber list. Because of that, the list has been down for a while. I opted to wait to get the list back rather than attempt to make everyone resubscribe.

As you can see from the headers, ISN is now generously being hosted by Security Focus [www.securityfocus.com]. They are providing the bandwidth, machine, and listserv that runs the list now.

Hopefully, this message will find all ISN subscribers, help us weed out dead addresses, and assure you the list is still here. If you have found the list to be valuable in the past, please tell friends and associates about the list. To subscribe, mail listserv@securityfocus.com with "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".

As usual, comments and suggestions are welcome. I apologize for the down time of the list. Hopefully it won't happen again. ;)

mea_culpa
www.attrition.org

--[ Old ISN welcome message

[Last updated on: Mon Nov 04 0:11:23 1998]

InfoSec News is a privately run, medium traffic list that caters to distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more.

The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest.

This list will contain:

o Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more.

o Information on where to obtain articles in current magazines.

o Security Book reviews and information.

o Security conference/seminar information.

o New security product information.

o And anything else that comes to mind..

Feedback is encouraged.
The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list.

Please do NOT:

* subscribe vanity mail forwards to this list

* subscribe from 'free' mail addresses (ie: juno, hotmail)

* enable vacation messages while subscribed to mail lists

* subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as fifty returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s).

Special thanks to the following for continued contribution: William Knowles, Aleph One, Will Spencer, Jay Dyson, Nicholas Brawn, Felix von Leitner, Phreak Moi and other contributors.

ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/

ISN is Moderated by 'mea_culpa'. ISN is a private list. Moderation of topics, member subscription, and everything else about the list is solely at his discretion.

The ISN membership list is NOT available for sale or disclosure.

ISN is a non-profit list. Sponsors are only donating to cover bandwidth and server costs.

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sla5h.............................: Croatia
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Wyze1.............................: South Africa

Please send in your sites for inclusion here if you haven't already also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events it's a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for?
never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pidgeon holed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, i'd highly recommend you get that book. Its almost like buying a clue. Anyway..on with the show .. - Editorial staff @HWA 00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers: Some of the stuff related to personal useage and use in this zine are listed below: Some are very useful, others attempt to deny the any possible attempts at eschewing obfuscation by obsucuring their actual definitions. @HWA - see EoA ;-) != - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written an =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..) AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21) AOL - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one?? 
*CC - 1 - Credit Card (as in phraud) 2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's CCC - Chaos Computer Club (Germany) *CON - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk. *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer 2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed Ebonics - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer EoC - End of Commentary EoA - End of Article or more commonly @HWA EoF - End of file EoD - End of diatribe (AOL'ers: look it up) FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;) du0d - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used. *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or can you hax0r some bread on the way to the table please?' 2 - A tool for cutting sheet metal. 
HHN - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;& HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d MFI/MOI- Missing on/from IRC NFC - Depends on context: No Further Comment or No Fucking Comment NFR - Network Flight Recorder (Do a websearch) see 0wn3d NFW - No fuckin'way *0WN3D - You are cracked and owned by an elite entity see pheer *OFCS - Oh for christ's sakes PHACV - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare Alternates: H - hacking, hacktivist C - Cracking C - Cracking V - Virus W - Warfare A - Anarchy (explosives etc, Jolly Roger's Cookbook etc) P - Phreaking, "telephone hacking" PHone fREAKs ... CT - Cyber Terrorism *PHEER - This is what you do when an ereet or elite person is in your presence see 0wn3d *RTFM - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass. TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0 TBA - To Be Arranged/To Be Announced also 2ba TFS - Tough fucking shit. *w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions from the underground masses. also "w00ten" 2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers) *wtf - what the fuck, where the fuck, when the fuck etc .. *ZEN - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked. @HWA -=- :. .: -=- 01.0 Greets!?!?! yeah greets! w0w huh. 
- Ed ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Thanks to all in the community for their support and interest but i'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee i'll take any notice mind you, but send in your thoughts anyway. * all the people who sent in cool emails and support FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix Vortexia Wyze1 Pneuma Raven Zym0t1c Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick kewl sites: + http://blacksun.box.sk. NEW + http://packetstorm.securify.com/ NEW + http://www.securityportal.com/ NEW + http://www.securityfocus.com/ NEW + http://www.hackcanada.com/ + http://www.l0pht.com/ + http://www.2600.com/ + http://www.freekevin.com/ + http://www.genocide2600.com/ + http://www.hackernews.com/ (Went online same time we started issue 1!) + http://www.net-security.org/ + http://www.slashdot.org/ + http://www.freshmeat.net/ + http://www.403-security.org/ + http://ech0.cjb.net/ @HWA 01.1 Last minute stuff, rumours and newsbytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "What is popular isn't always right, and what is right isn't always popular..." - FProphet '99 +++ When was the last time you backed up your important data? Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries.... - Ed @HWA 01.2 MAILBAG - email and posts from the message board worthy of a read ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (No mail worthy of posting here this issue,) Yeah we have a message board, feel free to use it, remember there are no stupid questions... well there are but if you ask something really dumb we'll just laugh at ya, lets give the message board a bit more use eh? i'll be using a real message board when the hwa-iwa.org domain comes back online (soon) meanwhile the beseen board is still up... 
==============================================================================

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf ("Read commented source!\n\n");

    /*
     * Well, there it is. the 13th is our first birthday so expect something
     * (as yet undetermined) special for our birthday edition, we'll be one
     * year old, also celebrating birthdays this month are HNN and help
     * net-security.org, a big happy birthday to our friends at both places
     * net-security.org's birthday is on the 27th and HNN is on the 7th...
     * it's been a hell of a year and hopefully things will just get better
     * with the coming year, what with our server near completion it will be
     * online soon and will carry a huge phac archive as well as our ezine..
     *
     * HWA also welcomes its newest member twstdpair, to the fold, he's a
     * member of the main group and has contributed a shell script for this
     * issue, Everyone say hi... *g*
     *
     * Cruciphux
     */

    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

03.0 Why Your Network is Still Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Brian Martin

Your high priced security consultants advised you to or you just read a new book by some whiz-bang security hot shot and they recommended that you run SATAN against your network. You did and now you're wondering why your web site was just defaced. New in the Buffer Overflow section is a new article that will hopefully tell you:

Why Your Network is Still Vulnerable
http://www.hackernews.com/orig/buffero.html

Why Your Network is Still Vulnerable

By: Brian Martin
October 4, 1999

You trust the security experts. Their books and articles about security are often the bibles of System Administrators.
Their one paragraph biographies tell you of their ten to twenty years doing network security. They take on impressive titles of neat sounding companies they secure. Why is it these experts often give you the absolute worst advice that could cross your ears?

Time and time again, security 'experts' casually recommend that you use or deploy a package like the SATAN security scanner to test your network for vulnerabilities. While few references to SATAN will claim it is the end all solution to computer security, the mere fact people ever recommended the tool is absurd. More disturbing is that over four years after it is released, some continue to reference it in a serious manner.

Before I continue, I'd like to qualify and assure you this is not a rant against SATAN's (or any other tool's) authors. The attention and hype that propelled SATAN into the media spotlight is no fault of theirs. Rather, other security 'experts' and/or media outlets cried wolf before it was released and helped create the "demise of the internet" as it was once called. This article will focus on SATAN as an example, simply because of the label it received from so many. Please keep in mind that SATAN is a forefather to most of the commercial scanners you are familiar with.

So time progresses and people realize the futility of recommending a utility never designed for intensive and thorough auditing, right? Of course not.

Politically Correct

Instead of researching options more suitable for these books and articles, many security professionals dutifully recommend SATAN, COPS, Tiger and other out of date utilities. The question is why? Regardless of the answer, it isn't a good enough reason. Security experts have an ethical obligation to recommend viable and solid solutions to their readers and customers. Each and every time they don't, they further validate weak utilities as a method for securing your network.
Days after auditing your network with these tools, their network falls victim to an intruder and they can't figure out why.

SATAN was last released as version 1.1.1 on March 20, 1995. Obviously, network security concerns move at the speed of light. Any security audit tool not updated hours ago is already behind the times. So how can so many security professionals continue to recommend such an old and outdated tool? The only answer that comes to mind is the concept of being Politically Correct. The media told the masses this was a serious tool and should be regarded as a legitimate network auditing tool. Who would want to go against the grain and say otherwise? No one apparently.

Media and mainstream press put SATAN on a pedestal of unseen heights. As a result, several security professionals are still looking up and not seeing the scanner for what it is. Every day that passed with no qualified individuals speaking up, the more it lent to what the media had already said. Four years later, this is the first article to my knowledge that is doing that.

Who's on the Bandwagon?

If you haven't read many security articles, you may not have run across a reference to SATAN. In case you haven't, let's look at a few of the many media outlets, security professionals and others who tell you to use it.

It started in 1995 with a wave of articles and press frenzy surrounding the tool's release. To this day, articles still seem to latch onto the idea SATAN is a viable tool for network security. In 1995, an Oakland Tribune article said:

"It's like randomly mailing automatic rifles to 5,000 addresses. I hope some crazy teen doesn't get a hold of one."

More recently SATAN has popped back up in more articles. James Glave quoted a Microsoft spokesperson on the use of SATAN in his article "Back Orifice a pain in the..?" (27). In April, Kevin Reichard wrote about the tool in his article "Network Security" (28).
Many popular and respected magazines have run articles suggesting the use of SATAN. Among them are Linux Journal (1), Info Security News (2), Security Advisor (3) and Information Security (An ICSA Publication) (4). Most disturbing is that most of the publicly available security magazines each push SATAN onto their readers at one point or another. These are the so-called experts, the people that should know the program does little for today's networks. Yet as late as September 1998, three years since SATAN's last release, they are still doing it.

Visit your local bookstore and you will be lucky to find more than five or ten security books. Over the past five years over one hundred books focusing on security have crossed these shelves. Interestingly enough, a healthy percentage each make the misplaced recommendation of SATAN as a valuable auditing tool. Worse, the idea of using such outdated and inferior tools has crossed beyond the realm of security books. A few of these books you may have seen are Practical Unix & Internet Security (5), UNIX System Administrator's Companion (6), Halting the Hacker (7), and Internet Besieged (8).

Recently, O'Reilly released an entire book devoted to using SATAN to protect your networks. (9) To a degree, this release gave the ultimate validation to the tool's ability to protect your network. Are these books unworthy of attention? No. I would hazard they are being politically correct.

To keep on the bandwagon of overhype and undue attention, several security advisories have been released to prepare the net for this tool. One issue remains unresolved though. Why have few advisories followed the various SATAN advisories warning users of other utilities that are far more dangerous to their organization? In 1995 we were flooded with advisories from every response team or security group out there.
CERT CA-95:06 (10), CIAC F-19 (11), CIAC F-20 (12), CIAC F-21 (13), CIAC F-23 (14), CIAC F-24 (15), SMS 00130A (16), NASIRC (17), Assist 95-11 (18), Assist 95-19 (19), and Auscert AA-95.03 (20) are just a few of the security advisories warning us of the impact of SATAN.

With all of the news articles, books, security advisories and other miscellaneous hype, how could anyone go against the grain and jump off the bandwagon?

Satan is as Satan Does

Giving these various doomsday media outlets the benefit of the doubt, we could at least expect them to talk to knowledgeable professionals. That leads to two more questions. First, why didn't they do just that? Second, why are some security professionals writing articles recommending it? Some might argue that since it has a point and click graphical user interface, it is easy for the novice admin. I certainly don't buy that. Considering it takes a unix host, perl, x-windows and other resources that are not the easiest to setup, expecting novice admins to use it is not logical.

Martin Freiss (author of 'Protecting Networks with SATAN') writes in his introduction about the extent of SATAN protecting your network:

"Naturally, SATAN cannot detect every security vulnerability. In particular, there are security problems in the transfer protocols of the Internet and intranets.. True security can be achieved only if all dangers are known, including those that SATAN cannot detect.."

Based on these words, I think it fair to say that those people familiar with the tool realize its limits. Most security professionals when asked if there is an end all be all solution to network security, will answer no such beast exists. On the other hand, they will also tell you that no one tool will be the 'demise of the internet' like some claimed.

Falling Short

Technically speaking, why shouldn't these organizations and people be recommending SATAN? Let's examine what the program does in the way of vulnerability checking on a remote host.
The following list is taken from the documentation.

    NFS file systems exported to arbitrary hosts
    NFS file systems exported to unprivileged programs
    NFS file systems exported via the portmapper
    NIS password file access from arbitrary hosts
    Old (i.e. before 8.6.10) sendmail versions
    REXD access from arbitrary hosts
    X server access control disabled
    arbitrary files accessible via TFTP
    remote shell access from arbitrary hosts
    writable anonymous FTP home directory

First thing we notice is that it scans for ten whole vulnerabilities. Thinking back to the start of this year alone, you should be aware that over one hundred vulnerabilities have been brought to light on the Internet. So the sheer percentage of vulnerabilities doesn't quite cut it. Commercial competitors of SATAN like ISS and Cybercop pride themselves and attempt to gain market share based on the high number of vulnerabilities they scan for (over 500).

Since numbers are often misleading, let's look at some real world examples of why SATAN is not a good recommendation. If you are tasked to deal with network security and you run any flavor of unix, you are probably aware of the hundred or so vendor based security advisories for your platform of choice. Some of the more recently exploited vulnerabilities:

    ToolTalk (rpc.ttdb): Detailed in NAI Advisory #29 (23)
    Statd (rpc.statd): Detailed in SMS Advisory #186 (24)
    Calendar Manager (rpc.cmsd): Detailed in SMS Advisory #188 (25)
    Cold Fusion (WinNT): Several problems covered in many advisories (26)
    wu-ftpd, named (DNS), pop (mail), imap (mail), nisd, autofsd, and more.

Comparing the list of vulnerabilities being widely exploited on the Internet today with the list of vulnerabilities SATAN checks for, we can see it does one thing quite well. It falls short. For you NT administrators, seek help elsewhere.

Insult to Injury

Yes, it gets worse.
Not only does the program fall short in assisting with network security analysis, it poses a serious threat to your network security in ways that didn't previously exist.

As outlined in CERT CA-95:07 (21), there is a "Password Disclosure" issue with SATAN 1.0, fixed in version 1.1. CIAC F-22 (22) covers another vulnerability that allows unauthorized users to execute commands and gain root access through SATAN. Marc Heuse later posted to Bugtraq regarding SATAN and other widely used security tools having /tmp race conditions allowing unauthorized users to create or overwrite any file on the system. This last vulnerability was found in SATAN 1.1.1, the last version released. No further revisions have been forthcoming so the issue has not been fixed.

So What's the Solution?

So if tools like SATAN are antiquated, what is a viable freeware solution? Like most tools, there are always alternatives. In the past few years, a more current tool based on SATAN's foundation has arisen, called SAINT (30). As of August 19, 1999, SAINT version 1.4 was released adding more features and security checks that address current security concerns. Among these are checks for well known NT security holes, Operating System fingerprinting, as well as several new Unix vulnerabilities. The continued development and community effort to support this product has turned it into a much better foundation for testing network security than many other tools like it. Due to its active development and continued support for detecting new vulnerabilities, this seems like a great alternative to recommending outdated tools.

When possible, don't rely on canned tools at all. They will never come close to the ability and instinct of a qualified security consultant.

Conclusion

A few dozen cliches come to mind as a way to wrap up this article. I think I have sufficiently shown that everyone from the media to security experts continue to quote SATAN as a way to defend your network.
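[Added example, not part of Brian Martin's article and not code from SATAN or from the Bugtraq post: the class of /tmp race condition mentioned under "Insult to Injury" above, with the unsafe open of a predictable scratch name beside the O_EXCL and mkstemp() forms that refuse a pre-planted symlink. All function names, file names and the scratch directory are constructed for the demonstration.]

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700 /* expose mkdtemp(), mkstemp(), symlink() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write data to fd and close it. Returns 0 on success, -1 on error. */
static int write_and_close(int fd, const char *data)
{
    size_t len = strlen(data);
    if (fd < 0)
        return -1;
    int ok = write(fd, data, len) == (ssize_t)len;
    close(fd);
    return ok ? 0 : -1;
}

/* Returns 1 if the (small) file at path holds exactly `want`. */
static int holds(const char *path, const char *want)
{
    char buf[64];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    buf[n > 0 ? n : 0] = '\0';
    return n >= 0 && strcmp(buf, want) == 0;
}

/* BEFORE: predictable name, no O_EXCL. If another local user has planted a
 * symlink at `path`, open() follows it and truncates the link's target. */
int write_scratch_unsafe(const char *path, const char *data)
{
    return write_and_close(open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600), data);
}

/* AFTER: O_CREAT|O_EXCL creates atomically and fails (EEXIST) when anything,
 * a symlink included, already occupies the name. */
int write_scratch_safe(const char *path, const char *data)
{
    return write_and_close(open(path, O_WRONLY | O_CREAT | O_EXCL, 0600), data);
}

/* PREFERRED: mkstemp() picks an unpredictable name and creates it exclusively
 * with mode 0600. `tmpl` must end in "XXXXXX"; it is rewritten with the name. */
int write_scratch_mkstemp(char *tmpl, const char *data)
{
    return write_and_close(mkstemp(tmpl), data);
}

/* Constructed scenario inside a private mkdtemp() directory: `victim` stands
 * in for a file worth protecting, `scan.tmp` for a tool's predictable scratch
 * name that already exists as a symlink to the victim.
 * Returns -1 on setup failure, otherwise a bitmask:
 *   1 = unsafe writer overwrote the victim through the symlink
 *   2 = O_EXCL writer refused and the victim is intact
 *   4 = mkstemp writer used a fresh file and the victim is intact */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/tmprace-XXXXXX";
    char victim[64], scratch[64], tmpl[64];
    int mask = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(scratch, sizeof scratch, "%s/scan.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/scan.XXXXXX", dir);
    if (write_scratch_safe(victim, "important") != 0 || symlink(victim, scratch) != 0)
        return -1;

    if (write_scratch_unsafe(scratch, "scan output") == 0 && holds(victim, "scan output"))
        mask |= 1;

    unlink(victim); /* restore the victim for the next two cases */
    if (write_scratch_safe(victim, "important") != 0)
        return -1;

    if (write_scratch_safe(scratch, "scan output") == -1 && holds(victim, "important"))
        mask |= 2;
    if (write_scratch_mkstemp(tmpl, "scan output") == 0 && holds(tmpl, "scan output") &&
        holds(victim, "important"))
        mask |= 4;

    unlink(tmpl);
    unlink(scratch);
    unlink(victim);
    rmdir(dir);
    return mask;
}

int main(void)
{
    printf("mask = %d (7 means all three cases behaved as described)\n", demo_symlink_race());
    return 0;
}
```

On current Linux kernels the fs.protected_symlinks setting blocks this kind of follow in sticky world-writable directories such as /tmp, which is why the demonstration plants its own symlink in a private directory; the O_EXCL and mkstemp() forms do not depend on that setting.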
Because the tool has not been updated in several years, it is far behind the times in addressing network security issues. On top of it not being adequate by any stretch of the imagination, it poses further risk to your machines. Despite all this, the recommendation to use inferior technology still comes pouring in. Brian Martin (bmartin@attrition.org) Copyright 1999 @HWA 04.0 'PhoneMasters' Finally Sentenced ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com contributed by Arik and iwchick A group few people have heard of, dubbed the 'Phone Masters' by the FBI, had three of its members raided four years ago. Using new technology developed by the FBI specifically for this case, 'the magic box' allowed investigators to gather evidence on what has been called one of the greatest cyber-intrusions of all time. The group allegedly had their run of telephone and other networks across the country. The three people apprehended have plead guilty to federal charges of one count of theft and possession of unauthorized calling-card numbers and one count of unauthorized access to computer systems. MSNBC http://www.msnbc.com/news/317947.asp ZD Net http://www.zdnet.com/filters/printerfriendly/0,6061,2345639-2,00.html MSNBC busted a hacker ring FBI investigator Michael Morris stung the ‘Phonemasters’ in their own game By John Simons THE WALL STREET JOURNAL DALLAS, Oct. 1 — In a federal courtroom here, Calvin Cantrell stands silently, broad shoulders slouched. His lawyer reads from a short letter he has written: “My parents taught me good ethics, but I have departed from some of these, lost my way sometimes,” the letter states. “I was 25 and living at home. No job, and no future... . All I ever really wanted was to work with computers. MR. CANTRELL CERTAINLY DID WORK with computers — both his own, and, surreptitiously, those of some of the largest companies in the world. 
He was part of a ring of hackers that pleaded guilty here to the most extensive illegal breach of the nation’s telecommunications infrastructure in high-tech history. And sitting behind him in court as he was sentenced two weeks ago was the accountant-turned-detective who caught him: Michael Morris. A decade earlier, Mr. Morris, bored with accounting work, left a $96,000 job at Price Waterhouse and enrolled in the FBI academy, at $24,500 a year. Mr. Cantrell’s sentencing was the final act in a five-year drama for Mr. Morris, and secured his reputation as the FBI’s leading computer gumshoe. The tale of Mr. Morris and Mr. Cantrell is among the first cops-and-robber stories of the New Economy, involving, among other things, the first-ever use of an FBI “data tap.” It illustrates how the nation’s law-enforcement agencies are scrambling to reinvent their profession in a frantic effort to keep pace with brilliant and restless young hackers. The story also shows that hacking’s potential harm is far more ominous than theft of telephone credit-card numbers. Mr. Cantrell was part of an eleven-member group dubbed “The Phonemasters” by the FBI. They were all technically adept twenty-somethings expert at manipulating computers that route telephone calls. The hackers had gained access to telephone networks of companies including AT&T Corp., British Telecommunications Inc., GTE Corp., MCI WorldCom (then MCI Communications Corp.), Southwestern Bell, and Sprint Corp. They broke into credit-reporting databases belonging to Equifax Inc. and TRW Inc. They entered Nexis/Lexis databases and systems of Dun & Bradstreet, court records show. The breadth of their monkey-wrenching was staggering; at various times, they could eavesdrop on phone calls, compromise secure databases, and redirect communications at will. 
They had access to portions of the national power grid, air-traffic-control systems and had hacked their way into a digital cache of unpublished telephone numbers at the White House. The FBI alleges, in evidence filed in U.S. District Court for the Northern District of Texas, that the Phonemasters had even conspired to break into the FBI’s own National Crime Information Center. Unlike less-polished hackers, they often worked in stealth, and avoided bragging about their exploits. Their ultimate goal was not just fun, but profit. Some of the young men, says the FBI, were in the business of selling the credit reports, criminal records, and other data they pilfered from databases. Their customers included private investigators, so-called information brokers and — by way of middlemen — the Sicilian Mafia. According to FBI estimates, the gang accounted for about $1.85 million in business losses. “They could have — temporarily at least — crippled the national phone network. What scares me the most is that these guys, if they had had a handler, whether criminal or state-sponsored, could have done a lot of damage,” says Mr. Morris. “They must have felt like cyber-gods.” With the exception of Mr. Cantrell, none of the defendants in the Phonemasters case would comment on the matter. Others are thought to remain at large. This is the story of Mr. Cantrell and two accomplices, largely put together from federal district court records and FBI interviews. Mr. Morris first learned of the group in August 1994, when he got a phone call from a Dallas private investigator, saying Mr. Cantrell had offered to sell him personal data on anyone he wished. He even offered a price list: personal credit reports were $75; state motor-vehicle records, $25; records from the FBI’s Crime Information Center, $100. On the menu for $500: the address or phone number of any “celebrity/important person.” Mr. Morris immediately opened an investigation. 
Only 33 years old at the time, he had taken an annual pay cut to join the FBI just five years earlier. He had been a tax consultant at Price Waterhouse, and despised the work. “I was young and making the big bucks, but every morning I would think ‘God, I don’t want to go to work.’ ” Tall, square-jawed and mustachioed, Mr. Morris began working white-collar crimes when he arrived at the Dallas FBI field office. He took on a few hacker cases and realized he liked the challenge. “These guys are not the kind who’ll rob the convenience store then stare right into the security camera,” he says. “Trying to be the Sherlock Holmes of the Internet is hard when the fingerprints on the window can be so easily erased.” Mr. Morris convinced the private investigator to meet with Mr. Cantrell while wearing an audio taping device. After reviewing the tapes, he was certain that he was onto something big. He applied for and received court authority to place a digital number recorder on Mr. Cantrell’s phone lines, which would log numbers of all outgoing calls. It showed that Mr. Cantrell frequently dialed corporate telephone numbers for AT&T, GTE, MCI, Southwestern Bell and Sprint. Mr. Cantrell had also placed calls to two unlisted numbers at the White House, which further piqued Mr. Morris’s interest. So, late that summer, Mr. Morris took an unprecedented step. He began writing a 40-page letter to the FBI’s Washington headquarters, the Department of Justice and the federal district court in Dallas. Recording Mr. Cantrell — now his central suspect — while on the phone wasn’t sufficient for the job that faced him, he believed. Instead, he needed new federal powers. He asked for Washington’s permission to intercept the impulses that traveled along Mr. Cantrell’s phone line as he was using his computer and modem. “It’s one of the hardest techniques to get approved, partly because it’s so intrusive,” says Mr. Morris, who spent the next month or so consulting with federal authorities. 
“The public citizen in me appreciates that,” he says. Still, the long wait was frustrating. “It took a lot of educating federal attorneys,” he says. Once authorities said yes, Mr. Morris faced another obstacle: The equipment he needed didn’t exist within the FBI. Federal investigators had experimented with a so-called data-intercept device only once before in a New York hacker case a year earlier. It had failed miserably. Mr. Morris and technicians at the FBI’s engineering lab in Quantico, Va., worked together to draft the specifications for the device Mr. Morris wanted. It would need to do the reverse of what a computer’s modem does. A modem takes digital data from a computer and translates it to analog signals that can be sent via phone lines. Mr. Morris’s device would intercept the analog signals on Mr. Cantrell’s phone line and convert those impulses back to digital signals so the FBI’s computers could capture and record each of a suspect’s keystrokes. While waiting for the FBI to fit him with the proper gear, Mr. Morris contacted several of the telephone companies to alert them that they had been victimized. The reception he got wasn’t always warm. “It’s kind of sad. Some of the companies, when you told them they’d had an intrusion, would actually argue with you,” he said. GTE was an exception. Mr. Morris discovered that Bill Oswald, a GTE corporate investigator, had opened his own Phonemasters probe. Mr. Oswald and Mr. Morris began working together and uncovered another of Mr. Cantrell’s schemes: He and some friends had managed to get their hands on some telephone numbers for FBI field offices. They entered the telephone system and forwarded some of those FBI telephones to phone-sex chat lines in Germany, Moldavia and Hong Kong. As a result of the prank, the FBI was billed for about $200,000 in illegal calls. Mr. Morris also learned that on Oct. 11, 1994, Mr. 
Cantrell hacked GTE’s computer telephone “switch” in Monticeto, Calif., created a fake telephone number and forwarded calls for that number to a sex-chat line in Germany. The FBI isn’t sure how Mr. Cantrell convinced people to call the number, but court records show that Mr. Cantrell received a payment of $2,200 from someone in Germany in exchange for generating call traffic to the phone-sex service. In early December 1994, Mr. Morris’s “analog data intercept device” finally arrived from the FBI’s engineering department. It was a $70,000 prototype which Mr. Morris calls “the magic box.” On Dec. 20, Mr. Morris and other agents opened up their surveillance in an unheated warehouse with a leaky roof. The location was ideal because it sat between Mr. Cantrell’s home and the nearest telephone central office. Mr. Morris and nine other agents took turns overseeing the wiretap and data intercepts. The agents often had to pull a tarp over their workspace to keep rain from damaging the costly equipment. As middle-class families go, the Cantrells seem exemplary. Calvin’s father, Roy, was a retired detective who had once been voted “Policeman of the Year” in Grand Prairie, the suburb west of Dallas where they live. His mother, Carol, taught Latin and English at Grand Prairie High School, where Calvin graduated in 1987 with above-average grades. As a student, he was no recluse. He had a small circle of friends who shared his love of martial arts, video games, and spy movies. Mr. Cantrell’s longtime friend, Brandon McWhorter, says Calvin was always a fun-loving guy, but there was one thing about which he was very serious. “He would always talk to me about religion,” says Mr. McWhorter. “He held very strong religious beliefs.” After high school, Mr.
Cantrell continued to live at home while taking classes at the University of Texas at Arlington and a local community college. He held a series of odd jobs and hired himself out as a deejay for weddings and corporate parties. Mr. Cantrell balanced school, work, family and friends even as he began hacking more often. His parents became suspicious, but said nothing. The family had three phones; Calvin stayed on his 15 hours a day. “They’d go in my room and see all the notes and the phone numbers. Even though they couldn’t put it together technically, they knew something was up,” says Mr. Cantrell. “They were kind of in denial... . My parents were pretty soft.” Mrs. Cantrell says Calvin had been so well behaved that she never suspected his computer activities were more than fun and games. “I wish I had known what was going on. Unfortunately, my son was smarter than I was.” (Calvin’s father passed away last year.) At 8:45 on the night of Dec. 21, just four days before Christmas, Mr. Cantrell went online. Using an ill-gotten password, he entered a Sprint Corp. computer, where he raided a database, copying more than 850 calling-card access codes and other files, court records in the case show. The Phonemasters often got passwords and other key information on companies in a low-tech approach called “Dumpster diving,” raiding the trash bins of area phone firms for old technical manuals, phone directories and other company papers. This often allowed Mr. Cantrell to run one of his favorite ruses — passing himself off as a company insider. “I’d call up and say, ‘Hi, I’m Bill Edwards with systems administration.’ ... I’d chat with them for a while, then I’d say ‘We’re doing some network checkups today. Can you log off of your computer, then tell me every character you’re typing as you log back on?’ A lot of people fell for that,” Mr. Cantrell says. After hacking into the Sprint database that evening, Mr. Cantrell talked to another hacker, Corey Lindsley, over the phone.
He’d “met” Mr. Lindsley, and another hacker, John Bosanac, in 1993 while surfing the murky world of hacker bulletin boards. Mr. Cantrell then sent the copied files to Mr. Lindsley, who was a student at the University of Pennsylvania in Philadelphia. Mr. Morris’s equipment captured everything — voice and data. It was an FBI first. “We’re sitting in this place that looked like a bomb pit, but the atmosphere was really exciting,” says Mr. Morris. “We were ecstatic.” As the days passed, the FBI wiretap generated stacks upon stacks of audiotapes and data transcripts. Some was just idle talk among friends, the occasional call to finalize dinner plans, lots of workaday chatter. But the incriminating evidence mounted. “It’s great, you know. I really love fraud,” joked Mr. Bosanac, a Californian who was musing with Mr. Cantrell about the various technical methods of using other people’s cellular telephone accounts to place free calls. “Fraud is a beautiful thing.” Family conversations even entered the investigation. On Jan. 7, for instance, Mr. Cantrell called his mother from a friend’s house and asked her to find an MCI Corp. manual on his shelf. He then asked her to read him a set of directions for accessing MCI’s V-NET computer system. Mrs. Cantrell read the material but asked her son whether he was supposed to have the book, citing warnings that stated its contents were restricted to MCI employees. Mr. Cantrell just avoided his mother’s question. The FBI data-tap captured every word. Still, the process took its toll on the FBI team, especially coming during the holidays. “It was stressful that the wiretap was going 24 hours a day, seven days a week. I had to write up the legal documents and it’s tough making people work through Christmas,” Mr. Morris said. On top of that, he had to keep records of his findings, and every ten days he had to reapply to the court to prove that his wiretap was yielding evidence. By late January, the FBI had begun to get a clear profile of Mr.
Cantrell and his hacker friends. Mr. Lindsley, it appeared, was the group’s acerbic leader, directing much of the hacking activity. Over phone lines, the FBI heard him bragging about how he had given a Pennsylvania police department “the pager treatment” in retaliation for a speeding ticket he received. Mr. Lindsley had caused the police department’s telephone number to appear on thousands of pagers across the country. The resulting flood of incoming calls, Mr. Lindsley bragged, would surely crash the department’s phone system. They also enjoyed collecting information about film stars, musicians and other famous people. Mr. Cantrell has admitted that he broke into President Clinton’s mother’s telephone billing records in Arkansas to obtain a list of unpublished White House numbers. The men, says the FBI, even made harassing phone calls to rock star Courtney Love and former child actor Danny Bonaduce using pilfered numbers. They weren’t without fear of getting caught. On the evening of Jan. 17, for instance, there was a clicking on the phone line as Messrs. Bosanac, Cantrell, and Lindsley shared a three-way conference call. “What the hell happened?” asked Mr. Bosanac, according to an FBI transcript of the conversation. “That was the FBI tapping in,” laughed Mr. Cantrell. “Do you know how ironic that’s gonna be when they play those tapes in court?” Mr. Lindsley said. “When they play that tape in court and they got you saying it was the FBI tapping in?” On Jan. 18, the FBI overheard Messrs. Cantrell, Bosanac and Lindsley on another conference call. With the other two men giving directions, Mr. Cantrell dialed his computer into Southwestern Bell’s network and copied a database of unlisted phone numbers. The three men then discussed plans to write a computer program that could automatically download access codes and calling-card numbers from various telephone systems. They also talked about the chance that the FBI would one day track them down. 
“Just remember, nobody f— rats anybody out,” said Mr. Lindsley to the others. “No deals.” “Yeah, no deals is right,” replied Mr. Bosanac. “No deals. I’m serious. I don’t care what your f— lawyers tell you,” said Mr. Lindsley. Mr. Cantrell said nothing. Later that morning, between 5:09 a.m. and 7:36 a.m., Mr. Cantrell entered Sprint’s computer system and downloaded about 850 Sprint calling-card codes. He then transferred those codes to a man in Canada. The codes would allow anyone who purchased them to place free international phone calls. Mr. Morris would later learn that a contact in Canada paid Mr. Cantrell $2 apiece for each code, court records show. The Phonemasters most likely did not know — or care — where the codes ended up, but the FBI traced them and found some ended up in the hands of a Sicilian Mafia operative in Switzerland. On Jan. 23, while probing a U S West telephone database, Mr. Cantrell, Mr. Bosanac, Mr. Lindsley and others stumbled over a list of telephone lines that were being monitored by law enforcement. On a lark, they decided to call one of the people — a suspected drug dealer, says Mr. Morris — and let him know his pager was being traced by the police. On Jan. 27, the group was clearly feeling paranoia about being caught, prompting Mr. Lindsley to tell his accomplices to pull as many Sprint codes as quickly as they could. Mr. Cantrell began to have reservations. “What if I stopped before all of y’all?” Mr. Cantrell asked Mr. Lindsley. “Would you applaud my efforts?” “No,” said Mr. Lindsley. “I don’t think there’s any reason to stop. What are you worried about?” “Uh, I’m not worried about anything. I’m just saying, uhm. There might ... There might come a time here where I don’t have time for this.” He added a little later: “I, you know, really like it. But, I don’t know, I just ... Eventually, I don’t see myself doing a lot of illegal things.” Mr. Lindsley continued to prod Mr. 
Cantrell to speed up the download of stolen codes by spending more time online and using two phones. “I’m telling you, you run two lines around the clock,” Mr. Lindsley said. “You can’t run them around the clock,” said Mr. Cantrell. “Why not?” “Oh, come on. I think that’s pushing it too hard.” “I think you just got a weak stomach there, boy.” By late February, things began to get tense. One of Mr. Cantrell’s hacker friends informed him that his number had shown up in a database of phone numbers being monitored by the FBI. In all the excitement of burglarizing databases and rerouting phone calls, the Phonemasters had neglected to check their own phone lines for any signs that law enforcement might be listening in. Mr. Morris hastily arranged for an FBI raid. On Feb. 22, 1995, agents raided Mr. Cantrell’s home, Mr. Lindsley’s college dorm room, and burst into Mr. Bosanac’s bedroom in San Diego. For Mr. Morris, the climactic raid was only the start of a long battle to bring the hackers to justice. Because of the complicated nature of his evidence gathering, it took him more than two years to compile the most salient portions of the wiretap transcripts and data-tap evidence. “All the documents and tapes from this case could fill a 20-by-20 room,” Mr. Morris explains. “And at the time, I was the only computer investigator for all of Texas.” In the meantime, as federal prosecutors slowly geared up for a trial, Mr. Cantrell tried to get on with his life. “I spent the first few weeks after the raid being paranoid and wondering what would happen,” he says. Occasionally, Mr. Morris and other agents would call him, asking questions about some of the systems he had hacked. By the summer of 1995, at the urging of his mother, Mr. Cantrell started attending church again. He scored the first in a string of professional computing jobs, doing systems-administration work for a company called Lee Datamail in Dallas. He neglected to tell his employers about the FBI case. 
“It’s been mental torture for the last four years, not knowing,” says Mr. Cantrell. “Can I go to school, move to another state? That kind of thing messes with your head.” Over time, Mr. Cantrell says he had come to seriously regret what he had done and the $9,000 he says he made from selling codes wasn’t worth the trouble. “Looking back, it was all crazy. It was an obsession. I wanted to see how much I could conquer and a little power went to my head.” Mr. Cantrell notes that he has since tried to make amends, even helping the phone companies plug their security holes and helping the FBI gather more information on some of the group’s members who haven’t yet been apprehended. The matter finally seemed near conclusion this March when Mr. Morris was able to play “a couple of choice tapes” in separate meetings with Messrs. Cantrell, Bosanac and Lindsley. Afterward, all three agreed to plead guilty to federal charges of one count of theft and possession of unauthorized calling-card numbers and one count of unauthorized access to computer systems. Chief Judge Jerry Buchmeyer ordered a presentencing investigation. During a hearing on the matter, Mr. Lindsley’s attorney tried to argue that the FBI had wildly overstated the $1.85 million in losses that her client’s hacking had allegedly caused. But in the end, Judge Buchmeyer rejected the argument and sentenced him to 41 months in prison. Mr. Bosanac, in the meantime, has asked that his sentencing hearing be moved to San Diego, where he lives. As for Mr. Cantrell, Judge Buchmeyer lauded his “acceptance of guilt.” He could have been sentenced to three years in federal prison; instead he was given two. He reports to federal prison in January of next year. Mr. Morris, meanwhile, has used his data-tap method in several other cases; he also travels around the country and the world advising law-enforcement agencies on how to conduct state-of-the-art investigations of hacker crimes. Copyright © 1999 Dow Jones & Company, Inc. 
All Rights Reserved.

ZDNet; (Note: this also appeared in last week's issue -Ed)

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Unplugged! The biggest hack in history
By John Simons, WSJ Interactive Edition
October 1, 1999 8:54 AM PT
URL: http://www.antionline.com/

DALLAS -- In a federal courtroom here, Calvin Cantrell stands silently, broad shoulders slouched. His lawyer reads from a short letter he has written: "My parents taught me good ethics, but I have departed from some of these, lost my way sometimes," the letter states. "I was 25 and living at home. No job, and no future... . All I ever really wanted was to work with computers." Cantrell certainly did work with computers -- both his own, and, surreptitiously, those of some of the largest companies in the world. He was part of a ring of hackers that pleaded guilty here to the most extensive illegal breach of the nation's telecommunications infrastructure in high-tech history. And sitting behind him in court as he was sentenced two weeks ago was the accountant-turned-detective who caught him: Michael Morris. A decade earlier, Morris, bored with accounting work, left a $96,000 job at Price Waterhouse and enrolled in the FBI academy, at $24,500 a year. Cantrell's sentencing was the final act in a five-year drama for Morris, and secured his reputation as the FBI's leading computer gumshoe. The tale of Morris and Cantrell is among the first cops-and-robber stories of the New Economy, involving, among other things, the first-ever use of an FBI "data tap." It illustrates how the nation's law-enforcement agencies are scrambling to reinvent their profession in a frantic effort to keep pace with brilliant and restless young hackers.
Unlimited potential for harm

The story also shows that hacking's potential harm is far more ominous than theft of telephone credit-card numbers. Cantrell was part of an eleven-member group dubbed "The Phonemasters" by the FBI. They were all technically adept twentysomethings expert at manipulating computers that route telephone calls. The hackers had gained access to telephone networks of companies including AT&T Corp., British Telecommunications Inc., GTE Corp., MCI WorldCom (then MCI Communications Corp.), Southwestern Bell, and Sprint Corp. They broke into credit-reporting databases belonging to Equifax Inc. and TRW Inc. They entered Nexis/Lexis databases and systems of Dun & Bradstreet, court records show. The breadth of their monkey-wrenching was staggering; at various times, they could eavesdrop on phone calls, compromise secure databases, and redirect communications at will. They had access to portions of the national power grid, air-traffic-control systems and had hacked their way into a digital cache of unpublished telephone numbers at the White House. The FBI alleges, in evidence filed in U.S. District Court for the Northern District of Texas, that the Phonemasters had even conspired to break into the FBI's own National Crime Information Center. Unlike less-polished hackers, they often worked in stealth, and avoided bragging about their exploits. Their ultimate goal was not just fun, but profit. Some of the young men, says the FBI, were in the business of selling the credit reports, criminal records, and other data they pilfered from databases. Their customers included private investigators, so-called information brokers and -- by way of middlemen -- the Sicilian Mafia. According to FBI estimates, the gang accounted for about $1.85 million in business losses. "They could have -- temporarily at least -- crippled the national phone network.
What scares me the most is that these guys, if they had had a handler, whether criminal or state-sponsored, could have done a lot of damage," says Morris. "They must have felt like cyber gods."

Some may be still at large

With the exception of Cantrell, none of the defendants in the Phonemasters case would comment on the matter. Others are thought to remain at large. This is the story of Cantrell and two accomplices largely put together from federal district court records and FBI interviews. Morris first learned of the group in August 1994, when he got a phone call from a Dallas private investigator, saying Cantrell had offered to sell him personal data on anyone he wished. He even offered a price list: Personal credit reports were $75; state motor-vehicle records, $25; records from the FBI's Crime Information Center, $100. On the menu for $500: the address or phone number of any "celebrity/important person." Morris immediately opened an investigation. Only 33 years old at the time, he had taken an annual pay cut to join the FBI just five years earlier. He had been a tax consultant at Price Waterhouse, and despised the work. "I was young and making the big bucks, but every morning I would think 'God, I don't want to go to work.' " Tall, square-jawed and mustachioed, Morris began working on white-collar crimes when he arrived at the Dallas FBI field office. He took on a few hacker cases and realized he liked the challenge. "These guys are not the kind who'll rob the convenience store then stare right into the security camera," he says. "Trying to be the Sherlock Holmes of the Internet is hard when the fingerprints on the window can be so easily erased." Morris convinced the private investigator to meet with Cantrell while wearing an audio taping device. After reviewing the tapes, he was certain that he was onto something big.
He applied for and received court authority to place a digital number recorder on Cantrell's phone lines, which would log numbers of all outgoing calls. It showed that Cantrell frequently dialed corporate telephone numbers for AT&T, GTE, MCI, Southwestern Bell and Sprint. Cantrell had also placed calls to two unlisted numbers at the White House, which further piqued Morris's interest. So, late that summer, Morris took an unprecedented step. He began writing a 40-page letter to the FBI's Washington headquarters, the Department of Justice and the federal district court in Dallas. Recording Cantrell -- now his central suspect -- while on the phone wasn't sufficient for the job that faced him, he believed. Instead, he needed new federal powers. He asked for Washington's permission to intercept the impulses that traveled along Cantrell's phone line as he was using his computer and modem. "It's one of the hardest techniques to get approved, partly because it's so intrusive," says Morris, who spent the next month or so consulting with federal authorities. "The public citizen in me appreciates that," he says. Still, the long wait was frustrating. "It took a lot of educating federal attorneys," he says. Once authorities said yes, Morris faced another obstacle: The equipment he needed didn't exist within the FBI. Federal investigators had experimented with a so-called data-intercept device only once before in a New York hacker case a year earlier. It had failed miserably. Morris and technicians at the FBI's engineering lab in Quantico, Va., worked together to draft the specifications for the device Morris wanted. It would need to do the reverse of what a computer's modem does. A modem takes digital data from a computer and translates it to analog signals that can be sent via phone lines. 
Morris's device would intercept the analog signals on Cantrell's phone line and convert those impulses back to digital signals so the FBI's computers could capture and record each of a suspect's keystrokes.

Alerting the victims

While waiting for the FBI to fit him with the proper gear, Morris contacted several of the telephone companies to alert them that they had been victimized. The reception he got wasn't always warm. "It's kind of sad. Some of the companies, when you told them they'd had an intrusion, would actually argue with you," he said. GTE was an exception. Morris discovered that Bill Oswald, a GTE corporate investigator, had opened his own Phonemasters probe. Oswald and Morris began working together and uncovered another of Cantrell's schemes: He and some friends had managed to get their hands on some telephone numbers for FBI field offices. They entered the telephone system and forwarded some of those FBI telephones to phone-sex chat lines in Germany, Moldavia and Hong Kong. As a result of the prank, the FBI was billed for about $200,000 in illegal calls. Morris also learned that on Oct. 11, 1994, Cantrell hacked GTE's computer telephone "switch" in Monticeto, Calif., created a fake telephone number and forwarded calls for that number to a sex-chat line in Germany. The FBI isn't sure how Cantrell convinced people to call the number, but court records show that Cantrell received a payment of $2,200 from someone in Germany in exchange for generating call traffic to the phone-sex service. In early December 1994, Morris's "analog data-intercept device" finally arrived from the FBI's engineering department. It was a $70,000 prototype that Morris calls "the magic box." On Dec. 20, Morris and other agents opened up their surveillance in an unheated warehouse with a leaky roof. The location was ideal because it sat between Cantrell's home and the nearest telephone central office.
Morris and nine other agents took turns overseeing the wiretap and data intercepts. The agents often had to pull a tarp over their workspace to keep rain from damaging the costly equipment. As middle-class families go, the Cantrells seem exemplary. Calvin's father, Roy, was a retired detective who had once been voted "Policeman of the Year" in Grand Prairie, the suburb west of Dallas where they live. His mother, Carol, taught Latin and English at Grand Prairie High School, where Calvin graduated in 1987 with above-average grades. As a student, he was no recluse. He had a small circle of friends who shared his love of martial arts, video games and spy movies. Cantrell's longtime friend, Brandon McWhorter, says Calvin was always a fun-loving guy, but there was one thing about which he was very serious. "He would always talk to me about religion," McWhorter says. "He held very strong religious beliefs." After high school, Cantrell continued to live at home while taking classes at the University of Texas at Arlington and a local community college. He held a series of odd jobs and hired himself out as a deejay for weddings and corporate parties. Cantrell balanced school, work, family and friends even as he began hacking more often. His parents became suspicious, but said nothing. The family had three phones; Calvin stayed on his 15 hours a day. "They'd go in my room and see all the notes and the phone numbers. Even though they couldn't put it together technically, they knew something was up," says Cantrell. "They were kind of in denial... . My parents were pretty soft." Mrs. Cantrell says Calvin had been so well-behaved that she never suspected his computer activities were more than fun and games. "I wish I had known what was going on. Unfortunately, my son was smarter than I was." (Calvin's father passed away last year.)

The hack

At 8:45 on the night of Dec. 21, just four days before Christmas, Cantrell went online.
Using an ill-gotten password, he entered a Sprint computer, where he raided a database, copying more than 850 calling-card access codes and other files, court records in the case show. The Phonemasters often got passwords and other key information on companies in a low-tech approach called "Dumpster diving," raiding the trash bins of area phone firms for old technical manuals, phone directories and other company papers. This often allowed Cantrell to run one of his favorite ruses -- passing himself off as a company insider. "I'd call up and say, 'Hi, I'm Bill Edwards with systems administration.' ... I'd chat with them for a while, then I'd say 'We're doing some network checkups today. Can you log off of your computer, then tell me every character you're typing as you log back on?' A lot of people fell for that," Cantrell says. After hacking into the Sprint database that evening, Cantrell talked to another hacker, Corey Lindsley, over the phone. He'd "met" Lindsley, and another hacker, John Bosanac, in 1993 while surfing the murky world of hacker bulletin boards. Cantrell then sent the copied files to Lindsley, who was a student at the University of Pennsylvania in Philadelphia. Morris's equipment captured everything -- voice and data. It was an FBI first. "We're sitting in this place that looked like a bomb pit, but the atmosphere was really exciting," says Morris. "We were ecstatic." As the days passed, the FBI wiretap generated stacks upon stacks of audiotapes and data transcripts. Some was just idle talk among friends, the occasional call to finalize dinner plans, lots of workaday chatter. But the incriminating evidence mounted. "It's great, you know. I really love fraud," joked Bosanac, a Californian who was musing with Cantrell about the various technical methods of using other people's cellular telephone accounts to place free calls. "Fraud is a beautiful thing." Family conversations even entered the investigation. On Jan.
7, for instance, Cantrell called his mother from a friend's house and asked her to find an MCI manual on his shelf. He then asked her to read him a set of directions for accessing MCI's V-NET computer system. Mrs. Cantrell read the material but asked her son whether he was supposed to have the book, citing warnings that stated its contents were restricted to MCI employees. Cantrell just avoided his mother's question. The FBI data-tap captured every word.

Taking a toll

Still, the process took its toll on the FBI team, especially coming during the holidays. "It was stressful that the wiretap was going 24 hours a day, seven days a week. I had to write up the legal documents, and it's tough making people work through Christmas," Morris said. On top of that, he had to keep records of his findings, and every 10 days he had to reapply to the court to prove that his wiretap was yielding evidence. By late January, the FBI had begun to get a clear profile of Cantrell and his hacker friends. Lindsley, it appeared, was the group's acerbic leader, directing much of the hacking activity. Over phone lines, the FBI heard him bragging about how he had given a Pennsylvania police department "the pager treatment" in retaliation for a speeding ticket he received. Lindsley had caused the police department's telephone number to appear on thousands of pagers across the country. The resulting flood of incoming calls, Lindsley bragged, would surely crash the department's phone system. They also enjoyed collecting information about film stars, musicians and other famous people. Cantrell has admitted that he broke into President Clinton's mother's telephone billing records in Arkansas to obtain a list of unpublished White House numbers. The men, says the FBI, even made harassing phone calls to rock star Courtney Love and former child actor Danny Bonaduce using pilfered numbers. They weren't without fear of getting caught. On the evening of Jan.
17, for instance, there was a clicking on the phone line as Bosanac, Cantrell, and Lindsley shared a three-way conference call.

"What the hell happened?" asked Bosanac, according to an FBI transcript of the conversation.

"That was the FBI tapping in," laughed Cantrell.

"Do you know how ironic that's gonna be when they play those tapes in court?" Lindsley said. "When they play that tape in court and they got you saying it was the FBI tapping in?"

On Jan. 18, the FBI overheard Cantrell, Bosanac and Lindsley on another conference call. With the other two men giving directions, Cantrell dialed his computer into Southwestern Bell's network and copied a database of unlisted phone numbers. The three men then discussed plans to write a computer program that could automatically download access codes and calling-card numbers from various telephone systems. They also talked about the chance that the FBI would one day track them down.

"Just remember, nobody f-- rats anybody out," said Lindsley to the others. "No deals."

"Yeah, no deals is right," replied Bosanac.

"No deals. I'm serious. I don't care what your f-- lawyers tell you," said Lindsley.

Cantrell said nothing.

Transferred codes to Canada

Later that morning, between 5:09 and 7:36, Cantrell entered Sprint's computer system and downloaded about 850 Sprint calling-card codes. He then transferred those codes to a man in Canada. The codes would allow anyone who purchased them to place free international phone calls. Morris would later learn that a contact in Canada paid Cantrell $2 apiece for each code, court records show. The Phonemasters most likely did not know -- or care -- where the codes ended up, but the FBI traced them and found some ended up in the hands of a Sicilian Mafia operative in Switzerland.

On Jan. 23, while probing a U S West telephone database, Cantrell, Bosanac, Lindsley and others stumbled over a list of telephone lines that were being monitored by law enforcement.
On a lark, they decided to call one of the people -- a suspected drug dealer, says Morris -- and let him know his pager was being traced by the police.

On Jan. 27, the group was clearly feeling paranoia about being caught, prompting Lindsley to tell his accomplices to pull as many Sprint codes as quickly as they could. Cantrell began to have reservations.

"What if I stopped before all of y'all?" Cantrell asked Lindsley. "Would you applaud my efforts?"

"No," said Lindsley. "I don't think there's any reason to stop. What are you worried about?"

"Uh, I'm not worried about anything. I'm just saying, uhm. There might ... there might come a time here where I don't have time for this." He added a little later: "I, you know, really like it. But, I don't know, I just ... Eventually, I don't see myself doing a lot of illegal things."

Lindsley continued to prod Cantrell to speed up the download of stolen codes by spending more time online and using two phones.

"I'm telling you, you run two lines around the clock," Lindsley said.

"You can't run them around the clock," said Cantrell.

"Why not?"

"Oh, come on. I think that's pushing it too hard."

"I think you just got a weak stomach there, boy."

Tension rises

By late February, things began to get tense. One of Cantrell's hacker friends informed him that his number had shown up in a database of phone numbers being monitored by the FBI. In all the excitement of burglarizing databases and rerouting phone calls, the Phonemasters had neglected to check their own phone lines for any signs that law enforcement might be listening in.

Morris hastily arranged for an FBI raid. On Feb. 22, 1995, agents raided Cantrell's home, Lindsley's college dorm room, and burst into Bosanac's bedroom in San Diego.

For Morris, the climactic raid was only the start of a long battle to bring the hackers to justice.
Because of the complicated nature of his evidence gathering, it took him more than two years to compile the most salient portions of the wiretap transcripts and data-tap evidence.

"All the documents and tapes from this case could fill a 20-by-20 room," Morris explains. "And at the time, I was the only computer investigator for all of Texas."

In the meantime, as federal prosecutors slowly geared up for a trial, Cantrell tried to get on with his life. "I spent the first few weeks after the raid being paranoid and wondering what would happen," he says. Occasionally, Morris and other agents would call him, asking questions about some of the systems he had hacked.

By the summer of 1995, at the urging of his mother, Cantrell started attending church again. He scored the first in a string of professional computing jobs, doing systems-administration work for a company called Lee Datamail in Dallas. He neglected to tell his employers about the FBI case.

"It's been mental torture for the last four years, not knowing," says Cantrell. "Can I go to school, move to another state? That kind of thing messes with your head."

Over time, Cantrell says he had come to seriously regret what he had done and the $9,000 he says he made from selling codes wasn't worth the trouble. "Looking back, it was all crazy. It was an obsession. I wanted to see how much I could conquer and a little power went to my head."

Cantrell notes that he has since tried to make amends, even helping the phone companies plug their security holes and helping the FBI gather more information on some of the group's members who haven't yet been apprehended.

The matter finally seemed near conclusion this March when Morris was able to play "a couple of choice tapes" in separate meetings with Cantrell, Bosanac and Lindsley. Afterward, all three agreed to plead guilty to federal charges of one count of theft and possession of unauthorized calling-card numbers and one count of unauthorized access to computer systems.
Chief Judge Jerry Buchmeyer ordered a presentencing investigation. During a hearing on the matter, Lindsley's attorney tried to argue that the FBI had wildly overstated the $1.85 million in losses that her client's hacking had allegedly caused. But in the end, Judge Buchmeyer rejected the argument and sentenced him to 41 months in prison. Bosanac, in the meantime, has asked that his sentencing hearing be moved to San Diego, where he lives.

As for Cantrell, Judge Buchmeyer lauded his "acceptance of guilt." He could have been sentenced to three years in federal prison; instead he was given two. He reports to federal prison in January of next year.

Morris, meanwhile, has used his data-tap method in several other cases; he also travels around the country and the world advising law-enforcement agencies on how to conduct state-of-the-art investigations of hacker crimes.

@HWA

05.0 India Objects to Comments From Vatis
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by seano

Indian officials have strongly objected to comments made by Michael Vatis, head of the National Infrastructure Protection Center (NIPC). Vatis indicated that Y2K code fixes by Indian programmers may be riddled with back doors and logic bombs. The chairman of the Indian government's Y2K Action Force called the statements 'utterly ridiculous'.

Reuters - Via ABC News
http://www.abcnews.go.com/wire/US/reuters19991001_638.html

WIRE:10/01/1999 04:45:00 ET

India Slams U.S. Talk On Y2K-Linked Security Fears

NEW DELHI (Reuters) - Indian officials Friday slammed as ridiculous a suggestion by U.S. officials that Indian Y2K (Year 2000) software firms could have been used to smuggle in computer codes aimed at threatening Washington's security.

Michael Vatis, the top cyber cop in the Federal Bureau of Investigation (FBI), told Reuters Thursday that malicious code changes under the guise of Y2K modifications had begun to surface in some U.S. work undertaken by foreign contractors.
The claim signaled possible economic and security threats.

Vatis, who heads the National Infrastructure Protection Center (NIPC), gave no details. But Terrill Maynard, a Central Intelligence Agency officer assigned to the NIPC, said in a recent article that India and Israel appeared to be the "most likely sources" of malicious code. The article appeared in the June issue of Infrastructure Protection Digest.

"I think this is an utterly ridiculous assertion...without, as far as I can see, any basis whatsoever," said Montek Singh Ahluwalia, chairman of the Indian government's Y2K Action Force.

"I have no idea if this report is factually correct and if indeed a responsible officer has made what appears to be an irresponsible statement," Ahluwalia told Reuters.

He said the Indian government had not received any official communication to suggest wrongdoing by Indian firms or agencies.

The CIA declined to comment on Maynard's article. Referring to it, Vatis said: "This is our effort to put out in the public information that hopefully can be useful to people."

Indian firms have done more than $2 billion worth of coding work to protect old computers whose date-fields denoted years only by the last two digits. Unless rectified, such computers can cause valuable data crashes when the year 2000 dawns.

India and Israel have had differences with the United States on security matters, particularly on nuclear policy.

"TOO MUCH AT STAKE"

Dewang Mehta, president of India's National Association of Software and Service Companies (NASSCOM), cited several reasons to dismiss suggestions Indian firms may be a security threat.

He told Reuters that too much was at stake for India's booming software companies, which have used Y2K as a strategy to gain long-term clients. Besides, Indian firms did the bulk of Y2K work at U.S. sites under client supervision, he added.

"We cannot visualize that any moles have been planted. This is absurd. For us, too much is at stake," Mehta said.
He said Indian firms had also carried out "regression testing," which was aimed at ensuring Y2K programming work did not hamper other software in client systems.

Vatis said it was "quite easy" for an outsider to code in ways of gaining future access or causing something to "detonate" down the road. This could expose a company to future "denial of service attacks," open it to economic espionage or leave it vulnerable to malicious altering of data, he said.

Vatis said that so far "not a great deal" of Y2K-related tampering had turned up. But a U.S. Senate panel said last week that long-term consequences of using foreign firms for Y2K work could include more espionage and reduced information security.

Mehta said he heard during a recent visit to Israel a rumor about a computer virus designed to wipe out Y2K solutions.

"I am afraid as only three months are left and many American systems are not compliant, this kind of global rumor-mongering is beginning to happen," he said. "We all think we should guard ourselves against it. NASSCOM strongly condemns such rumors."

Maynard noted Ireland, Pakistan and the Philippines among nations whose firms did significant Y2K repair. He said they were "least likely" to harm U.S. systems but did not rule out threat possibilities.

Copyright ©1999 ABC News Internet Ventures. All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form.

@HWA

06.0 Bill Cheek Diagnosed with Cancer Still Faces Charges
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

Stolen from Strong Signals

Bill Cheek, editor of the "Experimenters Workshop" column in Monitoring Times and author of a series of books on scanner modifications was just diagnosed with incurable lung cancer at the end of September.
If treatment is not begun aggressively and rapidly, doctors give him about 3-4 months. Charges brought against him in a New York federal court last spring -- related to his scanner business -- are currently being heard before the Grand Jury. Though always a controversial figure, there is no disputing the fact that Bill has devoted his life to the love of radio and technology.

Strong Signals
http://www.strongsignals.net/htm/newsflsh.htm#100199

Bill Cheek Update
October 1, 1999

Thanks to Larry Van Horn for the following details!

An appeal to Monitoring Times readers and friends of Bill Cheek:

Bill Cheek, editor of the "Experimenters Workshop" column in Monitoring Times and author of a series of books on scanner modifications was just diagnosed with incurable lung cancer at the end of September. If treatment is not begun aggressively and rapidly, doctors give him about 3-4 months. Bill says, "research on lung cancers is ever on-going ... My doctor said that even a year ago, my case would not have been treatable at all. Now they can offer me a 4-6 months extension."

The problem is, Bill does not have medical insurance. He is self-employed at Comtronics and has two daughters in college. Furthermore, charges brought against him in a New York federal court last spring -- related to his scanner business -- are currently being heard before the Grand Jury.

Bill intends to fight the cancer, but he could use your help. Bill welcomes your prayers on behalf of him and his family. If you have knowledge or feedback on the latest cancer research and developments, Bill would appreciate hearing from you. Expressions of concern are welcome, but he'll have little energy for personal replies.

You can also help with your contributions. A trust fund has been set up by friends and family to which you may contribute toward medical expenses. Here are the details:

Contributions for Bill Cheek can be made through Union Bank of CA.
Checks can be made out to either:

Bill or Cindy Cheek
Cynthia Cheek trustee for William D. Cheek, Sr.

Funds should be sent to:

Union Bank of California
Acct# 0771354719
8359 Mira Mesa Blvd
San Diego, CA 92126
Attn: Rhonda or Kevin Smith
(619) 230-3800

OR

Bill and Cindy Cheek
PO Box 262478
San Diego, CA 92196

Though always a controversial figure, there is no disputing the fact that Bill has devoted his life to the love of radio and technology. We at Monitoring Times ask that you give this appeal the widest circulation among your radio friends. As fellow hobbyists, let's show our appreciation by giving generously.

73 Larry Van Horn

@HWA

07.0 The IBM 2020 Neural Implant Chip
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by TRDonJuan

The IBM 2020 Neural Chip Implant

Intelli-Connection
A Security Division of IBM
1200 Progress Way
Armonk, New York 11204

October 20, 1995

LI