-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 17 of 19 ] -------------------------[ P H R A C K W O R L D N E W S ] --------[ disorder ] Like I said in Phrack 54, the increase of news on the net, security, hackers and other PWN topics, it is getting more difficult to keep Phrack readers informed of everything. To combat this problem, PWN will include more articles, but only relevant portions (or the parts I want to make smart ass remarks about). If you would like to read the full article, look through the ISN (InfoSec News) archives located at: http://www.landfield.com/isn/ If you would like timely news delivered with less smart ass remarks, you can always subscribe to ISN by mailing listserv@securityfocus.com with 'subscribe isn firstname lastname' in the body of your mail. Another excellent source of daily news is the Hacker News Network (HNN @ www.hackernews.com). The news included in here are events that occured since the previous edition of Phrack World News (Phrack Magazine V. 8, #54, Dec 25th, 1998. ISSN 1068-1035). If you feel the need to send me love letters, please cc: mcintyre@attrition.org and tell him to "get jiggy on your wiggy". If you would like to mail my cat, don't, he hates you because you are pathetic. Meow. This installment of PWN is dedicated to Federal Agents of Diminished Mental Capacity, stupid little kids running canned scripts for lack of real skill .. err 'hackers', and blatant stupidity. This issue was brought to you by the letters F, U, C, K, O and F. --------[ Issue 55 0x01: State of Defacements 0x02: L.A. district attorney drops Mitnick case 0x03: Mitnick sentenced, ordered to pay $4,125 0x04: Clinton forms security panel 0x05: Bill reopens encryption access debate 0x06: The Hacker Hoax 0x07: Israeli Teen Finds Web Full of Security Holes 0x08: Hotmail Hackers: 'We Did It' 0x09: Scientists crack Net security code 0x0a: NSA Lures Hackers 0x0b: Army to offer 'information survival' training 0x0c: Clinton To Use hackers Against Yugoslav leader 0x0d: Hack attack knocks out FBI site 0x0e: White House threatens to punish hackers 0x0f: MS Refutes Windows 'Spy Key' 0x10: Teens plead innocent in hacking case 0x01>------------------------------------------------------------------------- State of Defacements Attrition 09.01.99 As of 09.01.99, the following statistics and information has been generated based on the mirrors of defaced web sites kept at www.attrition.org/mirror/attrition/ The word 'fuck' occured 1269 times in 584 out of 2145 mirrors dating back to 95.06.12. 337 defaced pages have linked to or greeted 'attrition', the largest mirror of defacements. Shortly after the Columbine shooting, 37 defacements made reference to the incident. To date, 31 defacements have made reference to Serbia. Average number of website defacements per day since 99.01.01: 3.0. Average number of website defacements per day since 99.02.01: 2.5. Average number of website defacements per day since 99.03.01: 4.0. Average number of website defacements per day since 99.04.01: 8.9. Average number of website defacements per day since 99.05.01: 12.7. Average number of website defacements per day since 99.06.01: 10.4. Average number of website defacements per day since 99.07.01: 10.6. Average number of website defacements per day since 99.08.01: 10.3. Total website defacements in 1995: 4 Total website defacements in 1996: 18 Total website defacements in 1997: 39 Total website defacements in 1998: 194 Total website defacements in 1999: 1905 Since 08.01.99 # of BSDi : 13 # of FreeBSD : 9 # of HP/UX : 1 # of IRIX : 11 # of Linux : 71 # of OSF1 : 3 # of SCO : 2 # of Solaris : 78 # of Win-NT : 109 Since 95.06.12 com: 1052 net: 124 org: 140 mil: 52 gov: 121 The past year has seen many high profile sites defaced. Among them: C-Span (www.c-span.org), EBay (www.ebay.com), ABC News (www.abc.com), Symantec (www.symantec.com), The White House (www.whitehouse.gov), The Senate (www.senate.gov), GreenPeace (www.greenpeace.org), US Information Agency (www.usia.gov), MacWeek (www.macweek.com), HotBot (www.hotbot.com), Wired (www.wired.com), and more. Among the armed forces, all branches including the Coast Guard have experienced at least one defacement. 0x02>------------------------------------------------------------------------- L.A. district attorney drops Mitnick case http://www.zdnet.com/zdnn/stories/news/0,4586,2310792,00.html?chkpt=hpqs014 August 6, 1999 Deputy district attorney says state case was 'mischarged' -- clears way for Mitnick halfway house plea. [snip...] In 1993, the district attorney charged Mitnick with one count of illegally accessing a Department of Motor Vehicles computer and retrieving confidential information. The problem with that charge is that Mitnick, posing as a Welfare Fraud investigator, simply picked up a telephone on Dec. 24, 1992, and duped an employee accessing the DMV computer for him. "Since Mitnick did not personally connect to the DMV computer, but either he or someone else communicated with the DMV technician via a telephone conversation," Bershin wrote in his motion to dismiss the case, "it would be difficult to prove that Mitnick gained entry to the DMV computer, or that he instructed or communicated with the logical, arithmetical or memory function resources of the DMV computer." [snip...] 0x03>------------------------------------------------------------------------- Mitnick sentenced, ordered to pay $4,125 August 10, 1999 11:55 AM ET http://www.zdnet.com/pcweek/stories/news/0,4153,1015902,00.html LOS ANGELES -- Four years, five months and 22 days after it began, The United States vs. Kevin Mitnick ended Monday when U.S. District Court Judge Marianna Pfaelzer sentenced the hacker to 46 months in prison. Mitnick was also ordered to pay $4,125 in restitution -- a fraction of the $1.5 million federal prosecutors sought. With credit for good behavior, Mitnick could be free by January 2000. Once released, the hacker is ordered not to touch a computer or cellular telephone without the written approval of his probation officer. Mitnick is also immediately eligible for release to a halfway house at the discretion of the Bureau of Prisons, although the judge recommended he serve the remainder of his sentence in prison. Mitnick pleaded guilty on March 26 to seven felonies, and admitted to cracking computers at cellular telephone companies, software manufacturers, ISPs and universities, as well as illegally downloading proprietary software from some of the victim companies. [snip...] 0x04>------------------------------------------------------------------------- Clinton forms security panel AUGUST 2, 1999 http://www.fcw.com/pubs/fcw/1999/0802/fcw-polsecurity-08-2-99.html President Clinton last month signed an executive order to create the National Infrastructure Assurance Council, the final organization to be established as part of an overall structure to protect the critical infrastructure of the United States against cyberterrorism and other attacks. [Very timely...] The council will be made up of 30 people from federal, state and local governments, as well as the private sector. As outlined in the May 1998 Presidential Decision Directive 63, its main purpose is to enhance and continue to develop the partnership between the public and private sector on initiatives already in place. This includes the Information Sharing and Analysis Centers (ISACs) that are being set up across the country to exchange information about vulnerabilities, cyberattacks and intrusions. [So by the time this council is created, people elected, everything setup.. This is slightly amusing considering the vice-president created the Internet. *smirk*] [snip...] 0x05>------------------------------------------------------------------------- Bill reopens encryption access debate AUGUST 16, 1999 http://www.fcw.com/pubs/fcw/1999/0816/fcw-newsencrypt-08-16-99.html Renewing efforts to allow law enforcement agencies to access and read suspected criminals' encrypted electronic files, the Clinton administration has drafted a bill that would give those agencies access to the electronic "keys" held by third parties. The Cyberspace Electronic Security Act, the drafting of which is being led by the Office and Management and Budget and the Justice Department, "updates law enforcement and privacy rules for our emerging world of widespread cryptography," according to an analysis accompanying the bill obtained by Federal Computer Week. [Oh yeah, this is them figuring a way to keep our best interests in mind! Let law enforcement have access to everything, because they are always good and honorable.] [snip...] 0x06>------------------------------------------------------------------------- The Hacker Hoax August 18, 1999 http://www.currents.net/newstoday/99/08/18/news3.html The world's press might have been fooled into believing that a Chinese hacker group plans to bring down the country's information infrastructure. According to stories that began circulating in July last year, the rogue group, the Hong Kong Blondes, is made up of dissidents both overseas and within the Chinese Government. The rumours began when an interview with the group's leader was published by US hacking group the Cult of the Dead Cow (CDC) at http://www.cultdeadcow.com . In the interview, illusive Hong Kong Blondes director Blondie Wong said that he had formed an organization named the Yellow Pages, which would use information warfare to attack China's information infrastructure. The group threatened to attack both Chinese state organizations and Western companies investing in the country. For their part, the CDC claimed that they would train the Hong Kong Blondes in encryption and intrusion techniques. One year after the group's supposed launch, there is no evidence that the Hong Kong Blondes ever existed. In fact, all evidence appears to indicate that the Hong Kong Blondes report was a highly successful hoax. [snip...] 0x07>------------------------------------------------------------------------- Israeli Teen Finds Web Full of Security Holes August 17, 1999 http://www.internetnews.com/intl-news/print/0,1089,6_184381,00.html [Westport, CT] An independent consultant in Israel has released the results of one of the first exhaustive surveys of Internet security, hoping to provide a wake-up call for Internet companies. With the help of a piece of homemade scanning software, Liraz Siri probed nearly 36 million Internet hosts worldwide over a period of eight months. Siri and his program, the Bulk Auditing Security Scanner or BASS, went looking specifically for UNIX systems that were vulnerable to 18 widely known security vulnerabilities -- holes for which vendors have already released patches and other fixes. [snip...] 0x08>------------------------------------------------------------------------- Hotmail Hackers: 'We Did It' 4:00 p.m. 30.Aug.99.PDT http://www.wired.com/news/news/technology/story/21503.html A previously unknown group known as Hackers Unite has claimed responsibility for publicizing Hotmail's security breach, which Microsoft vehemently denied was the result of a backdoor oversight. The group of eight hackers said Monday through a spokesman that they announced the hole to the Swedish media to draw attention to what they say is Microsoft's spotty security reputation. The stunt exposed every Hotmail email account, estimated to number as many as 50 million, to anyone with access to a Web browser. [snip..] Microsoft vehemently denied the backdoor suggestions, and instead described the problem as "an unknown security issue." "There is nothing to these allegations [of a backdoor in Hotmail]," said MSN marketing director Rob Bennett. "It is not true. Microsoft values the security and privacy of our users above all." [I think if you sub the "." in that last statement with the word "that", it is much more accurate.] 0x09>------------------------------------------------------------------------- Scientists crack Net security code Aug. 27 http://www.msnbc.com/news/305553.asp A group of scientists claimed Friday to have broken an international security code used to protect millions of daily Internet transactions, exposing a potentially serious security failure in electronic commerce. Researchers working for the National Research Institute for Mathematics and Computer Science (CWI) in Amsterdam said consumers and some businesses could fall victim to computer hackers if they get their hands on the right tools.However, not every computer whiz has access to the equipment, worth several million dollars, and no related Internet crimes have yet been uncovered, the experts said. The scientists used a Cray 900-16 supercomputer, 300 personal computers and specially designed number-crunching software to break the RSA-155 code the backbone of encryption codes designed to protect e-mail messages and credit-card transactions. THE SCIENTISTS USED a Cray 900-16 supercomputer, 300 personal computers and specially designed number-crunching software to break the so-called RSA-155 code — the backbone of encryption codes designed to protect e-mail messages and credit-card transactions. Your everyday hacker won’t be able to do this,” said project director Herman te Reile. “You have to have extensive capacity, the money, and the know-how, but we did it.” [snip...] 0x0a>------------------------------------------------------------------------- NSA Lures Hackers 27 August 1999 http://www.currents.net/clickit/printout/news/28074924000990080.html There's a future in the National Security Agency for young techies and hackers, showing that maybe the Clinton administration is a little off-base in its efforts to turn children away from the so-called dark side of computer obsession. According to a page on the NSA Website, last updated in December 1998, the agency is looking for a few good teen-aged hacker-types, promising them free college tuition, room and board if they come to work for the agency for at least five years upon college graduation. The NSA program is not exactly restricted to the dean's list cream of the crop, however, requiring only a minimum SAT score of 1200 (or composite Act score of 27), a 3.0 grade point average or higher, "demonstration of leadership abilities" and US citizenship. [snip...] 0x0b>------------------------------------------------------------------------- Army to offer 'information survival' training MAY 5, 1999 http://www.fcw.com/pubs/fcw/1999/0503/web-army-5-5-99.html The Army this fall plans to offer an online graduate-level training course on information systems survivability, teaching engineers to develop systems capable of surviving any kind of technical glitch and network attack. [Define 'irony'. The army training anyone about security. Lets have a quick look at some public validation for the army and security! Date Web page defaced ------ ---------------- 99.01.25 wwwjtuav.redstone.army.mil 99.03.02 www.bweb.wes.army.mil 99.03.07 wrair-www.army.mil 99.04.11 mdw-www.army.mil 99.04.19 www-anad.army.mil 99.05.01 www.rsc.stuttgart.army.mil 99.05.03 www.ett.redstone.army.mil 99.06.04 cenwo.nwo.usace.army.mil 99.06.24 www.monmouth.army.mil 99.06.27 www.army.mil 99.07.16 www.ado.army.mil 99.08.03 akamai.tamc.amedd.army.mil 99.08.29 www.cmtc.7atc.army.mil Oh yes, sign me up please.] 0x0c>------------------------------------------------------------------------- Clinton To Use hackers Against Yugoslav leader http://www.attrition.org/errata/www/art.0109.html President Clinton has approved a top-secret plan to destabilize Yugoslav leader Slobodan Milosevic, using computer hackers to attack his foreign bank accounts and a sabotage campaign to erode his public support, [Yes, sneaky me. The URL above is part of the Errata page. Why? Because several news outlets blindly reported this as the truth, when it is highly likely it is not. Sensationalism at its finest.] 0x0d>------------------------------------------------------------------------- Hack attack knocks out FBI site May 26, 1999 6:44 PM PT A skirmish between the FBI and a well-known hacker group seemingly erupted Wednesday. Not long after federal agents served search warrants on members of hacker group Global Hell (gH), probably in connection with recent attacks on U.S. government computers, the FBI's own Web site was attacked and is currently offline. Earlier on Wednesday, MSNBC was told by a member of gH that the FBI had served search warrants on several members of the hacker group. Last week, gH member Eric Burns (who also goes by the name Zyklon), was arrested in connection with three separate attacks on U.S. government computers, including systems at the U.S. Information Agency. [Pay attention journalists. Dozens of you misread this to say the FBI web page was defaced. It clearly says they were victim of a Denial of Service attack.] 0x0e>------------------------------------------------------------------------- White House threatens to punish hackers June 1, 1999, 3:35 p.m. PT http://www.news.com/News/Item/0,4,37257,00.html Annoyed by a recent wave of attacks against official U.S. government Web sites, the White House today warned hackers who target federal Web sites that they will be caught and punished. "There's a government-wide effort to make sure that our computer systems remain secure," White House Press Secretary Joe Lockhart said in a briefing. "For those who think that this is some sort of sport, I think [it will be] less fun when the authorities do catch up with them...and these people are prosecuted," he said. [Busting the people that have already violated your security will not make you secure in the future. Talk about blind to the world.] 0x0f>------------------------------------------------------------------------- MS Refutes Windows 'Spy Key' 10:20 a.m. 3.Sep.99.PDT http://www.wired.com/news/news/technology/story/21577.html Microsoft is vehemently denying allegations by a leading cryptographer that its Windows platform contains a backdoor designed to give a US intelligence agency access to personal computers. Andrew Fernandes, chief scientist for security software company Cryptonym in North Carolina, claimed on his Web site early Friday that the National Security Agency may have access to the core security of most major Windows operating systems. "By adding the NSA's key, they have made it easier -- not easy, but easier -- for the NSA to install security components on your computer without your authorization or approval," Fernandes said. But Microsoft denied that the NSA has anything to do with the key. [Yeah. The NSA isn't bright enough to change the name of a 'backdoor' key from "_NSAKEY" to something a little less glaring.] 0x10>------------------------------------------------------------------------- Teens plead innocent in hacking case 09/02/99- Updated 01:34 PM ET http://www.usatoday.com/life/cyber/tech/ctg016.htm JERUSALEM (AP) - Four teen-agers charged with hacking into the computer systems of the Pentagon, NASA and the Israeli parliament pleaded innocent Thursday, the lawyer for the alleged ringleader said. Shmuel Tzang said his client, Ehud Tenenbaum, 19, broke no law when he penetrated the Internet sites of American and Israeli institutions because there was no notice on the sites declaring them off-limits. [This is patently stupid. Because the systems didn't say "breaking in is illegal", they didn't break the law? This level of stupidity is indicative of the level they showed to get busted.] ----[ EOF