0blivion6:(0blivion6.txt):23/08/2000

-=[ Oblivion Magazine ]=-
-=[ http://www.0blivion.org ]=-

Feer Us Fools, Because We Are Gaining R00t On You

-=[ Editor: Cyber0ptix ]=-
-=[ cyberoptix@0blivion.org ]=-
-=[ Assistant Editor: Slider ]=-
-=[ Slider@0blivion.org ]=-
-=[ Writer/Advice: LockDown ]=-
-=[ lock-down@hushmail.com ]=-

Pain Is A Thing Of The Past, Feel Oblivion

-=[ IRC: #OBLIVIONMAG on EFNet ]=-
Join Us And Communicate
-----------------------------
Designed On 800x600 Resolution

-=[ Issue 6 - 15/08/2000 ]=-
The Sixth Sense

-=[ Contents ]=-
--------

---------------------------------------  -----------------
[ Articles ]                             [ Author ]
+-------------------------------------+  +---------------+
[ Contents ]                             [ 0blivion.org ]
[ Introduction To Issue 6 ]              [ Slider ]
[ Editor - Comments/Rant ]               [ Cyber0ptix ]
[ Speed up your Connection ]             [ Cyber0ptix ]
[ Application Programming Interfaces ]   [ Tango-Omega ]
[ Windows 2000 File System Encryption ]  [ Kermit23 ]
[ The Andrew File System (AFS) ]         [ Slider ]
[ Multiprotocol Transport Net. (MPTN) ]  [ Slider ]
[ News - http://net-security.org ]       [ 0blivion.org ]
[ End Credits ]                          [ 0blivion.org ]
---------------------------------------  -----------------

When Mozart was composing at the end of the eighteenth century, the city of Vienna was so quiet that fire alarms could be given verbally by a shouting watchman mounted on top of St. Stefan's Cathedral. In twentieth-century society, the noise level is such that it keeps knocking our bodies out of tune and out of their natural rhythms. This ever-increasing assault of sound upon our ears, minds, and bodies adds to the stress load of civilized beings trying to live in a highly complex environment.
- Steven Halpern

----------------------------------------------

**********************************************
Introduction To Issue 6 - Slider
**********************************************

Re. Welcome to Issue 6, this is a very short issue I'm afraid due to myself being away on holiday and having to start a new job, and Cyber moving house (still!) and working and being a typical student.

At the moment we are trying to get ideas in for articles, so we would appreciate any ideas for text files, no matter how silly or in-depth they might be, that we can research and then write about after gaining some experience in these subjects.

Many thanks to all of you who stuck in your points of view, and of course your articles! And please will you continue sending them in, we appreciate points of view and of course your articles. This way you can get your work published to a wider audience. Also, if you are thinking of writing an article yourself then also contact us, we will help you as much as possible to write it.

We are here to promote learning and sharing of information like the Internet community should be, all we ask is that you publish the document or text in Oblivion mag first, then distribute it to other mags if you wish. This gives us peace of mind knowing that we got something good out of it!

At the moment I am trying to organise as many things as possible to get this issue out and even have put my love life (shock horror) to one side for this issue! dedication or shat... shit what am I saying ??? this ain't like me, but what the hell the groupies come first innit :]

And remember we may not be covering stuff like 0-day hacking tekniq's, but instead we are covering stuff that should be known. We are here to be an instrument for learning.

Also we are looking for a host that may be able to supply us with a shell acc. so that we may increase our amount of bots on our channel. This is due to takeovers from unknown parties.
May I add this is extremely stupid and irritating for all of us. Oblivion is a place to share and absorb information from many people and parties, we don't need ppl doing this kind of stubborn and stupid activity.

Also, more members in the chan would be v. much appreciated so if anyone has any free time just come and idle with us. We are v. much accepting of new peeps and always happy to chat about anything under the sun.

[Cyber0ptix - Yeah and it gives me something to do when I get b0red at work ;0) ]

Slider.

All we could do was gaze in stupefaction at our friends going to inevitable death...
- Reverend G. A. Pare, Chaplain, Glider Pilot Regiment, British 1st Airborne division, describing the division watching the third lift at Arnhem on September 19, 1944

----------------------------------------------

**********************************************
My Rant - Cyber0ptix
**********************************************

Hi, and welcome to issue 6 of 0blivion. Well who would believe we would still be around after half a year! Well we are and still getting good reviews and feedback although the articles have slowed down a lot ;o( This means that this issue may be quite a short one. So come on and let's get sending some articles in to make issue 7 the best ever.

So what has been happening this month? Well looks like BT's attempt at letting the UK have high speed 'always on' net connections using ADSL is going to be a big let down. They have just changed the contention ratio of the line from 50:1 to a ridiculous 80:1, this means that although you will have a maximum speed of 512k upload this could be used by a maximum of 80 people at once bringing it down to speeds the like of a 14,400 bps modem. Also rumours around the net make it out like it is going to be so port blocked that all you will be able to do is browse the web and send email. They aren't even allowing ICQ to work. Come on BT, get your finger out and give us what we need.
The UK is so far behind in internet technology we will still be using 56k modems in 10 years time if they don't get it right. Oh well looks like we will just have to wait for them to open up the local loop and get some competition in there and show them how it's done. But when the fuck is this going to happen?

Also another crack at BT for their pathetic unmetered product SurfTime. Well it would have been good but they just had to get involved with the data side of it and completely fuck it up. Instead of just giving out free 0844 numbers that route through to the ISP's hardware they decided to make these connect to the exchanges and then get routed through their data network to free up the voice network for calls. Great, a faster connection! Well you would have thought so, but the number of hops it takes to get through to your ISP's hardware is beyond a joke and puts ping rates to about 500. I have seen people having 15 hops till they even reach the ISP. ISDN is temperamental, and cos they have installed BT modems you get crap connection speeds.

SurfTime was also down for 17 hours last month when a fibre cable split. Oh well it's a routing network you would have thought, no need to worry. Well BT didn't think about building backup routes into the network and decided to leave it with a single point of failure, which resulted in no one being able to connect.

Well I think that is enough slating of BT, I'll probably be getting sued by them now. ;o)

Anyway so what else has been happening? Lotus Notes was broken wide open at Defcon 8 last weekend when information was released concerning the encryption method used to store passwords and how easy it was to crack them.

Another e-commerce site has been down this week. www.wollies.co.uk as their security was weak. The site has been taken down for a 'major security overhaul' which is expected to take 2 weeks. Come on, how long does it take if you had done it right in the first place.
Well that's my little rant over for another month, and as I said let's get some articles sent in from you the readers, it doesn't matter how long they are, or how technical, as long as they are of a good standard and an interesting read we will try and include them in the zine, just email them to me at cyberoptix@0blivion.org.

Also happening next weekend is DNSCON 2. Unfortunately I am unable to go due to work, but if anyone that goes can write a review for next month's issue we would be very grateful.

**********************************************
Getting the best Connection - Cyber0ptix
**********************************************

Well this is just a little text that I have written to help you all get the fastest connection to the net without any slowdown or connection problems. This is all basic stuff but this is bound to help out some people who aren't too sure on this.

As you all know getting a fast connection over the PSTN relies on many variables to ensure that everything is OK. So I am going to outline a few of the problems and how you can get round them.

1. Line Noise.

Most people tend to blame their ISP if they have a slow connection. Well you are connecting over a phone system which was not designed to give high speed data transfer. It may interest you to know that BT only guarantees a data connection up to 9600bps. Well what is the point in that in today's world with modem technology at 56k and the soon to be released V.92, which is only going to be any good if BT totally fuck up ADSL.

If you find that you are having random disconnects or slow connection speeds then it is time to get in touch with your telco. First off fone the fault department and ask them to check your line for noise. Tell them your number and the number that you are dialing, your ISP's. Ask them to run a full check between the two numbers. Also ask them to turn the gain up on your line as this will get you a better connection.

2. DACS!
So you thought you'd get a dedicated line for the internet and leave your other line so people can get in touch with you. So you get in touch with BT and ask them to install it. They come round and fit everything and you go to connect for the first time. You click connect and what do you see? 'Connected at 28,800bps'. What the fuck?

Well it looks like BT have DACS'ed you. This basically involves multiplexing your existing line to give you the ability to have two lines on one by splitting the bandwidth. This is fine for voice lines but when you want to use one of them for the internet it is a complete waste of time.

So what can you do? Not much if you have already had it installed. As I said earlier they only guarantee data connections up to 9600bps and are within their right to do this to your line. Try calling them and ask them to replace it with a 'real' line so you can get the connection speed you want. If they won't, refuse to pay and tell them to come and remove it.

Before you ask for a second line to be installed, tell them that you do not want a DACS box as you need the line for the internet and tell them to install a new line. This may be a problem as your exchange needs free space to add this free line, it also costs a lot more for BT to install the line so they may refuse and only offer you the DACS box. Do NOT bother as there is no point.

3. Networking Protocols.

Check through your networking protocols and make sure you have the latest updates installed. If you are running Windows go to Control Panel and click on Network. This will tell you what you have installed. As a bare minimum all you want is the following:

 Client for Microsoft Networks
 Dial Up Adaptor
 TCP/IP

You may have more installed for VPN support but this does not matter. If you are having problems with data transfer try removing TCP/IP, reboot, add it back in and then reboot again. This will reinstall the protocol stack and should solve your problems.
Remove all unwanted protocols such as IPX/SPX compatible and NetBEUI. Another problem is with Windows 98 which installs with 'Microsoft Family Logon' as default instead of Client for Microsoft Networks. Remove this immediately as it causes more problems than it solves. Replace it with Client for Microsoft Networks and reboot.

4. Dial Up Networking.

First off, with Windows 95 make sure you have upgraded to DUN 1.3, this will install the DUN with compatibility for 56k modems. Without this upgrade you will not get a good connection.

Next check your settings. My Computer > Dialup Networking, then right click on the icon you connect with and select properties. Make sure the number you are dialling is correct for your modem type. Some ISP's run different numbers for different technologies. If in doubt phone Tech Support or look on their website.

Next click 'Server Types'. Untick everything on this page except for the following:

 Use Software Compression
 TCP/IP

Click OK and reboot your machine.

5. Modem Drivers.

As with all hardware your modem has drivers installed to make it work. Make sure these are up to date by visiting your modem manufacturer's website and downloading the latest versions. Also see if they have a flash upgrade to update the 'Software' inside your modem.

And that's it, once you have made sure all this is correct you should enjoy the fastest connection for your modem/phone line quality.

Happy Surfing.

Cyber0ptix.

**********************************************
Application Programming Interfaces - Tango-Omega
**********************************************

Application programming interfaces (APIs) allow developers to write applications that can make use of TCP/IP services. The following sections provide an overview of the most common APIs for TCP/IP applications.

-- The Socket API

The socket interface is one of several application programming interfaces (APIs) to the communication protocols.
Designed to be a generic communication programming interface, it was first introduced by the 4.2BSD UNIX system. Although it has not been standardized, it has become a de facto industry standard.

The socket interface is differentiated by the services that are provided to applications: stream sockets (connection-oriented), datagram sockets (connectionless), and raw sockets (direct access to lower layer protocols) services.

A variation of the BSD sockets interface is provided by the Winsock interface developed by Microsoft and other vendors to support TCP/IP applications on Windows operating systems. Winsock 2.0, the latest version, provides a more generalized interface allowing applications to communicate with any available transport layer protocol and underlying network services, including, but no longer limited to, TCP/IP.

-- Basic Socket Calls

The following lists some basic socket interface calls. In the next section we see an example scenario of using these socket interface calls.

* Initialize a socket.

  FORMAT: int sockfd = socket(int family, int type, int protocol)

  Where:
  -* family stands for addressing family. It can take on values such as AF_UNIX, AF_INET, AF_NS, AF_OS2 and AF_IUCV. Its purpose is to specify the method of addressing used by the socket.
  -* type stands for the type of socket interface to be used. It can take on values such as SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, and SOCK_SEQPACKET.
  -* protocol can be UDP, TCP, IP or ICMP.
  -* sockfd is an integer (similar to a file descriptor) returned by the socket call.

* Bind (register) a socket to a port address.

  FORMAT: int bind(int sockfd, struct sockaddr *localaddr, int addrlen)

  Where:
  -* sockfd is the same integer returned by the socket call.
  -* localaddr is the local address the socket is bound to, supplied by the caller.
  Note that after the bind call, we now have values for the first three parameters inside our 5-tuple association:

  {protocol, local-address, local-process, foreign-address, foreign-process}

* Indicate readiness to receive connections.

  FORMAT: int listen(int sockfd, int queue-size)

  Where:
  -* sockfd is the same integer returned by the socket call.
  -* queue-size indicates the number of connection requests that can be queued by the system while the local process has not yet issued the accept call.

* Accept a connection.

  FORMAT: int accept(int sockfd, struct sockaddr *foreign-address, int *addrlen)

  Where:
  -* sockfd is the same integer returned by the socket call.
  -* foreign-address is the address of the foreign (client) process returned by the accept call.

  Note: this accept call is issued by a server process rather than a client process. If there is a connection request waiting on the queue for this socket connection, accept takes the first request on the queue and creates another socket with the same properties as sockfd; otherwise, accept will block the caller process until a connection request arrives.

* Request connection to the server.

  FORMAT: int connect(int sockfd, struct sockaddr *foreign-address, int addrlen)

  Where:
  -* sockfd is the same integer returned by the socket call.
  -* foreign-address is the address of the foreign (server) process to connect to, supplied by the caller.

  Note that this call is issued by a client process rather than a server process.

* Send and/or receive data.

  The read(), readv(), recv(), recvfrom(), send(sockfd, msg, len, flags) and write() calls can be used to receive and send data in an established socket association (or connection). Note that these calls are similar to the standard read and write file I/O system calls.

* Close a socket.

  FORMAT: int close(int sockfd)

  Where:
  -* sockfd is the same integer returned by the socket call.
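The calls listed above, run end to end in one process over loopback. This is an added example, not code from the original article; the names loopback_exchange and struct assoc, the bind to 127.0.0.1 with port 0, and the queue-size of 1 are assumptions made for illustration. It checks every return value, keeps the listener off external interfaces, and bounds the receive so the output buffer cannot be overrun.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* The 5-tuple association as the server side sees it (host byte order). */
struct assoc {
    int      protocol;
    uint32_t local_addr;
    uint16_t local_port;
    uint32_t foreign_addr;
    uint16_t foreign_port;
};

/* Sends msg from a client socket to a server socket and copies what the
 * server received into out (always NUL-terminated, never overrun).
 * Returns the number of bytes stored, or -1 if any call failed. */
int loopback_exchange(const char *msg, char *out, size_t outlen, struct assoc *a)
{
    int lfd = -1, cfd = -1, sfd = -1, rc = -1;
    struct sockaddr_in local, peer;
    socklen_t len;
    size_t mlen = strlen(msg), got = 0;
    ssize_t n;

    if (outlen == 0)
        return -1;

    /* socket(): fixes the protocol element of the association. */
    lfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (lfd < 0) goto done;

    /* bind(): the caller supplies the local address. Loopback only, so the
     * listener is not reachable from other hosts; port 0 lets the kernel pick. */
    memset(&local, 0, sizeof local);
    local.sin_family = AF_INET;
    local.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    local.sin_port = htons(0);
    if (bind(lfd, (struct sockaddr *)&local, sizeof local) < 0) goto done;
    len = sizeof local;
    if (getsockname(lfd, (struct sockaddr *)&local, &len) < 0) goto done;

    /* listen(): one pending connection may wait until accept() is issued. */
    if (listen(lfd, 1) < 0) goto done;

    /* Client side: socket() then connect() to the server's address. */
    cfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (cfd < 0) goto done;
    if (connect(cfd, (struct sockaddr *)&local, sizeof local) < 0) goto done;

    /* accept(): returns a new socket and fills in the foreign address. */
    len = sizeof peer;
    sfd = accept(lfd, (struct sockaddr *)&peer, &len);
    if (sfd < 0) goto done;

    /* send() on the client, then a bounded recv() loop on the server.
     * A stream has no message boundaries, so read until EOF or buffer full. */
    if (send(cfd, msg, mlen, 0) != (ssize_t)mlen) goto done;
    shutdown(cfd, SHUT_WR);
    while (got < outlen - 1) {
        n = recv(sfd, out + got, outlen - 1 - got, 0);
        if (n < 0) goto done;
        if (n == 0) break;
        got += (size_t)n;
    }
    out[got] = '\0';

    a->protocol = IPPROTO_TCP;
    a->local_addr = ntohl(local.sin_addr.s_addr);
    a->local_port = ntohs(local.sin_port);
    a->foreign_addr = ntohl(peer.sin_addr.s_addr);
    a->foreign_port = ntohs(peer.sin_port);
    rc = (int)got;
done:
    /* close(): release every descriptor on both success and failure paths. */
    if (sfd >= 0) close(sfd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return rc;
}

int main(void)
{
    char buf[64];
    struct assoc a;

    if (loopback_exchange("hello over loopback", buf, sizeof buf, &a) < 0) {
        perror("loopback_exchange");
        return 1;
    }
    printf("proto=%d local=%08x:%u foreign=%08x:%u data=\"%s\"\n", a.protocol,
           (unsigned)a.local_addr, (unsigned)a.local_port,
           (unsigned)a.foreign_addr, (unsigned)a.foreign_port, buf);
    return 0;
}
```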
-- An Example Scenario

As an example, consider the socket system calls for a connection-oriented protocol. Consider the previous socket system calls in terms of specifying the elements of the association:

*******************************************************************************
*                            * Protocol * Local Address,  * Foreign Address,  *
*                            *          * Local Process   * Foreign Process   *
*******************************************************************************
* connection-oriented server * socket() * bind()          * listen() accept() *
*******************************************************************************
* connection-oriented client * socket() * connect()                           *
*******************************************************************************
* connectionless server      * socket() * bind()          * recvfrom()        *
*******************************************************************************
* connectionless client      * socket() * bind()          * sendto()          *
*******************************************************************************

The above diagram shows Socket System Calls and Association.

The socket interface is differentiated by the different services that are provided. Stream, datagram, and raw sockets each define a different service available to applications.

* Stream socket interface (SOCK_STREAM): It defines a reliable connection-oriented service (over TCP for example). Data is sent without errors or duplication and is received in the same order as it is sent. Flow control is built-in to avoid data overruns. No boundaries are imposed on the exchanged data, which is considered to be a stream of bytes. An example of an application that uses stream sockets is the File Transfer Program (FTP).

* Datagram socket interface (SOCK_DGRAM): It defines a connectionless service (over UDP for example). Datagrams are sent as independent packets. The service provides no guarantees; data can be lost or duplicated, and datagrams can arrive out of order. No disassembly and reassembly of packets is performed.
  An example of an application that uses datagram sockets is the Network File System (NFS).

* Raw socket interface (SOCK_RAW): It allows direct access to lower layer protocols such as IP and ICMP. This interface is often used for testing new protocol implementations. An example of an application that uses raw sockets is the Ping command.

-- Remote Procedure Call (RPC)

Remote Procedure Call is a standard developed by Sun Microsystems and used by many vendors of UNIX systems.

RPC is an application programming interface (API) available for developing distributed applications. It allows programs to call subroutines that are executed at a remote system. The caller program (called client) sends a call message to the server process, and waits for a reply message. The call message includes the procedure's parameters and the reply message contains the procedure's results. RPC also provides a standard way of encoding data in a portable fashion between different systems called External Data Representation (XDR).

-- RPC Concept

The concept of RPC is very similar to that of an application program issuing a procedure call:

* The caller process sends a call message and waits for the reply.
* On the server side, a process is dormant awaiting the arrival of call messages. When one arrives, the server process extracts the procedure parameters, computes the results and sends them back in a reply message.

This is only a possible model, as the Sun RPC protocol doesn't put restrictions on the concurrency model. In the model above, the caller's execution blocks until a reply message is received. Other models are possible; for instance, the caller may continue processing while waiting for a reply, or the server may dispatch a separate task for each incoming call so that it remains free to receive other messages.

The remote procedure calls differ from local procedure calls in the following ways:

* Use of global variables as the server has no access to the caller program's address space.
* Performance may be affected by the transmission times.
* User authentication may be necessary.
* Location of server must be known.

Transport:

The RPC protocol can be implemented on any transport protocol. In the case of TCP/IP, it can use either TCP or UDP as the transport vehicle. The type of the transport is a parameter of the RPCGEN command. In case UDP is used, remember that this does not provide reliability, so it will be up to the caller program itself to ensure this (using timeouts and retransmissions, usually implemented in RPC library routines). Note that even with TCP, the caller program still needs a timeout routine to deal with exceptional situations such as a server crash.

The call and reply message data is formatted to the XDR standard.

RPC Call Message:

The RPC call message consists of several fields:

* Program and procedure numbers

  Each call message contains three fields (unsigned integers) that uniquely identify the procedure to be executed:

  -* Remote program number
  -* Remote program version number
  -* Remote procedure number

  The remote program number identifies a functional group of procedures, for instance a file system, which would include individual procedures such as read and write. These individual procedures are identified by a unique procedure number within the remote program. As the remote program evolves, a version number is assigned to the different releases.

  Each remote program is attached to an internet port. The number of this port can be freely chosen, except for the reserved well-known-services port numbers. It is evident that the caller will have to know the port number used by this remote program.

  Assigned program numbers:

  00000000 - 1FFFFFFF   defined by Sun
  20000000 - 3FFFFFFF   defined by user
  40000000 - 5FFFFFFF   transient (temporary numbers)
  60000000 - FFFFFFFF   reserved

* Authentication fields

  Two fields, credentials and verifier, are provided for the authentication of the caller to the service.
  It is up to the server to use this information for user authentication. Also, each implementation is free to choose the varieties of supported authentication protocols. Some authentication protocols are:

  -* Null authentication.
  -* UNIX authentication. The callers of a remote procedure may identify themselves as they are identified on the UNIX system.
  -* DES authentication. In addition to user ID, a timestamp field is sent to the server. This timestamp is the current time, enciphered using a key known to the caller machine and server machine only (based on the secret key and public key concept of DES).

* Procedure parameters

  Data (parameters) passed to the remote procedure.

RPC Reply Message:

Several replies exist, depending on the action taken:

-* SUCCESS: Procedure results are sent back to the client.
-* RPC_MISMATCH: Server is running another version of RPC than the caller.
-* AUTH_ERROR: Caller authentication failed.
-* PROG_MISMATCH: If program is unavailable or if the version asked for does not exist or if the procedure is unavailable.

For a detailed description of the call and reply messages, see RFC 1057 RPC: Remote Procedure Call Protocol Specification Version 2, which also contains the type definitions (typedef) for the messages in XDR language.

Portmap or Portmapper:

The Portmap or Portmapper is a server application that will map a program number and its version number to the Internet port number used by the program. Portmap is assigned the reserved (well-known service) port number 111. Portmap only knows about RPC programs on the host it runs on. In order for Portmap to know about the RPC program, every RPC program should register itself with the local Portmapper when it starts up.

The RPC client (caller) has to ask the Portmap service on the remote host about the port used by the desired server program.
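The call message fields and the Portmap lookup described above, as an added example that is not part of the original article: it encodes a Portmap GETPORT call in XDR (big-endian 32-bit words, per RFC 1057) and parses it back with the bounds and version checks a server should apply before trusting any field. The function and struct names are illustrative; the constants 100000/2/3 are the standard Portmap program, version and GETPORT procedure numbers, and the sample program number 0x20000001 is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { RPC_CALL = 0, RPC_VERSION = 2, AUTH_MAX_BODY = 400 };
enum { PMAP_PROG = 100000, PMAP_VERS = 2, PMAPPROC_GETPORT = 3 };
enum parse_rc { PARSE_OK, PARSE_TRUNCATED, PARSE_NOT_CALL,
                PARSE_RPC_MISMATCH, PARSE_BAD_AUTH };

struct rpc_call {
    uint32_t xid, prog, vers, proc, cred_flavor, verf_flavor;
    size_t   params_off;          /* offset of the procedure parameters */
};

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Program number ranges from the "Assigned program numbers" table. */
const char *prog_range(uint32_t prog)
{
    if (prog <= 0x1FFFFFFFu) return "defined by Sun";
    if (prog <= 0x3FFFFFFFu) return "defined by user";
    if (prog <= 0x5FFFFFFFu) return "transient";
    return "reserved";
}

/* Builds "which port serves (prog, vers) over prot?" with null authentication.
 * Returns the message length in bytes, or 0 if buf is too small. */
size_t build_getport(uint8_t *buf, size_t cap, uint32_t xid,
                     uint32_t prog, uint32_t vers, uint32_t prot)
{
    const uint32_t w[14] = {
        xid, RPC_CALL, RPC_VERSION,
        PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT,
        0, 0,                     /* credentials: null flavor, empty body */
        0, 0,                     /* verifier: null flavor, empty body */
        prog, vers, prot, 0       /* parameters; port is unused in a query */
    };
    size_t i;

    if (cap < sizeof w) return 0;
    for (i = 0; i < 14; i++) put32(buf + 4 * i, w[i]);
    return sizeof w;
}

/* Reads one credentials/verifier field without reading past len. */
static enum parse_rc read_auth(const uint8_t *buf, size_t len,
                               size_t *off, uint32_t *flavor)
{
    uint32_t blen;

    if (len - *off < 8) return PARSE_TRUNCATED;
    *flavor = get32(buf + *off);
    blen = get32(buf + *off + 4);
    *off += 8;
    if (blen > AUTH_MAX_BODY) return PARSE_BAD_AUTH;  /* RFC 1057 limit */
    blen = (blen + 3) & ~3u;                          /* XDR pads to 4 bytes */
    if (len - *off < blen) return PARSE_TRUNCATED;
    *off += blen;
    return PARSE_OK;
}

/* Validates the fixed header and both authentication fields of a call. */
enum parse_rc parse_call(const uint8_t *buf, size_t len, struct rpc_call *c)
{
    size_t off = 24;
    enum parse_rc rc;

    if (len < 24) return PARSE_TRUNCATED;
    c->xid = get32(buf);
    if (get32(buf + 4) != RPC_CALL) return PARSE_NOT_CALL;
    if (get32(buf + 8) != RPC_VERSION) return PARSE_RPC_MISMATCH;
    c->prog = get32(buf + 12);
    c->vers = get32(buf + 16);
    c->proc = get32(buf + 20);
    if ((rc = read_auth(buf, len, &off, &c->cred_flavor)) != PARSE_OK) return rc;
    if ((rc = read_auth(buf, len, &off, &c->verf_flavor)) != PARSE_OK) return rc;
    c->params_off = off;
    return PARSE_OK;
}

int main(void)
{
    uint8_t msg[64];
    struct rpc_call c;
    size_t n = build_getport(msg, sizeof msg, 1, 0x20000001u, 1, 6 /* TCP */);

    if (n == 0 || parse_call(msg, n, &c) != PARSE_OK) return 1;
    printf("call to prog %u vers %u proc %u, asking about %08x (%s)\n",
           (unsigned)c.prog, (unsigned)c.vers, (unsigned)c.proc,
           (unsigned)get32(msg + c.params_off),
           prog_range(get32(msg + c.params_off)));
    return 0;
}
```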
Normally, the calling application would contact Portmap on the destination host to obtain the correct port number for a particular remote program, and then send the call message to this particular port. A variation exists when the caller also sends the procedure data along to Portmap and then the remote Portmap directly invokes the procedure.

RPCGEN:

RPCGEN is a tool that generates C code to implement an RPC protocol. The input to RPCGEN is a file written in a language similar to C, known as the RPC language. Assuming that an input file named proto.x is used, RPCGEN produces the following output files:

* A header file called proto.h that contains common definitions of constants and macros
* Client stub source file, protoc.c
* Server stub source file, protos.c
* XDR routines source file, protox.c

-- Windows Sockets Version 2 (Winsock V2.0)

Winsock V2.0 is a network programming interface. It is basically a version of Berkeley Sockets adapted for Microsoft Windows operating systems with more functions and enhancements. The previous version of the Winsock API, Windows Sockets V1.1, is widely implemented. Therefore, Winsock V2.0 retains backwards compatibility with Winsock V1.1 but provides many more functions. One of the most significant aspects of Winsock V2.0 is that it provides a protocol-independent transport interface supporting various networking capabilities. Besides, Winsock V2.0 also supports the coexistence of multiple protocol stacks.

The new functions of Winsock V2.0 can be summarized as follows:

* Support for multiple protocols
* Protocol-independent name resolution
* Quality of Service
* Protocol-independent multicast and multipoint
* Overlapped I/O and event objects
* Socket sharing
* Layered service providers

The Winsock V1.1 architecture permits only one Dynamic Link Library (DLL), WINSOCK.DLL or WSOCK32.DLL, on a system at a time, which provides the Winsock API with a way to communicate with an underlying transport protocol.
This approach restricts the use of different types of Winsock implementations in conjunction with Winsock V1.1. For systems that have more than one network interface, this can become a hindrance. Winsock V2.0 provides a better solution to this problem. The new Winsock V2.0 architecture allows for simultaneous support of multiple protocol stacks, interfaces, and service providers.

-- SNMP Distributed Programming Interface (SNMP DPI)

SNMP defines a protocol that permits operations on a collection of variables. This set of variables is called the Management Information Base (MIB), and a core set of variables has previously been defined. However, the design of the MIB makes provision for extension of this core set. Unfortunately, conventional SNMP agent implementations provide no means for an end user to make new variables available. The SNMP DPI addresses this issue by providing a light-weight mechanism that permits end users to dynamically add, delete, or replace management variables in the local MIB without requiring recompilation of the SNMP agent. This is achieved by writing a so-called subagent that communicates with the agent via the SNMP DPI. It is described in RFC 1592.

The SNMP DPI allows a process to register the existence of a MIB variable with the SNMP agent. When requests for the variable are received by the SNMP agent, it will pass the query on to the process acting as a subagent. This subagent then returns an appropriate answer to the SNMP agent. The SNMP agent eventually packages an SNMP response packet and sends the answer back to the remote network management station that initiated the request. None of the remote network management stations have any knowledge that the SNMP agent calls on other processes to obtain an answer.

Communication between the SNMP agent and its clients (subagents) takes place over a stream connection. This is typically a TCP connection, but other stream-oriented transport mechanisms can be used. (As an example, the VM SNMP agent allows DPI connections over IUCV.)
The SNMP Agent DPI can:

* Create and delete subtrees in the MIB
* Create a register request packet for the subagent to inform the SNMP agent
* Create response packet for the subagent to answer the SNMP agent's request
* Create a TRAP request packet.

The following figure shows the flow between an SNMP agent and a subagent.

* The SNMP agent communicates with the SNMP manager via the SNMP protocol.
* The SNMP agent communicates with some statically linked-in instrumentation (potentially for the MIB II), which in turn talks to the TCP/IP layers and kernel (operating system) in an implementation-dependent manner.
* An SNMP sub-agent, running as a separate process (potentially on another machine), can set up a connection with the agent. The sub-agent has an option to communicate with the SNMP agent through UDP or TCP sockets, or even through other mechanisms.
* Once the connection is established, the sub-agent issues a DPI OPEN and one or more REGISTER requests to register one or more MIB subtrees with the SNMP agent.
* The SNMP agent responds to DPI OPEN and REGISTER requests with a RESPONSE packet, indicating success or failure.
* The SNMP agent will decode SNMP packets. If such a packet contains a Get or GetNext request for an object in a subtree registered by a sub-agent, it sends a corresponding DPI packet to the sub-agent. If the request is for a GetBulk, then the agent translates it into multiple DPI GETNEXT packets and sends those to the sub-agent. However, the sub-agent can request (in the REGISTER packet) that a GETBULK be passed to the sub-agent. If the request is for a Set, then the agent uses a 2-phase commit scheme and sends the sub-agent a sequence of SET/COMMIT, SET/UNDO or SET/COMMIT/UNDO DPI packets.
* The SNMP sub-agent sends responses back via a RESPONSE packet.
* The SNMP agent then encodes the reply into an SNMP packet and sends it back to the requesting SNMP manager.
* If the sub-agent wants to report an important state change, it sends a DPI TRAP packet to the SNMP agent which will encode it into an SNMP trap packet and send it to the manager(s).
* If the sub-agent wants to stop operations, it sends a DPI UNREGISTER and a DPI CLOSE packet to the agent. The agent sends a response to an UNREGISTER request.
* There is no RESPONSE to a CLOSE; the agent just closes the DPI connection. A CLOSE implies an UNREGISTER for all registrations that exist for the DPI connection being CLOSED.
* An agent can send DPI UNREGISTER (if a higher priority registration comes in or for other reasons) to the sub-agent. The sub-agent then responds with a DPI RESPONSE packet.
* An agent can also (for whatever reason) send a DPI CLOSE to indicate it is terminating the DPI connection.
* A sub-agent can send an ARE_YOU_THERE to verify that the connection is still open. If so, the agent sends a RESPONSE with no error, otherwise, it may send a RESPONSE with an error.

-- FTP API

The file transfer protocol (FTP) API is supplied as part of TCP/IP for OS/2. It allows applications to have a client interface for file transfer. Applications written to this interface can communicate with multiple FTP servers at the same time. It allows up to 256 simultaneous connections and enables third-party proxy transfers between pairs of FTP servers. Consecutive third-party transfers are allowed between any sequence of pairs of FTP servers. An example of such an application is FTPPM.

The FTP API tracks the servers to which an application is currently connected. When a new request for FTP service is requested, the API checks whether a connection to the server exists and establishes one if it does not exist. If the server has dropped the connection since last use, the API re-establishes it.

Note: The FTP API is not re-entrant. In a multithreaded program, the access to the APIs must be serialized.
For example, without serialization, the program may fail if it has two threads running concurrently and each thread has its own connection to a server. -- CICS Socket Interface Customer Information Control System (CICS) is a high-performance transaction-processing system. It was developed by IBM and has product implementations in MVS/ESA, MVS, VSE, OS/400, OS/2 and AIX/6000. CICS is the most widely used Online Transaction Processing (OLTP) system in the marketplace today. It provides a rich set of CICS command level APIs to the application transaction programs for data communications (using SNA) and database (using VSAM, IMS or DB2). Given the need for interoperability among heterogeneous network protocols, there is a requirement to enhance the CICS data communications interface to include support for TCP/IP in addition to SNA. The IBM Sockets Interface for CICS is a first step towards addressing this requirement. [ I am actually hoping to write a text on this next month, this is due to attending courses detailing this - Slider ] -- IMS Socket Interface The IMS socket interface is implemented in TCP/IP for OS/390 V2R5. The IMS to TCP/IP sockets interface allows you to develop IMS message processing programs that can conduct a conversation with peer programs in other TCP/IP hosts. The applications can be either client or server applications. The IMS to TCP/IP sockets interface includes socket interfaces for IBM C/370, assembler language, COBOL, and PL/I languages to use datagram (connectionless) and stream (connection-oriented) sockets. It also provides ASCII-EBCDIC conversion routines, an ASSIST module that permits the use of conventional IMS calls for TCP/IP communications, and a Listener function to listen for and accept connection requests and start the appropriate IMS transaction to service those requests. -- Sockets Extended The Sockets Extended information described here is related to the implementation in MVS only. 
Sockets Extended provides programmers writing in assembler language, COBOL, or PL/I with an application program interface that may be used to conduct peer-to-peer conversations with other hosts in the TCP/IP networks. You can develop applications for TSO, batch, CICS, or IMS using this API. The applications may be designed to be reentrant and multithreaded depending upon the application requirements. Typically server applications will be multithreaded while client applications might not be.

-- REXX Sockets

REXX sockets allow you to develop REXX applications that communicate over a TCP/IP network. Calls are provided to initialize sockets, exchange data via sockets, perform management activities, and close the sockets. The REXX Socket APIs are implemented in TCP/IP for MVS and OS/2.

That's about it for a v. basic text on how APIs work.

Tango-Omega Signing off.

----------------------------------------------

**********************************************
Windows 2000 File System Encryption - Kermit23
**********************************************

Windows 2000, or more specifically NTFS 5.0, features EFS, the Encrypted File System. It uses the code behind MS's CryptoAPI, which should allow for good clean crypto fun, though it appears to be essentially underdeveloped in the first release of Windows 2000. I haven't had a chance to take a look at the brand spanking new SP1 yet, so this may have changed.

- Where in the world is EFS.

EFS is built into the kernel, and integrated with NTFS 5, which should make for speedy use. On my celery 333, 192 megs ram it took about 1-1½ minutes to encrypt a 3.8 meg directory, and there was no perceptible access time hit. One of the strengths of EFS is also one of its most annoying features. The EFS driver is closest to the file system, running on top (basically) of NTFS. It communicates with the kernel IO manager, and the EFS service (part of the security services natch) outside of the kernel.
The EFS service deals with all the key management duties (the system using public key encryption, see below). The EFS driver also communicates with NTFS through the EFS File System Run Time Library (FSRTL). This packages and implements all the NTFS calls needed, guaranteeing that NTFS, and hence its permission system, is used at all times, in addition to the protection used by EFS. In fact, NTFS callouts are used exclusively for communication between the EFS driver and the FSRTL.

All the encryption keys are stored in the non paged pool, and hence not written to disk. This means that encrypted files can be messed about with in just about any way and remain encrypted, as all the move, copy and other calls are captured and dealt with by EFS, as long as the volume they are being, for example, moved to is also NTFS 5.0. This also works copying across networks, though the file will not be exactly the same as on the original machine, as a new key will be used on the new machine. This is also a pretty hard to avoid weakness, as if the file is copied to a non NTFS 5 volume, it will be stored unencrypted, as the user never gets to manipulate the encrypted version of the file. The same problem is experienced if a program makes a temp copy of a file on a non NTFS 5 volume.

I am fairly sure that in any procedure it is the EFS service that does the check of the certificate (of the public key), if it is invalid denying the user the ability to encrypt files. Decryption continues as long as the user has a valid private key.

- Using EFS.

Either when the user is created or when EFS is first used (I am not sure about this), a key pair is generated and signed by the signing authority (if one's about) or self signed if not. The advanced button on the general tab in the properties of a directory or file gives a nice little checkbox which allows you to encrypt or decrypt files (the decrypt on a permanent basis obviously, general use decryption being done automatically).
There is also a CLI program cipher which can do the same thing. NB There was talk of disabling the file option in the EFS whitepaper, so some betas of win2k may not have it, if you are still using one.

- Encryption Technologies.

EFS falls down in a pretty significant way with the strength of the encryption. The basic method is 128 bit DESX, but there is no way to change the strength or the algorithm, though this may appear in future versions and is supported by the CryptoAPI. The unfortunate thing however is the fact that all the intl. betas and possibly the intl. release versions of Windows 2000 were released with only 40 bit support (padded to 128 bit). This is seriously rubbish, but hopefully should be improved with a service pack now the crypto regulations in the US have been relaxed.

Coupled with this is RSA. The public key is used to encrypt the DES file key (MS-speak: FEK, File Encryption Key), and a list of all the FEKs is stored in a file attribute called the Data Decryption Field (DDF, shockingly). The private part of the key has the potential to be stored anywhere including a smart card (very cool), though it is usually kept in the CryptoAPI's "software based protected store".

The FEK is then also encrypted with a number (though not necessarily any, if you don't want to) of encryption keys from the recovery agent, from their X509 v3 certificate which is stored in the EDRA (Encrypted Data Recovery Agent). A list of these keys is stored in another file attribute, the Data Recovery Field (DRF). The private portions of these keys (incidentally) are supposed to be stored in a safe place as they are anticipated to be rarely used. If files are copied or moved, the temporary file is also encrypted while attributes are transferred.

- Data Recovery

It is necessary to have a Data Recovery policy set up as a group policy as EFS will not encrypt anything without it. The policy is simply any number (or none) of X509 certificates with a File Recovery key usage.
Since these are machine wide, the lowest level of policy is per computer. The administrator is a recovery agent (holder of a recovery private key) by default. For a policy defined over a group of computers, if the policy is 0 keys, EFS cannot be used; however, if there is no policy, EFS can be used on individual computers if set up with policies on each machine. If a recovery agent's certificate becomes invalid no further files can be encrypted, though decryption continues as normal.

- Weakness.

As I mentioned earlier, there is a problem with copying to a non NTFS 5 volume. Interestingly the white paper mentions that while cut and paste will retain file encryption, drag and drop will not. Though this may have been true in the beta stages, it has definitely been fixed on the release, and files will remain encrypted. However, knowing Microsoft it may be worth checking various releases in case the problem was "missed".

System files cannot be encrypted, and EFS will refuse to do so. The reason for this is that the private key is not loaded until log in, and therefore cannot be used to decrypt files which would probably be essential for boot. This applies to any file marked as a system file.

On the default set up the private key is loaded automatically, so the encryption is still down to a password, which is obviously a lot weaker than the random keys (depending on the randomness of the generator, though this is almost certainly still true). However, the private key does not have to be stored in this fashion, though I would suspect that in most cases, and almost all home use situations, the key will be stored in the default software cache. I do not know how secure the software cache is, as this could be another vulnerability.

Similar to this is the way EFS protects against crashes and disk full errors, by writing a plaintext version of the file to the disk before encryption, then deleting it once the write is confirmed.
A crash or software interruption at the right time could leave a plaintext version of the file open to be grabbed by traditional techniques for avoiding NTFS user attributes.

In the specifications, there is potential for encrypted files to be shared between various sets of users. This has not been implemented for the release version of Win2k, though it has been promised for a later version. The main reason for this is another weakness in the system, the fact that many "legacy" (ie not released tomorrow) applications do not support EFS in certain key features. This means that EFS and the CryptoAPI are not being used to their full potential. Even when more EFS aware applications exist, there may, and almost certainly will, be potential for penetration of the encryption by using software that does not take account of the encryption.

While the CryptoAPI in itself is ready to be used, other key features like back up and recovery are not finalised, or at least not in any easily accessible specification. This means programmers are less likely to implement various features, which increases both the time until EFS can be used fully and the chances of finding some way of breaking it via the old implementation.

Finally, the Indexing Service indexes the contents of a file for faster searching. Though this can be tuned with relation to what should be indexed, or disabled on a per file basis, in many cases I suspect this will not be used, leaving potentially valuable information in an easily accessible place.

Incidentally, there was an NT/Bugtraq post recently regarding encrypting the autoexec.bat to cause the system not to hang when it tried to read it. This would require access to the file, and if you have that access the same trick could be applied to several other system files. The weakness comes from the fact that the file is writable by Power Users, while the other system files are admin and SYSTEM only.
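The key layout from the Encryption Technologies and Data Recovery sections, together with the non NTFS 5 copy weakness, as an added toy model in Python; it is not Microsoft's code and not part of the original article. Textbook RSA over fixed primes and a SHA-256 keystream stand in for RSA and DESX, and every name here (KeyPair, efs_encrypt, copy_file, the sample key holders) is hypothetical.

```python
"""Toy model of the EFS key layout (FEK, DDF, DRF). Added example, constructed data."""
import hashlib
import secrets
from dataclasses import dataclass

E = 65537  # public exponent used by every toy key below


@dataclass
class KeyPair:
    """Textbook RSA built from fixed Mersenne primes: a stand-in for the RSA
    keys EFS obtains through CryptoAPI. Not secure (no padding, known primes)."""
    name: str
    p: int
    q: int
    cert_valid: bool = True

    def wrap(self, fek: bytes) -> int:
        """Public-key operation: encrypt the FEK for this key holder."""
        return pow(int.from_bytes(fek, "big"), E, self.p * self.q)

    def unwrap(self, blob: int) -> bytes:
        """Private-key operation: recover the FEK."""
        d = pow(E, -1, (self.p - 1) * (self.q - 1))
        return pow(blob, d, self.p * self.q).to_bytes(16, "big")


def stream_xor(fek: bytes, data: bytes) -> bytes:
    """Stand-in for DESX: XOR with a SHA-256 counter keystream (symmetric)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(fek + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)


@dataclass
class EncryptedFile:
    ciphertext: bytes
    ddf: dict  # Data Decryption Field: user name -> wrapped FEK
    drf: dict  # Data Recovery Field: recovery agent name -> wrapped FEK


class RecoveryPolicyError(Exception):
    """Raised when the recovery policy does not allow encryption."""


def efs_encrypt(plaintext, user, recovery_agents):
    if not recovery_agents:
        raise RecoveryPolicyError("policy holds 0 recovery keys: EFS cannot be used")
    if not user.cert_valid or not all(a.cert_valid for a in recovery_agents):
        raise RecoveryPolicyError("invalid certificate: no further encryption")
    fek = secrets.token_bytes(16)  # fresh random 128-bit file key per file
    return EncryptedFile(
        ciphertext=stream_xor(fek, plaintext),
        ddf={user.name: user.wrap(fek)},
        drf={a.name: a.wrap(fek) for a in recovery_agents},
    )


def efs_decrypt(efile, holder):
    """Decryption needs only a private key matching a DDF or DRF entry;
    certificate validity is not checked here, as the article describes."""
    blob = efile.ddf.get(holder.name, efile.drf.get(holder.name))
    if blob is None:
        raise PermissionError(f"{holder.name} has no entry in the DDF or DRF")
    return stream_xor(holder.unwrap(blob), efile.ciphertext)


def copy_file(efile, holder, dest_fs, recovery_agents):
    """Copies go through the driver, so the caller only ever handles plaintext."""
    plaintext = efs_decrypt(efile, holder)
    if dest_fs == "NTFS5":
        return efs_encrypt(plaintext, holder, recovery_agents)  # new FEK
    return plaintext  # any other file system: written out unencrypted


# Constructed key holders (names and primes are illustrative only).
ALICE = KeyPair("alice", 2**89 - 1, 2**107 - 1)
ADMIN = KeyPair("administrator", 2**61 - 1, 2**127 - 1)
SECRET = b"Q3 payroll figures (constructed sample data)"

if __name__ == "__main__":
    f = efs_encrypt(SECRET, ALICE, [ADMIN])
    print("user decrypts:     ", efs_decrypt(f, ALICE))
    print("recovery agent:    ", efs_decrypt(f, ADMIN))
    print("copy to FAT volume:", copy_file(f, ALICE, "FAT", [ADMIN]))
    try:
        efs_encrypt(SECRET, ALICE, [])
    except RecoveryPolicyError as err:
        print("empty policy:      ", err)
```

The model shows why the recovery agent's private key deserves the same protection as the user's: either one unwraps the FEK, and a copy to a non NTFS 5 destination returns the plaintext regardless of how the FEK was protected.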
There are several ways of avoiding the autoexec.bat problem, including setting the system attribute on autoexec.bat, and ignoring autoexec completely on boot (HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec = 0), but this problem should really be dealt with by having a properly configured EFS policy, and users with properly set up access restrictions.

Kermit23@raegunne.com

----------------------------------------------

**********************************************
The Andrew File System (AFS) - Slider
**********************************************

This is a small short text on AFS and a v. v. brief overview of its use.

The Andrew File System (AFS) is a distributed file system used in non-DCE environments. DCE DFS was based upon AFS, and the two file systems are similar in architecture. The latest version (AFS 3) has the following attributes:

* Single logical shared namespace
  Every AFS user shares the same uniform name space. File names are independent of both the user's and the file's physical locations. Groups of client and server machines are known as cells.

* Client caching
  Data is cached on client machines to reduce subsequent data requests directed at file servers, which reduces network and server loads. Servers keep track of client caches through callbacks, guaranteeing cache consistency without constant queries to the server to see if the file has changed.

* RPCs
  AFS uses its remote procedure call (RPC) reads and writes for efficient data transfer across the network.

* Security
  Kerberos-based authentication requires that users prove their identities before accessing network services. Once authenticated, AFS access control lists (ACLs) give individual users or groups of users varying levels of authority to perform operations on the files in a directory.

-- Replication

Replication techniques are used for file system reliability. Multiple copies of applications and data may be replicated on multiple file servers within a cell.
When accessing this information, a client will choose among the available servers. Replication also reduces the load on any particular server by placing frequently accessed information on multiple servers.

-- Management Utilities

Backup, reconfiguration and routine maintenance are all done without any system down time; files remain available to users during these operations. This is done by creating online clones of volumes (subsets of related files). AFS commands are RPC-based. Administrative commands can be issued by any authenticated administrator from any client workstation. System databases track file locations, authentication information and access control lists. These databases are replicated on multiple servers, and are dynamically updated as information changes.

Further information can be found at http://www.transarc.com/

Slider.

----------------------------------------------

**********************************************
Multiprotocol Transport Network (MPTN) - Slider
**********************************************

Multiprotocol transport networking (MPTN), developed by IBM, is an open architecture for:

* Mixed-protocol networking: running applications associated with one network protocol over different network protocols
* Network concatenation: connecting matching applications across networks of different protocols through gateways

- Requirements for Mixed-Protocol Networking

With the growth of networking in general and local area networks in particular, many large customer networks have become confederations of individual networks running different networking protocols. This heterogeneity has arisen for a number of reasons.
Some of these include: * Shift of customer interest away from selecting a particular networking architecture in favor of finding solutions to business problems, regardless of the specific network protocol required * Inter-enterprise information exchange requirement, for example, direct manufacturing, order placement, or billing systems * Company mergers requiring interconnection - MPTN Architecture Networking protocols generally provide three types of functions: * Transport * Naming and addressing * Higher level functions Transport functions are those that provide the basic facility for two partners to communicate, either through connections or in a connectionless manner through datagrams. Naming and addressing conventions define how entities are known and how they are to be found. The higher level functions include allocation of the connections to users and control of their use. Not all networking protocols support higher level functions. SNA and OSI do; TCP/IP and NetBIOS do not. MPTN separates transport functions from higher level functions and from the address formats as seen by the users of the protocol. Its goal is to allow any higher level protocol using the corresponding address structure to run over any transport function. The division of functions between transport and higher level was chosen because the transport level is the highest level at which there are common functions that can be reasonably mapped across protocols. At other levels the number of services is either too large or too small to provide a practical division. - MPTN Methodology MPTN architecture solves the above requirements by defining a new canonical interface to a set of transport services that concatenate connections across multiple networking protocols. When an application is written for a particular transport service, it may be written so that it makes assumptions about the particular transport service. Thus it may appear to be transport-specific in the services that it uses. 
For example, applications written to the NetBEUI interface may request a message be broadcast. In environments where a particular service is not natively supported over the underlying transport network, MPTN provides compensation. In essence though, MPTN frees up applications so that they are able to operate over different transport networks. Another way of thinking about this is that (in the OSI model) functions from the session layer up are users of transport services or transport users. These services are in turn provided by functions from the transport layer down. MPTN defines a boundary interface, called the transport-layer protocol boundary (TLPB), which clearly delineates this distinction between transport user and transport provider. - MPTN Major Components MPTN functions appear in four types of nodes: * MPTN Access Node An MPTN access node contains the transport-layer protocol boundary (TLPB), which provides a semantic interface so that higher level protocols or application interfaces written for a particular transport protocol can be transported over another protocol with no apparent change. Such a node can run application programs independent of the underlying transport network and can run application programs on different underlying transport networks. The applications in the MPTN access node are generally written to an existing application programming interface (API). The API uses the functions of the native communications protocol. When transport-level MPTN functions are accessed, the API will be converted to access these functions instead of the native communication protocol, while keeping the same interface to the application program. For example, the NetBEUI application interface is written to use the NetBIOS communications protocol. To use another protocol stack below the transport layer, the NetBEUI API must be made to invoke the MPTN functions. 
After this is done, all programs using NetBEUI on this MPTN access node can communicate via, for example, SNA, TCP/IP, OSI and other protocols, with another NetBEUI application within the MPTN network. All this is possible without the original application program requiring any change. * MPTN Address Mapping Server Node An address mapping server node is an MPTN node with a special function that provides a general address mapping service to the address mapping client component of other MPTN nodes, access or gateway, connected to the same transport provider network. * MPTN Multicast Server Node A multicast server node is an MPTN node with a special function, the multicast server, which manages multicast and broadcast distribution of datagrams in networks that do not provide the service as a natural consequence of their design. For example, a NetBIOS transport network is designed to support multicast distribution of datagrams while an SNA network is not. The multicast server operates in cooperation with the address mapping server to provide a multicast service where this capability does not exist within the services offered by the transport network. * MPTN Gateway Node An MPTN gateway connects two transport networks to provide an end-to-end service over both of them for one or more transport user protocols. There are two types of gateways, nonnative-to-nonnative, with respect to the supported transport user protocol, and native-to-nonnative, with respect to the supported transport user protocol. In the case of nonnative-to-native one of the transport providers connected to the gateway node is native to the transport user. This type of gateway allows access to an end node that has no MPTN function. When one side is native, the MPTN protocol (of the nonnative side) terminates in the gateway. Slider. 
----------------------------------------------

**********************************************
News - 0blivion.org + Net-security.org
**********************************************

Net-Sec newsletter
Issue 22 - 17.07.2000
http://net-security.org

Net-Sec is a newsletter delivered to you by Help Net Security. It covers weekly roundups of security events that were in the news the past week. Visit Help Net Security for the latest security news - http://www.net-security.org.

General security news
---------------------

----------------------------------------------------------------------------

US MAY ANNOUNCE NEW ENCRYPTION RULES
Following closely on the heels of the European Union's relaxing of export and encryption controls, William Reinsch, head of the Commerce Department's Bureau of Export Administration said today that the US was prepared to announce similar regulations in an effort to keep US companies competitive with foreign manufacturers.
Link: http://www.computeruser.com/news/00/07/11/news13.html

DEFEATING OPENHACK
Austrian hacker Alexander Lazic received $500 award for exploiting MiniVend, e-commerce storefront package on OpenHack.com. BTW MiniVend had about a million downloads, so there are a lot of vulnerable e-commerce sites out there. ZDNet's article describes the hack.
Link: http://www.zdnet.com/zdnn/stories/news/0,4586,2600258,00.html

FBI SYSTEM COVERTLY SEARCHES E-MAIL
The U.S. Federal Bureau of Investigation is using a superfast system called Carnivore to covertly search e-mails for messages from criminal suspects. Contributed by Jonathan.
Link: http://www.zdnet.com/zdnn/stories/news/0,4586,2601502,00.html

AN INTRODUCTION TO PGP
In today's busy world of online communication and transaction thousands of messages consisting of sensitive data are sent across the Internet daily. Do you want everyone looking at your email? Is the encryption of email really necessary? Undoubtedly.
Link: http://www.ironboxtech.com/articles/neurality/intropgp.shtml MICROSOFT FIXING NEW EXCEL BUG Microsoft said it is working to close a security hole in its Excel spreadsheet program that could open computers to attack while bypassing warning systems. Link: http://www.net-security.org/text/bugs/963357077,83705,.shtml Link: http://news.cnet.com/news/0-1005-200-2247443.html?dtn.head MAN ARRESTED FOR PENETRATING INTO NASA SERVERS A 20-year-old man was arrested Wednesday for allegedly breaking into two computers owned by NASA's Jet Propulsion Laboratory, and different counts of stealing credit card and penetrating other systems. Link: http://dailynews.yahoo.com/h/nm/20000712/tc/crime_hacker_dc_1.html ISPS BITE BACK AT CARNIVORE Internet-service providers and privacy advocates are concerned about the implications of a new electronic surveillance system devised by the Federal Bureau of Investigation, with some providers vowing to resist if they are asked to install it on their networks. Link: http://www.zdnet.com/zdnn/stories/news/0,4586,2602200,00.html KEVIN MITNICK ALLOWED BACK ONLINE Mitnick's federal probation officer informed him this week that he could pursue some computer-related work. Among the jobs approved: writing for Steven Brill's online magazine Contentville, speaking in Los Angeles on computer security, consulting on computer security, and consulting for a computer-related TV show. Link: http://news.cnet.com/news/0-1005-200-2250843.html KASPERSKY LAB WARNS OVER JULY 14 SMASH VIRUS The Russian antivirus specialist, says that the Win95 Smash virus, which first surfaced in late April, could cause problems for PC Windows users when it triggers on July 14. Link: http://www.computeruser.com/news/00/07/14/news20.html NMAPNT FROM EEYE DIGITAL SECURITY "nmap has various options to perform stealth scans, ping scans, UDP scans, as well as a whole handful of other scan types. nmap also has the ability to remotely fingerprint an IP address. 
Basically what that means is by sending various queries to a remote IP address, and reading the responses, nmap can determine if the remote IP address is running a certain operating system or maybe it is a router or network printer. In fact, nmap's database of fingerprints has over 500 unique fingerprints in it."
Link: http://www.eeye.com/html/Databases/Software/nmapnt.html

EXCITE USER BLOCKED FROM JPL WEB SITES
After several attempted break-ins from Excite @ Home subscribers, technicians at the Jet Propulsion Lab quietly blocked access to some of its Web sites to all Excite subscribers.
Link: http://www.msnbc.com/news/432831.asp?cp1=1

E-SECURITY CHALLENGE
From Secure Computing: "We are launching Secure's e-Security Challenge at Blackhat and will run it for the duration of 60 days thereafter. Secure's e-Security Challenge lets you test your wit and skills...and if you're good enough, you might even win $10,000 US Dollars!"
Link: http://www.net-security.org/phorum/read.php?f=2&i=11&t=11

ANTI-MILOSEVIC DEFACEMENT
Three days ago, the web site of Serbian pro-government magazine "Politika" was defaced with a false message that Serbian president Slobodan Milosevic was killed by a bomb detonation.
Link: http://www.active-security.org/images/1207_b_politika.gif

EFF BRIEFING
EFF, in conjunction with H2K Conference, held a briefing about the latest information on the case, and an in-depth look at the issues surrounding the first trial brought under the controversial DMCA.
Link: http://www.eff.org/pub/Intellectual_property/Video/dvd_briefing_release.html

CDC AT HOPE2K
Oxblood Ruffin announced that he had personally recruited a group of six programmers (Mixter and BroncBuster were mentioned in the article) to work on a project to stop censored Internet in some countries.
Link: http://dailynews.yahoo.com/h/zd/20000716/tc/cult_of_the_dead_cow_s_bizarre_theater_1.html

PENENBERG IS LEAVING FORBES
Adam Penenberg, who always did great articles on the computer underground, says he's leaving his job because Forbes magazine won't support his refusal to testify before a federal grand jury.
Link: http://www.washingtonpost.com/wp-dyn/style/columns/medianotes/A54672-2000Jul16.html

----------------------------------------------------------------------------

Security issues
---------------

All vulnerabilities are located at: http://net-security.org/text/bugs

----------------------------------------------------------------------------

EXCEL 2000 VULNERABILITY - EXECUTING PROGRAMS
Excel 2000/Windows 98 (suppose other versions are also vulnerable, have not tested) allows executing programs when opening an Excel Workbook (.xls file). This may also be exploited through IE or Outlook. This may lead to taking full control over the user's computer.
Link: http://www.net-security.org/text/bugs/963357077,83705,.shtml

APACHE::ASP HOLE FIXED
Apache::ASP had a security hole in its ./site/eg/source.asp distribution examples file, allowing a malicious hacker to potentially write to files in the directory local to the source.asp example script.
Link: http://www.net-security.org/text/bugs/963357248,90975,.shtml

BIG BROTHER VULNERABILITY
The problem exists in the code where $HOSTSVC does not do authenticity checking for its assigned variable. All files could be snatched just with a browser.
Link: http://www.net-security.org/text/bugs/963357356,65475,.shtml

NETSCAPE ADMINISTRATION SERVER PASSWORD DISCLOSURE
The administration server is installed when you first install SuiteSpot server. For remote logon, it authenticates by validating the password prompt input with the administration server password file. This password file is kept in a local directory within the SuiteSpot server.
Link: http://www.net-security.org/text/bugs/963135822,65666,.shtml FEARTECH FTP BROWSER PROBLEM FTP Browser allows you to display a html enhanced directory listing, which is great for managing your ftp files. FTP Browser can also be used for downloading password files. Link: http://www.net-security.org/text/bugs/963578519,23215,.shtml "ABSENT DIRECTORY BROWSER ARGUMENT" PROBLEM PATCHED Microsoft has released a patch that eliminates two security vulnerabilities in Microsoft Internet Information Server. In sum, the vulnerabilities could allow a malicious user to stop the web server from providing useful service, or to extract certain types of information from it. Link: http://www.net-security.org/text/bugs/963664473,69872,.shtml "THE IE SCRIPT" VULNERABILITY PATCHED Microsoft has released a patch that eliminates a security vulnerability in Microsoft Office 2000 (Excel and PowerPoint) and in PowerPoint 97. Microsoft has also documented a workaround that prevents the use of Microsoft Access to exploit a vulnerability in Internet Explorer. A patch for the latter vulnerability will be available soon and we will have an update to this bulletin. Link: http://www.net-security.org/text/bugs/963664619,71371,.shtml [MANDRAKE] CVSWEB UPDATE Cvsweb contains a hole that provides attackers who have write access to a cvs repository with shell access. Thus, attackers who have write access to a cvs repository but not shell access can obtain a shell. In addition, anyone with write access to a cvs repository that is viewable with cvsweb can get access to whatever user the cvsweb cgi script runs as (typically nobody or www-data, etc.). This update closes all of these possibly exploited pipe-opens. 
Link: http://www.net-security.org/text/bugs/963664736,92640,.shtml ---------------------------------------------------------------------------- Security world -------------- All press releases are located at: http://net-security.org/text/press ---------------------------------------------------------------------------- AGREEMENT ON DEBIT CARD FRAUD PROTECTION SERVICE - [10.07.2000] NYCE Corporation and MasterCard International have signed an agreement to bring enhanced neural network fraud prediction services to MasterMoney issuers that are processed by NYCE. The service, called RiskFinder , is a neural network system developed by MasterCard and HNC Software. RiskFinder uses HNC's patented neural network modeling technology while leveraging the MasterCard Banknet global transaction processing network to predict and, ultimately, help to reduce fraud losses associated with credit and offline debit cards. Press release: < http://www.net-security.org/text/press/963246513,23242,.shtml > ---------------------------------------------------------------------------- ENTRUST/TRUEPASS WEB SECURITY SOLUTION AVAILABLE - [10.07.2000] Entrust Technologies Inc. (NASDAQ: ENTU), a global leader in solutions that bring trust to e-business, announced today the commercial availability of Entrust/TruePass, web security solution, a new product to enhance its market-leading public-key infrastructure (PKI) portfolio of solutions, which began shipping to customers during the last week in June. Press release: < http://www.net-security.org/text/press/963246890,86727,.shtml > ---------------------------------------------------------------------------- RAINBOW ADDS NEW FEATURES TO SENTINELSUPERPRO 6.0 - [10.07.2000] Rainbow Technologies, a leading provider of high-performance security solutions for the Internet, eCommerce and software protection, today announced new upgrades to the company's flagship Sentinel software protection product family. 
The new SentinelSuperPro 6.0 significantly improves the ease-of-use and rapid deployment while maintaining powerful levels of security and software protection. SentinelSuperPro 6.0 provides users with a new graphical user interface, which is more intuitive and instructional. This makes implementing security into a customer's software application as simple as possible.
Press release: < http://www.net-security.org/text/press/963247005,78506,.shtml >

----------------------------------------------------------------------------

INSURANCE FOR E-COMMERCE AND INTERNET SECURITY - [10.07.2000]
Counterpane Internet Security today announced that its clients and their customers will be able to purchase insurance policies to protect against loss of revenues and information assets caused by Internet and e-commerce security breaches. The first of its kind, this new insurance program from Lloyd's of London was arranged by leading insurance brokers Frank Crystal & Co. and SafeOnline and offers up to $100 million in coverage.
Press release: < http://www.net-security.org/text/press/963247191,59797,.shtml >

----------------------------------------------------------------------------

AXENT'S NETPROWLER WINS AT NETWORKS TELECOM 2000 - [10.07.2000]
AXENT Technologies, Inc., one of the world's leading Internet security solutions providers for e-business, announced today that its network-based intrusion detection solution, NetProwler, part of its ProwlerIDS Series, won Network Telecom 2000's "Security Monitoring Product of the Year" award, presented by Network News magazine. To win the award, NetProwler defeated competitors such as Network Associates, Inc.'s CyberCop Scanner, and Internet Security System, Inc.'s Real Secure, among others.
Press release: < http://www.net-security.org/text/press/963247286,56322,.shtml >

----------------------------------------------------------------------------

IDENTIX LAUNCHES WIRELESS INTERNET SECURITY BUSINESS - [12.07.2000]
Identix Inc.
announced the launch of a new secure-transaction service, itrust, which will operate as a new division of Identix. In conjunction with the launch, Motorola announced that it has invested $3.75 million in Identix through the company's global, strategic venture capital investment arm, One Motorola Ventures. itrust is one of the first security service solutions designed to offer secure biometric authenticated transaction services for the Internet and wireless Web e-commerce marketplace through a server-based security infrastructure.
Press release: < http://www.net-security.org/text/press/963358016,72875,.shtml >

----------------------------------------------------------------------------

VIREX RECEIVES HIGH RATINGS FROM MACWORLD - [12.07.2000]
McAfee Retail Software, a division of Network Associates, today announced that its Dr. Solomon's Virex software received a four out of five rating in a recent review by Macworld. The rating is higher than any other anti-virus software product, including Norton AntiVirus, which received a three out of five rating. The Virex product was commended for its sophisticated virus update and scheduling features as well as its new, streamlined interface.
Press release: < http://www.net-security.org/text/press/963437149,41361,.shtml >

----------------------------------------------------------------------------

SECURE ONLINE ELECTRONIC DOCUMENT DELIVERY - [12.07.2000]
CertifiedMail.com, the premier provider of secure Internet and wireless document delivery and BizProLink.com, an Internet Business Service Provider Network supporting the daily needs of businesses within 124 industry sectors, today announced that they have signed a strategic partner agreement. Together, BizProLink.com and CertifiedMail.com will offer businesses direct access to secure electronic document delivery solutions without the need to download any special software.
Press release: < http://www.net-security.org/text/press/963437517,84790,.shtml >

----------------------------------------------------------------------------

SECURE EPAYMENT SOLUTIONS FOR WIRELESS E-COMMERCE - [12.07.2000]
Trintech Group PLC, a leading provider of secure electronic payment infrastructure solutions, and Visa International, today announced a strategic partnership to jointly develop the next generation of ePayment solutions to speed the global adoption of secure mobile commerce. The alliance follows Trintech's announcement today of the launch of PayWare mAccess, the company's secure payment solution designed specifically for mobile devices, as well as a strategic collaboration with Phone.com. PayWare mAccess allows for "one touch" payment and real time authentication of user while shopping using mobile phones and other non-PC devices.
Press release: < http://www.net-security.org/text/press/963437700,17134,.shtml >

----------------------------------------------------------------------------

BLUE LANCE RELEASES LT AUDITOR+ 7.0 - [14.07.2000]
Blue Lance Inc., one of the leading network security software companies in the country, has announced the newest release of its popular program designed especially for use on the Microsoft NT and Windows 2000 platforms, LT Auditor+ 7.0 for NT. The program is significantly more robust in its features and functionality than any of its predecessors. It gives users greater flexibility in structuring security alerts, increases options and control of rights and access and, in general, provides a greater level of security for all assets managed and protected by computers.
Press release: < http://www.net-security.org/text/press/963578674,72424,.shtml >

----------------------------------------------------------------------------

Net-Sec newsletter
Issue 23 - 24.07.2000
http://net-security.org

Subscribe to this weekly digest on:
http://www.net-security.org/text/newsletter

General security news
---------------------

----------------------------------------------------------------------------

NEW ENCRYPTION REGULATIONS
The Clinton administration today said it plans to change laws governing the export of powerful encryption technologies to allow export of all information-scrambling products to any end user in the European Union and to eight other trading partners.
Link: http://www.computeruser.com/news/00/07/18/news12.html
Link: http://www.wired.com/news/politics/0,1283,37617,00.html

WHEN HACKING IS GUESSING
A survey by credit card giant Visa has found that 67% of passwords chosen to protect information are easy to guess names or numbers. It revealed that the majority of people choose their birth date, nickname or favourite sports team as a password.
Link: http://news.bbc.co.uk/hi/english/sci/tech/newsid_837000/837802.stm

THE BIOMETRIC CONSORTIUM 2000 CONFERENCE
"In addition to the speakers and panel sessions, over fifteen Supporting Organizations will have exhibits and demonstrations available. The Conference is open to the Biometric Consortium members and to the general public. We are very pleased to announce that Stephen Walker, a widely recognized expert and leader in information security technology and policy, is scheduled to deliver the opening address."
Link: http://www.nist.gov/itl/div895/isis/bc/bc2000/

"CARNIVORE" AND OTHER CYBERSNOOP PROGRAMS
In what may be the first request of its kind, the American Civil Liberties Union is asking the Federal Bureau of Investigation to disclose the computer source code and other technical details about its new Internet wiretapping programs.
In a Freedom of Information Act (FOIA) request sent today to the FBI, the ACLU is seeking all agency records related to the government e-mail "cybersnoop" programs dubbed Carnivore, Omnivore and Etherpeek, including "letters, correspondence, tape recordings, notes, data, memoranda, email, computer source and object code, technical manuals, [and] technical specifications."
Link: http://www.aclu.org/news/2000/n071400a.html

ERIC CORLEY FACES PIRACY TEST CASE
A court case pitting Hollywood against Eric Corley has started in the US, in what is being seen as a test case against alleged digital piracy. Movie giants including Disney, Universal and Paramount, accuse Eric Corley (aka Emmanuel Goldstein) of posting links to software on his website, allowing users to break the copy protection system on digital video discs.
Link: http://news.bbc.co.uk/hi/english/sci/tech/newsid_839000/839609.stm

POWERGEN IN SECURITY SCANDAL
UK utility, Powergen, has admitted to a massive security breach that left the debit card details of thousands of customers open to a potential multimillion pound fraud. The security hole was discovered by a Powergen customer and silicon.com viewer, John Chamberlain, when he went to the company's site to pay his bill online. Chamberlain - an IT manager - said he was surprised to discover three files on the web server, containing the names, addresses and card details of more than 7,000 home and business users, including his own.
Link: http://www.silicon.com/public/door?REQUNIQ=963958275&6004REQEVENT=&REQINT1=38650&REQSTR1

BUREAU NAMES NEW eFBI CHIEF
The FBI has named a new assistant director to oversee the design and launch of eFBI, a recently renamed and resurrected program that will give bureau agents the ability to share and sift through information via the World Wide Web.
Link: http://www.fcw.com/fcw/articles/2000/0717/web-efbi-07-18-00.asp

STAGES IS YET UNKNOWN? NOT.
Malaysian The Star magazine has an article on viruses that were sent through the State Department's office of public mailing list. The reporter writes that the e-mails have "life stages" written in the subject line, and to him it is a "yet unknown virus which can destroy a computer's hard drive". Of course, the Stages worm has been known to all of us for a while.
Link: http://thestar.com.my/tech/story.asp?file=/2000/7/18/technology/hacksum18&sec=technology
Link: http://net-security.org/text/viruses/962240637,93160,.shtml

MY EXPERIENCE WITH BEING CRACKED
"I emailed my findings to the systems admin and the owner of the ISP, including the backdoor password and how to use it, with the suggestion that they should backup everything, wipe the machine, and load a current version of Red Hat (6.0 at the time) with the latest patches. They replied that they would look into it."
Link: http://www.rootprompt.org/article.php3?article=678

PENENBERG'S LETTER
Black Market Enterprises published a copy of Adam Penenberg's letter of resignation to Forbes' owner, Tim Forbes.
Link: http://www.b-m-e.com/features.411.forbes_penenberg_doj.html#letter

ANOTHER BRICK IN THE WALL
Brian Martin from Attrition did another great article entitled "Another brick in the wall - Fighting a losing battle on the front lines of security".
Link: http://www-4.ibm.com/software/developer/library/su-wall.html

FIRST AUTOCAD VIRUS FOUND
Kaspersky Lab, an international anti-virus software development company, announces the discovery of the first computer virus that affects the world's most popular PC-based design software, AutoCAD.
Link: http://www.net-security.org/text/viruses/autocad.shtml

BT UNDER DoS ATTACKS
"This is my payback to BT for ripping this country off. I'm tired of being cut off the net at 12 just because I have a cable line here's my payback :\," - said someone in an e-mail message sent to The Register staff.
Link: http://www.theregister.co.uk/content/6/12097.html

MESSAGING RIVALS CALL AOL ON PRIVACY, SECURITY ISSUES
A group of America Online's instant messaging rivals accused the Internet giant of using inflated security and privacy concerns to stall progress on technology standards that would allow its services to work with those of competitors.
Link: http://news.cnet.com/news/0-1005-200-2312096.html

'NEW BREED' DROWNING OUT HACKER CULTURE?
Weld Pond, a research scientist working with the security firm @Stake Inc., talks about script kiddies and their numbers compared to those who actually have the hacking skills to find the vulnerabilities in a supposedly secure system.
Link: http://www.zdnet.com/zdnn/stories/comment/0,5859,2605327,00.html

MORE ON SPAM
This time Louis Trager from Inter@ctive Week did yet another rant on spam, entitled "Spam, Spam, Baloney And Spam".
Link: http://mcafee.snap.com/main/page/pcp/cd/0,85,-1713-1517323-413516,00.html

LINUX DISTRIBUTION SECURITY REPORT
How are the various Linux distributions doing in terms of general security?
Link: http://www.securityportal.com/cover/coverstory20000724.html

----------------------------------------------------------------------------

Security issues
---------------

All vulnerabilities are located at:
http://net-security.org/text/bugs

----------------------------------------------------------------------------

ROXEN SECURITY ALERT
Roxen 2.0 up to version 2.0.68 has a vulnerability where URLs containing null characters can give the person browsing access to information he is not authorized to see.
Link: http://www.net-security.org/text/bugs/964399028,33871,.shtml

[MANDRAKE] INN UPDATE
A vulnerability exists when verifycancels is enabled in /etc/news/inn.conf. This vulnerability could be used to gain root access on any system with inn installed. This new version also does not install inews as setgid news or rnews as setuid root. Many other security paranoia fixes have been made as well.
Link: http://www.net-security.org/text/bugs/964398854,44315,.shtml

"PERSISTENT MAIL-BROWSER LINK" VULNERABILITY
Microsoft has released a patch that eliminates a security vulnerability affecting Microsoft Outlook Express. The vulnerability could allow a malicious user to send an email that would "read over the shoulder" of the recipient as he previews subsequent emails in Outlook Express.
Link: http://www.net-security.org/text/bugs/964176207,44621,.shtml

UPDATED PATCH FOR "MALFORMED E-MAIL HEADER" PROBLEM
On July 18, 2000, Microsoft released the original version of this bulletin, to advise customers of the issue and recommend that they install either of the two service packs that will eliminate the vulnerability. On July 20, 2000, the bulletin was updated to announce the availability of patches that eliminate the vulnerability.
Link: http://www.net-security.org/text/bugs/964176103,14653,.shtml

O'REILLY WEBSITE PROFESSIONAL OVERFLOW
The indexing utility webfind.exe distributed with O'Reilly WebSite Professional contains an unchecked buffer allowing for the remote execution of arbitrary code on vulnerable hosts.
Link: http://www.net-security.org/text/bugs/964141648,97231,.shtml

[@STAKE] IKEY 1000 PROBLEMS
Rainbow Technologies' iKey 1000 (http://ikey.rainbow.com) is a portable USB (Universal Serial Bus) smartcard-like device providing authentication and digital storage of passwords, cryptographic keys, credentials, or other data. Using the legitimate user's PIN number and the physical USB key, access to the public and private data within the key will be granted. The iKey also allows administrator access using the MKEY (Master Key) password. Administrator access to the iKey, normally used for initialization and configuration, will allow all private information stored on the key to be accessed.
Link: http://www.net-security.org/text/bugs/964141537,67366,.shtml

HP JETDIRECT - INVALID FTP COMMAND DOS
If you connect to the ftp service on your HP printer and send it the following string:
quote AAAAAAAAAAA <cr>
The printer crashes. It may require that you turn the power off and on again to get the printer to work again. The display will show an error message similar to this: 86:0003 (the bit after the colon seems to vary a bit, we've also gotten :0004, :000B).
Link: http://www.net-security.org/text/bugs/964103346,59356,.shtml

REMOTELY EXPLOITABLE BUFFER OVERFLOW IN OUTLOOK
The vulnerability could enable a malicious sender of an e-mail message with a malformed header to cause and exploit a buffer overrun on a user's machine. The buffer overrun could crash Outlook Express, Outlook e-mail client, or cause arbitrary code to run on the user's machine.
Link: http://www.net-security.org/text/bugs/964100872,57148,.shtml

----------------------------------------------------------------------------

Security world
--------------

All press releases are located at:
http://net-security.org/text/press

----------------------------------------------------------------------------

SYMANTEC'S WEB SUPPORT NAMED ONE OF THE BEST - [17.07.2000]
Symantec Corp. today announced that for the third consecutive year, the company's technical support Web site, has been selected as one of the year's ten best online Web support sites by the Association of Support Professionals, an international organization dedicated to the advancement of the technical support profession.
Press release: < http://www.net-security.org/text/press/963845931,19665,.shtml >

----------------------------------------------------------------------------

AXENT TO SECURE NOKIA WAP SERVER - [17.07.2000]
AXENT Technologies, Inc., one of the world's leading Internet security solutions providers for e-business, announced that customers worldwide can leverage Enterprise Security Manager, AXENT's market-leading security assessment solution, to help secure the Nokia wireless application protocol (WAP) server. Like all servers, the Nokia WAP server, which provides the content for wireless devices such as cell phones, personal data assistants, and laptops, can be compromised through vulnerabilities in their operating systems. Now with ESM, companies can find and secure these vulnerabilities, and be assured of the security and availability of the WAP server providing the wireless content.
Press release: < http://www.net-security.org/text/press/963846068,8460,.shtml >

----------------------------------------------------------------------------

PC-CILLIN 2000 ACHIEVES ICSA CERTIFICATION FOR W2K - [17.07.2000]
Trend Micro Inc., a leader in enterprise and personal antivirus and content security for the Internet age, today announced that its consumer desktop antivirus software, PC-cillin(R) 2000, has been granted ICSA Certification by the Anti-Virus Product Developers Consortium. Antivirus product certification testing was recently revised to include products that protect the Windows 2000 operating system. To achieve ICSA Anti-Virus Certification, products are tested for their ability to detect 100% of the "in the wild" viruses as they enter the system and also during periodic file and directory scans.
Press release: < http://www.net-security.org/text/press/963846158,52053,.shtml >

----------------------------------------------------------------------------

ALADDIN SHIPS SECURE USB AUTHENTICATION TOKEN - [19.07.2000]
Aladdin Knowledge Systems, a global leader in the field of Internet content and software security, has announced that its new USB security token, eToken R2, is now being shipped to customers worldwide. Aladdin also announced that Gecko Internet joined Aladdin's eToken Technology Partner Program.
Press release: < http://www.net-security.org/text/press/964002572,83662,.shtml >

----------------------------------------------------------------------------

INTERSCAN VIRUSWALL CERTIFIED FOR ASP DEPLOYMENT - [19.07.2000]
Trend Micro, a leading provider of enterprise antivirus and Internet content security products, today announced that its best-of-breed InterScan VirusWall Internet gateway virus protection software has become one of the first thirteen products and the only antivirus product to achieve Sun Microsystems' SunTone Application Certification for deployment in ASP environments. The SunTone Certification confirms Trend Micro's ability to deliver reliable and highly scalable Unix-based technology that can meet the demanding requirements of Service Providers.
Press release: < http://www.net-security.org/text/press/964002786,39586,.shtml >

----------------------------------------------------------------------------

SYMANTEC CONTINUES PERSONAL FIREWALL LEADERSHIP - [19.07.2000]
Symantec Corp. today announced that EarthLink, a leading broadband Internet Service Provider has selected Symantec's Norton Personal Firewall software to protect its PC-using EarthLink DSL customers. EarthLink will offer Norton Personal Firewall free of charge to new and existing EarthLink DSL customers. Norton Personal Firewall will be delivered via a redeemable electronic coupon e-mailed to customers after their DSL service is installed.
Norton Personal Firewall is then downloaded from a co-branded Web site.
Press release: < http://www.net-security.org/text/press/964002938,79452,.shtml >

----------------------------------------------------------------------------

SYMANTEC OFFICIALS WILL SPEAK AT ISACA CONFERENCE - [19.07.2000]
Symantec Corp., a world leader in Internet security technology, announced today three executives have been invited to speak at the International 2000 Conference of the Information Systems Audit and Control Association, July 17-19 in Orlando, Florida. Mark Egan, chief information officer and vice president of Information Technology; Char Sample, principal researcher of the Core Technology Group; and Greg Adams, director of Development Enterprise Security Solutions, will each address separate sessions of the conference.
Press release: < http://www.net-security.org/text/press/964003015,17911,.shtml >

----------------------------------------------------------------------------

RAINBOW RESPONDS TO @STAKE RL'S ADVISORY - [21.07.2000]
Rainbow Technologies, Inc. responded to a Security Advisory issued by @stake Research Labs regarding potential weaknesses in the company's iKey 1000 entry-level workstation authentication device. @stake's Advisory, issued to several security mailing lists, confirmed in-house testing being performed at Rainbow which also uncovered potential weaknesses in the iKey 1000. The threat can exist in cases where an adversary is able to obtain a user's iKey. Rainbow has improved the iKey 1000's design to defend against this class of attack. Rainbow began a thorough internal testing of the iKey 1000 in May after @stake issued a Security Advisory on a competitive key token product.
Press release: < http://www.net-security.org/text/press/964140967,15366,.shtml >

----------------------------------------------------------------------------

SECURE COMPUTING TO DELIVER SECURITY TO ASPS - [21.07.2000]
Secure Computing announced that it has signed an OEM agreement with Hewlett-Packard Company. Under the terms of the agreement, Secure Computing's SafeWord authentication application is to be resold as a standard feature of HP's e-utilica instant e-service solution for Application Service Providers. HP's e-utilica is a pre-integrated solution that enables ASPs to offer businesses instant access to design collaboration applications and scalable computer capacity on a pay-per-use basis, keeping the information technology overhead low and providing a secure platform for e-business.
Press release: < http://www.net-security.org/text/press/964141092,13277,.shtml >

----------------------------------------------------------------------------

Net-Sec newsletter
Issue 24 - 01.08.2000
http://net-security.org

Net-Sec is a newsletter delivered to you by Help Net Security. It covers weekly roundups of security events that were in the news the past week. Visit Help Net Security for the latest security news - http://www.net-security.org.

General security news
---------------------

----------------------------------------------------------------------------

PICKING THE LOCKS ON THE INTERNET SECURITY MARKET
"Another day, another e-commerce break-in ... The problem, argue a number of new startups, isn't products. It's people."
Link: http://www.redherring.com/insider/2000/0724/tech-fea-security-home.html

WE'RE STILL GETTING SECURITY WRONG
Worries about security, and justified ones at that, could still stop the eCommerce bandwagon in its tracks, it seems. The recent revelation of a security loophole in MS Outlook has been followed by a report from IDC asserting that corporate Europe is still adopting the wrong approach to strengthening the security of its systems.
Link: http://www.it-director.com/00-07-25-3.html

EVALUATION TECHNOLOGY FOR INTERNATIONAL SECURITY STANDARD
The international standard serves as a framework for establishing system reliability by a product's functions, quality, operation and management. More specifically, the standard prescribes requirements for the functioning and quality of the security component that systems must meet to prevent intrusion and unauthorized access.
Link: http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/news/108225

COST OF INTRUSIONS
Enterprises hiring reformed crackers to expose their soft underbellies will only add to the more than $2.6 trillion lost worldwide annually because of security intrusions, warns professional services firm PricewaterhouseCoopers.
Link: http://www.it.fairfax.com.au/industry/20000725/A26681-2000Jul24.html

MICROSOFT SECURITY EXECUTIVE PROMISES IMPROVEMENTS
The man who receives more complaints about the security of Microsoft Corp.'s software than anyone on the planet vowed here yesterday that the company's products are improving in quality and will continue to become more secure.
Link: http://www.idg.net/ic_204796_1794_9-10000.html
Can we believe that? Comment on this in our forum: http://www.net-security.org/phorum/read.php?f=2&i=41&t=41

WHY PEOPLE NEED OUTLOOK
With all these problems with Microsoft Outlook, people are wondering why others use Outlook rather than some other mail client. On the HNS forum, Ladi wrote her opinion on "Why is Outlook so widely used in corporate environments?".
Link: http://www.net-security.org/phorum/read.php?f=2&i=39&t=29

DEFACEMENTS BY WEBSERVER
Attrition published statistics entitled "Defacements by Webserver August 01, 1999 - July 22, 2000". According to the stats, Microsoft IIS had the biggest number of defacements.
Link: http://www.attrition.org/mirror/attrition/webserver-graphs.html

ERROR AND ATTACK TOLERANCE OF COMPLEX NETWORKS
The Internet's reliance on only a few key nodes makes it especially vulnerable to organized computer attacks, according to a new study on the structure of the worldwide network.
Link: http://www.nature.com/cgi-taf/DynaPage.taf?file=/nature/journal/v406/n6794/full/406378a0_fs.html

SECURITY POLICY
Marcus Ranum, chief technology officer at NFR: "We are creating hordes and hordes of script kiddies. They are like cockroaches. There are so many script kiddies attacking our networks that it's hard to find the real serious attackers because of all the chaotic noise."
Link: http://news.excite.com/news/zd/000726/18/silence-the-best

NSA OFFICIAL BLASTS AT SECURITY VENDORS
The National Security Agency's senior technical director Thursday lambasted developers of security tools, which he said were so weak that they encouraged attacks by computer crackers.
Link: http://www.infoworld.com/articles/hn/xml/00/07/28/000728hnnsa.xml

BRITISH VERSION OF CARNIVORE IS NOW LAW
The British government approved the Regulation of Investigatory Powers (RIP) that allows British law-enforcement agencies to force ISPs to hand over 'Net traffic logs and encrypted e-mail messages, along with the decryption keys needed to read their content. ISPs will have to set up secure channels to the government's monitoring center and to install "black boxes" that will do the tracking if the government issues a notice and has a warrant asking the ISP to do so.
Link: http://www.geek.com/news/geeknews/q22000/gee2000728001991.htm

HOW THE FBI INVESTIGATES COMPUTER CRIME
This guide provides information about the federal investigative and prosecutive process for computer related crimes. It will help you understand some of the guidelines, policies, and resources used by the Federal Bureau of Investigation when it investigates computer crime.
Link: http://www.cert.org/tech_tips/FBI_investigates_crime.html

TOOL TRACES DENIAL OF SERVICE SOURCES
The Internet Engineering Task Force (IETF) is working on technology that will minimise the problem of denial of service attacks by making it possible to quickly trace the source of the attack. The organisation last week formed a working group to develop ICMP Traceback Messages, which would allow network administrators to trace the path packets take through the internet.
Link: http://www.vnunet.com/News/1107643

RECRUITING HACKERS
Department of Defense and military officials turned a hacker conference into a recruiting drive Friday, trying to woo the best and the brightest into becoming security experts.
Link: http://www.zdnet.com/zdnn/stories/news/0,4586,2609334,00.html

DEFCON
Defcon has always been an event known as much for its intensive technical content - talks on "advanced buffer overflow techniques" are de rigueur - as its social opportunities, but this year it seems to have become more party than conference. Call it the new American geek holiday.
Link: http://www.wired.com/news/culture/0,1284,37896,00.html

----------------------------------------------------------------------------

Security issues
---------------

All vulnerabilities are located at:
http://net-security.org/text/bugs

----------------------------------------------------------------------------

VULNERABILITY IN NETSCAPE BROWSERS
This advisory explains a vulnerability in Netscape browsers present since at least version 3.0 and up to Netscape 4.73 and Mozilla M15. The vulnerability is fixed in Netscape 4.74 and Mozilla M16.
Link: http://www.net-security.org/text/bugs/964528232,40698,.shtml

IBM WEBSPHERE VULNERABILITY
A show code vulnerability exists with IBM's Websphere allowing an attacker to view the source code of any file within the web document root of the web server.
Link: http://www.net-security.org/text/bugs/964528397,78068,.shtml

ANALOGX PROXY DOS
AnalogX Proxy is a simple but effective proxy server that has the ability to proxy requests for the following services: HTTP, HTTPS, SOCKS4, SOCKS4a, SOCKS5, NNTP, POP3, SMTP, FTP. Using commands of an appropriate length, many of the services exhibit unchecked buffers causing the proxy server to crash with an invalid page fault thus creating a denial of service. Normally this would only be a concern for users on the LAN side of the proxy, but by default Proxy is configured to bind to all interfaces on the host and so this would be exploitable remotely from over the Internet.
Link: http://www.net-security.org/text/bugs/964577654,52746,.shtml

PATCH FOR "NETBIOS NAME SERVER PROTOCOL SPOOFING"
Microsoft has released a patch that eliminates a security vulnerability in a protocol implemented in Microsoft Windows systems. It could be used to cause a machine to refuse to respond to requests for service.
Link: http://www.net-security.org/text/bugs/964789771,23452,.shtml

BEA'S WEBLOGIC SHOW CODE VULNERABILITY
Two show code vulnerabilities exist with BEA's WebLogic 5.1.0 allowing an attacker to view the source code of any file within the web document root of the web server. Depending on the web application and directory structure, an attacker can access and view unauthorized files.
Link: http://www.net-security.org/text/bugs/964901015,87907,.shtml

----------------------------------------------------------------------------

Security world
--------------

All press releases are located at:
http://net-security.org/text/press

----------------------------------------------------------------------------

E-SHOPPING MADE FAST, EFFICIENT AND SECURE - [24.07.2000]
JAWS Technologies Inc. announced that it has signed a memorandum of understanding with iSolver.com to integrate JAWS security solutions into iSolver's technology and facilities.
JAWS will develop new secure Internet encryption products to support iSolver's Universal Cart Technology (UCT). In addition, JAWS will validate, develop and deliver security concepts for all new Internet applications conceived by iSolver. The two firms expect to complete a definitive Business Partnership Agreement Aug. 1, 2000, which will have JAWS provide for a total security solution to support iSolver's business offering.
Press release: < http://www.net-security.org/text/press/964399208,14554,.shtml >

----------------------------------------------------------------------------

JAVA-BASED B2B TECHNOLOGY TO ALLOW DIGITAL SIGNATURES - [24.07.2000]
With the recent passage of the landmark Electronics Signature Act giving digital signatures legal validity, Cyclone Commerce, Inc. continues to take the lead in making E-Signatures an eCommerce reality. With its flagship product, Cyclone Interchange, organizations can apply valid and secure digital signatures to every document sent. This is made possible by Cyclone CrossWorks Security Framework, a revolutionary technology the company pioneered.
Press release: < http://www.net-security.org/text/press/964475791,79890,.shtml >

----------------------------------------------------------------------------

ZKS PREVIEWS LINUX VERSION OF FREEDOM - [24.07.2000]
Zero-Knowledge Systems, the leading developer of privacy solutions for consumers and companies, will release its first source code. Mike Shaver, Zero-Knowledge's Chief Software Officer, last week previewed the Linux client of the company's award-winning privacy software, Freedom at the Ottawa Linux Symposium. In this first source release, Zero-Knowledge will release the source code of the Freedom Linux kernel interface.

Press release:
< http://www.net-security.org/text/press/964475936,91408,.shtml >

----------------------------------------------------------------------------

RAINBOW SIGNS NEW CRYPTOSWIFT OEM AGREEMENT - [25.07.2000]

Rainbow Technologies, Inc., a leading provider of high-performance security solutions for the Internet and eCommerce, today announced that the company has signed a major OEM agreement with a leading provider of next-generation Internet infrastructure solutions - and has received an initial order of nearly $1 million. Rainbow's CryptoSwift eCommerce accelerator is a key component in a new family of products designed to enable eBusinesses to meet the demands resulting from the rapid growth of the Internet. This new family of products are optimized to manage Web traffic - and provide the high performance and availability of leading networking infrastructure solutions.

Press release:
< http://www.net-security.org/text/press/964482291,24441,.shtml >

----------------------------------------------------------------------------

SYBARI'S ANTIGEN SELECTED BY SUNBELT SOFTWARE - [25.07.2000]

Sybari Software, Inc., the premier antivirus and security specialist for groupware solutions today, announced that it has been selected by Sunbelt Software, the No. 1 provider of "best-of-breed" solutions for Windows 2000/NT, for antivirus protection of their groupware environment. "We needed something we knew could protect our groupware. A network disabled, even for a short while, from a virus attack is not acceptable," said Stu Sjouwerman, president of Sunbelt Software.

Press release:
< http://www.net-security.org/text/press/964482448,58117,.shtml >

----------------------------------------------------------------------------

DEFENDNET SOLUTIONS PARTNERS WITH TREND MICRO - [25.07.2000]

DefendNet Solutions Inc., a leading provider of total managed security solutions for the Internet, today announced that it has partnered with Trend Micro Inc.
to deliver virus scanning services based on Trend Micro's award-winning InterScan VirusWall technology. By incorporating Trend Micro's InterScan antivirus software into its comprehensive suite of managed security offerings, DefendNet will enable its carrier partners to offer remotely managed gateway virus protection to their corporate customers.

Press release:
< http://www.net-security.org/text/press/964482508,73308,.shtml >

----------------------------------------------------------------------------

SYMANTEC STRENGTHENS WITH ACQUISITION OF AXENT - [27.07.2000]

Symantec Corp. and AXENT Technologies announced that their boards of directors have approved the acquisition of AXENT by Symantec in a stock-for-stock transaction valued at approximately $975 million. The combination of the two companies will create a new leader in Internet security for enterprise customers. Under the agreement, AXENT shareholders will receive in a tax-free exchange 0.50 shares of Symantec common stock for each share of AXENT common stock they own.

Press release:
< http://www.net-security.org/text/press/964717984,72585,.shtml >

----------------------------------------------------------------------------

'HACK PROOFING YOUR NETWORK' - [28.07.2000]

Syngress Publishing, Inc., today announced the publication of "Hack Proofing Your Network: Internet Tradecraft" by Ryan Russell and with contributing grey-hat hackers such as "Mudge," "Rain Forest Puppy," "Caezar," "Effugas," and "Blue Boar." The premise of the book is "The only way to stop a hacker is to think like one." It provides a tour of information security from the hacker's perspective and offers practical advice for fending off local and remote network attacks. The book is divided into four parts on theory and ideals, local attacks, remote attacks, and reporting.

Press release:
< http://www.net-security.org/text/press/964790472,38581,.shtml >

----------------------------------------------------------------------------

FREE INDUSTRY-LEADING ANTI-VIRUS SOLUTION - [28.07.2000]

Verio Inc. and Computer Associates International, Inc. today announced that the two companies have entered into a partnership to help ensure safe computing in eBusiness environments. The alliance provides Verio with the opportunity to offer its 400,000 customers a free, downloadable version of CA's award-winning anti-virus solution, InoculateIT Personal Edition. The anti-virus software is a component of eTrust, CA's comprehensive Internet security solutions suite.

Press release:
< http://www.net-security.org/text/press/964790527,6132,.shtml >

----------------------------------------------------------------------------

@STAKE ACQUIRES CERBERUS INFORMATION SECURITY - [27.07.2000]

@stake, the world's leading Internet security professional services firm, today announced the acquisition of London-based Cerberus Information Security, Ltd, specialists in penetration testing and security auditing services. As a result of today's acquisition, @stake has formalized its entry into the European market, paving the way for further global expansion. With this agreement, CIS' security specialists will become @stake security consultants. In addition, @stake will inherit CIS' client base, a roster of more than 20 blue-chip clients based in the UK. Financial terms of the acquisition were not disclosed.

Press release:
< http://www.net-security.org/text/press/964837499,43578,.shtml >

----------------------------------------------------------------------------

Net-Sec newsletter
Issue 25 - 07.08.2000
http://net-security.org

Subscribe to this weekly digest on:
http://www.net-security.org/text/newsletter

General security news
---------------------

----------------------------------------------------------------------------

BARCLAYS SLAMMED OVER INTERNET SECURITY FLAW
Barclays came under fire from customers and consumer groups today after a security breach exposed confidential account details. The bank was forced to shut down its online banking service yesterday evening after a Saturday night upgrade to the online transaction software left user data accessible to other account holders.
Link: http://www.uk.internet.com/Article/100360

NORTON PATCHES FIREWALL HOLES
Symantec has quietly modified its Norton Personal Firewall and Norton Internet Security 2000 products to block advertising programs that are sometimes dubbed "spyware." The programs, called adbots, fetch banner ads over the Internet, but they also transmit encrypted data about the user back to the advertising companies. This function has earned them the "spyware" label among privacy and security advocates.
Link: http://www.pcworld.com/pcwtoday/article/0,1510,17880,00.html

250 LINUX SERVERS INFECTED
Some 250 Linux servers were found to have been infected with a program used in denial of service attacks, raising serious security concerns with the popular open source code servers.
Link: http://www.koreaherald.co.kr/news/2000/08/__10/20000801_1026.htm

STOP CARNIVORE WEB SITE LAUNCHED
A new site devoted to shutting down the FBI's Carnivore email surveillance system has launched - "Stop Carnivore". The site explains what Carnivore is, why it is wrong, what you can do, and how it hurts the Internet.
Link: http://cipherwar.com/news/00/stop_carnivore.htm

SNOOPING IN NETHERLANDS
Dutch newspaper De Volkskrant said Monday that the Internal Security Service (Binnenlandse Veiligheidsdienst) had monitored e-mail messages between an unnamed Dutch software company and an Iranian customer.
Link: http://www.infoworld.com/articles/hn/xml/00/08/01/000801hndutch.xml

LINUXSECURITY.COM WINS SOURCE OF THE MONTH FOR JULY
"This month's LinuxLock.Org Security Source of the Month goes to a group of individuals dedicated to bringing security to the forefront of the linux community; this is the staff of LinuxSecurity.Com. Since we started following the site in January 2000, it has evolved into one of the internet's premiere sources of Linux Security Information."
Link: http://www.linuxlock.org/features/somjuly00.html

BARCLAYS, AGAIN
Troubled online bank Barclays admitted to another security blunder that again led to Internet accounts being compromised.
Link: http://www.zdnet.co.uk/news/2000/30/ns-17040.html

STEALING DATA FROM LOS ALAMOS
Hackers suspected of working for a Chinese government institute in Beijing broke into a computer system at Los Alamos National Laboratory and pilfered large amounts of sensitive information, including documents containing the word "nuclear," The Washington Times has learned.
Link: http://www.washingtontimes.com/national/default-20008321179.htm

MYANMAR MILITARY SITE DEFACED
Myanmar telecommunications engineers were trying Thursday to restore the military government's Web site after hackers shut it down, a military intelligence officer said.
Link: http://www.msnbc.com/news/441508.asp?cp1=1

"MAFIABOY" FACES 64 NEW CHARGES
A Canadian youth pleads innocent to accusations that he orchestrated denial of service attacks on Yahoo!, eBay and other high-profile Web sites.
Link: http://www.zdnet.com/zdnn/stories/news/0,4586,2611672,00.html

AOL HIT WITH CREDIT CARD SCAM
According to an AOL member who contacted CNET News.com, over the past 24 hours some AOL Instant Messenger subscribers have received a message informing them of credit card problems. The scam directs members to a site on AOL's Hometown service, a personal Web site builder, and requests credit card information to update customer records.
Link: http://news.cnet.com/news/0-1005-200-2435585.html

BROWN ORIFICE SECURITY HOLE
From Dan Brumleve's homepage - "I've discovered a pair of new capabilities in Java, one residing in the Java core and the other in Netscape's Java distribution. The first (exploited in BOServerSocket and BOSocket) allows Java to open a server which can be accessed by arbitrary clients. The second (BOURLConnection and BOURLInputStream) allows Java to access arbitrary URLs, including local files. As a demonstration, I've written Brown Orifice HTTPD for Netscape Communicator. BOHTTPD is a browser-resident web server and file-sharing tool that demonstrates these two problems in Netscape Communicator. BOHTTPD will serve files from a directory of your choice, and will also act as an HTTP/FTP proxy server."
Link: http://www.brumleve.com/BrownOrifice/BOHTTPD.cgi

EXCITE@HOME IP FLAW EXPOSED
Excite@Home has warned it will take action against anybody who attempts to utilise an IP vulnerability that allows a single user to block up to 127 IP addresses, effectively shutting people out of the service. Contributed by Apocalyse Dow.
Link: http://www.zdnet.com.au/zdnn/stories/zdnn_display/au0004627.html

ICAT - SEARCHABLE INDEX OF SECURITY ISSUES
The U.S. government has created a searchable index of computer vulnerabilities called ICAT.
ICAT links users into a variety of publicly available vulnerability databases and patch sites, thus enabling one to find and fix the vulnerabilities existing on their systems.
Link: http://csrc.nist.gov/icat

----------------------------------------------------------------------------

Security issues
---------------

All vulnerabilities are located at:
http://net-security.org/text/bugs

----------------------------------------------------------------------------

[MANDRAKE LINUX] PAM UPDATE
There is a problem with the pam_console module that incorrectly identifies remote X logins for displays other than :0 (for example, :1, :2, etc.) as being local displays, thus giving control of the console to the remote user.
Link: http://www.net-security.org/text/bugs/965226007,4809,.shtml

[MANDRAKE LINUX] KON2 UPDATE
There is a vulnerable suid program called fld. This program accepts option input from a text file and it is possible to input arbitrary code into the stack, thus spawning a root shell.
Link: http://www.net-security.org/text/bugs/965226086,20677,.shtml

[TURBOLINUX] CVSWEB-1.90 UPDATE
A security hole was discovered in the cvsweb-1.90 package. Current and previous versions of cvsweb allow remote users to access/write files as the default web user via the cvsweb.cgi script.
Link: http://www.net-security.org/text/bugs/965226233,73749,.shtml

MS WINDOWS 2000 PIPE IMPERSONATION VULNERABILITY
A vulnerability in the way Windows 2000 handles named pipes allows any non-privileged user to elevate his or her current security context to that of an arbitrary service (started by the service control manager). By exploiting this bug, a non-privileged local user can gain privileged access to the system.
Link: http://www.net-security.org/text/bugs/965262176,1136,.shtml

MS WINDOWS 2000 PIPE IMPERSONATION VULNERABILITY PATCHED
Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows 2000.
The vulnerability could allow a user logged onto a Windows 2000 machine from the keyboard to become an administrator on the machine.
Link: http://www.net-security.org/text/bugs/965262270,2600,.shtml

CISCO SECURITY ADVISORY - GIGABIT SWITCH ROUTER
A defect in Cisco IOS(tm) Software running on all models of Gigabit Switch Routers (GSRs) configured with Gigabit Ethernet or Fast Ethernet cards may cause packets to be forwarded without correctly evaluating configured access control lists (ACLs). In addition to circumventing the access control lists, it is possible to stop an interface from forwarding any packets, thus causing a denial of service.
Link: http://www.net-security.org/text/bugs/965352730,637,.shtml

FTP SERV-U 2.5E VULNERABILITY
Sending FTP Serv-U a string containing a large number of null bytes will cause it to stack fault. The system Serv-U is running on may become sluggish/unstable and eventually bluescreen. A valid user/pass combination is not required to take advantage of this vulnerability.
Link: http://www.net-security.org/text/bugs/965608002,70838,.shtml

----------------------------------------------------------------------------

Security world
--------------

All press releases are located at:
http://net-security.org/text/press

----------------------------------------------------------------------------

CYBERCASH PROVIDES ONLINE FRAUD DETECTION SERVICES - [02.08.2000]

CyberCash, Inc., the world's leading provider of electronic payment technologies and services, announced it will offer integrated online payment and fraud detection support for Microsoft Commerce Server 2000. Merchants who use Microsoft's Commerce Server 2000 to create Internet storefronts will be able to easily configure their storefronts with real-time payment processing and CyberCash's new Internet fraud detection service by simply installing CyberCash's components.

Press release:
< http://www.net-security.org/text/press/965182044,72105,.shtml >

----------------------------------------------------------------------------

CERTIFICATES IN WEBTRENDS ENHANCED LOG FORMAT PROGRAM - [02.08.2000]

Further enhancing its position as the standard in eBusiness Systems management and reporting solutions, WebTrends Corporation announced that 12 leading firewall vendors have been certified in the WebTrends Enhanced Log Format program, ensuring that their firewall products are compatible with WebTrends Firewall Suite 3.0. Released today, Firewall Suite 3.0 manages, monitors and reports on Firewall activity, alerting IT and security managers to issues with incoming and outgoing activity, protocol usage, security problems, employee Internet activity and bandwidth consumption.

Press release:
< http://www.net-security.org/text/press/965182212,13233,.shtml >

----------------------------------------------------------------------------

BINDVIEW'S BV-CONTROL SELECTED BY BUY.COM - [02.08.2000]

BindView Corporation, a provider of IT risk management solutions, announced that Internet retailer buy.com has selected BindView's bv-Control for Windows 2000 software to provide further security for its Web servers. The Internet superstore will use bv-Control to administer and secure their Windows enterprise. bv-Control is an administration and security management solution that pinpoints and corrects risks to the safety and integrity of a network. BindView's relationship with buy.com further establishes the company's expertise in working with dot com companies to provide IT risk management solutions.

Press release:
< http://www.net-security.org/text/press/965182290,73090,.shtml >

----------------------------------------------------------------------------

NETWORK-1 SECURITY SOLUTIONS SELECTED BY BMC - [02.08.2000]

Network-1 Security Solutions, Inc., a leader in distributed intrusion prevention solutions for e-Business networks, today announced the signing of an enterprise-wide site license agreement with BMC Software, Inc., the leading provider of e-Business systems management. The agreement enables BMC Software to deploy Network-1's unique CyberwallPLUS-WS software - a distributed, workstation-resident firewall and intrusion prevention product - on all of its enterprise users' Windows NT/2000 computers. This will provide BMC Software's employees with protection against hacking and unauthorized network intrusions.

Press release:
< http://www.net-security.org/text/press/965182394,59788,.shtml >

----------------------------------------------------------------------------

NEW ABILITIES IN CHECK POINT REALSECURE 5.0 - [02.08.2000]

Check Point Software Technologies Ltd., the worldwide leader in securing the Internet, and Internet Security Systems, a leading provider of security management solutions for the Internet, introduced the next level in advanced network intrusion detection capabilities with Check Point RealSecure 5.0. The new version of Check Point RealSecure includes:
- X-Press Updates for real-time notification of newly identified cyber attack signatures, including the over 500 attack signatures already cataloged in Check Point RealSecure 5.0
- The ability to reassemble fragmented packets to provide defense against attackers using split up attack signatures
- New detection logic to improve performance and greatly reduce the number of "false positives," or legitimate network traffic that is misdiagnosed as an attack.

Press release:
< http://www.net-security.org/text/press/965182530,80729,.shtml >

----------------------------------------------------------------------------

FREE INTRODUCTORY OFFER BY IVERIFY.COM - [03.08.2000]

iVerify.com launches its verified Internet identification service, iV-Caller, with a free introductory offer to companies who agree to try the service for three months. Trial offer winners will receive customization, turnkey installation and up to 1000 free verifications. Insuring that web users provide a valid phone number where they can actually be reached, iV-Caller is an Internet application and service that incorporates quickly and easily into virtually any web site. IV-Caller can be used in an endless variety of web scenarios including the verification of credit card purchases, auction buyers and sellers, sales leads, e-groups, chat rooms and much more.

Press release:
< http://www.net-security.org/text/press/965310705,2208,.shtml >

----------------------------------------------------------------------------

EVIRUS BUYS 51% IN VIRTUAL AIR-GAP TECHNOLOGY - [03.08.2000]

eVirus announces that it has completed the acquisition of a 51% interest in CIPLOCKS Inc., a Canadian computer security company. The acquisition gives eVirus exclusive rights to CIPLOCKS' revolutionary computer security technology. CIPLOCKS Inc. has created an innovative 'anti-hacking' software architecture known as Virtual Air-Gap Technology that is a means of keeping computers secure from Internet based attacks by controlling the link to the outside world.

Press release:
< http://www.net-security.org/text/press/965310780,25330,.shtml >

----------------------------------------------------------------------------

CYLINK AND METRICOM TEAM FOR WIRELESS SECURITY - [03.08.2000]

Cylink Corporation today announced that it will participate in Metricom's Alliance Partner Program and is planning to provide its security solution for resale through Ricochet Authorized Service Providers.
By combining Metricom's Ricochet technology and Cylink's award-winning PrivateWire software, customers can receive a fast, easy-to-use mobile access solution that incorporates strong encryption, authentication and auditing capabilities to prevent unauthorized access to applications that are used during wireless-to-Internet communications.

Press release:
< http://www.net-security.org/text/press/965310833,49198,.shtml >

----------------------------------------------------------------------------

PENTASAFE ACQUIRES BRAINTREE SECURITY SOFTWARE - [03.08.2000]

PentaSafe Security Technologies, Inc., a leading developer of IT auditing and security software, today announced that it has acquired privately held BrainTree Security Software. BrainTree Security Software is a leading international developer of Oracle, Sybase, and SQL Server database security software solutions. This acquisition supports PentaSafe's strategy to offer its customers a broad portfolio of security solutions across all facets of their IT operations.

Press release:
< http://www.net-security.org/text/press/965312120,48220,.shtml >

----------------------------------------------------------------------------

Net-Sec is a newsletter delivered to you by Help Net Security. It covers weekly roundups of security events that were in the news the past week. Visit Help Net Security for the latest security news - http://www.net-security.org.

Questions, contributions, comments or ideas go to:

Help Net Security staff
staff@net-security.org
http://net-security.org

Any questions about how this was put together for Oblivion please direct them to: Slider@0blivion.org

----------------------------------------------

0wning The World Is A Slow Process, So Give Up And Let Us Gain R00t On You

#OblivionMag EFNet
Copyright 0blivion.org 2000
B0w Down And Feer The Revolution Of Oblivion
Designed On 800x600 Resolution

Sponsors :
http://www.slidersecurity.co.uk
http://net-security.org
http://www.hackernews.com
http://www.caffeine.org.uk
http://www.slidersecurity.co.uk/omega

Music :
Rage Against The Machine
Zombie Nation
Death in Vegas
Red Hot Chilli Peppers - Californication
Live feed from Ministry Of Sound via. www.ministryofsound.co.uk

Drink :
Red Bull - Late nite shizz
Java Coffee

Thanks :
Vortex, For hosting 0blivion.org
Spammy for his Bot's on #oblivionmag - Where they gone ???
Pep - Have a good trip mate!
Aleph1, R.F.P and all the h0es that make my life worth living online
And Akt0r, DC_`, d0tslash, Cl0wn, TNC, redmang and a few others that i forget
#Darkcyde, #bellcrew, #2600-uk, #bifemunix, #hax0r, #b10z, #is, #beyond

Funny :
Colin Noble aka. CPUKiller - http://COLINSDOMAIN.4MG.COM