---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 11 of 12


-------------------------[  P H R A C K     W O R L D     N E W S


--------[  Issue 54
           

Hi. A few changes have been made to Phrack World News (PWN) and will
probably change again in the future.  Because of the increase of news on
the net, security, hackers and other PWN topics, it is getting more
difficult to keep Phrack readers informed of everything.  To combat this
problem, PWN will include more articles, but only relevant portions (or
the parts I want to make smart ass remarks about).  If you would like to
read the full article, look through the ISN (InfoSec News) archives
located at: 

        ftp.repsec.com          /pub/text/digests/isn

If you would like timely news delivered with less smart ass remarks, you
can always subscribe to ISN by mailing majordomo@repsec.com with 'subscribe
isn' in the body of your mail. 

The following articles have been accumulated from a wide variety of places.
When known, original source/author/date has been included.  If the information
is absent, then it wasn't sent to us. 

As usual, I am putting some of my own comments in brackets to help readers
realize a few things left out of the articles.  Comments are my own, and
do not necessarily represent the views of Phrack, journalists, government
spooks, my cat, or anyone else.  If you want to see more serious comments
about the piss poor journalism plaguing us today, visit the Security
Scene Errata web page: http://www.attrition.org/errata/

If you feel the need to send me love letters, please cc: 
route@infonexus.com so he can see I really do have fans.  If you would like
to mail my cat, don't, he hates you because you are a plebeian in his eyes.
Meow. 

This installment of PWN is dedicated to Feds, Hackers, and blatant stupidity.
It was brought to you by the letters that collectively spell 'dumb shit'. 

- disorder

--------[  Issue 54

 0x1: Teen Crackers Admit Guilt
 0x2: FBI grads get gun, badge, and now, a laptop
 0x3: Meet the Hacker Trackers
 0x4: Justice Department to Hire Computer Hackers
 0x5: A Cracker-Proofing Guarantee
 0x6: First-Ever Insurance Against Hackers
 0x7: New Unit to Combat High-Tech Crime (National Police Agency)
 0x8: First 'Cyber Warrior' Unit is Poised for Operational Status (DOD)
 0x9: Tracking Global Cybercrime (Chamber of Commerce)
 0xa: FBI Opens High-Tech Crisis Center 
 0xb: Navy fights new hack method
 0xc: Pentagon Blocks DoS Attack
 0xd: Hackers Elude Accelerator Center Staff
 0xe: Cyberattacks leave feds chasing 'vapor'
 0xf: Congress Attacks Cyber Defense Funds
 0x10: Mudge on Security Vendors
 0x11: More delays for Mitnick trial
 0x12: 'Back door' doesn't get very far 
 0x13: ICSA Goon Pretends to be a Hacker      
 0x14: Is Your kid a Hacker
 0x15: Paging Network Hijacked              
 0x16: FBI busts hacker who sold clandestine accounts on PageNet system
 0x17: EFF DES Cracker Machine Brings Honesty to Crypto Debate
 0x18: Hacking site gets hacked
 0x19: From Criminals to Web Crawlers
 0x1a: Running a Microsoft OS on a Network? Our Condolences
 0x1b: Security expert explains New York Times site break in
 0x1c: Merriam-Webster Taken Offline Old Fashioned Way
 0x1d: Long Haired Hacker Works Magic           
 0x1e: Body of Evidence
 0x1f: The Golden Age of Hacktivism
 0x20: Phrack straddles the world of hackers
 0x21: Cops see little hope in controlling computer crime

0x1>-------------------------------------------------------------------------

Title: Teen Crackers Admit Guilt
Source: Wired
Date: 1:10pm  11.Jun.98.PDT

Two California teenagers have pleaded guilty to federal charges of
cracking Pentagon computers, the San Francisco Chronicle reports. 
   
Terms of the plea are still being negotiated after a meeting last week
between attorneys for the youths and federal officials, the newspaper
said. Neither youth is expected to serve time in custody, sources close to
the case said. 
   
In February, the FBI raided the Cloverdale homes of the two suspected
crackers -- nicknamed Makaveli, 16, and TooShort, 15 -- and seized
computers believed to have been used to break into unclassified computer
systems in government agencies, military bases, and universities. 

[Sucks to be busted. Sucks worse to plead guilty to being a script
 kiddie.]

The youths were never formally arrested in the FBI probe. US Deputy
Defense Secretary John Hamre called the breach "the most organized and
systematic attack" to date on Pentagon systems. 
  
[Feds only enjoy sticking guns in the faces of these kids. Not actually
 arresting them.]

0x2>-------------------------------------------------------------------------

Title: FBI grads get gun, badge, and now, a laptop
Source: TechWeb
Date: 7.22.98

When FBI special-agent trainees graduate from the bureau academy at
Quantico, Va., they are each issued a gun, a badge -- and now, a laptop
computer. 

[Unfortunately, they don't always get a clue.]

Crime today often involves the use of sophisticated technology, and new
agents have to be able to shoot straight, learn the law, and be able to
use technology.

Part of the FBI's duty is to investigate computer-related crimes and
issues of national security. Because it needs these specialized skills,
the bureau is in competition with other agencies such as the Secret
Service and the Central Intelligence Agency (CIA) -- as well as the
private sector -- for recruits.

[Great low pay! Lots of travel! No respect! Come join the FBI!]

Attorney General Janet Reno, addressing a conference on children's safety
on the Internet in December, called on the technology community to help
law enforcement.

But Reno's call does not mean making a computer geek into a G-man.  The
FBI recruits in the high-tech industry and in colleges and universities
for special agents with other attributes besides computer-science degrees.
 
"There is not a specific category [in the FBI] for someone with more
computer skills," said Special Agent Ron Van Vraken, an FBI spokesman. 
"But someone with skills and experience is highly marketable. We've
recognized we need to attract those people into the FBI."
 
The FBI is not alone. 

The CIA has a long listing of Web postings for technology-related jobs. 
There are ongoing requirements for knowledge-based systems engineers,
software developers, and electronics engineers listed alongside jobs such
as theatrical-effects specialists and clandestine service trainees.

[Yet the CIA is scrambling to find jobs for all the cold-war spook
 rejects...]

Although the CIA is not a law-enforcement agency like the FBI and the
Secret Service, it, too, chases "bad guys" and needs people trained in
technology, said Anya Guilsher, an agency spokeswoman. "We have a great
interest in people with advanced technology skills," she said.
 
The Secret Service, which investigates financially related crimes as well
as protects the president, is also looking. Its jobs listings include
openings for computer specialists and telecommunications specialists.

The ideal candidate for these agencies is not necessarily a computer wiz,
said Ron Williams, a former Secret Service agent and current CEO of
high-tech security company Talon Technology.

"The ideal candidate is well-rounded," he said, adding they should also
understand computers, have good communications skills, and know human
behavior.

"To catch a criminal, you have to think like one," Williams said. "You can
take agents, and if they have good street smarts and good computer skills,
you can make them into hacker sleuths."

[Hypothetically.. since they haven't done it yet.]

0x3>-------------------------------------------------------------------------

Title: Meet the Hacker Trackers 

A gang of convicts dressed in cartoon-striped uniforms shuffle slowly
along a sidewalk, searing in the noon-day sun. This is downtown Phoenix, a
low-rise high-tech city with a decidedly old-fashioned approach to crime. 
From her office on the sixth floor of the county attorney's office, the
prosecutor remains unmoved by the sight of the prisoners. "People 'round
here don't have much in the way of sympathy for criminals of any kind. And
most of those guys are real criminals, not jumped up nobodies screaming
for attention - the kind of people I deal with!" 

Meet Gail Thackeray, the world's foremost legal expert on computer crime. 
A former assistant attorney general of the state of Arizona, Thackeray has
been fighting hackers and fraudsters for nearly 25 years. Now she works as
a prosecutor for the Maricopa County attorney's office, a jurisdiction the
size of New England that takes in all of Phoenix. It's most famous as the
home of Sheriff Joe Arpaio, "the meanest sheriff in America". This is the
man responsible for the convicts in stripes. He has made his reputation by
toughening up prison conditions, to loud hollers of approval from
freedom-loving Arizonans.

Good citizens of Maricopa County can now walk the streets in safety, but
for the big technology companies that have moved to the "valley of the
sun", the unseen hand of hackers and computer phreaks is proving a major
distraction. Whether it's a left-over hippy feeling, the University campus
or just a reaction to the extreme heat, Phoenix is a top spot for computer
criminals. Thackeray is there to stop them. 

Arizona has perhaps the United States' strongest legal code against the
activities of hackers, but sometimes Gail aches to fight fire with fire. 
"We have to document every step of the way we investigate. They don't need
to have our education. They just need one other crook showing them, like
monkeys at a keyboard, how to imitate the crime. The bulletin boards were
the precursors to this, but the Net has exploded it down to the individual
level anywhere in the world. You don't need sophistication, you don't even
need very good equipment - one of the best hackers we've ever dealt with
had a Compaq luggable 286 and he was wreaking havoc around the world. Just
a list of his route on different systems attached to the Internet would
keep me in the hacker business for the rest of my life - it goes on for
pages." 

Getting away with it

We move from her office to the conference room next door. Thackeray
proudly displays her new Compaq notebook. Her famous slide show is now
held on the notebook's hard disk. For more years than she'd care to
remember, Thackeray has been showing her slides to police forces and
prosecutors across the United States, advising them how to build a case
against hackers. She also trains police forces all over the country,
including secret service agents at the Georgia Federal training centre.
Even the bad guys have been known to call her to find out what the cops
have been up to. 
 
Although she has been a hacker tracker for 25 years, Thackeray is more
depressed than ever by the escalating scale of computer crime. The Web,
she says, has made it impossible to catch the crooks. "Even if it's the
boy next door, we haven't a chance. He may be doing something rotten to
your high-tech consulting firm, he may be next door trying to steal your
stuff - but he's looping through a long-distance carrier, a corporate
phone system, three Internet providers and circling the world twice before
he hits you. That's the problem from our standpoint. Even assuming all
those parties can trace the links they're involved in, we have to go
through a different process, and probably a different law enforcement
agency, for every single one.

"In the old days out here, the Texas rangers were very famous for catching
bank robbers. They didn't stop at the Texas border when chasing a killer. 
They'd jump on their horse and, even if they crossed the state line, they
would follow wherever the chase led them. In the computer age we can't do
that at all. What we have now in the US is a mish-mash of laws and
agencies. Multiply that on the international level and it's completely out
of hand." 

High-tech law enforcement

Thackeray moved to Arizona in 1986 after beginning her career as a
prosecutor in Philadelphia. She worked in the attorney general's office
running an organised crime and racketeering unit that won a national
reputation for its technical ability in the fight against hackers. She was
also the mastermind behind Operation Sundevil (see panel, overleaf), the
first nationally coordinated raid on hackers. But then democracy took a
turn and she became a victim of the strange process by which Americans
elect their most senior law officers. Her boss lost the race to be elected
attorney general. The victor wasn't interested in technology so 12 people
got sacked, including Thackeray. 

Taking a break from the slide show for a moment, she shows me a little
number-generating program stored on her laptop. It generates random
numbers for Visa cards. Give it the four-digit code that identifies a card
issuer and within minutes you'll have hundreds of false credit card
numbers to play with. "Now supposing you had another little program that
made the bank think these numbers were legitimate - How much do you think
you could make?" We go on-line to see some of the hacker sites. Thackeray
believes that the Web is making a bigger range of crimes much easier to
commit. "In the future the good parts of the Internet will be bigger and
more complex and available to more people and that's great. But this means
all of those people will have victim potential. Thanks to the growth of
the Web, one criminal can now do an unprecedented amount of damage,
whether it's to corporations or to individuals' feelings by threatening
and stalking, spam attacks or just shutting down ISPs. 

"We have had four incidents in the first six months of this year.  These
people are attacking not just the little local service provider, but also
some of the 19 Internet backbone carriers. They're absolutely ruthless and
don't care who they hurt. In a case in Tucson, tens of thousands of users
were shut down just because some person with an adolescent level of
maturity decided he was mad at another ISP, so he took all of its
customers off-line. It's frighteningly easy to do and only took one
broadcast message. All the routers that run the Internet shake hands
periodically, so if you can infect one router, given time it will infect
the entire world. And that's what happened. It took just a few days for
the entire world to believe that this service provider, and all its
customers, didn't exist."  Not only is the Web host to a whole new range
of crimes, it's also home to a brand new band of weirdos. "Unfortunately
the Web is the best playground ever invented for sociopaths. They can
hide, are anonymous and can't be traced. Nobody is in charge and it gives
them that power rush that psychologists say is what they live off. It's
their whole life's breath. It's the chest-beating power surge of being
able to do it and get away with it. We are just seeing more acts of wanton
destruction simply for the sake of showing that you can do it." 

Does she think this new generation of Web hackers is a real threat to
people? "Every baby in America knows the 911 emergency system. If mommy's
drowning in the pool, we've had three-year-olds save her life by dialling
911. The hackers have attacked the 911 system and they're still doing it. 
That's not for knowledge or for glory, that's just an act of vicious ego." 

Rat's nests and technocrap

Personal liberty is taken very seriously in the western United States. 
No-one likes the idea of "big government" interfering with people's lives. 
Even hackers gain sympathy when they complain of harassment by police and
prosecutors. Some say they've been victimised by the authorities. 

Thackeray denies this. "It's a hacker myth that we take away their
computers and sit on them forever. In one case we came across, the guy had
over 12Gb of data stored on his system - that's equivalent to 15,000
paperback books. It's better that we seize all that material - you might
have love letters, cook book recipes and your extortion kidnapping letter
on the same disk. We can't take one without taking the other. We cannot
physically copy that volume. It is far easier for us to take computers
away than for us to camp out in your house for six months." 

A hovel of a bedroom fills the projector screen. Coke cans everywhere,
rubbish dotted across an unmade bed. In the corner sits a naked computer,
stripped of casing, wires exposed. Thackeray calls it a rat's nest. She
has hundreds of similar photos. "Back in Philadelphia I began collecting
pictures of computers with their wires hanging out. When the geeks speak
to a jury we call the language they use technocrap. What you have here is
the physical version of technocrap." She gestures at the screen. Typically
hackers will set up a stereo system within easy reach of the computer, and
often a drinks cabinet as well. 

A recent innovation is the home network. "We've come up against four or
five houses recently where people have had multiple systems networked in
the house. And that's even without running a bulletin board. When we get
lucky and we're fast enough we can find the guilty computer - but the
hardest part of the job is finding the brain behind the computer. To find
that person is good old-fashioned low-tech police work." 

Thackeray's team face another new problem caused by the huge increase in
storage capacity. "In the computer situation no one throws anything out. 
That makes our life more difficult. We don't want to read the last five
years' worth of your e-mail, life's too short and frankly it's not that
interesting. But sometimes we're searching for one piece of evidence and
it's buried in a huge volume of stuff so what else can we do?"

Tracking or trailing? 

The slide show draws to an end. We amble downstairs to the office of
another investigator. He shows us an array of hacker memorabilia on his
computer. I ask Gail about the future. She believes that unless there's a
fundamental change in the way police forces treat computer crime, there is
no hope at all. "The police departments and prosecutors around the country
are, frankly, paramilitary organisations with very bureaucratic, layered
decision-making processes. They see the need for more training in gangs; 
they don't see the need for more training in computers because the
management came out of the knife and gun club. 

"Police management is dominated by the physical crimes people.  We've got
to dissolve some of these barriers. When we move we need to move fast like
the Texas rangers - both legally and bureaucratically we're just not there
yet. When I started 20 years ago law enforcement was behind the computer
crime wave. We're farther behind today than we were then."

Matt McGrath is an investigative journalist who works for Radio 5. 

0x4>-------------------------------------------------------------------------

Title: Justice Department to Hire Computer Hackers
Source: Business Week
Date: Aug. 6, 1998

Wanted: Hackers to break into the Justice Dept. computer network. Under a
program known as Operation Get Cracking, the Justice Dept. sought members
of the computer underground at late July's Def Con hackers' conference in
Las Vegas, BUSINESS WEEK reports in its August 17 issue. Attorney General
Janet Reno has quietly committed $1 million to hire up to 16 hackers to
test the Department's networks, says a source at Justice, which would
neither confirm nor deny the operation. 

[Uh... huh... I won't go there.]

0x5>-------------------------------------------------------------------------

Title: A Cracker-Proofing Guarantee
Source: Wired News Report
Date: 9:05 a.m.  5.Oct.98.PDT

CIGNA Secure Systems Insurance is offering a US$25 million liability
policy designed to cover losses resulting from attacks by computer
crackers, the company said Monday.

To qualify for coverage, a client must secure its systems or pass
inspection from a CIGNA-approved security-management company. Otherwise,
potential clients are encouraged to contract with security-management
company NetSolve, in conjunction with Cisco's NetRanger
intrusion-detection software, which is pre-approved by CIGNA.

CIGNA Secure Systems Insurance provides coverage for theft of money,
securities, and property; for damage done by crackers to a firm's data or
software; and for business losses caused by attacks on a company's
computer systems. 

[And how do they put value on your information? Who audits the system
 to make sure you are telling the truth about your policy?]

A recent survey by the Computer Security Institute and the FBI found a 36
percent increase from the previous year in losses stemming from
computer-security breaches. However, traditional property and liability
insurance policies do not address these risks, according to CIGNA.

"It's a nice marketing ploy," said computer security consultant Pete
Shiply. "But if someone is concentrating on breaking into a site,
eventually they will get in. There is no such thing as a secure site; 
security is economics, it's a question of money and how much you want to
invest." 

Asked what kind of intrusion might lead to a $25 million claim, Shiply was
skeptical. 

"While I haven't read the agreements, I am pretty sure you would not get
that much,"  he said. "You would have to prove losses approaching that
figure, and that will likely be a difficult thing to do."

0x6>-------------------------------------------------------------------------

Title: First-Ever Insurance Against Hackers
Source: Reuters
Date: 14-JUN-98
By: Therese Poletti 

A computer security firm is so certain of its security prowess that it is
offering to protect its customers with the first-ever hacker insurance, in
the event a customer is successfully invaded by hackers.

[So secure, hackers dumped logs of one of the ICSA's machines being
 hacked to several IRC channels. Do as we say, not as we do.]

ICSA Inc., the International Computer Security Association, is now
offering as part of its TruSecure service, insurance against hacker
attacks. ICSA will pay up to $250,000 if a customer's network is hacked
into, after it has followed the TruSecure criteria.

``This is the first hacker-related insurance,'' said Peter Tibbett,
president of the ICSA, based in Carlisle, Penn. ``It puts our money where
our mouth is.''

ICSA sells its TruSecure service for $40,000 a year. The service, which it
has been offering for several years, is a series of steps, methods and
procedures that an ICSA client must adhere to. Some steps are simple,
common sense procedures, such as having the server which hosts your
company's Web site inside a locked room.

[You pay 40,000 a year, for up to 250,000 insurance. Pretty high
 premium. 40,000 will buy you a lot of security consulting and additional
 security precautions.]

Other steps are more complicated, such as the requirement to have a secure
firewall around an internal network.

But the ICSA does not sell products. Instead, it recommends a whole range
of software that it has approved as secure and meets its standards,
through open meetings and debates, with all its members, many of whom
develop security products.

Then, ICSA tests a client's security by using typical hacker methods,
through its 100 or so employees, none of whom are reformed hackers.  ICSA
believes, along with executives at International Business Machines Corp.
who perform ``ethical'' hacking on its customers, that there is no such
thing as a reformed hacker.

``We spray them with hacker tools and see where their vulnerabilities
are,'' Tibbett said, referring to many of the widely-used hacker programs
that are available over the Internet or shared among hackers. ``The
average site took about two weeks to get to the place where they meet all
our requirements.''

After ICSA completes a six-step process to test and improve a company's
security, the customer is deemed secure and will then receive insurance.

The ICSA said it will pay its customers if they fall prey to a hacker,
even if they are not financially harmed from the attack.

``Whether you lose money or not, we will pay,'' Tibbett said. ''We believe
that we reduce the risk dramatically ... Yes, we expect to write some
checks, but we don't expect to write very many.''

Tibbett likens the ICSA to the Center for Disease Control, because it
tracks all hacker attacks and tests every hacker tool and virus its
programmers can find. The ICSA also is known for its emergency response
center, which tracks the fallout from known computer viruses and helps
companies in a crisis.

``Good enough is never going to be perfect,'' Tibbett said. ''But we have
a motivation to improve our service. If we have to write a check when
someone gets hacked, it gives us another emphasis.''

The company said it is partnering with major nationwide insurance carriers
who recognize the ICSA TruSecure certification as a requirement for hacker
policies.

0x7>-------------------------------------------------------------------------

Title: New Unit to Combat High-Tech Crime
By: Yomiuri Shimbun
Date: June 05, 1998

The National Police Agency plans to create a special "cyberpolice" unit to
combat the rise in high-tech crimes involving the Internet and other new
technologies, the agency said Wednesday in announcing its new high-tech
crime program. Information will be exchanged with its investigative
counterparts overseas on a 24-hour-a-day basis, it said. The program will
include special high-tech crime squads at the prefectural level, and
information security advisers at prefectural police stations who will
liaise directly with the private sector, with which the NPA wants to
coordinate its efforts. The agency will also request a budget for a
"hacker-proof" supercomputer next fiscal year.

The NPA recorded 263 high-tech crimes last year -- eight times more than in
1992. High-tech crime was on the agenda of the Group of Eight summit
meeting in Britain last month, where the eight leaders agreed to report on
their efforts to combat high-tech crime at the G-8 summit in Cologne,
Germany, next year. The NPA said Japan's current laws are inadequate and
it would push to have new laws enacted to limit access to computers by
those with criminal intent. 

0x8>-------------------------------------------------------------------------

Title: First 'Cyber Warrior' Unit is Poised for Operational Status
By: Bryan Bender
Date: June 17 1998

The US Department of Defense (DoD) plans to stand up its first operational
unit of `cyber warriors' by September to safeguard against and respond to
computer attacks aimed at the US military, according to defence officials. 

The Joint Chiefs of Staff (JCS) is assessing several proposals for a
Computer Defense Joint Task Force and JCS chairman Gen Henry Shelton is
expected to make a recommendation to Defense Secretary William Cohen, who
will have direct authority over the organisation, in the near future. 

The JCS has a computer attack response cell within its directorate of
operations, but it "has not been codified as a warfighting entity," said
JCS spokesman Lt Cdr Jim Brooks. 

The task force, which will conduct defensive rather than offensive
information operations, will have the necessary authority to take action
in the event of information attacks. Officials are determining how the
unit should be structured, where it should be and how much it will cost. 

They say that the new unit will have to have a high level of co-ordination
with other federal agencies, particularly the Federal Bureau of
Investigation, given the constitutional limitations placed on the US armed
forces in the area of law enforcement. 

JCS sources add that the task force is only expected to be an interim
solution to the rising need for a specialised unit to counter incidents of
cyber warfare. A permanent unit, possibly under the authority of one of
the US warfighting commanders-in-chief, is planned for the future. 

The Pentagon has seen a steep rise in computer attacks and other attempts
either to access or contaminate DoD information networks. Art Money, the
DoD's senior civilian overseeing computer operations, said on 10 June that
the Pentagon experiences an average of 60 cyber attacks per week. 

0x9>-------------------------------------------------------------------------

Title: Tracking Global Cybercrime
By: Claudia Graziano
Date: 4:00 a.m.  25.Sep.98.PDT

The International Chamber of Commerce said Thursday that it will open a
new division to help companies around the world protect themselves against
cybercrime.

"Basically, any scams you can do terrestrially you can do even easier in
cyberspace," said Eric Ellen, the chamber's executive director, who will
take the reins of the new division.

[Oooh.. 'terrestrially'.. three point word.]

The London-based unit will work with Interpol to fight heavy-duty
technological thievery -- such as money laundering, industrial espionage,
and investment fraud -- as opposed to small-time consumer scams like
selling nonexistent goods online.

Interpol chief Ray Kendall said the international police agency had been
pushing for years for such an alliance with the private sector since it
could move more quickly than governments in purchasing the equipment
needed to investigate high-tech crime.

The cybercrime unit will provide the 7,000 International Chamber of
Commerce members with information about how and where the myriad types of
crimes are committed on the Net and what businesses can do to protect
themselves against crackers and fraud artists.

A Federal Trade Commission official praised the commission's efforts to
raise domestic awareness of Internet fraud. 

"We welcome any international effort to crack down on cyberfraud, because
crime and fraud perpetrated against consumers or businesses only
undermines the electronic marketplace and stifles the great opportunities
available through Internet commerce," said Paul Luehr, an assistant
director at the commission.

The chamber said it hopes to persuade governments, including the United
States, to wipe out restrictions that limit the spread and availability of
strong encryption algorithms.

That position flies in the face of US law enforcement, which currently
limits the export of powerful crypto on the grounds that it might be used
by terrorists.  Meanwhile, US crypto advocates have long said that ciphers
are better suited to fighting crime than hiding it. 

"There will be some lobbying on our part, but many businesses can't wait
for laws,"  Ellen said. "Crimes cross international borders, yet existing
laws [against cybercrime] are national."

The chamber's cybercrime unit will meet regularly with Interpol in Lyon,
France, to exchange information and intelligence on cybercrime and its
perpetrators.

Additionally, the chamber division plans to exchange information with the
FBI's National Infrastructure Protection Center and the FBI's National
Security Awareness unit, which looks after the interests of US businesses.

Headquartered in Paris, the International Chamber of Commerce establishes
rules that govern the conduct of businesses worldwide. The nonprofit group
holds top-level consultative status with the United Nations, where it puts
forward the views of business in countries around the world. 

0xa>-------------------------------------------------------------------------

Title: FBI Opens High-Tech Crisis Center 
By: Michael J. Sniffen
Date: Friday, November 20, 1998; 9:29 a.m. EST

Entering its 91st year with new duties that extend around the world, the
FBI today opened a high-tech, $20 million operations center nearly the
size of a football field to allow headquarters to manage up to five crises
at once.

The new Strategic Information and Operations Center -- called ``sigh-ock''
after its initials -- has 35 separate rooms that can seat up to 450 people
total and covers 40,000 square feet on the fifth floor of FBI headquarters
on Pennsylvania Avenue. It is 10 times bigger than its two-decade-old
predecessor that could, with difficulty, handle two crises simultaneously.

Bureau officials became convinced the old SIOC was outmoded in the summer
of 1996 when they tried to manage investigations of the Olympic bombing in
Atlanta, the explosion of TWA 800 and the Khobar Towers truck-bombing in
Saudi Arabia at the same time.

``There weren't enough rooms or enough telephones,'' FBI Director Louis J. 
Freeh said.  ``We had people working at desks in the hallway outside and
reading top secret material in the vending area across the hall.''

The supersecret facility with no windows to the street, or even any
outside walls, has a private ribbon-cutting today with former President
George Bush as the FBI celebrates its 90th birthday.

Introducing the new SIOC to reporters for a one-time-only tour, Freeh said
it was emblematic of the bureau's expanded responsibilities and
technology.

He noted that the bureau's fastest growing component, its Counterterrorism
Center, is arrayed in the offices around the SIOC -- as is its violent
crime unit, which handles domestic attacks such as the Oklahoma City
bombing or hijackings.

Much of the counterterrorism work now extends overseas, to Saudi Arabia
where U.S.  soldiers have been killed in two bombings and East Africa
where two U.S. embassies were bombed, for example. In the last five years,
Freeh said, the FBI has nearly doubled its legal attaches working abroad
-- to 32 cities now. Eight more are to open soon -- in Almaty, Kazakhstan; 
Ankara, Turkey; Brasilia, Brazil; Copenhagen, Denmark; Prague, Czech
Republic; Santo Domingo, Dominican Republic; Singapore and Seoul, Korea.

The computers at desks throughout the center and the 5-by-15-foot video
screens on the walls of almost every room can display not only U.S. 
television broadcasts but also local TV channels from foreign countries. 
The bank of red-lettered digital clocks in each room can display the local
time in five or six locations.

The FBI's new National Infrastructure Protection Center, tasked to prevent
and respond to attacks on government or private computer systems that keep
America running, will have three representatives on each of the 10-member
watch teams that staff the center at all times. Also present around the
clock: a representative of the National Security Agency's Cryptologic
Security Group to provide information from the government's worldwide
electronic eavesdropping. 

Behind a series of blond wood doors, the complex warren of workrooms, many
of which can be combined or divided as need requires, have light gray
carpets, paler gray walls and dark gray metal desks with white plastic
tops. The desks are fixed in place only in two control rooms that manage
the flow of information to each room; elsewhere they are modular and can
be rearranged at will over floor-mounted electric and telephone plugs.
Interior windows allow views into conference rooms or the SIOC's hallways.

Ron Wilcox, deputy chief of the SIOC, said the compartmented areas would
allow bureau agents ``to work in one room with District of Columbia police
on a local kidnapping while another room works on a terrorist bombing with
top secret data.''

Each work station can receive data from three sets of phone and computer
links:  unclassified, secret and top secret-sensitive compartmented
information.

While the center will draw information from around the world, information
will not leave without permission. The center is shielded to prevent
outside detection of electronic emissions, so cell phones do not work
inside it.

In Operations Group D and G, the largest room with capacity for 118
people, there are printers with yard-wide rolls of paper to print out city
maps. So the room will not be overcome with noise, the sound from video
screens is broadcast silently from black boxes around the room to
headphone sets available to each worker. 

The chairs, most on wheels, have arm rests. They are blue-green cloth in
the workrooms;  gray leather in the Executive Briefing Room, the center's
second largest room, with three blond wood semicircles seating 36 and
fixed theater seats at the back for 50 more.

Rather than increasing the burden on field agents to report to Washington,
Wilcox said the new center should reduce such demands, because ``we will
offer one-stop shopping for headquarters. Field agents can report to us,
and we will be responsible for making sure everybody is alerted who should
be.''

0xb>-------------------------------------------------------------------------

Title: Navy fights new hack method
By: Tim Clark
Source: CNET NEWS.COM

Hackers are banding together across the globe to mount low-visibility
attacks in an effort to sneak under the radar of security specialists and
intrusion detection software, a U.S. Navy network security team said
today. 

Coordinated attacks from up to 15 different locations on several
continents have been detected, and Navy experts believe that the attackers
garner information by probing Navy Web sites and then share it among
themselves. 

"These new patterns are really hard to decipher--you need expert forensics
to get the smoking gun," said Stephen Northcutt, head of the Shadow
intrusion detection team at the Naval Surface Warfare Center. "To know
what's really happening will require law enforcement to get hold of the
hackers' code so we can disassemble it." 

The new method involves sending as few as two suspicious probes per hour
to a host computer, a level of interest that usually won't be detected by
standard countermeasures.  But by pooling information learned from those
probes, hackers can garner considerable knowledge about a site.
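
An added illustration of why the low-rate probing described above slips past per-source thresholds, and what a long-window, per-target count shows instead. This is example code written for this page, not the Shadow team's software; the event layout, addresses, window sizes and function names are assumptions, and the probe data is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_EVENTS 64
#define N_SOURCES  15            /* "up to 15 different locations" */

/* One probe as a sensor might log it: time in seconds, source, target. */
struct probe { long t; char src[32]; char dst[32]; };

/* Constructed sample, not real traffic: 15 sources take turns probing one
 * target, two probes per hour in total, for 24 hours (48 probes).
 * Addresses come from the documentation ranges. Returns the event count. */
int build_sample(struct probe *ev)
{
    int n = 0;
    for (int i = 0; i < 48; i++, n++) {
        ev[n].t = (long)i * 1800;
        snprintf(ev[n].src, sizeof ev[n].src, "198.51.100.%d",
                 10 + i % N_SOURCES);
        strcpy(ev[n].dst, "192.0.2.5");
    }
    return n;
}

/* Per-source rate check, the usual scan threshold: the largest number of
 * probes one source sent to one target inside any `window` seconds.
 * Events must be sorted by time. */
int max_per_source_rate(const struct probe *ev, int n, long window)
{
    int best = 0;
    for (int i = 0; i < n; i++) {
        int c = 0;
        for (int j = i; j < n && ev[j].t - ev[i].t < window; j++)
            if (strcmp(ev[j].src, ev[i].src) == 0 &&
                strcmp(ev[j].dst, ev[i].dst) == 0)
                c++;
        if (c > best)
            best = c;
    }
    return best;
}

/* Per-target, long-window view: how many distinct sources probed `dst`
 * in the interval [from, to). */
int distinct_sources(const struct probe *ev, int n, const char *dst,
                     long from, long to)
{
    const char *seen[MAX_EVENTS];
    int ns = 0;
    for (int i = 0; i < n; i++) {
        int k;
        if (ev[i].t < from || ev[i].t >= to || strcmp(ev[i].dst, dst) != 0)
            continue;
        for (k = 0; k < ns; k++)
            if (strcmp(seen[k], ev[i].src) == 0)
                break;
        if (k == ns && ns < MAX_EVENTS)
            seen[ns++] = ev[i].src;
    }
    return ns;
}

int main(void)
{
    struct probe ev[MAX_EVENTS];
    int n = build_sample(ev);

    /* A threshold such as "10 probes from one source in a minute" never
     * fires: no source sends more than one probe per minute or per hour. */
    printf("max per-source probes in 60 s:   %d\n",
           max_per_source_rate(ev, n, 60));
    printf("max per-source probes in 1 hour: %d\n",
           max_per_source_rate(ev, n, 3600));

    /* Grouping by target over a day exposes the shared interest. */
    printf("distinct sources on 192.0.2.5 in 24 h: %d\n",
           distinct_sources(ev, n, "192.0.2.5", 0, 86400));
    return 0;
}
```

The per-source counters stay at 1 while the per-target count reaches 15, which is why this kind of activity only shows up when sensor logs are kept and correlated over long periods.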

0xc>-------------------------------------------------------------------------

Title: Pentagon Blocks DoS Attack
Source: Newsbytes via NewsEdge

The Pentagon launched an attack applet of its own this month to thwart a
denial-of-service attack against its DefenseLink Web site at
http://www.defenselink.mil . 

DefenseLink was one of three sites targeted on Sept. 7 by a group that
calls itself the Electronic Disturbance Theater. The group claimed to be
acting in solidarity with Zapatista rebels in the Mexican state of Chiapas
to protest Defense Department funding of the School of the Americas. 

Other target Web sites belonged to Germany's Frankfurt Stock Exchange and
Mexican President Ernesto Zedillo. 

The theater group's Web site referred to the attacks as a virtual sit-in. 
Visitors to the group's site received a hostile Java applet designed to
keep reloading the DefenseLink and other Web sites automatically as long
as the visitors' browsers were open. 

Multiple simultaneous reload requests can overwhelm a server, but the
attacks apparently had little impact, DOD officials said. 

"Our support staff certainly was aware of the planned attack," Pentagon
spokeswoman Susan Hansen said. "They took preventive measures to thwart
the attack so that DefenseLink was available." 

Hansen would not specify the preventive measures, but the theater group
reported, and a DOD official confirmed, that the Pentagon aimed its own
hostile applet back at the attackers. 

Browsers "got back a message saying the (theater group's) server wasn't
available," Hansen said. 

The Frankfurt exchange reported the reload requests had little or no
impact on its server, either. 

The theater group has promised a second round of attacks, known as
FloodNet, between Sept. 16, Mexican Independence Day, and Oct. 12,
Columbus Day. 

Representatives of security software vendor Finjan Inc. of Santa Clara,
Calif., said the attacks marked the first time Java applets have been used
in a political protest, although the theater group has claimed
participation in other virtual sit-ins against Zedillo and President
Clinton since April. 

The group is a throwback to the 1960s guerrilla theater of the Yippies,
who once hosted an attempt to mentally levitate the Pentagon. The theater
group's Web site at http://www.nyu.edu/projects/wray/ecd.html advocates
electronic civil disobedience. Its attempted Pentagon attack was part of
Swarm, a project launched at the Ars Electronica Festival on InfoWar in
Linz, Austria. 

The group's announced activities, in addition to the unspecified attacks
planned through mid-October, include radio protests against the Federal
Communications Commission on Oct. 4 and 5. 

The Swarm attacks reportedly did not meet with much approval among
hackers, who view FloodNet as an abuse of network resources. 

0xd>-------------------------------------------------------------------------

Title: Hackers Elude Accelerator Center Staff
Source: San Francisco Chronicle
Date: 06/11/98

Officials at Stanford Linear Accelerator Center are rethinking the
openness of their computer system a week after hackers forced them to shut
down outside access to the federal research facility's computer network.

External access to the center's computer system was suspended after staff
members failed to catch hackers who had intercepted a password and were
moving in and out of more than 30 of the facility's Unix servers.

"We traced the hackers around to the point that we weren't gaining on
them," said center spokeswoman P.A. Moore. "The person or persons were
successful in covering their tracks and in getting into and out of
accounts." 

It is still unclear how the hackers got access to a password and the
system, Moore said. 

But as a result of the breach, she said, officials are rethinking the
center's policy of being an open scientific research facility.  She said
proposals are being considered to restrict the center's computer system.

"A number of options are being considered and they range from very mild to
more severe," she said.

Moore said that most of the center's Internet services were restored
Tuesday after security measures were put in place and that staff members
were instructed to change their passwords.

The shutdown did not create any serious problems, although it caused
delays in many projects and denied researchers from all over the world
access to the center's Web site, Moore said.

Established in 1962, the Linear Accelerator Center is funded by the
Department of Energy and operated by Stanford University. With a staff of
about 1,300 and 2,000 researchers worldwide, the center conducts basic
research on atomic and subatomic physics. The center's researchers use
colliders to study matter at the atomic level.  "Mostly, we've lost time
on experiments," Moore said. "We do not see that any data has been
compromised. It's more of a setback than a major disaster."

But she said future break-ins will remain a problem for the open scientific
facility. The center does not conduct any classified research, she said.

"Computer hackers are very sophisticated in terms of their knowledge and
ease in traveling through cyberspace," she said. "We're vulnerable. By
being an open facility, we are a target for vandals." Stephen Hansen, a
Stanford University computer security officer, said campus system
break-ins average at least two a month.

A common tool used by hackers is a computer program dubbed "the sniffer," 
which allows intruders to decode data in a system, specifically passwords
and log-on names.

"Sniffers are quite dangerous," Hansen said. "If they are not caught right
away, they can lead to break-ins to thousands of accounts, not just
locally, but across the Internet."

To minimize such break-ins, he said, more system operators are using
encryption programs that prevent hackers from determining sign-on names
and passwords. However, this is not an easy option for the Stanford center
because encryption programs are prohibited in some countries, including
France, where a number of center-affiliated researchers live. 

0xe>-------------------------------------------------------------------------

Title: Cyberattacks leave feds chasing 'vapor'
By: Bob Brewin (antenna@fcw.com)

Top administration officials last week warned that the United States lacks
the capability to quickly identify the nature and scope of a continuing
series of cyberattacks against both federal and private systems that
support the country's telecommunications, financial and energy critical
infrastructures.

During a series of congressional hearings and in speeches last week,
federal security and information technology officials made it clear that
they anticipate a powerful ''Achilles' heel'' cyberattack that could
cripple the nation's vital systems because the government lacks the
ability to defend against such an attack.

John Hamre, deputy secretary of Defense, told the House National Security
Committee that such a paralyzing cyberattack against critical
infrastructures is inevitable. "There will be an electronic attack
sometime in our future," he said. "Should an attack come, it will likely
not be aimed at just military targets but at civilian [targets] as well." 
Administration officials also reported that the attacks continue unabated.

Art Money, who is slated to take over as assistant secretary of Defense
for command, control, communications and intelligence later this year,
said in a speech at a conference in Washington, D.C., last week that DOD
"averages 60 intrusions a week" into its computer systems.  An official of
the FBI's new National Infrastructure Protection Center (NIPC) said the
office is investigating a "half dozen" incidents, describing them as
''substantial.''

But security agencies said the process of chasing down and identifying
attackers is frustrating, as in the case of the highly publicized series
of hacks against DOD computers last February. The FBI and numerous DOD
agencies worked together to track down the hackers, but the agencies could
not "identify [until] the following week"  the source and type of attack,
Ellie Padgett, deputy chief of the National Security Agency, told the
Senate Judiciary Committee's Subcommittee on Technology, Terrorism and
Government Information.

Padgett said it would still take the agency a "matter of days" to
determine if an attack was strategic or just a teenage prank.

Michael Vatis, director of NIPC, told the committee, "In most
cyberattacks, it's impossible to know the identity of the penetrator," be
it teenage hackers, criminals or a strategic attack by a hostile nation. 
Vatis, in an interview, likened chasing down hackers to "tracking vapor."

Barry Collin, a senior researcher with the Institute for Security and
Intelligence, said it will become increasingly difficult to identify
strategic attacks because a nation that is sophisticated enough to mount a
cyberwar against the United States also will have the sophistication to
disguise that effort as a hacker attack mounted by teenagers. "They can
make it appear as if it is a game instead of a real attack," he said.

A "Predatory Phase" 

Also frustrating security experts is the possibility that attacks will be
carried out in quick hits over a long period of time, Hamre said. "The
predatory phase could take place over several years, making it hard to
collate curious, seemingly unrelated events into a coherent picture," he
said. These long-term attacks "could take place over multiple
jurisdictions - [for example] power grids or air traffic control nodes in
various states. Our knowledge of the origin of such attacks and their
sponsorship is likely to be imprecise." 

Hamre also presented classified testimony to a joint closed hearing of the
House National Security Committee's Military Procurement and the Military
Research and Development subcommittees. Hamre may have presented more
detailed evidence of computer vulnerabilities, based on remarks by Rep. 
Curt Weldon (R.-Pa.), chairman of the Military Research and Development
Subcommittee, who called Hamre's classified testimony "the most
provocative briefing" he had ever received during his 12 years in
Congress.

The Clinton administration hopes to protect the critical infrastructures
with recently formed security organizations, including the National
Infrastructure Assurance Plan, the NSA Network Incident Analysis Cell and
the Critical Infrastructure Assurance Office in the Commerce Department. 
CIAO will spearhead multiple-agency efforts to develop better policies,
processes, procedures and systems to detect and deter attacks.

The administration also plans to heavily involve the private sector -
banks, power companies and railroad companies - in "public/private
partnerships'' to protect the infrastructure. 

Members of Congress on both sides of the Hill praised the administration's
initial efforts, but they also expressed some skepticism about the
approach. Sen. Dianne Feinstein (D-Calif.) said she "wondered if the nexus
between the public and private sectors will work." 

Rep. Herbert Bateman (R-Va.) said he is "deeply skeptical"  about placing
the CIAO in Commerce rather than in DOD.

Bateman said Commerce's willingness to allow the exportation of critical
satellite and rocketry information to the Chinese left him "unconvinced" 
that Commerce had the same "sensitivity" as the Pentagon has to the
requirements of national security.

0xf>-------------------------------------------------------------------------

Title: Congress Attacks Cyber Defense Funds
Source: Defense News
Date: 6/16/98

U.S. Congress Attacks Cyber Defense Funds
By George I. Seffers, Defense News Staff Writer

WASHINGTON -- Congress is taking millions of dollars from the war chest
intended to protect critical U.S. infrastructure from potentially
crippling cyber attacks, according to Defense Department and White House
sources.

The House Appropriations Committee deleted the entire $69.9 million the
Defense Department had requested for infrastructure protection in its
1999 budget.

That funding should be restored, Linton Wells, principal deputy for the
assistant secretary of defense for command, control, communications and
intelligence, told lawmakers at a June 11 hearing here on protecting
national infrastructures -- telecommunications, banking and finance,
energy, transportation, and essential government services -- from cyber
attack. 

[So they make all these new groups to fight cybercrime.. then
 this?]

0x10>------------------------------------------------------------------------

Title: Mudge on Security Vendors
From: Bugtraq

In the SAFER bulletin they mention compromising software that was
explicitly installed as an additional security measure.

While joking around I was mentioning to some colleagues about the
atrocity of some (most) of the security related products out there right
now. Not in what they are claiming to accomplish but in the lack of sound
coding in their own products. I thought it was pretty much understood but
the amazed looks on their faces told me otherwise. So I figured I might
point this out in case that was not an isolated assumption that these
people had. Hopefully I'm already preaching to the choir on Bugtraq.

[Note - though I explicitly mention ISS and Axent they are by no means any
worse or better than others not mentioned here... in addition I am
referring to older versions of their products. I have not spent time
looking at their most current releases to verify whether things have
improved or gotten worse. Please take this for what it is meant to be - a
general rant about the security vendor world as it stands... not an attack
against particular vendors]

A few real world cases: 

A few revs back in ISS' commercial security scanner there were several
vulnerabilities. One particular company contracted me to come in and give
them a report on the level of competence that an auditing company they had
hired were at.

Sure enough, when the auditor scanned the box that we had set up they were
using ISS (version 3? my memory isn't serving me very well right now).
Upon an attempt to connect to tcp/79 (fingerd) we fed them back a bunch of
'garbage' (well, you know... that garbage that is comprised of a long run
of NOPs followed by machine dependent opcodes and operands :). After a few
tries, root on the scanning machine was handed out as there were no checks
done on the data that was being retrieved (or more accurately assumptions
were being made about the length).

...

Axent swore up and down that their ESM systems were communicating via DES
encrypted channels. In reality the communications were simply XOR'd and
they would send the progressive XOR key every X packets. The DES
components were slated for the 'next rev'. Doesn't matter - the point is
that they shouldn't have done the XOR scheme to begin with when the
purpose of the communications between the client and server are "lists" of
vulnerabilities on said machines. Not something you want advertised to
anyone passively monitoring.

...

I don't know how many "security" packages I've looked at that do
outrageously stupid things like chmod(777), popen(), or system() even! 
Even if the program is running non-privileged and is designed to be on a
system that does not have multiple users it is a demonstration that the
people writing the code to protect your systems (often at outrageous price
tags!) seem incapable of demonstrating sane coding techniques themselves.

How is one supposed to get 'warm fuzzies' that one is having their systems
"protected" when the products doing the protecting show no security
competence. 

Vendors listen up!

.mudge
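
The length assumption described in the scanner case above, seen from the defender's side: an added example (not part of the post, and not any vendor's code) of a scanner-side reader that bounds and sanitizes whatever a probed service sends back. BANNER_MAX, struct banner, read_banner and demo_reply are hypothetical names, and the replies fed to it are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BANNER_MAX 256   /* assumed cap on what the scanner keeps per reply */

/* What the scanner retains from one reply of a probed service. */
struct banner {
    char   text[BANNER_MAX]; /* always NUL-terminated, printable bytes only */
    size_t len;              /* bytes stored in text */
    int    truncated;        /* 1 if the peer sent more than we keep */
};

/*
 * Read a reply from fd into b. The peer controls both the content and the
 * length, so the copy is bounded by sizeof b->text and never by what the
 * peer chooses to send. The unsafe pattern this replaces is a fixed buffer
 * filled by a read or copy that assumes the reply is "short".
 * Returns 0 on success (including truncation), -1 on a read error.
 */
int read_banner(int fd, struct banner *b)
{
    char chunk[128];
    ssize_t n;

    memset(b, 0, sizeof *b);
    for (;;) {
        n = read(fd, chunk, sizeof chunk);
        if (n < 0 && errno == EINTR)
            continue;                    /* interrupted, retry */
        if (n <= 0)
            break;                       /* EOF or error */
        for (ssize_t i = 0; i < n; i++) {
            unsigned char c = (unsigned char)chunk[i];
            if (b->len >= sizeof b->text - 1) {
                b->truncated = 1;        /* drop the rest, keep the flag */
                break;
            }
            /* Keep reports and terminals safe from raw binary. */
            b->text[b->len++] = (isprint(c) || c == '\n') ? (char)c : '.';
        }
        if (b->truncated)
            break;
    }
    b->text[b->len] = '\0';
    return n < 0 ? -1 : 0;
}

/* Feed `n` constructed bytes through a pipe as if a remote service had
 * sent them, and collect what read_banner keeps (n must fit in the pipe
 * buffer; a few KB is fine). */
int demo_reply(const void *data, size_t n, struct banner *out)
{
    int p[2], rc;

    if (pipe(p) != 0)
        return -1;
    if (write(p[1], data, n) != (ssize_t)n) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    close(p[1]);                         /* reader sees EOF after the data */
    rc = read_banner(p[0], out);
    close(p[0]);
    return rc;
}

int main(void)
{
    struct banner b;
    unsigned char junk[2000];

    /* Constructed hostile reply: 2000 non-text bytes where a short line
     * of text was expected. */
    memset(junk, 0x90, sizeof junk);
    if (demo_reply(junk, sizeof junk, &b) == 0)
        printf("kept %zu bytes, truncated=%d\n", b.len, b.truncated);

    if (demo_reply("no such user\n", 13, &b) == 0)
        printf("kept %zu bytes, truncated=%d: %s", b.len, b.truncated, b.text);
    return 0;
}
```

A reply that sets the truncated flag, or that is mostly non-printable, is itself worth logging as a finding about the host being scanned.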

0x11>------------------------------------------------------------------------

Title: More delays for Mitnick trial
By: Kevin Poulsen
Date: November 25, 1998 3:33 PM PT
Source: ZDNet

Accusing government attorneys of stalling efforts to collect key documents
for his case, the defense attorney representing Kevin Mitnick, famed
criminal hacker, requested a continuance on Tuesday. According to Donald
Randolph's motion, the government missed a court-ordered deadline to
provide the defense with copies of prosecution witnesses' statements.  The
statements were finally handed over on Tuesday, almost a month late. 

In addition, the prosecution is almost a week behind in handing over a
list of evidence to the defense. Some electronic evidence is being
withheld completely, claimed Randolph.

Prosecution delays

"Due to the government's significant delay in producing discovery as
ordered by this court, and due to its continuing failure to produce
certain discoverable evidence altogether, the defense cannot competently
complete its investigations and prepare for trial in this matter absent a
reasonable continuance in the trial date," stated the motion. 

The original trial was scheduled for Jan. 19, 1999. 

The prosecutors attacked any delay. "The contention that we have been late
with materials is disingenuous," says prosecutor David Schindler.  "We've
provided thousands of pages of discovery."

Government mole? 

The text of the motion also implied that the government had paid a
one-time Mitnick cohort and employee of Mitnick's previous attorney, Ron
Austin, to spy on his client.

"Austin was privy to confidential communications between Mr. Mitnick and
Mr. Sherman which he later disclosed to the government," said the
statement.

0x12>------------------------------------------------------------------------

Title: 'Back door' doesn't get very far 
Source: San Jose Mercury News

A U.S. government panel has failed in a two-year effort to design a
federal computer security system that includes ''back doors,'' a feature
that would enable snooping by law enforcement agencies, people familiar
with the effort said this week. The failure casts further doubt on the
Clinton administration policy -- required for government agencies and
strongly encouraged for the private sector -- of including such back doors
in computer encryption technology used to protect computer data and
communications, according to outside experts. 

But administration officials said the panel, which is set to expire in
July, simply needed more time. The 22-member panel appointed by the
secretary of commerce in 1996 concluded at a meeting last week that it
could not overcome the technical hurdles involved in creating a
large-scale infrastructure that would meet the needs of law enforcers,
panel members said. The group was tapped to write a formal government plan
known as a ''Federal Information Processing Standard,'' or FIPS, detailing
how government agencies should build systems including back doors.

0x13>------------------------------------------------------------------------

Title: ICSA Goon Pretends to be a Hacker        [my title]
Source: Forbes Digital Tool
By: Adam Penenberg

J3 spends his days trolling around the hacker underground, monitoring
hacker channels on Internet Relay Chat, checking out the latest on
"phreaking,"--cracking the phone system-- dialing up bulletin boards and
checking out web sites that offer password-cracking software and how-to
guides. 
 
For J3 this isn't just a hobby, it's a job. 
 
ICSA, a computer security firm, hired J3 (not his real name nor his online
"nick", since his success depends on total anonymity) two years ago as the
company's lead underground analyst. His mission: to keep tabs on the
latest trends and tools in the hacker world. When he gets wind of a new
security hole, he passes the information on to ICSA's tech staff so that
the company can either develop a defense or tip off software makers before
the flaw can be exploited. 

J3 is very busy. Recently, a group of European hackers released a Trojan
horse-like program that would enable them to set up backdoors in geeky
programs known only to network administrators, such as "named" programs
related to domain name servers, a basic component of any network connected
to the larger Internet. J3 found out about it in the course of his
monitoring, passed it on to ICSA, and the company informed CERT (Computer
Emergency Response Team) which posted an advisory. 

He was also instrumental in helping ICSA detect two types of denial of
service attack modes--Teardrop and Land--that were being used to exploit
vulnerabilities in the TCP/IP protocol. These new attacks took advantage
of tweaks that would beat existing patches, which made it difficult for
system administrators to stay ahead of hackers. But J3, because of his
links to the underground, was able to learn of these exploits shortly
after they were posted on hacker channels. 

"I'm proud of a lot of the work we do," J3 says. "I've found a company's
entire password file posted to a web site, or that hackers have root in a
network or that a merchant site with a database of credit cards has been
compromised. I then contact the companies and warn them." 

He says that the Internet is a lot like Lord of the Flies, a nasty,
violent--yet virtual--world where the strong intimidate the weak. Not all
hackers are destructive, of course. There are many good ones on a quest
for pure information, the lifeblood of their avocation, who post security
flaws because they believe it's the best way to fix them.  It's the ones
who exploit these flaws to cause damage that irritate J3. 

But they have a vulnerability: their need for self-aggrandizement, which
is key to J3's success. "If hackers didn't brag," he says, "I wouldn't
have a job." 
 
J3, who works mostly nights since the Internet never sleeps, isn't just a
full-time worker. He's also a graduate student working on his Ph.D. in
psychology. And his area of study? 
 
Hackers, of course. 

0x14>------------------------------------------------------------------------

Title: Is Your kid a Hacker
Source: Family PC Magazine
Date: November 1998
By: Kevin Poulsen

If you suspect your kid is a computer hacker, here's some advice from a
convicted hacker on how to handle it

It starts with a knock on the door.  A dozen men in suits and shoulder
holsters are outside, their Buicks and Broncos crammed into your driveway
and parked along the street.  Over their shoulders you can see your
bathrobe-clad neighbors watching the spectacle from their lawns.  It might
be the FBI, it may be the Secret Service, but whoever it is, the humorless
agents hand you a piece of paper and head toward your son or daughter's
room.  You wonder, perhaps for the first time, what your kid has been
doing in there with the computer.

If you're a parent, you probably regard the Internet as a font of both
promise and peril for your children.  It can be an invaluable learning
tool and a way to encourage your kids to develop the basic computer skills
they'll eventually need.  But what if they take to it a little too eagerly
and enthusiastically and begin using it to get into places where they
don't belong?  In that case, normal youthful rebellion, or simple
inquisitiveness, if it's expressed over the Internet, could turn your
family upside down. 

It happened last February in Cloverdale, California, when surprised
parents found out their teenage son was suspected in a series of Pentagon
intrusions.  It happened again in Massachusetts a week later, when the
Justice Department won its first juvenile conviction under the Federal
Computer Fraud and Abuse Act.

It happened to my family 15 years ago, in one of the first hacker raids in
the country.  At that time, I was the teenage miscreant who was illegally
accessing federal computers.  Now, in my early thirties, I've begun to
wonder how I would protect a kid of my own from becoming a poster child
for computer crime.  I believe the best approach is to stay informed and
to communicate with your potential cyberpunks.

Open Communication Channels

Some of the things you might view as ominous warning signs are actually
quite harmless.  For example, if your teenager calls himself a "hacker," 
he may not be headed for trouble.  Despite the media's breathless
exhortation, hackers are not lawbreakers by definition.  The word actually
describes someone with a talent for technology, a deep interest in how
things work, and a tendency to reject any limitations.  If your son
disassembled the Giga Pet you gave him for Christmas, he's probably a
hacker.  If he made it run better, he definitely is.  Of course, some
hackers go further and test their skills against the adult world of
corporate and governmental computer systems.

If I thought my kids were cracking computers, I would want to put a stop
to it -- though not because it's the crime of the century. True hackers
live by an ethical code that precludes damaging systems or profiting from
their intrusions.  There are worse values for a teenager to have.  But
regardless of motives, a hacker who's caught in the act today is likely to
be treated as an industrial spy or a national security threat.  A single
moment of rebellious exploration could land a teenager an early felony
conviction.

If you suspect that your kid may be crossing the line, there are various
software packages on the market that will allow you to monitor or control
his or her access to the Internet.  Don't even think about using one.  If
your teen really is a hacker, your technological solution will be a source
of amusement and derision, as well as an insult to his talents. Instead of
putting up barriers, I suggest you talk to your kids.

If your kid is reading underground Web sites for hackers, read them
yourself.  If he has a subscription to a hacker magazine, go through it
and ask questions.  Feel free to marvel at the cleverness of the latest
hacker technique.  Then talk about consequences: the rising costs of legal
representation, the problems that a convicted felon encounters in academia
and the job market.  Start looking at alternatives to a life of
cybercrime. 

Constructive Alternatives

If your kid has a rebellious streak, I suggest giving up on trying to
suppress it; try to channel it instead.  When hackers grow up, they often
find a reasonable substitute for the thrill of intrusion by working the
other side.  Ask your teen how he would plug the latest security holes. 
Get him thinking about it.  Ask him for advice on protecting your own
e-mail or your ISP account. 

The hacker tradition has always contained an element of disrespect for
authority. Up until 15 years ago, cracking systems was an acceptable rite
of passage in the industry, and some of the same people who pioneered
artificial intelligence and the personal computer also ushered in phone
phreaking, lock hacking, and computer intrusion. Early hackers believed
that computers were a public resource and that access to them and
knowledge about them should be free.

In a sense, the first-generation hackers won their battle when they
created the personal computer: It gave them free access to computing power
anytime they wanted.  Today, kids can claim that victory on the Internet
by authoring a Web page.  There is plenty of room for innovation and
creativity.

Today's PCs are as powerful as yesterday's mainframes.  With today's PCs,
no one needs to break the law to explore technology. With the right tools,
and parental support, kids can earn the respect of their peers and get an
early start on their future by mastering the latest programming languages. 
If my kid were a hacker, I'd encourage him to shun the instant
gratification of cracking a Fortune 500 company in favor of the greater
satisfaction of creating something unique from scratch.

Ultimately, that's what hacking really is all about. 

0x15>------------------------------------------------------------------------

Title: Paging Network Hijacked              
By: Chris Oakes
Date: 4:00am  24.Jul.98.PDT

[A non internet hacking article! Woohoo!]

Someone in Texas exploited a vulnerability in the PageMart paging network
this week, sending a flurry of mysterious pages to tiny screens
nationwide, confusing subscribers, and swamping the company's customer
service center with phone calls.

PageMart said a random discovery enabled the intruder to use a set of
pager addressing numbers to send messages to entire groups of customers,
rather than individual subscribers. But a security expert said the system
may have been hacked.
                                     
PageMart spokeswoman Bridget Cavanaugh detailed Wednesday's incident in an
email late Thursday.  "A person, unknown to PageMart," she said,
"discovered that three PINs [personal identification numbers] on our
paging terminal in Dallas were actually mail drops." 

[snip...]

On Wednesday, PageMart customer and San Francisco resident Jeremiah Kelly
reported that he received odd messages for a period of about an hour and a
half on Wednesday afternoon.

Upon receiving one incomprehensible page -- unrecognizable in source or
content -- he suspected a simple "wrong-number" message. "But then, all of
a sudden, I got a blitz," Kelly said. Most notable was a recurring
message: "There is only one blu bula."

"I received one of those several times," he said. Another pair of messages
said "Mike, you're Mom drives a Passat," and another was sexually
suggestive. Both of the latter pages were signed "Christian." Kelly said
he received about 30 of the senseless messages.

[snip...]

"The incident impacted about 1.5 percent of our customers nationwide," 
Cavanaugh said.  "Statistically, it's a small number." PageMart provides
numeric and text paging service in all 50 states, Canada, Mexico, Central
America, and the Caribbean, serving approximately 2.7 million customers.

"It's a perfect example of how overconfidence can eventually cause a
problem," said Peter Shipley, who analyzes and bolsters system security
for accounting firm KPMG Peat Marwick.

Though it wasn't clear that PageMart's system was actually broken into,
Shipley said poor protection against break-ins is all too common. "I'm in
the business of doing these type of security audits, and a large number of
systems I've seen have easy password access -- under the assumption of
'why would somebody want to hack it?'"

In fact, paging services are responsible for enormously valuable data,
from billing addresses to credit card information and more, Shipley said. 
Then there are the messages themselves, which can be easily netted as they
make their way through the airwaves.

"Smaller companies believe they are not targets [for hackers],"  concluded
KPMG's Shipley. "But small companies are as equally targeted as large
companies. They're stepping stones -- the small fish that hackers start
on."

0x16>------------------------------------------------------------------------

Title: FBI busts hacker who sold clandestine accounts on PageNet system
Date: July 30, 1998 7:28 p.m. EDT
Source: Nando Times

PageNet Inc., one of the largest wireless message providers, said U.S.
federal agents arrested a San Diego man Thursday who allegedly set up
unauthorized voice mailboxes and paging accounts on its system, costing
the company about $1 million.

[snip...]

0x17>------------------------------------------------------------------------

Title: EFF DES Cracker Machine Brings Honesty to Crypto Debate
Date: July 17, 1998

"EFF DES CRACKER" MACHINE BRINGS HONESTY TO CRYPTO DEBATE
ELECTRONIC FRONTIER FOUNDATION PROVES THAT DES IS NOT SECURE

SAN FRANCISCO, CA -- The Electronic Frontier Foundation (EFF) today raised
the level of honesty in crypto politics by revealing that the Data
Encryption Standard (DES) is insecure.  The U.S. government has long
pressed industry to limit encryption to DES (and even weaker forms),
without revealing how easy it is to crack.  Continued adherence to this
policy would put critical infrastructures at risk; society should choose a
different course.

To prove the insecurity of DES, EFF built the first unclassified hardware
for cracking messages encoded with it.  On Wednesday of this week the EFF
DES Cracker, which was built for less than $250,000, easily won RSA
Laboratory's "DES Challenge II" contest and a $10,000 cash prize.  It took
the machine less than 3 days to complete the challenge, shattering the
previous record of 39 days set by a massive network of tens of thousands
of computers.  The research results are fully documented in a book
published this week by EFF and O'Reilly and Associates, entitled "Cracking
DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design."

[snip...]

0x18>------------------------------------------------------------------------

Title: Hacking site gets hacked
By: Paul Festa
Source: CNET News.com
Date: October 28, 1998, 11:30 a.m. PT

Hacking and security news and information site Rootshell.com was the
subject of its own coverage today after suffering an early morning hack.

The hack, preserved here, occurred this morning at 5:12 a.m. PT, according
to Rootshell.  Administrators took the site down after discovering the
attack at 6 a.m. PT. The site was restored two hours later.

"Steps have been taken to prevent re-entry, and full details are now being
turned over to law enforcement for what we hope will turn into arrests," 
Rootshell administrator Kit Knox said this morning in a statement.

[Hrm. Let's give out scripts that help every clueless script kiddie
 break into thousands of sites worldwide.. then narc off the one
 that breaks into us. Time to face the music. That's like the pot
 calling the kettle black. Name your cliche', they deserved it.]

Knox later said that the matter had been turned over to the FBI. 

The attacker replaced the Rootshell.com front page with a rambling screed
peppered with profanity as well as references to groups and luminaries in
the hacking world, including imprisoned hacker and perennial cause Kevin
Mitnick.

The attacker also threatened to hit another hacking news site, AntiOnline. 

0x19>------------------------------------------------------------------------

Title: From Criminals to Web Crawlers
By: Kristen Philipkoski 
Date: 4:00am  15.Jul.98.PDT

A crime-fighting search engine used to fight terrorism and insurance scams
may soon find a home at one of the Web's top search engines. The system,
called VCLAS, has helped detectives crack cases all over the world. 

"In 11 days, the PhoneFraud software helped law-enforcement agencies in
New York uncover US$1.2 billion in stolen services," said Jay Valentine,
president and CEO of InfoGlide, the company that owns the VCLAS software
package.

The software is built around a "Similarity Search Engine," which thrives
on imperfect and complex information, data that engineer David Wheeler
said often stumps search algorithms based on neural networks. 

Similarity searching is well-suited to crime work, Wheeler said, because
investigations are often inherently random and disconnected. For instance,
if police are looking for a red vehicle, but a witness says it was maroon,
a traditional keyword search wouldn't register a match since it couldn't
recognize that the colors are similar. 

0x1a>------------------------------------------------------------------------

Title: Running a Microsoft OS on a Network? Our Condolences 
Date: July 21, 1998

[The title alone made this worth including.]

The CULT OF THE DEAD COW (cDc) will release Back Orifice, a remote MS
Windows Administration tool at Defcon VI in Las Vegas (www.defcon.org) on
August 1. Programmed by Sir Dystic [cDc], Back Orifice is a
self-contained, self-installing utility which allows the user to control
and monitor computers running the Windows operating system over a network. 

Sir Dystic sounded like an overworked sysadmin when he said, "The two main
legitimate purposes for BO are, remote tech support aid and employee
monitoring and administering [of a Windows network]." 

Back Orifice is going to be made available to anyone who takes the time to
download it. So what does that mean for anyone who's bought into
Microsoft's Swiss cheese approach to security? Plenty according to Mike
Bloom, Chief Technical Officer for Gomi Media in Toronto. 

[snip...]

None of this is lost on Microsoft. But then again, they don't care. 
Security is way down on their list of priorities according to security
expert Russ Cooper of NT BUGTRAQ (www.ntbugtraq.com). "Microsoft doesn't
care about security because I don't believe they think it affects their
profit. And honestly, it probably doesn't." Nice. But regardless of which
side of the firewall you sit on, you can't afford not to have a copy of
Back Orifice. Here are the specs: 

[snip...]

After August 3, Back Orifice will be available from www.cultdeadcow.com
free of charge. 

0x1b>------------------------------------------------------------------------

Title: Security expert explains New York Times site break in
Date: September 18, 1998
By: Ellen Messmer 

Although the New York Times is not revealing the details of what happened
last weekend when it was hijacked by a hacker group, one security expert
has it figured out.

A group of hackers calling themselves Hackers for Girlies broke into the
Times news site on Sunday. The hackers took control of the site to display
their own diatribe complete with nude images and to protest the arrest of
hacker Kevin Mitnick. The Times worked for half a day to regain command of
its server.

Hackers often break in by exploiting security vulnerabilities associated
with default Common Gateway Interface scripts that ship with Web servers,
according to Patrick Taylor, director of strategic marketing at Internet
Security Systems in Atlanta. They exploit these scripts to send a string
of long commands to cause a buffer overflow that lets them into the
operating system. They first give themselves an account in the system and
then stick in a backdoor Trojan horse program such as "rootkit" to gain
and maintain root control, he said.

"CGI scripts are intended to pass commands from the Web server to
something in the operating system, perhaps to pull database information," 
Taylor said. "But you should get rid of these superfluous CGI scripts and
depend on your own custom scripts."

The Times may have had a long struggle regaining control of its Web site
because the latest Trojan horses are designed so well that they hide
within the operating system, encrypted or even providing the same checksum
as the legitimate operating system.

"It's nefarious--the hacker essentially has remote administration of the
Web server," Taylor said. "You can't rely on a backup of the machine.  You
may have to reinstall the entire operating system."

By coincidence, the Times had once looked at using the ISS security gear,
but decided not to, he said. The Times declined to discuss any aspect of
its Web operations, saying it was "a matter of security."

[The real reason for this article and quoting a PR person from
 ISS maybe? Fact is, ISS didn't audit the network before OR
 after the breakin. How would this guy know the method they used
 to compromise the machine?]

The "Hackers for Girlies" ranted in its own posting to have "busted root" 
on the Times, and directed some invective toward Times reporter John
Markoff and security expert Tsutomu Shimomura for their respective roles
in the investigation of hacker Kevin Mitnick, now held in jail.  Markoff
and Shimomura two years ago collaborated on a book entitled "Takedown" 
about the law enforcement pursuit of Mitnick. In its own account, the
Times said the hacker incident at nytimes.com may be related to an
upcoming trial in January of Mitnick.

While hacker rantings and pornography can be bad enough to discover on a
Web site, a far more serious scenario involves a hijacker more
surreptitiously posting information that has been slightly changed,
leading the reader to view it as authentic.

"This could end up like 'War of the Worlds,' where people went into a
panic because they didn't know what they were hearing on the radio was
made up," commented Doug Barney, Network World news editor.

0x1c>------------------------------------------------------------------------

Title: Merriam-Webster Taken Offline Old Fashioned Way
Date: Wed Aug  5 00:41:57 MDT 1998
Source: www.m-w.com

What happened?

On Thursday night, July 30th, the facility that hosts Merriam-Webster's
Web site was burglarized and its servers were stolen. We've managed to
restore limited capacity, but we need to obtain new hardware from our
suppliers before we can return to full service. We hope to have the entire
site active again in a few days. We apologize for the inconvenience and
hope you will bear with us as we deal with the situation. 

Thank you for your patience.

--The Merriam-Webster Web Team

[Guess we shouldn't put the computer by the window...]

0x1d>------------------------------------------------------------------------

Title: Long Haired Hacker Works Magic           [my title]
Source: Nando Times
Date: September 20, 1998

The hacker calling himself Mudge pushed his long hair back, scratched his
beard and stared at the computer screen. He knew there was something wrong
with the data traffic he was watching, but what was it?
 
A week earlier, Mudge and his fellow hackers in their hangout known as the
L0pht -- pronounced "loft" -- had acquired some software that was supposed
to let computers talk to each other in code. But as Mudge watched the data
he realized someone else was doing the same and maybe even decoding it,
which shouldn't happen.
 
"So you are saying that you're using DES to communicate between the
computers?" Mudge recalled asking representatives of the software maker. 
Yes, they said, they were using DES, a standard encryption method that for
years was considered virtually uncrackable.

But this wasn't DES, thought Mudge. It's almost as if... 

Whoa. He blinked and felt the adrenaline kick in. This wasn't secure at
all. In fact, the encoding was only slightly more complex than the simple
ciphers kids did in grade school -- where "A" is set to 1, "B"  is set to
2, and so on.

The company was selling this software as a secure product, charging
customers up to $10,000. And yet, it had a security hole big enough to
waltz through.
 
Instead of exploiting this knowledge, Mudge confronted the company. 

"You realize there isn't any secure or 'strong' encoding being used in
your communications between the computers, don't you?" he asked.

"Well..." 

"And that you claimed you were using DES to encrypt the data," he pressed. 

"That will go in the next revision." 

Mudge is a "real" hacker -- one who used to snoop around the nation's
electronic infrastructure for the sheer love of knowing how it worked. His
kind today are sighted about as often as the timberwolf, and society has
attached to them the same level of legend.

Like the wolf, they were once considered a scourge. Law enforcement and
telecommunication companies investigated and arrested many of them during
the late 1980s and early '90s.

Today, many elite hackers of the past are making a go at legitimate work,
getting paid big bucks by Fortune 500 companies to explore computer
networks and find the weak spots. 

And none too soon. The void left by the old hackers has been filled by a
new, more destructive generation.

So today, Mudge -- who uses a pseudonym like others in the hacker
community, a world where anonymity keeps you out of trouble -- wears a
white hat. As part of L0pht, the hacker think tank, he and six comrades
hole up in a South End loft space in Boston and spend their evenings
peeling open software and computer networks to see how they work.

When they find vulnerabilities in supposedly secure systems, they publish
their findings on the Web in hopes of embarrassing the companies into
fixing the problems. A recent example: They posted notice via the Internet
of a problem that makes Lotus Notes vulnerable to malicious hackers...

A Lotus spokesman said the company was aware of the flaw but it was
extremely technical and unlikely to affect anyone.

The hackers at L0pht have made enemies among industry people, but they
command respect. They were even called to testify before the U.S.  Senate
Committee on Governmental Affairs in May. 

Why do they publish what they find? 

"If that information doesn't get out," Mudge replies, "then only the bad
guys will have it."
 
The "bad guys" are the hacker cliche: secretive teens lurking online,
stealing credit card numbers, breaking into Pentagon systems, and
generally causing trouble. One of L0pht's members, Kingpin, was just such
a cad when he was younger, extending his online shenanigans to real-world
breaking and entering. Today, L0pht keeps him out of mischief, he said.

"We're like midnight basketball for hackers," said Weld Pond, another
member.
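
The check behind the Mudge anecdote above can be shown in a few lines. This is an added example, not part of the original article and not L0pht's code: it tests whether traffic that is claimed to be encrypted is statistically consistent with a real cipher or with a fixed substitution table. The sample text, the function names, and the SHA-256 keystream (a stand-in for real cipher output, since the Python standard library has no DES) are all assumptions made for illustration.

```python
import hashlib
import random
from collections import Counter
from math import log2

MIN_SAMPLE = 512  # below this many bytes the statistics are too noisy to judge

# Constructed sample traffic, not a capture from any real product.
PLAINTEXT = (b"status report from host alpha: all services are running and "
             b"the nightly backup finished without errors. ") * 20


def substitution_encode(data: bytes, seed: int = 1998) -> bytes:
    """Toy fixed-table cipher: each byte value always maps to the same byte."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return data.translate(bytes(table))


def keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for real cipher output: XOR with a SHA-256 counter keystream.

    Used only to produce statistically random-looking bytes; it is not DES.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def index_of_coincidence(data: bytes) -> float:
    """Chance that two bytes drawn from the sample are equal.

    Uniform random bytes give about 1/256 (0.0039); natural-language text,
    and any one-to-one substitution of it, gives a value many times higher.
    """
    n = len(data)
    return sum(c * (c - 1) for c in Counter(data).values()) / (n * (n - 1))


def assess(payload: bytes) -> dict:
    """Classify a payload as 'plausible', 'weak' or 'insufficient'.

    'weak' disproves a claim of strong encryption. 'plausible' does not
    prove it: compressed data or a flawed cipher can also look random.
    """
    if len(payload) < MIN_SAMPLE:
        return {"verdict": "insufficient", "entropy": None, "ic": None}
    h = entropy_bits(payload)
    ic = index_of_coincidence(payload)
    verdict = "plausible" if h > 7.5 and ic < 0.006 else "weak"
    return {"verdict": verdict, "entropy": h, "ic": ic}


if __name__ == "__main__":
    samples = {
        "substitution table": substitution_encode(PLAINTEXT),
        "keystream stand-in": keystream_encrypt(PLAINTEXT, b"constructed-key"),
    }
    for name, payload in samples.items():
        r = assess(payload)
        print(f"{name:20s} entropy={r['entropy']:.2f} "
              f"ic={r['ic']:.4f} -> {r['verdict']}")
```

A substitution table leaves the byte-frequency profile of the plaintext untouched, which is why the index of coincidence of the encoded sample equals that of the plaintext.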
 
****

Malicious hacking seems to be on the rise. 

Nearly two out of three companies reported unauthorized use of their
computer systems in the past year, according to a study by the Computer
Security Institute and the FBI. Another study, from Software AG Americas,
said 7 percent of companies reported a "very serious"  security breach,
and an additional 16 percent reported "worrisome"  breaches. However, 72
percent said the intrusions were relatively minor with no damage.

American companies spent almost $6.3 billion on computer security last
year, according to research firm DataQuest. The market is expected to grow
to $13 billion by 2000.

Government computers are vulnerable, too. The Defense Department suffered
almost 250,000 hacks in 1995, the General Accounting Office reported. Most
were detected only long after the attack. 

This is why business booms for good-guy hackers. 

Jeff Moss, a security expert with Secure Computing Inc., runs a
$995-a-ticket professional conference for network administrators, where
hackers-cum-consultants mingle with military brass and CEOs.

"I don't feel like a sellout," said Moss, who wouldn't elaborate on his
hacking background. "People used to do this because they were really into
it. Now you can be into it and be paid."

News reports show why such services are needed: 

----Earlier this month, hackers struck the Web site of The New York Times,
forcing the company to shutter it for hours. Spokeswoman Nancy Nielsen
said the break-in was being treated as a crime, not a prank.  The FBI's
computer crime unit was investigating. 

----This spring, two California teenagers were arrested for trying to hack
the Pentagon's computers. Israeli teen Ehud Tenenbaum, also known as "The
Analyzer," said he mentored the two on how to do it. The two Cloverdale,
Calif., youths pleaded guilty in late July and were placed on probation.

----Kevin Mitnick, the only hacker to make the FBI's 10 Most Wanted list,
was arrested in 1995, accused of stealing 20,000 credit card numbers. He
remains in prison. A film called "TakeDown," about the electronic
sleuthing that led to Mitnick's capture, is in the works.  Comments
protesting Mitnick's prosecution were left during the hack of the New York
Times Web site.

----In 1994, Vladimir Levin, a graduate of St. Petersburg Tekhnologichesky
University, allegedly masterminded a Russian hacker gang and stole $10
million from Citibank computers. A year later, he was arrested by Interpol
at Heathrow airport in London.

******

"Lemme tell ya," growled Mark Abene one night over Japanese steak skewers. 
"Kids these days, they got no respect for their elders."

Abene, known among fellow hackers as Phiber Optik, should know. He was one
of those no-account kids in the 1980s when he discovered telephones and
computers. For almost 10 years, he wandered freely through the nation's
telephone computer systems and, oh, the things he did and saw. 

Celebrities' credit reports were his for the taking. Unlimited free phone
calls from pilfered long-distance calling card numbers. Private phone
lines for his buddies, not listed anywhere. And the arcane knowledge of
trunk lines, switches, the entire glory of the network that connected New
York City to the rest of the world.

But Abene's ticket to ride was canceled in January 1994, when, at age 22,
he entered Pennsylvania's Schuylkill Prison to begin serving a
year-and-a-day sentence for computer trespassing. The FBI and the Secret
Service described him as a menace. The sentencing judge said Abene, as a
spokesman for the hacking community, would be made an example.

And yet, to many in the digital community, Abene's offenses amounted to
unbridled curiosity. He was just a kid poking around, doing what teen boys
do, going to places they're told to avoid.

"Phree Phiber Optik" pins appeared. Many felt Abene embodied the hacker
ethic espoused by his friend and fellow hacker, Paul Stira:  "Thou Shalt
Not Destroy."

With black hair parted in the middle and falling to the center of his
back, a thin beard ringing his mouth, the 26-year-old Abene still looks
like a mischievous kid. Hacking, he said, is hardwired in boys.  When they
play with toys when they're young, they break them, then try to figure out
how the parts fit back together.

He added, "For some of us, it just never goes away." 

******

Still, the hackers of the 1980s and early '90s have grown up. Some got
busted, others simply graduated from college and fell out of the scene.

Today, many want to be seen as mainstream, said Jeremy Rauch, a network
security expert for Secure Computing Inc. When it's time to talk
consulting contracts with major corporations, the hair gets neatly combed,
the suit replaces the combat boots and black T-shirt, and the
counterculture rhetoric gets toned down.

A hacker in San Francisco who edits the online publication Phrack and goes
by the pseudonym Route talks about his job at a security firm as a sign of
maturity. Contentedly, he notes he can work from home, write as much code
as he can and never punch a clock. 

"Are there still hackers out there?" asked Mike Godwin, counsel for the
Electronic Frontier Foundation, a cyber-rights group. In the early 1990s,
he pushed hard for the organization to champion Abene and other members of
the cyber gang Masters of Deception. By 1993, he said, hysteria
surrounding hackers began to sputter, to be replaced by a fear of
pornography.

"There never were very many hackers," he said, not major ones, anyway. 
Mainly, they were and are "this tiny minority of 13- to 18-year-olds who
learned how to make toll-calls for free."

Today's younger hackers pull programs off the Web that sniff for passwords
and unlock backdoors automatically. It's the equivalent of rattling every
door on a street and finally getting lucky, chancing upon one that's
unlocked. 

As for the true hackers of the first generation, Godwin said: "These guys
are genuinely smart and genuinely have a fascination with the technology. 
And they're mostly harmless."

*********

What do younger hackers say to all this? 

Not much, if you judge by interviews at DefCon6.0, the sixth annual hacker
forum and party held in Las Vegas at the end of July.

Some said they hack to learn. Others took a counter-culture stance: 
hacking as civil disobedience. They wouldn't give names or talk
specifically about any criminal activities. It was as if they wanted to
present themselves as blank slates, upon which the fears of their
non-wired elders could be inscribed.

At DefCon, they set off stink bombs at one point, and pulled other
juvenile pranks.

"Paging Mr. Mitnick," the intercom droned through the hotel-casino's
meeting rooms. The unwitting hotel staff member repeated the call for the
jailed hacker. "Paging Mr. Kevin Mitnick."

Pony-tailed guys dressed in black smirked. Gotcha. 

As hard house and techno music provided a soundtrack, they drooled over
new software and pawed through piles of stuff for sale: computer
equipment, of course, but also more books on conspiracy, privacy
protection, and police methods than any paranoid could want.

Among the titles: "Scanners & Secret Frequencies," "Secrets of a Super
Hacker," even "Throbbing Modems."

The kids flocked to DefCon's talk by the "white hat" hackers of L0pht. 

"We're in the middle generation right now," said convention organizer
Moss. "You've got your original hackers from MIT -- the old school -- who
are established. They're the forefathers of this information revolution. 
And you've got us who watched computers go from mainframe to desktop to
laptop. And you've got the younger generation that have always known
computers." 

0x1e>------------------------------------------------------------------------

Title: Body of Evidence
By: Beverly Hanly
Date: 4:00am  5.Aug.98.PDT

Real criminals are tried in real courts, so why shouldn't virtual
criminals be tried in virtual courts?

A handful of legal scholars from the Institute on the Arts and Civic
Dialogue (IACD) are mulling over the question and will convene Wednesday
to discuss whether virtual courts are the best forum for cybercrime trials
and if a virtual legal system could lead to new legal processes regarding
real world crimes.

The experts will join multimedia artist Shu Lea Cheang, creator of the
Brandon project, for a webcast forum from 8 to 11 pm, EDT, at the Harvard
Law School.

The group will play out a fictitious courtroom drama based on several
disputes involving cyberetiquette, gender identity, and the hazy line
between fantasy vs. reality as the first public forum in the year-long
Brandon project commissioned by New York's Guggenheim Museum. Brandon
explores issues of gender identity and the consequences of experimenting
with sexuality in real life and in cyberspace.

The ongoing media and legal debate regarding hate speech and the
proliferation of sexual content on the Internet and whether or not these
are harmful -- and to whom -- is the territory the mock trial will cover.

Harvard theater director Liz Diamond will collaborate with Cheang to guide
the group as they dramatize elements drawn from real-life sexual assault
cases, including that of the project's namesake Teena Brandon, a
transsexual who was murdered in Nebraska in 1993. Other cases will involve
a virtual trial for "cyberrape," a MUD character named Mr.  Bungle, and
the FBI arrest of Michigan student Jake Baker for his rape-and-murder
fantasy about a fellow student posted to a Usenet newsgroup in 1994.

Actors will play the roles of victims and perpetrators, while professors
from Harvard, University of Virginia, and Columbia law schools will act as
"standing jurors" to examine and comment on the legalities.

"This is a venue where you can experiment with the process and substance
of these [cyberlaw] cases,"  said Jennifer Mnookin, professor of law at
Virginia's School of Law in Charlottesville, who will sit in on the
session. She feels that virtual worlds like LambdaMOO can provide a new
and more appropriate arena for dispute resolution.

"Part of what's at issue here is how much someone can be hurt with words," 
said Mnookin. "Someone who commits a violation in cyberspace shouldn't
necessarily be subject to consequences in real courtrooms. Something like
the LambdaMOO 'cyberrape' was appropriately settled in a virtual court. 
The perpetrator was expelled from that world, his virtual identity was
annihilated -- he was 'toaded.' What is a violation in one world might not
be in another."

Virtual penalties can translate from one world to the other as well. 
Cheang, in her virtual court, suggests the idea of "virtual castration" as
an alternative to "chemical castration" advocated by some as a way of
dealing with sexual offenders.

The August public event in Cambridge, Massachusetts, is the first time
since the Brandon project began on 20 June that Cheang will be able to
interact with both a live and a Net audience.

"The test will serve as a base toward constructing a digiarchitextual
space of a virtual court at the Guggenheim's [proposed] virtual museum," 
said Cheang, who will collaborate with an architect of physical spaces to
create a "courtroom"  at the museum. "My work has always fused actual and
virtual space."

Netizens need nothing more than an Internet connection to tune in to the
mock trial. But Cheang also wants to include a public that has no access
to Net technology.

Anyone in the Harvard area who's interested can physically attend the
staged trial. In New York, street audiences can visit the Guggenheim
SoHo's video wall, which is made up of 75 contiguous 40-inch projection
cubes. The video wall will display images from the Brandon project and
audiences will be able to interact at scheduled times.

"We're not sure how the 'experimentation' with the audience will go," said
Cheang.  "Maybe we'll fail badly. But it is this uncertainty, this feeling
that we're exploring new ground in public interaction that is most
exciting for me and my collaborators here at the Institute."

Law professor Mnookin looks at the experiment as a venue that can open up
the dialog on cyberlaw issues. "What's interesting to me about 'virtual
law' is that it's much more obvious than in the real world that the rules
are malleable, that they're created by the participants.

"In the real world, it's easy to take the legal processes for granted, to
assume that [those processes] can't easily be transformed," she continued. 
"If virtual worlds are used as laboratories, it's easier to recognize the
possibilities for change -- both within a virtual environment, and, just
maybe, in the real world as well."

The Brandon Project is hosted at Harvard in conjunction with the brand-new
IACD until 14 August. IACD puts artists in various media together with a
community of scholars, journalists, and civic activists to explore current
events and controversies.

After the test trial, Cheang will move on to Amsterdam, Netherlands, to
begin setting up the next live installation of the project: "Digi Gender,
Social Body: Under the Knife, Under the Spell of Anesthesia,"  to be
webcast in September 1998. "Would the Jurors Please Stand Up? Crime and
Punishment as Net Spectacle" is scheduled for May 1999.

0x1f>------------------------------------------------------------------------

Title: The Golden Age of Hacktivism
By: Niall McKay
Date: 4:00a.m.  22.Sep.98.PDT

On the eve of Sweden's general election, Internet saboteurs targeted the
Web site of that country's right-wing Moderates political party, defacing
pages and establishing links to the homepages of the left-wing party and a
pornography site.

But the Scandinavian crack Saturday was not the work of bored juveniles
armed with a Unix account, a slice of easily compiled code, and a few
hours to kill. It advanced a specific political agenda.

"The future of activism is on the Internet," said Stanton McCandlish,
program director of the Electronic Frontier Foundation. "More and more,
what is considered an offline issue, such as protesting the treatment of
the Zapatistas in Mexico, is being protested on the Net."

In the computer-security community, it's called "hacktivism," a kind of
electronic civil disobedience in which activists take direct action by
breaking into or protesting with government or corporate computer systems. 
It's a kind of low-level information warfare, and it's on the rise.

Last week, for example, a group of hackers called X-pilot rewrote the home
page of a Mexican government site to protest what they said were instances
of government corruption and censorship.  The group, which did not reply
to several emails, made the claims to the Hacker News Network. The
hacktivists were bringing an offline issue into the online world,
McCandlish said.

The phenomenon is becoming common enough that next month, the longtime
computer-security group, the Cult of the Dead Cow, will launch the resource
site hacktivism.org. The site will host online workshops, demonstrations,
and software tools for digital activists.

"We want to provide resources to empower people who want to take part in
activism on the Internet," said Oxblood Ruffian, a former United Nations
consultant who belongs to the Cult of the Dead Cow.

Oxblood Ruffian's group is no newcomer to hacktivism. They have been
working with the Hong Kong Blondes, a near-mythical group of Chinese
dissidents that have been infiltrating police and security networks in
China in an effort to forewarn political targets of imminent arrests.

In a recent Wired News article, a member of the group said it would target
the networks and Web sites of US companies doing business with China.

Other recent hacktivist actions include a wave of attacks in August that
drew attention to alleged human rights abuses in Indonesia. In June,
attacks on computer systems in India's atomic energy research lab
protested that country's nuclear bomb tests.

More recently, on Mexican Independence Day, a US-based group called
Electronic Disturbance Theater targeted the Web site of Mexican President
Ernesto Zedillo.  The action was intended to protest Zedillo's alleged
mistreatment of the Zapatista rebels in Chiapas. Nearly 8,000 people
participated in the digital sit-in, which attempted to overwhelm the
Mexican president's Web servers.

"What we are trying to do is to find a place where the public can register
their dissatisfaction in cyberspace, so that your everyday [mouse] clicker
can participate in a public protest," said EDT co-founder Ricardo. 

The apparent increase in hacktivism may be due in part to the growing
importance of the Internet as a means of communication. As more people go
online, Web sites become high-profile targets.

It also demonstrates that many government sites are fairly easy to crack,
said one former member of Milw0rm, the now defunct group that defaced the
Indian research lab's Web site. In an interview in Internet Relay Chat,
the cracker rattled off a list of vulnerable US government Web sites --
including one hosting an electron particle accelerator and another of a US
politician -- and their susceptibility to bugs.

"They don't pay enough for computer people," said the cracker, who goes by
the name t3k-9. "You get $50,000 for a $150,000 job." 

Some security experts also believe that there is a new generation of
crackers emerging. "The rise in political cracking in the past couple of
years is because we now have the first generation of kids that have grown
up with the Net," said John Vranesevich, founder of the computer security Web
site AntiOnline. "The first generation of the kids that grew up hacking
are now between 25 and 35 - often the most politically active years in
people's lives."

"When the Cult of the Dead Cow was started in 1984, the average age [of
our members] was 14, and they spent their time hacking soda machines," 
said Oxblood Ruffian. "But the last couple of years has marked a turning
point for us.  Our members are older, politicized, and extremely
technically proficient."

While hacktivists are lining up along one border, police and law
enforcement officials are lining up along another.

This year the FBI will establish a cyber warfare center called the
National Infrastructure Protection Center. The US$64 million organization
will replace the Computer Investigations and Infrastructure Threat
Assessment Center and involve the intelligence community and the military.

Alan Paller, director of research for the SANS Institute, said the FBI is
staffing the new facility with the government's top security experts. 
"They are stealing people from good places, including a woman from the
Department of Energy who was particularly good," he said in a recent
interview. "They are taking brilliant people."

Paller also said that a grassroots effort is under way in Washington to
establish a National Intrusion Center, modeled after the Centers for
Disease Control.

"There is definitely an increased threat of cyber terrorism," said Stephen
Berry, spokesman for the FBI press office in Washington.

As offline protests -- which are protected in the United States by the
constitution -- enter the next digital age, the question remains: How will
the FBI draw the distinction between relatively benign online political
protests and cyber terrorism?

0x20>------------------------------------------------------------------------

Title: Phrack straddles the world of hackers
Source: Nando Times
Date: September 20, 1998

The lines of text scrolled off the screen quickly, but the bleached-blond
hacker snatched quick glances at the visitors' log on his Web page. Lots
of visitors using military and government computers. The hacker, who calls
himself Route, said he always gets a kick out of the feds' visits. He
smiled. 
 
The FBI, the CIA and the others "wouldn't be doing their job if they
weren't tracking computer information both legitimate and illegitimate," 
Route said. "I guess Phrack falls somewhere in between."
 
Phrack is an online publication called a 'zine. It's a digital chimera: 
written for hackers but read by law enforcement, too. It's been the
subject of federal prosecution, yet it still operates in the open. Its
name combines "hack" and "phreak," which refers to phone hacking.
 
It's got attitude, technical know-how and in many ways defines today's
hacker scene. It first hit the electronic bulletin boards Nov. 17, 1985,
ages ago in hacker years.
 
To put its longevity in perspective, Phrack came out two years after the
movie "WarGames" in which actor Matthew Broderick established the
now-cliched image of the hacker as the lonely kid who altered his grades
with a computer. Phrack predates the World Wide Web by almost a decade. 
And Phrack is older than many of its readers, who number about 8,000, said
Route, who refuses to give his real name.
 
Route, 24, doesn't look like the scrawny computer nerd with the
cathode-ray pallor so many think of when the word hacker is mentioned. 
Silver earrings dangle from each ear and a bar pierces his tongue. Spidery
tattoos creep down his shoulders and over biceps grown solid with hours of
iron work.
 
Behind his glower lies a keen mind that cuts through computer network
problems like a digital knife, an invaluable skill for his day job at a
computer security firm with Fortune 500 companies for clients. Route
refused to name his company.
 
Phrack's improbable history begins in 1985 when a hacker with the handle
Taran King cobbled together various subversive texts that had been
circulating like Soviet-era samizdat on the archipelago of underground
electronic bulletin boards.  It included all sorts of mischief-making: 
"How to Pick Master Locks," "How to Make an Acetylene Bomb" and
"School/College Computer Dial-Ups." 
 
But Phrack found itself the focus of federal prosecution in 1990, when
editor Craig Neidorf, also known as Knight Lightning, was prosecuted by
the Chicago Computer Fraud and Abuse Task Force. His alleged crime? He
published a document in Phrack with certain details of the emergency 911
systems in use around the country. It had been given to him by another
hacker who had copied it from computers owned by BellSouth, which valued
it at almost $80,000. 
 
But the task force wanted to prove the document was more than valuable. 
Assistant U.S. Attorney William J. Cook said it put dangerous information
in the hands of hackers.

The case fell apart when Neidorf's lawyer proved that more detailed
information about the system had appeared in other publications. You could
order them from phone company technical catalogs for $13. The charges were
dropped. Neidorf's trial was over.

If today's Phrack is a bit less confrontational, that's understandable. 
Like many of the older hackers, Route is shifting his focus away from
anarchy texts and phone hacking to computer security. Its "how-to" days
are pretty much over.

"Phrack is not meant to be a manual of vulnerabilities," he said. 

As the editor, Route knows that Phrack can still be used for illegal
purposes. "But you can't hold people completely liable for just putting
information out there."

He said he has had "blatantly illegal stuff" sent to him. Once, he said he
received the technical specifications for most pager systems used in the
country, complete with how to hack those systems. He didn't publish. 

"It's a judgment call," he said. "I have no intention of running up
against the law or (upsetting) the military."

But it's almost guaranteed that something gleaned from Phrack will be used
against the computer system of a big and powerful organization or
business.

"The scene is going to do what the scene is going to do,"  he said. "It's
like any clique in society. You have good people and you have bad people."

0x21>------------------------------------------------------------------------

Title: Cops see little hope in controlling computer crime
By: Rob Lemos
Source: ZDNN 
Date: August 6, 1998 10:16 AM PT

Despite making headway combating high-tech criminals, law enforcement
officials say they remain worried about their ability to investigate and
prosecute cyber crimes.  Encryption, anonymity, and the jurisdictional
problems posed by a global Internet are quickly turning from small
headaches to full-blown migraines for local, state, and federal police
forces.

"It's hard to predict where we will be in 10 years," said Scott Charney,
chief of the computer crime and intellectual property section of the U.S.
Department of Justice. "But there are going to be all sorts of birthing
pains." Charney gathered here with other computer-savvy law enforcement
officials to attend an international symposium on criminal justice issues
at the University of Illinois at Chicago. The symposium focused on
high-tech crime, cyber-terrorism, and information warfare.

Invisible criminals

Law enforcement officers say one of their biggest
challenges paradoxically remains knowing when a crime is committed.

According to the General Accounting Office, there were 250,000 attempted
break-ins at the Department of Defense in 1995. NASA estimates that
crackers -- hacker criminals -- broke into over 120,000 of its systems in
1996. Yet, few of those incidents are detected, much less reported. When
DOD hackers broke into their own servers in 1996 and 1997, they attacked
38,000 machines. Only four percent of the incidents were detected. Out of
that number, only 27 percent of detected break-ins were reported. 

"We will get better," said Doris Gardner, an investigator with the
National Infrastructure Protection Center, a new federal agency
established to fight computer crime. "We need to educate -- to work better
with each other."

Pandora's box

Yet, even as law enforcement is educating itself on the challenges ahead,
experts here said cyber-criminals continue to refine their abilities. 

According to the DOJ's Charney, the number of cases involving encrypted
data climbed from three percent in 1996 to seven percent in 1997. If that
trend continues, he said, the only tactic left for law enforcement is to
increase its surveillance capabilities.

"If privacy advocates get their way on encryption," said Charney, "they
may not be happy."

With no way to read into encrypted electronic documents, he added, the FBI
and others will have to rely on capturing the evidence at the source. "And
that could really decrease privacy."

Even so, there are other ways around encryption. In 1996, when an ISP
reported that its system had been cracked, all FBI leads ran into brick
walls. Luckily, the cracker, Carlos Salgado Jr. -- who had stolen over
100,000 credit card numbers worth more than an estimated $160 million --
found a potential buyer who suspected his credit card was one of the ones
on the block to be sold. The "buyer" contacted the FBI and became a
cooperative witness in the case.

Despite Salgado's extensive use of encryption -- both his e-mails and the
actual credit-card data were encrypted -- the FBI had no problems
collecting evidence, because their witness received all the codes from
Salgado.

Luck, or a trend? It's too early to tell, but Gardner, for one, seems
positive on the FBI's ability to prosecute. "If we know about it," she
said, "we can usually prosecute it."

----[  EOF
