GDT::Security::Watchdog::Archive::Year 2000

Security Watchdog
Attrition.org -- A Non-Profit Computer Security Website
Today's (29 Dec 2000) Business section of the AZ Republic had an article titled Real Estate Testing Digital Signatures. I didn't read the article, but the timing is good because I've been gathering up notes to do a posting concerning eSignatures. We will do a digital (electronic) signature write-up early next semester. Digital signature authentication is extremely important and securing it may be near impossible.

Instead of eSignatures, this week's posting introduces us to the Attrition.org website. The following is from their About Us section.

Attrition.org (http://www.attrition.org) is a computer security Web site dedicated to the collection, dissemination and distribution of information about the industry for anyone interested in the subject. They maintain one of the largest catalogs of security advisories, cryptography, text files, and denial of service attack information. They are also known for the largest mirror of Web site defacements and their crusade to expose industry frauds and inform the public about incorrect information in computer security articles.

Attrition.org provides some interesting graphs that show defacement statistics broken down by operating system.

[29 December 2000, top]
Egghead.com Cracked; What's SSL?
On 22 December 2000, Internet retailer Egghead.com said that a hacker [I say cracker] had accessed its computer systems, possibly its customer database, and it is now taking steps to protect its customers' credit card accounts and the security of the website. "They are in the process of alerting card issuers and banks so that they can take the necessary steps to ensure the security of cardholders who may be affected," Egghead said, adding that it is also working with law enforcement authorities, who are conducting a criminal investigation.

What's SSL?
I would not perform an Internet transaction of any kind without using a Secure Sockets Layer [SSL]. By convention, webpages that use an SSL connection start with https: instead of http:. When SSL is used, data is transmitted over the Internet in an encrypted format rather than clear text. Using SSL helps ensure your data is not easily read while in transmission, but you are still at the mercy of SysAdmins securing the computers on which the data is eventually stored. Netscape provides us with the following Introduction to SSL.

[22 December 2000, top]
ISR Says... Security Stocks Worth a Look
I subscribe to a daily newsletter called the Internet Stock Report (ISR). You can learn a lot about computing by learning about the companies that make up the industry.

Computer security is a major problem these days and it is a tough market for new companies to enter; therefore, the companies who already have a strong footing in this area of computing may have nice long term outlooks.

Please remember that we are in NO way recommending you buy stocks or do anything. This hyperlink is provided for those who are interested in computers and the stock market.

Security Stocks Worth a Look

[15 December 2000, top]
Ebay Cancels Auction of Mitnick Stuff
Late last month (Nov 2000), Ebay pulled stuff that used to belong to world famous [hc]racker Kevin Mitnick. There have been a handful of Security Watchdog postings pertaining to Kevin Mitnick. Mitnick served time for cracking communication systems. He is now out of jail, but on probation that prohibits him from doing anything with computers -- which for a technical guru -- is a harsh probation. Mitnick's dad posted some of Mitnick's stuff to Ebay for auctioning, but Ebay canceled the auction. [ThurmThanks to SeanJ for this hyperlink.] [08 December 2000, top]
HackerU: Learn How to be a H(C)racker
Computer security classes that teach students hacking techniques to help them understand potential threats to their systems are becoming increasingly popular. For example, Foundstone.com offers an "Ultimate Hacking" class that helps students break into their own systems to identify weaknesses. The class shows students how to exploit existing security flaws in popular software and to identify open access ports into the network. In addition, advice is given on guessing master passwords, and demonstrations are given on how to obtain password files in transit and on software that decrypts passwords. The class also teaches students to deactivate intrusion-detection software. [Source: Los Angeles Times] Here is a Foundstone press release announcing an upcoming Web Hacking Class. [01 December 2000, top]
Colleges Must Post Crime Reports to the Web
Congress is requiring U.S. universities to make crime statistics available via the Internet. Under a recently passed law, spurred by research showing that many universities were not reporting all crimes that took place on their campuses for fear of losing potential students, colleges must post their latest crime figures to the Internet. Congress has toughened laws regarding the reporting of crime figures, and colleges now can be fined $25,000 for each under-reported crime.

Scottsdale Community College follows this law by providing the SCC Incident Report on its website.

[24 November 2000, top]
Altivore: An Open Sourced Carnivore
Altivore is an open-source version of the FBI's Carnivore program. Basic capabilities include: monitors suspect's email (headers and bodies), monitors suspect's accesses to certain types of servers (FTP, HTTP, etc.), and full sniffing of suspect's IP address. [ Carnivore FAQ]

[Bonus Item] Pakistani-based crackers attacked a U.S. website belonging to a pro-Israel lobby, stealing credit card numbers and member records in the latest volley in what has become an online war. The attack, against the American-Israel Public Affairs Committee, consisted of the crackers defacing its website with pro-Palestinian slogans and emails downloaded from the website databases.

[17 November 2000, top]
Netherland Clubs to Use Cyber-Bouncers
Nightclubs (about 15 of them) in the Netherlands are using biometrics (smart cards, fingerprint and face scanning) to control which customers are allowed access to the clubs. Salon Magazine refers to this stuff as a cyber-bouncer. [ThurmFoo: I can see cyber-bouncers being handy when there is a shortage of WWF-like studs around to do the job. What the heck, maybe gun-toting robots would be effective.] [10 November 2000, top]
No Filtering May Result In Loss of Federal Funding
The Electronic Privacy Information Center (EPIC) has issued an alert concerning the following:
No Filtering, No Federal Funding
Despite strong opposition from education, library and civil liberties organizations, Congress appears to be on the verge of adopting a mandatory requirement for schools and libraries to install Internet filtering software.
What's the issue? I don't know what the issue is, but here is what can be dismissed as being a simple question... Who decides what gets filtered? See EPIC Alert 7.17 for more details. [03 November 2000, top]
Web Wars in the Middle East; Microsoft Cracked by Russia
Lebanon's Hizbollah guerrilla group said recently that its website server crashed earlier this month after being targeted by millions of hits and hostile emails from Israel and the United States. It said the crash occurred on Oct. 7, the day Hizbollah guerrillas captured three Israeli soldiers in an ambush at the border in south Lebanon. The website normally gets 100,000 to 300,000 hits per day, but now that number has increased to 9 million. They are calling it an email bombing. Israeli-Arab Web Wars from WiredNews::Politics. [Hizbollah.org is the website under attack.]

Extra

Microsoft security detected passwords being remotely sent to an email account in Russia. Logs showed that the internal passwords were used to read and copy the source code for software that included Windows and Office. [ More... from the Washington Post] Update: The Qaz worm (which is a Win32 executable) was used to crack MSFT's network. [27 October 2000, top]
Armed Robots? (i.e. Robots with Guns?)
The following was a post to the Risks Digest.
The world's first armed robot security guard that can open fire on intruders while controlled through the Internet was unveiled in Bangkok yesterday.

Assistant professor Pitikhet Suraksa, of the King Mongkut Institute of Technology's Lat Krabang campus, said his roboguard was developed from an unarmed "telerobot" built in Australia in 1994. "The robot is equipped with a camera and sensors that track movement and heat. It is armed with a pistol that can be programmed to shoot automatically or wait for a fire order delivered with a password from anywhere through the Internet. With further development the technology could be applied to building robot guards for important places, including museums that house precious artifacts."

I wouldn't want to be the programmer whose sloppy coding resulted in the accidental shooting of somebody like the cleaning person. [20 October 2000, top]
Major Denial-Of-Service Attack Predicted
Many computer security experts are predicting that a major DOS attack will happen in the near future. In this scenario DOS stands for Denial Of Service. DOS is an assault on a network that floods it with so many additional requests that regular traffic is either slowed or completely interrupted. Unlike a virus or worm, which can cause severe damage to databases, a denial of service attack interrupts network service for some period and does not corrupt data. [13 October 2000, top]
Oklahoma State University Seizes Student's Computer
Oklahoma State University campus police seized a student's computer after receiving a complaint from the recording industry about illegal distribution of copyrighted music on the campus. The student was traced because the university is also the ISP, and campus police presented a search warrant before taking the computer. The student was distributing music and movie files on a large scale, but did not seem to be profiting from the activities. The student distributed files using the FTP Internet application. [Source: Chronicle of Higher Education Online, 18 September 2000] [06 October 2000, top]
Carnivore Review Team Hired
The IIT Research Institute -- an independent, nonprofit research and development organization associated with the Illinois Institute of Technology -- has been selected by the Justice Department to analyze whether the FBI's Carnivore email surveillance system has adequate protections against abuse. The review team will include senior faculty members from the Chicago-Kent College of Law. [ More... from WiredNews::Politics] [29 September 2000, top]
10th Grader Charged with Securities Fraud
The SEC alleges that a 15 year-old used Internet eboards to talk up, or manipulate, stock prices and then unloaded his positions in what an agency administrator called a classic "pump-and-dump" operation. This young person was 14 at the time he traded in stocks. On occasion he placed sell limit orders on stocks so that he wouldn't miss a price increase in the security while he was in school the next day. From TheStreet.com comes news of a 10th Grader Charged with Securities Fraud. [22 September 2000, top]
Personal Identity Theft on the Rise
Having somebody take over your identity sucks. I guess it has always been possible, but the World Wide Web (i.e. WWW) is making personal information more visible than ever. People who are good searchers of the Internet can find social security numbers. Want data about someone's divorce? Connect to the Internet and you can find it in an amazingly few clicks of the stupid mouse. Want to know what someone paid for their house? Again, readily available information obtained free of charge with no questions asked. From USA Today comes Personal Identity Theft on the Rise. [15 September 2000, top]
Security Hole Found with Pretty Good Privacy (PGP)
On 24 August 2000, the CERT issued an advisory concerning PGP. PGP software has a defect that allows attackers to trick Windows versions of PGP into not encoding secret information properly. PGP, which stands for Pretty Good Privacy, was written by Phil Zimmermann in 1991 and is a public key encryption program. PGP is the de facto standard for email encryption today. [More from WiredNews::Technology] [08 September 2000, top]
Dorothy Denning::Hacktivism and Other Net Crimes
Hacktivism and Other Net Crimes is an interview with computer security expert Dorothy Denning. [Dr. Dorothy Denning is professor of Computer Science at Georgetown University.] The interview was conducted by the ACM -- Association for Computing Machinery [http://ACM.org]. In the interview, Denning discusses the FBI's Carnivore program, the Cybercrime Convention, and hacktivism (hacking with activism [e.g. deface a website with political messages]). [01 September 2000, top]
Secrets and Lies: Digital Security in a Networked World
Secrets and Lies: Digital Security in a Networked World is a new book by computer security expert Bruce Schneier. Information about the book is located at http://www.counterpane.com/sandl.html.

If you order the book (at a 20% discount) from Amazon.com using the URL http://www.amazon.com/exec/obidos/ASIN/0471253111/counterpane/, then a portion of the purchase price will go to EPIC.org [Electronic Privacy Information Center].

The following is quoted from Schneier's 15 August 2000 issue of the CRYPTO-GRAM newsletter:

I had my epiphany in April 1999: that security was about risk management, that detection and response were just as important as prevention, and that reducing the "window of exposure" for an enterprise is security's real purpose. I was finally able to finish the book: offer solutions to the problems I posed, a way out of the darkness, hope for the future of computer security.

"Secrets and Lies" discusses computer security in this context, in words that a business audience will understand. It explains, in my typical style, how different security technologies work and how they fail. It discusses the process of security: what the threats are, who the attackers are, and how to live in their world.

I have not read this book, but I suspect it is excellent and that it will be awarded a ThurmBuy. I'm looking forward to getting a copy. Here is a ThurmBit about Bruce Schneier. [25 August 2000, top]
CERT Busy Issuing Browser-Related Advisories
Shortly after last week's posting about the security hole with the Netscape browser's handling of Java applets, the CERT issued an advisory about the problem. A couple of days later, CERT issued another advisory concerning the Internet Explorer browser and those nasty VB (Visual Basic) applications and macros.
CERT Advisory CA-2000-16: Microsoft 'IE Script'/Access/OBJECT Tag
Under certain conditions, Internet Explorer can open Microsoft Access database or project files containing malicious code and execute the code without giving a user prior warning. Access files that are referenced by OBJECT tags in HTML documents can allow attackers to execute arbitrary commands using Visual Basic for Applications (VBA) or macros.
CERT Advisory CA-2000-15: Netscape Allows Java Applets to Read Protected Resources
Netscape Communicator and Navigator ship with Java classes that allow an unsigned Java applet to access local and remote resources in violation of the security policies for applets.
[18 August 2000, top]
Brown Orifice: Java Applet/Netscape Security Hole
This security crack didn't generate much news, but Java applets are supposed to run in a "sandbox" and be secure. Well, maybe Java applets aren't that secure after all, as evidenced, documented and demonstrated by this server-in-an-applet called Brown Orifice.

Here is a blurb from Sun's website about Brown Orifice:

"Developer and computer security consultant Dan Brumleve has uncovered two separate and distinct vulnerabilities in certain implementations of the Java™ platform. It is important to note that the Java security architecture remains correct and intact. Both vulnerabilities are correctable implementation issues." [More...]

[11 August 2000, top]
EPIC and ACLU Ask for Carnivore's Source Code
The Electronic Privacy Information Center (EPIC) and the American Civil Liberties Union (ACLU), filed Freedom of Information Act requests seeking records and source code related to the Carnivore. The act has never been used to access computer source code. The movements claim they need information to determine if the software only intercepts communication from/to people named in a court order. [ More...] [04 August 2000, top]
Mitnick Not Allowed to be a Web Columnist
The Security Watchdog was started with a posting about hacker/cracker Kevin Mitnick [see Mitnick Goes to Washington]. Mitnick is a convicted computer cracker that has been released after spending time in prison. As part of his probation, he is barred from using a computer or working as a computer consultant without his probation officer's approval. Mitnick was offered a job with an Internet-based business but his probation office is saying no. The issue went before a federal judge who refused to intervene. From the LA Times comes Mitnick Rebuffed in Bid to Take Job as Web Columnist. [30 June 2000, top]
AOL and Nike Websites are Cracked
The Nike corporate website was redirected to the website of an Australian activist group calling for the "shut down" of an upcoming economic forum there in the fall.
Nike Website Hacked by Activists from ABCNEWS.com.
Online intruders sent emails to AOL employees who had access to customer accounts. The emails had attachments containing viruses that gave the sender the employees' passwords. This "created an electronic link between the AOL internal network and the hacker," so that "using what amounted to a covert relay station, the hacker could use the password to look up information about users."
AOL Confirms Data System Leak from MSNBC.com
[22 June 2000, top]
Secret Data Missing from Los Alamos
The FBI and Department of Energy are searching for classified information missing from computers at the Los Alamos National Laboratory. Programmers and computer administrators can do little to protect systems against physical violation. A few weeks ago there was a story about a laptop containing important stuff being lost and now a couple of disks are missing from one of this country's most important research organizations. [ More from ABC News]
 
Update: On 16 June 2000, two computer hard drives containing nuclear secrets from the Los Alamos weapons lab were found behind a copying machine within the lab's top-secret secure area. Authorities think the drives may have been tampered with. [15 June 2000, top]
SANS::List of The Top Ten Internet Security Threats
The SANS Institute (where SANS stands for System Administration, Networking, and Security) is a highly respected organization. Information posted to their website should always be respected. From their website comes the following description:
"SANS is a cooperative research and education organization through which more than 96,000 system administrators, security professionals, and network administrators share the lessons they are learning and find solutions for challenges they face. SANS was founded in 1989."
During June 2000, SANS provided a document that discusses how to eliminate the Ten Most Critical Internet Security Threats. [09 June 2000, top]
CERT -- Computer Emergency Response Team
Back in 1988 the first crack of the Internet was experienced. This crack was the Internet Worm, a malevolent program, that temporarily disabled approximately 6000 Internet hosts. As a result of this crack, the CERT -- Computer Emergency Response Team was formed at Carnegie Mellon University.

Here is a list of some recent CERT Advisories:

  • CERT Advisory CA-2000-09 Flaw in PGP 5.0 Key Generation
  • CERT Advisory CA-2000-08 Inconsistent Warning Messages in Netscape Navigator
  • CERT Advisory CA-2000-07 Microsoft Office 2000 UA ActiveX Control Incorrectly Marked "Safe for Scripting"
  • CERT Advisory CA-2000-06 Multiple Buffer Overflows in Kerberos Authenticated Services

I recommend that you subscribe to be notified via email when CERT Advisories are issued by visiting http://cert.org [02 June 2000, top]
Russia Thinking About Electronic Warfare
The following Washington Post news item was provided by Declan McCullagh:
MOSCOW--Ultranationalist Vladimir Zhirinovsky has suggested that the computer virus could be a useful tool for Russian foreign policy.

"The era of detective stories and James Bond has long been over," Zhirinovsky said, according to a weekend report in the newspaper Kommersant. "Now there is a different era--the era of computers and the Internet. And we can bring the entire West to its knees with our Russian computer specialists. Let us put viruses into their secret programs like we did recently, and they will not be able to do anything."

"It is time to put an end to the news focusing on Chechnya," he added. "It must be closed down as a combat spot, and we must track computer viruses more. Thanks to us, the West will soon suffer enormous losses."

[ Washington Post Article] [27 May 2000, top]
Microsoft Internet Explorer Gives Away Cookies
I learned from the AZIPA Discussion List - http://www.azipa.org that there is a security hole in all versions of Internet Explorer for the Windows* platform. In short, this hole allows any website operator to read any cookie set by any other site. There are patches for IE 4.01 and 5.1 only; if you're running anything older than that, you'll need to upgrade. [ More...] [22 May 2000, top]
ILOVEYOU
The ILOVEYOU virus has been a good one that has received lots of press and publicity. There has been so much information published about this virus that it doesn't make sense for me to try to barf back the details to you. WiredNews has done a good job providing up-to-date information about the Love Bug.

Just in case you have nothing better to do with your time, then here is a bunch of ILOVEYOU virus related stuff.

The Name Game: Groking the Love Bug
'Love Bug' Product of Failed Thesis
Hunt for Virus Creator Continues
Students Seen as 'Potential Leads' in Virus Investigation (AP)
Virus May Have Been Thesis Project
Computer Virus Suspect Released
Case vs. 'Love Bug' Suspects Stalls on 'Insufficient Evidence'
New 'Love Bug' Suspects at Large
Byte Blunder?
Love Bug Virus Said Accidental (AP)
Did RP Give 'Love' a Bad Name?
Love Bug Virus Is Tough Act for Hollywood to Top (Reuters)
Virus May Have Been Act of 'Youthful Exuberance'
[15 May 2000, top]
Biometrics to be Supported by Windows
Microsoft has agreed to include in future versions of its Windows operating system a type of software that uses biometric devices such as fingerprint or eye scanners to boost online security. Some see these scanners, which identify users based on unique individual characteristics, as eventually enhancing or replacing computer passwords. The goal is to create a software infrastructure that would let users simply plug in biometric devices and start using them to log on. [ More... from Yahoo::Finance] [05 May 2000, top]
eCommerce Websites Expose Credit Card Numbers
A password was found that allows someone connecting to a website running cart32 shopping cart software to gain access to the server. The owner of the cart32 has confirmed the defect and is fixing it. Hundreds of small-to-medium websites (e.g. Jazzworld.com, MusicWorld CD, ComputerShop.com, Wirelesstoys.com, and ChocolateVault.com) use cart32 shopping software, which runs on Windows 95 and Windows NT machines. [ More... from WiredNews::Politics] [28 Apr 2000, top]
State Dept. Computer With Secrets Vanishes
Computer security can be violated in numerous ways. Physical security is as important as making sure a computer is secure from a software perspective. The FBI is investigating the potential theft of a laptop computer that turned up missing from the State Department's Bureau of Intelligence and Research. According to officials from the State Department, the laptop contains information classified as "sensitive compartmented information," the highest-rated level of the government's sensitive intelligence. From the Washington Post comes State Dept. Computer With Secrets Vanishes.

Excuse me... storing secure information on a laptop? This doesn't compute.

[21 Apr 2000, top]
What is Echelon?
What is Echelon? Good question and the students of csc285 have been looking into the subject. Donna provides us this nutshell description:
"Echelon -- according to Jim Bronskill, in his article on Ottawa Citizen Online -- is a massive computer system that automatically sifts through the vast bulk of messages that travel the globe daily. Radio transmissions, faxes, long-distance phone calls, and emails, are intercepted at the rate of millions an hour by monitoring satellites, microwave radio relays, undersea cables, and the Internet."
I wonder... is the Network Big Brother?

Echelon information provided by students:
Donna  |  Marie

[14 Apr 2000, top]
NIPC Advisory::Self-Propagating 911 Script
The National Infrastructure Protection Center (NIPC) mission is both a national security and law enforcement (FBI) effort to detect, deter, assess, warn of, respond to, and investigate computer intrusions and unlawful acts, both physical and cyber, that threaten or target our Country's "critical infrastructures." [See the NIPC website at www.nipc.gov for details about what "critical infrastructures" are.]

On 01 April 2000, the NIPC issued the Self-Propagating 911 Script Advisory.

Symantec provides the following information about the NIPC advisory calling it the BAT.Chode.Worm.

[07 Apr 2000, top]
BrowserSpy::What does your browser know?
BrowserSpy tells you detailed information about the browsers you are using and your computer. You can use this website to find out information like version and support, of your Browser, JavaScript, JVM, Java, Plugins, Components, Language, Screen, Hardware, IP, Cookies, Web Server, FTP Password and so on. Try BrowserSpy on your computer. [Hyperlink by JohnQ.] [31 Mar 2000, top]
Interview with Security Guru Bruce Schneier
Bruce Schneier is a guru on computer security. He preaches that security is a "process, not a product" and this makes lots of sense. [ThurmFoo: security must be designed into systems; hacked solutions end up getting cracked.] When dealing with computer security, Schneier has been quoted saying "All you can do, is try to keep up." Business Week Online has posted an interview with Bruce Schneier. [24 Mar 2000, top]
Mitnick Goes to Washington
Kevin Mitnick (36 years old) was recently released from federal prison after serving five years for cracking into computer systems. In March of 1999 he pleaded guilty to seven felonies arising from a string of intrusions into the networks of cell phone companies and computer makers, including Motorola, Fujitsu and Sun Microsystems. On 02 March 2000, Mitnick spoke to the Senate Governmental Affairs Committee. Here is a copy of his Senate Testimony. [10 Mar 2000, top]


Author: G.D.Thurman [gthurman@gmail.com]
Last Modified: Saturday, 05-Jan-2013 11:17:40 MST