GDT::Security::Watchdog::Archive::Year 2001

Security Watchdog

Hollywood Wants to Control Computing
DMCA, SSSCA, licenses, copyright, intellectual property, lawyers, judges, politicians, computer criminals, and so on. Computing is becoming a glob of legal stuff. In a nutshell, content providers are worried about their content being used for free. The following are some quotes from an article by Mike Godwin.
A major component of new home-entertainment systems is the personal computer. Says Business Software Alliance special counsel Emery Simon: "That's the multipurpose device that has them terrified, that will result in leaking [copyrighted content] all over the world."

Hollywood believes "Just as computers make it possible to create remarkably pristine images, they also make it possible to make remarkably pristine copies." Because computers are potentially very efficient and capable copying machines, and because the Internet is potentially a very efficient and capable distribution mechanism, even in the hands of ordinary individuals, the Content Faction has set out to restructure the entire digital world we have today. They want to rearchitect not just the Internet, but every computer and digital tool on or off the Net that might be used to make unauthorized copies.

Hollywood Versus the Internet [full article]

[Extra] U.S. Yanks Mitnick's Radio License

[Extra] As of Fri Dec 28 05:58:04 MST 2001 the National Park Service [http://www.nps.gov] is still down.

[28 December 2001, top]
NPS.gov is Down; Terrorists Worked on XP?; XP Cracked
[Item] Due to security concerns, the Department of the Interior has shut down many portions of its website. Sadly, this includes the National Park Service, which now has the following posted on its homepage.
Due to conditions outside our department, the National Park Service has suspended operation of www.nps.gov until further notice. We apologize for this inconvenience and are working to restore service as soon as possible.

[Item] A suspected member of the Al Qaeda terrorist network has claimed that Islamic militants infiltrated Microsoft and sabotaged the company's Windows XP operating system, according to this article from Newsbytes.com.

[Item] Microsoft has claimed XP is its most secure OS to date. This was in today's in-box.

   Date: Thu, 20 Dec 2001 20:15:44 -0500 (EST)
   Subject: CERT Advisory CA-2001-37 Buffer Overflow in UPnP 
            Service On Microsoft Windows
   [...]

   Systems affected:
     * Microsoft Windows XP
     * Microsoft Windows ME
     * Microsoft Windows 98
     * Microsoft Windows 98SE

   [...]

   There is a vulnerability in the Universal Plug and Play 
   (UPnP) service on Microsoft Windows XP and Microsoft 
   Windows ME that could permit an intruder to execute 
   arbitrary code with administrative privileges on a
   vulnerable  system.  The  UPnP  service  is enabled 
   by default on XP.  Microsoft does not ship Windows 
   ME with UPnP enabled by default, but some PC manufacturers 
   do. UPnP may be optionally installed on Windows 98 and Windows 
   98SE. This vulnerability was discovered by eEye Digital Security. 
   For more information, see

    http://www.eeye.com/html/Research/Advisories/AD20011220.html
    http://www.microsoft.com/technet/security/bulletin/MS01-059.asp

[21 December 2001, top]
Here a Crack, There a Crack, Everywhere a Crack Crack
Two cracks: One Microsoft, One Unix [talk about parity].

Internet Explorer, the most commonly used browser on the web (maybe as high as 85%), has a security hole that allows for spoofed files to be downloaded onto a person's computer. The spoofing can be accomplished without the aid of client-side programming. Microsoft Internet Explorer Download Hole [NewsBytes.com via Slashdot via KevinO]

YABO (Yet Another Buffer Overflow) problem has been discovered on many Unix systems (IBM AIX, HP/UX, Solaris) that allows the login program to be used to gain root access. Once somebody becomes root on a Unix system, that system has been violated and can no longer be trusted. Buffer Overflow in System V Derived Login [CERT.org]

[14 December 2001, top]
Hodgepodge: Digital Angels; Sousveillance Day; Microsoft Crap; CERT/DOS

Coming Soon: Digital Angels
Digital Angel is a combination of advanced biosensor technology and web-enabled wireless telecommunications linked to GPS. The first target market appears to be Floriduh. Digital Angel monitors key body functions (e.g. temperature and pulse) and transmits that data along with location information to a ground station or monitoring facility. [ Digital Angel, Chip Implants, and Human Tracking]

Mark Your Calendars: Sousveillance Day
24 December 2001 is World Sousveillance Day. On December 24th, passengers photograph cab drivers, customers photograph shopkeepers, citizens photograph police, etc. There is also a photo competition to encourage participants to send in pictures to be included in a national face recognition database. [Details about World Subjectrights Day]

Microsoft Crap
[item] This hyperlink was provided by Phil Agre [UCLA Professor] and I agree with his editorial comment that "normal people shouldn't have to keep track of Microsoft's stupid patches." [I guess Microsoft could always counter with how do you define normal?] The Great Microsoft Patch Nobody Uses

[item] Rumors are circulating that the current Microsoft Security Chief may start advising our Government on computer security issues. Given Microsoft's ability to provide a secure computing environment [humor], I'm not sure this move makes much sense. Microsoft Takes Its Security Skills to the White House.

[item] On 04 December 2001, a fake screen-saver program that compromises computers running Windows started floating around the Internet. The subject-line says 'Hi!' and the body starts with 'How are you?' [at least it is user-friendly] The W32/Goner virus is a malicious Windows program distributed as an email file attachment and via ICQ file transfers. [ CERT Advisory]
[update] (10 December 2001)
Israeli Teens Created Level 4 Virus

CERT Suffers a DOS Attack
On 05 December 2001, the CERT (Computer Emergency Response Team) was hit by a strong DOS attack. [In this case, DOS means Denial-Of-Service and not Disk-Operating-System.]

[07 December 2001, top]
NIPC Worries About CyberProtests (Hackertism)
The NIPC (National Infrastructure Protection Center) warns that cyber protesters (new word: hackertism) are going to target infrastructure more often and exploit opportunities to disrupt or damage it. The Internet is a major infrastructure component, and if it is attacked in a serious way, then I agree with the NIPC's assessment that it could "bring about large economic losses as well as potentially severe damage to the national infrastructure, affecting global markets as well as public safety." The NIPC alerts us that "network administrators must remain educated and defenses must evolve along with the threats and offensive capabilities." [really?] More from NIPC.gov: Cyber Protests: The Threat to U.S. Information Infrastructure [pdf document]

[Extra] This week's Unix & Linux Logger is all about Red Hat (a major Linux distributor), but it turns out many Linux tools have security holes, and on 29 November 2001 the CERT (Computer Emergency Response Team) issued Advisory CA-2001-33 Multiple Vulnerabilities in WU-FTPD. Red Hat mishandled this flaw by releasing its patch ahead of the simultaneous multi-vendor release that the CERT had coordinated and scheduled for 03 December 2001. [ ZDNet article (hyperlink provided by KevinM)]

[ThurmFoo] If the open source and free software communities want to battle Microsoft, then this type of slop just cannot happen. This is Microsoftic computing.

[30 November 2001, top]
CyberKnight, Magic Lantern, Carnivore, Altivore...
On the next to last page of the Friday, 23 November 2001, Arizona Republic was a news article titled:
FBI developing high-tech eavesdropping tools

The article states that the FBI has technology called Magic Lantern that is one of many technologies that comprise a FBI project named CyberKnight. These tools can intercept every key typed on a dumb keyboard, every x-y coordinate a dumb mouse may navigate over, every hyperlink clicked, every email subject-line, every word of every instant message, every dot-mp3 listened to, every dot-jpg viewed, so on and so on.

The article indicated that these tools could be installed on PCs without the PC owner being alerted. [PC stands for Personal Computer] These technologies can install themselves using existing cracking tools that exploit known security holes. [Many of which are buffer overflows.]

Magic Lantern and CyberKnight already have Carnivore to help them out.

A good way to learn about Carnivore is to learn about Altivore. [ThurmThanks to JeremyF for the hyperlink]

[Extra] Microsoft Says it is Sorry [Thanks Microsoft.]

[23 November 2001, top]
Potpourri::DDOS; HTTP Cookies; Microsoft
DDOS stands for Distributed Denial Of Service. DDOS attacks are easy to implement but difficult to defend against. Key Internet Servers Vulnerable to Attack-Experts

HTTP cookies, from a low-level perspective, are relatively secure; however, the way some websites use cookies is not. As a result, Use of Internet Cookies Targeted.

Microsoft products are dangerously flawed when it comes to security. It appears as though their software development practice is to ship software that is just good enough and patch the problems when they are found. Microsoft Leaves its Wallet Wide Open.

[16 November 2001, top]
Airports Into Scanning Faces
Prior to 9/11 we had Napster, but post-9/11 is leading us into the ubiquitous presence of Nabster-like programs. [e.g. filtering, Carnivore, Echelon, biometric systems, ...]

Airports around the country are turning to biometrics to help them with security. The biometric of choice? Facial scanning.

[Extra] Microsoft Admits Major Passport Flaw, but according to Phil Agre it doesn't admit that the "Passport architecture is fundamentally shoddy."

[09 November 2001, top]
Oxymoron: Microsoft Good
I second this motion: Time to Stop Defending Microsoft Security
Microsoft has always treated security threats as a public relations problem, so it would do anything it could not to publicize its susceptibility.

Speaking of Microsoft's new XP operating system... The following hyperlinks were supplied by UCLA Professor Phil Agre

[Next Week] Biometric usage at airports.

[02 November 2001, top]
Net Security: An Oxymoron
Peter Neumann is a ThurmDreamTeam member. He is a co-founder of PFIR (People For Internet Responsibility), moderator of the RISKS Digest, and a Principal Scientist at SRI International (the former Stanford Research Institute). Neumann is a computer security guru. Here is a quote extracted from a recent interview with Neumann conducted by CNET News.com:
The trouble, Neumann warns, is that the Internet is populated by computers that were not designed with network security in mind. As a result, security is addressed on a patch-by-patch basis, but an effective solution would require redesigning systems from scratch.

Here is the full CNET News.com interview with Peter Neumann: Net security. An oxymoron.

[Extra] The NSA's (National Security Agency) National Cryptologic Museum has been closed until further notice.

[Extra] The Security News Portal website has been cracked.

[26 October 2001, top]
Anthrax Worm Suffers from Anthraxic Code
An Anthrax computer worm has hit the Internet, but crappy code has caused the worm problems at being effective. About the Anthrax Computer Worm

[Extra] Virginia Gov. James Gilmore warned a congressional panel about the threat of a terrorist cyberattack, and urged the federal government to adopt an array of new defenses against possible electronic strikes [this includes a cyber-court]. Gilmore outlined the panel's cybersecurity findings at a hearing that was cut short when a non-computer anthrax scare forced a postponement. [ More...]

[19 October 2001, top]
Newbie Lawyer Thinks Carnivore is Good
Some newbie lawyer has posted a document to the FindLaw.com website that defends the use of the FBI's Carnivore spy program. I had to respond to some of the stuff she wrote and I recorded my response in this webpage.

[12 October 2001, top]
Crack a Computer and Rot in Prison
I believe accessing a computer without permission is a crime and that those who do it should be treated like criminals. However, the ATA -- Anti-Terrorism Act makes my bark worse than my bite.

The ATA, which is legislation that is being discussed in the halls of our government, classifies most computer crimes as acts of terrorism. Under this Act, crackers would face life imprisonment without the possibility of parole. [ SecurityFocus.com article]

[05 October 2001, top]
Communicating Secret Messages Using Steganography
Steganography is a technique for hiding text or images inside a carrier such as a document, image, or sound file, so that the carrier looks unchanged to anyone who does not know to look.

There are many who believe terrorists have been communicating by sending documents around the world hidden within pornographic images and MP3 files.

Create a resource and execute a program that embeds your message into the resource. Go to a public computer (e.g. at the library) and post the resource to a Usenet group. Place a keyword in the subject line of your posting. Your partner visits the Usenet group and sees a posting containing the keyword. They down-load the resource and execute a program to extract the embedded message.

I found a free program called gifshuffle that can be used to conceal messages in GIF images by shuffling the color-map, which leaves the image visibly unchanged. The program also provides compression and encryption of the concealed message.

sunnie.gif (no message) | sunniemsg.gif (contains message)

Note: the GIF file without the encoded message is 2% larger than the GIF file containing the message.

   -rw-r--r--  1 thurmunit  user  17696 Aug  3  1999 sunnie.gif
   -rw-r--r--  1 thurmunit  user  17347 Sep 28 04:32 sunniemsg.gif

If you want to see the encoded message, then you need to download the gifshuffle program from the Gifshuffle Home Page. Using your browser, get sunniemsg.gif and save it to your disk, then execute

   gifshuffle -C -p foo sunniemsg.gif

The message should read "that lucky old sun."
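To make the colour-map trick concrete, here is an added example, written for this page and not gifshuffle's own code, of palette-permutation steganography on a toy indexed image. It keeps the idea and drops gifshuffle's compression and encryption: the palette colours are sorted into a canonical order, the message is turned into an integer, and that integer selects one of the n! possible orderings of the palette; the pixel indices are then remapped so the rendered image is unchanged. The 16-colour palette, the 4x4 pixel array and the leading 0x01 framing byte are constructions of this example, not part of gifshuffle's format.

```python
import math


def capacity_bits(n_colours):
    """Bits a palette of n distinct colours can carry: floor(log2(n!))."""
    return int(sum(math.log2(k) for k in range(2, n_colours + 1)))


def _int_to_perm(m, items):
    """Turn an integer 0 <= m < n! into an ordering of items (mixed-radix digits:
    the first pick has n choices, the next n-1, and so on)."""
    remaining = list(items)
    order = []
    while remaining:
        base = len(remaining)
        order.append(remaining.pop(m % base))
        m //= base
    if m:
        raise ValueError("message too large for this palette")
    return order


def _perm_to_int(order, items):
    """Inverse of _int_to_perm: read the digits back from the ordering."""
    remaining = list(items)
    m, weight = 0, 1
    for item in order:
        idx = remaining.index(item)
        remaining.pop(idx)
        m += idx * weight
        weight *= len(remaining) + 1
    return m


def embed(palette, pixels, message):
    """Return (new_palette, new_pixels) carrying message; rendering is unchanged."""
    if len(set(palette)) != len(palette):
        raise ValueError("palette colours must be distinct")
    # A leading 0x01 byte marks the start of the message so that leading zero
    # bytes survive and the length can be recovered from the integer (this
    # framing is an assumption of the example, not gifshuffle's format).
    m = int.from_bytes(b"\x01" + message, "big")
    new_palette = _int_to_perm(m, sorted(palette))
    new_index = {colour: i for i, colour in enumerate(new_palette)}
    new_pixels = [new_index[palette[p]] for p in pixels]
    return new_palette, new_pixels


def extract(palette):
    """Recover the message from the palette order alone (pixels are not needed)."""
    m = _perm_to_int(palette, sorted(palette))
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 0x01:
        raise ValueError("palette is in canonical order: no message")
    return raw[1:]


def render(palette, pixels):
    """The RGB triples a viewer would draw, for checking the image is unchanged."""
    return [palette[p] for p in pixels]


# Constructed 4x4 image with a 16-colour palette (16! orderings, about 44 bits).
SAMPLE_PALETTE = [(i * 16, 255 - i * 16, (i * 37) % 256) for i in range(16)]
SAMPLE_PIXELS = [(i * 7) % 16 for i in range(16)]


def demo(message=b"hi"):
    """Embed, confirm the picture is pixel-for-pixel identical, then extract."""
    new_palette, new_pixels = embed(SAMPLE_PALETTE, SAMPLE_PIXELS, message)
    assert render(new_palette, new_pixels) == render(SAMPLE_PALETTE, SAMPLE_PIXELS)
    return extract(new_palette)


if __name__ == "__main__":
    print(demo(), "capacity of a 256-colour palette:", capacity_bits(256) // 8, "bytes")
```

Two things worth noticing. The capacity is tiny: 256 colours give floor(log2(256!)) = 1683 bits, about 210 bytes, which is why gifshuffle compresses first. And the channel is not invisible to a steganalyst: a viewer accepts any palette order, but an encoder normally writes its palette in a characteristic order (sorted, or by frequency), so a palette whose order looks random for the tool that nominally produced the file is itself a tell.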

[28 September 2001, top]
Admin Spelled Backwards Equals Nimda
Yet another Microsoft related virus is worming its way around the world. This one is called Nimda, which is admin spelled backwards.

The Nimda worm has the potential to affect both user workstations (clients) running Windows 95, 98, ME, NT, or 2000 and servers running Windows NT and 2000. Because of its size and monopoly power, Microsoft places the responsibility on customers to patch the holes found in their bad software. [It's like you buy a car with a faulty engine and the car dealer gives you a part and tells you to install it. If you don't, then don't be surprised if your car is unusable.]

Nimda spreads through email, via web surfing and by exploiting known holes in Microsoft's Internet Information Server (IIS) software.

Nimda is believed to be the fastest-spreading computer virus ever; it not only attaches itself to different applications on a computer but spreads to other computers in several different ways, which makes it a worm as well as a virus.

The worm modifies web documents (e.g., .htm, .html, and .asp files) and certain executable files found on the systems it infects, and creates numerous copies of itself under various file names.

The cost of fixing problems caused by Nimda is expected to reach $500,000,000 (half of a billion dollars).

On 18 September 2001 the Computer Emergency Response Team (CERT) issued this advisory.

[Extra] David Dittrich, senior security engineer for the University of Washington and a computer forensics expert, believes software makers such as Microsoft will need to be pro-active about future security holes and treat them like product defects. "Somehow, as the number of patches coming out is going up exponentially, the word has to get out to a larger number of people to apply the patches."

[21 September 2001, top]
Beware of Terrorism-Related Scams Online
The Coalition Against Unsolicited Commercial Email (CAUCE.org) has posted a press release to their website titled Email Groups Warn of Terrorism-related Scams Online. Here is a copy of the first paragraph of their press release.
Email protection and consumer advocacy groups warned today of online attempts to fraudulently profit from the Attack on America. These attempts are taking the form of unsolicited email (i.e. spam) and postings in community forums, soliciting "donations" in the name of victims of the attacks.
It is always wise to practice safe computing, but that is even more true in times of uncertainty. [ Full Press Release]

[Coming Soon] Prior to 9/11, I was going to post information about a new Bill called the SSSCA [think ++DMCA] and about a new worm/virus named Code Blue. In addition, the Attack on America may result in increased usage of biometrics.

[14 September 2001, top]
Biometric Usage: From the Pentagon to Virginia Beach
Today's military weapon systems make extensive use of computers. Military leaders are concerned that if those systems end up in enemy hands, then the data stored in the computers will become intelligence information for U.S. detractors. To help ensure that the data on the computers is accessed by authorized personnel only, the Pentagon Endorses Biometrics To Enhance Computer Security.

Ten (10) cameras feed images of people as they walk along the Oceanfront to monitors, where software compares faces against a database of mug-shots, looking for a match. The database contains outstanding felony warrants as well as pictures of runaways and missing people. The software generally works by creating a map of the face and then identifying 80 distinctive points. To achieve a match, 14 of those points must align with a mug-shot. It appears as though they are Scanning Faces in Virginia Beach.

Biometric related hyperlinks:

Biometric Consortium
Biometrics Digest [pro-biometric website]
Fight the Fingerprint [anti-biometric website]

[07 September 2001, top]
Scanning Faces at Borders; default.ida
When it comes to buying computer books, I like to shop at Borders. I'm looking forward to the Borders opening on Mill Avenue in downtown Tempe.

A couple of weeks ago Declan McCullagh reported that a couple of Borders stores in the UK were going to set up a security system that scans the faces of people entering the store and compares the images to those of known shoplifters.

Well... it turns out many Borders customers were upset about this and as a result Borders has decided not to install the security system. Here is a quote from Borders:

Borders strongly values the human rights and privacy of our staff and our customers. At Borders, we feel we have an obligation to provide a safe environment for our customers and staff. We promise to continue to do so, while offering the best selection and service available anywhere.

[ More... from ComputerWorld.com]

[Extra] The Code Red worm has tried to attack the CSC servers at SCC. I came across the following webserver log entry:

   200.47.144.162 - - [27/Aug/2001:18:38:58 -0700] 
   "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9
   090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%
   u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0
   0%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 283
I didn't know what a default.ida file was and a Google search resulted in the following find http://thesitewizard.com/news/coderediiworm.shtml. (Requests for .ida files are handed to the IIS Indexing Service ISAPI extension, the component with the buffer overflow that Code Red exploits; see the CERT advisories quoted in the 27 July 2001 entry below. Our Apache server answered with a 404, so the probe did nothing here.)
Estimated worldwide cost of Code Red: $2.6 billion. It appears the worm came from some university in China.
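Having seen one of these entries, the next thing an administrator wants is to find all of them and tell the harmless ones (404 from a server with no .ida handler) from the ones that matter (a 2xx from an IIS box, which means the Indexing Service mapping answered and the host may be infected). Here is an added example for this page, not from any of the linked sources, that scans NCSA-format log lines for the Code Red request signature. The sample log lines are constructed: the padding length and the %u payload follow the shape of the entry quoted above rather than being a byte-exact copy, and the 192.0.2.77 and 10.0.0.5 addresses are made up.

```python
import re
from collections import Counter

# NCSA common/combined log prefix: host ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red family request: GET /default.ida?<long run of N or X>%uXXXX...
# The run of letters overflows the buffer in the IIS Indexing Service ISAPI
# extension (the .ida handler); the %u escapes carry the worm's payload.
# The original Code Red padded with 'N'; the Code Red II variant (the one in
# the log entry quoted above) padded with 'X'.
PROBE_RE = re.compile(
    r'^/default\.ida\?(?P<pad>N{50,}|X{50,})(?P<payload>(?:%u[0-9a-fA-F]{4})+)'
)


def classify(line):
    """Describe a Code Red probe in one log line, or return None for any other request."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    p = PROBE_RE.match(m["path"])
    if p is None:
        return None
    variant = "Code Red II" if p["pad"][0] == "X" else "Code Red"
    return {
        "host": m["host"],
        "time": m["time"],
        "variant": variant,
        "status": int(m["status"]),
        "pad_len": len(p["pad"]),
    }


def handler_answered(hit):
    """True when the .ida request got a 2xx: on IIS the Indexing Service mapping
    is present, so the host is vulnerable or already infected.  A 404 (as on
    the Apache box above) means the request was harmlessly rejected."""
    return 200 <= hit["status"] < 300


def scan(lines):
    """All Code Red probes in an iterable of log lines, in log order."""
    return [h for h in (classify(line) for line in lines) if h is not None]


def hosts_by_probe_count(hits):
    """How many probes each source address sent; infected hosts scan repeatedly."""
    return Counter(h["host"] for h in hits)


# Constructed sample log (payload shape taken from the entry quoted above).
_PAYLOAD = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Aug/2001:18:38:01 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '200.47.144.162 - - [27/Aug/2001:18:38:58 -0700] "GET /default.ida?'
    + "X" * 224 + _PAYLOAD + ' HTTP/1.0" 404 283',
    '192.0.2.77 - - [27/Aug/2001:19:02:11 -0700] "GET /default.ida?'
    + "N" * 224 + _PAYLOAD + ' HTTP/1.0" 200 0',
    '200.47.144.162 - - [27/Aug/2001:19:40:03 -0700] "GET /default.ida?'
    + "X" * 224 + _PAYLOAD + ' HTTP/1.0" 404 283',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = "CHECK HOST" if handler_answered(hit) else "rejected"
        print(f'{hit["time"]} {hit["host"]:16} {hit["variant"]:12} {hit["status"]} {flag}')
    print(hosts_by_probe_count(scan(SAMPLE_LOG)))
```

The source addresses are worth keeping: every probe comes from a machine that is itself infected, so the per-host counter doubles as a list of IIS servers somebody should be told about.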

[31 August 2001, top]
Identity Theft -- It Happens
I'm not sure I would be overly happy if somebody assumed my identity [at least without first seeking out my permission]. How about you? Identity Theft has been a recurring problem for many years, but the exchanging of personal information via the Internet has made Identity Theft easier for the criminals of our world.

PrivacyRights.org is an organization formed to help us protect our privacy and identities. Their website has all kinds of useful information. If you don't think Identity Theft can happen, then here are some Identity Theft Victims' Stories.

[Extra] The following was distributed by the Electronic Frontier Foundation (EFF.org):
"San Jose, California - Russian programmer Dmitry Sklyarov will appear in a California federal court this Thursday, August 30, for an arraignment on charges of trafficking in a copyright circumvention device. For programming a software application that appears to be legal in Moscow where he wrote it, Sklyarov -- who is out of custody on $50,000 bail -- faces a potential prison term of five years and a $500,000 fine."

"Well-dressed observers plan to attend the arraignment and nonviolent protests are scheduled in Moscow (Russia), London (England), Boston, Chicago, Los Angeles, San Francisco, and Black Rock City, Nevada. The San Francisco protest will likely be well-attended since it will start during the Linux World conference in front of the Moscone Center at 11:30 AM on August 30."

[ThurmFoo] Black Rock City, Nevada is home of Burning Man [which started on 27 August].

[24 August 2001, top]
Code Red Planning Another DDOS Whitehouse Attack
The Code Red worm continues to live and computer security experts are predicting that it will commence a second denial of service attack against an IP address assigned to the website for the White House at 8:00pm (Eastern) on Sunday, 19 August 2001. Proof that the worm is still crawling the Internet:
"A minimum of eight servers operated by America Online's Netscape Communications division have been infected with the Code Red worm, according to independent intrusion monitoring services."
Netscape Hit by Code Red from NewsBytes.com.

[17 August 2001, top]
Standing Up to Spam
During May 2001, the US House Judiciary Committee took up the issue of spam, and a couple of politicians were going to introduce a bill that would have allowed spam email recipients to sue the sending companies should the company fail to remove the recipient from their distribution list. But, some other politician came along and butchered the bill. Standing Up to Spam from SecurityPortal.com.

[10 August 2001, top]
Denver, CO to Scan Faces
The Department of Motor Vehicles in Denver, Colorado, is buying cameras that will map every driver's facial characteristics like a three-dimensional land chart. Why? It is an effort to prevent identity theft and driver's license fraud. Driver's get Faces Scanned from the Denver Post.

[Extra] Last week we posted an item about Tampa, Floriduh using scanners to help keep streets safe. It appears as though people like to give the spy-cams the one finger salute.

[Another Extra] Due to the Code Red virus, the U.S. Department of Defense took the dot-mil websites off-line. [ More...]

[27 July 2001, top]
Code Red Virus Hits the Internet
The CERT has issued an advisory on the Code Red virus. This virus infects systems running Microsoft Windows NT 4.0 and Windows 2000 with IIS 4.0 or IIS 5.0 enabled. [IIS is Microsoft's webserver software.]

A recent report indicates that the Code Red virus has been used to launch a denial of service attack against www.whitehouse.gov.

Here is a Code Red overview provided by the CERT:

The CERT/CC has received reports of new self-propagating malicious code that exploits certain configurations of Microsoft Windows susceptible to the vulnerability described in CERT advisory CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. These reports indicate that the "Code Red" worm may have already affected as many as 225,000 hosts, and continues to spread rapidly.

CERT Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL

[Extra] Who stores classified information on lap-top computers? The FBI.

[20 July 2001, top]
POT Related Virus Hits the Internet
We support POT, but to us POT is Plain-Old-Text. [20 years ago, POT was Plain-Old-Telephone] A POT-related virus has hit the Internet, but in this case POT equals marijuana. The virus arrives as an email with the message, check this out, with a file named SYSTEM32.EXE attached.
"When activated the worm sends itself to everyone in your address book, appears as a little marijuana leaf in your system tray or on your task-bar and modifies the home pages of your Internet Explorer browser to point to My.Marijuana.com. When the marijuana leaf is clicked on, a message in support of legalizing Marijuana pops up. The virus also appears twice a day as a message box reminder saying: "Time to toke up :)"."
From DailyNews.Yahoo.com comes Marijuana Worm Too Mellow to Spread

[13 July 2001, top]
Tampa Must Like Biometrics
Police in Tampa, Florida, are using cameras equipped with face-recognition software to search for criminal suspects among people in a downtown district. Since Flori-duh doesn't know how to handle their voting systems, it seems fitting the state will allow some of its cities to violate the privacy of residents and visitors. Tampa Scans Faces from DailyNews.Yahoo.com via the New York Times.

[FlashBack] The 02 February 2001 Internet Observer posting was about Tampa police using cameras to scan for criminals at the 2001 Super Bowl.

[06 July 2001, top]
Opt-Out Must be the Default
Some websites use legal-like jargon to trick users into opting in when they meant to opt out. They use the word not in their prompts, and programmers know to pay close attention whenever the not operator appears in an expression. The first prompt below is the bad example; in the original posting, JavaScript checked and unchecked its checkbox automatically, so it blinked.

   [ ] Yes, I do not want to not opt-in.

The second prompt is the good example:

   [ ] Yes, I do want to opt-in.

The default is opt-out. The checkbox input element is never automatically checked. If the user wants to opt in, then they check the box. The prompt does not contain the word not.

[29 June 2001, top]
The Case Against Absolute Privacy
Scott McNealy, the CEO of Sun Microsystems [and Bill Gates wanna-be], has indicated that absolute computing privacy is dangerous and not always necessary. Here is a quote from McNealy:
"Any company that doesn't properly safeguard people's personal information will suffer the same fate as a bank that doesn't safeguard people's money. It will go out of business. But privacy is not always desirable -- and absolute privacy is a disaster waiting to happen."

I like this because it justifies the fact that given today's computing environment absolute privacy is impossible to guarantee. McNealy's opinion provides the computing industry with the ultimate excuse when people's privacy is violated. [We never promised absolute privacy.]

The Case Against Absolute Privacy from the Washingtonpost.com.

[22 June 2001, top]
Crackers Keep a Cracking
The following is from the 15 June 2001 issue of the Crypto-Gram by computer security guru Bruce Schneier.
The HoneyNet team of researchers has built an entire computer network and completely wired it with sensors. Then it put the network up on the Internet, giving it a suitably enticing name and content, and recorded what happened. (The actual IP address is not published, and changes regularly.) Hackers' actions are recorded as they happen: how they try to break in, when they are successful, what they do when they succeed.

The results are fascinating. A random computer on the Internet is scanned dozens of times a day. The life expectancy of a default installation of Red Hat 6.2 server, or the time before someone successfully hacks it, is less than 72 hours. A common home user setup, with Windows 98 and file sharing enabled, was hacked five times in four days. Systems are subjected to NetBIOS scans an average of 17 times a day. And the fastest time for a server being hacked: 15 minutes after plugging it into the network.

I have first hand experience with a Red Hat 6.2 system being cracked within 72 hours. It happens!

[15 June 2001, top]
Apache.org Cracked Using the SSHd
This week's posting deserves a great deal of discussion, but we only have time to summarize in one word: Yuck. I copy/pasted the following from Apache.org:
Specifically: on May 17th, an Apache developer with a SourceForge account logged into a shell account at SourceForge, and then logged from there into his account at apache.org. The ssh client at SourceForge had been compromised to log outgoing names and passwords, so the cracker was thus able to get a shell on apache.org. After unsuccessfully attempting to get elevated privileges using an old installation of Bugzilla on apache.org, the cracker used a weakness in the ssh daemon (OpenSSH 2.2) to gain root privileges. Once root, s/he replaced our ssh client and server with versions designed to log names and passwords. When they did this replacement, the nightly automated security audits caught the change, as well as a few other trojaned executables the cracker had left behind. Once we discovered the compromise, we shut down ssh entirely, and through the serial console performed an exhaustive audit of the system. Once a fresh copy of the operating system was installed, backdoors removed, and passwords zeroed out, ssh and commit access was re-enabled. After this, an exhaustive audit of all Apache source code and binary distributions was performed.
Again, Yuck.
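The "nightly automated security audits" that caught the replaced ssh client and server are a file-integrity check: record a digest of every file, record them again later, and diff. Here is an added example of that check, written for this page and not Apache's own tooling. It maps each regular file under a directory to a SHA-256 digest, its permission bits and its size, and reports what was added, removed or modified. demo() builds a constructed tree in a temporary directory, takes a baseline, then makes the kinds of changes the Apache account describes: a same-size replacement of bin/ssh, a setuid bit on bin/sshd, a dropped library, a deleted config file. The file names and contents are made up, and the mode-bit check assumes a POSIX filesystem.

```python
import hashlib
import os
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to (sha256, mode bits, size).
    Symlinks and special files are skipped; lstat keeps a symlink from
    masquerading as the file it points at."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            manifest[rel] = (_sha256(full), stat.S_IMODE(st.st_mode), st.st_size)
    return manifest


def compare(baseline, current):
    """Diff two manifests: files that appeared, vanished, or changed in content,
    permissions or size.  Content is compared by digest, so a same-size swap
    (a trojaned binary padded to the original length) is still caught."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a fake install tree, then 'trojan' it."""
    with tempfile.TemporaryDirectory() as root:

        def put(rel, data, mode=0o755):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)

        put("bin/ssh", b"ssh client build 1\n")
        put("bin/sshd", b"sshd build 1\n")
        put("etc/ssh_config", b"Host *\n", 0o644)
        baseline = snapshot(root)

        # What an intruder with root might do: swap the ssh client for a
        # password-logging one of the same size, make sshd setuid, drop a
        # library, and remove a config file.
        put("bin/ssh", b"ssh client build 2\n")
        os.chmod(os.path.join(root, "bin/sshd"), 0o4755)
        put("lib/libtrojan.so", b"\x7fELF constructed\n")
        os.remove(os.path.join(root, "etc/ssh_config"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats that the Apache account itself illustrates: the baseline and the auditing program must live where a root-level intruder cannot edit them (read-only media or another host, consulted over a console rather than the possibly-trojaned ssh), and the audit only tells you that something changed. Once root was lost, the remedy was a fresh copy of the operating system, not a patch.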

I had a real-world Security Watchdog experience today that will be used for next week's posting.

[08 June 2001, top]
CERT + EIA = ISA (Internet Security Alliance)
CERT (Computer Emergency Response Team) plans to begin selling the confidential warnings it has been giving out to government agencies. Companies can pay between $2,500 and $70,000 a year to receive the warnings 45 days before they are released to the public.

The CERT has teamed up with the EIA (Electronic Industries Alliance) to create the ISA (Internet Security Alliance).

The ISA aims to enhance the information security of member companies and, ultimately, the greater Internet community, and to offer high-value information networks that bring usable business ideas and thinking to member companies. [More...http://www.isalliance.org]

[01 June 2001, top]
CERT Website Hit by a DOS Attack
The Computer Emergency Response Team (CERT) website has been subjected to a DOS (Denial-of-Service) attack. The attack was reported in the "Nation" section of the 24 May 2001 Arizona Republic (i.e. I.Q. Public may have read about it) along with a bunch of online Internet resources.

CERT is a federally funded computer security group that warns government agencies and other computer users about computer attacks and viruses. CERT was formed in 1988 after the first major crack of the Internet.

A DOS attack is designed to keep a server (or its network link) so busy with a flood of simple service requests that it cannot serve legitimate users.

If you do any type of System Administration, then you should be a regular visitor to http://www.cert.org.

[25 May 2001, top]
Yale University has a Censorhappy Dean of Students
On 12 April 2001, the dean of students at Yale University ordered the school's newspaper to remove an article about how poorly the Secret Service is protecting President Bush's daughter. The paper, which is called the Rumpus, is currently unavailable.

More... from Cluebot.com -- Politics. Technology. Get a clue.

[18 May 2001, top]
DVDs, CSS, DeCSS, 2600, OpenLaw, DMCA
Programmers at MIT created a short Perl program that strips the layer of encryption that prevents DVDs from being played without authorization. The program name is qrpff and here is a copy of it. [Does providing this source code make us a criminal?]
Update Wed Aug 29 07:09:37 MST 2001
The DMCA has me scared; therefore, I have removed the source code from of this posting.

CSS stands for Content Scrambling System, a (very weak) encryption used for movie DVDs. DeCSS is a piece of software that breaks the CSS encryption and allows the reading of encrypted DVDs.

2600 Magazine has posted DeCSS stuff to their website and the courts have been after them to stop doing it. 2600 is being defended by Openlaw::Open DVD.

[04 May 2001, top]
RIAA Prevents Professor From Sharing Work
On Tuesday, 24 April 2001, we sent an email to Dennis Ritchie informing him that Unix had made the New York Times crossword puzzle. Ritchie replied and alerted us to a New York Times article concerning the RIAA and SDMI.
   From dmr@plan9.bell-labs.com Tue Apr 24 13:22:00 2001
   Subject: Re: [cszero] NY Times Crossword (fwd)

   Thanks for the tip about the crossword.  Looks like
   two interesting things in the paper today-- that
   and the Markoff article about the Felten et al.
   paper about SDMI-hacking that RIAA is trying
   to suppress.

Ritchie's concerns were about Princeton University scholar Edward W. Felten being threatened with lawsuits if he presents how his group cracked the code of a music copyright protection technology. Felten works in steganography, which deals with concealing data in plain sight. Felten received written notice of possible action from the Recording Industry Association of America. Felten's research stems from work done last year with the Secure Digital Music Initiative (SDMI), a creation of the recording industry. It is academic freedom versus the interests of business. The Digital Millennium Copyright Act says that sharing information on methods of cracking computers and other technologies is illegal. [source::New York Times via Dennis Ritchie via NickB]

RIAA Challenges SDMI Attack from Cryptome.org.

On Thursday, 26 April 2001, bowing to a threatened recording industry lawsuit, a Princeton University computer scientist decided against revealing how he and other researchers thwarted security measures meant to protect copyrighted digital music. [source::New York Times]

[27 April 2001, top]
Selling Urine Over the Web
Kenneth Curtis was arrested after selling his urine over the Internet. Curtis was quoted saying "I'm not a drug dealer. I'm a urine dealer." He was arrested at a gas station after he allegedly delivered a urine kit to an undercover agent, who bought it online. The state Supreme Court heard arguments in October about whether it was legal for Curtis to sell urine online but has yet to rule on the case. Curtis, who has sold his urine over the Internet for three years, sued because he said the new statute targets him and infringes on his constitutional rights. [Note: As of 20 April 2001, iUrine.com and Pee4Sale.com are available.]

From the 13 April 2001 Charlotte Observer:
Urine Dealer Claims Free Speech [source::Declan McCullagh]

[20 April 2001, top]
$3.9 Billion Internet-based Bank Fraud Uncovered
On 12 April 2001, the International Chamber of Commerce (ICC) reported that it had uncovered an Internet-based scheme involving fake bank guarantees worth $3.9 billion. Twenty-nine websites were used in the scam and have been shut down, but the principals behind the fraud were still at large. The websites were hosted by U.S.-based ISPs. Multi-Billion Dollar Net Banking Fraud Uncovered

[Extra] On 06 April 2001, the National Infrastructure Protection Center issued an advisory about a security hole in shopping-cart software produced by PDG Software, Inc. Crackers used this hole to steal credit card numbers. I was curious as to what websites are using PDG Software, but I was not able to find anything except a piece from November of 1999 about security problems with PDG Software. [PDG Software's Response to Security Threat]

[13 April 2001, top]
Security Hole Found in MSIE
A security hole has been found in the Microsoft Internet Explorer (MSIE) browser program. On 03 April 2001, the CERT (Computer Emergency Response Team) issued CA-2001-06 Automatic Execution of Embedded MIME Types -- Microsoft Internet Explorer. [Note: MSIE is used by approximately 68% of web users.]

[Extra] This appears to be a first: a virus called W32.Winux has been produced that runs on both Windows and Linux systems. It can replicate under Windows 95/98/Me/NT/2000 (Win32) and Linux, and it infects EXE (Windows executable) and ELF (Linux executable) files. [A Virus that Leaps Platforms]

[06 April 2001, top]
Security Flaw Reported with TCP
A company named Guardent issued an advisory reporting a TCP security flaw. Their report generated some Internet-based discussion, but for the most part it was considered unimportant because they reported a problem that existed in 1986. In 1996, AT&T wrote a document explaining how to overcome it, and most of today's operating systems have probably implemented AT&T's suggestions. [TCP -- Transmission Control Protocol -- is one of the protocols used to transmit data over the Internet. Webpages, email, telnet, FTP, and so on use TCP.]

The TCP flaw stems from the way initial sequence numbers are generated: they were believed to be random enough to protect the communicating devices, but Guardent researchers discovered that these sequence numbers are guessable with a high degree of accuracy.

There are many computer researchers who believe truly random numbers cannot be generated. If this is true, then no tool can have 100% random behavior.
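To make the "guessable" claim concrete, here is an added example (not code from the original posting or from Guardent's advisory) that scores two toy initial-sequence-number generators with the same predictability test: after watching a few ISNs, can an observer guess the next one to within a small window? LegacyISN imitates the old counter-based scheme (a global counter bumped by a fixed amount per connection; the increment is an assumed illustrative value), and RandomISN draws each ISN from the operating system's secure random source. The AT&T remedy mentioned above keys the ISN to the connection; plain randomness stands in for it here. The two metrics, a guess hit rate and the spread of successive deltas, are the kind of check a defender runs against a host to see whether its ISNs are still the predictable 1986 variety.

```python
"""Scoring how guessable a TCP initial sequence number (ISN) generator is.

Added example; not code from the original posting or from Guardent's advisory.
LegacyISN is a counter-based generator (increment is an assumed value);
RandomISN uses the OS secure random source in place of the AT&T remedy.
"""
import secrets
import statistics

MODULUS = 2 ** 32  # TCP sequence numbers are 32 bits wide and wrap around


class LegacyISN:
    """Counter-based ISN: once the step is known, every later ISN is known."""

    def __init__(self, start=0, step=64_000):
        self.counter = start
        self.step = step

    def next_isn(self):
        self.counter = (self.counter + self.step) % MODULUS
        return self.counter


class RandomISN:
    """ISN drawn uniformly from a cryptographically secure RNG."""

    def next_isn(self):
        return secrets.randbelow(MODULUS)


def wrapped_distance(a, b):
    """Shortest distance between two 32-bit sequence numbers, honouring wraparound."""
    d = (a - b) % MODULUS
    return min(d, MODULUS - d)


def guess_hit_rate(generator, observations=5, trials=200, window=1000):
    """Fraction of trials in which 'last ISN + last delta' lands within +/-window
    of the ISN the generator actually produced next.  1.0 means fully guessable."""
    hits = 0
    for _ in range(trials):
        seen = [generator.next_isn() for _ in range(observations)]
        step = (seen[-1] - seen[-2]) % MODULUS
        predicted = (seen[-1] + step) % MODULUS
        if wrapped_distance(generator.next_isn(), predicted) <= window:
            hits += 1
    return hits / trials


def delta_spread(generator, samples=100):
    """Population standard deviation of successive ISN deltas.
    Zero means a constant increment; a large value means scattered deltas."""
    isns = [generator.next_isn() for _ in range(samples)]
    deltas = [(b - a) % MODULUS for a, b in zip(isns, isns[1:])]
    return statistics.pstdev(deltas)


if __name__ == "__main__":
    for name, gen in (("legacy counter", LegacyISN()), ("secure random", RandomISN())):
        print("%-15s guess hit rate %.3f, delta spread %.0f"
              % (name, guess_hit_rate(gen), delta_spread(gen)))
```

Running the block prints a hit rate of 1.000 for the counter and essentially 0 for the random source; the delta spread is 0 for the counter and on the order of a billion for the random source. The window of 1000 is generous on purpose: even a loose guess succeeds every time against the counter, which is the whole point of the advisory.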

[30 March 2001, top]
Fraud Detected in Authenticode Code Signing Certificates
Wow... first we were going to report about a security hole in TCP [Transmission Control Protocol, which is one of the protocols used to transmit data over the Internet], but then we learned about a security problem with PGP [Pretty Good Privacy, which is an encryption technique that is commonly used to protect messages (i.e. data) that are transmitted over the Internet], but then on 22 March 2001, the Computer Emergency Response Team (CERT) issued an advisory warning that VeriSign, Inc. had issued two certificates to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code signed by these certificates will appear to be legitimately signed by Microsoft when, in fact, it is not.

The following was copied from the VeriSign website:

The risk associated with these certificates is that the fraudulent party could produce digitally signed code and appear to be Microsoft Corporation. In this scenario, it is possible that the fraudulent party could create a destructive program or ActiveX control, then sign it using either certificate and host it on a Web site or distribute it to other Web sites.

VeriSign has revoked the certificates, which is a necessary step, but it only works if software checks the CRL (Certificate Revocation List). Microsoft's Internet Explorer program does not automatically do this.

At the time of the CERT advisory there did not appear to be any patches available that directly address the issue, and Microsoft is working on producing patches that will ensure the invalid certificates are not used.

[Side-bar] At the 1997 Java One conference, I saw a webpage fetched that contained an ActiveX control, which then proceeded to examine Excel spreadsheet data, Quicken data, and other files containing data on the user's local computer. When it was done doing this, the ActiveX control proceeded to erase data from the hard-disk.

but then... I found out about the Lion Worm, which attacks Linux machines through BIND DNS. I was done for the week with this particular resource, but I was online so what the heck -- we did this bonus posting. [Remember that Billy Preston song... nothing from nothing is nothing.]

[23 March 2001, top]
A Bit About Information Warfare
Time and time again we have indicated how awful cyberwar will be. Corrupting data can be an effective way to "drop bombs" on all citizens of a country. I would not be happy to wake up some morning and have no money in my checking account. I want to thank SeanJ for providing a resource that introduces us to the idea of Information Warfare.

[09 March 2001, top]
ISP Guilty of Serving Up Child Porno
WiredNews reports:
An ISP in Buffalo NY pleaded guilty in the State Supreme Court to a misdemeanor charge of knowingly providing access to child pornography.
I agree with the following quote:
"What the New York authorities are saying is that ISPs are going to have to choose between being policemen or criminals."

Excuse my childishness, but yuck. If I'm an ISP, then I don't want the responsibility of deciding what can and cannot be served.

It would be nice to be an ISP that didn't have to host everybody and anybody, but most ISPs cannot afford to turn away accounts. Our long term goal is to establish an ISP that is open and free that serves up nothing but good stuff.

WiredNews::ISP Guilty in Child Porn Case

[02 March 2001, top]
PFIR -- Professionals For Internet Responsibility
PFIR is the Professionals For Internet Responsibility and this organization is...
"a global, ad hoc network of individuals who are concerned about the current and future operations, development, management, and regulation of the Internet in responsible manners. The main goal of PFIR is to help provide a resource for individuals around the world to gain an ability to help impact these crucial Internet issues, which will affect virtually all aspects of our cultures, societies, and lives in the 21st century. PFIR is nonpartisan, has no political agenda, and does not engage in lobbying."
I've gotten lots of good stuff from the PFIR via their low-volume mailing list. PFIR was founded by Internet veterans Lauren Weinstein and Peter Neumann.

[Note: ThurmUnit is a long-time hyperlinker to Neumann's RISKS Digest, which is a moderated digest of postings from the comp.risks Usenet newsgroup. Weinstein maintains the Privacy Forum and his most recent posting is Network Solutions Sells Out -- Domain Info For Sale to Marketers.]

If you are interested in making sure the Internet remains open and fun, with minimal rules, regulations, and laws, and safe from a political takeover, then visit PFIR at http://PFIR.org.

[23 February 2001, top]
Anna Kournikova Virus Worms the Internet
A person from the Netherlands who goes by the handle OnTheFly has admitted to writing the Anna Kournikova email worm that hit the Internet on 12 February 2001. The cracker posted the Visual Basic code to the alt.comp.virus.source.code Usenet newsgroup. Note: the cracker created their worm using a point-and-click virus creation program called the "Vbs Worms Generator."

Here is what appears to be a Usenet posting by OnTheFly.

   Date: Tue, 13 Feb 2001 17:49:00 GMT
   From: OnTheFly <OnTheFly@Cotse.com>
   Newsgroups: alt.comp.virus.source.code
   Subject: Re: annakournikova / onthefly


   Some info:
   http://members.tripodnet.nl/on_the_fly/index.html

   Interview with the writer:
   http://www.wired.com/news/technology/0,1282,41782,00.html

   Greetz,
   OnTheFly

[Side-bar] I posted this to ThurmUnit because Anna Kournikova is a popular query string entered into search engines. Now if somebody searches for her, then maybe a hyperlink to ThurmUnit will show up. Users will probably have to scroll through hundreds of screens before hitting the ThurmUnit hyperlink, but what the heck.

[16 February 2001, top]
Privacy.org -- Helping Keep the Internet Safe
As users of the Internet continue to enter more and more information into email messages, chat rooms, bulletin-boards and newsgroups, privacy issues become increasingly critical. Privacy.org is the website for daily news, information, and initiatives on privacy. It is a joint project of the Electronic Privacy Information Center (EPIC) and Privacy International. The following quotes were obtained from Privacy.org:
	Privacy is a right not a preference.
	No eCommerce without ePrivacy.
	Protect privacy protect anonymity.
[09 February 2001, top]
Beware... Facial Scanning Happens
I've had this facial scanning news item stored away since 16 January 2001. It comes from NationalPost.com and it is about how Ontario (Canada) police want to use facial-scanning technology in casinos. They justify its use because there is "no expectation of privacy" at a casino. [NationalPost.com article] Recall, the 10 Nov 2000 Security Watchdog posting was about how facial scanning was being used to control access to clubs in the Netherlands. [Cyber-bouncer article]

Now, on 31 January 2001, there were reports that facial scanning was done at the Super Bowl to search the crowd for potential bad guys. [WashingtonPost.com article]

Facial scanning is one of many forms of biometrics. The overall market share for the biometric technologies in 2000 was divided among fingerprint (39.1 percent), hand (31 percent), voice (15.8 percent), face (7.1 percent), eye (4.3 percent), and signature (2.7 percent).

[02 February 2001, top]
Microsoft Experiences a DOS Attack
Microsoft computers were subjected to a DOS attack on 25 January 2001. We have discussed DOS attacks in previous ThurmUnit postings.

29 December 2000 MOTD
Provided the following hyperlink to the New Year's DDOS Advisory.

13 October 2000 Security Watchdog
This posting reported the following.

Many computer security experts are predicting that a major DOS attack will happen in the near future. In this scenario DOS stands for Denial Of Service. DOS is an assault on a network that floods it with so many additional requests that regular traffic is either slowed or completely interrupted. Unlike a virus or worm, which can cause severe damage to databases, a denial of service attack interrupts network service for some period and does not corrupt data.
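Both this description and the 25 May 2001 posting above define a DOS attack as a flood of simple requests that crowds out regular traffic. The following added example (not code from the original postings or from CERT) shows the simplest detection for that pattern on the server side: it parses a handful of constructed Common Log Format lines and reports any client that sends more than a threshold of requests inside a sliding time window. Addresses, timestamps and the threshold are made up for illustration, and a line that does not parse is skipped and counted rather than crashing the scan.

```python
"""Flagging request floods in a web server access log.

Added example; not code from the original postings or from CERT.  The sample
lines, addresses and threshold are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.0.0.9 hammers the front page while two other clients browse normally.
SAMPLE_LOG = """\
10.0.0.9 - - [25/Jan/2001:10:00:00 -0700] "GET / HTTP/1.0" 200 1043
192.168.1.5 - - [25/Jan/2001:10:00:00 -0700] "GET /index.html HTTP/1.0" 200 2345
10.0.0.9 - - [25/Jan/2001:10:00:00 -0700] "GET / HTTP/1.0" 200 1043
10.0.0.9 - - [25/Jan/2001:10:00:01 -0700] "GET / HTTP/1.0" 200 1043
10.0.0.9 - - [25/Jan/2001:10:00:01 -0700] "GET / HTTP/1.0" 200 1043
192.168.1.7 - - [25/Jan/2001:10:00:02 -0700] "GET /images/logo.gif HTTP/1.0" 200 512
10.0.0.9 - - [25/Jan/2001:10:00:02 -0700] "GET / HTTP/1.0" 200 1043
this line is not in common log format
10.0.0.9 - - [25/Jan/2001:10:00:03 -0700] "GET / HTTP/1.0" 200 1043
10.0.0.9 - - [25/Jan/2001:10:00:03 -0700] "GET / HTTP/1.0" 200 1043
192.168.1.5 - - [25/Jan/2001:10:00:04 -0700] "GET /about.html HTTP/1.0" 200 1200
10.0.0.9 - - [25/Jan/2001:10:00:04 -0700] "GET / HTTP/1.0" 200 1043
10.0.0.9 - - [25/Jan/2001:10:01:30 -0700] "GET / HTTP/1.0" 200 1043
"""


def parse_line(line):
    """Returns (client, timestamp, request, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, stamp, request, status, _ = m.groups()
    try:
        when = datetime.strptime(stamp, TIME_FMT)
    except ValueError:
        return None
    return client, when, request, int(status)


def find_floods(lines, threshold=6, window_seconds=10):
    """Returns ({client: peak requests inside one window}, skipped_line_count)
    for clients that exceed the threshold.  Assumes a chronological log."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # client -> timestamps inside the current window
    peaks = {}
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        client, stamp, _, _ = parsed
        q = recent[client]
        q.append(stamp)
        while stamp - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) > threshold:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks, skipped


if __name__ == "__main__":
    floods, bad = find_floods(SAMPLE_LOG.splitlines())
    for client, peak in floods.items():
        print("possible flood from %s: %d requests in one window" % (client, peak))
    print("%d unparseable line(s) skipped" % bad)
```

With the defaults the scan reports 10.0.0.9 at a peak of 8 requests in one 10-second window and skips the one garbled line. A real flood will usually be far less polite than eight requests, and a distributed one will spread across many addresses, which is why the per-client count is only a first cut; it is still the check most people start with.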

12 Feb 2000 Internet Observer
Here is a copy of that week's posting.

On 28 Dec 1999, the Computer Emergency Response Team issued the following advisory: CERT Advisory CA-99-17 Denial-of-Service Tools. On 07 Feb 2000 and 08 Feb 2000 major "Denial-of-Service" attacks were launched against the world's largest websites (Yahoo, Ebay, CNN, and so on).

This Internet crack has all kinds of rumors behind it. Here are just a few of the ones I have heard: it was conducted by our Government to test just how bad Internet security is; it was due to Y2K problems in many of the routers; a good portion of the attacks were conducted using Stanford University's network.

On 02 Feb 2000, the Computer Emergency Response Team issued CERT Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests. Wow... I can hardly wait for this one to manifest itself.

The Free On-Line Dictionary Of Computing (FOLDOC) helps us answer the question... what is ping?

Back to 26 January 2001...

During the 25 January 2001 CSC200 class I executed the Unix whois command using microsoft.com as an argument and redirected the command's standard output stream into a file named msft.

   $ whois microsoft.com >msft

Now we'll view the content of the file using the Unix view command. [This command is really the vi program, but it does not allow us to modify the file -- we are in read-only mode.] You will have to click the hyperlink to see the file content.

   $ view msft

[26 January 2001, top]
Help for Keeping Computers Secure
This week's posting provides some simple guidelines for helping keep computers secure and, surprisingly, these guidelines are provided by Microsoft -- a leader in insecure computing. We also provide a hyperlink to a resource that informs us of some useful tools for helping keep our computers safe from the crackers of the world.
The Ten Immutable Laws of Security from the Microsoft Security Response Center
Top 50 Security Tools provided by Insecure.org
[19 January 2001, top]
Why is There a Security Watchdog?
Given the explosion of the Internet during the last half of the 1990's, computer security has become an increasingly important issue. As of 01 January 2001, it is estimated that computer users will spend more than $3 billion over the next three years on security software to combat a rise in computer-related offenses such as cracking. Thanks to the WWW, John Q. Public has access to an amazing quantity of stuff and public computer networks are used more today than ever before.

The Security Watchdog was started to help us keep track of what is going on in the area of computer security. Topics such as privacy, data encryption, computer ethics, digital identity, biometrics, free speech, and so on are critical to keeping the Internet a safe and useful tool.

As of 01 January 2001, there have been 38 postings made to the Security Watchdog. Typically, this resource is updated on a weekly basis.

[12 January 2001, top]


Author: G.D.Thurman [deru@deru.com]
Last Modified: Saturday, 05-Jan-2013 11:17:39 MST

Thanks for Visiting