-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 17 of 19  ]


-------------------------[  P H R A C K     W O R L D     N E W S  ]


--------[  disorder   ]

Like I said in Phrack 54, with the increase of news on the net, security,
hackers and other PWN topics, it is getting more difficult to keep Phrack
readers informed of everything.  To combat this problem, PWN will include
more articles, but only relevant portions (or the parts I want to make
smart ass remarks about).  If you would like to read the full article,
look through the ISN (InfoSec News) archives located at: 

	http://www.landfield.com/isn/

If you would like timely news delivered with less smart ass remarks, you
can always subscribe to ISN by mailing listserv@securityfocus.com with

	'subscribe isn firstname lastname'

in the body of your mail. Another excellent source of daily news is the
Hacker News Network (HNN @ www.hackernews.com). 

The news included in here are events that occurred since the previous
edition of Phrack World News (Phrack Magazine V. 8, #54, Dec 25th, 1998.
ISSN 1068-1035).

If you feel the need to send me love letters, please cc:
mcintyre@attrition.org and tell him to "get jiggy on your wiggy". If you
would like to mail my cat, don't, he hates you because you are pathetic.
Meow. 

This installment of PWN is dedicated to Federal Agents of Diminished
Mental Capacity, stupid little kids running canned scripts for lack of
real skill .. err 'hackers', and blatant stupidity. This issue was brought
to you by the letters F, U, C, K, O and F. 

--------[  Issue 55

 0x01: State of Defacements
 0x02: L.A. district attorney drops Mitnick case
 0x03: Mitnick sentenced, ordered to pay $4,125
 0x04: Clinton forms security panel
 0x05: Bill reopens encryption access debate
 0x06: The Hacker Hoax
 0x07: Israeli Teen Finds Web Full of Security Holes 
 0x08: Hotmail Hackers: 'We Did It'
 0x09: Scientists crack Net security code
 0x0a: NSA Lures Hackers
 0x0b: Army to offer 'information survival' training
 0x0c: Clinton To Use hackers Against Yugoslav leader
 0x0d: Hack attack knocks out FBI site
 0x0e: White House threatens to punish hackers 
 0x0f: MS Refutes Windows 'Spy Key'
 0x10: Teens plead innocent in hacking case

0x01>-------------------------------------------------------------------------

State of Defacements
Attrition
09.01.99

As of 09.01.99, the following statistics and information have been
generated based on the mirrors of defaced web sites kept at
www.attrition.org/mirror/attrition/

The word 'fuck' occurred 1269 times in 584 out of 2145 mirrors dating back
to 95.06.12. 337 defaced pages have linked to or greeted 'attrition', the
largest mirror of defacements.  Shortly after the Columbine shooting, 37
defacements made reference to the incident.  To date, 31 defacements have
made reference to Serbia. 

Average number of website defacements per day since 99.01.01: 3.0.
Average number of website defacements per day since 99.02.01: 2.5.
Average number of website defacements per day since 99.03.01: 4.0.
Average number of website defacements per day since 99.04.01: 8.9.
Average number of website defacements per day since 99.05.01: 12.7.
Average number of website defacements per day since 99.06.01: 10.4.
Average number of website defacements per day since 99.07.01: 10.6.
Average number of website defacements per day since 99.08.01: 10.3.

Total website defacements in 1995: 4
Total website defacements in 1996: 18
Total website defacements in 1997: 39
Total website defacements in 1998: 194
Total website defacements in 1999: 1905

Since 08.01.99
 # of BSDi    : 13			 # of FreeBSD : 9
 # of HP/UX   : 1			 # of IRIX    : 11
 # of Linux   : 71			 # of OSF1    : 3
 # of SCO     : 2			 # of Solaris : 78
 # of Win-NT  : 109

Since 95.06.12
com:    1052			net:     124
org:     140			mil:      52
gov:     121

The past year has seen many high profile sites defaced. Among them: 
C-Span (www.c-span.org), EBay (www.ebay.com), ABC News (www.abc.com),
Symantec (www.symantec.com), The White House (www.whitehouse.gov), The
Senate (www.senate.gov), GreenPeace (www.greenpeace.org), US Information
Agency (www.usia.gov), MacWeek (www.macweek.com), HotBot (www.hotbot.com),
Wired (www.wired.com), and more. Among the armed forces, all branches
including the Coast Guard have experienced at least one defacement. 

0x02>-------------------------------------------------------------------------

L.A. district attorney drops Mitnick case
http://www.zdnet.com/zdnn/stories/news/0,4586,2310792,00.html?chkpt=hpqs014
August 6, 1999

Deputy district attorney says state case was 'mischarged' -- clears way
for Mitnick halfway house plea. 

[snip...]

In 1993, the district attorney charged Mitnick with one count of illegally
accessing a Department of Motor Vehicles computer and retrieving
confidential information. The problem with that charge is that Mitnick,
posing as a Welfare Fraud investigator, simply picked up a telephone on
Dec. 24, 1992, and duped an employee into accessing the DMV computer for him.

"Since Mitnick did not personally connect to the DMV computer, but either
he or someone else communicated with the DMV technician via a telephone
conversation," Bershin wrote in his motion to dismiss the case, "it would
be difficult to prove that Mitnick gained entry to the DMV computer, or
that he instructed or communicated with the logical, arithmetical or
memory function resources of the DMV computer." 

[snip...]

0x03>-------------------------------------------------------------------------

Mitnick sentenced, ordered to pay $4,125
August 10, 1999 11:55 AM ET
http://www.zdnet.com/pcweek/stories/news/0,4153,1015902,00.html

LOS ANGELES -- Four years, five months and 22 days after it began, The
United States vs. Kevin Mitnick ended Monday when U.S. District Court
Judge Marianna Pfaelzer sentenced the hacker to 46 months in prison.
Mitnick was also ordered to pay $4,125 in restitution -- a fraction of the
$1.5 million federal prosecutors sought. 

With credit for good behavior, Mitnick could be free by January 2000. Once
released, the hacker is ordered not to touch a computer or cellular
telephone without the written approval of his probation officer. 

Mitnick is also immediately eligible for release to a halfway house at the
discretion of the Bureau of Prisons, although the judge recommended he
serve the remainder of his sentence in prison. 

Mitnick pleaded guilty on March 26 to seven felonies, and admitted to
cracking computers at cellular telephone companies, software
manufacturers, ISPs and universities, as well as illegally downloading
proprietary software from some of the victim companies. 

[snip...]

0x04>-------------------------------------------------------------------------

Clinton forms security panel
AUGUST 2, 1999 
http://www.fcw.com/pubs/fcw/1999/0802/fcw-polsecurity-08-2-99.html

President Clinton last month signed an executive order to create the
National Infrastructure Assurance Council, the final organization to be
established as part of an overall structure to protect the critical
infrastructure of the United States against cyberterrorism and other
attacks. 

[Very timely...]

The council will be made up of 30 people from federal, state and local
governments, as well as the private sector. As outlined in the May 1998
Presidential Decision Directive 63, its main purpose is to enhance and
continue to develop the partnership between the public and private sector
on initiatives already in place. This includes the Information Sharing and
Analysis Centers (ISACs) that are being set up across the country to
exchange information about vulnerabilities, cyberattacks and intrusions. 

[So by the time this council is created, people elected, everything
 setup.. This is slightly amusing considering the vice-president created
 the Internet. *smirk*]

[snip...]
 
0x05>-------------------------------------------------------------------------

Bill reopens encryption access debate
AUGUST 16, 1999 
http://www.fcw.com/pubs/fcw/1999/0816/fcw-newsencrypt-08-16-99.html

Renewing efforts to allow law enforcement agencies to access and read
suspected criminals' encrypted electronic files, the Clinton
administration has drafted a bill that would give those agencies access to
the electronic "keys"  held by third parties. 

The Cyberspace Electronic Security Act, the drafting of which is being led
by the Office of Management and Budget and the Justice Department,
"updates law enforcement and privacy rules for our emerging world of
widespread cryptography," according to an analysis accompanying the bill
obtained by Federal Computer Week. 

[Oh yeah, this is them figuring a way to keep our best interests in mind! 
 Let law enforcement have access to everything, because they are always
 good and honorable.]

[snip...]

0x06>-------------------------------------------------------------------------

The Hacker Hoax
August 18, 1999
http://www.currents.net/newstoday/99/08/18/news3.html

The world's press might have been fooled into believing that a Chinese
hacker group plans to bring down the country's information infrastructure.
According to stories that began circulating in July last year, the rogue
group, the Hong Kong Blondes, is made up of dissidents both overseas and
within the Chinese Government. 

The rumours began when an interview with the group's leader was published
by US hacking group the Cult of the Dead Cow (CDC) at
http://www.cultdeadcow.com . In the interview, illusive Hong Kong Blondes
director Blondie Wong said that he had formed an organization named the
Yellow Pages, which would use information warfare to attack China's
information infrastructure. 

The group threatened to attack both Chinese state organizations and
Western companies investing in the country. For their part, the CDC
claimed that they would train the Hong Kong Blondes in encryption and
intrusion techniques. 

One year after the group's supposed launch, there is no evidence that the
Hong Kong Blondes ever existed. In fact, all evidence appears to indicate
that the Hong Kong Blondes report was a highly successful hoax. 

[snip...]

0x07>-------------------------------------------------------------------------

Israeli Teen Finds Web Full of Security Holes 
August 17, 1999
http://www.internetnews.com/intl-news/print/0,1089,6_184381,00.html

[Westport, CT] An independent consultant in Israel has released the
results of one of the first exhaustive surveys of Internet security,
hoping to provide a wake-up call for Internet companies.

With the help of a piece of homemade scanning software, Liraz Siri probed
nearly 36 million Internet hosts worldwide over a period of eight months.
Siri and his program, the Bulk Auditing Security Scanner or BASS, went
looking specifically for UNIX systems that were vulnerable to 18 widely
known security vulnerabilities -- holes for which vendors have already
released patches and other fixes. 

[snip...]

0x08>-------------------------------------------------------------------------

Hotmail Hackers: 'We Did It'
4:00 p.m.  30.Aug.99.PDT
http://www.wired.com/news/news/technology/story/21503.html

A previously unknown group known as Hackers Unite has claimed
responsibility for publicizing Hotmail's security breach, which Microsoft
vehemently denied was the result of a backdoor oversight. 

The group of eight hackers said Monday through a spokesman that they
announced the hole to the Swedish media to draw attention to what they say
is Microsoft's spotty security reputation. 

The stunt exposed every Hotmail email account, estimated to number as many
as 50 million, to anyone with access to a Web browser.

[snip...]

Microsoft vehemently denied the backdoor suggestions, and instead
described the problem as "an unknown security issue." 

"There is nothing to these allegations [of a backdoor in Hotmail]," said
MSN marketing director Rob Bennett. "It is not true. Microsoft values the
security and privacy of our users above all."

[I think if you sub the "." in that last statement with the word "that",
 it is much more accurate.]

0x09>-------------------------------------------------------------------------

Scientists crack Net security code
Aug. 27 
http://www.msnbc.com/news/305553.asp

A group of scientists claimed Friday to have broken an international
security code used to protect millions of daily Internet transactions,
exposing a potentially serious security failure in electronic commerce.
Researchers working for the National Research Institute for Mathematics
and Computer Science (CWI) in Amsterdam said consumers and some businesses
could fall victim to computer hackers if they get their hands on the right
tools. However, not every computer whiz has access to the equipment, worth
several million dollars, and no related Internet crimes have yet been
uncovered, the experts said. 
  
The scientists used a Cray 900-16 supercomputer, 300 personal computers
and specially designed number-crunching software to break the so-called
RSA-155 code -- the backbone of encryption codes designed to protect e-mail
messages and credit-card transactions.

"Your everyday hacker won't be able to do this," said project director
Herman te Riele. "You have to have extensive capacity, the money, and the
know-how, but we did it."

[snip...]

0x0a>-------------------------------------------------------------------------

NSA Lures Hackers
27 August 1999
http://www.currents.net/clickit/printout/news/28074924000990080.html

There's a future in the National Security Agency for young techies and
hackers, showing that maybe the Clinton administration is a little
off-base in its efforts to turn children away from the so-called dark side
of computer obsession. 

According to a page on the NSA Website, last updated in December 1998, the
agency is looking for a few good teen-aged hacker-types, promising them
free college tuition, room and board if they come to work for the agency
for at least five years upon college graduation. 

The NSA program is not exactly restricted to the dean's list cream of the
crop, however, requiring only a minimum SAT score of 1200 (or composite
ACT score of 27), a 3.0 grade point average or higher, "demonstration of
leadership abilities" and US citizenship. 

[snip...]

0x0b>-------------------------------------------------------------------------

Army to offer 'information survival' training
MAY 5, 1999
http://www.fcw.com/pubs/fcw/1999/0503/web-army-5-5-99.html

The Army this fall plans to offer an online graduate-level training course
on information systems survivability, teaching engineers to develop
systems capable of surviving any kind of technical glitch and network
attack. 

[Define 'irony'. The army training anyone about security. Let's have a quick
 look at some public validation for the army and security!

 Date                         Web page defaced
 ------                       ----------------
 99.01.25                     wwwjtuav.redstone.army.mil
 99.03.02                     www.bweb.wes.army.mil
 99.03.07                     wrair-www.army.mil
 99.04.11                     mdw-www.army.mil
 99.04.19                     www-anad.army.mil
 99.05.01                     www.rsc.stuttgart.army.mil
 99.05.03                     www.ett.redstone.army.mil
 99.06.04                     cenwo.nwo.usace.army.mil
 99.06.24                     www.monmouth.army.mil
 99.06.27                     www.army.mil
 99.07.16                     www.ado.army.mil
 99.08.03                     akamai.tamc.amedd.army.mil
 99.08.29                     www.cmtc.7atc.army.mil

Oh yes, sign me up please.]

0x0c>-------------------------------------------------------------------------

Clinton To Use hackers Against Yugoslav leader
http://www.attrition.org/errata/www/art.0109.html

President Clinton has approved a top-secret plan to destabilize Yugoslav
leader Slobodan Milosevic, using computer hackers to attack his foreign
bank accounts and a sabotage campaign to erode his public support,

[Yes, sneaky me. The URL above is part of the Errata page. Why? Because
 several news outlets blindly reported this as the truth, when it is
 highly likely it is not. Sensationalism at its finest.]

0x0d>-------------------------------------------------------------------------

Hack attack knocks out FBI site
May 26, 1999 6:44 PM PT 

A skirmish between the FBI and a well-known hacker group seemingly erupted
Wednesday. 

Not long after federal agents served search warrants on members of hacker
group Global Hell (gH), probably in connection with recent attacks on U.S.
government computers, the FBI's own Web site was attacked and is currently
offline.

Earlier on Wednesday, MSNBC was told by a member of gH that the FBI had
served search warrants on several members of the hacker group. Last week,
gH member Eric Burns (who also goes by the name Zyklon), was arrested in
connection with three separate attacks on U.S. government computers,
including systems at the U.S. Information Agency.

[Pay attention journalists. Dozens of you misread this to say the FBI web
 page was defaced. It clearly says they were the victim of a Denial of Service
 attack.]

0x0e>-------------------------------------------------------------------------

White House threatens to punish hackers 
June 1, 1999, 3:35 p.m. PT 
http://www.news.com/News/Item/0,4,37257,00.html

Annoyed by a recent wave of attacks against official U.S. government Web
sites, the White House today warned hackers who target federal Web sites
that they will be caught and punished. 

"There's a government-wide effort to make sure that our computer systems
remain secure," White House Press Secretary Joe Lockhart said in a
briefing. "For those who think that this is some sort of sport, I think
[it will be] less fun when the authorities do catch up with them...and
these people are prosecuted," he said. 

[Busting the people that have already violated your security will
 not make you secure in the future. Talk about blind to the world.]

0x0f>-------------------------------------------------------------------------

MS Refutes Windows 'Spy Key'
10:20 a.m.  3.Sep.99.PDT
http://www.wired.com/news/news/technology/story/21577.html

Microsoft is vehemently denying allegations by a leading cryptographer
that its Windows platform contains a backdoor designed to give a US
intelligence agency access to personal computers. 

Andrew Fernandes, chief scientist for security software company Cryptonym
in North Carolina, claimed on his Web site early Friday that the National
Security Agency may have access to the core security of most major Windows
operating systems. 

"By adding the NSA's key, they have made it easier -- not easy, but easier
-- for the NSA to install security components on your computer without
your authorization or approval," Fernandes said. 

But Microsoft denied that the NSA has anything to do with the key. 

[Yeah. The NSA isn't bright enough to change the name of a 'backdoor'
 key from "_NSAKEY" to something a little less glaring.]

0x10>-------------------------------------------------------------------------

Teens plead innocent in hacking case
09/02/99- Updated 01:34 PM ET
http://www.usatoday.com/life/cyber/tech/ctg016.htm

JERUSALEM (AP) - Four teen-agers charged with hacking into the computer
systems of the Pentagon, NASA and the Israeli parliament pleaded innocent
Thursday, the lawyer for the alleged ringleader said.  Shmuel Tzang said
his client, Ehud Tenenbaum, 19, broke no law when he penetrated the
Internet sites of American and Israeli institutions because there was no
notice on the sites declaring them off-limits. 

[This is patently stupid. Because the systems didn't say "breaking in
 is illegal", they didn't break the law? This level of stupidity is
 indicative of the level they showed to get busted.]


----[  EOF