Path: nntp.gmd.de!newsserver.jvnc.net!darwin.sura.net!guvax.acc.georgetown.edu!!cunix.esu.edu!porky.pig.gov!uuvaxman!catch.me.if.ya.can.!
Newsgroups: alt.2600
Subject: Re: New York Times article?
Message-ID: <26OOhertz@shade.com>
From: Shade
Date: 23 Jan 95 15:54:57 -0500
Sender: Shade
Distribution: world
Organization: alt.2600 FYI Society Inc.
Lines: 72

Alex / Brain21 (scrtnizr@user1.IS.NET) wrote:
: I heard last night, and earlier this morning that there was an article in
: the Wall Street Journal or New York Times about hacking on the Internet,
: and that there would be some sort of a CERT advisory posted today about
: whatever it is that they were talking about. The tv reports were less
: than vague. Anyone know what I am talking about? Any pointers, etc.??

>I got this from the AOL newsreader -
>
>Internet Route for Computer Theft Found
>
> NEW YORK (Reuter) - Unknown computer hackers have found a new avenue
>for theft using the international Internet system, a federal security
>agency has found, The New York Times reported in its Monday editions.
> The paper said the government-financed Computer Emergency Response
>Team had found 20 million home, business and university computers
>vulnerable to attack by intruders and to the theft of information, such as
>credit card numbers.
> It said that the agency would be advising users Monday on the Internet
>and how to guard against intruders.
> According to The Times, the problem can be compared to finding that
>master keys to all the front doors in the neighborhood have fallen into
>the hands of burglars.
> The paper said the latest attack made use of a flaw in the Internet
>design to fool router computers into believing a message is coming from a
>trustworthy source.
> By masking its data as coming from a familiar computer the illegal
>hackers can gain access to protected computer resources and penetrate the
>system, the paper reported.
> The response team, based at Carnegie-Mellon University in Pittsburgh,
>Pennsylvania, would post an Internet advisory telling users of attacks
>that have occurred and urging protective measures involving software and
>hardware security, the paper said.
> Besides other data, the publication noted that by year's end Internet
>is expected to be used by businesses such as florists, supermarkets,
>credit card companies and banks. It said the intruders could use their
>latest access to steal credit card numbers, merchandise and money.

For the information of all who are interested:

The attacks that are causing concern are a form of attack using a method
first documented around 1984 by Robert Morris. The 'BIG' attack that has
everyone running around in a frenzy was an attack that occurred on Tsutomu
Shimomura, who (for those in the know) is a computer security deity of
sorts.

The attackers (who will remain forever anonymous due to the cleverness of
the attack) first shut down a fileserver inside the domain using a bug in
a common internet protocol. (Very Kewl bug I might add) Then they sent
packets into the domain with a Source-addr of the fileserver that they had
already shut down. By calculating the sequence number of the reply they
forged another packet and shot it into the network to complete the 3-way
handshake. The last packet also contained a 'rsh echo ++:: '>' /etc/hosts.equiv"
to open the machine up to the whole internet. Then they proceeded to log
into the machine.

The site run by Shimomura was a literal 'Motherlode' of hacking tools,
many created by Shimomura himself for testing and such. Needless to say,
this was a beautifully executed job. All log files were cleaned up nicely.
(For the most part that is) and it will be IMPOSSIBLE for anyone to trace.
Their best information so far is that it came from a 19200 modem (or at
least this was the slowest connection). There were also several other
clever hacks that then took place once they opened the first host.
Including using an open xterm on another machine (which had a root shell)
to execute commands on that other machine. I decline to specify the details
of that hack at this time.

If you really want to know more about this attack and have interesting
input to offer drop me an email.

-Shade-
shade@corcom.com
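The end state of the attack Shade describes is a wildcard entry appended to /etc/hosts.equiv, after which rshd/rlogind trust every host on the network. The following audit script is an added example, not code from Shade's post, from CERT, or from any rsh implementation: it parses hosts.equiv/.rhosts-style trust files ("hostname [username]" per line, "#" comments, "+" as the wildcard, "-host" as a deny entry, "+@netgroup" for netgroups, as documented for BSD-derived rshd), reports entries that widen trust beyond a named host, and produces a copy with the plain "+" wildcards removed. The sample file is constructed for the demonstration; the host and netgroup names in it are not real.

```python
"""Audit rsh/rlogin trust files (/etc/hosts.equiv, ~/.rhosts) for wildcard
entries that make a host trust the whole network, the condition the
attacker created by appending '+' to hosts.equiv.

Added example; the sample file below is constructed and not taken from
any real system or from the post.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample trust file; line numbers are used in the report.
SAMPLE_HOSTS_EQUIV = """\
# /etc/hosts.equiv -- constructed sample
trusted.example.net
trusted.example.net   backup
+ +
+
-untrusted.example.org
+@admins
"""


@dataclass
class TrustEntry:
    line_no: int
    host: str
    user: Optional[str]


Finding = Tuple[int, str, str]  # (line number, severity, message)


def parse_trust_file(text: str) -> List[TrustEntry]:
    """Parse 'hostname [username]' lines; '#' starts a comment."""
    entries: List[TrustEntry] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        user = fields[1] if len(fields) > 1 else None
        entries.append(TrustEntry(n, fields[0], user))
    return entries


def audit(entries: List[TrustEntry]) -> List[Finding]:
    """Flag entries that extend trust beyond a single named host."""
    findings: List[Finding] = []
    for e in entries:
        if e.host == "+" and e.user == "+":
            findings.append((e.line_no, "CRITICAL",
                             "'+ +': any user on any host may log in as any local user"))
        elif e.host == "+":
            findings.append((e.line_no, "CRITICAL",
                             "'+': every host is trusted for equivalent-user logins"))
        elif e.user == "+":
            findings.append((e.line_no, "HIGH",
                             f"any user on {e.host} may log in as any local user"))
        elif e.host.startswith("+@"):
            findings.append((e.line_no, "MEDIUM",
                             f"netgroup {e.host[2:]} is trusted; verify its membership"))
        elif set(e.host) == {"+"} or (e.user and set(e.user) == {"+"}):
            # A run of '+' signs that is not the single wildcard is not a
            # valid hostname; treat it as evidence of tampering.
            findings.append((e.line_no, "MEDIUM",
                             "malformed '+' token; review the file for tampering"))
    return findings


def strip_wildcards(text: str) -> str:
    """Return the file with every plain '+' host/user wildcard line removed.

    Comment lines, named hosts, deny entries and netgroup entries are kept
    so that the legitimate trust relationships survive the cleanup.
    """
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        wild = bool(fields) and any(set(f) == {"+"} for f in fields)
        if not wild:
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, severity, msg in audit(parse_trust_file(SAMPLE_HOSTS_EQUIV)):
        print(f"line {line_no}: {severity}: {msg}")
    print("--- hardened copy ---")
    print(strip_wildcards(SAMPLE_HOSTS_EQUIV), end="")
```

On a real host the same functions can be pointed at /etc/hosts.equiv and at every ~/.rhosts (root's included), and the audit is worth running from cron so that a wildcard appended by an intruder is noticed quickly; the more durable fix, then as now, is to disable the r-services and rely on authenticated remote access instead of address-based trust.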