			    ==Phrack Inc.==

               Volume 0x0b, Issue 0x3f, Phile #0x0e of 0x0f

|=-----------------=[ P H R A C K  W O R L D  N E W S ]=-----------------=|
|=-----------------------------------------------------------------------=|
|=--------------------=[ Phrack K0mbat Journalistz]=---------------------=|


Content

    1 - p62 Makes Headlines All Over the World
    2 - Snort Team in Denial
    3 - Will Kevin Poulsen Still Find My Ass Appetizing in 12 Months?
    4 - Another Reason Why Germans Shouldn't Have Computers
    5 - The End of Vetesgirl
    6 - Morons Fail to Hold Down Debian
    7 - Doctors Misfire Valuable Information Intended for Lance
    8 - Narq Out Eeye; Win a New House
    9 - Thwarted Linux Backdoor Hints at Dumber Ppl w/ More 0day/Thwart
    10 - udp.livejournal.com Will Not Be Forgotten!
    11 - hendy Potato Scheme Foiled



|=-----------------------------------------------------------------------=|
|=-=[ p62 Makes Headlines All Over the World ]=--------------------------=|
|=-----------------------------------------------------------------------=|

All the Michael Moores out there would like you to think that p63 was a
"fake" magazine produced by a "fake" group with a "fake" mission. But
watch again and again, as people are forced to respond to the very real
security threats caused by this so-called "fake" rhetoric.

http://conference.hackinthebox.org/speakers.php#cmwong

Presentation Topic: Advanced Linux Kernel Keylogger
Presentation Details: This presentation will discuss some of the more
advanced techniques in writing kernel based keyloggers and will present
the newest release of THC-vlogger 2.1 with new keystroke logging
techniques and more features such as centralized logging. THC-vlogger,
first presented in Phrack Magazine #59, enables the capability to log
keystrokes of all administrator/user sessions via console, serial port
and Telnet/SSH remote sessions, switching logging modes by using magic
passwords, and stealthily sending logged data to a centralized remote
server.

Its smart mode can automatically detect password prompts to log only
sensitive user and password information. This talk will also discuss the
recently published tool in PHC's 'fake' phrack #62 dealing in the
detection and disabling of Sebek, a host based honeypot monitoring tool
of the Honeynet project. The presentation will also discuss the
advantages of THC-vlogger 2.1 over Sebek and other similar keylogger
tools.




|=-----------------------------------------------------------------------=|
|=-=[ Snort Team in Denial ]=--------------------------------------------=|
|=-----------------------------------------------------------------------=|

More credible: Marty Roesch or the Taliban media relations department?
Please note that even though this is an Internet-based news source which
is reporting on facts contained within an online article, there is no
mention of the primary news source, or the specific evidence found within
the original article. As snort is a narq corporation, with narq/fed ties,
we are not surprised to find that Chomsky's rudimentary theory of media
filters has been applied properly, drowning out the voice of truth.

Note also, the shoddy arguments used to convince half-witted news
readers of the lack of risk: the shell box was 37km away from the CVS
tree, so compromise must be unlikely! Come on, not everybody reading the
news is a CISSP.

http://www.zdnet.com.au/newstech/security/story/0,2000048600,20278877,00.htm

The author of Snort, an open source Intrusion Detection System (IDS),
Martin Roesch, has dismissed as untrue claims the software was
'trojaned' by attackers.

Roesch, who is also the chief technology officer of U.S. based IDS
company Sourcefire, moved quickly to quell rumours in the security
community that a hacking group had managed to insert back-door code
into the Snort source-code repository.

"There is no backdoor in Snort nor has there ever been, everyone can
relax," Roesch wrote in a posting to the full disclosure security
mailing list.

Attackers had breached one of Roesch's systems, he admits, but that
was a low-security shell server -- used by members of the Snort team
and their associates to access services such as IRC without exposing
their own machines to risk -- located in his basement, 37 km away from
the Snort code repository.

"If you're wondering 'how do you know the code isn't backdoored?',
since we know that that server is an 'at risk' server, we're not in
the habit of checking code into [the Snort code repository] from
there. If that's not good enough for you, Snort has been through three
code audits since March -- one Sourcefire internal, two third-party
external -- and there are most definitively no backdoors in the code,
nor were there any," Roesch added.

Trojans have been found in several open source projects over the last
year, including those found in Sendmail and OpenSSH. Malicious code
was also found in the libpcap and tcpdump libraries -- software which
is required by the Snort IDS to operate.

Australian security consultant Daniel Lewkovitz says that the mere
fact that a rumour like this could turn out to be true, even though it
looks unlikely in this case, means the issue at least warrants
discussion. "A lot of threats haven't changed that much, but what has
changed is normal people's awareness and attitudes to it. I think
anything that makes people more aware of relevant issues and relevant
threats a good thing," he told ZDNet Australia.

There's nothing necessarily wrong with listening to a rumour so you
can check it out for yourself, Lewkovitz says, as long as the source
of the rumour is at least somewhat credible. "If there was a threat
I'd want to know about it," he said. "If it came from a reliable
source I'd be much more likely to give it credence than the paranoid
rants of tin-foil hat wearing conspiracy theorists."




|=-----------------------------------------------------------------------=|
|=-=[ Will Kevin Poulsen Still Find My Ass Appetizing in 12 Months? ]=---=|
|=-----------------------------------------------------------------------=|

Adrian Lamo begins to ask himself important questions:

http://www.securityfocus.com/news/7771

Lamo Pleads Guilty to Times Hack

By Kevin Poulsen, SecurityFocus Jan 8 2004 2:18PM
NEW YORK -- Hacker Adrian Lamo pleaded guilty Thursday to federal
computer crime charges arising from his 2002 intrusion into the New
York Times internal network, and faces a likely six to twelve months in
custody when he's sentenced in April.

In a plea deal with prosecutors, Lamo, 22, admitted to cracking the
Times network and recklessly causing damage exceeding $5,000. Both
sides agreed on the six to twelve month sentencing range which, under
federal guidelines, could permit Lamo to serve his sentence under
house arrest or confined to a halfway house, at the court's
discretion. The judge is not bound by the sentencing recommendation,
and could technically sentence Lamo to as much as five years in
custody -- though it's unlikely. The hacker also potentially faces
$15,000 to $20,000 in fines, and could be ordered to pay financial
restitution.

Clad, uncharacteristically, in a sports coat and loafers, Lamo
answered federal judge Naomi Buchwald in a calm and clear voice
Thursday as she meticulously reviewed his rights as a defendant, and
asked if he wished to waive his right to a jury trial. Lamo told
Buchwald that he regretted causing the Times financial harm. "I knew
that I crossed the line," said Lamo. "I am genuinely remorseful."

"He has always indicated that he's willing to accept responsibility
for what he did," said Lamo's defense attorney, federal public
defender Sean Hecker, after the appearance.

In a statement, Times spokesperson Christine Mohan said Lamo's
intrusion "was a serious offense, and we appreciate that it was
treated as such by the authorities."
The federal case against Lamo began in February, 2002, when, according
to court documents, FBI agent Christine Howard read about the New York
Times hack on SecurityFocus, which first reported on the incident.

Lamo said at the time that he penetrated the Times after a two-minute
scan turned up seven misconfigured proxy servers acting as doorways
between the public Internet and the Times private intranet, making the
latter accessible to anyone capable of properly configuring their Web
browser.

Once inside, Lamo exploited weaknesses in the Times password policies
to broaden his access, eventually browsing such disparate information
as the names and Social Security numbers of the paper's employees,
logs of home delivery customers' stop and start orders, instructions
and computer dial-ups for stringers to file stories, lists of contacts
used by the Metro and Business desks, and the "WireWatch" keywords
particular reporters had selected for monitoring wire services.

He also added his real name, phone number and e-mail address to a
database of 3,000 contributors to the Times op-ed page, where he
listed himself as an expert in "Computer hacking, national security,
communications intelligence."

Financial Losses Disputed

Prosecutors charged Lamo with the intrusion last September, and in an
affidavit Mohan accused the hacker of racking up $300,000 in charges
by conducting 3000 searches on the Lexis-Nexis news and legal
databases service under the Times' corporate account. Lamo said at the
time that the figure had "no basis in fact", and Thursday's plea
suggests that it was at least exaggerated: both sides stipulated that
the hacker caused between $30,000 and $70,000 in losses through a
combination of his unauthorized Lexis-Nexis use, and his access to an
unprotected Microsoft customer service database. (The Microsoft
incident, which took place in 2001, was unrelated to the Times
intrusion, but was included in the plea as "relevant conduct" for
sentencing purposes.)

Thursday's guilty plea caps an aggressive FBI investigation that
generated controversy last September when the Bureau notified a dozen
journalists who had covered the hacker's antics that it intended to
subpoena reporters' notes -- a threat that was later withdrawn as
inconsistent with Justice Department policy.

In the months that followed, the probe saw FBI agents contacting a
Who's Who of figures in the computer security and hacking community,
some with no obvious connection to Lamo, like @stake's Chris Wysopal,
and Tsutomu Shimomura, the researcher who helped the FBI track
then-fugitive hacker Kevin Mitnick in 1995. Field agents also
interviewed the nomadic hacker's friends and associates around the
country, toting a list of questions that covered everything from
Lamo's motives as a hacker, to queries about his social life. "They
kind of tried to make me feel like I did something," said Lamo friend
Matt Griffiths. "They asked if I was a hacker, if I ever hacked
anything, what kind of programs I used."

The FBI didn't return a phone call on the case.

Lamo has become something of a tech-media darling for his rootless,
wandering lifestyle -- Wired News dubbed him the "Homeless Hacker" --
combined with his habit of publicly exposing security holes at large
corporations, then voluntarily helping the companies fix the
vulnerabilities he exploited, sometimes visiting their offices or
signing non-disclosure agreements in the process.

Until the Times hack, Lamo's cooperation and transparency kept him
from being prosecuted, even after hacking Excite@Home, Yahoo, Blogger,
and other companies, usually using nothing more than an ordinary Web
browser. Some companies even professed gratitude for his efforts: In
December, 2001, Lamo was praised by communications giant WorldCom
after he discovered then helped close security holes in their
intranet.

Lamo said after the court appearance Thursday that his plea agreement
does not preclude the government charging him for some of his other
intrusions, but, "there's sort of an understanding, which may or may
not hold."

The hacker also says he's through committing computer crimes. He
remains free on bail, obliged by court order to live with his parents
and either work or attend school. He's now a student at a community
college in Sacramento, California, where he's studying journalism.




|=-----------------------------------------------------------------------=|
|=-=[ Another Reason Why Germans Shouldn't Have Computers ]=-------------=|
|=-----------------------------------------------------------------------=|

Yea, coming from the country that brought you David Hasselhoff and
TEAM TESO, I couldn't see this one coming...

http://www.thenetworkadministrator.com/Cannibal.htm


Trial of Cannibal the Computer Hacker

BERLIN -- The trial of the computer technician known as The Cannibal
has been underway now for Armin Meiwes. He is being tried for
befriending people in Internet chat rooms, killing and then eating his
willing victim.

The most shocking confessions have been from Meiwes' own
testimony that more than 200 people answered his ad seeking a young
man "who wanted to be eaten". The grisly details of young men
answering ads and willingly subjecting themselves to be killed with
the promise that Meiwes would eat them is writing judicial history in
Germany. Quoting the daily Der Tagesspiegel:

"This trial will write judicial history, and it already now
belongs to the bizarre side of progress in [electronic]
communications. Without the Internet it would have been unthinkable
that such an offer meets such a demand. Now, it is thinkable, but it
remains incomprehensible."

"Be it sexual criminals or necrophiliacs or sadists or
masochists, there are hundreds out there on the Internet," Meiwes told
the court, according to the Berliner Morgenpost.

The narrative of the crime is not in dispute. In March 2001,
Meiwes, a 41-year-old loner, posted his ad in an Internet chat room.
The missive was answered by Bernd Brandes, a 42-year-old Berlin
engineer with a history of depression. Meiwes invited Brandes to his
half-timbered farmhouse in the central German city of Rotenburg, where
Brandes numbed himself with sleeping pills and schnapps.

Meiwes sliced off and cooked part of Brandes' flesh and the two
men ate it, according to court records. Brandes then took a bath while
Meiwes read a book. Hours later, Meiwes stabbed Brandes to death, cut
his body into pieces and placed them in his freezer. Meiwes told a
German magazine that over the next several days he dined on Brandes,
sometimes flavoring his meal with oil and garlic while drinking South
African red wine.

"I had the fantasy and in the end I fulfilled it," Meiwes told
the court recently in the city of Kassel, where the trial is expected
to last until the end of January.

The case touches on seldom-explored legal questions. Cannibalism
is not illegal in Germany. Prosecutors are arguing that Meiwes, who
was found legally sane, murdered his victim in an act of perverse
sexual gratification. Meiwes contends he should not be charged with
homicide because Brandes consented to be killed and eaten. His lawyer
said the harshest penalty Meiwes should face is "killing on request,"
which carries a sentence of six months to five years.

Police say they confiscated from the house more than 600 pictures
depicting the killing of Brandes and Meiwes' cannibalism. They also
discovered 300 videotapes and 16 computers, a testament to Meiwes'
passion for seeking like-minded men in the ambiguity of cyberspace.




|=-----------------------------------------------------------------------=|
|=-=[ The End of Vetesgirl ]=--------------------------------------------=|
|=-----------------------------------------------------------------------=|

pahahaha.

http://www.securityfocus.com/news/7329


Unlucky phisher pleads guilty

By Kevin Poulsen, SecurityFocus Oct 29 2003 5:34PM
An Ohio woman whose credit card fraud schemes began to unravel when
she unwittingly spammed an off-duty FBI computer crime agent pleaded
guilty to a federal conspiracy charge Tuesday, and potentially faces
years in prison.

Helen Carr, 55, admitted in a federal court in Virginia to conspiring
with colleagues in the spam community to send mass e-mails to AOL
subscribers purporting to be from the company's security department.

According to court records, the messages claimed that AOL's last
attempt to bill the recipient's credit card had failed, and included a
link to an "AOL Billing Center" webpage, where an online form demanded
the user's name, address, credit card number, expiration date,
three-digit CCV number and credit card limit.

The so-called "phishing" scams have developed as a popular technique
for fraudsters to swindle people out of everything from PayPal
accounts to ATM codes. In recent months the already-generous flow of
fraudulent e-mails purporting to be from PayPal, eBay and Citibank
were joined by a fresh influx of junk mail bearing the false
imprimaturs of stalwart British institutions like Halifax, NatWest,
Barclays, and Lloyds TSB. Last month a particularly bold variant on
the scheme directed netizens to a fake FBI anti-fraud website that
prompted them for their debit or credit card numbers and PINs.

Carr's undoing began when an FBI agent in the Norfolk, Virginia field
office received one of her e-mails in February, 2001, and launched an
investigation. An electronic trail of stolen AOL accounts and free Web
pages led agents to raid the homes of a professional spammer and a
credit card thief, both of whom snitched on Carr, naming her as the
ringleader of the operation, according to an FBI affidavit in the
case. A search of Carr's home turned up two computers packed with
files relating to the scam.

The plea is silent on how many credit card numbers Carr obtained in
the scam -- a question that's key to her future. Under binding federal
guidelines, Carr's sentence will be determined by the amount of
fraudulent charges racked up on the stolen credit card numbers -- with
a maximum of five years. But the guidelines also dictate that each
credit card be valued at a minimum of $500.00, a formula that helped
boost Carr co-conspirator George R. Patterson's sentence to 37 months
in prison, according to Patterson's attorney. Carr is set for
sentencing on January 20th.

"Internet 'phishing' for credit card numbers and personal information
is thievery," said U.S. Attorney Paul McNulty in a statement. "This
defendant was hooked by her own scheme."




|=-----------------------------------------------------------------------=|
|=-=[ Morons Fail to Hold Down Debian ]=---------------------------------=|
|=-----------------------------------------------------------------------=|

yup, definitely not us.

http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
The Debian Project                                http://www.debian.org/
Some Debian Project machines compromised                press@debian.org
November 21st, 2003
- ------------------------------------------------------------------------

Some Debian Project machines have been compromised

This is a very unfortunate incident to report about.  Some Debian
servers were found to have been compromised in the last 24 hours.

The archive is not affected by this compromise!

In particular the following machines have been affected:

  . master (Bug Tracking System)
  . murphy (mailing lists)
  . gluck (web, cvs)
  . klecker (security, non-us, web search, www-master)

Some of these services are currently not available as the machines
undergo close inspection.  Some services have been moved to other
machines (www.debian.org for example).
The security archive will be verified from trusted sources before it
will become available again.

Please note that we have recently prepared a new point release for
Debian GNU/Linux 3.0 (woody), release 3.0r2.  While it has not been
announced yet, it has been pushed to our mirrors already.  The
announcement was scheduled for this morning but had to be postponed.
This update has now been checked and it is not affected by the
compromise.

We apologise for the disruptions of some services over the next few
days.  We are working on restoring the services and verifying the
content of our archives.




|=-----------------------------------------------------------------------=|
|=-=[ Doctors Misfire Valuable Information Intended for Lance ]=---------=|
|=-----------------------------------------------------------------------=|

http://news.com.com/2100-1024_3-5110883.html?tag=nefd_top 

By Reuters

Call it spam rage: A Silicon Valley computer programmer has been
arrested for threatening to torture and kill employees of the company
he blames for bombarding his computer with Web ads promising to
enlarge his penis.

In one of the first prosecutions of its kind in the state that made
"road rage" famous, Charles Booher, 44, was arrested on Thursday and
released on $75,000 bond for allegedly making repeated threats to the
staff of a Canadian company between May and July.

Prosecutors said that Booher threatened to send a "package full of
anthrax spores" to the company, to "disable" an employee with a bullet
and torture him with a power drill and ice pick, and to hunt down and
castrate the employees unless they removed him from their e-mail list.
He used return e-mail addresses including Satan+hell.org, they said.

In other cases, Internet vigilantes have bombarded spammers with both
unsolicited e-mail and regular mail and phone calls, launched attacks
on spammers' computers and posted spammers' personal information on
the Internet, according to reports.

Separately, the U.S. House of Representatives has approved a measure
to outlaw most Internet spam. Lawmakers hope to pass a national
antispam bill before a much tougher California state law goes into
effect on Jan. 1.

In a telephone interview with Reuters on Friday, Booher acknowledged
that he had behaved badly but said his computer had been rendered
almost unusable for about two months by a barrage of pop-up
advertising and e-mail.

"Here's what happened: I go to their Web site and start complaining to
them, would you please, please, please stop bothering me," he said.
"It just sort of escalated...and I sort of lost my cool at that
point."

The Sunnyvale, Calif., man now faces up to five years in prison and a
$250,000 fine, with a preliminary hearing scheduled for next month on
charges of threatening to injure someone. He said he did not own any
guns or have access to anthrax.

Booher said the problem stemmed from a program he mistakenly
downloaded from the Internet that brought a continuous stream of
advertising to his computer.

The object of the Californian's anger was Douglas Mackay, president of
DM Contact Management, which works for Albion Medical, a company
advertising the "Only Reliable, Medically Approved Penis Enhancement."

"This went for a long, long time. He seemed really dedicated to this,"
Mackay said from Victoria, British Columbia. "He seemed like a guy
just crazy enough with nothing to lose that might actually do
something."

He said his company does not send spam but blamed a rival firm which
he said routes much of their unsolicited bulk e-mail through Russia
and eastern Europe. Mackay said such companies gave a bad name to the
penis enhancement business.




|=-----------------------------------------------------------------------=|
|=-=[ Narq Out Eeye; Win a New House ]=----------------------------------=|
|=-----------------------------------------------------------------------=|

Or you can paypal us some $ to fund the #phrack jihad.

http://www.cnn.com/2003/TECH/biztech/11/05/microsoft.bounty/

WASHINGTON (CNN) -- Microsoft has offered a $500,000 reward for
information that leads to the arrest of the writers of two computer
viruses.

The Blaster worm and SoBig.F e-mail virus crippled many PCs running on
the Microsoft Windows operating system this summer.

The world's largest software company announced Wednesday that it is
creating an anti-virus reward program, backed by $5 million of its
cash, to help law enforcement agencies catch the authors of computer
bugs, including $250,000 apiece for Blaster and SoBig.

"These are not just Internet crimes, cyber crime or virtual crimes.
These are real crimes that disrupt the lives of real people," said
Brad Smith, Microsoft senior vice president and general counsel.

But some technology observers are skeptical that the bounty will
actually work.

"This could totally backfire," Richard Williams, strategist for Summit
Analytic Partners, a research firm that focuses on software, told
CNN/Money. "Virus writers are very much driven by the same motivation
that makes people climb mountains. To put a bounty on their heads will
just increase their notoriety and increase their ego."

Microsoft has been suffering from a score of bad publicity since the
outbreak of Blaster and SoBig.F in August and early September.

Another worm, dubbed Nachi, also plagued users of Microsoft software
during the summer. During Microsoft's latest quarterly earnings
conference call last month, chief financial officer John Connors said
that security for its customers was now Microsoft's number one
priority.

Steve Jillings, president and CEO of FrontBridge Technologies, an
e-mail security firm, said that Microsoft's reward program could help
deter some virus writers but added that bounties were not a complete
solution.

"This is a Band-Aid that does not fix the core root of the problem.
People don't look to Microsoft as a trusted security source," said
Jillings.

Microsoft's Smith stressed that the company is continuing to work on
enhanced security features for current editions of Windows as well as
for the next version of its operating system, called Longhorn, that is
due out in 2005.

He added that Microsoft, which had more than $51 billion in cash as of
the end of October, would commit more financial resources to the
security problem.

"If we need to spend more money, we will spend more money," said
Smith.




|=-----------------------------------------------------------------------=|
|=-=[ Thwarted Linux Backdoor Hints at Dumber Ppl w/ More 0day ]=--------=|
|=-----------------------------------------------------------------------=|

Watch out for the informative quote by Ryan Russell, who knows about the
difference between programming errors and subtle backdoors, but not the
difference between "tty1" and "dyn-10.dongseo.ac.kr" in lastlog.

http://www.securityfocus.com/news/7388

Thwarted Linux backdoor hints at smarter hacks

By Kevin Poulsen, SecurityFocus Nov 6 2003 6:00PM
Software developers on Wednesday detected and thwarted a hacker's
scheme to submerge a slick backdoor in the next version of the Linux
kernel, but security experts say the abortive caper proves that
extremely subtle source code tampering is more than just the stuff of
paranoid speculation.

The backdoor was a two-line addition to a development copy of the
Linux kernel's source code, carefully crafted to look like a harmless
error-checking feature added to the wait4() system call -- a function
that's available to any program running on the computer, and which,
roughly, tells the operating system to pause execution of that program
until another program has finished its work.

Under casual inspection, the code appears to check if a program
calling wait4() is using a particular invalid combination of two
flags, and if the user invoking it is the computer's all-powerful root
account. If both conditions are true, it aborts the call.

But up close, the code doesn't actually check if the user is root at
all. If it sees the flags, it grants the process root privileges,
turning wait4() into an instant doorway to complete control of any
machine, if the hacker knows the right combinations of flags.

That difference between what the code looks like and what it actually
is -- that is, between assignment and comparison -- is a matter of a
single equal sign in the C programming language, making it easy to
overlook. If the addition had been detected in a normal code review,
the backdoor could even have been mistaken for a programming error --
no different from the buffer overflows that wind up in Microsoft
products on a routine basis. "It's indistinguishable from an
accidental bug," says security consultant Ryan Russell. "So unless you
have a reason to be suspicious, and go back and find out if it was
legitimately checked in, that's going to be a long trail to follow."

Investigation Underway

In all, the unknown hacker used exactly the sort of misdirection and
semantic trickery that security professionals talk about over beer
after a conference, while opining on how clumsy the few discovered
source code backdoors have been, and how a real cyber warrior would
write one.

"That's the kind of pub talk that you end up having," says BindView
security researcher Mark "Simple Nomad" Loveless. "If you were the
NSA, how would you backdoor someone's software? You'd put in the
changes subtly. Very subtly."

"Whoever did this knew what they were doing," says Larry McVoy,
founder of San Francisco-based BitMover, Inc., which hosts the Linux
kernel development site that was compromised. "They had to find some
flags that could be passed to the system without causing an error, and
yet are not normally passed together... There isn't any way that
somebody could casually come in, not know about UNIX, not know the
Linux kernel code, and make this change. Not a chance."

However sophisticated, the hack fell apart Wednesday, when a routine
file integrity check told McVoy that someone had manually changed a
copy of a kernel source code file that's normally only modified by an
automated process, specifically one that pulls the code from
BitMover's BitKeeper software collaboration tool and repackages it for
the open source CVS system still favored by some developers.

Even then, McVoy didn't initially recognize the change as a backdoor,
and he announced it to the Linux kernel developers list as a procedural
annoyance. Other programmers soon figured out the trick, and by
Thursday an investigation into how the development site was
compromised was underway, headed by Linux chief Linus Torvalds,
according to McVoy.

If BitMover didn't run automated integrity checks, the backdoor could
have made it into the official release of version 2.6 of the kernel,
and eventually into every up-to-date Linux machine on the Internet.
But to get there a kernel developer using CVS would have to have used
the modified file as the basis for further development, then submitted
it to the main BitKeeper repository through Torvalds.

"If it had gotten out, it could have been really bad, because any
Linux kernel that had this in it, anybody who had access to that
machine could become root," says McVoy. But even then, he's convinced
it wouldn't have lasted long. "If someone started getting root with
it, some smart kid would figure out what was going on."

But Loveless says the hack is a glimpse of a more sophisticated
computer underground than is normally talked about, and fuel for
speculation that backdoors in software products are far more common
than imagined. "We've had bad examples of [backdoors], and we've had
rumors of extremely good examples," says Loveless. "This is a concrete
example of a good one."
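The assignment-versus-comparison trick the article describes, modelled in
userland as an added example (this is not code from the kernel, from
BitMover or from the article). The flag values, the task struct and the
function names are constructed stand-ins, and the scanner at the end is a
grep-style review heuristic for triaging diffs, not a real linter.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for a system call's option flags and the caller's
 * credentials; not the real kernel definitions, only a userland model. */
#define OPT_A     0x40000000u
#define OPT_B     0x80000000u
#define BAD_COMBO (OPT_A | OPT_B)   /* a pair that is never passed together */

struct task {
    unsigned int uid;               /* 0 means root in this model */
};

/* What a reviewer reads the addition as: reject an invalid flag
 * combination when the caller is root.  '==' compares and never
 * modifies uid. */
int check_as_it_looks(struct task *caller, unsigned int options)
{
    if ((options == BAD_COMBO) && (caller->uid == 0))
        return -1;                  /* reject the call */
    return 0;                       /* proceed normally */
}

/* The same lines with one '=' instead of '=='.  The right operand is
 * now an assignment whose value is 0, so the reject branch is never
 * taken and the call always proceeds; the side effect is that the
 * caller's uid has been set to 0 whenever the magic flags are present.
 * The extra parentheses around the assignment also keep a compiler's
 * "assignment used as truth value" warning quiet. */
int check_as_it_is(struct task *caller, unsigned int options)
{
    if ((options == BAD_COMBO) && (caller->uid = 0))
        return -1;
    return 0;
}

/* Crude review heuristic: return 1 if the parenthesised condition of an
 * 'if' on this source line contains a bare '=' that is not part of
 * '==', '!=', '<=' or '>='.  It ignores string literals and comments,
 * so it is a triage aid for added lines in a diff, not a parser. */
int flags_assignment_in_condition(const char *line)
{
    const char *p = strstr(line, "if");
    if (p == NULL)
        return 0;
    p = strchr(p, '(');
    if (p == NULL)
        return 0;

    int depth = 0;
    for (; *p != '\0'; p++) {
        if (*p == '(') {
            depth++;
        } else if (*p == ')') {
            if (--depth == 0)
                break;              /* end of the condition */
        } else if (*p == '=') {
            char prev = (p > line) ? p[-1] : '\0';
            char next = p[1];
            int part_of_comparison =
                prev == '=' || prev == '!' || prev == '<' || prev == '>' ||
                next == '=';
            if (!part_of_comparison)
                return 1;
        }
    }
    return 0;
}

int main(void)
{
    struct task t = { .uid = 1000 };

    check_as_it_looks(&t, BAD_COMBO);
    printf("comparison version: uid stays %u\n", t.uid);

    check_as_it_is(&t, BAD_COMBO);
    printf("assignment version: uid is now %u\n", t.uid);

    printf("review flag on the assignment line: %d\n",
           flags_assignment_in_condition(
               "if ((options == BAD_COMBO) && (caller->uid = 0))"));
    return 0;
}
```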




|=-----------------------------------------------------------------------=|
|=-=[ udp.livejournal.com Will Not Be Forgotten! ]=----------------------=|
|=-----------------------------------------------------------------------=|

http://www.securityfocus.com/news/7739/

Defenses lacking at social network sites

Sites like LiveJournal and Tribe are poised to be the next big thing
on the Web in 2004, but their security and privacy practices are more
like 1997.

By Annalee Newitz, SecurityFocus Dec 31 2003 3:14PM

Brad Fitzpatrick is president of LiveJournal.com, a social discovery
Web site where over 1.5 million users post diary entries they want to
share with friends. Although members post extremely sensitive
information in their journals -- everything from their plans to commit
suicide or sabotage their boss to their latest sexual adventures --
Fitzpatrick admits that security on his site isn't a priority.

On the initial login page, LiveJournal members send their passwords in
the clear. "We're hoping to change that in the next month,"
Fitzpatrick said. "But site performance is our highest priority, and
SSL is a pain."

Jack (not his real name) is an LJ user whose account was compromised.
He isn't sure how it happened, but one day he logged in and discovered
a huge portion of his journal entries had been deleted. The attacker
didn't stop there -- she or he also plundered his friends' "locked"
entries (visible only to other friends) and reposted extremely private
exchanges as public entries in Jack's journal. Although he quickly
changed his password and fixed the problem, the damage was done. "My
friends were really upset and the bad feelings persist," he said. One
friend feared that she might lose her job when a private entry about
problems with her supervisor was made public on Jack's journal. "It's
still cached on Google," he explained, "although it would probably be
hard for most people to find unless they knew all the details."

'The social network is your strongest weapon... If you try to find a
technical solution to identity spoofing, you'll step on the social
feedback mechanism.'
-- Konstantin Guericke, LinkedIn.com

Security measures are equally weak on social discovery Web site
Tribe.net, whose member base has swollen to 65,000 since it launched
six months ago. Paul Martino, CTO of Tribe, chuckled at the idea that
his site might use SSL for member logins. "We don't need high
industrial strength encryption for that," he said. "We use standard
security techniques like unique session IDs."

As security professionals know, there are any number of ways to defeat
unique session IDs. Jeff Williams, CEO of Aspect Security, works on
Web applications security issues for large financial, health and
government institutions. He explained that Tribe.net's refusal to use
SSL means that "the session ID, which is included in the URL, will be
logged on any proxy. Or you can capture it off the wire with dsniff.
If they aren't using SSL, they are basically saying they don't value
privacy the way you value your privacy."
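Williams' point about URL-borne session IDs, shown from the log-reader's side as an added example (not from the article, and not Tribe's or LiveJournal's code): a token that rides in the URL is written into every proxy and web-server access log along the way. The script below scans constructed Common Log Format lines for such tokens, flags any token presented from more than one client address (the thing you would expect to see when a logged session is replayed), and redacts token values before a log is stored or handed to someone else. The parameter names it looks for are an assumed list, not the sites' real ones.

```python
"""Session identifiers leaked in URLs: detection and log redaction.

Added example, not the article's or the sites' own code. A session ID
carried in the URL lands in every proxy and web-server access log, so
whoever can read those logs can reuse the session. Log lines and the
parameter-name list are constructed for the example.
"""
import re
from collections import defaultdict

# Query or path parameters that commonly carry a session token (assumed list).
TOKEN_RE = re.compile(
    r'(?i)(?<![\w.])(sessionid|session_id|sid|phpsessid|jsessionid|token)=([^&;\s"]+)'
)

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: one client walks the site with a URL-borne "sid",
# a second address later presents the same token, and one request uses
# a servlet-style ";jsessionid=" path parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Dec/2003:15:14:02 -0800] "GET /profile.php?sid=a1b2c3d4e5f60718 HTTP/1.0" 200 5123',
    '203.0.113.7 - - [31/Dec/2003:15:14:09 -0800] "GET /friends.php?sid=a1b2c3d4e5f60718&page=2 HTTP/1.0" 200 9810',
    '198.51.100.23 - - [31/Dec/2003:15:20:41 -0800] "GET /profile.php?sid=a1b2c3d4e5f60718 HTTP/1.0" 200 5123',
    '192.0.2.44 - - [31/Dec/2003:15:21:03 -0800] "GET /index.html HTTP/1.0" 200 1422',
    '192.0.2.44 - - [31/Dec/2003:15:21:30 -0800] "GET /app;jsessionid=9F8E7D6C5B4A HTTP/1.0" 200 310',
]


def find_leaked_sessions(log_lines):
    """Return one finding per session token found in a request URL."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a real pipeline would count these
        for name, value in TOKEN_RE.findall(m.group("target")):
            findings.append({
                "client": m.group("client"),
                "time": m.group("time"),
                "param": name.lower(),
                "token": value,
                "target": m.group("target"),
            })
    return findings


def replayed_sessions(findings):
    """Map token -> client addresses, keeping only tokens seen from more than one."""
    clients = defaultdict(set)
    for f in findings:
        clients[f["token"]].add(f["client"])
    return {tok: addrs for tok, addrs in clients.items() if len(addrs) > 1}


def redact_session_tokens(line):
    """Mask token values so a stored or shared log no longer grants access."""
    return TOKEN_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


if __name__ == "__main__":
    found = find_leaked_sessions(SAMPLE_LOG)
    print(f"{len(found)} requests carried a session token in the URL")
    for tok, addrs in replayed_sessions(found).items():
        print(f"token {tok[:6]}... presented from {sorted(addrs)}")
    print(redact_session_tokens(SAMPLE_LOG[0]))
```

The redaction step is the stop-gap for logs that already exist; the fix on the application side is to carry the session identifier in a cookie over SSL rather than in the URL, so it never appears in access logs or Referer headers in the first place.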
Cross-site scripting could be another problem. Martino says Tribe does
"tag scrubbing" to protect against people embedding hostile scripts in
their posts to the site. But security pros say an attacker might be
able to target specific members by sending a specially crafted URL
that directs them to a form with hidden tags designed to suck up their
cookies. Williams explained that "XSS is amazingly widespread. Plus,
XSS vulnerabilities are easy to discover and exploit."

The Open Web Application Security Project, where Williams also works,
ranks cross-site scripting number four on its list of the top ten web
application vulnerabilities. "We try hard to [protect against XSS
attacks], but there's always something new," said Fitzpatrick. "The
only solution would be to lose link tags, and that's not a good
solution."
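The "tag scrubbing" versus "lose link tags" dilemma above has a third option, shown here as an added example (not Tribe's or LiveJournal's code): rebuild each post from an allow-list instead of scrubbing a blocklist. Text is HTML-escaped, a handful of harmless tags are re-emitted from scratch so no attacker-supplied attribute survives, and links are kept only when the target scheme is http or https. The tag set and scheme list are assumptions chosen for the example.

```python
"""Allow-list sanitizer for user-posted journal entries.

Added example, not the sites' own code. Rather than stripping known-bad
tags (a blocklist that the article says keeps needing updates), the post
is re-serialised from its tokens: text is escaped, only <b>, <i> and
<a href="http(s)://..."> are emitted as markup, everything else becomes
visible text. Tag and scheme lists are assumptions for the example.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SIMPLE_TAGS = {"b", "i"}
ALLOWED_URL_SCHEMES = {"http", "https"}


def safe_link(href):
    """Accept only absolute http(s) URLs; any other scheme (javascript:,
    data:, vbscript:, ...) or a schemeless value fails the allow-list."""
    try:
        parts = urlsplit(href.strip())
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_URL_SCHEMES and bool(parts.netloc)


class AllowListSanitizer(HTMLParser):
    """Rebuild a post from its tokens. Allowed tags are emitted fresh, so
    attacker-supplied attributes such as onclick never reach the output;
    everything else is escaped into plain text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []  # (tag, emitted?) for each open allowed or dropped tag

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_SIMPLE_TAGS:
            self.out.append(f"<{tag}>")
            self.stack.append((tag, True))
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if safe_link(href):
                self.out.append(f'<a href="{escape(href, quote=True)}" rel="nofollow">')
                self.stack.append(("a", True))
            else:
                self.stack.append(("a", False))  # keep the link text, drop the link
        else:
            # Not allow-listed: the raw tag becomes visible text, never markup.
            self.out.append(escape(self.get_starttag_text() or f"<{tag}>"))

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_SIMPLE_TAGS:
            self.out.append(f"<{tag}></{tag}>")
        else:
            self.out.append(escape(self.get_starttag_text() or f"<{tag}/>"))

    def handle_endtag(self, tag):
        if self.stack and self.stack[-1][0] == tag:
            _, emitted = self.stack.pop()
            if emitted:
                self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))

    def handle_comment(self, data):
        self.out.append(escape(f"<!--{data}-->"))

    def handle_decl(self, decl):
        self.out.append(escape(f"<!{decl}>"))

    def handle_pi(self, data):
        self.out.append(escape(f"<?{data}>"))

    def result(self):
        self.close()
        while self.stack:  # close whatever the author left open
            tag, emitted = self.stack.pop()
            if emitted:
                self.out.append(f"</{tag}>")
        return "".join(self.out)


def sanitize(post):
    """Return the browser-safe HTML for one user-supplied post."""
    p = AllowListSanitizer()
    p.feed(post)
    return p.result()


if __name__ == "__main__":
    for sample in ['<b>hi</b> <script>alert(1)</script>',
                   '<a href="javascript:alert(document.cookie)">click</a>',
                   '<a href="http://example.com/" onclick="x()">home</a>']:
        print(repr(sample), "->", repr(sanitize(sample)))
```

The design choice is that nothing passes through unchanged: even an allowed `<a>` is rebuilt with only the one attribute the site needs, and the href is attribute-escaped, so keeping link tags does not mean keeping whatever came with them.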
Security consultant and Nmap author Fyodor speculated that social
discovery sites are also vulnerable to a class of attack that is
familiar to anyone who uses eBay: "You can trick a user into divulging
their username/password by sending them to a fake login page you
control. For example, you could send an email, forged as coming from
Tribe, which says they need to agree to a new ToS or their account
will be deactivated. Then you give them a URL that is cloaked to
appear authoritative for Tribe but really could be modified to go to
the attacker's password capture page."

What makes these attacks novel in the context of a social discovery
site isn't how they are deployed, but why. What does an attacker have
to gain by spoofing the identity of a member of Tribe or LinkedIn?
What kinds of damage can be done by hacking into a LiveJournal
account? The answer has to do with the public's growing dependence on
social reputation systems.

As we come closer to quantifying reputation, the identities we use in
online communities begin to have real-world value. A top-ranked member
of a network like eBay might be able to sell more items than her
peers. A high-karma user on a site devoted to legal issues could have
a tremendous influence over public policy. According to social
networks analyst Clay Shirky, identity spoofing is possibly the
greatest threat to social discovery networks. "When your reputation is
valuable, it becomes worth exploiting. It makes a stolen identity a
more valuable commodity."

LiveJournal's abuse manager Mark Ferrell said he receives at least
five reports of ID hijacking per day.

By impersonating a highly-reputable person, an attacker might gain
access to that person's social network, business contacts and private
life. Spammers might launch highly personalized campaigns. And sexual
predators could use their victims' friend lists to find more people to
harass.
....
bla bla bla




|=-----------------------------------------------------------------------=|
|=-=[ hendy Potato Scheme Foiled ]=--------------------------------------=|
|=-----------------------------------------------------------------------=|

don't quit your admin job!

http://www.cnn.com/2004/TECH/ptech/01/13/offbeat.germany.computer.reut/index.html

BERLIN, Germany (Reuters) -- German police are investigating after an
angry man returned a computer he had just bought saying it was packed
with small potatoes instead of computer parts.

The store replaced the computer free of charge but became suspicious
when he returned a short time later with another potato-filled
computer casing, police in the western city of Kaiserslautern said on
Monday.

"The second time he said he didn't need a computer any more and asked
for his money back in cash," a police spokesman said.

Police are now investigating the man for fraud.




|=[ EOF ]=---------------------------------------------------------------=|
