[ISN] Sex industry hit by cyber turf war
http://www.vnunet.com/News/1131796

By Nick Farrell
[16-05-2002]

Hackers put the screws on Vegas phone lines

Mobsters and super hackers have joined forces to shut out sex industry rivals, a Nevada public hearing heard this week.

Larry Duke Reubel, 63, told the Public Utilities Commission hearing how his business had been closed by telephone hackers using lax security at telecoms company Sprint to redirect calls to rivals. Reubel publishes a sexual services magazine which is distributed by hand to thousands of passing tourists up and down Las Vegas Boulevard every day. If anyone rings one of the services, Reubel gets a commission.

He told the hearing that the phones suddenly stopped ringing for no apparent reason. He blamed Sprint for the problem; Sprint told the hearing that it had run tests on the phone and found nothing wrong. The telco ran a script at its switching control centre that periodically checked Reubel's lines for covert call-forwarding, but did not find any evidence. It also examined his lines and found no physical taps.

Eddie Munoz, 43, who brought the case, claimed that the Las Vegas telecoms infrastructure is secretly controlled by super hackers working for mobsters. Others at the hearing are expected to tell of similar cases. Munoz said that he will present evidence of calls diverted or tapped by competitors. Reubel's is the most common situation, where calls are blocked and the caller hears silence or an engaged signal.

Six members of the Gambino crime family were caught by an undercover investigation as they tried to muscle in on the phone racket in 1998, according to FBI testimony at the hearing. Although that criminal case was successful, Sprint denied all responsibility for the hacks. But Sprint's security has been compromised before, most famously by Kevin Mitnick from 1992 until his February 1995 arrest. Mitnick's access gave him the power to monitor or reprogram any phone line in town.
Munoz also suffered from a similar scam which he claims is still operating. He said that the 15 to 20 calls a night he received for each advertisement is now down to just one. Callers from outside Las Vegas, or from payphones and mobile phones, are able to get through, he said, but hotel callers frequently get false busy signals, or silence, driving them to competing services. His first complaint against Sprint was filed with the Public Utilities Commission in 1994. It took two more complaints and an abortive Federal writ before Commission staff launched an investigation. - ISN is currently hosted by Attrition.org To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn' in the BODY of the mail.
Re: [ISN] Fanatics with Laptops: The Coming Cyber War / RFF Reply
Forwarded from: Richard Forno <[EMAIL PROTECTED]>

What is it about Fridays and FUD? Last week it was that piece out of Australia, and now this article. A few choice comments enclosed below.

> Fanatics with Laptops: The Coming Cyber War
> By Tim McDonald
> NewsFactor Network
> May 16, 2002

Title alone is sensational enough to tell me this article is a crock. But I'll read anyway because it's Friday and I need to fight some FUD today before meeting the g/f for Episode 2 this afternoon. :)

> That increasing interdependence, however, becomes frightening when
> one considers that a next-generation cyber terrorist will likely not
> represent an aggressive world power.

I'm not sure what the cyberterrorists of 'this generation' are, let alone the ones of the next generation.

> In terms of present-day vulnerability, such a terrorist could simply
> be a lone fanatic wielding a laptop. And the damage could be
> staggering.

One guy with a laptop - fanatic or not - does not make a cyberterrorist that is bent on destroying the world. When will these reporter types realize this? All such statements do is fan the flames of speculation and fear, and in most cases, make the reporter look like an idiot.

On a side note - does this mean if someone's an atheist or agnostic, they won't be a good 'cyber-threat'??? Oh, wait - in the eyes of the media, fanatic=terrorist=0911=great imagery for getting readers' attention.

I agree with those that say one guy with a backhoe is far more effective at causing wide-spread infrastructure damage than someone with a laptop. But "backhoe-terrorists" aren't as sensational of a story as those allegedly waging "cyber-jihads" so we'll just leave it at that for now.

> 'Asymmetric Warfare'
> The military call it "asymmetric warfare," which means that the
> disadvantaged side must use unconventional weapons against the
> wealthier side if it is to have any chance of winning.
Using airplanes as guided missiles is asymmetric warfare, too, and a far more effective way of wreaking infrastructure havoc than by a laptop.

> Any country that can scrape together the price of a computer manual
> and that has a basic understanding of information systems
> infrastructure can train and motivate a misguided "patriot."

Reading a 'manual' does not make one an expert. Nor does getting a diploma or certification, despite the claims to the contrary.

> Anonymous Warfare
>
> Due to recent advances in "attack technology," cyber warfare can be
> waged remotely and anonymously. This approach would make it much
> harder to find an attacker than it is, for example, to root out Al
> Qaeda forces along the border of Pakistan and Afghanistan.

Gee, and it wouldn't be hard for someone to do a truck bombing anonymously, either. The problem is that folks like McVeigh (OK City), Rachman (WTC attack #1), and others, were clumsy terrorists that left a trail. A dedicated adversary would not be so easy to track. Drawing a parallel between cyber-terrorists and al-Qaeda is threat inflation. The implication this reporter makes is that folks should be licensed or easily tracked online. If someone's hell-bent on committing murder or terrorist actions, they WILL circumvent any requirements for online monitoring/tracking -- that's the least of their concerns! Making it illegal to be anonymous won't do anything to impede them.

> "As the automation of deployment and the sophistication of attack
> tool management both increase, the asymmetric nature of the threat
> will continue to grow," the report said.

This has nothing to do with increasing the asymmetric nature of the threat. It simply means that future such attacks might be harder to recover from quickly.

> New Tactics: Poison and Hijacking
> Attackers are finding more ways to bypass firewalls and other
> security roadblocks.
> Some of the newer -- and nastier -- tactics
> involve attacks on the Internet domain name system (DNS), including
> cache poisoning and domain hijacking.

DNS poisoning is an old tactic - security folks have known about it for years. And domain hijacking - well, during my time @ NSI, I had to deal with that technical problem far too many times. The problem was a system vulnerability that the company refused to address, and instead chose to deal with recurring negative publicity, giving me and my team major stress headaches on a regular basis. Besides, it's been proven that one can hijack a domain name w/o being a 'hacker' -- using the legal system and WIPO is pretty effective, too, I've heard. DNS cache poisoning was done in 1998 by Eugene Kashpureff -- it's not a new attack methodology, either -- and that really screwed the net over for a few hours.

> Businesses, especially large corporations, are becoming targets with
> increasing frequency. In the right hands, cyber attacks could wreak
> untold damage.

Again, that wonderful word "could" -- most of the folks on this list COULD wreak untold damage, but it's yet to
[ISN] Couple little things
I'd like to thank everyone that has replied so far! The response has been great, and honestly I haven't had the time to look them all over, so there won't be any rash instant decisions on where things are going. The feedback I have read is incredible; I normally only get this kind of insight, as I said earlier, from subscribers leaving the list, and various security conferences I attend.

Over this past weekend I strolled over to the local Barnes & Noble looking for one book, and ended up buying another. Actually I bought the paperback version of Body of Secrets; it's my third copy, not that I have lost or lent the other two copies. The first one I got was a first edition signed at Blackhat 2001 by James Bamford, and the second one I bought at Lindbergh Field in the weeks after September 11th after tiring of sitting around the airport for many hours waiting for my flight. I slowly read about a quarter of the book at various other airports around the U.S., but it was at times too much of a pain to lug it and my laptop in the same backpack, especially at the security checkpoints.

In case you are interested, Amazon has Bamford's Body of Secrets in paperback.
http://www.amazon.com/exec/obidos/ASIN/0385499086/c4iorg
It includes a new afterword on the events of September 11th, which when I was reading it brought on a swell of the emotions I was feeling on that day. At $10.47 it beats the $14.95 plus tax I spent on the impulse buy at Barnes and Noble.

Cheers!
William Knowles
[EMAIL PROTECTED]
[ISN] "Nessus phones home": the final report.
Forwarded from: Jay D. Dyson <[EMAIL PROTECTED]>

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Forwarded with permission of Renaud Deraison.

- -- Forwarded message --
Date: Fri, 17 May 2002 19:57:22 +0200
From: Renaud Deraison <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: "Nessus calls home"

On Wed, May 08, 2002 at 04:50:09PM +0200, Renaud Deraison wrote:
> I attended CanSecWest last week and I was told there were rumors of
> people complaining about Nessus "calling home" when doing a scan.

Thanks to everyone who replied to me on this issue. I was surprisingly overwhelmed with answers, so please forgive me if I did not reply to you personally.

To sum up the replies: a vast majority of people don't care, but everyone agreed that a user-definable third party domain was the way to go.

In Nessus 1.2.1 (or the current CVS snapshot), a new option now appears in the 'plugin prefs' tab, and is set to "nessus.org" by default. Users can change it to something else, so privacy issues should be somewhat resolved.

I modified more plugins than I thought would be necessary - I'd like to thank Thomas Reinke for sending me a list of plugins that used "nessus.org" in one way or another (there were more than I thought, mostly because of laziness on my part). People interested in the full list can go to cvs.nessus.org and look for the plugins whose commit log is "privacy".

While I apologize to those who have felt threatened by this issue, I sincerely regret the fact that they did not voice their concerns directly to me (even though I was attending CanSecWest, and the person who spread the rumor too), and preferred to go the sneaky way about this.

Hopefully, the incident is over in CVS, and will be in Nessus 1.2.1.

-- Renaud

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.
iD8DBQE85p/5GI2IHblM+8ERAjRDAJ9vMkip1mnHTHLtuzHkNAi0swb+bACfZjpK
Tqb+X88SSFdYy0iV/wJt5pY=
=cMBR
-END PGP SIGNATURE-
[ISN] Linux Advisory Watch - May 17th 2002
++
| LinuxSecurity.com                  Linux Advisory Watch |
| May 17th, 2002                     Volume 3, Number 20a |
++
Editors: Dave Wreski, Benjamin Thomas
[EMAIL PROTECTED], [EMAIL PROTECTED]

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for icecast, sharutils, fileutils, imapd, shadow/pam modules, lukemftp, openssh, tcpdump, and mpg123. The vendors include Caldera, Mandrake, Red Hat, and SuSE.

* SECURE YOUR APACHE SERVERS WITH 128-BIT SSL ENCRYPTION *
Guarantee transmitted data integrity, secure all communication sessions and more with SSL encryption from Thawte, a leading global certificate provider for the Open Source community. Learn more in our FREE GUIDE: http://www.gothawte.com/rd250.html

FTP Attack Case Study Part I: The Analysis
This article presents a case study of a company network server compromise. The attack and the intruder's other actions are analyzed. A computer forensics investigation is undertaken and the results are presented. The article provides an opportunity to follow the trail of incident response for a real case.
http://www.linuxsecurity.com/feature_stories/ftp-analysis-part1.html

+-+
| icecast |
+-+
Buffer overflows in the icecast server allow remote attackers to execute arbitrary code via a long HTTP GET request, as well as to mount denial of service attacks.

Caldera:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS/icecast-1.3.12-1.i386.rpm
  83407efa0c40a9ceac02606ae37237f2
Caldera Vendor Advisory: http://www.linuxsecurity.com/advisories/caldera_advisory-2067.html

+-+
| sharutils |
+-+
The sharutils package contains a set of tools for encoding and decoding packages of files in binary or text format. The uudecode utility would create an output file without checking to see if it was about to write to a symlink or a pipe. If a user uses uudecode to extract data into open shared directories, such as /tmp, this vulnerability could be used by a local attacker to overwrite files or lead to privilege escalation.

Red Hat i386:
ftp://updates.redhat.com/7.2/en/os/i386/sharutils-4.2.1-8.7.x.i386.rpm
  38d89d89bb513d216b1a2a954be6d07b
Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisories/redhat_advisory-2069.html

+-+
| fileutils |
+-+
A race condition in various utilities from the GNU fileutils package may cause a root user to delete the whole filesystem. This update resolves a problem in the original fix that caused an attempt to recursively remove a directory with trailing slashes to end in a memory fault.

Caldera:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS/fileutils-4.1-5.i386.rpm
  d01d42d41800d0b9c1d02c4fec07a79d
Caldera Vendor Advisory: http://www.linuxsecurity.com/advisories/caldera_advisory-2070.html

Mandrake Linux 8.1:
http://www.mandrakesecure.net/en/ftp.php
  8.1/RPMS/fileutils-4.1-4.1mdk.i586.rpm
  593e200c8b2f2c83e7a6bb90a54cd853
Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisories/mandrake_advisory-2075.html

+-+
| imapd |
+-+
A malicious user may construct a malformed request that will cause a buffer overflow, allowing the user to run code on the server with the uid and gid of the e-mail owner.

Caldera:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS/imap-2000-14.i386.rpm
  3d4c39ed407a122f963f9f508f908c92
  imap-devel-2000-14.i386.rpm
  5c49edd5001471188ed6da5a20413f42
Caldera Vendor Advisory: http://www.linuxsecurity.com/advisories/caldera_advisory-2071.html

+-+
| shadow/pam modules |
+-+
The shadow package contains several useful programs to maintain the entries in the /etc/passwd and /etc/shadow files. The SuSE Security Team discovered a vulnerability that allows local attackers to destroy the contents of these files or to extend the group privileges of certain users. This is possible by setting malicious file-size resource limits before invoking one of the programs that modify the system files, so that the rewrite of the file is cut short. Depending on
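The sharutils entry above describes uudecode creating its output file without first checking whether the name already points at a symlink or a pipe. What follows is an added example written for this page, not sharutils code: a minimal uudecoder in Python with the unsafe output writer beside a hardened one that opens with O_CREAT|O_EXCL|O_NOFOLLOW and verifies with fstat that it got a regular file. The sample payload, the scratch directory standing in for /tmp and the planted symlink are all constructed for the demonstration.

```python
"""Added example, not sharutils code: a minimal uudecoder showing the output-file
handling the sharutils advisory above describes (open the name from the 'begin'
line and write, following whatever it points at) next to a hardened writer that
refuses symlinks, pre-existing files and anything that is not a regular file.
Paths and the sample payload are constructed for the example."""
import binascii
import os
import stat
import tempfile


def uuencode(name, payload, mode=0o644):
    """Build a uuencoded text body (used only to construct the sample input)."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(payload), 45):          # uuencode packs 45 input bytes per line
        lines.append(binascii.b2a_uu(payload[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]                          # "`" is the zero-length terminator line
    return "\n".join(lines) + "\n"


def uudecode(text):
    """Parse a uuencoded body; return (filename, mode, data). The filename is
    attacker-controlled: it is whatever the 'begin' line says."""
    lines = text.splitlines()
    if not lines or len(lines[0].split()) != 3 or lines[0].split()[0] != "begin":
        raise ValueError("missing 'begin <mode> <name>' header")
    _, mode, name = lines[0].split()
    data = bytearray()
    for line in lines[1:]:
        if line == "end":
            break
        if line.strip():
            data += binascii.a2b_uu(line)
    return name, int(mode, 8), bytes(data)


def write_output_vulnerable(dest_dir, name, data):
    """The unsafe pattern: open(name) follows a symlink planted in a shared
    directory such as /tmp, so the decoded bytes land in the link's target."""
    path = os.path.join(dest_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def write_output_hardened(dest_dir, name, data):
    """Create the output atomically and refuse to write through anything we did
    not create ourselves: O_EXCL fails if the name already exists (including as
    a dangling or live symlink), O_NOFOLLOW refuses symlinks outright, and the
    fstat check rejects pipes and devices. basename() keeps the name inside
    dest_dir."""
    path = os.path.join(dest_dir, os.path.basename(name))
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(f"refusing to write: {path} is not a regular file")
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


SAMPLE_PAYLOAD = b"uuencoded report line\n" * 5        # constructed: 110 bytes, three data lines
SAMPLE_UU = uuencode("report.txt", SAMPLE_PAYLOAD)


def demo():
    """Scratch directory standing in for /tmp: an attacker has pre-planted
    report.txt as a symlink to a file the victim owns, then the victim decodes."""
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "victim.conf")
        with open(target, "wb") as fh:
            fh.write(b"original contents\n")
        name, _mode, data = uudecode(SAMPLE_UU)
        os.symlink(target, os.path.join(scratch, name))   # the planted link

        write_output_vulnerable(scratch, name, data)       # silently clobbers victim.conf
        with open(target, "rb") as fh:
            clobbered = fh.read() == data

        try:                                               # the link is still there for the hardened writer
            write_output_hardened(scratch, name, data)
            refused = False
        except OSError:
            refused = True
        return {"decoded": data, "vulnerable_overwrote_target": clobbered, "hardened_refused": refused}


if __name__ == "__main__":
    print(demo())
```

Running it, demo() reports that the unsafe writer replaced victim.conf through the planted link while the hardened writer raised on the existing symlink. A tool that must be able to overwrite existing files can drop O_EXCL and rely on O_NOFOLLOW plus the fstat check, but should then also open with O_NONBLOCK, since opening a planted FIFO for writing otherwise blocks until a reader shows up.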
[ISN] Computer whiz still faces second lawsuit
http://www.mlive.com/news/bctimes/index.ssf?/xml/story.ssf/html_standard.xsl?/base/news/1021648510270760.xml Friday, May 17, 2002 By Crystal Harmon TIMES WRITER A teen-age computer wizard has won his legal battle to get the label "hacker" removed from his school record, but now the label "eavesdropper" may be added to his criminal record. Nicholas J. Suchyta, 19, allegedly recorded his roommate and her boyfriend having sex and also beamed live broadcasts of the activities on the Internet early this year. The couple told police they had no idea that the five computers in the living room were rigged with a Web cam. Bay County District Judge Scott J. Newcombe arraigned Suchyta on two counts of installing eavesdropping devices and two counts of divulging information obtained by eavesdropping. Each felony count carries a maximum penalty of two years in prison and $2,000 in fines. Suchyta was released from the Bay County Jail on May 8 after posting a $5,000 bond. Suchyta had shared an apartment on North Hampton Road with an 18-year-old woman who said the two had been best friends since grade school. But she said she became concerned when acquaintances said they'd seen her having sex on the Internet with her 18-year-old boyfriend. She told police she found the recordings on one of the computers, but as she attempted to download the images for evidence, the computer was shut down, apparently from one of the two laptop computers she said Suchyta carries with him. On Feb. 2, police searched the apartment and found a camera hidden on top of one of the computers. With the help of a computer crimes expert, they also found four files containing images of the two teens having sex that apparently had been broadcast on the Internet. Bay City Police also found 14 modems that they determined had been taken from Charter Communications, where Suchyta had worked as a high-speed data technician. 
Suchyta, who now resides on South Euclid Avenue, declined to comment to The Times about the cases. Meanwhile, Suchyta and Bay City Public Schools have settled a civil suit Suchyta brought against school officials who disciplined him for downloading a "hacking" program. The program included instructions for capturing log-ins and passwords of system users. Suchyta was a co-op student who worked in the student records office and the computer lab, and helped make the transition from one type of system to the other. Staff turned to Suchyta for help with many computer glitches, and, Suchyta said, a secretary gave him the password to the student-record program so he could help her update vaccination records. Later a teacher reported seeing Suchyta browsing student records in class, according to testimony given during depositions for the lawsuit. Co-op supervisor Michael Kehrier said school officials warned Suchyta to stay away from sensitive material, but they allowed him to continue his work in the school computer lab. The district's technology director said he's reviewed security and made some changes. "No data is ever going to be 100-percent secure," John Strycker said this morning. "But a system is only going to be as secure as the user. People that are new to using technology - and in this district it's relatively new - might not understand that passwords are like keys and you don't just hand them out." In November 2000, according to depositions, a Central teacher was having trouble with his computer and school technicians ran a virus program, which found several files saved on Suchyta's hard drive. Suchyta claimed he was simply collecting such information to evaluate possible threats to the network, he said. Assistant Principal Jonathan Whan suspended Suchyta for five days in November 2000, fired him from his co-op job and kicked him out of advanced computer classes. In written memos, Whan classified Suchyta's actions as "hacking" the computer system. 
Suchyta and his parents, Richard and Shannan, sued the school and Whan for defamation of character, invasion of privacy, intentional infliction of emotional distress and gross negligence. They also accuse school officials of failing to provide copies of computer data they requested under Michigan's Freedom of Information Act. The Suchytas asked for more than $25,000 each. Their attorney, David Skinner, said Thursday that the settlement - forged with help of a mediator and yet to be approved by a judge - was amicable. He wouldn't comment on a monetary settlement, but acknowledged that the schools removed all records of the alleged "hacking" incident from Suchyta's permanent record. In the suit, Skinner described school officials' handling of the incident as "open and hostile." "The school district's agents accused a teen-age high school student of being a hacker, removed him from the classes found most interesting," the complaint reads. "The allegation that Nicholas is a hacker creates the presu
[ISN] 13,000 Credit Reports Stolen by Hackers
http://www.nytimes.com/2002/05/17/technology/17IDEN.htm By JOHN SCHWARTZ May 17, 2002 Hackers posing as employees of the Ford Motor Credit Company have in recent months harvested a trove of 13,000 credit reports - a virtual one-stop shop for fraud and identity theft - with data on consumers in affluent neighborhoods across the country. The company said in a letter to the victims that computer intruders used an authorization code from Ford Credit to get the credit reports from Experian, one of three major reporting agencies. "I've never seen anything of this size," a spokesman for Experian, Donald Girard, said. "Privacy is the hallmark of our business. We're extraordinarily concerned about the privacy issue here, and the trust factor." The inquiries gave the intruders access to each victim's personal and financial information, including address, Social Security number, bank and credit card accounts and ratings of creditworthiness, which can be used to identify the best targets. "This is not just a credit card number; this is the whole kazoo," said Richard Power, the editorial director for the Computer Security Institute, an industry trade group. A criminal could use the data to make credit card charges or even open bank and credit card accounts in the victim's name. Thefts of credit records, Mr. Power said, are far more common than is reported. "The unique thing about this one," he said, "is that it has surfaced." The theft was first reported yesterday by The Boston Globe and The Detroit News. Statistics on identity theft are hard to come by, with estimates ranging as high as 700,000 cases a year. Betsy Broder, the assistant director for planning and information of the Federal Trade Commission, said the commission received 86,000 complaints of identity theft last year. Representatives of Ford Credit said they did not know how the hackers acquired the code, which was used by the company's office in Grand Rapids, Mich. 
The intruders focused on addresses in affluent neighborhoods, often in numeric sequence, said Rich Van Leeuwen, executive vice president at Ford Credit. The company said it had sent letters via certified mail to all 13,000 people, urging them to contact Experian and the two other credit reporting giants, Equifax and TransUnion, and to report any evidence of abuse to the F.B.I. The company has also worked with Experian to set up a phone line to let victims get their credit reports and help them resolve discrepancies. Neither Ford Credit nor Experian has determined how many people have reported fraudulent charges or other problems. Mr. Girard said that Experian had received 2,700 calls since the letters started going out this month. Although the unauthorized inquiries began in April 2001, Ford first heard about the problem in February, Mr. Van Leeuwen said. Only 400 of the 13,000 victims were customers of Ford Credit, he said. Dawn M. Clenney, a special agent at the F.B.I. office in Detroit, said that she could not comment, except to say, "We're on the case." Mr. Girard, the Experian spokesman, said the company would work with the F.B.I. to catch and prosecute the intruders. "It just shows that today, even big companies can be victimized," he said. "It's a never-ending struggle against the bad guys."
[ISN] Are you the Klez monster?
http://news.com.com/2100-1001-916945.html?tag=fd_top By Robert Lemos Staff Writer, CNET News.com May 17, 2002, 1:05 PM PT It may only be a matter of time before you're accused of spreading the Klez virus. A month after it started spreading, the Klez.h worm isn't slowing down, said antivirus experts on Friday. Moreover, the worm's technique of forging the address of the sender on each infected e-mail message is creating a flood of warnings from gateway antivirus software informing the wrong people that they are infected. "A lot of traffic is being multiplied by the response mechanisms and refusal mechanisms," said Fred Cohen, security practitioner in residence at the University of New Haven. In many cases, antivirus software protecting a company's e-mail gateways is sending out a response to each infected e-mail inadvertently sent out by a victim--but that warning is going to the wrong person. "So, in effect, you're getting twice the fun you would normally get," Cohen said. Apart from magnifying the amount of spam produced by the virus, the incorrect identification of those who are infected is also responsible for hindering efforts to fight the spread of the worm, said Cohen. Faked addresses The Klez.h variant, which appeared in mid-April, infects PCs whose users open the attachment to an infected e-mail. Confusing matters, the e-mail will have a random "from" address, selected from various sources on the original victim's hard drive. And it pairs this bogus sender's address with one of more than 120 different subject lines. When a user opens the attachment, the virus starts up its own e-mail engine and mass mails itself to e-mail addresses found in various files on the PC, using a source address culled from those addresses. Klez.h can also send out a random file from the PC as an attachment, along with the e-mail that carries the worm, potentially passing confidential information. 
In some instances, the worm also drops one of several other viruses, including the destructive CIH, and tries to remove any active antivirus software from the system. Overall, the Klez.h variant has been extremely successful. "The spread has been really steady," said John Harrington, director of U.S. marketing for e-mail service provider MessageLabs. "We've seen 20,000 again today (Friday), and there's no indication that this is dying down." While the worm has not spread as quickly as, say, the LoveLetter virus - of which MessageLabs received one copy for every 23 legitimate e-mails during the virus' peak in May 2000 - it does make up one out of nearly every 170 e-mails, Harrington said. In fact, the steady spread - rather than a firestorm of e-mails - may actually be part of the reason for the worm's success, said Harrington. The Klez.h variant did manage to top the charts of computer viruses in April. "It kind of cruises below the radar screen," Harrington said. "Everyone had heard of LoveLetter. But if you go into a computer shop and ask people if they've heard of Klez, they'll shake their heads." Hard to track The Klez variant's ability to spoof the source of infected e-mail makes it nearly impossible to track down the infected users who sent the virus. "The whole spoofing thing adds a dimension to it that is a little different," said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team. "It's definitely possible that the false addresses are slowing response." Network Associates still receives more than 50 reports a day of the worm from customers, and some corporate clients are seeing more than 20,000 messages carrying the virus at their e-mail gateways. The response to Klez - that uninfected users are being told they sent a virus - shows the holes in the system, added Gullotto.
In addition, some out-of-the-office auto-reply mechanisms may be going haywire as a result of an infected user sending an e-mail with a random source and receiver who are both away. "I am sure there are some auto-reply wars that have been going on," Gullotto said. "There has been a lot of mail that is going around that is caused by this." Until system administrators disable antivirus notification on the e-mail gateway servers, the confusion will only continue.
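The notification loop described in this article comes from gateway antivirus software answering the From: address of an infected message, which Klez.h fills with an address harvested from the victim's disk. Below is an added example, not code from the article or from any antivirus product: a gateway-side policy that decides whom to warn from the one Received: line the gateway itself wrote rather than from From:. The domains, hostnames, IP ranges and the three sample messages are assumptions constructed for the example.

```python
"""Added example, not code from the CNET article or from any antivirus vendor:
a gateway-side notification policy that never trusts the From: header, which
Klez.h fills with an address harvested from the infected PC. Hostnames,
addresses and IP ranges below are assumptions made up for the example."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"example.com"}                         # assumed: our own mail domains
INTERNAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]   # assumed: where our MTAs and clients live
OUR_GATEWAY = "mx.example.com"                          # assumed: the name our gateway stamps into "by ..."

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def peer_ip(raw):
    """Return the IP of the host that handed the message to our gateway, or None.

    Every MTA prepends its own Received: line, so the topmost one was written by
    our gateway and is the only hop we can vouch for. Everything beneath it, and
    the From: header, is whatever the sending machine (or the worm) chose to write.
    """
    received = message_from_string(raw).get_all("Received") or []
    if not received or f"by {OUR_GATEWAY}" not in received[0]:
        return None
    match = _BRACKET_IP.search(received[0])
    return ipaddress.ip_address(match.group(1)) if match else None


def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def notification_policy(raw, verdict):
    """Decide whom, if anyone, to warn that the message carried 'verdict'.

    Returns {'notify': address-or-None, 'reason': str, 'from_claims_local': bool}.
    """
    msg = message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1]
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1]
    ip = peer_ip(raw)
    claims_local = _domain(header_from) in LOCAL_DOMAINS

    if ip is not None and any(ip in net for net in INTERNAL_NETS):
        # It came from inside: one of our hosts is infected. Warn the account that
        # relayed it (envelope sender), not the cosmetic From:, and only if it is ours.
        if _domain(envelope_from) in LOCAL_DOMAINS:
            return {"notify": envelope_from,
                    "reason": f"{verdict}: internal origin {ip}, warning our own sender",
                    "from_claims_local": claims_local}
        return {"notify": None,
                "reason": f"{verdict}: internal origin {ip} with foreign envelope sender, escalate",
                "from_claims_local": claims_local}

    # External (or unverifiable) origin: the From: address is a bystander picked off
    # the victim's disk. Mailing it is the amplification the article describes.
    return {"notify": None,
            "reason": f"{verdict}: external origin {ip}, From: untrusted, quarantine silently",
            "from_claims_local": claims_local}


# Constructed samples, not captured traffic. Header order matters: the first
# Received: line is the one our gateway added on arrival.
EXTERNAL_KLEZ = """\
Return-Path: <alice@example.com>
Received: from dsl-7.isp.example ([203.0.113.7]) by mx.example.com with SMTP; Fri, 17 May 2002 09:12:44 -0400
Received: from victim-pc ([192.168.1.9]) by dsl-7.isp.example; Fri, 17 May 2002 09:12:40 -0400
From: alice@example.com
To: bob@example.com
Subject: A funny website

(attachment stripped)
"""

INTERNAL_INFECTED = """\
Return-Path: <carol@example.com>
Received: from ws-22.corp.example.com ([10.1.4.22]) by mx.example.com with SMTP; Fri, 17 May 2002 10:01:02 -0400
From: random.person@elsewhere.example
To: dave@example.com
Subject: Hi

(attachment stripped)
"""

UNSTAMPED = """\
Received: from somewhere ([198.51.100.4]) by relay.other.example with SMTP; Fri, 17 May 2002 11:00:00 -0400
From: alice@example.com
To: bob@example.com
Subject: Meeting notice

(attachment stripped)
"""

if __name__ == "__main__":
    for label, raw in [("external", EXTERNAL_KLEZ), ("internal", INTERNAL_INFECTED), ("unstamped", UNSTAMPED)]:
        print(label, notification_policy(raw, "W32/Klez.h"))
```

Only a message handed in by an internal host produces a warning, and then to the envelope sender the gateway actually saw; anything arriving from outside is quarantined without a bounce, because the From: in an externally originated Klez message names a bystander (in the first sample, a local user who never sent anything). The article's blunt fix, switching gateway notifications off entirely, is the special case of this policy with an empty INTERNAL_NETS list.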