                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3f, Phile #0x0e of 0x0f

|=-----------------=[ P H R A C K  W O R L D  N E W S ]=-----------------=|
|=-----------------------------------------------------------------------=|
|=--------------------=[ Phrack K0mbat Journalistz ]=--------------------=|

Content

  1 - p62 Makes Headlines All Over the World
  2 - Snort Team in Denial
  3 - Will Kevin Poulsen Still Find My Ass Appetizing in 12 Months?
  4 - Another Reason Why Germans Shouldn't Have Computers
  5 - The End of Vetesgirl
  6 - Morons Fail to Hold Down Debian
  7 - Doctors Misfire Valuable Information Intended for Lance
  8 - Narq Out Eeye; Win a New House
  9 - Thwarted Linux Backdoor Hints at Dumber Ppl w/ More 0day/Thwart
 10 - udp.livejournal.com Will Not Be Forgotten!
 11 - hendy Potato Scheme Foiled

|=-----------------------------------------------------------------------=|
|=-=[ p62 Makes Headlines All Over the World ]=--------------------------=|
|=-----------------------------------------------------------------------=|

All the Michael Moores out there would like you to think that p63 was a
"fake" magazine produced by a "fake" group with a "fake" mission. But
watch again and again, as people are forced to respond to the very real
security threats caused by this so-called "fake" rhetoric.

http://conference.hackinthebox.org/speakers.php#cmwong

Presentation Topic: Advanced Linux Kernel Keylogger

Presentation Details:

This presentation will discuss some of the more advanced techniques in
writing kernel based keyloggers and will present the newest release of
THC-vlogger 2.1 with new keystroke logging techniques and more features
such as centralized logging. THC-vlogger, first presented in Phrack
Magazine #59, enables the capability to log keystrokes of all
administrator/user's sessions via console, serial port and Telnet/SSH
remote sessions, switching logging modes by using magic passwords,
stealthily sending logged data to centralized remote server.
Its smart mode can automatically detect password prompts to log only
sensitive user and password information. This talk will also discuss the
recently published tool in PHC's 'fake' phrack #62 dealing in the
detection and disabling of Sebek, a host based honeypot monitoring tool of
the Honeynet project. The presentation will also discuss the advantages
of THC-vlogger 2.1 over Sebek and other similar keylogger tools.

|=-----------------------------------------------------------------------=|
|=-=[ Snort Team in Denial ]=--------------------------------------------=|
|=-----------------------------------------------------------------------=|

More credible: Marty Roesch or the Taliban media relations department?

Please note that even though this is an Internet-based news source which
is reporting on facts contained within an online article, there is no
mention of the primary news source, or the specific evidence found within
the original article. As snort is a narq corporation, with narq/fed ties,
we are not surprised to find that Chomsky's rudimentary theory of media
filters has been applied properly, drowning out the voice of truth.

Note also the shoddy arguments used to convince half-witted news readers
of the lack of risk: the shell box was 37km away from the CVS tree, so
compromise must be unlikely! Come on, not everybody reading the news is a
CISSP.

http://www.zdnet.com.au/newstech/security/story/0,2000048600,20278877,00.htm

The author of Snort, an open source Intrusion Detection System (IDS),
Martin Roesch, has dismissed as untrue claims the software was 'trojaned'
by attackers.

Roesch, who is also the chief technology officer of U.S. based IDS
company Sourcefire, moved quickly to quell rumours in the security
community that a hacking group had managed to insert back-door code into
the Snort source-code repository.
"There is no backdoor in Snort nor has there ever been, everyone can
relax," Roesch wrote in a posting to the full disclosure security mailing
list.

Attackers had breached one of Roesch's systems, he admits, but that was a
low-security shell server -- used by members of the Snort team and their
associates to access services such as IRC without exposing their own
machines to risk -- located in his basement, 37 km away from the Snort
code repository.

"If you're wondering 'how do you know the code isn't backdoored?', since
we know that that server is an 'at risk' server, we're not in the habit
of checking code into [the Snort code repository] from there. If that's
not good enough for you, Snort has been through three code audits since
March -- one Sourcefire internal, two third-party external -- and there
are most definitively no backdoors in the code, nor were there any,"
Roesch added.

Trojans have been found in several open source projects over the last
year, including those found in Sendmail and OpenSSH. Malicious code was
also found in the libpcap and tcpdump libraries -- software which is
required by the Snort IDS to operate.

Australian security consultant Daniel Lewkovitz says that the mere fact
that a rumour like this could turn out to be true, even though it looks
unlikely in this case, means the issue at least warrants discussion.

"A lot of threats haven't changed that much, but what has changed is
normal people's awareness and attitudes to it. I think anything that
makes people more aware of relevant issues and relevant threats is a good
thing," he told ZDNet Australia.

There's nothing necessarily wrong with listening to a rumour so you can
check it out for yourself, Lewkovitz says, as long as the source of the
rumour is at least somewhat credible.

"If there was a threat I'd want to know about it," he said. "If it came
from a reliable source I'd be much more likely to give it credence than
the paranoid rants of tin-foil hat wearing conspiracy theorists."
|=-----------------------------------------------------------------------=|
|=-=[ Will Kevin Poulsen Still Find My Ass Appetizing in 12 Months? ]=---=|
|=-----------------------------------------------------------------------=|

Adrian Lamo begins to ask himself important questions:

http://www.securityfocus.com/news/7771

Lamo Pleads Guilty to Times Hack
By Kevin Poulsen, SecurityFocus
Jan 8 2004 2:18PM

NEW YORK--Hacker Adrian Lamo pleaded guilty Thursday to federal computer
crime charges arising from his 2002 intrusion into the New York Times
internal network, and faces a likely six to twelve months in custody when
he's sentenced in April.

In a plea deal with prosecutors, Lamo, 22, admitted to cracking the Times
network and recklessly causing damage exceeding $5,000. Both sides agreed
on the six to twelve month sentencing range which, under federal
guidelines, could permit Lamo to serve his sentence under house arrest or
confined to a halfway house, at the court's discretion. The judge is not
bound by the sentencing recommendation, and could technically sentence
Lamo to as much as five years in custody -- though it's unlikely. The
hacker also potentially faces $15,000 to $20,000 in fines, and could be
ordered to pay financial restitution.

Clad, uncharacteristically, in a sports coat and loafers, Lamo answered
federal judge Naomi Buchwald in a calm and clear voice Thursday as she
meticulously reviewed his rights as a defendant, and asked if he wished
to waive his right to a jury trial. Lamo told Buchwald that he regretted
causing the Times financial harm. "I knew that I crossed the line," said
Lamo. "I am genuinely remorseful."

"He has always indicated that he's willing to accept responsibility for
what he did," said Lamo's defense attorney, federal public defender Sean
Hecker, after the appearance.

In a statement, Times spokesperson Christine Mohan said Lamo's intrusion
"was a serious offense, and we appreciate that it was treated as such by
the authorities."
    'I knew that I crossed the line. I am genuinely remorseful.'
                                                      -- Adrian Lamo

The federal case against Lamo began in February, 2002, when, according to
court documents, FBI agent Christine Howard read about the New York Times
hack on SecurityFocus, which first reported on the incident.

Lamo said at the time that he penetrated the Times after a two-minute
scan turned up seven misconfigured proxy servers acting as doorways
between the public Internet and the Times private intranet, making the
latter accessible to anyone capable of properly configuring their Web
browser.

Once inside, Lamo exploited weaknesses in the Times password policies to
broaden his access, eventually browsing such disparate information as the
names and Social Security numbers of the paper's employees, logs of home
delivery customers' stop and start orders, instructions and computer
dial-ups for stringers to file stories, lists of contacts used by the
Metro and Business desks, and the "WireWatch" keywords particular
reporters had selected for monitoring wire services.

He also added his real name, phone number and e-mail address to a
database of 3,000 contributors to the Times op-ed page, where he listed
himself as an expert in "Computer hacking, national security,
communications intelligence."

Financial Losses Disputed

Prosecutors charged Lamo with the intrusion last September, and in an
affidavit Mohan accused the hacker of racking up $300,000 in charges by
conducting 3000 searches on the Lexis-Nexis news and legal databases
service under the Times' corporate account.

Lamo said at the time that the figure had "no basis in fact", and
Thursday's plea suggests that it was at least exaggerated: both sides
stipulated that the hacker caused between $30,000 and $70,000 in losses
through a combination of his unauthorized Lexis-Nexis use, and his
access to an unprotected Microsoft customer service database.
(The Microsoft incident, which took place in 2001, was unrelated to the
Times intrusion, but was included in the plea as "relevant conduct" for
sentencing purposes.)

Thursday's guilty plea caps an aggressive FBI investigation that
generated controversy last September when the Bureau notified a dozen
journalists who had covered the hacker's antics that it intended to
subpoena reporters' notes -- a threat that was later withdrawn as
inconsistent with Justice Department policy.

In the months that followed, the probe saw FBI agents contacting a Who's
Who of figures in the computer security and hacking community, some with
no obvious connection to Lamo, like @stake's Chris Wysopal, and Tsutomu
Shimomura, the researcher who helped the FBI track then-fugitive hacker
Kevin Mitnick in 1995.

Field agents also interviewed the nomadic hacker's friends and associates
around the country, toting a list of questions that covered everything
from Lamo's motives as a hacker, to queries about his social life. "They
kind of tried to make me feel like I did something," said Lamo friend
Matt Griffiths. "They asked if I was a hacker, if I ever hacked anything,
what kind of programs I used."

The FBI didn't return a phone call on the case.

Lamo has become something of a tech-media darling for his rootless,
wandering lifestyle -- Wired News dubbed him the "Homeless Hacker" --
combined with his habit of publicly exposing security holes at large
corporations, then voluntarily helping the companies fix the
vulnerabilities he exploited, sometimes visiting their offices or signing
non-disclosure agreements in the process.

Until the Times hack, Lamo's cooperation and transparency kept him from
being prosecuted, even after hacking Excite@Home, Yahoo, Blogger, and
other companies, usually using nothing more than an ordinary Web browser.
Some companies even professed gratitude for his efforts: In December,
2001, Lamo was praised by communications giant WorldCom after he
discovered then helped close security holes in their intranet.

Lamo said after the court appearance Thursday that his plea agreement
does not preclude the government charging him for some of his other
intrusions, but, "there's sort of an understanding, which may or may not
hold."

The hacker also says he's through committing computer crimes. He remains
free on bail, obliged by court order to live with his parents and either
work or attend school. He's now a student at a community college in
Sacramento, California, where he's studying journalism.

|=-----------------------------------------------------------------------=|
|=-=[ Another Reason Why Germans Shouldn't Have Computers ]=-------------=|
|=-----------------------------------------------------------------------=|

Yea, coming from the country that brought you David Hasselhoff and TEAM
TESO, I couldn't see this one coming...

http://www.thenetworkadministrator.com/Cannibal.htm

Trial of Cannibal the Computer Hacker

BERLIN -- The trial of the computer technician known as The Cannibal has
been underway now for Armin Meiwes. He is being tried for befriending
people in Internet chat rooms, killing and then eating his willing
victim. The most shocking confessions have been from Meiwes' own
testimony that more than 200 people answered his ad seeking a young man
"who wanted to be eaten". The grisly details of young men answering ads
and willingly subjecting themselves to be killed with the promise that
Meiwes would eat them is writing judicial history in Germany.

Quoting the daily Der Tagesspiegel: "This trial will write judicial
history, and it already now belongs to the bizarre side of progress in
[electronic] communications. Without the Internet it would have been
unthinkable that such an offer meets such a demand. Now, it is thinkable,
but it remains incomprehensible."
"Be it sexual criminals or necrophiliacs or sadists or masochists, there
are hundreds out there on the Internet," Meiwes told the court, according
to the Berliner Morgenpost.

The narrative of the crime is not in dispute. In March 2001, Meiwes, a
41-year-old loner, posted his ad in an Internet chat room. The missive
was answered by Bernd Brandes, a 42-year-old Berlin engineer with a
history of depression. Meiwes invited Brandes to his half-timbered
farmhouse in the central German city of Rotenburg, where Brandes numbed
himself with sleeping pills and schnapps. Meiwes sliced off and cooked
part of Brandes' flesh and the two men ate it, according to court
records. Brandes then took a bath while Meiwes read a book. Hours later,
Meiwes stabbed Brandes to death, cut his body into pieces and placed them
in his freezer.

Meiwes told a German magazine that over the next several days he dined on
Brandes, sometimes flavoring his meal with oil and garlic while drinking
South African red wine. "I had the fantasy and in the end I fulfilled
it," Meiwes told the court recently in the city of Kassel, where the
trial is expected to last until the end of January.

The case touches on seldom-explored legal questions. Cannibalism is not
illegal in Germany. Prosecutors are arguing that Meiwes, who was found
legally sane, murdered his victim in an act of perverse sexual
gratification. Meiwes contends he should not be charged with homicide
because Brandes consented to be killed and eaten. His lawyer said the
harshest penalty Meiwes should face is "killing on request," which
carries a sentence of six months to five years.

Police say they confiscated from the house more than 600 pictures
depicting the killing of Brandes and Meiwes' cannibalism. They also
discovered 300 videotapes and 16 computers, a testament to Meiwes'
passion for seeking like-minded men in the ambiguity of cyberspace.
|=-----------------------------------------------------------------------=|
|=-=[ The End of Vetesgirl ]=--------------------------------------------=|
|=-----------------------------------------------------------------------=|

pahahaha.

http://www.securityfocus.com/news/7329

Unlucky phisher pleads guilty
By Kevin Poulsen, SecurityFocus
Oct 29 2003 5:34PM

An Ohio woman whose credit card fraud schemes began to unravel when she
unwittingly spammed an off-duty FBI computer crime agent pleaded guilty
to a federal conspiracy charge Tuesday, and potentially faces years in
prison.

Helen Carr, 55, admitted in a federal court in Virginia to conspiring
with colleagues in the spam community to send mass e-mails to AOL
subscribers purporting to be from the company's security department.
According to court records, the messages claimed that AOL's last attempt
to bill the recipient's credit card had failed, and included a link to an
"AOL Billing Center" webpage, where an online form demanded the user's
name, address, credit card number, expiration date, three-digit CCV
number and credit card limit.

The so-called "phishing" scams have developed as a popular technique for
fraudsters to swindle people out of everything from PayPal accounts to
ATM codes. In recent months the already-generous flow of fraudulent
e-mails purporting to be from PayPal, eBay and Citibank were joined by a
fresh influx of junk mail bearing the false imprimaturs of stalwart
British institutions like Halifax, NatWest, Barclays, and Lloyds TSB.
Last month a particularly bold variant on the scheme directed netizens to
a fake FBI anti-fraud website that prompted them for their debit or
credit card numbers and PINs.

Carr's undoing began when an FBI agent in the Norfolk, Virginia field
office received one of her e-mails in February, 2001, and launched an
investigation.
An electronic trail of stolen AOL accounts and free Web pages led agents
to raid the homes of a professional spammer and a credit card thief, both
of whom snitched on Carr, naming her as the ringleader of the operation,
according to an FBI affidavit in the case. A search of Carr's home turned
up two computers packed with files relating to the scam.

The plea is silent on how many credit card numbers Carr obtained in the
scam -- a question that's key to her future. Under binding federal
guidelines, Carr's sentence will be determined by the amount of
fraudulent charges racked up on the stolen credit card numbers -- with a
maximum of five years. But the guidelines also dictate that each credit
card be valued at a minimum of $500.00, a formula that helped boost Carr
co-conspirator George R. Patterson's sentence to 37 months in prison,
according to Patterson's attorney.

Carr is set for sentencing on January 20th.

"Internet 'phishing' for credit card numbers and personal information is
thievery," said U.S. Attorney Paul McNulty in a statement. "This
defendant was hooked by her own scheme."

|=-----------------------------------------------------------------------=|
|=-=[ Morons Fail to Hold Down Debian ]=---------------------------------=|
|=-----------------------------------------------------------------------=|

yup, definitely not us.

http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
The Debian Project                                 http://www.debian.org/
Some Debian Project machines compromised                 press@debian.org
November 21st, 2003
- ------------------------------------------------------------------------

Some Debian Project machines have been compromised

This is a very unfortunate incident to report about. Some Debian servers
were found to have been compromised in the last 24 hours.

The archive is not affected by this compromise!
In particular the following machines have been affected:

 . master (Bug Tracking System)
 . murphy (mailing lists)
 . gluck (web, cvs)
 . klecker (security, non-us, web search, www-master)

Some of these services are currently not available as the machines
undergo close inspection. Some services have been moved to other
machines (www.debian.org for example).

The security archive will be verified from trusted sources before it will
become available again.

Please note that we have recently prepared a new point release for Debian
GNU/Linux 3.0 (woody), release 3.0r2. While it has not been announced
yet, it has been pushed to our mirrors already. The announcement was
scheduled for this morning but had to be postponed. This update has now
been checked and it is not affected by the compromise.

We apologise for the disruptions of some services over the next few days.
We are working on restoring the services and verifying the content of our
archives.

|=-----------------------------------------------------------------------=|
|=-=[ Doctors Misfire Valuable Information Intended for Lance ]=---------=|
|=-----------------------------------------------------------------------=|

http://news.com.com/2100-1024_3-5110883.html?tag=nefd_top

By Reuters

Call it spam rage: A Silicon Valley computer programmer has been arrested
for threatening to torture and kill employees of the company he blames
for bombarding his computer with Web ads promising to enlarge his penis.

In one of the first prosecutions of its kind in the state that made "road
rage" famous, Charles Booher, 44, was arrested on Thursday and released
on $75,000 bond for allegedly making repeated threats to the staff of a
Canadian company between May and July.
Prosecutors said that Booher threatened to send a "package full of
anthrax spores" to the company, to "disable" an employee with a bullet
and torture him with a power drill and ice pick, and to hunt down and
castrate the employees unless they removed him from their e-mail list.

He used return e-mail addresses including Satan+hell.org, they said.

In other cases, Internet vigilantes have bombarded spammers with both
unsolicited e-mail and regular mail and phone calls, launched attacks on
spammers' computers and posted spammers' personal information on the
Internet, according to reports.

Separately, the U.S. House of Representatives has approved a measure to
outlaw most Internet spam. Lawmakers hope to pass a national antispam
bill before a much tougher California state law goes into effect on
Jan. 1.

In a telephone interview with Reuters on Friday, Booher acknowledged that
he had behaved badly but said his computer had been rendered almost
unusable for about two months by a barrage of pop-up advertising and
e-mail.

"Here's what happened: I go to their Web site and start complaining to
them, would you please, please, please stop bothering me," he said. "It
just sort of escalated...and I sort of lost my cool at that point."

The Sunnyvale, Calif., man now faces up to five years in prison and a
$250,000 fine, with a preliminary hearing scheduled for next month on
charges of threatening to injure someone. He said he did not own any guns
or have access to anthrax.

Booher said the problem stemmed from a program he mistakenly downloaded
from the Internet that brought a continuous stream of advertising to his
computer.

The object of the Californian's anger was Douglas Mackay, president of DM
Contact Management, which works for Albion Medical, a company advertising
the "Only Reliable, Medically Approved Penis Enhancement."

"This went for a long, long time. He seemed really dedicated to this,"
Mackay said from Victoria, British Columbia.
"He seemed like a guy just crazy enough with nothing to lose that might
actually do something."

He said his company does not send spam but blamed a rival firm which he
said routes much of their unsolicited bulk e-mail through Russia and
eastern Europe. Mackay said such companies gave a bad name to the penis
enhancement business.

|=-----------------------------------------------------------------------=|
|=-=[ Narq Out Eeye; Win a New House ]=----------------------------------=|
|=-----------------------------------------------------------------------=|

Or you can paypal us some $ to fund the #phrack jihad.

http://www.cnn.com/2003/TECH/biztech/11/05/microsoft.bounty/

WASHINGTON (CNN) -- Microsoft has offered a $500,000 reward for
information that leads to the arrest of the writers of two computer
viruses.

The Blaster worm and SoBig.F e-mail virus crippled many PCs running on
the Microsoft Windows operating system this summer.

The world's largest software company announced Wednesday that it is
creating an anti-virus reward program, backed by $5 million of its cash,
to help law enforcement agencies catch the authors of computer bugs,
including $250,000 apiece for Blaster and SoBig.

"These are not just Internet crimes, cyber crime or virtual crimes. These
are real crimes that disrupt the lives of real people," said Brad Smith,
Microsoft senior vice president and general counsel.

But some technology observers are skeptical that the bounty will actually
work.

"This could totally backfire," Richard Williams, strategist for Summit
Analytic Partners, a research firm that focuses on software, told
CNN/Money. "Virus writers are very much driven by the same motivation
that makes people climb mountains. To put a bounty on their heads will
just increase their notoriety and increase their ego."

Microsoft has been suffering from a score of bad publicity since the
outbreak of Blaster and SoBig.F in August and early September.
Another worm, dubbed Nachi, also plagued users of Microsoft software
during the summer.

During Microsoft's latest quarterly earnings conference call last month,
chief financial officer John Connors said that security for its customers
was now Microsoft's number one priority.

Steve Jillings, president and CEO of FrontBridge Technologies, an e-mail
security firm, said that Microsoft's reward program could help deter some
virus writers but added that bounties were not a complete solution.

"This is a Band-Aid that does not fix the core root of the problem.
People don't look to Microsoft as a trusted security source," said
Jillings.

Microsoft's Smith stressed that the company is continuing to work on
enhanced security features for current editions of Windows as well as for
the next version of its operating system, called Longhorn, that is due
out in 2005.

He added that Microsoft, which had more than $51 billion in cash as of
the end of October, would commit more financial resources to the security
problem.

"If we need to spend more money, we will spend more money," said Smith.

|=-----------------------------------------------------------------------=|
|=-=[ Thwarted Linux Backdoor Hints at Dumber Ppl w/ More 0day ]=--------=|
|=-----------------------------------------------------------------------=|

Watch out for the informative quote by Ryan Russell, who knows about the
differences between programming errors and subtle backdoors, but not the
difference between "tty1" and "dyn-10.dongseo.ac.kr" in lastlog.

http://www.securityfocus.com/news/7388

Thwarted Linux backdoor hints at smarter hacks
By Kevin Poulsen, SecurityFocus
Nov 6 2003 6:00PM

Software developers on Wednesday detected and thwarted a hacker's scheme
to submerge a slick backdoor in the next version of the Linux kernel, but
security experts say the abortive caper proves that extremely subtle
source code tampering is more than just the stuff of paranoid
speculation.
The backdoor was a two-line addition to a development copy of the Linux
kernel's source code, carefully crafted to look like a harmless
error-checking feature added to the wait4() system call -- a function
that's available to any program running on the computer, and which,
roughly, tells the operating system to pause execution of that program
until another program has finished its work.

Under casual inspection, the code appears to check if a program calling
wait4() is using a particular invalid combination of two flags, and if
the user invoking it is the computer's all-powerful root account. If both
conditions are true, it aborts the call.

But up close, the code doesn't actually check if the user is root at all.
If it sees the flags, it grants the process root privileges, turning
wait4() into an instant doorway to complete control of any machine, if
the hacker knows the right combinations of flags.

That difference between what the code looks like and what it actually is
-- that is, between assignment and comparison -- is a matter of a single
equal sign in the C programming language, making it easy to overlook. If
the addition had been detected in a normal code review, the backdoor
could even have been mistaken for a programming error -- no different
from the buffer overflows that wind up in Microsoft products on a routine
basis.

"It's indistinguishable from an accidental bug," says security consultant
Ryan Russell. "So unless you have a reason to be suspicious, and go back
and find out if it was legitimately checked in, that's going to be a long
trail to follow."

Investigation Underway

In all, the unknown hacker used exactly the sort of misdirection and
semantic trickery that security professionals talk about over beer after
a conference, while opining on how clumsy the few discovered source code
backdoors have been, and how a real cyber warrior would write one.
"That's the kind of pub talk that you end up having," says BindView
security researcher Mark "Simple Nomad" Loveless. "If you were the NSA,
how would you backdoor someone's software? You'd put in the changes
subtly. Very subtly."

"Whoever did this knew what they were doing," says Larry McVoy, founder
of San Francisco-based BitMover, Inc., which hosts the Linux kernel
development site that was compromised. "They had to find some flags that
could be passed to the system without causing an error, and yet are not
normally passed together... There isn't any way that somebody could
casually come in, not know about UNIX, not know the Linux kernel code,
and make this change. Not a chance."

However sophisticated, the hack fell apart Wednesday, when a routine file
integrity check told McVoy that someone had manually changed a copy of a
kernel source code file that's normally only modified by an automated
process, specifically one that pulls the code from BitMover's BitKeeper
software collaboration tool and repackages it for the open source CVS
system still favored by some developers.

Even then, McVoy didn't initially recognize the change as a backdoor, and
he announced it to the Linux kernel developers list as a procedural
annoyance. Other programmers soon figured out the trick, and by Thursday
an investigation into how the development site was compromised was
underway, headed by Linux chief Linus Torvalds, according to McVoy.

If BitMover didn't run automated integrity checks, the backdoor could
have made it into the official release of version 2.6 of the kernel, and
eventually into every up-to-date Linux machine on the Internet. But to
get there a kernel developer using CVS would have to have used the
modified file as the basis for further development, then submitted it to
the main BitKeeper repository through Torvalds.
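The assignment-versus-comparison trick the article describes, as an added
example that is not from the article, from the kernel, or from the planted
change itself: a stand-in for the check as it behaved next to the check it
impersonated, plus the crude review-time scan a maintainer could run over a
diff to catch a lone '=' inside an if() condition. The struct, the flag
values and the return codes are constructed for the demo; the article does
not name the real wait4() flags and this code does not use them.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's per-process credentials; the real
 * structure is far larger. Only the field the backdoor touched is here. */
struct task {
    unsigned int uid;            /* 0 means root */
};

/* Constructed placeholder flag bits. The article does not name the real
 * wait4() options involved, so these values are invented for the demo. */
#define WFLAG_A        0x01u
#define WFLAG_B        0x02u
#define INVALID_COMBO  (WFLAG_A | WFLAG_B)

#define CALL_CONTINUES  0
#define CALL_ABORTED   (-1)

/* How the planted check behaved. The lone '=' assigns 0 to uid and the
 * expression evaluates to 0, so the branch never aborts: a non-root caller
 * passing the "invalid" flag pair walks away with uid 0. The extra
 * parentheses around the assignment also keep gcc's -Wparentheses quiet. */
static int backdoored_check(struct task *cur, unsigned int options)
{
    if ((options == INVALID_COMBO) && (cur->uid = 0))
        return CALL_ABORTED;
    return CALL_CONTINUES;
}

/* How the check was meant to read: compare, never assign. Root passing the
 * invalid pair is rejected; nobody's credentials change. */
static int legitimate_check(struct task *cur, unsigned int options)
{
    if ((options == INVALID_COMBO) && (cur->uid == 0))
        return CALL_ABORTED;
    return CALL_CONTINUES;
}

typedef int (*check_fn)(struct task *, unsigned int);

/* Run one check on a fresh task and report the caller's uid afterwards. */
static unsigned int uid_after(check_fn check, unsigned int start_uid,
                              unsigned int options)
{
    struct task t = { start_uid };
    check(&t, options);
    return t.uid;
}

/* Run one check on a fresh task and report what the call returned. */
static int result_of(check_fn check, unsigned int start_uid,
                     unsigned int options)
{
    struct task t = { start_uid };
    return check(&t, options);
}

/* Review-time heuristic for exactly this pattern: a lone '=' inside an
 * if() condition that is not part of ==, !=, <= or >=. Returns 1 when
 * found. Crude (no string or comment awareness), but it fires on the
 * planted line whether or not the assignment is wrapped in parentheses. */
static int assignment_in_condition(const char *line)
{
    const char *p = strstr(line, "if");
    int depth = 0;

    if (!p)
        return 0;
    p += 2;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p != '(')
        return 0;
    for (; *p; p++) {
        if (*p == '(') { depth++; continue; }
        if (*p == ')') { if (--depth == 0) break; continue; }
        if (*p != '=')
            continue;
        if (p[1] == '=') { p++; continue; }              /* == */
        if (p[-1] == '!' || p[-1] == '<' || p[-1] == '>')
            continue;                                     /* != <= >= */
        return 1;
    }
    return 0;
}

int main(void)
{
    printf("non-root caller after backdoored check: uid %u\n",
           uid_after(backdoored_check, 1000, INVALID_COMBO));
    printf("non-root caller after legitimate check: uid %u\n",
           uid_after(legitimate_check, 1000, INVALID_COMBO));
    printf("review heuristic flags the planted line: %d\n",
           assignment_in_condition(
               "if ((options == INVALID_COMBO) && (current->uid = 0))"));
    return 0;
}
```

The heuristic is deliberately dumber than a compiler: the planted line
compiled cleanly because the assignment sat inside its own parentheses,
which is exactly the idiom that silences the usual warning, so a textual
scan over incoming diffs that ignores those parentheses is the cheap
complement to the integrity check that actually caught this one.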
"If it had gotten out, it could have been really bad, because any Linux
kernel that had this in it, anybody who had access to that machine could
become root," says McVoy. But even then, he's convinced it wouldn't have
lasted long. "If someone started getting root with it, some smart kid
would figure out what was going on."

But Loveless says the hack is a glimpse of a more sophisticated computer
underground than is normally talked about, and fuel for speculation that
backdoors in software products are far more common than imagined. "We've
had bad examples of [backdoors], and we've had rumors of extremely good
examples," says Loveless. "This is a concrete example of a good one."

|=-----------------------------------------------------------------------=|
|=-=[ udp.livejournal.com Will Not Be Forgotten! ]=----------------------=|
|=-----------------------------------------------------------------------=|

http://www.securityfocus.com/news/7739/

Defenses lacking at social network sites

Sites like LiveJournal and Tribe are poised to be the next big thing on
the Web in 2004, but their security and privacy practices are more like
1997.

By Annalee Newitz, SecurityFocus
Dec 31 2003 3:14PM

Brad Fitzpatrick is president of LiveJournal.com, a social discovery Web
site where over 1.5 million users post diary entries they want to share
with friends. Although members post extremely sensitive information in
their journals -- everything from their plans to commit suicide or
sabotage their boss to their latest sexual adventures -- Fitzpatrick
admits that security on his site isn't a priority. On the initial login
page, LiveJournal members send their passwords in the clear. "We're
hoping to change that in the next month," Fitzpatrick said. "But site
performance is our highest priority, and SSL is a pain."

Jack (not his real name) is an LJ user whose account was compromised.
He isn't sure how it happened, but one day he logged in and discovered a
huge portion of his journal entries had been deleted. The attacker didn't
stop there -- she or he also plundered his friends' "locked" entries
(visible only to other friends) and reposted extremely private exchanges as
public entries in Jack's journal. Although he quickly changed his password
and fixed the problem, the damage was done. "My friends were really upset
and the bad feelings persist," he said. One friend feared that she might
lose her job when a private entry about problems with her supervisor was
made public on Jack's journal. "It's still cached on Google," he explained,
"although it would probably be hard for most people to find unless they knew
all the details."

    'The social network is your strongest weapon... If you try to find a
    technical solution to identity spoofing, you'll step on the social
    feedback mechanism.'
        -- Konstantin Guericke, LinkedIn.com

Security measures are equally weak on social discovery Web site Tribe.net,
whose member base has swollen to 65,000 since it launched six months ago.
Paul Martino, CTO of Tribe, chuckled at the idea that his site might use SSL
for member logins. "We don't need high industrial strength encryption for
that," he said. "We use standard security techniques like unique session
IDs."

As security professionals know, there are any number of ways to defeat
unique session IDs. Jeff Williams, CEO of Aspect Security, works on Web
applications security issues for large financial, health and government
institutions. He explained that Tribe.net's refusal to use SSL means that
"the session ID, which is included in the URL, will be logged on any proxy.
Or you can capture it off the wire with dsniff. If they aren't using SSL,
they are basically saying they don't value privacy the way you value your
privacy."

Cross-site scripting could be another problem.
Martino says Tribe does "tag scrubbing" to protect against people embedding
hostile scripts on their posts to the site. But security pros say an
attacker might be able to target specific members by sending a specially
crafted URL that directs them to a form with hidden tags designed to suck up
their cookies. Williams explained that "XSS is amazingly widespread. Plus,
XSS vulnerabilities are easy to discover and exploit." The Open Web
Application Security Project, where Williams also works, ranks cross-site
scripting number four on its list of the top ten web application
vulnerabilities.

"We try hard to [protect against XSS attacks], but there's always something
new," said Fitzpatrick. "The only solution would be to lose link tags, and
that's not a good solution."

Security consultant and Nmap author Fyodor speculated that social discovery
sites are also vulnerable to a class of attack that is familiar to anyone
who uses eBay: "You can trick a user into divulging their username/password
by sending them to a fake login page you control. For example, you could
send an email, forged as coming from Tribe, which says they need to agree to
a new ToS or their account will be deactivated. Then you give them a URL
that is cloaked to appear authoritative for Tribe but really could be
modified to go to the attacker's password capture page."

What makes these attacks novel in the context of a social discovery site
isn't how they are deployed, but why. What does an attacker have to gain by
spoofing the identity of a member of Tribe or LinkedIn? What kinds of damage
can be done by hacking into a LiveJournal account? The answer has to do with
the public's growing dependence on social reputation systems. As we come
closer to quantifying reputation, the identities we use in online
communities begin to have real-world value. A top-ranked member of a network
like eBay might be able to sell more items than her peers.
A high-karma user on a site devoted to legal issues could have a tremendous
influence over public policy.

According to social networks analyst Clay Shirky, identity spoofing is
possibly the greatest threat to social discovery networks. "When your
reputation is valuable, it becomes worth exploiting. It makes a stolen
identity a more valuable commodity."

LiveJournal's abuse manager Mark Ferrell said he receives at least five
reports of ID hijacking per day. By impersonating a highly-reputable person,
an attacker might gain access to that person's social network, business
contacts and private life. Spammers might launch highly personalized
campaigns. And sexual predators could use their victims' friend lists to
find more people to harass.

.... bla bla bla

|=-----------------------------------------------------------------------=|
|=-=[ hendy Potato Scheme Foiled ]=--------------------------------------=|
|=-----------------------------------------------------------------------=|

don't quit your admin job!

http://www.cnn.com/2004/TECH/ptech/01/13/offbeat.germany.computer.reut/index.html

BERLIN, Germany (Reuters) -- German police are investigating after an angry
man returned a computer he had just bought saying it was packed with small
potatoes instead of computer parts.

The store replaced the computer free of charge but became suspicious when he
returned a short time later with another potato-filled computer casing,
police in the western city of Kaiserslautern said on Monday.

"The second time he said he didn't need a computer any more and asked for
his money back in cash," a police spokesman said.

Police are now investigating the man for fraud.

|=[ EOF ]=---------------------------------------------------------------=|