Default Newsletter Issue #4: Description of the Millenium problem, A look into basic cryptography, Telecom 101: Receiving through the serial port, Macintosh security: Security audit with our Mac, Computing: Matrox G400 MAX Review, Understanding basic crypto techniques, Infection & Vaccination, New programs on Net-Security (NS Watch!), More news from the ACPO front, The Hotmail security hole, Meet the underground, Freedom of speech - related incidents, Microsoft Installs US Spy Agency with Windows.
Default newsletter Issue #4
http://default.net-security.org
05.09.1999 Help Net Security
http://www.net-security.org
TABLE OF CONTENTS
-----------------
I. Editorial
II. Last weeks news on Help Net Security
a) Help Net Security news headlines
b) Vulnerabilities reported in last week
c) Site News
d) Defaced Pages
III. Description of the Millenium problem
IV. A look into basic cryptography
V. Telecom 101: Receiving through the serial port
VI. Macintosh security: Security audit with our Mac
VII. Computing: Matrox G400 MAX Review
VIII. Understanding basic crypto techniques
IX. Infection & Vaccination
X. New programs on Net-Security (NS Watch!)
XI. More news from the ACPO front
XII. The Hotmail security hole
XIII. Meet the underground
XIV. Freedom of speech - related incidents
XV. Microsoft Installs US Spy Agency with Windows
I. Editorial
------------
Hi there and welcome to yet another issue of our Default newsletter. A bit
late, but brought straight to you from the Hit2000 Con (http://www.hit2000.org).
Ok, I (Thejian) am going to kick off with some issues regarding the organization
of Default. We would like to hear your (the readers) opinion on them, because that's
the only way for us to make this thing work (even better :) to your liking.
A lot of our editors do have lives outside the Internet (yeah don't ask me why or
how but..) and it has shown to be pretty difficult to expect them to come up with
articles and columns on a weekly basis. We thought of 2 ways to battle this. We could
start rotating columns, so our editors have a longer time-period to complete their
work (quantity- and quality-wise) in while another column fills up its spot in the
newsletter, or we could change the number of times we release Default.
The "rotate-thing" very heavily depends on other people submitting articles, so once
again, when you feel that writing urge, don't hesitate, just do it :)
Releasing Default on a different time-frame would be another solution, but we don't
want to get the releases too far apart, we were thinking about once every 2 weeks or
something. We're going to discuss this with all our editors as well, but we'd love to
have some of your thoughts for them to think about then. Please give us some feedback
on this.
On a very different note, I would like to take this opportunity to congratulate our
affiliates at Newstrolls (http://www.newstrolls.com) with their one year birthday. Keep
up the good work!
To finish off the points of interest, we now have 2 (or at least two of which we know
of) mirrors up at Attrition.org (http://www.attrition.org/~modify/texts/zines/Default/)
and NWO.net (http://www.nwo.net/Default).
Well that's about it for me, nothing much more interesting to tell here. It's been a
very challenging week, with some major security and privacy breaches discovered. We've
tried to deal with at least a couple of them in this issue, until then happy reading
and thanks for supporting HNS and Default.
For the HNS and HNS Default Crew:
Berislav Kucan
aka BHZ, webmaster Help Net Security
bhz@net-security.org
Xander Teunissen
aka Thejian, co-webmaster Help Net Security
thejian@net-security.org
II. Last weeks news on Help Net Security
----------------------------------------
a) Help Net Security news headlines
- Friday 27th August 1999:
Microsoft Security Bulletin #31
Default #3 released
Girl power hits e-commerce
"Nines problem"
Is Yahoo spam or anti-spam oriented?
- Saturday 28th August 1999:
Front page permissions
New acquisitions in Linux world
Debian not vulnerable
7 fired from first union bank
- Monday 30th August 1999:
Intel y2k ready
Toadie
Security hole in Hotmail
- Tuesday 31st August 1999:
Linus Torvalds
More on Hotmail
An overload of computer crime
German encryption products freely exportable
Pargain web hoax creator sentenced
Canadian government site hacked
CERT current activity
How to counter an unseen, unpredictable enemy
- Wednesday 1st of September 1999:
Teen hacker arrested
Legal percussions of the Hotmail flaw
Adobe unveils secure pdf
Microsoft issues IE patch
Government preparing for y2k violence
Office fix flawed
WH panel calls for crypto export reform
- Thursday 2nd of September 1999:
Securitysearch
Government sites attacked
LOU dissolved
"Thursday" virus sightings
Most software sold online is pirated
Hacker sentenced to 18 months
The other y2k problem: Hacker attacks
Hackers threat to minister's web site
- Friday 3rd of September 1999:
Visa and Cybersource target online fraud
New privacy web service not so private
Analyzer pleads innocent
Projects page is up
No y2k problems for cars
Value net and scam
The cleaner 3.0
Secure web based e-mail
Windows contains a backdoor?
- Saturday 4th of September 1999:
Hackers answer MS Win2000 challenge
PrivacyX reverses course
City hires company for security audit
Crackers threaten NASA and Mormon web sites
Paris hacked
b) Vulnerabilities reported in last week (our thanks goes out to BugTraq for this list)
27-08 Microsoft HTML Form Control DoS Vulnerability
27-08 ProFTPD Remote Buffer Overflow
30-08 Redhat amd Buffer Overflow Vulnerability
31-08 mars_nwe Buffer Overflow Vulnerabilities
31-08 TFS Gateway 4.0 Denial of Service Vulnerability
02-09 Netscape Communicator EMBED Buffer Overflow Vulnerability
02-09 Multiple Vendor INN inews Buffer Overflow Vulnerability
02-09 Cisco Catalyst 2900 VLAN Vulnerability
c) Help Net Security site news
* not applicable this week *
d) Defaced pages: (mirrors provided by Attrition (http://www.attrition.org))
Site: Western Australian Electoral Commission (www.waec.wa.gov.au)
Mirror: http://default.net-security.org/4/www.waec.wa.gov.au
Site: Bureau of Transportation for Taipei City (www.dot.taipei.gov.tw)
Mirror: http://default.net-security.org/4/www.dot.taipei.gov.tw
Site: Ministry of Transportation and Communications, Republic of China (www.motc.gov.tw)
Mirror: http://default.net-security.org/4/www.motc.gov.tw.htm
Site: HotMail Hack (www.hotmailhack.com)
Mirror: http://default.net-security.org/4/www.hotmailhack.com.htm
Site: Ontario Ministry of Northern Development and Mines (www.mndm.gov.on.ca)
Mirror: http://default.net-security.org/4/www.mndm.gov.on.ca.htm
Site: 7th Army Training Command, Bavaria, Germany (www.cmtc.7atc.army.mil)
Mirror: http://default.net-security.org/4/www.cmtc.7atc.army.mil.htm
Site: MegaAdult (www.megaadult.com)
Mirror: http://default.net-security.org/4/www.megaadult.com.htm
Site: SecurityNet (www.securitynet.net)
Mirror: http://default.net-security.org/4/www.securitynet.net.htm
Site: Ministério da Agricultura e do Abastecimento (www.agricultura.gov.br)
Mirror: http://default.net-security.org/4/www.agricultura.gov.br.htm
III. Description of Y2K Problem
-------------------------------
The Year 2000 problem (Y2K, Millennium Bug, Millennium Virus) came
about due to programming practices involving the use of 6 digit dates
(dd/mm/yy) vs. 8 digit dates (dd/mm/yyyy). This results in the
possibility of a date such as 31 being misinterpreted (is it 1931 or
2031?). Thus, any computer program which deals with 6 digit dates is
susceptible to the Y2K problem.
The Y2K problem involves two key date issues:
Date mathematics. For years businesses have used date math to compute
things such as aging schedules, due dates, past due accounts, etc. Many
computer applications now support the use of date mathematics (Lotus
1-2-3, MS-Excel, MS-Access, etc.) These applications all work by using
a base year (often Jan. 01, 1900) as a starting point and then tracking
the date and time numerically from that point (how much time has elapsed
since Jan 01, 1900). Thus, a time might be stated as a fractional component
of the day integer (35927.63 = May 12, 1998, 3:08 pm based on MS-Excel).
This means that to compute the difference between Jan 01, 1998 and Jan 01,
1999 would result in 365 days. Computing the difference in today and when a
bill was incurred would indicate how old a debt was (e. g. 45 days = past due).
So, when the year 2000 comes into play using a 6 digit date we end up with
situations like Jan 01, 00 - May 12, 1998. If this is misinterpreted by a
computer system as 1900 then the calculation will result in a large negative
number (in this case -35,926). This number may or may not be a problem the
computer application can deal with. It is possible that this number will be
made into the absolute value (the negative sign is dropped if no space is
reserved to hold it) which will cause even more confusion. Imagine if your
debt went from 22 days old to 35,926 days old. The past due notice would give
you a surprise.
In old COBOL (a programming language that is still in widespread use) dealing
with date math is even more complicated. Dates in COBOL are typically stored
in three different locations (a month, a day, and a year). The year is often
stored as 2 digits to save space and simplify output problems with pre-printed
forms. In some cases, COBOL programs were written with 4 digit dates and 1900 is
subtracted from the date to generate the form (1981 - 1900 = 81) so that the
form can look like 1981 when it is generated. This will cause a problem since
2001 - 1900 = 101 instead of 01. In other cases where a 6 digit date was used,
the problem is even worse since there is no clear indication of which date we are
talking about. Imagine a COBOL program that deals with county records to record births
and deaths. If all the dates are stored as 6 digits soon you will have records
which say something like 09/03/63. Now suppose, I live to be a hundred years old,
my birth is recorded as 09/03/63 and if I die on my birthday 100 years later my
death would also be 09/03/63. A casual observer might interpret this as me dying
at birth or who knows what.
Thus, the main problem of Y2K is the problem of incorrect results when date
mathematics are conducted. Most companies are working to correct these problems
in their COBOL programs and most current microcomputer applications already have
built in fixes.
The second type of problem involves systems that check the date for some purpose
to determine if a valid date is being used. An example might be a credit card
expiration date. If the program that checks this when the card is scanned is very
simple it might just say is today greater than the expiration date. Thus, 01/01/99
is greater than 01/01/00 which would result in your credit card being rejected.
Another example is a security system which checks to see if today is a valid date
before recording an entry or exit from a building. If the 00 date is determined to
be out of range or the computation is at fault the system may simply shut down and
lock all the doors.
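Both failure modes described above, as an added example that is not part of the
original article. The sample dates, the function names and the pivot year of 50 are
assumptions; the sliding "window" shown as the repair is one possible mechanism for
keeping two digit years, it is not something the article prescribes.

```python
from datetime import date

PIVOT = 50  # assumed window: years 00-49 mean 20xx, years 50-99 mean 19xx


def year_1900(yy):
    """Legacy behaviour: every two digit year is taken to be 19yy."""
    return 1900 + yy


def year_windowed(yy, pivot=PIVOT):
    """Repair that keeps the 6 digit format: pick the century from a pivot."""
    return (2000 if yy < pivot else 1900) + yy


def parse_ddmmyy(text, expand):
    """Turn 'dd/mm/yy' into a real date using the given century rule."""
    dd, mm, yy = (int(part) for part in text.split("/"))
    return date(expand(yy), mm, dd)


def debt_age_days(incurred, today, expand):
    """Date mathematics: age of a debt in days."""
    return (parse_ddmmyy(today, expand) - parse_ddmmyy(incurred, expand)).days


def card_expired(today, expiry, expand):
    """Validity check: 'is today greater than the expiration date?'"""
    return parse_ddmmyy(today, expand) > parse_ddmmyy(expiry, expand)


if __name__ == "__main__":
    # Constructed sample: a bill from 10 Dec 1999 looked at on 1 Jan 2000.
    print("legacy age  :", debt_age_days("10/12/99", "01/01/00", year_1900))
    print("windowed age:", debt_age_days("10/12/99", "01/01/00", year_windowed))
    # The article's card example: today 01/01/99, card valid until 01/01/00.
    print("legacy says expired  :", card_expired("01/01/99", "01/01/00", year_1900))
    print("windowed says expired:", card_expired("01/01/99", "01/01/00", year_windowed))
```

A window only moves the ambiguity to the pivot year; records that can span more than
a century, such as the birth and death example above, need the full 4 digit year.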
--------------------------------------------------------------------------------
Why did Programmers Do This?
Essentially, several reasons exist for this problem:
Saving Space in computer memory. Originally, computers had very small amounts of
memory available and the repeated use of two extra numbers could make a significant
difference on the amount of memory available so in the interests of efficiency, the
seemingly redundant thousands and hundreds were dropped.
Preprinted forms. Designing computer output for old systems was quite tedious and
required that every variable be specifically defined. In order to make it easy to
print a two digit year after a preprinted 19 it was simpler to use two digit years
in the program.
Unexpected Longevity. Since the year 2000 was a very distant date most people didn't
really think about this problem until recently. Thus, a lot of programs were written
in the traditional manner of using 2 digit years on the date.
--------------------------------------------------------------------------------
What is COBOL and why does it exist?
COBOL is a computer programming language developed by the CODASYL committee
(Conference on Data Systems Languages) in 1959. COBOL became the business
programming language of choice for large scale applications throughout the
60's, 70's and 80's. Millions and millions of lines of COBOL programs were written
and these systems (often called legacy systems) are still in use today since it
is expensive and difficult to replace an accounting system or payroll system in
a large corporation. The old adage, "If it ain't broke, don't fix it" has also
played a role in the continuation of COBOL as a programming language nearly 40
years after its original inception.
Where is the problem?
Any computer program which deals with dates is susceptible to this problem. Thus,
if you use dates in any of your applications at home or work, you should make sure
the applications you are using or the programs you are writing are compliant with 8
digit dates or have some other mechanism built in to deal with the year 2000. If you
fail to do this your business may suddenly find all of its records out of order or
important information could be lost due to problems dealing with data that is out of
range.
Will this problem dramatically affect my life?
Not likely, most companies are taking steps to deal with this problem. There will
likely be isolated incidences of problems (like a credit card rejected) that will
quickly be identified and corrected by the institution. At home, if you make sure
all of your applications and programs utilize 8 digit dates then you should experience
no problems with your personal applications.
What are Logic Devices [PLD]?
Logic devices and programmable logic devices are technical terms used to refer to the
many semiconductor based "chips" that are used to manage various devices (anything
from a simple coffee maker to a giant production machine). These devices are usually
programmed using Assembler programming language and it is estimated that literally
10s of billions of these things exist around the world.
Why are people concerned about PLDs in conjunction with Y2K?
Many people believe that a large number of devices that utilize PLDs will fail when
the year 2000 rolls around since PLDs may contain date sensitive code. In particular
programmable devices like VCRs, Coffee Makers, Security Systems, etc. are susceptible
to this type of problem. If the PLD is date sensitive and was not set up to deal with
8 digit dates (discussed earlier), then a number of different things may happen,
1) the device may simply fail to operate;
2) the device may report the incorrect day of the week (if it thinks the year is 1900);
3) The device may fail to operate as expected (coffee maker doesn't come on in the
morning). Thus, there is the potential for a lot of problems with this type of thing
but I don't think any of it is earth shattering (although if my coffee maker stops
working there is going to be a serious problem).
The other side of this coin is that PLD devices are used in large production systems
that manage things like power plants and food processing machinery (literally everything
these days has a PLD in it somewhere). Many speculate that electricity will fail and
all sorts of problems will ensue. My thought is that if the power company is not
producing electricity then it is not making any money. While I have not worked in
the power industry, my feeling is that they are testing these systems and making
corrections so again, there may be some isolated power outages, but as soon as the
power fails they can start repairing that system.
What can I do about PLDs?
Well, the easiest thing to do is to set the dates on the various devices in your
house that are programmable (security system, coffee maker, etc.) to dates after
the year 2000 and see what happens. If any problems ensue then you can figure out
what to do next (contact the manufacturer or replace the device). Mostly I would
check out your mission critical systems. I checked out the coffee maker and the
security system and both worked fine.
--------------------------------------------------------------------------------
How to be sure:
Assess your personal work. Are there applications or programs that use dates in
computation or for reference purposes? If you have such applications you may want
to investigate to determine if those applications and programs use 6 or 8 digit dates.
If you are using 6 digit dates, then you should convert them to 8 digit dates or at
least test the application to determine if there is a problem (try entering some dates
in the future). Be sure and back up your original files before you try any of this.
Dr. Doug White
Monfort College of Business
The University of Northern Colorado
doug.white@acm.org
IV. A look into basic cryptography
----------------------------------
Last issue I gave you the algorithm to a message. The message was HELLO
and encrypted, was CCJQA. I asked you to take the known key, 73, and
decipher the message and release the way you decrypted it.
Here is how you do it.
A=1 B=2 C=3 D=4 E=5 F=6 G=7 H=8 I=9 J=10 K=11 L=12 M=13 N=14
O=15 P=16 Q=17 R=18 S=19 T=20 U=21 V=22 W=23 X=24 Y=25 Z=26
3-73=-70 26-70=-44 26-44=-18 26-18= 8 is the first letter. 8 is H
3-73-3=-73 26-73=-47 26-47=-21 26-21= 5 is the second letter. 5 is E
10-73-3=-66 26-66=-40 26-40=-14 26-14= 12 is the third letter. 12 is L
17-73-10=-66 26-66=-40 26-40=-14 26-14= 12 is the fourth letter. 12 is L
1-73-17=-89 26-89=-63 26-63=-37 26-37=-11 26-11= 15 is the fifth letter. 15 is O
The original message is HELLO.
Now mathematically...
C(1)-N=X (if X<0, add 26 to it; repeat until 26>X>0). That's P(1).
C(2)-N-C(1)=X (if X<0, add 26 to it; repeat until 26>X>0). That's P(2).
C(r)-N-C(r-1)=X (if X<0, add 26 to it; repeat until 26>X>0). That is P(r).
Now here's another challenge for you. The Ciphertext is
XHGSQGAECWSI
And no, I did not encode the key number. See if you can crack it.
One suggestion is making a program to brute force it. Then again... It
may be a very very very high number...but it also may be really small.
I don't expect anyone to crack this.
I'll release the message in the next issue.
-you know the algorithm. Get to analyzing.
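The algorithm above and the brute force idea, as an added example that is not part
of the original column. Function names are assumptions, and results are folded into
1..26 so that Z = 26 stays reachable. Every step is reduced modulo 26, so a key N
behaves exactly like N mod 26: 26 trial keys cover every possible key, however large.

```python
"""Chained shift cipher from this column (A=1 .. Z=26); added example."""
import string

ALPHABET = string.ascii_uppercase


def _to_numbers(text):
    """Map letters to 1..26; reject anything outside A-Z."""
    text = text.upper()
    if not (text.isascii() and text.isalpha()):
        raise ValueError("only the letters A-Z are supported")
    return [ALPHABET.index(ch) + 1 for ch in text]


def _to_letter(n):
    """Fold any integer into 1..26 (the column's 'add 26 until positive')."""
    return ALPHABET[(n - 1) % 26]


def encrypt(plaintext, key):
    """C(1) = P(1) + N and C(r) = P(r) + N + C(r-1), folded into 1..26."""
    out, prev = [], 0
    for p in _to_numbers(plaintext):
        c = (p + key + prev - 1) % 26 + 1
        out.append(ALPHABET[c - 1])
        prev = c
    return "".join(out)


def decrypt(ciphertext, key):
    """P(1) = C(1) - N and P(r) = C(r) - N - C(r-1), folded into 1..26."""
    out, prev = [], 0
    for c in _to_numbers(ciphertext):
        out.append(_to_letter(c - key - prev))
        prev = c
    return "".join(out)


def brute_force(ciphertext):
    """Try the 26 distinct key residues; returns {residue: candidate text}."""
    return {k: decrypt(ciphertext, k) for k in range(26)}


def key_residue_from_known_pair(plain_first, cipher_first):
    """A single known first letter gives away the key modulo 26."""
    p = _to_numbers(plain_first)[0]
    c = _to_numbers(cipher_first)[0]
    return (c - p) % 26


if __name__ == "__main__":
    # Last issue's message: key 73 and its residue 21 are interchangeable.
    print(encrypt("HELLO", 73), decrypt("CCJQA", 73), decrypt("CCJQA", 73 % 26))
    print("residue from H -> C:", key_residue_from_known_pair("H", "C"))
    # This issue's challenge: list all 26 candidates and read them by eye.
    for residue, candidate in brute_force("XHGSQGAECWSI").items():
        print(f"{residue:2d}  {candidate}")
```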
NOTE: If anyone does come up with an algorithm, don't be shy. Send it on
in, I will take a look at it. If I understand it and like something
about it, I may just toss it up on here for people to look at. If I
don't understand it, I'll inquire with you about it.
Just don't send me a message enciphered with some algorithm you made up
and ask me to crack it without the algorithm. I'm balancing several jobs
and doing this newsletter in my spare time, so I don't have much time to
work on decrypting things.
That's it for today, you've seen the entire howto as it stands up to date.
Expect more from me next issue.
Been fun.
-Iconoclast
crypto@default.net-security.org
V. Telecom 101 - Receiving through the serial port
--------------------------------------------------
Hi and welcome to the last part of my pager-messages sniffing column. This one is
going to be a quicky, but o well :). Anyways, let's get this going.
As I earlier mentioned, it's possible to hook your scanner up to your pc and set it
to scan certain frequency ranges for messages. In this way you could set it to receive
pager signals which you could decode. Pagers however are made to pick up those signals
for themselves and with a little modification even for others too. Today we'll put all
of this together into a device to do some off-the-air POCSAG decoding. Using this
device as a middle-man between your scanner/receiver and your box will allow a more
accurate and clearer receipt of the POCSAG numeric and alpha-numeric signals.
What will you need for this? The parts-list:
U1 741
R1 100k
R2 10k
C1 0.1 uF
C2-3 10uF, 16v
D1-4 1N4148 or 1N914
Here's the schematic, yeah I know my ASCII skills are elite :) and the deciphering
of this schematic will probably take up the most time, but this damn laptop keyboard
of mine just isn't cooperating.
D1-D4
-----------|>|------------------ DTR
+12v | | |_
C1 2 |\ 7 |__|>|___ | __ |
-----II---------------------| \| \|/ | |
Audio In | 3 |U1\_6____ CTS | | |
| ---| / | | |
-- | | /| ---|>|----- | -----
| | | |/ 4 | | |
|R1| -- -12v--------|>|---------- RTS |
| | | | | ---
-- |R2| --- ---
| | | --- | C3
| -- | C2 -------------
| | | |
GND ---------------------------------------------------------------- GND
Now how to connect this thing. Input to this device comes straight from your receiver
(pager/scanner). Most of the time you connect this device to the com2 port, but it more
or less depends on what port you've got free. You connect the ports like this:
COM Port 25 way 9 way
CTS 5 8
GND 7 5
TxD 2 3
RTS 4 7
DTR 20 4
DSR 6 6
The device is powered by the serial port.
Sources (go here for more info):
An excellent article by Emanuel Goldstein in Phrack
http://www.2600.com/phrack/p46-08.html
Software for the actual encoding and decoding of POCSAG signals
http://www.bearnet.demon.co.uk/pocsag/index.htm
A pretty good (dutch) site on scanners and telecommunications in general
http://ssb.auvicom.nl
Ok that's it for today. Parting is sorrow, but don't worry, I'll be back in the next
issue :)
Xander Teunissen,
aka Thejian, Help Net Security
thejian@net-security.org
VI. Security audit with our Mac
-------------------------------
Part-1
Security audits are a lot of fun: from penetration testing, to checking local domain(s),
to users' rights, they give white hat hackers a great way to express their skills. Common
users think that an audit requires a very powerful computer; that's not entirely true unless
you want to use brute force attacks on ftp, webserver, AppleTalk, or NT passwords. There are
1000's of tools you can use: commercial products or freeware security tools. Yes, you
can use Windows NT and Linux tools, but why not use all your favorite toys on one computer,
a Mac?
Let's take a PowerBook G3 (450 MHz, 128 MB, 6 GB) to do this audit. The aim is not to reach
C2 security level, even though that can be done and checked from the PowerBook, but to do a
basic security audit focused on 3 points:
-NT, Unix and AppleTalk password resistance to brute force attacks.
-LAN production servers reliability.
-DMZ penetration testing (from the internet and the local lan).
First of all we will get a copy of two other OSes: Win NT and Linuxppc. Get something
like virtualpc (http://www.connectix.com) or bluelabel (http://www.lismoresoft.com) to
run NT, and a copy of Linuxppc (http://www.linuxppc.com).
*/First we will test the reliability of users' passwords. Almost 75 % of the threats
come from the inside of a company... Easy passwords and default rights (especially with
NT) on a local network can be VERY dangerous. For the brute force attack we will get
dictionaries (ftp://ftp.replay.com/pub/replay/wordlists/). Point your browser to
L0pht to get the world's best-known NT password checker: L0phtcrack 2.5. For the
AppleTalk password guessing we'll get Magic Key 2.0.2
(http://www.deepquest.pf/MK202.sit). You'll use L0phtCrack 2.5 on your virtualpc
workstation and Magic Key under MacOS. This first part doesn't require much skill, but it
will put a heavy load on your computer, so let it run at least 1 business day to get a
good result. If this network has Unix computers, try to decrypt the password file
locally or remotely with Meltino (http://www.deepquest.pf/mac.htm); it'll give you
some passwords. The more passwords you get, the less secure they are. It's very common to
find names of people, animals etc... We could have used Linux for breaking the password
file on the Unix computer, but Magic Key won't be able to run. Now your Mac is in full
effect: it's a real heavy brute force attack simulation: AppleTalk, NT, and Unix
password attack. Let your computer run several hours with this software; don't try to
use anything else, because of the maximum CPU load and to get a better result. Make sure
you merge several dictionaries.
*/Major companies run Win NT servers mixed with Unix flavored servers like Solaris.
Plus those companies most of the time have an Intranet, dialup access, and an Internet
webserver (sometimes directly hosted by an ISP). You're likely to find an IIS or Apache
webserver. Those servers are for the different departments of the company (HR,
marketing, finance etc.) with restricted access. The best tool is a cgi-check
program that tries to access restricted directories or administrative files. The original
cgi-check was written in C, so you have to compile it with Unix... There's another
alternative: a few months ago I adapted this great tool to a more cross-platform
language: rebol. You just have to get rebol from www.rebol.com and cgicheck 99. Then
drop the file on the rebol application, or put cgi-check99.r in the rebol folder, then
launch rebol and do a "do %cgi-check99.r". It will ask you for an IP to scan and will
display the discovered vulnerabilities. Around 70 of the best-known vulnerabilities are
detected. Rebol runs on most OS'es.
----------beginning of code/c-p to a cgi-check99.r file----------
REBOL [
Title: "CGI Check 99 v0.3"
Date: 9-Jun-1999
Author: "deepquest"
; braces are used here because a quoted REBOL string cannot span two lines
Comment: {extR4 shOut 2: loser, packetstorm, attrition, H4k, acpo,
krisTof, mad55, siRYus, bl4St, nucleus, & Other dark/white cR3Ws}
File: %cgi-check99.r
Email: deepquest@netscape.net
Purpose: { Remote Exploits Checker 75 vulnerabilities. }
]
secure none
print "CGI Scanner. Improved by deepquest."
prin "Site to scan: "
site: input
a: exists? join http:// [ site "/cgi-bin/rwwwshell.pl " ]
if a == yes [ print "THC - Backdoor" ]
b: exists? join http:// [ site "/cgi-bin/phf " ]
if b == yes [ print "PHF" ]
c: exists? join http:// [ site "/cgi-bin/Count.cgi " ]
if c == yes [ print "Count.cgi" ]
d: exists? join http:// [ site "/cgi-bin/test.cgi " ]
if d == yes [ print "test-cgi" ]
e: exists? join http:// [ site "/cgi-bin/nph-test-cgi " ]
if e == yes [ print "nph-test-cgi " ]
f: exists? join http:// [ site "/cgi-bin/nph-publish " ]
if f == yes [ print "nph-publish" ]
g: exists? join http:// [ site "/cgi-bin/php.cgi " ]
if g == yes [ print "PHP" ]
h: exists? join http:// [ site "/cgi-bin/handler " ]
if h == yes [ print "handler" ]
i: exists? join http:// [ site "/cgi-bin/webgais " ]
if i == yes [ print "webgais" ]
j: exists? join http:// [ site "/cgi-bin/websendmail " ]
if j == yes [ print "websendmail" ]
k: exists? join http:// [ site "/cgi-bin/webdist.cgi " ]
if k == yes [ print "webdist.cgi" ]
l: exists? join http:// [ site "/cgi-bin/faxsurvey " ]
if l == yes [ print "faxsurvey" ]
m: exists? join http:// [ site "/cgi-bin/htmlscript " ]
if m == yes [ print "htmlscript" ]
n: exists? join http:// [ site "/cgi-bin/pfdisplay.cgi" ]
if n == yes [ print "pfdisplay" ]
o: exists? join http:// [ site "/cgi-bin/perl.exe" ]
if o == yes [ print "perl.exe" ]
p: exists? join http:// [ site "/cgi-bin/wwwboard.pl" ]
if p == yes [ print "wwwboard.pl" ]
q: exists? join http:// [ site "/cgi-bin/www-sql " ]
if q == yes [ print "www-sql" ]
r: exists? join http:// [ site "/cgi-bin/view-source " ]
if r == yes [ print "view-source" ]
s: exists? join http:// [ site "/cgi-bin/campas " ]
if s == yes [ print "campas" ]
t: exists? join http:// [ site "/cgi-bin/aglimpse " ]
if t == yes [ print "aglimpse" ]
u: exists? join http:// [ site "/cgi-bin/glimpse " ]
if u == yes [ print "glimpse" ]
v: exists? join http:// [ site "/cgi-bin/man.sh " ]
if v == yes [ print "man.sh" ]
w: exists? join http:// [ site "/cgi-bin/AT-admin.cgi " ]
if w == yes [ print "AT-admin.cgi" ]
x: exists? join http:// [ site "/cgi-bin/filemail.pl " ]
if x == yes [ print "filemail.pl" ]
y: exists? join http:// [ site "/cgi-bin/maillist.pl " ]
if y == yes [ print "maillist.pl" ]
z: exists? join http:// [ site "/cgi-bin/jj " ]
if z == yes [ print "jj" ]
aa: exists? join http:// [ site "/cgi-bin/info2www " ]
if aa == yes [ print "info2www" ]
bb: exists? join http:// [ site "/cgi-bin/files.pl " ]
if bb == yes [ print "files.pl" ]
cc: exists? join http:// [ site "/cgi-bin/finger " ]
if cc == yes [ print "finger" ]
dd: exists? join http:// [ site "/cgi-bin/bnbform.cgi " ]
if dd == yes [ print "bnbform.cgi" ]
ee: exists? join http:// [ site "/cgi-bin/survey.cgi " ]
if ee == yes [ print "survey.cgi" ]
ff: exists? join http:// [ site "/cgi-bin/AnyForm2 " ]
if ff == yes [ print "AnyForm2" ]
gg: exists? join http:// [ site "/cgi-bin/textcounter.pl " ]
if gg == yes [ print "textcounter.pl" ]
hh: exists? join http:// [ site "/cgi-bin/classifieds.cgi " ]
if hh == yes [ print "classifieds.cgi" ]
ii: exists? join http:// [ site "/cgi-bin/environ.cgi " ]
if ii == yes [ print "environ.cgi" ]
jj: exists? join http:// [ site "/cgi-bin/wrap " ]
if jj == yes [ print "wrap" ]
kk: exists? join http:// [ site "/cgi-bin/cgiwrap " ]
if kk == yes [ print "cgiwrap" ]
ll: exists? join http:// [ site "/cgi-bin/guestbook.cgi " ]
if ll == yes [ print "guestbook.cgi" ]
mm: exists? join http:// [ site "/cgi-bin/edit.pl " ]
if mm == yes [ print "edit.pl" ]
nn: exists? join http:// [ site "/cgi-bin/perlshop.cgi " ]
if nn == yes [ print "perlshop.cgi" ]
oo: exists? join http:// [ site "/_vti_inf.html " ]
if oo == yes [ print "_vti_inf.html" ]
pp: exists? join http:// [ site "/_vti_pvt/service.pwd " ]
if pp == yes [ print "service.pwd" ]
qq: exists? join http:// [ site "/_vti_pvt/users.pwd " ]
if qq == yes [ print "users.pwd" ]
rr: exists? join http:// [ site "/_vti_pvt/authors.pwd" ]
if rr == yes [ print "authors.pwd" ]
ss: exists? join http:// [ site "/_vti_pvt/administrators.pwd " ]
if ss == yes [ print "administrators.pwd" ]
tt: exists? join http:// [ site "/_vti_pvt/shtml.dll " ]
if tt == yes [ print "shtml.dll" ]
uu: exists? join http:// [ site "/_vti_pvt/shtml.exe " ]
if uu == yes [ print "shtml.exe" ]
vv: exists? join http:// [ site "/cgi-dos/args.bat " ]
if vv == yes [ print "args.bat" ]
ww: exists? join http:// [ site "/cgi-win/uploader.exe " ]
if ww == yes [ print "uploader.exe" ]
xx: exists? join http:// [ site "/cgi-bin/rguest.exe " ]
if xx == yes [ print "rguest.exe" ]
yy: exists? join http:// [ site "/cgi-bin/wguest.exe " ]
if yy == yes [ print "wguest.exe" ]
zz: exists? join http:// [ site "/scripts/issadmin/bdir.htr " ]
if zz == yes [ print "BDir - Samples" ]
aaa: exists? join http:// [ site "/scripts/CGImail.exe " ]
if aaa == yes [ print "CGImail.exe" ]
bbb: exists? join http:// [ site "/scripts/tools/newdsn.exe " ]
if bbb == yes [ print "newdsn.exe" ]
ccc: exists? join http:// [ site "/scripts/fpcount.exe " ]
if ccc == yes [ print "fpcount.exe" ]
ddd: exists? join http:// [ site "/cfdocs/expelval/openfile.cfm " ]
if ddd == yes [ print "openfile.cfm" ]
eee: exists? join http:// [ site "/cfdocs/expelval/exprcalc.cfm " ]
if eee == yes [ print "exprcalc.cfm" ]
fff: exists? join http:// [ site
"/cfdocs/expelval/displayopenedfile.cfm " ]
if fff == yes [ print "displayopenedfile.cfm" ]
ggg: exists? join http:// [ site "/cfdocs/expelval/sendmail.cfm " ]
if ggg == yes [ print "sendmail.cfm" ]
hhh: exists? join http:// [ site
"/iissamples/exair/howitworks/codebrws.asp " ]
if hhh == yes [ print "codebrws.asp" ]
iii: exists? join http:// [ site
"/iissamples/sdk/asp/docs/codebrws.asp " ]
if iii == yes [ print "codebrws.asp" ]
jjj: exists? join http:// [ site
"/msads/Samples/SELECTOR/showcode.asp " ]
if jjj == yes [ print "showcode.asp" ]
kkk: exists? join http:// [ site "/search97.vts " ]
if kkk == yes [ print "search97.vts" ]
lll: exists? join http:// [ site "/carbo.dll " ]
if lll == yes [ print "carbo.dll" ]
mmm: exists? join http:// [ site
"/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd " ]
if mmm == yes [ print "whois_raw.cgi" ]
nnn: exists? join http:// [ site "/doc " ]
if nnn == yes [ print "Debian Boa" ]
ooo: exists? join http:// [ site "/.html/............./config.sys " ]
if ooo == yes [ print "ICQ99" ]
ppp: exists? join http:// [ site "/....../ " ]
if ppp == yes [ print "personal webserver" ]
rrr: exists? join http:// [ site "/scripts/no-such-file.pl " ]
if rrr == yes [ print "IIS-perl" ]
; leading slash added so the path is not glued to the host name
sss: exists? join http:// [ site "/cgi-bin/visadmin.exe?user=guest " ]
if sss == yes [ print "OmniHTTPd Web Server " ]
--------------------end of code--------------------
Another basic thing you can do is to look for the latest security issues on forums like
Bugtraq or others. Zero-day exploits have to be taken into consideration since you're
asked to take a snapshot of Information Services. Don't waste your time on local bugs,
but rather on remote exploits. I assume the company has at least a secure data room!
Another thing to do from your virtualpc is to use dumpacl and dumpreg for NT server.
What are the access levels and for whom? Checking AppleShare IP shares remotely is
very fast with ServerScan (http://freaky.staticusers.net/network.shtml). You
won't have to worry about special shares like NT has in the registry, or admin shares
like c$ etc... Unix is quite different; I suggest you use Panda309 by thegrid
(http://www.deepquest.pf/panda309-v1.0.tar.gz). It runs on Linuxppc, does a B or C class
portscan with remote OS fingerprinting and some vulnerability detection. In a few
minutes you get a topo of the LAN. This part of the audit can take up quite a lot of time,
but make sure you check what you're told to check :-)
/*EOF 1-2
ps: this txt does NOT make your computer, LAN, DMZ safer at all! It's just a basic
overview of what you can do from a mac.
DMZ audit to be continued... next week
Deepquest
deepquest@default.net-security.org
All rights not reserved- Serving since 1994
http://www.deepquest.pf
VII. Computing: Matrox G400 MAX Review
--------------------------------------
Matrox has been around since the dawn of 3D graphics. Their Millenium actually
harbored a 'few' 3D features but the subsequent Mystique, PowerVR PCX2 and G200 parts
were far from being 'real' gaming boards. The performance and feature list was way
below par for the Mystique and the G200 just couldn't cope with Quake 2. 1997 to the
present hasn't been exactly fruitful for Matrox. Gamers in particular have always sided
with 3dfx or NVIDIA. With only a few OEM design wins for the G200, Matrox clearly had
some work to do for their next generation G400 chipset.
The fill rate of the G400 MAX is certainly up there with the best of the bunch
at 333MTexels per second (and identical to that of the Voodoo3 3000). The G400 MAX
processor also supports single cycle multi-texturing (great for those 3D first person
shooters). As with most of these new 2D/3D chips, the G400 MAX is on a .25micron five
layer metal process technology. It also harbors Matrox's 256-bit DualBus architecture
with true 128-bit external bus to video memory. Although we've yet to witness the
Camino and AGP 4X, the G400MAX is AGP 2X/4X capable with Multi-threaded Bus Mastering.
It's ably backed up by 32MB of SGRAM. Matrox hasn't actually come out and said what
their clock speed is but with a 333Mtexel/sec fill rate, it's pretty easy to work out
that 'magic' number. Bearing in mind that it is two cycles per clock you simply divide
333 by two and are left with 166MHz. D3D is certainly where the 'future' lies and with
a G400 MAX and its 32MB, you'll be in the very best of hands. It really is exceptionally
fast. The Forsaken scores were not only the fastest yet seen, but the astounding 32-bit
performance certainly sets a precedent. The performance hit was minimal at 'worst' and
at 800x600 in 32bit, frame rate was over 200fps. Even at 1600x1200 we still see scores
over 70fps in 32-bit on a Pentium III 500MHz. The multitexturing capabilities of the
card under DX6 were also impressive as the Shogo: MAD scores show.
(The higher the resolution and color depth, the wider the gap between the G400MAX and
the rest.)
No FINAL ICD was available with the review unit. Matrox really does need to sort
this out in time for the product launch (it even says a FULL ICD is supposed to come
with the retail part). Clearly some work needs to be done. Quake 2 performance, whilst
acceptable (especially at the higher resolutions), was still some way off from a Voodoo3
or TNT2. Half-Life was even worse. The performance was way below par. We understand that
the OpenGL drivers we were given were in BETA so we'll update these scores as and when
we can. On the other hand, Quake 3: Arena at 1024x768 and in 32-bit was very playable.
(The slower OpenGL Quake 2 scores force us to dock a point off of the final score.
Should Matrox get around to improving the performance- we will re-evaluate.)
Clearly for its whopping great $249 asking price, this card is NOT for the
low-end user. The faster your CPU, the better performance you get for your money. A
Celeron 400 would be our cut-off point, where you're still likely to find that the D3D
performance is top notch.
(The question is, how many game developers are going to implement this feature. We hope
it picks up more than S3's S3TC has done thus far. Matrox lists some 40 games.....)
Ok so now you've seen just how stunning a game can look when the feature is
implemented but what's the big deal? All the major 3D chip manufacturers list 'bump
mapping' on their spec sheet, right? Well the truth is out there somewhere. There are
many ways to represent this effect. There's the conventional cheat of embossing,
there's the PowerVR way, there's the Dot3 3Dlabs method and finally there's the Matrox
way. Matrox's implementation of this DirectX6.0 'quality feature' allows for a richer
looking environment than mere embossing can simulate. It allows for multiple light
sources in one pass as well as reflective environment mapping on the same bump. Most
other 3D cards (the Voodoo3, TNT2 etc.) use the conventional embossing method to
simulate bump mapping- which really isn't all that big of a deal. Voodoo Graphics could
do the very same thing way back in 1997. This Embossing (or multi-pass alpha blending)
is limited to monochrome lighting and also brings out artifacts when simulated because
of its per-polygon technique (Matrox's bump mapping is per pixel instead). Using
embossing won't give you those luscious rolling waves as seen above, one can't use an
environment map to simulate distortion effects. Basically, a TNT2 or Voodoo3 will
'counterfeit' bump mapping because embossing is NOT the real deal. In a market so
over-saturated it's really no surprise that Matrox is pushing their beloved bump
mapping so hard. For them it's what separates their card from the rest of the crop.
The question is, does it do for you what it does for them? You've seen the shots of
Expendable but even if Matrox convinces game developers that bump mapping is a case
of 'do or die', it'll still be a while before it becomes an industry standard (if it
indeed does). The jury is still out amongst gamers and game developers alike in terms
of the performance hit entailed with bump mapping. Although Expendable 'seemed' to
hold-up to a similar frame rate when bump mapping was turned on, it wasn't really the
best test. Odd cars and water effects are not exactly 'whole scenes'. Try a couple of
Quake 3: Arena 'bump mapped' tunnels and then we'll know for sure. Having said that,
using embossing is an even greater strain on your CPU as it calculates UV shifts.
(It really is gorgeous but will game developers support this feature? Only time will
tell.)
The G400MAX is certainly a 'feature' driven product. Just like the NVIDIA TNT2,
it harbors support for 24-bit Z-Buffer with an 8-bit stencil buffer (which looks
excellent when used in Quake 3). The stencil buffering can be used to specify
conditional masks, which in turn allows for dissolve and transition effects such as
volumetric shadows, silhouettes, scorch/skid marks etc. It's certainly a welcome
feature and eradicates the 'flickering shadow' seen with a 16-bit Z Buffer. (Whilst far
from being an essential feature (the Voodoo3 is limited to a 16-bit Z buffer) it does
add to the overall LOD of a complex scene. Most other chips support this now.) The
G400MAX's DualHead Display is certainly one of its most interesting and innovative
characteristics. In a market saturated by products that all do the same thing, the
DualHead Display technology gives end-users something else to think about. In a
nutshell, it allows a single chip to output two physically separate images
simultaneously to two different output devices. This feature currently supports
simultaneous output to either two RGB monitors, to an RGB monitor and a television set,
to an RGB monitor and a Digital Flat Panel or to two analog Flat Panels. The G400
design contains two separate Cathode Ray Tube Controllers (CRTCs), which can retrieve
data independently from different locations in the AGP memory or display buffer.
Interestingly enough, the two CRTCs (connected to the integrated 360 MHz RAMDAC) can
read the same image but at varying refresh rates. The second CRTC can be connected to
the TV-Out function (which supports PAL/NTSC and SECAM) or to a DFP (Digital Flat Panel
Display) transmitter, with an RGB stream of up to 1280x1024 at 32 bit (in 60Hz for a
second monitor). The DualHead also solves the 'flicker' problem and eliminates
limitation of current TV-Out solutions, where the PC monitor has to run at 50/60Hz in
order to support the PAL/NTSC TV-Out standards.
"So what", you might think? Have you ever tried editing images in Adobe Photoshop? With
the DualHead feature enabled, you could have all your small images on one monitor and
edit a blown-up version of an image on another. One monitor can be used to display the
canvas, whilst the toolbars can be displayed by the secondary monitor. Photographs and
scanned images can be zoomed, whilst pixels can be zoomed to the second display for
retouching. Less minimizing and all-around less hassle- we've tried it and really can
see the benefits for the artistically minded end-user. Photoshop isn't the only
application suited for this feature either. Gamers might also be able to reap the
benefits too in the not too distant future. Flight Sim fans would surely crave for
multimonitor in-game support. Fire a missile and then track its progress on the second
monitor. Well, we're still some way off from seeing that but Microsoft has already
stated that their MS Flight Simulator series will harbor support for DualHead.
Windows 2000 will also mean this feature might well get used more and more. There are
other advantages to this DualHead technology (see below). For example you can watch a
DVD movie on one screen whilst whizzing through your spread sheets (what joy) on
another. (Matrox has clearly decided to stay 'ahead' of the game and gone for
innovation. DualHead won't change your life just yet but its usefulness should grow.)
The Matrox G400 doubles the engine bandwidth by using 256-bit DualBus architecture,
composed of two independent one way 128-bit buses working in parallel inside the chip
to output 128 bits of valid data on every chip clock cycle, while the traditional
128-bit bus outputs 128 bits of valid data only on every other clock cycle.
Here's how it works. The two internal buffers store a multitude of instructions and/or
data. On every chip clock cycle, data is sent to the engine via the 128-bit internal input bus
and on the same chip clock cycle, processed data from the engine is sent back to the output
buffer via the 128-bit internal output bus. It's a two-lane highway compared to a one-lane
bridge.
Because the external 128-bit bus to video memory can run at higher clock rates than the internal graphics engine, data multiplexing logic is used
to manage the data buffers to ensure that data is being sent to the engine, and that
processed data is being read from the engine, on every chip clock cycle. This way, the
bus never sleeps. With the advent of multi-textured applications comes the potential
for multiple messes. While single texturing is relatively straight forward, multi-texturing
requires blending many textures onto a single polygon. If your hardware does a sloppy
job of it you end up with UGLY. The key is precision throughout the internal 3D pipeline. In the ongoing 16 vs. 32-bit debate, don't lose sight of
the reason it makes a difference:
More bits means more accuracy. The reason 3dfx can claim closer to 22-bit color is
because their internal pipeline is 32-bit. Well, Matrox has gone a step further and
outputs at 32-bit as well. In fact they've gone a bit 32-bit mad; here's the list:
o 32-bit precision throughout the 3D pipeline along with 32-bit accumulation buffers
o 32-bit rendering to ensure all internal operations are done with 32-bit accuracy
o 32-bit source textures (with support for texture sizes up to 2048 x 2048)
o 32-bit Z-buffer/stencil buffer for maximum depth precision
o 32-bit internal results dithered down for the highest quality 16-bit output
Lest you get the notion that 32-bit is the only buzzword on their lips, here's another list:
o Full subpixel and subtexel positioning
o 8-bit filter coefficients, to provide the best quality bilinear, trilinear and
anisotropic filtering
o Ultrasharp RAMDAC technology for fully saturated analog outputs.
Here is Matrox's reasoning: "A 32-bit texture typically has eight bits for each
of the following components: Red, Green, Blue, and Alpha. Therefore, 32-bit rendering
selects from among 256 different shades of each RGB color component, for a total of
16.7 million possible colors. On the other hand, a 16-bit texture typically has five
bits for each Red, Green and Blue component, and only one for Alpha. This means that
16-bit rendering draws images from a color palette containing 32 shades for each color
component, for a total of only 65,000 possible colors.
32-bpp color accuracy throughout the rendering pipeline makes for a cleaner,
smoother gradient of colors than 16-bpp can deliver. The reason for the difference in
quality is simple: the lack of available shades with 16-bit rendering results in lower
image quality. On top of this, internal calculations with 16-bit rendering deteriorate
image quality even further due to the errors caused by lack of precision." Didn't we
just say that?
Unlike everything Voodoo which utilizes AGP for the bus speed only, the Matrox
G400 and G400 MAX are designed from the inside out to make maximum use of the AGP 4X's
1GB/sec bandwidth. While that doesn't much matter now (there is nary a 4X equipped
system to be had) it could matter a great deal when Intel and AMD release their full
AGP 4X rigs and developers really begin to push that envelope.
The Matrox G400 chipset entails an MPEG II DVD decoder (most next generation
2D/3D cards do these days). The software bundle that Matrox has gone for is Zoran's
SoftDVD2 (ATI uses the same) player for DVD video playback, which lets you watch all
of your favorite flicks on your PC. The software itself is easy to use and get used
to with the remote control supporting basic play functions, as well as advanced
navigational features (play, forward, rewind etc.). The usual array of features include,
sub-picture blending, aspect ratio scaling (allowing for 16:9 encoded DVD on to 4:3
aspect ratio TVs) and full-screen output to a TV. The default resolution for watching
movies is at 800x600 (the software automatically drops your desktop to this resolution).
Although Zoran's SoftDVD software is well respected and a popular choice, the
first version was also known for its 100% CPU usage. As with the previous version of
Zoran's SoftDVD, this new version also requires a hefty CPU- a Pentium II 333MHz being
the MINIMUM spec. The software decoding hogged most of your system's resources so
checking stock prices whilst watching Mr. White go berserk in Reservoir Dogs wasn't
really an option. Version 2 of the SoftDVD has been markedly improved in terms of
its CPU usage and multitasking (whilst not advised) is just about possible. For much
more rewarding results, the G400MAX's DualHead function can be used to great effect.
For example, you could use the primary RGB output for your web browsing, whilst at
the same time use the second RGB output to watch a DVD movie on a second monitor. Then again, you could do your work faster, unbothered by a movie
in the background and then just switch off your PC and go watch a movie on your
TV later...
Features
o Title and menu options include title and chapter search, subtitle and language
option, audio and root menu
o Language selection of up to 32 different audio tracks
o Seamless viewing angle switching without audio interruption
o Parental lock for controlling adult content
(The quality of the MGA-G400MAX really does the DVD job well. The pictures are crisp
and the colors rich (useful during the full 1 hour 33 mins of the Reservoir Dogs test))
The 2D on the Matrox is absolutely unbeatable. You couldn't really expect
anything less from Matrox, who have been the 2D kings on and off since the Millenium
days. The G400 MAX's 360MHz RAMDAC is the fastest to date (some 10MHz faster than
on a Voodoo3 3500) and as a result has the best 2D performance so far. The G400
MAX's UltraSharp DAC technology and support for true 24-bit color at resolutions as
high as 2048 x 1536 dishes out fast screen refresh rates along with crisp/clean text and images. The 256-bit DualBus graphics engine and optimized
AGP 2X chip design no doubt helped it fly through a couple of ZD 2Dwinbench runs.
(If 2D is your oyster then the two best 2D performers are the G400 MAX and the
Voodoo3 3000 (in that order).)
Matrox's PowerDesk tools have always been solid and in the G400 MAX's case,
it's no different. You can tweak away till your heart's content (refresh rates,
gamma settings). The controls for the DualHead are also easy to use and just require
'checking' and 'unchecking' as the case may be. Gamers will be slightly 'peeved'
at the lack of a V-Sync 'disable' check box. Those of you that are happy to edit
the registry can do just that, whilst others may choose to use Powerstrip etc...
Matrox chose to stay WHQL certified and thus offers no V-Sync disabling functions.
(We witnessed ZERO crashes in any Windows applications.)
Other than the provided DVD software from Zoran (top notch) and the Matrox
drivers, nothing has yet been set in stone. All of the bump mapping demos found on
their web site came with the CD as well as playable demo versions of Expendable,
Drakan and Slave Zero. All fun while they lasted.
Matrox has entered the 3D gaming scene. The G400MAX is lightning quick in
some D3D games but when multitexturing comes into play, the architecture doesn't
seem quite as efficient as the Voodoo3's or TNT2's and the OpenGL really needs improving.
So really hardcore gamers that live and die by Quake 2 (let's see how Quake 3
performs when the timedemo is released) might still want to go for a Voodoo3 3000
or a UltraTNT2.
If you're a gamer but all about 'image' rather than frame rate, the G400MAX
wins hands down. It did outperform a Voodoo3 and UltraTNT2 in some D3D tests and
it also shows that 32-bit rendering can be used at a minimal performance loss.
Alongside the UltraTNT2, the G400MAX harbors the best image quality and with bump
mapping enabled (where possible) it creeps ahead. Whilst on the expensive side at
$249.99, we were still left pleasantly surprised and do recommend this card to gamers and end-users who would make use of some of the more innovative
features such as DualHead.
GOOD:
o Visual Quality
o Unique Features (bump mapping & DualHead)
o Exceptional D3D performance
BAD:
o Quake 2 Scores not up to scratch (currently)
o High Price
o Requires a fast CPU
Damir Kvajo
aka Atlienz
atlienz@default.net-security.org
VIII. Understanding basic crypto techniques
-------------------------------------------
To begin with, it's important to understand the primary basic techniques
of encryption: symmetric key-based algorithms, such as block ciphers and
stream ciphers; asymmetric key-based algorithms, such as public key
encryption; and hash ciphers, which are used for passwords on most
operating systems. These are the three primary methods of cryptography
systems -- most systems are based on one of these techniques, or a
combination of them.
Block ciphers and stream ciphers are known as symmetric key-based
algorithms. What this means, in plain English, is that the same key is
used for encryption and decryption. If I encrypt the word 'SPEEDBOAT' as
'QLXXAFRMP', such that Q=S, L=P, X=E, etc, then I should be able to
decrypt 'QLXXAFRMP' using the same key. Block ciphers are commonly used
to encrypt files on a system. In a block cipher, information is divided
into equal-sized blocks of text (say, five letters: 'THIS IS A SECRET
MESSAGE' would be separated into 'THISI SASEC RETME SSAGE') and then each
block is encrypted using the same algorithm. IDEA is an example of a
well-known block cipher, as is Blowfish. In stream ciphers, data is
encrypted in much smaller chunks, usually bits. This form of encryption
is generally what's used to encrypt information as it passes from one
system to another, because it's much faster than block ciphers -- crypt
(the original UNIX command) is a stream cipher, as are most non-computer
based encryption systems. For instance, the Cryptoquote in many daily
newspapers is a stream cipher -- each letter is encrypted as it comes.
The differences between the two are mostly in the implementation. An easy
way to think of it is that block ciphers are generally implemented within
software, while stream ciphers within the hardware encrypt individual bits
as they go by.
In asymmetric key-based algorithms, a different key from the one used to
encrypt a message is used to decrypt it. This is more commonly known as
public key encryption, and RSA is a notable implementation of it -- a user
of public key encryption has both a public key (which is used to encrypt a
message) and a private key (which is used to decrypt a message). In a
public key system, I could post my public key somewhere easily available,
and a complete stranger could use it to encrypt a message. He then sends
the message to me, and my private key decrypts it. If the message is
intercepted, because two different keys are used, my message remains
secure even if the interceptor has my public key. Only the private key
can decipher the encrypted message.
And then there are one-way hash systems, such as SHA and MD5, which most
operating systems use to store passwords. I discuss password management
in detail later in the article.
Some encryption implementations use all three methods to serve various
different purposes in the system. For instance, the well-known public key
system PGP (Pretty Good Privacy) uses the IDEA block cipher for the actual
encryption of the data, RSA for the public and private keys themselves,
and an MD5 one-way hash for passwords. This way, the system itself is
protected in many ways, with each cryptography technique being put to its
best use.
How passwords work
------------------
Most operating systems handle passwords by using one-way hashes. What
this means, in practice, is that your password is not stored anywhere on
your computer. When you initially enter your password, the system
encrypts it using a hash function. The system knows how it hashed the
sequence of characters that is your password, so every time you log on,
the system encrypts what you have just typed using the same hash function,
and compares the encrypted results to the encrypted password. For
instance, if your password is 'Superman', the actual hash may look
something like 'dLboH6tH$kP/Nre1TMLr4thuBRmz' (please note: this is not
an actual hash). Whenever you type in the word 'Superman' at your
password prompt, the machine sees 'dLboH6tH$kP/Nre1TMLr4thuBRmz'. It
compares, notes that the two hashes are the same, and lets you into your
account.
What password cracking programs do is either take lists of words (in the
case of a dictionary or word file attack) or generate strings of
characters (in the case of a brute force attack), encrypt them, and
compare them to the hashes in the password file until they find a match.
This is why it's important to protect your password file even though it's
encrypted.
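The store-and-compare scheme described in this section, as an added example that is not part of the original article. It also shows why a fast unsalted hash makes a leaked password file cheap to check against a word list, while a per-user salt and a slow hash do not; PBKDF2-SHA256, the iteration count, the user names, passwords and word list are all choices or constructed data of this example.

```python
import hashlib
import hmac
import os

# Work factor for this example only; pick the highest count your login path can afford.
ITERATIONS = 100_000


def fast_unsalted_hash(password):
    """The weak scheme: one fast hash, no salt. Same password -> same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def enroll(password, iterations=ITERATIONS):
    """Create the record that goes in the password file; the password itself is not kept."""
    salt = os.urandom(16)  # unique per user, stored next to the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(attempt, record):
    """Re-hash what was typed with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def audit_unsalted(password_file, wordlist):
    """Dictionary check against unsalted hashes: each word is hashed once for all users."""
    lookup = {fast_unsalted_hash(word): word for word in wordlist}
    return sorted(user for user, h in password_file.items() if h in lookup)


def audit_salted(password_file, wordlist):
    """Same check against salted records: every (user, word) pair costs a full PBKDF2 run."""
    return sorted(
        user
        for user, record in password_file.items()
        if any(verify(word, record) for word in wordlist)
    )


# Constructed sample data: user names, passwords and word list are invented.
USERS = {"alice": "Superman", "bob": "Superman", "carol": "kT4#vq-Lm2!xZ"}
WORDLIST = ["password", "letmein", "Superman"]

if __name__ == "__main__":
    weak_file = {u: fast_unsalted_hash(p) for u, p in USERS.items()}
    strong_file = {u: enroll(p) for u, p in USERS.items()}
    print("unsalted, alice == bob:", weak_file["alice"] == weak_file["bob"])
    print("salted,   alice == bob:", strong_file["alice"]["hash"] == strong_file["bob"]["hash"])
    print("login ok:", verify("Superman", strong_file["alice"]))
    print("login rejected:", not verify("superman", strong_file["alice"]))
    print("weak passwords (unsalted file):", audit_unsalted(weak_file, WORDLIST))
    print("weak passwords (salted file):  ", audit_salted(strong_file, WORDLIST))
```

Both audits flag the same weak accounts; the difference is cost, since the salted file forces one slow hash per user per word instead of one fast hash per word.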
References
----------
By far the most comprehensive book on cryptography is Bruce Schneier's
_Applied_Cryptography_ (2nd edition). It's easy to understand, so if this
subject interests you, I recommend buying it. For information about
breaking password encryption, L0pht's documentation for L0phtCrack
(http://www.l0pht.com/l0phtcrack/) contains a brief description of the
various methods it uses. Crack (http://www.users.dircon.co.uk/~crypto/)
is a dictionary-style password checker, and John the Ripper
(http://www.false.com/security/john/) is a brute force-style password
checker.
/dev/null
null@fiend.enoch.org
IX. Infection & Vaccination
---------------------------
It's been a long time but yes we do have two spanking new trojans for you. We also
have a little story for you. To top that off we continued with our general trojan
info: why trojans work on Windows 95 and not Windows NT.
Our first trojan of the week is called Digital Rootbeer. The name is the most unique
thing about this trojan. It has a lot of features, but nothing new. The most
dangerous feature is its file control (Execute, upload, download, delete). Rootbeer
listens for connections on port 2600 (TCP), which cannot be changed. It installs to
c:\windows\ with whatever name it is called when you run it. It does not run on
Windows NT. If you would like to find out where the original file is, open regedit
and browse to:
HKEY_LOCAL_MACHINE\SOFTWARE\1999 --=[">?t~%?"-M¥N]=--\.
The Program Path key contains the location and filename of the file you ran that
installed Digital RootBeer. So you might be able to find out who gave it to you. For
example, if someone on ICQ gave it to you, it should be in the received files under
the name of the person who sent it to you.
Here is the 3-step manual removal:
1. Open regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.
Then remove the ActiveX Console.
2. Close the server or reboot the machine.
3. Browse to c:\windows and remove the trojan file which can be found in the Program
Path key at HKEY_LOCAL_MACHINE\SOFTWARE\1999 --=[">?t~%?"-M¥N]=--\.
The next trojan we have for you is Death version 1.0 by Earlz Plumbing. The client's
GUI looks nice but is rather difficult to use. Like Digital RootBeer, it has a lot of
features without anything new, though it does have a window lock command to lock a
window on the host computer from being updated.
Unlike RootBeer, it runs on port 2 (TCP), which can be changed. Unfortunately we
could not get it to run on Windows 95 because it needs Visual Basic 6 runtime files
which we currently do not have on that machine. On our NT machine we do have VB 6
files, but it does not infect NT :-) Sorry.
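A check for the indicators named above (Digital RootBeer's fixed TCP port 2600 and its "ActiveX Console" Run value, Death's default TCP port 2), as an added example that is not part of the original article. It parses saved `netstat -an` output and a regedit export; both samples are constructed, and the file name setup32.exe is a placeholder.

```python
import re

# Indicators as stated in the article: trojan name -> (default TCP port, Run value name).
# Death's port is configurable and the article names no Run value for it.
INDICATORS = {
    "Digital RootBeer": (2600, "ActiveX Console"),
    "Death 1.0": (2, None),
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: `netstat -an` output saved from a Windows host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2600           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      10.0.0.5:2             ESTABLISHED
  UDP    0.0.0.0:2600           *:*
"""

# Constructed sample: regedit export (REGEDIT4 text format); setup32.exe is a placeholder.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ActiveX Console"="C:\\WINDOWS\\setup32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"""

_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def listening_tcp_ports(netstat_text):
    """Return local TCP ports in LISTENING state (outbound and UDP lines are ignored)."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].upper() == "TCP" and fields[3].upper() == "LISTENING":
            port = fields[1].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports


def run_values(reg_text):
    """Return {value name: data} for string values directly under the Run key."""
    values, in_run_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Exact key match, so RunServices and other keys are not mixed in.
            in_run_key = line[1:-1].rstrip("\\").lower() == RUN_KEY.lower()
            continue
        match = _VALUE.match(line) if in_run_key else None
        if match:
            # Undo the export's backslash escaping (\\ -> \, \" -> ").
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in match.groups())
            values[name] = data
    return values


def find_indicators(netstat_text, reg_text):
    """List (trojan, kind, detail) for every indicator present in the two captures."""
    ports = listening_tcp_ports(netstat_text)
    autoruns = {name.lower(): data for name, data in run_values(reg_text).items()}
    findings = []
    for trojan, (port, run_name) in INDICATORS.items():
        if port in ports:
            findings.append((trojan, "listening", f"TCP {port}"))
        if run_name and run_name.lower() in autoruns:
            findings.append((trojan, "autorun", autoruns[run_name.lower()]))
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_NETSTAT, SAMPLE_REG):
        print(finding)
```

A listening port on its own is only a hint, since other software can use the same number; the autorun data gives the file path to examine, which matches step 3 of the manual removal.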
Here is a little story that has many good lessons to learn from it. One of our
friends came across this page: http://www.blue.icestorm.net/nerv/. It has a program
called iCMP J1zz that can knock anyone off of IRC, which is a tool we all need, isn't it?
Well, even though the person took credit for programming it in C++, it is in fact a
configured SubSeven server. I could be wrong but it appears the j1zz.exe has some
Visual Basic runtime files in plain text when viewing in notepad, which is usually
an indication it's programmed in Visual Basic. Another thing: I do not believe that
SubSeven is even made in C++, so that's just wrong. Believe it
or not we actually have some lessons that can be learned from this. Okay, well, first
don't just go downloading every cool sounding program you see. Another thing is if
you're infected with a trojan you can always send it to me to be studied. I had fun
finding an Email address and 2 different ICQ UINs from the SubSeven server. To all
you people that use trojans, maybe you should not use SubSeven. Also just for your
info on that site all 3 programs are just SubSeven servers.
Okay here is our last section for this week. It's a simple thing that a lot of people
don't realize. Most trojans will not run on Windows NT due to two differences. First,
there is no standard c:\windows directory on Windows NT, which messes up a very small
number of trojans. The other difference between Windows NT and 95 is in the API code.
When a trojan tries to hide from the task manager you can view on Windows 95 (using
Alt-Ctrl-Del) it uses an API code which differs enough on NT to stop it from working.
Next week we will compare the following Trojan removers: Trojan Defense Suite,
LockDown 2000 and The Cleaner. Hope you all have a trojan free week.
Zemac
zemac@dark-e.com
http://www.dark-e.com
X. New programs on Net-Security (NS Watch!)
-------------------------------------------
After some time, the Projects page on net-security.org is finally updated. This page
will follow its previous tradition in bringing you the best security programs
made by net-security staff.
NS Watch! (NSW) in its latest version (2.0.4.0 FINAL) is a program that watches
over your windows\system, registry run keys and 32 bit CRC of selected files.
I came to the idea of making this program after I was hit by the Marburg virus.
The idea was to make something like a logger that would take care of newcomers
in your windows\system and registry run keys. I was not satisfied with loggers
like regmon and filemon because they were displaying too much unimportant
info. After the first version was released I found one sympathetic CRC calculating
routine. Why not include it in NSW? So I did it and that was it. Of course there were
some bugs occurring, and I encourage you to uninstall any previous NSW version
except this FINAL.
The second program is made by a person who is not in net-security. His name is
Dancho and he made Trojan Library. It is one of the few programs of its kind,
because it brings you the latest Trojan/Worm information for reading
offline. Dancho promised that he will update this library often so don't forget
to check the projects page from time to time.
I will also put some "Goltha approved" :) links on the projects page. I know we
already have a links page on net-security, but these links are going to lead only to
sites where you can find very useful or rare things.
And in the end, if you have any comments, wishes or anything else do not
hesitate to contact me...
Tomislav "Goltha" Petrovic
Net-Security programmer
goltha@net-security.org
XI. More news from the ACPO front
---------------------------------
Hi again...
I'm honored to be allowed to tell you a bit more about ACPO
[http://www.antichildporn.org] and our future...
This weekend, we will be traveling to deliver a presentation to our
first political group, http://WWW.mntaxpayers.org/#Moorhead
Conference. I'll fill you in on more of the details next week.
BTW .. just a little note here about politics, we do not support any
political group, just the stopping of child abuse and child porn on
the internet.. Some people are concerned with our involvement in
governments and their politics. But please tell me a way to stop this
injustice without involving ourselves in politics and the law!
We are just beginning to plan our first European tour--roughly in the
October/November time frame. While we know the places we must visit,
we are open to your suggestions, as to places we might have an
opportunity to tell our story, and recruit Euro. members. Please eMail
me at natasha@infovlad.net if you have suggestions or ideas.
On the home front, ACPO will be attending the Techno-Security &
Disaster Prevention '99 Conference.
http://www.thetrainingco.com/Agenda-99.html Plans are being made to
develop additional approaches in assisting law enforcement to identify
and successfully prosecute child pornographers. We anticipate forming
both public and private partnerships to further this cause.
Thanks again to net-security.org for their support, and this forum to
express ourselves, and to keep you informed.
Natasha Grigori Founder antichildporn.org
============================
Thanks for being 'Child-Friendly'
Natasha Grigori Founder AntiChildPornOrg
ACPO http://www.antichildporn.org/
mailto:thenatasha@mediaone.net
============================
XII. The Hotmail security hole
------------------------------
Hotmail, one of the best known Microsoft acquisitions, was involved in a
security scandal earlier this week. A group of "hackers" (I will talk
about this later) discovered a backdoor in the Hotmail service, which
opened millions of accounts to other people.
"We did not do this hack to destroy, we want to show the world how bad
the security on Microsoft really is, and that company nearly have
monopoly on [all] the computer software" - Lasse Jung aka DarkWing
told the media (the group talked with the Swedish tabloid Expressen
and one of the big online media houses, Wired News (www.wired.com)).
It looks like they found a hole in the new Microsoft Passport program,
which is a secure (lol:) way for you to sign in to multiple Internet
sites using one member name and password.
----------------------------------------------------------------------
Here's how it works: If you sign in to Hotmail or any other MSN site,
you are automatically signed in to all MSN sites that use Passport. As
you move from site to site, you'll instantly be recognized, and you'll
have access to the best features the sites have to offer. Once other
Internet sites begin using Passport, you'll also be able to sign in to
those sites with just one click-without having to re-enter any
information. No multiple sign ins, no hassles!
----------------------------------------------------------------------
Ok, so it looks good, but security is a myth. It would be better for MSN
members to spend 10 more seconds entering their password again than to have
the computer cache logins and passwords.
The main problem was that Hackers Unite found an address which opened
any Hotmail mailbox using the password "eh". It was the following address:
http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=username &passwd=eh
It could be used from a mail form or by just copy-pasting the URL into your
browser. An image of one of the "hotmail-hack" mirrors is here:
http://default.net-security.org/4/hotmail.jpg
Microsoft's response:
----------------------------------------------------------------------
Dear Valued Customer,
You may be aware from published reports that recently MSN Hotmail
experienced service issues that have generated questions about security.
We can tell you that the issue has been resolved and MSN Hotmail is
currently operating normally.
This letter is intended to address your concerns and provide you with
the latest information concerning this issue.
Microsoft was notified early Monday morning (August 30, 1999) of a
potential security vulnerability that could enable unauthorized access
to Hotmail servers. Microsoft immediately began to investigate the
issue and in the interest of user privacy and security made the
decision to temporarily take Hotmail servers offline. In light of the
inconvenience that such an action can cause users, this is not
something that we take lightly but felt that, given Microsoft's
commitment to protecting people's private data and information, it was
an appropriate course of action.
Since then, Microsoft engineers have worked quickly to pinpoint the
issue and to resolve it and have restored the Hotmail servers so that
users can continue enjoying the benefits of Hotmail with full privacy
and security. Please note that no action on your part is necessary to
take advantage of the updated Hotmail.
We apologize for the inconvenience this issue may have caused. We are
gratified that you have made Hotmail the world's most popular free
e-mail provider, and are committed to further improving the
award-winning service in the months ahead.
----------------------------------------------------------------------
In all their (Microsoft's) official statements they were saying that
Microsoft Passport is secure, and that the "hackers" did not get into Hotmail
through it. Their explanation was that they were hit by an unknown security
breach. Rob Bennett, Microsoft's director of marketing, commented:
"The situation was that there was a hacker who wrote some advanced code
to basically bypass the Hotmail login process. This person did have
very specific knowledge of how to write development code, and put up a
website apparently that allowed people to put in a user name. That code
does not work anymore and there should be no future attacks from this
person".
This statement is really silly. Let's look into it a little bit closer.
Is this advanced code???
http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=username &passwd=eh
No. It is just a simple address.
Are the people who found it hackers? No. They didn't hack into anything,
they just found a backdoor in the Hotmail service which let them inside any
account. It looks like the main party to blame here is
Microsoft. But we could look at it from some other angles. The group
Hackers Unite should have reported the bug to Microsoft, because security is
the first thing that matters. They didn't report it, and chaos started.
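What the address above looks like from the server side, as an added detection example (not part of the original article): a Python pass over web access logs that flags one password value opening several different accounts. The log format, client addresses, account names and the assumption that HTTP 200 means the mailbox opened are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Common Log Format). Client addresses are
# documentation ranges and the account names are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Aug/1999:08:01:12 +0000] "GET /cgi-bin/start?curmbox=ACTIVE&js=no&login=alice&passwd=eh HTTP/1.0" 200 5120
192.0.2.10 - - [30/Aug/1999:08:01:40 +0000] "GET /cgi-bin/start?curmbox=ACTIVE&js=no&login=bob&passwd=eh HTTP/1.0" 200 4801
198.51.100.7 - - [30/Aug/1999:08:02:05 +0000] "GET /cgi-bin/start?curmbox=ACTIVE&js=no&login=carol&passwd=eh HTTP/1.0" 200 6110
203.0.113.5 - - [30/Aug/1999:08:02:30 +0000] "GET /cgi-bin/start?curmbox=ACTIVE&js=no&login=dave&passwd=Tr0ub4dor HTTP/1.0" 200 3990
203.0.113.5 - - [30/Aug/1999:08:02:31 +0000] "GET /cgi-bin/start?curmbox=ACTIVE&js=no&login=erin&passwd=eh HTTP/1.0" 403 212
192.0.2.10 - - [30/Aug/1999:08:03:00 +0000] "GET /cgi-bin/start?curmbox=ACTIVE&js=no&login=ALICE&passwd=eh HTTP/1.0" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def shared_password_logins(log_text, min_accounts=3):
    """Flag any password value that opened >= min_accounts distinct accounts.

    A legitimate password should open one account. One value that succeeds
    for many logins points at a default, hard-coded or bypass credential.
    Assumption: status 200 means the login succeeded.
    """
    seen = defaultdict(lambda: {"accounts": set(), "clients": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        url = urlsplit(m["target"])
        query = parse_qs(url.query)
        if "login" not in query or "passwd" not in query:
            continue
        # Keep only a short fingerprint so the report holds no cleartext password.
        fp = hashlib.sha256(query["passwd"][0].encode()).hexdigest()[:12]
        entry = seen[(url.path, fp)]
        entry["accounts"].add(query["login"][0].lower())
        entry["clients"].add(m["client"])

    findings = []
    for (path, fp), entry in seen.items():
        if len(entry["accounts"]) >= min_accounts:
            findings.append({
                "path": path,
                "password_fp": fp,
                "accounts": sorted(entry["accounts"]),
                "clients": sorted(entry["clients"]),
            })
    return findings


if __name__ == "__main__":
    for finding in shared_password_logins(SAMPLE_LOG):
        print(finding)
```

The check only sees credentials that reach the access log, which is the case here because the login name and password travel in the URL itself.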
Latest reports say that some people will have problems caused by the
Hotmail security breach. Unidentified attackers read e-mails from a couple
of Swedish prostitutes and published details, about the business manager
of a well-known Swedish media company wanting their "services", on an
anonymous web site in the USA. He later said that this is nasty, and
that he understands that this can lead to rumors - "I just wanted to
know if they really were prostitutes and I never paid for sex with the
prostitutes" - he said.
Will this Hotmail security breach teach Microsoft engineers to test their
programs and servers a little bit more, or will it just start chaos related
to on-line privacy? The future will show. If you are a Hotmail user, and you
are paranoid about your privacy, you could always use Hushmail
(www.hushmail.com), which offers Web-based 1,024-bit encryption technology
through a Java applet.
Berislav Kucan
aka BHZ
bhz@net-security.org
http://net-security.org
XIII. Meet the underground
--------------------------
Special about the Belgian hacker scene / bust of RedAttack. Interviewed: CUM
(Crew Madness Underground)
I had a little interview with toxic from CUM, Belgium's best h/p/v/c/a group.
Check his statements about the RedAttack bust and about the Belgian hacker scene.
<--begin interview--
deepcase: ok, tell something about the belgium scene !
toxic : There isn't much to tell about that.. we used to have a quite "close"
scene in the BBS era.. but that's now gone with the Internet... You
don't have much belgian groups anymore... with the internet it's like
more the individual that counts i guess..., still there are some
very good belgian guyz like m0n from cha0s, d0mz, segfau|t, n3m0,
socked, deepcase, g_rax ...
deepcase: something about CUM, what yu do, why, since when etc.
toxic : CUM was founded in 1996, this was when Hacker, Immortal Intruder, Fiber
Optic and I (Toxic Ocean) met IRL for the first time... in that time
Hacker was running a multi-node warez board ("Unusual Project"),
Immortal and Fiber had one of the biggest h/p/a/v/c board in Belgium
("Hacker Town")... and i was a frequent caller of both boards.. We
shared some common interests like hacking, computer security - and
just plain computer phun :) .. so we decided to start our own group,
in the beginning just to share ideas and files, and later to test
new technologies, security, gather knowledge... we really aren't a
"defacing" group, as we think that's rather lame... when we hack a
server, we keep the access to learn and explore.. not to deface the
page and have our moment of fame... but since these times you need
to deface a page to be taken "serious" , we now and then deface a
page .. but then mostly stupid servers with nothing on it ..
lately we also began to explore more "hardware" stuff - this is why
we founded the CUM-tech-lab, our own lab with all kindsa computers to
"test things out".. we also began exploring the phone system, and GSM
nets... right now we're writing a "Belgian Phreak/Phonephun Guide"
for all belgian (and other) h/p/a/v/c'ers , with in it up-to-date info,
technical details and useful tricks.
deepcase: what you think about RedAttack man
toxic : He's a wannabe. A kiddie who thinks he's the best hacker on earth.
With this we can live, you just ignore guys like that. But what's really
scary is that a lot of people buy his shit. In an interview with a
belgian magazine, he was so full of shit, it made me sick.
Example : he claimed he had hacked the largest bank of Belgium
("Generale Bank"). He said it took him AND a team 3 weeks and a hell
of a lot maths to get the job done. Reality : the password of the
helpdesk was "hlpdsk". Need I say more. The only thing he got was a few
internetbanking usernames, no passwords. Big deal. He went to the media
with this. Of course they believed he had hacked into the core of the
bank's mainframe, you know the media. The whole thing is blown out of
proportion. He's also claiming that there aren't other hackers in Belgium
and shit like that. But just a few days ago, his own website got hacked ;)
deepcase: whats yur comment on his bust
toxic : His early bust proves he's not really that good, it took us just 1 e-mail
to get his name and real IP address, so... But now he wants everybody to
believe he's a crusader on a mission. A mission of cleaning the internet.
He wants to ban all "harmful" content from the net, stuff like "how to
make a pipebomb". What happened to free speech?? Not to mention that you
can also find all these things in ur local library... This explanation
is crap, he's only telling this because he doesn't wanna go to jail and
wants to have a "clean" image... He's a media wh0re, a kiddie who wants
his 5 minutes of fame... Even worse, because of him the politicians are now
making laws against "computer criminals". Before redattacks media exposion,
there were no such laws here in Belgium...
deepcase: you knew him?
toxic : Nope, never heard of him before he was on tv...
<--end interview--
deepcase
deepcase@net-security.org
XIV. Freedom of speech - related incidents
-------------------------------------------
*******************************************************************
The most certain test by which we judge whether a country is really free
is the amount of security enjoyed by minorities.
--- Lord Acton
*******************************************************************
Every day the battle between freedom and repression rages through the global
ether.
Here are this week's link highlights from
NewsTrolls (http://www.newstrolls.com):
Thursday, August 26:
Australia's newly passed censorship laws make it the
<http://www.wired.com/news/news/business/story/21425.html>
Internet's "village idiot"...
30 Chinese Protestant house church leaders
<http://www.insidechina.com/news.php3?id=88013>
arrested...
Students, artists, religious, and intellectuals have long been targets for
repressive regimes
<http://www.insidechina.com/news.php3?id=88025>
but now even FARMERS in China are being tried for subversion...
"Dozens of farmers will be tried for subversion in China's southwest
autonomous city of Chongqing for establishing an "anti-corruption army"
and calling for the reassessment of the 1989 Tiananmen democracy protests,
a human rights group said Thursday."
Malaysians rally around Lim
<http://www.scmp.com/News/Asia/Article/FullText_asp_ArticleID-19990826031713979.asp>
finally free from prison...
"Mr Lim, who had clearly lost weight but was in good spirits, took up the
multi-racial theme in his first remarks after his release. He said he had
been condemned as a Chinese chauvinist but he was just "championing the
rights of the people". He said he was "a true Malaysian" who was "fighting
for a just society". Mr Lim said he would continue the struggle and was
"prepared to go to jail again". He stood on the roof of a car with his father,
Lim Kit Siang, the DAP secretary-general, and said he was pleased to
breathe fresh air again but would not feel really free until all Malaysians
who were "unfairly in prison" were freed."
Weekend, August 27-29
FCC approves
<http://www.epic.org/privacy/wiretap/calea/fcc_decision_release_8_99.html>
wiretaps on networks...
Monday, August 30
Press Freedom Violated In
<http://www.africanews.org/atlarge/stories/19990827_feat3.html>
15 Francophonie States
Press freedom advocate arrested
<http://www.africanews.org/central/congo-kinshasa/stories/19990826_feat2.html>
in Kinshasa
Czech firm builds wall
<http://www.cnn.com/WORLD/europe/9908/30/BC-CZECH-WALL.reut/>
isolating gypsies...
Tuesday, August 31
China has tortured to death
<http://www.insidechina.com/news.php3?id=88997>
three Tibetan monks...
250 protest outside the World Bank as the bank promises to investigate
<http://www.insidechina.com/news.php3?id=88795>
their project in Occupied Tibet
After a 98.6% voter turnout
<http://news.bbc.co.uk/hi/english/world/asia-pacific/newsid_434000/434647.stm>
anti-independence faction turns violent in East Timor
and yet the UK is continuing to
<http://news.bbc.co.uk/hi/english/uk_politics/newsid_434000/434350.stm>
sell arms to Indonesia...
UN says Indonesian military
<http://asia.yahoo.com/headlines/310899/world/936110760-90831144608.newsworld.html>
took part in violence
Nigerian youths speak out against the
<http://www.africanews.org/business/stories/19990830_feat23.html>
Niger-Delta Development Commission...
""We don't need a commission. Bureaucrats would just come, hijack it and
siphon all the money sunk in it to the detriment of the masses."...As a way
forward to restore normalcy in the Niger Delta region, Mr. Igboku-Otu, who is
also the President of Civic Rights Organisation, posited: "I will urge President
Obasanjo not to listen again to our elders who visit him in Aso Rock. He should
make them irrelevant and now consult directly with the youth via their umbrella
organisations and within 24 hours, the Niger-Delta problem will be over. "Let me
tell Obasanjo that all the arms brought to the Niger -Delta are bought by these
same people who visit him in Abuja in the name of Niger-Delta. Where does the
helpless youth have 3,000 dollars to buy AK 47?" he queried."
Wednesday, September 1
10-year-old Tibetan boy spends 4 months in jail because
<http://www.tibet.ca/wtnarchive/1999/9/1_4.html>
he refused to say he was a Chinese citizen...
"Luodeng Chideng was horrified when the police led away his 10-year-old son because
the boy refused to repeat the phrase "I am a Chinese citizen" in school, insisting
instead that he is Tibetan. The boy spent four months behind bars. He was released
only when Luodeng bribed a police officer who, adding a final insult, warned the
father not to let it happen again. "It was my fault he got arrested," Luodeng said
later, shaking his head. "I'm the one who taught him to be proud he is Tibetan."
Liu Qing, Chinese democracy activist, on the use of the Internet in
<http://www.insidechina.com/news.php3?id=89096>
leading the protest war against China's PRC
Khamenei slams Iranian journalists who
<http://asia.yahoo.com/headlines/010999/world/936190560-90901125649.newsworld.html>
question Islam's vengeance laws...
""Any newspaper or writer wanting to renounce the fundamental principles of
Islam or questioning the vengeance law is an apostate and liable to the death penalty,"
Khamenei told a gathering of several thousand troops in the northeastern town of
Mashhad."
A "union of revolutionary writers" protesting consumerism
<http://www.nytimes.com/aponline/i/AP-Russia-Explosion.html>
take responsibility for Kremlin bomb...
"``Acts like those taken today create a social engine which is still
experimental, but is gradually becoming a real social factor,'' the note read, according
to a spokesman at the FSB. ``A hamburger not eaten to the end by the dead consumer
is a revolutionary hamburger. Consumers: We don't like your way of life and it's
unsafe for you.''"
In just one week...
diva aka Pasty Drone
CEO NewsTrolls, Inc. http://www.newstrolls.com
pastydrone@newstrolls.com
XV. Microsoft Installs US Spy Agency with Windows
---------------------------------------------------
Research Triangle Park, NC - 31 August 1999 - Between Hotmail hacks and
browser bugs, Microsoft has a dismal track record in computer security. Most
of us accept these minor security flaws and go on with life. But how is an IT
manager to feel when they learn that in every copy of Windows sold, Microsoft
has installed a 'back door' for the National Security Agency (NSA - the USA's
spy agency) making it orders of magnitude easier for the US government to
access their computers?
While investigating the security subsystems of WindowsNT4, Cryptonym's
Chief Scientist Andrew Fernandes discovered exactly that - a back door
for the NSA in every copy of Win95/98/NT4 and Windows2000. Building on
the work of Nicko van Someren (NCipher), and Adi Shamir (the 'S' in
'RSA'), Andrew was investigating Microsoft's "CryptoAPI" architecture
for security flaws. Since the CryptoAPI is the fundamental building
block of cryptographic security in Windows, any flaw in it would open
Windows to electronic attack.
Normally, Windows components are stripped of identifying information. If the
computer is calculating "number_of_hours = 24 * number_of_days", the only
thing a human can understand is that the computer is multiplying "a = 24 * b".
Without the symbols "number_of_hours" and "number_of_days", we may have no
idea what 'a' and 'b' stand for, or even that they calculate units of time.
In the CryptoAPI system, it was well known that Windows used special numbers
called "cryptographic public keys" to verify the integrity of a CryptoAPI
component before using that component's services. In other words, programmers
already knew that Windows performed the calculation "component_validity =
crypto_verify(23479237498234...,crypto_component)", but no-one knew exactly
what the cryptographic key "23479237498234..." meant semantically.
Then came WindowsNT4's Service Pack 5. In this service release of software
from Microsoft, the company crucially forgot to remove the symbolic
information identifying the security components. It turns out that there are
really two keys used by Windows; the first belongs to Microsoft, and it allows
them to securely load CryptoAPI services; the second belongs to the NSA. That
means that the NSA can also securely load CryptoAPI services... on your
machine, and without your authorization.
The result is that it is tremendously easier for the NSA to load unauthorized
security services on all copies of Microsoft Windows, and once these security
services are loaded, they can effectively compromise your entire operating
system. For non-American IT managers relying on WinNT to operate highly secure
data centers, this find is worrying. The US government is currently making it
as difficult as possible for "strong" crypto to be used outside of the US;
that they have also installed a cryptographic back-door in the world's most
abundant operating system should send a strong message to foreign IT managers.
There is good news among the bad, however. It turns out that there is a flaw
in the way the "crypto_verify" function is implemented. Because of the way the
crypto verification occurs, users can easily eliminate or replace the NSA key
from the operating system without modifying any of Microsoft's original
components. Since the NSA key is easily replaced, it means that non-US
companies are free to install "strong" crypto services into Windows, without
Microsoft's or the NSA's approval. Thus the NSA has effectively removed export
control of "strong" crypto from Windows. A demonstration program that replaces
the NSA key can be found on Cryptonym's website.
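A toy model of the check the release describes, added here as an illustration (not Cryptonym's or Microsoft's code): a loader that accepts a component when its signature verifies under any embedded key, plus a fingerprint of the key store so that a replaced key shows up in an audit. The textbook RSA keys, slot names and helper functions are assumptions made for the example.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy RSA key pair from two known primes (illustration only, not secure)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def digest_int(component, n):
    return int.from_bytes(hashlib.sha256(component).digest(), "big") % n

def sign(component, key):
    return pow(digest_int(component, key["n"]), key["d"], key["n"])

def crypto_verify(pub, component, signature):
    """True if the signature over the component checks out under this public key."""
    return pow(signature, pub["e"], pub["n"]) == digest_int(component, pub["n"])

def load_component(embedded_keys, component, signature):
    """Accept the component if ANY embedded key verifies it; return that slot."""
    for slot, pub in embedded_keys.items():
        if crypto_verify(pub, component, signature):
            return slot
    return None

def keystore_fingerprint(embedded_keys):
    """Digest over every embedded key, recorded once and compared on later audits."""
    h = hashlib.sha256()
    for slot in sorted(embedded_keys):
        pub = embedded_keys[slot]
        h.update(f"{slot}:{pub['n']:x}:{pub['e']:x};".encode())
    return h.hexdigest()

# Hypothetical key holders. Mersenne primes make the toy keys reproducible.
VENDOR = make_key(2**61 - 1, 2**89 - 1)
SECOND = make_key(2**107 - 1, 2**127 - 1)
OUTSIDER = make_key(2**89 - 1, 2**107 - 1)

def demo():
    keys = {"slot1": public(VENDOR), "slot2": public(SECOND)}
    pinned = keystore_fingerprint(keys)
    component = b"constructed crypto component"
    result = {
        "vendor_signed": load_component(keys, component, sign(component, VENDOR)),
        "second_signed": load_component(keys, component, sign(component, SECOND)),
        "outsider_signed": load_component(keys, component, sign(component, OUTSIDER)),
    }
    keys["slot2"] = public(OUTSIDER)  # the second slot is swapped for another key
    result["outsider_after_swap"] = load_component(
        keys, component, sign(component, OUTSIDER))
    result["keystore_changed"] = keystore_fingerprint(keys) != pinned
    return result

if __name__ == "__main__":
    print(demo())
```

The set of parties who can get a component loaded is the union of the embedded keys, so auditing that set matters as much as auditing the loader.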
Cryptonym: Bringing you the Next Generation of Internet Security,
using cryptography, risk management, and public key infrastructure.
Interview Contact:
Andrew Fernandes
Telephone: +1 919 469 4714
email: andrew@cryptonym.com
Fax: +1 919 469 8708
Cryptonym Corporation
1695 Lincolnshire Boulevard
Mississauga, Ontario
Canada L5E 2T2
http://www.cryptonym.com