Hacker Target: Mobile Phones


Security Views/Dr. Bill Hancock

cool toys and that’s a given”, says Jeff Moss, the event’s main organizer, who also goes by the hacker handle Dark Tangent. “When I jumped jobs in the past it was to work with cool people and interesting stuff. I would take a $20 000 pay cut to be with an interesting group of people doing cool stuff.”

Should the government be wary of hiring hackers? Probably not, at least not as long as they don’t have a conviction record, Moss says. He knows a thing or two about hiring hackers. He himself worked for Secure Computing until October 1999, when he devoted himself full time to putting on DefCon. “When I was at Secure Computing, we admitted that yes, we hire hackers, but we don’t hire computer criminals. We wanted smart, old-school hackers who knew what they were doing.”

The heavy federal presence made the traditional ‘Spot the Fed’ contest almost pointless. The idea behind the contest has always been to ‘out’ a federal officer who may be quietly lurking at the convention. A suspected fed, sometimes spotted by his or her more conservative dress, is quizzed about his or her profession, and if they work for a federal or other government agency, they’re asked to produce a badge or official identification. Of course it’s all meant in good fun. The prizes? An ‘I Spotted the Fed’ T-shirt for the spotter, and an ‘I Was the Fed’ T-shirt for the spottee.

For the past two years, hackers attending DefCon have looked forward most of all to the annual visit from the Cult of the Dead Cow (cDc), a hacker troupe with a 16-year history, known for its collection of interesting personalities and superior skills. DefCon has recently been the place where cDc releases its latest and most controversial software tools. At DefCon 6 in 1998, the group released Back Orifice, a network administration tool that would allow a user to remotely manage a Windows-based computer. It was also useful for some of the malicious hackers who used it — by sneaking a copy into a computer — as a way of monitoring the activity on a target computer without the knowledge of the computer’s owner. Computer security firms rushed to find ways to counteract the misuse of the program, many declaring it a Trojan horse. Then last year, at DefCon 7, cDc released a new version of the program, Back Orifice 2000, which was smaller, faster and more powerful than the original.

So what did cDc have for the crowd at DefCon this year? A big show that included, among other things, a mock human sacrifice, but almost nothing else. “We’re not a software company, so people shouldn’t be expecting a new tool every year”, says a member of cDc who goes by the name of Tweety Fish. (“I wanted a name so ridiculous that if I ever got arrested, a judge would laugh it out of court”, he says of the name.) Yet cDc, having recently released a software tool called NDNames, continues to be a thorn in the side of software giant Microsoft. The program takes advantage of an apparent weakness in the Windows operating system by blocking a computer’s ability to get a unique identifying name on a network, thereby interfering with its ability to talk to other machines on the network. The group told Microsoft about the weakness, and a patch has been issued, but only for Windows 2000. Microsoft said in a security bulletin that the weakness lies not in Windows, but in the NetBIOS protocol.

Another vulnerability, in Lotus Notes, an Internet server platform sold by Lotus Development, a unit of IBM, was revealed at the conference by Chris Goggans of Security Designs International, who used to go by his hacker handle Erik Bloodaxe, and by the Trust Factory, a Netherlands-based computer security firm. Essentially, the weakness could, Goggans says, in the most extreme cases, allow an attacker to usurp the identification information of a Notes user, gaining access to that server. Lotus has suggested ways to fend off such an attack, but Goggans says that while this is a good start, they still don’t cover all the ways it could be carried out. No word yet if Lotus plans to recruit at DefCon 9.

Computers & Security, Vol. 19, No. 6

Hacker Target: Mobile Phones

Mobile phones have become the focus of attacks by virus writers and hackers, according to Russian anti-virus firm Kaspersky Lab. The Moscow-based company said that in the past few months, mobile phones and their users have had increasing attention paid to them by virus writers who have found a new playground to create chaos. Kaspersky said that according to the existing information, someone with a pseudonym of HSE has created a program called SMS Flooder. As the name implies, the software allows SMS (short message service) text messages to be sent in any volume to chosen numbers at any time.

According to the anti-virus firm, the hacking utility, which is coded in Visual Basic 5.0, uses some of the many Internet E-mail-to-SMS gateway services, including www.free-sms.com, sms-link.btn.de, www.nm-info.de, www.pcteam.de, www.mobidig.net and www.lycos.de. As a result of its research, Kaspersky said it classifies the program as malicious code, although it concedes that the program itself is not dangerous — just its potential results.

The slightly good news is that, so far, SMS Flooder has been restricted to Germany, mainly because the gateways given with the software only allow SMS messages to be sent to German mobile phone networks. “Certain features of this program suggest however, that this is just the first step towards the creation of a Trojan horse program capable of attacking mobile phones”, said the company in a customer advisory. As a result of its findings, details for the detection and neutralization of SMS-Flooder have been added to the latest Kaspersky Anti-virus daily database update at http://www.avp.ru.

E-Mail Privacy Issues Escalate

Should you worry about someone reading your private E-mail? Although there may not be much motivation for hiding your thank-you note to your sister-in-law, E-mail certainly has its dangers. Those dangers are especially obvious in the workplace, according to Employment Law Learning Technologies. The company, which advises businesses regarding the legal liabilities in daily business conduct, released a list of top E-mail no-no’s, “The Seven Most Common Misconceptions About E-mail.”

The company cites actions against employees at Dow Chemical and The New York Times as examples of the risks employees take when they use the Internet for Web browsing and E-mail. The list of misconceptions is based on cases handled by ELT’s parent company, employment and labour law firm Littler Mendelson.

• E-mails can be deleted. Reality: by using utilities or by checking recipients’ workstations, they can almost always be recovered.

• E-mails get ‘lost’ among the millions being sent around the Internet. Reality: sophisticated search tools, as the FBI’s Carnivore program illustrates, let their users find almost any E-mail from anyone.

• E-mails go to the people you address them to. Reality: E-mails are often distributed broadly to people you often don’t know because of forwarding.

• Comments made in E-mail aren’t that powerful. Reality: even if unintended by the sender, certain comments or idle remarks can be perceived as threats or harassment. For example, referring to a coworker as a “dinosaur” can become the basis for an age discrimination lawsuit.

• You can send E-mails from work in a personal capacity. Reality: when sent over company systems, the law recognizes E-mails as official company communications regardless of the content. Potential exposure is created each time an employee uses corporate E-mail to send personal messages to friends.

• Private E-mail messages are private. Reality: E-mails can be accessed as part of an investigation and cause liability for employers.

• Your identity is protected through E-mail communications. Reality: it is extremely easy to duplicate someone’s identity for the purpose of sending fraudulent E-mail messages.

GeoCities Ordered to Report on Information Poster

A Yahoo! Inc. subsidiary must turn over to Apple Computer Inc. personal information on a customer who allegedly posted Apple trade secrets on the Internet, a judge ordered. Superior Court Judge Gregory H. Ward recently issued a subpoena to Yahoo!’s GeoCities site to turn over records of a member using the computer pseudonym ‘worker
