<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-5094409741890534554</id><updated>2012-02-16T01:30:16.995-08:00</updated><category term='NT Rootkit'/><category term='[Download] The Most Powerful BotNet Attacker------icepoint'/><title type='text'>NETCOM HACKING NEWS</title><subtitle type='html'>( A Area of The Engineers )</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Eng. Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>29</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-8054955660716561897</id><published>2008-09-30T10:01:00.000-07:00</published><updated>2008-09-30T10:06:48.962-07:00</updated><title type='text'>Hacker Interview (IBM's Dr. 
Charles Palmer)</title><content type='html'>&lt;span class="Apple-style-span"  style=" font-weight: bold;font-family:'Times New Roman';"&gt;&lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span"  style="font-size:large;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Q&amp;amp;A with IBM's Charles Palmer&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span"  style="font-size:large;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Dr. Charles C. Palmer is the manager of Network Security and Cryptography and head of the Global Security Analysis Lab, which includes IBM's ethical hacking unit.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;1. How do you define hacking? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Hacking is unauthorized use of computer and network resources. (The term "hacker" originally meant a very gifted programmer. In recent years though, with easier access to multiple systems, it now has negative implications.) &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;2. Are there appropriate forms of hacking? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Hacking is a felony in the &lt;/span&gt;&lt;/span&gt;&lt;st1:country-region st="on"&gt;&lt;st1:place st="on"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;United States&lt;/span&gt;&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:country-region&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; and most other countries. When it is done by request and under a contract between an ethical hacker and an organization, it's OK. The key difference is that the ethical hacker has authorization to probe the target. 
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;3. What do you and the other members of your team do? &lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;(We) work with IBM Consulting and its customers to design and execute thorough evaluations of their computer and network security. Depending on the evaluation they request (ranging from Web server probes to all-out attacks), we gather as much information as we can about the target from publicly available sources. As we learn more about the target, its subsidiaries and network connectivity, we begin to probe for weaknesses. 
Examples of weaknesses include poor configuration of Web servers, old or unpatched software, disabled security controls, and poorly chosen or default passwords. As we find and exploit vulnerabilities, we document if and how we gained access, as well as if anyone at the organization noticed. (In nearly all the cases, the Information Systems department is not informed of these planned attacks.) Then we work with the customer to address the issues we've discovered. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;4. What is the background of the people on your team? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;We have Ph.D.s in physics, computer scientists, and even one former photographer with a fine arts degree. They are all well-known, highly respected system security professionals from around the world. Most of them did not start their careers in this area, but ended up doing computer and network security because they were provoked by hackers at one time. Once they started on the road to improving security, they got hooked on the challenges it presents. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;5. In "Helpful Hacking" from IBM Research magazine in 1997, you are quoted as saying you don't hire reformed hackers and "there's no such thing." 
Could you explain? &lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;The number of really gifted hackers in the world is very small, but there are lots of wannabes.... When we do an ethical hack, we could be holding the keys to that company once we gain access. It's too great a risk for our customers to be put in a compromising position. With access to so many systems and so much information, the temptation for a former hacker could be too great -- like a kid in an unattended candy store. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;6. Is it fair to say that you are opposed to hacking? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;As I said before, hacking is a felony -- for good reason. Some of the "joyriders" -- hackers who access systems just for the challenge -- think it's harmless since they usually don't "do" anything besides go in and look around. But if a stranger came into your house, looked through everything, touched several items, and left (after building a small, out of the way door to be sure he could easily enter again), would you consider that harmless? These joyriders could be causing damage inadvertently since just by their presence they are using system resources. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;7. Do you think hacking can be useful? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Hacking can be useful in a controlled environment where there are ground rules and contractual agreements. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;8. Do you have a profile of the typical hacker? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;The profile has broadened in the last couple of years to include many types of people, which makes it very difficult to call out a "typical" hacker. The motivations behind hacking have changed (see Answer No. 11 below). No longer are hackers limited to the teen-age, soda-slurping misfits, although they're probably the majority. There are girls and even younger kids. Many companies think all hackers come from outside, but surveys continue to show that the threat from inside an organization is greater than from outside. So if your system is compromised, it could be a Gen-Xer sitting in a dark apartment, or the woman in the cubicle next to you. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;9. There have been reported instances where corporate security personnel have tracked hacking back to the source, broken in and stolen computers, or even used force. Do you endorse "vigilantism" as a response to hacking? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;I've heard those stories, too, and I don't believe most of them. It makes zero sense to respond to an illegal attack with another illegal attack. First of all, it can be very difficult to accurately determine where an attack comes from. Whether they end up retaliating against the right or wrong person, they've committed a felony and are just as guilty as the original perpetrator. It's no different than other forms of vigilante justice. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;10. What about attacking Web sites that list hacking scripts? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Again, any attack is a felony. It's a First Amendment rights issue as well. Where do you draw the line? Attacking adult sites? Attacking spammers? It makes more sense for corporations, schools and other organizations to try to block access to those sites. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;11. Can you characterize the nature of most hacking attacks? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;A few years ago, the original motivations were pursuit of knowledge and the desire to "show off" one's skills. Now, there are new lures of money and power. However, the statistics can be misleading, so many of these incidents go unreported due to lack of detection or fear of further losses due to tarnished image and credibility. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;I believe that the majority of hacks are still motivated by curiosity and a desire to point out system weaknesses. However, as organizations have been finding, most of today's threats come from within the organization. According to a recent META Group study, current figures indicate that recent breaches of security within Information Technology organizations occur internally 58 percent of the time. The threat from the outside is rising at a steady rate, though. 
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;12. Is there a trend in these attacks? &lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Denial-of-service attacks and macro-viruses are the most popular hacker activities. The denial-of-service attacks are fairly easy for hackers of all skill levels -- from "script-kids" to professionals -- to launch. This is a situation where a company's Web site or online service is simply made unavailable by a hacker overtaxing the system resources. It doesn't sound that harmful, but there can be serious monetary and image losses attached to this. 
If you want to buy a book and you go to a popular book-selling Web site and find that site unavailable, chances are you'll try the next most popular book Web site. There's simply too much competition on the Internet right now to overlook security needs. These denial-of-service attacks are particularly troubling because they are hard to defend against. There are defenses available with firewall products from IBM and other companies, but there can be denial-of-service attacks from inside as well, which lends credence to the argument for Intranet firewalls. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;13. Where does the real threat of hacking lie: in the private sector, in government or somewhere else? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;The widely reported attacks against government sites are troubling, but it's a good bet that the government would not have any sensitive information on a machine connected to the Internet. An unfortunate side effect of these reports is that people end up thinking that securing systems and networks is hard. It's not hard, but it does take time and training, and it's an ongoing process to stay one step ahead of the bad guys. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Corporate espionage is also a threat, but not in the glamorous way portrayed in the movies. There, the threat is from the inside. There have been many reports of employees purposely sending proprietary information outside the company to other companies, perhaps just before they themselves move to that company. The greater connectivity that employees have today also leads them to inadvertent leaks via e-mail. 
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;14. To what extent is cyberterrorism a genuine concern? &lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;There is little motivation for industrial control systems like those running nuclear plants or airports to be on the open Web. They may have dial-up access or private networks within the organization that would be susceptible to attack from the inside. IBM has found that it can be quicker and cheaper to attack a target physically, rather than digitally -- we've nonchalantly walked into businesses, snooped around, and walked out with confidential material (once with the security guard holding the door for us!). 
And there are many examples of unfortunate accidents that resulted in very effective "attacks." The most common example is the "backhoe attack," where an errant heavy-equipment operator accidentally cut a communications cable. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;... I don't think we are "at war," because in this problem the enemy includes ourselves. We view it more as a race -- we're all trying to stay a few steps ahead of the threats ... through improved education and technology. ... The good news is that people are thinking about these issues, and some groups appear to be taking action. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;15. What about responses such as the recent Pentagon counteroffensive that redirected hackers' attack to an applet that caused their browsers to crash? Is that an appropriate response to hackers? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Anytime you acknowledge the hacker, you run the risk of heightening his or her interest. If you change the game from solitaire to a real poker game with human opponents, it becomes more interesting to most hackers. Such retaliation is also short-lived, since countermeasures will quickly be developed and publicized around the Web. In my opinion, this is not an effective usage of limited security personnel. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;16. Are anti-hacking measures improving? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;The most important improvement is in the area of awareness. ... Advances in firewall technology (making them easier to install and configure), improvements in vulnerability scanning and better explanations of how to repair them, and better intrusion-detection with fewer false-positives are all key technologies in this race. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;17. If attacks can only take place on computers that are online, to what extent could hacking be mitigated by keeping sensitive materials, data, etc., offline? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;One of my colleagues at IBM likes to say, "only trust physics." My version is that the only 100 percent, truly secure system is one that is powered-off and filled with concrete. The military has long understood the security of an "air gap" (where a secure machine has no connection whatsoever to an unsecured machine), and we recommend to our customers that they consider such an arrangement for their most secure systems. This comes down to risk-analysis -- that is, weighing the cost in convenience and availability against the threat of having a system online. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;If it's important to ... your business to have data available online inside the company, then protecting it with an internal firewall makes sense. ... If you have a Web server you want your customers to access, you can't hide it behind your corporate firewall because they won't be able to get to it. 
There are network designs that will enable you to position the Web server on the "outside," while securely maintaining a connection between it and, perhaps, a server behind the firewall. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;18. What is the long-term outlook for hacking? &lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;As long as there are unsecured computers with interesting stuff on them, there will be hackers. Law enforcement agencies have stepped up their facilities and training programs to meet the demand for computer and network security. 
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Moving toward technologies that use strong encryption will greatly improve the overall security of systems. Virtual Private Networks are a fantastic tool for companies and governments to protect their systems and networks while taking advantage of the low-cost, high-availability offered by the Internet. Internet standards bodies are also moving toward designing security into new standards. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Most kids today know much more about computers than their parents do, and some start "messing around" at earlier ages than in the past. The best thing we can do is to show them how interesting it can be to work at protecting systems and networks. 
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;19. What about the outlook for computer security? &lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;While better security technologies are appearing all the time, education and awareness will continue to be the limiting factor. System administrators must learn about and maintain their systems securely. Users have to understand their security responsibilities (like choosing good passwords, not installing unauthorized modems, etc.). ... 
Innovations like biometrics and smart cards will go a long way toward making security easier for the end user as well as for the system administrators.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/8054955660716561897/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=8054955660716561897' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/8054955660716561897'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/8054955660716561897'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/hacker-interview-ibms-dr-charles-palmer.html' title='Hacker Interview (IBM&apos;s Dr. Charles Palmer)'/><author><name>Eng. 
Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-7725731431113855300</id><published>2008-09-30T09:59:00.000-07:00</published><updated>2008-09-30T10:00:52.236-07:00</updated><title type='text'>Hacker Interview (Emmanuel Goldstein)</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Q&amp;amp;A with Emmanuel Goldstein of 2600: The Hacker Quarterly&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Emmanuel Goldstein is the editor-in-chief of 2600: The Hacker Quarterly and hosts a weekly radio program in &lt;/span&gt;&lt;st1:place st="on"&gt;&lt;st1:state st="on"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;New York&lt;/span&gt;&lt;/st1:state&gt;&lt;/st1:place&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; called "Off the Hook."&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span 
class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;1. How do you define hacking? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Hacking is, very simply, asking a lot of questions and refusing to stop asking. This is why computers are perfect for inquisitive people -- they don't tell you to shut up when you keep asking questions or inputting commands over and over and over. But hacking doesn't have to confine itself to computers. Anyone with an inquisitive mind, a sense of adventure and strong beliefs in free speech and the right to know most definitely has a bit of the hacker spirit in them. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;2. Are there legal or appropriate forms of hacking? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;One of the common misconceptions is that anyone considered a hacker is doing something illegal. It's a sad commentary on the state of our society when someone who is basically seeking knowledge and the truth is assumed to be up to something nefarious. Nothing could be further from the truth. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Hackers, in their idealistic naiveté, reveal the facts that they discover, without regard for money, corporate secrets or government coverups. We have nothing to hide, which is why we're always relatively open with the things we do -- whether it's having meetings in a public place or running a system for everyone to participate in regardless of background. The fact that we don't "play the game" of secrets also makes hackers a tremendous threat in the eyes of many who want to keep things away from the public. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Secrets are all well and good, but if the only thing keeping them a secret is the fact that you say it's a secret, then it's not really a very good secret. We suggest using strong encryption for those really interested in keeping things out of the hands of outsiders. 
It's interesting also that hackers are the ones who are always pushing strong encryption -- if we were truly interested in getting into everyone's personal affairs, it's unlikely we'd try and show them how to stay secure. There are, however, entities who are trying to weaken encryption. People should look toward them with concern, as they are the true threat to privacy. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;3. What in your mind is the purpose of hacking? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;To seek knowledge, discover something new, be the first one to find a particular weakness in a computer system or the first to be able to get a certain result from a program. As mentioned above, this doesn't have to confine itself to the world of computers. Anyone who's an adventurer or explorer of some sort, or any good investigative journalist, knows the feeling of wanting to do something nobody has ever done before or find the answer despite being told that you can't. 
One thing that all of the people involved in these endeavors seem to share is the feeling from outsiders that they're wasting their time. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;4. Are you a hacker? Why? Or why not? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Absolutely. It's not something you can just erase from your personality, nor should you want to. Once you lose the desire to mess around with things, tweak programs and systems, or just pursue an answer doggedly until you get a result, you've lost a very important part of yourself. It's quite possible that many "reformed" hackers will lose that special ingredient as they become more and more a part of some other entity that demands their very souls. But for those who can resist this, or figure out a way to incorporate "legitimacy" into their hacker personalities without compromising them, there are some very interesting and fun times ahead. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;5. What kind of hacking do you do? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;My main interest has always been phones and rarely does a day pass when I don't experiment in some way with a phone system, voice mail system, pay phone, or my own telephone. I've always been fascinated by the fact that we're only a few buttons away from virtually anyone on the planet and I hope that I never lose that sense of marvel. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;One of the most amazing things I ever got involved in was routing phone calls within the network itself -- known as blue-boxing. You can't do that as easily any more, but it was a real fun way to learn how everything was connected -- operators, services, countries, you name it. 
And in the not-too-distant past, there were so many different sounds phones made depending on where you were calling. Now they tend to be standardized rings, busies, etc. But the magic hasn't disappeared, it's just moved on to new things ... satellite technology, new phone networks and voice recognition technologies. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Many times these new technologies are designed by the very people who were hacking the old technologies. The result is usually more security and systems that know what people will find useful. While I've spent a great deal of time playing with phones, I get the same sense of fun from computer systems and have invested lots of time exploring the Internet. It would fill a book to outline all of the hacker potential that exists out there. And, of course, there's radio hacking, which predates a lot of the current technology. It's gotten to the point where simply listening to a certain frequency has become a challenge. It's hard to believe that it's actually turned into a crime to listen to some of these non-scrambled radio waves. But this is the price we pay when people with no understanding of technology are the ones in charge of regulating it. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;6. How much time do you spend at it a week? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;That's like asking how much time you spend breathing. It's always with you, you do more of it at certain times, but it's always something that's going on in your head. Even when I sleep, I dream from a hacker perspective. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;7. Do you have a certain kind of site or "target" sites that most attract you? 
&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;We don't sit around with a big map and a list of targets. In fact, we don't even sit around together. Most hacking is done by individuals who simply find things by messing around and making discoveries. We share that info and others add input. Then someone tells the press and the government that we're plotting to move satellites and all hell breaks loose. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;I think most of us tend to be drawn to the sites and systems that are said to be impossible to access. This is a normal human reaction to being challenged. The very fact that we continue to do this after so many of us have suffered so greatly indicates that this is a very strong driving force. When this finally becomes recognized as a positive thing, perhaps we'll really be able to learn from each other. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;8. What, in general, do you think attracts people to hacking? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;People have always been attracted to adventure and exploration. Never before have you been able to get this without leaving your house and without regard to your skin color, religion, sex, or even the sound of your voice. On the Internet, everyone is an equal until they prove themselves to be a moron. And even then, you can always start over. It's the ability to go anywhere, talk to anyone, and not reveal your personal information unless you choose to -- or don't know enough not to -- that most attracts people to the hacker culture, which is slowly becoming the Internet culture. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;We find that many "mainstream" people share the values of hackers -- the value of free speech, the power of the individual against the state or the corporation, and the overall sense of fun that we embrace. Look in any movie where an individual is fighting a huge entity, and who does the audience without exception identify with? Even if the character breaks the rules, most people want him/her to succeed because the individual is what it's all about. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;9. Do you know enough hackers personally to know what personality traits they share, if any? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Hackers come from all different backgrounds and have all kinds of lifestyles. They aren't the geeks you see on television or the cyberterrorists you see in Janet Reno news conferences. They range in age from under 10 to over 70. They exist in all parts of the world, and one of the most amazing and inspiring things is to see what happens when they come together. It's all about technology, the thrill of discovery, and sharing information. 
That supersedes any personality issues that might be an issue in other circumstances. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;10. Do you think hackers are productive and serve a useful purpose? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;I think hackers are necessary, and the future of technology and society itself (freedom, privacy, etc.) hinges on how we address the issues today that hackers are very much a part of. This can be the dawning of a great era. It can also be the beginning of true hell. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;11. 
What percentage would you say are destructive as opposed to those in it out of intellectual curiosity or to test their skills? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;This raises several points that I feel strongly about. For one thing, hacking is the only field where the media believes anyone who says they're a hacker. Would you believe someone who said they were a cop? Or a doctor? Or an airline pilot? Odds are they'd have to prove their ability at some point or say something that obviously makes some degree of sense. But you can walk up to any reporter and say you're a hacker and they will write a story about you telling the world that you're exactly what you say you are without any real proof. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;So every time a movie like "Hackers" comes out, 10 million people from AOL send us e-mail saying they want to be hackers, too, and suddenly, every 12-year-old with this sentiment instantly becomes a hacker in the eyes of the media and hence, the rest of society. You don't become a hacker by snapping your fingers. It's not about getting easy answers or making free phone calls or logging into someone else's computer. Hackers "feel" what they do, and it excites them. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;I find that if the people around you think you're wasting your time but you genuinely like what you're doing, you're driven by it, and you're relentless in your pursuit, you have a good part of a hacker in you. But if you're mobbed by people who are looking for free phone calls, software or exploits, you're just an opportunist, possibly even a criminal. We already have words for these people and it adequately defines what they do. While it's certainly possible to use hacking ability to commit a crime, once you do this you cease being a hacker and commence being a criminal. It's really not a hard distinction to make. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Now, we have a small but vocal group who insist on calling anyone they deem unacceptable in the hacker world a "cracker." This is an attempt to solve the problem of the misuse of the word "hacker" by simply misusing a new word. It's a very misguided, though well-intentioned, effort. The main problem is that when you make up such a word, no further definition is required. When you label someone with a word that says they're evil, you never really find out what the evil was to begin with. Murderer, that's easy. Burglar, embezzler, rapist, kidnapper, all pretty clear. Now along comes cracker and you don't even know what the crime was. 
It could be crashing every computer system in &lt;/span&gt;&lt;st1:country-region st="on"&gt;&lt;st1:place st="on"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Botswana&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:country-region&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;. Or it could be copying a single file. We need to avoid the labeling and start looking at what we're actually talking about. But at the same time, we have to remember that you don't become a hacker simply because you say you are. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;12. Do people stay in hacking a long time, or is it the kind of thing that people do for a few years and then move on to something else? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;It can be either. I tend to believe that it's more of a philosophy, a way of looking at something. When you have the hacker perspective, you see potential where others don't. 
Also, hackers think of things like phones, computers, pagers, etc., as toys and things to be enjoyed whereas others see work and responsibility and actually come to dread these things. That's why hackers like to hold onto their world and not become part of the mainstream. But it certainly can and does happen. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;13. What is the future of hacking? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;As long as the human spirit is alive, there will always be hackers. We may have a hell of a fight on our hands if we continue to be imprisoned and victimized for exploring, but that will do anything but stop us. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;14. Given increased attention to corporate and government security, is it getting tougher to hack or not? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Hacking isn't really about success -- it's more the process of discovery. Even if real security is implemented, there will always be new systems, new developments, new vulnerabilities. Hackers are always going to be necessary to the process and we're not easily bored. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;15. Is the possibility of being identified and even prosecuted an issue for most hackers? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Hackers make very bad criminals. This is why we always wind up being prosecuted. We don't hide very well or keep our mouths sealed shut to protect corporate or government interests. But the same security holes would exist even if we weren't around, so I think the hackers should be properly seen as messengers. 
That doesn't mean that you should expect them to just hand over all of their knowledge -- it's important to listen and interpret on your own, as any hacker would.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="mso-spacerun:yes"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;16. Are there hackers who are up for hire? What are they paid? Who hires them, and for what? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Just as you can use hacker ability to attain a life of crime, you can use that ability to become a corporate success. Some are able to hold onto their hacker ideals. Others, sadly, lose them. It's especially hard when young people who haven't worked it all out yet are approached and tempted with huge amounts of money by these entities. It can be very hard to resist and the cost is often greater than anticipated. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;17. Have you had any contact with people you consider cyberterrorists? Do you endorse what they do? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;In all of the time I've been in the scene, which is a pretty long time, I've never come across anyone I consider to be a "cyberterrorist," whatever that is. Most people who talk of such creatures either have something to sell or some bill to pass. This is not to say that such a concept is impossible. But I believe the current discussions aren't based in reality and have very suspicious ulterior motives. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;18. What about the people who hack into Pentagon sites? Do you think they should be punished? &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;According to the Pentagon, there is no risk of anything classified being compromised because it's not on the Internet. If they were wrong, I would like to see someone prove that. If a non-classified site is hacked, I don't see the harm unless something is damaged in some way. Remember, the security hole was already there. If a hacker finds it, it's far more likely the people running the system will learn of the hole. If a criminal or someone with an ulterior motive (espionage, etc.) finds the hole first, it's likely to remain secret for much longer and the harm will be far greater. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;While you may resent the fact that some 14-year-old from &lt;/span&gt;&lt;st1:city st="on"&gt;&lt;st1:place st="on"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Topeka&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; proved your security sucks, think of what could have happened had you not learned of this and had someone else done it instead. I'm the first to say that people who cause damage should be punished, but I really don't think prison should be considered for something like this unless the offender is a true risk to society. The great majority of these cases do not involve damage or vandalism, a fact that largely goes unreported. What people have to remember is that most of the time, this is simply an example of kids being kids and playing games like they have always done. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Obviously, the tools have changed, but that's really not something the kids are responsible for. If some kid somewhere can access your medical records or your phone records, he or she is not the one who put them there. The true violator of your privacy is the person who made the decision to make them easily accessible. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;19. Your real name is Eric Corley. Why do you use the name Emmanuel Goldstein&lt;/span&gt;&lt;/b&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;? &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;I believe everyone should be given the opportunity to name themselves. That name should reflect something about who you are and what you believe in and stand for. Emmanuel Goldstein is that for me, and for those who want to learn why, get a copy of George Orwell's "1984" and see for yourself. Interestingly, our first issue of 2600 was published in January 1984. 
A complete coincidence.&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/7725731431113855300/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=7725731431113855300' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/7725731431113855300'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/7725731431113855300'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/hacker-interview-emmanuel-goldstein.html' title='Hacker Interview (Emmanuel Goldstein)'/><author><name>Eng. 
Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-7144903083450997155</id><published>2008-09-30T09:55:00.000-07:00</published><updated>2008-09-30T09:56:42.895-07:00</updated><title type='text'>'South Park' Trojan Horse can create e-mail storms</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;(IDG) -- A Trojan Horse dubbed "&lt;/span&gt;&lt;st1:place st="on"&gt;&lt;st1:placename st="on"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;South&lt;/span&gt;&lt;/st1:placename&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt; &lt;/span&gt;&lt;st1:placetype st="on"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;Park&lt;/span&gt;&lt;/st1:placetype&gt;&lt;/st1:place&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;" that made its first appearance on the Internet last June is on the loose again, antivirus software vendors warned last week. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;The Trojan Horse spreads by sending itself as an e-mail attachment to all the addresses listed in a user's Outlook Express program. It attempts to do this every 30 minutes, and has the potential to cause storms of e-mail that can clog up a company's network, the vendors said. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;The attachment contains an icon of the character Kyle from the cult cartoon series "&lt;/span&gt;&lt;st1:place st="on"&gt;&lt;st1:placename st="on"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;South&lt;/span&gt;&lt;/st1:placename&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;  &lt;/span&gt;&lt;st1:placetype st="on"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;Park&lt;/span&gt;&lt;/st1:placetype&gt;&lt;/st1:place&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;," and will appear as though it has come from someone known to the recipient, vendors said. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;The Trojan Horse has been reported on Windows NT and 9x machines at dozens of large corporations, government organizations, universities and Internet companies, primarily in the &lt;/span&gt;&lt;st1:country-region st="on"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;U.S.&lt;/span&gt;&lt;/st1:country-region&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt; but also in Asia and &lt;/span&gt;&lt;st1:place st="on"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;Europe&lt;/span&gt;&lt;/st1:place&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;, said Martin Skov, a product-marketing manager with Network Associates' McAfee software division.&lt;/span&gt;&lt;/p&gt;  &lt;p 
class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;Known as W32/Pretty.worm.unp, the Trojan is a variant of the W32/PrettyPark.worm that first surfaced last June and has been dormant for the most part ever since. The new variant differs in that it is not compressed, which made it a little harder to detect initially, Skov said. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;The Trojan Horse may also try to connect to an Internet relay chat server, and could potentially use the connection to get information such as the computer name and registered owner, as well as dial-up networking and user names stored on that computer, Skov said. Network Associates hasn't received a report of that happening yet, he added. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;While its payload isn't considered too severe, in the sense that it doesn't delete data, antivirus vendors upgraded their rating on the Trojan Horse from medium to high risk, primarily because of its ability to spread quickly and clog networks. Network Associates received 70 reports of it in the first four days of the week, compared with 150 reports in the prior two-week period. 
The company first discovered it in mid-February.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;"It's not limited to one industry sector; it's hit pretty much across the board," Skov said. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;The number of reports subsided somewhat and Network Associates hopes to downgrade it to medium risk soon, Skov said. Network Associates has classified seven Trojan Horses and viruses as high risk in the past year, he added. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 102, 102);"&gt;Outlook Express users should be aware of e-mails that carry the subject line, "C:/coolprogs/prettypark.exe." 
File attachments are called "Pretty park.exe" and in some cases "Pretty~1.exe."&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/7144903083450997155/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=7144903083450997155' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/7144903083450997155'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/7144903083450997155'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/south-park-trojan-horse-can-create-e.html' title='&apos;South Park&apos; Trojan Horse can create e-mail storms'/><author><name>Eng. 
Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-7524346213228805787</id><published>2008-09-30T09:48:00.000-07:00</published><updated>2008-09-30T09:55:02.661-07:00</updated><title type='text'>Scenes From a mall (Friday Night)</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Friday night by the Cinnabon with the 'hacker underground'&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;The following is an account of an informal, public meeting of self-described hackers. This article is an account of the event, not an endorsement of hacking. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;It's Friday night, and the hackers are out. At the mall. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;The &lt;/span&gt;&lt;st1:city st="on"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Atlanta&lt;/span&gt;&lt;/st1:city&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; chapter of 2600, a loosely knit international organization of self-described hackers, meets in the food &lt;/span&gt;&lt;st1:street st="on"&gt;&lt;st1:address st="on"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;court of Lenox Square&lt;/span&gt;&lt;/st1:address&gt;&lt;/st1:street&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;, a huge &lt;/span&gt;&lt;st1:city st="on"&gt;&lt;st1:place st="on"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Atlanta&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; shopping mall. Their meetings are planned and publicized -- first Friday of the month, some time between 6 and 8 p.m. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Few of the 20 or so participants at this meeting refuse to be photographed, though all give their online handles rather than real names. That's not just because there's a reporter present; it's par for the course. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;"Some of these guys know my real name, some don't," shrugs Low Tek, one of the more outspoken members of the group. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;The group looks like it could be in a high school or college cafeteria: its members are overwhelmingly young, and they come in a variety of shapes, sizes, clothes and hair lengths. JLee, a visitor from &lt;/span&gt;&lt;st1:city st="on"&gt;&lt;st1:place st="on"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Chattanooga&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;, has spiky, fuchsia hair. Squirrel, a tall, heavyset young man, wears a T-shirt with an anatomically explicit photo of a squirrel. Several have piercings, but nothing particularly startling. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;If this does not fit your notion of hackers, that's part of the point. The consensus among the 2600ers is that the mass media -- and people who get their information from the mass media -- Just Don't Get It. 
Press coverage is "more to scare you than it is to inform you nowadays," Low Tek says.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Aside from "They Just Don't Get It," there are few points of universal assent among hackers. This is an anarchic, argumentative group, the atmosphere polite but contentious. The first of many arguments, and the first of many to remain unresolved, is over the fundamental question of what a hacker is. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;'A bunch of different meanings...'&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;"The word 'hacker' has a bunch of different meanings," one participant says. A bunch of different meanings are then offered. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;"Most hackers in the scene today are ... White Hats," one says. "They don't break into systems." &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;"That's bull----," counters JLee. "Hacking is hacking. Hacking means breaking into systems." &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Whatever a hacker is, the consensus is that a "hacker ethic" exists. Hackers are driven by curiosity, exploring computers the way kids climb over fences. "Hacking, at its basic level, is the pursuit of knowledge," Dos Spider says. "How does it work?" &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;In the broadest sense, "hacking" means digging for information in ways the holders of information never intended -- JLee mentions Abbie Hoffman's "Yippies" of the 1960s as an influence. The hacker is an ordinary person who, for once, has an advantage over the system -- "It's someone watching the watchers, basically," says Empress. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;But hacking, they say, is not stealing; there's a general scorn for computer criminals who abuse the knowledge developed by "real" hackers. The people who break into machines to steal are often labeled "Black Hats" -- though, again, there's no consensus on the definition. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Social engineering: Are you being hacked?&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Several of the hackers mention "social engineering," a high-tech name for the ancient process of asking questions. "When I talk to you, and I get you to say information, I'm hacking your brain," Low Tek says. "When you shook my hand, I was social engineering you." 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;"Uh-oh, you've been hacked," a bystander laughs. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;"The only true form of hacking that's still going to be here when computers come to an end is social engineering," Low Tek says. "There's always going to be a weak link in the chain -- it's always going to be operated by a human." &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Lithium says credit card security, a common worry on the Internet, is an illusion even for those who don't own a computer. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;"If someone wants to get your credit card information, they're going to get it, whether you like it or not," says Lithium, one of the youngest-looking members of the group. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;"It is scary," he says, though he seems more resigned than frightened. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Who's watching the hackers?&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;The philosophy that information is inherently insecure breeds an odd sort of paranoia -- not the fear of being watched, but a near-certainty. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Throughout the meeting, rumors surface: People spotted lurking nearby are recognized from past meetings and marked as plainclothes mall security, local police or even feds. 2600ers have become more attentive to such signs since The Incident. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;The Incident, as it is called, was a 2600 meeting whose participants were hassled by security and run out of the mall, accused of trading pornography. "Some people today believe that it was a way to get pictures [of group members], or a way to get names," Low Tek says. "Other people just think it was a misunderstanding." &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;There's a strong sense of hacker history here, a belief that the best days of hacking have come and gone. "The '80s to early '90s were definitely the Golden Age," Low Tek says. "It was before everybody started locking down ... before security started getting smart." &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;"Any one of us here would give a ... pint of blood to live in the early '80s with the knowledge that we have now," Low Tek says. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Hacking &lt;/span&gt;&lt;st1:city st="on"&gt;&lt;st1:place st="on"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Hollywood&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;, and the cyberpolitics of gender&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Favorite hacker movies among hackers? "Sneakers" is a hands-down choice, followed by "WarGames" as a time capsule of the Golden Age. The recent film "Hackers" is blasted in every respect except the casting of Angelina Jolie. Which brings up another observation -- the hackers at this meeting were nearly all male. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;"Being a woman in this type of thing, you get recognized all the time," says Empress, the only woman at the meeting. "I've been coming to these meetings for a long time ... since '95." &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;Had there not been a reporter present, the 2600ers say, the meeting would have been a primarily social event. "Some of these guys here, I'll hang out at a club, go to a rave with, do the occasional drug..." Low Tek says. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;"We didn't come here as part of some big scheme to overthrow the government like everyone thinks," Lithium says. "That's what my Mom thought." &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;As the meeting breaks up, Low Tek gets down to business: "So, what's everybody doing tonight?" 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(153, 0, 0);"&gt;It is, after all, Friday night.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-7524346213228805787?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/7524346213228805787/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=7524346213228805787' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/7524346213228805787'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/7524346213228805787'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/scenes-from-mall-friday-night.html' title='Scenes From a mall (Friday Night)'/><author><name>Eng. 
Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-103020878580133142</id><published>2008-09-30T09:44:00.000-07:00</published><updated>2008-09-30T09:45:11.105-07:00</updated><title type='text'>No Defense</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(102, 0, 204);"&gt;No one connected to a computer network is really safe from hackers. Luckily, most invasions or infections don't result in serious injury to the system that has been attacked. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(102, 0, 204);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(102, 0, 204);"&gt;The only real defense is limiting your risk by using virus scanners and enforcing security measures on network computers. But in the end, hackers see security systems as a challenge, not an obstacle. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(102, 0, 204);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(102, 0, 204);"&gt;For more information on hacking and security, take a look at these sites: &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(102, 0, 204);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(102, 0, 204);"&gt;Technology and Society at the World Wide Web Consortium (W3C) -- The W3C tries to set and maintain standards for the portion of the Internet people are most familiar with, the World Wide Web. The Technology and Society domain seeks to influence public and private policy on issues, including security, arising out of the development of Web technology. The articles may be a little dry, but the information is good. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(102, 0, 204);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(102, 0, 204);"&gt;Electronic Freedom Foundation -- An organization dedicated to keeping the Internet an uninhibited medium for information, the EFF is an excellent source of information about security issues and legislation that affects the Internet.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-103020878580133142?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/103020878580133142/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=103020878580133142' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/103020878580133142'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/103020878580133142'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/no-defense.html' title='No Defense'/><author><name>Eng. 
Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-2421582167236052335</id><published>2008-09-30T09:43:00.000-07:00</published><updated>2008-09-30T09:44:26.305-07:00</updated><title type='text'>Virus Builders</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(204, 51, 204);"&gt;Some hackers are also virus builders. Viruses, worms, Trojan horses and logic bombs are all forms of programs that can invade a system. Some are malicious, some aren't. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(204, 51, 204);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(204, 51, 204);"&gt;A virus is a program that may or may not attach itself to a file and replicate itself. It may or may not corrupt the data of the file it invades. It may or may not try to use all of the computer's processing resources in an attempt to crash the machine. If that seems vague, it's because viruses are tricky. They may be simple notes that say "Hello" -- or they may attack and corrupt the files at the core of the system, causing it to crash. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(204, 51, 204);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(204, 51, 204);"&gt;Worms invade a computer and steal its resources to replicate themselves. They use networks to spread themselves. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(204, 51, 204);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(204, 51, 204);"&gt;A Trojan horse appears to do one thing but does something else. The system may accept it as one thing, but upon execution it may release a virus, worm or logic bomb. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(204, 51, 204);"&gt; &lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(204, 51, 204);"&gt;A logic bomb is an attack triggered by an event, like the computer clock reaching a certain date. It might release a virus or be a virus itself. &lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-2421582167236052335?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/2421582167236052335/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=2421582167236052335' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/2421582167236052335'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/2421582167236052335'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/virus-builders.html' title='Virus Builders'/><author><name>Eng. 
Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-1084634235184861108</id><published>2008-09-30T09:39:00.000-07:00</published><updated>2008-09-30T09:43:28.646-07:00</updated><title type='text'>Software Crackers</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 255, 255);"&gt;Application software, such as programs for word processing or graphics, puts the power of a personal computer in the hands of a user, even one who doesn't know how the computer works. It's often expensive and, like anything else that's useful but expensive, there's bound to be someone who wants to get it free of charge. That's where "crackers" -- hackers who break software security -- come in. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 255, 255);"&gt;These hackers develop their own software that can circumvent or falsify the security measures that keep the application from being replicated on a PC. For instance, suppose you have a piece of software that requires a serial number to install. A software hacker gets around this in much the same way that network hackers attack network security. 
They may set up a serial number generator that tries millions of combinations of numbers and letters until it finds one that matches. The hacker could also attack the program at the assembly-code level, finding and altering the security measures. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 255, 255);"&gt;One note: A software hacker is not necessarily a software pirate. A hacker may break the security and use the software, but a true pirate would also replicate and sell the cracked software. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-1084634235184861108?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/1084634235184861108/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=1084634235184861108' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/1084634235184861108'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/1084634235184861108'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/software-crackers.html' title='Software Crackers'/><author><name>Eng. 
Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-7731867949738911575</id><published>2008-09-30T09:15:00.000-07:00</published><updated>2008-09-30T09:16:13.578-07:00</updated><title type='text'>Network Hackers</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt;These are the hackers you see in movies, usually as unattractive, introverted and anti-social -- or ultra-hip, sexy and connected. Real hackers don't fit those stereotypes. They aren't nerds living in darkened dorm rooms or multi-millionaire industrial spies. They are average people with strong computer skills and the desire to test those skills in ways that often prove illegal. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt;Network hackers engage in several sorts of activities. Some, like "denial of service attacks" or "mail bombs," are designed to swamp a computer network's ability to respond and perform its internal functions. 
For instance, a denial of service attack on a Web server floods it with bogus requests for pages. The server spends so much time trying to process these requests that it can't respond to legitimate requests and may crash. A mail bomb is similar but targets a victim's mail server. A number of businesses and Internet service providers have suffered these sorts of attacks in recent years.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt;Another form of network hacking involves penetrating a secure area by subverting its security measures. Network hackers might accomplish this by setting up programs that try millions of passwords until one is accepted. A hacker may set up "sniffers," programs that check data to find encrypted or sensitive information. Once they gather the information they can decode it, or if unencrypted, use it directly to find out more about a network and penetrate it more easily. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt;Once hackers get onto the machines that host networks, they can alter or remove files, steal information and erase the evidence of those activities. But many hackers break security systems just to see if they can do it. They may enter the system, look at the data within and never go back. 
For these hackers, it's more a test of skill than an attempt to steal or alter data. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-7731867949738911575?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/7731867949738911575/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=7731867949738911575' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/7731867949738911575'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/7731867949738911575'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/network-hackers.html' title='Network Hackers'/><author><name>Eng. Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-5427080897614695189</id><published>2008-09-30T08:44:00.000-07:00</published><updated>2008-09-30T09:07:41.310-07:00</updated><title type='text'>Hackers, crackers and Trojan horses: A primer</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 255, 51);"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;Two things terrify today's computer users: viruses and hackers. 
And just like viruses, most people don't understand hackers or what they do. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 255, 51);"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 255, 51);"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;Hackers come in many varieties. The term "hacker" usually brings to mind three of these -- people who break the security of computer networks, people who break the security on application software, and people who create malicious programs like viruses. These aren't mutually exclusive, but it's a simple way to divide the activities that fall under "hacking." &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-5427080897614695189?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/5427080897614695189/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=5427080897614695189' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/5427080897614695189'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/5427080897614695189'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/hackers-crackers-and-trojan-horses.html' title='Hackers, crackers and Trojan horses: A primer'/><author><name>Eng. 
Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-3323155815472864045</id><published>2008-09-30T06:03:00.000-07:00</published><updated>2008-09-30T06:08:50.725-07:00</updated><title type='text'>Rootkit Unhooker v3.8 It's Past, Present and Future of the NTx86 Rootkit Detection</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span class="edgeatext"&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: large;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;By:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: large;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="edgeatext"&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: large;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Arvind Nehra&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="edgeatext"&gt;&lt;span style="font-size: 10.5pt; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span class="edgeatext"&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" 
style="color: rgb(255, 0, 0);"&gt;Rootkit Unhooker v3.8&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 10.5pt; font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="edgeatext"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;It's Past, Present and Future of the NTx86 Rootkit Detection&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="edgeatext"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Contents:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="edgeatext"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;1) RKU short overview (Past)&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;span class="edgeatext"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;2) New features of the 3.8 (Present)&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;span class="edgeatext"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;3) Perspectives (Future)&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="edgeatext"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;******RKU short overview******&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  
&lt;p&gt;&lt;span class="apple-style-span"&gt;&lt;span style="font-size: 10.5pt; font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Rootkit Unhooker is rootkit detection and removal software, well known to specialists (and not only to them), developed since 2006 by a group of independent people who are NOT related to or affiliated with commercial security companies or malicious software coder groups.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span style="font-size: 10.5pt; font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 10.5pt; font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;RKU's main goal was always not simply to reveal rootkits but to counteract them effectively, resulting in rootkit removal with the help of RKU. Due to the specifics of its implementation, this rootkit detection software is able to reveal most of the well-known rootkit technologies implemented in both user and kernel mode of NT-core-based operating systems such as Windows 2000, XP, 2003, Vista, 2008. RKU's main features are: detection of different types of hooks (for example: the most commonly used splicing, Import table patching, Export table patching, DKOH, (S)SSDT patching, IDT manipulation etc.), successful removal of most of them (if, of course, they can be removed and do not restore themselves), detection of other hidden stuff such as processes, drivers, files, alternate data streams, stealth code working in kernel mode, internal system mismatches and more, where the main goal of each part was and will be a deeper technical realization of each feature. 
You can read the full list of features in the RKU help, so let us not waste time and move on to more interesting stuff.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Originally, program development started at the end of 2005 and the beginning of 2006 as a proof-of-concept project. With time it became more than just a simple PoC like many other antirootkits\rootkit detectors (for example klister, DarkSpy and many, many others). Its target was always a wide sphere of activity, where each part of detection was implemented well enough, in the beginning for the detection of all available proof-of-concept rootkits and their technologies, and later for the detection and removal of existing and very quickly evolving malicious software such as never-ending bots with rootkit components. For a short time after its birth this project was open source (until version 2.0.40). The first appearance of this software was on the SysInternals forums, which are now part of Microsoft Technet. Well, we will return to this part a little later.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;This project was always fully FREEWARE and free from any kind of specially created backdoors or “easter” eggs. Since 2007 RKU has been divided into two different parts, LE and VX, where LE stands for Lite Edition and VX for Veritable eXtended version. Their main difference initially was not only the level of features they provide, but also their future development. For example, it was claimed that LE is the last publicly available Rootkit Unhooker version due to numerous reasons and that its development will soon be completely over. 
And this is exactly what happened: on 4 October 2007 the last version of public RKU, labeled 3.7, was released. The reasons for this were stated many times before and we see no point in repeating them again.&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Unfortunately, instead of understanding a few simple (as we think) things, many people related to crapware/security coding started creating numerous idiotic rumors about RKU itself and its authors. We had a very good laugh at their hypotheses and their behavior during the last year. We were even unable to imagine that a few “respected” well-known security developers (like Ilya Rabinovich, for example, in his postings at the Kaspersky-sponsored virusinfo.info forums) would spread and actively defend an idiotic theory about a relationship between the disappearance of RKU and the pompous introduction of the so-called first fourth-generation rootkit detection software (in reality bullshit). More interesting stuff took place at the SysInternals forums, where several guys started actively searching for backdoors inside RKU and, by the way, advertising their commercial software (OnlineSolutions). It seems these people were just waiting for us to finally shut up to start their ridiculous campaigns. 
After the revealing of Rustock.C, well known to specialists but fully unknown to everybody else including most of the antivirus companies, mister Alexander Gostev from KL accused us of malicious software coding and “long advertising of nothing”, where mister Gostev used several terms and analogies interesting for his psychiatrist; moreover, this so-called virus analyst from a so-called antivirus company even claimed that we can’t detect the Rustock beastie. Thank you, dear Kaspersky Lab, hope after this shit, your buggy and shitty product will detect something more than just KL self-made Trojans and VBA macro-viruses written by mister Gostev.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;In the middle of 2008 there was a real vacuum of rootkit detection software from independent groups. Actually there is just ONE good active freeware project – Root Repeal (http://rootrepeal.googlepages.com). Anything else is only full trash; even GMER has not been updated for a long time. In addition, IceSword is almost dead. We are not speaking about the numerous so-called antirootkits from antivirus companies, simply because they are full trash oriented mostly on rootkits of the long-finished Hacker Defender era. Rootkit activity, however, did not decrease, and more rootkits in the past year evolved dramatically in the technologies they use. Yes, most of them are still completely script-kiddie by nature, but we saw the malware bootkit, we saw Acsesso, we saw the Rustock series and we can imagine what will come in the near future. 
And it was necessary to update good old RKU 3.7 to meet the new time, new threats and “new” rootkit technologies, and we did this.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;******New features of the 3.8******&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;First, it was necessary to respond to the existing or just revealed rootkit technologies implemented, for example, in Rustock.C. Kaspersky Lab denied its existence for a long time, and after this rootkit was revealed by their competitor DrWeb they of course started a stupid and absolutely mediocre, helpless campaign against everybody who is not with them or their passive proactive position. Obviously we cannot copy-paste all the methods of detecting this kind of rootkit from VX to LE, so we made another variant of detection, based on revealing and removing rootkit hooks. It is known that it is exactly the numerous Rustock.C hooks that protect this rootkit from being revealed/removed by antivirus software. We do not want to speak about Rustock anymore because it is obviously a dead theme, where too much AV money is involved and too much shit has already been told. However, the new 3.8 LE doesn’t detect all of this rootkit’s hooks, simply because revealing all of them would require copy-pasting too much code from VX, which we do not want to publish at all. Our next target was the bootkit. Yes, it is quite old and already a very well-known rootkit, but we wanted to add something new to its detection, not just copy-paste as some of the antivirus antirootkits did (BlackLight, GMER (aswar) for example). 
The idea of the bootkit detection is not new – it is cross-checking the master boot record sector (usually 0) for a mismatch between two different scans, where the high-level API makes the first scan and low-level disk reading makes the second. Most antirootkits here use the original ClassReadWrite handler located inside classpnp.sys; we found this solution good, but not very cool, since there are obviously several easy ways to bypass it. We decided to do a little experiment, and since we cannot use anything from the private VX series, it was necessary to create a new detection method for the bootkit which is not present in the VX variant. We chose SCSI, actually SCSI_REQUEST_BLOCK. It is a well-documented way, very easy, but not very hardware independent. However it works, at least in our test, lol. The removal of the bootkit was also based on the same method. We doubt the future of bootkits, since it is always known what and where you should look for to detect them, even if the bootkit changes the boot sequence in BIOS.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;After dealing with these two bad guys we started attacking rootkits with an anti-antirootkit part. Yes, such beasties exist, and it is a new trend in malicious rootkit development. While seemingly completely unable to bypass antirootkits conceptually, malware coders, due to a complete lack of professionalism and their love for easy money, started attacking antirootkits in their crappy products. For example: special FSD filters preventing antirootkits from operating with RAW disk data, and hooking several functions that are meaningless for the rootkit but meaningful for antirootkits, preventing antirootkits from using them correctly. 
As the last and a very dangerous method here, we saw a rootkit named Siberia2 which deliberately damaged the Object Directory to prevent antirootkits from working and detecting it. The funny part about all of these rootkits – there is nothing else interesting in them except their aggressive defense. Further rootkits with such “technologies” will come soon; we have no doubt about this. Next, it was necessary to respond to several new interesting proofs-of-concept which were introduced during the last year. However, we found nothing useful in some of them (such as raw filtering), simply because these PoCs are incomplete and buggy and in real life will not survive a few hours of work: when they become unseen by the system, the operating system can do whatever it wants with the space they allocate. There is no good realization of a disk sector hider, only BSOD-generator-like dead concepts. Very likely this kind of technology exists elsewhere (since we have equivalent private demo non-malicious rootkits), but in private. Therefore, we cannot and do not want to fight with meaningless shadows.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;We found a very simple and efficient way of detecting hidden processes on 2003/Vista/2008 systems. It isn’t really new; as you probably know, klister introduced Scheduler list analysis a long time ago. But since the 2003 release no rootkit detectors with klister functionality have been made for the new NT core. The scheduler was changed in 2003, and this also applies to Vista/2008.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;A little explanation here. 
Since 2003 the scheduler lists are no longer accessible from the body of the functions where they were located previously. The scheduler lists are now accessible from the processor control region data, where the scheduler now operates on them through a special array of PRCB structures, one per processor.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;It is not a secret technology and we can even give a sample of the code to the public; it is very simple and covers all currently available NT versions since 2003. We would like to share this code because it is an easy way to help antirootkit developers detect hidden stuff under the new NTs. We have not seen something like this in public before, maybe because we googled too little for it?&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;/span&gt;&lt;span style="font-size: 10pt; font-family: 'Courier New'; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;void Win2k3VistaKiWaitListHeads()&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;{&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    ULONG KiWaitInListHead_offset = 0;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    ULONG KiDispatcherReadyListHead_offset = 
0;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    PKPRCB p1 = NULL;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    KiWaitInListHead = NULL;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    KiDispatcherReadyListHead = NULL;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    p1 = KeGetCurrentPrcb();&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    if (p1)&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        switch ( NtBuildNumber )&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        case 
3790:&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                switch ( wServicePackMajor )&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                case 0:&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                    {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                        KiWaitInListHead_offset = 0x920;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                        KiDispatcherReadyListHead_offset = 0x930;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                        break;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; 
&lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                    }&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                case 1:&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                case 2:&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                default:&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                    {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                        KiWaitInListHead = &amp;amp;p1-&gt;WaitListHead;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                        KiDispatcherReadyListHead = &amp;amp;p1-&gt;DispatcherReadyListHead[0];&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                        return;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;          
          }            &lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                }&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                break;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            }&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        case 6000:&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                KiWaitInListHead_offset = 0x1A20;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                KiDispatcherReadyListHead_offset = 0x1A60;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                break;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span 
class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            }&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        case 6001:&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                KiWaitInListHead_offset = 0x1AA0;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                KiDispatcherReadyListHead_offset = 0x1AE0;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                break;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            }&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        default:&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; 
&lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                KiWaitInListHead_offset = 0;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                KiDispatcherReadyListHead_offset = 0;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                break;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            }&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        }&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        if (KiWaitInListHead_offset)    &lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            KiWaitInListHead = (PLIST_ENTRY)(PBYTE(p1) + KiWaitInListHead_offset);&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        if (KiDispatcherReadyListHead_offset)&lt;/span&gt;&lt;/code&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: 
rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            KiDispatcherReadyListHead = (PLIST_ENTRY)(PBYTE(p1) + KiDispatcherReadyListHead_offset);&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    }&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;}&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;/span&gt;&lt;span style="font-size: 10.5pt; font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Here KiDispatcherReadyListHead is now an array of list entries, one for each priority. 
Parsing of these lists has also changed since 2000/XP.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;/span&gt;&lt;span style="font-size: 10pt; font-family: 'Courier New'; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;void ProcessKiWaitListHead(PLIST_ENTRY List, PEPROCESSINFO pinf)&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;{&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    PLIST_ENTRY entry = List;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    PETHREAD et1;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    ULONG _offset;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    if (List == NULL) return;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    entry = entry-&gt;Flink;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;code&gt;&lt;span 
class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    do&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    {    &lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        //Thread.Tcb.WaitListEntry - OffsetWaitListEntry&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        switch ( NtBuildNumber )&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        case 3790:&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                _offset = 0x60;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                break;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span 
class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            }&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        case 6000:&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        case 6001:&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                _offset = 0x70;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                break;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            }&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        default:&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: 
rgb(255, 0, 0);"&gt;                _offset = 0x60;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;                break;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            }&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        }&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        et1 = (PETHREAD)((ULONG)entry - _offset);&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        if (MmIsAddressValid(et1))&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            AddToProcessTable(et1, pinf);&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        }&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span 
class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;        entry = entry-&gt;Flink;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    } while (entry != List);&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;}&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;void ProcessKiDispatcherReadyLists(PLIST_ENTRY StartListHead, PEPROCESSINFO pinf, ULONG ListHeads)&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;{&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    PLIST_ENTRY CurrentListHead;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    ULONG Counter = 0;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;  &lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;  for( CurrentListHead = StartListHead;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" 
style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            Counter &amp;lt; ListHeads;&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;            CurrentListHead++, Counter++)&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    {&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;  &lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;      ProcessKiWaitListHead(CurrentListHead, pinf);&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;    }&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;}&lt;/span&gt;&lt;/code&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;/span&gt;&lt;span style="font-size: 10.5pt; font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;We would like to thank the author of RootRepeal, because we consulted with him while researching this 
method.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Beyond these new features, RKU 3.8 also fixes some terrible old bugs, removes some obsolete detection methods, updates internal structures, etc. RKU 3.8 also features physical memory dumping, which is based on the open-source win32dd project. However, we found the win32dd code, especially the driver part, buggy and recoded most of it.&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;******Perspectives******&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;For now we continue LE as well as VX development; even though the sources of VX were sold last year, the rights to this code are still ours. More things should be added to improve their usability, stability and detection/removal methods. We are no longer interested in script-kiddie feedback or in their continued idiotic rumors about nonexistent things. However, if you have questions, minidumps, etc., we will be glad to hear from you; feel free to contact us. Development of freeware tools depends heavily on feedback from users. For a long time we were on the Sysinternals forums, helping people not only in dealing with malware but also in other areas. For a long time this place had a lot of constructive and talented people. 
However, since its acquisition by Microsoft in July 2006, SysInternals has become more and more unfriendly, and now we can finally say with 100% certainty that Microsoft pursues a policy of CENSORSHIP at SysInternals (as part of TechNet), especially on the forums. You do not need to be a very smart person to understand this. First, Microsoft ordered support for the old versions of Windows to be dropped from the SI tools (this was done deliberately, because the same new ProcMon can be compatible with old versions, no matter what anybody claims to the contrary; it may not use Minifilters for NT4/2000, for example, and please do not make us laugh too much by telling us that this is impossible). A stupid EULA was added to everything, and the most interesting projects, like Rootkitrevealer, Autoruns, FileMon and RegMon, were ended, because we can't say that non-meaningful updates of Autoruns are evolution. Of course, all this is the program authors' decision, but it is too suspicious in relation to Microsoft, isn’t it? And what about the forums, which we can no longer use because the Microsoft administration, in the person of Curtis Metz, has built a blacklist of IPs? The forums are under heavy censorship. The main role here is played by mister Karl, aka Karlchen – a very old moderator, who is responsible for all the censorship at the forums, mockery in several topics, posting personal moderator opinions in topics closed by the same moderator, and silent graffiti in several topics (which they now can’t delete – pure Drama, isn’t it?). It really is “Power corrupts”, and mister Karlchen now knows this perfectly. After we were kicked/banned, this place was owned by a gang of real idiots of every kind; they all think that they are living in the Matrix and that evil rootkits are everywhere, including their home toasters. This idiocy owned what was in the past a very good and interesting place. 
Owned with the direct help of mister Karl and the new administration.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Drama.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Well, enough about idiots; let’s go back to the main theme.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Below is the link to the latest Rootkit Unhooker v3.8. It is uploaded to a free file-hosting service, simply because we don’t have a vault here and can’t use any other FTP for security reasons. The MD5 checksum is included; the help file and localization packs are also here. Perhaps, if the administration of rootkit.com is not against it, the old source code of RKU will soon be posted here as well, not only the very old 2.0 ;)&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;If you have questions/comments/suggestions, please use the Memo system to reach us. 
Stupid output will be ignored, offensive output will be ignored and reported to administration.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;NOTE: YOU USE THIS SOFTWARE AT YOUR OWN RISK&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;NOTE: REMOVE ALL PREVIOUS LE VERSIONS BEFORE USING THAT VERSION!&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;a href="http://rapidshare.com/files/136965760/RkU3.8.341.552.rar.html" target="_blank"&gt;&lt;span style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;http://rapidshare.com/files/136965760/RkU3.8.341.552.rar.html&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;df4536abcf25ec8f77c91f2b058e4c02 *RkU3.8.341.552.exe&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Locals&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;a href="http://rapidshare.com/files/134702156/2local.rar.html" target="_blank"&gt;&lt;span style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 
0);"&gt;http://rapidshare.com/files/134702156/2local.rar.html&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;This software and article are posted at rootkit.com as an exclusive. Any other link elsewhere to this software that does not note the original post location and MD5 checksum IS NOT GENUINE.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-3323155815472864045?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/3323155815472864045/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=3323155815472864045' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/3323155815472864045'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/3323155815472864045'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/rootkit-unhooker-v38-its-past-present_30.html' title='Rootkit Unhooker v3.8 It&apos;s Past, Present and Future of the NTx86 Rootkit Detection'/><author><name>Eng. 
Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-3293181283452268045</id><published>2008-09-30T05:50:00.001-07:00</published><updated>2008-09-30T06:01:42.221-07:00</updated><title type='text'>Cutting to the chase: Hackers</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana; font-size: 14px;"&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Cutting to the chase: Hackers join forces with security firm to keep the world safe&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;em&gt;&lt;span style="font-family:&amp;quot;Verdana&amp;quot;,&amp;quot;sans-serif&amp;quot;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Net Life/Stephanie Schorow&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Which 
is a more revealing story? That in December a hacker calling himself Maxim broke into a server at an on-line CD store and obtained thousands of credit card numbers?&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Or that when Maxim posted those numbers on a Web site from which visitors could get them, one at a time, thousands reportedly did so?&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Must we beware the hacker in the machine - or the hacker next door?&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;First, a look at the word ``hacker'' - it's not a synonym for ``criminal,'' just as not every locksmith is a burglar, as one hacker told me. A hacker cracks software codes to get into a company's network or Web page for the thrill of beating the system, not necessarily to cause mischief. 
But the movie ``War Games'' transformed a bit of MIT slang for a guy who likes to create computers into a term for someone who wants to destroy them.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;In popular culture, the Evil Genius Hacker has joined the Mad Scientist and Megalomaniac Who Wants to Rule the World as a standard stereotype. Fox Mulder of TV's ``The X-Files'' could not chase his aliens without illegal hacking help from the so-ugly-they're-cute Lone Gunmen, Good Guy Hackers. Hackers get a total makeover into leather-coated chic in ``The Matrix.''&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;But such stereotypes don't hold up in real life. 
The most recent Def Con - the hackers' annual meet-and-defeat confab, had, according to one on-line report, ``all the corporate professionalism of a computer mainstream industry.'' Activists, calling themselves ``white hat hackers,'' have formed a group dedicated to hacking into and shutting down kiddie-porn sites.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;And just two weeks ago, the famed Boston-area hacker collective - known as the LOpht - announced its merger with a start-up security company, @Stake. With founders hailing from Compaq and Forrester Research, plus $10 million in venture capital, @Stake is pure pinstripe. At LOpht, geek rules.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;The news intrigued me. For years, I'd heard about LOpht's expertise, its Web postings of key security flaws in Windows-based systems, about its outlaws-in-good-standing image with the so-called black hat hacker underground, and about their gizmo- and Cheez-Its-clogged warehouse. Going by hacker handles of Mudge, Dildog and Space Rogue, they've testified on lax computer security before the U.S. Senate. 
They embodied Bob Dylan's phrase: ``to live outside the law, you must be honest.''&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;When the hacker who goes only by ``Mudge'' returned my call, his voice was more lighthearted than mysterious. For a guy who supposedly has the ability to take down the Internet in 30 minutes, he was cheerfully patient with a fumbling reporter's Hacking 101 questions.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;What enticed LOpht to come in from the cold? Well, money, for one thing; ``we'd been looking around for various way to get the LOpht to fund itself,'' said Mudge. 
With @Stake's pledge not to market any specific security product, take kickbacks from vendors or interfere with LOpht's continued posting of security flaws, LOpht will be able to remain the hacker's Consumer Reports, Mudge said.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;LOpht's independence is invaluable to @Stake, said Ted Julian, @Stake founder and vice president of marketing: ``There's an enormous demand in the marketplace for these people.''&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;That's because computer security itself is transforming. As Mudge said, ``We know how to make a closed system.'' Put up a fire wall and keep people out. But with burgeoning e-commerce, systems have to remain open enough to allow consumers access to key information. Users, for example, might want to search inventories or track a delivery. Yes, Mudge asserted, ``you absolutely can'' secure such systems. You just need the right tools. 
Attorney General Janet Reno's recent call for a national anti-cybercrime network underscores the need for enhanced security.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Hacking is changing, too. Once the domain of code-writing uber-nerds, it's been invaded by so-called script kiddies, young neophytes who attack with a point and click. ``The media actually encourages them,'' Mudge said, disgustedly. ``If you read about someone breaking into a high profile Web page, it's `a 16-year-old, brilliant misguided kid.' If a 16-year-old walked into a liquor store, shot the clerk to get the money, they never say, a `brilliant juvenile expert in spontaneous combustion.' ''&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;For me, the most telling aspect of the Maxim hack was that afterwards no one I knew - even those who blew big bucks shopping the dotcoms - seemed spooked about e-shopping. Perhaps we've accepted a certain level of e-commerce risk. Consider: thousands of traffic accidents occur daily, but we wouldn't ban driving. We just want to keep the 16-year-old drivers under control. And we want safer roads. 
Which makes me glad that the LOpht is still out there.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-3293181283452268045?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/3293181283452268045/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=3293181283452268045' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/3293181283452268045'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/3293181283452268045'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/cutting-to-chase-hackers.html' title='Cutting to the chase: Hackers'/><author><name>Eng. 
Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-1551451534187123504</id><published>2008-09-30T05:47:00.000-07:00</published><updated>2008-09-30T05:50:22.891-07:00</updated><title type='text'>Download Hacker Defender</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span style="font-size: 10.5pt; "&gt;&lt;span class="Apple-style-span" style="font-family: arial;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Hacker Defender Download from Here &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 10.5pt; font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span style="font-size: 10.5pt; font-family: Verdana, sans-serif; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-style-span"&gt;&lt;span style="font-size: 10.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a href="http://24.161.50.41/RootKits/" target="_blank"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;http://24.161.50.41/RootKits/&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="color:black"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-1551451534187123504?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link 
rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/1551451534187123504/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=1551451534187123504' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/1551451534187123504'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/1551451534187123504'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/download-hacker-defender.html' title='Download Hacker Defender'/><author><name>Eng. Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-2355893556427715997</id><published>2008-09-30T05:43:00.000-07:00</published><updated>2008-09-30T05:46:44.074-07:00</updated><title type='text'>Hacker Defender rootkit for Windows</title><content type='html'>&lt;table class="MsoNormalTable" border="0" cellspacing="5" cellpadding="0" style="mso-cellspacing:3.7pt;mso-padding-alt:3.75pt 3.75pt 3.75pt 3.75pt"&gt;  &lt;tbody&gt;&lt;tr style="mso-yfti-irow:0;mso-yfti-firstrow:yes"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;short 
description&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;This is the Hacker Defender rootkit for Windows.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:1"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;long description:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td 
style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;Hacker Defender was a very common rootkit in the wild. It sports a user-friendly INI file that controls its behaviour. It is a 98% userland rootkit and some source code is available. There are also commercial versions of Hacker Defender that bring new functionality together with protection against antivirus products and rootkit detectors.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:2"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;project leader:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p 
class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: 11px;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;NETCOM&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:3"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;homepage:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;a href="http://hxdef.org/"&gt;&lt;span style="color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;http://hxdef.org&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 
0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:4"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;changelog:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:5;mso-yfti-lastrow:yes"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;download:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" 
style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;a href="https://www.rootkit.com/vault/hf/hxdef100r.zip"&gt;&lt;span style="color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;link&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 0, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-2355893556427715997?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/2355893556427715997/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=2355893556427715997' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/2355893556427715997'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/2355893556427715997'/><link 
rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/hacker-defender-rootkit-for-windows.html' title='Hacker Defender rootkit for Windows'/><author><name>Eng. Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-4665828173477511510</id><published>2008-09-30T02:45:00.000-07:00</published><updated>2008-09-30T03:10:18.502-07:00</updated><title type='text'>Winlogon Hijack</title><content type='html'>&lt;table class="MsoNormalTable" border="0" cellspacing="5" cellpadding="0" style="mso-cellspacing:3.7pt;mso-padding-alt:3.75pt 3.75pt 3.75pt 3.75pt"&gt;  &lt;tbody&gt;&lt;tr style="mso-yfti-irow:0;mso-yfti-firstrow:yes"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style=" ;font-family:Arial;"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;short   description&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style=" ;font-family:Arial;"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Winlogonhijack   injects a dll into 
winlogon.exe and hooks msgina.WlxLoggedOutSAS, logging   every login in plaintext.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:1"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style=" ;font-family:Arial;"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;long   description:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style=" ;font-family:Arial;"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:2"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style=" ;font-family:Arial;"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;project   leader:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span 
class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span"  style=" ;font-family:Arial;"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;NETCOM&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:3"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style=" ;font-family:Arial;"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;homepage:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;http://www.netcomhacknews.blogspot.com&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;p class="MsoNormal"&gt;&lt;span style=" ;font-family:Arial;"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span style="mso-field-code:&amp;quot; HYPERLINK \0022\0022 
&amp;quot;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:4"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style=" ;font-family:Arial;"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;changelog:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style=" ;font-family:Arial;"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;http://www.rootkit.com/vault/JeFFOsZ/winlogonhijack-changelog.txt&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:5;mso-yfti-lastrow:yes"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style=" ;font-family:Arial;"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span 
class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;download:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style=" ;font-family:Arial;"&gt;&lt;span style=""&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span" style=""&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 0);"&gt;&lt;a href="http://www.rootkit.com/vault/JeFFOsZ/winlogonhijack-v0.3-src.rar"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;link&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-4665828173477511510?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/4665828173477511510/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=4665828173477511510' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/4665828173477511510'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/4665828173477511510'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/winlogon-hijack.html' title='Winlogon 
Hijack'/><author><name>Eng. Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-6143980736996938980</id><published>2008-09-30T02:40:00.000-07:00</published><updated>2008-09-30T02:45:10.830-07:00</updated><title type='text'>Security Through Virtualization Obscurity</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;&lt;span class="Apple-style-span" style="font-style: italic;"&gt;&lt;span class="Apple-style-span" style="font-size: large;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Security Through Virtualization Obscurity&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Prologue&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Presented in the beginning of the 2008 Hypersight Rootkit 
Detector was immediately surrounded by rumors and gained a lot of myths, just like Rustock.C. Their homepage is&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-style-span"&gt;&lt;a href="http://northsecuritylabs.com/" target="_blank"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;http://northsecuritylabs.com,&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;where you can also download the latest version of this program. The authors of this program claimed it to be the&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;"World’s first Fourth-Generation rootkit detector". It is bullshit. 
And we will tell you why.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;   &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;1. The First VIPS&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;2. Actual View of Things or the Mysterious Ring -1&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;3. 
Security Through Virtualization Obscurity&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;4. Epilogue&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;   &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;1. 
The First VIPS&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;   &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Much rumored from the beginning, this unknown North Security Lab was immediately linked with our UG North as a continuation of the RKU project.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;The most surprising thing here is the obstinacy of some persons who began collecting rumors and creating new ones about the detector and about its authors. We would like to officially tell everybody that we have nothing to do with this unknown "North Security blah blah blah". What is more, we think this is another group of former carders who are trying to begin a new life with another white project related to security. Examples of such behaviour can be found not only in Russia.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;This detector uses Intel VT technology built into the new generation of Intel chips (Core2) and its AMD-V analogue. 
This is a kind of Blue Pill in the security sphere, and as it was with Blue Pill, there are more rumors and myths here than real usefulness. As you understand, this program will not work on old machines without virtualization support, which is a huge percentage of all available computers. They even created a new brand name for their project - Virtual Intrusion Prevention System aka VIPS. This is kinda bullshit, and as was shown with Rustock.C, this old rootkit wasn't supervised by VIPS just because it gained control of the system much earlier and HRD was unable to decide.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;2. 
Actual View of Things or the Mysterious Ring -1&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-style: italic;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;What is the Ring 0xFFFFFFFF aka Ring -1?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;It is a kind of hypervisor. You can find some part of it even now in Windows Server 2008. You can find a lot of useful information in the Mark Russinovich article about Ring -1 (check his blog at Microsoft TechNet), and you can also get more information about virtualization from the VMWare Inc. publications.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;The hypervisor gives the ability to control the following components: I/O port requests, memory, CPU registers. Something else? No, that is all, folks. Is it enough for rootkit detection? Presumably yes? Ye.. Of course no. 
Why?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;To successfully detect real kernel mode backdoors aka rootkits it is not enough to simply supervise register changes or attempts to read/write at some addresses. To gain REAL supervision over the system the antirootkit (let's call it VIPS if they so wish) should first control the file systems and the operating system specific data and structures. Here we see the first reefs, and they are deadly for this concept. Emulation of the file systems will reduce the performance of any computer and will result in numerous system/software configuration related bugs with third-party hardware or, for example, let's take RAID. Don't forget about OS-dependent issues, for example with W2k08. And that is all, VIPS goes to the trashcan, because what do you want - a workable computer or a totally fucked and screwed virtual machine that will hang and fly into blue screen country as soon as you decide to change something in the hardware etc. Another fuck for VIPS is its communication with the operating system. No matter how good this Virtual Machine is (we believe it is very poorly coded even now, because we successfully started this crap only after numerous attempts on different configurations of Intel Core2 Duo/Quad), it requires the same system data and structures. And do you think that it is very hard to fake them specially for this virtual machine? Nope. And what about user mode stuff? 
It doesn't change registers and doesn't attempt to write data anywhere in kernel mode, but user-mode rootkits are no less rootkits than their kernel-mode brothers&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; 
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;And what about the other categories of rootkits, such as keyloggers for example? What about rootkits which load before VIPS? What about legitimate software? FSD filters? Encryption software? CD/DVD emulation software? DRM? Will they all be flagged by VIPS? So it is completely unknown what exactly this program was created for, because it is simply useless at this point. The existing antirootkits (the so-called 1-3 generations) can find much more than any VIPS can gather through its a priori buggy and slow virtualization. Let's remember what exactly VT was introduced for: was it introduced for security software? No. We feel just like tourists in the fucken zoo where big boys and girls play with monkeys and operate with words and terms they do not understand. We wouldn't be surprised if after beta testing this "Four generation antirootkit" became a paid program.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Calling this nonsense a 4th generation rootkit detector is just like calling Kaspersky AV the most technically advanced antivirus. 
The same edges just in profile, well, Russian-speaking readers will understand this point :D&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Bypassing this idiocy doesn't require anything specific. You can modify the SSDT, for example, without resetting the write protection bit, and you can successfully hide processes, drivers, files or keys without any notice from this "detector". DKOM and DKOH are still here. CmRegisterCallback is still here. Trying to control all this stuff will force VIPS to report every sneeze from the system. But if the authors really want to know, there exist strong methods which can help to identify VIPS and shut it fucken down. In the end, the user mode rootkit part can gain access to the VIPS components and simply turn them off. Of course it is necessary to identify the VIPS, but at the current level of its implementation it is very easy to do. As for the future, specially organized timing attacks can be used here, which will be successful not only with VIPS but with Blue Pill also.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;We are not even talking about the hybridizing of a rootkit with the operating system (this started with Rustock.C and will be continued, we are sure), and VIPS will be useless at this point. 
So VIPS will require a long white list of trusted components and trusted areas, the same as what we currently see with HIPS. Where is the know-how here? Finally, this program is unfamiliar with the "anti" part.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;It is still unknown what this program will do on systems with disabled virtualization support. As it showed on our machines, it simply dies. This kind of security program has no future. Future operating system versions can, and most likely will, use their own hypervisor implementation and will not let such programs work normally. 
So for what purpose was all this started?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;So this whole story with the "World’s first Fourth-Generation rootkit detector" reminds us of another Fairy Tale from Russia.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;On the other hand, let's see how Microsoft implemented Hyper-V in Windows 2008. Hyper-V is a virtualization platform INTEGRATED with the operating system and consists of three main components: the hypervisor itself, the virtualization stack and the virtualized IO model. The hypervisor basically acts to create the different "partitions" in which each virtualized instance of code will run. The virtualization stack and the IO components provide interactivity with Windows itself and with the various partitions that are created. All three components work in "tandem". Using servers with processors equipped with Intel VT or AMD-V technology (which of course must be enabled), Hyper-V interacts with the hypervisor, which is a very small layer of software that is present directly on the processor. 
This software hooks into threads on the processor that the host operating system can use to efficiently manage multiple virtual machines and multiple virtual operating systems, running on a single physical processor. Do you feel the difference between the dilettantes from North Security and Microsoft? Of course Hyper-V isn't a security component, but it is much closer to one than any VIPS will be.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;3. Security Through Virtualization Obscurity&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;It is unknown why almost all smart guys and girls in this world have completely "put on detection" (ignored it) and started inventing a bicycle. Maybe because they are not such smart guys and girls as they think?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Every new term and technology starts a ridiculous circus around it. 
There is a good example - Data Execution Prevention technology built into Windows XP SP2. And what, does it really help? Mostly incompetent people start a circus around every new term and new technology, even if it is as cool as VT is. Do not look for a black cat in the darkness.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-style: italic;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;What does HIDS give you?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Checking of certain places and objects of the operating system and its environment against criteria programmed in advance.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-style: italic;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;What are the weak points of this?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br 
/&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Compromised criteria and methods, and especially the "vision horizon" problems of antirootkits.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-style: italic;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;What does HIPS give you?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Control over the system via documented and undocumented features and places.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-style: italic;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;What are the weak points of 
this?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Does it control enough? No. It acts like intrusion software and not as a part of the OS. A dead end by design: when this software can't decide automatically, it lets the user choose what to do next. The rules problem. A dead end by design when malicious software compromises the security system in its methods.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-style: italic;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;What does VIPS give you?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Controlling? 
No, mostly observing several system areas.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-style: italic;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;What are the weak points of this?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;There is no future for detection based only on VT. It can be compromised at many points, including methods, criteria and "vision horizon". The blind faith is not in VT, the blind faith is in developers' abilities to control, predict and prevent everything.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;So all this is weak. 
None is good enough: not modern HIPS, not modern antirootkits aka HIDS, not VIPS.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;It is still possible to develop close to perfect rootkit detection and removal software, but it will ALWAYS be operating system dependent and will COMBINE numerous technologies, maybe JUST maybe including this hardware VT, but not ONLY the one with the harmonious name; otherwise it is simply idiocy and empty advertising of nothing.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;The best path for detection software will be its integration into the operating system core, which will make it much more powerful than anything seen before. And only after this can you call it the fourth, fifth, sixth generation of rootkit detection, and this will not sound like bullshit. The best approach to the system will be to not let any unwanted software gain control over the system. All third-party protection is vulnerable to attacks. HIPS will always be vulnerable because of the Trust-Not-Trust design dilemma. But even now, without integration, there exist very good and free tools capable of detecting most of the known and available shit, and all of them work without any VT related idiocy. 
Let's leave VT for Virtual Machine support and start thinking with the head, not the ass.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;HIPS, as well as this VIPS, gives people a false feeling of security without giving them that security. They both compromise your computer's security just by their presence on your computer. Just look at the numerous bugs inside them. Unlike HIDS, these systems work 24/7/365 (always, from OS startup) and slow down your computer. Wondering why they use undocumented features and hook everything that can be hooked? The same design dilemma, but here it is inside the devs' brains. You do not need all this hooking trash and you do not need this special "Hypervisor for good". 
You must be a user of the computer, not a slave of security through obscurity.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;And yeah, rootkits are here just because the OS is not enough.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Epilogue.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;That's how all this stuff actually looks:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Russian Former Carder (RFC) selling 0day detection software to the Naive European Casual (NEC), retrospective from bhc 
magazine:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;RFC: Yo, bro. I have got some new eleven generation rootkit detector for sale! Wanna to buy? VT, BT, ZT technologies included!&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;NEC: 0_0 Sure! How much it will be?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;RFC: Two hundred rubles.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;NEC: Man, i don't give a fuck where you take these rubles.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br 
/&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;RFC: 2k bucks and we have a deal then.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;NEC: Yo! Done! I love Russia.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;HolaHola aka DNY / VX Heavens&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;EP_X0FF / VX Heavens&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;MP_ART / VX Heavens&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-6143980736996938980?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/6143980736996938980/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=6143980736996938980' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/6143980736996938980'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/6143980736996938980'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/security-through-virtualization.html' title='Security Through Virtualization Obscurity'/><author><name>Eng. Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-6253813332484266034</id><published>2008-09-30T02:38:00.000-07:00</published><updated>2008-09-30T02:39:58.039-07:00</updated><title type='text'>Windows Memory Forensic Toolkit</title><content type='html'>&lt;table class="MsoNormalTable" border="0" cellspacing="5" cellpadding="0" width="636" style="width:477.0pt;mso-cellspacing:3.7pt;mso-padding-alt:3.75pt 3.75pt 3.75pt 3.75pt"&gt;  &lt;tbody&gt;&lt;tr style="mso-yfti-irow:0;mso-yfti-firstrow:yes;height:29.85pt"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt;height:29.85pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span 
style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;short   description&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt;height:29.85pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Windows   Memory Forensic Toolkit (WMFT) is a collection of utilities intended for   forensic use. WMFT can be used to perform forensic analysis of physical   memory images acquired from Windows 2003/XP machines.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:1;height:70.45pt"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt;height:70.45pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;long   description:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt;height:70.45pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span 
style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Windows   Memory Forensic Toolkit is used to perform offline analysis of physical   memory. This is a utility intended mainly for forensic-related investigative use.   The current version can be used: to enumerate processes (linked by doubly linked   list) and&lt;br /&gt;  processes hidden by DKOM, to display detailed data about each process&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;  (e.g. info from access_token, data section control areas), to enumerate page   frames which belong to each process and to identify a process to which any&lt;br /&gt;  Page Frame Number belongs.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:2;height:20.65pt"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt;height:20.65pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;project   leader:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   
&lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt;height:20.65pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: 11px;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;NETCOM&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:3;height:10.7pt"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt;height:10.7pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;help page:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt;height:10.7pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;a href="http://strony.aster.pl/forensics/"&gt;&lt;span style="color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;http://strony.aster.pl/forensics/&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:4;height:10.7pt"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt;height:10.7pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: 
medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;changelog:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt;height:10.7pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:5;mso-yfti-lastrow:yes;height:11.5pt"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt;height:11.5pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;download:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt;height:11.5pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;a href="http://www.rootkit.com/vault/alcapone666/wmftv02.zip"&gt;&lt;span style="color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;link&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 
255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-6253813332484266034?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/6253813332484266034/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=6253813332484266034' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/6253813332484266034'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/6253813332484266034'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/windows-memory-forensic-toolkit.html' title='Windows Memory Forensic Toolkit'/><author><name>Eng. 
Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-617995381619035524</id><published>2008-09-30T02:35:00.000-07:00</published><updated>2008-09-30T02:37:50.431-07:00</updated><title type='text'>Kernel Exploitation Papers</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span class="edgeatext"&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;NEHRA writes:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="edgeatext"&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;I just wanted to post the following links to papers that myself and Kostya Kortchinsky posted today:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="edgeatext"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Exploiting Kernel Pool Overflows (Kostya 
Kortchinsky)&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="edgeatext"&gt;&lt;a href="http://immunityinc.com/downloads/KernelPool.odp" target="_blank"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;http://immunityinc.com/downloads/KernelPool.odp&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;  &lt;span class="edgeatext"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;The I2OMGMT Driver Impersonation Attack (Justin Seitz)&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="edgeatext"&gt;&lt;a href="http://immunityinc.com/downloads/DriverImpersonationAttack_i2omgmt.pdf" target="_blank"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 
255);"&gt;http://immunityinc.com/downloads/DriverImpersonationAttack_i2omgmt.pdf&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;   &lt;span class="edgeatext"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;We are definitely interested in any feedback (good or bad) so drop me a line.&lt;/span&gt;&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-617995381619035524?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/617995381619035524/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=617995381619035524' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/617995381619035524'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/617995381619035524'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/kernel-exploitation-papers.html' title='Kernel Exploitation Papers'/><author><name>Eng. 
Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-127919557373000452</id><published>2008-09-30T02:33:00.000-07:00</published><updated>2008-09-30T02:35:47.547-07:00</updated><title type='text'>Patchfinder</title><content type='html'>&lt;table class="MsoNormalTable" border="0" cellspacing="5" cellpadding="0" style="mso-cellspacing:3.7pt;mso-padding-alt:3.75pt 3.75pt 3.75pt 3.75pt"&gt;  &lt;tbody&gt;&lt;tr style="mso-yfti-irow:0;mso-yfti-firstrow:yes"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;short   description&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Patchfinder   implements Execution Path Analysis technique for Windows 2000 systems. 
EPA is   intended to detect various kernel and DLL rootkits in the system.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:1"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;long   description:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Patchfinder   (PF) is a sophisticated diagnostic utility designed to&lt;br /&gt;  detect system libraries and kernel compromises. Its primary use is&lt;br /&gt;  to check if the given machine has been attacked with some modern&lt;br /&gt;  rootkits, i.e. programs which try to hide the attacker’s activity on the&lt;br /&gt;  hacked system, by cheating about the list of active processes, files&lt;br /&gt;  on filesystem, running services, registry contents, etc...&lt;br /&gt;&lt;br /&gt;  New release (2.x) of PF is the first version which is intended to be&lt;br /&gt;  not only a proof-of-concept code for developers, but also to be a useful&lt;br /&gt;  tool for administrators. 
To make proper use of PF, every user&lt;br /&gt;  should read the attached PDF paper.&lt;br /&gt;&lt;br /&gt;  With this tool you should be able to detect even the newest versions&lt;br /&gt;  of rootkits such as: Hacker Defender, APX, Vanquish, He4Hook, and&lt;br /&gt;  many more...&lt;/span&gt;&lt;/span&gt;      &lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:2"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;project   leader:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;NETCOM&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:3"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;homepage:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 
255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;netcomhacknews.blogspot.com&lt;/span&gt;&lt;/span&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span style="mso-field-code:&amp;quot; HYPERLINK \0022\0022 &amp;quot;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:4"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;changelog:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;http://www.rootkit.com/vault/joanna/Changelog.txt&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 
255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:5;mso-yfti-lastrow:yes"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-family: Arial; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;download:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-family: Arial; "&gt;&lt;a href="http://www.rootkit.com/vault/joanna/patchfinder_w2k_2.11.zip"&gt;&lt;span style=""&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;link&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-127919557373000452?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/127919557373000452/comments/default' title='Post 
Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=127919557373000452' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/127919557373000452'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/127919557373000452'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/patchfinder.html' title='Patchfinder'/><author><name>Eng. Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-7918788816217840342</id><published>2008-09-30T02:22:00.000-07:00</published><updated>2008-09-30T02:33:25.181-07:00</updated><title type='text'>MyNetwork</title><content type='html'>&lt;table class="MsoNormalTable" border="0" cellspacing="5" cellpadding="0" style="mso-cellspacing:3.7pt;mso-padding-alt:3.75pt 3.75pt 3.75pt 3.75pt"&gt;  &lt;tbody&gt;&lt;tr style="mso-yfti-irow:0;mso-yfti-firstrow:yes"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;short   description&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 
3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;An   ethernet bridge / VPN program for windows.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:1"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;long   description:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;This   ethernet bridge allows many subnets to connect to one another, supports a   central server, and watches ARP and ethernet traffic to maintain a MAC-router   table. 
(windows vc7++) requires winpcap&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:2"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;project   leader:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: 11px;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;NETCOM&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:3"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;homepage:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span 
style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;span style="mso-field-code:&amp;quot; HYPERLINK \0022\0022 &amp;quot;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:4"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;changelog:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:5;mso-yfti-lastrow:yes"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;download:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" 
style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:Arial;color:black"&gt;&lt;span style="color:black"&gt;&lt;a href="http://www.rootkit.com/vault/hoglund/MyNetwork.zip"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;link&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-7918788816217840342?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/7918788816217840342/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=7918788816217840342' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/7918788816217840342'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/7918788816217840342'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/mynetwork.html' title='MyNetwork'/><author><name>Eng. 
Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-6288744548696874960</id><published>2008-09-29T06:32:00.000-07:00</published><updated>2008-09-29T06:34:02.331-07:00</updated><title type='text'>BluePill</title><content type='html'>&lt;table class="MsoNormalTable" border="0" cellspacing="5" cellpadding="0" style="mso-cellspacing:3.7pt;mso-padding-alt:3.75pt 3.75pt 3.75pt 3.75pt"&gt;  &lt;tbody&gt;&lt;tr style="mso-yfti-irow:0;mso-yfti-firstrow:yes"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;short description&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Public version of the Blue Pill rootkit&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 
255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:1"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;long description:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;The original Blue Pill proof of concept code was written by   Joanna Rutkowska. Alexander Tereshkin decided to redesign and rewrite the New   Blue Pill rootkit from scratch. 
You can download it from their website.&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:2"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;project leader:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: 11px;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;NETCOM&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:3;height:.65pt"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt;height:.65pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;homepage:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   
&lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt;height:.65pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;a href="http://bluepillproject.org/"&gt;&lt;span style="color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;http://bluepillproject.org/&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:4"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;changelog:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style="mso-yfti-irow:5;mso-yfti-lastrow:yes"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span 
style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;download:&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size:8.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;   color:black"&gt;&lt;a href="http://bluepillproject.org/"&gt;&lt;span style="color:black"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;link&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-6288744548696874960?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/6288744548696874960/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=6288744548696874960' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/6288744548696874960'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5094409741890534554/posts/default/6288744548696874960'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/bluepill.html' title='BluePill'/><author><name>Eng. Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-4155828808163938892</id><published>2008-09-29T06:29:00.000-07:00</published><updated>2008-09-29T06:31:55.337-07:00</updated><title type='text'>Vista System Restore Rootkit</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span class="edgeatext"&gt;&lt;span style="Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;font-family:&amp;quot;;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;NETCOM writes:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span style="Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-family:&amp;quot;;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="edgeatext"&gt;&lt;span style="Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;font-family:&amp;quot;;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Microsoft Vista has introduced a new implementation of the system restore feature. But does this new implementation really make it more reliable?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span 
style="Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;font-family:&amp;quot;;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="edgeatext"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;On 19th July 2008, I presented a pure user mode rootkit that hides its file and registry keys from Vista system restore at the HIT (Hackers in Taiwan) conference, which means the Vista system restore will not help the user to restore the given rootkit's file and registry settings although other normal files are restored.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="edgeatext"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;What may be interesting is that the theory can also be used by malware to infect a system through system restore without any popup from a modern HIPS.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="edgeatext"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;The theory is almost like a "hook" technology in the rootkit domain: it injects into the system restore flow and provides a fake restore impact to the user. Regarding another way -- the "DKOM" trick against the system restore, I also have some research results, and might introduce it somewhere later.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span 
class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="edgeatext"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Please refer to the following link for the slides (they also include protection and detection technology):&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="edgeatext"&gt;&lt;a href="http://www.rootkit.com/vault/cardmagic/HIT2008_CardMagic.ppt" target="_blank"&gt;&lt;span&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;http://www.rootkit.com/vault/cardmagic/HIT2008_CardMagic.ppt&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5094409741890534554-4155828808163938892?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/4155828808163938892/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=4155828808163938892' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/4155828808163938892'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/4155828808163938892'/><link rel='alternate' type='text/html' 
href='http://netcomhacknews.blogspot.com/2008/09/vista-system-restore-rootkit.html' title='Vista System Restore Rootkit'/><author><name>Eng. Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-3487344831505862960</id><published>2008-09-29T06:22:00.000-07:00</published><updated>2008-09-29T06:28:56.116-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='[Download] The Most Powerful BotNet Attacker------icepoint'/><title type='text'>BotNet Attacker</title><content type='html'>&lt;p&gt;&lt;i&gt;&lt;span style=" ;font-family:Arial, sans-serif;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt;Admin comment: This is worthy as long as the binaries remain available.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;span style=" ;font-family:Arial, sans-serif;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style=" ;font-family:Arial, sans-serif;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt;&lt;br /&gt;&lt;br /&gt;download :&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://botnet.8800.org/down/free.zip" target="_blank"&gt;&lt;span 
style=""&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt;http://botnet.8800.org/down/free.zip&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt;&lt;br /&gt;&lt;br /&gt;shortcut :&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://botnet.8800.org/images/free.gif" target="_blank"&gt;&lt;span style=""&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt;http://botnet.8800.org/images/free.gif&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt;&lt;br /&gt;&lt;br /&gt;our official website&lt;/span&gt;&lt;/span&gt; &lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://botnet.8800.org/" target="_blank"&gt;&lt;span style=""&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt;http://botnet.8800.org/&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 
255, 0);"&gt;&lt;br /&gt;&lt;br /&gt;our Botnet is Free for all, and update forever. when the anti-virus software killed it, when we will update the Server. and make it undetectable. please pay attention to our website. anything you don't know please post in our forum. thanks for your support.&lt;br /&gt;&lt;br /&gt;-------------------------------------------------------------------------------------------------------------&lt;br /&gt;IcePoint BotNet Attacker v1.0&lt;/span&gt;&lt;/span&gt;  &lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 0);"&gt;&lt;br /&gt;&lt;br /&gt;this software is coded by VB6.0. copyright by IcePoint security team.&lt;br /&gt;&lt;br /&gt;the SERVER Cracked TCPIP.sys driver, changed default value to 1024.&lt;br /&gt;&lt;br /&gt;that have the most powerful effect, when you are using IIS, and Apache for websites attack.&lt;br /&gt;&lt;br /&gt;and can run on NT/XP/2003/Vista all windows edition successfully.&lt;br /&gt;&lt;br /&gt;It's the best and free botnet software on the internet.&lt;br /&gt;&lt;br /&gt;we will update the new version when anti-virus software killed it.&lt;br /&gt;&lt;br /&gt;so, please pay attention to our office website.&lt;br /&gt;&lt;br /&gt;----------------------------------------------------------------------&lt;br /&gt;Don't use this software to attack websites! we developed it but we are&lt;br /&gt;only for technique research, please make sure what you want to do before&lt;br /&gt;use it!&lt;/span&gt;&lt;/span&gt;        &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/5094409741890534554-3487344831505862960?l=netcomhacknews.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://netcomhacknews.blogspot.com/feeds/3487344831505862960/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5094409741890534554&amp;postID=3487344831505862960' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/3487344831505862960'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5094409741890534554/posts/default/3487344831505862960'/><link rel='alternate' type='text/html' href='http://netcomhacknews.blogspot.com/2008/09/download-most-powerful-botnet-attacker.html' title='BotNet Attacker'/><author><name>Eng. Arvind Nehra</name><uri>http://www.blogger.com/profile/08170762968653554874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://1.bp.blogspot.com/_OIjRHegfw4w/SM4G2sf-iVI/AAAAAAAAAII/dOCBSNMt8wo/S220/nehra+copy.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5094409741890534554.post-1588694573436910324</id><published>2008-09-29T06:13:00.000-07:00</published><updated>2008-09-29T06:20:34.132-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NT Rootkit'/><title type='text'>NT Rootkit</title><content type='html'>&lt;table class="MsoNormalTable" border="0" cellspacing="5" cellpadding="0" style="mso-cellspacing:3.7pt;mso-padding-alt:3.75pt 3.75pt 3.75pt 3.75pt"&gt;  &lt;tbody&gt;&lt;tr style="mso-yfti-irow:0;mso-yfti-firstrow:yes"&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size: 8.5pt; font-family: Arial, sans-serif; "&gt;&lt;span class="Apple-style-span" style="color: 
rgb(255, 255, 255);"&gt;short description&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size: 8.5pt; font-family: Arial, sans-serif; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;The original and first public NT ROOTKIT - has not been updated   for many years but is good for ideas.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="mso-yfti-irow:5;mso-yfti-lastrow:yes"&gt;&lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 8.5pt; font-family: Arial, sans-serif; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;download:&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding:3.75pt 3.75pt 3.75pt 3.75pt"&gt;   &lt;p class="MsoNormal"&gt;&lt;span style="font-size: 8.5pt; font-family: Arial, sans-serif; "&gt;&lt;a href="https://www.rootkit.com/vault/hoglund/rk_044.zip"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;link&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo2;tab-stops:list .25in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt 
&amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a href="http://www.rootkit.com/board.php?disp=11844&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=11844"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;need help to analyze this&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=lzxing"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;lzxing&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Mar 18 2008, 07:05 (UTC+0) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo2;tab-stops:list .25in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: 
rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a href="http://www.rootkit.com/board.php?disp=11336&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=11336"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Win32/Ntroot!generic&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=graham"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;graham&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Oct 25 2007, 19:34 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span 
style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a href="http://www.rootkit.com/board.php?disp=11375&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=11336"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: Win32/Ntroot!generic&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=killboy"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;killboy&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 08 2007, 01:06 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=9538&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=9538"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;rootkit with "client for the netware network"&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=tayral"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;tayral&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Mar 17 2007, 00:09 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=9185&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=9185"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;i need some help plese!&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=el3ctric"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;el3ctric&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Feb 06 2007, 03:00 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=11396&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=9185"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: i need some help plese!&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=warzs"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;warzs&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 15 2007, 21:01 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=9159&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=9159"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;I want to program an anti-rootkit tool,Hopes the high portable opinions，&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=frankvista"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;frankvista&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Feb 02 2007, 06:51 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=9192&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=9159"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Codes and errors&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=frankvista"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;frankvista&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Feb 06 2007, 08:43 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:33.75pt;text-indent:-.25in;mso-list:l0 level3 lfo3;tab-stops:list 1.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=9227&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=9159"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Codes and errors&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=frankvista"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;frankvista&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Feb 08 2007, 07:58 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=9117&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=9117"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;NtCreateProcess&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=KuRLiC"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;KuRLiC&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jan 30 2007, 00:06 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=9151&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=9117"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: NtCreateProcess&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=KuRLiC"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;KuRLiC&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Feb 01 2007, 14:50 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=8734&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=8734"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;i need a help about ;)&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=deepdark"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;deepdark&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 27 2006, 02:50 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=8258&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=8258"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;How To Connect This Rootkit?&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=xiaoc"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;xiaoc&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Oct 04 2006, 15:48 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=11075&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=8258"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: How To Connect This Rootkit?&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=playstone"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;playstone&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Sep 10 2007, 09:13 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=7545&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=7545"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;HELP!!!! ROOTKIT&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=sonchri"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;sonchri&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jul 26 2006, 01:33 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=7584&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=7545"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: HELP!!!! ROOTKIT&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=aur0ra"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;aur0ra&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Aug 01 2006, 22:24 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=7523&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=7523"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Instruction or register not accepted in current CPU mode&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=chuckleberryfinn"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;chuckleberryfinn&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jul 23 2006, 20:36 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=7525&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=7523"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: Instruction or register not accepted in current CPU mode&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=chuckleberryfinn"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;chuckleberryfinn&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jul 23 2006, 20:47 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=6422&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=6422"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;who can help me!&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=gougou"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;gougou&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Apr 21 2006, 05:41 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=7481&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=6422"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: who can help me!&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=addylee"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;addylee&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jul 20 2006, 12:16 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:33.75pt;text-indent:-.25in;mso-list:l0 level3 lfo3;tab-stops:list 1.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=11982&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=6422"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: who can help me!&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=bainanrain"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;bainanrain&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Apr 30 2008, 12:34 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:33.75pt;text-indent:-.25in;mso-list:l0 level3 lfo3;tab-stops:list 1.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=9762&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=6422"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: who can help me!&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=Kgdiwss"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Kgdiwss&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Apr 11 2007, 06:38 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=6347&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=6347"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;How to use NTRootkit in penetrating Remote system.&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=rootkitor"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;rootkitor&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Apr 14 2006, 17:25 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=6104&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=6104"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;How can i use the ntrootkit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=pomity"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;pomity&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Feb 28 2006, 10:11 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=5442&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=5442"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Basic 1 Help&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=bean"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;bean&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Dec 20 2005, 00:00 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=5445&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=5442"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: Basic 1 Help&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=bean"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;bean&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Dec 20 2005, 00:34 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=5277&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=5277"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;need help with rootkid plz&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=bleachhead2"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;bleachhead2&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 28 2005, 22:18 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=5234&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=5234"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;rootkit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=lilshotay"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;lilshotay&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 21 2005, 21:41 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=4982&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=4982"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;rootkit install&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=crazymart"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;crazymart&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 03 2005, 15:33 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=4988&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=4982"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: rootkit install&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=vexner"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;vexner&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 04 2005, 00:34 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:33.75pt;text-indent:-.25in;mso-list:l0 level3 lfo3;tab-stops:list 1.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=5233&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=4982"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: rootkit install&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=lilshotay"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;lilshotay&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 21 2005, 21:35 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=4931&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=4931"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Hooking RAS + TAPI API&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=defenderAu"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;defenderAu&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Oct 31 2005, 08:08 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=4930&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=4930"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Hooking RAS + TAPI API&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=defenderAu"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;defenderAu&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Oct 31 2005, 07:02 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=4929&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=4929"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Hooking RAS + TAPI API&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=defenderAu"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;defenderAu&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Oct 31 2005, 05:51 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=4336&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=4336"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;ADS&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=homer0510"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;homer0510&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Aug 27 2005, 12:50 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=4609&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=4336"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: ADS&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=byteslave2"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;byteslave2&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Oct 09 2005, 03:11 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=4298&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=4298"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;HELP! In ZwCreateFile hook, reading ObjectAttributes raises PAGE_FAULT_IN_NONPAGED_AREA&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=omerb99"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;omerb99&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Aug 23 2005, 11:35 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=8510&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=4298"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: HELP! In ZwCreateFile hook, reading ObjectAttributes raises PAGE_FAULT_IN_NONPAGED_AREA&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=zirocool"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;zirocool&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Oct 21 2006, 17:57 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=4267&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=4267"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;How to hook deletefile&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=lsuang"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;lsuang&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Aug 18 2005, 11:30 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=6828&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=4267"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: How to hook deletefile&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=vincent"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;vincent&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jun 06 2006, 00:16 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=4113&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=4113"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Question about the type of packets for communication between rootkits and their owners.&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=lchsoft"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;lchsoft&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jul 14 2005, 04:04 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3943&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=3943"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;root&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=g-rat"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;g-rat&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jun 14 2005, 00:37 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3876&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=3876"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Win2k Root kit removing help.&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=nox_freak"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;nox_freak&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 31 2005, 23:39 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3651&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=3651"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;For someone who has Windows XP Service Pack 2&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=Agent_Dark64"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Agent_Dark64&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 09 2005, 14:19 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3531&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=3531"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;how cai i get codes&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=wendy_82_4"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;wendy_82_4&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Apr 28 2005, 17:41 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3169&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=3169"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;which prgm ?&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=rkstreeter"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;rkstreeter&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Mar 07 2005, 05:15 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3170&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=3169"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: which prgm ?&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=rkstreeter"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;rkstreeter&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Mar 07 2005, 05:26 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3167&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=3167"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;virus?&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=rkstreeter"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;rkstreeter&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Mar 07 2005, 05:07 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3168&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=3167"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: virus?&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=rkstreeter"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;rkstreeter&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Mar 07 2005, 05:14 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3148&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=3148"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Personal Firewalls&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=blackd0t"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;blackd0t&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Mar 02 2005, 04:56 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2949&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2949"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Help if you can.&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=italiano11"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;italiano11&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jan 20 2005, 13:22 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2841&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2841"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;All windows rootkit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=n0kia"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;n0kia&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Dec 29 2004, 22:33 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3530&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2841"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: All windows rootkit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=wendy_82_4"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;wendy_82_4&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Apr 28 2005, 17:39 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3275&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2841"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: All windows rootkit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=Otcem_"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Otcem_&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Mar 28 2005, 21:52 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3207&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2841"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: All windows rootkit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=wendy_82_4"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;wendy_82_4&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Mar 20 2005, 07:33 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2842&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2841"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: All windows rootkit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=fuzen_op"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;fuzen_op&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jan 02 2005, 04:34 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:33.75pt;text-indent:-.25in;mso-list:l0 level3 lfo3;tab-stops:list 1.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2878&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2841"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: All windows rootkit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=Abyss"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Abyss&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jan 07 2005, 11:14 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2628&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2628"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;searching the lrk6&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=t920"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;t920&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 02 2004, 08:18 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2803&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2628"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: searching the lrk6&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=toby1983"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;toby1983&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Dec 16 2004, 06:41 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2434&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2434"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;beginner with drivers&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=euacela"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;euacela&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Sep 29 2004, 12:47 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2630&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2434"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: beginner with drivers&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=Cobi"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Cobi&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 02 2004, 23:22 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:33.75pt;text-indent:-.25in;mso-list:l0 level3 lfo3;tab-stops:list 1.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2712&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2434"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: beginner with drivers&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=ikra"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;ikra&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 20 2004, 20:46 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2328&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2328"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Hide Registry key&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=verbavolant"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;verbavolant&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Sep 06 2004, 18:22 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3602&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2328"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: Hide Registry key&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=sean"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;sean&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 03 2005, 05:24 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2631&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2328"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: Hide Registry key&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=Cobi"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Cobi&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 02 2004, 23:28 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2130&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2130"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;NTFS-ADS&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=TurboTramp"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;TurboTramp&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jul 30 2004, 03:31 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2742&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2130"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: NTFS-ADS&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=jspsh"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;jspsh&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 30 2004, 03:12 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2118&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2118"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;pls i need a iroffer rootkit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=cloud369"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;cloud369&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jul 25 2004, 13:38 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3719&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2118"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: pls i need a iroffer rootkit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=Stewped"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Stewped&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 14 2005, 07:18 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2089&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=2089"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Problem of load driver use ZwSetSystemInformation&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=raodan"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;raodan&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jul 22 2004, 09:21 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1831&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1831"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;hide file failed&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=DRizt"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;DRizt&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jun 10 2004, 19:55 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1987&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1831"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: hide file failed&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=hoglund"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;hoglund&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jul 05 2004, 10:48 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1812&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1812"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;need help compiling&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=hellpath"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;hellpath&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jun 08 2004, 03:01 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1986&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1812"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: need help compiling&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=hoglund"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;hoglund&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jul 05 2004, 10:47 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1693&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1693"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Removal&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=Scik"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Scik&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 08 2004, 09:52 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1766&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1693"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: Removal&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=fuzen_op"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;fuzen_op&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 29 2004, 02:17 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1638&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1638"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;windows 2003 server??&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=DRizt"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;DRizt&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 04 2004, 11:36 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1646&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1638"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: windows 2003 server??&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=fuzen_op"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;fuzen_op&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 04 2004, 18:48 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:33.75pt;text-indent:-.25in;mso-list:l0 level3 lfo3;tab-stops:list 1.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1659&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1638"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: windows 2003 server??&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=DRizt"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;DRizt&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 05 2004, 03:49 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:45.0pt;text-indent:-.25in;mso-list:l0 level4 lfo3;tab-stops:list 2.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1767&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1638"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: windows 2003 server??&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=fuzen_op"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;fuzen_op&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 29 2004, 02:19 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:56.25pt;text-indent:-.25in;mso-list:l0 level5 lfo3;tab-stops:list 2.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1771&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1638"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: windows 2003 server??&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=DRizt"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;DRizt&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 29 2004, 07:41 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1622&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1622"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;WindowXp`s IRQL_NOT_LESS_OR_EQUAL&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=drizt"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;drizt&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 03 2004, 07:45 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1636&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1622"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: WindowXp`s IRQL_NOT_LESS_OR_EQUAL&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=DRizt"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;DRizt&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 04 2004, 06:20 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1614&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1614"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;xdcc-kit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=Peace_Man"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Peace_Man&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 02 2004, 05:50 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2121&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1614"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: xdcc-kit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=j0epub"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;j0epub&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jul 26 2004, 14:23 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1711&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1614"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: xdcc-kit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=Peace_Man"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Peace_Man&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;May 12 2004, 06:28 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:33.75pt;text-indent:-.25in;mso-list:l0 level3 lfo3;tab-stops:list 1.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1903&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1614"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: xdcc-kit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=amdman"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;amdman&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jun 19 2004, 14:50 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:45.0pt;text-indent:-.25in;mso-list:l0 level4 lfo3;tab-stops:list 2.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2304&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1614"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: xdcc-kit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=katmassive"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;katmassive&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Aug 30 2004, 23:45 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:45.0pt;text-indent:-.25in;mso-list:l0 level4 lfo3;tab-stops:list 2.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2138&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1614"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: xdcc-kit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=Mrs"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Mrs&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Aug 03 2004, 06:55 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:45.0pt;text-indent:-.25in;mso-list:l0 level4 lfo3;tab-stops:list 2.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1978&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1614"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: xdcc-kit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=unreal"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;unreal&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Jul 02 2004, 15:03 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:56.25pt;text-indent:-.25in;mso-list:l0 level5 lfo3;tab-stops:list 2.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2244&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1614"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: xdcc-kit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=shakair2k2"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;shakair2k2&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Aug 19 2004, 07:28 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:67.5pt;text-indent:-.25in;mso-list:l0 level6 lfo3;tab-stops:list 3.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=2306&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1614"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: xdcc-kit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=soylent"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;soylent&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Aug 31 2004, 12:20 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:78.75pt;text-indent:-.25in;mso-list:l0 level7 lfo3;tab-stops:list 3.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=3139&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1614"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: xdcc-kit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=inferno"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;inferno&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Feb 28 2005, 07:19 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1281&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1281"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Create process!!&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=drizt"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;drizt&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Apr 19 2004, 06:46 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1282&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1281"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: Create process!!&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=hoglund"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;hoglund&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Apr 19 2004, 07:58 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=1179&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=1179"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;compiling the rootkit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=cosmin"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;cosmin&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Apr 08 2004, 21:39 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:11.25pt;text-indent:-.25in;mso-list:l0 level1 lfo3;tab-stops:list .5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=278&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=278"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;NtXxX functions&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=JeFFOsZ"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;JeFFOsZ&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 29 2003, 01:32 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:22.5pt;text-indent:-.25in;mso-list:l0 level2 lfo3;tab-stops:list 1.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=279&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=278"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: NtXxX functions&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=fuzen_op"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;fuzen_op&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 29 2003, 02:48 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:33.75pt;text-indent:-.25in;mso-list:l0 level3 lfo3;tab-stops:list 1.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=281&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=278"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: NtXxX functions&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=JeFFOsZ"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;JeFFOsZ&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 29 2003, 07:05 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:45.0pt;text-indent:-.25in;mso-list:l0 level4 lfo3;tab-stops:list 2.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=282&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=278"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: NtXxX functions&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=fuzen_op"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;fuzen_op&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 29 2003, 07:29 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:56.25pt;text-indent:-.25in;mso-list:l0 level5 lfo3;tab-stops:list 2.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=283&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=278"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: NtXxX functions&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=JeFFOsZ"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;JeFFOsZ&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 29 2003, 07:34 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:67.5pt;text-indent:-.25in;mso-list:l0 level6 lfo3;tab-stops:list 3.0in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=284&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=278"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: NtXxX functions&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=fuzen_op"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;fuzen_op&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Nov 29 2003, 07:53 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:78.75pt;text-indent:-.25in;mso-list:l0 level7 lfo3;tab-stops:list 3.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a 
href="http://www.rootkit.com/board.php?disp=489&amp;amp;did=proj11&amp;amp;closed=2&amp;amp;thread=278"&gt;&lt;b&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Re: NtXxX functions&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;(by&lt;/span&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.rootkit.com/user.php?name=hoglund"&gt;&lt;span style="text-decoration: none; "&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;hoglund&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;Dec 20 2003, 22:59 (UTC+5:30) )&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:78.75pt;text-indent:-.25in;mso-list:l0 level7 lfo3;tab-stops:list 3.5in"&gt;&lt;span style="font-size: 10pt; font-family: Wingdings; "&gt;&lt;span style="mso-list:Ignore"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;§&lt;/span&gt;&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 9.5pt; font-family: Verdana, sans-serif; "&gt;&lt;a href="http://www.rootkit.com/board.php?disp=285
