---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 14 of 15


-------------------------[  P H R A C K     W O R L D     N E W S


--------[  Issue 53

Hi.  A few changes have been made to Phrack World News (PWN).  Because of
the increase of news on the net, security, hackers and other PWN topics,
it is getting more difficult to keep Phrack readers informed of everything.
To combat this problem, PWN will include more articles, but only relevant
portions (or the parts I want to make smart ass remarks about).  If you would
like to read the full article, look through the ISN (InfoSec News) archives
located at:

        ftp.sekurity.org        /pub/text/isn
        ftp.repsec.com          /pub/text/digests/isn

The following articles have been accumulated from a wide variety of places.
When known, original source/author/date has been included.  If the information
is absent, then it wasn't sent to us.  If you wish to receive more news, the
ISN mail list caters to this.  For more information, mail
majordomo@sekurity.org with "info isn".  To subscribe, mail
majordomo@sekurity.org with "subscribe isn" in the body of the mail.

As usual, I am putting some of my own comments in brackets to help readers
realize a few things left out of the articles.  Comments are my own, and
do not necessarily represent the views of Phrack, journalists, government
spooks, my cat, or anyone else.  Bye.

    - disorder


0x1:  Identifying Net Criminals Difficult
0x2:  "The Eight" meet to combat high-tech crime
0x3:  Fired Forbes Technician Charged With Sabotage
0x4:  Internet Industry Asked to Police Itself
0x5:  Internet may be Hackers Best Friend
0x6:  Hacker Cripples Airport Tower
0x7:  Profits Embolden Hackers
0x8:  Cyberattacks spur new warning system
0x9:  
0xa:  IBM's Ethical Hackers Broke In!
0xb:  Two accused of conspiring to hack into CWRU system
0xc:  FBI Warns of Big Increase In On-line Crime
0xd:  Computer hacker jailed for 18 months
0xe:  Afternoon Line
0xf:  Hacking Geniuses or Monkeys
0x10: Low Tech Spooks - Corporate Spies
0x11: 'White Hat' Hackers Probe Pores in Computer Security Blankets
0x12: 101 Ways to Hack into Windows NT
0x13: Suspected NASA Hacker Nabbed
0x14: CEOs Hear the Unpleasant Truth about Computer Security
0x15: Codebreakers
0x16: Hackers Could Disable Military
0x17: Secret Service Hackers Can't Crack Internet
0x18: Now Hiring: Hackers (Tattoos Welcome)
0x19: Hacker Stoppers?
0x1a: Hackers' Dark Side Gets Even Darker
0x1b: Japan Fears It's Becoming a Base for Hackers
0x1c: Kevin Mitnick Hacker Case Drags On and On
0x1d: Millions Lost to Phone Hackers
0x1e: Hackers on the Hill
0x1f: RSA Sues Network Associates
0x20: Clinton to Outline Cyberthreat Policy
0x21: Programmer Sentenced for Military Computer Intrusion
0x22: Editorial - Hacker vs Cracker, Revisited
0x23: Windows NT Security Under Fire
0x24: New Decoy Technology Designed to Sting Hackers
0x25: Reno dedicates high-tech crime fighting center
0x26: Man poses as astronaut steals NASA secrets

0x27: Convention: Defcon 6.0
0x28: Convention: Network Security Solutions July Event
0x29: Convention: 8th USENIX Security Symposium
0x2a: Convention: RAID 98
0x2b: Convention: Computer Security Area (ASC) / DGSCA 98
0x2c: Convention: InfoWarCon-9


0x1>-------------------------------------------------------------------------

Title: Identifying Net Criminals Difficult
Source: 7Pillars Partners
Author: David Plotnikoff (Mercury News Staff Writer)
Date: 10:12 p.m. PST Sunday, March 8, 1998

[snip...]

What began as an innocent chat-room flirtation isn't so innocent anymore.
The last e-mail message you received began: ``I know where you live. I
know where you work. I know where your kids go to day care. . . .''
Potential loss: Your life. 

There is no way to calculate how many hundreds or thousands of times each
day the Net brings crime into some unsuspecting person's life. But a
report released by the Computer Security Institute found that nearly
two-thirds of the 520 corporations, government offices, financial
institutions and universities queried had experienced electronic break-ins
or other security breaches in the past 12 months. 

Although fewer than half the companies assigned a dollar amount to their
losses, the estimated total from those that did is staggering: $236
million for the last two years. 

[More estimates on losses, no doubt from accurate estimations
 by professionals.]

[snip...]

But those charged with enforcing the law in cyberspace say the vast
majority of Net-borne crime never reaches the criminal justice system. And
in the relatively few instances where a crime is reported, most often the
criminal's true identity is never found. 

The San Jose Police Department's elite high-tech crimes unit is every
citizen's first line of defense when trouble comes down the wire in the
capital city of Silicon Valley. But today, four years after the explosion
of the Internet as a mass market, even the top technology-crimes police
unit in the country finds itself with just a handful of Internet crimes to
investigate. 

[Wait... they say criminals get away with everything, then call the
 Police an "elite" high-tech crimes unit?]

[snip...]

The Internet slice of the job -- chasing down hackers, stalkers and
assorted scammers -- is too small to even keep statistics on. When pressed
for a guess, Sgt. Don Brister, the unit's supervisor, estimates that
Internet and online-service crimes make up ``probably no more than 3 or 4
percent'' of the team's workload. 

[snip...]

While most Net crimes are actually old crimes -- stalking, harassment,
fraud and theft -- in a new venue, there is at least one criminal act
entirely native to cyberia: ``denial of service'' attacks. 

[Route, you're such a criminal.]

[snip...]

``The scary part,'' Lowry says, ``is we know the storm is coming, but we
don't know exactly what shape it's going to take. The scale is huge. . . .
You're sitting on this beach, knowing it's going to hit, but you don't
know what it is or when it's going to hit.''

0x2>-------------------------------------------------------------------------

Title: "The Eight" meet to combat high-tech crime
Date: Jan 1998

   Recently, U.S. Attorney General Janet Reno hosted a historic meeting of
Justice and Interior officials from the countries that constitute "the
Eight" on ways to combat international computer crime. (Formerly dubbed
the G-7, the group now includes Russia along with the United Kingdom,
France, Germany, Italy, Canada, Japan, and the U.S.) 
   
   The meeting was the first of its kind and resulted in an agreement
endorsing ten principles, such as "Investigation and prosecution of
international high-tech crimes must be coordinated among all concerned
states, regardless of where harm has occurred;" and adopting a ten-point
action plan, for example, "Use our established network of knowledgeable
personnel to ensure a timely, effective response to transnational
high-tech cases and designate a point-of-contract who is available on a 24
hour basis." 
   
The full text will be available at http://www.usdoj.gov.

0x3>-------------------------------------------------------------------------

Title: Fired Forbes Technician Charged With Sabotage
Source: Dow Jones News Service
Date: 11/25/97


A temporary staff computer technician has been charged with breaking into
the computer system of Forbes, Inc., publisher of Forbes magazine, and
causing a computer crash that cost the company more than $100,000. 

  According to the complaint against George Mario Parente, the sabotage
left hundreds of Forbes employees unable to perform server-related
functions for a full day and caused many employees to lose a day's worth
of data. If convicted, Parente faces up to five years in prison and a
maximum fine of $250,000. 


0x4>-------------------------------------------------------------------------

Title: Internet Industry Asked to Police Itself


SEATTLE -- The Internet industry had better police itself or it will face
renewed threats of government regulation, participants said Wednesday at a
Seattle conference of technology leaders from throughout North America as
well as Europe and Japan. 

[And they've done such a good job so far, with legislation like the CDA
 and WIPO... sure, we can trust the government to do the right thing.]

[snip...]

Balkam warned that Arizona Sen. John McCain plans hearings next month on
the topic, and that Indiana Sen. Dan Coats plans to introduce a new
content-regulation bill designed to avoid the problems that caused the
Supreme Court to reject the first one. 

[Everyone keep your eyes peeled.]

Wednesday's discussion was well-timed; the conference will hear Thursday
from President Clinton's Internet czar, Ira Magaziner, who is expected to
deliver a stern admonition that government won't hesitate to step in if
the industry's own efforts fall short. 

Sponsored by GTE, Telus Corp. and the Discovery Institute, the program
also included Rep. Rick White, R-Washington, founder of the Congressional
Internet Caucus and Rob Glaser, founder of Seattle-based RealNetworks and
a proponent of the Internet as the ``next mass medium.''

While Wednesday's sessions focused on content regulation, Thursday's deal
more with electronic commerce and such issues as privacy, authentication
and legal jurisdiction. 

Effective self-regulation has several keys, said Jim Miller, architect of
a system known as PICS, the Platform for Internet Content Selection. 

[snip...]

0x5>-------------------------------------------------------------------------

Title: Internet may be Hackers Best Friend

The Internet may be the computer hacker's best friend. The international
computer network has made the sharing of sophisticated break-in tools
easier, computer security experts say. 

[But they don't mention the sharing of security information, or the fact
 that the experts can subscribe to the same 'hacker' sharing sources.]

[snip...]

A report released Wednesday by the Computer Security Institute noted that
while both external and internal computer crime is on the rise, the
greatest losses result from unauthorized access by insiders. 

``Those are the attacks that cause tens of millions of dollars,'' Power
said. 

But it's still the outside jobs that grab headlines. A Defense Department
official last week termed the attack linked to the young hackers ``the
most organized and systematic attack the Pentagon has seen to date.''

[snip...]

0x6>-------------------------------------------------------------------------

Title: Hacker Cripples Airport Tower

A juvenile hacker who crippled an airport tower for six hours, damaged a
town's phone system, and broke into pharmacy records has been charged in a
first-ever federal prosecution, the U.S. Attorney's office announced
today. 

But in a plea bargain, the juvenile will serve no jail time, the
government announced. 

The incidents occurred in early 1997, but the federal criminal charges
were unsealed just today. The government said it was the first federal
prosecution ever of a minor for a computer crime. 

According to U.S. Attorney Donald K. Stern, the hacker disabled a key
telephone company computer servicing the Worcester airport, roughly 45
miles southwest of Boston. 

"As a result of a series of commands sent from the hacker's personal
computer, vital services to the FAA control tower were disabled for six
hours in March of 1997," a release from Stern's office said. 

[So the FAA routes vital tower control through the PSTN? Scary...]

[snip...]

The plea agreement sentences the juvenile to two years' probation, "during
which he may not possess or use a modem or other means of remotely
accessing a computer or computer network directly or indirectly,"
according to Stern

In addition, he must pay restitution to the telephone company and complete
250 hours of community service. He has been required to forfeit all of the
computer equipment used during his criminal activity. 

[snip...]

"Public health and safety were threatened by the outage, which resulted in
the loss of telephone service, until approximately 3:30 p.m., to the
Federal Aviation Administration Tower at the Worcester Airport, to the
Worcester Airport Fire Department, and to other related concerns such as
airport security, the weather service, and various private air freight
companies. 

"Further, as a result of the outage, both the main radio transmitter,
which is connected to the tower by the loop carrier system, and a circuit,
which enables aircraft to send an electric signal to activate the runway
lights on approach, were not operational for this same period of time." 

[NICE design guys... real nice.]

[snip...]

0x7>-------------------------------------------------------------------------

Title: Profits Embolden Hackers
Source: InternetWeek
Author: Tim Wilson

Conventional wisdom says that most IT security threats come from inside
the company, not outside. Any guess who's reaping the greatest benefit
from that little piece of wisdom? 

Hackers and computer criminals.

In two separate studies completed this month, Fortune 1000 companies
reported more financial losses due to computer vandalism and espionage in
1997 than they ever experienced before. Several corporations said they
lost $10 million or more in a single break-in. And reports of system
break-ins at the Computer Emergency Response Team site are the highest
they've ever been. 

Despite recent security product and technology developments, computer
networks are becoming more vulnerable to outside attack, not less. 

[Woohoo!]

[snip...]

"I know about 95 percent of [the vulnerabilities] I am going to find at a
company before I even get there," said Ira Winkler, president of the
Information Security Advisory Group -- a firm that specializes in
penetrating business security systems to expose vulnerabilities -- and
author of the book Corporate Espionage. "I can steal a billion dollars
from any [corporation] within a couple of hours." 

[One trick pony...]

[snip...]

In a study to be published next month, WarRoom Research found that the
vast majority of Fortune 1000 companies have experienced a successful
break-in by an outsider in the past year. More than half of those
companies have experienced more than 30 system penetrations in the past 12
months. Nearly 60 percent said they lost $200,000 or more as a result of
each intrusion. 

In a separate study published earlier this month by the Computer Security
Institute and the FBI, 520 U.S. companies reported a total loss of $136
million from computer crime and security breaches in 1997, an increase of
36 percent from the year before. The Internet was cited by 54 percent of
the respondents as a frequent point of attack, about the same percentage
of respondents that cited internal systems as a frequent point of attack. 

[snip...]

What You Can Do

One universal piece of advice came from hackers, hackers for hire and
those who collect computer crime data: When your vendor issues a software
patch, install it immediately. 

"The biggest mistake people make is that they underestimate the threat," 
Moss said. "They don't put in the patches, they misconfigure their
firewalls, they misconfigure routers." 

[snip...]

0x8>-------------------------------------------------------------------------

Title: Cyberattacks spur new warning system
Author: Heather Harreld
Date: March 23, 1998

The Defense Department has created a new alert system to rate the level of
threats to its information systems that mirrors the well-known Defense
Conditions (DEFCONs) ratings that mark the overall military status in
response to traditional foreign threats. 

The new Information Conditions, or "INFOCONs," are raised and lowered
based upon cyberthreats to DOD or to the U.S. Strategic Command (Stratcom)
at Offutt Air Force Base in Nebraska. Stratcom is responsible for
deterring any military attack on the United States and for deploying
troops or launching nuclear weapons should deterrence fail, a Stratcom
spokesman said. As INFOCONs are raised, officials take additional measures
to protect information systems. 

[snip...]

Officials at Stratcom have developed detailed guidelines on raising and
lowering INFOCONs based on the threat. Structured, systematic attacks to
penetrate systems will result in a higher INFOCON level than when
individual, isolated attempts are made, according to Stratcom. 

[snip...]

0x9>-------------------------------------------------------------------------

Title: 
Source: "Betty G.O'Hearn" 

Infowar.Com was notified today by the "Enforcers" Computer Hackers Group,
that an agreement was reached with chief negotiator Ian A. Murphy, aka
Capt. Zap, to cease and desist their cyber destruction witnessed in the
recent attacks and intrusions that have rocked the Internet in past weeks. 
The Enforcers began their massive assault on corporate and military
websites after the arrest of "Pentagon Hackers" here in the US and Israel. 

Ian Murphy, CEO of IAM/Secure Data Systems, and the first US hacker
arrested back in 1981, issued press releases during negotiations. (see
www.prnewswire.com) Murphy began the process to begin deliberations out of
a sense of duty.  Murphy's dialogue with members of the Enforcer group
pointed to the fact that the destruction was counter productive. He urged
the group to consider halting this activity. "The destruction of
information systems for an alleged cause is not the way to go about such
things in defense of Hackers and Crackers." 

[Who made Ian Murphy chief negotiator? Why wasn't I notified so I
 could talk to these wankers? This is the kind of pathetic shit
 that makes PRNewswire the pond scum of journalism. In case you couldn't
 tell, this is pure media hype designed to get more business for
 Murphy and CO.]

[snip...]


Statement from a Enforcers representative is below.

[HTML tags have been removed.]

From: Adam <
Reply-To: adamb1@flash.net
Date: March 26, 1998
Organization: Adam's Asylum
To: "Betty G.O'Hearn" <
Subject: Enforcers Press Release/Announcement

STATEMENT OF THE ENFORCERS

We, the Enforcers, have decided that it would be in the best interest of
the hacking community and the security community at large to cease and
desist all web site hacking of external businesses as advised by Mr. Ian
Murphy (Captain Zap.) We agree that our actions are not productive and are
doing more harm than good towards the security community.

Therefore, as an agent of the Enforcers, I hereby state that all web site
hacks on external sites will be immediately halted.  We feel that there
will be other avenues opening to achieve our goal of a substantial
reduction in child pornography and racist web sites and netizens. We also
support the larger goals of the hacker community and in the future we will
work to augment the public's view rather than detract from it. All members
of Enforcers who hacked the web sites have agreed to this release and will
stop hacking external web sites. 

[13:51 GMT -0600 26 March 1998]

We thank you for your time and assistance in this matter.

We congratulate both Mr. Murphy and The Enforcers for their diligence in
reaching this agreement. This is indeed an act of peace in our cyberworld.

[This is indeed an act which causes illness to stomach.]

0xa>-------------------------------------------------------------------------

Title: IBM's Ethical Hackers Broke In!

TUCSON, Ariz. (March 23, 1998 8:30 p.m.) - International Business Machines
Corp.'s team of "ethical hackers" successfully broke into an unnamed
company's computer network in a demonstration of a live attack at a
computer industry conference. 

[They make it sound like this is a big event. "Look guys! We
 actually broke in!#$!"]

[snip...]

Palmer said IBM charges between $15,000 to $45,000 to perform a hack of a
company's system, with its permission, to test its security. Palmer said
because hacking is a felony, its clients sign a contract that he calls a
"get out of jail free card" specifying what IBM is allowed to do. 

The IBM team, which has an 80 percent success rate in electronic
break-ins, is not a team of reformed hackers and Palmer warned the
audience that hiring former hackers can be very dangerous, and not worth
the risk. 

[*BULLSHIT* .. IBM hires hackers.. IBM hires hackers.. secret is out,
 nyah nyah.]

[snip...]

He said that there are currently about 100,000 hackers worldwide, but that
about 9.99 percent of those hackers are potential professional hired
hackers, who may be involved in corporate espionage, and .01 percent are
world class cyber criminals. Ninety percent are amateurs who "cyber" 
joyride." 

[snip...]

0xb>-------------------------------------------------------------------------

Title: Two accused of conspiring to hack into CWRU system
Source: Plain Dealer Reporter
Author: Mark Rollenhagen
Date: Thursday, March 26, 1998
     
A federal grand jury yesterday indicted two Cleveland Heights residents on
felony computer hacking charges.
     
Rebecca L. Ching, 27, and Jason E. Demelo, 22, who authorities said live
in an apartment on Mayfield Rd., are accused of conspiring to hack into
the computer system at Case Western Reserve University between October
1995 and June 1997. 
     
Ching was a systems administrator for a computer system on the CWRU campus
network during at least a portion of the conspiracy, the indictment said.
     
She is accused of helping Demelo hack into the CWRU system by directing
him to install a "sniffer" program capable of intercepting electronic
information, including user names and passwords.
     
Federal prosecutors would not say why Ching and Demelo allegedly sought 
to hack into the system.
     
Neither could be reached to comment.
     
Tom Shrout, director of communications for CWRU, said Ching worked part
time for the university in its information sciences division three or four
years ago. 
     
The case is believed to be the first federal computer hacking case brought
in Northern Ohio since the FBI organized a computer crime unit last year. 
     
Demelo is also charged with seven counts of illegally intercepting
electronic communications sent to other universities, including Cleveland
State University, George Mason University and the University of Minnesota,
and Internet providers, including Modern Exploration, APK Net Ltd., and
New Age Consulting Service, and Cyber Access, a software company. 
     
0xc>-------------------------------------------------------------------------

Title: FBI Warns of Big Increase In On-line Crime

[Hrm.. wonder if it is time to get next year's budget?!]

WASHINGTON (March 25, 1998 00:19 a.m. EST) -- Criminal cases against
computer hackers have more than doubled this year as the ranks of teenage
hackers were joined by industrial spies and foreign agents, the FBI warned
Tuesday. 

[Cases have doubled... no word on convictions.. hrm...]

The FBI told a congressional Joint Economic Committee hearing that it had
recorded a significant increase in its pending cases of computer
intrusions, rising from 206 to 480 this year. 

[snip...]

Michael Vatis, head of the FBI's national infrastructure protection
center, said: "Although we have not experienced the electronic equivalent
of a Pearl Harbor or Oklahoma City, as some have foretold, the statistics
and our cases demonstrate our dangerous vulnerabilities to cyber attacks." 

[snip...]

He told how one hacker had broken into telephone systems in Massachusetts
to cut off communications at a regional airport and disconnect the control
tower last year. Last week a teenager agreed to serve two years' probation
after pleading guilty to disrupting communications at the Worcester,
Mass., airport for six hours. 

Another hacker in Florida is accused of breaking into the 911 emergency
phone system last year and jamming all emergency services calls in the
region. 

The FBI said the dangers of cybercrime were rising because of the
increased availability of hacking tools on the Internet, as well as
electronic hardware such as radio frequency jamming equipment. 

Last week Deputy Defense Secretary John Hamre toured European governments
to warn of the risks of computer crime and discuss possible
counter-measures. 

In spite of the publicity surrounding hackers, industrial espionage
remains the most costly source of cybercrime, the committee heard Tuesday. 

Last July an unnamed computer communications company sent a malicious
computer code which diverted communications from one of its rivals. The
FBI estimated the victim company suffered losses of more than $1.5
million. 

Other FBI officials told how the U.S. was increasingly the subject of
economic attack by foreign governments using computers. Larry Torrence, of
the FBI's national security division, said foreign agents were
"aggressively targeting" proprietary business information belonging to
U.S. companies. 

More frequently, criminals are using the Internet to defraud potential
investors with bogus investment schemes and banks. 

Fraudulent schemes on the Internet were becoming "epidemic," said Neil
Gallagher, of the FBI's criminal division. One pyramid scheme, called
Netware International, had recruited 2,500 members across the country by
promising to share profits of 25 percent a year in a new bank which it was
claiming to form. 

Investigators said they had seized almost $1 million to date.

0xd>-------------------------------------------------------------------------

Title: Computer hacker jailed for 18 months
Date: Friday, March 27, 1998
     
A computer hacker who tried to destroy an Internet company that refused to
hire him was jailed for 18 months today for offences that include
publishing customer credit card numbers. 
     
In the NSW District Court, Judge Cecily Backhouse said Skeeve Stevens
seriously damaged AUSnet, which has since gone out of business, by
compromising 1,225 credit cards and by prominently displaying a message on
its homepage on the World Wide Web. 
     
The April 1995 message included: "So dont (sic) be surprised if all you
(sic) cards have millions of dollars of shit on them ... AUSNET is a
disgusting network ... and should be shut down and sued by all their
users!" 
     
Stevens, 26, pleaded guilty to inserting data into a computer system in
Sydney in April 1995 and asked the judge to take into account another
eight offences, including accessing confidential information. 

[snip...]

The judge said Stevens' actions caused serious harm to the goodwill of
AUSnet, whose staff had to answer non-stop calls from angry customers -
many of whom cancelled their accounts - and who had to deal with crippling
effects of their cash flows. 
     
Judge Backhouse said general deterrence was important in this type of
offence, which was very hard to detect. 
     
She jailed him for three years, but ordered him to be released on a
recognisance after 18 months. - Australian Associated Press *Australian
Eastern Daylight Time (AEDT) is 11 hours ahead of Greenwich Mean Time. 
     
0xe>-------------------------------------------------------------------------

Title: Afternoon Line
Source: The Netly News
Author: Declan McCullah
Date: March 24, 1998

Technology is one of those issues where lawmakers vie to sound as dumb as
possible. At a "cyber-theft" hearing this morning, Rep. Jim Saxton
(R-N.J.) said that his only knowledge about computers dates back to when
his printer had a cover "to shield our ears from the noise."  Could the
witnesses from the FBI please explain the problems they had with this
newfangled Internet? Sure, replied Michael Vatis, the head of the National
Infrastructure Protection Center: "There are hacker web sites" out there,
he said, with software that lets you "click on a button to launch an
attack." The fact that Carnegie Mellon University's CERT center reported a
20 percent reduction in attacks from 1996 to 1997 didn't faze him. The
real problem, Vatis griped, is "people out there who still romanticize
hackers as kids just having fun. [What about] the elderly person who can't
get through to 911 in an emergency because of a hacker?" Joining Vatis in
testifying before Congress' Joint Economic Committee were top FBI honchos
Larry Torrence and Neil Gallagher. Nobody representing civil liberties
groups, computer security organizations, or high tech companies was
invited to speak. --By Declan McCullagh/Washington

[...]

Witness at the Persecution

Then again, there's a job opportunity in Los Angeles for someone with
top-notch skills in telecommunications, system and network administration,
and computer security -- and you won't even have to turn on a computer.
The lawyer for renown hacker Kevin Mitnick is looking for an expert
witness to testify at his client's trial, and has issued a sort of want-ad
press release. "Qualified candidates must have an advanced degree and be
knowledgeable in DOS, Windows, SunOS, VAX/VMS and Internet operations,"
the job description reads. Oh well, they lost me after "qualified," but
with Uncle Sam paying the tab it could be the perfect opportunity for
someone with a taste for the spotlight and nothing on their agenda
starting as early as March 30. 


0xf>-------------------------------------------------------------------------

Title: Hacking Geniuses or Monkeys
Source: ZDTV
Author: Ira Winkler
Date: March 30, 1998

By now everyone has heard about the Pentagon hacks-- and the ensuing
arrests of two teenagers in Cloverdale, Calif., and The Analyzer, the
Israeli claiming to be the superhacking mentor of the Cloverdale teens. 
There were also two other Israelis arrested at the same time.

The media and Websites like antionline.com portrayed the criminals as
geniuses. I never heard of these supposed geniuses before, but the one
thing that went through my mind was a quote by Scott Charney, Chief of the
Department of Justice Computer Crime and Intellectual Property Unit: "Only
the bad ones get caught."
                  
I wanted the inside scoop, so I talked to some real hackers, who are
really considered "elite" within the hacking community. These are people
who have been hacking for over a decade and can take control of any system
that they want. They invent the hacks that the wannabes find tools to
accomplish.

The opinion of the elite varied little: "The hackers involved in the
Pentagon and ensuing hacks are clueless."

Bad hackers are clueless

Why are the Pentagon hackers clueless? In the first place, they were
caught. 

The inside scoop is that the Pentagon hackers did nothing to cover their
tracks and used the same routes of access again and again, making their
capture inevitable. In short, they failed the basics of Criminal Hacking
101.

The true act of stupidity, however, was talking to the press and being
totally unrepentant about their actions. They even bragged about it. This
is like asking the FBI, "Please prosecute me."

While the Department of Justice doesn't usually prosecute juveniles, the
teenagers were almost daring them to. Then The Analyzer jumped in,
threatening to wreak havoc on the entire Internet if the teenagers were
pursued. A week later he was arrested.

Skilled hackers remember the arrest of the people who hacked the DoJ and
CIA webpages. The lesson: if you leave any tracks while embarrassing the
US Government, you will be caught.

The hacking inner circle told me that The Analyzer did not cover his
tracks at all, and his capture was easy, even though it spanned
international lines. And how skillful are The Analyzer and the Pentagon
hackers? According to my sources, almost all the hacks were accomplished
via a tool that automatically exploited the rstatd problem. 

You really don't have to know what the rstatd problem means. The best
analogy is that the Pentagon hackers found a master key on the street and
tried it on every lock that they could find. Unfortunately, there are tens
of thousands of "locks" that the master key fits. This is hardly the sign
of a computer genius, according to the elite.

Who is The Analyzer, anyway?

The real hackers then wondered why they have never heard of The Analyzer
before. The talented hackers do seem to know each other or at least hear
about the "rising stars" of the community. The Analyzer never fit this
category. Nor did anyone recognize him when his picture was wired around
the world. 

And what about the language that the Pentagon hackers and The Analyzer
used in their unwise interviews? 

The Analyzer threatened to damage "Internet servers." Apparently, real
hackers don't use this term, it is too mainstream. The California
teenagers were quoted as saying that the reason they hacked was, "Power." 
Among the elite, real power is the anonymous and undetected control of a
computer. Needless to say, the Pentagon hackers were not anonymous or
undetected. I wonder how "powerful" they will feel in prison.

It didn't surprise my hacker friends when another group of hackers,
calling themselves The Enforcers, jumped on the bandwagon. These people
threatened to hack computers all over the world in retaliation for the
capture of The Analyzer and the Cloverdale teens. Of course, The
Enforcers' self-proclaimed leader used the same email address to put out
his statements and respond to queries from the media-- making himself and
his group easy targets for federal attention. 

The only reasons he may not be arrested is that his group hasn't caused
any real damage, and the FBI has more important problems to deal with than
wannabe hackers looking for their 15 minutes of fame. 

Hacker wannabes

I'm really getting sick of the Pentagon hacking stories, and all the
wannabe hackers clamoring for their moment in the spotlight. Perhaps, when
the FBI starts actively prosecuting juveniles and other people for
hacking-related crimes, these wannabes will start using their computers in
more productive ways.

More importantly, maybe the media will stop portraying anyone who can hack
a computer as some sort of genius. As I have said before, and as the real
hackers can confirm, I can train a monkey to break into a computer in a
few hours. The Pentagon hackers have displayed no more talents than the
monkeys of which I speak. On the other hand, the fact that they can break
into Pentagon computers makes the Department of Defense look like monkeys
as well.

The fact that the media continues to paint these wannabes as geniuses
makes them worse than monkeys. 

0x10>-------------------------------------------------------------------------

Title: Low Tech Spooks - Corporate Spies
Source: Forbes
Author: Adam L. Penenberg

In his slightly crumpled brown uniform, Richard Jones looked like any
typical deliveryman, bringing in a new batch of urgently needed office
supplies to corporations everywhere. But Jones, who was heading for the
parking lot of a major chipmaker's border town maquiladora, only looked
the part.  Everything about him that day was made up. 

His uniform, "A close match, but not perfect," he would recall later, the
office supplies--paper, pens and toner cartridges--picked up from a local
stationery store. Even his name was fictional.

As Jones took a final deep breath and carried the supplies into the
company's air-conditioned chill, a security guard took one look at the
brown uniform and lazily waved him through to the office manager's office. 
Jones had already contacted the delivery company and, pretending to be
from the semiconductor company, had canceled that week's delivery run.

[snip...]

And that was that. The office manager showed Jones around the entire
premises, pointing out photocopiers, fax machines, bookshelves, supply
cabinets that had to be resupplied and the offices of executives. She even
got him coffee.

What was the point of the charade? Jones, not his real name, is a
corporate spook. A rival company had paid him to obtain the semiconductor
company's forthcoming quarterly earnings before they were announced. The
fee: a nifty $35,000. 

[snip...]

Many former Central Intelligence Agency, National Security Agency and
Defense Intelligence Agency employees have sought refuge in the corporate
world, often heading their own companies. They even have their own trade
organization: the Society of Competitor Intelligence Professionals, or
SCIPs. 

[You must have proper ID and know the secret handshake to join.]

"The scope of the problem is enormous," says Ira Winkler, security
consultant and author of Corporate Espionage. "On any one day there are a
few hundred people engaged in breaking into companies and stealing
information in this country. I can literally walk into a company and
within a few hours walk out with billions of dollars." 

[One trick pony...]

[snip...]

0x11>------------------------------------------------------------------------

Title: 'White Hat' Hackers Probe Pores in Computer Security Blankets
Source: Washington Post
Author: Pamela Ferdinand
Date: April 4, 1998

BOSTON: In a chaotic room crammed with computer terminals and circuit
boards, a long-haired man in black jeans -- "Mudge" by his Internet handle
-- fiddles with the knobs of a squawking radio receiver eavesdropping on
the beeps and tones of data transmissions.

Nearby, a baby-faced 22-year-old in a baggy sweat shirt, nicknamed
"Kingpin," analyzes reams of coded equations to break password sequences
percolating on his computer screen. Other figures with equally cryptic
identities toil in an adjoining chamber, their concentrated faces lit only
by a monitor's glare and the flicker of silent television sets.

This is the L0pht, pronounced "loft," a techie operations center in a
suburban warehouse several miles from city center that is inhabited by a
group whose members have been called rock stars of the nation's
computer-hacking elite.

The seven members of this computer fraternity-cum-high tech clubhouse have
defeated some of the world's toughest computer and telecommunications
programs and created security software that is the gold standard of
corporate and hacking worlds. By day, they are professional computer
experts, mostly in their twenties and thirties, with jobs and even wives. 
By night, they retreat to the warehouse and their electronic aliases troll
the Internet for security gaps.

Hacking mostly for the challenge, they have exposed security flaws in
Microsoft Corp.'s leading network operating system, revealed holes in
Lotus software and figured out how to decode pager messages and mobile
police terminal data, among other feats.

Hackers typically get into supposedly secure computer systems and pinpoint
security breaches by deciphering elaborate number, letter and symbol
combinations designed by manufacturers to protect their products. If
security is breached, users risk having everything from private e-mail
read to databases erased.

A single, unintentional hack is not illegal, the U.S. attorney general's
office here says. But repeat intruders face criminal penalties, especially
when they compromise and damage confidential government, military or
financial information. 

[Hrm.. such nice vague wording. Break in one time (the first time),
 and it isn't illegal?!]

[snip...]

L0pht members pride themselves on a less invasive and more altruistic goal
just this side of the law:  To locate and document Internet security gaps
for free for the sake of consumers who have been led to believe their
online transactions are secure.

"We think of our Net presence as a consumer watchdog group crossed with
public television," said "Mudge," a professional cryptographer by day who
declined to identify himself for security reasons.  "At this point, we're
so high profile . . . it would be ludicrous for us to do anything wrong."

Even companies whose products have been hacked for security weaknesses
laud the social ethos and technical prowess of the members of the L0pht,
who frequently notify manufacturers and recommend fixes before going
public with their finds. Unlike villainous hackers labeled "black hats," 
who probe cyberspace for profit and malice, Robin Hood-style "white hats" 
like the L0pht are generally accorded respect, and even gratitude.

[snip...]

In the L0pht's most widely publicized hack, "Mudge" and a colleague
assaulted Microsoft's Windows NT operating system last year and found
inherent flaws in the algorithm and method designed to hide user
passwords. They demonstrated the security breach by posting their
victorious code on the Internet and showing how it was possible to steal
an entire registry of passwords in roughly 26 hours, a task Microsoft
reportedly claimed would take 5,000 years. 

"It's big. It's bad. It cuts through NT passwords like a diamond tipped,
steel blade," boasts advertising for the latest version of their
security-auditing tool, dubbed "L0phtcrack." "It ferrets them out from the
registry, from repair disks, and by sniffing the net like an anteater on
dexadrene."

Microsoft took notice and, in an unprecedented move, executives invited
the L0pht to dinner at a Las Vegas hacker convention last year. They have
worked with the L0pht to plug subsequent security loopholes while
simultaneously adding hacker-style techniques to in-house testing.

[snip...]

In doing so, the L0pht is grabbing the world's attention. But for all
their skill in unscrambling the great riddles of technology, they remain
baffled by some fundamental mysteries of life. Asked what puzzle they
would most like to solve, "Kingpin" replied: "Girls."

[See! At least 2 out of 7 l0pht members hack for girls!]

0x12>------------------------------------------------------------------------

Title: 101 Ways to Hack into Windows NT
Source: Surveillance List Forum
Date: April 3, 1998

MELBOURNE, AUSTRALIA: A study by Shake Communications Pty Ltd has
identified not 101, but 104, vulnerabilities in Microsoft Windows NT,
which hackers can use to penetrate an organisation's network. 

Many of the holes are very serious, allowing intruders privileged access
into an organisation's information system and giving them the ability to
cause critical damage - such as copying, changing and deleting files, and
crashing the network.  Most of the holes apply to all versions (3.5, 3.51
and 4) of the popular operating system. 

[snip...]

Shake Communications also provides links to patches/fixes in its
Vulnerabilities Database, which also covers other operating systems,
programs, applications, languages and hardware. 

[snip...]

0x13>------------------------------------------------------------------------

Title: Suspected NASA Hacker Nabbed
Source: CNET news.com
Date: April 6, 1998

TORONTO, Ontario--A 22-year-old Canadian man suspected of breaking into a
NASA Web site and causing tens of thousands of dollars in damage has been
arrested by Canadian Mounties. 

The Royal Canadian Mounted Police in the northern Ontario city of Sudbury
charged Jason Mewhiney with mischief, illegal entry, and willfully
obstructing, interrupting, and interfering with the lawful use of data,
Corporal Alain Charbot said today. 

[u4ea?!]

[snip...]

More than $70,000 worth of damage was caused at the NASA Web site and
officials were forced to rebuild the site and change security, Charbot
said. 

The FBI tracked the hacker by tracing telephone numbers to the Sudbury
area. 

The Mounties raided the homes of Mewhiney's divorced parents and seized an
ancient computer, a second basic computer, a high-speed modem, diskettes,
and documents. 

[snip...]

Charbot said ironically, once hackers are released from police custody
they are prime candidates for cushy corporate jobs, doing the same type of
work--but with the permission of Web site builders. 

[Why must these people revert to the use of 'web' terms?!]

0x14>------------------------------------------------------------------------

Title: CEOs Hear the Unpleasant Truth about Computer Security
Source: CNN
Author: Ann Kellan
Date: April 6, 1998

ATLANTA (CNN) -- Computer hackers breaking into government and corporate
computers is estimated to be a $10 billion-a-year problem, so CEOs met
Monday in Atlanta to hear what government and industry experts are doing
about it. 

[More expert figures on damage... ]

They learned, among other things, that the Pentagon alone had 250,000
hacker attempts on its computer system last year, and that computer
networks are easy targets. 

[And more quoting of inaccurate statistics...]

They also learned that there are almost 2,000 Web sites offering tips,
tools and techniques to hackers. 

Among the things a hacker can do is send an e-mail to someone and attach a
computer program to it. The attached program will, in the words of one
hacker, "open up a back door" into the computer system it was sent to. 

[Its just that easy I bet...]

[snip...]

According to IBM CEO Louis Gerstner, government and corporations need to
work together to set standards for security practices such as
hacker-resistant encryption codes. 

"We should be encouraging the widespread adoption of encryption technology
right now, led by U.S.-based manufacturers," Gerstner said. 

CIA Director George Tenet told the CEOs not to look to the government to
fix the problem. 

[Now there is a good quote.]

[snip...]

0x15>------------------------------------------------------------------------

Title: Codebreakers
Source: Time Magazine
Date: April 20, 1998
	  
CRACKED Thought your new digital cell phone was safe from high-tech
thieves? Guess again. Silicon Valley cypherpunks have broken the
proprietary encryption technology used in 80 million GSM (Global System
for Mobile communications) phones nationwide, including Motorola MicroTAC,
Ericsson GSM 900 and Siemens D1900 models. Now crooks scanning the
airwaves can remotely tap into a call and duplicate the owner's digital
ID. "We can clone the phones," brags Marc Briceno, who organized the
cracking. His advice: manufacturers should stick to publicly vetted codes
that a bunch of geeks can't crack in their spare time. --By Declan
McCullagh/Washington

0x16>------------------------------------------------------------------------

Title: Hackers Could Disable Military
Source: Washington Times
Author: Bill Gertz
Date: April 16, 1998

Senior Pentagon leaders were stunned by a military exercise showing how
easy it is for hackers to cripple U.S. military and civilian computer
networks, according to new details of the secret exercise.

Using software obtained easily from hacker sites on the Internet, a group
of National Security Agency officials could have shut down the U.S. 
electric-power grid within days and rendered impotent the
command-and-control elements of the U.S. Pacific Command, said officials
familiar with the war game, known as Eligible Receiver.

[snip...]

Pentagon spokesman Kenneth Bacon said, "Eligible Receiver was an important
and revealing exercise that taught us that we must be better organized to
deal with potential attacks against our computer systems and information
infrastructure."

[Such a neat name too!]

The secret exercise began last June after months of preparation by the NSA
computer specialists who, without warning, targeted computers used by U.S. 
military forces in the Pacific and in the United States.

The game was simple: Conduct information warfare attacks, or "infowar," on
the Pacific Command and ultimately force the United States to soften its
policies toward the crumbling communist regime in Pyongyang. The "hackers"
posed as paid surrogates for North Korea. 

The NSA "Red Team" of make-believe hackers showed how easy it is for
foreign nations to wreak electronic havoc using computers, modems and
software technology widely available on the darker regions of the
Internet: network-scanning software, intrusion tools and password-breaking
"log-in scripts." 

[They successfully hack their target, yet they are "make-believe"?]

According to U.S. officials who took part in the exercise, within days the
team of 50 to 75 NSA officials had inflicted crippling damage. 

They broke into computer networks and gained access to the systems that
control the electrical power grid for the entire country. If they had
wanted to, the hackers could have disabled the grid, leaving the United
States in the dark. 

[snip...]

The attackers also foiled virtually all efforts to trace them.  FBI agents
joined the Pentagon in trying to find the hackers, but for the most part
they failed. Only one of the several NSA groups, a unit based in the
United States, was uncovered. The rest operated without being located or
identified.

The attackers breached the Pentagon's unclassified global computer network
using Internet service providers and dial-in connections that allowed them
to hop around the world. 

[snip...]

The targets of the network attacks also made it easy. "They just were not
security-aware," said the official. 

A second official found that many military computers used the word
"password" for their confidential access word. 

[*scribbling notes..*]

0x17>------------------------------------------------------------------------

Title: Secret Service Hackers Can't Crack Internet
Source: PA News
Author: Giles Turnbull
Date: April 21, 1998

[So the NSA has better hackers than the Secret Service. ]

   Professional computer hackers from the secret services were brought in
to attempt to hack into the Government's internal secure communications
system, which was launched today. 

   As part of the year-long planning and preparation of the Intranet, staff
from GCHQ and similar security organisations were brought in to try to hack
into the system.

   But they failed.

[snip...]
 
0x18>------------------------------------------------------------------------

Title: Now Hiring: Hackers (Tattoos Welcome)
Source: Tribune
Author: Susan Moran
Date: April 12, 1998

Even the computer professionals who like to wear Birkenstocks and T-shirts
to work find the dress code of GenX hackers a bit extreme. The main
elements seem to be tattoos and nose rings. 

[No stereotyping here...]

They'd better get used to them. Many computer hackers, some of them
recovering computer criminals, are adeptly turning their coveted expertise
into big bucks.

A surge in computer crime, spurred by the shift to networked computers and
by the growing popularity of the Internet, has created a huge demand for
information security experts who can help protect companies' computer
systems. Recent high-profile attacks on government and university computer
networks highlighted the vulnerability of these networks and spurred
corporate executives to seek ways to fortify their systems.

[snip...]

In a separate recent incident, the Justice Department last month arrested
three Israeli teenagers suspected of masterminding the break-ins of
hundreds of military, government and university computer sites to gaze at
unclassified information. The Federal Bureau of Investigation is also
investigating two California teens who linked up with their Israeli
co-conspirators over the Internet. 

[Three Israeli teens? Gee, could they mean the two Cloverdale CALIFORNIA
 kiddies and 'the analyzer'?]

[snip...]

Hackers' anarchistic style is gradually gaining acceptance in corporations
and government agencies, although some conservative organizations feel
safer renting experts from established consulting firms. 

[Experts that consist of hackers who can dress well, and act all
 'corporate'.]

[snip...]

That yellow-haired hacker, a 24-year-old who prefers to be known by his
alias, "Route," also sports a tongue bar. His work as an information
security consultant is worth $1,500 to $2,000 a day to clients who want to
arm themselves against attacks by "crackers"--the correct term for hackers
who use their computer expertise to commit malicious acts of infiltrating
computer networks. On his own time, Route edits Phrack, a computer
security journal (phrack.com). And he occasionally gives talks to
government and corporate clients for Villella's firm, New Dimensions
International (www.ndi.com). Route writes his own security-related tools
and claims he's never used them for illegal snooping.

[Woohoo! Go Route! Go Route!]

[snip...]

Another hacker who now makes a healthy living consulting goes by the alias
"Mudge." He is a member of L0pht, a sort of "hacker think tank" consisting
of a handful of Boston-based hackers who work out of a loft space, where
they research and develop products and swap information about computer and
cellular phone security, among other things. Mudge consults for private
and public organizations, teaches classes on secure coding practices, and
writes his own and reviews others' code. "It pays well, but the money
isn't the main reason I'm doing it," he said.

[In a recent talk over beer, Mudge confided in me that he does it
 for the girls. :) ]

What he likes best is knowing he's among the elite experts who understand
computer security more than big-name consultants. He's proud that he and
his ragged assortment of hacker friends are called in to solve problems
that stump the buttoned-down set.

"Not bad for a bunch of bit-twiddlers," he wrote in an e-mail missive. 

0x19>------------------------------------------------------------------------

Title: Hacker Stoppers?
Source: InformationWeek
Author: Deborah Kerr
Date: April 27

Companies bought $65 million worth of network-intrusion
tools last year, but capabilities still lag behind what's promised. 

Neal Clift no longer sleeps on the floor of his office. Ten years ago, he
slept under his Digital VAX at Leeds University in England, listening for
the telltale clicks and hums that signal an intruder on his network. For
weeks, a hacker had been shamelessly crashing his machine, deleting files,
and reconfiguring controls. Clift tracked the hacker's movements, recorded
the keystrokes, and eventually closed up the hacker's entry points.

At the time, pulling late-nighters was the only way to catch a hacker,
since poring over system logs could only establish the hacker's patterns
after the fact. Now, intrusion-detection technology lets network security
managers and administrators catch trespassers without spending the night
on the office floor.

Intrusion-detection tools are a $65 million industry that will grow as
large as the firewall market, which reached about $255 million in 1997,
according to the Hurwitz Group, in Framingham, Mass. Touted as network
burglar alarms, intrusion-detection systems are programmed to watch for
predefineds2000] attack "signatures," or predefined bytecode trails of
prespecified hacks.  Intrusion-detection systems also send out real-time
alerts of suspicious goings-on inside the network.  enger]

But don't bet the server farm on intrusion-detection systems yet. They're
still new, and their capabilities are limited. No matter what you buy,
some portion of the enterprise will be unprotected. Intrusion-detection
systems also can break down under certain types of attacks, in some cases
even turning on their own networks under the guidance of a truly
knowledgeable hacker. 

"There's no one tool to solve all the security problems throughout your
network," says Jim Patterson, vice president of security and
telecommunications at Oppenheimer Funds, in Denver... 

[snip...]


0x1a>------------------------------------------------------------------------

Title: Hackers' Dark Side Gets Even Darker
Author: Douglas Hayward

LONDON -- The hacker community is splitting into a series of distinct
cultural groups -- some of which are becoming dangerous to businesses and
a potential threat to national security, an official of Europe's largest
defense research agency warned Thursday. New types of malicious hackers
are evolving who use other hackers to do their dirty work, said Alan Hood,
a research scientist in the information warfare unit of Britain's Defense
Evaluation and Research Agency (DERA).

Two of the most dangerous types of malicious hackers are information
brokers and meta-hackers, said Hood, whose agency develops security
systems for the British military.  Information brokers commission and pay
hackers to steal information, then resell the information to foreign
governments or business rivals of the target organizations.

Meta-hackers are sophisticated hackers who monitor other hackers without
being noticed, and then exploit the vulnerabilities identified by these
hackers they are monitoring. A sophisticate meta-hacker effectively uses
other hackers as tools to attack networks. "Meta-hackers are one of the
most sinister things I have run into," Hood said. "They scare the hell out
of me."

[Great.. more terms and lousy journalism..]

DERA is also concerned that terrorist and criminal gangs are preparing to
use hacking techniques to neutralize military, police and security
services, Hood said.

[Criminal gangs.. oooh...]

[snip...  lame stereotype crap]

0x1b>------------------------------------------------------------------------

Title: Japan Fears It's Becoming a Base for Hackers
Source: Daily Yomiuri On-Line
Author: Douglas Hayward
Date: 4/29/98

To fill in legal loopholes that have caused an increase in unauthorized
computer access, the National Police Agency has set up a group of experts
to study how to prevent Internet crimes. 
 
Unlike Europe and the United States, Japan has no law prohibiting
unauthorized access to computers through the Internet. There has been a
stream of reports of anonymous hackers accessing corporate servers. 

[Gee, they have no laws making hacking illegal, and they wonder why
 they are becoming a base for hackers? Bright.]

[snip...]

The Japan Computer Emergency Response Team Coordination Center has been
studying cases of unauthorized access through the Net, and found a total
of 644 from the time of the center's establishment in October 1996 to last
month. 
 
Meanwhile, police uncovered 101 high-tech crimes in 1997, three times as
many as in the previous year. 

0x1c>------------------------------------------------------------------------

Title: Kevin Mitnick Hacker Case Drags On and On
Source: ZDTV
Author: Kevin Poulsen
Date: 4/28/98

[If you haven't visited, go to www.kevinmitnick.com right now.]

LOS ANGELES-- "Now, have we made any progress here?" 

With those words, Judge Mariana Pfaelzer opened the latest hearing in the
Kevin Mitnick case in L.A.'s U.S. District Court Monday. She might as well
have said, "Let's get ready to rumble."

It's now been more than three years since a dramatic electronic manhunt
ended with Mitnick's arrest, national headlines, books and movie deals.

Since then, the excitement has faded. The books oversaturated the market; 
the movies never got made.  And the once fast-paced story of a compulsive
hacker with a goofy sense of humor is mired in its epilogue: the slow ride
to disposition over the speed-bumps of the federal justice system.

[snip...]

But only some of it. The government wants to keep a tight lid on the
"proprietary" software in the case, and on what it calls "hacker tools." 
The defense can review these files, but they can't have their own copies
for analysis.

[snip...]

If the evidence was in paper form, the government would have probably
agreed. But Painter says that with electronic evidence, "it's too easy for
this to be disseminated by the defendants."

In other words, the government doesn't want the data to show up on a Web
site in Antigua. 

[snip...]

0x1d>------------------------------------------------------------------------

Title: Millions Lost to Phone Hackers
Author: Andrew Probyn

MILLIONS of dollars are being ripped off phone users in Australia by
hackers using increasingly elaborate phone scams.  Households, businesses
and mobile phone users have become victims of widespread and systematic
phone fraud. 

[Hackers using phone scams?]

As carriers Telstra and Optus make advances in protecting their
telecommunications networks, hackers are increasingly adept at breaking
their security codes to rip off users.

The Herald Sun has discovered many cases of billing discrepancies blamed
on hackers, including one householder charged $10,000 for calls he said he
never made. 

A Herald Sun investigation has also shown:  SEX calls to chat lines in the
United States, Guyana, the Dominican Republic, Russia, Chile and the
Seychelles are commonly charged to other people's accounts.  HACKERS can
divert their Internet, local and international call costs without
detection. 

[Why do I think they are using 'hackers' for any sex-fiend that stole
 a code?]

[snip...]

"Hacking could be costing consumers in the region of millions of dollars," 
he said. "Some of these calls are very expensive - sex calls, for example,
can be up to $30 just to be connected."

[snip...]

0x1e>------------------------------------------------------------------------

Title: Hackers on the Hill
Author: Annaliza Savage

[FINALLY...get some incredible hackers up there to school these
 weenies. Go l0pht!]

Seven hackers will face the Senate Government Affairs Committee Tuesday. 
But they aren't in any trouble. 

The seven hackers have been invited by Senator Fred Thompson (R-Tenn.)--
the sometime-actor you may remember from such films as The Hunt For Red
October and Die Hard 2-- to testify about the state of the US Government's
computer networks.

The seven-- Mudge, King Pin, Brian Oblivian, Space Rouge, Weld Pond, Tan
and Stefan-- are all members of the L0pht, a hacker hangout in Boston, and
have been part of the hacker underground for years. 

"We were surprised to get an email from a senator's aide. We have had some
contacts with law enforcement over the years, but this was something
completely different," said Weld Pond. 

[snip...]

"We are trying to return the label hacker to the badge of honor it used to
be in the old days. A word that means knowledge and skill, not criminal or
script-kiddies, as it does in the popular press today," Weld Pond said. 

[snip...]

When Thompson's aide, John Pede, showed up at the L0pht to discuss the
Senate hearings with the group, the irony of the visit wasn't wasted on
hackers. Weld Pond explained: "We thought about blindfolding him on the
way over here but decided against it in the end. The visit was a little
uncomfortable. When the FBI has reporters visit them they clean up quite a
bit and keep an eagle eye on the visitors. This was no different except
the tables were turned." 

Mudge was glad to be able to show off the l0pht to the men in suits. "We
actually enjoyed having the government officials over. It's a wonderful
sight when we bring guests over to the l0pht and their jaws drop on the
floor after seeing all of the stuff we have managed to engineer and get
working. Especially when they realize it has all been without any formal
funding." 

[snip...]

0x1f>------------------------------------------------------------------------

Title: RSA Sues Network Associates
Source: CNET NEWS.COM
Author: Tim Clark
Date: 5.20.98

RSA Data Security is seeking to bar Network Associates from shipping any
Trusted Information Systems software that uses RSA encryption technology.

[Nyah nyah!]

Earlier this year, Network Associates acquired TIS, licensed by RSA to use
its encryption algorithms in TIS virtual private network software. RSA is
a wholly owned subsidiary of Security Dynamics.

[snip...]

"RSA is a company based on intellectual property," said Paul Livesay,
RSA's general counsel. "Right now we perceive Network Associates as having
an approach to doing business by acquiring companies and ignoring
third-party agreements, so why would we want to assign the license to TIS
to a party that operates in that manner?"

0x20>------------------------------------------------------------------------

Title: Clinton to Outline Cyberthreat Policy
Source: CNET NEWS.COM
Author: Tim Clark
Date: 5.21.98

In a commencement speech at the U.S. Naval Academy tomorrow, President
Clinton is expected to highlight cyberthreats to the nation's electronic
infrastructure, both from deliberate sabotage and from accidents such as
the satellite outage that silenced pagers across the nation this week. 
   
Clinton also is expected to outline two new security directives, one aimed
at traditional terrorism and the other at cyberthreats. The cyberthreats
directive follows last year's report from the Presidential Commission on
Critical Infrastructure Protection. 

[snip...]

"Clinton will announce a new policy for cyberterrorism based on the
recommendations of the commission, stressing the fact that we need
private-sector help to solve this problem, since the private sector owns
80 to 90 percent of the nation's infrastructure," said P. Dennis LeNard
Jr., deputy public affairs officer at PCCIP. Under the new policy, that
agency will become the Critical Infrastructure Assurance Office, or CIAO. 
   
Clinton also is expected to order federal agencies to come up with a plan
within three to five years that identifies vulnerabilities of the nation's
infrastructure and responses to attacks as well as creating a plan to
reconstitute the U.S. defense system and economy if a cyberattack
succeeds, said a former White House staffer familiar with Clinton's
speech. 

[Three to five years.. how.. timely.]

[snip...]

"The Department of Justice is not keen on sharing information that could
lead to criminal prosecutions," the official said. "The private sector
does not trust the FBI, and the FBI doesn't want to give out secrets.
They're afraid that if they share information, they may someday have to
testify in court." 
   
0x21>------------------------------------------------------------------------

Title: Programmer Sentenced for Military Computer Intrusion
Source: CNN
Date: 5.25.98

DAYTON, Ohio (AP)- A computer programmer was sentenced to six months at a
halfway house for gaining access to a military computer that tracks Air
Force aircraft and missile systems. 

Steven Liu, 24, was also fined $5,000 Friday after pleading guilty to
exceeding authorized access to a computer. 

Liu, a Chinese national who worked for a military contractor in Dayton,
downloaded passwords from a $148 million database at Wright-Patterson Air
Force Base. He said he accidentally discovered the password file and used
it to try to find his job-performance evaluation. 

[snip...]

0x22>------------------------------------------------------------------------

Title: Editorial - Hacker vs Cracker, Revisited
Source: OTC: Chicago, Illinois
Author: Bob Woods
Date: 5.22.98

Newsbytes. If a person talks about or writes a news story regarding a
hacker, one creates an image that is perpetuated in a Network Associates
TV ad: the heavily tattooed, ratty looking cyberpunk who breaks into
systems and posts proprietary information on the Internet for the same
reason "why (I) pierce (my) tongue." The big problem, though, is that
person is more accurately described as a "cracker," not a "hacker." 

   ZDTV CyberCrime correspondent Alex Wellen said earlier this week that
"cracker" is gaining acceptance in the media -- and quoted an old column
of mine in the process. Because of this unexpected exposure, I decided to
take a second look at my old work. 

   First, here's the text of my January 23, 1996 column: 

   Our readers have their hackles up when hacker is mentioned in our
stories. "Hackers," they argue, are good people who just want to learn
everything about a computer system, while "crackers" are the ones who are
breaking into computer systems illegally. 

   The problem arises when the public and people who shape society get a 
hold of terms like "hacker" -- a word once viewed as non-threatening,  but
is now turned into a name that conjures up visions of altered World  Wide
Web pages and crashed computer systems. 

   "Que's Computer and Internet Dictionary, 6th Edition," by Dr. Bryan 
Pfaffenberger with David Wall, defines a hacker as "A computer  enthusiast
who enjoys learning everything about a computer system and,  through clever
programming, pushing the system to its highest possible  level of
performance." But during the 1980s, "the press redefined the  term to
include hobbyists who break into secured computer systems,"  Pfaffenberger
wrote. 

   At one time hackers -- the "good" kind -- abided by the "hacker ethic," 
which said "all technical information should, in principle, be freely
available to all. Therefore gaining entry to a system to explore data and
increase knowledge is never unethical," according to the Que dictionary. 

   These ethics applied to the first-generation hacker community, which
Que said existed from roughly 1965 to 1982. While some of those people do
still exist, many other people who describe themselves as "hackers"  are a
part of the current generation of people who "destroy, alter, or move data
in such a way that could cause injury or expense" -- actions that are
against the hacker ethic, Que's dictionary said. Many of those actions are
also against the law.

   Today's hacker generation -- the ones bent on destruction -- are more
accurately called "crackers." Que defines such a person as "A computer
hobbyist who gets kicks from gaining unauthorized access to computer
systems. Cracking is a silly, egotistical game in which the object is to
defeat even the most secure computer systems. Although many crackers do
little more than leave a 'calling card' to prove their victory, some
attempt to steal credit card information or destroy data. Whether or not
they commit a crime, all crackers injure legitimate computer users by
consuming the time of system administrators and making computer resources
more difficult to access." 

   Here's the rub: whenever the media, including Newsbytes, uses the term
"hacker," we are hit with complaints about the term's usage.  E-mails to
us usually say "I'm a hacker, yet I don't destroy anything."  In other
words, the people who write us and other media outlets are a part of the
first generation of hackers.

   But the media reflects society as much as, if not more than, they
change or alter it. Today's culture thinks of hackers as people who
destroy or damage computer systems, or ones who "hack into" computers to
obtain information normal people cannot access. While it's probably the
media's fault, there's no going back now -- hackers are now the same
people as crackers.

   Besides, if a person outside of the computer biz called someone a
cracker, images of Saltines or a crazy person or an investigator in a
popular British television series would probably come to mind. For most
people on the street, the last thing they would think of is a person they
know as a hacker.

   So, what's to be done about the situation? Not a whole heck of a lot,
unfortunately. The damage is done. If more people in the "general public" 
and the "mainstream media" read this news service and saw this article,
some headway might be made. But even if they did, cultural attitudes and
thoughts are very difficult to change. For those people in the US --
remember New Coke? Or the metric system? If you're outside the US, can you
imagine calling football "soccer?"

   And to the first generation of hackers -- those of us "in the know"  in
this industry do know about you. When we report on hackers nowadays, we're
not talking about you, and we do not mean to insult you. Honest.

   ===  Today's Opinion 

   Okay, so that last paragraph was a bit on the hokey side. Alright, so
it was really hokey. But from what I remember, we had been getting quite a
few angry e-mails at the time regarding our usage of "hacker,"  and I was
trying to do a bit of damage control. But if memory serves me correctly,
we received a couple of "nice try" letters after we published the
editorial. Nice try? Well, I thought it was.

   But, was it a "safe" editorial? Sure. But it was -- and still is --
also "safe" to just write about "hackers" and offend a few people, rather
than use the term "cracker" and leave a bunch of people scratching their
heads over what the heck a "cracker" even was.

   While I'm seeing "cracker" more and more in computer-related
publications (unfortunately, though, not in ours as much as I'd like to
see) these days, the term is sorely lacking in the widely
read/viewed/listened-to media outlets.

   I'll take the liberty of quoting what ZDTV's Wellen quoted me as saying
two years ago: "If more people in the 'general public' and the 'mainstream
media' read this news service and saw this article, some headway might be
made (in accurately calling people crackers instead of hackers)." 

   Now, I can see a mainstream media-type -- I used to be one of these
people, by the way -- wondering how in the heck can they get their average
seventh-grade audience to understand that a cracker is different from a
hacker. It's easy for us computer/IT journalist types to write to our
expectations of our audience, because it is generally pretty much like us. 

   The answer, though, is pretty easy. Here's an example: 

   "Two teenage hackers, more accurately known as 'crackers,' illegally
entered into the Pentagon's computer system and took it out in an
overnight attack." The real trick, then, is to never again use "hacker" 
in the story. Just use "cracker." Your audience will pick up on this,
especially if you do it in all of your stories. I promise.

   So there. My unwieldy media consulting bill is now in the mail to all
of the non-computing local and national media outlets.

0x23>------------------------------------------------------------------------

Title: Windows NT Security Under Fire
Author: Chris Oakes
Date: 6.1.98

Listen to security expert and consultant Bruce Schneier and he'll tell you
that Windows NT's security mechanism for running virtual private networks
is so weak as to be unusable. Microsoft counters that the issues Schneier
points out have mostly been addressed by software updates or are too
theoretical to be of major concern. 

Schneier, who runs a security consulting firm in Minneapolis, says his
in-depth "cryptanalysis" of Microsoft's implementation of the
Point-to-Point Tunneling Protocol (PPTP) reveals fundamentally flawed
security techniques that dramatically compromise the security of company
information. 
                     
"PPTP is a generic protocol that will support any encryption. We broke the
Microsoft-defined [encryption] algorithms, and also the Microsoft control
channel." However, he said he was unaware of some of Microsoft's NT 4.0
updates when he ran his tests. 
                     
With relative ease, intruders can exploit the flaws, Schneier said, which
he summarizes as weak authentication and poor encryption implementation.
The result is that passwords can be easily compromised, private
information can be disclosed, and servers used to host a virtual private
network, or VPN, can be disabled through denial-of-service attacks,
Schneier said. 
                     
It's kindergarten cryptography. These are dumb mistakes," Schneier said. 

In letting companies use the public Internet as a means for establishing
"private" company networks, VPN products use the protocol to establish the
"virtual" connections between remote computers. 

PPTP secures the packets sent via the Internet by encapsulating them in
other packets. Encryption is used to further secure the data contained in
the packets. It is the scheme Microsoft uses for this encryption that
Schneier says is flawed. 

Specifically, Schneier's analysis found flaws that would let an attacker
"sniff" passwords as they travel across a network, break open an
encryption scheme, and mount denial-of-service attacks on network servers,
which render them inoperable.  Confidential data is therefore compromised,
he said. 

The nature of the flaws varied, but Schneier identified five primary ones.
For example, Schneier found a method of scrambling passwords into a code
-- a rough description of "hashing" -- to be simple enough that the code
is easily broken.  Though 128-bit "keys" can be used to access the
encryption feature of the software, Schneier said the simple
password-based keys that it allows can be so short that information could
be decrypted by figuring out what may be very simple passwords, such as a
person's middle name. 

"This is really surprising. Microsoft has good cryptographers in their
employ." The problem, he said, is that they're not adequately involved in
product development. 

Schneier emphasized that no flaws were found in the PPTP protocol itself,
but in the Windows NT version of it. Alternate versions are used on other
systems such as Linux-based servers. 

Microsoft's implementation is "only buzzword-compliant," Schneier said.
"It doesn't use [important security features like 128-bit encryption]
well." 

Windows NT has in the past been the object of several security complaints,
including denial-of-service vulnerabilities. 

Microsoft says the five primary weaknesses Schneier has called attention
to are either theoretical in nature, previously discovered, and/or have
been addressed by recent updates to the operating system software. 

"There's really not much in the way of news here," said Kevin Kean, an NT
product manager at Microsoft. "People point out security issues with the
product all the time. 

"We're on our way to enhancing our product to take care of some of these
situations already," Kean said. 

He acknowledged that the password hashing had been fairly simple, but that
updates have used a more secure hashing algorithm. He also contends that
even a weak hashing can be relatively secure. 

The issue of using simple passwords as encryption keys is relevant to
individual company policy more than Microsoft's product. A company that
has a policy requiring employees to use long, more complex passwords can
ensure that their network encryption is more secure. An update to the
product, Kean said, lets administrators require a long password from
company employees. 

On another issue, where a "rogue" server could fool a virtual private
network into thinking it was a legitimate node on the network, Karan
Khanna, a Windows NT product manager, said while that was possible, the
server would only intercept of a "stream of gobbledygook" unless the
attacker had also cracked the encryption scheme. That and other issues
require a fairly difficult set of conditions, including the ability to
collect the diverging paths of VPN packets onto a server, to come into
place. 

For that reason, Microsoft insists its product offers a reasonable level
of security for virtual private networks, and that upcoming versions of
the software will make it stronger. 

Windows NT security expert Russ Cooper, who runs a mailing list that
monitors problems with Windows NT, agrees with Microsoft that most of
Schneier's findings have been previously turned up and discussed in forums
like his. What Schneier has done is tested some of them, he said, and
proven their existence. 

But he points out that fixes for the problems have only recently been
released, outdating Schneier's tests. The problems may not have been all
successfully addressed by the fixes, Cooper said, but represent an unknown
that may negate some of Schneier's findings. 

On Schneier's side, however, Cooper agrees that it typically takes
publicity of such weaknesses to get Microsoft to release fixes. "Folks
need to get better response from Microsoft in terms of security,"  Cooper
said. 

He also added support to a point that Schneier makes -- that Microsoft
treats security more casually than other issues because it has no impact
on profit. 

"Microsoft doesn't care about security because I don't believe they think
it affects their profit. And honestly, it probably doesn't."  Cooper
believes this is part of what keeps them from hiring enough security
personnel. 

Microsoft vehemently contests the charge.  Microsoft's Khanna said in
preparing the next release of the operating system, the company has
installed a team to attack NT, an effort meant to find security problems
before the product is released. 

And, Microsoft reminds us, no product is totally secure. "Security is a
continuum," Microsoft's Kean said. "You can go from totally insecure to
what the CIA might consider secure." The security issue at hand, he said,
lies within a reasonable point on that continuum. 

0x24>------------------------------------------------------------------------

Title: New Decoy Technology Designed to Sting Hackers
Source: ZDNet
Author: Mel Duvall

There was a sweet bonus for Network Associates Inc. in its recent
acquisition of intrusion detection company Secure Networks Inc. The
security vendor gained access to a new technology that is designed to
sting hackers, not just keep them out. 

Secure Networks is developing a product, code-named Honey Pot, that is
essentially a decoy network within a network. The idea is to lure hackers
into the decoy, like flies to a honey pot, to gain as much information
about their hacking techniques and identity as possible. 

"It's a virtual network in every way, with one exception - it doesn't
exist," Secure Networks President Arthur Wong said. 

The product is unusual in that it acknowledges a fact of life few
companies are willing to admit - that hackers can and do break into
corporate networks. 

Tom Claire, director of product management at Network Associates, said
after years of denying the problem exists, companies are beginning to take
intrusion detection seriously. 

"Now they're starting to say, maybe I can watch what hackers are doing in
my network and find out what they're after and how they do it," he said.
"Then they can use that knowledge to make their systems better." 

The seriousness of the issue was underscored last week with reports that
America Online Inc. was suffering from a series of attacks during which
hackers gained access to subscriber and AOL staff accounts. The intruders
appeared to gain access by tricking AOL customer service representatives
into resetting passwords, based on information they obtained by looking at
member profiles. 

Honey Pot, which is due to be released in the fourth quarter, draws
hackers in by appearing to offer access to sensitive data. 

Once into the dummy network, hackers spend their time trolling through
fake files, while the software gains information about their habits and
tries to trace their source. 

Wong said it's unlikely a hacker's identity can be obtained after one
visit to the Honey Pot, but once a hacker breaks into a system, he or she
tends to come back for more. 

"It's like tracing a phone call - the more they return, the more you can
narrow down their identity," Wong said. 

Larry Dietz, a security analyst at Zona Research Inc., said another
security company, Secure Computing Corp., built offensive capabilities
into its Sidewinder firewall as early as 1996, but "strike back" 
technologies, such as Honey Pot, are still relatively unused in the
corporate market. 

"It's a good idea if you have a sophisticated user that knows what to do
with the technology," Dietz said. "But how many companies have the staff
or the expertise to be security cops?" 

0x25>------------------------------------------------------------------------

Title: Reno dedicates high-tech crime fighting center
Source: Knight Ridder
Author: Clif leblanc

COLUMBIA, S.C. -- With the grandeur of a French royal palace, the nation's
first school for prosecutors was dedicated Monday with a challenge from
U.S. Attorney Janet Reno to fight 21st century electronic crime.

``When a man can sit in St.  Petersburg, Russia, and steal from a New York
bank with wire transfers, you know you've got a problem,'' Reno told a
conference room full of dignitaries at the National Advocacy Center. 

She said the high-tech equipment the center on the University of South
Carolina campus offers will allow prosecutors to ``fight those who would
use cyber tools to invade us.''

An estimated 10,000 federal, state and local prosecutors annually will
learn from the nation's best government lawyers at the $26 million center,
which takes up about 262,000 square feet and has 264 dormitory rooms for
prosecutors in training.  Students -- practicing prosecutors from across
the nation -- will be taught to use digital wizardry and conventional
classroom training to win convictions against computer criminals, health
care frauds, employers who discriminate and run-of-the-mill offenders.

The center is a unique facility dreamed up 17 years ago by then-U.S. 
Attorney General Griffin Bell so government lawyers at all levels could
learn to prosecute crime better. 

Reno, formerly a state prosecutor in Dade County, Fla., said she was
especially happy the center will help state and local prosecuting
attorneys, too. ``I'm a child of the state court system,'' she said. ``It
is my hope that this institution can lead the way in properly defining the
roles of state and local ... law enforcement.''

About 95 percent of all prosecutions in the nation are by local
prosecuting attorneys, said William L. Murphy, president of the National
District Attorneys Association, who attended Monday's opening. 

Reno said she also wants the center to tap into University of South
Carolina faculty to teach prosecutors about office management, budgeting,
alternatives to litigation and even to find better ways for citizens and
police to work together to fight crime. 

``We can all blaze a trail to make government responsible to its people
and still make people accountable,'' Reno said in a 15-minute dedication
speech. 

If the center works as she envisions it, federal prosecutors will get
better at trying capital cases, and DNA evidence will reduce the chances
that innocent people will be wrongly convicted, Reno said. 

In her third trip to Columbia, Reno joked good reports from students
trained at the center have put a stop to early complaints of ``who wants
to go to Columbia?''

Reno thanked Sen. Fritz Hollings for pushing the idea of the center. She
recalled that in their first meeting Hollings confronted her with a Forbes
magazine article that reported the Justice Department was too big, ``and
there was this little center he wanted to talk about.''

USC President John Palms said when Hollings first approached him about
placing the center at the school, Palms' immediate answer was:  ``Whatever
it is, yes.''

But the center has a much bigger role for USC, Palms said. He described
the dedication as, ``an event that's probably as important as anything
that's ever happened at the university.''

Hollings, who is seeking re-election to a seventh term in the U.S. 
Senate, jokingly described the finished facility as, ``a little
Versailles.'' The 1,300-room Palace of Versailles was the opulent home of
the French royal family for more than 100 years. 

``This is the most beautiful building the government has ever built,''
Hollings said. 

``We've got the best of the best for America's prosecutors,'' Hollings
said. ``Now it's up to us to produce the best.'' [Image]

0x26>------------------------------------------------------------------------

Title: Man poses as astronaut steals NASA secrets
Source: Reuters
Date: 6.4.98

HOUSTON (Reuters) [6.4.98] - A licensed airline pilot posing as an
astronaut bluffed his way into a top-security NASA facility and got secret
information on the space shuttle during an eight-month deception, federal
prosecutors said Wednesday. 
 
Jerry Alan Whittredge, 48, faces up to five years in jail and a $250,000
fine for misrepresenting himself as a federal employee, the U.S.
Attorney's Office for Southern Texas said. 
 
Whittredge contacted NASA's Marshall Space Center in Huntsville, Alabama,
in November, claiming he had been chosen for a space shuttle mission and
requesting a tour of the facility. 
 
According to an affidavit by NASA special agent Joseph Gutheinz,
Whittredge told NASA officials that he was a CIA agent and held the Medal
of Honor. 
 
On the basis of his false credentials he was granted a tour on Nov. 21 and
22. 
 
"Mr. Whittredge was permitted to sit at the console of NASA Mission
Control (NASA's most secure area) at Marshall Space Flight Center during a
shuttle mission," the affidavit said. 
 
In March Whittredge tricked NASA into giving him confidential information
about the shuttle's propulsion system and in May he hoodwinked officials
at Kingsville Naval Air Station in Texas into giving him training on a
T-45 flight simulator. 
 
Gutheinz said Whittredge had most recently been living in Texas but did
not appear to be employed there and that he also had a permanent address
in Florida. 
 
Whittredge made an initial appearance in court on Tuesday and is due to
attend a bond hearing on Friday. 

0x27>------------------------------------------------------------------------


            DEF CON 6.0 Convention Announcement #1.00 (03.27.98)
         July 31-August 2 @ The Plaza Hotel and Casino in Las Vegas

IN SHORT:--------------------------------------------------------------------

        WHAT: Speakers & partying in Vegas for hackers from the world over.
        WHEN: July 31st - August 2nd
        WHERE: Las Vegas, Nevada @ The Plaza Hotel and Casino
        COSTS: $40 at the door
        MORE INFO: http://www.defcon.org/ or email info@defcon.org


0x28>------------------------------------------------------------------------

         Network Security Solutions Conference Announcement

                July 29th and 30th, Las Vegas Nevada


******************  Call For Papers Announcement ***************************

Network Security Solutions is now accepting papers for its 1998 event.
Papers and requests to speak will be received and reviewed from March 24th
until June 1st.  Please submit an outline on a self selected topic
covering either the problems or solutions surrounding network security. 
Topics of interest include Intrusion Detection Systems (IDS), distributed
languages, network design, authentication systems, perimeter protection,
and more.  Talks will be an hour with a half hour for Q&A.  There will be
LCD projectors, overhead, and slide projectors. 

Updated announcements will be posted to newsgroups, security mailing lists,
email, or visit the website at http://www.blackhat.com/


0x29>------------------------------------------------------------------------

The Program Chair, Win Treese of Open Market, Inc., and the Program
Committee announce the availability of the Call for Papers for:

8th USENIX Security Symposium
August 23-26, 1999
Marriott Hotel, Washington, D.C.

Sponsored by USENIX, the Advanced Computing Systems Association
In cooperation with The CERT Coordination Center

================================================
IMPORTANT DATES FOR REFEREED PAPERS
Paper submissions due:          March 16, 1999
Author notification:            April 21, 1999
Camera-ready final papers due:  July 12, 1999
================================================

If you are interested in submitting a paper to the committee, proposing
an Invited Talk, or proposing a tutorial, you can find the Call for
Papers at http://www.usenix.org/events/sec99/cfp.html.

The USENIX Security Symposium brings together researchers, practitioners,
system administrators, system programmers, and others interested in the
latest advances in security and applications of cryptography.

Symposium topics include:

       Adaptive security and system management
       Analysis of malicious code
       Applications of cryptographic techniques
       Attacks against networks and machines
       Authentication & authorization of users, systems & applications
       Detecting attacks, intrusions, and computer misuse
       Developing secure systems
       File and file system security
       Network security
       New firewall technologies
       Public key infrastructure
       Security in heterogeneous environments
       Security incident investigation and response
       Security of agents and mobile code
       Technology for rights management & copyright protection
       World Wide Web security

=============================================================
USENIX is the Advanced Computing Systems Association.  Its members are
the computer technologists responsible for many of the innovations in
computing we enjoy today.  To find out more about USENIX, visit its
web site: http://www.usenix.org.

0x2a>------------------------------------------------------------------------

		Last Call For Participation - RAID 98

      (also available at http://www.zurich.ibm.com/~dac/RAID98)

   First International Workshop on the Recent Advances in Intrusion
			      Detection

	   September 14-15, 1998 Louvain-la-Neuve, Belgium

We solicit your participation in the first International Workshop on the 
Recent Advances in Intrusion Detection (RAID 98). 

This workshop, the first in an anticipated annual series, will bring 
together leading figures from academia, government, and industry to talk 
about the current state of intrusion detection technologies and paradigms 
from the research and commercial perspectives. 


We have scheduled RAID 98 immediately before ESORICS 98, at the same time 
as CARDIS 98, and at the same location as both of these conferences. This 
provides a unique opportunity for the members of these distinct, yet 
related, communities to participate in all these events and meet and share 
ideas during joined organized external events. 


The RAID 98 web site: http://www.zurich.ibm.com/~dac/RAID98,

The ESORICS 98 web site: http://www.dice.ucl.ac.be/esorics98. 

The CARDIS 98 web site: http://www.dice.ucl.ac.be/cardis98/ 

0x2b>------------------------------------------------------------------------

                    Computer Security Area (ASC) / DGSCA

                                  DISC    98

                           "Individual Responsability"
                      
                     Fifth Computer Security Event In Mexico

                      Mexico, D.F.     November 2-6, 1998

==========================================================================

                        C A L L   F O R   P A P E R S

The goal of DISC 98 event is to create  a conscience about the strategies 
of security to protect information between the community who uses computers.
This year the DISC belongs to the most important events of Mexico.  

The computing general congress (http://www.org.org.mx/cuarenta) 
celebrates forty years of computing in Mexico and convoques those 
specialist in computer sucurity to participate on this as lecture.

"Individual responsability" is the slogan of this year and suggest 
that the security of an organization should be totally supported 
by directive, security responsables, managers, and system's users.


WWW    :        http://www.asc.unam.mx/disc98


0x2c>------------------------------------------------------------------------

C A L L   F O R  P A P E R S

Assurance for the Global Convergence: 
Enterprise, Infrastructure and Information Operations

InfoWarCon-9
Mount Royal Hotel, London, UK
December 7-9

December 7 - Tutorials
December 8-9  General Session.

Sponsors:	
MIS Training Institute - www.misti.com
Winn Schwartau, Interpact, Inc. - www.infowar.com


For more information contact: Voice: 508.879.7999 Fax: 508.872.1153 
Exhibitors & Sponsorship: Adam Lennon - Alennon@misti.com
Attendance & Registration: www.misti.com


----[  EOF