From: Fyodor 

Scientific American Compromised
http://www.dhp.com/~fyodor/meinelfraud.txt

Cedar Crest, NM /InsecureWire/ -- September 16, 1998 -- In a hack which is
arguably more devastating than the recent NYTimes fiasco, Scientific
American's "Special Report on Security" has been compromised by notorious
Internet con artist Carolyn P. Meinel. 

Sources suggest that veteran Internet security charlatan Meinel managed to
insert her bogus featured article using one of her favorite techniques:
convincing those inexperienced with security that she is a respected
expert in the field.  The Editors' note for the article demonstrates this
deception by gushing that "... events reported here are drawn from the
firsthand experiences of the author, who is known both in the computer
underground and among security experts for her hacking skills ...." 

Meinel then produced a long rambling diatribe which tells the story of a
white-hat hero "Dogberry" struggling to keep his network secure from
attacks by the insidious uber-cracker "Abednego". 

Fortunately, Dogberry has a very interesting firewall technique:

  "The firewall compares this request with its own strict rules of
  access.  In this case, refrigerus.com [the firewall] has decreed
  that there should be only one response to Abednego's scanner.  From
  that instant on, a program on refrigerus.com sends a blitzkrieg of
  meaningless data, including random alphanumeric characters, back to
  Abednego, overwhelming his home PC.  Meanwhile, another daemon sends
  e-mail to Abednego's Internet service provider (ISP) complaining
  that someone is attempting to break into refrigerus.com.  Within
  minutes, the ISP closes Abednego's account for suspicion of computer
  crime." (pp 99)

Carolyn does not mention what kind of ISP would shut down an account
"within minutes" based on some potentially forged email supposedly sent by
a "firewall" in response to a potentially forged port scan.  The reader
can only assume she refers to Rt66 Internet, the only ISP Ms. Meinel
mentions in the article. 
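The forgery that paragraph worries about is cheap to produce.  The C
program below is an added example, not code from this report or from the
Scientific American article: it assembles a raw IPv4/TCP SYN in memory,
computes the RFC 1071 checksums, and writes whatever source address the
caller hands it.  The addresses come from the RFC 5737 documentation
ranges and the ports, ID and sequence number are constructed values; the
program builds the bytes and prints them, it does not send anything.  What
it shows is that the source field a "firewall" would file a complaint
against is a value the scanner wrote, which any receiver accepts as long as
the checksums agree.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_LEN 40   /* 20-byte IPv4 header + 20-byte TCP header, no options */

/* RFC 1071 one's-complement checksum over len bytes (odd tail zero-padded). */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += ((uint32_t)data[0] << 8) | data[1];
        data += 2;
        len -= 2;
    }
    if (len)
        sum += (uint32_t)data[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Fill buf with an IPv4+TCP SYN.  src and dst are 4-byte addresses in
 * network order.  The source field is simply whatever the caller passes;
 * nothing in the packet proves it.  Both checksums are computed, so the
 * result is a well-formed segment that a receiver attributes to src. */
void build_syn(uint8_t buf[PKT_LEN], const uint8_t src[4],
               const uint8_t dst[4], uint16_t sport, uint16_t dport,
               uint32_t seq)
{
    uint8_t *ip = buf, *tcp = buf + 20;
    uint8_t ph[12 + 20];                /* TCP pseudo-header + TCP header */
    uint16_t c;

    memset(buf, 0, PKT_LEN);
    ip[0] = 0x45;                       /* version 4, IHL 5 */
    ip[3] = PKT_LEN;                    /* total length (fits in one byte) */
    ip[4] = 0x12; ip[5] = 0x34;         /* identification: constructed */
    ip[6] = 0x40;                       /* DF set, fragment offset 0 */
    ip[8] = 64;                         /* TTL */
    ip[9] = 6;                          /* protocol: TCP */
    memcpy(ip + 12, src, 4);            /* sender-chosen source address */
    memcpy(ip + 16, dst, 4);
    c = inet_checksum(ip, 20);
    ip[10] = c >> 8; ip[11] = c & 0xff;

    tcp[0] = sport >> 8; tcp[1] = sport & 0xff;
    tcp[2] = dport >> 8; tcp[3] = dport & 0xff;
    tcp[4] = seq >> 24; tcp[5] = seq >> 16; tcp[6] = seq >> 8; tcp[7] = seq;
    tcp[12] = 0x50;                     /* data offset: 5 words */
    tcp[13] = 0x02;                     /* flags: SYN */
    tcp[14] = 0x20;                     /* window 8192 */
    /* The TCP checksum covers src, dst, zero, proto, TCP length, then
     * the segment itself. */
    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    ph[8] = 0; ph[9] = 6; ph[10] = 0; ph[11] = 20;
    memcpy(ph + 12, tcp, 20);
    c = inet_checksum(ph, sizeof ph);
    tcp[16] = c >> 8; tcp[17] = c & 0xff;
}

/* Receiver-side checks: a checksum recomputed over data that includes the
 * stored checksum field comes out 0 when the packet is intact. */
int ip_checksum_ok(const uint8_t *pkt)
{
    return inet_checksum(pkt, 20) == 0;
}

int tcp_checksum_ok(const uint8_t *pkt)
{
    uint8_t ph[12 + 20];
    memcpy(ph, pkt + 12, 8);            /* src and dst from the IP header */
    ph[8] = 0; ph[9] = 6; ph[10] = 0; ph[11] = 20;
    memcpy(ph + 12, pkt + 20, 20);
    return inet_checksum(ph, sizeof ph) == 0;
}

int main(void)
{
    /* Constructed addresses from the RFC 5737 documentation ranges. */
    const uint8_t spoofed_src[4] = {203, 0, 113, 7};
    const uint8_t target[4] = {192, 0, 2, 1};
    uint8_t pkt[PKT_LEN];
    size_t i;

    build_syn(pkt, spoofed_src, target, 40000, 31, 0xdeadbeefu);
    for (i = 0; i < PKT_LEN; i++)
        printf("%02x%s", pkt[i], (i % 16 == 15) ? "\n" : " ");
    printf("\nsource field: %u.%u.%u.%u  ip ok=%d  tcp ok=%d\n",
           pkt[12], pkt[13], pkt[14], pkt[15],
           ip_checksum_ok(pkt), tcp_checksum_ok(pkt));
    return 0;
}
```

The checksum routine is checked against the worked IPv4 header example
everyone has seen (the one whose header checksum is 0xb861); the rest of
the demonstration is that both receiver-side checks pass on a packet whose
source address was chosen by the builder.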

Ms. Meinel also did not comment on whether this is similar to the recent
Blitzkrieg firewall con job which (according to the Signal article and
press release) uses "self-programmed adaptive automatacapsids" and, when it
detects invaders, "this 'infection' assimilates all other nodes attached to
the network ... irrespective of any antivirus preventative or protective
mechanism ...."  To perform such a feat, Blitzkrieg comes equipped with
"three-dimensional OpenGL graphics accelerated hardware" [1]. 

Security experts were strangely not awed by her denial of service attack
methods.  Many real-life examples send pathologically fragmented IP
packets or other corrupt packet headers.  This is obviously no match for
the C. Meinel technique of "sending meaningless data, including random
alphanumeric characters".  We can only hope this new attack does not fall
into the wrong hands!  These attacks should only be launched from your
firewalls! 

Ms. Meinel then moves on to heap lavish praise on two software products in
particular.  She continually refers to the "Macintosh's high-quality
EtherPeek logs" as well as "T-sight, an advanced antihacker program that
can monitor every machine on the company network".  URLs are given for
each product.  Meinel fails to mention that those are (the only?) two
companies which have donated to her organization. 

Ms. Meinel then goes on to explain another advanced network administration
technique: 

   "Dogberry must have set up the refrigerus.com network so that all
   packets destined for any of its internal addresses are sent first
   to a name-server program, which then directs them to the
   appropriate computers within the network."

We queried several security experts about this technique of forwarding
random packets destined for other machines to your DNS nameserver.  Most
seemed puzzled, although one hacker offered a plausible explanation:  "She
must be smoking crack again".  Others thought this was an exceptionally
poor explanation of NAT or IP masquerading. 

The article presents yet another firewall technique:

  "Next, Abednego tries to log onto the refrigerus.com through the
  31,659 port by issuing the command 'telnet refrigerus.com 31,659.'
  The response is, "You lamer!  Did you really think this was a back
  door?!"  The 31,659 daemon attempts to crash his PC by sending
  corrupt packets, while emailing the system administrator at
  Abednego's hacked ISP that someone had attempted to commit a
  computer crime.  Within minutes, Abednego's connection dies."

This advanced technique is news to the firewall community.  "I have always
tried to shut off as many ports as possible," exclaimed one administrator. 
"Why didn't I think of keeping a port open to insult anyone who connects
to it, launch DoS attacks against their networks, and auto-spam the
administrators at the (probably forged) source addresses?"  Other
administrators just grumbled about the fact that their 'telnet' does not
allow commas (and instead sends them to port 31).  "ey3 w|sH my t3lNet wuZ
that 'l33t," mumbled one frustrated script kiddie/"happy hacker" contacted
via IRC. 
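The grumbling about commas points at a real parsing hazard, since the BSD
telnet client of the era parsed its port argument with atoi(), which is
exactly the behaviour those administrators describe.  The C program below
is an added example, not code from this report or from the Scientific
American article: it sets that lenient parse, which turns "31,659" into
port 31, next to a strict one that accepts only a whole decimal number in
the range 1..65535 and rejects everything else.  The sample inputs are
constructed, apart from the article's own "31,659".

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient parse: atoi() reads leading digits and silently ignores the
 * rest, so "31,659" becomes 31.  This is the telnet behaviour the
 * administrators complain about. */
int lenient_port(const char *s)
{
    return atoi(s);
}

/* Strict parse: the whole string must be a decimal number in 1..65535.
 * Returns 0 and stores the port on success; -1 for anything else, which
 * covers "", a leading sign or space, trailing junk such as ",659", and
 * out-of-range values. */
int strict_port(const char *s, uint16_t *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;                  /* rejects "", " 31", "-31", "+31" */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v == 0 || v > 65535)
        return -1;                  /* trailing junk or out of range */
    *out = (uint16_t)v;
    return 0;
}

int main(void)
{
    /* Constructed inputs, plus the article's "31,659". */
    const char *inputs[] = {"31,659", "31659", "23", "0", "70000",
                            "31 659", "-31", ""};
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint16_t p = 0;
        printf("%-8s lenient=%-6d strict=", inputs[i],
               lenient_port(inputs[i]));
        if (strict_port(inputs[i], &p) == 0)
            printf("%u\n", (unsigned)p);
        else
            printf("rejected\n");
    }
    return 0;
}
```

The strict parser is the one to copy into anything that turns user input
into a port or other numeric field: check that strtoul() consumed the
entire string and that the value is in range, rather than trusting whatever
atoi() happens to return.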

Journalists are excited about the new generalizations and stereotypes
Carolyn applies to the security community.  Carolyn flatly states that
"like most hackers, Abednego never learned to program ...."  Carolyn's
straw-man hacker spends all night trying to compile my nmap program (which
she never mentions by name or gives a URL for, since I didn't donate to
her organization).  Her narrative goes on to say "As dawn breaks, Abednego
has finally finished compiling the code ..."  She claims that this
"difficulty in converting the software is not unusual ...".  One hacker
gave the logical retort:  "Just because Carolyn usually spends 12 hours
trying to use gcc, doesn't mean that we all do!". 

Though C. Meinel thinks hackers are stupid, she does believe they are
quite patient: 

  "Abednego's next strategy is to try brute force, using a program
  that will repeatedly dial the Irix box and guess passwords for root
  ... the slow, painstaking process can take months, or even years"

It is our humble opinion that anyone who spends years password-guessing a
single machine without being noticed deserves to get in. 

Scientific American appreciates comments about their articles.  These
can be sent to editors@sciam.com or by post
                Scientific American
                  415 Madison Ave.,
                 New York, NY 10017

We should also note that the October issue also contains many excellent
articles on computer security by William Cheswick & Steve Bellovin,
Philip Zimmermann, Ronald Rivest, and James Gosling.  It is a horrible
shame to see these great articles all coming after Meinel's prolonged
rant/product showcase.  Many people will surely close the magazine in
disgust before reaching the real material. 


[1] http://www.us.net/signal/Archive/May98/make-may.html

Recommended reading:

Check out Jericho's excellent C. Meinel "hall of shame":
http://www.dimensional.com/~jericho/shame/

More about Meinel is posted on various hacks which can be found at:
http://24.0.214.250/~comega/

END OF REPORT

Quick plug: Check out nmap, my free security scanner at
http://www.dhp.com/~fyodor/nmap/ .  A new version should be coming out
soon.  Get it from dhp because insecure.org will probably be down
until next week :(. 

-- 
Fyodor                             'finger fyodor@dhp.com | pgp -fka'
In a free and open marketplace, it would be surprising to have such an
obviously flawed standard generate much enthusiasm outside of the
criminal community.  --Mitch Stone on Microsoft ActiveX