From: FyodorSciantific American Compromised http://www.dhp.com/~fyodor/meinelfraud.txt Cedar Crest, NM /InsecureWire/ -- September 16, 1998 -- In a hack which is arguably more devastating than the recent NYTimes fiasco, Scientific American's "Special Report on Security" has been compromised by notorious Internet con artist Carolyn P. Meinel. Sources suggest that veteran Internet security charlatan Meinel managed to insert her bogus featured article using one of her favorite techniques: convincing those inexperienced with security that she is a respected expert in the field. The Editors' note for the article demonstrates this deception by gushing that "... events reported here are drawn from the firsthand experiences of the author, who is known both in the computer underground and among security experts for her hacking skills ...." Meinel then produced a long rambling diatribe which tells the story of a white-hat hero "Dogberry" struggling to keep his network secure from attacks by the insidious uber-cracker "Abednego". Fortunately, Dogberry has a very interesting firewall technique: "The firewall compares this request with its own strict rules of access. In this case, refrigerus.com [the firewall] has decreed that there should be only one response to Abednego's scanner. From that instant on, a program on refrigerus.com sends a blitzkrieg of meaningless data, including random alphanumeric characters, back to Abednego, overwhelming his home PC. Meanwhile, another daemon sends e-mail to Abednego's Internet service provider (ISP) complaining that someone is attempting to break into refrigerus.com. Within minutes, the ISP closes Abednego's account for suspicion of computer crime." (pp 99) Carolyn does not mention what kind of ISP would shutdown an account "within minutes" based on some potentially forged email supposedly sent by a "firewall" based on a potentially forged port scan. The reader can only assume she refers to Rt66 Internet, the only ISP Ms. Meinel mentions in the article. Ms. Meinel also did not comment on whether this is similar to the recent Blitzkrieg firewall con job which (according to the Signal article and press release) uses "self-programmed adaptive automatacapsids" and when it detects invadors "this 'infection' assimilates all other nodes attached to the network ... irrespective of any antivirus preventative or protective mechanism ...." To perform such a feat, Blitzkreig comes equipped with "three-dimensional OpenGL graphics accelerated hardware" [1]. Security experts were strangely not awed by her denial of service attack methods. Many real-life examples send pathologically fragmented IP packets or other corrupt packet headers. This is obviously no match for the C. Meinel technique of of "sending meaningless data, including random alphanumeric characters". We can only hope this new attack does not fall into the wrong hands! These attacks should only be launched from your firewalls! Ms. Meinel then moves on to dump lavish praise on two software products in particular. She continually refers to the "Macintosh's high-quality EtherPeek logs" as well as "T-sight, an advanced antihacker program that can monitor every machine on the company network". URLs are given for each product. Meinel fails to mention that those are (the only?) two companies which have donated to her organization. Ms. Meinel then goes an to explain another advanced network administration technique: "Dogberry must have set up the refrigerus.com network so that all packets destined for any of its internal addresses are sent first to a name-server program, which then directs them to the appropriate computers within the network." We queried several security experts about this technique of forwarding random packets destined for other machines to your DNS nameserver. Most seemed puzzled, although one hacker offered a plausable explanation: "She must be smoking crack again". Others thought this was an exceptionally poor explanation of NAT or IP masquerading. The article presents yet another firewall technique: "Next, Abednego tries to log onto the refrigerus.com through the 31,659 port by issuing the command 'telnet refrigerus.com 31,659.' The respons is, "You lamer! Did you really think this was a back door?!" The 31,659 daemon atempts to crash his PC by sending corrupt packets, while emailing the system administratior at Abednego's hacked ISP that someone had attempted to commit a computer crime. Within minutes, Abednego's connection dies." This advanced technique is news to the firewall community. "I have always tried to shut off as many ports as possible," exclaimed one administrator. "Why didn't I think of keeping a port open to insult anyone who connects to it, launch DOS attacks against their networks, and auto-spam the administrators at the (probably forged) source addresses?". Other administrators just grumbled about the fact that their 'telnet' does not allow commas (and instead sends them to port 31). "ey3 w|sH my t3lNet wuZ that 'l33t," mumbled one frustrated script kiddie/"happy hacker" contacted via IRC. Journalists are excited about the new generalizations and steriotypes Carolyn applies the security community. Carolyn flatly stats that "like most hackers, Abednego never learned to program ...." Carolyn's straw-man hacker spends all night trying to compile my nmap program (which she never mentions by name or givs a URL for it, since I didn't donate to her organization). Her narrative goes on to say "As dawn breaks, Abednego has finally finished compiling the code ..." She claims that this "difficulty in converting the software is not unusual ...". One hacker gave the logical retort: "Just because Carolyn usually spends 12 hours trying to use gcc, doesn't mean that we all do!". Though C. Meinel thinks hackers are stupid, she does believe they are quite patient: "Abednego's next strategy is to try brute force, using a program that will repeatedly dial the Irix box and guess passwords for root ... the slow, painstaking process can take months, or even years" It is our humble opinion that anyone who spends years password-guessing a single machine without being noticed deserves to get in. Scientific American appreciates comments about their articles. These can be sent to editors@sciam.com or by post Scientific American 415 Madison Ave., New York, NY 10017 We should also note that the October issue also contains many excellent articles on computer security by William Cheswick & Steve Bellovin, Phillip Zimmermann, Ronald Rivest, and James Gosling. It is a horrible shame to see these great articles all coming after Meinel's prolonged rant/product showcase. Many people will surely close the magazine in discust before reaching the real material. [1] http://www.us.net/signal/Archive/May98/make-may.html Recommended reading: Check out Jericho's excellent C. Meinel "hall of shame": http://www.dimensional.com/~jericho/shame/ More about Meinel is posted on various hacks which can be found at: http://24.0.214.250/~comega/ END OF REPORT Quick plug: Check out nmap, my free security scanner at http://www.dhp.com/~fyodor/nmap/ . A new version should be coming out soon. Get it from dhp because insecure.org will probably be down until next week :(. - -- Fyodor 'finger fyodor@dhp.com | pgp -fka' In a free and open marketplace, it would be surprising to have such an obviously flawed standard generate much enthusiasm outside of the criminal community. --Mitch Stone on Microsoft ActiveX