From rforno at infowarrior.org Thu Mar 30 08:18:47 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Mar 2006 08:18:47 -0500
Subject: [Infowarrior] - Justice Department Subpoenas Reach Far Beyond Google
In-Reply-To: <78825170-82F3-4DB1-BD83-D6B406E017B3@farber.net>
Message-ID:

(from IP-L)

Justice Department Subpoenas Reach Far Beyond Google
By Thomas Claburn
InformationWeek
Mar 29, 2006 06:00 PM

In its effort to uphold the 1998 Child Online Protection Act (COPA), the U.S. Department of Justice is leaving no stone unturned. Its widely reported issuance of subpoenas to Internet search companies AOL, MSN, Google, and Yahoo is just the tip of the iceberg: The government has demanded information from at least 34 Internet service providers, search companies, and security software firms.

Responding to a Freedom of Information Act request filed by InformationWeek, the Department of Justice disclosed that it has issued subpoenas to a broad range of companies that includes AT&T, Comcast Cable, Cox Communications, EarthLink, LookSmart, SBC Communications (then separate from AT&T), Symantec, and Verizon.

Asked which companies objected to, or sought to limit, these subpoenas, Department of Justice spokesperson Charles Miller declined to comment because the litigation is ongoing. He also declined to comment on the utility of the information gathered by the government.

The documents presented to InformationWeek reveal that some companies did object to the government's demands. In an E-mail sent to the Department of Justice last July, Fernando Laguarda, an attorney representing Cablevision Systems Corp., characterized some of what the government was asking for as "overly broad, vague, ambitious, and unduly burdensome." In a letter sent to the Department of Justice in August, Joseph Serino Jr., an attorney representing Verizon, voiced similar objections.
However, he clearly states that his objections are routine and intended to protect the company. The one exceptional objection he cites has to do with the sensitivity of the information sought. Serino said Verizon Online is concerned that documents might be forwarded to people working for entities hostile to Verizon Online, or suing the company, including the Justice Department itself, and the American Civil Liberties Union. Verizon did not respond to requests for comment.

The subpoenas were issued between June and September, 2005. Beyond AOL, MSN, Google, and Yahoo, the only other search engine subpoenaed was LookSmart. It's likely, however, that the government's interest in LookSmart stems not from the company's search engine but from its ownership of Internet content filtering software company Net Nanny. LookSmart declined to comment about the information it was asked for and the information it provided. EarthLink likewise declined to comment.

The bulk of the subpoenas were directed at Internet service providers and makers of content filtering software. The effectiveness of filtering technology is a critical issue in the COPA case. If the Department of Justice can prove that filters fail to shield minors from explicit material online, COPA may well be reinstated.

The full list of companies subpoenaed by the Department of Justice includes: 711Net (Mayberry USA), American Family Online, AOL, ATT, Authentium, Bell South, Cable Vision, Charter Communications, Comcast Cable Company, Computer Associates, ContentWatch, Cox Communications, EarthLink, Google, Internet4Families, LookSmart, McAfee, MSN, Qwest, RuleSpace, S4F (Advance Internet Management), SafeBrowse, SBC Communications, Secure Computing Corp., Security Software Systems, SoftForYou, Solid Oak Software, Surf Control, Symantec, Time Warner, Tucows (Mayberry USA), United Online, Verizon, and Yahoo.
From rforno at infowarrior.org Thu Mar 30 08:24:50 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Mar 2006 08:24:50 -0500
Subject: [Infowarrior] - Website: I Hate DRM
Message-ID:

Welcome to the "official" I Hate DRM site. Over the last couple of years and especially over the last couple of months, the DRM issue has really received a lot of press. I created this site because, as a consumer, I am fed up. I feel like all of the entertainment that I love is slowly being eroded away by overly greedy companies. This website is meant to be a platform to capture how DRM is changing the way paying customers are receiving content. I want to hear your complaints, your horror stories, your whatever...even your good stories if you have one.

This site is a work in progress as far as content goes and as far as technology goes. I am a technologist by trade but the technology contained in this site is new to me and I am still learning so please forgive me while I make mistakes and learn along the way.

< snip >

http://www.ihatedrm.com/cs2/

From rforno at infowarrior.org Thu Mar 30 08:39:34 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Mar 2006 08:39:34 -0500
Subject: [Infowarrior] - Drone aircraft may prowl U.S. Skies
Message-ID:

Drone aircraft may prowl U.S. skies
By Declan McCullagh
http://news.com.com/Drone+aircraft+may+prowl+U.S.+skies/2100-11746_3-6055658.html
Story last modified Wed Mar 29 15:33:19 PST 2006

Unmanned aerial vehicles have soared the skies of Afghanistan and Iraq for years, spotting enemy encampments, protecting military bases, and even launching missile attacks against suspected terrorists. Now UAVs may be landing in the United States.

A House of Representatives panel on Wednesday heard testimony from police agencies that envision using UAVs for everything from border security to domestic surveillance high above American cities.
Private companies also hope to use UAVs for tasks such as aerial photography and pipeline monitoring.

"We need additional technology to supplement manned aircraft surveillance and current ground assets to ensure more effective monitoring of United States territory," Michael Kostelnik, assistant commissioner at Homeland Security's Customs and Border Protection Bureau, told the House Transportation subcommittee.

Kostelnik was talking about patrolling U.S. borders and ports from altitudes around 12,000 feet, an automated operation that's currently underway in Arizona. But that's only the beginning of the potential of surveillance from the sky.

In a scene that could have been inspired by the movie "Minority Report," one North Carolina county is using a UAV equipped with low-light and infrared cameras to keep watch on its citizens. The aircraft has been dispatched to monitor gatherings of motorcycle riders at the Gaston County fairgrounds from just a few hundred feet in the air--close enough to identify faces--and many more uses, such as the aerial detection of marijuana fields, are planned.

That raises not just privacy concerns, but also safety concerns because of the possibility of collisions with commercial and general aviation aircraft.

"They're a legitimate user of the airspace and they need to play by the same rules as everyone else," Melissa Rudinger, vice president of regulatory affairs at the Aircraft Owners and Pilots Association, said in a telephone interview.

Pilots undergo extensive training on collision detection and avoidance. Planes that fly at night are required to have certain types of lights, for instance. Operating an aircraft near busy airports (in government parlance, "Class B" airports) requires a transponder that broadcasts its altitude. And during all flights that take place in poor weather or higher than 18,000 feet above sea level, the pilot must be in radio contact with controllers. No such anti-collision rules apply to UAVs.
Rudinger is concerned that UAVs--either remote-controlled or autonomous drones--will pose a safety threat to pilots and their passengers. She's not that worried about larger UAVs operated by the military that have sophisticated radar systems, but about smaller ones that have limited equipment and potentially inexperienced ground controllers.

"The FAA needs to define what is a UAV," Rudinger said. "And they need to regulate it just like they do any other aircraft, and integrate it into the system. The problem is the technology has advanced, and there are no regulations that talk about how to certify these aircraft, how to certify the operator, and how to operate in the national airspace system."

For its part, the FAA says it's created a UAV "program office" to come up with new rules of the sky. Preliminary standards for "sense and avoid" UAV avionics are expected in three to four years.

"Currently there is no recognized technology solution that could make these aircraft capable of meeting regulatory requirements for 'see and avoid,' and 'command and control,'" said Nick Sabatini, associate FAA administrator for aviation safety. "Further, some unmanned aircraft will likely never receive unrestricted access to (U.S. airspace) due to the limited amount of avionics it can carry because of weight, such as transponders, that can be installed in a vehicle itself weighing just a few ounces."

Complicating the question of how to deal with UAVs is the fact that there are so many different varieties of them. Some are essentially large model aircraft and weigh only a few ounces or pounds, while some military models are the size of a Boeing 737. Most are designed to sip fuel slowly, so they have long flight times and low airspeeds--meaning that they could be flying at the same altitude as a jet aircraft but at half the speed.

Egging on Congress and the FAA are manufacturers of UAVs, who see a lucrative market in domestic surveillance and aerial photography.
"It is quite easy to envision a future in which (UAVs), unaffected by pilot fatigue, provide 24-7 border and port surveillance to protect against terrorist intrusion," said Mike Heintz on behalf of the UNITE Alliance which represents Boeing, Lockheed Martin and Northrop Grumman. "Other examples are limited only by our imagination."

From rforno at infowarrior.org Fri Mar 31 09:16:11 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 31 Mar 2006 09:16:11 -0500
Subject: [Infowarrior] - Bill seeks to end color-coded terror alert
In-Reply-To: <20060331101346.PYKV14821.eastrmmtao02.cox.net@DB0PJ521>
Message-ID:

*blinks in surprise*

Is this a Congressional April Fools prank or something?

-rf

The Washington Times
www.washingtontimes.com

Bill seeks to end color-coded terror alert
By Audrey Hudson
THE WASHINGTON TIMES
Published March 31, 2006

A bipartisan push on Capitol Hill to strip the hue from the government's color-coded terrorist alert system is gaining momentum.

A package of legislation moving through the House eliminates the Department of Homeland Security's use of colors to change the threat level, and calls for more specific threat information to be shared with the private sector and local governments.

"The color code doesn't provide any information to people, what it does is foster a climate of anxiety without giving useful information to people," said Rep. Zoe Lofgren, California Democrat, who worked with Rep. Rob Simmons, Connecticut Republican, on the legislation. "It's not a proper way to give a nationwide response to actual threats."

The current system, implemented by former Homeland Security chief Tom Ridge, has frustrated governors and local officials nationwide who say they are forced to spend millions responding to threat level rises without information as to whether it directly affects their region.

The House Homeland Security subcommittee on intelligence, information sharing and terrorism risk assessment, chaired by Mr. Simmons, yesterday approved the plan by voice vote. It now awaits action by the full committee.

"There are no plans to change the color-coded system at this time," said William Knocke, Homeland Security spokesman. "The system itself has matured over time as the country's baseline of preparedness rises and our threat analyses improves."

The last time the alert level was raised was July 7-12 after the London subway bombings.

Mr. Ridge tweaked the system in 2004 when specific economic areas were thought to be terrorist targets in New York, New Jersey and in Washington, and limited the increase in security and spending to those specific cities.

The terrorist alert system was introduced in March 2002 in five color-coded stages: low (green), guarded (blue), elevated (yellow), high (orange) and severe alert (red).

The country has been on elevated level since the code was introduced and the terrorist threat has been raised five times to high nationwide. The White House briefly went to severe alert when a private aircraft accidentally crossed over its restricted airspace in 2005. The country has never been on low or guarded alert.

The legislation also gives full authority to Homeland Security officials to issue an increase in threat levels. In the past, conflicting warnings were sometimes issued from the Justice Department then led by Attorney General John Ashcroft, which created confusion, the legislation notes.

From rforno at infowarrior.org Fri Mar 31 09:22:00 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 31 Mar 2006 09:22:00 -0500
Subject: [Infowarrior] - PSP UMD losing H'wood game
Message-ID:

UMD losing H'wood game
http://www.hollywoodreporter.com/thr/film/article_display.jsp?vnu_content_id=1002274591
By Thomas K. Arnold

Exactly a year after it was launched in the U.S., the Sony PlayStation Portable's days as a hand-held movie-viewing device might be numbered.
Disappointing sales have slowed the flow of movies on the proprietary Universal Media Disc to a mere trickle. At least two major studios have completely stopped releasing movies on UMD, while others are either toying with the idea or drastically cutting back. And retailers also are shrinking the amount of shelf space they've been devoting to UMD movies, amid talk that Wal-Mart is about to dump the category entirely.

Wal-Mart representative Jolanda Stewart declined comment on reports that the retailer is getting out of the UMD business. But studio sources say such a move is imminent, and a check Wednesday of a Wal-Mart store in Santa Ana, Calif., revealed a drastic shrinkage of UMD inventory. Several shelves of movies in the PSP section were gone; all that remained were seven UMD titles sitting bookshelf-style on the top of the PSP section, with no prices or other information.

Universal Studios Home Entertainment has completely stopped producing UMD movies, according to executives who asked not to be identified by name. Said one high-ranking exec: "It's awful. Sales are near zilch. It's another Sony bomb -- like Blu-ray."

Paramount Pictures Home Entertainment also is said to be out of the UMD business. "We continue to evaluate the PSP platform for each title, and if it makes sense for business reasons and the target audience, we will release them," spokeswoman Brenda Ciccone said. "Our focus right now is much more aimed at HD at the moment, though."

A high-ranking executive was more blunt: "We are on hiatus with UMD," he said. "Releasing titles on UMD is the exception rather than the rule. No one's even breaking even on them."

Also out of the UMD business is Image Entertainment, while other studios -- including 20th Century Fox Home Entertainment and Buena Vista Home Entertainment -- have drastically slashed release schedules.

"No one's watching movies on PSP," said the president of one of the six major studios' home entertainment divisions.
"It's a game player, period."

Observers speculate the studios released too many movies, too fast. Within five months of the PSP's March 2005 launch, 239 movie and TV titles already were either in the market or in the pipeline -- a significantly higher tally than games, according to the DVD Release Report.

But while sales were initially strong -- two Sony Pictures titles even crossed the 100,000-unit threshold after just two months -- the novelty quickly wore off, observers say. The arrival last fall of Apple's video iPod only hastened the PSP's decline as a movie-watching platform.

Benjamin Feingold, president of Sony Pictures Home Entertainment, was a big believer in PSP as a movie-watching platform. He still is, even though he concedes retail shelf space for UMD movies is on a sharp decline and his own studio is being "more selective" in choosing movies for UMD release.

Feingold believes the PSP's biggest drawback as a movie-watching device was the inability to connect the gadget to TV sets for big-screen viewing, "which would have made it more compelling," as well as the inclusion of memory stick capability. "I think a lot of people are ripping content and sticking it onto the device rather than purchasing," he said.

But next week, Sony Computer Entertainment executives will begin making the rounds of the Hollywood studios to discuss plans for making the PSP able to connect to TV sets. "We're hoping the format's going to be reinvigorated with next-generation capability that may include living-room or normal television playback," he said.
From rforno at infowarrior.org Fri Mar 31 09:35:29 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 31 Mar 2006 09:35:29 -0500
Subject: [Infowarrior] - Security Analysis Websites Form Public Interest Firm
Message-ID:

SECURITY ANALYSIS WEBSITES FORM NEW PUBLIC-INTEREST FIRM

March 30, 2006 (HANNOVER, MD) - Attrition.Org and Vmyths.Com, two of the Internet's most venerable security information resources, are announcing their merger and subsequent creation of Brilliant Security Initiatives (BSI), a public-interest security consultancy based in Hannover, MD. Since late 2005, the firm has quietly received funding from the Department of Homeland Security to support the development of its next-generation adaptive search appliance based on BSI's proprietary Bilateral Unique Linear Logarithm technology.

In a public statement to analysts this week, Attrition.Org founder Brian Martin and Vmyths founder Robert Rosenberger agreed that "while we've both had repeated offers over the years to 'go corporate' none of them seemed like a good match for our culture and services. This particular opportunity is a 'perfect storm' to align our expertise to serve a critical need for our nation's defense and bring an exciting project into reality."

The BULL project is intended to provide seamless, intelligent and adaptive Realtime Query Services (RQS) for the Department of Homeland Security's own Secure Homeland Information Transfer network that provides a common shared and secure operating environment for federal, state, and local law enforcement and emergency responders.

In addition to the RQS initiative, Brilliant Security develops and provides subscription-based research and analysis pertaining to Internet security and other topics related to critical infrastructure protection.

"Most research firms provide analysis and 'advice' from an Ivory Tower perspective," says Jay Dyson, the firm's Technical Research Director.
"What we bring to the table are lessons-learned based on direct, recent, and ongoing experience as security practitioners instead of industry groupthink and fuzzy research findings that change daily."

In addition to the $3.4 million RQS funding for 2006 is a last-minute, $1.2 million contract to provide secure electronic mail services to the FBI's New York Field Office, which was discovered recently to be lacking such basic networked services for its crime-fighting activities. Supporting this effort is Lockheed Martin Information Systems, already overseeing a $500 million program to develop the successor to the Bureau's failed Virtual Case File system.

Martin said, "Rob [Rosenberger] and I were tired of sending mail to New York based FBI agents only to get it bounced back as undeliverable, and that just won't fly in this day and age of fighting terrorism -- especially when it involves our invoices and getting paid for our work in the Big Apple."

Assisting in this merger is Richard Forno, the former operator of the seven-year-old Infowarrior.Org security site, who will join the venture as chief scientist, and noted security expert AJ Reznor as chief technology officer. Corporate technical support and outsourced consulting services for the New York FBI e-mail project will be provided by the five-year-old UnixGeeks.Org consultancy, also merged into the combined entity.

With a full-time staff of fourteen, the new company will be based in Hannover, MD. The firm's new website will launch on 1 April 2006.

Press Contact: bsi-press at attrition.org

Interested in joining our growing consultancy on a full or part-time basis?
See who else is part of the Brilliant Security Initiatives family at:
http://attrition.org/misc/ee/20050426-names.txt8

From rforno at infowarrior.org Fri Mar 31 10:25:56 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 31 Mar 2006 10:25:56 -0500
Subject: [Infowarrior] - Cube-farms a potential terror risk
Message-ID:

(c/o Bruce S)

(They obviously forgot the dangers that can come from disgruntled insiders who are trying to reclaim their Red Swingline stapler........rick)

MI5 warn open-plan offices 'raise bomb risk'
JAMES KIRKUP POLITICAL EDITOR
http://news.scotsman.com/index.cfm?id=419082006

THE trend towards open-plan offices without internal walls could put employees at increased risk in the event of a terrorist bomb, MI5 has warned business leaders.

The advice comes as the Security Service steps up its advice to companies on how to prepare for an attack. MI5 has produced a 40-page leaflet, "Protecting Against Terrorism", which will be distributed to large businesses and public-sector bodies across Britain.

Among the guidance in the pamphlet is that bosses should consider the security implications of getting rid of internal walls. Open-plan offices are increasingly popular as businesses seek to improve communication and cooperation between employees. But MI5 points out that there are potential risks, too.

"If you are converting your building to open-plan accommodation, remember that the removal of internal walls reduces protection against blast and fragments," the leaflet says.

All businesses should make contingency plans for keeping staff safe in the event of a bomb attack, the Security Service advises. Instead of automatically evacuating staff, companies are recommended to gather workers in a designated "protected space" until the location of the bomb can be confirmed.
"Since glass and other fragments may kill or maim at a considerable distance from the centre of a large explosion, moving staff into protected spaces is often safer than evacuating them on to the streets," the leaflet cautions.

Interior rooms with reinforced concrete or masonry walls often make suitable protected spaces, as they tend to remain intact in the event of an explosion outside the building, employers are told. But open-plan offices often lack such places, and can have other effects on emergency planning: "If corridors no longer exist then you may also lose your evacuation routes, assembly or protected spaces, while the new layout will probably affect your bomb threat contingency procedures."

Companies converting to open-plan are told to ensure that there is no significant reduction in staff protection, "for instance by improving glazing protection".

The booklet has been produced by MI5's National Security Advice Centre to advise organisations that "own or operate key assets, services and systems which form part of the UK's critical national infrastructure". Copies are now being distributed to businesses including banks, transport companies, water and power suppliers and communications providers. The document can also be downloaded from the MI5 website.

MI5, police chiefs, the Home Office and the Cabinet Office's Civil Contingencies Secretariat are all increasing their efforts to encourage businesses and individuals to review their preparations for a potential attack.

Some government counter-terrorism experts are concerned that despite the suicide attacks on London last summer, public opinion about the threat of attack still lags some way behind the official analysis of the danger. Some Whitehall insiders hope that may change in coming months, as a number of groups accused of plotting terrorist offences in Britain come to trial and the allegations against them can be openly reported.
Peter Clarke, the Metropolitan Police's most senior anti-terrorism expert, last month revealed to a London security conference that there are up to 60 accused terrorists awaiting trial in British courts at the moment. The first such major trial is provisionally due to begin in London on Monday, after several legal delays.

From rforno at infowarrior.org Fri Mar 31 10:28:26 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 31 Mar 2006 10:28:26 -0500
Subject: [Infowarrior] - U.S. Demands Files From ISPs, Tech Firms
Message-ID:

U.S. Demands Files From ISPs, Tech Firms
http://www.washingtonpost.com/wp-dyn/content/article/2006/03/30/AR2006033001658_pf.html
By MARYCLAIRE DALE
The Associated Press
Thursday, March 30, 2006; 8:17 PM

PHILADELPHIA -- The Justice Department is demanding internal files from dozens of Internet service providers and other technology firms as it seeks to defend a controversial Internet child protection law.

The subpoenas are similar to one given to Google Inc., which waged a partially successful battle over the government's request for millions of pieces of information about search engine requests and Web site domains.

InformationWeek magazine unearthed subpoenas that show the government also demanded information from at least 34 other companies, including Internet service providers such as Comcast Corp. and EarthLink Inc., security software firms and other technology companies.

The subpoenas, which the magazine obtained through Freedom of Information Act requests, show the Justice Department preparing for an October trial in Philadelphia over the 1996 Child Online Protection Act. It is not clear which companies are complying, and to what extent.

"That money could be spent so much more wisely on giving software away to parents that are having these problems," Dan Jude, president of Security Software Systems, said of the litigation costs.
The 12-person firm, which makes filtering software, spent more than 40 hours trying to comply with the subpoena, he said. The company refused to provide some information on proprietary grounds, fearing it could make its way into the court file.

"If that information gets out in the public, we've just lost our competitive edge," Jude said Thursday. The subpoena also sought information the company does not keep, such as customer satisfaction, he said.

Department of Justice spokesman Charles Miller did not immediately return a message Thursday afternoon.

The subpoenas also went to companies including AT&T Inc., Cox Communications Inc., Verizon Communications Inc. and Symantec Corp.

The U.S. Supreme Court has twice said the law -- which would criminalize Internet material deemed "harmful to children" as defined by "contemporary community standards" -- is likely to violate First Amendment protections and granted preliminary injunctions.

Critics say that definition is so broad it would stifle free speech, and also note that pornographers and others could simply base their operations offshore, beyond the reach of U.S. authorities.

Online publishers who are challenging the law argue that filters are a less restrictive way to protect children. The publishers, which include sexual health sites, a gay newspaper and the online magazine Salon.com, are represented by the American Civil Liberties Union.

"Our overarching concern over what the government is doing (with the subpoenas) stems from the 'why,' -- what is it they're actually trying to accomplish?" said David McGuire, a spokesman for the Center for Democracy and Technology in Washington. "It doesn't seem reasonable."
From rforno at infowarrior.org Fri Mar 31 12:54:27 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 31 Mar 2006 12:54:27 -0500
Subject: [Infowarrior] - Senate Passes Phone Data Confidentiality Bill
Message-ID:

www.internetnews.com/bus-news/article.php/3595611

Senate Passes Phone Data Confidentiality Bill
By Roy Mark
March 31, 2006

A U.S. Senate panel pushed out legislation yesterday that makes it illegal to acquire, use or sell a person's confidential phone records without affirmative written consent.

Applying to wireline, wireless and Voice over IP carriers, the bill also bars unscrupulous companies and individuals from fraudulently obtaining consumers' private phone records through a deceptive practice known as "pretexting." The term refers to unauthorized persons using false pretenses to acquire private phone records.

Under the Protecting Consumer Phone Records Act, a carrier must notify a customer if someone without authorization gains access to their phone records. It also charges the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) with concurrent enforcement.

As approved by the Senate Commerce Committee, S. 2389 directs the FCC to ensure that its phone record regulations are similar in scope and structure to FTC regulations protecting financial information under the Gramm-Leach-Bliley Act.

The bill also streamlines the two-step FCC process for fining phone record theft by non-carriers, such as data brokers and Web sites selling the information. Currently, this process can tip off parties that are not regulated by the FCC that they are under investigation because the FCC must issue a notice before it can move to an enforcement action.

The penalty for each violation is $30,000 with a cap of $3 million for any continuing violation.

"Confidential phone records are easily being sold on Web sites for very small fees. It is private property and a privacy violation that, in the wrong hands, can threaten a person's safety," Sen. Kay Bailey Hutchison (R-Tex.) said in a statement.

Bailey added: "Making it illegal to buy and sell this personal information will give consumers the protection they deserve and expect. Americans' phone records should be private and protected like their medical records."

Approved on a voice vote, the bill now moves to the Senate floor. The Senate action follows similar House legislation, also awaiting a full floor vote, aimed at the same issue.

"Who you call, when, and how long you talk is like a diary of your private life. The committee recognized consumers' wishes to keep their phone records private and keep their cell phone number unlisted, but we are urging stronger privacy safeguards be added on the floor of the Senate," Magda Herrera, policy advocate for Consumers Union, said in a statement.

Herrera also praised two amendments added to the bill by Senators Mark Pryor (D-Ark.) and Barbara Boxer (D-Calif.). Pryor's amendment authorizes civil suits by individuals whose phone records have been unlawfully acquired, sold, or used. The Boxer amendment allows consumers to decide whether their wireless numbers are listed in any future cell phone directories.

"We are grateful the committee adopted two pro-consumer amendments from Senators Pryor and Boxer. Unfortunately, the bill remains problematic because it fails to require phone companies to put in place strict privacy safeguards regarding customer records," Herrera said. "It also undercuts what the states are doing and might do in the future to protect their residents."

From rforno at infowarrior.org Fri Mar 31 12:57:58 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 31 Mar 2006 12:57:58 -0500
Subject: [Infowarrior] - VA Law Directs Schools to Teach Cyber-Safety
Message-ID:

Law Directs Schools to Teach Cyber-Safety
By Rosalind S. Helderman
Washington Post Staff Writer
Thursday, March 30, 2006; VA03
http://www.washingtonpost.com/wp-dyn/content/article/2006/03/29/AR2006032900705_pf.html

RICHMOND -- Virginia public schools will be required to teach students about Internet safety under a law passed by the General Assembly and signed by Gov. Timothy M. Kaine (D) this month.

The law, which takes effect July 1, is designed to ensure that tech-savvy children understand the dangers lurking in cyberspace.

The measure's sponsor, Del. William H. Fralin Jr. (R-Roanoke), said he wrote the bill after his oldest son turned 10 and started competing with his parents for computer time.

"It raised a question in my mind," he said. "We teach our kids not to talk to strangers. We teach our kids not to take candy. But in today's world on the Internet, not only can you be talking to strangers without supervision, but you can be talking to someone you think is not a stranger, but who is one. There needs to be some sort of basic training on that."

The law directs the state Department of Education to issue guidelines to schools for integrating Internet safety into their regular instruction.

Fralin said many children encounter dangers with computers at home, not school, but since some parents are tech-phobic, schools need to step in.

"In some cases the parents are more technologically challenged than their kids are," he said. "We've certainly sat down with my son and talked about Internet safety. But to tell you the truth, I'd be more comfortable if someone with more knowledge talked to him."

Many local schools are already teaching students about online safety, sometimes in classrooms and sometimes more informally. In Fairfax, all seventh-graders enrolled in family life education classes get a course on Internet dangers, including a video and a fact sheet designed for them to take home and share with their parents.

"We talk about having them trust their feelings," said Elizabeth T. Payne, the county's health and physical education coordinator. "If you think something's not right, get out, get off."

At T.C. Williams High School in Alexandria, where all students are issued a school-owned laptop, students also get orientation lessons on the appropriate use of those computers. That includes safety information -- and warnings against visiting off-limits Web sites. Principal John Porter said teachers follow up with spot-checks to see where children are surfing and what they're posting.

"Sometimes [students] don't think someone's really looking, particularly school folks," he said. "Certainly, with technology, you can't check everybody all the time. . . . But, of course, word spreads quickly once we do a check, and then they know we have people who know how to get to the spots they know how to get to."

Teachers and principals agree part of their job is to educate parents so they develop a better sense of what their children are doing online. Bull Run Middle School in Prince William County holds daytime coffees and evening seminars during school dances for parents to talk about the problem of cyber-bullying. That's when children tease each other or pose as one another in instant messages or chat rooms, sometimes spreading vicious gossip or rumors. Principal William Bixby said even though the bullying usually occurs after school, arguments and hurt feelings can spill into the classroom.

School officials said children need more than one day of classroom discussions to absorb the message. After all, many have already been told that it is unwise to reveal personal information or talk to strangers online.

"The trend with people in general, and maybe kids a little more, is to think it won't happen to me," Porter said. "It's important for them to know that not only might it, but it really does."

The new law, the school officials agreed, is an important step to formalize what so far have been ad hoc conversations in many areas.
"Students have such ready access to computers," Payne said. "They need to know how to protect themselves." According to the National Center for Missing and Exploited Children, nearly one in five children ages 10 to 17 have been sexually solicited online. There have been many news reports about students posting personal and potentially embarrassing information about themselves in online blogs and on personal Web sites such as myspace.com. Such data can make children targets for Internet predators searching for children to befriend. It can also follow them as they age, creating problems when they apply to college and for jobs. © 2006 The Washington Post Company

From rforno at infowarrior.org Fri Mar 31 18:51:41 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 31 Mar 2006 18:51:41 -0500 Subject: [Infowarrior] - Seeking changes to the DMCA Message-ID: Seeking changes to the DMCA By Declan McCullagh http://news.com.com/Seeking+changes+to+the+DMCA/2100-7348_3-6056616.html Story last modified Fri Mar 31 13:48:24 PST 2006 WASHINGTON--Because of a controversial 1998 copyright law, it may be illegal to defang even potentially harmful software, like the anticopying technology found on some Sony BMG Music Entertainment CDs. But those strict legal restrictions should stay in effect, entertainment industry lobbyists said Friday, when they urged the U.S. Copyright Office to avoid making any changes to the Digital Millennium Copyright Act. "There are many other avenues to address these questions, and certainly many other laws that may be relevant in this circumstance," said Steven Metalitz, a senior vice president at the International Intellectual Property Alliance. The group represents large copyright holders. Computer security experts have asked the Copyright Office to alter the DMCA to protect their research. Edward Felten, a professor of computer science at Princeton University, said Friday that he and graduate student J. 
Alex Halderman uncovered the Sony problem a month before the news about it broke in November--but feared a lawsuit under Section 1201 of the DMCA if they disclosed it without the record label's authorization. Because of the lag time, "a great many of consumers were at risk every day," Felten said. "Our exemption request is fundamentally asking for protection for those consumers." Under federal law, the Copyright Office is required to solicit public opinion every few years on whether any amendments--called "exemptions"--to the DMCA are necessary. Section 1201 of the law broadly restricts circumventing "a technological measure that effectively controls access" to a copyrighted work. Sony rootkit's lesson In the past, security researchers would notify the vendors first of any bugs, but now they're afraid to disclose such flaws without first consulting a lawyer, Felten said. He added that the DMCA has discouraged security researchers from embarking on new projects and has driven some away from the field. (Felten once was threatened with a DMCA lawsuit by the recording industry for exposing weaknesses in a music-watermarking scheme.) After a public outcry last fall, Sony voluntarily said it would halt production of certain copy-protected CDs. Those CDs installed a bundle of software, including a "rootkit" used to mask the presence of copy-protection software--and, if abused, malicious programs as well. The incident prompted one Homeland Security official to suggest banning rootkits. Aaron Perzanowski, a law student at the University of California at Berkeley's Samuelson Law, Technology and Public Policy clinic, and clinic director Deirdre Mulligan, said that Felten could have been subject to legal liability if he had disclosed his findings about the Sony rootkits. After he found the flaw, Felten said he called lawyers and spent a month in negotiations with them, and decided not to publish his results right away. Programmer Mark Russinovich did instead. 
Lobbyist Metalitz offered a detailed list of reasons why he said such an interpretation of the DMCA was incorrect. The law already provides sufficient protection in Section 1201 for researchers like Felten to do their work, he said. (That section, 1201(j), permits bypassing anticopying technology "solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability.") But in the Sony BMG incident, the record label's first crack at an uninstaller proved riddled with new problems, Felten said, and even the latest version of the patch won't prevent reinstallation of the rootkit each time the type of copy-protected CD is inserted into a computer. Felten and other security professionals have been able to devise alternative uninstallers that would prevent such reinstallation indefinitely, but are worried that their "unauthorized" methods could get them sued. "It's this uncertainty that creates the very risk," agreed Matthew Schruers, a lawyer for the Computer and Communications Industry Association, whose members include Sun Microsystems, Verizon and Yahoo. "So that raises for me a perplexing question: Why on earth are we putting cybersecurity in the hands of copyright lawyers?" Previous DMCA exemptions granted by the Copyright Office include: Researchers into filtering could study blacklisting techniques, and obsolete copy-protection schemes could be legally bypassed. When reviewing the DMCA, the Librarian of Congress is required to consider the impact that the anticircumvention sections have "on criticism, comment, news reporting, teaching, scholarship, or research (and) the effect of circumvention of technological measures on the market for or value of copyrighted works." The Copyright Office received more than 100 comments on its notice of proposed rulemaking published last year and plans to release its final determinations by the end of October. 
Marybeth Peters, the Register of Copyrights, said that the office has reached no conclusions yet on any of the exemptions. Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Fri Mar 31 20:52:02 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 31 Mar 2006 20:52:02 -0500 Subject: [Infowarrior] - Collegiate Cyber Defense Competition Message-ID: A Student-Hacker Showdown at the Collegiate Cyber Defense Competition Date: Mar 31, 2006 By Seth Fogie. http://www.informit.com/articles/printerfriendly.asp?p=462526 Students faced off against experienced hackers at the Mid-Atlantic Regional Collegiate Cyber Defense Competition. The students' goal: lock down unfamiliar systems and secure their networks. The hackers' goal: to own the students' networks and steal important data. Seth Fogie witnessed this real-world competition and reports on its unexpected twists, turns, and even drama. Imagine if you just graduated with an IS degree and landed a job at a small business as their only IT staffer. You know your way around an operating system and understand some of the protocols and programs that keep data flowing, but for the most part your skills are untested in the real world. Regardless, you are the only thing separating the company's users and data from downtime. Sound like a tough situation? Oh, I forgot to mention there are four of the best hackers in the world trying to get into your digital domain and steal anything of value, including a database of 10,000 credit card numbers. This isn't something seasoned administrators would want to face, much less fresh graduates. Well, this is exactly what several groups of college students faced recently at the Regional Collegiate Cyber Defense Competition, which was held at several locations around the US. I was able to attend this three-day event, and this is my story. Get ready for some fun, shocks, and dohs! as you follow along with me, the Red Team, and the students. 
Collegiate Cyber Defense Competition
Before we get into the actual details of the event, it is important to highlight the reason behind the competition. As per their website at http://utsa.edu/cias/CCDC, "Unlike traditional 'hack and defend' or 'capture the flag' contests, this competition tests each team's ability to operate, secure, manage, and maintain a corporate network. This competition is the first to create, as closely as possible, a realistic corporate administration and security experience -- giving the competitors a chance to compare their education and training against their peers and the real world challenges that await them." In other words, the competition is about creating a practical experience from the classroom knowledge. Students simply take what they have learned and apply it in a simulated environment for educational purposes. However, the competition aspect helps schools know where they stand in relation to other schools that are teaching related content. It is important to note that the program is funded 'in part' by the National Science Foundation (Award ID 0501828 http://www.nsf.gov/awardsearch/showAward.do?AwardNumber=0501828) and has paid out a little over $1,000,000 so far to create "problem-based and case-based learning methodologies in order to provide students with activities that simulate real-life work experiences." I suggest you check out the above link to see the details of this award. The contests are first held regionally, and the winners of each regional exercise compete against each other at the national finals in San Antonio, Texas. I attended the Mid-Atlantic Regional Collegiate Cyber Defense Competition, which was hosted in Lancaster, PA by White Wolf Security. The five schools were from the PA/VA/MD area and were a mix of two/four year degrees that range from networking to programming. 
The participating schools were:
* Anne Arundel Community College
* Community College of Baltimore County
* George Mason University
* Millersville University
* Towson University

White Wolf Security
The host and operator of the event (White Wolf Security) operates a training facility that serves as a working-training environment for hands on computer lab-based education. Everyone, from local colleges to the US Secret Service, use White Wolf's equipment as a hands-on lab for training events and other related activities. The owner, Tim Rosenberg, is well known in educational/government circles for both his lab (which is mobile) and for his training events.

The Details
There are several different groups involved with the games. Each has a function, and a tag. The white cell is there to keep the games running smoothly. Gold members are the judges and professors who basically monitored the games from afar. The red cell was there to attack, and finally, the law enforcement was there to arrest the hackers.

The Scoring
At the beginning of the game, everyone starts with zero points. If the team can keep all the services open, and a selection of 'target' files available, they keep that zero. However, if a team suffers from a loss of confidentiality, integrity, or availability in any other way, they start collecting points -- sometimes quite rapidly. Figure 1 is a shot of the scorebot system, and backend components of the network.

Figure 1: Scorebot system

The Feds
One particular aspect of this game that added significant value was the inclusion of a reporting process to the authorities. On hand was a real US Secret Service agent who deals with computer-related crimes on a regular basis. His job in the game was to show up on scene when a student team detected an attack. 
If the incident report was filled out correctly (see a real incident report from USSS web site: http://www.secretservice.gov/forms/form_ssf4017.pdf), the team would get points taken away from their growing score. Speaking as one who has had to deal with the authorities before, this aspect of the game was actually one of the most valuable. Not only will this experience give each of the students something to look back on if they ever have to deal with the government for real, but they also now have someone they can talk to if something does arise.

The Network Layout
The network was separated into seven different subnets. Five were split up between the teams, one was used for scoring systems, and the final was for the Red Team. At the edge of each of the students' networks was a router and firewall, which were off limits until the second and third days, respectively. Finally, each school had four servers in a DMZ that were connected to the firewall, each with a 'public' IP and a specific purpose. In addition to this, they had two workstations that were in the protected area of the network that were used for syslogging and other functions. The following breaks down the initial system setup -- try not to grimace.
* Alpha1 -- Windows 2003 Server running IIS 6.0 (HTTP/HTTPS), MYSQL and OSCommerce (with PHP support).
* Alpha2 -- Fedora Core 4.0 with VSFTPD and DNS (BIND)
* Alpha3 -- Fedora Core 3.0 with SSH
* Alpha4 -- Windows 2000 Server with IIS5.0, MYSQL, Telnet, SMTP/POP, and DNS (Secondary) running an HR database.

Each system and program was of an unknown patch state/version. In addition, there was a network IP camera thrown in for grins and giggles. Welcome to most small IT shops where money is tight and time is valuable. Figure 2 provides a look at an unmanned pod. Note the four monitors that are connected to the stack via KVM. 
Figure 2: Unmanned pod

Business Objectives
To make the games a bit more realistic, each team would receive various business objectives that would have to be completed in due course, or they would lose points. This could be something as simple as adding an email account or even installing PGP. The details of the objective were up to those running the games.

The Rules
The rules were fairly simple -- at least at first glance. Basically, the Red Team could do anything but hurt someone or perform a denial of service attack (network flood). The student teams were a bit restricted, with regard to changing IP addresses and messing with the infrastructure. Communication was allowed between team members, but only the team leader could talk to the white cell members about problems, etc. The feds could be called over for an investigation and the Red Team was allowed to try to talk to the teams to put a social engineering twist on the games. Finally, all business objectives and administrative requests were sent to the CEO via email. There are some other rules and regulations that are laid out in some detail (http://student.ccbcmd.edu/~cobrie12/ccdc/docs/Mid_Atlantic_Regional_Team_Packet.pdf). However, for the most part, the rules were fairly loose to allow some dynamics in the game.

The Competition
The event kicked off around 1PM on a Friday afternoon. All the students were sitting at the 'pod,' waiting for the green light. The Red Team was all set to go in a separate room with their equipment. After some general announcements, Tim Rosenberg introduced the students to their mission. "Your job is to keep the services up, the router routing and keep the store open -- as well as everything else". After some brief descriptions as to what and who was involved, he gave the green light. At this point, the students had three hours to figure out what they had just inherited from 'the previous IT person' and fix it. 
Meanwhile, the Red Team was set loose to discover just who was out there and figure out what they were running. They were not to attack anything until after the three-hour limit was up. However, the term 'attack' is very grey and seemed to include rooting routers and firewalls. When the teams were set loose I positioned myself in the red room to see how the initial information discovery process would go. It was at this point one of the Red Team members stood up, kicked everyone out, and locked the door. Fortunately, I was labeled as trustworthy and was able to stay inside. He next reached inside his bag and pulled out a complete description of the students' setup, including all operating systems, services, web applications, and IP addresses he had obtained from an anonymous source. Everyone in the room immediately got a slightly evil grin on their face as they realized the results of this social engineering reward. Oh yes -- things were about to get very bad for the students. Figure 3 gives you a shot of the Red Team in action.

Figure 3: Red team in action

After the disclosure of this damning piece of information, I stepped outside the room to see how the students were managing. Ironically, the students at this point knew less than the Red Team about what was running on their systems. Once again, fortune shined down on me because I happened to know one of the schools' team leaders. After a short catch-up (I knew him from high school), I started to ask what he knew about the competition and what his students were dealing with. As it turned out, his team was all programmers who jumped into the event at late notice. That said, they seemed to be very busy figuring out what they had to fix and seemed to be fairly astute as to what they needed to do. I saw kernel recompiling, service packs being downloaded and installed, account permissions being locked down, and much more. 
In fact, as I looked around the room, all of the teams seemed to be in a frantic rush as they tried to secure their VERY insecure systems. I walked around from team to team and quickly realized that no one trusted me, which is a good thing as social engineering was allowed. After an introduction ("I am press") and assurance I was not going to tell the Red Team anything, they allowed me to be near, but still kept one eye on me and the other on what I was looking at. Paranoia had set in. Since the first three hours were critical to their success, I decided to keep my distance from the teams and watched from the sidelines. Considering the feat they were trying to accomplish, they did not need me interfering. During this time, I was able to talk to several of the team leaders, who were not allowed to interact with their teams. Most of them are college professors (PhD types) who wanted to expose their teams to some real world experience. Since the bill was paid for by the grant, there was little to lose and much to be gained by joining the competition. In fact, I am pretty sure there will be at least one school that will be including a class on router configuration. Back in the red room, the Red Team was working hard at 'information gathering.' This involved scanning the systems with nmap and popular GUI applications from Windows. After looking at the results, it was pretty obvious that the students had some serious issues to address. However, it was equally obvious that much of the content of the Red Team's information packet was going to be learned by the schools in the first half hour -- except for the default passwords. Since the Red Team knew the default passwords for most of the accounts and services of the running servers, they had logged into each of the teams' routers and changed the default password to something a bit harder to guess. 
They were also logging into the Linux servers via SSH and changing account passwords, plus doing a little system level recon to see what kind of vulnerabilities they could use to raise their newly acquired accounts to root level access. Some might call this active hacking, but the lines were not that clearly drawn, which leaves much to 'interpretation.' This type of network and system recon continued for roughly three hours, during which time I bounced between the red room and student pods. There were several hiccups in the process, such as an overload on a power circuit that led to a complete loss of power for two teams, but that just made the event that much more realistic IMHO. As the teams started to get things under control, they acknowledged my presence and started to talk a bit. I learned that most of the students were expecting to be slaughtered when the Red Team was set loose. I personally agreed. Even if everyone on the team was an experienced veteran, there was no way they could lock down everything in three hours.

Don't Let Your Momma Dress You
When I first entered the White Wolf Security lab, the first thing that caught my eye was a team that was wearing all blue. Everyone else was in typical student attire that mostly consisted of jeans and a t-shirt. Ironically, this attempt at professionalism turned out to be a bad idea because the Red Team also noticed the blue shirts. The result: 'the blue team' became target number 1.

Let the Games Begin -- Day One
When the three-hour grace period was over, the Red Team slowly worked their way into attack mode. One member started to sort through the information they gleaned from their scans and investigated each possible exploit. Another member fired up a MySQL database client and started to poke around the students' databases looking for sensitive data. The two others were adding/changing accounts to routers, firewalls, and systems. However, for the most part, the students were not being pelted with attacks. 
And this continued for the next several hours. One interesting event occurred during this first stretch that warrants a mention. As it turns out, a team detected that their router's default password did not work. They corrected this problem by uploading new configs to the router, which gave them control again. However, a Red Team member realized what happened and decided to find another way into the device. It took a few minutes, but they quickly learned that the router had SNMP enabled and allowed read/write access for public and private. The result was that the attacker used 'private' community access to add a new account to the router. Once again, this activity was detected by the students, at which point they attempted to completely secure their router. Unfortunately for them, they messed up this process and inadvertently took themselves out of the game. Since the router is the doorway to their servers, the scoring bot had no way to tell if their servers were running. The point of this is, killing your device might keep an attacker out, but it also keeps valid communications from occurring.

Day Two
Saturday started out slowly, but by the end of the day things would not be looking good for most of the teams. With one team pretty much out of the picture thanks to a router issue, the Red Team really focused on the 'blue shirts'. Their first target was an OSCommerce application that was running on one of their Windows machines. Unfortunately, the blue shirts forgot to change the permissions for the admin directory on the application. As a result, the Red Team had complete access to the configuration manager portion of the application. This not only gave them access to all the order information that included 10,000 credit cards, but also gave them access to a file manager application that allowed them to upload/download/edit files on the system, which they did. 
One of the members on the Red Team decided to make the owning of this application obvious, and renamed the Title of the OSCommerce site to something like 'Welcome to Tim Rosenberg's School of UDP.' Unfortunately for the Red Team, this was quickly spotted by the students who then started to look at how and why this happened. Meanwhile, the Red Team member had also defaced their home page, which the students again spotted. Access to the admin folder was soon disabled, but the damage was done -- integrity was lost, services were denied, and confidentiality was gone. The blue shirts were able to detect and report the web server defacement to the authorities, but they missed the customer information download. Since web defacement is minor on the scale of attacks, the Red Team was only given community service instead of the felony charge they could have been hit with. The end result is that the color blue was a good pick for this team as depression sank in. The Red Team did spread the love around a bit after pummeling the blue shirts for a few hours. They discovered an unprotected HR program that was loaded with SQL injection vulnerabilities. This was then used to download/alter employee data, which represented a major loss in confidentiality and integrity. However, it was what the Red Team did after this that was quite clever. Using some custom code, the Red Team created a SQL injection query that then connected to another team's web server in an attempt to create a denial of service attack. This odd attack forced one of the teams to approach the other team with an apology that went something like this: "Hi. Uh, I am sorry if we are attacking you, but we aren't really doing it." The DoS was stopped soon afterwards upon request of the judges. At about 2PM the second day, attention was shifted to one team in particular because they had managed to stay out of the limelight. 
It was soon discovered that this team had failed to change their postmaster email password, which gave the Red Team full control over the emails coming and going to the server. Various methods of abuse were discussed, but it was concluded that the best thing to do was to change the password on the administrator accounts, create a new account, and forward all email from the CEO email account to the Red Team's account. Once this was set up, the Red Team was told to take a break because the student teams were getting overwhelmed. Thus the attacks stopped, which gave the students time to focus on reporting incidents and securing their systems from the various attacks that had been occurring during the day.

Confusion Techniques
One of the interesting tricks that the Red Team did to keep the students guessing was to run continuous scans from programs like Nessus. They did this for one reason -- to overload the students. In addition to indirect misinformation, the Red Team also employed tools like mucus, which have no other purpose but to trigger IDS alerts. They also noted the use of ethereal and injected malicious packets into the network that would crash the sniffer and cause general havoc. It is important to note these techniques because in a real attack, it is not only possible for this to occur, but even probable -- especially if the attacker knows you are watching.

The Hacker Mentality
As I sat in with the Red Team, I got to watch how each worked and what tools/methods were used. The four members really represented a wide range of skills and personalities. On the one side was the information assurance professional who really knew the technology and was able to assist with various tasks that led to loss of confidentiality. Another member was very prepared with a rack server that had six CPUs. His system was loaded with programs like Canvas, metasploit, and other automated penetration testing tools. 
Next was a member who blended the casual professional with rule-bending hacker. He proved to be a valuable asset and was the one who coded up the script that performed the SQL denial of service attack. The final member was the pony tail/ear-ring type that really stretched the rules and thought nothing of it. As a career penetration tester, his skills were valuable for the team as well. The point is, each member took a different approach and used different tools to get the job done. They used everything from OS X to Linux and even Windows, not to mention intimidation, ladders, and glow sticks (more on that in the next section).

Day Three
I arrived early on day three with an understanding that there would be one more hour of active Red Team hacking. The rest of the day was set aside for some competition between the students to allow them some Red Team action. However, to my surprise, I arrived to find all the students in a panic. Apparently, someone had messed with the computer systems during the night and no one would fess up as to who had done it or what was done. While we all waited on the Red Team, it was discovered that during the night the forwarded CEO email account had intercepted two emails from one of the student teams. Unfortunately for them, they contained all the user/passes for every member of the team. As a result, the present Red Team member was able to log into the OSCommerce site and download the customer database and access the accounts on the SSH server, not to mention anything else that required an account. Of interest, the Red Team was not able to use the file manager in OSCommerce to upload/download files because the students had only allowed read/execute access to the admin directory. It was at this time that the Red Team arrived and explained what had happened. To keep the games interesting, and provide a bit of an educational anomaly, the Red Team had done what any criminal hacker would consider -- they broke into the teams' 
pods and installed backdoors. Using only the light from a glow stick (the hotel they were staying at didn't have any flashlights), they found a ladder, climbed up the outside of the room (12 foot ceilings), pulled back a drop ceiling tile, and climbed down a wooden rod they collected from nearby. With physical access granted, the Red Team went to town. Rootkits, backdoors, password changes, system configuration changes and more were fair game with no one around to stop them. One team had locked down the KVM device with a password, but this was quickly bypassed by plugging the monitor into the actual computer. Another team used BIOS password protection, but again, a quick short of the CMOS and the BIOS flash was reset back to default. Windows administrator accounts fell quickly to boot-disk-based password reset attacks. The root account was gained by 'single user' mode hacks on the Linux machines. From there, log files were deleted, PHP scripts were embedded in programs, backdoors were installed, accounts were created with root level access, and much more. Simply put, the Red Team owned the students through and through. The only way anyone could realistically recover is if they took everything offline and started from scratch, which is exactly what a business would have to do. In fact, in a real case, the feds would probably ask to take the systems as evidence.

The Summary
After a brief break for lunch and some major discussions about the games and the physical break in, the Red Team gave a short talk to the students about what they did. Not including the physical attacks, 90% of the issues were related to default passwords. The remaining problems were related to bad code. They also brought up the blue shirt effect and that avoiding attention is a great technique for staying out of harm's way. 
It was also discovered that most of the teams were expecting serious 0-day attacks that they would have to find and stop, when in reality telnet, SSH, and a web browser were the primary weapons. The winning team was actually the one that kept their router running (two teams hosed themselves on this issue), changed most of the default passwords, locked down their permissions, and didn't attract attention to themselves. Oh, and of interest, it was the same team that had only a week to prepare and were all programmers (as seen in figure 4). Figure 4 Figure 4: The Winners! The end result was that a group of students got a first-hand experience of just how bad it can be in the real world, and what they would need to do if they ever had to deal with a similar scenario. From setting up a secure shopping cart to understanding how the chain of evidence and how to deal with authorities, the experience was valuable for everyone there, including me. I for one will be back again next year to watch the games! Winning Team: Millersville University Todd E Echterling: System administrator for the computer science department Chad A Billman Edward J Schwartz Thomas J Miller Cory W Adams Michael A Vicinsky Mark A Olszewski Bradley J Chronister Red Team: Joe Harwell: Joe is a Security Specialist for Nortel Government Solutions. He currently is responsible for design, integration and testing of many of the "three letter agencies" security systems, and has over 15 years of experience in the field. He was CERT penetration tester for the US Army in a previous life. Ryan Trost: Ryan is a Senior Security Engineer for Criterion Systems, currently working on a DHS contract. When not overseeing the security architecture of his team, he spends his free time developing a Network Security Snap-on Application that involves IDS Geocoding (patent pending). Ryan will be graduating from George Washington University this May with a Masters in Computer Science. 
Adam Meyers, CCE, IAM, IEM: As an information security professional and consultant, Adam Meyers provides clients with complete security expertise, ranging from assessments, forensics, incident response, penetration testing, and security architecture. Additionally he provides physical security assessments and threat analysis. Mr. Meyers is a Certified Computer Examiner (CCE). Prior to joining SRA, he worked with the George Washington University Security Team, as the Network Manager for the 2000 National Democratic Convention, and as a private security consultant, all while pursuing a degree in political science with specific attention to inter-state information warfare. Tom Parker: Tom is a computer security analyst who, alongside his work providing integral security services for some of the world's largest organizations, is widely known for his vulnerability research on a wide range of platforms and commercial products. Tom regularly presents at closed-door and public security conferences, including the Blackhat briefings, and is often referenced by the world's media on matters relating to computer security.
