Neworder Newsletter #7
@ New Order Newsletter
Jan 12 2002, 16:11 (UTC+0) | cd writes:

[n e w o r d e r n e w s l e t t e r] seven

.contents
0x01 intro from zwanderer
0x02 cd's small rant
0x03 neworder articles
0x04 edge > whats new
0x05 whats up in the world [this isnt long, the joy of SMS]
0x06 gobbles is a fake
0x07 exploits > microsoft, *nix, web
0x08 outro

.intro from zwanderer

This is the seventh neworder newsletter since it started in July last year, and so much has happened since. On neworder, the user count passed the 100.000 mark, several times in fact. A function was added to the Edge engine, that removes 6 month old, inactive accounts. The total death toll of the first pass was over 10.000, but luckily we have almost reached this number again.

It has always been the fundamental principle of neworder and the entire box network to pursue knowledge, not only for the members, but also for every visitor of the site. Neworder was created with this goal in mind - to educate; and the Edge engine was applied to aid the process, and it has grown immensely due to the ongoing development, and plans of opening the source.

Knowledge spawns freedom, but it also spawns obligation - and we mustn't forget our obligation towards ourselves, and others. It may seem corny, but September 11th showed us both things. It was the end of a year where xenophobia played far too great a role, and where people forgot the obligation and only concentrated on personal freedom - freedom from others. It is box network's, and all hosted sites', profoundest hope that this year may prove more orientated towards helping, and aiding others, in what they wish to achieve; rather than concentrating on personal gain.

It thus seems, that people have been more concentrated on gathering reputation and prestige, than on distributing information. Sadly, people have posted material from other sites - and even though this information sometimes contained the correct links to the original material, it is still not individual work.
This might not seem like a big deal, the readers learn something even if the poster borrowed it from someone else, but this is not always the case. Many times, people come to neworder for special material, or for different views on subjects, and the above mentioned goal of aiding others, mustn't mean that personal goals are set aside. This is not about giving and not receiving - we give because we feel we benefit from this as well - although not in the same way.

A group is held together by its members, not its leaders. A perfect group needs no leaders, only prominent front figures. This is how many of us see our place in this. We do not benefit from our positions - and our status is only set for administrative purposes. Many have felt that there are leaders and that they rule with an iron fist. In reality, they see themselves as your equals, although the feeling may or may not be mutual. Of course this means that you must show maturity and try your best not to think of this as hierarchical, but show that you can take responsibility.

In any case, this is all about discussion, dialog, and most of all networking. But networking has become a meaningful word, not just in the sense of a computer network, but also in the way we organize our society and ourselves. Neworder is a network because it consists of connected computers - but also because it acts as a virtual information network between users. We consider our group - one big distributed network. The loss of one node means less computing potential, and is of course a loss; but the group as a whole lives on. No nodes mean more than others.

This is issue 7 - we hope you enjoy it, and that you enjoy the new year, with hopefully more peace and reconciliation than the last one.

zwanderer

.cd's quick rant

hey everyone, i bet you cant believe it! its another newsletter. long story about why its taken so long so we'll not even go there. enough to say that the newsletter is back in what should be a much more regular occurrence.
please bear in mind that this isnt probably as long or as detailed as it might normally be. im still thinking of what should go into this so for the most part its the general summary of whats happened on neworder. still, im sure the next newsletter will be much better and more informative, as well as better laid out. for the most part though, what was in previous newsletters is here with the exception of tons of news summaries, that me thinks is a bit of a lost cause considering the SMS feature of neworder. why reinvent the wheel eh? ;)

now its time for me to go off and review all those exploits and neworder happenings of this past while. good thing i downloaded some quality music last night since all my mp3's are stuck on my linux box. damn TDK and their lack of support :)

cya all laterz...

cd

.neworder articles

aw man, i thought the backlog of exploits was bad, but this is extreme. lots of articles and, much to lots of people's happiness, more technical topics rather than 'what is a hacker?' style stuff. we've also had 3 new themes of the month since last time. so without further ado, heres a couple of notes on articles that may be of interest to those that registered about 2 minutes ago and havent finished scrolling down the page...

those of you starting your hacking career would do well to read a couple of the following:

Paris2k's Simple CGI-Hacking Tutorial
    as in P2k's style, this nicely introduced and written article gives you an insight to CGI vulnerabilities (that means web scripts kids)
Thran's NMAP Tutorial
    often referred to as the swiss army knife of security, thran shows those that have lived under a rock the ins and outs of NMAP
Resolution DOS FTP Tutorial
    this is actually more useful than you'd imagine, imperial college could do with reading this stuff...
Scrumps ICMP OS Detection Tutorial
    Stack fingerprinting is the main technique used to identify unknown systems on the network and this guide looks at how it works
ajhacksu explains the Win9x registry
    pretty damn long guide to the ins and outs of the core of the windows since 3.1

There's tons more at Article BackList. The one series that im really looking forward to is zwanderers discussion on operating systems [stems from his proposed hamsterOS - dont ask]. you can see the beginning of the guides with his bootstrap for dummies guide here. nice and low as it should be :)

for those looking for a bit of privacy, we've had our share of articles on that particular topic. you'll probably want to check out a couple of these:

Enaegma's Patriot Bill Summary
    find out what this privacy invading bill could mean for you
xinterix's Spyware vs your Firewall
    more on windows xp's built in firewall and what it really is

finally, check out kismet's Artificial Neural Networks article. ANN's are a very cool and interesting thing and it makes you sound really intelligent if you bring them up in conversation with your mates ;)

now, themes of the month. yeah thats right themes. we've had three since last time. the newest concerns cryptography. this is a f**king huge article. apologies for the expletive, but it is. it even goes into detail on quantum cryptography with nice wavy diagrams. i suggest you read this right away now and enlighten yourself. You can get it here.

not to be outdone by his more than 200 SMS posts in 30 days at one point, rattlesnake wrote 2 themes of the month. a very nice, very big and very informative one on programming languages and an equally large and well written ethical hacking discussion with lots of definitions of hacking and why we do it. this should have been printed in a newspaper, it would save a lot of explaining to people...

.edge > whats new

edge is the code name for the engine that powers neworder and indeed much of the boxnetwork.
those that have been here since the days of old when neworder wasnt registered and we could all post as callaghan and say 'im an 31337 hax0r d00d' and the like have probably seen such huge change in the services the site offers. just since the last newsletter some more features have been added. they are in no order (cos i dont know what order they came in):

- ability to delete all memo's from a certain user
- an admin board for level 5 and above so that we can discuss confidential material about neworder
- new user levels (1 and 2) for regular and contributor users
- user level descriptions instead of the simple level number
- revised FAQ engine
- a lack of decembers newsletter

ive probably missed something there, but you can see that edge is developing at a fast pace and who knows what will be implemented in six months time [yeah, when the next newsletter comes out-saved you the bother of saying it bakey ;)]

.so whats up in the world?

way too bloody much. suffice to say that whilst i have been away, contrary to popular belief, the world did not stop revolving. just taking a look at the SMS postings since january 4th is enough to make me cry. still, someone posted on the board that kimble has fled to south america after threats on his life. im sure im not alone when i say 'haha'. personally, i have no sympathy for him.

i dont think it would be worth the huge effort to pull bits of news which i know you all wont read. thats what SMS is for anyway guys. my quick news summary ;).

.gobbles is a fake

this is old news, but worthy in the light of newsletter 6 and the whole neworder/snp defacement. it would appear that GOBBLES is a bit of a fake/liar and whole manner of things. you can read some related stuff at these links:

- neworder defacement statement
- gobbles is a fake article

.exploits

theres been many an exploit released since november surprisingly, so ill not dwell too much on anything pre-mid december because that makes it a little old. not that many admins care anyway.
look at unicode for gods sake.

:microsoft [Os / Software]

name: Microsoft IIS/5 Bogus Content-Length Memory Bug
what?: a denial of service attack to do with content length fields causing the server to consume memory
versions: 5
example/code?: yep
where?: (example) and (exploit code, perl)

name: IE Denial of Service
what?: more DoS in the form of a very strange img tag causes IE to totally crash
versions: none stated > all(?)
example/code?: yep
where?: here

name: IE Denial of Service 2
what?: an update of a form value in IE automatically will cause the program to hang.
versions: IE 5.5/Sp2, Netscape 4.73
example/code?: yep
where?: here

name: Windows FTP "Network Place"
what?: saved passwords can be viewed by altering the address bar when adding new network places
versions: XP, 2K, 98
example/code?: yep
where?: here

name: MSIE May Download and Run Programs Automatically
what?: more content type fun with IE by content spoofing of files
versions: 5.0 > 6 [see table for more info online]
example/code?: yep, java this time
where?: here

name: Internet Explorer HTTPS Certificate Attack
what?: SSL 'man in the middle' attacks are possible
versions: none stated, assume all
example/code?: yep, proof of concept
where?: here

name: Scripting Hole In Microsoft IE Exposes Local Files
what?: a GetObject() bug allows IE to read local files
versions: 6, some 5
example/code?: yep
where?: here

name: WinME/XP UPNP remote dos and buffer overflow
what?: a service under ME and XP for allowing seamless connectivity of devices suffers from these two crackers
versions: ME/XP
example/code?: yep, *nix C
where?: here

name: PGP 7.0 Outlook Plug-in Flaw
what?: decrypted messages may be stored and viewable by others in a certain setup
versions: 7.0 > !7.1.1
example/code?: none needed
where?: here

:*nix based

name: XTerm UnixWare Exploit Code
what?: a standard buffer overflow attack in XTerm
versions: none stated
example/code?: yep, C code
where?: here

name: XChat IRC Session Hijacking
what?: Xchat can
be tricked into sending commands to the IRC server allowing lots of possibilities
versions: 1.4.2 > 1.4.3
example/code?: yep
where?: here

name: Vulnerability in Encrypted Loop Device for Linux
what?: attackers may be able to modify the encrypted filesystem without being detected
versions: none stated
example/code?: big-ass example
where?: here

name: Solaris x86 v2.8 /bin/login via telnet remote buffer overflow
what?: more buffer overflow madness
versions: 2.8
example/code?: *nix C code
where?: here

name: Local DoS in Solaris 8 (smcboot)
what?: local denial of service is possible with some smcboot startup procedures on certain hardware releases
versions: Solaris 8
example/code?: yep
where?: here

name: Linux Package Default UID (573)
what?: source code decompression is owned by uid/gid 573. if a user exists with such id's, they could change the source and insert hostile code
versions: none stated
example/code?: yep
where?: here

name: Trust Issues with RH and Debian Package Managers
what?: really interesting stuff on the FBI's magic lantern program about trojaned software
versions: none stated
example/code?: yep
where?: here

:web holes

name: Slashcode Login Vulnerability
what?: logged users can login as any other user
versions: 2.1.x
example/code?: no
where?: here

name: Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, and Site Spoofing Bug
what?: cookie stealing amongst other things are possible by using document.open and not finishing with document.close
versions: 6
example/code?: yep
where?: here

name: SQL Server Text Formatting Functions Contain Unchecked Buffers
what?: not much, no code released yet
versions: 7.0, 2000
example/code?: no, ms bulletin
where?: here

name: PHPNuke module.php Vulnerability and PHP error_reporting Issue
what?: cross scripting problems within modules.php
versions: none stated
example/code?: yep
where?: here

name: WebSEAL Vulnerable to a DoS Attack (%2E)
what?: requested urls with the '.'
character cause it to crash
versions: 3.8
example/code?: yep
where?: here

name: DayDream BBS Buffer Overflows
what?: multiple buffer overflow vulnerabilities
versions:
example/code?: yep
where?: here

name: Web Administration Vulnerability in CacheOS
what?: certain requests to port 8081 on the box may allow for useful information gathering
versions: 3.1
example/code?: yep
where?: here

Theres plenty more exploits and vulnerabilities on neworder and of course other security sites. If you cant find anything of interest in the list above, try looking at all the vulnerabilities on neworder, or using a simple search. you'd be amazed :)

get me an exploit!

.month in the media news [by zwanderer]

News items are always important, and interesting, although hard to keep up with. Neworder is equipped with the special SMS section to give you news fast and efficiently. However, the amount of news published is enormous - and thus this section was created to give you a view of what happened since the last newsletter was published.

Russian programmer, Dmitry Sklyarov, the hacker who cracked the e-book security [http://neworder.box.sk/smsread.php?newsid=2151] at Defcon, was arrested in the US and went to court facing a 25 year sentence. He returned home to Moscow in the beginning of the new year, after having defeated the justice department. Different statements floated around during the case, some claiming that Dmitry had made a deal with them, while he himself claims never to have made a deal. Dmitry states that: "I am a man of integrity and as such am doing nothing more than telling the truth, not for or against anyone." [http://neworder.box.sk/smsread.php?newsid=1953]

On Dec 26, 2001, the US Senate passed a new bill: H.R. 3482 - the Cyber Security Enhancement Act of 2001, which gave judges more room to apply tougher sentences for cyber criminals. These cyber terror bills were all passed on the basis of the September 11th attack and its aftermath.
[http://neworder.box.sk/smsread.php?newsid=1971]

Likewise, according to the security watcher, mi2g Intelligence Unit, September 11th has also made crackers stop defacements. This will mostly be due to patriotism, the feeling of hurting at a bad time, or due to recent laws in the area where defacements are close to being considered terrorist actions. [http://neworder.box.sk/smsread.php?newsid=1971]

UNICEF might have used this insecurity to propose Internet censorship, pointing out that child pornography is a growing problem, where the Internet is a safe haven. Whether or not the Internet should be censored is still unknown, but two camps have already emerged with opposing views on the subject. [http://neworder.box.sk/smsread.php?newsid=2147]

Some of those in favor of a censorship free Internet are the hackers/crackers roaming the Internet in search of idealistic freedom. Crackers seem to have moved from commercial server cracking, to home computers. The reason, apparently, is that home computers are more powerful and less secure than ever before. This, combined with increased bandwidth, makes it equally attractive for crackers to compromise home computers. The prestige of cracking large corporations is still a factor to be reckoned with, but in the scriptkiddie category, this might not be the case. [http://neworder.box.sk/smsread.php?newsid=2161]

The Norwegian hacker that wrote the DeCSS decryption program has been sued by the motion picture industry. The program, which was created over a year ago, has been used extensively, although banned by the industry. Combined with the newest compression techniques like DivX, DVD quality movies can now be stored on CDs. [http://neworder.box.sk/smsread.php?newsid=2305]

One of the most popular programs used for sharing DivX files, is the Dutch program, Kazaa and Morpheus. Both programs are based on P2P technology, and are able to share each other's networks, accessing enormous amounts of information.
Kazaa was sued for offering access to illegal copyrighted material, and was sentenced to close down - though this has not happened yet. Morpheus published plans for growing their network and proceeding with further development of the file sharing software, thus giving new hope to file sharing enthusiasts everywhere. [http://neworder.box.sk/smsread.php?newsid=2002]

Windows XP was published just before last issue, and was included in the news summary then too. Since then, Windows XP has been tested for vulnerabilities, and many have been discovered. FBI published an advisory, urging people using Windows XP to disable certain features vulnerable to attack. Many serious vulnerabilities have been found, and weaknesses in the Windows firewall have been pointed out as well. The fear of RAW sockets being a serious hazard, however, has not been mentioned since the large discussion prior to the launch. Many hackers have posted programs exploiting this feature. [http://neworder.box.sk/smsread.php?newsid=1991]

The monopoly trial against Microsoft was thought settled last year, when it suddenly broke out once again. After 9 states rejected the settlement proposed, they accused Microsoft of stalling, due to their request that the trial be postponed 4 months. Microsoft accused the 9 states of rejecting the proposal because they wanted a dramatic ending to the matter. This was denied by the states. [http://neworder.box.sk/smsread.php?newsid=2058]

Fighting a war on two fronts, Microsoft continued its fight against GNU/Linux. Microsoft was accused of paying for surveys concerning the usability of Windows compared to Linux, and found that Windows in some cases was cheaper to install than Linux. This caused an uproar in the Linux community where the Microsoft statement was hard to take seriously. In the same community, the discussion of whether or not Linux is/should be a desktop operating system, is at an all time high.
More and more people seem to be acknowledging Linux' strengths with servers, but fewer see its potential as a desktop operating system. No prominent figures (Kernel developers) have uttered any comments concerning the turn of Linux, but the end of 2.4 kernel branch was called "A landmark in Linux on servers" because most optimizations were server specific. [http://neworder.box.sk/smsread.php?newsid=2095]

America Online said that their user count passed the 33 million user mark around New Year. The world's largest interactive services company have released AOL 7 and included many groundbreaking features (according to their own description). Broadband will play a bigger role with AOL due to the ownership of Time Warner Cable Company. [http://neworder.box.sk/smsread.php?newsid=2024]

Broadband was promised its final breakthrough this year, and according to some analysts in 2000/2001 - Governments around the world would begin to offer free broadband to its citizens as a democratic and cultural stimulant. This, however, doesn't seem to have been the case. The number of broadband users has risen, although it didn't reach its promised potential. Other sci-fi techniques were promised a great future last year, including implanted chips acting as unique ID's in emergencies. This, along with many other ideas - didn't make it out of the university labs last year, yet predictions foresee the same thing this year. It will be exciting to see if this year holds the key to humans' future involvement in technology. [http://neworder.box.sk/smsread.php?newsid=2224]

.outro

So this concludes issue 7. We hope that you have enjoyed it, and that you will read the next issue as well. If you wish to contribute to the community, publish your articles on neworder (Using the "Post into news" link on the front page) and help neworder grow.
Normally there would be recognitions of the authors here - but I will abstain from thanking individuals, and instead thank the entire community for equal parts in the success of neworder. The fact that people take time to write/read/comment/reflect on articles posted, is what drives this site. Thank you for reading.

zwanderer

hmm, not sure if this is as long as normal but still. anywayz, im rambling now. i am unfortunately off to finish some digital systems coursework and then off to pick up some beers and work on some code. oh the life of cd, its not all fun and games. ill leave you with a comment from bakesnake which made me chuckle...

cd

'You know guys, being a Sexual Stallion whose manly musk sends women into a slathering frenzy isn't all it's cracked up to be. I'm exhausted most days.'