Bugtraq mailing list archives

forwarded message from Chris Goggans


From: scott () santafe edu (scott () santafe edu)
Date: Thu, 10 Feb 1994 08:52:18 MST


Just a forwarded message from the firewalls mailing list.

Scott


------- Start of forwarded message -------
Return-Path: <Firewalls-Owner () GreatCircle COM>
Received: from relay1.UU.NET by sfi.santafe.edu (4.1/SMI-4.1)
        id AA04121; Wed, 9 Feb 94 23:34:44 MST
Received: from mycroft.GreatCircle.COM by relay1.UU.NET with SMTP
        (5.61/UUNET-internet-primary) id AAwcpl08552; Thu, 10 Feb 94 01:18:48 -0500
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-931103)
        id AA10079; Thu, 10 Feb 94 06:01:14 GMT
Received: from akasha.tic.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-931103)
        id AA10072; Wed, 9 Feb 94 22:01:02 PST
Received: by akasha.tic.com (5.65/akasha.m4.1.15)
        id AA28060; Thu, 10 Feb 94 00:02:42 -0600
Message-Id: <9402100602.AA28060 () akasha tic com>
Sender: Firewalls-Owner () GreatCircle COM
Precedence: bulk
From: erikb () tic com (Chris Goggans)
Subject: Insecurity?  What else is new?
Date: Thu, 10 Feb 94 00:02:42 -0600
To: firewalls () GreatCircle COM


As many have read lately, the Internet is once again the center
of attention for people up in arms about "SECURITY PROBLEMS!!"

This is a load of hooey.  What is happening now, is no different than
what has been going on for years.  The only difference now is that
more reporters are (or at least consider themselves) net aware.

Here's the story...

The biggest perpetrators of the recent break-ins (recent meaning the
last year or so) have been a group of miscreants who are ofttimes
referred to as "The Posse."

They, and their friends, are located in Pennsylvania, New York/New
Jersey, Ohio, Arizona, and Florida.

One of the PA residents, and the FL person, involved in the break-ins has
parted ways with the two main people involved due to in-fighting among
their little group.  The New York/New Jersey parties are not as actively
involved in the hacking, but perform needed social engineering and
phone related tricks for the group in exchange for other favors.  The
main antagonists are both in their late teens...a PA data entry clerk,
and an OH hotel desk clerk.

Their main method of attack involves getting root on a site then
monitoring incoming and outgoing traffic using Ethernet sniffers (on Suns
since they are too pathetic to port their swiped esniff.c program
to run on Ultrix or other variants) and capturing all TCP activity.
They then use this information to get in other hosts and start over.

They have programs that allow them to get ypmaps from remote
(ypsnarf.c); to nfs mount damn near anything; to get root using
sendmail, rdist, the mult bug, and others.

They have patches to allow them the ability to place backdoors in
login and in.telnetd, and to run other shells to let them jump over
firewalls.  They have utilities to remove themselves from
wtmp, utmp, pacct, ps, and netstat.  Unless you have a tcp-wrapper
going, you probably won't notice them.

I would estimate that about 25% of the American Internet is
compromised.  This is predominantly university traffic but
since these are the people behind break-ins at The Well, CNS, Panix,
NSFNet, BarrNet, Sun, and others, it's pretty safe to assume that
they have a lot of fun addresses to play with.

Although they have amassed a HUGE amount of hosts through their
sniffing, it is unclear as to what they want with the hosts.  The
predominant motive appears to be the ability to get on IRC
anonymously and send ICMP floods to servers and annoy people.
They also play games impersonating people on netnews and mail, they
fake hacking attempts in order to try to frame people, they play
phone games and prank people over and over or otherwise disconnect or
disrupt service, they get credit information or billing records to
spread around, etc.

(As I said before, it's pretty pathetic)

The real crime here is that the authorities know precisely who is
involved, and it persists.  One individual was even involved with
the MOD busts a few years back and is no longer a minor.  Perhaps
this time his father won't be able to intervene.

They really don't seem to care what happens to them, and they know full
well that the authorities have been questioning people about them, yet
they persist.  Obviously the illusion of power on the net is far more
desirable than their petty real lives.

my .02

- ->ME

------- End of forwarded message -------
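The wtmp/utmp cleaning the forwarded message mentions leaves artifacts a defender can look for. The following Python script is an added example, not code from the original post or from any tool it names: it parses a wtmp file using the glibc x86-64 `struct utmp` layout (an assumption about the host) over constructed sample records, and flags all-zero entries and backwards timestamps, two traces crude log cleaners leave behind.

```python
import struct
from typing import Dict, List

# Assumed layout: glibc struct utmp on x86-64 Linux, 384 bytes per record.
# type, pid, line[32], id[4], user[32], host[256], exit(2 shorts),
# session, tv_sec, tv_usec, addr_v6[4], 20 unused bytes.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
assert UTMP.size == 384
EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8


def _cstr(b: bytes) -> str:
    """Decode a NUL-padded C string field."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def make_record(ut_type: int, pid: int, line: str, user: str,
                host: str, tv_sec: int) -> bytes:
    """Build one utmp record; used here only to construct sample data."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data: bytes) -> List[Dict]:
    """Split a wtmp image into records, ignoring a trailing partial record."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP.size, UTMP.size):
        raw = data[off:off + UTMP.size]
        f = UTMP.unpack(raw)
        records.append({"index": off // UTMP.size, "type": f[0], "pid": f[1],
                        "line": _cstr(f[2]), "user": _cstr(f[4]),
                        "host": _cstr(f[5]), "time": f[9],
                        "zeroed": raw == b"\0" * UTMP.size})
    return records


def find_anomalies(records: List[Dict]) -> List[str]:
    """wtmp is append-only, so zeroed entries and time going backwards
    are both signs of editing rather than normal logging."""
    findings, last_time = [], 0
    for r in records:
        if r["zeroed"]:
            findings.append(f"record {r['index']}: all-zero entry (possible wiped login)")
            continue
        if r["time"] < last_time:
            findings.append(f"record {r['index']}: time {r['time']} precedes previous {last_time}")
        last_time = max(last_time, r["time"])
    return findings


# Constructed sample: a normal login, an entry overwritten with zeros, and
# a later entry whose timestamp runs backwards.
SAMPLE_WTMP = (make_record(USER_PROCESS, 101, "pts/0", "alice", "lab.example", 1000)
               + b"\0" * UTMP.size
               + make_record(USER_PROCESS, 103, "pts/2", "bob", "lab.example", 900))

if __name__ == "__main__":
    for finding in find_anomalies(parse_wtmp(SAMPLE_WTMP)):
        print(finding)
```

To run it against a real file, replace SAMPLE_WTMP with the bytes of /var/log/wtmp and confirm the struct size matches the host's libc first.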


