Bugtraq mailing list archives
forwarded message from Chris Goggans
From: scott () santafe edu (scott () santafe edu)
Date: Thu, 10 Feb 1994 08:52:18 MST
Just a forwarded message from the firewalls mailing list.

Scott

------- Start of forwarded message -------
From: erikb () tic com (Chris Goggans)
Subject: Insecurity? What else is new?
Date: Thu, 10 Feb 94 00:02:42 -0600
To: firewalls () GreatCircle COM

As many have read lately, the Internet is once again the center of attention for people up in arms about "SECURITY PROBLEMS!!" This is a load of hooey. What is happening now is no different from what has been going on for years. The only difference now is that more reporters are (or at least consider themselves) net aware.

Here's the story...

The biggest perpetrators of the recent break-ins (recent meaning the last year or so) have been a group of miscreants who are oftimes referred to as "The Posse." They, and their friends, are located in Pennsylvania, New York/New Jersey, Ohio, Arizona, and Florida. One of the PA residents, and the FL person, involved in the break-ins have parted ways with the two main people involved due to in-fighting among their little group. The New York/New Jersey parties are not as actively involved in the hacking, but perform needed social engineering and phone-related tricks for the group in exchange for other favors. The main antagonists are both in their late teens...a PA data entry clerk, and an OH hotel desk clerk.

Their main method of attack involves getting root on a site, then monitoring incoming and outgoing traffic using ethernet sniffers (on Suns, since they are too pathetic to port their swiped esniff.c program to run on Ultrix or other variants) and capturing all TCP activity. They then use this information to get into other hosts and start over. They have programs that allow them to get ypmaps from remote (ypsnarf.c); to NFS mount damn near anything; to get root using sendmail, rdist, the mult bug, and others. They have patches to allow them the ability to place backdoors in login and in.telnetd, and to run other shells to let them jump over firewalls. They have utilities to remove themselves from wtmp, utmp, pacct, ps, and netstat. Unless you have a tcp-wrapper going, you probably won't notice them.

I would estimate that about 25% of the American Internet is compromised. This is predominantly university traffic, but since these are the people behind break-ins at The Well, CNS, Panix, NSFNet, BarrNet, Sun, and others, it's pretty safe to assume that they have a lot of fun addresses to play with.

Although they have amassed a HUGE amount of hosts through their sniffing, it is unclear as to what they want with the hosts. The predominant motive appears to be the ability to get on IRC anonymously and send ICMP floods to servers and annoy people. They also play games impersonating people on netnews and mail, they fake hacking attempts in order to try to frame people, they play phone games and prank people over and over or otherwise disconnect or disrupt service, they get credit information or billing records to spread around, etc. (As I said before, it's pretty pathetic.)

The real crime here is that the authorities know precisely who is involved, and it persists. One individual was even involved with the MOD busts a few years back and is no longer a minor. Perhaps this time his father won't be able to intervene. They really don't seem to care what happens to them, and they know full well that the authorities have been questioning people about them, yet they persist. Obviously the illusion of power on the net is far more desirable than their petty real lives.

my .02

->ME
------- End of forwarded message -------
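The forwarded message says the intruders carry utilities that remove their own entries from wtmp and utmp, so that without tcp-wrapper logging they go unnoticed. The script below is an added example, not part of the message or of any tool it names: it shows the kind of check a defender can run on a wtmp file after the fact. wtmp is append-only, so a log cleaner leaves one of two traces: a record overwritten with zeros, or a logout (DEAD_PROCESS) on a line that has no preceding login (USER_PROCESS) because that login record was cut out. The record layout used here is the Linux glibc utmp struct on x86_64 (384 bytes); that is an assumption, since the 1994 SunOS/Ultrix wtmp layout differs, but the detection logic is the same. All records are constructed sample data, including the host name remote.example.

```python
import struct

# Linux glibc <utmp.h> record layout, x86_64, 384 bytes (assumed layout; the
# SunOS/Ultrix wtmp the message refers to uses a different, older struct).
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

EMPTY, BOOT_TIME, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 0, 2, 6, 7, 8


def cstr(b):
    """Decode a NUL-padded fixed-width string field."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def make_record(ut_type, pid, line, user, host, ts):
    """Build one wtmp record (used only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, ts, 0,
                       0, 0, 0, 0)


def parse_wtmp(data):
    """Split a wtmp blob into dicts; a short trailing record is an error."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length is not a multiple of the record size")
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        recs.append({"index": off // UTMP_SIZE, "type": f[0], "pid": f[1],
                     "line": cstr(f[2]), "user": cstr(f[4]),
                     "host": cstr(f[5]), "time": f[9],
                     "zeroed": raw == b"\0" * UTMP_SIZE})
    return recs


def find_anomalies(recs):
    """Return (index, reason) pairs for records a log cleaner would leave behind."""
    findings = []
    open_lines = {}   # tty line -> user currently logged in on it
    last_ts = 0
    for r in recs:
        if r["zeroed"]:
            findings.append((r["index"], "all-zero record in an append-only log"))
            continue
        if r["time"] < last_ts:
            findings.append((r["index"], "timestamp goes backwards"))
        last_ts = max(last_ts, r["time"])
        if r["type"] == USER_PROCESS:
            open_lines[r["line"]] = r["user"]
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_lines:
                findings.append((r["index"],
                                 "logout on %s with no matching login" % r["line"]))
            open_lines.pop(r["line"], None)
    return findings


# Constructed sample session: boot, root console login, a remote login on
# pts/0, then both logouts. The remote login is the one an intruder would hide.
SAMPLE = [
    make_record(BOOT_TIME, 0, "~", "reboot", "", 1000),
    make_record(USER_PROCESS, 101, "tty1", "root", "", 1100),
    make_record(USER_PROCESS, 202, "pts/0", "guest", "remote.example", 1200),
    make_record(DEAD_PROCESS, 202, "pts/0", "", "", 1300),
    make_record(DEAD_PROCESS, 101, "tty1", "", "", 1400),
]


def sample_wtmp(mode="intact"):
    """'zeroed' overwrites the remote login with NULs; 'removed' cuts it out."""
    blob = b"".join(SAMPLE)
    if mode == "zeroed":
        blob = blob[:2 * UTMP_SIZE] + b"\0" * UTMP_SIZE + blob[3 * UTMP_SIZE:]
    elif mode == "removed":
        blob = blob[:2 * UTMP_SIZE] + blob[3 * UTMP_SIZE:]
    return blob


if __name__ == "__main__":
    for mode in ("intact", "zeroed", "removed"):
        print(mode, find_anomalies(parse_wtmp(sample_wtmp(mode))))
```

On a real system, point parse_wtmp at the bytes of /var/log/wtmp; the intact sample yields no findings, the zeroed one flags both the blank record and the orphaned logout, and the cut-out one flags only the orphaned logout. Zeroed records are a strong indicator, but an orphaned logout can also follow a log rotation, so compare against the rotation time before calling it an intrusion.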