From: cmeinel@t...
Date: Wed Feb 14, 2001 10:22 pm
Subject: How to Defeat Intrusion Detection Systems

Inside Happy Hacker Feb. 14, 2001
___________________________________________________________
See the Happy Hacker web site at http://www.happyhacker.org. Firewall or web babysitter program blocks you? Try http://happyhacker.org. Still doesn't work? Try entering 206.62.52.30 in the location window of your web browser.
___________________________________________________________
Inside this issue:
How to Defeat Intrusion Detection Systems
Whatever happened to the Windows and Unix Digests?
Beware Netscape 6
Eudora Denial of Service Attack
Happy Hacker poll results
___________________________________________________________
*** How to Defeat Intrusion Detection Systems
___________________________________________________________
Here's yet another of Meinel's articles for MessageQ magazine: "How Computer Criminals Defeat Intrusion Detection Systems." Enjoy! http://www.messageq.com/security/meinel_3.html. In case you were wondering, it is written at the level of technical detail found in Meinel's book Uberhacker! (sample chapters at http://happyhacker.org/uberhacker/ ).
___________________________________________________________
*** Whatever happened to the Windows and Unix Digests?
___________________________________________________________
Someone wrote: "I've been a fan of yours and the digests for quite some time now, and this was the only time I was able to mail you. I just wanted to ask about the digests: how come I don't receive any Windows or Unix digests anymore? I really enjoyed reading them. Also, are there any current mirror sites that may have the past digests?"

Answer: We have spun off several mailing lists and discussion groups, hosted by Yahoo Groups.

*** Hhwindows: a moderated discussion group on Windows 95/98/ME/NT/2K security and hacking. To subscribe, go to http://groups.yahoo.com/group/hhwindows/join .
To read archives of such cool things as the source code for how to remove Explorer from your Windows 9x operating system, see http://groups.yahoo.com/group/hhwindows/ . Moderator in chief is Greggory Peck, who breaks into computers for a living in his job at KPMG (http://www.kpmg.com). Co-moderators are Shane Devault (who is a tech support guy) and John Demchenko, a computer science student. Over 2000 people are on this discussion list. You can find older archives at happyhacker.org/hhlist/

*** Hh-unix: a moderated discussion group on the Unix-type operating systems: Linux, Solaris, AIX, IRIX and all the other operating systems with an "x" in the name :):) To subscribe, go to http://groups.yahoo.com/group/hh-unix/join . Moderators are Mike Miller and Phil Dibowitz, both computer science students. Phil is also webmaster of a Metallica fan site, http://www.ipom.com . Some 1300 people are on this list. Recent archives are at http://groups.yahoo.com/group/hh-unix/ . You can find older archives at happyhacker.org/hhlist/

*** Hhprogramming: For the serious programmer. How to create makefiles... Assembly language... and more... To subscribe, go to http://groups.yahoo.com/group/hhprogramming/join . Moderator is a professional programmer of computer games who wishes to remain anonymous, xjayporter@y... . Archives are at http://groups.yahoo.com/hhprogramming/ .

*** Hhnetwork: covers network hacking. To join, go to http://groups.yahoo.com/group/hhnetwork/join

*** Hhmac: All things Mac! To join, go to http://groups.yahoo.com/group/hhnetwork/join
___________________________________________________________
*** Beware Netscape 6
___________________________________________________________
My (Carolyn Meinel) firewall came in handy when I installed Netscape 6. My firewall asked me, right after I launched the program, whether I wanted it to act as a server!!! What being a server means is that it will allow outside client programs to connect to and use Netscape.
Now what could that be for, I wondered? The Bugtraq list soon answered that question (or at least part of it). Outlook 2000, Outlook Express 5 and Netscape Messenger 6 can all be used by other people to snoop on your email. The solution is to turn off JavaScript in these programs. For the complete, ugly details, see http://www.privacyfoundation.org/advisories/advemailwiretap.html .

If you know anything else on the issue of Netscape 6 acting as a server, please write in.

Oh, yes, and be sure to portscan your own computer from time to time to see what kinds of unwanted servers it runs. I discovered an antivirus program running a server of some sort on port 110 of my Windows computer. This occurred when I configured it to scan incoming Eudora 5 email attachments. Note that port 110 is usually used for POP servers (incoming email).
___________________________________________________________
*** DOS Attack in Eudora
___________________________________________________________
I (Carolyn) recently got rid of my latest version of Eudora and am using Eudora 2.2 again. Why? (Besides those problems with JavaScript email snooping and that port 110 business.) After great misery working with tech support, they finally confessed that the reason it was crashing every time I tried to download a certain email message was that it can't handle unusual characters or a really wrong date in the headers of email.

The solution, if you don't want to get rid of your version of Eudora, is to get your ISP to find the offending email and delete it. If you have a shell account with your ISP, you can fix it yourself; your incoming email is usually in /var/spool/mail/. Or, you can go back to an earlier version that doesn't have this bug, for example Eudora 2.2.

Want to build a reputation as a talented hacker? Try forging a lot of weird headers and report what crashes email client programs such as Eudora.
Since Eudora is the second most widely used email program, it is possible to crash millions of people's email clients by spamming them with email with bad headers. It would totally tie up ISPs trying to repair mail spools and incidentally force Eudora to fix their program. When you find characters that make it crash, you can be a nice guy and report it to Jeff Bekley, product manager for Eudora. If his team still can't/won't fix it, you can always try the not-nice-guy option of reporting it to the Bugtraq list. (Subscribe at http://securityfocus.com.)

What characters are likely to make Eudora crash? Try Unicode, as you can expect that none of the 256 ASCII characters will be a problem. Wonder what Unicode is? Read my article on how to defeat Intrusion Detection Systems!

How do you forge weird headers? Use the regular email forging instructions at happyhacker.org, and after entering sender and recipient, give the data command. After it you can add as many headers as you like by using the format my_funny_header: followed by a line of funny stuff, then press the enter key to start a new header line. For example:

x-favorite_color: Polka Dot

As long as each line starts with a sequence of characters with no spaces in it (x-favorite_color), followed by a colon, followed by one line (Polka Dot), followed by return, it will be part of the header. Some mail servers even let you substitute your choice of date instead of overriding it with their own. The same goes for the message ID.

Can't find a mail server that lets you forge email? Use the mail server of your own ISP (duh!). Remember, since you're sending this email to yourself, you don't need to worry about hiding who you are. Or, set up a computer on your home LAN running Linux, OpenBSD, FreeBSD or NetBSD. All of these have free mail servers (POP and SMTP). Put a Windows box on your LAN, get a free Eudora program from http://www.eudora.com, and play email games on your own LAN. This is the essence of hacking.
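The header syntax described above (a field name with no spaces, a colon, one line of value) and the "find the offending email in /var/spool/mail" step earlier in this section, from the defender's side, as an added example written for this page rather than taken from the digest: a scanner that walks an mbox-style spool and reports, per message, header lines of the kinds the text says crashed Eudora (not of name: value shape, non-ASCII bytes, an unparseable Date). The spool contents are constructed; the helper names are my own.

```python
"""Find messages in an mbox-style spool whose headers a fragile mail client may
choke on.  Added example for this digest's Eudora section (not code from the list):
the defender's side of "find the offending email" in /var/spool/mail.  Flags header
lines not of the form name: value, with non-ASCII/control bytes, or a bad Date:."""
import re
from email.utils import parsedate_tz
from typing import List, Tuple

HEADER_RE = re.compile(rb"^[\x21-\x39\x3b-\x7e]+:")  # field name, no spaces, colon

SPOOL = (  # constructed: one clean message, then one with three bad header lines
    b"From alice@example.com Wed Feb 14 10:22:00 2001\n"
    b"From: alice@example.com\nTo: bob@example.com\n"
    b"Date: Wed, 14 Feb 2001 10:22:00 -0700\nSubject: normal message\n\nhello\n\n"
    b"From mallory@example.com Wed Feb 14 10:23:00 2001\n"
    b"From: mallory@example.com\nTo: bob@example.com\n"
    b"Date: 99 Foo 20001 25:61:00\n"          # date the client cannot parse
    b"x-favorite_color: Polka Dot\n"          # odd but well formed: allowed
    b"X-Odd: caf\xc3\xa9 \xe2\x98\x83\n"      # non-ASCII bytes in a header
    b"this line has no colon at all\n\nbody\n"
)

def split_mbox(spool: bytes) -> List[bytes]:
    """Split a spool into messages on the mbox 'From ' separator line."""
    return [p for p in re.split(rb"(?:^|\n)From ", spool) if p.strip()]

def suspicious_headers(message: bytes) -> List[Tuple[int, str]]:
    """(header line number, reason) for each line a fragile client may reject."""
    # Headers end at the first blank line; drop the envelope remnant split_mbox leaves.
    lines = message.split(b"\n\n", 1)[0].split(b"\n")[1:]
    problems = []
    for n, line in enumerate(lines, start=1):
        if line[:1] in (b" ", b"\t"):
            continue  # folded continuation of the previous header: fine
        if not HEADER_RE.match(line):
            problems.append((n, "not of the form name: value"))
        if any(b > 0x7e or (b < 0x20 and b != 0x09) for b in line):
            problems.append((n, "non-ASCII or control bytes"))
        if line[:5].lower() == b"date:" and \
                parsedate_tz(line[5:].decode("latin-1").strip()) is None:
            problems.append((n, "unparseable Date"))
    return problems

def scan_spool(spool: bytes) -> List[Tuple[int, List[Tuple[int, str]]]]:
    """(message number, problems) for every message in the spool that has any."""
    found = [(i, suspicious_headers(m)) for i, m in enumerate(split_mbox(spool), 1)]
    return [(i, p) for i, p in found if p]

if __name__ == "__main__":
    print(scan_spool(SPOOL))  # message 2: lines 3 (Date), 5 (non-ASCII), 6 (shape)
```

Run it against a real spool with `scan_spool(open("/var/spool/mail/you", "rb").read())`; the message numbers it returns tell you which message to cut out of the file.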
I promise, there is pay dirt in this experiment and lots of prestige for those who generate a good catalog of how to crash Eudora.
___________________________________________________________
*** Latest Poll
___________________________________________________________
The latest Happy Hacker poll was met with a resounding yawn. Results, out of the 25,000 readers of this list, were:

Do you want Carolyn Meinel to respond to the allegations Brian Martin makes against her and her books at Attrition.org?

  Sure, heck, it will be good for a laugh: 178 votes (67.68%)
  Sheesh, get a life, ignore Martin: 48 votes (18.25%)
  I'm really worried that Carolyn Meinel is really a deranged drug addict computer criminal who doesn't know how to hack, just like Martin claims. Can Meinel disprove this? 37 votes (14.07%)

To help out the 37 people who are really worried that I am a drug addict suffering from "herpes viral encephalitis" (as stated at the Attrition web site), and the 178 folks who figure it will be good for a laugh, here's how to prove for yourself that Attrition.org is full of baloney.

The most obvious way you can tell that Martin is making up lots of things on his web site is to look at an example story in detail. OK, OK, I already showed an example in his attempts to "prove" that John Vranesevich paid someone to hack the US Senate web site (http://happyhacker.org/uberhacker/se.shtml). You can also read about Martin's penchant for making up outrageous stories in the article "Barbarians @ the Gate," Vanity Fair magazine, June 2000. But, heck, people want to know if he's making up stories about me, too. So let us consider his claim that I suffer from "herpes viral encephalitis."

1) There is no such disease.

2) A web site specializing in encephalitis research at http://glaxocentre.merseyside.org/1hse.htm says there is a disease with a similar name: "herpes simplex encephalitis." Herpes simplex normally just causes cold sores.
This is the only encephalitis that is caused by a herpes virus. Is it possible that I have this disease? If I did, how would Martin know? Martin cites someone who claims to know, but there is no evidence that this person has access to my medical records. It is unlikely that anyone other than doctors of my choosing has access to my medical records, because the American Medical Association has "Principles of Privacy and Confidentiality" that forbid a doctor from revealing anyone's medical records to the public. See http://www.ama-assn.org to learn more about how seriously they take medical records. Currently the US Health and Human Services Dept. is considering tough rules to prevent even accidental release of people's medical records.

3) OK, so maybe somehow Martin accessed my medical records. How likely am I to have herpes simplex encephalitis? As shown on the web site above, each year only a few hundred people among the 4 billion plus people on the planet are diagnosed with it. So the chances that I have been diagnosed with this disease are astronomically low.

4) If I do have it, would I even be alive? "If left untreated it will usually lead to progressive impairment of consciousness, coma and death." "The role of Acyclovir is central to the treatment of HSE. If therapy can be started during the first few days of the illness there is a dramatic reduction in the mortality rate - c.80% down to 25%." (From http://glaxocentre.merseyside.org/1hse.htm .)

5) If I do have this disease and was one of the handful of people on the planet lucky enough to get a proper diagnosis and treatment in time to survive, what symptoms would I show today? Among those who survive, symptoms include amnesia, epilepsy (seizures) and other severe neurological impairments. Few, if any, survivors are able to lead normal lives. A movie based on a true story about encephalitis is the Academy Award-nominated "Awakenings."
You will notice that the encephalitis victims in this movie spend their time mostly being unconscious. Well, I'd better mail this out quick before I die or spend the rest of my life in a coma. Oops, I forgot, I don't have herpes simplex encephalitis after all...

P.S. If you want some laughs, check out the latest edition of "It Sucks to Be Me" at http://happyhacker.org/sucks/
___________________________________________________________
This is a list devoted to *legal* hacking! If anyone plans to use any information in this Digest or at our Web site to commit crime, go away! We like to put computer criminals behind bars where they belong!

Unix editor: Mike Miller, unixeditor@t...
Windows editor: Greggory Peck, wineditor@t...
Mac editor: Pat St. Arnaud, maceditor@t...
Network editor: neteditor@t...
Clown Princess: Carolyn Meinel, cmeinel@t...

Happy Hacker, Inc. is part of a 501(c)(3) tax-deductible organization.
___________________________________________________________