Bulletin Board #4

#1

From: "Mike Andrews"
Subject: Bulletin Board
Date: Wed, 12 Feb 1997 07:08:28 -0500
Another news article of interest to the Technical Security Professional.

Mike




Source: New York Times
Bogus Web Sites Troll For Credit Card Numbers
By PETER WAYNER

A few days after James Kantor, the President of Eastern Avionics International, decided to launch his company's Web site, he got an important lesson in the dark side of the free flowing information and sketchy identities on the Internet.

Plugging his company's name into a general search engine, Kantor discovered that his company's Web site was already finished and online. Any item from the catalog could be ordered with a click of a button and a credit card number.

"Lo and behold!" Kantor said, "I found I was already on the Internet."

The frightening truth caught up with him after he called Capstone Studio, the company designing his site. Their work wasn't finished, they told Kantor, and whoever had launched the Eastern Avionics site he was looking at was probably masquerading as his company to steal credit card numbers......

Full story can be found at:

http://www.nytimes.com/library/cyber/week/021297fraud.html
If you are not an online subscriber you may subscribe free at http://www.nytimes.com - No I don't own stock - just a few chickens and ducks but no stock ;)

(Andrews' comment: provide an additional security service for your corporate clients - search the internet for misuse of their trademarks, copyrights, etc. Don't overlook the possibility of discovering mail and wire fraud.)

Mike Andrews
2nd Guessing is Only 2nd Best.




#2
(New York Times, Feb. 11, 1997 By Robert E. Calem) A new variety of Internet scam, in which a downloaded application surreptitiously reconnects a user's computer to a telephone number in Eastern Europe, has cost thousands of people in the US and Canada tens of thousands of dollars in long-distance phone charges since December.

(Andrews' note: This is another example of a Trojan Horse virus - moral of the story? Set your browser security options to refuse any download such as cookies, ActiveX, Java, etc. without first asking.)

Full story can be found at: http://www.nytimes.com. You will be required to subscribe - it's currently free. After subscribing go to http://www.nytimes.com/library/cyber/week/021197scam.html for the story.

Mike Andrews


#3

From: gremlin@interserv.com
Date: Wed, 12 Feb 1997 18:46:46 -0800
Subject: Telephone hacking

The PBX at Apple Computer Limited, Singapore Branch was hacked into on 28 Dec 96. The hackers had accessed the PBX using normal incoming phone lines and voicemail; they then used a complex scenario of DTMF codes and timeouts to bypass normal security, access dialtone from the exchange and then break the dialtone using an in-line DTMF amplifier to make the exchange place a call. The hacking started on 28 Dec 96 (a Saturday). On the next day, Singapore Telecom (ST) informed Apple that "uncharacteristic" calls had been made from the Apple lines in the past 24 hours - excessive length and volume to several locations (China, Morocco, Mexico, Senegal, Ghana, Gambia, Nepal), but predominantly China.

On 30 Dec 96, Apple checked the Call Data Recorder records but found no record of the alleged calls. The calls were not captured by their call logger because the calls were not placed from the PBX as such, only the exchange line was accessed with the PBX being used as an intermediary. Suspecting line tapping, Apple checked the physical telecom cabling with ST from PBX connection all the way to the exchange for external tampering but found nothing.

At this stage, it was apparent that a hacker was at work. Apple then agreed with ST and the PBX vendor (Telecom Equipment) to carry out a tracing exercise to identify how the breach had been perpetrated and identify long term remedial measures and attempt to track down the culprits. ST had also agreed to waive all the call charges for the period of the tracing. The net result of the exercise was that ST and Apple were able to fully identify the access methods and plug the loophole by 5 Jan 97. The exact methodology used for the Northern Telecom Meridian Voice Mail system which was used by Apple is as follows:



Note: Though the above can be done from an ordinary (analog) handset, the call will not be placed; the DTMF amplifier is required.

Additional point to note is that the above calls will also not be captured by PBX call loggers because the call is not placed by the PBX but "through" it from the hacker's terminal.

Although Apple and ST were not able to identify the perpetrator, the calls were traced to AT&T trunk lines originating from New York and it was concluded that the perpetrator is based somewhere in the US and is hacking an intermediary PBX in New York.

Although the method of hacking highlighted by Apple is applicable specifically to those who use Northern Telecom Meridian 1 switches, in view of the fact that the hack is based on abuse of normal features and use of specialist equipment, it is believed that it also applies to all voicemail systems and possibly even any PBX with a trunk to trunk connection capability such as that used for conferencing, call forwarding and transfer etc. In Apple's case, what they discovered was one switch setting in the voicemail that opened the back door.
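
Added example (not part of the original post): the gap described above, where the carrier saw calls that the PBX call logger never recorded, can be detected by reconciling the carrier's per-line call records against the PBX log. The record layout, line names, tolerance, threshold and sample rows below are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data. Carrier-side records for the company's exchange
# lines: (line, start time, duration in seconds, destination).
CARRIER_RECORDS = [
    ("line-01", "1996-12-28 09:15:00", 240, "Singapore"),
    ("line-02", "1996-12-28 22:40:00", 5400, "China"),
    ("line-03", "1996-12-28 23:05:00", 4800, "Morocco"),
    ("line-02", "1996-12-29 01:30:00", 6100, "China"),
]
# Constructed PBX call-logger records: (line, start time, duration in seconds).
PBX_RECORDS = [("line-01", "1996-12-28 09:15:04", 236)]

FMT = "%Y-%m-%d %H:%M:%S"
START_TOLERANCE = timedelta(seconds=30)  # assumed clock skew between systems
LONG_CALL_SECONDS = 3600                 # assumed threshold for "excessive length"


def _parse(ts):
    return datetime.strptime(ts, FMT)


def unlogged_calls(carrier, pbx, tolerance=START_TOLERANCE):
    """Return carrier records that have no PBX log entry on the same line
    starting within `tolerance` of the carrier's start time."""
    pbx_by_line = {}
    for line, start, _duration in pbx:
        pbx_by_line.setdefault(line, []).append(_parse(start))
    missing = []
    for rec in carrier:
        line, start = rec[0], _parse(rec[1])
        if not any(abs(start - s) <= tolerance for s in pbx_by_line.get(line, [])):
            missing.append(rec)
    return missing


def summarize(missing, long_call=LONG_CALL_SECONDS):
    """Total unlogged seconds per destination and the number of long calls."""
    totals, long_calls = {}, 0
    for _line, _start, duration, dest in missing:
        totals[dest] = totals.get(dest, 0) + duration
        long_calls += duration >= long_call
    return totals, long_calls


if __name__ == "__main__":
    gaps = unlogged_calls(CARRIER_RECORDS, PBX_RECORDS)
    print(len(gaps), "carrier calls missing from the PBX log")
    print(summarize(gaps))
```

Any carrier-billed call with no PBX counterpart is worth investigating, since it means the exchange line was used without the PBX originating the call.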




#4

TipWorld - http://www.tipworld.com
The Internet's #1 Source for Computer Tips, News, and Gossip Proudly presents:

Don Crabb--Crustacean-at-Large
Computer Industry Gossip of the Day

ACTIVE-X AND WEB SECURITY LOOPHOLES
First it was Java. Then unencrypted CGIs that processed your credit card numbers. Now it's ActiveX. What do these three Web technologies have in common? They've all gotten a bad rap for creating security loopholes on Websites.

ActiveX is a Web-control technology based on Microsoft OLE (object linking and embedding). And ActiveX usage is growing nearly as fast as Java, your Carapacious Reporter has learned.

Unfortunately (or fortunately, depending upon your view), the hacker community has figured out how to use ActiveX to have their own "fun," pointing out just how lax ActiveX security really is. A group based in Sweden recently demonstrated to the Swedish government how an ActiveX control on a bank Website can be manipulated to initiate a transfer of funds (by controlling a copy of Microsoft Money)--without any of the normally required verification measures.

An ActiveX control works through Internet Explorer like a Java applet works through any Web browser. The difference is that Java implementations segregate Java applets so they cannot operate outside their default zone. ActiveX controls lack this default zone of operation.

As the calls from worried application developers (who fear their benign applications will be used nefariously by ActiveX hackers) and corporate IS managers have been stacking up in Crusty's voicemail, he decided he'd better bring these concerns to light.

"The technology is seriously flawed, and Microsoft does not want to admit it," said one developer. "They wanted to make it fast and they did, but in their rush to the market to compete with Java, their security model is totally inadequate," said another.

"And unlike Java, which does not have access to your file system from Java applets, ActiveX does. You can access and control virtually anything on a machine running ActiveX controls living on Websites. Think about that," one scared Fortune 500 IS manager told your Seafood du Jour yesterday.

According to Cornelius Willis, group product manager for Internet platforms at Microsoft, "All executable content is potentially dangerous. You simply don't download anonymous controls. People need to be very careful about who they let into their house." In addition, Microsoft provides an ActiveX accountability system, Authenticode, which lets you track ActiveX controls and verify their credibility.

One thing Crusty is sure about: The issue of downloading content and applications from the Web is one that needs common-sense, not just techno-sense, solutions.




#5

From: TMcdono903@aol.com
Date: Sat, 15 Feb 1997 10:30:29 -0500 (EST)
Subject: Proposed Posting

I wonder if anyone knows the status of a former Army TSCM CI Special Agent who worked for me in Germany in 1981-82. His name is Louis (Lou) Hall. Heard he got into some bigtime trouble while working in Albuquerque in the mid-80's, perhaps with respect to misappropriation, and was court martialed. If anyone knows the details of the incident, sentence, and current activities of Hall I would appreciate hearing from you.

Tom McDonough
tmcdono903@aol.com




#6

Date: Sat, 15 Feb 1997 16:29:47 -0800
From: Carlos J G B
Subject: voice changers

Hello
I'm writing to ask if you know where I can find schematics and information on portable voice changers (not those that come incorporated in phones).

Carlos, thanks




#7

From: JET5MARS@aol.com
Date: Sat, 15 Feb 1997 12:39:30 -0500 (EST)
Subject: Re: No Subject
Thank you for those headlines! They were great, send me some more stuff!

Except for when I'm on vacation or travel, they'll be posted one to three times a week, depending on input, comments, questions or items to be discussed.

Please don't hesitate to make your inputs, as well. The primary purpose of the site is to provide input to the non technical security professional as well as a conduit for discussion by the technical types. I only ask that you try to couch your questions and comments with the non technical audience in mind (and occasionally remind me of my words).

Tim Johnson




#8

From: PRV8EYE@aol.com
Date: Fri, 14 Feb 1997 14:05:59 -0500 (EST)
Subject: Your new site

Tim,
Please add my address to your new site. Are you aware that there is already a site called the Surveillance List which deals with the technical aspects of surveillance? It has a huge source of contributors and subscribers. To subscribe: 6886@mne.net and put in the subject box.
Semper Fi,
Gus Morrow

Top Secret Research & Investigations
http://www.angelfire.com/biz/prv8eye




#9

From: "Robert Saunders"
Subject: Technical subjects
Date: Mon, 17 Feb 1997 13:55:21 -0000

Greetings:
I would certainly like to get more info. on cameras, surveillances, etc. Please send me any info. that you are offering.

Bob Saunders
CASE CLOSED, INC.
http://www.geocities.com/wallstreet/4961
rsaunders@worldnet.att.net




#10

Sorry to be so long between postings, but with all the problems I had with the 12X CD ROM, followed up by problems with Eudora Pro, I lost a lot of addresses and e-mail, for which I apologize. If you sent me something and didn't receive an answer, please post it again as I believe the problems are under control now. I'm saving a copy of the e-mail list on a separate location.

Also, in reconstructing the list, I received an e-mail over the weekend with almost all the former names on it; plus a few. For those on the list who have not asked to be placed here, please let me know and I'll be glad to remove you. For the present, I don't know who was supposed to be here and who wasn't, so consider this an opportunity to have your name removed.

Additionally, I'm seeking input about items you'd like to have more information on. I'd like to start off discussing carrier current transmissions, so send your input and questions.

And finally, I don't remember if I mentioned that I posted a newsletter in early January. I have also posted info on an upcoming seminar in Boston on the Web site. Stop by and check them out.

Tim