[ISN] Carolyn hacks Scientific American, October issue

From: mea culpa (jerichoat_private)
Date: Fri Sep 18 1998 - 02:10:20 PDT


    From: Fyodor <fyodorat_private>
    
    Scientific American Compromised
    http://www.dhp.com/~fyodor/meinelfraud.txt
    
    Cedar Crest, NM /InsecureWire/ -- September 16, 1998 -- In a hack which is
    arguably more devastating than the recent NYTimes fiasco, Scientific
    American's "Special Report on Security" has been compromised by notorious
    Internet con artist Carolyn P. Meinel. 
    
    Sources suggest that veteran Internet security charlatan Meinel managed to
    insert her bogus featured article using one of her favorite techniques:
    convincing those inexperienced with security that she is a respected
    expert in the field.  The Editors' note for the article demonstrates this
    deception by gushing that "... events reported here are drawn from the
    firsthand experiences of the author, who is known both in the computer
    underground and among security experts for her hacking skills ...." 
    
    Meinel then produced a long rambling diatribe which tells the story of a
    white-hat hero "Dogberry" struggling to keep his network secure from
    attacks by the insidious uber-cracker "Abednego". 
    
    Fortunately, Dogberry has a very interesting firewall technique:
    
      "The firewall compares this request with its own strict rules of
      access.  In this case, refrigerus.com [the firewall] has decreed
      that there should be only one response to Abednego's scanner.  From
      that instant on, a program on refrigerus.com sends a blitzkrieg of
      meaningless data, including random alphanumeric characters, back to
      Abednego, overwhelming his home PC.  Meanwhile, another daemon sends
      e-mail to Abednego's Internet service provider (ISP) complaining
      that someone is attempting to break into refrigerus.com.  Within
      minutes, the ISP closes Abednego's account for suspicion of computer
      crime." (p. 99)
    
    Carolyn does not mention what kind of ISP would shut down an account
    "within minutes" based on some potentially forged email supposedly sent by
    a "firewall" based on a potentially forged port scan.  The reader can only
    assume she refers to Rt66 Internet, the only ISP Ms. Meinel mentions in
    the article. 
    
    Ms. Meinel also did not comment on whether this is similar to the recent
    Blitzkrieg firewall con job which (according to the Signal article and
    press release) uses "self-programmed adaptive automatacapsids" and when it
    detects invaders "this 'infection' assimilates all other nodes attached to
    the network ... irrespective of any antivirus preventative or protective
    mechanism ...."  To perform such a feat, Blitzkrieg comes equipped with
    "three-dimensional OpenGL graphics accelerated hardware" [1]. 
    
    Security experts were strangely not awed by her denial of service attack
    methods.  Many real-life examples send pathologically fragmented IP
    packets or other corrupt packet headers.  This is obviously no match for
    the C. Meinel technique of "sending meaningless data, including random
    alphanumeric characters".  We can only hope this new attack does not fall
    into the wrong hands!  These attacks should only be launched from your
    firewalls! 
    
    Ms. Meinel then moves on to dump lavish praise on two software products in
    particular.  She continually refers to the "Macintosh's high-quality
    EtherPeek logs" as well as "T-sight, an advanced antihacker program that
    can monitor every machine on the company network".  URLs are given for
    each product.  Meinel fails to mention that those are (the only?) two
    companies which have donated to her organization. 
    
    Ms. Meinel then goes on to explain another advanced network administration
    technique: 
    
       "Dogberry must have set up the refrigerus.com network so that all
       packets destined for any of its internal addresses are sent first
       to a name-server program, which then directs them to the
       appropriate computers within the network."
    
    We queried several security experts about this technique of forwarding
    random packets destined for other machines to your DNS nameserver.  Most
    seemed puzzled, although one hacker offered a plausible explanation:  "She
    must be smoking crack again".  Others thought this was an exceptionally
    poor explanation of NAT or IP masquerading. 
    
    The article presents yet another firewall technique:
    
      "Next, Abednego tries to log onto the refrigerus.com through the
      31,659 port by issuing the command 'telnet refrigerus.com 31,659.'
      The response is, "You lamer!  Did you really think this was a back
      door?!"  The 31,659 daemon attempts to crash his PC by sending
      corrupt packets, while emailing the system administrator at
      Abednego's hacked ISP that someone had attempted to commit a
      computer crime.  Within minutes, Abednego's connection dies."
    
    This advanced technique is news to the firewall community.  "I have always
    tried to shut off as many ports as possible," exclaimed one administrator. 
    "Why didn't I think of keeping a port open to insult anyone who connects
    to it, launch DOS attacks against their networks, and auto-spam the
    administrators at the (probably forged) source addresses?"  Other
    administrators just grumbled about the fact that their 'telnet' does not
    allow commas (and instead sends them to port 31).  "ey3 w|sH my t3lNet wuZ
    that 'l33t," mumbled one frustrated script kiddie/"happy hacker" contacted
    via IRC. 
    
    Journalists are excited about the new generalizations and stereotypes
    Carolyn applies to the security community.  Carolyn flatly states that "like
    most hackers, Abednego never learned to program ...."  Carolyn's straw-man
    hacker spends all night trying to compile my nmap program (which she never
    mentions by name or gives a URL for it, since I didn't donate to her
    organization).  Her narrative goes on to say "As dawn breaks, Abednego has
    finally finished compiling the code ..."  She claims that this "difficulty
    in converting the software is not unusual ...".  One hacker gave the
    logical retort:  "Just because Carolyn usually spends 12 hours trying to
    use gcc, doesn't mean that we all do!". 
    
    Though C. Meinel thinks hackers are stupid, she does believe they are
    quite patient: 
    
      "Abednego's next strategy is to try brute force, using a program
      that will repeatedly dial the Irix box and guess passwords for root
      ... the slow, painstaking process can take months, or even years"
    
    It is our humble opinion that anyone who spends years password-guessing a
    single machine without being noticed deserves to get in. 
    
    Scientific American appreciates comments about their articles.  These
    can be sent to editorsat_private or by post to:
    
        Scientific American
        415 Madison Ave.
        New York, NY 10017
    
    We should also note that the October issue also contains many excellent
    articles on computer security by William Cheswick & Steve Bellovin,
    Phillip Zimmermann, Ronald Rivest, and James Gosling.  It is a horrible
    shame to see these great articles all coming after Meinel's prolonged
    rant/product showcase.  Many people will surely close the magazine in
    disgust before reaching the real material. 
    
    
    [1] http://www.us.net/signal/Archive/May98/make-may.html
    
    Recommended reading:
    
    Check out Jericho's excellent C. Meinel "hall of shame":
    http://www.dimensional.com/~jericho/shame/
    
    More about Meinel is posted on various hacks which can be found at:
    http://24.0.214.250/~comega/
    
    END OF REPORT
    
    Quick plug: Check out nmap, my free security scanner at
    http://www.dhp.com/~fyodor/nmap/ .  A new version should be coming out
    soon.  Get it from dhp because insecure.org will probably be down
    until next week :(. 
    
    --
    Fyodor                             'finger fyodorat_private | pgp -fka'
    In a free and open marketplace, it would be surprising to have such an
    obviously flawed standard generate much enthusiasm outside of the
    criminal community.  --Mitch Stone on Microsoft ActiveX
    
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:04:38 PDT