[ISN] 'Happy Hacker' Drops A Bomb On Security Experts

From: InfoSec News (isnat_private)
Date: Sat Sep 22 2001 - 01:42:07 PDT

  • Next message: InfoSec News: "[ISN] Asymmetrical Attack on America & Possible Responses"

    'Happy Hacker' Drops A Bomb On Security Experts
    By Brian McWilliams, Newsbytes
    21 Sep 2001, 3:34 PM CST			
    They operate in a shadowy online world where people often conceal
    their true identities through nicknames like Blue Boar, ObLiviON, and
    w1re p4ir.  But sometimes even computer security experts get a brutal
    reminder: You can't always trust what you read on e-mail lists. And
    you certainly shouldn't put any faith in programs posted there.
    On Wednesday, the 5,000-strong subscribers to a popular security list
    known as Vuln-Dev received what may have appeared a rare treat: a
    message to the list containing source code to a program that gave the
    user full control of a remote Unix system.
    The message, apparently from Carolyn Meinel, a computer security
    consultant and author of a book called "The Happy Hacker," claimed the
    code exploited a vulnerability in the latest version of WU-FTPD, a
    file transfer program used by many sites around the world. A copy of
    the code, wu261.c, was also available at Meinel's site,
    But as some Vuln-Dev readers, many of whom are system administrators
    for businesses, painfully learned, the program was a Trojan horse, and
    if compiled and run, could delete most of the files on the user's
    List member Jason Parker told Newsbytes he glanced over the code
    before compiling it, decided it looked legitimate, and ran it Thursday
    on the test account of a system.
    "I lost everything in the home directory, including information I
    would rather not have lost, but that's the price you pay for
    trusting," said Parker, who has since replaced the front page of his
    site with an obscene comment about Meinel.
    But Meinel claims that she did not write the message containing the
    "exploit." Instead, she believes it was skillfully composed and mailed
    out by someone who hacked her site and had the ability to create files
    and send e-mail using her account.
    "Whoever did it is pretty darn good. This is not the work of your
    average script kiddie," Meinel told Newsbytes.
    A frequent target for attack by some security professionals who
    consider her a charlatan, Meinel suffered a similar site compromise in
    January. A group calling itself Girlies for Hacking defaced Meinel's
    site and posted the contents of her e-mail inbox on the Web.
    Meinel said she's not embarrassed by the latest security breach and is
    mainly concerned about the potential harm done to systems managed by
    Vuln-Dev readers.
    "This wasn't an attack on me. It was an attack on the Internet
    infrastructure," according to Meinel, who said she is working with a
    forensics expert to track down the perpetrators.
    The incident has aggravated officials at SecurityFocus, the security
    information and consulting firm that hosts and moderates the Vuln-Dev
    "Somebody went to a lot of effort to make us look like fools," said
    David Ahmad, threat analysis manager for SecurityFocus.
    According to Ahmad, pranksters often submit exploits with hidden
    malicious payloads to the company's numerous security discussion
    lists. List moderators review the postings and weed out the trash, but
    accidents happen, as was the case recently when a obfuscated program
    made it through to the firm's prestigious Bugtraq list, which has
    nearly 40,000 readers. That code secretly launched a denial of service
    attack on a nameserver operated by Network Associates.
    Ahmad said the attackers attempted to post the phony WU-FTPD exploit
    to Bugtraq Monday, but he became suspicious after skimming the code
    and blocked it from going through. But due to distractions from
    dealing with the Nimda worm, the attackers were able to slip the
    posting past moderators of Vuln-Dev a few days later, according to
    SecurityFocus has deleted the phony Meinel posting from the Web
    archive for Vuln-Dev. But while the code hasn't shown up yet in online
    libraries of hacking tools, its damage may not be done and there may
    be more hard lessons in store for curious hackers.
    "A remote exploit for the latest version of a common service is like a
    prize. Anyone who sees it will be tempted to download and run it,"
    said Ahmad.
    Vuln-Dev is archived on the Web at
    http://www.securityfocus.com/templates/archive.pike?list=82 .
    A mirror of the January defacement of Techbroker.com is at
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Sat Sep 22 2001 - 04:37:34 PDT