http://www.eweek.com/article2/0,3959,990617,00.asp
By Dennis Fisher
April 1, 2003

Several security-related April Fool's Day hoaxes began floating around the Internet Tuesday, several of which ruthlessly satirized the security industry and its denizens. From phony vulnerability advisories warning that the end of the world is upon us to a "product announcement" for a tool that automatically strikes back at hackers, the hoaxes have become far more elaborate than simple false virus warnings.

Perhaps the most clever—and certainly the most widely believed—of these is a bogus RFC published by security and networking expert Steve Bellovin, of AT&T Labs Research in Florham Park, N.J. Titled "RFC 3514: The Security Flag in the IPv4 Header," the document proposes utilizing an unused bit in the IP header to define whether a given packet is "evil" or "benign." Evil packets, e.g., those sent by attackers, must have this bit set to 1; benign packets must have the bit set to 0. The idea, Bellovin writes, is to help intrusion detection systems, firewalls and other security technologies to distinguish between malicious packets and those that are simply odd.

Many members of the security mailing lists on which the document was distributed appear to have fallen for the gag, mystifying Bellovin, who has jokingly referred to the evil bit in IP headers for years. "What can I say? It's clearly an April 1 joke," he said. "I finally got around to writing it up. I've thought about doing it other years and then realized that the deadline had passed. I've gotten a lot of mail about it and people appreciate the joke."

The proposal is identical in layout and format to genuine RFCs, down to the details of how applications might set the evil bit and list technical references at the end. Messages posted on some security mailing lists complain of having to write patches to make applications compliant with Bellovin's RFC. "If the bit is set to 1, the packet has evil intent. Secure systems should try to defend themselves against such packets. Insecure systems may choose to crash, be penetrated, etc.," Bellovin writes in the RFC.

Adding to the aura of believability around the document is a follow-up message from Fyodor, the author of the popular port-scanning tool, Nmap. In his message to the Nmap mailing list, Fyodor floats several options for making his program compliant with RFC 3514. "Perhaps an -evil option would be handy, or maybe a standard environmental variable should be used (SCRIPT_KIDDIE=1) so that all security programs run by the hacker set the flag appropriately?" he writes. He also suggests that perhaps he could include a hard-coded list of Unix usernames of known hackers.

An obviously fake, but still poignant, vulnerability advisory posted to BugTraq Tuesday warns that "a distributed denial-of-service condition is present in the election system in many polypartisan democratic countries. A group of determined but unskilled and not equipped low-income individuals, usually between 0.05% and 2% of the overall population of the country, can cause serious disruptions or even a complete downfall of the democratic system and its institutions."

The advisory purportedly comes from a company called S.E.L.L., which describes itself as "a number one provider of deep-insight security strategies for maximizing ROI with state-of-the-art TCO management customer-facing security philosophy. Founded in a garage in Latvia, we soon became the realization of the American Dream, growing to an extended family of 300. Then down to 15."

The fix for this vulnerability, according to the advisory, is for affected parliaments to either "establish a convenient dictatorship or a monarchy, or [become] the 51st state." The bulletin also lampoons the discovery-to-disclosure timeline included in a typical vulnerability report. The vulnerability was discovered and tested by S.E.L.L. on Jan. 5, 1999; the company's customers were notified the next day; the vendors were notified March 30, 2003; and the report was released April 1.

Not to be outdone, the folks at The Register, a U.K.-based IT news Web site, created a security company and its product out of whole cloth. A story on the site Tuesday announced the availability of Backfire Security Inc.'s Payback 1.0, an application that supposedly is able "to instantly and dynamically 'trace' the IP source address - no matter how well masked - of the network attack/infection and respond by launching either a Domain Name or mail server flood attack in the direction of the attacker." The software is allegedly the first of a new breed of anti-hacker applications known as Intruder Retaliation Systems (IRS).

This archive was generated by hypermail 2b30 : Wed Apr 02 2003 - 03:20:40 PST
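The evil-bit check that the RFC 3514 passage above describes, as an added Python example that is not part of the article or of Bellovin's RFC: it decodes a raw IPv4 header and reports the RFC's bit, which the RFC places in the reserved high-order bit of the flags field (the header's only unused bit). The sample headers, the 192.0.2.x addresses and the checksum helper are constructed for this example; since no real stack sets the reserved bit, a packet carrying it is anomalous regardless of the joke, which is why a filter can reasonably single it out for inspection.

```python
# Added example, not code from the eWeek article or from RFC 3514.
import struct

EVIL_BIT = 0x8000  # reserved high-order bit of the 16-bit flags/fragment-offset word
DF_BIT = 0x4000    # "don't fragment", the bit just below it

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 for a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header and report the RFC 3514 bit."""
    if len(raw) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    (version_ihl, _tos, _total, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (version_ihl & 0x0F) * 4
    if version_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {
        "evil": bool(flags_frag & EVIL_BIT),  # RFC 3514: 1 = evil, 0 = benign
        "frag_offset": flags_frag & 0x1FFF,
        "proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
    }

def make_sample_header(flags_frag: int) -> bytes:
    """Constructed sample: 20-byte TCP header, 192.0.2.1 -> 192.0.2.2, valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

BENIGN = make_sample_header(DF_BIT)           # ordinary packet, reserved bit clear
EVIL = make_sample_header(EVIL_BIT | DF_BIT)  # reserved bit set: anomalous on any real network

def classify(raw: bytes) -> str:
    """Triage verdict a filter could act on; a bad checksum is reported before the flag."""
    h = parse_ipv4_header(raw)
    if not h["checksum_ok"]:
        return "malformed"
    return "evil" if h["evil"] else "benign"
```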