[ISN] April Fool's Pranks Target Security Industry

From: InfoSec News (isnat_private)
Date: Wed Apr 02 2003 - 01:01:25 PST


    http://www.eweek.com/article2/0,3959,990617,00.asp
    
    By Dennis Fisher
    April 1, 2003 
    
    Several security-related April Fool's Day hoaxes began floating around
    the Internet Tuesday, several of which ruthlessly satirized the
    security industry and its denizens.
    
    From phony vulnerability advisories warning that the end of the world
    is upon us to a "product announcement" for a tool that automatically
    strikes back at hackers, the hoaxes have become far more elaborate
    than simple false virus warnings.
    
    Perhaps the most clever—and certainly the most widely believed—of
    these is a bogus RFC published by security and networking expert Steve
    Bellovin, of AT&T Labs Research in Florham Park, N.J.
    
    Titled "RFC 3514: The Security Flag in the IPv4 Header," the document
    proposes utilizing an unused bit in the IP header to define whether a
    given packet is "evil" or "benign."
    
    Evil packets, e.g., those sent by attackers, must have this bit set to
    1; benign packets must have the bit set to 0. The idea, Bellovin
    writes, is to help intrusion detection systems, firewalls and other
    security technologies to distinguish between malicious packets and
    those that are simply odd.
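The header layout the RFC plays on can be checked mechanically. The following Python is an added example, not code from the article or from Bellovin's RFC: it builds a minimal IPv4 header, reads the bit RFC 3514 designates (the high-order bit of the 16-bit flags/fragment-offset word, i.e. the IPv4 "reserved" flag), verifies the header checksum, and triages a constructed batch of packets the way a defender-side parser would. The function names, the sample addresses and the sample packets are assumptions made for this example.

```python
import socket
import struct

# RFC 3514 puts the "evil bit" in the high-order bit of the 16-bit
# flags/fragment-offset word, which is the IPv4 "reserved" flag. No
# conforming stack sets it, so a parser can treat it as an anomaly.
EVIL_BIT = 0x8000
DF_BIT = 0x4000
MF_BIT = 0x2000
FRAG_OFFSET_MASK = 0x1FFF

# 20-byte base header: ver/ihl, tos, total_len, id, flags+frag, ttl, proto,
# checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over the 16-bit words of the header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, evil: bool = False,
                      proto: int = 6, ttl: int = 64,
                      payload_len: int = 0) -> bytes:
    """Build a 20-byte IPv4 header with a valid checksum (example helper)."""
    ver_ihl = (4 << 4) | 5            # version 4, IHL 5 words
    total_len = 20 + payload_len
    frag_word = EVIL_BIT if evil else 0
    hdr = struct.pack(IPV4_FMT, ver_ihl, 0, total_len, 0x1234, frag_word,
                      ttl, proto, 0, socket.inet_aton(src),
                      socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode an IPv4 header, rejecting malformed input before reading flags."""
    if len(data) < 20:
        raise ValueError("truncated header")
    fields = struct.unpack(IPV4_FMT, data[:20])
    ver_ihl, _tos, _total_len, _ident, frag_word, ttl, proto, _csum, src, dst = fields
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4")
    if ihl < 20 or len(data) < ihl:
        raise ValueError("bad IHL")
    # A header with a correct checksum sums to zero once the checksum is included.
    if ipv4_checksum(data[:ihl]) != 0:
        raise ValueError("bad checksum")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "ttl": ttl,
        "evil": bool(frag_word & EVIL_BIT),          # RFC 3514 / reserved flag
        "dont_fragment": bool(frag_word & DF_BIT),
        "more_fragments": bool(frag_word & MF_BIT),
        "frag_offset": frag_word & FRAG_OFFSET_MASK,
    }


def triage(raw_packets) -> list:
    """Defender-side triage: label each header, flagging the reserved bit."""
    findings = []
    for raw in raw_packets:
        try:
            h = parse_ipv4_header(raw)
        except ValueError as exc:
            findings.append(("malformed", str(exc)))
            continue
        verdict = "reserved-bit-set" if h["evil"] else "ok"
        findings.append((verdict, f"{h['src']} -> {h['dst']} proto={h['proto']}"))
    return findings


# Constructed sample traffic for the example (documentation addresses).
SAMPLE_PACKETS = [
    build_ipv4_header("192.0.2.1", "198.51.100.7"),
    build_ipv4_header("192.0.2.9", "198.51.100.7", evil=True),
    build_ipv4_header("203.0.113.4", "198.51.100.7", proto=17),
    b"\x45\x00\x00",                      # truncated header
]

if __name__ == "__main__":
    for verdict, detail in triage(SAMPLE_PACKETS):
        print(f"{verdict:17s} {detail}")
```

The serious residue of the joke is the last function: a parser has to validate length, IHL and checksum before it trusts any flag, and a set reserved bit is worth logging as a protocol anomaly regardless of what the sender intended, since no standard-conforming stack produces it. What the bit can never do is what the RFC pretends it does, because no attacker labels their own traffic.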
    
    Many members of the security mailing lists on which the document was
    distributed appear to have fallen for the gag, mystifying Bellovin,
    who has jokingly referred to the evil bit in IP headers for years.
    
    "What can I say? It's clearly an April 1 joke," he said. "I finally
    got around to writing it up. I've thought about doing it other years
    and then realized that the deadline had passed. I've gotten a lot of
    mail about it and people appreciate the joke."
    
    The proposal is identical in layout and format to genuine RFCs, down
    to the details of how applications might set the evil bit and list
    technical references at the end.
    
    Messages posted on some security mailing lists complain of having to
    write patches to make applications compliant with Bellovin's RFC.
    
    "If the bit is set to 1, the packet has evil intent. Secure systems
    should try to defend themselves against such packets. Insecure systems
    may choose to crash, be penetrated, etc.," Bellovin writes in the RFC.
    
    Adding to the aura of believability around the document is a follow-up
    message from Fyodor, the author of the popular port-scanning tool,
    Nmap. In his message to the Nmap mailing list, Fyodor floats several
    options for making his program compliant with RFC 3514.
    
    "Perhaps an -evil option would be handy, or maybe a standard
    environmental variable should be used (SCRIPT_KIDDIE=1) so that all
    security programs run by the hacker set the flag appropriately?" he
    writes. He also suggests that perhaps he could include a hard-coded
    list of Unix usernames of known hackers.
    
    An obviously fake, but still poignant, vulnerability advisory posted
    to BugTraq Tuesday warns that "a distributed denial-of-service
    condition is present in the election system in many polypartisan
    democratic countries. A group of determined but unskilled and not
    equipped low-income individuals, usually between 0.05% and 2% of the
    overall population of the country, can cause serious disruptions or
    even a complete downfall of the democratic system and its
    institutions."
    
    The advisory purportedly comes from a company called S.E.L.L., which
    describes itself as "a number one provider of deep-insight security
    strategies for maximizing ROI with state-of-the-art TCO management
    customer-facing security philosophy. Founded in a garage in Latvia, we
    soon became the realization of the American Dream, growing to an
    extended family of 300. Then down to 15."
    
    The fix for this vulnerability, according to the advisory, is for
    affected parliaments to either "establish a convenient dictatorship or
    a monarchy, or [become] the 51st state."
    
    The bulletin also lampoons the discovery-to-disclosure timeline
    included in a typical vulnerability report. The vulnerability was
    discovered and tested by S.E.L.L. on Jan. 5, 1999; the company's
    customers were notified the next day; the vendors were notified March
    30, 2003; and the report was released April 1.
    
    Not to be outdone, the folks at The Register, a U.K.-based IT news Web
    site, created a security company and its product out of whole cloth. A
    story on the site Tuesday announced the availability of Backfire
    Security Inc.'s Payback 1.0, an application that supposedly is able
    "to instantly and dynamically 'trace' the IP source address - no
    matter how well masked - of the network attack/infection and respond
    by launching either a Domain Name or mail server flood attack in the
    direction of the attacker."
    
    The software is allegedly the first of a new breed of anti-hacker
    applications known as Intruder Retaliation Systems (IRS).
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Apr 02 2003 - 03:20:40 PST