Re: netbios vuln

From: KoRe MeLtDoWn (koremeltdownat_private)
Date: Sun Dec 08 2002 - 20:25:03 PST


    To tell you the truth, having had my days as a script kiddie and playing 
    with SubSeven and the like, I have come to the reality that New Zealand 
    (where this kid is from) is one of the most wide open countries in the world 
    when it comes to hacks and script kiddie behaviour. I remember at one point 
    I could scan a certain well established ISP in NZ and pick up 20-30 SubSeven 
    infected machines, with no passwords whatsoever. I contacted this same ISP 
    concerning a vulnerability in their SMTP server, however it was never fixed 
    and they continue to be ignorant to this day. I cannot disclose the ISP's name 
    for obvious reasons.
    NetBIOS traffic is a favourite with the kiddies that I know at school, who 
    spend hours every night hacking via NetBIOS onto other machines. The fact 
    that there are no laws currently in place makes (imho) little difference - 
    just as it hasn't really impacted the black hat community of the USA, 
    Australia or the UK. As NZ law stands it would be very difficult to 
    backtrack a "hack" on anyone if the hack was committed before the law was in 
    place. It would be a very difficult prosecution, and unless the hack was big 
    enough the police would most likely spend their time trying to bust "fresh 
    cases".
    I don't know about everyone else, but that's just my 5c.
    
    Thanks
    
    Hamish Stanaway
    
    -= KoRe WoRkS =- Internet Security
    Owner/Operator
    http://www.koreworks.com/
    
    New Zealand
    
    Is your box REALLY secure?
    
    >From: ohnononoat_private
    >To: incidentsat_private
    >Subject: netbios vuln
    >Date: Fri,  6 Dec 2002 06:50:02 -0800
    >
    >I posted this question to the list 3 weeks ago but the moderator failed to 
    >act on my post and thus it was returned to me.  I have been seeing a ridiculous 
    >amount of netbios traffic at my main firewall.  This morning I read this 
    >article.  It seems to hint at a way to run arbitrary code via netbios, now 
    >my question is does anyone know anything about this; is anyone seeing the 
    >netbios traffic and finally is it just that the author of the article (who is 
    >not a security writer like a Brian McWilliams or a Thomas Greene) didn't 
    >really understand what was going on?  This was from the securitynewsportal 
    >site.
    >
    >Thanks
    >
    >A teenage hacker attacked an online chatroom run by The Edge radio station 
    >and then turned his attention to TV3's website. The 15-year-old, who goes 
    >by the online name of "deejay-fuzion" and attends Rotorua Lakes High 
    >School, rang the Herald to brag about his exploits. Asked why he launched a 
    >"DDOS" (distributed denial of service) attack against the chatroom on 
    >Monday night, he said: "Because the administrator was ... just being a 
    >smart arse." "Dj-fu" signalled his "bots" to flood the chatroom computer 
    >with spurious internet traffic, causing the server to slow down and 
    >eventually stop. During the process he noticed other servers belonging to 
    >TV3 were in the same proximity so he tried his attack on TV3's website - 
    >"just because I could". (Radioworks, which owns the Edge, and TV3 have the 
    >parent company CanWest.) TV3 communications manager Roger Beaumont 
    >confirmed The Edge chat server had a DDOS attack and was offline for a 
    >short period. But he said it was coincidence that TV3's website was offline 
    >on Tuesday for routine maintenance. Will Steele, a friend of the 
    >15-year-old who was online at the time, said the TV3 site was unavailable 
    >during the attack and the "routine maintenance" message appeared on the 
    >site after the attack ended at 9.45pm. That was when the hacker was taken 
    >offline by his internet provider, Quicksilver.
    >
    >Its network manager Mark Frater said two individuals were disconnected on 
    >Monday night after the internet provider received a complaint from a server 
    >administrator. When contacted by Quicksilver, both denied knowledge of an 
    >attack and had their internet accounts reinstated. Quicksilver manager 
    >Trevor Isted said there was no proof to link the pair to the attack. Usage 
    >logs were being investigated, and if evidence was found, the pair would be 
    >banned from access for breaching the internet provider's acceptable use 
    >policy. The teenager claims to have written a trojan program called "FB3" 
    >with a friend known online as "lynx". The program exploits a "Netbios" 
    >vulnerability in Windows PCs related to file and print sharing, to plant 
    >itself on unsuspecting users' computers. The infected computers (bots - 
    >short for robots) signal their presence to a computer in the United States 
    >which the teenager uses to send out the instructions to attack. In this 
    >case the method of attack was a "SYN flood" - an efficient process which 
    >fakes the initial handshake of an internet connection with false addresses 
    >which the target machine is unable to answer. It keeps retrying to accept 
    >them, and with enough of these happening, a server can become overwhelmed. 
    >New anti-hacking provisions - including clauses covering DDOS attacks - in 
    >the Crimes Amendment Bill are waiting to be introduced to Parliament. But 
    >the hacker would be immune from prosecution because he is only 15.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
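The original poster asks whether others are seeing NetBIOS traffic at their firewall, and the quoted article describes a spoofed-source SYN flood. The following is an added example (not code from either poster or from this list) showing how a defender could summarise both from firewall logs. It assumes iptables-style `LOG` lines with `SRC=`/`DST=`/`PROTO=`/`DPT=` fields and bare TCP flag tokens; the sample log lines are constructed, and the thresholds are illustrative.

```python
import re
from collections import Counter, defaultdict

NETBIOS_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session and direct-hosted SMB
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Split an iptables-style LOG line into key=value fields and the TCP flag tokens present."""
    fields = dict(FIELD_RE.findall(line))
    return fields, {tok for tok in line.split() if tok in FLAG_TOKENS}

def netbios_probes(lines):
    """Count inbound attempts per source address against NetBIOS/SMB ports."""
    counts = Counter()
    for line in lines:
        f, flags = parse_line(line)
        if f.get("PROTO") not in ("TCP", "UDP") or int(f.get("DPT", 0)) not in NETBIOS_PORTS:
            continue
        # For TCP count only the opening SYN, so retransmissions and replies are not double counted.
        if f["PROTO"] == "TCP" and ("SYN" not in flags or "ACK" in flags):
            continue
        counts[f["SRC"]] += 1
    return counts

def syn_flood_suspects(lines, min_syns=100, min_unique_ratio=0.9):
    """Flag (dst, port) pairs receiving many bare SYNs from almost entirely distinct sources:
    a spoofed-source flood carries a different forged address on nearly every SYN."""
    syns, sources = Counter(), defaultdict(set)
    for line in lines:
        f, flags = parse_line(line)
        if f.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
            continue
        key = (f["DST"], int(f["DPT"]))
        syns[key] += 1
        sources[key].add(f["SRC"])
    return sorted(k for k, n in syns.items()
                  if n >= min_syns and len(sources[k]) / n >= min_unique_ratio)

def _log(src, dst, proto, dpt, flags="SYN"):
    # Constructed iptables-style LOG line; not captured from any real system.
    return (f"kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=48 PROTO={proto} "
            f"SPT=3212 DPT={dpt} WINDOW=16384 RES=0x00 {flags} URGP=0")

# Constructed sample: NetBIOS probes from one host, a UDP name query, a web hit, 120 distinct-source SYNs.
SAMPLE_LOG = [_log("10.0.0.5", "192.0.2.10", "TCP", 139)] * 3 + [
    _log("10.0.0.5", "192.0.2.10", "TCP", 445),
    _log("10.0.0.7", "192.0.2.10", "UDP", 137, flags=""),
    _log("10.0.0.9", "192.0.2.10", "TCP", 80),
] + [_log(f"198.51.100.{i}", "192.0.2.20", "TCP", 80) for i in range(1, 121)]
```

On real logs the same half-open SYN pattern can also be checked from the host side with `netstat`/`ss` state counts; the log-based view above is what a border firewall operator sees.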
    



    This archive was generated by hypermail 2b30 : Mon Dec 09 2002 - 21:18:06 PST