March 9, 1998
URL of the week: (http://www.pcweek.com/) You'll see why as you
See back issues if the Happy Hacker Digest and Guides to (mostly)
Hacking at http://cmeinel.com/happyhacker.html.
Super Swedish Happy Hacker site: http://w1.340.telia.com/~u34002171/hhd.html.
Coming soon: Spanish translations of the Digests!
GTMHH en espanol: http://underhack.islatortuga.com
Table of Contents:
* Ziff Davis helps with anonymous email
* Hoaxes - Learn to open your eyes, ask questions and think
* Digest Q- IP Spoof; Tete-a-tete; Line Install
* Firewall walkarounds
*** Ziff Davis helps with anonymous email -- RJ
Ssshhh!! Don't let anyone know that you found this out. But
Ziff Davis has
decided to let anyone who wants to have some "harmless"
fun use their web
server to do it -- and to do it totally anonymously!
I first found this out since I subscribe to ZD's "PC
Week Inbox Direct".
Each week ZD sends out an email with an HTML attachment that
stories on their PC Week site. A couple of weeks ago I noticed
interesting new "feature" had been added to their repertoire
of services --
the ability to email the article which you were looking at to
the person of
your choice. When I clicked on the "email this story"
button, I was
presented with a screen which asked me to answer four simple
4--Select the message format -- text or HTML
"Now", I thought to myself, "surely you can't
just put ANY OLD EMAIL
ADDRESS as your own and have the message headers reflect that
Or can you ??" Well, as it turns out -- you can!!! I gave
Carolyn a heads
up on my suspicions, and then sent her a message which claimed
to be from a
certain well known US politician who has problems with his zipper.
found no way of tracing who it had come from, other than the
Then I sent myself a message which looked as though it came
from one of my
friends at WC3. ("WC3" is one of many White Collar
Crime units at the
FBI). Here it is, headers and all, for your review:
Received: from u2.zdnet.com.
by mail.rapidsite.net (8.8.5/8.8.5) with SMTP id LAA03680
for <>; Wed, 21 Jan 1998 11:06:40
Received: by u2.zdnet.com. (SMI-8.6/SMI-SVR4)
id LAA24833; Wed, 21 Jan 1998 11:06:40 -0500
Date: Wed, 21 Jan 1998 11:06:40 -0500
To: Subject: FWD: PC WEEK: Serious E-commerce sites will find Kiva
This message was forwarded to you from ZDNet (http://www.zdnet.com)
Comment from sender:
<<The article followed here>>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You'll notice there is nothing in the headers which indicates
address of the sender, only the address I chose to type in.
Imagine all of the fun you could have with this! For instance,
may take one of the Monica Lewinsky articles which has appeared
in PC Week,
and forward it to "email@example.com" from "firstname.lastname@example.org"
and in the
"Comment" field say something like: "I'm tired
of all of the bad press,
especially articles like the one I've forwarded with this message.
you folks would treat this information fairly -- so I've decided
you these details about our relationship in the hopes of demonstrating
sincerity to the American people." Then --- share away.
Who knows what
interesting information might appear on Headline News in the
hour. ("CNN learned today, in an exclusive message from
that he and .......") Well, you get the picture.
Just a final thought. If you did anything illegal with this,
there is that
pesky field in the header labeled "Message-Id:"; and
who knows how long ZD
may keep other information on that message. So I'd recommend
*** Hoaxes -- RJ
RJ - This next section is somewhat long for the Digest, and could
have been the beginnings of a GTmHH on Social Engineering. (And
become just that after more work.) But I wanted to get these
out in the open now.)
For as long as I have been on the net, there have been hoaxes
of one sort
or another being sent around cyberspace. This is not likely
to diminish or
cease anytime in the near future. But one thing that a hacker
aware of is the ever-present possibility of spoofs. This translates
asking questions, and seeking source information from wherever
it may be
obtained in order to verify the data presented. In just the
last week, I
have received two of these "hoax" messages.
The first was quite harmless, except for the bandwidth it
was taking up as
thousands of people crowded cyberspace with this cyber-litter.
It read as follows:
>I received this from Children's Hospital in Denver...after
you read it
>you will want to follow the instructions and pass it on as
>>Subject: This is for Cancer Research... -Forwarded
>>>>This is why we all work in Cancer Research...and
should be thankfule
>>No comedy here. It's about a seven year old girl with
>>Please read it and pass it on to as many people that
>>Occasionally we get to use this medium for some actual
>>than trading barbs across the waves. And once in a while
>>this bring us back to reality, allowing us to count ourselves
>>Let's put our network to work here!
>> It will only take you a second to send this message.
>>>>Jessica Mydek is seven years old and is suffering
from an acute and
>>very rare case of CEREBRAL CARCINOMA. This condition
>>Malignant brain tumors and is a terminal illness. The
>>given her six months to live. As part of her
>>dying wish, she wanted to start a chain letter to inform
>>this condition and to send people the message to live
life to the
>>fullest and enjoy every moment, a chance that she will
>>Furthermore, the American cancer society and several
>>sponsors have agreed to donate three cents toward continuing
>>research for every new person that gets forwarded this
>>Please give Jessica and all cancer victims a chance.
>>to the list of people that you send this to so that the
>>cancer society will be able to calculate how many people
>>this. If there are any questions, send them to
>>the American cancer society at email@example.com. Three cents
>>person that receives this letter turns out to be a lot
>>considering how many people will get this letter and
how many people
>>they, in turn, pass it on to.Please go ahead and forward
>>whoever you know- it really doesn't take much to help
>>>>Jean Ann Linney, Ph.D.
>>Professor Department of Psychology
>>University of South Carolina
>>Columbia, SC 29208
Just the type of message to tug at your hear strings and cause
forward this message to your entire contact list, pat yourself
on the back
for a deed well done, and continue on with your work. Unfortunately
(unless, of course, if you're Jessica Mydek) this message is
fraudulent. Let's examine the message in detail, and note some
are "nice touches" and some others that should raise
** "I received this from Children's Hospital in Denver"
-- Nice "appeal to
** "This is why we all work in Cancer Research" --
Inclusion, you're part
of "our" team
** "...seven year old girl with cancer" -- Ouch! Who
can NOT want to help.
** "Let's put our network to work here!" -- Inclusion
** "As part of her dying wish" -- More heartstrings
** "... it really doesn't take much to help out" --
Hey, you aren't THAT
lazy, are you??
** Finally, the Professors' Name, Degree and Phone # -- Another
The overall effect of these gambits is that you are left feeling
this HAS TO BE legitimate; after all, someone who was a Ph.D.
and is a
Psychology professor at the University of South Carolina would
not fall for a hoax .... would she? Well, as of right now, the
this question is not known. Dr. Linney is in fact the Chair
Psychology department at the Univ. of SC. I have sent her an
requesting clarification of issues from her, but have yet to
As I see it, there are at least two distinct possibilities
Dr. Linney's name was used without her knowledge or consent.
tend to indicate that a present or recent member of the academic
the university had determined to attempt to discredit her judgement
some reason. Second, she may have fallen prey to the hoax, and
What are the items in the message that should raise red flags?
** "and should be thankfule" -- Professionals rarely
misspell words in a
** "the American cancer society and several corporate sponsors
to donate three cents toward continuing cancer research for every
person etc -- American Cancer Society is not capitalized. Furthermore,
they *collect* money for cancer research and then PERFORM CANCER
they don't *donate* their money for cancer research.
** "Add firstname.lastname@example.org to the list ... forward it to whoever
you know" -- That
the American Cancer Society would have a *single* AOL account
for email is
stretching the imagination a bit. what is more likely to be
is an address grabbing operation for sale of the addresses.
The solution here was as simple as two toll-free calls. (REALLY
no phreaking here.)
The first was to the ATtoll free directory for the 800 number
ACS, the second was to their National Cancer Information Center
TX. They quickly confirmed that the entire matter was a hoax.
working out a few details with them, I sent the following reply
on my end of the chain (which was several hundred people!):
As a network security consultant, I frequently confirm information
receive with the purported source. Unfortunately, I have confirmed
the National Cancer Information Center in Austin TX that the
is fraudulent. I have also agreed to assist them in disseminating
confirmation that it is false. It is indeed unfortunate that
this type of
"chain letter" is started and wastes the time of so
many caring individuals
who would like nothing better than to help a poor child. You
turn that which was meant for evil into something very good:
donation to the American Cancer Society would accomplish the
Give them a call at 800-227-2345 for details.
RJ Gosselin, Sr.
Network Security Consultant
The second hoax message sounded much more ominous - but "Join
The Crew" was
much easier to see through. It read like this:
>VIRUS WARNING !!!!!!
>>If you receive an email titled "JOIN THE CREW"
DO NOT open it.
>It will erase everything on your hard drive. Forward this
>to as many people as you can. This is a new, very malicious
virus and not
>many people know about it. This information was announced
>morning from IBM; please share it with everyone that might
>internet. Once again, pass this along to EVERYONE in your
address book so
>that this may be stopped. Also, do not open or even look
at any mail that
>says "RETURNED OR UNABLE TO DELIVERY" This virus
will attach itself to
>your computer components and render them useless. Immediately
>mail items that say this. AOL has said that this is a very
>and that there is NO remedy for it at this time. Please practice
>measures and forward this to all users.
When you start talking about erased hard drives -- people
stand up and take
notice! Especially when IBM and AOL are the ones doing the warning.
is only one small problem here, the virus and the danger are
someone's imagination. But the clues, even without contacting
IBM or AOL,
were easily detected.
First, email is text. Text cannot erase your hard disk ...
only real danger here would be an attachment to an email which,
could possibly contain a virus of some sort, but *not* simply
message. No virus exists that can do this strictly from a text
opened. But, even if you didn't know that to be the case, one
of virus information is the Symantec Antivirus Research Center
website. (http://www.symantec.com/avcenter) They even have a
dedicated to hoaxes, and our friend "Join the Crew"
has their own listing.
But the same sort of social engineering gambits used in the
first hoax are
used in the second, as well as the added element of fear. You
it and see their appeal to authority, the inclusion on a team
or an elite
few, and the appeal for help.
Learn to be suspicious when you read anything that is unsolicited
you to forward it to everybody you know. That is the biggest
red flag of
all. -- RJ
*** Digest Q--
Would it not be possible to do a perfect email forge using IP-spoofing?
(probably to a PPP connection, as most PCs do not log the incoming
packets) If you were to spoof a server, then (as in the above
could be traced by time of attack, but spoofing from a PC should
record. or am I mistaken? -Nethead
[Carolyn: The FIRST packet of a spoofed IP connection is always
packet. Someday soon I'm going to write a GTMHH on IP spoofing
and how to
catch the spoofer anyhow. Folks, there is NO WAY to commit the
From: Kenn ***** responding to Strider (our Mac Editor)
A true hacker enjoys exploring and working things out- programming
of the best ways to do this. Why not give away the fruits of
your fun? Some
would say that being paid for it is selfish- although I doubt
of the cracker mentality would understand that: a typical cracker
agree, like to take- breaking into a system, pirating "warez"
and the like,
but not give. After all- where, they would say, is the gain in
Civilization is the process of setting men free. Men do the
love and trade it by mutual agreement to mutual benefit so that
pursue their own productive avenues. Money is merely a tool
facilitate that process. Being paid for anything IS selfish,
and I think
that a rational selfishness is a virtue not a vice. I will not
free, because I value my life, and my time. I am proud of the
of my efforts. But you've damned yourself, you're selfish too.
were no people, no community of intelligent, productive people
to make something to mutual benefit (like Linux), then you're
selfish too. But is this bad? Is this evil? Think about it.
Perhaps you're right. But the people who need the money, as
you say, create
shareware or commercial products. The people who create free
products do so
on their own time, because they love to do it and don't NEED
the money. If
more people showed generosity such as that, instead of charging
manufacturing and development for their products, more things
in life would
be free, or at least cheaper. Releasing free software works
who charge too much for a shoddy product (WinNT is an example-
holes, many of the patches don't work, and although it's overall
system, the only thing it can use to compete with freeBSD or
linux is hype)
and displays an appreciation for community. It also completely
elitism (or 331337ism, if you must) because all the source code
accessible. Anyone can learn from anyone else's work, and that
heightened learning and growth in any developmental community.
>>Linux Answer from Tom Ben-Yehoshua
Regarding the anon dude installing red-hat:
Like him, I'm a newbie at linux (installed 1st time last week).
had some problems with LILO - I've installed latest Slackware
on a P166,
64Mb, 3HD's (8+ Gb combined), 24x CDROM, all IDE - let's see
if I can
help out :
1. first problem I've encountered was setting LILO as my boot
manager on a UMS DOS partition - everything looked fine until
I tried to
boot without the boot diskette :
a. at first LILO would boot, writing LILO really slow and then
b. for some reason, after re-installing (exactly the same way)
would write the entire LILO booting phrase (can't remember exactly
it says in there and then giving me a prompt. If I just pressed
it would try to mount a ramdrive, exit with an error and re-post
2. well, time for a DOS fdisk... I've deleted the obscure UMS
partition, loaded linux boot disk and created an all linux partition...
Installed... no good... same as 1(a) - probably I'm missing something
but who gives - fdisk;format c: /u/s/v:LINUX... and start over..
3. well I now have a DOS partition.. let's go.. Installed UMS
this time without a linux boot partition :
DOS boots fine and now I have to directories on my HD :
Slackware (all linux install diskettes) and linux (guess...)
- ha ha,
what's in the root dir? LODLIN16.ZIP.. guess what that is? Unzip,
executable a batch file and a couple of readme's.. seems LODLIN
for LOAD LINUX (check the batch file for an example..) et' voila
loaded ... Yee-pee
4. well next level was configuring X for a Number 9 Imagine128
a MAG Trinitron display...
ALL IS WELL NOW...;)
Btw: I have an Award BIOS dated July 97 with virii detection
*** Firewall Question
From: JAY BAYLON
>>I have been reading GTmHH for some time now. I'm not
a hacker nor am I a
>cracker but I do know my computers (maybe someday *grin*).
What I really like to hear is some in-depth explanation on
work and how to trick them.
>>ANSWER FROM SKURP
First you cannot trick a firewall, but you can defeat a firewall.
A firewall cannot protect against connections that don't go through
A firewall cannot provide 100% protection against all threats.
You want to know how a firewall works? Firewalls can be configured
1. Packet Filtering - worst way for configure a firewall.
works by dropping packets based on their source or destination
ports...decisions are made only from the contents of the current
Administrators makes a list of acceptable machines and services,
and a list
of unacceptable machines. It is easy to permit any IP access
A and B, or deny any access to B from any machine but A.
For example, one might want to allow any host to connect
to machine A, but
only to send or receive mail. Other services may or may not be
Packet Filtering allows some control, but it is a dangerous
2. Application-level gateway - represents the opposite extreme
design. Rather than using a general purpose mechanism to allow
different kinds of traffic to flow, special purpose code can
be used for
each desired application. Although this seems wasteful, it is
likely to be
far more secure than any of the alternatives. One need not worry
interactions among different sets of filter rules, nor about
thousands of hosts offering nominally secure services to the
Application gateways allow for logging of all incoming and
In other words an application firewall allows an SA to turn
off all the
applications associated with the server, i.e.
All these services can be turned off using the application gateway
3. The last and most secure configuration is Stateful Inspection.
Stateful Inspection technology accesses and analyzes data
derived from all
communication layers. This "state" and "context"
data is stored and updated
dynamically, providing virtual session information for tracking
connectionless protocols (e.g. RPC and UDP-based applications).
data from the communication and application states, network configuration
and security rules, are used to generate an appropriate action,
accepting, rejecting or encrypting the communication. Any traffic
explicitly allowed by the security rules is dropped by default
security alerts are generated, providing the system manager with
>I'm using a computer which passes through the corporate
firewall. I can
>use http but I can't use ftp. Can you please help me. Most
of the cool
>wares that I want downloaded use ftp downloads not http.
DUH...if you worked for me I would have you fired in a minute.
most likely a reason that you cannot FTP out of your "corporation",
were smart enough to turn off FTP.
message "subscribe hh."
This is a list devoted to *legal* hacking! If you plan yo use
information in this Digest or at our Web site to commit crime,
go away! Foo
on you! Happy Hacker is a 501 (c) (3) tax exempt organization
in the Unites
States operating under Shepherd's Fold Ministries. Yes! This
is all a plot
to save your immortal souls!
For Windows questions, please write Roger Prata; for
Macs, write Strider; and Unix, Carolyn Meinel. Editor-in-chief
is R.J. Gosselin. Webmaster is
R.J. Gosselin, Sr.
Editor-In-Chief -- Happy Hacker Digest
"There is no way you're describing our system,
she could never have gotten past our security.
But I'm going to find her and see that she's prosecuted ...
she broke the law, and she's going to pay!"
President of "Blah Blah Bank"
-->>>Does anybody ELSE see a small discrepancy
For full story (and many others), download
"External Threats to Computer Security in Networked Systems"
from Winn Schwartau's InfoWar.com bookstore @ www.infowar.com