1996-12-28 - FYI Unamailer

Header Data

From: Robert Hettinga <rah@shipwright.com>
To: cypherpunks@toad.com
Message Hash: 46ebea263c5ba5de2b6eec0c4383b4d1d6086bad46fe8a9a52842167161ba3f2
Message ID: <v0300786eaeea2f31fe09@[139.167.130.248]>
Reply To: N/A
UTC Datetime: 1996-12-28 02:27:46 UTC
Raw Date: Fri, 27 Dec 1996 18:27:46 -0800 (PST)

Raw message

From: Robert Hettinga <rah@shipwright.com>
Date: Fri, 27 Dec 1996 18:27:46 -0800 (PST)
To: cypherpunks@toad.com
Subject: FYI Unamailer
Message-ID: <v0300786eaeea2f31fe09@[139.167.130.248]>
MIME-Version: 1.0
Content-Type: text/plain



--- begin forwarded text


Date: Fri, 27 Dec 1996 06:33:04 +0000
From: Alastair Sweeny <asweeny@sonetis.com>
Subject: FYI Unamailer
To: listmom-talk@skyweyr.com
Mime-Version: 1.0
Precedence: Bulk
Reply-To: listmom-talk@skyweyr.com

Date: Thu Dec 26 18:33:49 1996
From: brock@well.com ("Brock N. Meeks")
Subject: CWD--Unamailer Strikes on Christmas
To: cwd-l@cyberwerks.com
Reply-To: brock@well.com


CyberWire Dispatch / Copyright (c)1996/ December 26, 1996 /

Jacking in from the "Spam in the Stocking" Port:

Unamailer Delivers Christmas Grief

by Lewis Z. Koch
Special to CyberWire Dispatch

"johnny xchaotic," also known as the "Unamailer," is back, and
twenty-one individuals -- many of whom are deeply involved in the
Internet -- journalists, the heads of computer companies such as
Microsoft, politicians, and religious figures -- received a "denial of
service" Christmas present they wished they didn't have.

johnny, and possible friends of johnny, effectively halted these
individuals' ability to send and receive E-mail, a denial of service
attack which may take days to restore.

Among those hit were prominent journalists including magazine columnist
Joel Snyder, because, in xchaotic's words, "your last article in
'Internet World' places all the blame of my actions on an innocent
person."  Also hit was the magazine's editor Michael Neubarth because of
his failure to "apologize" for what were termed journalistic errors.

Political figures, such as former Presidential candidate Pat Buchanan
and U.S. Senate wannabe David Duke, also were targets.  Religious
figures such as Pat Robertson and Billy Graham were subject to e-mail
bombings, as were members of the Church of Scientology and members of
the KKK.

Microsoft's Bill Gates and several people from the cable channel MTV also
were among those apparently attacked.  Others hit include Carolyn Meinel
who operates a "Happy Hacker" mailing list, the Ku Klux Klan, MTV and
the Nazi party.

All told, 21 individuals were hit, some, like Gates, for the second
time.  This is the second time in six months that the work of one or
more individuals has exploited relatively simple vulnerabilities in
Internet e-mail lists.

The first attack, in August, targeted more than 40 individuals,
including Bill Clinton and Newt Gingrich and brought a torrent of
complaints from the people who found their names sent as subscribers to
some 3,000 E-mail lists. By comparison to the Christmas attack, even
that relatively modest attack sent enough e-mail to the targeted
recipients that it effectively halted their computers' ability to
process the messages.

This attack is estimated to involve 10,139 listserv groups, 3 times
greater than the one that took place in the summer, also at xchaotic's
instigation. If each mailing list in this attack sent the targeted
individuals just a modest 10 letters to the subscribers' computer those
individuals would receive more than 100,000 messages. If each listing
system sent 100 messages -- and many do -- then the total messages could
tally 1,000,000.

Once again, johnny xchaotic has offered an "open letter," given to this
reporter before it was scheduled to be posted throughout the Internet,
as a way to explain the reasons behind the attack. He also taunted the
FBI, telling the agency not to "waste tax dollars trying to track me"
because "there are a lot more dangerous people out there you should be
concentrating on."  (The complete letter will be released shortly to the
Net by johnny.)

The open letter, and the information outlining the e-mail blast, were
given to this reporter as the "attack" was concluding. The attack began
the evening of December 24 just before midnight and took four hours,
eight minutes and twenty-nine seconds.

"They [listserv-based mailing lists] could stop this kind of attack
tomorrow," one source close to johnny said, "if they only took the
simplest of precautions -- like authentication."  Authentication is a
means by which the listing system, instead of agreeing to the
"subscription" and then automatically forwarding tens or hundreds of
letters to the subscriber, would first ask if the person really wanted
to subscribe. This "verification" could come as an electronic mail
message to the subscriber asking for confirmation.

If this process had been in place, someone subject to an E-mail denial
of service attack would only receive one letter from each list -- that
one being the authentication confirmation query -- do you really want
this E-mail -- before sending on 10 or 100 messages.

"They're either too lazy or too dumb to do that -- so they have to pay a
price," this source said, indicating that the attacks would continue
until the administrators "get it right," indicating that johnny and his
friends want to pressure administrators into authentication.

In these kinds of instances, individuals who have been hit wind up
quickly canceling their e-mail accounts, thus passing the responsibility
for canceling the "subscription" back to the list administrator. Many
suspect the authentication-confirmation process is viewed by listserv
systems administrators as an inconvenience and confusing to the
subscriber, and so they just avoid it.

The attack, however, may be a violation of federal law, punishable by up
to five years in prison, or $250,000.00 in fines or both.  While there
are techniques for tracing this kind of attack when there is advance
warning, knowledgeable sources say that this kind of attack is very
difficult to trace once the attack has occurred.

johnny xchaotic has been labeled a 'Net terrorist,' which, according to
some, debases the meaning of the word "terrorism."  No one knows who
johnny is.  He was misidentified earlier by Internet Underground
magazine as a well known hacker who calls himself "se7en." This
identification proved false.

One person close to "johnny xchaotic" said the FBI and Secret Service
had been contacted about the illegality of this kind of hack but said
they had no interest in this kind of "Net" attack.  "We have bigger fish
to fry," was the response from law enforcement officials, according to
this person.  This attitude was confirmed by a former federal prosecutor
who said the few federal investigators who understood computers and the
Internet were stretched thin in their attempts to apprehend serious
cyber-criminals, or to pursue high profile but relatively unimportant
cases against hackers such as Kevin Mitnick. There has been a tendency
on the part of law enforcement and the media to grossly overestimate the
monetary damage caused by hackers.

"johnny" and those close to him made it clear that there would be a
continuation of these kinds of email "denial of service" attacks.

These same sources say those few Federal investigators with the Secret
Service and the FBI who are computer literate and savvy about hacking
are stretched thin in attempts to solve serious multimillion dollar
computer crimes, the vast majority of which are committed by insiders
against the companies they work for.

It is far easier, these sources say, to track down, arrest and jail
16-year-old hackers who brag about their exploits to friends and fellow
hackers than to track down a true professional computer cracker on
assignment from one company to search and steal the files of a
competitor company. While it may take up to three years to investigate
and prosecute one important computer thievery case, teenage hackers can
be arrested every few months, thus improving the "stats" by which the
FBI and other agencies make their mark and their budgets.

This repeated E-mail denial of service attack will be sure to reignite
the debate about the "moral" issues surrounding hackers and hacking.
What may be ignored -- again -- is the failure to rectify the problem
after the first attack back in August. Immediately following the first
E-mail bombing attack, the Computer Emergency Response Team (CERT) was
quick to tell the media that while they had no "solution," they had
"hopes" they would be able to "limit the impact" of these kinds of
attacks.  Today's three-fold attack showed that a six-month period of
study "hoping to limit the impact" has been futile.

Vital communications do not appear to have been slowed down.  The attack
is a major "inconvenience" to be sure.  Others argue that "complacency"
is the only true victim of this attack.

The temporary inconvenience caused by a few days' loss of E-mail
privileges might seem to pale in significance with those who were killed
and maimed by the terrorists' bombing of the Federal Building, in
Oklahoma City, or at the World Trade Center in New York, or in Atlanta
at the '96 Olympics, or those who opened packages from the Unabomber and
were killed.

Prominent government officials like U.S. Deputy Attorney General Jamie
Gorelick have called for the development of the equivalent of a
"Manhattan project" to stop hackers, though the specifics of what kind
of "bomb" Gorelick would develop and on whom she would drop "the bomb"
are vague.

Unsafe at Any Modem Speed

On December 16, a computer attack against WebCom knocked out more than
3,000 Web sites for 40 hours, curtailing Website shopping.  The attack
-- a "SYN-flood" -- sent as many as 200 messages a second against the
WebCom host computer. This was the same kind of attack that brought down
the popular New York Internet provider Panix for more than a week in
September.

While Seattle computer security consultant Joel McNamara is sympathetic
toward WebCom's users' problems, he allows less leeway to the company.
"The SYN-flood denial of service attack has been known for months, and
there are a variety of solutions for addressing it," McNamara said, "I'd
be curious as to what, if any, security measures WebCom, a large
provider, had in place to deal with a well-known SYN-flood attack. If I
couldn't conduct business for 40 hours, I'd have some serious questions
to ask."

McNamara believes a great deal of the responsibility for the success of
these kinds of known attacks rests on the shoulders of managers and
systems administrators who do not fully "understand the implications of
poor security practices.  While the industry hasn't seen this happen
yet, it's just a matter of time before a customer files a lawsuit
against a service provider because of damages caused by ineffective
security," he predicts.

FBI agents have been undergoing some education in computer related
crimes, but sources say the educated ones are few in number and burdened
by too many cases.  On the other hand, the FBI has singled out small but
prominent hackers for arrest and prosecution, hoping the jailing of
these individuals who are well-known to the Net would be a deterrent to
other younger people considering hacking.  The recent adolescent-like
hacking of the Department of Justice Web site seems to indicate that
hackers aren't all that deterred.

There are other indications that Web page hacks are going to become more
political, and perhaps even more dangerous than in the past.  The recent
hack of the Kriegsman Furs company Web page by animal rights activists
indicates one new, sophisticated path.  In this attack, the hackers left
a manifesto, as well as links to animal rights sites throughout the
Web. How easy was it to do? "Security for the site was extremely weak,"
says McNamara, "The commonly known PHF exploit was likely used to
retrieve a system file, which contained a series of easy to crack
passwords." Presto, chango.  Pro-fur into anti-fur.

"It's too easy to pass the blame off on hackers," McNamara says.  Like
the keys in the car or in the front door, "maintaining an insecure site
is just an invitation to problems."  Those who were responsible for
today's denial of service attack were careful to repeatedly point out to
this reporter how "unsophisticated" their attack was and how easily it
could have been avoided if the list managers had only taken minimal
precautions.  "It's kind of like buying new locks and getting an alarm
system after everything in the house is stolen.  Sure it will probably
prevent it from happening again, but if you took the precautions in the
first place, the damn thing wouldn't have occurred," he concludes.

--------------------

Lew Koch can be reached at: lzkoch@mcs.net

--- end forwarded text



-----------------
Robert Hettinga (rah@shipwright.com), Philodox,
e$, 44 Farquhar Street, Boston, MA 02131 USA
"The cost of anything is the foregone alternative" -- Walter Johnson
The e$ Home Page: http://www.vmeng.com/rah/
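
The confirmation step the forwarded article calls "authentication", sketched as an added example that is not part of the original message or of any list software it mentions. The class, function and address names are hypothetical; the token is a stateless HMAC over list name and address, so an unconfirmed request costs the server no stored state.

```python
import hashlib
import hmac
import secrets

class ConfirmedOptInList:
    """Toy list manager: an address joins only after echoing back its token."""

    def __init__(self, name):
        self.name = name
        self._secret = secrets.token_bytes(32)   # per-list signing key
        self.subscribers = set()
        self.outbox = []                          # (recipient, body) the server would send

    def _token(self, address):
        msg = f"{self.name}:{address.lower()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_subscribe(self, address):
        # The request's sender is unverified, so send one query and nothing else.
        self.outbox.append((address, f"confirm {self.name} {self._token(address)}"))

    def confirm(self, address, token):
        expected = self._token(address).encode()
        if hmac.compare_digest(token.encode(), expected):   # constant-time compare
            self.subscribers.add(address.lower())
            return True
        return False

    def post(self, body):
        for addr in sorted(self.subscribers):
            self.outbox.append((addr, body))

def simulate(num_lists, posts_per_list, confirmed, victim="victim@example.org"):
    """Messages reaching a victim whose address was submitted without consent."""
    received = 0
    for i in range(num_lists):
        lst = ConfirmedOptInList(f"list{i}")
        if confirmed:
            lst.request_subscribe(victim)    # victim never answers the query
        else:
            lst.subscribers.add(victim)      # behaviour the article criticises
        for n in range(posts_per_list):
            lst.post(f"post {n}")
        received += sum(1 for rcpt, _ in lst.outbox if rcpt == victim)
    return received

if __name__ == "__main__":
    # The article's figures: 10,139 lists at a "modest" 10 messages each.
    print("no confirmation:", simulate(10139, 10, confirmed=False))
    print("with confirmation:", simulate(10139, 10, confirmed=True))
```

With confirmation the victim still receives one query per list, so a list operator would normally add rate limiting and token expiry on top of this.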






