From: R. Snyder
Date: Wed Feb 19, 2003 8:51am
Subject: Re: Taking a byte out of Baghdad

The popular press likes to use the term "virus" rather loosely. Given the ubiquitous usage of TCP/IP over twisted-pair ethernet, many potential vulnerabilities could be exploited without specific knowledge of computer OS's. For example, with sufficient knowledge of a printer's network interface, a trojan-horse DOS capability could be installed in the printer. A printer would be a logical candidate for such an attack, as it would be in the perfect position to become acquainted with the network addresses of all the computers printing to it. Upon observing the occurrence of a triggering condition, the printer could then begin a DOS attack on the computers on the LAN. Moreover, with more knowledge or assumptions of computer OS's, a printer would be in a position to launch attacks within the LAN via NetBIOS/NetBEUI/IPX. Even without knowledge of the printer's network interface, an additional network interface could easily be bridged across the printer's.

Triggering could be conditioned upon network traffic that would be expected to occur on the network (e.g., air defense messages indicating a massive air attack), network traffic that could be induced to occur (e.g., leaking a pseudo-codeword to the enemy with the expectation that they would recite it in their network traffic), or some other phenomenon (e.g., including a radio receiver in the printer responsive to a signal transmitted during the overflight of an EW asset). All of the foregoing would be possible even on a LAN having no connection to the internet.

The bottom line is that installing a compromised hardware component in a network is a bad thing, and the possibility of such installation should be met with investigation, not denial.

I'm not saying that any of the above would be likely or trivial to implement, but that I see nothing that would place the proposed schemes beyond the realm of possibility given sufficient knowledge, access, and motivation.

6934 From: Gregory Perry
Date: Wed Feb 19, 2003 10:50am
Subject: window bounce countermeasure

This gadget is pretty neat; it takes a standard audio source and modulates it via suction cup to any surface, $29.99. Seems with the right degree of tint, this with a pink noise source would make a great countermeasure against laser listening devices:

http://www.thinkgeek.com/electronics/audio/5a15/

Gregory Perry

"There are a thousand hacking at the branches of evil to one who is striking at the root." -- Henry David Thoreau

6935 From: Steve Uhrig
Date: Wed Feb 19, 2003 8:19pm
Subject: RE: Taking byte from Baghdad

On 19 Feb 2003 at 7:54, Kutlin, Josh wrote:

> Ok ...thanks to this thread I went out and bought my first shortwave
> (DX-399) this past weekend for $30 on closeout.

Good price. Welcome to what likely will be a fascinating hobby, and the way many of us started in our careers.

> The first thing I realized is that I need a better antenna.

Yup.

> Did some reading (and rigging) and I realized that the 25 feet of co-ax
> (it's all I had and the snow closed Radio Shack) is just not cutting it.

There needs to be something at the end of the coax. Coax only couples the receiver to the antenna. Except in rare circumstances in special designs, the coax itself is not the antenna.

> My question is, and I apologize if it is off topic for this group, but
> does anyone know where I could find plans to make a cheap active
> antenna?

It's all radio comm technology, which we all need to know, and antennas are a critical part of this. Not off topic.
You do NOT need nor should you use an active antenna. Lots of problems.

In 35 years of shortwave listening, I've never used anything other than wire antennas, for both receive and transmit, and I've logged well over 100 countries. Even spoke to the Space Shuttle once, and got a confirmation QSL card (postcard) from NASA.

All you need is wire on your receiver. The more the better, but a little hunk of anything will work. I'm playing with a homemade receiver here, literally made on a cake pan with some old tubes from the barn, and all I have is some clip leads tied together and strung up the wall. Am hearing wall-to-wall stations.

Get any scrap of telephone wire, electrical, hookup, anything. The more the better. Throw it out the window. If you're on the ground floor, throw it on top of some bushes. If on an upper floor, just let it hang down. If practical, connect one end to a tree with a piece of rope or plastic something as an insulator. For receive, nothing is critical.

For HF, which I presume is where you are interested, just get metal out there. 20 feet will do a lot of good. 50 feet better. 100 feet superb. Capture area is what counts for your initial efforts. That means metal out there. Doesn't have to be heavy gauge wire, either. If you're in an apartment where you need to conceal it, unwind an old transformer to get several hundred feet of very fine wire which can be nearly invisible. Be sure to scrape the varnish off one end before connecting!

You don't need a tuner or anything fancy. Just connect the end of the long wire to your antenna terminal.

Learn something about HF propagation. Higher frequencies, for example, tend to work better during the day. Lower frequencies open up around sunset. Each band has its own peculiarities, which change from day to day. Learning them is part of the fun.

Be patient, tune carefully, and stop and listen. Don't leap all over the bands looking for loud strong stuff. You'll find it, but miss a lot of the interesting lower powered stations. If you get serious, headphones make a difference.

Try listening on the amateur (ham) bands, in the evenings 3.5 - 4.0 (80/75 meter wavelength) megacycles, and maybe 7.0 - 7.3 (40 meters) evenings or days. During the day, early on, look up 20 meters and 15 meters.

Any issue of the annual Radio Amateur's Handbook will be of tremendous value to you. Monitoring Times magazine (who has a website) will give you some frequencies to tune for starting.

Remember to be patient. There's a lot of very fascinating stuff to hear, but you have to be tuning carefully and listening closely to hear it. Practically anyone will hear spy numbers stations and Russian jamming stations which sound like buzzsaws. Sometimes you can hear the foreign broadcast station underneath the jamming the country does not want their people to hear.

See if you can find radio station HCJB in Quito, Ecuador, Radio Nederland in Hilversum, Holland, Deutsche Welle in Germany, Radio Havana in Cuba, and good old Voice of America. All are very strong, and found in several places on the dial.

Let us know how it goes.

Regards ... Steve WA3SWS

*******************************************************************
Steve Uhrig, SWS Security, Maryland (USA)
Mfrs of electronic surveillance equip
mailto:Steve@s... website http://www.swssec.com
tel +1+410-879-4035, fax +1+410-836-1190
"In God we trust, all others we monitor"
*******************************************************************

6936 From: Steve Uhrig
Date: Wed Feb 19, 2003 8:26pm
Subject: Re: window bounce countermeasure

On 19 Feb 2003 at 10:50, Gregory Perry wrote:

> This gadget is pretty neat, takes a standard audio source and
> modulates it via suction cup to any surface, $29.99. Seems with the
> right degree of tint and this with a pink noise source would make a
> great countermeasure against laser listening devices:

Yes, if you have a problem with laser listening devices.
I've never seen one and have no concern about them as a hostile threat.

Simpler would be just using white (pink) noise from an FM broadcast radio tuned between stations. That's an inexpensive source of nearly pure pink noise.

Some years ago, Allied or one of them offered speaker drivers about the size of a fist with a threaded wood screw sticking out. You could thread the driver to sheetrock between studs, put some power in and it did a fairly decent job of reproducing the audio on the wallboard.

I put a small plastic container of about 8 ounces onto the thing, fed it with 30 watts of ultrasonic (from an 807 oscillator, no less), and made an ultrasonic cleaner. Worked fine for cleaning small parts.

Steve

6937 From: Matt Paulsen
Date: Wed Feb 19, 2003 8:57pm
Subject: RE: Re: Taking a byte out of Baghdad

-----Original Message-----
From: R. Snyder [mailto:rds_6@y...]
Sent: Wednesday, February 19, 2003 6:52 AM
To: dennis.bergstrom@c...
Cc: TSCM-L@yahoogroups.com
Subject: [TSCM-L] Re: Taking a byte out of Baghdad

The popular press likes to use the term "virus" rather loosely. Given the ubiquitous usage of TCP/IP over twisted-pair ethernet, many potential vulnerabilities could be exploited without specific knowledge of

A 12 year old can take out a network. It's easy to do and there's not a whole heck of a lot anyone could do to stop it. Give someone $300,000 worth of time and training and it's not a question of if but when. Want to be secure, don't run a network, simple. C2 it.

6938 From: Matt Paulsen
Date: Thu Feb 20, 2003 1:13am
Subject: Does it get CNN?

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=2908353930

6939 From: Hawkspirit
Date: Thu Feb 20, 2003 10:20am
Subject: Backdoor

11/18/2002 Entry: "NSA BACKDOOR IN EVERY MICROSOFT OPERATING SYSTEM"

How NSA access was built into Windows
Duncan Campbell

Careless mistake reveals subversion of Windows by NSA.

A CARELESS mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors).

The discovery comes close on the heels of the revelations earlier this year that another US software giant, Lotus, had built an NSA "help information" trapdoor into its Notes system, and that security functions on other software systems had been deliberately crippled.

The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA.

Computer security specialists have been aware for two years that unusual features are contained inside a standard Windows software "driver" used for security and encryption functions. The driver, called ADVAPI.DLL, enables and controls a range of security functions. If you use Windows, you will find it in the C:\Windows\system directory of your computer.

ADVAPI.DLL works closely with Microsoft Internet Explorer, but will only run cryptographic functions that the US government allows Microsoft to export. That information is bad enough news, from a European point of view. Now, it turns out that ADVAPI will run special programmes inserted and controlled by NSA. As yet, no-one knows what these programmes are, or what they do.

Dr Nicko van Someren reported at last year's Crypto 98 conference that he had disassembled the ADVAPI driver.
He found it contained two different keys. One was used by Microsoft to control the cryptographic functions enabled in Windows, in compliance with US export regulations. But the reason for building in a second key, or who owned it, remained a mystery.

A second key

Two weeks ago, a US security company came up with conclusive evidence that the second key belongs to NSA. Like Dr van Someren, Andrew Fernandes, chief scientist with Cryptonym of Morrisville, North Carolina, had been probing the presence and significance of the two keys. Then he checked the latest Service Pack release for Windows NT4, Service Pack 5. He found that Microsoft's developers had failed to remove or "strip" the debugging symbols used to test this software before they released it. Inside the code were the labels for the two keys. One was called "KEY". The other was called "NSAKEY".

Fernandes reported his re-discovery of the two CAPI keys, and their secret meaning, to the "Advances in Cryptology, Crypto'99" conference held in Santa Barbara. According to those present at the conference, Windows developers attending the conference did not deny that the "NSA" key was built into their software. But they refused to talk about what the key did, or why it had been put there without users' knowledge.

A third key?!

But according to two witnesses attending the conference, even Microsoft's top crypto programmers were astonished to learn that the version of ADVAPI.DLL shipping with Windows 2000 contains not two, but three keys. Brian LaMacchia, head of CAPI development at Microsoft, was "stunned" to learn of these discoveries, by outsiders. The latest discovery by Dr van Someren is based on advanced search methods which test and report on the "entropy" of programming code.

Within the Microsoft organisation, access to Windows source code is said to be highly compartmentalized, making it easy for modifications to be inserted without the knowledge of even the respective product managers.

Researchers are divided about whether the NSA key could be intended to let US government users of Windows run classified cryptosystems on their machines or whether it is intended to open up anyone's and everyone's Windows computer to intelligence gathering techniques deployed by NSA's burgeoning corps of "information warriors".

According to Fernandes of Cryptonym, the result of having the secret key inside your Windows operating system "is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system". The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards.

"For non-American IT managers relying on Windows NT to operate highly secure data centres, this find is worrying", he added. "The US government is currently making it as difficult as possible for 'strong' crypto to be used outside of the US. That they have also installed a cryptographic back-door in the world's most abundant operating system should send a strong message to foreign IT managers".

"How is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft has a 'back door' for NSA - making it orders of magnitude easier for the US government to access your computer?" he asked.

Can the loophole be turned round against the snoopers?

Dr van Someren feels that the primary purpose of the NSA key inside Windows may be for legitimate US government use. But he says that there cannot be a legitimate explanation for the third key in Windows 2000 CAPI. "It looks more fishy", he said.

Fernandes believes that NSA's built-in loophole can be turned round against the snoopers. The NSA key inside CAPI can be replaced by your own key, and used to sign cryptographic security modules from overseas or unauthorised third parties, unapproved by Microsoft or the NSA. This is exactly what the US government has been trying to prevent. A demonstration "how to do it" program that replaces the NSA key can be found on Cryptonym's website.

According to one leading US cryptographer, the IT world should be thankful that the subversion of Windows by NSA has come to light before the arrival of CPUs that handle encrypted instruction sets. These would make the type of discoveries made this month impossible. "Had the next-generation CPUs with encrypted instruction sets already been deployed, we would have never found out about NSAKEY."

6940 From: James M. Atkinson
Date: Thu Feb 20, 2003 1:32pm
Subject: ACLU asks Supreme Court to hear appeal of wiretap ruling

http://www.cnn.com/2003/LAW/02/19/wiretap.appeal/index.html

ACLU asks Supreme Court to hear appeal of wiretap ruling
From Kevin Bohn
CNN Washington Bureau

WASHINGTON (CNN) -- In what it calls an unprecedented action, the American Civil Liberties Union, along with a coalition of other civil liberties groups, is asking the U.S. Supreme Court to overturn new, more lenient standards for wiretaps in foreign intelligence investigations.

The case is unusual because the groups are suing on behalf of people who are under surveillance by the government, but the groups don't know the identities of the people under surveillance, how many people are involved or where they are.

The coalition filed its request with the nation's high court Tuesday. If it takes the case, it would be the first opportunity for the Supreme Court to rule on the constitutionality of such wiretaps, known as FISAs for the act they are named after -- the Foreign Intelligence Surveillance Act.

Last November the U.S. Foreign Intelligence Surveillance Court of Review, in its first ruling, decided behind closed doors that the Justice Department could meet what the civil rights groups consider more lenient standards in deciding when this type of wiretap could be used.
Before the Patriot Act, foreign intelligence had to be a "primary" purpose of the investigation. Now, foreign intelligence has to be a "significant" purpose. The court overseeing the issuance of wiretaps had ruled against that interpretation last year, saying it was too broad.

Although the groups petitioning the Supreme Court are not parties to the decision, they argued in their motion they should be allowed to appeal the ruling because the issue "should not be finally adjudicated by courts that sit in secret" and by courts that "allow only the government to appear before them."

Justice Department officials emphasize that under law, prosecutors still have to show the court that would grant such wiretaps probable cause that the target of the surveillance is a "foreign power" or an "agent of a foreign power," and that there has been no relaxation of the basic requirements that must be met.

"We do not enter into this litigation lightly," said Ziad Asali, president of the American-Arab Anti-Discrimination Committee, one of the groups asking the Supreme Court to take the case. "We firmly believe that these expanded powers erode the functionality and checks and balances of our judicial system."

--
--------------------------------------------------------------------------------------------------
The First, The Largest, The Most Popular, and The Most Complete TSCM, Bug Sweep, Spy Hunting, and Counterintelligence Site on the Internet.
--------------------------------------------------------------------------------------------------
James M. Atkinson                 Ph: (978) 546-3803
Granite Island Group              Fax: (978) 546-9467
127 Eastern Avenue #291           http://www.tscm.com/
Gloucester, MA 01931-8008         mailto:jmatk@t...
--------------------------------------------------------------------------------------------------
Vocatus atque non vocatus deus aderit
--------------------------------------------------------------------------------------------------

6941 From: Does it matter
Date: Thu Feb 20, 2003 10:17am
Subject: Re: Does it get CNN?

Interesting. What would you do with that? You get the land and the satellite, but what can you do: get free cable? Listen to things in outer space? Replies are appreciated.

--- In TSCM-L@yahoogroups.com, "Matt Paulsen" wrote:
> http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=2908353930

6942 From: Stephen Pendergast
Date: Thu Feb 20, 2003 1:38pm
Subject: Re: Backdoor

This may be a hoax. See http://hoaxinfo.com/nsacode.htm

The Cryptonym web site http://www.cryptonym.com now comes up with a cryptic message "This page was left blank intentionally."

Stephen L Pendergast
619 692-4400 x233
CACI Technologies
1011 Camino Del Rio South Suite 600
San Diego, CA 92108

6943 From: William Knowles
Date: Thu Feb 20, 2003 2:27pm
Subject: Re: Backdoor

On Thu, 20 Feb 2003, Stephen Pendergast wrote:

> This may be a hoax. See http://hoaxinfo.com/nsacode.htm
> The Cryptonym web site http://www.cryptonym.com now comes up with a cryptic
> message
>
> "This page was left blank intentionally."

It's simple in my book: if you have the freedom to choose your operating system and don't trust Microsoft products, don't run it. :)

The one necessary evil around here is M$ Office, and we're ramping up to OSX in the next few months.

As for Cryptonym, try the Internet Wayback Machine...

http://web.archive.org/web/*/http://www.cryptonym.com

William Knowles
wk@c...

> Stephen L Pendergast
> 619 692-4400 x233
> CACI Technologies
> 1011 Camino Del Rio South Suite 600
> San Diego, CA 92108

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

6944 From: Steve Uhrig
Date: Thu Feb 20, 2003 2:45pm
Subject: Re: Does it get CNN?

On 20 Feb 2003 at 16:17, Does it matter u12armresl@y... wrote:

> What would you do with that? You get the land and the satellite but
> what can you do get free cable? listen to things in outer space?

This is the antenna you need to get the ranges advertised by the spy shops for 2.4 gig wireless video transmitters and micro powered audio transmitters. Anyone should know that!

Steve

6945 From: Steve Uhrig
Date: Thu Feb 20, 2003 2:49pm
Subject: Re: ACLU asks Supreme Court to hear appeal of wiretap ruling

On 20 Feb 2003 at 14:32, James M. Atkinson wrote:

> Justice Department officials emphasize that under law, prosecutors
> still have to show the court that would grant such wiretaps probable
> cause that the target of the surveillance is a "foreign power" or an
> "agent of a foreign power," and that there has been no relaxation of
> the basic requirements that must be met.

As anyone who has been on the other side of the fence knows, all you need to do to slide through FISA is list a Hispanic surname on your long list of people in the 'Affidavit for Statement of Probable Cause'. Probably would fly with Jesus O'Brien Tortellini Moskowicz.

Steve

6946 From: Fernando Martins
Date: Fri Feb 21, 2003 1:27am
Subject: Re: Backdoor

Hmmm, the NSA Backdoor ... 1999?

It was funny at the time that a German company became an MS security partner, and while MS was explaining themselves, the German company on its site was offering solutions against that trojan. At the time I was cooperating with that German company, so I remember that X-File story well :>

This is something that some crazy kid wrote in those days ....

***
Subject: The Alien From Seattle (new X-Files series)

I wonder if you wonder what I'm wondering ... why Kitetoa and myself now dedicate ourselves to helping people about f00d hacks? Because it's not a joke ... a joke was the answer I got from Microsoft Brasil about the NSAKey ("all X-Files is what you saying"), so this article is dedicated in its memory. God Bless You!!!!!!

(...)

Following the X-Files news: The Alien from Seattle ... here goes the résumé of the last episodes...

1# Alien Base in Brasil #
http://www.iptvreports.mcmail.com/ic2kreport.htm#_Toc448565556

102. In 1994, NSA intercepted phone calls between Thomson-CSF and Brazil concerning SIVAM, a $1.3 billion surveillance system for the Amazon rain forest. The company was alleged to have bribed members of the Brazilian government selection panel. The contract was awarded to the US Raytheon Corporation - who announced afterwards that "the Department of Commerce worked very hard in support of U.S. industry on this project".(69) Raytheon also provide maintenance and engineering services to NSA's ECHELON satellite interception station at Sugar Grove.

2# But ... what is ECHELON? ask Mulder #
http://www.uol.com.br/idgnow/busca/0911b3.htm

EU could start investigations about a U.S.
spy net
09/11/98

The EU is considering a large investigation to find out if the NSA is abusing its presence and its power of surveillance over the Internet to spy on private and government institutions. The NSA is responsible for managing a spy program codenamed Echelon, that came from the Cold War. The Committee for Scientific and Technological Options of the European Parliament says that Echelon is a hidden worldwide spy network for communication interceptions like e-mail, phones, faxes, satellite and backbones. (!!!!!!!!!!!) It's all reported in a document, "An Evaluation of Political Control Technologies", showing how NSA sends intercepted information by satellite to Fort Meade, in Maryland U.S., from a hub based on Menwith Hill (near London UK)

Daniel Verton - Federal Computer Week

3# What's a little spying between friends? #
http://www.nandotimes.com/technology/story/body/0,1634,89923-142316-981920-0,00.html

4# Yeah ... and there is a lunatic spending money with that? bah ... #
FY 1999 Defense Budget Documents: http://www.fas.org/man/docs/fy99/topics.htm
Documents on Military Spending: http://www.fas.org/man/docs/index.html

5# OK ... now jump to the NSAKey subject or I'll shut this out #
http://www.techweb.com/wire/story/TWB19990906S0003

Caspar Bowden said: "Building in a 'back up' key makes no sense unless there is a revocation method for the primary (key). There is no revocation method." http://www.fipr.org/

"I don't believe them -- what kind of natural disaster are they talking about? A meteor destroying all the earth's structures?" said Privacy International director general, Simon Davies. "Microsoft's argument is inconsistent with its operating procedure -- it could hold a single key in multiple locations, that is a standard security procedure." He added that to compromise user security, "it's not necessary to share access with the NSA -- simply complying with their requirements will do that."

http://www.wired.com/news/news/technology/story/21589.html?wnpg=2

The _NSAKEY is one of two such keys buried deep in the cryptography source code of most Windows operating systems. In other reports, Microsoft said that the _NSAKEY is still a Microsoft-controlled key that will serve as a backup in the event that the first key is compromised. That just doesn't make sense, Fernandes said. "If they lost the first key which is the equivalent to them losing the Windows source code, then that would be okay, they could just start using the backup key."

Crypto expert Marc Briceno did have another word for it: "feeble." "I must say I do not believe Microsoft's present explanation that the presence of the _NSAKEY corresponds to standard practices in software development," said Marc Briceno, director of the Smartcard Developer Association. (http://www.scard.org/) "There is no technical reason for Microsoft to include a second security module verification key in their operating system ... to mark the passing of export requirements," Briceno said.

6# Le Grand Finale (only for truly hardcore fanatics) #
Crypto AG: The NSA's Trojan Whore?
http://caq.com/cryptogate

*********
Don't lose the next episodes ... "While Alien Bill finishes his Trojan2000, anonymous sources that want to keep it that way indeed had a report from a trusted 3rd party of the claim for the hack on http://www.trojan2000test.com/" the MP3 version is available on the holy powerful knowledge base www.antionline.com (tm)
*********

Bacano (tm)
Esoteric Pizza Research Team (tm)
CopyThis8=> (c) 1999
***

6947 From: Hawkspirit
Date: Fri Feb 21, 2003 11:52am
Subject: Sweep Needed

Office sweep needed for Houston Texas area, contact me today Friday if possible, I will be out of the office sweeping all weekend.

Roger Tolces
Electronic Security Co.
323-462-1351

6948 From: James M.
Atkinson Date: Fri Feb 21, 2003 10:23pm Subject: AIRLINE TALK All too rarely, airline attendants make an effort to make the in-flight "safety lecture" and their other announcements a bit more entertaining. Here are some real examples that have been heard or reported: ******************************** On a Continental Flight with a very "senior" flight attendant crew, the pilot said, "Ladies and gentlemen, we've reached cruising altitude and will be turning down the cabin lights. This is for your comfort and to enhance the appearance of your flight attendants." ******************************** On landing, the stewardess said, "Please be sure to take all of your belongings. If you're going to leave anything, please make sure it's something we'd like to have." ******************************** There may be 50 ways to leave your lover, but there are only 4 ways out of this airplane" ******************************** "Thank you for flying Delta Business Express. We hope you enjoyed giving us the business as much as we enjoyed taking you for a ride." ******************************** As the plane landed and was coming to a stop at Ronald Reagan, a lone voice came over the loudspeaker: "Whoa, big fella. WHOA!" ******************************** After a particularly rough landing during thunderstorms in Memphis, a flight attendant on a Northwest flight announced, "Please take care when opening the overhead compartments because, after a landing like that, sure as hell everything has shifted." ******************************** From a Southwest Airlines employee: "Welcome aboard Southwest Flight 245 to Tampa. To operate your seat belt, insert the metal tab into the buckle, and pull tight. It works just like every other seat belt; and, if you don't know how to operate one, you probably shouldn't be out in public unsupervised." ******************************** "In the event of a sudden loss of cabin pressure, masks will descend from the ceiling. 
Stop screaming, grab the mask, and pull it over your face. If you have a small child traveling with you, secure your mask before assisting with theirs. If you are traveling with more than one small child, pick your favorite." ******************************** Weather at our destination is 50 degrees with some broken clouds, but we'll try to have them fixed before we arrive. Thank you, and remember, nobody loves you, or your money, more than Southwest Airlines." ******************************** "Your seat cushions can be used for flotation; and, in the event of an emergency water landing, please paddle to shore and take them with our compliments." ******************************** "Should the cabin lose pressure, oxygen masks are in the overhead area. Please place the bag over your own mouth and nose before assisting children .. or other adults acting like children." ******************************** "As you exit the plane, make sure to gather all of your belongings. Anything left behind will be distributed evenly among the flight attendants. Please do not leave children or spouses." ******************************** And from the pilot during his welcome message: "Delta airlines is pleased to have some of the best flight attendants in the industry. Unfortunately, none of them are on this flight!" ******************************** Heard on Southwest Airlines just after a very hard landing in Salt Lake City: The flight attendant came on the intercom and said, "That was quite a bump, and I know what y'all are thinking. I'm here to tell you it wasn't the airline's fault, it wasn't the pilot's fault, it wasn't the flight attendant's fault ...it was the asphalt." ******************************** Overheard on an American Airlines flight into Amarillo, Texas, on a particularly windy and bumpy day: During the final approach, the Captain was really having to fight it. After an extremely hard landing, the Flight Attendant said, "Ladies and Gentlemen, welcome to Amarillo. 
Please remain in your seats with your seat belts fastened while the Captain taxis what's left of our airplane to the gate!" ******************************** Another flight attendant's comment on a less than perfect landing: "We ask you to please remain seated as Captain Kangaroo bounces us to the terminal." ******************************** An airline pilot wrote that on this particular flight he had hammered his ship into the runway really hard. The airline had a policy which required the first officer to stand at the door while the Passengers exited, smile, and give them a "Thanks for flying our airline." He said that, in light of his bad landing, he had a hard time looking the passengers in the eye, thinking that someone would have a smart comment. Finally everyone had gotten off except for a little old lady walking with a cane. She said, "Sir, do you mind if I ask you a question?" "Why, no, Ma'am," said the pilot. "What is it?" The little old lady said, "Did we land, or were we shot down?" ******************************** After a real crusher of a landing in Phoenix, the Flight Attendant came on with, "Ladies and Gentlemen, please remain in your seats until Capt. Crash and the Crew have brought the aircraft to a screeching halt against the gate. And, once the tire smoke has cleared and the warning bells are silenced, we'll open the door and you can pick your way through the wreckage to the terminal." ******************************** Part of a flight attendant's arrival announcement: "We'd like to thank you folks for flying with us today. And, the next time you get the insane urge to go blasting through the skies in a pressurized metal tube, we hope you'll think of US Airways." ******************************** A plane was taking off from Kennedy Airport. After it reached comfortable cruising altitude, the captain made an announcement over the intercom, "Ladies and gentlemen, this is your captain speaking. 
Welcome to Flight Number 293, nonstop from New York to Los Angeles. The weather ahead is good and, therefore, we should have a smooth and uneventful flight. Now sit back and relax... OH, MY GOD!" Silence followed, and after a few minutes, the captain came back on the intercom and said, "Ladies and Gentlemen, I am so sorry if I scared you earlier. While I was talking to you, the flight attendant accidentally spilled a cup of hot coffee in my lap. You should see the front of my pants!" A passenger in Coach yelled, "That's nothing. You should see the back of mine!" ******************************** Heard on a Southwest Airline flight. "Ladies and gentlemen, if you wish to smoke, the smoking section on this airplane is on the wing and if you can light 'em, you can smoke 'em."

-- The First, The Largest, The Most Popular, and The Most Complete TSCM, Bug Sweep, Spy Hunting, and Counterintelligence Site on the Internet. James M. Atkinson, Granite Island Group, 127 Eastern Avenue #291, Gloucester, MA 01931-8008. Ph: (978) 546-3803, Fax: (978) 546-9467, http://www.tscm.com/, mailto:jmatk@t... Vocatus atque non vocatus deus aderit.

6949 From: kondrak Date: Sat Feb 22, 2003 4:10am Subject: Heres a weird one.. Have a "customer" who's complaining of surveillance. Did the normal checking of house, work, phones, LAN and vehicles... Found nothing of note until I did a UV scan of his cars and SUV. Found a dab of what appears to me to be silastic (silicone rubber) on both the front windshield and the back window that fluoresce under long wave ultraviolet. 
They were disguised as a bug splat (highly unusual as this is cold winter time). Both of these are highly UV reactive. I scraped them off and they are on their way to a lab, but they fluoresce under a normal long-wave blacklight, like one would see in a disco. Illuminating them with a medium power UV lamp (at 100') I could pick them up at about a quarter mile with a rifle-scope trained on them, even though they produced negligible close up indications they were illuminated. Anyone see this stuff before? If so, whom.

6950 From: Mitch D Date: Sat Feb 22, 2003 8:31am Subject: WTB used or new Canon XL1S (off topic) If anyone on the list has an excellent reliable source for purchasing a new, or has a good used, Canon XL1S digital camcorder pls contact me off the list. Thanks Mitch

6951 From: Matt Paulsen Date: Sat Feb 22, 2003 11:33am Subject: recent incident. Recently had a location that had all the suspicious signs of corporate espionage - the CEO's secretary's workstation was attacking the server systems and MIS's systems, but no one else. Local antivirus only picked up 1 virus and couldn't wipe it. Tools were showing that the workstation had a keystroke logger in it, as well as it attempting to email to an AOL gateway and also attempting SMB pipes to propagate - but only to executive and high level network administration systems. Now the first question is, what sort of virus would have a keystroke logger, mail subsystem and propagation system in this manner.. None really... So, a remote scan of the system was done, and it turned out that 4 virii were detected through this method. Long story short - scan once locally, scan twice remotely and don't get too paranoid.

6952 From: kondrak Date: Sat Feb 22, 2003 8:22pm Subject: Re: Fw: Heres a weird one.. 
Interesting....yes, isopropyl 70% washed all traces off after the silicone was scraped off with a razor blade. I used surgical gloves when I removed it, so no skin contact occurred. I'll look up that dye...I'm familiar with that kind of usage, used to do ultrasound inspection of graphite materials.

At 15:43 2/22/03 -0500, you wrote:
>Hi Kondrak
>I am a non-destructive certified Inspector with General Electric Aircraft Engines, 23 yrs.
>The dye used to be called Turco P41, which is non water soluble; you need a solvent (alcohol) to completely remove its fluorescence from the windshield and your hands.
>It does not wash off with soap and water; you will need surgical hand soap to break it down, what we call emulsify the chemical.
>If it's in your clothes it will not wash out; you can take them to the dry cleaners to have them dry cleaned, which will remove the dye.
>
>FPI - FLUORESCENT PENETRANT INSPECTION is used in the aircraft industry to locate cracks in metals and it can be used on some plastic.
>Heat makes the dye more luminous.
>The dye can be bought in a spray can, easily obtainable.
>ANDRE HOLMES
>----- Original Message -----
>From: "kondrak"
>Sent: Saturday, February 22, 2003 5:10 AM
>Subject: [TSCM-L] Heres a weird one..
> > Have a "customer" who's complaining of surveillance.
> > ========================================================
> > TSCM-L Technical Security Mailing List
> > "In a multitude of counselors there is strength"
> > To subscribe to the TSCM-L mailing list visit:
> > http://www.yahoogroups.com/community/TSCM-L
> > It is by caffeine alone I set my mind in motion. It is by the juice of Star Bucks that thoughts acquire speed, the hands acquire shaking, the shaking is a warning. It is by caffeine alone I set my mind in motion.
> > =================================================== TSKS

6953 From: Michael Puchol Date: Sun Feb 23, 2003 4:34am Subject: Re: recent incident. Hi Matt, Good advice - I'm going to add my own grain of sand to the paranoia scale. Last night I was at a customer's offices, where they had reported "unusual activity" in their server and some workstations. Apparently, they had installed McAfee's VirusScan Online, which works by both a real-time system hook detection method, file-access and user-launched scans, combined with automatic updates of the engine and signature files. I've tried it and it works reasonably well. In this case, the server had been infected by Code Red (always patch thy systems!), and for whatever reason VirusScan wasn't picking it up. I contacted McAfee support, and to my surprise, their antivirus does NOT support Windows 2000 Server. This seemed strange since I have another server with it installed and it appeared to do its job - but no. 
Obviously I was a tad disappointed with McAfee to even allow installation of the antivirus without any checking of the operating system version (even the most basic installers can do this), thus giving this customer a false sense of security. Being in a bit of a hurry to get this customer up and running again, I installed CA's InoculateIT on the server, which successfully picked up the virus (but couldn't delete it), and ran a normal scan of the system. Next week I'll install Symantec's virus scanner, which has centralised management and some other neat features (and works on servers). The moral of the story: always check system requirements before installing an antivirus, firewall, IDS or other security software. If in doubt, ask the manufacturer. If then still in doubt, try it on an isolated test machine before deploying it. Apart from this, I've seen viruses which disable firewall software, install keyloggers, propagate via SMB, etc. This is not uncommon, and it wouldn't be hard to write something which combined some of these 'features'. Regards, Mike
----- Original Message ----- From: "Matt Paulsen" Sent: Saturday, February 22, 2003 6:33 PM Subject: [TSCM-L] recent incident.
> Recently had a location that had all the suspicious signs of corporate espionage [...]

6954 From: Date: Thu Feb 20, 2003 9:16am Subject: Re: Backdoor In a message dated 2/20/2003 12:14:55 PM Pacific Standard Time, spendergast@c... writes: > > This may be a hoax. No good citizen always trusts his government and Microsoft.

6955 From: Dave Emery Date: Thu Feb 20, 2003 2:47pm Subject: Re: Backdoor On Thu, Feb 20, 2003 at 11:38:23AM -0800, Stephen Pendergast wrote: > > This may be a hoax. See http://hoaxinfo.com/nsacode.htm > The Cryptonym web site http://www.cryptonym.com now comes up with a cryptic > message > "This page was left blank intentionally." > For what little it is worth, the story going around in the crypto research community has been that this was a second backup key provided at the suggestion of NSA (but not by NSA) to handle the contingency that Microsoft's primary code signing key had been compromised or lost. There was quite extensive discussion of this in crypto circles some time ago. -- Dave Emery N1PRE, die@d... DIE Consulting, Weston, Mass. PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18

6956 From: Dragos Ruiu Date: Fri Feb 21, 2003 4:53am Subject: GPS/GSM tracking Pertinent to an old thread on here, I thought some people here might be interested to know that this month's Circuit Cellar magazine has schematics and construction details for a small self-contained unit that sends GPS positional info with 1-25m resolution every two seconds via GSM SMS messages. cheers, --dr -- dr@k... pgp: http://dragos.com/ kyxpgp http://cansecwest.com

6957 From: Craig Snedden Date: Fri Feb 21, 2003 2:05pm Subject: GSM/Nextel and Roaming (a bit o/t) Hi all, Apologies that this post is a bit off topic, but I am having difficulty in getting an answer to this question and I am sure there is more than enough expertise in this list to provide the answer.... So here goes. 
I am travelling from the UK to the US (Nevada) next week and have been told (again!) that my triband GSM phone will be fine (yes, roaming is enabled etc. etc.). However, I have been told that for the area that I will be in, Nextel is the best carrier. As I understand, Nextel is not a GSM based system, but iDEN, therefore my GSM phone, triband or not, won't work... Correct assumption? My question is this: do I simply try getting service with a GSM carrier in the area and trust to luck, or do I try to get a Nextel compatible handset and if I do, will my GSM SIM chip fit in a Nextel phone...? (I want to be able to get calls in the normal way while I am away from homebase and not have to pick up voicemails by calling from another phone). Having fallen foul of this before (travelling to Florida.... "Oh yes, your phone will work all over Florida..." Only to find that the part of Florida I was in only got PCN coverage!!!) I don't want to be left in the dark again. Any suggestions? Thanks guys, Best regards. Craig

6958 From: Ocean Group - MU TSD Date: Sat Feb 22, 2003 10:37am Subject: Bluetooth Security Hi, We've recently been working with a company whose management use wireless Bluetooth access by using headsets for their mobile phones. We've been considering whether to add this to our risk evaluations. We did feel that with its power output of 0.25mW or so the risk of using it in their offices and on company premises was somewhat acceptable. However we concluded that outside the office, in specific high risk scenarios, such as sitting in their car or on a train etc, it would allow someone a lot of time to work on compromising the situation. 
Basically I was wondering if anyone has had to deal with this threat and does anyone know of any papers on Bluetooth encryption and the strength of its security implementations. If I went on previous wireless implementations, such as the standard wireless LAN etc, I wouldn't hold a lot of faith and would probably have to advise clients not to use it outside of premises etc. At least until I had seen some risk evaluations from some tech labs etc. If I remember rightly even the GSM ciphers, AS1/2?, were compromised with a couple of basic PC setups; however GSM isn't on my agenda at the moment but I will revisit it later. Anyway, any thoughts or information links would be appreciated. Kind regards Oisin Ocean Group, Technical Security Division, Ireland.

6959 From: Date: Sat Feb 22, 2003 0:19pm Subject: Rif: recent incident. > Long story short - scan once locally, scan twice remotely and don't get too > paranoid. I beg to differ: the Three Laws of Paranoia clearly state: 1) Paranoia is never enough; 2) When you get sufficiently paranoid, you'll chase false alarms; 3) It's better to chase a false alarm than not to follow up. :-) Ciao! Remo Cornali

6960 From: Date: Sat Feb 22, 2003 6:43pm Subject: Re: Heres a weird one.. Scan the house, windows and walls, doors, back of chairs, inside walls with window exposures. If you have the time, scan the whole house. Scan wardrobe (especially outer garments). Check the shoes. Nothing on the tires? Email me if you need more. At 04:10 2/22/03, kondrak wrote: >Have a "customer" who's complaining of surveillance. [...]

6961 From: Valance Date: Sun Feb 23, 2003 0:57pm Subject: Re: recent incident. which strain of Code Red did you identify on this server? and just curious, given you ID'd it before McAfee could try, what was the telling symptom that let you know the server was infected? a root.exe file or a hacked index.asp? could netstat find a backdoor on a listening port? the reason i am curious is that the later Code Red strain is a trojan and anti-virus suites are very limited in their trojan functions. few people know this and think trojans are actually virii and that good ole McAfee will take care of everything. generally, trojans need to be removed manually by editing the registry and deleting the individual polymorphically named files that the registry has generated. and as far as detecting their presence, AV suites are not the best choice. 
you really need to use an anti-trojan suite like TDS (Trojan Defense Suite), learn the function of all the TCP and UDP ports and how to monitor the ports' behavior on the server. the best site around, i think, to start is: http://tds.diamondcs.com.au/html/danger.htm - you will be able to download trial versions of their software and learn about vulnerable ports and over 20,000 strains of trojans. it's fun. but you know, it sounds like your McAfee guy may not have been the expert about the difference between virii and trojans and responded with anything they thought you might believe rather than actual information. i know McAfee supports Win2000 and it says so on their site: http://www.mcafee.com/myapps/vs7/default.asp#sysReq (VirusScan software system req). however, i know when i used to test trojans for their spy capabilities in the pre-911 days, we had McAfee installed on W98 and it never found any of the trojans we tested, even though some of their names did appear in McAfee's virus definitions list. we would laugh and pin a red PhD, BS sticker on their boxes :) kk
--- In TSCM-L@yahoogroups.com, "Michael Puchol" wrote: > Hi Matt, > > Good advice - I'm going to add my own grain of sand to the paranoia scale. [...]

6962 From: refmon Date: Sun Feb 23, 2003 4:17pm Subject: re: recent incident Hi, This is my first post here - the name is John Collins; I have been learning a great deal, thank you all. With regard to this virus issue outlined in this thread, while we are not PC or Mac mechanics of the most elite species, we have had some experience with odd PC behaviors and also misbehavior of antivirus programs. We are running mixes of Win95, Win98, Win2000 and using various vintages of Norton Utilities with Antivirus...oddly, the older equipment with the older versions seem much more stable in the long term....less mysteries, less hard crashes. Maybe the older equipment doesn't support the newer viruses? We have a fairly simple, high quality network consisting at this time of two Dell 2.5GHz P4 PCs, a couple of printers, and a CAD plotter in the main office AND a remote lab with two Radisys Telco 5500 server chassis running as plain PCs, 2 Dell PII 266MHz PCs and a local HP AdvanceStack hub. The remote lab prints and plots to the office. The entire system is hung on a DSL modem with a SonicWall firewall (pretty bulletproof itself, but really poor support experiences). We have experienced several issues with piggy-backed viruses that slip in on downloads and emails...most are snagged by either my AV or Wormguard software. I currently have one PC out of service after a download carrying a fairly violent "thing" that took out all drivers, took antivirus offline, and triggered a reboot. Actually what happened is the registry was trashed and then the reboot restored things automatically except the behavior of AV was highly modified and the "thing" had heavily installed itself. 
At the first sign of odd behavior, we pull the network connections to isolate the problem ... hopefully. We also periodically back up the registry files in a mis-named directory with the files misnamed so viral sweeps don't find the backups...this is at best a minor help. The Modified AV protected itself from my attempts to shut it off and fought violently with me as I tried to troubleshoot. I finally rebooted in DOS and manually deleted all the AV directories and the registry files. I then rebooted and lo and behold, had a perfectly working PC (that I don't trust)...the Antivirus, to an extent, had been turned against me, or rather the PC. I have had to set up a two-PC-network and recover files of value and rescan the files for viruses, worms, spyware, and trojans. I'm coming up with quite a collection - mostly spyware, one alleged Trojan (not clear...behaves like...), several older viruses including "monkey B", which is at least 6 years old. (The current config/build on this PC is less than 1 year old). This PC will be burned to the ground and rebuilt after preliminary disk-wipes. The disk will then be hung on another scsi PC bus and wiped to a pass depth of about 6 - 8 passes. The PC will then be rebuilt. Oddly enough, all other PC's check clean and exhibit none of the odd behaviors...it seems the single Radisys was targeted. We have also found that as the paranoia level rises, we set our protections tighter and tighter. We're finding you can set too tight to the point where virus scans, cleansweeps, and registry sweeps can mistake innocent software for viruses, etc. Symptoms of this include mysterious halting of accessory operation (driver gets nabbed). I have no pat answers, to be sure, although we are revising our browsing procedures, which have been quite lax, so as to put some common sense out front... in our office we don't have the rampant personal use on the business net problem, but we have leaned very heavily on firewalls and AV and wormguard software. 
Our immediate goal is to reduce exposure. In addition to common sense browsing, email usage, etc, we are taking to shutting down PCs instead of allowing them to idle during unused periods. Further, we are disabling "auto update" functions in Windows, antivirus, etc. Any updates will be managed manually, thus managing trips out on the internet. Additionally, as we wrestle with this stuff, we've learned that a lot of malicious code depends heavily on sharing paths...we are entirely reevaluating our shared resources setup. Obviously, there is no single fix or software package that can deal with this...I do not envy the IT guys in larger companies that do not run constant training and security sweeps. thanks for listening John Collins President, Reference Video, Inc. Oregon
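The pattern Matt describes at the top of this thread (one workstation making SMB connection attempts only at executive and administration systems, plus mail to an external gateway) is easier to spot from network logs than from a host-local AV scan, which is the point both Matt and Valance end up making. The following is an added example, not any list member's tooling: it runs over a constructed firewall/flow log (the log format, the 10.1.0.0/16 addressing, the host-role table and the TEST-NET address 203.0.113.25 standing in for the AOL gateway are all assumptions of the example) and flags sources that show the selective-SMB-plus-external-SMTP combination. The small `new_listeners` helper covers Valance's separate point about comparing listening ports against a baseline rather than expecting the AV engine to find a backdoor on a port.

```python
"""Flag the traffic pattern from the 'recent incident' thread: one host
making SMB connection attempts only to executive/admin systems plus
outbound SMTP to an external gateway.

Added example, not any list member's tooling.  The log format, the
10.1.0.0/16 addressing, the host-role table and the external address
203.0.113.25 (TEST-NET-3, standing in for the AOL gateway) are all
constructed for this illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed asset table.  In practice this comes from an inventory;
# the "exec" / "admin" / "general" split is an assumption of the example.
HOST_ROLE = {
    "10.1.1.5": "admin",     # file/print server
    "10.1.1.6": "admin",     # domain controller
    "10.1.2.10": "exec",     # CEO workstation
    "10.1.2.11": "exec",     # CFO workstation
    "10.1.4.23": "general",  # secretary's workstation (the suspect)
    "10.1.4.24": "general",
    "10.1.4.25": "general",
}
INTERNAL = ipaddress.ip_network("10.1.0.0/16")
SMB_PORTS = {139, 445}
SMTP_PORT = 25

# Constructed firewall/flow log, one connection attempt per line.
SAMPLE_LOG = """\
2003-02-22 09:12:01 src=10.1.4.23 dst=10.1.1.5 dport=445 proto=tcp
2003-02-22 09:12:03 src=10.1.4.23 dst=10.1.1.6 dport=445 proto=tcp
2003-02-22 09:12:09 src=10.1.4.23 dst=10.1.2.10 dport=139 proto=tcp
2003-02-22 09:12:15 src=10.1.4.23 dst=10.1.2.11 dport=445 proto=tcp
2003-02-22 09:13:40 src=10.1.4.23 dst=203.0.113.25 dport=25 proto=tcp
2003-02-22 09:14:02 src=10.1.4.24 dst=10.1.1.5 dport=445 proto=tcp
2003-02-22 09:14:45 src=10.1.4.24 dst=203.0.113.25 dport=25 proto=tcp
2003-02-22 09:15:00 src=10.1.4.25 dst=10.1.4.23 dport=445 proto=tcp
2003-02-22 09:15:07 src=10.1.4.25 dst=10.1.4.24 dport=445 proto=tcp
2003-02-22 09:15:12 src=10.1.4.25 dst=10.1.1.5 dport=445 proto=tcp
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_log(text):
    """Yield (src, dst, dport) for each line that matches the log format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def is_internal(addr):
    """True for addresses inside INTERNAL; unparsable strings count as external."""
    try:
        return ipaddress.ip_address(addr) in INTERNAL
    except ValueError:
        return False


def analyze(text, min_targets=2):
    """Return {src: finding} for sources matching the incident's pattern.

    'high'   : SMB attempts to >= min_targets exec/admin hosts and to no
               'general' host (selective, not worm-like spraying), AND
               SMTP to an address outside INTERNAL (keylog exfil path).
    'medium' : only one of the two indicators present.
    """
    smb_targets = defaultdict(set)    # src -> {(dst, role)}
    smtp_external = defaultdict(set)  # src -> {dst}
    for src, dst, dport in parse_log(text):
        if dport in SMB_PORTS:
            smb_targets[src].add((dst, HOST_ROLE.get(dst, "unknown")))
        elif dport == SMTP_PORT and not is_internal(dst):
            smtp_external[src].add(dst)

    findings = {}
    for src in set(smb_targets) | set(smtp_external):
        high_value = {d for d, r in smb_targets[src] if r in ("exec", "admin")}
        general = {d for d, r in smb_targets[src] if r == "general"}
        selective_smb = len(high_value) >= min_targets and not general
        exfil = bool(smtp_external[src])
        if selective_smb and exfil:
            severity = "high"
        elif selective_smb or exfil:
            severity = "medium"
        else:
            continue
        findings[src] = {
            "severity": severity,
            "smb_high_value": sorted(high_value),
            "smtp_external": sorted(smtp_external[src]),
        }
    return findings


def new_listeners(baseline, current):
    """Ports listening now that were absent from a known-good snapshot.

    Both arguments are sets of (proto, port) as read off `netstat -an`;
    a baseline comparison, not the AV engine, is what shows a backdoor
    sitting on a listening port.
    """
    return sorted(set(current) - set(baseline))


if __name__ == "__main__":
    for src, f in sorted(analyze(SAMPLE_LOG).items()):
        print(src, f["severity"], f["smb_high_value"], f["smtp_external"])
```

On the constructed log, 10.1.4.23 comes out "high" (four exec/admin SMB targets, no general ones, plus external SMTP), 10.1.4.24 "medium" (external SMTP only), and 10.1.4.25, which sprays SMB at general hosts as well, is not reported; that last distinction is what separates Matt's targeted case from ordinary worm noise. The thresholds and role table are the parts to tune to a real network.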