ch20.htm

From "Maximum Security (First Edition), Network Security, English" · HTM source · 1,184 lines total · page 1 of 4

<HR></BLOCKQUOTE>
<H3><FONT COLOR="#000077"><B>Unserialize Photoshop</B></FONT></H3>
<P>Unserialize Photoshop is a standard serial number-killing utility, designed to circumvent serial number protection on Adobe Photoshop. This utility really falls into the traditional cracking category. I don't think that this type of activity does much to shed light on security issues. It is basically a tool to steal software. Therefore, I will refrain from offering any locations here. Adobe is a good company--perhaps the only company ever to get the best of Microsoft. My position on stealing software (though I've stated it before) is this: You want free software? Get FreeBSD or Linux and go GNU. This way, you get quality software for free and still maintain extreme cool.
<BLOCKQUOTE>
<P><HR><FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>A large portion of the Macintosh community that labels itself &quot;hackers&quot; engages in piracy and unlawful use of copyrighted software. Newsletters and other documents containing serial numbers for all manner of software are posted monthly. (These documents often exceed 300KB in length and include hundreds of serial numbers. The most famed such distribution is called &quot;The Hacker's Helper,&quot; which typically comes out once a month.) While this is their own affair, I should relate here that this type of activity is the precise antithesis of hacking. The only thing worse than this (and more removed from hacking) would be to steal such software and claim that you wrote it.
<HR></BLOCKQUOTE>
<H3><FONT COLOR="#000077"><B>WordListMaker</B></FONT></H3>
<P>WordListMaker is a utility designed to manage dictionary files.
This is invaluable if you plan to crack password files of any size, or files on which the users may speak more than one language (forcing you to use not only American English dictionaries, but perhaps others, including British English, Italian, French, German, and so forth). The utility is designed to merge dictionary files, a function that on a UNIX system takes no more than a brief command line but that, on many other platforms, can be a laborious task.
<BLOCKQUOTE>
<P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>WordListMaker is located at <A HREF="ftp://whacked.l0pht.com/pub/Hacking/WordListMaker1.5.sit"><TT>ftp://whacked.l0pht.com/pub/Hacking/WordListMaker1.5.sit</TT></A>.
<HR></BLOCKQUOTE>
<H3><FONT COLOR="#000077"><B>Remove Passwords</B></FONT></H3>
<P>Remove Passwords is a nifty utility that removes the password protection on Stuffit archives. Stuffit is an archiving utility much like PKZIP or GZIP. It is more commonly seen on the Macintosh platform, but has since been ported to others, including Microsoft Windows. You can acquire Stuffit at <A HREF="ftp://ftp.aladdinsys.com/"><TT>ftp://ftp.aladdinsys.com/</TT></A>. Remove Passwords bypasses password protection on any archive created (and password protected) with Stuffit.
<BLOCKQUOTE>
<P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Remove Passwords is available at <A HREF="http://www.yatho.com/weasel/files/RemovePasswords.sit"><TT>http://www.yatho.com/weasel/files/RemovePasswords.sit</TT></A>.
<HR></BLOCKQUOTE>
<H3><FONT COLOR="#000077"><B>RemoveIt</B></FONT></H3>
<P>RemoveIt is a utility almost identical to Remove Passwords. It strips the passwords from Stuffit archives.
<BLOCKQUOTE>
<P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>RemoveIt is available at <A HREF="http://www.yatho.com/weasel/files/RemoveIt.sit.bin"><TT>http://www.yatho.com/weasel/files/RemoveIt.sit.bin</TT></A>.
<HR></BLOCKQUOTE>
<H2><FONT COLOR="#000077"><B>Tools Designed Specifically for America Online</B></FONT></H2>
<P>The tools described in the following sections are designed primarily to subvert the security of America Online. Specifically, the majority of applications in this class steal service from AOL by creating free accounts that last for several weeks. Use of most of these tools is illegal.
<H3><FONT COLOR="#000077"><B>Maohell.sit</B></FONT></H3>
<P>Currently available at 13 sites on the Net, Maohell.sit is the Macintosh port (or rather, equivalent) of the famous program AOHELL. AOHELL allows you to obtain free access to America Online services. It can create bogus accounts that are good for several weeks at a time. The utility also comes with various tools for harassment, including an automated mailbombing utility and some chat room utilities.
<BLOCKQUOTE>
<P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Maohell.sit is available at <A HREF="ftp://whacked.l0pht.com/pub/AOLCrap/Maohell.sit"><TT>ftp://whacked.l0pht.com/pub/AOLCrap/Maohell.sit</TT></A>.<BR>
<HR></P>
<P><HR><FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>AOHELL and Maohell may soon be entirely worthless. America Online has made extensive inroads in eliminating this type of activity. For example, it was once a simple task to use nonexistent but &quot;valid&quot; credit card numbers to register with AOL. You could use an algorithm that would generate mathematically sound credit card numbers. Cursory checks then performed by AOL were insufficient to prevent such activity. That climate has since changed.
<HR></BLOCKQUOTE>
<H3><FONT COLOR="#000077"><B>AOL4FREE2.6v4.sit</B></FONT></H3>
<P>AOL4FREE2.6v4.sit, which manipulates the AOL system, forcing it to interpret you as always occupying the &quot;free&quot; or demo section of AOL, has caused quite a controversy. The author was arrested by the United States Secret Service after being identified as the creator of the software.
He currently faces very heavy fines and perhaps a prison sentence. Here's a report from a recent news article:
<DL>
<DD>Known online as Happy Hardcore, 20-year-old Nicholas Ryan of Yale University entered his plea in federal district court in Alexandria, Virginia. The felony offense carries a fine of up to $250,000 and five years in prison. Sentencing is set for March. Ryan used his illegal software, dubbed &quot;AOL4Free,&quot; between June and December 1995. He also made it available to others. The investigation was carried out by the Secret Service and Justice Department's computer crime section.</DL>
<BLOCKQUOTE>
<P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The preceding paragraph is excerpted from the article &quot;Hacker Admits to AOL Piracy&quot; by Jeff Peline. It can be found online at <A HREF="http://www.news.com/News/Item/0,4,6844,00.html"><TT>http://www.news.com/News/Item/0,4,6844,00.html</TT></A>.
<HR></BLOCKQUOTE>
<P>One interesting document regarding the whole affair is located at <TT>wku.edu</TT>. The author shows a series of messages between AOL personnel discussing the AOL4FREE problem. (These messages were intercepted from e-mail accounts.) The communication between AOL's inner staff discussed various signatures that AOL4FREE would leave on the system during a sign-on. Having identified these sign-on signatures, the staff were ready to &quot;...get verification from TOS and then hand [the crackers] over to the Secret Service.&quot;
<BLOCKQUOTE>
<P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The quote in the previous paragraph is excerpted from a message from MayLiang that was forwarded to Barry Appelman regarding AOL4FREE. That message can be found online at <A HREF="http://www.cs.wku.edu/~kat/files/CRNVOL3"><TT>http://www.cs.wku.edu/~kat/files/CRNVOL3</TT></A>.
<HR></BLOCKQUOTE>
<P>However, things did not go as well as the internal staff of AOL had hoped.
Since their e-mail was intercepted, a new version of AOL4FREE was created that fixed the problem. Thus, the new version would continue to work, even after AOL had installed their &quot;AOL4FREE Detector.&quot; This is discussed in the document:
<DL>
<DD>Looks pretty bad, doesn't it, with the Secret Service and everything. But not to worry...with v4 of AOL4Free, you are much harder to detect! You see, what AOL4Free does is send the free token after every real token. When you are signing on, you send the &quot;Dd&quot; token with your screen name and password, and a free &quot;K1&quot; token is sent afterward. However, because you aren't really signed on yet, AOL sees the K1 token as a bug and records it in a log. All the Network Ops people had to do is search their logs for this bug and voil&#224;, they had their AOL4Free users. v4 is modified so that it doesn't send the free token after &quot;Dd&quot;.</DL>
<BLOCKQUOTE>
<P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The previous paragraph is excerpted from an article titled &quot;AOL4FREE--Can I Get Caught?&quot; which ran in <I>Cyber Rights Now!</I>. The article, by Sloan Seaman (<A HREF="mailto:seaman@pgh.nauticom.net"><TT>seaman@pgh.nauticom.net</TT></A>), can be found online at <A HREF="http://www.cs.wku.edu/~kat/files/CRNVOL3"><TT>http://www.cs.wku.edu/~kat/files/CRNVOL3</TT></A>.
<HR></BLOCKQUOTE>
<P>It will be interesting to see what happens. I have a strong feeling that new versions of AOL4FREE are about to be released. (Don't ask me why. Call it a premonition.) From my point of view, this would not be so bad. In my not-so-humble opinion, AOL has, until very recently, engaged in Information Superhighway robbery.
However, that opinion does not carry enough weight for me to print the location of version 4 in this book.
<H2><FONT COLOR="#000077"><B>The WebStar Controversy</B></FONT></H2>
<P>On October 15, 1995, a challenge was posted to the Internet: A Macintosh Web server running WebStar was established and offered as a sacrificial host on the Net. If anyone could crack that server, that person would be awarded $10,000.00. The challenge was a demonstration of the theory that a Mac would be more secure than a UNIX box as a Web server platform. Did anyone collect that 10 grand? No.</P>
<P>Chris Kilbourn, the president and system administrator for digital.forest, an Internet service provider in Seattle, Washington, posted a report about that challenge. (I will be pointing you there momentarily.) In it, he explains:
<DL>
<DD>In the 45 days the contest ran, no one was able to break through the security barriers and claim the prize. I generally ran the network packet analyzer for about 3-5 hours a day to check for interesting packets destined for the Challenge server. I created packet filters that captured all TCP/IP network traffic in or out of the Challenge server. One of the more amusing things was that even with all the information about the technical specifications of the Challenge server posted on the server itself, most of the people who tried to bypass the security thought that the server was a UNIX box! TCP/IP services on a Macintosh lack the low-level communications that are available on UNIX systems, which provides additional security.
If you are careful to keep your mail, FTP, and HTTP file spaces from overlapping, there is no way to pipe data from one service to another and get around security in that manner.</DL>
<BLOCKQUOTE>
<P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The previous paragraph is excerpted from Chris Kilbourn's article titled &quot;The $10,000 Macintosh World Wide Web Security Challenge: A Summary of the Network and the Attacks,&quot; and can be found online at <A HREF="http://www.forest.net/advanced/securitychallenge.html"><TT>http://www.forest.net/advanced/securitychallenge.html</TT></A>.
<HR></BLOCKQUOTE>
<P>So what really happened here? Did the challenge ultimately prove that a Mac is more secure than a UNIX box as a Web server platform? Yes and no. To understand why both answers are valid, you need to know a few particulars.</P>
<P>First, the machine included in the challenge was running only a Web server. That is, it did not run any other form of TCP/IP server or process. (How realistic that would be for a Mac serving as anything other than exclusively a Web server is an area of some dispute. However, for the moment, we are dealing with a simple Web server.)</P>
<P>Therefore, the simple answer is yes, a standalone Mac Web server is more secure than a full-fledged UNIX server running a Web daemon. However, that is not the end of the story. For example, the UNIX server can do things that the Mac server cannot. That includes file transfers by a dozen or more different protocols. It also includes handling file sharing with more than a dozen platforms. The key here is this: For a sacrificial Web server, the Mac is a better choice (that is, unless your system administrator is very well versed in security). UNIX has just too many protocols that are enabled by default. Part of the security gained by the Mac lies in the fact that there is no command interpreter behind the Web server that is well known to UNIX or IBM users. However, there <I>is</I> a way to crack such a server.
Here's a report from an Apple Technical article:
<DL>
<DD>Through the power of AppleScript and Apple events, WebSTAR can communicate with other applications on your Macintosh to publish any information contained in those programs. For example, if your company information is in a FileMaker Pro database, Web client users can query it via HTML forms to get the data using the FileMaker CGI (Common Gateway Interface) for WebSTAR. It's powerful and easy to use.</DL>
<P>The AppleScript engine is indeed an interpreter; it's just not one known intimately by a large population of non-MacOS users. The problem must therefore be approached by someone who is deeply familiar with TCP/IP, AppleScript, and cracking generally. I would imagine that the list of such persons is fairly short. However, these are the elements that would be required. So know that it is not impossible. It is simply that the majority of cracking knowledge has been UNIX-centric. This will change rapidly now that the Internet is becoming so incredibly popular. Apple experts advise that security issues should remain a constant concern if you are providing remote services. In a document designed to provide guidance in setting up an Internet server, the folks at Apple offer this:
<DL>
<DD>Although Mac OS-based services present a much lower security risk than services run on UNIX machines, security considerations can never be taken too seriously on the Internet. Many routers have a number of &quot;firewall&quot; features built in, and these features should be carefully considered, especially for larger networks. Although most Mac OS security issues can be addressed simply by ensuring that access privileges are set correctly, investigating additional security options is always
