CyberWire Dispatch / Copyright (c)1996/ December 26, 1996 /

Jacking in from the "Spam in the Stocking" Port:

Unamailer Delivers Christmas Grief

by Lewis Z. Koch
Special to CyberWire Dispatch

"johnny xchaotic," also known as the "Unamailer," is back, and twenty-one individuals -- many of whom are deeply involved in the Internet -- journalists, the heads of computer companies such as Microsoft, politicians, and religious figures -- received a "denial of service" Christmas present they wished they didn't have.

johnny, and possible friends of johnny, effectively halted these individuals' ability to send and receive E-mail, a denial of service attack whose effects may take days to undo.

Among those hit were prominent journalists including magazine columnist Joel Snyder, because, in xchaotic's words, "your last article in 'Internet World' places all the blame of my actions on an innocent person." Also hit was the magazine's editor Michael Neubarth because of his failure to "apologize" for what were termed journalistic errors.

Political figures, such as former Presidential candidate Pat Buchanan and U.S. Senate wannabe David Duke, also were targets. Religious figures such as Pat Robertson and Billy Graham were subject to e-mail bombings, as were members of the Church of Scientology and members of the KKK.

Microsoft's Bill Gates and several people from the cable channel MTV also were among those apparently attacked. Others hit include Carolyn Meinel who operates a "Happy Hacker" mailing list, the Ku Klux Klan, MTV and the Nazi party.

All told, 21 individuals were hit, some, like Gates, for the second time. This is the second time in six months that the work of one or more individuals has exploited relatively simple vulnerabilities in Internet e-mail lists.

The first attack, in August, targeted more than 40 individuals, including Bill Clinton and Newt Gingrich and brought a torrent of complaints from the people who found their names sent as subscribers to some 3,000 E-mail lists. By comparison to the Christmas attack, even that relatively modest attack sent enough e-mail to the targeted recipients that it effectively halted their computers' ability to process the messages.

This attack is estimated to involve 10,139 listserv groups, 3 times greater than the one that took place in the summer, also at xchaotic's instigation. If each mailing list in this attack sent just a modest 10 letters to the targeted individuals' computers, those individuals would receive more than 100,000 messages. If each listing system sent 100 messages -- and many do -- then the total messages could tally 1,000,000.

Once again, johnny xchaotic has offered an "open letter," given to this reporter before it was scheduled to be posted throughout the Internet, as a way to explain the reasons behind the attack. He also taunted the FBI, telling the agency not to "waste tax dollars trying to track me" because "there are a lot more dangerous people out there you should be concentrating on." (The complete letter will be released shortly to the Net by johnny.)

The open letter, and the information outlining the e-mail blast, were given to this reporter as the "attack" was concluding. The attack began the evening of December 24 just before midnight and took four hours, eight minutes and twenty-nine seconds.

"They [listserv-based mailing lists] could stop this kind of attack tomorrow," one source close to johnny said, "if they only took the simplest of precautions -- like authentication." Authentication is a means by which the listing system, instead of agreeing to the "subscription" and then automatically forwarding tens or hundreds of letters to the subscriber, would first ask if the person really wanted to subscribe. This "verification" could come as an electronic mail message to the subscriber asking for confirmation.

If this process had been in place, someone subject to an E-mail denial of service attack would receive only one letter from each list -- the authentication confirmation query asking, do you really want this E-mail? -- because the list would wait for an answer before sending on 10 or 100 messages.
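The confirmation step described above, sketched as an added example (not code from the article or from any real list server; the class, secret, list name and addresses are constructed for illustration). It shows that a subscription forged by a third party produces exactly one confirmation query and no list traffic unless the mailbox owner returns the token.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: a secret known only to the list server
TOKEN_TTL = 48 * 3600              # assumption: confirmation window, in seconds

class ListServer:
    """Toy list manager: a subscription stays pending until it is confirmed."""
    def __init__(self, name):
        self.name = name
        self.pending = {}      # address -> time the request was received
        self.members = set()
        self.outbox = []       # (recipient, subject) for every message sent

    def _token(self, address, issued):
        msg = f"{self.name}|{address}|{issued}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def request_subscribe(self, address, now):
        # Anyone can name any address, so send one query and nothing else.
        issued = self.pending.get(address)
        if address in self.members or (issued is not None and now - issued <= TOKEN_TTL):
            return None        # repeated requests must not multiply mail
        self.pending[address] = now
        self.outbox.append((address, f"confirm {self.name}"))
        return self._token(address, now)   # travels only inside that e-mail

    def confirm(self, address, token, now):
        # Only someone who can read the address's mailbox knows the token.
        issued = self.pending.get(address)
        if issued is None or now - issued > TOKEN_TTL:
            return False
        if not hmac.compare_digest(token, self._token(address, issued)):
            return False
        del self.pending[address]
        self.members.add(address)
        return True

    def post(self, subject):
        for member in sorted(self.members):
            self.outbox.append((member, subject))

def forged_signup_mail_count(posts=100):
    """Mail received by an address that was signed up by someone else and never confirmed."""
    srv = ListServer("demo-list")
    srv.request_subscribe("victim@example.org", now=0)
    for i in range(posts):
        srv.post(f"digest {i}")
    return sum(1 for rcpt, _ in srv.outbox if rcpt == "victim@example.org")
```
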

"They're either too lazy or too dumb to do that -- so they have to pay a price," this source said, indicating that the attacks would continue until the administrators "get it right," indicating that johnny and his friends want to pressure administrators into authentication.

In these kinds of instances, individuals who have been hit wind up quickly canceling their e-mail accounts, thus passing the responsibility for canceling the "subscription" back to the list administrator. Many suspect the authentication-confirmation process is viewed by listserv systems administrators as an inconvenience and confusing to the subscriber and so, they just avoid it.

The attack, however, may be a violation of federal law, punishable by up to five years in prison, or $250,000.00 in fines or both. While there are techniques for tracing this kind of attack when there is advance warning, knowledgeable sources say that this kind of attack is very difficult to trace once the attack has occurred.

johnny xchaotic has been labeled a 'Net terrorist,' which, according to some, debases the meaning of the word "terrorism." No one knows who johnny is. He was misidentified earlier by Internet Underground magazine as a well known hacker who calls himself "se7en." This identification proved false.

One person close to "johnny xchaotic" said the FBI and Secret Service had been contacted about the illegality of this kind of hack but said they had no interest in this kind of "Net" attack. "We have bigger fish to fry," was the response from law enforcement officials, according to this person. This attitude was confirmed by a former federal prosecutor who said the few federal investigators who understood computers and the Internet were stretched thin in their attempts to apprehend serious cyber-criminals, or to pursue high profile but relatively unimportant cases against hackers such as Kevin Mitnick. There has been a tendency on the part of law enforcement and the media to grossly overestimate the monetary damage caused by hackers.

"johnny" and those close to him made it clear that there would be a continuation of these kinds of email "denial of service" attacks.

These same sources say those few Federal investigators with the Secret Service and the FBI who are computer literate and savvy about hacking are stretched thin in attempts to solve serious multimillion dollar computer crimes, the vast majority of which are committed by insiders against the companies they work for.

It is far easier, these sources say, to track down, arrest and jail 16-year-old hackers who brag about their exploits to friends and fellow hackers than to track down a true professional computer cracker on assignment from one company to search and steal the files of a competitor company. While it may take up to three years to investigate and prosecute one important computer thievery case, teenage hackers can be arrested every few months, thus improving the "stats" by which the FBI and other agencies make their mark and their budgets.

This repeated E-mail denial of service attack will be sure to reignite the debate about the "moral" issues surrounding hackers and hacking. What may be ignored -- again -- is the failure to rectify the problem after the first attack back in August. Immediately following the first E-mail bombing attack, the Computer Emergency Response Team (CERT) was quick to tell the media that while they had no "solution," they had "hopes" they would be able to "limit the impact" of these kinds of attacks. Today's three-fold attack showed that a six month period of study "hoping to limit the impact" has been futile.

Vital communications do not appear to have been slowed down. The attack is a major "inconvenience" to be sure. Others argue that "complacency" is the only true victim of this attack.

The temporary inconvenience caused by a few days' loss of E-mail privileges might seem to pale in significance beside those who were killed and maimed by the terrorists' bombing of the Federal Building in Oklahoma City, or at the World Trade Center in New York, or in Atlanta at the '96 Olympics, or those who opened packages from the Unabomber and were killed.

Prominent government officials like U.S. Deputy Attorney General Jamie Gorelick have called for the development of the equivalent of a "Manhattan project" to stop hackers, though the specifics of what kind of "bomb" Gorelick would develop and on whom she would drop "the bomb" are vague.

Unsafe at Any Modem Speed

On December 16, a computer attack against WebCom knocked out more than 3,000 Web sites for 40 hours, curtailing Website shopping. The attack -- a "SYN-flood" -- sent as many as 200 messages a second against the WebCom host computer. This was the same kind of attack that brought down the popular New York Internet provider Panix for more than a week in September.

While Seattle computer security consultant Joel McNamara is sympathetic toward WebCom's users' problems, he allows less leeway to the company. "The SYN-flood denial of service attack has been known for months, and there are a variety of solutions for addressing it," McNamara said, "I'd be curious as to what, if any, security measures WebCom, a large provider, had in place to deal with a well-known SYN-flood attack. If I couldn't conduct business for 40 hours, I'd have some serious questions to ask."

McNamara believes a great deal of the responsibility for the success of these kinds of known attacks rests on the shoulders of managers and systems administrators who do not fully "understand the implications of poor security practices. While the industry hasn't seen this happen yet, it's just a matter of time before a customer files a lawsuit against a service provider because of damages caused by ineffective security," he predicts.

FBI agents have been undergoing some education in computer related crimes, but sources say the educated ones are few in number and burdened by too many cases. On the other hand, the FBI has singled out small but prominent hackers for arrest and prosecution, hoping the jailing of these individuals who are well-known to the Net would be a deterrent to other younger people considering hacking. The recent adolescent-like hacking of the Department of Justice Web site seems to indicate that hackers aren't all that deterred.

There are other indications that Web page hacks are going to become more political, and perhaps even more dangerous than in the past. The recent hack of the Kriegsman Furs company Web page by animal rights activists indicates one new, sophisticated path. In this attack, the hackers left a manifesto, as well as links to animal rights sites throughout the Web. How easy was it to do? "Security for the site was extremely weak," says McNamara, "The commonly known PHF exploit was likely used to retrieve a system file, which contained a series of easy to crack passwords." Presto, chango. Pro-fur into anti-fur.

"It's too easy to pass the blame off on hackers," McNamara says. Like the keys in the car or in the front door, "maintaining an insecure site is just an invitation to problems." Those who were responsible for today's denial of service attack were careful to repeatedly point out to this reporter how "unsophisticated" their attack was and how easily it could have been avoided if the list managers had only taken minimal precautions. "It's kind of like buying new locks and getting an alarm system after everything in the house is stolen. Sure it will probably prevent it from happening again, but if you took the precautions in the first place, the damn thing wouldn't have occurred," he concludes.


Lew Koch can be reached at:

Copyright © 1996 CyberWire Dispatch / Brock N. Meeks <>