Publications


Advisories

Starting in September of 1998, we began formalizing our advisories. Here is a list of the advisories issued since that time. We've also got a disclosure policy.

Microsoft Windows Silent Adhoc Network Advertisement

20060114: After a 3 1/2-year lull, an advisory is released! Pity it is a lame Windows wireless bug.

Web Traversal in Critical Path inJoin V4.0 and Cross-Site Scripting in Critical Path inJoin V4.0

20020510: Cyberiad finds a couple of problems in Critical Path inJoin V4.0 Directory Server.

KeyManager Issue in ISS RealSecure on Nokia Appliances

20020319: Oops. ISS left in a default account in RealSecure on Nokia appliances which allows for remote manipulation.

OpenFile Win32 API Log Overwriting/Rewriting

20020114: Cyberiad finds both Microsoft's IIS 4 and Symantec's Norton Internet Security 2001 are vulnerable to log files being rewritten via Windows APIs.

Numerous Issues with Valicert Enterprise VA

20011204: Cyberiad and Phuzzy L0gik have some fun exploring Valicert's CGI program, including finding numerous buffer overflows, info leaking, and even weak random numbers.

Sun's NetDynamics Reusable Session ID

20011126: Phuzzy L0gik plays with some Sun products and turns up a bug. NetDynamics session IDs can be reused, allowing session hijacking.

NetWare Enterprise Web Server and GroupWise WebAccess

20010814: Adept finds some GroupWise issues, and NMRC helps him publicize it.

Specter IDS DoS and Other Issues

20010527: hellNbak has found a number of problems with the Specter IDS, including DoS (a simple port scan can cause CPU usage problems) and remote identification of its honeypot nature (you see, it really isn't an IDS to begin with...).

File Sniffing in Netware

19991122: It has always been trivial to sniff file transfers between a server and a workstation. NMRC now automates the process in the latest version of Pandora.

HackerShield Service User

19990910: Bindview's product HackerShield is a security scanner with a number of impressive automation features that make use of a Service User to allow HackerShield to run unattended. Unfortunately, the Service User is not machine specific, making anyone who has downloaded the product, including the demo, vulnerable to potential attack. Here's Bindview's response.

NetWare 5 Hijack Vulnerability

19990715: Originally reported 13 months ago, some of the same spoof and hijack tricks that worked on Netware 4 work on Netware 5. This advisory simply points that fact out, as the new Pandora v4 simplifies the spoof and hijack tricks.

NetWare 4.x TTS Problem

19990512: Netware 4.x servers not running the latest patches are vulnerable to a nasty Denial of Service bug that can potentially crash multiple servers simultaneously.

NAI AntiVirus Update Problem

19990505: Under certain conditions Network Associates VirusScan NT will not properly update the virus definition file, leaving the NT server or workstation vulnerable to viral attack.

"Decryption" of RCONSOLE Password

19981006: If an intruder recovers the encrypted password used during the loading of REMOTE.NLM, it can be easily decrypted on another Netware server.

Lame NT Token Ring DoS

19980930: If you have Token Ring packets with bad data in them, you can crash NT servers and workstations. All four sites running Token Ring should apply the RIF Hot Fix from Microsoft (ask them for it, it's not on their FTP site).

GroupWise Buffer Overflow

19980923: You can overflow the POP3 and LDAP ports causing the server to crash. Unlike the last advisory, this one has generated lots of thank-yous. Hmmm, revealing user account names is bad, but crashing servers is good. At least with the latest patches only the affected NLM goes south, but we advise to simply not use it. UPDATE 06Oct98 - Novell has released a patch, look for gwia551.exe at support.novell.com. The patch is for GroupWise 5.5 only, so you are forced to upgrade before you can apply the patch.

Default NDS Rights

19980916: Most Netware installers are unaware or uncaring about how much info is revealed from a standard install. Lots of flames on this one from disgruntled sys admins having to fix things because their boss read about it. Sorry folks, some OSes (such as Unix) actually go to some trouble to keep intruders from learning account names. Netware should be this way too.


Announcements

The "Am I Owned?" Service

20030608: NMRC issues a major press release about a new service, which is real (we swear, you can trust us, right?)... Oh and we also announce our upcoming talks at Black Hat and DefCon.

April Fools Wrap-Up, 2003

20030402: Trust no one... except for us, of course.

A Step Towards Information Anarchy: A Call To Arms

20011102: hellNbak announces Information Anarchy.

Pandora 4 Beta 2.1 Announcement

19991201: The announcement of the release of Pandora 4 Beta 2.1 for Linux.

Simple Nomad at ToorCon2000

19991119: ToorCon announced last week that Simple Nomad will be the keynote speaker at the security convention next September in San Diego.

Pandora 4 Beta 2 Announcement

19991119: The announcement of the release of Pandora 4 Beta 2, with improved drivers, improved GUI and lots of bug fixes.

Pandora 4 Announcement

19990507: The announcement of the release of the beta version of Pandora 4, made right before the Black Hat Briefings.


FAQs

Here are some hacking and informational FAQs. These are NMRC exclusives, developed from work within the lab. These FAQs are the main reason for the lab. Contributors can send hot tidbits to faq@nmrc.org.

The Hack FAQ

This FAQ is a combined NT, Netware, and Unix FAQ discussing hacking. A lot of people have been bugging us about this, so feel free to see what we have so far.

Updated 20030802.

The PowerBook Battery Hack FAQ

Many of you have wondered exactly how to hack a Macintosh Powerbook battery. Thanks to gawdawful long (tm) Netware 5 loads, read exactly how to hack that Powerbook battery. BTW we can't believe we got email about this, yes idiots, it's a joke.

Released 19980717.

The Official NMRC FAQ

Basic questions about NMRC that might explain why your email was deleted without a response.

Updated 20030102.


In The Media

ToorCon Seattle 2008: Lightning talks

20080422, Hack A Day - jrandom's presentation on scratchcard vulnerabilities gets a special mention

Importance of Microsoft patches called understated

20041222, SearchSecurity - Mr. Nomad again bitching about Microsoft; apparently this is a full-time job.

Why Can't Microsoft Catch Its Own Bugs?

20041026, IT Management - Mr. Nomad quoted under his real name again, this time bitching about Microsoft's cranial/rectal inversion problem.

Microsoft sets new Patch Tuesday record

20041014, SearchSecurity - Mr. Nomad quoted under his real name again, bitching about Microsoft. Yawn.

Backdoor program gets backdoored

20040611, SecurityFocus - Mr. Nomad quoted under his real name again, and this time gets in a nice zinger on Microsoft.

Defenses Morph as Viruses Mutate

200404, Security Management Magazine - Mr. Nomad quoted under his real name, talking about virus stuff.

The Mind Of A Hacker

20031110, NWC Security Pipeline - Simple Nomad and a few other hacker-types are interviewed in a pseudo FUD article with a neato catchy title. Wee.

Thwarted Linux backdoor hints at smarter hacks

20031106, SecurityFocus - Kevin Poulsen's story about a backdoor inserted into the Linux kernel, with a quote from Simple Nomad.

Patch your software--it'll help secure the Net

20030804, CNET ZDNET Reviews - An article about the Qualys panel at Black Hat, with a quote from Simple Nomad.

Black Hat puts hacker on mock trial

20030731, CNET News.com - During Black Hat at Hacker Court, Weasel is put on trial. Thank god for the well hung jury -- as good as a win for poor Weasel.

Hackers look to hide communications

20030731, CNET news.com - Simple Nomad releases NCovert at Black Hat and gets some press.

Vulnerabilities Half-life is 30 Days, Says Researcher

20030731, ComputerWire News - An article on the Qualys panel at Black Hat, with a quote from Simple Nomad.

Panel Probes the Half-life of Bugs

20030730, SecurityFocus - Simple Nomad is quoted under his real name, stating the obvious about how quickly the underground works to find and reverse engineer security bugs.

Vandals menacing both sides with defacements in cyber war

20030404, The Star-Ledger - Sioda an Cailleach is quoted on the subject of cyberwar FUD and the companies that profit from it.

Cyber hype

20021205, The Guardian - Simple Nomad and Richard Thieme tell it like it is regarding the hype surrounding cyber terrorism myth.

Stakes higher for hackers

20020812, Reuters - Richard Thieme, RFP, and Simple Nomad are quoted regarding the possible higher stakes of hacking, mainly as a result of the post 9/11 knee-jerk legislation passed by the U.S. Government.

The Dark Side of Hacking Bill

20020727, Wired News - hellNbak gets a quote in about a bill in the House of Representatives that would allow copyright holders to "attack" P2P networks transmitting their copyrighted works.

Some Apache Web Servers Vulnerable To Attack (expired)

20020723, Dow Jones Newswire - Simple Nomad is quoted in an article regarding an Apache flaw. He tries to keep some perspective, as opposed to some of the FUD being displayed by people like Chris Rouland.

Game Consoles -- the Next Hacker Target?

20020619, SecurityFocus - hellNbak is quoted talking about the "potential" of Microsoft's broadband-ready XBox.

Shades of gray at security conference

20020502, CNet - CanSecWest 2002 was a great conference. In spite of being in Canada, the US of A feds were there in force, and Simple Nomad makes sure to give them some shit.

Consumer Group Reports Hacker Break-Ins (expired)

20011119, Newsbytes - Ralph Nader's Consumer Project on Technology had some security incidents on their Internet servers, and Simple Nomad comments.

Hackers call for info anarchy

20011107, vnunet - More of hellNbak in the news with another article on the Information Anarchy 2K01 movement.

'White Hat' Hackers Threaten Information Anarchy (expired)

20011106, Newsbytes - The Information Anarchy announcement from hellNbak gets some press, and hellNbak does an email interview.

Hackers Put A Price Tag On New Attack Tool

20011018, Newsbytes - The SSH crc32 attack uncovered last February is finally being exploited en masse as script tools begin to circulate in the underground. Simple Nomad quoted.

Terrorists' Online Methods Elusive

20010918, Washington Post - Article about steganography and terrorism. Simple Nomad is quoted under his real name.

Microsoft Releases Code Red Cleanup

20010808, Newsbytes - Microsoft releases a tool to clean up after Code Red II and Simple Nomad comments on what the tool does *not* do.

The Weakest Link (paid archive)

20010717, Interactive Week - Story that discusses upper management being a weak link in computer security. Simple Nomad is quoted under his real name.

Microsoft Sites Inaccessible

20010125, Washington Post - Questions asked about a Microsoft outage that impacted microsoft.com, msnbc.com, and hotmail.com. Simple Nomad has a couple of answers.

Secure Strategies

20000807, Information Security Magazine - A story by Al Berg that talks about the various commercial security scanners and the vendors' R&D groups. Simple Nomad gets a mention for the BindView RAZOR team.

Specter of Web attacks looms anew (paid archive)

20000806, Inter@ctive Week - A sensationalized story that gets most of the facts correct. Simple Nomad was talking about distributed attacks, not about distributed denial of service. Also note, the talk in October 1999 dealt with stealth communications to control security devices, not denial of service. Techniques used in that talk surfaced in the DDoS attacks in February. The point is that these techniques can be discovered and analyzed before they occur.

Is hacking healthy?

20000405, ZDNet UK - A short article on how healthy hacking is. Which it is. 'cause Nomad says so.

Grey Hats, Black Hats, and Script Kiddies

20000405, ZDNet UK - Another short article that talks about the different types of hackers, including a quote from Simple Nomad under his real name.

Top Hats

20000500, Inside Business Magazine - Local copy of an article that appeared in an Ohio regional magazine. Features comments from Simple Nomad.

Fighting the Dark Side

20000401, Technology Decisions - This sidebar to a magazine article quotes Simple Nomad talking about hacking, and dissing Microsoft.

It's harder to identify the bad guys online

20000328, Christian Science Monitor - Interviews with several hackers including Simple Nomad about the current state of hacking in general.

Who Can Stop Cybervandals? (paid archive)

20000228, U.S. News & World Report - Asks questions about the futile nature of trying to find decent solutions where basically none exist. A one-sentence quote from Simple Nomad.

Hackers Speak

20000221, The Standard - A large number of quotes from various hacker folk, including Simple Nomad, in an article after the wake of Denial of Service attacks.

Respite Follows Hacker Attacks (paid archive)

20000211, Washington Post - More fun as the WP asks questions about denial of service and Simple Nomad (quoted under his real name) throws in a comment.

Web Hacks: Day Three

20000209, The Standard - In the wake of all of the distributed denial of service attacks, Simple Nomad puts in his two cents' worth.

RAZOR, BindView's Newly Named Security Team, Discovers "Syskey Bug" on Microsoft NT Feature

19991222, BindView - Simple Nomad gets a new job, and the new boss releases a press release. BTW Mr. Nomad had nothing to do with the Syskey bug discovery, despite the way the press release reads. It was all Todd Sabin's work.

Microsoft recruits anti-virus vendors to fight Y2K hackers

19991101, Infoworld - Talks about Y2K virus attacks, and gets a quote from Simple Nomad.

Bane of e-commerce: 'We're secure: We allow only Web traffic through our firewall'

19990809, Infoworld - Talks about the danger of web and e-commerce, and mentions the NMRC Hack FAQ, along with other tidbits.

Black Hat conference survives a denial-of-service attack, but will it outlast attrition?

19990719, Infoworld - Summation of the Black Hat Briefings, with a reference to NMRC and Simple Nomad's presentation, including the new Pandora v4.

Worm With an Attitude (paid archive)

19990628, U.S. News & World Report - Talks about the Worm.ExploreZip virus and who is really to blame. Microsoft catches some heat from Simple Nomad and Aleph1. Microsoft continues their mindless lip service.

More on NetWare's Remote hack: Admin status not required to cause problems

19990524, Infoworld - Refers to NMRC as they try to clear up some of the statements their readers had problems with regarding their story on The Ruiner's remote encryption hack.

Novell's Remote encrypted password falls victim to weak security measures

19990426, Infoworld - The Ruiner makes a splash in the press with his RConsole decryption hack. The article mentions NMRC and some of our and Shade's tools.

Do you want some proof that NetWare is alive and well? People are still hacking it

19980803, Infoworld - Attempts to figure out Pandora. They state they tested many of the tools, but they only tested four -- the spoofing ones. They had problems, and we tried to help them, but alas.... due to Novell's complete lack of disclosure, simple configuration issues make Pandora only work under certain conditions. This, coupled with the fact that we don't think the Infoworld security guys like us (see this article for a flavor of their opinion of guys with funny names), means it's not a flattering review.

Hackers demonstrate NetWare IPX 'spoof'

19980720, Computerworld - Article mentioning Simple Nomad and Jitsu-Disk as the ethical hackers behind Pandora.

Who you gonna call?

19980720, LAN Times - Article about system administrator shareware, and where to get it. Mentions Pandora, along with L0phtcrack and some other mainstream resources.

Pandora pokes holes in NetWare

19980715, CNet - Reports news about Pandora, and Novell says the threat isn't that serious but they are taking it seriously. Losing sight of the point, Novell implies locking up your server protects you from Pandora.

NetWare falls prey to hackers

19980713, Infoworld - NMRC lets them know about Pandora, Infoworld tells everyone how we've hacked Netware, and Novell thinks we're cool. Or at least "helpful".

Hackers Track Presidential Pagers (expired)

19980615, WFAA Dallas TX Channel 8 News - Simple Nomad is the so-called "expert" during a story about hackers nabbing FBI pages during a Presidential visit a couple of weeks ago. In the lead story Simple Nomad relies upon his savvy (web surfing some pager sites) to say yes, it is theoretically possible. Photos and hopefully an AVI will be posted soon showing more of the story. Here's a link to the audio of the broadcast (also expired).

The danger within

19980420, Infoworld - An article talking about internal threats to the network. Lots of decent quotes from Peter Shipley, a typical slew of InfoSec and Fed quotes, and a paragraph paraphrasing Simple Nomad.

Want to prevent breakins? Just ask a hacker

19980302, Computerworld - A somewhat accurate article discussing how Microsoft and Novell have interaction with white hat hackers to improve security. Simple Nomad and the NMRC web site are mentioned, and the facts are almost accurate. I like the part about how Mudge "operates" the "10pht". And they say L0pht can't spell!

Special Report: How to Improve Windows NT Security

19980201, Network VAR - An article on NT security. NMRC is mentioned, and it falsely lists (or at least implies) Nomad as the author of NT Crack and PWDump since these were on my web site. For the record, Secure Networks did NT Crack and Jeremy Allison did PWDump.

Hacker utilities threaten NDS safety

19970804, LAN Times - Pandora splashes onto the scene. Hell, they even try it out and crack a few passwords.

Nix Web-server attacks

19970804, LAN Times - Article mentioning the Hack FAQ among other references on web security.

Foil Attacks on Your Registry

19970700, Windows NT Magazine - Mentions the NMRC web site when discussing NT hack tools.

Hacker FAQ Exposes Attack Strategies

19970414, LAN Times - Article on the Netware Hack FAQ. Kind of a mini review of the FAQ. Quite positive (or negative, depending on whether you are wearing a white or black hat) as LAN Times tries some shockingly successful hacks from the FAQ, hacking the offices at LAN Times.

How Safe Is Your LAN? and Hazards of Hooking Up

19960617, LAN Times - Article and sidebar featuring a "forum" interview with Bill Cheswick, Winn Schwartau, and Simple Nomad. Kind of an odd mix of people. There wasn't actually a "panel", just some email interviews.


Presentations

Compliance: The Enterprise Vulnerability Roadmap

Defcon 16 presentation by Weasel

Attend My Talk And Win A Xbox 360... In Some Other Contest!

Toorcon Seattle 2008 presentation by jrandom

Hacking the Friendly Skies

ShmooCon 2006 presentation by Simple Nomad

Free Your Mind: The NMRC Info/Warez Panel

NMRC, DefCon, 2003

Covering Your Tracks: Ncrypt and Ncovert

Simple Nomad, Black Hat, 2003

April Fools, 2003

Every year, NMRC likes to do a little something special for April Fools.

Widdershins

Simple Nomad, DefCon, 2001

Network Mapping Techniques

Simple Nomad, DefCon, 2000

Strategies for Defeating Distributed Attacks

Simple Nomad, Black Hat Briefings, 2000


Papers

Occasionally we release various papers and reports. They are listed here:

Simple Nomad's DefCon 11 Rant

Simple Nomad discusses the holy trinity of hackers -- trust, control, and truth.

Don't Be A Tool

Sioda warns how hackers are their own worst enemy when pitted against the businesses and governments that would exploit them.

Crackers and Commercial Vulnerability Scanners

This report details how easy it is to download the demo version of a commercial vulnerability scanner, and within a few minutes start mapping network vulnerabilities to systems you don't own (yet).


Reviews

We will occasionally review products and give them the NMRC Hacker Stamp of Approval. This doesn't happen very often, mainly because we have to really want to do it, and we don't get paid for it. Very, very few products will get this stamp, because 1) as we stated, we don't do this very often, and 2) the product must kick hacker butt to receive this prestigious award.

Here is a short list of Official NMRC Hacker Seal of Approval reviewed products:

AntiSniff Beta 2

L0pht Heavy Industries

Password Safe 1.7

Counterpane Systems

Books We Recommend

We also have a selection of books we recommend as part of our association with Amazon.com. Buy books from them and help fund our projects!