Publications
Advisories
Starting in September of 1998, we began formalizing our advisories. Here is a list of advisories issued since that time. We've also got a disclosure policy.
Microsoft Windows Silent Adhoc Network Advertisement
20060114: After a 3 1/2 year lull, an advisory is released! Pity it is a lame Windows wireless bug.
Web Traversal in Critical Path inJoin V4.0 and Cross-Site Scripting in Critical Path inJoin V4.0
20020510: Cyberiad finds a couple of problems in Critical Path inJoin V4.0 Directory Server.
KeyManager Issue in ISS RealSecure on Nokia Appliances
20020319: Oops. ISS left in a default account in RealSecure on Nokia appliances which allows for remote manipulation.
OpenFile Win32 API Log Overwriting/Rewriting
20020114: Cyberiad finds both Microsoft's IIS 4 and Symantec's Norton Internet Security 2001 are vulnerable to log files being rewritten via Windows APIs.
Numerous Issues with Valicert Enterprise VA
20011204: Cyberiad and Phuzzy L0gik have some fun exploring Valicert's CGI program, including finding numerous buffer overflows, info leaking, and even weak random numbers.
Sun's NetDynamics Reuseable Session ID
20011126: Phuzzy L0gik plays with some Sun products and turns up a bug. NetDynamics session IDs can be reused, allowing session hijacking.
NetWare Enterprise Web Server and GroupWise WebAccess
20010814: Adept finds some GroupWise issues, and NMRC helps him publicize it.
Specter IDS DoS and Other Issues
20010527: hellNbak has found a number of problems with the Specter IDS, including DoS (a simple port scan can cause CPU usage problems) and remote identification of its honeypot nature (you see, it really isn't an IDS to begin with...).
File Sniffing in Netware
19991122: It has always been trivial to sniff file transfers between a server and a workstation. NMRC now automates the process in the latest version of Pandora.
HackerShield Service User
19990910: Bindview's product HackerShield is a security scanner with a number of impressive automation features that make use of a Service User to allow HackerShield to run unattended. Unfortunately, the Service User is not machine specific, making anyone who has downloaded the product, including the demo, vulnerable to potential attack. Here's Bindview's response.
NetWare 5 Hijack Vulnerability
19990715: Originally reported 13 months ago, some of the same spoof and hijack tricks that worked on Netware 4 work on Netware 5. This advisory simply points that fact out, as the new Pandora v4 simplifies the spoof and hijack tricks.
NetWare 4.x TTS Problem
19990512: Netware 4.x servers not running the latest patches are vulnerable to a nasty Denial of Service bug that can potentially crash multiple servers simultaneously.
NAI AntiVirus Update Problem
19990505: Under certain conditions Network Associates VirusScan NT will not properly update the virus definition file, leaving the NT server or workstation vulnerable to viral attack.
"Decryption" of RCONSOLE Password
19981006: If an intruder recovers the encrypted password used during the loading of REMOTE.NLM, it can be easily decrypted on another Netware server.
Lame NT Token Ring DoS
19980930: If you have Token Ring packets with bad data in them, you can crash NT servers and workstations. All four sites running Token Ring should apply the RIF Hot Fix from Microsoft (ask them for it, it's not on their FTP site).
GroupWise Buffer Overflow
19980923: You can overflow the POP3 and LDAP ports causing the server to crash. Unlike the last advisory, this one has generated lots of thank-yous. Hmmm, revealing user account names is bad, but crashing servers is good. At least with the latest patches only the affected NLM goes south, but we advise to simply not use it. UPDATE 06Oct98 - Novell has released a patch, look for gwia551.exe at support.novell.com. The patch is for GroupWise 5.5 only, so you are forced to upgrade before you can apply the patch.
Default NDS Rights
19980916: Most Netware installers are unaware or uncaring about how much info is revealed from a standard install. Lots of flames on this one from disgruntled sys admins having to fix things because their boss read about it. Sorry folks, some OSes (such as Unix) actually go to some trouble to keep intruders from learning account names. Netware should be this way too.
Announcements
The "Am I Owned?" Service
20030608: NMRC issues a major press release about a new service, which is real (we swear, you can trust us, right?)... Oh and we also announce our upcoming talks at Black Hat and DefCon.
April Fools Wrap-Up, 2003
20030402: Trust no one... except for us, of course.
A Step Towards Information Anarchy: A Call To Arms
20011102: hellNbak announces Information Anarchy.
Pandora 4 Beta 2.1 Announcement
19991201: The announcement of the release of Pandora 4 Beta 2.1 for Linux.
Simple Nomad at ToorCon2000
19991119: ToorCon announced last week that Simple Nomad will be the keynote speaker at the security convention next September in San Diego.
Pandora 4 Beta 2 Announcement
19991119: The announcement of the release of Pandora 4 Beta 2, with improved drivers, improved GUI and lots of bug fixes.
Pandora 4 Announcement
19990507: The announcement of the release of the beta version of Pandora 4, made right before the Black Hat Briefings.
FAQs
Here are some hacking and informational FAQs. These are NMRC exclusives, developed from work within the lab. These FAQs are the main reason for the lab. Contributors can send hot tidbits to faq@nmrc.org.
The Hack FAQ
This FAQ is a combined NT, Netware, and Unix FAQ discussing hacking. A lot of people have been bugging us about this, so feel free to see what we have so far.
Updated 20030802.
The PowerBook Battery Hack FAQ
Many of you have wondered exactly how to hack a Macintosh Powerbook battery. Thanks to gawdawful long (tm) Netware 5 loads, read exactly how to hack that Powerbook battery. BTW we can't believe we got email about this, yes idiots, it's a joke.
Released 19980717.
The Official NMRC FAQ
Basic questions about NMRC that might explain why your email was deleted without a response.
Updated 20030102.
In The Media
ToorCon Seattle 2008: Lightning talks
20080422, Hack A Day - jrandom's presentation on scratchcard vulnerabilities gets a special mention
Importance of Microsoft patches called understated
20041222, SearchSecurity - Mr. Nomad again bitching about Microsoft, apparently this is a fulltime job.
Why Can't Microsoft Catch Its Own Bugs?
20041026, IT Management - Mr. Nomad quoted under his real name again, this time bitching about Microsoft's cranial/rectal inversion problem.
Microsoft sets new Patch Tuesday record
20041014, SearchSecurity - Mr. Nomad quoted under his real name again, bitching about Microsoft. Yawn.
Backdoor program gets backdoored
20040611, SecurityFocus - Mr. Nomad quoted under his real name again, this time gets in a nice zinger on Microsoft
Defenses Morph as Viruses Mutate
200404, Security Management Magazine - Mr. Nomad quoted under his real name, talking about virus stuff.
The Mind Of A Hacker
20031110, NWC Security Pipeline - Simple Nomad and a few other hacker-types are interviewed in a pseudo FUD article with a neato catchy title. Wee.
Thwarted Linux backdoor hints at smarter hacks
20031106, SecurityFocus - Kevin Poulsen's story about a backdoor inserted into the Linux kernel, with a quote from Simple Nomad.
Patch your software--it'll help secure the Net
20030804, CNET ZDNET Reviews - An article about the Qualys panel at Black Hat, with a quote from Simple Nomad.
Black Hat puts hacker on mock trial
20030731, CNET News.com - During Black Hat at Hacker Court, Weasel is put on trial. Thank god for the well hung jury -- as good as a win for poor Weasel.
Hackers look to hide communications
20030731, CNET news.com - Simple Nomad releases NCovert at Black Hat and gets some press.
Vulnerabilities Half-life is 30 Days, Says Researcher
20030731, ComputerWire News - An article on the Qualys panel at Black Hat, with a quote from Simple Nomad.
Panel Probes the Half-life of Bugs
20030730, SecurityFocus - Simple Nomad is quoted under his real name, stating the obvious about how quickly the underground works to find and reverse engineer security bugs.
Vandals menacing both sides with defacements in cyber war
20030404, The Star-Ledger - Sioda an Cailleach is quoted on the subject of cyberwar FUD and the companies that profit from it.
Cyber hype
20021205, The Guardian - Simple Nomad and Richard Thieme tell it like it is regarding the hype surrounding cyber terrorism myth.
Stakes higher for hackers
20020812, Reuters - Richard Thieme, RFP, and Simple Nomad are quoted regarding the possible higher stakes of hacking, mainly as a result of the post 9/11 knee-jerk legislation passed by the U.S. Government.
The Dark Side of Hacking Bill
20020727, Wired News - hellNbak gets a quote in about a bill in the House of Representatives that would allow copyright holders to "attack" P2P networks transmitting their copyrighted works.
Some Apache Web Servers Vulnerable To Attack (expired)
20020723, Dow Jones Newswire - Simple Nomad is quoted in an article regarding an Apache flaw. He tries to keep some perspective as opposed to some of the FUD being displayed by people like Chris Rouland.
Game Consoles -- the Next Hacker Target?
20020619, SecurityFocus - hellNbak is quoted talking about the "potential" of Microsoft's broadband-ready XBox.
Shades of gray at security conference
20020502, CNet - CanSecWest 2002 was a great conference. In spite of being in Canada, the US of A feds were there in force, and Simple Nomad makes sure to give them some shit.
Consumer Group Reports Hacker Break-Ins (expired)
20011119, Newsbytes - Ralph Nader's Consumer Project on Technology had some security incidents on their Internet servers, and Simple Nomad comments.
Hackers call for info anarchy
20011107, vnunet - More of hellNbak in the news with another article on the Information Anarchy 2K01 movement.
'White Hat' Hackers Threaten Information Anarchy (expired)
20011106, Newsbytes - The Information Anarchy announcement from hellNbak gets some press, and hellNbak does an email interview.
Hackers Put A Price Tag On New Attack Tool
20011018, Newsbytes - The SSH crc32 attack uncovered last February is finally being exploited en masse as script tools begin to circulate in the underground. Simple Nomad quoted.
Terrorists' Online Methods Elusive
20010918, Washington Post - Article about steganography and terrorism. Simple Nomad is quoted under his real name.
Microsoft Releases Code Red Cleanup
20010808, Newsbytes - Microsoft releases a tool to clean up after Code Red II and Simple Nomad comments on what the tool does *not* do.
The Weakest Link (paid archive)
20010717, Interactive Week - Story that discusses upper management being a weak link in computer security. Simple Nomad is quoted under his real name.
Microsoft Sites Inaccessible
20010125, Washington Post - Questions asked about a Microsoft outage that impacted microsoft.com, msnbc.com, and hotmail.com. Simple Nomad has a couple of answers.
Secure Strategies
20000807, Information Security Magazine - A story by Al Berg that talks about the various commercial security scanners, and the vendors' R&D groups. Simple Nomad gets a mention for the BindView RAZOR team.
Specter of Web attacks looms anew (paid archive)
20000806, Inter@ctive Week - A sensationalized story that gets most of the facts correct. Simple Nomad talking about distributed attacks, not about distributed denial of service. Also note, the talk in October 1999 dealt with stealth communications to control security devices, not denial of service. Techniques used in that talk surfaced in the DDoS attacks in February. The point is that these techniques can be discovered and analyzed before they occur.
Is hacking healthy?
20000405, ZDNet UK - A short article on how healthy hacking is. Which it is. 'cause Nomad says so.
Grey Hats, Black Hats, and Script Kiddies
20000405, ZDNet UK - Another short article that talks about the different types of hackers, including a quote from Simple Nomad under his real name.
Top Hats
20000500, Inside Business Magazine - Local copy of an article that appeared in an Ohio regional magazine. Features comments from Simple Nomad.
Fighting the Dark Side
20000401, Technology Decisions - This sidebar to a magazine article quotes Simple Nomad talking about hacking, and dissing Microsoft.
It's harder to identify the bad guys online
20000328, Christian Science Monitor - Interviews with several hackers including Simple Nomad about the current state of hacking in general.
Who Can Stop Cybervandals? (paid archive)
20000228, U.S. News & World Report - Asks questions about the futile nature of trying to find decent solutions where basically none exist. A one-sentence quote from Simple Nomad.
Hackers Speak
20000221, The Standard - A large number of quotes from various hacker folk, including Simple Nomad, in an article in the wake of Denial of Service attacks.
Respite Follows Hacker Attacks (paid archive)
20000211, Washington Post - More fun as the WP asks questions about denial of service and Simple Nomad (quoted under his real name) throws in a comment.
Web Hacks: Day Three
20000209, The Standard - In the wake of all of the distributed denial of service attacks, Simple Nomad puts in his two cents' worth.
RAZOR, BindView's Newly Named Security Team, Discovers "Syskey Bug" on Microsoft NT Feature
19991222, BindView - Simple Nomad gets a new job, and the new boss releases a press release. BTW Mr. Nomad had nothing to do with the Syskey bug discovery, despite the way the press release reads. It was all Todd Sabin's work.
Microsoft recruits anti-virus vendors to fight Y2K hackers
19991101, Infoworld - Talks about Y2K virus attacks, and gets a quote from Simple Nomad.
Bane of e-commerce: 'We're secure: We allow only Web traffic through our firewall'
19990809, Infoworld - Talks about the danger of web and e-commerce, and mentions the NMRC Hack FAQ, along with other tidbits.
Black Hat conference survives a denial-of-service attack, but will it outlast attrition?
19990719, Infoworld - Summation of the Black Hat Briefings, with a reference to NMRC and Simple Nomad's presentation, including the new Pandora v4.
Worm With an Attitude (paid archive)
19990628, U.S. News & World Report - Talks about the Worm.ExploreZip virus and who is really to blame. Microsoft catches some heat from Simple Nomad and Aleph1. Microsoft continues their mindless lip service.
More on NetWare's Remote hack: Admin status not required to cause problems
19990524, Infoworld - Refers to NMRC as they try to clear up some of the statements their readers had problems with regarding their story on The Ruiner's remote encryption hack.
Novell's Remote encrypted password falls victim to weak security measures
19990426, Infoworld - The Ruiner makes a splash in the press with his RConsole decryption hack. The article mentions NMRC and some of our and Shade's tools.
Do you want some proof that NetWare is alive and well? People are still hacking it
19980803, Infoworld - Attempts to figure out Pandora. They state they tested many of the tools, but they only tested four -- the spoofing ones. They had problems, and we tried to help them, but alas.... due to Novell's complete lack of disclosure, simple configuration issues make Pandora only work under certain conditions. This coupled with the fact we don't think the Infoworld security guys like us (see this article for a flavor of their opinion of guys with funny names), it's not a flattering review.
Hackers demonstrate NetWare IPX 'spoof'
19980720, Computerworld - Article mentioning Simple Nomad and Jitsu-Disk as the ethical hackers behind Pandora.
Who you gonna call?
19980720, LAN Times - Article about system administrator shareware, and where to get it. Mentions Pandora, along with L0phtcrack and some other mainstream resources.
Pandora pokes holes in NetWare
19980715, CNet - Reports news about Pandora, and Novell says the threat isn't that serious but they are taking it seriously. Losing sight of the point, Novell implies locking up your server protects you from Pandora.
NetWare falls prey to hackers
19980713, Infoworld - NMRC lets them know about Pandora, Infoworld tells everyone how we've hacked Netware, and Novell thinks we're cool. Or at least "helpful".
Hackers Track Presidential Pagers (expired)
19980615, WFAA Dallas TX Channel 8 News - Simple Nomad is the so-called "expert" during a story about hackers nabbing FBI pages during a Presidential visit a couple of weeks ago. In the lead story Simple Nomad relies upon his savvy (web surfing some pager sites) to say yes, it is theoretically possible. Photos and hopefully an AVI will be posted soon showing more of the story. Here's a link to the audio of the broadcast (also expired).
The danger within
19980420, Infoworld - An article talking about internal threats to the network. Lots of decent quotes from Peter Shipley, a typical slew of InfoSec and Fed quotes, and a paragraph paraphrasing Simple Nomad.
Want to prevent breakins? Just ask a hacker
19980302, Computerworld - A somewhat accurate article discussing how Microsoft and Novell have interaction with white hat hackers to improve security. Simple Nomad and the NMRC web site are mentioned, and the facts are almost accurate. I like the part about how Mudge "operates" the "10pht". And they say L0pht can't spell!
Special Report: How to Improve Windows NT Security
19980201, Network VAR - An article on NT security. NMRC is mentioned, and it falsely lists (or at least implies) Nomad as the author of NT Crack and PWDump since these were on my web site. For the record, Secure Networks did NT Crack and Jeremy Allison did PWDump.
Hacker utilities threaten NDS safety
19970804, LAN Times - Pandora splashes onto the scene. Hell, they even try it out and crack a few passwords.
Nix Web-server attacks
19970804, LAN Times - Article mentioning the Hack FAQ among other references on web security.
Foil Attacks on Your Registry
19970700, Windows NT Magazine - Mentions the NMRC web site when discussing NT hack tools.
Hacker FAQ Exposes Attack Strategies
19970414, LAN Times - Article on the Netware Hack FAQ. Kind of a mini review of the FAQ. Quite positive (or negative, depending on whether you are wearing a white or black hat) as LAN Times tries some shockingly successful hacks from the FAQ, hacking the offices at LAN Times.
How Safe Is Your LAN? and Hazards of Hooking Up
19960617, LAN Times - Article and side bar featuring a "forum" interview with Bill Cheswick, Winn Schwartau, and Simple Nomad. Kind of an odd mix of people. There wasn't actually a "panel", just some email interviews.
Presentations
Compliance: The Enterprise Vulnerability Roadmap
Defcon 16 presentation by Weasel
Attend My Talk And Win A Xbox 360... In Some Other Contest!
Toorcon Seattle 2008 presentation by jrandom
Hacking the Friendly Skies
ShmooCon 2006 presentation by Simple Nomad
Free Your Mind: The NMRC Info/Warez Panel
NMRC, DefCon, 2003
Covering Your Tracks: Ncrypt and Ncovert
Simple Nomad, Black Hat, 2003
April Fools, 2003
Every year, NMRC likes to do a little something special for April Fools.
Widdershins
Simple Nomad, DefCon, 2001
Network Mapping Techniques
Simple Nomad, DefCon, 2000
Strategies for Defeating Distributed Attacks
Simple Nomad, Black Hat Briefings, 2000
Papers
Occasionally we release various papers and reports. They are listed here:
Simple Nomad's DefCon 11 Rant
Simple Nomad discusses the holy trinity of hackers -- trust, control, and truth.
Don't Be A Tool
Sioda warns how hackers are their own worst enemy when pitted against the businesses and governments that would exploit them.
Crackers and Commercial Vulnerability Scanners
This report details how easy it is to download the demo version of a commercial vulnerability scanner, and within a few minutes start mapping network vulnerabilities to systems you don't own (yet).
Reviews
We occasionally will review products, and give them the NMRC Hacker Stamp of Approval. This doesn't happen very often, mainly because we have to really want to do it, and we don't get paid for it. Very, very few products will get this stamp, because 1) as we stated we don't do this very often, and 2) the product must kick hacker butt to receive this prestigious award.
Here is a short list of Official NMRC Hacker Seal of Approval reviewed products:
AntiSniff Beta 2
L0pht Heavy Industries
Password Safe 1.7
Counterpane Systems
Books We Recommend
We also have a selection of books we recommend as part of our association with Amazon.com. Buy books from them and help fund our projects!