[Full-disclosure] Paper on the law and Implantable Devices security
A new research paper from the Freedom And Law Center deals with issues that some of us keep raising these past few years, and does a good job at it - bionic hacking (or cybernetic hacking if you prefer).

"Killed by Code: Software Transparency in Implantable Medical Devices" outlines some of the history of these devices and even shows some cases where devices have been recalled (likely due to software issues). Some of the paper's recommendations are especially interesting, such as to create a database of implantable devices code, so that if the vendor disappears it can still be patched (I rephrased).

While unintentional, I am considered the father of this field (not that I'm complaining) and I can't even begin to tell you how excited I am that a field I have been evangelizing for some years now is finally getting more attention -- even if from the legal standpoint with the main concern of liability. Still, I can't help but maintain some skepticism that before some disaster happens (to us or others) this won't be taken too seriously.

The paper can be found here:
http://www.softwarefreedom.org/resources/2010/transparent-medical-devices.html

Here's a 2007 Wired article covering the subject from a talk I gave, covering the subject from a different perspective:
http://www.wired.com/threatlevel/2007/08/will-the-bionic/

Gadi.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] The Economist, cyber war issue
The upcoming issue will be about cyber war. Check out the front page image:
http://sphotos.ak.fbcdn.net/hphotos-ak-snc3/hs488.snc3/26668_410367784059_6013004059_4296972_499550_n.jpg

Gadi.
[Full-disclosure] A socio-psychological analysis of the first internet war (Estonia)
Hi,

In the past year I have been working in collaboration with psychologists Robert Cialdini and Rosanna Guadagno on a paper analyzing some of what I saw from the social perspective in Estonia, when I wrote the post-mortem analysis for the 2007 attacks, but didn't understand at the time.

We analyze how the Russian-speaking population online was manipulated to attack Estonia (and Georgia) in the "cyber war" incidents, and how it could happen again (regardless of whether any actor is behind it).

Article on El Reg:
http://www.theregister.co.uk/2010/04/28/web_war_one_anonymity/

Paper (for download with pay :( ):
http://www.liebertonline.com/doi/abs/10.1089/cyber.2009.0134

Thanks, and any comments appreciated,

Gadi.

--
Gadi Evron, g...@linuxbox.org.
Blog: http://gevron.livejournal.com/
[Full-disclosure] Fingerprinting Paper with Laser
I saw this release today, and just had to share it with anyone I could find.

"Every paper, plastic, metal and ceramic surface is microscopically different and has its own 'fingerprint'. Professor Cowburn's LSA system uses a laser to read this naturally occurring 'fingerprint'. The accuracy of measurement is often greater than that of DNA with a reliability of at least one million trillion."

I love it when old technologies and science are used in interesting new ways to impact the future.

http://nanotechwire.com/news.asp?nid=2254

Expect to see this technology at an airport near you, in five years or so.

Gadi.

--
Gadi Evron, g...@linuxbox.org.
Blog: http://gevron.livejournal.com/
Re: [Full-disclosure] Chuck Norris Botnet and Broadband Routers
Adrian, thank you for sharing this with us.

Gadi.

On 2/24/10 12:20 AM, Adrian P. wrote:
> It's no secret that there are tons of broadband routers/modems with
> exposed admin interfaces (HTTP/SSH/Telnet/whatever) using default/weak
> credentials.
>
> While the Chuck Norris botnet is interesting in that it shows that the
> problem is real, it shouldn't surprise anyone who has researched the
> security of broadband embedded devices.
>
> It's also not the first time an incident of this nature has happened.
> I'm sure a lot of the list readers remember the mass-phishing attack
> launched November 2007 [1] against several popular 2Wire broadband
> routers in Mexico. The attack was accomplished by means of changing
> the router's DNS settings via a CSRF hole on the web interface.
>
> A similar issue used to exist on the BT Home Hub and was reported in
> October 2007 [2] (a month earlier) where it was possible to compromise
> the router by tricking a user to visit a malicious page. The payload
> [3] would then exploit an authentication bypass and CSRF vulnerability
> in order to enable the "remote assistance" feature. (The intended
> purpose of this feature was to allow BT engineers to remotely
> troubleshoot home routers.) The attacker could then login remotely to
> the router with admin privileges using a password of his choice (set
> in the actual exploit payload).
>
> And of course there is the infamous BeThere backdoor admin account
> reported in February 2007 which you mentioned in your article [4].
>
> The security of home-grade embedded devices has a long way to go. I
> think that the home router hacking challenge [5] [6] confirmed this by
> showing that many of these devices are affected by serious
> vulnerabilities, many of which are trivially exploitable.
>
> I couldn't agree more that ISPs do need to take responsibility and
> ensure that new modem/router builds are audited for common security
> issues before being distributed to their broadband customers.
>
> ap
>
> [1] http://www.hispasec.com/unaaldia/3313
> [2] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub/
> [3] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4/
> [4] http://blogs.securiteam.com/index.php/archives/826
> [5] http://www.gnucitizen.org/projects/router-hacking-challenge/
> [6] http://marc.info/?l=bugtraq&m=120441195905480&w=2
>
> On Mon, Feb 22, 2010 at 2:22 PM, Gadi Evron wrote:
>> Last week Czech researchers released information on a new worm which
>> exploits CPE devices (broadband routers) by means such as default passwords,
>> constructing a large DDoS botnet. Today this story hit international news.
>>
>> Original Czech:
>> http://praguemonitor.com/2010/02/16/czech-experts-uncover-global-virus-network
>>
>> English:
>> http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html
>>
>> When I raised this issue before in 2007 on NANOG, some other vetted mailing
>> lists and on CircleID, the consensus was that the vendors will not change
>> their position on default settings unless "something happens", I guess this
>> is it, but I am not optimistic on seeing activity from vendors on this now,
>> either.
>>
>> CircleID story 1:
>> http://www.circleid.com/posts/broadband_routers_botnets/
>>
>> CircleID story 2:
>> http://www.circleid.com/posts/broadband_router_insecurity/
>>
>> The spread of insecure broadband modems (DSL and Cable) is extremely
>> wide-spread, with numerous ISPs, large and small, whose entire (read
>> significant portions of) broadband population is vulnerable. In tests Prof.
>> Randy Vaughn and I conducted with some ISPs in 2007-8 the results have not
>> been promising.
>>
>> Further, many of these devices world wide serve as infection mechanisms for
>> the computers behind them, with hijacked DNS that points end-users to
>> malicious web sites.
>>
>> On the ISPs end, much like in the early days of botnets, many service
>> providers did not see these devices as their responsibility -- even though
>> in many cases they are the providers of the systems, and these posed a
>> potential DDoS threat to their networks. As a mind-set, operationally taking
>> responsibility for devices located at the homes of end users made no sense,
>> and therefore the stance ISPs took on this issue was understandable, if
>> irresponsible.
>>
>> As we can't rely on the vendors, ISPs should step up, and at the very least
>> ensure that devices they provide to their end users are properly set up (a
[Full-disclosure] Chuck Norris Botnet and Broadband Routers
Last week Czech researchers released information on a new worm which exploits CPE devices (broadband routers) by means such as default passwords, constructing a large DDoS botnet. Today this story hit international news.

Original Czech:
http://praguemonitor.com/2010/02/16/czech-experts-uncover-global-virus-network

English:
http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html

When I raised this issue before in 2007 on NANOG, some other vetted mailing lists and on CircleID, the consensus was that the vendors will not change their position on default settings unless "something happens", I guess this is it, but I am not optimistic on seeing activity from vendors on this now, either.

CircleID story 1:
http://www.circleid.com/posts/broadband_routers_botnets/

CircleID story 2:
http://www.circleid.com/posts/broadband_router_insecurity/

The spread of insecure broadband modems (DSL and Cable) is extremely wide-spread, with numerous ISPs, large and small, whose entire (read significant portions of) broadband population is vulnerable. In tests Prof. Randy Vaughn and I conducted with some ISPs in 2007-8 the results have not been promising.

Further, many of these devices world wide serve as infection mechanisms for the computers behind them, with hijacked DNS that points end-users to malicious web sites.

On the ISPs end, much like in the early days of botnets, many service providers did not see these devices as their responsibility -- even though in many cases they are the providers of the systems, and these posed a potential DDoS threat to their networks. As a mind-set, operationally taking responsibility for devices located at the homes of end users made no sense, and therefore the stance ISPs took on this issue was understandable, if irresponsible.

As we can't rely on the vendors, ISPs should step up, and at the very least ensure that devices they provide to their end users are properly set up (a significant number of ISPs already pre-configure them for support purposes).

The Czech researchers have done a good job and I'd like to thank them for sharing their research with us.

In this article by Robert McMillan, some details are shared in English:
--
Discovered by Czech researchers, the botnet has been spreading by taking advantage of poorly configured routers and DSL modems, according to Jan Vykopal, the head of the network security department with Masaryk University's Institute of Computer Science in Brno, Czech Republic.

The malware got the Chuck Norris moniker from a programmer's Italian comment in its source code: "in nome di Chuck Norris," which means "in the name of Chuck Norris." Norris is a U.S. actor best known for his martial arts films such as "The Way of the Dragon" and "Missing in Action."

Security experts say that various types of botnets have infected millions of computers worldwide to date, but Chuck Norris is unusual in that it infects DSL modems and routers rather than PCs.

It installs itself on routers and modems by guessing default administrative passwords and taking advantage of the fact that many devices are configured to allow remote access. It also exploits a known vulnerability in D-Link Systems devices, Vykopal said in an e-mail interview.

A D-Link spokesman said he was not aware of the botnet, and the company did not immediately have any comment on the issue.

Like an earlier router-infecting botnet called Psyb0t, Chuck Norris can infect an MIPS-based device running the Linux operating system if its administration interface has a weak username and password, he said. This MIPS/Linux combination is widely used in routers and DSL modems, but the botnet also attacks satellite TV receivers.
--

Read more here:
http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html

I will post updates on this as I discover them on my blog, under this same post, here:
http://gadievron.blogspot.com/2010/02/chuck-norris-botnet-and-broadband.html

Gadi.
[Full-disclosure] Corporate espionage in the news: Hilton and the Oil industry
Corporate espionage in the news, and not just because of Google: Hilton and the Oil industry.

Is anyone calling espionage by means of computers cyber-espionage yet? I hope not. At least they shouldn't call it cyber war.

Two news stories of computerized espionage reached me today. The first, regarding the Oil industry, was sent by Marc Sachs to a SCADA security mailing list we both read. The second, about the hotel industry, was sent by Deb Geisler to a science fiction convention runners (SMOFS) mailing list we both read.

US oil industry hit by cyberattacks: Was China involved?
http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved

"At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage."

Starwood Charges That Top Hilton Execs Abetted Espionage
http://www.meetings-conventions.com/article_ektid31918.aspx

"Starwood's claim points to a "mountain of undisputed evidence," including e-mails among Hilton senior management, that Klein and Lalvani worked with others within Starwood to steal sensitive documents by sending them via personal e-mail accounts, among other methods, and that such information was shared and used by all of Hilton's luxury and lifestyle brands, as well as in the development of Hilton's now-shelved Denizen brand. In the new filing, Starwood says, "This case is extraordinary, and presents the clearest imaginable case of corporate espionage, theft of trade secrets, unfair competition and computer fraud...Hilton's conduct is outrageous.""

As to whether China is involved, maybe. But the automatic blaming has got to stop. Many other countries have been known to be conducting corporate espionage, such as France, and as the second story above shows, so do corporations themselves.

[ Source on naming France: http://samvak.tripod.com/pp144.html ]

But... here are a few questions:
- My dog barked, was China involved?
- The traffic light turned red, was China involved?
- I am tired. Is China involved?

Gadi.
[Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
[I have given this some thought, edited my argument, and am moving this message to its own thread.]

Microsoft has put a lot into securing its code, and is very good at doing so. However, is it doing enough?

My main argument is about the policy of handling vulnerabilities for 6 months without patching (such as the Google attacks 0day apparently was) and the policy of waiting a whole month before patching this very same vulnerability when it first became an in-the-wild 0day exploit (it has now been patched, ahead of schedule).

Microsoft is the main proponent of responsible disclosure, and has shown it is a responsible vendor. Also, patching vulnerabilities is far from easy, and Microsoft has done a tremendous job at getting it done. I simply call on it to stay responsible and amend its faulty and dangerous policies.

A whole month as the default response to patching a 0day? Really?

With their practical monopoly, and the resulting monoculture, perhaps their policies ought to be examined for regulation as critical infrastructure, if they can't bring themselves to be more responsible on their own.

This is the first time in a long while that I find it fit to criticize Microsoft on security. Perhaps they have grown complacent with the PR nightmare of full disclosure a decade behind them, with most vulnerabilities now "sold" to them directly or indirectly by the security industry.

Gadi.

--
Gadi Evron, g...@linuxbox.org.
Blog: http://gevron.livejournal.com/
[Full-disclosure] Israelis, take note
Hi all, this message is for the Israeli community. :o)

Come have a beer with the CEO of SANS. Send me an email if you want to come too.

Gadi.
Re: [Full-disclosure] can someone please try and explain to me....
Gadi Evron's Cholesterol wrote:
> How in fact does the Internet work?

Alright:
http://darkreading.com/blog/archives/2009/07/ddos_cyber_warf.html

Gadi.

> On Thu, 09 Jul 2009 11:25:32 -0400 Gadi Evron wrote:
>> Why people call this so-called Korea DDoS a cyber war? Don't
>> people know
>> how the Internet works yet?
>>
>> Gadi.

--
Gadi Evron, g...@linuxbox.org.
Blog: http://gevron.livejournal.com/
[Full-disclosure] can someone please try and explain to me....
Why people call this so-called Korea DDoS a cyber war? Don't people know how the Internet works yet?

Gadi.

--
Gadi Evron, g...@linuxbox.org.
Blog: http://gevron.livejournal.com/
[Full-disclosure] a simple race condition and how you'd solve it
A friend recently demonstrated on his blog a simple race condition he encountered. He also challenged folks to solve the problem.

http://www.algorithm.co.il/blogs/index.php/programming/a-simple-race-condition/

There's an interesting discussion in the comments which is worth a quick read. Also, maybe someone here will come up with a cuter idea?

Gadi.

--
Gadi Evron, g...@linuxbox.org.
Blog: http://gevron.livejournal.com/
[Full-disclosure] CFP: ISOI 7 - Sept 17, 18 - San Diego
The 7th ISOI (Internet Security Operations and Intelligence) will take place on September 17th and 18th in San Diego, California. ISOI 7 is kindly hosted by Websense and ESET. The evening reception is graciously hosted by Facebook.

An early draft agenda can be found here:
http://isotf.org/isoi7.html

While attendance is very limited as explained below, it is free of charge.

For previous agendas, please take a look at:
http://isotf.org/isoi6.html (hosted by University of Texas, Dallas, Baylor and Sunbelt)
http://isotf.org/isoi5.html (hosted by Estonian CERT with reception by Norman)
http://isotf.org/isoi4.html (hosted by Yahoo!)
http://isotf.org/isoi3.html (hosted by ISOC, Afilias and ICANN)
http://isotf.org/isoi2.html (hosted by Microsoft with reception by Trendmicro)
http://isotf.org/isoi.html (hosted by Cisco with reception by ISC)

CFP:
We solicit proposals for presentations from the public. A short abstract (with data to back it up) can be sent to cont...@isotf.org. The main topics of interest are Internet infrastructure defense, cyber crime, online fraud, phishing, DDoS and botnets. We also solicit proposals for debates.

While the conference and groups are vetted, we believe in public involvement and making information public whenever possible. Therefore, we once again keep a couple of agenda slots open for the public.

Background:
---
ISOI is a closed conference for members of the different Internet security operations communities, bringing different groups together (such as MWP, nsp-sec, MAAWG, etc.)

In the conference you will find professionals from many industries: network operators, anti virus researchers, law enforcement, academia and government officials from around the world.

Personal note:
--
It's time to let ISOI fly free, I will not be attending this one. I would like to use this opportunity to thank Randy Vaughn, Dan Hubbard and Jeff Debrosse for their efforts in making ISOI 7 happen.

Cordially yours,

Gadi.

--
Gadi Evron, g...@linuxbox.org.
Blog: http://gevron.livejournal.com/
[Full-disclosure] one shot remote root for linux?
Sometimes news finds us in mysterious yet obvious ways. HD set a status which I noticed on my twitter:

@hdmoore reading through sctp_houdini.c - one-shot remote linux kernel root - http://kernelbof.blogspot.com/

I asked him about it on IM, wondering if it is real:
"looks like that but requires a sctp app to be running"

Naturally, I retweeted.

Signed,
@gadievron
Re: [Full-disclosure] phishing attacks against ISPs (also with Google translations)
M.B.Jr. wrote:
> Dear Gadi,
>
> On Wed, Mar 25, 2009 at 9:40 AM, Gadi Evron wrote:
>> While we have seen ISP phishing and Hebrew phishing before, these
>> attacks started when Google added translation into Hebrew.
>
> How exactly did you establish such a certain connection between
> Google's Hebrew translation service's debut and these phishing attacks
> you're referring to?
>
> If you're going to provide us with dates, please point out trustable
> probative sources.

Dear Mr. M.B.Jr.,

While I cannot show conclusive evidence between the two concurrent events, the causality in this case seems pretty obvious for the following reasons:
1. The two (phishing and translation module) occurred at around the same time frame.
2. Previously, this was not happening.
3. The imperfect Hebrew looks like a machine translation.
4. In fact, the only new element I can discern being added to the game was the new Google module.

Google is not at fault, they provide a valuable and good service. Criminals abuse the same tools we use.

I concede that it is not outside the realm of possibility some crappy Hebrew translator suddenly started working with the phishing gangs, but it doesn't seem likely.

Conversely, do note I did not state it was Google's translation engine that was abused, but rather asked if others see this as well and can confirm. I say it now, it is the most likely conclusion.

I'd be happy if someone has other ideas to help us reach a better conclusion?

Gadi.
[Full-disclosure] phishing attacks against ISPs (also with Google translations)
In this email message I'd like to discuss two subjects:
a. Phishing against ISPs.
b. Phishing in different languages against ISPs as soon as Google adds a new translation module.

[My apologies to those who receive this email more than once. I am approaching several different industries on this matter]

In the past few weeks there has been an increasing number of phishing attacks against clients of Israeli ISPs. I've only seen a few of these, but the local ISPs confirm it's happening across the board. In all these cases, the phishing email is in Hebrew.

While we have seen ISP phishing and Hebrew phishing before, these attacks started when Google added translation into Hebrew.

Is this a trend? Have other countries (or populations) been targeted when Google added a translation module for more languages?

Notes:
a. Some Israeli ISPs emailed their clients warning against such attacks. Saying they'd never ask for their password, etc.
b. While I was certainly heavily involved with phishing originally and even started the first coordination group to deal with the issue, I am somewhat removed from it now, dealing more with phishing/banking Trojan horses. Can anyone educate me as to how often ISPs get phished, if at all?
c. If you get phished, what strategies if any have you taken to prevent the attacks/respond to them/educate your clients? What worked?
d. I wonder if these translation misuses could eventually translate into some intelligence we will see in Google security reports, such as on malware.

Gadi.
[Full-disclosure] Suggesting a new defcon event: Hackers Parliamentary Debate or HPD
Hi all,

We posted a suggestion for a new defcon event on the defcon forums -- a debate tournament!
https://forum.defcon.org/showthread.php?p=103437

If you think this is a good idea, support us on the forum. :)

We'd also be happy to answer any question in email. To avoid list clutter, off-list replies are requested.

Organizers:
Gadi Evron
Dan Kaminsky
Steve Llano

Highlights from proposal:

British Parliamentary Debate is a style of debating based on how the British conduct business at their Parliament. Two teams consisting of two members each, face off against each other trying to defend or attack a certain proposition. Then another two teams pick up where they left. This is done in an organized fashion as detailed below.

Example propositions:
This house will ban the use of firewalls
This house will make hacking illegal
This house will legalize mandatory full disclosure
This house believes the source of evil in this world is Windows
This house will support giving guns to hackers
This house believes script kiddies should be shot
Hacking saves lives
Ninjas are better than Pirates
Family guy is better than The Simpsons
Kids who play video games kill people
Star Trek is better than Star Wars
Pluto is a planet
Beer should be free
Coke is better than Pepsi
RFID will put the economy in recession

Parliamentary debate has become increasingly popular in recent years. It differs from the regular college Policy Debate in that the participants have only 15 minutes prep time after learning of what motion (resolution) they are going to work with. It requires thinking on your feet and agile minds.

Rules:
1. Be professional.
2. Follow parliamentary procedure.
3. No swearing.
4. Have fun!
5. [Optional] Defcon rule addition: drink alcohol. (judging team may enforce drinking when buzzwords, empty slogans and logical fallacies are used)
[Full-disclosure] Security Psychology
I just came across a post telling of the Security and Human Behavior workshop (or conference).
http://www.crypto.com/blog/shb08/

Other posts about it:
http://www.lightbluetouchpaper.org/2008/06/30/security-psychology/
http://www.schneier.com/blog/archives/2008/06/security_and_hu.html

As some of you may be aware, I've been researching this subject for about two years now, and I am very excited that a conference has now happened! It means I did not waste the last two years of my life after all! :)

This is very exciting, and I am very thankful to these guys for making it happen.

Here's a post I wrote about something similar, although syndicated from early on with an ancient post, in my exploration of the subject matter:
http://gadievron.blogspot.com/2008/09/im-interested-but-in-you.html

I hope that more researchers will start looking into this subject, which as of the last six months I've been calling Humexp.

I am currently engaged in research looking into the Estonian cyber war from a social psychology perspective, which turned out to be quite interesting. More on that when I can share, though.

Gadi Evron.
[Full-disclosure] ISOI 6, Dallas, TX - January 29, 30
Hi all.

ISOI is once again happening, and back to the States.

Almost final agenda:
http://isotf.org/isoi6.html

As usual, while attendance is limited to the folks who are busy "saving the Internet"/"fighting crime", it is free of charge.

Once again we offer the public at-large the opportunity to attend without such membership. The process is: you submit a relevant talk, get vetted and get accepted. We have two slots reserved for such a purpose.

Subjects of interest: case studies, attacks, botnets, fraud, ...

To submit email your talk idea to [EMAIL PROTECTED]

Is it time to say merry Xmas yet?

Gadi.
[Full-disclosure] BNP (british national party) membership list has been leaked
BNP (British National Party) membership (supposedly) has been leaked. I don't want to link to the URL here. You can find it in my blog post:
http://gadievron.blogspot.com/2008/11/bnp-british-national-party-membership.html

Gadi.
[Full-disclosure] [funsec] ICANN Terminates EstDomains' Registrar Accreditation (fwd)
-- Forwarded message --
Date: Tue, 28 Oct 2008 20:47:48 -0700
From: Paul Ferguson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [funsec] ICANN Terminates EstDomains' Registrar Accreditation

"Dear Mr. Tsastsin,

"Be advised that the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement (RAA) for EstDomains, Inc. (customer No. 919, IANA No. 943) is terminated..."

Via ICANN.org:
http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf

- - ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/

___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Re: [Full-disclosure] pause for reflection
On Tue, 7 Oct 2008, Tonnerre Lombard wrote:
> Salut, Gadi Evron,
>
> On Sun, 5 Oct 2008 03:32:03 -0500 (CDT), Gadi Evron wrote:
>> I have dual citizenship. Along with my homeland citizenship, I am of
>> the Internet, and see it as my personal duty to try and make the
>> Internet safe.
>
> Poor Germans who are not allowed to have dual citizenship. ;-)

:)

> Tonnerre
> --
> SyGroup GmbH
> Tonnerre Lombard
>
> Solutions Systematiques
> Tel:+41 61 333 80 33 Güterstrasse 86
> Fax:+41 61 383 14 67 4053 Basel
> Web:www.sygroup.ch [EMAIL PROTECTED]
Re: [Full-disclosure] pause for reflection
On Mon, 6 Oct 2008, rholgstad wrote:
> you are more delusional than n3td3v and Dan combined

Dear anonymous flamer,

While looking back now that a few days have passed and feeling that I should puke at all this ars poetica of mine, the feeling as well as thought behind the words, are still genuine, and I am happy I wrote them.

Thank you for your time,

Gadi.

> Gadi Evron wrote:
>> I started answering an email an hour ago, and it was important enough to
>> spend time on. It also ended up being too long, so I dumped it in a blog
>> post if you prefer reading in a web browser.
>> http://gadievron.blogspot.com/2008/10/time-for-self-reflection.html
>>
>> Time for self reflection
>> In case you don't read any of what I have to say below, read this: I have
>> dual citizenship. Along with my homeland citizenship, I am of the Internet,
>> and see it as my personal duty to try and make the Internet safe.
>>
>> Atrivo (also known as Intercage), is a network known to host criminal
>> activity for many years, is no more.
>>
>> Not being sarcastic for once, this is time for some self reflection.
>>
>> I wish I was one of those who sleep soundly tonight. Being clear in my
>> conviction that Atrivo should be out of business, and being positive my
>> decision to help that happen was sound--While I would do it again, I am
>> sad.
[Full-disclosure] pause for reflection
al privacy, online we have no privacy, however much it helps us to lie to ourselves that something we do publicly (read, on the Internet) is private. I accepted that, but that is because I have been in the trenches for years. Others live better not knowing. But it doesn't mean I won't work diligently to make it remain.. functional.

Indeed, taking a step back from my niche in security, and seeing how bad things truly are--people can still surf for porn, and argue over who the best Star Trek captain is. Cyber crime, in all its immense activity of billions of incidents an hour, is background noise. But the background noise continually increases. When will it overflow?

All I really want is to maintain the functionality we have, regardless of the abuse. And yet...

Going back to Atrivo, they made enough money by now. And regardless once more, their criminal clients are already back online elsewhere--in some places possibly hosted by what seems like Atrivo, only under a different name.

We did not win, but boy does it feel good to have a victory once in a while for morale's sake. We halted the machine, even if only just for a short time. That, my friends, also has strategic implications as far as our ability to influence networks running clean on the Internet goes, although only time will determine if I am right on that.

Enough whining though. Who is next on the target list? :)

More seriously, why do I care so much?

I have dual citizenship. Along with my homeland citizenship, I am of the Internet, and see it as my personal duty to try and make the Internet safe.

Gadi Evron,
Of the Internet.
[Full-disclosure] Estonian Cyber Security Strategy document -- now available online
Hello.

The Estonian cyber security strategy document is now available online. I must say once again the concept of a national cyber security stance is quite interesting.

Those who wish to download the document:
http://www.mod.gov.ee/?op=body&id=518

My contact there specified she'd be happy to answer any questions. To avoid spam of her inbox, email me for her address.

Gadi Evron.
[Full-disclosure] Disintegrate! Gust of wind! Can we get back to saving the world already?
I've recently been involved in an email thread which, partly by my doing, unfortunately degraded into a dirty flame war for a few hours. Whenever meta discussion takes over real discussion, frustration builds up inside me.

This comic strip from today, which a friend just sent me, seems to explain the concept much better than I can. FD trolls, take a look.

Order of the Stick:
http://www.giantitp.com/comics/oots0595.html

Gadi.
[Full-disclosure] community real-time BGP hijack notification service
Hi,

WatchMy.Net is a new community service to alert you when your prefix has been hijacked, in real-time.

Following the discussion on NANOG a couple of weeks ago on what to do if your prefix is hijacked, people mentioned that detection-wise, free services are limited (to certain communities or by not being real-time). The current fully public and free services will alert you with a few hours' delay.

Over Labor Day weekend we built a free real-time service. We invite people to try it out during our beta stage.

Register for alerts at:
http://www.watchmy.net/

We hope you find it useful,

Avi Freedman, Andrew Fried && Gadi Evron.
[Full-disclosure] reviving the botnets@ mailing list: a new strategy in fighting cyber crime
The public botnets@ mailing list, where malicious activity on the Internet can be openly shared, has been revived, and boy is it active.

Warning: live samples and malicious URLs are openly shared there.

Mailing list URL:
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

Reasons, thinking and explanations:
http://gadievron.blogspot.com/2008/08/public-sharing-and-new-statregy-in.html

Excerpt:
--
A couple of years ago I started a mailing list where folks not necessarily involved with the vetted, trusted, closed and snobbish circles of cyber crime fighting (some founded by me) could share information and be informed of threats.

In this post I explore some of the history behind information sharing online, and explain the concept behind the botnets mailing list. Feel free to skip ahead if you find the history boring. Also, do note the history in this post is mixed with my own opinions. As I am one of the only people who were there in the beginning though and lived through all of it, I feel free to do so (in my own blog post).

As I conclude, we may not be able to always share our resources, but it is time to change the tide of the cyber crime war, and strategize. One of the strategies we need to use, or at least try, is public information sharing of "lesser evils" already in the public domain.
..
..
To fight a war, you have to be involved and engaged. On the Internet that is very difficult, but the Russians found a way.

It is a fact that while we made much progress in our efforts fighting cyber crime, we had nearly no effect whatsoever on the criminals and the attackers. None. They maintain their business and we play at writing analysis and whack-a-mole.

Using the botnets mailing list, I am borrowing a page from the apparent Russian cyber war doctrine, getting people involved, engaged. Personally aware and a part of what's going on.

It can't hurt us, and perhaps now, four years overdue and two years after the previous attempt, we may be ready to give it a go and test the concept.
---

Gadi Evron.

--
"You don't need your firewalls! Gadi is Israel's firewall."
-- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant General,
Israel's Ministry of Finance, at the government's CIO conference, 2005.

(after two very funny self-deprecation quotes, time to even things up!)

My profile and resume:
http://www.linkedin.com/in/gadievron
[Full-disclosure] weev, baby
Tea Baggins tebaggins at gmail.com

Teatime from Pratchett and Bilbo Baggins from Tolkien? Nice touch.

No idea what the rest of the trolling means.

Gadi.
[Full-disclosure] ISOI 5 (Tallinn) agenda is now online
Greetings!

The agenda for the ISOI conference (held on the 11th and 12th of September 2008, in Tallinn, Estonia) has just been made public. You can find it here:
http://www.isotf.org/isoi5.html

Suggested hotel is the Viru:
http://www.viru.ee/

Our kind host is the Estonian CERT (Hillar) who is also planning a special after-hours event for us to enjoy.

We have the option of moving to a bigger room if necessary, so you can RSVP when you like (although we'd appreciate notice, and our confirmation is required).

Best regards,

Randy Vaughn and Gadi Evron.
[Full-disclosure] [funsec] Estonia similarities begin to manifest (fwd)
It seems like the online Russian population is getting mobilized. Like a meme spreading on the blogosphere, the mob is forming and starting to "riot", attacking Georgia.

This seems very similar to the Estonian incident, only my current guess is natural evolution rather than grass-roots implanted--but I am getting more and more convinced of the similarities as more information becomes available. Determining exactly when the use of scripts by regular users started is key to this determination.

So, this may possibly be in copy-cat fashion, filling in for the missing coordination that existed in Estonia's case, or a duplicate after all. It is still too early to come to conclusions.

This information was received from Shadowserver, which posted a reduced public report on this subject on their wiki:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080813

Great work from Shadowserver!

My colleague Randy Vaughn came up with the following theory, which is contradictory to my own:
"I would say more like the result of past training. That is, the .ee attacks served to set a behavioral response that will automatically trigger during any real or perceived conflict."

Gadi.
Re: [Full-disclosure] [funsec] Internet attacks against Georgian web sites
On Tue, 12 Aug 2008, Paul Ferguson wrote:
> - -- Gadi Evron <[EMAIL PROTECTED]> wrote:
>
>> People need to realize it's quite possible these are just kids who
>> attacked Georgia, and what that means.
>
> Certainly -- anything is possible.
>
> I would note, however, that if it _is_ "kids", then they have access
> to the same servers/services being used by other "known" criminal
> elements.

Russian speaking elements who live there, read the papers, etc. We are all dissidents in our own way.

Gadi.

> - - ferg
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
Re: [Full-disclosure] [funsec] Internet attacks against Georgian web sites
People need to realize it's quite possible these are just kids who attacked Georgia, and what that means.

On Mon, 11 Aug 2008, Paul Ferguson wrote:
> - -- Gadi Evron <[EMAIL PROTECTED]> wrote:
>
>> In the last days news and government web sites in Georgia suffered DDoS
>> attacks. While these attacks seem to affect the Georgian Internet, it is
>> still there.
>
> Also, I wish to say:
>
> "It is clear that there are anti-Georgian forces at work on the
> Internet."
>
> "Who they are, and what their motivations are (at this point),
> remains to be seen."
>
> - - ferg
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
Re: [Full-disclosure] Internet attacks against Georgian web sites
This is an update of my previous post on the subject.

To be honest here, no one truly knows what's going on in Georgia's Internet except for what can be glimpsed from outside, and what has been written by the Georgians on their blog (http://georgiamfa.blogspot.com/2008/08/cyber-attacks-disable-georgian-websites.html outside their country). They are probably a bit busy avoiding kinetic bombing.

As mentioned in the previous post, Renesys has been following the Georgian links, which seem to be there, but occasionally drop due to possibly power failures. Renesys URL here:
http://www.renesys.com/blog/2008/08/georgia_clings_to_the_net.shtml

Shadowserver and others have been following the botnets attacking the Georgian web sites, and that is confirmed as happening. Shadowserver was quoted, here:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112399&intsrc=hm_list

According to Dancho Danchev, there have also been some defacements, which he describes here, along with other conclusions I don't necessarily agree with:
http://blogs.zdnet.com/security/?p=1670

So--it is clear their web sites are under attack, and that Internet visibility-wise, the impact is real for the Georgians. And yet, it is simply too early and there is not enough information to call this an Internet war. It is too early to establish motive or who the perpetrator is, however much we may want to point fingers.

Following every and any political or ethnic tension, world-wide, an online aftermath comes, in the form of attacks, defacements, and enthusiast hackers swearing at the other side (which soon does the same, back). While Georgia's suffering is real, such attacks are nothing but routine here in Israel. When I ran the defense for the Israeli government Internet operation and then the Israeli government CERT, such attacks would occur daily. Hackers on the other side would band together, talk, coordinate a date, exchange tools, and attack.

While I apologize for the analogy, post-9/11 Israelis were shocked. We were sympathizing and crying for the victims. What we did not understand was why people were still shocked ten minutes past, as this was a normal every-day life happening for us over here. The same applies for cyber-space, the Internet--we are used to this.

The difference in this attack was that the Georgian authorities, like numerous others around the world still aren't, were not prepared to face and fend against such an attack.

In my article "Fighting Botnets and Online Mobs" for the Georgetown Journal of International Affairs covering the Internet war in Estonia, I state how our opponents will no longer be just countries, or even organizations as Martin van Creveld once predicted ahead of his time, but that on the Internet playing field any individual or loosely affiliated group can be a player, affecting countries and yes, corporations as well. My article can be found here:
http://www.ciaonet.org/journals/gjia/v9i1/699.pdf

The best article describing the events so far is by John Markoff at the New York Times:
http://www.nytimes.com/2008/08/13/technology/13cyber.html?em

Gadi Evron.

On Mon, 11 Aug 2008, Gadi Evron wrote:
> In the last days news and government web sites in Georgia suffered DDoS attacks. While these attacks seem to affect the Georgian Internet, it is still there.
>
> Facts:
> 1. There are botnet attacks against .ge websites.
> 2. These attacks affect the .ge Internet infrastructure, but it's reachable.
> 3. It doesn't seem Internet infrastructure is directly attacked.
> 4. Every other political tension in the past 10 years, from a comic of the Prophet Muhammad to the war in Iraq, was followed by online supporters attacking targets which seem affiliated with the opposing side, and vice-versa.
>
> Up to the Estonian war, such attacks would be called "hacker enthusiast attacks" or "cyber terrorism" (of the weak sort).
>
> Nowadays any attack with a political nature seems to get the "information warfare" tag. When 300 Lithuanian web sites were defaced last month, "cyber war" was the buzzword.
>
> Running security for the Israeli government Internet operation and later the Israeli government CERT, such attacks were routine, and just by speaking on them in the local news outlets I started bigger so-called "wars" when enthusiasts responded in the story comments and then attacked the "other side".
>
> Not all fighting is warfare. While Georgia is obviously under DDoS attacks and it is political in nature, it doesn't so far seem different than any other online aftermath by fans. Political tensions are always followed by online attacks by sympathizers.
>
> Could this somehow be indirect Russian action? Yes, but considering Russia is past playing nice and uses real bombs, they could have attacked more strategic targets or eli
[Full-disclosure] Internet attacks against Georgian web sites
In the last days news and government web sites in Georgia suffered DDoS attacks. While these attacks seem to affect the Georgian Internet, it is still there.

Facts:
1. There are botnet attacks against .ge websites.
2. These attacks affect the .ge Internet infrastructure, but it's reachable.
3. It doesn't seem Internet infrastructure is directly attacked.
4. Every other political tension in the past 10 years, from a comic of the Prophet Muhammad to the war in Iraq, was followed by online supporters attacking targets which seem affiliated with the opposing side, and vice-versa.

Up to the Estonian war, such attacks would be called "hacker enthusiast attacks" or "cyber terrorism" (of the weak sort).

Nowadays any attack with a political nature seems to get the "information warfare" tag. When 300 Lithuanian web sites were defaced last month, "cyber war" was the buzzword.

Running security for the Israeli government Internet operation and later the Israeli government CERT, such attacks were routine, and just by speaking on them in the local news outlets I started bigger so-called "wars" when enthusiasts responded in the story comments and then attacked the "other side".

Not all fighting is warfare. While Georgia is obviously under DDoS attacks and it is political in nature, it doesn't so far seem different than any other online aftermath by fans. Political tensions are always followed by online attacks by sympathizers.

Could this somehow be indirect Russian action? Yes, but considering Russia is past playing nice and uses real bombs, they could have attacked more strategic targets or eliminated the infrastructure kinetically. Coulda, shoulda... the nature of what's going on isn't clear, but until we are certain anything state-sponsored is happening on the Internet it is my official opinion this is not warfare, but just some unaffiliated attacks by Russian hackers and/or some rioting by enthusiastic Russian supporters.

It is too early to say for sure what this is and who is behind it.

The RBN blog (following the Russian Business Network) is of a different opinion:
http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare.html
and:
http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-2-sat-16-00.html

Also, Renesys has been following the situation and provides some data:
http://www.renesys.com/blog/2008/08/georgia_clings_to_the_net.shtml

(Thanks to Paul Ferguson for the URLs)

DDoS attacks harm the Internet itself rather than just this or that web site, so soon this may require some of us in the Internet security operations community getting involved in mitigating the attacks, if they don't just drop on their own.

Gadi Evron.

--
"You don't need your firewalls! Gadi is Israel's firewall."
-- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant General,
Israel's Ministry of Finance, at the government's CIO conference, 2005.

(after two very funny self-deprecation quotes, time to even things up!)

My profile and resume:
http://www.linkedin.com/in/gadievron
Re: [Full-disclosure] [funsec] facebook messages worm
On Thu, 7 Aug 2008, Juha-Matti Laurio wrote:
> It has the following mechanism according to McAfee:
> http://vil.nai.com/vil/content/v_148955.htm
>
> They use name W32/Koobface.worm and Kaspersky (Kaspersky Labs originally
> discovered this threat) uses name Net-Worm.Win32.Koobface.b.

This is going to *possibly* cause support line bottlenecks tomorrow.

This worm is somewhat similar to zlob; here is a link to a Kaspersky paper on a previous iteration of it, they call it koobface:
http://www.kaspersky.com/news?id=207575670

The worm collects spam subject lines from, and then sends the users' personal data to, the following C&C: zzzping.com

I spoke with DirectNIC last night and the Registrar Operations (reg-ops) mailing list was updated that the domain is no longer reachable. That was a very fast response time from DirectNIC, which we appreciate.

The worm is still fast-spreading, watch the statistics as they fly:
http://www.d9.pl/system/stats.php

The facebook security team is working on this, and they are quite capable. The security operations community has been doing analysis and take-downs, but the worm seems to still be spreading.

All anti virus vendors have been notified, and detection (if not removal) should be added within a few hours to a few days.

For now, while users may get infected, their information is safe (UNLESS the worm has a secondary contact C&C which I have not verified yet).

It seems like some users may have learned not to click on links in email, but any other medium does not compute.

Gadi.

> More information here too:
> http://www.pcmag.com/article2/0,2817,2327272,00.asp
>
> Juha-Matti
>
> "John C. A. Bambenek, GCIH, CISSP" [EMAIL PROTECTED] wrote:
>> What's the infection vector? URL Link? Rogue Facebook app?
>>
>> On Wed, Aug 6, 2008 at 4:44 PM, Gadi Evron <[EMAIL PROTECTED]> wrote:
>>
>> > Hi all.
>> >
>> > There's a facebook (possibly worm) something malicious sending fake
>> > messages from real users (friends).
>> >
>> > The sample also has a remote drop site (verified by someone who shall
>> > remain nameless).
>> >
>> > This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his
>> > help.
>> >
>> > Infection sites seen so far are on .pl domains.
>> >
>> > The AV industry will soon add detection.
>> > Facebook's security folks are very capable, so I am not worried on that
>> > front.
>> >
>> > It's not that we didn't expect this for a long time now, but...
>> > Be careful. Some users know to be careful in email.. but not on facebook.
>> >
>> > Note: unlike 2003 when we called everything a worm and the 90s when
>> > everything was a virus--this is a bot which also spreads/infects on
>> > facebook.
>> >
>> > Gadi.
>> >
>> >
>> > --
>> > "You don't need your firewalls! Gadi is Israel's firewall."
>> > -- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the
>> > Accountant General,
>> > Israel's Ministry of Finance, at the government's CIO conference,
>> > 2005.
>> >
>> > (after two very funny self-deprecation quotes, time to even things
>> > up!)
>> >
>> > My profile and resume:
>> > http://www.linkedin.com/in/gadievron
[Full-disclosure] facebook messages worm
Hi all.

There's a facebook (possibly worm) something malicious sending fake messages from real users (friends).

The sample also has a remote drop site (verified by someone who shall remain nameless).

This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his help.

Infection sites seen so far are on .pl domains.

The AV industry will soon add detection.
Facebook's security folks are very capable, so I am not worried on that front.

It's not that we didn't expect this for a long time now, but...
Be careful. Some users know to be careful in email.. but not on facebook.

Note: unlike 2003 when we called everything a worm and the 90s when everything was a virus--this is a bot which also spreads/infects on facebook.

Gadi.

--
"You don't need your firewalls! Gadi is Israel's firewall."
-- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant General,
Israel's Ministry of Finance, at the government's CIO conference, 2005.

(after two very funny self-deprecation quotes, time to even things up!)

My profile and resume:
http://www.linkedin.com/in/gadievron
Re: [Full-disclosure] [funsec] facebook messages worm
I am constantly updating on this on my twitter account to avoid list clutter:
http://twitter.com/gadievron

You can watch the infection live on a web counter from the hosting provider that the worm points to. This thing is fast-spreading.

Gadi.

On Wed, 6 Aug 2008, Gadi Evron wrote:
> Hi all.
>
> There's a facebook (possibly worm) something malicious sending fake
> messages from real users (friends).
>
> The sample also has a remote drop site (verified by someone who shall
> remain nameless).
>
> This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his help.
>
> Infection sites seen so far are on .pl domains.
>
> The AV industry will soon add detection.
> Facebook's security folks are very capable, so I am not worried on that
> front.
>
> It's not that we didn't expect this for a long time now, but...
> Be careful. Some users know to be careful in email.. but not on facebook.
>
> Note: unlike 2003 when we called everything a worm and the 90s when
> everything was a virus--this is a bot which also spreads/infects on facebook.
>
> Gadi.
>
>
> --
> "You don't need your firewalls! Gadi is Israel's firewall."
> -- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant
> General,
> Israel's Ministry of Finance, at the government's CIO conference, 2005.
>
> (after two very funny self-deprecation quotes, time to even things up!)
>
> My profile and resume:
> http://www.linkedin.com/in/gadievron
> ___
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
Re: [Full-disclosure] [funsec] facebook messages worm
http://www.kaspersky.com/news?id=20757567 7 days of seeding to impact.

Gadi.

On Wed, 6 Aug 2008, Gadi Evron wrote:
> Hi all.
>
> There's a facebook (possibly worm) something malicious sending fake
> messages from real users (friends).
>
> The sample also has a remote drop site (verified by someone who shall
> remain nameless).
>
> This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his help.
>
> Infection sites seen so far are on .pl domains.
>
> The AV industry will soon add detection.
> Facebook's security folks are very capable, so I am not worried on that
> front.
>
> It's not that we didn't expect this for a long time now, but...
> Be careful. Some users know to be careful in email.. but not on facebook.
>
> Note: unlike 2003 when we called everything a worm and the 90s when
> everything was a virus--this is a bot which also spreads/infects on facebook.
>
> Gadi.
>
>
> --
> "You don't need your firewalls! Gadi is Israel's firewall."
> -- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant
> General,
> Israel's Ministry of Finance, at the government's CIO conference, 2005.
>
> (after two very funny self-deprecation quotes, time to even things up!)
>
> My profile and resume:
> http://www.linkedin.com/in/gadievron
Re: [Full-disclosure] [funsec] Stop The 70% Lie
On Thu, 17 Jul 2008, The Security Community wrote:
> http://70percenters.googlepages.com/
>
> "The FBI estimates that about 70 percent of all computer security
> breaches are perpetrated by insiders."
>
> For years this lie and variations on the same theme have been
> spreading through the Internet and the industry press.
>
> Year after year journalists, security marketers, bloggers, and other
> media types continue to publish this nonsense as though it were the
> Gospel Truth when the truth is the FBI has never published any survey,
> study, or statistical analysis that supports this claim.

Not reading the post below, I can tell you the numbers are based on real research, but it is so old my memory fails me. It is a case of a number being repeated and copied so many times over it gains credibility and immortality.

There are some decent numbers from the CSI/FBI annual survey. Also, when counting incidents, it really matters what types of incidents are included.

Gadi.

> Inspired by http://blogs.zdnet.com/careers/?p=127
[Full-disclosure] Announcement && CFP: ISOI 5, Tallinn Estonia
The Internet Security Operations and Intelligence (ISOI) 5th workshop will take place on the 11th and 12th of September, 2008.

Venue: Tallinn, Estonia.
Host: Estonian CERT (www.cert.ee).

Attendance: While payment is not required, to attend you must be a member of one of the vetted operational communities, or contact us directly for special consideration.

CFP information:
The topics for the CFP include operational nsp security, Internet incident response, Internet fraud, cyber crime investigations and general case studies.

You can email your suggestions, including a title, short abstract and preferred day and time, to me personally up to the 28th of July. Late submissions for turbo-talks are possible.

For more information you can check out the web pages for previous ISOI workshops:
Yahoo - http://isotf.org/isoi44html
ICANN/ISOC/Afilias - http://isotf.org/isoi3.html
Microsoft - http://isotf.org/isoi2.html
Cisco - http://isotf.org/isoi.html

A preliminary program will become available in a few weeks on:
http://isotf.org/isoi5.html

Gadi Evron && Randy Vaughn.
Re: [Full-disclosure] IOS rootkits (fwd)
In this email I summarise the discussion thread.

One thing we did not do in these threads is to thank Core Security and Sebastian Muniz for the work, and releasing it to help make the world safer.

Gadi.

Date: Sun, 25 May 2008 05:27:36 -0500 (CDT)
From: Gadi Evron
To: Joel Jaeggli
Subject: Re: IOS rootkits

On Sun, 18 May 2008, Joel Jaeggli wrote:
> Dragos Ruiu wrote:
>
>> First of all about prevention, I'm not at all sure about this being
>> covered by existing router security planning / BCP.
>> I don't believe most operators reflash their routers periodically, nor
>> check existing images (particularly because the tools for this
>> integrity verification don't even exist). If I'm wrong about this I
>> would love to be corrected with pointers to the tools.
>
> I have 6 years worth of rancid logs for every time the reported number
> of blocks in use on my flash changes, I imagine others do as well.
> That's hardly the silver bullet however.

Cisco considerably updated its rootkits page (which was 3 lines, yes, just 3 lines, last week, you might think it was a previously unknown threat).

Last Updated 2008 May 22 1600 UTC (GMT)
For Public Release 2008 May 16 0400 UTC (GMT)

Some update! The new page gives a lot of information on best practices, MD5 verifications, etc. Very good as a security best practices page but still not much of an "anti rootkit" page. Well worth taking a look:
http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml

Again, very good page even if it in no way addresses the threat.

Last week my opinions were well-formed after a few years of thinking on the subject. I decided to re-examine my take as I may have just stagnated on the issue and the landscape changed. I reached the same conclusions.

Still no decent response on why they never spoke to their clients on Trojan horses on IOS, rootkits on IOS.. or practically, what tools they provide to deal with them or what their plans are to help us protect ourselves and our infrastructure.

One could guess they have none.

As someone recently mentioned to me, after the Michael Lynn talk they started admitting to remote code execution vulnerabilities being more than just DoS in their announcements. Maybe that is a trend and we will get more information from them in the future, now that rootkits as a threat to IOS are a public issue.

Cisco's "threats don't exist until our clients already know of them" strategy is running out of steam, and will soon outlive its usefulness.

Cisco is acting pretty much like Microsoft did 10 years ago; they shouldn't be surprised if security research treats them the same way as it treated Microsoft. I know what their treatment made _me_ do psychologically: it made me not want to reach out to them. It seems like the Michael Lynn way is the only way to go with their current attitude--full disclosure.

As to the risk itself, it is my personal belief IOS rootkits are currently a threat as a targeted attack. Therefore, although of serious concern it is not yet something I fear on the Internet scale.

Pure FUD, Cisco provided us with no real data: I do however dread the day XR gains some popularity, then it is as bad as Windows XP exploitability-wise.

2003, year of the worm. 2013, year of the Cisco worms?

Gadi.
Re: [Full-disclosure] An account of the Estonian Internet War
On Tue, 20 May 2008, Viktor Larionov wrote:
> Hi Gadi and all the rest of the community,
>
> I work and live in Estonia, and I was a witness to all that happened here,
> especially in the cyber-sphere, starting from the first day.
>
> Let's skip the details on the political context of your story, which from my
> point of view is far from being neutral, and pass on to the technical part of
> it.
>
> First of all, neither I, nor (well, as far as I know) anybody here have seen
> any evidence that attacks have originated from Russia. I certainly have no
> doubt that there may have been addresses located in Russian IP pools
> attacking our government networks, but well, we are professionals here, and
> we do understand what botnets mean, do we?
> What concerns the story about blogs and forum activities, well, pardon, CNN
> also showed pictures of what was happening in Estonia, so did BBC, EuroNews, MTV3;
> that gives me no arguments to claim that CNN is behind all that :)
>
> More than that, living here, and working in the IT sector for half of my
> life, I have noticed no increase in hacker activity on my servers (also
> the company servers).
> Neither did a lot of my friends here. In fact, I have not yet seen anyone,
> except for some political party though, who would have suffered from the so
> called "cyber-war".
> All those stories about banks going offline, etc. etc. etc. - well, may I
> tell you that my Visa was working properly all the time, and my bank was
> available 24/7.
>
> This all led me to the conclusion that all the hush is about a couple (ok,
> maybe tens or hundreds) of DDoS attacks being done.
> Tell me, how many attacks, or ok, attack attempts, does your corporate network
> suffer during the day?
>
> What concerns that student you wrote about, well, Gadi please, as far as I
> know that was a ping-of-death he committed against the server of one
> political party.
> And well, if your server goes offline due to a ping of death, then please,
> you have security issues, and serious ones... And for me, the story about
> "ugly Russian hackers" in this context sounds more than hilarious.
> The more ridiculous it gets if one tries to make an international disaster
> of one "lazy admin forgetting to install a firewall".
> Give me a break...
>
> In general, a lot of IT experts around here are concerned that no
> "cyber-war" has ever happened; everything was about a couple, maybe
> 10-20 DDoS attacks which took place, and sleeping admins off duty.
> And what concerns the security situation here in Estonia, well, I should
> agree with you that, yes, our banks have security which we may trust,
> well, at least from my point of view. But if we go to the government level,
> then please...
> You don't even need to be a cracker know-it-all of any kind; plain
> script-kiddie skill will do the trick... e.g. recently, checking out one
> software package for security breaches, we found a key to some 100
> Estonian government websites + web server user privileges on the boxes
> themselves... it took us 15 minutes, not even being security experts of any sort.
> Fortunately for the government we are the good guys. :)
>
> Generally, pardon Gadi, but your story copies 1:1 the story the officials
> tell everybody, and well, sorry, but Mr. Toomas Hendrik Ilves's IT skills
> leave me in very grand doubt. So does the story he has no evidence for.
> So far the online community has seen none of the evidence the government was
> boasting about; a year has gone by - and personally I consider all this
> one big bluff.

Dear Viktor,

Thank you for sharing your experience and your personal point of view, I appreciate that.

As to the banks, indeed actual, eventual down-time was inconsequential (for some, 2 hours) while others still did not process credit card requests a month later.

All in all, incident response made sure people in the streets only found out about certain issues through the press.

As to the technical evidence, indeed, the attacks, while sizable (c'mon, 4 Mpps is still big), are almost insignificant when compared with the size of attacks we have seen in the past. Very small in comparison.

I refuse to take a stand or offer an opinion (anymore) on whether it was Russia or not. I convey only what I can prove, which in that regard is absolutely nothing except for the fact it was organized, ad-hoc or by an entity; you can decide for yourself.

It is not my place to take sides or comment politically. DDoS hurts the `net, no matter who is under attack, and that is why the Internet security operations community and the CERTs community got involved, as well as myself.

Thanks again,

Gadi.
[Full-disclosure] An account of the Estonian Internet War
About a year ago, after coming back from Estonia, I promised I'd send in an account of the Estonian "war". The postmortem analysis and recommendations I later wrote for the Estonian CERT are not yet public.

A few months ago I wrote an article for the Georgetown Journal of International Affairs, covering the story of what happened there, in depth. The journal owns the copyright so I had no way of sending that along either. I wasn't about to email saying "go buy a copy".

Mostly silly articles kept popping up with misguided to wrong information about what happened in Estonia, and when an Estonian student was arrested for participating, some in our community even jumped up to say "it was just some student". Ridiculous.

This is the "war" that made politicians aware of cyber security and entire countries scared, NATO to "respond" and the US to send in "help". It deserved a better understanding for that alone, whatever actually happened there. I was there to help, but I just deliver the account. The heroes of the story are the Estonian ISP and banking security professionals and the CERT (Hillar Aarelaid and Aivar Jaakson).

Apparently the Journal made my article available in PDF form by a third party:

Battling Botnets and Online Mobs
Estonia's Defense Efforts during the Internet War
URL: http://www.ciaonet.org/journals/gjia/v9i1/699.pdf

It is not technical; I hope you find it useful.

Gadi Evron.
[Full-disclosure] IOS rootkits (fwd)
Embarrassing typo.

-- Forwarded message --
Date: Fri, 16 May 2008 20:07:51 -0500 (CDT)
From: Gadi Evron <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: IOS rootkits

At the upcoming EuSecWest Sebastian Muniz will apparently unveil an IOS rootkit. Skip below for the news item itself.

We've had discussions on this before, here and elsewhere. I've been heavily attacked on the subject of considering router security as an issue when compared to routing security.

I have a lot to say about this, having looked into this threat for a few years now and having engaged different organizations within Cisco on the subject in the past.

Due to what I refer to as an "NDA of honour" I will just relay the following until it is "officially" public, then consider what should be made public, including:

1. Current defense strategies possible with Cisco gear
2. Third party defense strategies (yes, they now exist)
3. Cisco response (no names or exact quotes will likely be given)
4. A bet on when such a rootkit would be public, and who won it (participants are.. "relevant people").

From: http://www.networkworld.com/news/2008/051408-hacker-writes-rootkit-for-ciscos.html

"A security researcher has developed malicious rootkit software for Cisco's routers, a development that has placed increasing scrutiny on the routers that carry the majority of the Internet's traffic.

Sebastian Muniz, a researcher with Core Security Technologies, developed the software, which he will unveil on May 22 at the EuSecWest conference in London."

Gadi Evron.
[Full-disclosure] a song about me? :P [was: Vulnerability Release: CKFD001-CHATX]
At first I thought having a fan blog of someone who hates me was cool. Then I thought the comic strip was cool, but man... I like the guitar, even if the guy does like Hitler.

I am sending this to all my friends who are not profanity sensitive.

Gadi.

P.S. rapidshare sucks. It's too painful to download.

> TITLE: My Name is Gadi Evron
>
> FILENAME: ckfd001-chatx-my_name_is_gadi_evron.mp3
>
> DOWNLOAD:
> http://rapidshare.com/files/107868234/ckfd001-chatx-my_name_is_gadi_evron.mp3.html
>
[Full-disclosure] hacking a pacemaker
Almost a year ago I gave a talk at the CCC Camp in Germany I called "hacking the bionic man". It even made Wired, in some fashion.

http://blog.wired.com/27bstroke6/2007/08/will-the-bionic.html
http://events.ccc.de/camp/2007/Fahrplan/events/2049.en.html

The talk, among other things such as DNA and scripting languages, medical doctors and reverse engineers... was about cybernetic hacking. I gave some predictions, some for 2 years, others 40 years. Some again were pure science fiction.

I was wrong on the 2 years; it's here.

Today, this came up in the news (hat tip to Paul Ferguson on the funsec mailing list):

http://www.nytimes.com/2008/03/12/business/12heart-web.html?_r=1&oref=slogin

"The threat seems largely theoretical. But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker. They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal, if the device had been in a person. In this case, the researchers were hacking into a device in a laboratory."

Gadi Evron.
[Full-disclosure] On Topic Off Topic: How To Behave On An Internet Forum
http://www.videojug.com/film/how-to-behave-on-an-internet-forum

:)

Gadi.
[Full-disclosure] in Memory of Dude VanWinkle / Justin Plazzo
I was just woken up with the news of Justin's death and am unsure what to think or how to respond--I need to.

I feel things are left unfinished, a light just disappeared without warning, and all I can think of is what I said to him, when and where. Was I nice? Was I respectful? Did I always treat him right? What could I do differently? What will our small corner of the universe look like without him?

What's clear is that he was a good guy who strove to always do better and was not afraid of voicing his opinion or making himself heard. He was also quick to apologize when necessary. His opinions never stopped him from seeing the person on the other side. He took subjects he discussed seriously, but never lost sight of the fun. He never stopped learning and he evolved a great deal over the past couple of years in which I had the opportunity to know him.

One day, I was hoping to meet him.

He was a good guy. He became an integral part of our community and only now do I realize how much that is true.

He cared. I care. He is missed.
Re: [Full-disclosure] what is this?
On Tue, 15 Jan 2008, crazy frog crazy frog wrote:
> nick,
> ur not getting my point, the url is techicorner.com/{random string
> here}, i have already mentioned it in previous posts.
> i have read the link sent by denis, and i would have to conclude that:
> 1) The problem does not occur always, instead it occurs randomly based
> on IP or something like that.

In recent kits, it is more likely it is user-agent based.

> 2) if u look at the pages on techicorner.com u will not find any
> malicious code, so its possible that the server is compromised and its
> an LKM
> please refer to these links:
> http://www.webhostingtalk.com/showthread.php?t=651748 [thanks denis]
>
> Thanks again everyone for your valuable suggestions, i posted here to
> share this stuff with everyone and maybe u can learn from it.
>
> regards,
> _CF
>
> On Jan 15, 2008 12:15 PM, Nick FitzGerald <[EMAIL PROTECTED]> wrote:
>> crazy frog crazy frog wrote:
>>
>>> well,
>>> i received many responses but none is perfect. i checked the files and
>>> didn't find anything embedded in my scripts or pages. still i have to
>>> figure out why my antivirus randomly pops up? i mean most of the time
>>> it doesnt detect any infection but then suddenly this thing happens
>>> and then everything seems ok.
>>> i dont think its a problem with my script otherwise i could have found
>>> the code or it should be repeating consistently. is anyone still facing
>>> this issue on techicorner.com or on tubeley.com or on
>>> secgeeks.com?
>>>
>>> let me know, i m trying hard to dig into this issue.
>>
>> If you would tell us the _actual_ URL where this behaviour is being
>> seen we would have a reasonable chance of actually diagnosing it. As
>> it is, we're having to guess based on matching your half-arsed
>> descriptions of what you think is happening with our knowledge of what
>> has been seen going on out there.
>>
>> This may surprise you, but many thousands and thousands of sites are
>> compromised each day to display "similar" activity to what you've asked
>> us to diagnose (aka "guess").
>>
>> If we could look at the actual site and see what is really happening we
>> should have a better (if not perfect) chance of success.
>>
>>
>> Regards,
>>
>> Nick FitzGerald
>>
>
> --
> advertise on secgeeks?
> http://secgeeks.com/Advertising_on_Secgeeks.com
> http://newskicks.com
>
Re: [Full-disclosure] what is this?
> Hi,
>
> Recently on opening one of my sites, my antivirus pops up saying that it
> has found a malicious script. the url is random and i have managed to
> get that script. it is using some flaw in apple quick time.
> u can get the zip file for the java script here:
> http://secgeeks.com/what.zip
> password is 12345
> can somebody guide/help me what is this and how can i remove it?

I did not look at the malware, but it is pretty obvious you have been compromised.

Defacements today (unless for the specific reason of being "seen") are about leaving the site the same way you find it, and infecting its user base/visitors.

A second option is that you are secure but a "partner" such as an ad site has been compromised and infects your users.

Naturally, a compromise can come from anywhere, but in most cases it is something like RFI...

Taosecurity linked to three great papers on the subject of web botnets / cross-platform web malware:
http://taosecurity.blogspot.com/2007/11/great-papers-from-honeynet-project.html

Linking also to my original article here:
http://blogs.securiteam.com/index.php/archives/815

Gadi.
Re: [Full-disclosure] Warning: Hackers hijacking unused IP Addresses inside Trusted domains [POC]
On Wed, 21 Nov 2007, Paul Schmehl wrote:
> If Yahoo was able to fix the problem quickly, then it would appear that Yahoo
> had a compromised domain server or servers.

We all get pwned at one point or another; how we respond is what matters.

>
> --
> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>
[Full-disclosure] eBay redirects: next step in fake blogs and web search abuse
You try and go here:
http://hushmail-901.blogspot.com/2007/11/hushmail-tryig-to-delet-contacts-in.html

You get here:
http://search-desc.ebay.com/hushmail_W0QQ_trksidZm37QQcatrefZC6QQfromZR10QQftsZ2QQsacatZQ2d1QQsargnZQ2d1QQsaslcZ2QQsbrftogZ1QQsofocusZunknown
[Full-disclosure] the heart of the problem [was: RE: mac trojan in-the-wild]
On Thu, 1 Nov 2007, Thor (Hammer of God) wrote:
> But more importantly, let's look at things from the other side. Let's
> say I'm wrong, and that Gadi is right on target with his "hit hard"

I'd say we are both right. You look at it from a security researcher stand-point. There is nothing interesting about user-interaction, and it is even kind of lame. From a reasonable perspective, we refuse to believe people will act so .. silly.

> prediction and that we should be very concerned with this. Given the

Not predicting, assessing.

Criminal elements have a very clear cost/benefit calculation. For example, they won't release a 0day such as WMF or ANI as long as their revenue goals are met with published ones. They collect statistics on OS, browser, language, which exploit got how many, etc.

They have thousands on thousands of sites infecting users who surf (some of them ad-based on real sites, or defaced sites such as forums that remain with the same content, only now infect people). Then there is also spam directing people to these sites.

Now, a criminal gang (could be the mob, could be one guy) targets the Mac. So much so that they serve different malware by OS type.

As a security researcher looking at code, bits and bytes, you are simply not usually following what's going on in operational security, where things are bleak.

From an operational security standpoint, this equates to what happened in the world of the Internet back when Windows 98 was around. Not what security features it had.

> requirements here, that again being flagrant ignorance where all the
> above steps are executed (including the explicit admin part)-- what
> exactly are we supposed to do? If people are willing and able to go
> through the motions above what can we as security people do to prevent
> it? Far too many people in this industry are far too quick to point out
> how desperate the situation is at all turns, but I don't see many people
> offering real solutions. But you know, I have to say... If we are

Things are in fact FUBAR. We need new ideas and new solutions as honestly, although we want to feel we make a difference by taking care of this or that malware or this and that C&C, we are powerless and have not made a real difference in the past 6 years while things got worse.

We need new solutions and new ideas, and would be more than happy to have new people exploring operational security.

The current state of Internet security is you get slapped -- BAM! -- and you write an analysis about it. (When speaking at ISOI I actually slapped myself -- HARD -- when I said it on stage; not a good idea, for future reference.)

> really going to consider this "serious," and we are really going to
> define part of our jobs as being responsible for stopping people who
> have absolutely no concerns for what they do and are willing to enter
> their admin credentials into any box that asks for it, then I'd say that
> there is a *serious* misunderstanding about what security is, and what
> can be done about it-- either that, or I'm just in the wrong business.
>
> t

Well, we can't choose the risks. They choose us. Sometimes they are cool, sometimes they're not.

I often start emails by saying "first off, this is not the end of the world, the Sun will rise tomorrow and the Internet won't die today". I tire of it. Of course the Internet won't die today, but it is Mac season.

Apple is very much correct in not investing in security first until now -- from a BUSINESS standpoint, however much we as security people in our niche can't get behind it. Things are different now and unfortunately they have a backlog to deal with.

Gadi.
Re: [Full-disclosure] mac trojan in-the-wild
On Thu, 1 Nov 2007, Jim Harrison wrote:
> While Apple-oriented threats may not get either the validation or the
> publicity (one hardly equals the other) that Windows attacks do, it's hardly
> accurate (much less fair) to make those comparisons.
> For all those comparative points, my Kaypro-4 running ZCPR is more secure
> than any Apple OS.
>

The comparison is with the Microsoft eco-system in the security realm when Windows 98 was out, whether by lack of visibility, unpatched exploits or organized criminal interest. That is the significant part.

Gadi.
Re: [Full-disclosure] [botnets] re MAC trojan (fwd)
There have been many threads on this subject, but I believe the post below covers what some of us are trying to say on why this issue is significant. Obviously some people are far more articulate than me.

-- Forwarded message --
Date: Thu, 1 Nov 2007 16:47:17 -0400
From: PinkFreud <[EMAIL PROTECTED]>
To: Gary Flynn <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: [botnets] re MAC trojan

To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--

[My apologies if this has already been covered - I started this email a few hours ago, and haven't had a chance to finish it until now.]

I think the point Gadi (and Alex of Sunbelt Software, in his original blog entry) is trying to make is that professional malware authors have begun to take notice of Apple. As a piece of malware goes, this trojan is nothing remarkable in itself, other than the fact that it's aimed at Mac users. As Gadi mentioned, there are a number of known issues that Apple has yet to address. If the professional malware authors are now taking aim at Mac users, Apple appears to be making it easy for them.

There are a few comments that I've seen in this thread that are rather worrisome:

::: Interspace System Department
> Relax. MAC users are not as stupid as MS users...

Are you a Mac user? If so, you just proved yourself wrong with that statement. :)

Users are users, and their knowledge of computers varies greatly from one to the next. I've supported a number of Mac users who tend to be clueless when it comes to computers, and I've supported Mac users who know quite a bit about the machines they use. Like any Windows or *nix user, Mac users can - and will - fall prey to this kind of scheme.

Again, the trojan is not what's important here. The fact that it was written for Macs is particularly noteworthy, however.

::: Jeremy Chatfield
> InfoSec is there to make sure that I can run my business, not as an end in
> itself. It *prevents* profit making activity by having effort expended on
> internal needs. So if the Mac hasn't *needed* higher level of security
> hoops, previously, that's good. So long as weaknesses are fixed *when
> needed*, I'm a happy bunny. If there's a Day Zero attack that hits a Mac,
> I'll be disappointed, but it's not a uniquely Mac situation to be in... If
> the failure was an obvious weakness, I'm actually still pretty sanguine,
> because it hasn't yet been exploited, despite being "well known".

Security issues should be fixed as soon as feasible, not 'when needed'. If all security vulnerabilities were fixed 'when needed', the malware authors would be having a field day (which, of course, implies they're not already... h.).

Apple has a history of badly-written software. As far as recent examples go, take a look at tar and rsync on Tiger (10.4) - they've been modified to support extended attributes like ACLs and resource forks, and they're quite broken - extended attribute support introduces a serious memory leak.

If that doesn't quite hit home, you can get a further idea of how their software is written by taking a look at the man page for sharing(1), on OS X Server (for those of you without access to OS X Server, take a look at http://developer.apple.com/DOCUMENTATION/Darwin/Reference/ManPages/man1/sharing.1.html ). Pay particular attention to the description for the -s, -g, and -i options - do their developers (or tech writers) know the difference between AND and OR? :)

On Thu, Nov 01, 2007 at 08:56:22AM -0400, Gary Flynn babbled thus:
> This is nothing more than simple downloadable malware exacerbated
> somewhat by permissive configuration settings. It exploits no
> security defects.
>
> As I understand it, the operator is given multiple opportunities
> to refuse the program:
>
> http://www.jmu.edu/computing/security/#macmalware
>
> (I'm only subscribed to the archive so I apologize if this
> has been already pointed out or already proven incorrect
> today)
>
> --
> Gary Flynn
> Security Engineer
> James Madison University
> www.jmu.edu/computing/security

--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net

Unsolicited advertisements sent to this address are NOT welcome.

___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
[Full-disclosure] mac trojan in-the-wild
For whoever didn't hear, there is a Macintosh trojan in-the-wild being dropped, infecting Mac users. Yes, it is being done by a regular online gang--itw--it is not yet another proof of concept. The same gang infects Windows machines as well, just that now they also target Macs.

http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html

This means one thing: Apple's day has finally come and Apple users are going to get hit hard. All those unpatched vulnerabilities from years past are going to bite them in the behind.

I can sum it up in one sentence: OS X is the new Windows 98.

Investing in security ONLY as a last resort loses money, but everyone has to learn it for themselves.

Gadi Evron.
[Full-disclosure] DailyGadi: I hate you
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] DailyGadi: Rhino9 is back
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] XSS and SQL injection via SIP (part 2) and toll fraud bonus
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] DailyGadi: Transvestites
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] SNOSOFT: Remote OpenSSH 0day! (yuck)
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] DailyGadi: Molested
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Damn trolls
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] DailyGadi: Holocaust denial
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Queers
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Fifty Hitler
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] My youth
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] DailyGadi: My fro
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] DailyGadi: Rainbow tables
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Why?
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Fifty Hitler
-- Powered by Outblaze ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] DailyGadi: Russian whores
[Full-disclosure] French frogs jump over the fog
[Full-disclosure] DailyGadi: Cyberwar alert, mass disruption coming
[Full-disclosure] Perl or python: the debate
[Full-disclosure] Fifty Hitler
Re: [Full-disclosure] defining 0day
On Wed, 26 Sep 2007, Charles Miller wrote: > On 26/09/2007, at 5:02 AM, Gadi Evron wrote: > >> Okay. I think we exhausted the different views, and maybe we are now able >> to come to a conclusion on what we WANT 0day to mean. >> >> What do you, as professional, believe 0day should mean, regardless of >> previous definitions? > > As a professional, I would be happy to see terms like '0day' banished from > the lexicon entirely. It's an essentially meaningless -- all third-party > exploits are zero-day to _somebody_ -- term of boast co-opted from the warez > scene, and we can do perfectly well without it. > > Quibbling over its precise definition seems a ridiculous waste of bytes. > It would if we are to stay stuck in our niche, but you need to remember - security is about niches, we are all experts -- but in very specific fields. These past 2 years we faced multiple targeted attacks with previously unknown vulnerabilities. We experience MASSIVE exploitation of users with 0days used on web sites and in e-mail, etc. As an industry, as professionals, it is time to get our act together on the basics. I am operations manager for ZERT, and for me, this is indeed at the very heart of the matter. How you define this silliness is directly linked to how you do two of the most essential parts of security: 1. Vulnerability disclosure - for researchers. 2. Incident response - for.. responders. If a vulnerability is fully disclosed, unpatched, being actively exploited, etc. caused real confusion, and none of us, or any of the written material, can agree on the basics. It's not about fighting on what 0day means as much as it is about how we as an industry, a community, conduct ourselves and can reach a common language, which directly impacts operations. So, if WMF was disclosed today after being actively exploited itw for a while, what would you call it? How would you respond to it? How long would it stay unpatched and when will you realize its importance? > C Gadi.
___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] defining 0day
On Tue, 25 Sep 2007, Brian Loe wrote: > On 9/25/07, Gadi Evron <[EMAIL PROTECTED]> wrote: > >> Okay. I think we exhausted the different views, and maybe we are now able >> to come to a conclusion on what we WANT 0day to mean. >> >> What do you, as professional, believe 0day should mean, regardless of >> previous definitions? > > > Seems to me that definitions, and language itself, is a product of > evolution. You can't just remove all previous meanings. It's better > anyway to stick to the most accepted, acknowledged and DOCUMENTED > definitions: No longer good enough. We can get a press scare over a public vuln release, or a wake-up call. I think we can do better as an industry. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] defining 0day
On Tue, 25 Sep 2007, Thor (Hammer of God) wrote: > For the record, the original term "O-Day" was coined by a dyslexic > security engineer who listened to too much Harry Belafonte while working > all night on a drink of rum. It's true. Really. > > t Okay. I think we exhausted the different views, and maybe we are now able to come to a conclusion on what we WANT 0day to mean. What do you, as professional, believe 0day should mean, regardless of previous definitions? Obviously, the term has become charged in the past couple of years with the targeted office vulnerabilities attacks, WMF, ANI, etc. We require a term to address these, just as much as we do "unpatched vulnerability" or "fully disclosed vulnerability". What other such descriptions should we consider before proceeding? non-disclosure? Gadi. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] 0day: PDF pwns Windows
On Tue, 25 Sep 2007, J. Oquendo wrote: > In a strategic war, most countries aim to eliminate supply points and > mission critical infrastructure as quickly as possible. In a > cyberwarfare situation me personally, I would aim to 1) disrupt/stop via > a coordinated attack whether it's via a botnet or something perhaps along > the lines of a physical cut to a nation's fiber lines. Just go watch Die Hard 4. :) Gadi. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] 0day: PDF pwns Windows
On Tue, 25 Sep 2007, Jason wrote: > You present a valid position but fall short of seeing the whole picture. > > As an attacker, nation state or otherwise, my goal being to cripple > communications, 0day is the way to go. Resource exhaustion takes > resources, something the 0day can deprive the enemy of. > > Knocking out infrastructure with attacks is a far more effective > strategy. You can control its timing, launch it with minimal resources, > from anywhere, coordinate it, and be gone before it can be thwarted. The > botnet would only serve as cover while the real attack happens. > > I am more inclined to believe that botnets in use today really only > serve as cover, thuggish retribution, and extortion tools, not as > effective tools of warfare. No real warfare threat would risk exposing > themselves through the use of or construction of a botnet. > There is a difference between Sun Tzu-like stealth and civil war-like "throw bodies at it". I quite agree 0days would be important tools, but not necessarily the only tool. Then, it would only be a facilitating technology. A known vulnerability is also useful in many cases. About botnets, they are at the very heart of the matter--not necessarily for being used in this fashion, but rather because the Internet is perfect for plausible deniability, and then, of course, there is the matter of a /fifth column/, inside your network. Gadi. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] 0day: PDF pwns Windows
On Thu, 20 Sep 2007, Joey Mengele wrote: > Dear Fatboy, > > Let's put aside for a minute the fact that you have no idea what You like people on the heavy side? Psst... call me. > you are talking about and let's also, for the benefit of this very > valuable debate, assume your definition is correct. First, please > prove this bug was never used in the wild. After that, please prove > your credibility in the realm of defining words related to illegal > computer hacking. Thanks. > > J > > P.S. Talking about botnets doesn't count to satisfy part 1 OR part 2 > > ___ > "If today I stand here as a revolutionary, it is as a revolutionary > against the Revolution." > > > On Thu, 20 Sep 2007 11:29:22 -0400 Gadi Evron <[EMAIL PROTECTED]> > wrote: >> Impressive vulnerability, new. Not a 0day. >> >> Not to start an argument again, but fact is, people stop calling >> everything a 0day unless it is, say WMF, ANI, etc. exploited in >> the wild >> without being known. >> >> I don't like the misuse of this buzzword. >> >> Gadi. >> >> >> On Thu, 20 Sep 2007, pdp (architect) wrote: >> >>> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows >>> >>> I am closing the season with the following HIGH Risk >> vulnerability: >>> Adobe Acrobat/Reader PDF documents can be used to compromise >> your >>> Windows box. Completely!!! Invisibly and unwillingly!!! All it >> takes >>> is to open a PDF document or stumble across a page which embeds >> one. >>> >>> The issue is quite critical given the fact that PDF documents >> are in >>> the core of today's modern business. This and the fact that it >> may >>> take a while for Adobe to fix their closed source product, are >> the >>> reasons why I am not going to publish any POCs. You have to take >> my >>> word for it. The POCs will be released when an update is >> available. >>> >>> Adobe's representatives can contact me from the usual place. My >> advice >>> for you is not to open any PDF files (locally or remotely).
>> Other PDF >>> viewers might be vulnerable too. The issue was verified on >> Windows XP >>> SP2 with the latest Adobe Reader 8.1, although previous versions >> and >>> other setups are also affected. >>> >>> A formal summary and conclusion of the GNUCITIZEN bug hunt to be >> expected soon. >>> >>> cheers >>> >>> -- >>> pdp (architect) | petko d. petkov >>> http://www.gnucitizen.org >>> >> >> ___ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] 0day: PDF pwns Windows
Impressive vulnerability, new. Not a 0day. Not to start an argument again, but fact is, people stop calling everything a 0day unless it is, say WMF, ANI, etc. exploited in the wild without being known. I don't like the misuse of this buzzword. Gadi. On Thu, 20 Sep 2007, pdp (architect) wrote: > http://www.gnucitizen.org/blog/0day-pdf-pwns-windows > > I am closing the season with the following HIGH Risk vulnerability: > Adobe Acrobat/Reader PDF documents can be used to compromise your > Windows box. Completely!!! Invisibly and unwillingly!!! All it takes > is to open a PDF document or stumble across a page which embeds one. > > The issue is quite critical given the fact that PDF documents are in > the core of today's modern business. This and the fact that it may > take a while for Adobe to fix their closed source product, are the > reasons why I am not going to publish any POCs. You have to take my > word for it. The POCs will be released when an update is available. > > Adobe's representatives can contact me from the usual place. My advice > for you is not to open any PDF files (locally or remotely). Other PDF > viewers might be vulnerable too. The issue was verified on Windows XP > SP2 with the latest Adobe Reader 8.1, although previous versions and > other setups are also affected. > > A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected > soon. > > cheers > > -- > pdp (architect) | petko d. petkov > http://www.gnucitizen.org > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Vulnerable test application: Simple Web Server (SWS)
Every once in a while (last time a few months ago) someone emails one of the mailing lists about searching for an example binary, mostly for:

- Reverse engineering for vulnerabilities, as a study tool.
- Testing fuzzers

Some of these exist, but I asked my employer, Beyond Security, to release our test application, specific for testing fuzzing (built for the beSTORM fuzzer). They agreed to release the HTTP version, following their agreement to release our ANI XML specification.

The GUI allows you to choose what port you want to run it on, as well as which vulnerabilities should be "active". It is called Simple Web Server or SWS, and has the following vulnerabilities:

1. Off-By-One in Content-Length (Integer overflow/malloc issue)
2. Overflow in User-Agent
3. Overflow in Method
4. Overflow in URI
5. Overflow in Host
6. Overflow in Version
7. Overflow in complete packet
8. Off By One in Receive function (linefeed/carriage return issue)
9. Overflow in Authorization Type
10. Overflow in Base64 decoded
11. Overflow in Username of authorization
12. Overflow in Password of authorization
13. Overflow in Body
14. Cross site scripting

It can be found on Beyond Security's website, here: http://www.beyondsecurity.com/sws_overview.html

Thanks, Gadi Evron. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
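As an added illustration, not code from SWS or Beyond Security, here is how a hardened HTTP server closes off the two bug classes numbered 1 and 8 in the list above: a Content-Length parser that refuses to wrap before the length ever reaches malloc(), and a line reader that handles CRLF and bare LF without stepping one byte past its buffer. The body-size limit, function names and sample request are my own.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest request body the server will accept (a constructed limit). */
#define MAX_BODY_BYTES (1024u * 1024u)

/* Parse a Content-Length header value into *out.
 * Accepts optional leading/trailing SP or HTAB around a run of ASCII digits.
 * Returns 0 on success, -1 for an empty value, any other character
 * (including '+' or '-'), arithmetic overflow of size_t, or a length above
 * MAX_BODY_BYTES. Checking the bound before each multiply is what stops a
 * huge header value from wrapping to a small number and undersizing the
 * malloc() that follows. */
int parse_content_length(const char *value, size_t *out)
{
    size_t n = 0;
    int digits = 0;

    if (value == NULL || out == NULL)
        return -1;
    while (*value == ' ' || *value == '\t')
        value++;
    for (; isdigit((unsigned char)*value); value++) {
        size_t d = (size_t)(*value - '0');
        if (n > (SIZE_MAX - d) / 10)      /* n * 10 + d would overflow */
            return -1;
        n = n * 10 + d;
        if (n > MAX_BODY_BYTES)           /* policy limit, checked early */
            return -1;
        digits++;
    }
    while (*value == ' ' || *value == '\t')
        value++;
    if (digits == 0 || *value != '\0')    /* empty, or trailing garbage */
        return -1;
    *out = n;
    return 0;
}

/* Extract one request line from a receive buffer.
 * src/len is the raw data received so far; dst/cap is the caller's line
 * buffer. The line ends at LF; a CR immediately before it is dropped, so
 * CRLF and bare LF terminators are both handled, and the NUL is only ever
 * written at an index strictly below cap.
 * Returns the number of source bytes consumed (terminator included),
 * 0 if no complete line has arrived yet, or -1 if the line plus its NUL
 * does not fit in dst. */
long read_line(const char *src, size_t len, char *dst, size_t cap)
{
    size_t i, line_len;

    if (src == NULL || dst == NULL || cap == 0)
        return -1;
    for (i = 0; i < len && src[i] != '\n'; i++)
        ;
    if (i == len)                         /* no terminator seen yet */
        return (len >= cap) ? -1 : 0;     /* give up if it already cannot fit */
    line_len = i;
    if (line_len > 0 && src[line_len - 1] == '\r')
        line_len--;
    if (line_len >= cap)                  /* need room for the NUL */
        return -1;
    memcpy(dst, src, line_len);
    dst[line_len] = '\0';
    return (long)(i + 1);
}

int main(void)
{
    /* constructed sample request: the header value exceeds 64 bits */
    const char req[] =
        "POST /upload HTTP/1.1\r\nContent-Length: 18446744073709551617\n\r\n";
    char line[64];
    size_t off = 0, n;
    long got;

    while ((got = read_line(req + off, sizeof req - 1 - off, line, sizeof line)) > 0) {
        off += (size_t)got;
        if (strncmp(line, "Content-Length:", 15) == 0)
            printf("Content-Length%s -> %s\n", line + 15,
                   parse_content_length(line + 15, &n) == 0 ? "accepted" : "rejected");
        if (line[0] == '\0')              /* blank line ends the header block */
            break;
    }
    return 0;
}
```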
Re: [Full-disclosure] fake blogs and search engines
Thank you for your kind words and advice. On Thu, 6 Sep 2007, Bee Binger wrote: > How often do you google search for yourself? Do you > run across all the posts of people ridiculing you for > being an idiot? if not matasano's blog would be a good > start. > > Maybe you should instead spend your time learning to > exploit basic vulnerabilities so next time a sendmail > like bug comes around you don't embarrass yourself > again. > > It's going to be a sad day for you when the irc bots > move to silc and you can't just run wireshark and you > will have to learn assembly and how to operate a hex > editor. > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] fake blogs and search engines
URLs in this post should be considered as unsafe. Fake sites and SE poisoning are nothing new. The use of blogs for this is far from new, either. Thousands of new fake blogs pop up every day on blogspot, livejournal, etc. Web spam is a subject I have written about in the past, and some of you may be familiar with it regardless of me (no kidding), especially if you run a blog yourself. A new fake blog which looks like blogspot, but has its own "domain", recently popped up in a Google alert on my name. I get hits on these fake pages all the time as my name is a key word used by some of these spammers to grab attention to their pages. This time around they really overdid it. The page has a blogspot layout, and continues with ads to pornographic sites or malware (is there any difference anymore?) Then the site shows the YouTube video which can be found under my name. Following that is a post I made to a mailing list recently (poorly formatted). Then we have a few pictures of girls, linking once more either to pornographic sites or malware drive-by sites (if there is a difference, again). They finish the page off by adding comments, which are actually some old securiteam posts by me. Heck, it looks fake, but it is obvious the bad guys are investing more in their fake web pages. Their auto-creation tools seem to be getting more impressive, and I believe we will see much improved believable sites, soon. Google Blog Search displays this site as (nasty words replaced with beep): Gadi Evron 2 Sep 2007 Gangbeep facial asian amateurs, bang bus jessica hardcore pictures bang your head, asian virgins.asts. Teen Cherry Action - Nice brunette teen beeped hard on the bed and getting a beepy beepshot. Beep beeping boy beep teen legs, ... Untitled - h ttp://n ewadult.celeberia.com/ URL: h ttp://n ewadult.celeberia.com/Gadi-Evron Again, I am unsure if these URLs are safe. For those of you wondering if these web pages mean anything to the bad guys, the answer is absolutely yes.
Search engine ranking, indexing, etc. helps them advance their own sites (or their clients'). Then of course, there is advertising and Google ads. It works. And the advertising space on unrelated key words is a plus. The concept is very similar to comment spam. Comment spam may not contribute to SE ranking anymore due to the nofollow tag attached to links in comments, but these get indexed and that's all the bad guys care about. Nofollow is crap, and what shows up when you search is what matters. As an example of how these things work, in a recent blog post of mine a buddy left a comment (see here http://gevron.livejournal.com/8859.html for the example). He left a URL for his legitimate Python/math/music/origami blog in his comment, and now when you search for his blog you find my post placed in the 4th place with the title 'A Jew in a German Camp' (about the CCC Camp in Germany). He is not pleased, but it is obvious how the bad guys abuse this, and infect millions of computers just because their owners surf the net. Gadi Evron. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [mwp] (Fwd) barclays.co.uk security contact
Someone is taking care of you, and at the very least, you will hear a response. > > --- Forwarded message follows --- > From: Gavin Atkinson <[EMAIL PROTECTED]> > To: full-disclosure@lists.grok.org.uk > Date sent:Wed, 29 Aug 2007 18:58:56 +0100 > Subject: [Full-disclosure] barclays.co.uk security contact > > > Hey, > > Does anyone have any security contact information for barclays.co.uk? > So far, nobody contacted has responded, and the (serious) issue still > exists many months after it was first reported. > > Gavin > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Community input/questions for ISOI 3?
Hi, like last time, we are looking for community input and questions for the Internet security operations community, to be discussed during ISOI 3. ISOI is happening this Monday and Tuesday, we will likely compile the responses in a few weeks. We will reply to people personally on issues which bother them, and compile a short text with answers to the community itself. We tried to do this last time around, and encountered a problem with classifying which material the presenters allow for public consumption, and which is to remain private due to obvious concerns. This time around we ask them ahead of time. The current topics being discussed at ISOI 3 can be located on the schedule: http://isotf.org/isoi3.html We may be off though, so feel free to ask on any issue which you find to be relevant. Thanks, we appreciate the community's participation. Gadi. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] joe jobs on FD and OpenBSD
Hey, don't worry Gaydi, we'll see you at CCC. HUGS AND KISSES. ;PppPpPPpPpp - goudatr0n ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Remote hole in OpenBSD 4.1
Sorry, I don't know who [EMAIL PROTECTED] is, but it wasn't me. I'd suggest emailing Rocky, he likes big guys. :) Thanks, Gadi. On Mon, 6 Aug 2007, monikerd wrote: > Gadi Evron wrote: >> I formerly had a great deal of respect, bordering on admiration, for Theo >> deRaadt's refusals to compromise his open source principles, even in the >> face of stiff opposition. Although he has occasionally gone over-the-top, >> recommended some frankly very dubious changes to OpenBSD, and is regularly >> arrogant (which is even more annoying because he's so often right!), he's >> always remained consistent in his devotion to the cause of GNU/Free Software. >> >> Notice "formerly": my confidence in deRaadt has been soundly shaken by his >> latest round of unfounded aspersions cast against Intel's Core 2 line of >> CPUs. Instead of getting the facts with careful analysis and study, deRaadt >> has jumped the gun by trying to preempt proper research with posts to the >> openbsd-misc mailing list. This in itself wouldn't be so bad, but his only >> proper citation is a 404 page, and his only other source is an old summary >> of unverified errata from a hobbyist website. >> >> The lack of fact-checking and complete absence of any credible sources for >> his allegations is suspicious in itself, but he compounds it into a complete >> boner by making an equally unsupported claim that the supposed (in fact >> non-existent) CPU problems are security flaws: >> >> As I said before, hiding in this list are 20-30 bugs that cannot be worked >> around by operating systems, and will be potentially exploitable. I would >> bet a lot of money that at least 2-3 of them are. >> >> Without real references to back up his exaggerated concerns, deRaadt's post >> crosses the line into outright libel and scare-mongering.
It's obvious when >> you know what to look for: the subtle use of neurolinguistic priming in >> emotive leading phrases such as "some errata like AI65, AI79, AI43, AI39, >> AI90, AI99 scare the hell out of us", "Open source operating systems are >> largely left in the cold", "hiding in this list", and so forth. This does >> not lead me to share Theo's purported fears; instead it leads me to believe >> that he's trying to unduly influence Intel's reputation with lies. >> >> I have an idea of why. It's the same reason deRaadt feels comfortable in >> saying that he'd "bet a lot of money" on Intel's Core 2 processors having >> multiple (not one, but several) security flaws originating from these >> errata. Namely, one of Intel's largest competitors has supplied the OpenBSD >> project with a substantial amount of monetary support since 2004, presumably >> because they can't compete even in the open source market without propping >> it up with a flow of money. They cannot maintain their position on the >> processor front, so they're resorting to buying out open source software >> developers. It's regrettably cheap to do so, even if they have deRaadt's >> prestige, because their business models stifle income and so a monolith such >> as AMD can trivially tempt them with greater incentives. In fact deRaadt is >> an easier target for "donations" because he makes it clear that he has no >> business model for OpenBSD. >> >> Intel, by contrast, have no discernible incentive to deceive or play down >> security flaws in their products; the consecutive f00f and FDIV bugs of the >> past have taught Intel that their best course of action is to face up to >> their errors and offer speedy fixes. >> >> DeRaadt's claim that Intel must "be come [sic] more transparent" is most >> unfounded, especially when one considers who stands to benefit from this >> anti-Intel arrangement; the connections between the AMD-ATI leviathan and >> deRaadt-driven projects are not hard to find.
AMD make a point of >> emphasising OpenBSD's place in the "AMD64 ecosystem", and, as already >> mentioned, lends its deep pockets to deRaadt's grasp. And the connections go >> both ways too: deRaadt has a blatant chip on his shoulder regarding Intel. >> >> Ultimately, it hasn't been enough for deRaadt to level unsubstantiated >> libels at Intel, or to elicit spurious security fears about its solidly >> tested products. He's added an extra layer of hypocrisy on top by attacking >> Intel for being opaque and complaining about made-up fatal flaws in their >> Core 2 system. I would go
[Full-disclosure] joe jobs on FD and OpenBSD
So, after they acted out and the goons took over, I eventually had to physically "disable" Rocky (gobbles and posse) at defcon. For some reason he decided to attempt an aggressive physical act which was somewhat homosexual, on me. Bad call by him, I'd think. After disabling him with a.. gentle touch, I added a smack to the back of his head as a parting gift. Rocky and his kiddie friends wanted to feel good about themselves by emailing under a fake name. We have to understand, they never learned how to vent frustrations in a constructive fashion. All messages sent to this list other than about TRsec were not sent by me. It's a joe job. One should not respond to a joe job, but apologizing is a must whether it is you or not. If I had a problem with Theo, he would have heard me by now. I am somewhat loud. In fact, he heard me in the past. I appreciate all his work. Only messages from [EMAIL PROTECTED] are from me. I don't know who [EMAIL PROTECTED] is. Theo, beer is on me at the camp beginning tomorrow whenever you like. They likely picked on OpenBSD because I mentioned at my Estonia information warfare talk at defcon how an OpenBSD firewall system is the only one which survived without any issues throughout the entire Estonian "Internet war". So, I'm out for another week of partying at CCC, defcon is over. Peace, Gadi. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Remote hole in OpenBSD 4.1
I formerly had a great deal of respect, bordering on admiration, for Theo deRaadt's refusals to compromise his open source principles, even in the face of stiff opposition. Although he has occasionally gone over-the-top, recommended some frankly very dubious changes to OpenBSD, and is regularly arrogant (which is even more annoying because he's so often right!), he's always remained consistent in his devotion to the cause of GNU/Free Software. Notice "formerly": my confidence in deRaadt has been soundly shaken by his latest round of unfounded aspersions cast against Intel's Core 2 line of CPUs. Instead of getting the facts with careful analysis and study, deRaadt has jumped the gun by trying to preempt proper research with posts to the openbsd-misc mailing list. This in itself wouldn't be so bad, but his only proper citation is a 404 page, and his only other source is an old summary of unverified errata from a hobbyist website. The lack of fact-checking and complete absence of any credible sources for his allegations is suspicious in itself, but he compounds it into a complete boner by making an equally unsupported claim that the supposed (in fact non-existent) CPU problems are security flaws: As I said before, hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are. Without real references to back up his exaggerated concerns, deRaadt's post crosses the line into outright libel and scare-mongering. It's obvious when you know what to look for: the subtle use of neurolinguistic priming in emotive leading phrases such as "some errata like AI65, AI79, AI43, AI39, AI90, AI99 scare the hell out of us", "Open source operating systems are largely left in the cold", "hiding in this list", and so forth. This does not lead me to share Theo's purported fears; instead it leads me to believe that he's trying to unduly influence Intel's reputation with lies.
I have an idea of why. It's the same reason deRaadt feels comfortable in saying that he'd "bet a lot of money" on Intel's Core 2 processors having multiple (not one, but several) security flaws originating from these errata. Namely, one of Intel's largest competitors has supplied the OpenBSD project with a substantial amount of monetary support since 2004, presumably because they can't compete even in the open source market without propping it up with a flow of money. They cannot maintain their position on the processor front, so they're resorting to buying out open source software developers. It's regrettably cheap to do so, even if they have deRaadt's prestige, because their business models stifle income and so a monolith such as AMD can trivially tempt them with greater incentives. In fact deRaadt is an easier target for "donations" because he makes it clear that he has no business model for OpenBSD. Intel, by contrast, have no discernible incentive to deceive or play down security flaws in their products; the consecutive f00f and FDIV bugs of the past have taught Intel that their best course of action is to face up to their errors and offer speedy fixes. DeRaadt's claim that Intel must "be come [sic] more transparent" is most unfounded, especially when one considers who stands to benefit from this anti-Intel arrangement; the connections between the AMD-ATI leviathan and deRaadt-driven projects are not hard to find. AMD make a point of emphasising OpenBSD's place in the "AMD64 ecosystem", and, as already mentioned, lends its deep pockets to deRaadt's grasp. And the connections go both ways too: deRaadt has a blatant chip on his shoulder regarding Intel. Ultimately, it hasn't been enough for deRaadt to level unsubstantiated libels at Intel, or to elicit spurious security fears about its solidly tested products. He's added an extra layer of hypocrisy on top by attacking Intel for being opaque and complaining about made-up fatal flaws in their Core 2 system.
I would go as far as to posit that it is in fact deRaadt's system for running the OpenBSD project which has a fatal flaw. This escapade proves that deRaadt -- and by extension the OpenBSD project -- is simply too vulnerable to external influence from corporations with a vested interest and lots of lucre. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Proposed secure network using pre-existing infrastructure
Network Working Group J. Evers Internet-Draft Bantown Consulting, Inc. Intended status: Standards Track November 2006 Expires: May 5, 2007 A Standard for the Transmission of IP Datagrams Using the Negro darknet.txt Status of this Memo This document is an Internet-Draft and is NOT offered in accordance with Section 10 of RFC 2026, and the author does not provide the IETF with any rights other than to publish as an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on May 5, 2007. Evers Expires May 5, 2007 [Page 1] Internet-Draft DarkNet November 2006 Abstract This document presents a novel new technique for the transmission of IP Datagrams using the dark-skinned Negroid race as a physical-layer transport. Table of Contents 1. Background . . . . . . . . . . . . . . . . . . . . . . . . ancho 2. Frame Encoding and Transmission . . . . . . . . . . . . . . ancho 2.1. Encryption and Encapsulation . . . . . . . . . . . . . ancho 2.2. Ready to Send . . . . . . . . . . . . . . . . . . . . . ancho 2.3. Transmission . . . . . . . . . . . . . . . . . . . . . ancho 2.4. Decoding . . . . . . . . . . . . . . . . . . . . . . . ancho 3. Technical Notes . . . . . . . . . . . . . . . . . . . . . . ancho 3.1. TTL . . . . . . . . . . . . . . . . . . . . . . . . . . ancho 3.2. NAT Traversal . . . . . . . . . . . . . . . . . . . . . ancho 4. 
Security Considerations . . . . . . . . . . . . . . . . . . ancho 5. Normative References . . . . . . . . . . . . . . . . . . . ancho Author's Address . . . . . . . . . . . . . . . . . . . . . . . 0 Evers Expires May 5, 2007 [Page 2] Internet-Draft DarkNet November 2006 1. Background Since nearly the discovery of the dark-skinned Negroid race [Negro], the white man has found this race to be incalculably useful in many commercial endeavors from cotton picking to producing "hip" and "urban" music. It has come to the attention of the Authors that the time may be ripe to introduce a viable new system of transmitting Internet Protocol Datagrams using this hardy and industrious race of dark-skinned commodity. Evers Expires May 5, 2007 [Page 3] Internet-Draft DarkNet November 2006 2. Frame Encoding and Transmission Sending a Datagram using a Negro is a complicated business, and it may place considerable strain on systems not accustomed to dealing with large amounts of Negroes, particularly at institutions of higher education, polite society and Libraries. There are multiple steps which must be taken to encode and prepare the Datagram for transmission, which are as follows. 2.1. Encryption and Encapsulation Firstly, to prepare the IP Datagram for transmission, it must be encoded so as to provide end-to-end encryption of the contents of the data. To encode the datagram, simply have it bound into a story- book. This simple transformation will leave the Negro clueless as to its contents, and it will be disinclined to scan its pages as Negroes have a well-known natural dislike for books. While the authors acknowledge that the book-binding time increases the latency of transmission, they contend that it is necessary to provide the highest level of security and it necessary to fully utilize all aspects of the Negroid, much as the Red-man once utilized all the parts of the Buffalo and White man. 
Evers Expires May 5, 2007 [Page 4] Internet-Draft DarkNet November 2006 The Negro, baffled by the bound novel ___ ___ ___ |__ \|__ \|__ \ ) | ) | ) | / / / / / / |_| |_| |_| (_) (_) (_) - ///#\\\ /##00##
Re: [Full-disclosure] Internet Explorer 0day exploit
On Sat, 14 Jul 2007, Dragos Ruiu wrote:
> On Tuesday 10 July 2007 08:53, Gadi Evron wrote:
>> To paraphrase Guninski, this is still not a 0day. It is a vulnerability
>> being disclosed.
>
> You're being pedantic Gadi. :-)
>
> We have to accept the term "0day" has passed into
> the realm of meaningless nebulousness along with
> "hacker" and other misused terms.
>
> If we are to be pedantic, the original meaning of
> 0day is new warez release :-).

I think there is still hope for us buddy, at least when professionals make releases. For example, instead of saying I'm being pedantic on this (which I am), you could (also, in addition) reply and say "yep" or "nope", thus contributing to some discussion. Meaning, we would either make a stand for our profession or at the very least get educated as we go along.

Some people believe the way to reach a "mature industry" is time, others believe it's training or in a more specific fashion, certifications. I don't know what the answer is, and I am sure it isn't terminology (or certifications, hehe). I do know though, what a 0day is, and don't intend to compromise it for the sake of what the press makes of it. It's a strong term and concept which shouldn't be abused. That or we can decide on a new term for what 0day used to mean. How about "blubla"?

From professionals, we can expect good language and for their work to speak for them. We shouldn't compromise on silly things like what 0day means. Maybe I will give this up next year, but for now, advisories named "0day" have disappeared lately. Maybe peer pressure does have some effect.

The above is over-thinking and some could consider it very silly, but for now, I believe in it. It's just like I resent those among consultants who conduct themselves in a fashion that makes me ashamed of my profession, as a far-off analogy.

> cheers,
> --dr
>
> --
> World Security Pros. Cutting Edge Training, Tools, and Techniques
> Tokyo, Japan November 29/30 - 2007 http://pacsec.jp
> pgpkey http://dragos.com/ kyxpgp
Re: [Full-disclosure] Internet Explorer 0day exploit
On Tue, 10 Jul 2007, Thor Larholm wrote:
> There is a URL protocol handler command injection vulnerability in Internet

Thor, thank you for sharing. Nice work.

To paraphrase Guninski, this is still not a 0day. It is a vulnerability being disclosed.

> Explorer for Windows that allows you to execute shell commands with arbitrary
> arguments. This vulnerability can be triggered without user interaction
> simply by visiting a webpage.
>
> When Internet Explorer encounters a reference to content inside a registered
> URL protocol handler scheme it calls ShellExecute with the EXE image path and
> passes the entire request URI without any input validation. For the sake of
> demonstration I have constructed an exploit that bounces through Firefox via
> the FirefoxURL protocol handler. The full advisory and a working Proof of
> Concept exploit can be found at
>
> http://larholm.com/2007/07/10/internet-explorer-0day-exploit/
>
> Cheers
> Thor Larholm