Re: clamav and magic byte

2005-11-02 Thread Florian Weimer
* Geoff Crompton:

> Anyone know if clamav is vulnerable to the magic byte detection evasion
> issue discussed at http://www.securityfocus.com/bid/15189?
>
> Or alternatively, can anyone work out if it is vulnerable?

It is vulnerable only in the sense that it doesn't detect viruses for
which there aren't any signatures yet.

In , Andrey Bayora just
describes one way to create new viruses, there are countless others.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
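The evasion class Geoff asks about turns on a scanner picking one file type from the leading "magic" bytes and then parsing the file only as that type, while the program that eventually opens the file goes by something else, such as the extension. As an added example (not code from either poster, and not a description of how ClamAV itself classifies files), the Python below sniffs the type from magic bytes, compares it with what the file name claims, and returns every candidate type so a scanner can parse the file as each of them instead of trusting one signal. The magic table, the extension map, the function names and the sample files are all constructed for this example.

```python
"""Added example: flag files whose magic bytes and extension disagree,
and list every type a scanner should treat such a file as.
Not code from the thread; tables and samples are constructed."""
import os

# Leading byte sequences for a few common formats (constructed, short list).
MAGIC = [
    (b"MZ", "pe"),                  # DOS/Windows executable header
    (b"\x7fELF", "elf"),            # Linux ELF binary
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),         # zip container (also jar, docx, ...)
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"#!", "script"),              # shebang line
]

# What the file name claims the content is (constructed map).
EXT_TYPES = {
    ".exe": "pe", ".dll": "pe", ".pdf": "pdf", ".zip": "zip",
    ".jar": "zip", ".png": "png", ".sh": "script", ".txt": "text",
}


def sniff_type(data: bytes) -> str:
    """Type implied by the first bytes of the content, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def declared_type(name: str) -> str:
    """Type implied by the file extension, or 'unknown'."""
    _, ext = os.path.splitext(name.lower())
    return EXT_TYPES.get(ext, "unknown")


def verdict(name: str, data: bytes) -> str:
    """'consistent', 'mismatch', 'unverified' (one side unknown) or 'unknown'."""
    sniffed, declared = sniff_type(data), declared_type(name)
    if sniffed == "unknown" and declared == "unknown":
        return "unknown"
    if sniffed == "unknown" or declared == "unknown":
        return "unverified"
    return "consistent" if sniffed == declared else "mismatch"


def candidate_types(name: str, data: bytes) -> set:
    """Every type the file should be scanned as.

    Defensive point: when magic bytes and extension disagree, do not pick
    one and drop the other. Parsing the file only as the sniffed type means
    it is never examined the way the program that opens it will see it.
    """
    kinds = {sniff_type(data), declared_type(name)}
    kinds.discard("unknown")
    return kinds or {"unknown"}


# Constructed sample files: name -> first bytes of content.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj\n",
    "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "notes.txt": b"just some notes\n",
    "invoice.txt": b"MZ\x90\x00 text file wearing a PE header\n",
    "archive.jar": b"PK\x03\x04\x14\x00\x00\x00",
    "blob.bin": b"\x00\x01\x02\x03",
}


def triage(samples=None) -> dict:
    """Verdict for each sample; the mismatch is the one worth a closer look."""
    samples = SAMPLES if samples is None else samples
    return {name: verdict(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name:12} {result:11} scan as: {sorted(candidate_types(name, SAMPLES[name]))}")
```

The useful output is not the verdict alone but `candidate_types`: a file that is "invoice.txt" on the outside and "MZ" on the inside gets scanned both as a PE image and as text, which is the behaviour the magic-byte evasion relies on a scanner not having.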



clamav and magic byte

2005-11-02 Thread Geoff Crompton
Anyone know if clamav is vulnerable to the magic byte detection evasion
issue discussed at http://www.securityfocus.com/bid/15189?

Or alternatively, can anyone work out if it is vulnerable?
-- 
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000





Re: whitehat

2005-11-02 Thread alex black

Perhaps I should rephrase:

Is there any company or individual on this list that provides 
penetration testing services, can provide a sample report and sample 
engagement contract with specific terms, has performed penetration 
testing on debian servers running public-facing applications in the 
past, and can provide (3) or more references upon request that would be 
willing to send me a proposal for:


- Penetration testing of a single IP address which has a representative
  profile of other IPs on my network

- Reporting on any findings (see "sample report" above)

As always, please cc: my address directly.

thanks,

_alex


--
alex black, founder
the turing studio, inc.

510.666.0074
[EMAIL PROTECTED]
http://www.turingstudio.com

2600 10th street, suite 635
berkeley, ca 94710





Re: whitehat

2005-11-02 Thread Alvin Oga

hi ya alex

- lots of options .. too too too many ...
  but bottom line ... you have to do the work .. not the 
  outside white-hat you're looking for

On Wed, 2 Nov 2005, alex black wrote:

> Not much, frankly. The idea here is to have someone that is not 
> malicious, but is skilled, to attempt to crack the box. If they can, 
> I'd like to know how. The box is not running a full production 
> application at the moment, there is zero valuable data on it. Also, see 
> below...

"skilled [cr|h]ackers will probably be working at corps that
has job descriptions that prevent them from free-lancing
for liability reasons if they like their current job status

> You are free to contact both me (by phone or email), and my provider, 
> Aktiom Networks: [EMAIL PROTECTED] and ask them about me. I have provided 
> a complete sig with an address, phone number, business name, etc. Do a 
> search for my name and 'binarycloud', I appear a lot. Uhm, come to my 
> office and meet me if you're in the bay area, CA :)

all that is good and dandy, however, it won't hold up in court
unless it's in writing etc, etc, etc

where in the bay area .. it'd be at least fun to ramble and rumble :-)
 
> Security by obscurity has never proven very useful, and if I was a 
> wannabe-skriptkiddie

you'd be very surprised how useful it is to stop script kiddies
for the simplest "5 seconds" of work ... to tweak a few trinkets
here and there to stop them ... assuming that they even manage
to get in in the first place, which would in turn amplify you
have a major problem anyway

- limit the damage of what they can do once they are inside
  and ALWAYS assume that a malicious [cr|h]acker is already inside
  but you haven't found them yet, as it will in fact also take
  time to do so, at which point it is too late that you found them

> one would think I wouldn't post here claiming to 
> be who I am, provide a phone number, and... there are a lot better 
> places for me to look if I was interested in that.

- ahh .. you haven't been burnt before  :-) ...

> I will ask them to sign a contractor agreement with my company, which 
> requires a fax. I will ask for references, which are hard to construct 
> from nothing. I will offer payment, which requires details of an 
> address, phone number, and social security number. It's really not that 
> hard.

see the above, about "things that should hold up in court"
and all else is not worth a penny ...  the "pink hats" will be
looking for "get out of jail" cards or total avoidance of it
as their first and foremost issues

- breaking in to them might be easy whereas, getting
good docs, specifications and expectations is not as
easily defined ..
 
> Yes. Also the idea is not to offer the machine as a honeypot. I want an 
> individual or preferably an individual associated with an organization 
> to attempt to crack a box with my permission under the terms of a 
> contract. So the idea is not to crack a box and then see if they can 
> launch a DDos with it - just to see if they can get in.

just because xxx at white-hat-inc cannot get in, but another 
more experienced "pink hat" (yyy) at the same white-hat-inc probably can

more even white-hat-inc competitors 

- there are lots of these professional "pink-hat-inc" that provide
  varying degree of "security tests"
- security assessment
- risk analysis
- loss analysis
- probability analysis
- security prevention/hardening
- security process and procedure
- network topology for security purposes
- pen-test ..
- security audits
- on-n-on ...

- in order to "crack the box" ..
- it may take 10 minutes ... it may take 10hrs ... it may take 10
days or 10 weeks

- if someone wanted to get in, i assume, with 99% certainty
that they will get in 

- the question is what do they get for spending their
time, energy, efforts and resources and what do i/we have that
they want it so badly

> The whole point of the test will be for me to monitor what's happening 

that you should already be seeing all the attacks you are already
getting just by the generic background white-noise-attacks
- and its free ... and doesn't take any time/energy/effort
other than to watch and see what they did and how they're
trying to get in

c ya
alvin






Re: whitehat to test a security config

2005-11-02 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> I'm looking for (preferably) a company, or individual, to attempt to 
> breach a standard config I have created to deploy client applications 
> in production. It is intentionally a minimal config which is tightly 
> locked down and audited daily.

I think it is very bad efficiency to do black-box testing. Because it
requires a very good attacker and much time to find a problem. And if you
don't find one, you can't be sure you are secure. It is much better to let
the external auditor verify your configuration. Give them access to all
config files and documentation, your risk matrix etc. This is much cheaper
and much more successful.

Gruss
Bernd





Patrina Graham?

2005-11-02 Thread keith
Hello,

My name is Keith Smith.

I seek info on debt transfer and debt termination.

Can you assist me?

Thanks

Keith Smith
240 353-7893
BlackBerry service provided by Nextel





Re: whitehat

2005-11-02 Thread alex black

--- Alvin Oga <[EMAIL PROTECTED]> wrote:
> questions for you
> - what else is in the goals for the security test,
> where i'm not
>   using audit, pen-test, assessments and other
> "security words"

Just to see if you can get in, that's all.

> - what is the consequence if some
> whitehat/grayhat/blackhat/malicioushat
>   does get into the box, what is the
> process/procedure/consequences
>   and follow up costs to cleanup vs shutdown/change
> the product line

Not much, frankly. The idea here is to have someone that is not 
malicious, but is skilled, to attempt to crack the box. If they can, 
I'd like to know how. The box is not running a full production 
application at the moment, there is zero valuable data on it. Also, see 
below...


> 1. How do we know Mr Black is who he says he is?


You are free to contact both me (by phone or email), and my provider, 
Aktiom Networks: [EMAIL PROTECTED] and ask them about me. I have provided 
a complete sig with an address, phone number, business name, etc. Do a 
search for my name and 'binarycloud', I appear a lot. Uhm, come to my 
office and meet me if you're in the bay area, CA :)


> 2. How can we confirm the machine details he supplies
> are actually details of a machine that he owns?


See response to #1


> 3. How can I prove that he is not actually a skid
> trying to learn how to crack a debian box (which he
> has set up) so that he can then go on to crack some he
> has ssh passwords to after successfully brute forcing
> some on a network somewhere.


Security by obscurity has never proven very useful, and if I was a 
wannabe-skriptkiddie, one would think I wouldn't post here claiming to 
be who I am, provide a phone number, and... there are a lot better 
places for me to look if I was interested in that.


> 1. How will you know that whoever replies to your
> email isn't a lurking cracker. I am sure there are
> plenty on this list considering the topic.


I will ask them to sign a contractor agreement with my company, which 
requires a fax. I will ask for references, which are hard to construct 
from nothing. I will offer payment, which requires details of an 
address, phone number, and social security number. It's really not that 
hard.


> 2. In the event that they are is the machine
> sufficiently isolated that it being compromised will
> not affect the rest of your or anyone elses network.


Yes. Also the idea is not to offer the machine as a honeypot. I want an 
individual or preferably an individual associated with an organization 
to attempt to crack a box with my permission under the terms of a 
contract. So the idea is not to crack a box and then see if they can 
launch a DDos with it - just to see if they can get in.


> 3. Do you have a procedure to wipe the machine after
> the tests are done in a timely fashion. You asked for
> a summary of what took place on the machine, perhaps
> you should be monitoring the activity on the machine
> yourself.


No, DUH really? I thought I would just have someone do the test and not 
bother to login to the machine and watch what's happening. I'm a total 
n00b idiot and I'm looking for a l33t haxx0r to teach me evv43t1ng I 
nned to kn0.


The whole point of the test will be for me to monitor what's happening 
in cooperation with the whitehat, but not offer any resistance to the 
attack. My threshold for success is that the config is not crackable by 
itself, without any defense or assistance from me as root during an 
attack, even though in a "real" attack I would act as such.


I think i've sealed the config so tight that it is not vulnerable to 
any known/public exploits, and besides all the happy scanning tools and 
all that, I'd like to have the opinion or someone with excellent 
knowledge of debian security.



*** Please cc me on any responses.  ***

thanks,

_alex


--
alex black, founder
the turing studio, inc.

510.666.0074
[EMAIL PROTECTED]
http://www.turingstudio.com

2600 10th street, suite 635
berkeley, ca 94710





Re: [SECURITY] [DSA 879-1] New gallery packages fix privilege escalation

2005-11-02 Thread Michael Schultheiss
Norbert Tretkowski wrote:
> * Martin Schulze wrote:
> > A bug in gallery has been discovered that grants all registered
> > postnuke users full access to the gallery.
>   
> Huh?

This bug is with regards to the integration of Gallery into a Postnuke
site.

-- 

Michael Schultheiss
E-mail: [EMAIL PROTECTED]





Re: whitehat to test a security config

2005-11-02 Thread Rob Burgers


- Original Message - 
From: "Harry" <[EMAIL PROTECTED]>

To: <>
Sent: Tuesday, November 01, 2005 10:48 AM
Subject: Re: whitehat to test a security config



--- Alvin Oga <[EMAIL PROTECTED]> wrote:

questions for you

- what else is in the goals for the security test,
where i'm not
  using audit, pen-test, assessments and other
"security words"

- what is the consequence if some
whitehat/grayhat/blackhat/malicioushat
  does get into the box, what is the
process/procedure/consequences
  and follow up costs to cleanup vs shutdown/change
the product line


Perhaps the following questions should be asked first

1. How do we know Mr Black is who he says he is?

2. How can we confirm the machine details he supplies
are actually details of a machine that he owns?

3. How can I prove that he is not actually a skid
trying to learn how to crack a debian box (which he
has set up) so that he can then go on to crack some he
has ssh passwords to after successfully brute forcing
some on a network somewhere.

blah, blah, blah.

And for Mr Black.

1. How will you know that whoever replies to your
email isn't a lurking cracker. I am sure there are
plenty on this list considering the topic.

2. In the event that they are is the machine
sufficiently isolated that it being compromised will
not affect the rest of your or anyone elses network.

3. Do you have a procedure to wipe the machine after
the tests are done in a timely fashion. You asked for
a summary of what took place on the machine, perhaps
you should be monitoring the activity on the machine
yourself.

blah, blah, blah.

H.

agreed these are all very good questions.

Naraki.





Re: [SECURITY] [DSA 879-1] New gallery packages fix privilege escalation

2005-11-02 Thread Jose Marrero
Why every gallery update breaks the customizations one has done to it?  I
am referring to skins, headers, etc.

On Wed, November 2, 2005 6:01 am, Norbert Tretkowski said:
> * Martin Schulze wrote:
>> A bug in gallery has been discovered that grants all registered
>> postnuke users full access to the gallery.
>   
> Huh?
>
> Norbert


-- 
-JM. "These blue days and this sun of childhood" (Antonio Machado, 1939)





Re: [SECURITY] [DSA 879-1] New gallery packages fix privilege escalation

2005-11-02 Thread Emmanuel Lacour
On Wed, Nov 02, 2005 at 03:01:54PM +0100, Norbert Tretkowski wrote:
> * Martin Schulze wrote:
> > A bug in gallery has been discovered that grants all registered
> > postnuke users full access to the gallery.
>   
> Huh?
> 
Gallery can be easily embedded in postnuke, phpnuke, mambo, ...

-- 
Emmanuel Lacour  Easter-eggs
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED]   -http://www.easter-eggs.com





Re: [SECURITY] [DSA 879-1] New gallery packages fix privilege escalation

2005-11-02 Thread Norbert Tretkowski
* Martin Schulze wrote:
> A bug in gallery has been discovered that grants all registered
> postnuke users full access to the gallery.
  
Huh?

Norbert





Re: Unknown service running on debian machine

2005-11-02 Thread TOPMANN (Torben Pollmann)

[EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] wrote:
>
> > please help me stop this service
> >
> >  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> > 2284 debuser   16   0 51144  10m  48m S 41.0  4.2 110:14.86 amor
>
> kill -9 2284 ? but apt-cache search amor says :
> amor - a KDE creature for your desktop
>
> garf.

A creature? Yes, probably GARFIELD himself :-)))



--
Unsolicited sending of advertising e-mail to private individuals violates
§1 UWG and §823 I BGB (decision of the Berlin Regional Court of 2 Aug 1998,
case no. 16 O 201/98). Any commercial use of the transmitted personal data,
or passing it on to third parties, is expressly prohibited!


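Before sending `kill -9` to an unfamiliar PID, it is worth finding out what the process actually is; `apt-cache search` only tells you a package with that name exists, not that this process came from it. As an added example (not from the thread), the Python helper below reads the executable path and command line from `/proc`, notes whether the binary on disk has been deleted since the process started, and asks `dpkg -S` which package ships the binary, so a packaged desktop toy like amor is recognised as such before anything is killed. The function names are this example's own; it assumes a Linux host with `/proc`, and treats dpkg as optional.

```python
"""Added example: identify a running PID before acting on it.
Not code from the thread. Assumes Linux /proc; dpkg is optional."""
import os
import shutil
import subprocess

DELETED_SUFFIX = " (deleted)"


def owning_package(path: str):
    """Debian package that ships `path`, or None (unpackaged, or no dpkg)."""
    if shutil.which("dpkg") is None:
        return None
    res = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    if res.returncode != 0:
        # Not owned by any package: hand-installed, built locally, or dropped in.
        return None
    # dpkg -S prints "package: /path" (diversions add extra lines; first wins here)
    return res.stdout.splitlines()[0].split(":", 1)[0].strip()


def describe_pid(pid: int) -> dict:
    """Executable, command line, on-disk status and owning package for `pid`.

    Every field except pid is None when the process (or /proc) is not available.
    """
    info = {"pid": pid, "exe": None, "cmdline": None,
            "package": None, "exe_deleted": False}
    proc = f"/proc/{pid}"
    try:
        exe = os.readlink(f"{proc}/exe")
    except OSError:
        return info  # no such pid, no /proc, or no permission to look
    # A "(deleted)" suffix means the file the process was started from is gone
    # or replaced: a stronger reason to look closely than an odd process name.
    if exe.endswith(DELETED_SUFFIX):
        info["exe_deleted"] = True
        exe = exe[: -len(DELETED_SUFFIX)]
    info["exe"] = exe
    try:
        with open(f"{proc}/cmdline", "rb") as fh:
            info["cmdline"] = [a.decode(errors="replace")
                               for a in fh.read().split(b"\0") if a]
    except OSError:
        pass
    info["package"] = owning_package(exe)
    return info


def describe_self() -> dict:
    """Describe the current interpreter process; handy as a smoke test."""
    return describe_pid(os.getpid())


def summary(info: dict) -> str:
    """One human-readable line per process, for a quick look at top's suspects."""
    if info["exe"] is None:
        return f"pid {info['pid']}: not found or not readable"
    owner = info["package"] or "no package (unpackaged binary)"
    flag = "  [binary deleted on disk]" if info["exe_deleted"] else ""
    return f"pid {info['pid']}: {info['exe']} <- {owner}{flag}"


if __name__ == "__main__":
    import sys
    pids = [int(p) for p in sys.argv[1:]] or [os.getpid()]
    for p in pids:
        print(summary(describe_pid(p)))
```

Run it as `python3 whatis.py 2284` against the PID from the top output; a line ending in a package name (here amor's own package) says the process is installed software, while "no package" or "[binary deleted on disk]" is the case that deserves investigation rather than a reflexive kill.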