Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow
Michal Zalewski wrote:
> On Fri, 31 Mar 2006 [EMAIL PROTECTED] wrote:
>> If the website then presents you with the Logon failed page, you are possibly on a legitimate website, so you may proceed with logging in using your correct credentials. If it gets you right through - it is definitely a phishing attempt.
>
> Note to self: design my next phishing website to always display logon failed.

Just as most of the phishing sites already do.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow
Marcos Agüero wrote:
> Michal Zalewski wrote:
>> On Fri, 31 Mar 2006 [EMAIL PROTECTED] wrote:
>>> If the website then presents you with the Logon failed page, you are possibly on a legitimate website, so you may proceed with logging in using your correct credentials. If it gets you right through - it is definitely a phishing attempt.
>>
>> Note to self: design my next phishing website to always display logon failed.
>
> Just as most of the phishing sites already do.

Really? I thought they somehow magically knew enough about you to sign you in properly and display all the correct details ;)

Seriously though, it wouldn't be that hard to forward the POST on to the real bank website, would it?

--
Jasper Bryant-Greene
General Manager
Album Limited
http://www.album.co.nz/
0800 4 ALBUM
[EMAIL PROTECTED]
021 708 334
Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow
On Fri, 31 Mar 2006, Marcos Agüero wrote:
>> Note to self: design my next phishing website to always display logon failed.
>
> Just as most of the phishing sites already do.

Forgive me my ignorance; to my defense, I usually don't enter valid credentials on phishing sites.

/mz
Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow
On Fri, 31 Mar 2006, Jasper Bryant-Greene wrote:
>> Just as most of the phishing sites already do.
>
> Really? I thought they somehow magically knew enough about you to sign you in properly and display all the correct details ;)

No, but the reasonable practice would be not to alert the customer (and have him possibly, say, panic and call the bank in question) - but rather, display something along the lines of "Thank you for successfully verifying your Frob Mutual account data. Bye."

/mz
Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow
Jasper Bryant-Greene wrote:
> Seriously though, it wouldn't be that hard to forward the POST on to the real bank website, would it?

I think so, but it would be very easy to detect. Logs would show lots of different users logging in from the same IP address.
Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow
Marcos Agüero wrote:
> Jasper Bryant-Greene wrote:
>> Seriously though, it wouldn't be that hard to forward the POST on to the real bank website, would it?
>
> I think so, but it would be very easy to detect. Logs would show lots of different users logging in from the same IP address.

Phishing scams are public in nature. They aren't trying to avoid detection :) and the IP address would of course be spoofed.

--
Jasper Bryant-Greene
General Manager
Album Limited
http://www.album.co.nz/
0800 4 ALBUM
[EMAIL PROTECTED]
021 708 334
Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow
just in case someone would be watching the logs (we all know no one does that)

happy phishing.

- Original Message -
From: Marcos Agüero [EMAIL PROTECTED]
To: Jasper Bryant-Greene [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Friday, March 31, 2006 11:10 AM
Subject: Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow

> Jasper Bryant-Greene wrote:
>> Seriously though, it wouldn't be that hard to forward the POST on to the real bank website, would it?
>
> I think so, but it would be very easy to detect. Logs would show lots of different users logging in from the same IP address.
[Full-disclosure] Windows Help Heap Overflow
http://www.open-security.org/advisories/15

--
regards
c0ntex
RE: [Full-disclosure] (no subject)
n3td3v, it's not that we doubt that you're one of the best hackers in the ENTIRE world, nor do we doubt that your list is the finest around. It's just that we don't care. Will you please just get off the fucking list.

Ed

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: 31 March 2006 00:11
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] (no subject)

> Funny you should think FD isn't already moderated, our main [EMAIL PROTECTED] address has been moderated for months, hence the reason we're using [EMAIL PROTECTED].
>
> This might be an interesting read for you "freedom of speech" Americans, who are currently bombing the hell out of the middle east to uphold, yet on FD, there is no democracy and freedom of _expression_...
>
> http://groups.google.com/group/n3td3v/browse_thread/thread/34e8f243bbddaf3e/ac7e9f73de66f10f
> http://groups.google.com/group/n3td3v/browse_thread/thread/64a322968d71fe3b/d3db5e88d9f91d88
> http://groups.google.com/group/n3td3v/msg/5b3d7afe80dde4d3
>
> Someone tell George W Bush to drop a bomb on John Cartwright's head, since he doesn't believe in "freedom", he must be a terrorist ;-)
>
> We ask John Cartwright to unmoderate [EMAIL PROTECTED] or you must be with the terrorists... and if you don't then someone might need to tell [EMAIL PROTECTED] and then you might get mentioned on his press conferences or radio addresses as being part of the "axis of evil".
>
> On 3/30/06, Anders B Jansson [EMAIL PROTECTED] wrote:
>> Stan Bubrouski wrote:
>>> Name one powerful hacker kicked out of here? Just one. And you don't count (neither do I but I've never claimed to be an expert or important).
>>
>> Kicked from a public un-moderated mailing list? How?
>>
>> Now, if you don't like the noise, why don't you just shut the fuck up instead of answering the trolls? The noise isn't the idiot mailings, the noise is people who should know better answering the morons.
>>
>> _don't answer morons_ it serves no purpose. If someone posts something that is misguided or bad, then sure correct me (or us). But if someone posts something moronic, then please ignore. You're only helping the moron.
>>
>> I again refrain to the best proverb I've heard (and he's a windows guru, shudder): "Don't argue with an idiot, he'll just drag the discussion to his level and beat you with experience." So, if someone posts something silly or moronic, giggle, groan and delete. Do _not_ respond to prove that he (or remotely possibly she) is a moron. If we haven't got that already we have ourselves to blame.
>>
>> Oh, and of course, this is for 'us', boring grayhats who want to read a clean list of the latest exploits every morning. Non-grayhats who want to annoy us are of course free to do so, after all, it is un-moderated and it's full-disclosure. So configure your frikken filters and stop responding to idiots.
>>
>> // hdw
[Full-disclosure] Re: [HV-PAPER] Anti-Phishing Tips You Should Not Follow
Jasper Bryant-Greene wrote:
> Marcos Agüero wrote:
>> Jasper Bryant-Greene wrote:
>>> Seriously though, it wouldn't be that hard to forward the POST on to the real bank website, would it?
>>
>> I think so, but it would be very easy to detect. Logs would show lots of different users logging in from the same IP address.
>
> Phishing scams are public in nature. They aren't trying to avoid detection :) and the IP address would of course be spoofed.

No it wouldn't. IP address spoofing is easy over UDP but incredibly difficult over TCP.

cheers,
DaveK
--
Can't think of a witty .sigline today
[Full-disclosure] A Move to Remove
Guys,

Please don't turn this into spam/flame/troll. This is a quick note to say, would all those who'd like n3td3v (the world's greatest hacker and legend in his own mind) to unsubscribe from this list, and not post again, please make it known.

Thanks
Ed
Re: [Full-disclosure] A Move to Remove
you may not agree or like n3td3v, but the right to post regardless of content belongs to everyone. the right to filter also belongs to everyone. let n3td3v be.

Edward Pearson wrote:
> Guys,
>
> Please don't turn this into spam/flame/troll. This is a quick note to say, would all those who'd like n3td3v (the world's greatest hacker and legend in his own mind) to unsubscribe from this list, and not post again, please make it known.
>
> Thanks
> Ed
Re: [Full-disclosure] Re: [HV-PAPER] Anti-Phishing Tips You Should NotFollow
btw, does someone maybe know the fastest way to report a phish to Yahoo? Because I have identified and forwarded some phish to them via http://add.yahoo.com/fast/help/abuse/cgi_abuse but it took them around 3-4 days to stop them, so is this the correct link to report a from-Yahoo phish, or does anyone have the correct email address? Thank you.

ADovi

Dave Korn wrote:
> Jasper Bryant-Greene wrote:
>> Marcos Agüero wrote:
>>> Jasper Bryant-Greene wrote:
>>>> Seriously though, it wouldn't be that hard to forward the POST on to the real bank website, would it?
>>>
>>> I think so, but it would be very easy to detect. Logs would show lots of different users logging in from the same IP address.
>>
>> Phishing scams are public in nature. They aren't trying to avoid detection :) and the IP address would of course be spoofed.
>
> No it wouldn't. IP address spoofing is easy over UDP but incredibly difficult over TCP.
>
> cheers,
> DaveK
Re: [Full-disclosure] A Move to Remove
On Friday 31 March 2006 14:50, Edward Pearson wrote:
> Please don't turn this into spam/flame/troll. This is a quick note to say, would all those who'd like n3td3v (the world's greatest hacker and legend in his own mind) to unsubscribe from this list, and not post again, please make it known.

An observation; by my calculations there have been 876 posts referencing n3td3v, of which only 230 belong to n3td3v. If everyone configured filters to suit their tastes (this is f-d and should therefore NOT be filtered at source), we'd be down by 646 emails. The point is that those of you who complain about him are as much of the problem as he is or isn't since you increase the noise on the wire.

Tim
--
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.machine.org.uk/
Re: [Full-disclosure] Root password change
> Trivial to defeat. Just boot in to single user mode with these kernel options:
>
> single init=/bin/bash

Again .. only due to initial misconfiguration. Nobody should allow alternate switches to be passed to the kernel at boot .. either by password-protecting the bootloader, or via firmware (as with OpenBoot).

/mike.
[Full-disclosure] Claroline = 1.7.4 (scormExport.inc.php) Remote Code Execution Exploit by rgod
I just wanted to comment on rgod's Claroline = 1.7.4 (scormExport.inc.php) Remote Code Execution Exploit:

http://www.milw0rm.com/exploits/1627
http://retrogod.altervista.org/claroline_174_incl_xpl.html
http://secunia.com/advisories/19461/

The file inclusion vulnerability just affects the 1.7 branch, however when installing Claroline it says to turn register_globals on, and older versions were _just_ working with register_globals set to on (if I remember well), so huh.. many are probably vuln.

About the xss, it is an xss in the php error message, there are many php functions returning errors without filtering them, anybody noted that?
Re: [Full-disclosure] Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
What do you guys think about these products for secure browsing / internet use?

http://www.download.com/3120-20_4-0.html?tag=srchqt=bufferzonetg=dl-20search.x=0search.y=0search=+Go%21

I'm hesitant to install on my dev machine because I'm not sure it will play nice with VS 2005. Anybody use these products? Thanks for your input.

Joe Ciechanowski
Sr. Web Developer
InnisMaggiore
4715 Whipple Ave.
Canton, Ohio 44718
(330) 492-5500

- Original Message -
From: Dinis Cruz [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; SC-L@securecoding.org; full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, March 26, 2006 9:22 PM
Subject: [Full-disclosure] Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code

Hi Jeff, comments inline

Jeff Williams wrote:
> Great topics. I'm a huge fan of sandboxes, but Dinis is right, the market hasn't really gotten there yet. No question that it would help if it was possible to run complex software like a browser inside a sandbox that restricted its ability to do bad things, even if there are vulnerabilities (or worse -- malicious code) in them.

Absolutely, and do you see any other alternative? (or we should just continue to TRUST every bit of code that is executed in our computers? and TRUST every single developer/entity that had access to that code during its development and deployment?)

> I'm terrified about the epidemic use of libraries that are just downloaded from wherever (in both client and server applications). All that code can do *whatever* it wants in your environments folks!

Yes they can, and one of my original questions was 'When considering the assets, is there REALLY any major difference between running code as normal user versus as an administrator?'

> Sandboxes are finally making some headway. Most of the Java application servers (Tomcat included) now run with their sandbox enabled (albeit with a weak policy). And I think the Java Web Start system also has the sandbox enabled. So maybe we're making progress.

True, but are these really secure sandboxes? I am not a Java expert so I can't give you specific examples, but on the .Net Framework a Partially Trusted 'Sandbox' which contains an UnmanagedCode, MemberAccess Reflection or SkipVerification Permission should not be called a 'Sandbox' since it can be easily compromised.

> But, if you've ever tried to configure the Java security policy file, use JAAS, or implement the SecurityManager interface, you know that it's *way* too hard to implement a tight policy this way.

And .Net has exactly the same problem. It is super complex to create a .Net application that can be executed in a secure Partially Trusted Sandbox.

> You end up granting all kinds of privileges because it's too difficult to do it right.

And the new VS2005 makes this allocation of privileges very easy: "Mr. developer, your application crashed because it didn't have the required permissions. Do you want to add these permissions, Yes / No?" (developer clicks yes) ... "You are adding the permission UnmanagedCodePermission, are you sure, Yes / No?" ... (developer clicks yes (with support from application architect and confident that all competitor Applications require similar permissions))

> And only the developer of the software could reasonably attempt it, which is backwards, because it's the *user* who really needs it right.

Yes, it is the user's responsibility (i.e. its IT Security and Server Admin staff) to define the secure environment (i.e. the Sandbox) that 3rd party or internally-developed applications are allocated inside their data center.

> It's possible that sandboxes are going the way of multilevel security (MLS). A sort of ivory tower idea that's too complex to implement or use.

I don't agree that the problem is too complex. What we have today is very complex architectures / systems with too many interconnections. Simplify the lot, get enough resources with the correct focus involved, and you will see that it is doable.

> But it seems like a really good idea that we should try to make practical. But even if they do start getting used, we can't just give up on getting software developers to produce secure code. There will always be security problems that sandboxes designed for the platform cannot help with.

Of course, I am not saying that developers should produce insecure code. I am the first to defend that developers must have a firm and solid understanding of the tools and technologies that they use, and also, as important, the security implications of their code.

> I'm with Dinis that the only way to get people to care is to fix the externalities in the software market and put the burden on those who can most easily avoid the costs -- the people who build the software. Maybe then the business case will be more clear.
RE: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow
I have seen one phishing site which did exactly that: it tried to login to the real site with the credentials you supplied; if it returned a successful login, the userid/password was logged. If it returned an 'access denied' the userid/password was not logged.

Ross Thomson | Capgemini | Southbank
Anti-Virus Content Management | Outsourcing
Int: 700 3621 | Ext: + 44 (0)870 904 3621
[EMAIL PROTECTED] | www.capgemini.com
95-97 Wandsworth Road, London. SW8 2HG

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jasper Bryant-Greene
Sent: 31 March 2006 09:11
To: Marcos Agüero
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow

> Marcos Agüero wrote:
>> Michal Zalewski wrote:
>>> On Fri, 31 Mar 2006 [EMAIL PROTECTED] wrote:
>>>> If the website then presents you with the Logon failed page, you are possibly on a legitimate website, so you may proceed with logging in using your correct credentials. If it gets you right through - it is definitely a phishing attempt.
>>>
>>> Note to self: design my next phishing website to always display logon failed.
>>
>> Just as most of the phishing sites already do.
>
> Really? I thought they somehow magically knew enough about you to sign you in properly and display all the correct details ;)
>
> Seriously though, it wouldn't be that hard to forward the POST on to the real bank website, would it?
>
> --
> Jasper Bryant-Greene
> General Manager
> Album Limited
> http://www.album.co.nz/
> 0800 4 ALBUM
> [EMAIL PROTECTED]
> 021 708 334
Re: [Full-disclosure] A Move to Remove
Quoting Edward Pearson [EMAIL PROTECTED]:
> Guys,
>
> Please don't turn this into spam/flame/troll. This is a quick note to say, would all those who'd like n3td3v (the world's greatest hacker and legend in his own mind) to unsubscribe from this list, and not post again, please make it known.

let him stay. If I don't stick up for his right to post whatever, who will stick up for my right to post once I have alienated you?

everyone is allowed to speak. everyone is allowed to filter.

t
-
Email solutions, MS Exchange alternatives and extrication, security services, systems integration.
Contact: [EMAIL PROTECTED]
Re: [Full-disclosure] A Move to Remove
Edward Pearson [EMAIL PROTECTED] wrote:
> Guys,
>
> Please don't turn this into spam/flame/troll. This is a quick note to say, would all those who'd like n3td3v (the world's greatest hacker and legend in his own mind) to unsubscribe from this list, and not post again, please make it known.
>
> Thanks
> Ed

+1.
[Full-disclosure] Re: A Move to Remove
Steve Russell [EMAIL PROTECTED] wrote:
> +1.

Hey, I have an idea! Let's vote someone off the list 'cause y'all don't know how to set up mail filters in Outlook Express or whatever lameass mail client you can barely figure out how to use.

...and people wonder the security industry is in such a sad state.

Please, go ahead and vote in broadcast to the list. At least then those interested in free discourse will know which ones of you to blacklist.

--
Riad S. Wahby
[EMAIL PROTECTED]
Re: [Full-disclosure] Re: A Move to Remove
Riad S. Wahby wrote:
> Steve Russell [EMAIL PROTECTED] wrote:
>> +1.
>
> Hey, I have an idea! Let's vote someone off the list 'cause y'all don't know how to set up mail filters in Outlook Express or whatever lameass mail client you can barely figure out how to use.
>
> ...and people wonder the security industry is in such a sad state.
>
> Please, go ahead and vote in broadcast to the list. At least then those interested in free discourse will know which ones of you to blacklist.

When did FD become a public version of Survivor?

-bkfsec
Re: [Full-disclosure] Re: A Move to Remove
"Riad S. Wahby" [EMAIL PROTECTED] wrote:
> Steve Russell <[EMAIL PROTECTED]> wrote:
>> +1.
>
> Hey, I have an idea! Let's vote someone off the list 'cause y'all don't know how to set up mail filters in Outlook Express or whatever lameass mail client you can barely figure out how to use.
>
> ...and people wonder the security industry is in such a sad state.
>
> Please, go ahead and vote in broadcast to the list. At least then those interested in free discourse will know which ones of you to blacklist.
>
> --
> Riad S. Wahby
> [EMAIL PROTECTED]

Obviously a sarcastic +1 is oblivious to you. If you remember (not) we've already done this.

I was going to ask how sending an email explains how you know whether or not someone has filters in place, or indeed for that matter which client they use as well as their proficiency in using it. But I won't bother...
[Full-disclosure] Doctoral Thesis
Wouldn't it be ironic if someone's thesis was:

Can one individual, acting as a loud-mouth Skiddy, using inflammatory speech, use social engineering techniques to take down a Security site, render it useless, make most of its 'members' go somewhere else, or damage its reputation and namesake?

But then, that's just me...

--
pwnd.security.pwnd
Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow
On Fri, 31 Mar 2006 21:14:58 +1200, Jasper Bryant-Greene said:
> Marcos Agüero wrote:
>> Jasper Bryant-Greene wrote:
>>> Seriously though, it wouldn't be that hard to forward the POST on to the real bank website, would it?
>>
>> I think so, but it would be very easy to detect. Logs would show lots of different users logging in from the same IP address.
>
> Phishing scams are public in nature. They aren't trying to avoid detection :) and the IP address would of course be spoofed.

http is a TCP connection, so you'd have to get through the 3-packet handshake. The vast majority of machines now implement RFC1948, so it's not that easy to do anymore. (It's doable by somebody with sufficient technical ability - but if you're *that* good, why are you wasting time running a phishing scam?)
Re: [Full-disclosure] Root password change
On Fri, 31 Mar 2006 09:21:13 EST, Michael Holstein said:
>> Trivial to defeat. Just boot in to single user mode with these kernel options:
>>
>> single init=/bin/bash
>
> Again .. only due to initial misconfiguration. Nobody should allow alternate switches to be passed to the kernel at boot .. either by password-protecting the bootloader, or via firmware (as with OpenBoot).

Of course, if you're that paranoid, you *did* configure whatever the machine uses for a BIOS to only boot off the intended hard drive, right? ;)

(It's amazing how many boxes I've found that forget that step, so a CD and enough time to hit the RESET button are enough to get you in. And if you have any smarts at all, you don't even need to hang around at the console after you hit reset. It's not that hard to get a Knoppix to start an sshd. :)
Re: [Full-disclosure] Root password change
On Fri, 31 Mar 2006, [EMAIL PROTECTED] wrote:
> On Fri, 31 Mar 2006 09:21:13 EST, Michael Holstein said:
>>> Trivial to defeat. Just boot in to single user mode with these kernel options:
>>>
>>> single init=/bin/bash
>>
>> Again .. only due to initial misconfiguration. Nobody should allow alternate switches to be passed to the kernel at boot .. either by password-protecting the bootloader, or via firmware (as with OpenBoot).
>
> Of course, if you're that paranoid, you *did* configure whatever the machine uses for a BIOS to only boot off the intended hard drive, right? ;)

In which case the person needs to remove the hard drive, and put it into a different system for the modifications (or mirroring).

For the most part, if an attacker has physical access to the hardware itself, you just lose.

--
Greg
Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow
MZ> On Fri, 31 Mar 2006 [EMAIL PROTECTED] wrote:
MZ>> If the website then presents you with the Logon failed page, you are possibly on a legitimate website, so you may proceed with logging in using your correct credentials. If it gets you right through - it is definitely a phishing attempt.
MZ>
MZ> Note to self: design my next phishing website to always display logon
MZ> failed.

That's why the word "possibly" in the quoted sentence was in bold italic. :)

/[EMAIL PROTECTED]
Re: [Full-disclosure] Root password change
On Fri, 31 Mar 2006 12:33:28 EST, gboyce said:
> In which case the person needs to remove the hard drive, and put it into a different system for the modifications (or mirroring).

Time constraints. The amount of time needed to pop in a disk and hit reboot is (or should be, in this case) a lot shorter than the amount of time it takes to pull a rack-mount box out and pop the lid and play with the drives. And if your server has a lockable faceplate like most Dell rack-mounts, that can add a lot to the challenge right there (as it stops any "quick snarf a hot-swap drive and run" scheme).

> For the most part, if an attacker has physical access to the hardware itself, you just lose.

Almost, but not quite right. If the attacker has physical access *for long enough*, you lose. Even the specs for a GSA Class 5 security container (usually referred to as a "crypto safe"), which is the highest level, only specify entry protection of 10 man-minutes forced entry, 20 man-hours surreptitious entry, and 30 man-minutes covert entry, with specified man-portable tools. "Forced entry" means "We don't care *how* much noise the drills and explosives and torches make", while "covert" means "without making noise", and "surreptitious" means "without leaving noticeable marks when you're done". And of course, the testing is done by an expert locksmith with special expertise in this sort of attack.

The reason this is so is because if the safe will hold for 30 minutes, then you just need a Marine with live ammo and instructions to shoot first walk by every 15 minutes, or get there in 5 minutes after the alarms go off.
Re: [Full-disclosure] Root password change
On Fri, 31 Mar 2006, [EMAIL PROTECTED] wrote:
> On Fri, 31 Mar 2006 12:33:28 EST, gboyce said:
>> In which case the person needs to remove the hard drive, and put it into a different system for the modifications (or mirroring).
>
> Time constraints. The amount of time needed to pop in a disk and hit reboot is (or should be, in this case) a lot shorter than the amount of time it takes to pull a rack-mount box out and pop the lid and play with the drives. And if your server has a lockable faceplate like most Dell rack-mounts, that can add a lot to the challenge right there (as it stops any "quick snarf a hot-swap drive and run" scheme).
>
>> For the most part, if an attacker has physical access to the hardware itself, you just lose.
>
> Almost, but not quite right. If the attacker has physical access *for long enough*, you lose.

I wasn't quite clear enough I think. By physical access to the hardware, I meant unencumbered physical access. If a system is in a locked rack, safe, or has a locking case then it is indeed much more difficult.

Good point about the time though. Even an unlocked rack mount server without hot swappable drives will take some time to unrack and disassemble in order to get the drives out and back in again.

--
Greg
[Full-disclosure] RSA HAVE CRACKED PHISHING, NO SERIOUSLY
Check out this article, and I really did spill my hard earned Starbucks right down my front when I looked at this article:

http://news.com.com/5208-1029-0.html?forumID=1&threadID=15591&messageID=131433&start=-1
Re: [Full-disclosure] RSA HAVE CRACKED PHISHING, NO SERIOUSLY
On Fri, 31 Mar 2006 19:06:29 +0100, n3td3v said:

> Check out this article, and I really did spill my hard earned Starbucks right down my front when I looked at this article:
> http://news.com.com/5208-1029-0.html?forumID=1&threadID=15591&messageID=131433&start=-1

Given that you allegedly posted that particular response, I take it you spilled your Starbucks in shock that somebody would claim to be you?

The original article is at http://news.com.com/2100-1029-6056317.html?tag=tb

In any case, it's clear that the person who posted that response has *no idea* how most banks' anti-fraud systems work.

First off, the phishers *can't* just run through all the data they've gotten in just a few seconds, unless they distributed the work across a bunch of botnet zombies - hits for more than a few dozen different accounts from the same IP in the same timespan are suspicious at the very least.

Secondly, the phishers can currently usually be sure that the victims have given them reasonably good data (unless the victim is a dweeb who can't enter their DoB or account number correctly). On the other hand, if the phished data has been polluted by 90% bad data, then only 1 of 10 attempted transactions will succeed - and the fact that they're trying lots of different bad data will again hopefully trigger an alert. If you only succeed every 10th time, and you get locked out after 3 attempts with different bad data, it's going to take you a lot longer to figure out which ones are good and which ones are bad.
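The two server-side checks the reply above attributes to a bank's anti-fraud system (many distinct accounts tried from one source address in a short window, and a per-source lockout after a few rejected logins) as an added example that is not part of the list message, run over a constructed login log. The field names, the thresholds (5 accounts in 60 seconds, lockout at 3 failures) and the sample attempts are assumptions chosen for illustration; a real system would key on more than the source IP.

```c
/*
 * Added example, not from the list post: detection heuristics for replayed
 * phished credentials, run over a constructed login log. Thresholds, field
 * names and the sample attempts are assumptions for illustration.
 */
#include <stdio.h>
#include <string.h>

#define MAX_SEEN 64

struct attempt {
    const char *ip;      /* source address of the login attempt */
    const char *account; /* account identifier submitted */
    int ok;              /* 1 = credentials accepted, 0 = rejected */
    int t;               /* seconds since the start of the log */
};

/* Constructed sample: 203.0.113.7 replays a polluted credential pool
 * (one good record among six); 198.51.100.2 is a legitimate user who
 * mistypes once and then logs in. */
static const struct attempt SAMPLE[] = {
    { "203.0.113.7",  "acct-1001", 0,  0 },
    { "198.51.100.2", "alice",     0,  1 },
    { "203.0.113.7",  "acct-1002", 0,  3 },
    { "203.0.113.7",  "acct-1003", 0,  6 },
    { "203.0.113.7",  "acct-1004", 1,  9 },
    { "203.0.113.7",  "acct-1005", 0, 12 },
    { "203.0.113.7",  "acct-1006", 0, 15 },
    { "198.51.100.2", "alice",     1, 30 },
};
#define NSAMPLE ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

static int seen_before(const char *const *seen, int n, const char *s)
{
    for (int i = 0; i < n; i++)
        if (strcmp(seen[i], s) == 0) return 1;
    return 0;
}

/* Check 1: number of distinct accounts tried from `ip` in [t0, t0 + window].
 * A legitimate user touches one or two; a credential replay touches many. */
int distinct_accounts_from(const struct attempt *ev, int n, const char *ip, int t0, int window)
{
    const char *seen[MAX_SEEN];
    int nseen = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(ev[i].ip, ip) != 0 || ev[i].t < t0 || ev[i].t > t0 + window)
            continue;
        if (!seen_before(seen, nseen, ev[i].account) && nseen < MAX_SEEN)
            seen[nseen++] = ev[i].account;
    }
    return nseen;
}

/* Check 2: index of the attempt at which `ip` accumulates `max_fail`
 * rejected logins, i.e. where a per-source lockout fires; -1 if never. */
int lockout_index(const struct attempt *ev, int n, const char *ip, int max_fail)
{
    int fails = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(ev[i].ip, ip) != 0 || ev[i].ok) continue;
        if (++fails >= max_fail) return i;
    }
    return -1;
}

/* Accepted logins `ip` manages before its lockout fires. With a polluted pool
 * the one good record may never get tried before the source is shut off. */
int successes_before_lockout(const struct attempt *ev, int n, const char *ip, int max_fail)
{
    int stop = lockout_index(ev, n, ip, max_fail);
    int wins = 0;
    for (int i = 0; i < n && (stop < 0 || i < stop); i++)
        if (strcmp(ev[i].ip, ip) == 0 && ev[i].ok) wins++;
    return wins;
}

int main(void)
{
    const char *bot = "203.0.113.7", *user = "198.51.100.2";
    printf("%s: %d distinct accounts in 60s, lockout at attempt %d, %d successes before it\n",
           bot, distinct_accounts_from(SAMPLE, NSAMPLE, bot, 0, 60),
           lockout_index(SAMPLE, NSAMPLE, bot, 3),
           successes_before_lockout(SAMPLE, NSAMPLE, bot, 3));
    printf("%s: %d distinct accounts in 60s, lockout at attempt %d\n",
           user, distinct_accounts_from(SAMPLE, NSAMPLE, user, 0, 60),
           lockout_index(SAMPLE, NSAMPLE, user, 3));
    return 0;
}
```

The distinct-account count is the signal that survives proxy rotation poorly for the attacker only if the bank correlates across sources as well; per-IP lockout alone is what the later replies in this thread argue a botnet defeats.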
Re: [Full-disclosure] Claroline <= 1.7.4 (scormExport.inc.php) Remote Code Execution Exploit by rgod
My bad, I didn't check well, the xss isn't in an error message for this one. I had one example: when an invalid function is called (if its name is based on user supplied data, yes some people code like this.. I saw one example in a famous portal), there was an xss in the error message; however I checked now and this was fixed in php 5.1.2 with other ones, maybe there are still some though. I know nobody cares about xss when they're not permanent, but if it's in php itself..

On Fri, 31 Mar 2006 11:57, Siegfried wrote:

> I just wanted to comment rgod's Claroline <= 1.7.4 (scormExport.inc.php) Remote Code Execution Exploit:
> http://www.milw0rm.com/exploits/1627
> http://retrogod.altervista.org/claroline_174_incl_xpl.html
> http://secunia.com/advisories/19461/
>
> The file inclusion vulnerability just affects the 1.7 branch, however when installing claroline it says to turn register_globals on and older versions were _just_ working with register_globals set to on (if I remember well), so huh.. many are probably vuln.
>
> About the xss, it is an xss in the php error message, there are many php functions returning errors without filtering them, has anybody noted that?

--
Zone-H Admin
[EMAIL PROTECTED]
www.zone-h.org
www.zone-h.fr
Re: [Full-disclosure] RSA HAVE CRACKED PHISHING, NO SERIOUSLY
What, you mean phishers don't know after every 50 attempts to login on the same host address that you're revoked, and to write a script to ask your 100,000 botnet harvested firstly from the unpatched IE flaw a few days ago, and then use that same 0-day to hack your bank info with via fake BBC news articles is such a difficult thing for a "dumb phisher" to carry out. Yes! Dude, I was on Yahoo when they first locked out brute force login attacks back in 2001, I think I'm comfortable with the technology by now.

On 3/31/06, [EMAIL PROTECTED] wrote:

> In any case, it's clear that the person who posted that response has *no idea* how most banks' anti-fraud systems work.
>
> First off, the phishers *can't* just run through all the data they've gotten in just a few seconds, unless they distributed the work across a bunch of botnet zombies - hits for more than a few dozen different accounts from the same IP in the same timespan are suspicious at the very least.
> [...]
> If you only succeed every 10th time, and you get locked out after 3 attempts with different bad data, it's going to take you a lot longer to figure out which ones are good and which ones are bad.
[Full-disclosure] Buffer-overflow and in-game crash in Zdaemon 1.08.01
###

Luigi Auriemma

Application:  Zdaemon
              http://www.zdaemon.org
              (and also X-Doom http://www.doom2.net/~xdoom/)
Versions:     <= 1.08.01
Platforms:    Windows and Linux
Bugs:         A] buffer-overflow in is_client_wad_ok
              B] Invalid memory access in ZD_MissingPlayer, ZD_UseItem and
                 ZD_LoadNewClientLevel/ZD_ValidClient
Exploitation: A] remote, versus server
              B] remote, versus server (in-game)
Date:         31 Mar 2006
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    http://aluigi.altervista.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

Zdaemon is the most played Doom engine on the Internet, with tons of servers available online and many players. X-Doom instead is an old server-only port focused on Linux/BSD and is/was based on the latest Zdaemon source code which was available before it became closed source.

###

=== 2) Bugs ===

-- A] buffer-overflow in is_client_wad_ok --

When a client joins the match, the server checks if the wad files (the maps) used on the client are the same it has. So the client sends the name of each wad used on the server followed by the local md5 hash of the file; the server gets the received filename and copies it into a buffer of 256 bytes using strcpy(). The resulting buffer-overflow is limited by the my_strupr function, which converts all the chars to upper case, but during my tests with GDB I was able to overwrite a return address with the original string using a longer filename. The attacker needs to know the right keyword if the server is protected by password. IP banning doesn't protect against this attack because it's a subsequent check, so an attacker can exploit any server on which he is banned.

From server/src/w_wad.cpp (X-Doom / Zdaemon 1.06):

char *wad_check::is_client_wad_ok(const char *fname,const byte *csum)
{
    int i;
    char temp[256];
    static char errmsg[512];

    strcpy(temp,plain_filename(fname));
    my_strupr(temp);
    if ( (i=find(fname)) < 0 ) {
        sprintf(errmsg,"\nYou should not load \"%s\" on this server.\nGet rid of it!\n",temp);
        return errmsg;
    }
    ...

-- B] Invalid memory access in ZD_MissingPlayer, ZD_UseItem and ZD_LoadNewClientLevel/ZD_ValidClient --

Zdaemon supports many commands for playing, like changing the player name, chatting, moving, selecting weapons and so on... just like any common multiplayer game. The functions ZD_MissingPlayer, ZD_UseItem and ZD_ValidClient (exploitable through ZD_LoadNewClientLevel) read an 8-bit number from the client which is used to select a specific player slot or item and then do some operations. The server uses 16 slots (MAXPLAYERS) and less than 40 items (NUMARTIFACTS), so if an attacker uses an invalid number the server crashes immediately after trying to access an invalid memory zone. This is an in-game bug, so all the requirements for accessing the server (correct md5 hashes of the wads, password and no banning) must be respected or it can't be exploited.

From server/src/sv_main.cpp (X-Doom / Zdaemon 1.06):

void ZD_MissingPlayer(void)
{
    int pnum = ZD_ReadByte();   // the player that our client is missing
    int cl = parse_cl;
    player_t* player = &players[pnum];

    if (!playeringame[pnum]) {
        Printf("ZD_MissingPlayer: BIG PROBLEM!!\n");
        return;
    }
    ZDOP.Init();
    if (player->isbot)
    ...

void ZD_UseItem(void)
{
    int which = ZD_ReadByte();
    int i;

    // None left!
    if (players[parse_cl].inventory[which] <= 0)
    ...

static void ZD_LoadNewClientLevel(char *levelname, int i)
{
    player_s *pli;

    if (!ZD_ValidClient(i))
        return;
    ...

bool ZD_ValidClient(int i)
{
    return (playeringame[i] && !players[i].isbot);
}

###

=== 3) The Code ===

A] http://aluigi.altervista.org/poc/zdaebof.zip

B] Add the following code at line 179 of my Zdaemon Fake Players DoS:

    for(i = 0; i < 256; i++) {
        p = buff;
        *p++ = 0xff;
        *p++ = cl_missingplayer;    // cl_useitem cl_wantnewlevel
        *p++ = i;
        len = send_recv(sd, buff, p - buff,
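The server-side checks that bugs A and B above lack, as an added stand-alone C example that is not code from the advisory or from Zdaemon/X-Doom. The client-supplied wad name is length-checked before it is copied into the 256-byte buffer and the error text is built with a bounded snprintf, and the 8-bit slot/item index read from the client is validated against MAXPLAYERS and NUMARTIFACTS before it subscripts anything. MAXPLAYERS (16) and NUMARTIFACTS (40) are taken from the advisory's figures; plain_filename(), my_strupr(), the server wad list and the test names are assumptions modelled on what the advisory quotes.

```c
/*
 * Added example, not from the advisory or from Zdaemon: hardened versions
 * of the two checks whose absence the advisory describes. MAXPLAYERS and
 * NUMARTIFACTS follow the advisory's figures; the helpers and the wad list
 * are assumptions for illustration.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXPLAYERS   16   /* player slots, per the advisory */
#define NUMARTIFACTS 40   /* inventory items ("less than 40"), assumed bound */
#define WADNAME_MAX  256  /* size of temp[] in the original function */

/* Constructed server wad list, stored upper-cased like my_strupr() output. */
static const char *const SERVER_WADS[] = { "DOOM2.WAD", "MAP01.WAD" };
#define NSERVER_WADS ((int)(sizeof SERVER_WADS / sizeof SERVER_WADS[0]))

/* Assumed behaviour: strip any directory part, accepting / and \ separators. */
static const char *plain_filename(const char *fname)
{
    const char *p = fname, *base = fname;
    for (; *p; p++)
        if (*p == '/' || *p == '\\') base = p + 1;
    return base;
}

static void my_strupr(char *s)
{
    for (; *s; s++) *s = (char)toupper((unsigned char)*s);
}

/* Bug A, hardened: refuse a name that does not fit the buffer instead of
 * strcpy()ing it. Returns 0 if the wad is known, -1 if the name is too long,
 * -2 if the wad is not loaded here; errmsg is filled with a bounded write. */
int check_client_wad(const char *fname, const char *const *server_wads, int nwads,
                     char *errmsg, size_t errlen)
{
    char temp[WADNAME_MAX];
    const char *base = plain_filename(fname);
    size_t len = strlen(base);

    if (len >= sizeof temp) {
        snprintf(errmsg, errlen, "\nRejected: wad file name too long (%zu bytes).\n", len);
        return -1;
    }
    memcpy(temp, base, len + 1);   /* length checked above, NUL included */
    my_strupr(temp);

    for (int i = 0; i < nwads; i++)
        if (strcmp(temp, server_wads[i]) == 0) { errmsg[0] = '\0'; return 0; }

    snprintf(errmsg, errlen, "\nYou should not load \"%s\" on this server.\nGet rid of it!\n", temp);
    return -2;
}

/* Wrapper over the constructed wad list with a static error buffer. */
int check_client_wad_demo(const char *fname)
{
    static char errmsg[512];
    return check_client_wad(fname, SERVER_WADS, NSERVER_WADS, errmsg, sizeof errmsg);
}

/* A 599-byte name, longer than temp[]: the original strcpy() would overflow. */
int long_name_is_rejected(void)
{
    char longname[600];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return check_client_wad_demo(longname) == -1;
}

/* Bug B, hardened: validate the byte read from the client before it is used
 * to index players[] or inventory[]. ZD_ReadByte() yields 0..255. */
int valid_player_slot(int pnum)  { return pnum >= 0 && pnum < MAXPLAYERS; }
int valid_item_index(int which)  { return which >= 0 && which < NUMARTIFACTS; }

int main(void)
{
    printf("doom2.wad with path -> %d\n", check_client_wad_demo("c:\\games\\doom2.wad"));
    printf("evil.wad            -> %d\n", check_client_wad_demo("/tmp/evil.wad"));
    printf("599 x 'A' rejected  -> %d\n", long_name_is_rejected());
    printf("slot 3 ok %d, slot 16 ok %d, slot 255 ok %d\n",
           valid_player_slot(3), valid_player_slot(16), valid_player_slot(255));
    printf("item 39 ok %d, item 255 ok %d\n", valid_item_index(39), valid_item_index(255));
    return 0;
}
```

The length check has to come before any copy, not after my_strupr(), since the advisory notes that upper-casing only limits which bytes survive the overflow rather than preventing it. For bug B, rejecting the packet is the only safe option: a lookup table indexed by an unchecked 8-bit value reads past the end of a 16-entry array for 240 of the 256 possible inputs.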
Re: [Full-disclosure] RSA HAVE CRACKED PHISHING, NO SERIOUSLY
It was back in 2001 when programs were written to rotate proxies... this is never a problem for a phisher. Do you think a phisher would really carry out a world-wide phishing attack, without knowing everything behind the issue? The guys are going to have a large amount of data to harvest; for experts to think for a split second that that was ever going to be done manually is just beyond me. And the figure of 300 within a phisher's data pool is just laughable as well, it goes way higher than that.

On 3/31/06, [EMAIL PROTECTED] wrote:

> First off, the phishers *can't* just run through all the data they've gotten in just a few seconds, unless they distributed the work across a bunch of botnet zombies - hits for more than a few dozen different accounts from the same IP in the same timespan are suspicious at the very least.
> [...]
> If you only succeed every 10th time, and you get locked out after 3 attempts with different bad data, it's going to take you a lot longer to figure out which ones are good and which ones are bad.
Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should NotFollow
> http://www.hexview.com/sdp/node/24
>
> (Show this article to your computer-illiterate spouse to confuse him/her even more :)

Better yet, do the right thing and implement Tip #4:

Go to the secure SSL login page of your bank. Verify the URL. Verify that the SSL certificate was issued to your bank by examining its properties. Now bookmark the SSL page. Tell your computer-illiterate spouse to *always* go to the bank login via favorites with the page you just bookmarked. If there are any popup warnings from the browser [such as from a certificate name mismatch], do not log in.

This catches all variations of pharming, man-in-the-middle, and type-alike sites. It offers no protection from local trojans/keyloggers.
[Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
This is funny as well,

http://news.com.com/5208-1029-0.html?forumID=1&threadID=15591&messageID=131539&start=-1&reply=true

I almost choked on my big mac after reading this one, the guy thinks if you take down a site, the phisher's script doesn't deploy another premade site straight away on another host. lol, maybe the RSA have miscalculated the pre-planning and programming of a phishing attack backend before it's carried out. I guess they just thought phishing was down to "dumb criminals".

On 3/31/06, n3td3v [EMAIL PROTECTED] wrote:

> Check out this article, and I really did spill my hard earned Starbucks right down my front when I looked at this article:
> http://news.com.com/5208-1029-0.html?forumID=1&threadID=15591&messageID=131433&start=-1
Re: [Full-disclosure] Re: A Move to Remove
I was going to ask how sending an email explains how you know whether or not someone has filters in place, but I won't bother... If you had filtered out all n*td*v related mail you wouldn't have responded to this thread..

Regards
Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
Why don't you just "filter" me like "the experts" have told you to do? Or haven't you worked out the technical background architecture of Outlook and Thunderbird yet? Figures.

On 3/31/06, php0t [EMAIL PROTECTED] wrote:

> For real, please keep your word.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of n3td3v
> Sent: Friday, March 31, 2006 9:55 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
>
>> This is funny as well,
>> http://news.com.com/5208-1029-0.html?forumID=1&threadID=15591&messageID=131539&start=-1&reply=true
>> [...]
RE: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
If you kept your word (and didn't post my emails back to the list), it'd be better. :)

-----Original Message-----
From: n3td3v [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 31, 2006 10:47 PM
To: php0t; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY

> Why don't you just "filter" me like "the experts" have told you to do? Or haven't you worked out the technical background architecture of Outlook and Thunderbird yet? Figures.
>
> On 3/31/06, php0t [EMAIL PROTECTED] wrote:
>> For real, please keep your word.
>> [...]
Re: [Full-disclosure] A Move to Remove
Why don't you just "filter" me like "the experts" have told you to do? Or haven't you worked out the technical background architecture of Outlook and Thunderbird yet? Figures.

On 3/31/06, Edward Pearson [EMAIL PROTECTED] wrote:

> Guys,
>
> Please don't turn this into spam/flame/troll. This is a quick note to say, would all those who'd like n3td3v (the world's greatest hacker and legend in his own mind) to unsubscribe from this list, and not post again, please make it known.
>
> Thanks
> Ed
Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
Is that the same as hacking someone's domain, accepting the Gmail confirmation to say you're allowed to send from a Gmail account with that hacked domain, then deleting all forensic logs from the hacked domain and then going back to your Gmail account, where you can continue to send your inflamed FD comments from as [EMAIL PROTECTED]. Figures.

On 3/31/06, php0t [EMAIL PROTECTED] wrote:

> If you kept your word (and didn't post my emails back to the list), it'd be better. :)
>
> -----Original Message-----
> From: n3td3v [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 31, 2006 10:47 PM
> To: php0t; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
>
>> Why don't you just "filter" me like "the experts" have told you to do? [...]
[Full-disclosure] Yahoo want to lock up n3td3v
Yahoo want to lock up n3td3v but they don't have enough laws yet...

http://news.com.com/Yahoo+We+need+effective+cybercrime+laws/2100-7348_3-6056523.html?tag=nefd.top
[Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
> In any case, it's clear that the person who posted that response has *no idea* how most banks' anti-fraud systems work.
>
> First off, the phishers *can't* just run through all the data they've gotten in just a few seconds, unless they distributed the work across a bunch of botnet zombies - hits for more than a few dozen different accounts from the same IP in the same timespan are suspicious at the very least.
> [...]
> If you only succeed every 10th time, and you get locked out after 3 attempts with different bad data, it's going to take you a lot longer to figure out which ones are good and which ones are bad.

Consider that some of these fake accounts could also be used as "honey keys". They would of course have to work in conjunction with the banks / sites to utilize this. It would be rather difficult for a phisher to sort through thousands of IDs when IP addresses keep getting shut off based on a honey key. You would have to own a lot of bots and a lot of patience.

Duck
Re: [Full-disclosure] A Move to Remove
I came here to learn, not follow a slanging match. For fuck sake guys knock it off!

As for filtering, if this shit didn't happen we wouldn't need to filter it !!!

ENOUGH is ENUF!!!

> From: n3td3v [EMAIL PROTECTED]
> To: Edward Pearson [EMAIL PROTECTED], full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] A Move to Remove
> Date: Fri, 31 Mar 2006 21:54:57 +0100
>
> Why don't you just "filter" me like "the experts" have told you to do? Or haven't you worked out the technical background architecture of Outlook and Thunderbird yet? Figures.
>
> On 3/31/06, Edward Pearson [EMAIL PROTECTED] wrote:
>> Guys,
>>
>> Please don't turn this into spam/flame/troll. This is a quick note to say, would all those who'd like n3td3v (the world's greatest hacker and legend in his own mind) to unsubscribe from this list, and not post again, please make it known.
>>
>> Thanks
>> Ed
Re: [Full-disclosure] A Move to Remove
On Fri, 31 Mar 2006 23:17:48 +0100, Ian stuart Turnbull said:

> As for filtering, if this shit didn't happen we wouldn't need to filter it !!!

And if his parents had practiced abstinence, the failure of the condom wouldn't have mattered either. So much for filtering undesired stuff. Unfortunately, in both cases we're stuck with the results.

Oddly enough, when Microsoft's Ballmer tried to blame security issues on the hackers that exploit them, the security community collectively ripped Ballmer a new one. So we as a community still need to work some on that whole consistency thing.
Re: [Full-disclosure] A Move to Remove
At the same time, if you knew how to configure your mail client and/or server, you wouldn't need to post about n3td3v because you wouldn't know about it in the first place. It's only noobs who complain about n3td3v, you know the folks who aren't actually hackers, who don't know how to set up your shit properly.

On 3/31/06, Ian stuart Turnbull [EMAIL PROTECTED] wrote:

> I came here to learn, not follow a slanging match. For fuck sake guys knock it off!
>
> As for filtering, if this shit didn't happen we wouldn't need to filter it !!!
>
> ENOUGH is ENUF!!!
> [...]
Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
Well I think they took a pretty neat and somewhat unique approach to the whole thing. I don't think they claim to have thought of some groundbreaking perfect solution to stop phishers. However, they are combing through over a billion e-mails a day and looking for phishing sites. They've tied themselves into some top vendors and are working to get the sites shut down. They are actually making calls and sending e-mails that have been translated appropriately. On top of that they are flooding the sites with bogus information. How exactly they are doing that.. I don't know. Are they using different sessions and IP addresses for each bogus request they send? Are they typing in gibberish or stuff that appears completely legit? As many of us know, credit card numbers can instantly be checked to see if they are even a valid number before you even go through the process of verifying expiration, zip code, cvv, or anything else. Is this company actually taking credit card numbers that could potentially be legit account numbers and inserting them? If not then it would only take seconds to sort through hundreds of fake and real account numbers.

Anyway -- I am not sure how they are doing everything, but they are taking a better approach than many. Maybe some of the boneheads lurking about this mailing list can reply back and let us know if they've been thwarted by this company in any way. :-)

Steven

----- Original Message -----
From: ducki3 [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Friday, March 31, 2006 5:04 PM
Subject: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY

> In any case, it's clear that the person who posted that response has *no idea* how most banks' anti-fraud systems work.
>
> First off, the phishers *can't* just run through all the data they've gotten in just a few seconds, unless they distribute the work across a bunch of botnet zombies - hits for more than a few dozen different accounts from the same IP in the same timespan are suspicious at the very least.
>
> Secondly, the phishers can currently usually be sure that the victims have given them reasonably good data (unless the victim is a dweeb who can't enter their DoB or account number correctly). On the other hand, if the phished data has been polluted by 90% bad data, then only 1 of 10 attempted transactions will succeed - and the fact that they're trying lots of different bad data will again hopefully trigger an alert. If you only succeed every 10th time, and you get locked out after 3 attempts with different bad data, it's going to take you a lot longer to figure out which ones are good and which ones are bad.
>
> Consider that some of these fake accounts could also be used as Honey keys. They would of course have to work in conjunction with the banks / sites to utilize this. It would be rather difficult for a phisher to sort through thousands of IDs when IP addresses keep getting shut off based on a Honey Key. You would have to own a lot of BOTs and a lot of patience.
>
> Duck
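Steven's remark that card numbers "can instantly be checked to see if they are even a valid number" refers to a checksum test that needs no issuer lookup. The post does not name the check; the assumption here is that he means the Luhn mod-10 algorithm, which is what card-number forms and fraud filters typically run first. The script below is an added illustration, not code from Steven or anyone else in this thread, and the sample strings are constructed test values (the two passing numbers are standard test numbers that map to no real account).

```python
"""Luhn (mod 10) check, the usual first-pass validity test on a card
number before any expiry, ZIP or CVV verification is attempted.
Added illustration for this thread, not code posted by any participant."""


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum.

    Non-digit characters (spaces, dashes) are stripped first. Strings
    with fewer than two digits are rejected outright.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # fold any two-digit product back to a single digit (d - 9).
    for idx, d in enumerate(reversed(digits)):
        if idx % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_luhn_passing(candidates):
    """Return (passing, total) for a batch of candidate strings.

    This is the bank-side view Steven alludes to: a batch of captured
    numbers can be reduced to the ones worth further checks in well
    under a second, because the checksum alone rejects most random
    digit strings.
    """
    passing = sum(1 for c in candidates if luhn_valid(c))
    return passing, len(candidates)


# Constructed sample input: well-known test numbers that pass Luhn,
# plus strings that look like card numbers but fail the checksum.
SAMPLE_BATCH = [
    "4111 1111 1111 1111",  # passes (classic test number)
    "4012-8888-8888-1881",  # passes (test number)
    "4111 1111 1111 1112",  # last digit off by one: fails
    "1234 5678 9012 3456",  # fails
    "0000 0000 0000 0000",  # passes (all zeros sum to 0)
    "abcd",                 # no digits: rejected
]

if __name__ == "__main__":
    ok, n = count_luhn_passing(SAMPLE_BATCH)
    print(f"{ok} of {n} constructed candidates pass the Luhn check")
```

Note that passing Luhn says nothing about whether the number belongs to an open account; it only filters out entries that cannot be card numbers at all, which is exactly why Steven asks whether the bogus data RSA injects would survive this step.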
[Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
In any case, it's clear that the person who posted that response has *no idea* how most banks' anti-fraud systems work.

First off, the phishers *can't* just run through all the data they've gotten in just a few seconds, unless they distribute the work across a bunch of botnet zombies - hits for more than a few dozen different accounts from the same IP in the same timespan are suspicious at the very least.

Secondly, the phishers can currently usually be sure that the victims have given them reasonably good data (unless the victim is a dweeb who can't enter their DoB or account number correctly). On the other hand, if the phished data has been polluted by 90% bad data, then only 1 of 10 attempted transactions will succeed - and the fact that they're trying lots of different bad data will again hopefully trigger an alert. If you only succeed every 10th time, and you get locked out after 3 attempts with different bad data, it's going to take you a lot longer to figure out which ones are good and which ones are bad.

Consider that some of these fake accounts could also be used as Honey keys. They would of course have to work in conjunction with the banks / sites to utilize this. It would be rather difficult for a phisher to sort through thousands of IDs when IP addresses keep getting shut off based on a Honey Key. You would have to own a lot of BOTs and a lot of patience.

Duck
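The three controls ducki3 describes (velocity of distinct accounts per source IP, lockout after three bad attempts, and honey keys seeded into the harvested data so that their use identifies the harvester) can be written as a small triage pass over a bank's login-attempt log. The script below is an added example, not ducki3's or any bank's code; the log format, the thresholds, the IP addresses and the decoy account names are all constructed for the demonstration.

```python
"""Bank-side login triage illustrating the controls in ducki3's post:
per-IP distinct-account velocity, per-account lockout after repeated
failures, and honey-key (decoy credential) tripwires.
Added illustration; not code from the thread or from any real product."""

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed thresholds (assumptions for the demo, not real bank policy).
MAX_DISTINCT_ACCOUNTS_PER_IP = 5   # post says "a few dozen"; kept small here
LOCKOUT_AFTER_FAILURES = 3         # the post's "locked out after 3 attempts"
WINDOW_SECONDS = 600

# Constructed decoy accounts, shared with the anti-phishing vendor so the
# bogus submissions it floods into phishing kits include them. No real
# customer holds these, so any login attempt against them is hostile.
HONEY_KEYS = {"acct-9001", "acct-9002"}


@dataclass
class Verdict:
    locked_accounts: set = field(default_factory=set)
    flagged_ips: dict = field(default_factory=dict)   # ip -> first reason


def parse_line(line):
    """Parse the constructed format 'ts ip account result'."""
    ts, ip, account, result = line.split()
    return int(ts), ip, account, result


def triage(log_lines):
    """Apply the three rules in order over the log and return a Verdict."""
    v = Verdict()
    failures = defaultdict(int)     # account -> consecutive failures
    seen = defaultdict(list)        # ip -> [(ts, account), ...]
    for line in log_lines:
        ts, ip, account, result = parse_line(line)

        # Honey key: a decoy credential in use pins the source IP
        # regardless of whether the attempt "succeeded".
        if account in HONEY_KEYS:
            v.flagged_ips.setdefault(ip, "honey key used")

        # Lockout: count consecutive failures per account; success resets.
        if result == "FAIL":
            failures[account] += 1
            if failures[account] >= LOCKOUT_AFTER_FAILURES:
                v.locked_accounts.add(account)
        else:
            failures[account] = 0

        # Velocity: too many distinct accounts from one IP in the window.
        seen[ip].append((ts, account))
        recent = {a for t, a in seen[ip] if ts - t <= WINDOW_SECONDS}
        if len(recent) > MAX_DISTINCT_ACCOUNTS_PER_IP:
            v.flagged_ips.setdefault(ip, "too many distinct accounts")
    return v


# Constructed log: one source cycling through six harvested accounts,
# one source trying a decoy credential, one account hammered three times,
# and one ordinary successful login.
SAMPLE_LOG = [
    "1000 203.0.113.7 acct-1001 FAIL",
    "1005 203.0.113.7 acct-1002 FAIL",
    "1010 203.0.113.7 acct-1003 OK",
    "1015 203.0.113.7 acct-1004 FAIL",
    "1020 203.0.113.7 acct-1005 FAIL",
    "1025 203.0.113.7 acct-1006 FAIL",   # sixth distinct account -> flagged
    "1100 198.51.100.9 acct-9001 OK",    # decoy credential -> flagged
    "1200 192.0.2.5 acct-2001 FAIL",
    "1210 192.0.2.5 acct-2001 FAIL",
    "1220 192.0.2.5 acct-2001 FAIL",     # third failure -> locked
    "1300 192.0.2.50 acct-3001 OK",      # legitimate user, untouched
]

if __name__ == "__main__":
    verdict = triage(SAMPLE_LOG)
    print("locked:", sorted(verdict.locked_accounts))
    print("flagged:", verdict.flagged_ips)
```

The point ducki3 makes falls out of the sample: the harvester sorting good data from bad must either spread attempts across many sources (the velocity rule) or accept lockouts and decoy hits, and the honey key flags the source on its very first use.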
Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
But do you remember back to the Make love not spam saga? Yeah, the big players tried to attack the bad guys and look where they ended up. You, by attacking anything, for whatever reason, with the same method as the attacker, could land you in jail. While with your attack you may lock up phishers in coordination with banks, the phishers' lawyers could also claim by law that the anti-phishing site was also breaking the law by flooding a database, even if the database is malicious or otherwise legitimate.

On 3/31/06, Steven [EMAIL PROTECTED] wrote:
> Well I think they took a pretty neat and somewhat unique approach to the whole thing. I don't think they claim to have thought of some groundbreaking perfect solution to stop phishers. However, they are combing through over a billion e-mails a day and looking for phishing sites. They've tied themselves into some top vendors and are working to get the sites shut down. They are actually making calls and sending e-mails that have been translated appropriately. On top of that they are flooding the sites with bogus information. How exactly they are doing that.. I don't know. Are they using different sessions and IP addresses for each bogus request they send? Are they typing in gibberish or stuff that appears completely legit? As many of us know, credit card numbers can instantly be checked to see if they are even a valid number before you even go through the process of verifying expiration, zip code, cvv, or anything else. Is this company actually taking credit card numbers that could potentially be legit account numbers and inserting them? If not then it would only take seconds to sort through hundreds of fake and real account numbers.
>
> Anyway -- I am not sure how they are doing everything, but they are taking a better approach than many. Maybe some of the boneheads lurking about this mailing list can reply back and let us know if they've been thwarted by this company in any way. :-)
>
> Steven
>
> ----- Original Message -----
> From: ducki3 [EMAIL PROTECTED]
> To: full-disclosure@lists.grok.org.uk
> Sent: Friday, March 31, 2006 5:04 PM
> Subject: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
>
> > In any case, it's clear that the person who posted that response has *no idea* how most banks' anti-fraud systems work.
> >
> > First off, the phishers *can't* just run through all the data they've gotten in just a few seconds, unless they distribute the work across a bunch of botnet zombies - hits for more than a few dozen different accounts from the same IP in the same timespan are suspicious at the very least.
> >
> > Secondly, the phishers can currently usually be sure that the victims have given them reasonably good data (unless the victim is a dweeb who can't enter their DoB or account number correctly). On the other hand, if the phished data has been polluted by 90% bad data, then only 1 of 10 attempted transactions will succeed - and the fact that they're trying lots of different bad data will again hopefully trigger an alert. If you only succeed every 10th time, and you get locked out after 3 attempts with different bad data, it's going to take you a lot longer to figure out which ones are good and which ones are bad.
> >
> > Consider that some of these fake accounts could also be used as Honey keys. They would of course have to work in conjunction with the banks / sites to utilize this. It would be rather difficult for a phisher to sort through thousands of IDs when IP addresses keep getting shut off based on a Honey Key. You would have to own a lot of BOTs and a lot of patience.
> >
> > Duck
Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
With this in mind, are the RSA saying it's OK to DDoS fake login pages that the public think are phishing sites with fake information to take the phishing sites down? Or maybe the RSA didn't think too far into it before making their illegal tactics public. I guess nobody in the industry learned from makelovenotspam.com and the whole Lycos affair.

On 3/31/06, n3td3v [EMAIL PROTECTED] wrote:
> But do you remember back to the Make love not spam saga? Yeah, the big players tried to attack the bad guys and look where they ended up. You, by attacking anything, for whatever reason, with the same method as the attacker, could land you in jail. While with your attack you may lock up phishers in coordination with banks, the phishers' lawyers could also claim by law that the anti-phishing site was also breaking the law by flooding a database, even if the database is malicious or otherwise legitimate.
>
> On 3/31/06, Steven [EMAIL PROTECTED] wrote:
> > Well I think they took a pretty neat and somewhat unique approach to the whole thing. I don't think they claim to have thought of some groundbreaking perfect solution to stop phishers. However, they are combing through over a billion e-mails a day and looking for phishing sites. They've tied themselves into some top vendors and are working to get the sites shut down. They are actually making calls and sending e-mails that have been translated appropriately. On top of that they are flooding the sites with bogus information. How exactly they are doing that.. I don't know. Are they using different sessions and IP addresses for each bogus request they send? Are they typing in gibberish or stuff that appears completely legit? As many of us know, credit card numbers can instantly be checked to see if they are even a valid number before you even go through the process of verifying expiration, zip code, cvv, or anything else. Is this company actually taking credit card numbers that could potentially be legit account numbers and inserting them? If not then it would only take seconds to sort through hundreds of fake and real account numbers.
> >
> > Anyway -- I am not sure how they are doing everything, but they are taking a better approach than many. Maybe some of the boneheads lurking about this mailing list can reply back and let us know if they've been thwarted by this company in any way. :-)
> >
> > Steven
> >
> > ----- Original Message -----
> > From: ducki3 [EMAIL PROTECTED]
> > To: full-disclosure@lists.grok.org.uk
> > Sent: Friday, March 31, 2006 5:04 PM
> > Subject: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
> >
> > > In any case, it's clear that the person who posted that response has *no idea* how most banks' anti-fraud systems work.
> > >
> > > First off, the phishers *can't* just run through all the data they've gotten in just a few seconds, unless they distribute the work across a bunch of botnet zombies - hits for more than a few dozen different accounts from the same IP in the same timespan are suspicious at the very least.
> > >
> > > Secondly, the phishers can currently usually be sure that the victims have given them reasonably good data (unless the victim is a dweeb who can't enter their DoB or account number correctly). On the other hand, if the phished data has been polluted by 90% bad data, then only 1 of 10 attempted transactions will succeed - and the fact that they're trying lots of different bad data will again hopefully trigger an alert. If you only succeed every 10th time, and you get locked out after 3 attempts with different bad data, it's going to take you a lot longer to figure out which ones are good and which ones are bad.
> > >
> > > Consider that some of these fake accounts could also be used as Honey keys. They would of course have to work in conjunction with the banks / sites to utilize this. It would be rather difficult for a phisher to sort through thousands of IDs when IP addresses keep getting shut off based on a Honey Key. You would have to own a lot of BOTs and a lot of patience.
> > >
> > > Duck
Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
Well, Chris, it looks to me by the RSA publishing this information that they are encouraging anyone with a botnet to send thousands of bogus queries to a web form, which would crash a mail server or database, which belonged to a company that the phishers had previously hacked and the company was previously unaware was being used in a phishing attempt. So now it seems the RSA are sending out information about their activities, which could influence scriptkids/hackers etc who own large bot nets to attack anything they see as a phish. Although, just by individuals of the public sending a single query per user to a phish login form, could cause the same effect as a malicious user's bot network.

On 4/1/06, Chris Umphress [EMAIL PROTECTED] wrote:
> On 3/31/06, n3td3v [EMAIL PROTECTED] wrote:
> > With this in mind, are the RSA saying it's OK to DDoS fake login pages that the public think are phishing sites with fake information to take the phishing sites down? Or maybe the RSA didn't think too far into it before making their illegal tactics public. I guess nobody in the industry learned from makelovenotspam.com and the whole Lycos affair.
> >
> > On 3/31/06, n3td3v [EMAIL PROTECTED] wrote:
> > > But do you remember back to the Make love not spam saga? Yeah, the big
>
> So why repeat yourself 15 minutes later? And personally, I like the fate that one spammer in Russia met a few months ago
>
> --
> Chris Umphress
> http://daga.dyndns.org/
Fwd: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow
On 3/31/06, Mike Nice [EMAIL PROTECTED] wrote:
> http://www.hexview.com/sdp/node/24 (Show this article to your computer-illiterate spouse to confuse him/her even more :)
>
> Better yet, do the right thing and implement Tip #4: Go to the secure SSL login page of your bank. Verify the URL. Verify that the SSL certificate was issued to your bank by examining its properties. Now bookmark the SSL page. Tell your computer-illiterate spouse to *always* go to the bank login via favorites with the page you just bookmarked. If there are any popup warnings from the browser [such as from certificate name mismatch], do not log in. This catches all variations of Pharming, man-in-the-middle, and type-alike sites. It offers no protection from local trojans/keyloggers.

I'll agree that Step #4 protects against one variant of the phish attack. But there are so many others:

1) Any different social engineering besides login to your bank account. For example, Chase will pay you $20 to fill out a short survey! (of course, after filling out the survey you must provide your debit card number or account login information to get the $20). Another example is spoofing a retailer's site to get debit and credit card information, or spoofing the IRS.

2) Any attack against the user's computer. Keyloggers, software that listens for an authenticated connection then inserts transactions, host file alterations.

3) Any attack that spoofs the SSL cert box (The Codefish web site had a good example... what ever happened to Codefish, anyway?... pharming, MITM, and type-alike can fit in here, too)

Honestly, the only way to defeat phishing is to improve computer configurations and management, to educate users, and to allow only smart users near the Internet. None of those is likely to happen, so we'll have to deal with phish forever. That's just like in the physical world. After thousands of years, we still have people performing con jobs.

--
Although I've found many nuts, I'm back to being anonymous,
[Full-disclosure] Kazaa
Other than removing Kazaa and preventing installation, how else can I block it from being used?
[Full-disclosure] n3td3v group slams RSA for encouraging illegal anti-phishing tactics
Round-up:

But do you remember back to the Make love not spam saga? Yeah, the big players tried to attack the bad guys and look where they ended up. You, by attacking anything, for whatever reason, with the same method as the attacker, could land you in jail. While with your attack you may lock up phishers in coordination with banks, the phishers' lawyers could also claim by law that the anti-phishing site was also breaking the law by flooding a database, even if the database is malicious or otherwise legitimate.

With this in mind, are the RSA saying it's OK to DDoS fake login pages that the public think are phishing sites with fake information to take the phishing sites down? Or maybe the RSA didn't think too far into it before making their illegal tactics public. I guess nobody in the industry learned from makelovenotspam.com and the whole Lycos affair.

Well, Chris, it looks to me by the RSA publishing this information that they are encouraging anyone with a botnet to send thousands of bogus queries to a web form, which would crash a mail server or database, which belonged to a company that the phishers had previously hacked and the company was previously unaware was being used in a phishing attempt. So now it seems the RSA are sending out information about their activities, which could influence scriptkids/hackers etc who own large bot nets to attack anything they see as a phish. Although, just by individuals of the public sending a single query per user to a phish login form, could cause the same effect as a malicious user's bot network.

The above is in response to http://news.com.com/2100-1029-6056317.html?tag=tb
[Full-disclosure] The right of All are protected and upheld
Bush and N3td3v both have the rights to post. What is even a greater right is ours to filter or not to.

Thank You
Randall M

=
You too can have your very own Computer!
Note: Side effects include: Blue screens; interrupt violation; illegal operations; remote code exploitations; virus and malware infestations; and other unknown vulnerabilities.
Re: [Full-disclosure] The right of All are protected and upheld
On 3/31/06, Randall M [EMAIL PROTECTED] wrote:
> Bush and N3td3v both have the rights to post. What is even a greater right is ours to filter or not to.

amen.

can it be true that in 2006 there are still those who have not mastered the art of the blacklist / whitelist? tune your filters accordingly and quit bitching you whiny fucks...
[Full-disclosure] n3td3v group calls on RSA to clarify their stance
As eBay attacks http://news.com.com/Phishers+set+hidden+traps+on+eBay/2100-7349_3-6056687.html?tag=nefd.top and other phishing continues world-wide, we ask the RSA to clarify further their comments "RSA Security's newly acquired Cyota overwhelms phishing sites with fake usernames, passwords and credit card info." http://news.com.com/Fighting+fraud+by+baiting+phishers/2100-1029_3-6056317.html?tag=my on a Cnet news article that it's legally OK for the security community to join in RSA tactics by flooding phishing logins with garbage data. http://groups.google.com/group/n3td3v/browse_thread/thread/9529a0dd97661fc5/1d88d9c423f4a7c6#1d88d9c423f4a7c6

But while RSA are carrying out these attacks, is it legally OK for hackers to HELP OUT the RSA by pointing a few of our botnets at some Yahoo and eBay fake login web pages that we know about and feed them with fake username and password data. We don't want to end up in jail, but since the RSA are doing it, so we can tell our lawyers that the RSA recommended the tactic to us.

Much regards,
n3td3v international security group
[Full-disclosure] RSA recommend DDoS attacks on world wide phish logins
Our coverage on the international crisis brought about by RSA:

1. http://groups.google.com/group/n3td3v/browse_thread/thread/9529a0dd97661fc5/1d88d9c423f4a7c6#1d88d9c423f4a7c6
2. http://groups.google.com/group/n3td3v/browse_thread/thread/caf7b7525510f8d0/074e178fe48388a2#074e178fe48388a2

Regards
n3td3v
Re: [Full-disclosure] Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
On 3/31/06, Joe Ciechanowski [EMAIL PROTECTED] wrote:
> What do you guys think about these products for secure browsing / internet use?
> http://www.download.com/3120-20_4-0.html?tag=srchqt=bufferzonetg=dl-20search.x=0search.y=0search=+Go%21

Seems like http://www.trustware.com/ make this software. I find it interesting that in the SpotLight section they have a photograph of the pentagon which reads: "A Government rated Trojan Horse Defense and Security System." Upon clicking on the link, I find NO information about any government institution using the application. And they do host a lot of MP3s on their webserver. See: http://am.trustware.com/ (Illegal ???)

I would be very wary of installing / buying such software.

Here is the Netcraft Report for their website: http://toolbar.netcraft.com/site_report?url=http://www.trustware.com

I would say it is pretty low ranking for a site that claims to have developed a solution that solves all security problems.

--
Saqib Ali, CISSP
Support http://www.capital-punishment.net
---
I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection) Al-Quran 6:15
---
RE: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
Dear technically challenged netdev,

1) 'Is that the same as...' - ummm... you probably IMAGINED a different email to which you replied to
2) The address is legit, it isn't 'hacked'. It has a story why I use it here, but it's not like anybody cares.
3) http://www.ietf.org/rfc/rfc0821.txt - the world is bigger than gmail, believe it or not.
4) If I sent the email from gmail, it would show in the headers.
5) If it was a spoofed email only used for subscription, the FD posts sent to it would not get back to me.
6) The email in question wasn't even an FD comment, it went straight to your inbox to avoid bugging others who still don't have you filtered (like me, until this very email). What did you do? Post it right back to the list. Nice.

Sure, everybody can filter, so can I. The thing is, I never NEEDED to, because there hasn't been anybody dropping such ignorance in my mailbox so often. I was hoping that you would either turn normal or keep your word and leave the list. Since the trolling just goes on, it's grep -v for you, especially after this stupid bullcrap you made up and decided to share with the probably not-so-interested list members.

I responded this time because 1) it was a personal attack based on nothing, and 2) because it's my last email that has the word netdev in it (sent or received ;]) - and I can keep my word, unlike 'some people'.

php0t

-----Original Message-----
From: n3td3v [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 31, 2006 11:12 PM
To: php0t; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY

> Is that the same as hacking someone's "domain", accepting the Gmail confirmation to say you're allowed to send from a Gmail account with that hacked domain, then delete all forensic logs from the hacked domain and then go back to your Gmail account, where you can continue to send your inflamed FD comments from as [EMAIL PROTECTED]. Figures.
>
> On 3/31/06, php0t [EMAIL PROTECTED] wrote:
> > If you kept your word (and didn't post my emails back to the list), it'd be better. :)
> >
> > -----Original Message-----
> > From: n3td3v [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, March 31, 2006 10:47 PM
> > To: php0t; full-disclosure@lists.grok.org.uk
> > Subject: Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
> >
> > > Why don't you just "filter" me like "the experts" have told you to do? Or haven't you worked out the technical background architecture of Outlook and Thunderbird yet? Figures.
> > >
> > > On 3/31/06, php0t [EMAIL PROTECTED] wrote:
> > > > For real, please keep your word.
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of n3td3v
> > > > Sent: Friday, March 31, 2006 9:55 PM
> > > > To: full-disclosure@lists.grok.org.uk
> > > > Subject: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
> > > >
> > > > > This is funny as well, http://news.com.com/5208-1029-0.html?forumID=1threadID=15591messageID=131539start=-1reply=true
> > > > >
> > > > > I almost choked on my big mac after reading this one, the guy thinks if you take down a site, the phisher's script doesn't deploy another premade site straight away on another host. lol, maybe the RSA have miscalculated the pre-planning and programming of a phishing attack backend before it's carried out. I guess they just thought phishing was down to "dumb criminals".
> > > > >
> > > > > On 3/31/06, n3td3v [EMAIL PROTECTED] wrote:
> > > > > > Check out this article, and I really did spill my hard earned Starbucks right down my front when I looked at this article: http://news.com.com/5208-1029-0.html?forumID=1threadID=15591messageID=131433start=-1
Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
Sorry php0t, we can see you're a nice guy now, you are now off my suspect list of being malicious and you are now off the secret service's list of being a suspect. Take our great warmth in knowing we feel really sorry for accusing you of hacking a domain. We know you have never broken the law before, and for us to suggest you had was completely out of order. I hope you can accept this as a good-will gesture. We hope now php0t can finally join us in calling for the American Government to leave Iraq within the next 48 hours, because more American lives depend on it, and I know how much I love the American troops.

On 4/1/06, php0t [EMAIL PROTECTED] wrote:
> Dear technically challenged netdev,
>
> 1) 'Is that the same as...' - ummm... you probably IMAGINED a different email to which you replied to
> 2) The address is legit, it isn't 'hacked'. It has a story why I use it here, but it's not like anybody cares.
> 3) http://www.ietf.org/rfc/rfc0821.txt - the world is bigger than gmail, believe it or not.
> 4) If I sent the email from gmail, it would show in the headers.
> 5) If it was a spoofed email only used for subscription, the FD posts sent to it would not get back to me.
> 6) The email in question wasn't even an FD comment, it went straight to your inbox to avoid bugging others who still don't have you filtered (like me, until this very email). What did you do? Post it right back to the list. Nice.
>
> Sure, everybody can filter, so can I. The thing is, I never NEEDED to, because there hasn't been anybody dropping such ignorance in my mailbox so often. I was hoping that you would either turn normal or keep your word and leave the list. Since the trolling just goes on, it's grep -v for you, especially after this stupid bullcrap you made up and decided to share with the probably not-so-interested list members.
>
> I responded this time because 1) it was a personal attack based on nothing, and 2) because it's my last email that has the word netdev in it (sent or received ;]) - and I can keep my word, unlike 'some people'.
>
> php0t
>
> -----Original Message-----
> From: n3td3v [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 31, 2006 11:12 PM
> To: php0t; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
>
> > Is that the same as hacking someone's domain, accepting the Gmail confirmation to say you're allowed to send from a Gmail account with that hacked domain, then delete all forensic logs from the hacked domain and then go back to your Gmail account, where you can continue to send your inflamed FD comments from as [EMAIL PROTECTED]. Figures.
> >
> > On 3/31/06, php0t [EMAIL PROTECTED] wrote:
> > > If you kept your word (and didn't post my emails back to the list), it'd be better. :)
> > >
> > > -----Original Message-----
> > > From: n3td3v [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, March 31, 2006 10:47 PM
> > > To: php0t; full-disclosure@lists.grok.org.uk
> > > Subject: Re: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
> > >
> > > > Why don't you just filter me like the experts have told you to do? Or haven't you worked out the technical background architecture of Outlook and Thunderbird yet? Figures.
> > > >
> > > > On 3/31/06, php0t [EMAIL PROTECTED] wrote:
> > > > > For real, please keep your word.
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of n3td3v
> > > > > Sent: Friday, March 31, 2006 9:55 PM
> > > > > To: full-disclosure@lists.grok.org.uk
> > > > > Subject: [Full-disclosure] Re: RSA HAVE CRACKED PHISHING, NO SERIOUSLY
> > > > >
> > > > > > This is funny as well, http://news.com.com/5208-1029-0.html?forumID=1threadID=15591messageID=131539start=-1reply=true
> > > > > >
> > > > > > I almost choked on my big mac after reading this one, the guy thinks if you take down a site, the phisher's script doesn't deploy another premade site straight away on another host. lol, maybe the RSA have miscalculated the pre-planning and programming of a phishing attack backend before it's carried out. I guess they just thought phishing was down to dumb criminals.
> > > > > >
> > > > > > On 3/31/06, n3td3v [EMAIL PROTECTED] wrote:
> > > > > > > Check out this article, and I really did spill my hard earned Starbucks right down my front when I looked at this article: http://news.com.com/5208-1029-0.html?forumID=1threadID=15591messageID=131433start=-1
Re: [Full-disclosure] n3td3v group calls on RSA to clarify their stance
No one actually knows how RSA are carrying out their database attacks yet, hence the reason I called for clarity on the issue. But I really am suspect about the exact technical setup of the attacks that the RSA are carrying out against fake logins and their databases. There's no way however they could carry out world wide attacks on hundreds of fake login targets, without the use of more than one ip host. And what's the definition of a bot network, isn't it more than one computer used to send data? In which case you would need to define the RSA as using a bot network to send their fake raw data to fake world wide phishing targets. And if they are, is it ok for everyone else to join in. No I didn't say I had a botnet, and I didn't say I was attacking anything, all I asked was for RSA to clarify their stance, to make it clear that it's ok or not ok for everyone to join in the attacks they recommended via the Cnet news article as a good method to beat phishers.

On 4/1/06, Morning Wood [EMAIL PROTECTED] wrote:
> *while RSA are carrying out these attacks, is it legally OK for hackers to HELP OUT the RSA by pointing a few of our bot net's at some Yahoo and eBay fake login web pages that we know about and feed them with fake username and password data. We don't want to end up in jail, but since the RSA are doing it, so we can tell our lawyers that the RSA recommended the tactic to us.*
> *Much regards,*
> *n3td3v international security group*
>
> so... the n3td3v group has a few [of our ] botnets... did I hear this right? ( *blink* )
> somehow I dont think RSA is using botnets, which BTW are ILLEGAL in *most* countries ( yes, including your precious UK )
> I just want to thank the biggest security group ( lol ) for using teh botz!!!
> I am sure Yahoo-Inc, Google, EBay, Microsoft and FooBarBlehCo will thank you publicly on CNN so we will know how n3td3v group saved us all with botnets!!!
> thanks b0td3v gr0upz,
> MW
Re: [Full-disclosure] n3td3v group calls on RSA to clarify their stance
If the RSA aren't using a bot network, then are you suggesting they are sending garbage data from one single user Microsoft Windows XP computer to all the world's phishing logins? Wake up mr se cur ity at hotmail dot com

On 4/1/06, Morning Wood [EMAIL PROTECTED] wrote:
> *while RSA are carrying out these attacks, is it legally OK for hackers to HELP OUT the RSA by pointing a few of our bot net's at some Yahoo and eBay fake login web pages that we know about and feed them with fake username and password data. We don't want to end up in jail, but since the RSA are doing it, so we can tell our lawyers that the RSA recommended the tactic to us.*
> *Much regards,*
> *n3td3v international security group*
>
> so... the n3td3v group has a few [of our ] botnets... did I hear this right? ( *blink* )
> somehow I dont think RSA is using botnets, which BTW are ILLEGAL in *most* countries ( yes, including your precious UK )
> I just want to thank the biggest security group ( lol ) for using teh botz!!!
> I am sure Yahoo-Inc, Google, EBay, Microsoft and FooBarBlehCo will thank you publicly on CNN so we will know how n3td3v group saved us all with botnets!!!
> thanks b0td3v gr0upz,
> MW
[Full-disclosure] Group calls on n3td3v to clarify his stance
More comebacks from retirement than Mike Jordan and Garth Brooks combined.

On 11/16/05, n3td3v [EMAIL PROTECTED] wrote:
> ## Security Community statement by n3td3v
>
> As the real n3td3v I would like to join John Cartwright in his calls for calm during this difficult time. Obviously on the date mentioned where emotions were running high things were said that might not have been appropriate in retrospect of events.
>
> The carnage that followed in follow up threads has left the list in an improper state, due to individuals creating mock web pages on their server. It would be great if users of the list could move on with topics of better natures to allow for better balancing of message flow in respect of the proper reason the list exists.
>
> I take full responsibility for sparking off the wave of secondary threads and make my apologies to working professionals who have not appreciated the influx of n3td3v related hatred threads being mass produced by the lesser intellectual members of the list.
>
> ## Auto Responders this Winter
>
> With this I would like to wish all decent members of the list who never post and just observe proceedings a very merry happy holidays during your festive breaks, which are upcoming in future weeks. Just remember to change your settings at the grok.org.uk website, so people posting to the list over the coming weeks won't be attacked by your auto-responder "I'm out of office until January 10th" message.
>
> ## Outside Influences
>
> To finish up, outside contributory factors were involved with behaviours set by myself on said date for outrage. Not everything you see on list is the full picture of off list conditions and states of mind with influences of substances the user may have been taking apart in consuming of inappropriate levels within the blood stream.
>
> ## Planned Suicide of n3td3v name
>
> I have already finished destroying all respect the brand name n3td3v ever had by plunging the credibility of the name into disrepute by acting in bad natures on this list. I now look to removing n3td3v web site, n3td3v mailing list, n3td3v blog, all n3td3v user accounts on the internet on Yahoo, MSN, Google, Digg, C|NET and others, along with messenger and e-mail list contacts of people. The suicide of the n3td3v name is complete now, as was planned to happen before the weekend, where events took place.
>
> ## Prior Notification was made
>
> An e-mail was sent to Yahoo's core security team to notify them the n3td3v name wasn't coming back and that an attempt to close it up would be made over the weekend.
>
> ## Upcoming Security business ventures
>
> I now announce the death of n3td3v, as planned by myself and others, to further allow the progression of a new site and direction of planned security business being setup. I will be around the security community in a professional capacity in the future (As my real name), to better contribute to the security and internet community.
>
> ## Coffin Nailed
>
> R.I.P. n3td3v
>
> On 11/15/05, John Cartwright [EMAIL PROTECTED] wrote:
>> Hi
>>
>> If we could all make an effort to avoid further personal attacks I would appreciate it. Please resist the temptation to perpetuate the noise - I have mailed individuals privately about the current situation in an attempt to prevent further offtopic postings.
>>
>> As has been said before, every list member is entitled to an opinion, providing they are prepared to express it in a constructive manner. I do not wish to impose any moderation unless absolutely necessary.
>>
>> Cheers
>> - John
Re: [Full-disclosure] RSA HAVE CRACKED PHISHING, NO SERIOUSLY
While I have no idea if what RSA is doing works or not, I have noticed the absence of phishing emails in my in box in the last few days. I used to get maybe half a dozen or more a day since I don't run spam filters. Not a one in the last two days. The Ebay and Paypal emails seemed to stop first. Now even the ones for banks I have never heard of are no longer coming in. There must be a reason for this. Maybe the phishers decided to take a vacation.

Regards,

Nancy Kramer
Webmaster http://www.americandreamcars.com
Free Color Picture Ads for Collector Cars
One of the Ten Best Places To Buy or Sell a Collector Car on the Web

At 01:20 PM 3/31/2006, [EMAIL PROTECTED] wrote:
> On Fri, 31 Mar 2006 19:06:29 +0100, n3td3v said:
>> Check out this article, and I really did spill my hard earned Starbucks right down my front when I looked at this article:
>> http://news.com.com/5208-1029-0.html?forumID=1&threadID=15591&messageID=131433&start=-1
>
> Given that you allegedly posted that particular response, I take it you spilled your Starbucks in shock that somebody would claim to be you? The original article is at http://news.com.com/2100-1029-6056317.html?tag=tb
>
> In any case, it's clear that the person who posted that response has *no idea* how most banks' anti-fraud systems work.
>
> First off, the phishers *can't* just run through all the data they've gotten in just a few seconds, unless they distributed the work across a bunch of botnet zombies - hits for more than a few dozen different accounts from the same IP in the same timespan are suspicious at the very least.
>
> Secondly, the phishers can currently usually be sure that the victims have given them reasonably good data (unless the victim is a dweeb who can't enter their DoB or account number correctly). On the other hand, if the phished data has been polluted by 90% bad data, then only 1 of 10 attempted transactions will succeed - and the fact that they're trying lots of different bad data will again hopefully trigger an alert.
>
> If you only succeed every 10th time, and you get locked out after 3 attempts with different bad data, it's going to take you a lot longer to figure out which ones are good and which ones are bad.
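The bank-side heuristics quoted in that reply (many distinct accounts hit from one source in a short timespan, a phished dump that is 90% bogus, and a lockout after three bad attempts) as a small Python model run over constructed login records. This is an added example, not code from the post, from RSA or from any bank; the thresholds, IP addresses and records are constructed, and treating "locked out" as a per-source lockout after three consecutive failures is an assumption.

```python
"""Toy model of the anti-fraud signals described in the post.

Assumptions (not from the post): the window and account thresholds, the
documentation-range IP addresses, and a per-source lockout after N
consecutive failed attempts.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: int        # seconds since the start of the observation window
    src_ip: str    # client address as seen by the bank
    account: str   # account identifier presented by the client
    ok: bool       # True if the presented credentials validated


WINDOW_SECONDS = 600         # assumption: "same timespan" = 10 minutes
DISTINCT_ACCOUNTS_MAX = 24   # assumption: "a few dozen" accounts per source
LOCKOUT_FAILURES = 3         # from the post: locked out after 3 bad attempts


def sources_touching_many_accounts(attempts, window=WINDOW_SECONDS,
                                   limit=DISTINCT_ACCOUNTS_MAX):
    """Sources that presented more than `limit` distinct accounts inside any
    `window`-second span. A person logging into their own account never trips
    this; a replay of a credential dump does almost immediately."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.src_ip].append(a)
    flagged = set()
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        seen = defaultdict(int)   # account -> occurrences inside the window
        start = 0
        for end, a in enumerate(rows):
            seen[a.account] += 1
            while rows[end].ts - rows[start].ts > window:   # slide window
                old = rows[start].account
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) > limit:
                flagged.add(ip)
                break
    return flagged


def replay_outcome(attempts, src_ip, lockout=LOCKOUT_FAILURES):
    """Walk one source's attempts in time order, locking the source after
    `lockout` consecutive failures (lockout=0 disables the rule).
    Returns (successes, attempts_made, lockout_timestamp_or_None)."""
    rows = sorted((a for a in attempts if a.src_ip == src_ip),
                  key=lambda a: a.ts)
    streak = successes = tried = 0
    for a in rows:
        tried += 1
        if a.ok:
            successes += 1
            streak = 0
        else:
            streak += 1
            if lockout and streak >= lockout:
                return successes, tried, a.ts
    return successes, tried, None


def sample_attempts():
    """Constructed data: one address replays a 40-row dump in two minutes, of
    which 4 rows (10%) are real victims and 36 are injected bogus records;
    two ordinary users log in from their own addresses."""
    phisher = "198.51.100.7"   # constructed, documentation range
    rows = [Attempt(ts=3 * i, src_ip=phisher, account=f"acct-{i:04d}",
                    ok=(i % 10 == 9)) for i in range(40)]
    rows += [
        Attempt(ts=10, src_ip="203.0.113.5", account="acct-9001", ok=False),
        Attempt(ts=25, src_ip="203.0.113.5", account="acct-9001", ok=True),
        Attempt(ts=70, src_ip="203.0.113.9", account="acct-9002", ok=True),
    ]
    return rows


if __name__ == "__main__":
    rows = sample_attempts()
    print("flagged sources:", sources_touching_many_accounts(rows))
    print("replay with lockout:", replay_outcome(rows, "198.51.100.7"))
    print("replay without lockout:", replay_outcome(rows, "198.51.100.7", 0))
```

With the lockout rule the replay yields no successes and stops at the third attempt; without it the same dump yields four valid logins out of forty, which is the 1-in-10 rate the post describes, and the source is flagged either way on the distinct-accounts signal.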
RE: [Full-disclosure] n3td3v group calls on RSA to clarify their stance
While I'm not normally one to reply to this list I can't stand to see this go on any further. Don't expect another response as I don't have the time (other than late Friday night) to sit and respond to this drivel..

n3td3v:

How do you figure on this "single user Microsoft Windows XP computer"?? Last time I checked Windows XP was a multi-user environment... Also "if it's not a botnet it must be Windows"... that's a rather childish thought. Also a botnet has negative connotations.. That is to say, it's a group of PCs under the control of a single individual or group. This group of PCs (Zombies) are used mostly for illegal purposes, or on IRC networks (different sort of botnet where the name was derived from).

What makes you think that RSA has a single IP... that's a pretty foolhardy belief. They aren't some kid on a cable modem. In fact, a quick search of ARIN, assuming only "RSA Security", shows they have several net blocks:

---SNIP---
RSA Security Inc.    RSA-SECURITY-C1 (NET-192-80-211-0-1)           192.80.211.0 - 192.80.211.255
RSA Security Inc.    RSA-SECURITY (NET-216-162-240-0-1)             216.162.240.0 - 216.162.255.255
RSA Security Inc.    UU-63-84-35-192-D4 (NET-63-84-35-192-1)        63.84.35.192 - 63.84.35.223
RSA SECURITY         UU-65-216-28-32-D7 (NET-65-216-28-32-1)        65.216.28.32 - 65.216.28.39
RSA SECURITY         UU-65-214-232-56-D3 (NET-65-214-232-56-1)      65.214.232.56 - 65.214.232.63
RSA Security         UU-65-221-107 (NET-65-221-107-0-1)             65.221.107.0 - 65.221.107.255
Rsa Security Inc     SBC066123220136030905 (NET-66-123-220-136-1)   66.123.220.136 - 66.123.220.143
RSA Security, Inc.   QWEST-IAD-RSA1 (NET-63-150-186-0-1)            63.150.186.0 - 63.150.186.255
RSA Security, Inc.   QWEST-IAD-RSA (NET-66-77-65-208-1)             66.77.65.208 - 66.77.65.223
---SNIP---

The odds are that others involved in this will contribute machines on their networks.. and that RSA owns blocks not listed above... servers setup on these blocks running the software will submit information to the pages... This is not a botnet... If this is a botnet then the world's SMTP servers are a huge botnet... oh yeah and the Root DNS servers must be a botnet...

We're not asking a lot here.. just that you think a little and approach this from at least somewhat of a technical understanding... Others have already pointed out why this will work from a bank's point-of-view and others on why phishers are not automated... I'm now showing you why this isn't some big illegal botnet and how it's a completely legal operation. I'd bet that by "inviting hackers" RSA is saying "run the software"... Think of it as distributed computing... Is that a big illegal botnet as well??

Peace,
HT

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of n3td3v
Sent: Friday, March 31, 2006 11:50 PM
To: Morning Wood; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] n3td3v group calls on RSA to clarify their stance

If the RSA aren't using a bot network, then are you suggesting they are sending garbage data from one single user Microsoft Windows XP computer to all the world's phishing logins? Wake up mr se cur ity at hotmail dot com

On 4/1/06, Morning Wood [EMAIL PROTECTED] wrote:
> *while RSA are carrying out these attacks, is it legally OK for hackers to HELP OUT the RSA by pointing a few of our bot net's at some Yahoo and eBay fake login web pages that we know about and feed them with fake username and password data. We don't want to end up in jail, but since the RSA are doing it, so we can tell our lawyers that the RSA recommended the tactic to us.*
> *Much regards,*
> *n3td3v international security group*
>
> so... the n3td3v group has a few [of our ] botnets... did I hear this right? ( *blink* )
> somehow I dont think RSA is using botnets, which BTW are ILLEGAL in *most* countries ( yes, including your precious UK )
> I just want to thank the biggest security group ( lol ) for using teh botz!!!
> I am sure Yahoo-Inc, Google, EBay, Microsoft and FooBarBlehCo will thank you publicly on CNN so we will know how n3td3v group saved us all with botnets!!!
> thanks b0td3v gr0upz,
> MW
Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should Not Follow
> 1) Any different social engineering besides login to your bank account. For example, Chase will pay you $20 to fill out a short survey! (of course, after filling out the survey you must provide your debit card number or account login information to get the $20).

This should be tip #5, back to the old 'don't click on anything from your bank in an E-mail - for any reason'.

> 3) Any attack that spoofs the SSL cert box (The Codefish web site had a good example... what ever happened to Codefish, anyway?... pharming, MITM, and type-alike can fit in here, too)

Tip #4 works precisely because it defeats pharming, MITM and type-alike. The Cert box is nearly impossible to spoof because you would have to spoof the actual bank's certificate. Any error and your browser will pop up a warning dialog that the host name on the SSL cert doesn't match the name of the host. That's only assuming that some corrupt CA hasn't issued a second SSL cert for the real bank host name.
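The check this reply leans on, the browser comparing the host it connected to against the names on the presented certificate, written out as a standalone Python function so the behaviour behind the "name mismatch" warning is explicit. It is an added illustration, not code from the post or from any browser; it applies the usual matching rules (case-insensitive comparison of dNSName entries, a wildcard only as the entire leftmost label matching exactly one label, no wildcard on names with fewer than three labels, no IP literals) and the certificate names and host names below are constructed.

```python
"""Host-name matching as a browser does it against a certificate's dNSName
entries, plus the extra comparison a user makes against the bank's real
host name. Added example; all names are constructed."""
import ipaddress


def hostname_matches(cert_names, host):
    """True if `host` is covered by one of the certificate's DNS names."""
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return False          # IP literals need iPAddress entries; not handled here
    except ValueError:
        pass
    host_labels = host.split(".")
    for name in cert_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue          # a wildcard never spans more than one label
        if "*" in labels[0] and labels[0] == "*":
            # wildcard allowed only as the whole leftmost label, never in the
            # parent, and never on a name as short as "*.example"
            if any("*" in l for l in labels[1:]) or len(labels) < 3:
                continue
            if labels[1:] == host_labels[1:]:
                return True
        elif "*" not in name and labels == host_labels:
            return True
    return False


def classify_site(cert_names, host, expected_host):
    """What the user sees: a browser warning when the certificate does not
    cover the connected host (pharming / MITM with a wrong certificate), or a
    clean padlock on a look-alike host that merely has its own valid
    certificate (type-alike), which only a comparison with the bank's real
    name catches."""
    if not hostname_matches(cert_names, host):
        return "browser warning: certificate name mismatch"
    if host.rstrip(".").lower() != expected_host.rstrip(".").lower():
        return "valid certificate, but not the bank's host name"
    return "ok"


if __name__ == "__main__":
    bank = "www.bank.example"                      # constructed
    print(classify_site([bank], bank, bank))
    print(classify_site([bank], "www.bank-example.net", bank))
    print(classify_site(["www.bank-example.net"], "www.bank-example.net", bank))
```

The third case is the one the reply flags as remaining risk: a look-alike host with its own properly issued certificate produces no browser warning at all, so the host name in the address bar still has to be read.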
Re: [Full-disclosure] n3td3v group calls on RSA to clarify their stance
On Sat, 01 Apr 2006 05:34:20 +0100, n3td3v said:
> against fake logins and their databases. There's no way however they could carry out world wide attacks on hundreds of fake login targets, without the use of more than one ip host.

Obviously you've never bothered to look at just how much spam can be pumped out of a single zombied machine on a cablemodem in one day, have you? ;)

You'd be amazed at what one host can do, given an actual pipe bigger than the average consumer-grade skinny pipe, and some creative programming to sustain more network traffic than the average browser can put on the pipe. Remember they don't have to flood the destination host enough to kick it off the net - they only need to send it enough bogus data so the phishers can't find the real one. Several tens of thousands of bogus entries per day till it gets taken down - even if you guesstimate 10 packets per bogus connection (hint - use http keepalives to your benefit here :), you're only looking at 100K packets, over a 24 hour timespan that's only one or two packets per second. Doing in 2,000 phishing hosts only needs to sustain 2,000 packets per second, which is rough back-of-envelope calc only going to need a 100mbit or so pipe. You can't do it on a single 10mbit ethernet, that's only going to give you about 800 1500-byte packets to do the HTTP POST commands with per second. But even hosing down 2,000 hosts with 10K bad requests each is only going to take up about 25% of the pipe. If you're only hitting 500 hosts, you can probably send each one well over 100K bogus ones a day.
[Full-disclosure] Linus mass killing integer overflows
unofficial C++ support for the linux kernel has been around for quite a while: [1] http://netlab.ru.is/exception/LinuxCXX.shtml

--quote
C++ in the Linux Kernel
We have implemented a complete kernel level run-time support for C++ in the Linux kernel. In particular our run-time support enables the full use of C++ exceptions in the Linux kernel, but notably also includes support for global constructors and destructors, and dynamic type checking.
--quote

the news is, the benevolent dictator has said let there be C++, and there is more secure, full featured, reliable and faster linux kernel written[2] mainly in C++. the official release is scheduled for 2.8 or when redhat(tm) becomes ready for the desktop[3], whichever comes first.

key improvements include:

a) integer overflows *were* PITA for the kernel janitors. once the classes SafeInt and SafeLong were implemented with suitable operators, the new kernel is 100% int/long too big free. the refactoring tool made this part easy.

b) some clever abuse of exceptions dramatically reduces the amount of OOPS: cases like '*(SafeInt*)0=foo->bar()' are now gracefully catch()ed, killing the OOPS.

c) kernel structures *were* just lame emulation of C++ objects. now they are native C++ objects.

d) exceptions result in cleaner, easier to read code and almost stop the nasty abuse of goto

currently there are discussions for implementing COM in the kernel and/or scripting the kernel from userland, but Linus hasn't made up his mind yet.

the first public prerelease will be available from ftp://ftp.kernel.org/pub/linux/kernel soon.

--
[1] http://netlab.ru.is/exception/LinuxCXX.shtml
[2] written is not quite correct. the existing C codebase was refactored to C++ using a sophisticated refactoring tool based on sparse
[3] http://news.zdnet.com/2100-3513_22-5101690.html