Re: [Full-disclosure] e107 latest download link is backdoored
If that is so, being silent on the matter is not good at all...

On Tue, Jan 26, 2010 at 9:28 AM, Bogdan Calin bog...@acunetix.com wrote:
> Here is my speculation on what happened:
>
> A few days ago, somebody found and exploited an e107 0day (for 0.7.16) on some websites. The e107 guys were informed about this and released 0.7.17 to fix this problem. However, at this point I suspect they were already hacked, because they are running e107 on e107.org and they were an obvious target. The attackers waited until they released the security fix (0.7.17) and modified the zip file to include the backdoor. At this point, most e107 site owners were rushing to upgrade because of the security update announcement, and I suspect that many people have downloaded the backdoored binary.
>
> However, this is just speculation. I have no actual data behind it.
>
> Christian Sciberras wrote:
>> Don't know the date at your place, but it's 25th Jan here, not 22nd. ;)
>>
>> On Mon, Jan 25, 2010 at 10:36 PM, Michael Holstein michael.holst...@csuohio.edu wrote:
>>>> Speaking of silent fixes...
>>>
>>> Silent? .. it's right on the news section of the e107.org front page. To wit:
>>>
>>> [http://e107.org]
>>> **SECURITY UPDATE** 0.7.17
>>> We were recently informed of a very nasty exploit that, as far as we can see, affects almost all e107 0.7 releases. Everyone running e107 needs to get their sites updated as soon as possible. If you are a site owner and you are unable to upgrade for some reason (too much hacked core code), please contact me directly and I can help you with a quick-fix. Please get the word out to all other e107ers. If you find an e107 site out there, post on their site somewhere about this upgrade.
>
> --
> Bogdan Calin - bog...@acunetix.com
> CTO Acunetix Ltd. - http://www.acunetix.com
> Acunetix Web Security Blog - http://www.acunetix.com/blog

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Disk wiping -- An alternate approach?
This discussion is getting weirder and weirder. If an examiner finds evidence on YOUR computer / cell phone / usb disks / whatever, please do tell me how it's not necessarily yours? By claiming your computer has been hacked? You do know an examiner usually knows how to double-check your story for malicious code, right? Or what are you guys talking about?

My experience is that when I find the evidence, the person/s being investigated confess quite rapidly.

Cheers!

On 1/26/10 4:31 AM, Bipin Gautam bipin.gau...@gmail.com wrote:
> So to the point, the techniques of forensic examiners were flawed from day one given that any text/evidence found on your computer is NOT NECESSARILY yours! Does that break digital forensics? oops.
Re: [Full-disclosure] e107 latest download link is backdoored
Here is my speculation on what happened:

A few days ago, somebody found and exploited an e107 0day (for 0.7.16) on some websites. The e107 guys were informed about this and released 0.7.17 to fix this problem. However, at this point I suspect they were already hacked, because they are running e107 on e107.org and they were an obvious target. The attackers waited until they released the security fix (0.7.17) and modified the zip file to include the backdoor. At this point, most e107 site owners were rushing to upgrade because of the security update announcement, and I suspect that many people have downloaded the backdoored binary.

However, this is just speculation. I have no actual data behind it.

Christian Sciberras wrote:
> Don't know the date at your place, but it's 25th Jan here, not 22nd. ;)
>
> On Mon, Jan 25, 2010 at 10:36 PM, Michael Holstein michael.holst...@csuohio.edu wrote:
>>> Speaking of silent fixes...
>>
>> Silent? .. it's right on the news section of the e107.org front page. To wit:
>>
>> [http://e107.org]
>> **SECURITY UPDATE** 0.7.17
>> We were recently informed of a very nasty exploit that, as far as we can see, affects almost all e107 0.7 releases. Everyone running e107 needs to get their sites updated as soon as possible. If you are a site owner and you are unable to upgrade for some reason (too much hacked core code), please contact me directly and I can help you with a quick-fix. Please get the word out to all other e107ers. If you find an e107 site out there, post on their site somewhere about this upgrade.

--
Bogdan Calin - bog...@acunetix.com
CTO Acunetix Ltd. - http://www.acunetix.com
Acunetix Web Security Blog - http://www.acunetix.com/blog
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
On Sat, Jan 23, 2010 at 08:57:12AM +0200, Gadi Evron wrote:
> ...(such as the Google attacks 0day apparently was)

I hope m$ products have something to do with
http://www.theregister.co.uk/2010/01/25/oil_companies_attacked/

Oil companies hit by 'state' cyber attacks, says report
Petrol reserves data targeted
[Full-disclosure] [SECURITY] [DSA-1977-1] New python packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1977-1                   secur...@debian.org
http://www.debian.org/security/                         Giuseppe Iuculano
January 25, 2010                       http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Packages       : python2.4 python2.5
Vulnerability  : several vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-2316 CVE-2009-3560 CVE-2009-3720
Debian Bug     : 493797 560912 560913

Jukka Taimisto, Tero Rontti and Rauli Kaksonen discovered that the embedded Expat copy in the interpreter for the Python language does not properly process malformed or crafted XML files (CVE-2009-3560, CVE-2009-3720). This vulnerability could allow an attacker to cause a denial of service while parsing a malformed XML file.

In addition, this update fixes an integer overflow in the hashlib module in python2.5. This vulnerability could allow an attacker to defeat cryptographic digests (CVE-2008-2316). It only affects the oldstable distribution (etch).

For the oldstable distribution (etch), these problems have been fixed in version 2.4.4-3+etch3 for python2.4 and version 2.5-5+etch2 for python2.5.

For the stable distribution (lenny), these problems have been fixed in version 2.4.6-1+lenny1 for python2.4 and version 2.5.2-15+lenny1 for python2.5.

For the unstable distribution (sid), these problems have been fixed in version 2.5.4-3.1 for python2.5, and will migrate to the testing distribution (squeeze) shortly. python2.4 has been removed from the testing distribution (squeeze), and it will be removed from the unstable distribution soon.

We recommend that you upgrade your python packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/p/python2.5/python2.5_2.5-5+etch2.dsc
    Size/MD5 checksum:     1313 61c8f540d768731518e649f759ad1500
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch3.dsc
    Size/MD5 checksum:     1210 647efe66b35aa00c2f0416e41920fdf8
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4.orig.tar.gz
    Size/MD5 checksum:  9508940 f74ef9de91918f8927e75e8c3024263a
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch3.diff.gz
    Size/MD5 checksum:   207460 c9b1b80a1aae12db910e353dab5cd0fb
  http://security.debian.org/pool/updates/main/p/python2.5/python2.5_2.5-5+etch2.diff.gz
    Size/MD5 checksum:   271887 2d1944512d0eaa925a4a158b2c3a5845
  http://security.debian.org/pool/updates/main/p/python2.5/python2.5_2.5.orig.tar.gz
    Size/MD5 checksum: 11010528 2ce301134620012ad6dafb27bbcab7eb

Architecture independent packages:

  http://security.debian.org/pool/updates/main/p/python2.5/idle-python2.5_2.5-5+etch2_all.deb
    Size/MD5 checksum:    62226 9de6fad0cf4c106d77c4189ecf3f0fab
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-examples_2.4.4-3+etch3_all.deb
    Size/MD5 checksum:   589766 e33c071f8e1864e1c5a63d2e39f21d2f
  http://security.debian.org/pool/updates/main/p/python2.5/python2.5-examples_2.5-5+etch2_all.deb
    Size/MD5 checksum:   645704 8732b224b59cd6488596117d074831f9
  http://security.debian.org/pool/updates/main/p/python2.4/idle-python2.4_2.4.4-3+etch3_all.deb
    Size/MD5 checksum:    60154 8ac06e4c9ad4c1830ee90ece429690fe

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch3_alpha.deb
    Size/MD5 checksum:  2943634 e5ab4789b18f9ac953b6b101ec897616
  http://security.debian.org/pool/updates/main/p/python2.5/python2.5-dbg_2.5-5+etch2_alpha.deb
    Size/MD5 checksum:  6082828 772c99f5e8dc4e7c9306ba4a61837565
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch3_alpha.deb
    Size/MD5 checksum:  1850092 a19fd86a326d42a31ed75d1f1272d94c
  http://security.debian.org/pool/updates/main/p/python2.5/python2.5-minimal_2.5-5+etch2_alpha.deb
    Size/MD5 checksum:   849306 6c7cfd716177bc3677729ef27cd533ff
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch3_alpha.deb
    Size/MD5 checksum:  5248986 20d49174384d0533b25edfbc6f03
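The advisory lists a size and an MD5 for every file it ships. Checking a downloaded package against that list before `dpkg -i` is the step the `wget` / `dpkg -i` instructions above leave implicit. What follows is an added example and not part of the DSA: it parses the advisory's `Size/MD5 checksum:` layout and verifies a file's bytes against it. The first two manifest entries are copied from the listing above; the third (`example_1.0_all.deb`) is constructed so the check can run offline, its digest being the MD5 of the six bytes `hello\n`. The list is only as trustworthy as the PGP signature on the advisory that carries it; this check catches a corrupted or swapped file, not an attacker who can also rewrite the advisory.

```python
import hashlib
import re

# Advisory listing in the DSA layout: a URL followed by "Size/MD5 checksum: <size> <md5>".
# First two entries copied from DSA-1977-1; the last is a CONSTRUCTED entry whose
# digest is md5(b"hello\n"), so the verification below can run without a download.
MANIFEST = """
  http://security.debian.org/pool/updates/main/p/python2.5/python2.5_2.5-5+etch2.dsc
    Size/MD5 checksum:     1313 61c8f540d768731518e649f759ad1500
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch3.dsc
    Size/MD5 checksum:     1210 647efe66b35aa00c2f0416e41920fdf8
  http://security.debian.org/pool/updates/main/p/example/example_1.0_all.deb
    Size/MD5 checksum:        6 b1946ac92492d2347c6235b4d2611184
"""

# Tolerates both the two-line layout above and a listing flattened onto one line.
ENTRY = re.compile(r"(https?://\S+)\s+Size/MD5 checksum:\s*(\d+)\s+([0-9a-fA-F]{32})")


def parse_manifest(text):
    """Map file basename -> (size, md5) for every URL/checksum pair in the listing."""
    entries = {}
    for url, size, digest in ENTRY.findall(text):
        entries[url.rsplit("/", 1)[-1]] = (int(size), digest.lower())
    return entries


def verify_bytes(data, expected):
    """Check size first (cheap, and a mismatch alone is a reject), then the MD5."""
    size, digest = expected
    if len(data) != size:
        return False
    return hashlib.md5(data).hexdigest() == digest


def verify_download(name, data, manifest):
    """Return (ok, reason). A file the advisory does not list is rejected, not ignored."""
    if name not in manifest:
        return False, "not listed in advisory"
    if not verify_bytes(data, manifest[name]):
        return False, "size or MD5 mismatch"
    return True, "ok"


if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST)
    print(verify_download("example_1.0_all.deb", b"hello\n", manifest))   # (True, 'ok')
    print(verify_download("example_1.0_all.deb", b"hellp\n", manifest))   # mismatch
```

In practice the `data` argument is the content of the `.deb` fetched with `wget`, and installation proceeds only when `verify_download` returns `True`.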
[Full-disclosure] Corporate espionage in the news: Hilton and the Oil industry
Corporate espionage in the news, and not just because of Google: Hilton and the Oil industry.

Is anyone calling espionage by means of computers "cyber-espionage" yet? I hope not. At least they shouldn't call it cyber war.

Two news stories of computerized espionage reached me today. The first, regarding the Oil industry, was sent by Marc Sachs to a SCADA security mailing list we both read. The second, about the hotel industry, was sent by Deb Geisler to a science fiction convention runners (SMOFS) mailing list we both read.

US oil industry hit by cyberattacks: Was China involved?
http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved

> At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage.

Starwood Charges That Top Hilton Execs Abetted Espionage
http://www.meetings-conventions.com/article_ektid31918.aspx

> Starwood's claim points to a mountain of undisputed evidence, including e-mails among Hilton senior management, that Klein and Lalvani worked with others within Starwood to steal sensitive documents by sending them via personal e-mail accounts, among other methods, and that such information was shared and used by all of Hilton's luxury and lifestyle brands, as well as in the development of Hilton's now-shelved Denizen brand. In the new filing, Starwood says, "This case is extraordinary, and presents the clearest imaginable case of corporate espionage, theft of trade secrets, unfair competition and computer fraud... Hilton's conduct is outrageous."

As to whether China is involved, maybe. But the automatic blaming has got to stop. Many other countries have been known to be conducting corporate espionage, such as France, and as the second story above shows, so do corporations themselves.

[ Source on naming France: http://samvak.tripod.com/pp144.html ]

But.. here are a few questions:
- My dog barked, was China involved?
- The traffic light turned red, was China involved?
- I am tired. Is China involved?

Gadi.
[Full-disclosure] Secunia Research: Google Chrome Pop-Up Block Menu Handling Vulnerability
======================================================================
                     Secunia Research 26/01/2010

      - Google Chrome Pop-Up Block Menu Handling Vulnerability -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Google Chrome 3.0.195.38

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: System compromise
Where:  Remote

======================================================================
3) Vendor's Description of Software

"Google Chrome runs web pages and applications with lightning speed."

Product Link:
http://www.google.com/chrome

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Google Chrome, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused by a use-after-free error when trying to display a blocked pop-up window while navigating away from the current site.

Successful exploitation may allow execution of arbitrary code.

======================================================================
5) Solution

Upgrade to version 4.0.249.78.

======================================================================
6) Time Table

30/12/2009 - Vendor notified.
30/12/2009 - Vendor response.
26/01/2010 - Public disclosure.

======================================================================
7) Credits

Discovered by Jakob Balle and Carsten Eiram, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has not currently assigned a CVE identifier for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-65/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
Valdis,

That's the way. The government must have a kind of protocol to allow an OS to be released. I believe that Windows will no longer exist after that. LOL.

2010/1/25 valdis.kletni...@vt.edu
> On Mon, 25 Jan 2010 20:03:03 -0200, Rafael Moraes said:
>> This is a subject that needs to be discussed very carefully. I agree, it should be controlled, but, how far?
>
> In particular, one must be *very* careful to not create unintended consequences. For instance, in general the more regulated an industry is, the more risk-averse the companies get - both because regulation implies "don't rock the boat" and the second-order effects of compliance paperwork and similar issues.
>
> Look at the mountains of paperwork needed to get the FAA to type-certify a new airplane as airworthy - what if Microsoft had to do that level of detail for Windows 8, the next release of Exchange, and the next release of Office?
>
> How do you make Microsoft regulated in any meaningful sense, and still allow them the ability to ship an out-of-cycle patch?

--
Att,
Rafael Moraes
Linux Professional Institute Certified - Level 1
ITIL Foundations Certified
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
Not even Linux or OSX, for that matter.

On Tue, Jan 26, 2010 at 11:07 AM, Rafael Moraes raf...@bsd.com.br wrote:
> Valdis,
>
> That's the way. The government must have a kind of protocol to allow an OS to be released. I believe that Windows will no longer exist after that. LOL.
>
> 2010/1/25 valdis.kletni...@vt.edu
>> On Mon, 25 Jan 2010 20:03:03 -0200, Rafael Moraes said:
>>> This is a subject that needs to be discussed very carefully. I agree, it should be controlled, but, how far?
>>
>> In particular, one must be *very* careful to not create unintended consequences. For instance, in general the more regulated an industry is, the more risk-averse the companies get - both because regulation implies "don't rock the boat" and the second-order effects of compliance paperwork and similar issues.
>>
>> Look at the mountains of paperwork needed to get the FAA to type-certify a new airplane as airworthy - what if Microsoft had to do that level of detail for Windows 8, the next release of Exchange, and the next release of Office?
>>
>> How do you make Microsoft regulated in any meaningful sense, and still allow them the ability to ship an out-of-cycle patch?
>
> --
> Att,
> Rafael Moraes
> Linux Professional Institute Certified - Level 1
> ITIL Foundations Certified
Re: [Full-disclosure] e107 latest download link is backdoored
Hi,

Bogdan Calin wrote on Mon, 25 Jan 2010 12:58:50 +0200:
> The latest version of e107, version 0.7.17 contains a PHP backdoor.
> http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip

The start page of e107.org, http://e107.org/news.php, contains suspect, probably malicious JavaScript code at the top, followed by many links in the format <a href='/wiki/docs/html/.store/[Spamtext]-[Number].php'>medical spam</a>, before the DOCTYPE declaration.

Regards
Carsten

--
Dipl.-Inform. Carsten Eilers
IT Security and Data Protection
http://www.ceilers-it.de
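The symptoms Carsten describes (content injected before the DOCTYPE, links into a dot-directory under the wiki path, obfuscated JavaScript) are easy to check for mechanically, which is useful when you want to watch a vendor's download site from the outside. The following is an added example and not code from the thread or from the e107 project. It runs on a constructed HTML sample: the `.store` path and the `eval(unescape(...))` snippet in that sample are stand-ins for what the poster saw, not captures of e107.org, and the `is_suspicious` thresholds are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample, not a capture of e107.org: everything before the DOCTYPE
# plays the role of the injected part the thread describes; the rest is an
# ordinary page.
SAMPLE_HTML = """<script>eval(unescape('%76%61%72%20%61%3d%31'));</script>
<a href='/wiki/docs/html/.store/cheap-pills-17.php'>medical spam</a>
<a href='/wiki/docs/html/.store/buy-now-42.php'>medical spam</a>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>e107 news</title></head>
<body><a href="/news.php">News</a> <a href="/download.php">Download</a></body></html>
"""

# The same page with the injected prefix removed, for comparison.
CLEAN_HTML = SAMPLE_HTML[SAMPLE_HTML.index("<!DOCTYPE"):]

DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
HIDDEN_DIR = re.compile(r"/\.[^/]+/")          # a '/.something/' path component, e.g. /.store/
OBFUSCATION = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\s*\(")


class _Collector(HTMLParser):
    """Collects <a href> targets and counts <script> tags in whatever it is fed."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)
        elif tag == "script":
            self.scripts += 1


def content_before_doctype(html):
    """Anything preceding the DOCTYPE. A clean XHTML page has nothing here.
    A page with no DOCTYPE at all is returned whole, which a reviewer
    should treat as 'cannot tell' rather than 'clean'."""
    m = DOCTYPE.search(html)
    return html[:m.start()] if m else html


def inspect_page(html):
    pre = content_before_doctype(html)
    pre_c = _Collector()
    pre_c.feed(pre)
    pre_c.close()
    all_c = _Collector()           # spam links may sit anywhere, so scan the whole page
    all_c.feed(html)
    all_c.close()
    return {
        "bytes_before_doctype": len(pre.strip()),
        "scripts_before_doctype": pre_c.scripts,
        "hidden_dir_links": sorted(h for h in all_c.hrefs if HIDDEN_DIR.search(h)),
        "obfuscation_hint": bool(OBFUSCATION.search(pre)),
    }


def is_suspicious(findings):
    return (findings["scripts_before_doctype"] > 0
            or bool(findings["hidden_dir_links"])
            or findings["obfuscation_hint"])


if __name__ == "__main__":
    for label, page in (("injected", SAMPLE_HTML), ("clean", CLEAN_HTML)):
        f = inspect_page(page)
        print(label, is_suspicious(f), f)
```

Run against a live page, the input would be the response body of an HTTP GET for the start page; the same checks can be applied to each `.php` file inside a downloaded distribution zip, where a `<script>` or a dot-directory has no business being at all.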
Re: [Full-disclosure] e107 latest download link is backdoored
Seems as if e107.org now is spreading some bad stuff: Virus/Spyware Mal/ObfJS-CB! - at least that's what Sophos is telling me.

Wondering why the admins of e107.org still keep this site up and running - the site should have been taken down right after they saw that it was compromised.

Irresponsible from the e107.org guys, imho...

Gregor

--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371 @ http://pgp.mit.edu:11371/
skype:rc46fi
Re: [Full-disclosure] e107 latest download link is backdoored
How did they not notice that? It's so obvious, right? There are so many spam links in the page source. They should fix it ASAP and check logs for other possible modifications.

2010/1/26 Carsten Eilers ceilers-li...@gmx.de:
> Hi,
>
> Bogdan Calin wrote on Mon, 25 Jan 2010 12:58:50 +0200:
>> The latest version of e107, version 0.7.17 contains a PHP backdoor.
>> http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip
>
> The start page of e107.org, http://e107.org/news.php, contains suspect, probably malicious JavaScript code at the top, followed by many links in the format <a href='/wiki/docs/html/.store/[Spamtext]-[Number].php'>medical spam</a>, before the DOCTYPE declaration.
>
> Regards
> Carsten
>
> --
> Dipl.-Inform. Carsten Eilers
> IT Security and Data Protection
> http://www.ceilers-it.de
Re: [Full-disclosure] [funsec] Corporate espionage in the news: Hilton and the Oil industry
> Is anyone calling espionage by means of computers "cyber-espionage" yet? I hope not. At least they shouldn't call it cyber war.

E-spionage? =P
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> By the way, does somebody know about the flash memory? Is zeroing a whole usb key enough to make the data unrecoverable?

No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip to ensure a relatively consistent number of write cycles across the entire drive.

The only way to completely wipe a flash disk is with a hammer.

Regards,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> If the police or spies look for determined words or sentences (presumed not encrypted), at an unknown point on an unknown layer of the disk, it will be much easier for them to find it if the rest was random data (or video or whatever) than if it was random text that can have a meaning when looking with a program, but not in front of a Court.

You're forgetting that most such work is either done by salaried government employees or contractors paid by the hour .. neither of which care how long it takes.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
I was thinking, since all this (reasonable) fuss on wiping a disk over 10 times to ensure non-readability, how come we're yet very limited on space usage? If, for example, I overwrote a bitmap file with a text one, what stops the computer from recovering/storing both (without using additional space)?

Just a couple curiosities of mine.

On Tue, Jan 26, 2010 at 4:08 PM, Michael Holstein michael.holst...@csuohio.edu wrote:
>> By the way, does somebody know about the flash memory? Is zeroing a whole usb key enough to make the data unrecoverable?
>
> No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip to ensure a relatively consistent number of write cycles across the entire drive.
>
> The only way to completely wipe a flash disk is with a hammer.
>
> Regards,
>
> Michael Holstein
> Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Entropy vs zeros vs random content.

Plausible deniability will only be there if there is legitimate data that looks like it's been used and the prosecutor cannot construe any of your data as that used for wiping or otherwise obscuring the data on your drive. If you don't have this you better request a trial by judge rather than jury.

Now; your best solution is to use an exterior OS on FDE, then, in a TC Hidden Disk container have a VM image that you use for 'hidden works.' You can hand over your FDE's PW and location of TC disk including the exterior password for great fed win.

-Travis

On Tue, Jan 26, 2010 at 10:08 AM, Michael Holstein michael.holst...@csuohio.edu wrote:
>> By the way, does somebody know about the flash memory? Is zeroing a whole usb key enough to make the data unrecoverable?
>
> No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip to ensure a relatively consistent number of write cycles across the entire drive.
>
> The only way to completely wipe a flash disk is with a hammer.
>
> Regards,
>
> Michael Holstein
> Cleveland State University

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Oh yeah, another note:

If you use a chaining block cipher then you only need to wipe the first block to make the rest of your data unrecoverable. Most FDEs actually use a pw to decrypt the actual decryption key; that block functions much the same. If you can wipe that then the rest of the data is unusable.

Note, anyone who has pulled your key from memory via trojan or other means at an earlier time will be able to recover your data unless the first block of the stream has been wiped. This might be common practice in sneak and peek routines.

-Travis

On Tue, Jan 26, 2010 at 11:04 AM, Christian Sciberras uuf6...@gmail.com wrote:
> I was thinking, since all this (reasonable) fuss on wiping a disk over 10 times to ensure non-readability, how come we're yet very limited on space usage? If, for example, I overwrote a bitmap file with a text one, what stops the computer from recovering/storing both (without using additional space)?
>
> Just a couple curiosities of mine.
>
> On Tue, Jan 26, 2010 at 4:08 PM, Michael Holstein michael.holst...@csuohio.edu wrote:
>>> By the way, does somebody know about the flash memory? Is zeroing a whole usb key enough to make the data unrecoverable?
>>
>> No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip to ensure a relatively consistent number of write cycles across the entire drive.
>>
>> The only way to completely wipe a flash disk is with a hammer.
>>
>> Regards,
>>
>> Michael Holstein
>> Cleveland State University

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
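Two of the points in the message above, that FDE unlocks a data key through a passphrase-protected header and that a key captured from memory earlier survives a header wipe, can be shown with a small key-hierarchy model. This is an added example, not from the thread and not the design of any real FDE product. The primitives are standard-library stand-ins chosen so it runs without third-party packages: PBKDF2 for the passphrase key, XOR plus an HMAC tag as the key wrap, and an HMAC-SHA256 keystream in place of a real sector cipher. The header layout (salt, wrapped key, tag) and the iteration count are assumptions of the model.

```python
import hashlib
import hmac
import os

# Toy model of a passphrase-unlocked FDE header (the key hierarchy, not the ciphers).
#   KEK    = PBKDF2-HMAC-SHA256(passphrase, salt)          (assumed layout)
#   header = salt || (master_key XOR KEK) || HMAC(KEK, wrapped)
#   sector = plaintext XOR HMAC-SHA256(master_key, sector_no || counter) keystream
# The XOR wrap and HMAC keystream are stand-ins for AES key wrap and AES-XTS.

KEY_LEN = 32
SALT_LEN = 16
TAG_LEN = 32
PBKDF2_ITER = 100_000   # assumption of the model


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _kek(passphrase, salt):
    """Passphrase -> key-encryption key. Never touches the data sectors."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITER, KEY_LEN)


def create_volume(passphrase):
    """Return (header, master_key). Only the header is ever written to disk;
    the master key lives in RAM while the volume is mounted."""
    master = os.urandom(KEY_LEN)
    salt = os.urandom(SALT_LEN)
    kek = _kek(passphrase, salt)
    wrapped = _xor(master, kek)                                # toy key wrap
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()      # lets unlock() reject a wrong passphrase
    return salt + wrapped + tag, master


def unlock(header, passphrase):
    """Recover the master key from the header, or None if the header is
    damaged (wiped) or the passphrase is wrong."""
    if len(header) != SALT_LEN + KEY_LEN + TAG_LEN:
        return None
    salt = header[:SALT_LEN]
    wrapped = header[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = header[SALT_LEN + KEY_LEN:]
    kek = _kek(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(kek, wrapped, hashlib.sha256).digest()):
        return None
    return _xor(wrapped, kek)


def _keystream(key, sector_no, length):
    # HMAC-SHA256 in counter mode as a stand-in for the sector cipher.
    out = b""
    ctr = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + ctr.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt_sector(master, sector_no, plaintext):
    return _xor(plaintext, _keystream(master, sector_no, len(plaintext)))


decrypt_sector = encrypt_sector   # XOR with the same keystream is its own inverse


def wipe_header(header):
    """Overwrite the header with zeros. The data sectors are untouched."""
    return bytes(len(header))


if __name__ == "__main__":
    header, master = create_volume("correct horse battery staple")
    ct = encrypt_sector(master, 7, b"hidden works")
    print(unlock(header, "correct horse battery staple") == master)   # True
    wiped = wipe_header(header)
    print(unlock(wiped, "correct horse battery staple"))               # None: passphrase is useless now
    print(decrypt_sector(master, 7, ct))                               # b'hidden works': a captured key still works
```

The two outcomes at the end are the point: after the header is wiped, the legitimate owner with the correct passphrase gets nothing back, while anyone who copied the master key out of memory beforehand decrypts the sectors exactly as before, because the sectors never depended on the header.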
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Overwritten files require analysis with a 'big expensive machine.' I doubt they ever recover the full file.

-Travis

On Tue, Jan 26, 2010 at 11:04 AM, Christian Sciberras uuf6...@gmail.com wrote:
> I was thinking, since all this (reasonable) fuss on wiping a disk over 10 times to ensure non-readability, how come we're yet very limited on space usage? If, for example, I overwrote a bitmap file with a text one, what stops the computer from recovering/storing both (without using additional space)?
>
> Just a couple curiosities of mine.
>
> On Tue, Jan 26, 2010 at 4:08 PM, Michael Holstein michael.holst...@csuohio.edu wrote:
>>> By the way, does somebody know about the flash memory? Is zeroing a whole usb key enough to make the data unrecoverable?
>>
>> No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip to ensure a relatively consistent number of write cycles across the entire drive.
>>
>> The only way to completely wipe a flash disk is with a hammer.
>>
>> Regards,
>>
>> Michael Holstein
>> Cleveland State University

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
Re: [Full-disclosure] Disk wiping -- An alternate approach?
It would be a part of the algorithm, to make sure the overwritten file is readable. But if those machines get any smaller, I guess these would be the next generation of storage media; take Blu-rays vs DVDs for example.

On Tue, Jan 26, 2010 at 5:11 PM, T Biehn tbi...@gmail.com wrote:
> Overwritten files require analysis with a 'big expensive machine.' I doubt they ever recover the full file.
>
> -Travis
>
> On Tue, Jan 26, 2010 at 11:04 AM, Christian Sciberras uuf6...@gmail.com wrote:
>> I was thinking, since all this (reasonable) fuss on wiping a disk over 10 times to ensure non-readability, how come we're yet very limited on space usage? If, for example, I overwrote a bitmap file with a text one, what stops the computer from recovering/storing both (without using additional space)?
>>
>> Just a couple curiosities of mine.
>>
>> On Tue, Jan 26, 2010 at 4:08 PM, Michael Holstein michael.holst...@csuohio.edu wrote:
>>>> By the way, does somebody know about the flash memory? Is zeroing a whole usb key enough to make the data unrecoverable?
>>>
>>> No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip to ensure a relatively consistent number of write cycles across the entire drive.
>>>
>>> The only way to completely wipe a flash disk is with a hammer.
>>>
>>> Regards,
>>>
>>> Michael Holstein
>>> Cleveland State University
>
> --
> FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
Re: [Full-disclosure] Disk wiping -- An alternate approach?
2010/1/26 Michael Holstein michael.holst...@csuohio.edu:
>> By the way, does somebody know about the flash memory? Is zeroing a whole usb key enough to make the data unrecoverable?
>
> No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip to ensure a relatively consistent number of write cycles across the entire drive.

Agreed, if I want to delete one file: the file will be unlinked and the zeroes will be written somewhere else. But what if I zero the whole memory, with something like dd if=/dev/zero of=/dev/disk/by-id/my_flash_device? Whatever the order and places the zeroes are written, in the end there should be zeroes everywhere. Unless there are more blocks on the chip than it reports having, or some compression is used where instead of 00...0 it would write 0 from address 1 to last address. I'm just speculating...

> The only way to completely wipe a flash disk is with a hammer.

That's the only reliable way, but a convenient way to erase data before lending a usb key would be nice.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Are you suggesting that consumer magnet-based storage solutions use the same technology that the recovery machines use to store more than one bit in what you consider a 'single bit location'? I think it would be cost and space prohibitive, not dependent on any algorithm.

If I'm thinking correctly, and I have no real idea how the recovery process works, the recovery machines measure minute variance in the analog magnetic signal directly pulled from the platters to figure out what bits 'used' to be on the disk in that location. I sincerely doubt that anything consumer accessible would be able to work with that. I also doubt that it is exact, and protocols probably use probabilistic methods for extraction of a given content; text for example. Given a block of bits, the signal variance from 'clean' on those bits (eg if never written) is x. x is matched with a dictionary of known text.

Anyone know to confirm?

-Travis

On Tue, Jan 26, 2010 at 11:15 AM, Christian Sciberras uuf6...@gmail.com wrote:
> It would be a part of the algorithm, to make sure the overwritten file is readable. But if those machines get any smaller, I guess these would be the next generation of storage media; take Blu-rays vs DVDs for example.
>
> On Tue, Jan 26, 2010 at 5:11 PM, T Biehn tbi...@gmail.com wrote:
>> Overwritten files require analysis with a 'big expensive machine.' I doubt they ever recover the full file.
>>
>> -Travis
>>
>> On Tue, Jan 26, 2010 at 11:04 AM, Christian Sciberras uuf6...@gmail.com wrote:
>>> I was thinking, since all this (reasonable) fuss on wiping a disk over 10 times to ensure non-readability, how come we're yet very limited on space usage? If, for example, I overwrote a bitmap file with a text one, what stops the computer from recovering/storing both (without using additional space)? Just a couple curiosities of mine.
>>>
>>> On Tue, Jan 26, 2010 at 4:08 PM, Michael Holstein michael.holst...@csuohio.edu wrote:
>>>>> By the way, does somebody know about the flash memory? Is zeroing a whole usb key enough to make the data unrecoverable?
>>>>
>>>> No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip to ensure a relatively consistent number of write cycles across the entire drive. The only way to completely wipe a flash disk is with a hammer.
>>>>
>>>> Regards,
>>>> Michael Holstein
>>>> Cleveland State University
>>
>> --
>> FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
>> http://pgp.mit.edu:11371/pks/lookup?search=tbiehnop=indexfingerprint=on
>> http://pastebin.com/f6fd606da

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehnop=indexfingerprint=on
http://pastebin.com/f6fd606da
Re: [Full-disclosure] Disk wiping -- An alternate approach?
On Tue, 26 Jan 2010 11:11:52 EST, T Biehn said:
> Overwritten files require analysis with a 'big expensive machine.'

Assuming a disk drive made this century, if the block has actually been overwritten with any data even *once*, it is basically unrecoverable using any available tech.

Proof: In a decade of looking, I haven't found a *single* data-recovery outfit that claimed to recover from even a single overwrite. Blown partition table? No problem. Metadata overwritten, data not? We can scavenge the blocks. Disk been in a fire? Flood? Run over by truck? Sure. We can go in and scavenge the individual intact bits with big expensive machines. Overwritten? crickets.

Seriously - a lot of companies can recover data by reading the magnetic fields of intact data. But anybody know of one that claims it can recover actual over-writes, as opposed to damn we erased it or damn the first part of the disk is toast? No? Nobody knows of one? I didn't think so.

20 or 25 years ago, it may still have been feasible to use gear to measure the residual magnetism in the sidebands after an over-write. However, those sidebands have shrunk drastically, as they are the single biggest problem when trying to drive densities higher. You can't afford a sideband anymore - if you have one, it's overlapping the next bit.

There *may* be some guys inside the spook agencies able to recover overwrites. But you don't need to worry about any evidence so recovered ever being used against you in a court of law - as then they'd have to admit they could do it. Just like in WWII we allowed the German U-boats to sink our convoys rather than let them figure out we had broken Enigma, they'll let the prosecution fail rather than admit where the data came from.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Hi,

On 26 January Michael Holstein wrote:
> No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip to ensure a relatively consistent number of write cycles across the entire drive. The only way to completely wipe a flash disk is with a hammer.

Yes, but what if I overwrite the device with random data from the very first to the very last byte? Suppose the size of the device hasn't decreased, I'd think that wear-levelling has no chance to spare blocks in this case.

Kind regards
Stefan

--
make -it ./work
GnuPG-Key: B96CF8D2 s...@tanis.toppoint.de
Fingerprint: D8AC D5E7 6865 19B1 385F 8850 2AB7 6A82 B96C F8D2
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> Yes, but what if I overwrite the device with random data from the very first to the very last byte? Suppose the size of the device hasn't decreased, I'd think that wear-levelling has no chance to spare blocks in this case.

Research paper on forensics for flash media:
http://www.ssddfj.org/papers/SSDDFJ_V1_1_Breeuwsma_et_al.pdf

In any case, provided you take a factory-new drive and immediately install an encrypted filesystem on it, any such orphan data would be essentially random.

Regards,
Michael Holstein
Cleveland State University
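The point argued back and forth above (a full logical overwrite versus a controller that quietly keeps more blocks than it reports) is easy to see in a small model. The following is an added example, not code from the thread or from any controller firmware: a toy flash translation layer with wear-leveling and two hidden spare blocks. The block counts and the "SECRET-n" contents are constructed. It writes secrets, does what `dd if=/dev/zero` does from the host's side, and then counts the physical blocks that still hold old data but are no longer addressable.

```python
"""Toy flash translation layer with wear-leveling and spare blocks.

Added example, not code from the thread or from any real controller
firmware. It models the behaviour described in the thread: logical
addresses are remapped onto physical blocks, and the chip has more
physical blocks than it reports to the host (spare / over-provisioned
blocks). Block counts and the "SECRET-n" contents are constructed.
"""
from typing import Dict, List, Optional

BLOCK = 16  # bytes per block in this toy model


class SimulatedFlash:
    """NAND device exposing `logical_blocks` to the host plus hidden spares."""

    def __init__(self, logical_blocks: int, spare_blocks: int) -> None:
        total = logical_blocks + spare_blocks
        self.logical_blocks = logical_blocks
        self.physical: List[Optional[bytes]] = [None] * total
        self.erase_count: List[int] = [0] * total
        # logical -> physical map; identity for the visible range at power-on
        self.l2p: Dict[int, int] = {i: i for i in range(logical_blocks)}
        # spare blocks start out free; unmapped blocks are appended later
        self.free: List[int] = list(range(logical_blocks, total))

    def read(self, lba: int) -> bytes:
        data = self.physical[self.l2p[lba]]
        return data if data is not None else b"\x00" * BLOCK

    def write(self, lba: int, data: bytes) -> None:
        """Wear-leveling write: never in place, always the least-erased free block."""
        if not 0 <= lba < self.logical_blocks:
            raise IndexError("logical block out of range")
        target = min(self.free, key=lambda p: self.erase_count[p])
        self.free.remove(target)
        if self.physical[target] is not None:
            self.erase_count[target] += 1  # a block is erased only when reused
        self.physical[target] = data
        old = self.l2p[lba]
        self.l2p[lba] = target
        # The previous block is unmapped, not erased: its contents survive
        # until wear-leveling happens to pick it again.
        self.free.append(old)

    def controller_erase_all(self) -> None:
        """A firmware-level erase reaches every physical block, mapped or not."""
        for p in range(len(self.physical)):
            if self.physical[p] is not None:
                self.erase_count[p] += 1
            self.physical[p] = None


def host_overwrite_all(dev: SimulatedFlash, fill: bytes) -> None:
    """The host's view of `dd if=/dev/zero of=<device>`: write every logical block."""
    for lba in range(dev.logical_blocks):
        dev.write(lba, fill * BLOCK)


def residual_blocks(dev: SimulatedFlash) -> List[int]:
    """Physical blocks the host can no longer address that still hold non-zero data."""
    mapped = set(dev.l2p.values())
    return [p for p, data in enumerate(dev.physical)
            if p not in mapped and data is not None and any(data)]


def demo() -> dict:
    """Write secrets, zero-fill from the host, then compare with a controller erase."""
    dev = SimulatedFlash(logical_blocks=4, spare_blocks=2)
    for lba in range(dev.logical_blocks):
        dev.write(lba, f"SECRET-{lba}".encode().ljust(BLOCK, b"."))  # constructed data
    host_overwrite_all(dev, b"\x00")
    host_sees_zeroes = all(not any(dev.read(lba)) for lba in range(dev.logical_blocks))
    after_dd = len(residual_blocks(dev))
    dev.controller_erase_all()
    after_erase = len(residual_blocks(dev))
    return {"host_sees_only_zeroes": host_sees_zeroes,
            "residual_after_host_zero_fill": after_dd,
            "residual_after_controller_erase": after_erase}


if __name__ == "__main__":
    print(demo())
```

With four visible and two spare blocks the host reads back nothing but zeroes, yet two physical blocks still hold the old contents: the number left behind tracks the spares the host never sees, and real devices reserve far more than two. This is also why the encrypted-filesystem suggestion holds up: if the orphaned blocks only ever held ciphertext, what survives the overwrite is noise without the key.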
Re: [Full-disclosure] Disk wiping -- An alternate approach?
I should have brought up the increased density problem Valdis, excellent points.

-Travis

On Tue, Jan 26, 2010 at 1:26 PM, valdis.kletni...@vt.edu wrote:
> On Tue, 26 Jan 2010 11:11:52 EST, T Biehn said:
>> Overwritten files require analysis with a 'big expensive machine.'
>
> Assuming a disk drive made this century, if the block has actually been overwritten with any data even *once*, it is basically unrecoverable using any available tech.
>
> Proof: In a decade of looking, I haven't found a *single* data-recovery outfit that claimed to recover from even a single overwrite. Blown partition table? No problem. Metadata overwritten, data not? We can scavenge the blocks. Disk been in a fire? Flood? Run over by truck? Sure. We can go in and scavenge the individual intact bits with big expensive machines. Overwritten? crickets.
>
> Seriously - lot of companies can recover data by reading the magnetic fields of intact data. But anybody know of one that claims it can recover actual over-writes, as opposed to damn we erased it or damn the first part of the disk is toast? No? Nobody knows of one? I didn't think so.
>
> 20 or 25 years ago, it may still have been feasible to use gear to measure the residual magnetism in the sidebands after an over-write. However, those sidebands have shrunk drastically, as they are the single biggest problem when trying to drive densities higher. You can't afford a sideband anymore - if you have one, it's overlapping the next bit.
>
> There *may* be some guys inside the spook agencies able to recover overwrites. But you don't need to worry about any evidence so recovered ever being used against you in a court of law - as then they'd have to admit they could do it. Just like in WWII we allowed the German U-boats to sink our convoys rather than let them figure out we had broken Enigma, they'll let the prosecution fail rather than admit where the data came from.

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehnop=indexfingerprint=on
http://pastebin.com/f6fd606da
[Full-disclosure] [ MDVSA-2010:026 ] openldap
___
Mandriva Linux Security Advisory                         MDVSA-2010:026
http://www.mandriva.com/security/
___

Package : openldap
Date: January 26, 2010
Affected: 2008.0, 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0
___

Problem Description:

A vulnerability was discovered and corrected in openldap:

libraries/libldap/tls_o.c in OpenLDAP, when OpenSSL is used, does not properly handle a '\0' (NUL) character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408 (CVE-2009-3767).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

The updated packages have been patched to correct this issue.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3767
___

Updated Packages:

Mandriva Linux 2008.0:
05d27c8e50b79e16c345756251c5e819 2008.0/i586/libldap2.3_0-2.3.38-3.4mdv2008.0.i586.rpm
c3b564ed72214c88e4f97b754baec0d3 2008.0/i586/libldap2.3_0-devel-2.3.38-3.4mdv2008.0.i586.rpm
cb184b75f27937fbf10bee2c4526ccb8 2008.0/i586/libldap2.3_0-static-devel-2.3.38-3.4mdv2008.0.i586.rpm
53a1cb617be31adf8002d03c975242df 2008.0/i586/openldap-2.3.38-3.4mdv2008.0.i586.rpm
48114cab21906ac3f736d669ea9c1a21 2008.0/i586/openldap-clients-2.3.38-3.4mdv2008.0.i586.rpm
a16e2a6e65d1f68eea0989590f0057b7 2008.0/i586/openldap-doc-2.3.38-3.4mdv2008.0.i586.rpm
1184787dc8596fc25c660396d012d6eb 2008.0/i586/openldap-servers-2.3.38-3.4mdv2008.0.i586.rpm
84c2fe50106a22d3fe27b3cdba4197d9 2008.0/i586/openldap-testprogs-2.3.38-3.4mdv2008.0.i586.rpm
b3facfc070aee1223d254ec984c61ab7 2008.0/i586/openldap-tests-2.3.38-3.4mdv2008.0.i586.rpm
d43ec379be752a4229b996bf0212123e 2008.0/SRPMS/openldap-2.3.38-3.4mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
fd10ca40cbd47ac92f0fb018abeb43b0 2008.0/x86_64/lib64ldap2.3_0-2.3.38-3.4mdv2008.0.x86_64.rpm
6f70689679ee97a5c0586190b0c14fe3 2008.0/x86_64/lib64ldap2.3_0-devel-2.3.38-3.4mdv2008.0.x86_64.rpm
804c10f2e0fc978bdaff791fffdf6cb3 2008.0/x86_64/lib64ldap2.3_0-static-devel-2.3.38-3.4mdv2008.0.x86_64.rpm
2e9eaa2bc8024bab086d6719371c104b 2008.0/x86_64/openldap-2.3.38-3.4mdv2008.0.x86_64.rpm
a11488a1a69f82d75bd9cbb0162810df 2008.0/x86_64/openldap-clients-2.3.38-3.4mdv2008.0.x86_64.rpm
2f8a0560815adc858f9751d50154233b 2008.0/x86_64/openldap-doc-2.3.38-3.4mdv2008.0.x86_64.rpm
82dba0aa278c64c7c588d468b910ed7f 2008.0/x86_64/openldap-servers-2.3.38-3.4mdv2008.0.x86_64.rpm
37c4c53990d046d55eb37a4c89b41421 2008.0/x86_64/openldap-testprogs-2.3.38-3.4mdv2008.0.x86_64.rpm
fb880135c85355b26e2769fadacb3563 2008.0/x86_64/openldap-tests-2.3.38-3.4mdv2008.0.x86_64.rpm
d43ec379be752a4229b996bf0212123e 2008.0/SRPMS/openldap-2.3.38-3.4mdv2008.0.src.rpm

Mandriva Linux 2009.0:
1edb07acb66ec501f451ab12e82c701f 2009.0/i586/libldap2.4_2-2.4.11-3.2mdv2009.0.i586.rpm
d89cc046166856ec10e6571646efc911 2009.0/i586/libldap2.4_2-devel-2.4.11-3.2mdv2009.0.i586.rpm
d3895a847d8aad9d09446162b0ffcd8d 2009.0/i586/libldap2.4_2-static-devel-2.4.11-3.2mdv2009.0.i586.rpm
069829021563439e98d464c942f8b465 2009.0/i586/openldap-2.4.11-3.2mdv2009.0.i586.rpm
d10c57b7e4b2e47350be4ed9e0653d13 2009.0/i586/openldap-clients-2.4.11-3.2mdv2009.0.i586.rpm
0e1cdfc7e0de6148feebdc28d7f957a5 2009.0/i586/openldap-doc-2.4.11-3.2mdv2009.0.i586.rpm
c14ac5126b17775363da034cb68557b0 2009.0/i586/openldap-servers-2.4.11-3.2mdv2009.0.i586.rpm
07f0a85987bcd586359852b7cad8649d 2009.0/i586/openldap-testprogs-2.4.11-3.2mdv2009.0.i586.rpm
9a51e08fa565f830672328a0c00fc8e8 2009.0/i586/openldap-tests-2.4.11-3.2mdv2009.0.i586.rpm
9cf49efc39d9e3b1e33d815ce4ecbb9b 2009.0/SRPMS/openldap-2.4.11-3.2mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
54e430c0735f09e81cbc01f8d6d2e0cb 2009.0/x86_64/lib64ldap2.4_2-2.4.11-3.2mdv2009.0.x86_64.rpm
a603ee71bb23a2482ba24d9b5aa0d441 2009.0/x86_64/lib64ldap2.4_2-devel-2.4.11-3.2mdv2009.0.x86_64.rpm
d2f3bb877cdbca3a7c19694ddf998f70 2009.0/x86_64/lib64ldap2.4_2-static-devel-2.4.11-3.2mdv2009.0.x86_64.rpm
d5679cdc3fe1a66c67856ff7cc820e97 2009.0/x86_64/openldap-2.4.11-3.2mdv2009.0.x86_64.rpm
f9e4916cb87578bc2ee52456b1cc8612 2009.0/x86_64/openldap-clients-2.4.11-3.2mdv2009.0.x86_64.rpm
45c0453372a06e434c92ee6d6e565326 2009.0/x86_64/openldap-doc-2.4.11-3.2mdv2009.0.x86_64.rpm
3688fdc6044b0c069cfddbcafb8570dd 2009.0/x86_64/openldap-servers-2.4.11-3.2mdv2009.0.x86_64.rpm
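The defect class the advisory describes, a certificate CN handled as a NUL-terminated C string so that everything after the first NUL drops out of the comparison, is worth seeing next to the check that resists it. The following is an added example; it is not OpenLDAP's code and not from the advisory. The CN byte strings are constructed. `naive_cn_matches` reproduces the vulnerable comparison so the two can be run side by side; `safe_cn_matches` is the length-aware check, with the single-leading-wildcard rule from RFC 2818 added (not something the advisory mentions).

```python
"""Certificate CN vs. hostname matching that cannot be fooled by an embedded NUL.

Added example; not OpenLDAP's code and not from the Mandriva advisory.
It shows the defect class behind CVE-2009-3767 as the advisory describes
it: when a CN is treated as a NUL-terminated C string, everything after
the first NUL is ignored by the comparison. CN values are constructed.
"""


def c_string_view(value: bytes) -> bytes:
    """What a strcmp()-style comparison sees: the bytes up to the first NUL."""
    nul = value.find(b"\x00")
    return value if nul < 0 else value[:nul]


def naive_cn_matches(cn: bytes, hostname: str) -> bool:
    """Vulnerable pattern: NUL-truncated comparison (kept here to show the defect)."""
    return c_string_view(cn).lower() == hostname.lower().encode("ascii")


def safe_cn_matches(cn: bytes, hostname: str) -> bool:
    """Length-aware match; allows one leading wildcard label (RFC 2818 style)."""
    if b"\x00" in cn:
        return False  # a NUL byte never belongs in a DNS name: reject outright
    try:
        cn_text = cn.decode("ascii")
    except UnicodeDecodeError:
        return False
    cn_labels = cn_text.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cn_labels) != len(host_labels) or "" in cn_labels or "" in host_labels:
        return False
    if cn_labels[0] == "*":
        # wildcard covers exactly one label and needs at least two fixed labels after it
        return len(cn_labels) >= 3 and cn_labels[1:] == host_labels[1:]
    return cn_labels == host_labels


if __name__ == "__main__":
    crafted = b"www.good.example\x00www.other.example"  # constructed CN
    print("naive:", naive_cn_matches(crafted, "www.good.example"))
    print("safe: ", safe_cn_matches(crafted, "www.good.example"))
```

Two things carry the fix: the CN is compared over its full length as an ASN.1 length-delimited value, and a NUL is rejected rather than silently truncating. The same applies to subjectAltName dNSName entries, which the advisory does not cover but which are checked by the same code path in most TLS clients.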
[Full-disclosure] Paper: Weaning the Web off of Session Cookies
Hello,

I've just posted a new paper some of you may be interested in:

http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf

While it's primarily an argument for fixing HTTP authentication, it does contain information on a few weaknesses common in browsers, including password manager issues and user interface vulnerabilities. Feedback is more than welcome.

Enjoy,
tim

Abstract

In this paper, we compare the security weaknesses and usability limitations of both cookie-based session management and HTTP digest authentication; demonstrating how digest authentication is clearly the more secure system in practice. We propose several small changes in browser behavior and HTTP standards that will make HTTP authentication schemes, such as digest authentication, a viable option in future application development.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
On Tue, Jan 26, 2010 at 00:11, Charles Skoglund charles.skogl...@bitsec.se wrote:
> This discussion is getting weirder and weirder. If an examiner finds evidence on YOUR computer / cell phone / usb disks / whatever, please do tell me how it's not necessarily yours? By claiming your computer has been hacked? You do know an examiner usually knows how to double-check your story for malicious code right? Or what are you guys talking about?
>
> My experience is that when I find the evidence, the person/s being investigated confesses quite rapidly.
>
> Cheers!

I must suggest your experience is quite limited - the case below is not unique:

http://en.wikipedia.org/wiki/State_of_Connecticut_v._Julie_Amero

Kurt
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Unknown malware? Infections recently deleted by A/V?

The realm of data ownership is ridiculous. If I run a wifi AP with WEP or no auth, my router keeps no logs, and my computer is a host to malware, then I would imagine that I cannot be convicted of a computer crime without verification by physical surveillance.

If given the choice by a lawyer between pleading guilty and receiving a lenient punishment and pleading not-guilty to certain loss for severe punishment in the face of 'irrefutable' evidence, most people will choose to plead guilty. Prosecutors, lawyers, and defendants are largely either ignorant or apathetic to the issues around proving culpability in computer-crime. And case law would back me up.

-Travis

On Tue, Jan 26, 2010 at 3:11 AM, Charles Skoglund charles.skogl...@bitsec.se wrote:
> This discussion is getting weirder and weirder. If an examiner finds evidence on YOUR computer / cell phone / usb disks / whatever, please do tell me how it's not necessarily yours? By claiming your computer has been hacked? You do know an examiner usually knows how to double-check your story for malicious code right? Or what are you guys talking about?
>
> My experience is that when I find the evidence, the person/s being investigated confesses quite rapidly.
>
> Cheers!
>
> On 1/26/10 4:31 AM, Bipin Gautam bipin.gau...@gmail.com wrote:
>> So to the point, the techniques of forensic examiners were flawed from day one given that any text/evidence found on your computer is NOT NECESSARILY yours! Does that break digital forensics? oops.

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehnop=indexfingerprint=on
http://pastebin.com/f6fd606da
Re: [Full-disclosure] [funsec] Corporate espionage in the news: Hilton and theOil industry
Is anyone calling espionage by means of computers cyber-espionage yet? I hope not. At least they shouldn't call it cyber war.

E-spionage? =P

That is so great it is almost worth the fact that it will, eventually, start to be used.

Can you put that up on Facebook so I can click the Like button? :)

--
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence, ESET
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> I must suggest your experience is quite limited - the case below is not unique:

Yes it is. Rarely do you get a group of 28 computer scientists to volunteer their time/money in a criminal case.

Cheers,
Michael Holstein
Cleveland State University
[Full-disclosure] [USN-890-4] PyXML vulnerabilities
===
Ubuntu Security Notice USN-890-4                         January 26, 2010
python-xml vulnerabilities
CVE-2009-3560, CVE-2009-3720
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  python2.4-xml                   0.8.4-1ubuntu3.1

After a standard system upgrade you need to restart any applications that use PyXML to effect the necessary changes.

Details follow:

USN-890-1 fixed vulnerabilities in Expat. This update provides the corresponding updates for PyXML.

Original advisory details:

  Jukka Taimisto, Tero Rontti and Rauli Kaksonen discovered that Expat did not properly process malformed XML. If a user or application linked against Expat were tricked into opening a crafted XML file, an attacker could cause a denial of service via application crash. (CVE-2009-2625, CVE-2009-3720)

  It was discovered that Expat did not properly process malformed UTF-8 sequences. If a user or application linked against Expat were tricked into opening a crafted XML file, an attacker could cause a denial of service via application crash. (CVE-2009-3560)

Updated packages for Ubuntu 6.06 LTS:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python-xml_0.8.4-1ubuntu3.1.diff.gz
      Size/MD5:    26092 7b735067d5b8494bfa9479a38b1f971f
    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python-xml_0.8.4-1ubuntu3.1.dsc
      Size/MD5:      663 064ad0d03d81132088df42f78850bfd7
    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python-xml_0.8.4.orig.tar.gz
      Size/MD5:   734751 04fc1685542b32c1948c2936dfb6ba0e

  Architecture independent packages:
    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python-xml_0.8.4-1ubuntu3.1_all.deb
      Size/MD5:    11568 253250bca793d626d3f651a116259b00
    http://security.ubuntu.com/ubuntu/pool/universe/p/python-xml/xbel-utils_0.8.4-1ubuntu3.1_all.deb
      Size/MD5:    25206 e73978eb774cf39690739f0908fb32dc
    http://security.ubuntu.com/ubuntu/pool/universe/p/python-xml/xbel_0.8.4-1ubuntu3.1_all.deb
      Size/MD5:    24392 e4bab68a86bd7fb0dd85d39268716a64

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python2.4-xml_0.8.4-1ubuntu3.1_amd64.deb
      Size/MD5:   717460 763ab0e82cbd3767958753060145c5ab

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python2.4-xml_0.8.4-1ubuntu3.1_i386.deb
      Size/MD5:   708074 e34c9a1bdaaef83eb885104360d9e94f

  powerpc architecture (Apple Macintosh G3/G4/G5):
    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python2.4-xml_0.8.4-1ubuntu3.1_powerpc.deb
      Size/MD5:   716638 8ee8326bb735b20b18f0335c4485aadb

  sparc architecture (Sun SPARC/UltraSPARC):
    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python2.4-xml_0.8.4-1ubuntu3.1_sparc.deb
      Size/MD5:   706208 11751f3c1654c648dd145c88afc3002c
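Applying the update is the fix for the crashes the notice describes. What the notice also illustrates is that a parser fed untrusted XML needs a layer in front of it regardless of version. The following is an added example, not code from the notice, from PyXML or from Expat: a wrapper that bounds the input size, validates UTF-8 strictly before the parser sees it, caps element nesting, and turns any parse failure into a result the caller can act on. The size and depth limits are constructed values.

```python
"""Defensive handling of untrusted XML before and around an Expat parse.

Added example; not code from the advisory, from PyXML or from Expat.
The size and depth limits below are constructed. The wrapper bounds the
input, validates the encoding strictly before parsing, caps nesting depth,
and never raises on bad input.
"""
import xml.parsers.expat

MAX_BYTES = 1 << 20   # constructed limit: 1 MiB
MAX_DEPTH = 64        # constructed limit on element nesting


class NestingTooDeep(Exception):
    pass


def parse_untrusted(data: bytes, max_bytes: int = MAX_BYTES,
                    max_depth: int = MAX_DEPTH) -> dict:
    """Return {'ok', 'elements', 'error'}; on failure 'ok' is False and 'error' is set."""
    result = {"ok": False, "elements": [], "error": None}
    if len(data) > max_bytes:
        result["error"] = "document too large"
        return result
    try:
        data.decode("utf-8")  # strict decode rejects truncated and overlong sequences
    except UnicodeDecodeError as exc:
        result["error"] = f"invalid UTF-8 at byte {exc.start}"
        return result

    parser = xml.parsers.expat.ParserCreate("UTF-8")
    # never process parameter entities: no DTD fetches, no external expansion
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    depth = 0

    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise NestingTooDeep(f"nesting deeper than {max_depth}")
        result["elements"].append(name)

    def end(name):
        nonlocal depth
        depth -= 1

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        result["error"] = f"malformed XML: {exc}"
        result["elements"] = []
        return result
    except NestingTooDeep as exc:
        result["error"] = str(exc)
        result["elements"] = []
        return result
    result["ok"] = True
    return result


if __name__ == "__main__":
    # constructed inputs: well-formed, bad UTF-8, unbalanced tags
    for sample in (b"<a><b/></a>", b"<a>\xc3\x28</a>", b"<a><b></a>"):
        print(sample, "->", parse_untrusted(sample))
```

The UTF-8 check is the part that corresponds to CVE-2009-3560: a strict decode before parsing means the parser never sees the malformed sequence at all, whichever Expat build sits underneath. The depth cap and the size bound address the more general point that a crafted document should cost the application a rejected request, not a process.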
[Full-disclosure] [SECURITY] [DSA 1978-1] New phpgroupware packages fix several vulnerabilities
Debian Security Advisory DSA-1978-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
January 26, 2010                        http://www.debian.org/security/faq

Package        : phpgroupware
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2009-4414 CVE-2009-4415 CVE-2009-4416

Several remote vulnerabilities have been discovered in phpgroupware, a Web based groupware system written in PHP. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-4414
  An SQL injection vulnerability was found in the authentication module.

CVE-2009-4415
  Multiple directory traversal vulnerabilities were found in the addressbook module.

CVE-2009-4416
  The authentication module is affected by cross-site scripting.

For the stable distribution (lenny) these problems have been fixed in version 0.9.16.012+dfsg-8+lenny1.

For the unstable distribution (sid) these problems have been fixed in version 0.9.16.012+dfsg-9.

We recommend that you upgrade your phpgroupware packages.

Upgrade instructions

wget url
  will fetch the file for you
dpkg -i file.deb
  will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
  will update the internal database
apt-get upgrade
  will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg.orig.tar.gz
    Size/MD5 checksum: 19383160 bbfcfa12aca69b4032d7b4d38aeba85f
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny1.diff.gz
    Size/MD5 checksum:    70541 fc805ae50cd52606578ed95e8a5bde96
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny1.dsc
    Size/MD5 checksum:     1662 0507c4e0a6be1d93a060a7c6222c84c0

Architecture independent packages:
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-email_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:  1167526 b7d47f4df02c98e3269fd2b8bce094f4
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-core-base_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:    48252 80a0c4bf563e576fbad0b023fcca2f4b
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-calendar_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:   268338 acdc243f1b2cbcea42a548408232657d
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-addressbook_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:   180662 e0835bac92df72541b52912e80e1e852
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:    22380 c12295c8f5f4abdf2f9d8c94ceefe4a1
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-news-admin_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:    41572 d21d4ab4ce6adbb23a46a21fd0dd67cb
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-manual_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:    93094 dc2bcd999a4a97a0acb8a0a9b156ea03
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-filemanager_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:    95206 0faba6d54c83ac610d11a256a12eec67
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-phpgwapi_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:  1522130 c4ff77bb7c80222b04ccdb130f5d2db6
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-preferences_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:    60034 b7b86ca86b431dbd7b637506db451196
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:    20228 5563f9a3d9b4835b2c89cb1ba571b23f
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-core_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:     4546 de306e6062f710d430704297106f192e
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-admin_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:   192062 0427388ce20eb307946c6272856313b7
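The three bug classes the advisory lists (SQL injection in authentication, directory traversal in the address book, cross-site scripting on the login page) each have a standard hardened counterpart. The following is an added example written in Python rather than phpgroupware's PHP; it is not the project's code and not from the advisory. The users table, the address-book base directory and the inputs are constructed. The vulnerable login is kept minimal to show the defect beside the fix.

```python
"""The three bug classes in DSA-1978-1, each beside its hardened counterpart.

Added example in Python, not phpgroupware's PHP and not from the Debian
advisory. The users table, base directory and inputs are constructed.
"""
import html
import sqlite3
from pathlib import Path
from typing import Optional


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES ('alice', 'hash-a'), ('bob', 'hash-b')")
    return db


# --- CVE-2009-4414 class: SQL injection in authentication --------------------

def login_vulnerable(db: sqlite3.Connection, name: str, pw_hash: str) -> Optional[str]:
    """Query assembled by string formatting: user input becomes SQL."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND pw_hash = '{pw_hash}'"
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db: sqlite3.Connection, name: str, pw_hash: str) -> Optional[str]:
    """Parameterised query: input is bound as a value, never parsed as SQL."""
    row = db.execute("SELECT name FROM users WHERE name = ? AND pw_hash = ?",
                     (name, pw_hash)).fetchone()
    return row[0] if row else None


# --- CVE-2009-4415 class: directory traversal in the address book -----------

def resolve_under(base: Path, requested: str) -> Optional[Path]:
    """Resolve a user-supplied name and accept it only if it stays inside base."""
    base = base.resolve()
    target = (base / requested).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None  # escaped the directory via '..' or an absolute path
    return None if target == base else target


# --- CVE-2009-4416 class: cross-site scripting on the login page ------------

def render_login_error(username: str) -> str:
    """Reflect the submitted name into HTML only after escaping it."""
    return f"<p>Login failed for user '{html.escape(username, quote=True)}'.</p>"


def demo() -> dict:
    db = make_db()
    bypass = "alice' --"  # constructed input: closes the quote, comments out the rest
    return {
        "vulnerable_login_bypassed": login_vulnerable(db, bypass, "not-a-hash"),
        "safe_login_bypassed": login_safe(db, bypass, "not-a-hash"),
        "safe_login_ok": login_safe(db, "alice", "hash-a"),
        "traversal_rejected": resolve_under(Path("/srv/addressbook"), "../../etc/passwd"),
        "normal_path": resolve_under(Path("/srv/addressbook"), "alice.vcf"),
        "escaped": render_login_error("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The path check resolves first and compares afterwards, so `..` segments, absolute paths and symlinks are all judged on where the name actually lands rather than on what the string looks like. The escaping is done at the point of output, which is the only place the context (here an HTML text node inside quotes) is known.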
[Full-disclosure] U.S. enables Chinese hacking of Google
http://edition.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
Rafael,

Well, either Windows will no longer exist, or Windows will be the only thing that will exist. Remember, very few people in the government have the necessary technical knowledge to evaluate operating systems accurately. Therefore, they will rely on private industry for input. In practice, this will mean that Microsoft will get to dictate the standards that every operating system must meet in order to be approved.

-- Rohit Patnaik

On Tue, Jan 26, 2010 at 4:07 AM, Rafael Moraes raf...@bsd.com.br wrote:
> Valdis,
>
> That's the way. The government must have a kind of protocol to allow an OS to be released. I believe that Windows will no longer exist after that. LOL.
>
> 2010/1/25 valdis.kletni...@vt.edu
>> On Mon, 25 Jan 2010 20:03:03 -0200, Rafael Moraes said:
>>> This is a subject that needs to be discussed very carefully. I agree, it should be controlled, but how far?
>>
>> In particular, one must be *very* careful to not create unintended consequences. For instance, in general the more regulated an industry is, the more risk-adverse the companies get - both because regulation implies don't rock the boat and the second-order effects of compliance paperwork and similar issues. Look at the mountains of paperwork needed to get the FAA to type-certify a new airplane as airworthy - what if Microsoft had to do that level of detail for Windows 8, the next release of Exchange, and the next release of Office? How do you make Microsoft regulated in any meaningful sense, and still allow them the ability to ship an out-of-cycle patch?
>
> --
> Att,
> Rafael Moraes
> Linux Professional Institute Certified - Level 1
> ITIL Foundations Certified
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
On Mon, Jan 25, 2010 at 14:11, valdis.kletni...@vt.edu wrote:
> On Mon, 25 Jan 2010 20:03:03 -0200, Rafael Moraes said:
>> This is a subject that needs to be discussed very carefully. I agree, it should be controlled, but how far?
>
> In particular, one must be *very* careful to not create unintended consequences. For instance, in general the more regulated an industry is, the more risk-adverse the companies get - both because regulation implies don't rock the boat and the second-order effects of compliance paperwork and similar issues. Look at the mountains of paperwork needed to get the FAA to type-certify a new airplane as airworthy - what if Microsoft had to do that level of detail for Windows 8, the next release of Exchange, and the next release of Office? How do you make Microsoft regulated in any meaningful sense, and still allow them the ability to ship an out-of-cycle patch?

That's one issue. There are others.

The real issue, though, is not how to regulate MSFT. It's how to level the playing field. Best way I can think of to do that is to specify document formats, and make them available to all. ODF may not be the right format, but it's in the right direction. If government(s) were to specify that any software they buy needs to read and write a particular set of formats, with the specifications of those formats publicly available for no more than the cost of copying them, and that they would only accept documents in those formats, then anyone could build software that meets those specifications. Then you'd see a more competitive environment.

Kurt
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Enough noise, let's wrap up:

Someone said:
> Forensics requires more than merely finding a phrase or file on a hard drive - it requires establishing the context. If a court accepts evidence without that context, then the defendant should appeal on the basis of having an incompetent lawyer.

So, any evidence/broken-text/suspicious phrases etc. found in a computer without meta-data may be USELESS... REMEMBER.

Having a normal OS with forensic signature ZERO would be a simple yet powerful project. Programmers??? It isn't difficult work. A few months, 1-person project.

Worm defense is smart as well as deadlock at times; the perspective I presented can be used as a FALLBACK at times.

Maybe something like Alice/chatterbox run through the free/slack/etc... space of your 1 TB hard disk is an intellectual dDoS!