Re: [Full-disclosure] Get WinScanX Pro for FREE or $10 dollars for the month of February (only 5 days left!)
I've seen better on planetsourcecode.com haha

--
Founder/Activist
http://fusecurity.com/ | Free Security Technology

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Two MSIE 6.0/7.0 NULL pointer crashes
On Sun, 24 Jan 2010, Dan Kaminsky wrote:

It took me more than one month to write this response? Ouch!

>> When you discover the program is designed too badly to be maintained, the best strategy is to rewrite it.
>
> No question. And how long do you think that takes?

It depends. Probably in the order of several years for a big application. On the other hand, existing code is not always so bad that one has to throw it all out and rewrite everything from scratch in one giant step.

> Remember when Netscape decided to throw away the Navigator 4.5 codebase, in favor of Mozilla/Seamonkey? Remember how they had to do that *again* with Mozilla/Gecko?

Mozilla (even the old Mozilla Application Suite known as Seamonkey today) has always been based on Gecko (aka new layout, NGLayout). The development of Gecko started in 1997 as an internal Netscape project. Old Netscape Communicator source (most of it) was released in March 1998. The decision not to use it was made in October 1998. Gecko source was released in December 1998. Mozilla 0.6 was released in December 2000, 0.9 in May 2001 and 1.0 in June 2002. This makes approximately 5 years.

Firefox started as a mozilla/browser branch approximately in April 2002 (the idea probably dates back to mid 2001). The first public version known as Phoenix 0.1 was released in September 2002, 0.9 was released in June 2004, 1.0 in November 2004. 2.5 years.

To put things into a broader perspective: MSIE 5.0 was released in March 1999, 6.0 in August 2001, 7.0 in October 2006, and 8.0 in March 2009. This makes 2.5 years from 5.0 to 6.0, 5 years to 7.0 and 2.5 years to 8.0.

The development of Google Chrome is reported to have started in spring 2006 and 1.0 was released in December 2008. 2.5 years again (but they reused WebKit and other 3rd party components).

>> Hyperturing computing power
>
> Not really sure what that means,

The ability to solve problems of Turing degree [1] greater than zero. Superturing is probably a more common term although various terms starting with hyper- are used as well [2]. (Alternatively, it can relate to a certain kind of AIs in Orion's Arm universe [3] but that meaning is not relevant here. <g>)

For the most part it is a purely theoretical notion but there is at least one kind of oracle that is more or less physically feasible: a hardware random number generator--such an oracle might look pointless but quite a lot of cryptography relies on the ability to generate numbers that cannot be guessed by an adversary.

Anyway, real computers are not true Turing machines and they are not Turing complete. The point of my comment, translated into a more realistic setting, is as follows: one must assume the attacker can wield much more computing power than the defender.

[1] http://en.wikipedia.org/wiki/Turing_degree
[2] http://en.wikipedia.org/wiki/Hypercomputation
[3] http://www.orionsarm.com/eg-topic/45c54923c3496

>> But I do not think this case is much different from the previous one: most, if not all, of those bugs are elementary integrity violations (not prevented because the boundary between trusted and untrusted data is not clear enough) and race conditions (multithreading with locks is an idea on the same level as strcpy).
>
> Nah, it's actually a lot worse. You have to start thinking in terms of state explosion -- having turing complete access to even some of the state of a remote system creates all sorts of new states that, even if *reachable* otherwise, would never be *predictably reachable*.

I dare to say it can make the analysis more complicated if the ill-defined difficulty of exploitation is taken into consideration. In many cases the ability to execute a predefined sequence of operations is everything you need to reach an arbitrary state of the system (from a known initial state). You do not need anything as strong as a Turing machine; even a finite state machine is too powerful, a single finite sequence of operations (or perhaps a finite set of them) is sufficient.

> I mean, use-after-free becomes ludicrously easier when you can grab a handle and cause a free.

I admit use-after-free does not fit well into the two categories I mentioned. But it is still a straightforward violation of a simple property (do not deallocate memory as long as any references to it exist) and it is quite easy to avoid it (e.g. use a garbage collector).

> Sure. But we're not talking about what should be done before you write. We're talking about what happens when you screw up.

I do not think it is reasonable to separate these two questions. After all people are supposed to learn from their mistakes and avoid them in the future.

>> (An interesting finding regarding the renegotiation issue: [...]
>
> Eh. This was a subtle one, [...]

I do not want to downplay the ingenuity of Marsh Ray and Steve Dispensa (and Martin Rex) but... Any attempt to formalize integrity properties SSL/TLS is supposed to guarantee would inevitably lead to something
Re: [Full-disclosure] Two MSIE 6.0/7.0 NULL pointer crashes
Sometimes the vulnerability itself is a functional requirement (or considered to be one of them).

Has anyone mentioned ActiveX? Or NPAPI for that matter. Really, other than the automated-after-user-accept installation they're both the same.

On Sun, Feb 28, 2010 at 9:22 PM, Pavel Kankovsky p...@argo.troja.mff.cuni.cz wrote:
> [...]
[Full-disclosure] [SECURITY] [DSA 2004-1] New samba packages fix several vulnerabilities
- ------------------------------------------------------------------------
Debian Security Advisory DSA-2004-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 28, 2010                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : samba
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2009-3297 CVE-2010-0547

Two local vulnerabilities have been discovered in samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-3297

    Ronald Volgers discovered that a race condition in mount.cifs allows local users to mount remote filesystems over arbitrary mount points.

CVE-2010-0547

    Jeff Layton discovered that missing input sanitising in mount.cifs allows denial of service by corrupting /etc/mtab.

For the stable distribution (lenny), these problems have been fixed in version 2:3.2.5-4lenny9.

For the unstable distribution (sid), these problems have been fixed in version 2:3.4.5~dfsg-2.

We recommend that you upgrade your samba packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/s/samba/samba_3.2.5-4lenny9.dsc
    Size/MD5 checksum:     2470 c350b5f777685fe69e0ae2f5dcf810ed
  http://security.debian.org/pool/updates/main/s/samba/samba_3.2.5-4lenny9.diff.gz
    Size/MD5 checksum:   239988 82ad8ff6f28af236b321a7eb50d754c8

Architecture independent packages:

  http://security.debian.org/pool/updates/main/s/samba/samba-doc-pdf_3.2.5-4lenny9_all.deb
    Size/MD5 checksum:  6252746 f7df1cc363fbcd6ce2da61aaaea2e1c5
  http://security.debian.org/pool/updates/main/s/samba/samba-doc_3.2.5-4lenny9_all.deb
    Size/MD5 checksum:  7950496 68348d1ee83c74096ad02f05ed3b3699

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/s/samba/smbfs_3.2.5-4lenny9_alpha.deb
    Size/MD5 checksum:  1463176 dead0cf63a2ea7de8baf562e1867fe10
  http://security.debian.org/pool/updates/main/s/samba/libsmbclient_3.2.5-4lenny9_alpha.deb
    Size/MD5 checksum:      148 80f5022f6b36cab3f2d67bb0ef4b2800
  http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_3.2.5-4lenny9_alpha.deb
    Size/MD5 checksum:   638200 c3467c6d11c4b655cfe31e6a19ff0622
  http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_3.2.5-4lenny9_alpha.deb
    Size/MD5 checksum:  2574222 491cfc0ee9ce90d6c98347467002c7ef
  http://security.debian.org/pool/updates/main/s/samba/winbind_3.2.5-4lenny9_alpha.deb
    Size/MD5 checksum:  3275458 c3b8ba294354a64c4b7e80ddcd7849cb
  http://security.debian.org/pool/updates/main/s/samba/samba-dbg_3.2.5-4lenny9_alpha.deb
    Size/MD5 checksum:  1941530 14d2c8ffd8544b448eff0d3790e46621
  http://security.debian.org/pool/updates/main/s/samba/smbclient_3.2.5-4lenny9_alpha.deb
    Size/MD5 checksum:  6950754 58cffb8cebcaf30c8d8e35916a65fffe
  http://security.debian.org/pool/updates/main/s/samba/samba-common_3.2.5-4lenny9_alpha.deb
    Size/MD5 checksum:  3736204 8a467068fa6ff8ef20a61f6277b7d583
  http://security.debian.org/pool/updates/main/s/samba/libwbclient0_3.2.5-4lenny9_alpha.deb
    Size/MD5 checksum:    81568 c70797d1ea795973e6d6639cfd0410fd
  http://security.debian.org/pool/updates/main/s/samba/samba_3.2.5-4lenny9_alpha.deb
    Size/MD5 checksum:  4834334 c4114837ae9245452a8e8752f7b5343a
  http://security.debian.org/pool/updates/main/s/samba/samba-tools_3.2.5-4lenny9_alpha.deb
    Size/MD5 checksum:  5733410 59017cdc857eae1a64dcb707365ac78b
  http://security.debian.org/pool/updates/main/s/samba/swat_3.2.5-4lenny9_alpha.deb
    Size/MD5 checksum:  1080474 37190dfe1f9c11ba17aeda1377cc0304

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/s/samba/samba-dbg_3.2.5-4lenny9_amd64.deb
    Size/MD5 checksum:  1992470 93f2f6a501d8b0c354537d143c962794
  http://security.debian.org/pool/updates/main/s/samba/samba_3.2.5-4lenny9_amd64.deb
    Size/MD5 checksum:  4781510 b3432114b15d1134e9f88ef8fd5cef8b
  http://security.debian.org/pool/updates/main/s/samba/smbclient_3.2.5-4lenny9_amd64.deb
    Size/MD5 checksum:  7006958
[Full-disclosure] Watch out weev... Honeytrap.
Andrew Auernheimer (Weev) was contacted by a honeytrap at a bar who tried to seduce him. Weev has previously alluded that it might be FBI (probably counterintelligence).

This is actually only a maybe. Who says weev hasn't attracted this attention of JDL and mossad? Maybe the FBI coming to visit Andrew was because they saw from his surveillance he had MOSSAD honeypots following him. Damn, they're not with us, the SF FBI office thought.

Don't believe me?

http://www.doubtcome.com/images/girls1.htm (mirror: http://www.webcitation.org/5ntPoRsEK)
http://www.doubtcome.com/images/girls2.htm (mirror: http://www.webcitation.org/5ntQDLS9z)
http://www.rense.com/general52/themossadseductress.htm (mirror: http://www.webcitation.org/5ntQM2kza)

oh, yeah, and the new Dubai assassination.

Weev, You are so screwed. It may sound paradoxical, but USA may be the safest place for you to be. Des Moines, even. The same people who are trying to prosecute you are bound by law to protect you, listen to what tbiehn says.

Do you have anything else to say on this matter? Please dude, get the truth out here. Get your testament out. If something happens to you the truth may never be known.

btw, anything new in terms of iprophet? Also, can you invest in a hidef camera? I need to add it to my miro feed.
Re: [Full-disclosure] Fwd: stealthbomb
On 26.02.2010 15:35, RandallM wrote:
> anyone see this and know about it? How it works and good detection?
> http://www.brickhousesecurity.com/pc-computer-spy.html

I very much doubt that. The matter is that USB hardware is able to transfer data only when the host requests it, IOW it is the host that decides from where, to where and how much data to transfer.

If that was an IEEE 1394 device, those assertions would be correct.

--
Sincerely Yours,
Dan.
Re: [Full-disclosure] Fwd: steathbomb
It's simply using USB autorun to launch and install itself, not sure how much it is picked up but tbh you could build one yourself possibly with the features you need, just look into getting some decent bot source and go from there, would save the 130 dollars imo.

Plenty of source code out there to make one of these, in fact, I think I will make a guide on it if I get around to it with a stripped down bot, the only thing you really need to worry about is detection, if you have the know-how build yourself a decent crypter and make sure no one gets a hold of it to keep detections down.

phed

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of RandallM
Sent: 26 February 2010 12:36
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Fwd: steathbomb

anyone see this and know about it? How it works and good detection?
http://www.brickhousesecurity.com/pc-computer-spy.html

--
been great, thanks
RandyM
a.k.a System
[Full-disclosure] Orbital Viewer v1.04 (.orb) 0day Local Universal SEH Overflow Exploit
http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/

Kind regards,
Steven Seeley (mr_me)
Re: [Full-disclosure] Ubuntu Lucid Lynx is Big brother Ubuntu
On Thursday 25 February 2010 23:43:54, Mark Shuttleworth wrote:
> We're bringing social interaction from the web, into the desktop. We're breathing life back into the city center, as it were. We're making the desktop more human. This is our mission, our reason for loving what we do. I'm sorry if it offends you, but it's got many people in the community very excited. There's no commercial conflict of interests here - we're putting it in by default purely to delight users. I accept that you're not delighted, but I don't see any signs that this won't be one of the favorite things about the release, for most users.

Well, it is hard to believe that you don't have an agenda concerning this stuff. It would mean you are a bad leader, which I am sure is not the case. I don't believe that the goal is just satisfying your users. Nothing wrong about it, of course, open source is in no way incompatible with business.

So your bet seems to be on cloud computing. This and the recent move to Google Docs instead of Open Office show that clearly. What's less clear to me is if you are planning a business model on it or if you are just following the trend Google is pushing for. It's probably both.

Anyway, the result is that Ubuntu is going to be Chrome OS like, and that's really sad. Deciding what's good for the users in their place is a mistake. Internet and Computer as we know them will disappear, leaving the place to devices without intelligence used by brainless users. The only right thing to do is to improve usability but not at the cost of functionalities, and, the most important, educate users. Computers are wonderful tools. Let's use them correctly.

Many people don't want it again: http://en.wikipedia.org/wiki/Minitel (something we had in France in the 80s, no wonder it never spread out).

I hope somehow it will be heard.

Best regards,
--
Jean-Christophe Baptiste
j...@phocean.net
Re: [Full-disclosure] Ubuntu Lucid Lynx is Big brother Ubuntu
The error of the future: srry ur computar doent werks lolz. brb gng two teh bathrm

On Fri, Feb 26, 2010 at 5:15 PM, n...@phocean.net wrote:
> [...]
Re: [Full-disclosure] Ubuntu Lucid Lynx is Big brother Ubuntu
On 26/02/10 19:55, John Q Public wrote:
> Well considering the tone I used, Frankly, I'm surprised you even dignified that. I don't always speak in such a tone. It's just the atmosphere of the scene here.
>
> I want my system here to be pure and free. No blogcruft. Remember how XP and Vista would always come with Windows Messenger? It's the same philosophical issue. It integrates social networking too closely, and it makes me wanna go into FUD mode.
>
> I'm scared here. I'm worried to be stuck with an LTS desktop for 4 years with an experiment that should be done in the _NEXT_ 6mos, in a non-LTS.
>
> I appreciate it Mr. Shuttleworth. Our Linux communities are one of the brighter beacons of efficient development out there. Keep up the steamrolling Ubunteros.

Well, a little constructive paranoia is a good thing, to keep everyone aware of the risks of abuse. We do have a big responsibility to keep moving forward, even though there is no certainty about what the future looks like, and that involves some risk. The best way I think you can help, is to try the new bits out, and give good feedback in a way that helps people understand what you really mean, and how best to balance that with everyone else's feedback too.

All the best,
Mark
Re: [Full-disclosure] Yahoo! UK and US Hiring Security and Risk management experts
yet another nice troll with a stylistic stench of n3td3v about it, judging by the fanciful misconceptions surrounding a kernel of truth (and the phony attribution to someone to whom he's taken an unreasonable disliking...)

it's true that yahoo is hiring security people, though, typically not as consultants but as employees -- programmers and engineers who are clueful about security. careers.yahoo.com is a good way, in fact, to find out about those jobs. at rough count 50 jobs in the US (mostly bay area) with the word security in their abstract, and a sizeable number in india, asia, and europe accessible off separate links. also, there are particularly numerous jobs for service engineering pros, people who are good at production services delivery at a very large scale.

if there are qualified applicants on this list (or your friends) who want their name put in for something particular, happy to refer them (i'd even get a referral incentive). btw, please mention the specific posted position(s) that you think would suit you. (you don't have to be 25-35. in fact, such a requirement would not be legal under US labor law...).

On Feb 27, 2010, at 9:25 AM, Henri Torgemane wrote:

> http://careers.yahoo.com/
>
> Looking for a dream job? Yahoo! is hiring security consultants worldwide 25-35 to help join our new Cyber Security Task Force. We are working with the government to provide a security service for our web and messenger platforms. Especially people with experience harvesting vital intelligence, which is the life blood of our security system. All aspects of security, risk management, analysis.
>
> We embody the paranoid, professional spirit of corporatism. With delight (and muffins!)
>
> At Yahoo!, big thinking comes with the territory. When your work reaches over half a billion users--that's 1 out of every 2 people online--there's no small task. We need creative minds that can take us new places. Individuals who want to positively impact their career--and the world at large. We're looking for Big Thinkers who embody the fun, innovative, collaborative spirit that's uniquely Yahoo!. We're looking for people like you. To protect it.
>
> I look forward to seeing your applications. Let's protect our data. Let's create the future, together.
>
> Henri Torgemane
Re: [Full-disclosure] Fwd: steathbomb
Also see: USB DMA.

On Fri, Feb 26, 2010 at 8:29 AM, McGhee, Eddie eddie.mcg...@ncr.com wrote:
> [...]

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
Re: [Full-disclosure] Two MSIE 6.0/7.0 NULL pointer crashes
On 2/28/2010 2:22 PM, Pavel Kankovsky wrote:
> On Sun, 24 Jan 2010, Dan Kaminsky wrote:
>> Nah, it's actually a lot worse. You have to start thinking in terms of state explosion -- having turing complete access to even some of the state of a remote system creates all sorts of new states that, even if *reachable* otherwise, would never be *predictably reachable*.
> Perhaps it would be more proper to say that those states really did exist beforehand but were unrecognized?

We could refer to them as latent states!

> Even the simplest static analysis should uncover the explosion caused by scanf(%s).

The problem is that there are so many other ways that a combinatorial explosion of states can exceed the capacity of static analysis it can't tell the valid ones from the exploitable ones. If you make a static analysis product, I suspect your customers will want it to somehow run in bounded time and memory.

>>> I do not want to downplay the ingenuity of Marsh Ray and Steve Dispensa (and Martin Rex) but...
>> Oh man. We should downplay those guys whenever we get the chance. :-)

Pavel and Dan, truly it is you who instruct us by your example! Did you guys catch our talk at Shmoo 2010 yet? We've got to get that online somehow.

> Any attempt to formalize integrity properties SSL/TLS is supposed to guarantee would inevitably lead to something along the lines of "all data sent/received by a server within the context of a certain session must have been received/sent by the same client".

You know, I would have thought the same thing before I tried explaining it to various people in the industry. The weird thing is that the speed (and likelihood) of a person accepting the problem in TLS was (with notable exceptions) inversely proportional to the amount they knew about TLS and crypto in general. For example, a credentialed cryptographer we explained it to maintained that there was no problem with the crypto, just how we were using it. Many felt the bug was in https for retroactively authenticating in the first place. Check out the first comment at http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html and Ben Laurie's post at http://www.links.org/?p=789

The killer point for me in the debate is the part of the spec that says that app data can be interleaved in the handshake messages of the renegotiation. Without the assumption of continuity-of-identity, that creates a whole range of ambiguous states which are not properly defined. Thus the TLS spec is, in fact, internally inconsistent. But this is reeely subtle unless you've read the spec many times (even most implementers seem to ignore it).

The world was previously divided into two camps:

A. (The great majority) People who didn't realize SSLv3+TLS could renegotiate at all. It hadn't occurred to these people to question if it offered the same continuity-of-identity that we had with SSLv2.

B. People who were intimately familiar with TLS and knew it could theoretically renegotiate but hadn't looked at that minor footnote of the spec hard enough (after all, it was thought to be rarely used and already encrypted).

> And I find it rather implausible the problem with renegotiations would avoid detection if those properties were checked thoroughly.

But the need for stating explicitly and double-checking such an obvious requirement might not have even come up. After all, it had not been explicitly checked for in various other security reviews over the years. Certainly some of those reviewers had been familiar with http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.11.8510 Man-in-the-Middle in Tunnelled Authentication Protocols (2002) N. Asokan, Valtteri Niemi, Kaisa Nyberg, where a similar attack was described.

What would have done it (I think) is if they had looked at how the APIs were defined and used by applications. Then they would have seen that the APIs remained the same from SSLv2 even as SSLv3 added a whole nother layer of abstraction through this renegotiation facility.

- Marsh

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
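The "app data interleaved with a renegotiation" problem Marsh describes is easiest to see as a transcript. The following is an added model, not code from anyone in the thread and not a TLS implementation: handshakes are reduced to the one field that matters here, the verify_data of the last Finished message, and the check applied by the hardened server is the binding that RFC 5746 (the renegotiation_info extension) later standardised. The identities, secrets and HTTP bytes are constructed for the example. It shows the attacker's buffered prefix being attributed to the victim when the server has no continuity-of-identity check, a genuine renegotiation passing the check, and the forwarded "initial" ClientHello being rejected because it is not bound to the attacker's session.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed for the example: the attacker's unterminated request prefix and
# the victim's real request. The missing CRLFCRLF on the prefix is the point.
ATTACKER_PREFIX = b"GET /transfer?to=attacker HTTP/1.1\r\nX-Ignore: "
VICTIM_REQUEST = b"GET / HTTP/1.1\r\nCookie: session=victim\r\n\r\n"


def finished_verify_data(master_secret: bytes, transcript: bytes) -> bytes:
    """Stand-in for the 12-byte verify_data of a TLS Finished message."""
    return hmac.new(master_secret, transcript, hashlib.sha256).digest()[:12]


class ServerConnection:
    """One server-side TLS connection and the HTTP bytes it has buffered."""

    def __init__(self, rfc5746: bool) -> None:
        self.rfc5746 = rfc5746              # enforce the RFC 5746 binding?
        self.secure = False                 # did the peer negotiate RFC 5746?
        self.client_verify_data = b""       # from the last completed handshake
        self.peer: Optional[str] = None     # identity data is attributed to
        self.app_buffer = b""               # HTTP bytes carried across handshakes
        self.requests: List[Tuple[Optional[str], bytes]] = []

    def client_hello(self, peer: str, master_secret: bytes,
                     renegotiation_info: Optional[bytes]) -> bool:
        """Process a ClientHello; True if the handshake completes."""
        renegotiating = self.peer is not None
        if self.rfc5746:
            if not renegotiating:
                # Initial handshake: the extension, if present, must be empty.
                if renegotiation_info not in (None, b""):
                    return False
                self.secure = renegotiation_info is not None
            else:
                # Renegotiation: refuse legacy peers and require the extension
                # to carry the client_verify_data of THIS connection's previous
                # handshake. A victim's forwarded "initial" hello carries b"".
                if not self.secure or renegotiation_info is None:
                    return False
                if not hmac.compare_digest(renegotiation_info,
                                           self.client_verify_data):
                    return False
        transcript = b"ClientHello:" + peer.encode()
        self.client_verify_data = finished_verify_data(master_secret, transcript)
        self.peer = peer
        return True

    def app_data(self, data: bytes) -> None:
        """The record layer hands bytes up under whichever handshake they
        arrived; the HTTP parser just concatenates until it sees CRLFCRLF."""
        self.app_buffer += data
        while b"\r\n\r\n" in self.app_buffer:
            raw, _, self.app_buffer = self.app_buffer.partition(b"\r\n\r\n")
            self.requests.append((self.peer, raw))


def splice_attack(rfc5746: bool) -> Tuple[str, List[Tuple[Optional[str], bytes]]]:
    """Prefix injection through renegotiation, as seen by the server."""
    srv = ServerConnection(rfc5746)
    # 1. The attacker opens its own session and sends an unterminated request.
    assert srv.client_hello("attacker", b"attacker-secret", b"")
    srv.app_data(ATTACKER_PREFIX)
    # 2. The attacker forwards the victim's ClientHello into that session.
    #    The victim believes this is an initial handshake, so its
    #    renegotiation_info is empty.
    if not srv.client_hello("victim", b"victim-secret", b""):
        return "aborted", srv.requests
    # 3. The victim's request arrives under the new keys and is appended to
    #    the attacker's buffered prefix, attributed to the victim.
    srv.app_data(VICTIM_REQUEST)
    return "completed", srv.requests


def legitimate_renegotiation() -> bool:
    """The same client renegotiating carries its previous verify_data."""
    srv = ServerConnection(rfc5746=True)
    assert srv.client_hello("client", b"client-secret", b"")
    return srv.client_hello("client", b"client-secret-2", srv.client_verify_data)


if __name__ == "__main__":
    print("legacy server:", splice_attack(False))
    print("RFC 5746 server:", splice_attack(True))
    print("genuine renegotiation accepted:", legitimate_renegotiation())
```

The application layer in this model is deliberately naive: it never learns that a handshake happened between two chunks of the same request, which is exactly the ambiguity Marsh points at. The RFC 5746 check closes it at the TLS layer by refusing any handshake whose renegotiation_info does not match the verify_data this connection already produced; the remaining practitioner's option, equally valid, is to disable renegotiation altogether.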
Re: [Full-disclosure] Yahoo! UK and US Hiring Security and Risk management experts
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Yes. To clarify, this post was meant to be satirical. It was not written by an employee at Yahoo. I apologize for mentioning age. (In the United States, you're not allowed to mention age, creed, gender, etc. in terms of hiring new guys)

However, I have a question for you Mark. What is your opinion on Andrew Wallace and n3td3v? Would Yahoo! consider vouching for him after all the high-value intel he's given you?

On Sat, 27 Feb 2010 20:42:30 +0000 mark seiden m...@yahoo-inc.com wrote:
> yet another nice troll with a stylistic stench of n3td3v about it, judging by the fanciful misconceptions surrounding a kernel of truth (and the phony attribution to someone to whom he's taken an unreasonable disliking...)
>
> it's true that yahoo is hiring security people, though, typically not as consultants but as employees -- programmers and engineers who are clueful about security. careers.yahoo.com is a good way, in fact, to find out about those jobs. at rough count 50 jobs in the US (mostly bay area) with the word security in their abstract, and a sizeable number in india, asia, and europe accessible off separate links.
>
> also, there are particularly numerous jobs for service engineering pros, people who are good at production services delivery at a very large scale.
>
> if there are qualified applicants on this list (or your friends) who want their name put in for something particular, happy to refer them (i'd even get a referral incentive). btw, please mention the specific posted position(s) that you think would suit you.
>
> (you don't have to be 25-35. in fact, such a requirement would not be legal under US labor law...).
>
> On Feb 27, 2010, at 9:25 AM, Henri Torgemane wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> http://careers.yahoo.com/
>>
>> Looking for a dream job? Yahoo! is hiring security consultants worldwide 25-35 to help join our new Cyber Security Task Force. We are working with the government to provide a security service for our web and messenger platforms. Especially people with experience harvesting vital intelligence, which is the life blood of our security system. All aspects of security, risk management, analysis. We embody the paranoid, professional spirit of corporatism. With delight (and muffins!)
>>
>> At Yahoo!, big thinking comes with the territory. When your work reaches over half a billion users--that's 1 out of every 2 people online--there's no small task. We need creative minds that can take us new places. Individuals who want to positively impact their career--and the world at large. We're looking for Big Thinkers who embody the fun, innovative, collaborative spirit that's uniquely Yahoo!. We're looking for people like you. To protect it.
>>
>> I look forward to seeing your applications. Let's protect our data. Let's create the future, together.
>>
>> Henri Torgemane
>>
>> -BEGIN PGP SIGNATURE-
>> Charset: UTF8
>> Note: This signature can be verified at https://www.hushtools.com/verify
>> Version: Hush 3.0
>> wpwEAQMCAAYFAkuJVZsACgkQuR8Y8cR7pG3otgP/XF4VY9U1UAaobymiyxEdfb3FWfc1 qx/1tDAuUL7mMRzgex+Z3+IycD2BNAeDHBxXE60dq6hqIUSQJZfEqIzvncSp4QZNjg1q O63YvCE0EcjzQbaqxC/nnG2gUZjzq8WY1aJnM0nP39SKOwcCzBL8TAykNzTaBZkc4f/8 mntbvRg= =cKLr
>> -END PGP SIGNATURE-

-BEGIN PGP SIGNATURE-
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0
wpwEAQMCAAYFAkuLLmEACgkQuR8Y8cR7pG2RAQP7BTAWAa8UU4aTEu/hKr1YlSLZuoxc L57DqpFsP31NeX+3h7RhvLm5hyta6nmYgLZqNBKRxn7GK29l6kemP0nMOmNKpxr6MvFp s6lshDmQtmG77zy3nVDiX3d8d3+dOAEKWAR/MVo+OFx8SH+JClYqliJUXy6oJ+US5xZM IXiczyM= =iAJM
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2004-1] New Linux 2.6.24 packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2004-1                    secur...@debian.org
http://www.debian.org/security/                               Dann Frazier
February 27, 2010                       http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : linux-2.6.24
Vulnerability  : privilege escalation/denial of service/sensitive memory leak
Problem type   : local/remote
Debian-specific: no
CVE Id(s)      : CVE-2009-2691 CVE-2009-2695 CVE-2009-3080 CVE-2009-3726 CVE-2009-3889 CVE-2009-4005 CVE-2009-4020 CVE-2009-4021 CVE-2009-4138 CVE-2009-4308 CVE-2009-4536 CVE-2009-4538 CVE-2010-0003 CVE-2010-0007 CVE-2010-0291 CVE-2010-0410 CVE-2010-0415 CVE-2010-0622

NOTE: This kernel update marks the final planned kernel security update for the 2.6.24 kernel in the Debian release 'etch'. Although security support for 'etch' officially ended on February 15th, 2010, this update was already in preparation before that date.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-2691
    Steve Beattie and Kees Cook reported an information leak in the maps and smaps files available under /proc. Local users may be able to read this data for setuid processes while the ELF binary is being loaded.

CVE-2009-2695
    Eric Paris provided several fixes to increase the protection provided by the mmap_min_addr tunable against NULL pointer dereference vulnerabilities.

CVE-2009-3080
    Dave Jones reported an issue in the gdth SCSI driver. A missing check for negative offsets in an ioctl call could be exploited by local users to create a denial of service or potentially gain elevated privileges.

CVE-2009-3726
    Trond Myklebust reported an issue where a malicious NFS server could cause a denial of service condition on its clients by returning incorrect attributes during an open call.

CVE-2009-3889
    Joe Malicki discovered an issue in the megaraid_sas driver. Insufficient permissions on the sysfs dbg_lvl interface allow local users to modify the debug logging behavior.

CVE-2009-4005
    Roel Kluin discovered an issue in the hfc_usb driver, an ISDN driver for the Colognechip HFC-S USB chip. A potential read overflow exists which may allow remote users to cause a denial of service condition (oops).

CVE-2009-4020
    Amerigo Wang discovered an issue in the HFS filesystem that would allow a denial of service by a local user who has sufficient privileges to mount a specially crafted filesystem.

CVE-2009-4021
    Anana V. Avati discovered an issue in the fuse subsystem. If the system is sufficiently low on memory, a local user can cause the kernel to dereference an invalid pointer resulting in a denial of service (oops) and potentially an escalation of privileges.

CVE-2009-4138
    Jay Fenlason discovered an issue in the firewire stack that allows local users to cause a denial of service (oops or crash) by making a specially crafted ioctl call.

CVE-2009-4308
    Ted Ts'o discovered an issue in the ext4 filesystem that allows local users to cause a denial of service (NULL pointer dereference). For this to be exploitable, the local user must have sufficient privileges to mount a filesystem.

CVE-2009-4536 CVE-2009-4538
    Fabian Yamaguchi reported issues in the e1000 and e1000e drivers for Intel gigabit network adapters which allow remote users to bypass packet filters using specially crafted Ethernet frames.

CVE-2010-0003
    Andi Kleen reported a defect which allows local users to gain read access to memory reachable by the kernel when the print-fatal-signals option is enabled. This option is disabled by default.

CVE-2010-0007
    Florian Westphal reported a lack of capability checking in the ebtables netfilter subsystem. If the ebtables module is loaded, local users can add and modify ebtables rules.

CVE-2010-0291
    Al Viro reported several issues with the mmap/mremap system calls that allow local users to cause a denial of service (system panic) or obtain elevated privileges.

CVE-2010-0410
    Sebastian Krahmer discovered an issue in the netlink connector subsystem that permits local users to allocate large amounts of system memory resulting in a denial of service (out of memory).

CVE-2010-0415
    Ramon de Carvalho Valle discovered an issue in the sys_move_pages interface, limited to amd64, ia64 and powerpc64 flavors in Debian. Local users can exploit this issue to cause a denial of service (system crash) or gain
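Several entries in this advisory (CVE-2009-2695, CVE-2009-4021, CVE-2009-4308) turn on the same question: can an unprivileged process place data at the NULL page, which is what turns a kernel NULL pointer dereference from an oops into a privilege escalation. As an added check, not part of the advisory and not Debian's code, the following probes that from userland on the host it runs on: it reads vm.mmap_min_addr and then asks the kernel for a MAP_FIXED anonymous mapping at address 0, which must fail with EPERM (or EACCES under an LSM) for a non-root process whenever the tunable is non-zero. The MAP_FIXED constant is supplied by hand because Python's mmap module does not export it; the "root may still succeed" note reflects the CAP_SYS_RAWIO exemption and is reported rather than treated as a failure.

```python
import ctypes
import errno
import mmap
import os

MAP_FIXED = 0x10   # not exported by Python's mmap module; 0x10 on every Linux arch


def read_mmap_min_addr() -> int:
    """vm.mmap_min_addr in bytes, or -1 if it cannot be read (non-Linux, no /proc)."""
    try:
        with open("/proc/sys/vm/mmap_min_addr") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return -1


def probe_zero_page() -> str:
    """Ask the kernel for a private anonymous page at address 0.

    'blocked'   mmap failed with EPERM/EACCES: mmap_min_addr or an LSM stopped it
    'mappable'  this process can put attacker-controlled bytes at the NULL page
    'error:...' some other failure (sandbox quirks, unsupported platform)
    """
    libc = ctypes.CDLL(None, use_errno=True)
    libc.mmap.restype = ctypes.c_void_p
    libc.mmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int,
                          ctypes.c_int, ctypes.c_int, ctypes.c_long]
    libc.munmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t]
    page = mmap.PAGESIZE
    flags = mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS | MAP_FIXED
    addr = libc.mmap(0, page, mmap.PROT_READ | mmap.PROT_WRITE, flags, -1, 0)
    if addr is None:
        addr = 0          # ctypes returns None for a NULL pointer: success at address 0
    if addr == ctypes.c_void_p(-1).value:   # MAP_FAILED
        err = ctypes.get_errno()
        if err in (errno.EPERM, errno.EACCES):
            return "blocked"
        return "error:" + os.strerror(err)
    libc.munmap(addr, page)   # never leave page 0 mapped in this process
    return "mappable"


def check() -> dict:
    """What a reviewer would record about this host, plus a consistency verdict."""
    result = {
        "mmap_min_addr": read_mmap_min_addr(),
        "zero_page": probe_zero_page(),
        "euid": getattr(os, "geteuid", lambda: -1)(),
    }
    # A non-root process must not be able to map page 0 while mmap_min_addr > 0.
    # Root may still succeed through CAP_SYS_RAWIO, one of the cases the
    # CVE-2009-2695 fixes tightened, so a root result is informational only.
    result["consistent"] = (result["zero_page"] != "mappable"
                            or result["mmap_min_addr"] <= 0
                            or result["euid"] == 0)
    return result


if __name__ == "__main__":
    for key, value in check().items():
        print(f"{key}: {value}")
```

Run it as an ordinary user on the patched host: the expected reading is a non-zero mmap_min_addr together with "blocked". A "mappable" result as non-root means the tunable is zero or something in the stack is ignoring it, and every NULL-dereference bug in the list above is back to being a potential local root rather than a crash.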
[Full-disclosure] Going underground, living out of backpack, etc?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello. I am interested in getting some advice from you security professionals (white hat and black hat) about going underground. I am sick of big brother, I love independence, I was to experience the world and have no commitments. I am just sick of being held down in one place. It's too easy for people to harass and stalk you. You gotta be mobile. Fancy free and foot loose. You gotta be underground. Have any advice for living out of a bag? Any stories? Any lessons? -BEGIN PGP SIGNATURE- Charset: UTF8 Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 3.0 wpwEAQMCAAYFAkuLR3UACgkQRQnwIcxK0rKdJwP9Fbv4ENsN+ouzbn34owsypykpL00+ E1qCZBwZGD4EJ5QK6PKdyR3kc33hOOasqaWn+HQVX1OtdKa/bXwWCJw3b3bEbImPHHoM FSfO7mJsrifYsufZcXtgRgFOI3KA7W+cN1DHncawcBf5/7CNKrjXSVi2NewLsp7beFlM gJrMvYw= =ii33 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Going underground, living out of backpack, etc?
Start by not touching any kind of digital device. You wouldn't know how many Chinese have put tracking/spy bugs inside them. Or how many modified NSA backdoors, for the matter. Using a PC probably increases risk by 1000%.

On Mon, Mar 1, 2010 at 5:49 AM, Simon Garfinkle lolweb...@hush.ai wrote:
> Hello. I am interested in getting some advice from you security professionals (white hat and black hat) about going underground. I am sick of big brother, I love independence, I was to experience the world and have no commitments. I am just sick of being held down in one place. It's too easy for people to harass and stalk you. You gotta be mobile. Fancy free and foot loose. You gotta be underground.
>
> Have any advice for living out of a bag? Any stories? Any lessons?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/