Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response, Philosophy of Information Security

2012-01-07 Thread coderman
On Sat, Jan 7, 2012 at 12:55 PM, Shyaam Sundhar  wrote:
> ...
> why are people sloppy by nature when it comes to
> security?

this is like asking for the origin of existence; a mystery to the end!



> Why is security still considered as a blanket as opposed to the
> core of any system?

build security in: a radical concept!

instead quality is conferred second rate status, lucre and expedience
trump effectiveness, and short sighted competition creates cavities of
vulnerability where only broad cooperation can protect.

an endless playground for the curious and devious to deceive, thwart,
and threaten at will.



> PS: I am totally wrong and I know that ;)

infosec is totally wrong as an industry, too few know that! ;P

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [ GLSA 201201-03 ] Chromium, V8: Multiple vulnerabilities

2012-01-07 Thread Tim Sammut
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201201-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Chromium, V8: Multiple vulnerabilities
      Date: January 08, 2012
      Bugs: #394587, #397907
        ID: 201201-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Chromium and V8, some of
which may allow execution of arbitrary code.

Background
==========

Chromium is an open source web browser project. V8 is Google's open
source JavaScript engine.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  www-client/chromium       < 16.0.912.75            >= 16.0.912.75
  2  dev-lang/v8               < 3.6.6.11                  >= 3.6.6.11
    -------------------------------------------------------------------
     2 affected packages
    -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities have been discovered in Chromium and V8.
Please review the CVE identifiers and release notes referenced below
for details.

Impact
======

A context-dependent attacker could entice a user to open a specially
crafted web site or JavaScript program using Chromium or V8, possibly
resulting in the execution of arbitrary code with the privileges of the
process, or a Denial of Service condition.

The attacker could also perform URL bar spoofing.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-client/chromium-16.0.912.75"

All V8 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/v8-3.6.6.11"
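The "affected packages" table and the emerge commands above amount to a version check: a host is exposed while its installed version is below the unaffected one. The following script is an added example, not part of the GLSA and not Gentoo's own tooling: it parses the advisory's table layout and classifies a set of installed versions against it. The installed versions it checks are constructed for illustration, and the version comparison is a simplified form of Portage's rules (dotted numbers, _alpha/_beta/_pre/_rc/_p suffixes, -rN revisions); syntax outside that subset, such as letter suffixes, is rejected rather than guessed at.

```python
"""Added example: check installed versions against a GLSA affected-packages
table.  Not part of the advisory or of Gentoo's tooling; the installed
versions used below are constructed for illustration."""
import re

# The two rows of GLSA 201201-03's "Affected packages" table, in the
# advisory's own layout: index, package, "< vulnerable", ">= unaffected".
ADVISORY_TABLE = """\
  1  www-client/chromium       < 16.0.912.75            >= 16.0.912.75
  2  dev-lang/v8               < 3.6.6.11                  >= 3.6.6.11
"""

_ROW_RE = re.compile(r"^\s*\d+\s+(\S+)\s+<\s*(\S+)\s+>=\s*(\S+)\s*$")

# Simplified Portage version syntax: dotted numbers, an optional
# _alpha/_beta/_pre/_rc/_p suffix with a number, and an optional -rN revision.
_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$"
)
# Pre-release suffixes sort below the plain version, _p sorts above it.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}


def parse_affected_table(text):
    """Return {package: (vulnerable_below, unaffected_from)} from table text."""
    rows = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            pkg, vulnerable_below, unaffected_from = m.groups()
            rows[pkg] = (vulnerable_below, unaffected_from)
    return rows


def parse_version(version):
    """Turn a version string into a tuple that orders like Portage does for
    the simple cases.  Raises ValueError on unsupported syntax (for example
    a letter suffix such as 1.0a) instead of silently mis-ordering it."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numeric = tuple(int(part) for part in m.group(1).split("."))
    suffix, suffix_num, revision = m.group(2), m.group(3), m.group(4)
    return (numeric, _SUFFIX_RANK[suffix], int(suffix_num or 0), int(revision or 0))


def check_installed(installed, table):
    """Classify every package in the table against the installed versions.

    installed: {package: version} as reported by the package manager.
    Returns {package: "vulnerable" | "unaffected" | "not installed"}.
    """
    result = {}
    for pkg, (vulnerable_below, _unaffected_from) in table.items():
        if pkg not in installed:
            result[pkg] = "not installed"
        elif parse_version(installed[pkg]) < parse_version(vulnerable_below):
            result[pkg] = "vulnerable"
        else:
            result[pkg] = "unaffected"
    return result


if __name__ == "__main__":
    # Constructed sample: chromium one release behind the fix, v8 at the fix.
    sample_installed = {
        "www-client/chromium": "16.0.912.63",
        "dev-lang/v8": "3.6.6.11",
    }
    table = parse_affected_table(ADVISORY_TABLE)
    for pkg, status in check_installed(sample_installed, table).items():
        print(f"{pkg}: {status}")
```

On a real host the `installed` dictionary would come from the package manager's own database (for example the contents of /var/db/pkg), so the comparison logic, not the sample input, is the reusable part; the parse functions raise on anything they do not understand so that an unparsed version never reads as "unaffected".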

References
==========

[  1 ] CVE-2011-3903
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3903
[  2 ] CVE-2011-3904
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3904
[  3 ] CVE-2011-3906
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3906
[  4 ] CVE-2011-3907
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3907
[  5 ] CVE-2011-3908
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3908
[  6 ] CVE-2011-3909
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3909
[  7 ] CVE-2011-3910
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3910
[  8 ] CVE-2011-3912
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3912
[  9 ] CVE-2011-3913
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3913
[ 10 ] CVE-2011-3914
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3914
[ 11 ] CVE-2011-3917
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3917
[ 12 ] CVE-2011-3921
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3921
[ 13 ] CVE-2011-3922
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3922
[ 14 ] Release Notes 16.0.912.63
       http://googlechromereleases.blogspot.com/2011/12/stable-channel-update.html
[ 15 ] Release Notes 16.0.912.75
       http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201201-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Valdis . Kletnieks
On Sun, 08 Jan 2012 03:28:43 +0100, Ferenc Kovacs said:

> - it should be handled the same way as QA, it's not a feature, it's a way

Actually, the problem is that it *is* handled the same way as QA.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Ferenc Kovacs
On Sun, Jan 8, 2012 at 2:42 AM,  wrote:

> On Sun, 08 Jan 2012 01:37:21 +0100, Ferenc Kovacs said:
>
> > imo public shaming(ie. owned by kiddies, usually they get bigger media
> > attention) can force companies to take security more seriously, but imo
> > hiring the kiddies isn't the solution.
>
> It matters a lot less than you think.  Go look at Sony's stock price while
> they were having their security issues - it was already sliding *before* PSN
> got hacked, but continued sliding at the *exact same rate* for several
> months, with no visible added dip due to the multiple hacks they had.  The
> hack at TJX didn't cripple that company either.  Cost them a bunch, but
> nothing they couldn't survive - most companies that size already budget a
> lot more for unforeseen events than the hacks cost them.
>
> > able to secure your infrastructure, but the industry is rotten mostly
> > because it-sec isn't as high priority as it should be.
>
> As high priority as the IT Sec people usually think it should be, or as
> high priority as a cold hard-line analysis of business cost/benefits says
> it should be?  IT people tend to be *really* bad at estimating actual
> bottom-line costs.
>
> > it is an added-value, usually bolted-on top of the screwed up legacy
> > processes/softwares, and the higher-ups expect it to be bought by money
> > alone.
>
> Remember that at the C level, *everything* is bought by money alone.
> An initiative will cost $X in capex, $Y in manpower costs, and is predicted
> to return $Z per year.  If Z is bigger than X+Y, we proceed, if not, we
> don't.
> (Of course, the fun is in nailing X Y and Z down to accurate numbers :)
>
> > company, but they won't change the flawed processes, and the bad
> > priorities.
>
> Remember that computer security is almost always a cost center, not a
> profit center, and one of those "bad priorities" is usually "make more
> money".
>
> They aren't going to change the flawed process (which will cost money),
> unless you can demonstrate how that will impact the bottom line.  Just like
> I *could* replace my already-paid-off car that gets 27 miles to the gallon
> with one that gets 42, and save $50/month in gas - but then have a
> $250/month car payment to make. That doesn't make fiscal sense, and often
> neither does fixing the flawed process.
>
> > of course many of them will get owned, lose a good chunk of money, some
> > of them even will go out of business, but until most of them can get away
> > with that broken model, they won't try to fix the underlying problem.
>
> And you know what? *Every single decision* a business makes is like that.
>
> You run a restaurant, and make a bet that you can sell a fajita that's 20%
> bigger than your competitor, for 50 cents less, and still make money.  Maybe
> you're right, and you end up expanding into a nationwide fajita chain. Maybe
> you're not - something like 50% of restaurants fold in under 3 years.
>
> You manage an office building complex, and make a bet that if there's a
> fire, only one of the buildings will burn down and not all of them, so you
> don't insure for "everything burning down" because that's a *lot* higher
> premium per year and you don't really see them *all* burning as being
> likely.  If one burns down, you collect the insurance, rebuild, and get on
> with running an office complex.  If they all burn down, you're probably
> screwed.  Unless you're one lucky guy like Larry Silverstein, and they're
> ruled separate events at the WTC so you get paid for all the buildings
> anyhow:
>
> http://articles.cnn.com/2004-12-06/justice/wtc.trial_1_larry-silverstein-single-occurrence-insurers?_s=PM:LAW
>
> You run a company, and make a bet that there's only a X% chance of being
> hacked, and it will probably cost you $Y, so you spend $Z.  Maybe you guess
> wrong, like Sony did, maybe you don't, and all the money you didn't spend
> on security becomes profit, not cost.
>
> But it's the same thing - you estimate your chances, and place your bet.
> It's called the way business works.
>

It seems that you are missing my point.
I'm not trying to say that security should be the top priority, I'm saying
that:
- it should be handled the same way as QA, it's not a feature, it's a way
of doing things, you can't just buy it from a vendor without changing
anything on your side.
- currently the efforts for IT security in most cases are below what a
formal risk analysis/evaluation would identify for most of the companies
out there.

A kiddie with no formal education or relevant experience, just being
handy with a PC and the internet, shouldn't be able to "own" companies and
cause losses of/steal millions of dollars.

So I would be curious what your opinion is about those two points.

btw: Sony is a good counter-example, but we also see CA companies
recently going out of business after being hacked; usually losing customer
trust is more grave where the trust is more important to begin with.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Jeffrey Walton
On Sat, Jan 7, 2012 at 8:42 PM,   wrote:
> On Sun, 08 Jan 2012 01:37:21 +0100, Ferenc Kovacs said:
>
>> imo public shaming(ie. owned by kiddies, usually they get bigger media
>> attention) can force companies to take security more seriously, but imo
>> hiring the kiddies isn't the solution.
>
> It matters a lot less than you think.  Go look at Sony's stock price while
> they were having their security issues - it was already sliding *before* PSN
> got hacked, but continued sliding at the *exact same rate* for several
> months, with no visible added dip due to the multiple hacks they had.
Sony has a chronic, progressive problem with data security. Sony (or a
child corporation operating under their name) had been hacked at least
43 times in the past
(http://attrition.org/security/rant/sony_aka_sownage.html).

Adding insult to injury, Sony laid off security folks before the
spectacular breach
(http://techgeek.com.au/2011/06/25/lawsuit-sony-laid-off-security-staff-before-data-breach/).

Sony is the poster child for driving drunk on the information super
highway. Computing is a privilege, not a right. They should have their
privileges revoked.

> The hack at TJX didn't cripple that
> company either.  Cost them a bunch, but nothing they couldn't survive - most
> companies that size already budget a lot more for unforeseen events than the
> hacks cost them.
It cost TJX next to nothing, if I recall. It was less than 1% of one
quarter's earnings. The executives were awarded bonuses for a job well
done, and the loss was passed on to the shareholders.

> [SNIP]
>
> Remember that computer security is almost always a cost center, not a profit
> center, and one of those "bad priorities" is usually "make more money".
>
> They aren't going to change the flawed process (which will cost money), unless
> you can demonstrate how that will impact the bottom line.  Just like I *could*
> replace my already-paid-off car that gets 27 miles to the gallon with one that
> gets 42, and save $50 month in gas- but then have a $250/month car payment to
> make. That doesn't make fiscal sense, and often neither does fixing the flawed
> process.
>
>> of course many of them will get owned, lose a good chunk of money, some of
>> them even will go out of business, but until most of them can get away with
>> those broken model, they won't try to fix the underlying problem.
>
> And you know what? *Every single decision* a business makes is like that.
>
> [SNIP]
Sadly, you are right.

In the US, we need a legislative change - broader, more encompassing
laws and definitions which benefit the users (whether it's a user with
a credit card on file, or a user with PII on file). We need harsh
penalties to act as a deterrent against corporate indifference, and
board members to be held criminally accountable. With harsh penalties
and board accountability, I would argue you could relax legislative
oversight - give them enough rope to hang themselves, and see how many
executives will opt for 'let's spend 10 years in prison' because it's
cheaper to do nothing.

It's probably a pipe dream, though (I know it is while corporate
America gets to participate in the oligarchy via bribes (err, PAC
contributions)).

Jeff


Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Valdis . Kletnieks
On Sun, 08 Jan 2012 01:37:21 +0100, Ferenc Kovacs said:

> imo public shaming(ie. owned by kiddies, usually they get bigger media
> attention) can force companies to take security more seriously, but imo
> hiring the kiddies isn't the solution.

It matters a lot less than you think.  Go look at Sony's stock price while they
were having their security issues - it was already sliding *before* PSN got
hacked, but continued sliding at the *exact same rate* for several months, with
no visible added dip due to the multiple hacks they had.  The hack at TJX didn't
cripple that company either.  Cost them a bunch, but nothing they couldn't
survive - most companies that size already budget a lot more for unforeseen
events than the hacks cost them.

> able to secure your infrastructure, but the industry is rotten mostly
> because it-sec isn't as high priority as it should be.

As high priority as the IT Sec people usually think it should be, or as high
priority as a cold hard-line analysis of business cost/benefits says it should
be?  IT people tend to be *really* bad at estimating actual bottom-line
costs.

> it is an added-value, usually bolted-on top of the screwed up legacy
> processes/softwares, and the higher-ups expect it to be bought by money
> alone.

Remember that at the C level, *everything* is bought by money alone.
An initiative will cost $X in capex, $Y in manpower costs, and is predicted
to return $Z per year.  If Z is bigger than X+Y, we proceed, if not, we don't.
(Of course, the fun is in nailing X Y and Z down to accurate numbers :)

> company, but they won't change the flawed processes, and the bad priorities.

Remember that computer security is almost always a cost center, not a profit
center, and one of those "bad priorities" is usually "make more money".

They aren't going to change the flawed process (which will cost money), unless
you can demonstrate how that will impact the bottom line.  Just like I *could*
replace my already-paid-off car that gets 27 miles to the gallon with one that
gets 42, and save $50/month in gas - but then have a $250/month car payment to
make. That doesn't make fiscal sense, and often neither does fixing the flawed
process.

> of course many of them will get owned, lose a good chunk of money, some of
> them even will go out of business, but until most of them can get away with
> that broken model, they won't try to fix the underlying problem.

And you know what? *Every single decision* a business makes is like that.

You run a restaurant, and make a bet that you can sell a fajita that's 20%
bigger than your competitor, for 50 cents less, and still make money.  Maybe
you're right, and you end up expanding into a nationwide fajita chain. Maybe
you're not - something like 50% of restaurants fold in under 3 years.

You manage an office building complex, and make a bet that if there's a fire,
only one of the buildings will burn down and not all of them, so you don't
insure for "everything burning down" because that's a *lot* higher premium per
year and you don't really see them *all* burning as being likely.  If one burns
down, you collect the insurance, rebuild, and get on with running an office
complex.  If they all burn down, you're probably screwed.  Unless you're one
lucky guy like Larry Silverstein, and they're ruled separate events at the WTC
so you get paid for all the buildings anyhow:

http://articles.cnn.com/2004-12-06/justice/wtc.trial_1_larry-silverstein-single-occurrence-insurers?_s=PM:LAW

You run a company, and make a bet that there's only a X% chance of being
hacked, and it will probably cost you $Y, so you spend $Z.  Maybe you guess
wrong, like Sony did, maybe you don't, and all the money you didn't spend on
security becomes profit, not cost.

But it's the same thing - you estimate your chances, and place your bet. It's
called the way business works.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Valdis . Kletnieks
On Sat, 07 Jan 2012 18:24:04 CST, Laurelai said:

> Well enjoy your doomed industry then. I'll continue to take great
> pleasure as the so called experts get owned by teenagers.

I'm not sure why you consider it "doomed".  It's only "doomed" if you have
some silly notion that a company needs to have 100% security.

We've not managed to totally secure the roads, there's still bad drivers out
there.  We've not managed to totally secure the credit card system, there's
still fraud.  But neither of those are "doomed" either - we just accept there's
bad drivers and buy car insurance, and the credit card companies accept
that there will be 2% to 6% fraud write-offs and chargebacks, budget
accordingly, and get on with business.

And it's the same in computer security - if you've figured out it's going to
cost you $250K/year (remember, salary, bennies, *and* overhead) to hire a
security geek, but there's only a 5% chance you'll get hacked in a given year
and you've got a business plan on how to *recover* for $100K, and swallow the
$600K in lost sales the week your website is down, you're still better off *not
hiring the expert and risking getting hacked*.

Just like any other business - banks, gas stations, and minimarts all accept
the chance of armed robbery as part of the risk of doing business.  Most will
deploy *some* countermeasures to lower the risk (usually a video camera or two,
and tell the clerks to hand over the money and try not to get shot), and at
some point say "Meh, that's enough. Time to get back to selling stuff and
making money".  Nothing different just because it's a cyber attack rather than
a physical one.




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Shyaam Sundhar
Looks like the discussion is taking a different direction.

Thank you.
Shyaam

On Jan 7, 2012, at 7:37 PM, Ferenc Kovacs  wrote:

> 
> 
> On Sun, Jan 8, 2012 at 1:24 AM, Laurelai  wrote:
> On 1/7/12 6:20 PM, valdis.kletni...@vt.edu wrote:
> On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
> Because they pay the kids to own them in a safe manner to show that
> It's not as simple as all that.  A good pen-tester needs more skills than just
> how to pwn a server.  You need some business smarts, and you need to be *very*
> careful about writing the rules of engagement (some pen tests that involve
> physical attacks can literally get you shot at if you screw this part up), and
> then *sticking with them* (you find a major social engineering problem while
> doing a black-box test of some front-end servers, you better re-negotiate those
> rules of engagement before you do anything else).  Also, once a pen test
> starts, you can't take your time and poke it with the 3 or 4 types of attacks
> that you're good at - you have 3 weeks starting at 8AM Monday to hit it with
> 37 different classes of attacks they're likely to see and another 61 types
> of attacks they're not likely to see and aren't expecting.  And be prepared to
> work any one of those 94 from "looks like might be an issue" to something you
> can put in a report and say "You Have A Problem".
> 
> Almost no company is stupid enough to hire a pen testing team without that team
> posting a good-sized performance bond in case of a screw-up taking out a
> server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you
> *already* caught them stealing the data once :)
> 
> And the kids are going to land a $1M performance bond, how?
> 
> (Hint - think this through.  Really good pentesters make *really* good bucks.
> If those kiddies had what it took to be good pentesters, they'd already be
> making bucks as pentesters, not as kiddies)
> 
> their so called experts are full of shit, then they fire said experts
> and hire competent people saving time money and resources, try and
> Doesn't scale, because there's not enough competent people out there. There's
> 140 million .coms, there aren't 140 million security experts out there.
> 
> It's not a new idea - I've heard it every year or two since probably before
> most of the people on this list were born.  The fact that almost no companies
> actually *do* it, and that those hackers who have successfully crossed over to
> consulting are rare enough that you can name most of them, should tell you
> something about how well it ends up working in practice.
> 
> Well enjoy your doomed industry then. I'll continue to take great pleasure as
> the so called experts get owned by teenagers.
> 
> imo public shaming(ie. owned by kiddies, usually they get bigger media 
> attention) can force companies to take security more seriously, but imo 
> hiring the kiddies isn't the solution.
> even if he/she happens to be the "superstar", who given the chance would be 
> able to secure your infrastructure, but the industry is rotten mostly because 
> it-sec isn't as high priority as it should be.
> it is an added-value, usually bolted-on top of the screwed up legacy 
> processes/softwares, and the higher-ups expect it to be bought by money alone.
> they would pay for the cert, they would pay for the hacker-proof seal, they
> would pay for the insurance, and the decent looking it-security consultant
> company, but they won't change the flawed processes, and the bad priorities.
> of course many of them will get owned, lose a good chunk of money, some of
> them even will go out of business, but until most of them can get away with
> that broken model, they won't try to fix the underlying problem.
> 
> -- 
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Ferenc Kovacs
On Sun, Jan 8, 2012 at 1:24 AM, Laurelai  wrote:

> On 1/7/12 6:20 PM, valdis.kletni...@vt.edu wrote:
>
>> On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
>>
>>> Because they pay the kids to own them in a safe manner to show that
>>>
>> It's not as simple as all that.  A good pen-tester needs more skills than
>> just how to pwn a server.  You need some business smarts, and you need to
>> be *very* careful about writing the rules of engagement (some pen tests
>> that involve physical attacks can literally get you shot at if you screw
>> this part up), and then *sticking with them* (you find a major social
>> engineering problem while doing a black-box test of some front-end
>> servers, you better re-negotiate those rules of engagement before you do
>> anything else).  Also, once a pen test starts, you can't take your time
>> and poke it with the 3 or 4 types of attacks that you're good at - you
>> have 3 weeks starting at 8AM Monday to hit it with 37 different classes
>> of attacks they're likely to see and another 61 types of attacks they're
>> not likely to see and aren't expecting.  And be prepared to work any one
>> of those 94 from "looks like might be an issue" to something you can put
>> in a report and say "You Have A Problem".
>>
>> Almost no company is stupid enough to hire a pen testing team without
>> that team posting a good-sized performance bond in case of a screw-up
>> taking out a server, or a rogue pentester stealing the data. (ESPECIALLY
>> in this case, you *already* caught them stealing the data once :)
>>
>> And the kids are going to land a $1M performance bond, how?
>>
>> (Hint - think this through.  Really good pentesters make *really* good
>> bucks.  If those kiddies had what it took to be good pentesters, they'd
>> already be making bucks as pentesters, not as kiddies)
>>
>>> their so called experts are full of shit, then they fire said experts
>>> and hire competent people saving time money and resources, try and
>>>
>> Doesn't scale, because there's not enough competent people out there.
>> There's 140 million .coms, there aren't 140 million security experts out
>> there.
>>
>> It's not a new idea - I've heard it every year or two since probably
>> before most of the people on this list were born.  The fact that almost
>> no companies actually *do* it, and that those hackers who have
>> successfully crossed over to consulting are rare enough that you can name
>> most of them, should tell you something about how well it ends up working
>> in practice.
>>
> Well enjoy your doomed industry then. I'll continue to take great
> pleasure as the so called experts get owned by teenagers.
>

imo public shaming(ie. owned by kiddies, usually they get bigger media
attention) can force companies to take security more seriously, but imo
hiring the kiddies isn't the solution.
even if he/she happens to be the "superstar", who given the chance would be
able to secure your infrastructure, but the industry is rotten mostly
because it-sec isn't as high priority as it should be.
it is an added-value, usually bolted-on top of the screwed up legacy
processes/softwares, and the higher-ups expect it to be bought by money
alone.
they would pay for the cert, they would pay for the hacker-proof seal, they
would pay for the insurance, and the decent looking it-security consultant
company, but they won't change the flawed processes, and the bad priorities.
of course many of them will get owned, lose a good chunk of money, some of
them even will go out of business, but until most of them can get away with
that broken model, they won't try to fix the underlying problem.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Kurt Buff
On Sat, Jan 7, 2012 at 13:50,   wrote:
> On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:
>
>> Although, once they have gained popularity and to a stage where a garage
>> office becomes a shop floor and a @home biz becomes a 
>> rent-a-million$-building
>> office, it is time to shift priorities.
>
> If finding people who are competent enough to secure a payroll system for a
> company of 10 people is difficult, what makes you think that it's easy to find
> people who can secure the systems for a company of 1,000?

I would think it would be easier, because a company of 1,000 is much
more likely to have an actual budget for this kind of stuff than a
company of 10, or 100. But, still not as easy as for a company of
10,000, or 100,000.

Kurt



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai
On 1/7/12 6:20 PM, valdis.kletni...@vt.edu wrote:
> On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
>> Because they pay the kids to own them in a safe manner to show that
> It's not as simple as all that.  A good pen-tester needs more skills than just
> how to pwn a server.  You need some business smarts, and you need to be *very*
> careful about writing the rules of engagement (some pen tests that involve
> physical attacks can literally get you shot at if you screw this part up), and
> then *sticking with them* (you find a major social engineering problem while
> doing a black-box test of some front-end servers, you better re-negotiate those
> rules of engagement before you do anything else).  Also, once a pen test
> starts, you can't take your time and poke it with the 3 or 4 types of attacks
> that you're good at - you have 3 weeks starting at 8AM Monday to hit it with
> 37 different classes of attacks they're likely to see and another 61 types
> of attacks they're not likely to see and aren't expecting.  And be prepared to
> work any one of those 94 from "looks like might be an issue" to something you
> can put in a report and say "You Have A Problem".
>
> Almost no company is stupid enough to hire a pen testing team without that team
> posting a good-sized performance bond in case of a screw-up taking out a
> server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you
> *already* caught them stealing the data once :)
>
> And the kids are going to land a $1M performance bond, how?
>
> (Hint - think this through.  Really good pentesters make *really* good bucks.
> If those kiddies had what it took to be good pentesters, they'd already be
> making bucks as pentesters, not as kiddies)
>
>> their so called experts are full of shit, then they fire said experts
>> and hire competent people saving time money and resources, try and
> Doesn't scale, because there's not enough competent people out there. There's
> 140 million .coms, there aren't 140 million security experts out there.
>
> It's not a new idea - I've heard it every year or two since probably before
> most of the people on this list were born.  The fact that almost no companies
> actually *do* it, and that those hackers who have successfully crossed over to
> consulting are rare enough that you can name most of them, should tell you
> something about how well it ends up working in practice.
>
Well, enjoy your doomed industry then. I'll continue to take great
pleasure as the so called experts get owned by teenagers.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Valdis . Kletnieks
On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
> Because they pay the kids to own them in a safe manner to show that

It's not as simple as all that.  A good pen-tester needs more skills than just
how to pwn a server.  You need some business smarts, and you need to be *very*
careful about writing the rules of engagement (some pen tests that involve
physical attacks can literally get you shot at if you screw this part up), and
then *sticking with them* (you find a major social engineering problem while
doing a black-box test of some front-end servers, you better re-negotiate those
rules of engagement before you do anything else).  Also, once a pen test
starts, you can't take your time and poke it with the 3 or 4 types of attacks
that you're good at - you have 3 weeks starting at 8AM Monday to hit it with
37 different classes of attacks they're likely to see and another 61 types
of attacks they're not likely to see and aren't expecting.  And be prepared to
work any one of those 94 from "looks like might be an issue" to something you
can put in a report and say "You Have A Problem".

Almost no company is stupid enough to hire a pen testing team without that team
posting a good-sized performance bond in case of a screw-up taking out a
server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you
*already* caught them stealing the data once :)

And the kids are going to land a $1M performance bond, how?

(Hint - think this through.  Really good pentesters make *really* good bucks.
If those kiddies had what it took to be good pentesters, they'd already be
making bucks as pentesters, not as kiddies)

> their so called experts are full of shit, then they fire said experts 
> and hire competent people saving time money and resources, try and 

Doesn't scale, because there's not enough competent people out there. There's
140 million .coms, there aren't 140 million security experts out there.

It's not a new idea - I've heard it every year or two since probably before
most of the people on this list were born.  The fact that almost no companies
actually *do* it, and that those hackers who have successfully crossed over to
consulting are rare enough that you can name most of them, should tell you
something about how well it ends up working in practice.




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Shyaam Sundhar
I would agree to every response in this chain of emails.

Reason: there is no 1 perfect solution. There is no one single mindset that can 
protect against everything that people are facing these days. Blended attacks 
and threats make things complicated. Defense is not as simple as said when it 
is attempted to be put into works and there cannot be 1 perfect solution that 
secures everything either.

Thank you.
Shyaam

On Jan 7, 2012, at 6:37 PM, Laurelai  wrote:

> On 1/7/12 5:31 PM, Ferenc Kovacs wrote:
>> 
>> 
>> 
>> On Sun, Jan 8, 2012 at 12:03 AM, Laurelai  wrote:
>> On 1/7/12 3:50 PM, valdis.kletni...@vt.edu wrote:
>>> On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:
>>> 
>>>> Although, once they have gained popularity and to a stage where a garage
>>>> office becomes a shop floor and a @home biz becomes a rent-a-million$-building
>>>> office, it is time to shift priorities.
>>> If finding people who are competent enough to secure a payroll system for a
>>> company of 10 people is difficult, what makes you think that it's easy to 
>>> find
>>> people who can secure the systems for a company of 1,000?
>>> 
>>> As Stratfor has demonstrated, the talent pool of *really* competent security
>>> people is shallow enough that there's not even enough to secure the security
>>> companies. And it's not just Stratfor - when was the last time this list 
>>> went a
>>> week without mocking a security company for its lack of clue?  It's an 
>>> industry-wide
>>> problem - there's a *severe* shortage of experts.
>>> 
>>> And even though schools like DeVry and ITT are churning out lots of people 
>>> with
>>> entry level certifications, I'm not at all sure that helps the situation - 
>>> we
>>> end up with a lot of people who are entry level, and don't realize how much
>>> they don't know. That makes them almost more dangerous than not having 
>>> anybody
>>> at all. Sort of like if you walk alone through a scary part of town, you
>>> actually stand a good chance because you *know* you're alone and will act
>>> accordingly - but if you have a bodyguard with you, you're likely to act
>>> differently, and end up totally screwed when you find out said bodyguard 
>>> has a
>>> belt in martial arts, but zero experience in street fighting...
>>> 
>>> 
>>> 
>> Perhaps these companies should try to hire the kids owning them instead of 
>> crying to the feds.
>> 
>> why do you think that kiddies using tools like sqlmap would be able to 
>> defend them from other kids?
>> 
>> 
>> -- 
>> Ferenc Kovács
>> @Tyr43l - http://tyrael.hu
> Because they pay the kids to own them in a safe manner to show that their so 
> called experts are full of shit, then they fire said experts and hire 
> competent people saving time money and resources, try and remember the guys 
> with the certs are the ones getting owned by the skiddies with sqlmap so that 
> should show you how broken the infosec industry is, want to fix it? Start by 
> hiring the skids because they are still more competent than the guys they are 
> owning. If that one gets owned you hire the guy who owned him ect... until 
> you actually have to know what the hell your doing to be in infosec. Use a 
> Darwinian approach to the industry.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai

On 1/7/12 5:31 PM, Ferenc Kovacs wrote:



On Sun, Jan 8, 2012 at 12:03 AM, Laurelai wrote:


On 1/7/12 3:50 PM, valdis.kletni...@vt.edu wrote:

On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:


Although, once they have gained popularity and to a stage where a garage
office becomes a shop floor and a @home biz becomes a 
rent-a-million$-building
office, it is time to shift priorities.

If finding people who are competent enough to secure a payroll system for a
company of 10 people is difficult, what makes you think that it's easy to 
find
people who can secure the systems for a company of 1,000?

As Stratfor has demonstrated, the talent pool of *really* competent security
people is shallow enough that there's not even enough to secure the security
companies. And it's not just Stratfor - when was the last time this list 
went a
week without mocking a security company for its lack of clue?  It's an 
industry-wide
problem - there's a *severe* shortage of experts.

And even though schools like DeVry and ITT are churning out lots of people 
with
entry level certifications, I'm not at all sure that helps the situation - 
we
end up with a lot of people who are entry level, and don't realize how much
they don't know. That makes them almost more dangerous than not having 
anybody
at all. Sort of like if you walk alone through a scary part of town, you
actually stand a good chance because you *know* you're alone and will act
accordingly - but if you have a bodyguard with you, you're likely to act
differently, and end up totally screwed when you find out said bodyguard 
has a
belt in martial arts, but zero experience in street fighting...




Perhaps these companies should try to hire the kids owning them
instead of crying to the feds.


why do you think that kiddies using tools like sqlmap would be able to 
defend them from other kids?



--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Because they pay the kids to own them in a safe manner to show that 
their so called experts are full of shit, then they fire said experts 
and hire competent people saving time money and resources, try and 
remember the guys with the certs are the ones getting owned by the 
skiddies with sqlmap so that should show you how broken the infosec 
industry is, want to fix it? Start by hiring the skids because they are 
still more competent than the guys they are owning. If that one gets 
owned you hire the guy who owned him etc... until you actually have to 
know what the hell you're doing to be in infosec. Use a Darwinian approach 
to the industry.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Valdis . Kletnieks
On Sat, 07 Jan 2012 17:03:09 CST, Laurelai said:
> Perhaps these companies should try to hire the kids owning them instead
> of crying to the feds.

Most of the kids are skript kiddies, and don't really understand the *defense*
end of the security business very well.  Sure, some may be better than skript
kiddies, and may be *incredible* at finding a memory overlay or an SQL
injection, but do they know how to *secure* against *everything*?

Does that kid know anything about "continuity of operations"? How to negotiate
with network providers to guarantee diverse cable paths?  How to set up proper
audit trails so they can figure out what happened after the fact? How to deal
with physical security issues (how do you know the guy at the door works for
Oracle, and who empties your trash?) How to deal with a subpoena or a "hold
evidence" order?  How to secure systems against insider threats and
embezzlement (still a big problem, even if hackers get more news time)? How to
ensure proper backups get done (this can be very non-trivial if you have
multiple petabytes of storage, and need to do point-in-time recoveries)? How to
do all the other things involved in actually making a data processing facility
*secure*?

For all the flak the CISSP gets, it's *still* worthwhile to wander over and
take a quick peek at *all* the subject areas it covers (18 if I remember
right), and then ask yourself "How much does the average kiddie know about all
this?"

And there's another little problem:  If you had a store, and somebody robbed
you at gunpoint, would you feel good about offering them a job because they
obviously need the money?  Or would you tend to avoid that person as an
employee, because they've already proven they don't want to follow the rules?
And even if you're willing to give a felon another shot, what do you say to the
other employees when they say "You hired WHO? That guy shot Fred in the knee,
I'm outta here".

And why should your answer be any different just because the attack involved a
computer rather than a 9mm?




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Ferenc Kovacs
On Sun, Jan 8, 2012 at 12:03 AM, Laurelai  wrote:

>  On 1/7/12 3:50 PM, valdis.kletni...@vt.edu wrote:
>
> On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:
>
>
>  Although, once they have gained popularity and to a stage where a garage
> office becomes a shop floor and a @home biz becomes a rent-a-million$-building
> office, it is time to shift priorities.
>
>  If finding people who are competent enough to secure a payroll system for a
> company of 10 people is difficult, what makes you think that it's easy to find
> people who can secure the systems for a company of 1,000?
>
> As Stratfor has demonstrated, the talent pool of *really* competent security
> people is shallow enough that there's not even enough to secure the security
> companies. And it's not just Stratfor - when was the last time this list went 
> a
> week without mocking a security company for its lack of clue?  It's an 
> industry-wide
> problem - there's a *severe* shortage of experts.
>
> And even though schools like DeVry and ITT are churning out lots of people 
> with
> entry level certifications, I'm not at all sure that helps the situation - we
> end up with a lot of people who are entry level, and don't realize how much
> they don't know. That makes them almost more dangerous than not having anybody
> at all. Sort of like if you walk alone through a scary part of town, you
> actually stand a good chance because you *know* you're alone and will act
> accordingly - but if you have a bodyguard with you, you're likely to act
> differently, and end up totally screwed when you find out said bodyguard has a
> belt in martial arts, but zero experience in street fighting...
>
>
>
>
>
>  Perhaps these companies should try to hire the kids owning them instead
> of crying to the feds.
>

why do you think that kiddies using tools like sqlmap would be able to
defend them from other kids?


-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai

On 1/7/12 3:50 PM, valdis.kletni...@vt.edu wrote:

On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:


Although, once they have gained popularity and to a stage where a garage
office becomes a shop floor and a @home biz becomes a rent-a-million$-building
office, it is time to shift priorities.

If finding people who are competent enough to secure a payroll system for a
company of 10 people is difficult, what makes you think that it's easy to find
people who can secure the systems for a company of 1,000?

As Stratfor has demonstrated, the talent pool of *really* competent security
people is shallow enough that there's not even enough to secure the security
companies. And it's not just Stratfor - when was the last time this list went a
week without mocking a security company for its lack of clue?  It's an 
industry-wide
problem - there's a *severe* shortage of experts.

And even though schools like DeVry and ITT are churning out lots of people with
entry level certifications, I'm not at all sure that helps the situation - we
end up with a lot of people who are entry level, and don't realize how much
they don't know. That makes them almost more dangerous than not having anybody
at all. Sort of like if you walk alone through a scary part of town, you
actually stand a good chance because you *know* you're alone and will act
accordingly - but if you have a bodyguard with you, you're likely to act
differently, and end up totally screwed when you find out said bodyguard has a
belt in martial arts, but zero experience in street fighting...



Perhaps these companies should try to hire the kids owning them instead 
of crying to the feds.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Valdis . Kletnieks
On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:

> Although, once they have gained popularity and to a stage where a garage
> office becomes a shop floor and a @home biz becomes a rent-a-million$-building
> office, it is time to shift priorities.

If finding people who are competent enough to secure a payroll system for a
company of 10 people is difficult, what makes you think that it's easy to find
people who can secure the systems for a company of 1,000?

As Stratfor has demonstrated, the talent pool of *really* competent security
people is shallow enough that there's not even enough to secure the security
companies. And it's not just Stratfor - when was the last time this list went a
week without mocking a security company for its lack of clue?  It's an 
industry-wide
problem - there's a *severe* shortage of experts.

And even though schools like DeVry and ITT are churning out lots of people with
entry level certifications, I'm not at all sure that helps the situation - we
end up with a lot of people who are entry level, and don't realize how much
they don't know. That makes them almost more dangerous than not having anybody
at all. Sort of like if you walk alone through a scary part of town, you
actually stand a good chance because you *know* you're alone and will act
accordingly - but if you have a bodyguard with you, you're likely to act
differently, and end up totally screwed when you find out said bodyguard has a
belt in martial arts, but zero experience in street fighting...




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Shyaam Sundhar
Completely agreed. Availability and business is top priority for managers. 
Although, once they have gained popularity and to a stage where a garage office 
becomes a shop floor and a @home biz becomes a rent-a-million$-building office, 
it is time to shift priorities. But again, I have no say in that, and it is 
what it is.

Thank you.
Shyaam

On Jan 7, 2012, at 4:08 PM, valdis.kletni...@vt.edu wrote:

> On Sat, 07 Jan 2012 15:55:28 EST, Shyaam Sundhar said:
> 
>> My question(s) would be: why are people sloppy by nature when it comes to
>> security? Why is security still considered as a blanket as opposed to the 
>> core
>> of any system?
> 
> In most shops, the level of competence is barely sufficient to make sure that
> the payroll system prints a check for every employee with the correct number 
> on
> it. Trying to keep the system running *and* secure is beyond their competence
> level, so you have to choose one - running or secure.  Most managers will
> choose 'running', because if they choose 'secure', *they* don't get a paycheck
> either...
> 
> (Vastly oversimplified, but that's pretty much it in a nutshell).
> 



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Jeffrey Walton
On Sat, Jan 7, 2012 at 3:48 PM, Ferenc Kovacs  wrote:
>
>
> On Sat, Jan 7, 2012 at 8:10 PM, Jeffrey Walton  wrote:
>>
>> http://bolt.thexfil.es/84e9h!t was an interesting link - it
>> demonstrated the pwnage.
>>
>> It looks like these folks gained access via PHP. Stratfor was using a
>> Linux based system, but PHP was version 1.8
>> from 2009 (perhaps with some back patches). Current version of PHP is
>> 5.3.8 (http://www.php.net/).
>
>
> O really? PHP 1.8? how would you compile that on a modern linux distro?
> how would you run drupal on top of it?
>
> // $Id: default.settings.php,v 1.8.2.4 2009/09/14 12:59:18 goba Exp $
> that is a line from the default drupal config file.
I stand corrected (thank you).

Jeff



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Valdis . Kletnieks
On Sat, 07 Jan 2012 15:55:28 EST, Shyaam Sundhar said:

> My question(s) would be: why are people sloppy by nature when it comes to
> security? Why is security still considered as a blanket as opposed to the core
> of any system?

In most shops, the level of competence is barely sufficient to make sure that
the payroll system prints a check for every employee with the correct number on
it. Trying to keep the system running *and* secure is beyond their competence
level, so you have to choose one - running or secure.  Most managers will
choose 'running', because if they choose 'secure', *they* don't get a paycheck
either...

(Vastly oversimplified, but that's pretty much it in a nutshell).




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Shyaam Sundhar
All this is true. From time to time, these things happen to businesses that do 
not take security as bread and butter. Although, I call that statement 
incorrect as well, because security firms themselves get targeted most of the 
time.

My question(s) would be: why are people sloppy by nature when it comes to 
security? Why is security still considered as a blanket as opposed to the core 
of any system? 

PS: I am totally wrong and I know that ;)

Thank you.
Shyaam

On Jan 7, 2012, at 3:48 PM, Ferenc Kovacs  wrote:

> 
> 
> On Sat, Jan 7, 2012 at 8:10 PM, Jeffrey Walton  wrote:
> http://bolt.thexfil.es/84e9h!t was an interesting link - it
> demonstrated the pwnage.
> 
> It looks like these folks gained access via PHP. Stratfor was using a
> Linux based system, but PHP was version 1.8
> from 2009 (perhaps with some back patches). Current version of PHP is
> 5.3.8 (http://www.php.net/).
> 
> O really? PHP 1.8? how would you compile that on a modern linux distro?
> how would you run drupal on top of it?
> 
> // $Id: default.settings.php,v 1.8.2.4 2009/09/14 12:59:18 goba Exp $
> that is a line from the default drupal config file.
> 
> I agree that the php app was the most likely source of the intrusion, I would 
> guess that they didn't keep the drupal core and the contrib modules 
> up-to-date, and they were owned through some old vulnerability.
> 
> -- 
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai

On 1/7/12 2:48 PM, Ferenc Kovacs wrote:



On Sat, Jan 7, 2012 at 8:10 PM, Jeffrey Walton wrote:


http://bolt.thexfil.es/84e9h!t was an interesting link - it
demonstrated the pwnage.

It looks like these folks gained access via PHP. Stratfor was using a
Linux based system, but PHP was version 1.8
from 2009 (perhaps with some back patches). Current version of PHP is
5.3.8 (http://www.php.net/).


O really? PHP 1.8? how would you compile that on a modern linux distro?
how would you run drupal on top of it?

// $Id: default.settings.php,v 1.8.2.4 2009/09/14 12:59:18 goba Exp $
that is a line from the default drupal config file.

I agree that the php app was the most likely source of the intrusion, 
I would guess that they didn't keep the drupal core and the contrib 
modules up-to-date, and they were owned through some old vulnerability.


--
Ferenc Kovács
@Tyr43l - http://tyrael.hu


And again it makes me wonder how many other so called security companies 
are just as vulnerable.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Ferenc Kovacs
On Sat, Jan 7, 2012 at 8:10 PM, Jeffrey Walton  wrote:

> http://bolt.thexfil.es/84e9h!t was an interesting link - it
> demonstrated the pwnage.
>
> It looks like these folks gained access via PHP. Stratfor was using a
> Linux based system, but PHP was version 1.8
> from 2009 (perhaps with some back patches). Current version of PHP is
> 5.3.8 (http://www.php.net/).
>

O really? PHP 1.8? how would you compile that on a modern linux distro?
how would you run drupal on top of it?

// $Id: default.settings.php,v 1.8.2.4 2009/09/14 12:59:18 goba Exp $
that is a line from the default drupal config file.

I agree that the php app was the most likely source of the intrusion, I
would guess that they didn't keep the drupal core and the contrib modules
up-to-date, and they were owned through some old vulnerability.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai
On 1/7/12 8:51 AM, Ed Carp wrote:
> ROFL!!!
>
> -- Forwarded message --
> From:
> Date: Sat, Jan 7, 2012 at 2:33 AM
> Subject: Rate Stratfor's Incident Response
> To: e...@pobox.com
>
>
> For the video announcement, please see
> http://www.youtube.com/watch?v=oHg5SJYRHA0
> Read full press release: http://bolt.thexfil.es/84e9h!t
> Rate Stratfor's incident response:
> http://img855.imageshack.us/img855/9055/butthurtreportform.jpg
>
> Hello loyal Stratfor clients,
>
> We are still working to get our website secure and back up and running
> again as soon as possible.
>
> To show our appreciation for your continued support, we will be making
> available all of our premium content *as a free service* from now on.
>
> We would like to hear from our loyal client base as to our handling of
> the recent intrusion by those deranged, sexually deviant criminal
> hacker terrorist masterminds. Please fill out the following form and
> return it to me
>
> My mobile: 512-658-3152
> My home phone: 512-894-0125
>
I still find this kind of thing hilarious.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Jeffrey Walton
http://bolt.thexfil.es/84e9h!t was an interesting link - it
demonstrated the pwnage.

It looks like these folks gained access via PHP. Stratfor was using a
Linux based system, but PHP was version 1.8
from 2009 (perhaps with some back patches). Current version of PHP is
5.3.8 (http://www.php.net/).

Two lessons: (1) keep your boxes patched, and (2) don't store secrets
in the plain text, or use [unsalted] MD5 to digest secrets.

Fuck me running - that's been known for years. I think Stratfor
broke all the major tenets of data security. The company deserves
everything they get in this instance.

And I like the RickRoll - it was a nice touch which really
demonstrated a level of caring not often seen.

Jeff

On Sat, Jan 7, 2012 at 9:51 AM, Ed Carp  wrote:
> ROFL!!!
>
> -- Forwarded message --
> From:  
> Date: Sat, Jan 7, 2012 at 2:33 AM
> Subject: Rate Stratfor's Incident Response
> To: e...@pobox.com
>
>
> For the video announcement, please see
> http://www.youtube.com/watch?v=oHg5SJYRHA0
> Read full press release: http://bolt.thexfil.es/84e9h!t
> Rate Stratfor's incident response:
> http://img855.imageshack.us/img855/9055/butthurtreportform.jpg
>
> Hello loyal Stratfor clients,
>
> We are still working to get our website secure and back up and running
> again as soon as possible.
>
> To show our appreciation for your continued support, we will be making
> available all of our premium content *as a free service* from now on.
>
> We would like to hear from our loyal client base as to our handling of
> the recent intrusion by those deranged, sexually deviant criminal
> hacker terrorist masterminds. Please fill out the following form and
> return it to me
>
> My mobile: 512-658-3152
> My home phone: 512-894-0125

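The second lesson in the post above (secrets stored as unsalted MD5) is worth seeing in code. The following is an added example, not code from the post or from anything Stratfor ran: the wordlist and user table are constructed here, and PBKDF2-HMAC-SHA256 stands in for whichever slow, salted password hash (bcrypt, scrypt, argon2) a real deployment would choose. It shows why one precomputed table cracks every unsalted MD5 in a dump at once, and why a per-user salt plus an iterated hash turns that into per-account guessing instead.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from any real dump): a few weak passwords of the
# kind every cracking wordlist contains, and two users who picked the same one.
WORDLIST = ["password", "123456", "stratfor", "letmein", "qwerty"]
USERS = {"alice": "password", "bob": "password", "carol": "letmein"}


def md5_unsalted(password: str) -> str:
    """The scheme the post warns against: one bare MD5 per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(wordlist) -> dict:
    """Hash every wordlist entry once; the table is then reused against every leaked hash."""
    return {md5_unsalted(w): w for w in wordlist}


def crack_unsalted(stored: dict, lookup: dict) -> dict:
    """Map each user to the recovered password, or None when the hash is not in the table."""
    return {user: lookup.get(h) for user, h in stored.items()}


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (stand-in for bcrypt/scrypt/argon2).

    A fresh random 16-byte salt per user means a precomputed table is useless and
    two users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _alg, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    """Run both schemes over the constructed users and report what an attacker gets."""
    lookup = build_lookup(WORDLIST)

    weak_store = {u: md5_unsalted(p) for u, p in USERS.items()}
    cracked = crack_unsalted(weak_store, lookup)          # every account recovered
    shared_visible = weak_store["alice"] == weak_store["bob"]  # equal hashes leak "same password"

    strong_store = {u: hash_password(p) for u, p in USERS.items()}
    shared_hidden = strong_store["alice"] != strong_store["bob"]
    table_useless = all(lookup.get(rec) is None for rec in strong_store.values())

    return cracked, shared_visible, shared_hidden, table_useless


if __name__ == "__main__":
    cracked, shared_visible, shared_hidden, table_useless = demo()
    print("unsalted MD5 cracked:", cracked, "| identical hashes for alice/bob:", shared_visible)
    print("salted PBKDF2: alice/bob records differ:", shared_hidden,
          "| lookup table recovers nothing:", table_useless)
```

Against a salted store the attacker is back to running the wordlist through the slow hash separately for each account, which is the whole point; the iteration count should be tuned so a single verification costs tens of milliseconds on the server.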

[Full-disclosure] [SECURITY] [DSA 2382-1] ecryptfs-utils security update

2012-01-07 Thread Jonathan Wiltshire
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -
Debian Security Advisory DSA-2382-1   secur...@debian.org
http://www.debian.org/security/Jonathan Wiltshire
January 07, 2012   http://www.debian.org/security/faq
- -

Package: ecryptfs-utils
Vulnerability  : multiple
Problem type   : local
Debian-specific: no
CVE ID : CVE-2011-1831 CVE-2011-1832 CVE-2011-1834 CVE-2011-1835 
 CVE-2011-1837 CVE-2011-3145 

Several problems have been discovered in ecryptfs-utils, a cryptographic
filesystem for Linux.

CVE-2011-1831

  Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs
  incorrectly validated permissions on the requested mountpoint. A local
  attacker could use this flaw to mount to arbitrary locations, leading
  to privilege escalation.

CVE-2011-1832

  Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs
  incorrectly validated permissions on the requested mountpoint. A local
  attacker could use this flaw to unmount to arbitrary locations, leading
  to a denial of service.

CVE-2011-1834

  Dan Rosenberg and Marc Deslauriers discovered that eCryptfs incorrectly
  handled modifications to the mtab file when an error occurs. A local
  attacker could use this flaw to corrupt the mtab file, and possibly
  unmount arbitrary locations, leading to a denial of service.

CVE-2011-1835

  Marc Deslauriers discovered that eCryptfs incorrectly handled keys when
  setting up an encrypted private directory. A local attacker could use
  this flaw to manipulate keys during creation of a new user.

CVE-2011-1837

  Vasiliy Kulikov of Openwall discovered that eCryptfs incorrectly handled
  lock counters. A local attacker could use this flaw to possibly overwrite
  arbitrary files.

We acknowledge the work of the Ubuntu distribution in preparing patches
suitable for near-direct inclusion in the Debian package.

For the oldstable distribution (lenny), these problems have been fixed in
version 68-1+lenny1.

For the stable distribution (squeeze), these problems have been fixed in
version 83-4+squeeze1.

For the testing distribution (wheezy) and the unstable distribution (sid),
these problems have been fixed in version 95-1.

We recommend that you upgrade your ecryptfs-utils packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

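The mountpoint validation that CVE-2011-1831 and CVE-2011-1832 above concern, as an added example that is not ecryptfs-utils code: a privileged mount helper must refuse a mountpoint the unprivileged caller does not own, and must decide on the directory it actually opened rather than on the path string. `check_mountpoint`, `demo` and the temporary directory layout are constructed for this illustration.

```python
import os
import tempfile


class MountpointError(Exception):
    """Raised when the requested mountpoint must not be used for this caller."""


def check_mountpoint(path: str, uid: int) -> int:
    """Return an open directory fd for `path` if user `uid` may mount over it,
    else raise MountpointError. Decisive checks use fstat on the opened fd."""
    if not os.path.isabs(path) or os.path.normpath(path) != path:
        raise MountpointError("mountpoint must be an absolute, normalized path")
    # Best-effort pre-check: refuse a path that reaches the directory via a symlink
    if os.path.realpath(path) != path:
        raise MountpointError("mountpoint path contains a symlink")
    try:
        # O_NOFOLLOW rejects a symlink at the leaf; O_DIRECTORY rejects a non-directory
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    except OSError as exc:
        raise MountpointError(f"cannot open mountpoint: {exc.strerror}") from exc
    st = os.fstat(fd)  # inspect the inode we hold, not a path that may change
    if st.st_uid != uid:
        os.close(fd)
        raise MountpointError("mountpoint is not owned by the requesting user")
    # A privileged helper can now fchdir(fd) and mount "." so that the check
    # and the mount apply to the same inode.
    return fd


def demo() -> dict:
    """Constructed scenario: a directory the caller owns, a symlink to it and a
    regular file, checked both as the owner and as a simulated other uid."""
    base = os.path.realpath(tempfile.mkdtemp())
    owned = os.path.join(base, "Private")
    os.mkdir(owned, 0o700)
    link = os.path.join(base, "link")
    os.symlink(owned, link)
    regular = os.path.join(base, "file")
    open(regular, "w").close()
    me = os.getuid()
    results = {}
    for name, target, uid in [("owned", owned, me), ("other_uid", owned, me + 1),
                              ("symlink", link, me), ("file", regular, me)]:
        try:
            fd = check_mountpoint(target, uid)
            os.close(fd)
            results[name] = "ok"
        except MountpointError as exc:
            results[name] = "rejected: " + str(exc)
    return results
```

Running `demo()` shows the owned directory accepted and the other three cases rejected; the simulated other uid stands in for a user pointing the helper at a directory that is not theirs.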


[Full-disclosure] OP5 Monitor - Multiple Vulnerabilities

2012-01-07 Thread Peter Osterberg
Link to full advisory:
http://www.ekelow.se/file_uploads/Advisories/ekelow-aid-2012-01.pdf


Vendor's official statement:
http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance/


Remote root command execution (non-authenticated)
=================================================
CVSS: 10
CVE: CVE-2012-0261 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0261
OSVDB: http://osvdb.org/show/osvdb/78064
Secunia: http://secunia.com/advisories/47417/
Versions: 5.3.5, 5.4.0, 5.4.2, 5.5.0, 5.5.1

Remote root command execution (non-authenticated)
=================================================
CVSS: 10
CVE: CVE-2012-0262 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0262
OSVDB: http://osvdb.org/show/osvdb/78065
Secunia: http://secunia.com/advisories/47417/
Versions: 5.3.5, 5.4.0, 5.4.2, 5.5.0, 5.5.1

Credentials leaked in detailed error message (authenticated)
============================================================
CVSS: 1.4
CVE: CVE-2012-0263 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0263
Versions: 5.3.5, 5.4.0, 5.4.2

Poor session management in the web application (non-authenticated)
==================================================================
CVSS: 4.7
CVE: CVE-2012-0264 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0264
Versions: 5.3.5, 5.4.0, 5.4.2, 5.5.0



[Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Ed Carp
ROFL!!!

-- Forwarded message --
From:  
Date: Sat, Jan 7, 2012 at 2:33 AM
Subject: Rate Stratfor's Incident Response
To: e...@pobox.com


For the video announcement, please see
http://www.youtube.com/watch?v=oHg5SJYRHA0
Read full press release: http://bolt.thexfil.es/84e9h!t
Rate Stratfor's incident response:
http://img855.imageshack.us/img855/9055/butthurtreportform.jpg

Hello loyal Stratfor clients,

We are still working to get our website secure and back up and running
again as soon as possible.

To show our appreciation for your continued support, we will be making
available all of our premium content *as a free service* from now on.

We would like to hear from our loyal client base as to our handling of
the recent intrusion by those deranged, sexually deviant criminal
hacker terrorist masterminds. Please fill out the following form and
return it to me.

My mobile: 512-658-3152
My home phone: 512-894-0125
