Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
So, a quote, from a book? Isn't that kinda circular? Also, there are no quotes from anyone in the room and no one is referenced except by association. Not saying it's not true, but there's nothing there that indicates it is. The only people who will know if this is 100% true were in the Oval Office at the time, and those people aren't going to be quoted in a NYTimes article.

http://upload.wikimedia.org/wikipedia/commons/1/18/%22Citation_needed%22.jpg

--
Joel Esler

On Monday, June 4, 2012 at 2:52 PM, Jeffrey Walton wrote:

> https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
>
> WASHINGTON — From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.
>
> Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.
>
> At a tense meeting in the White House Situation Room within days of the worm’s “escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts had been fatally compromised.
>
> ...

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] EUSecWest 2012 - Amsterdam, Sept 19/20 featuring Mobile PWN2OWN - CFP Deadline June 15
EUSecWest 2012, Amsterdam, September 19/20, Featuring Mobile PWN2OWN
CALL FOR PAPERS - Deadline June 15 2012

AMSTERDAM, Nederland -- The seventh annual EUSecWest applied technical security conference - where the eminent figures in the international security industry get together to share best practices and technology - will be held in downtown Amsterdam near Leidseplein Square on September 19/20, 2012. The most significant new discoveries about computer network hack attacks and defenses, commercial security solutions, and pragmatic real world security experience will be presented in a series of informative tutorials.

This year the EUSecWest conference will also host dedicated security coverage of mobile devices, and host the first mobile device only focused PWN2OWN competition, where researchers get to demonstrate live vulnerability attack code against designated targets and, if successful, get to keep the target hardware and cash prizes.

The EUSecWest meeting provides international researchers a relaxed, comfortable environment to learn from informative tutorials on key developments in security technology, and collaborate and socialize with their peers in one of the world's most scenic cities - a short walk away from several large hotels and the Leidseplein entertainment and shopping district, conveniently close to many famous museums, convenient transport, Vondel Park, and a plenitude of restaurants and bars.

The EUSecWest conference will also feature the availability of the Security Masters Dojo expert network security sensei instructors, and their advanced, and intermediate, hands-on training courses - featuring small class sizes and practical application exercises to maximize information transfer.

We would like to announce the opportunity to submit papers, courses, and/or lightning talk proposals for selection by the EUSecWest technical review committee. This year we will be doing one hour talks, and some shorter talk sessions.

Please make your proposal submissions before June 15th, 2012. Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please make your submission by mailing a plain text version of the information along with any other supporting material or formats to synopsis of the material and your biography, papers and, speaking background to "secwest12 [at] eusecwest.com". Only slides will be needed for the September paper deadline; full text does not have to be submitted, but will be accepted if available. This year we will be opening up the presentation guidelines to include talks not in English (particularly Dutch, Chinese, French, Russian, and Spanish), which we will offer to translate for the speaker if they are not a native English speaker.

The EUSecWest 2012 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and new education for a technical audience.

The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

1. Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational experience/background.
5. Topic synopsis, proposed paper title, and a one paragraph description.
6. Reason why this material is innovative or significant or an important tutorial.
7. Optionally, any samples of prepared material or outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences where this material has been or will be
[Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html

WASHINGTON — From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.

Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

At a tense meeting in the White House Situation Room within days of the worm’s “escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts had been fatally compromised.

...
Re: [Full-disclosure] Full-Disclosure Digest, Vol 88, Issue 2 Re: NSA Cyber security program [ maybe off-topic ]
On Mon, Jun 04, 2012 at 10:45:52AM -0400, Mikhail A. Utin wrote:
>
> -----Original Message-----
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
> Sent: Saturday, June 02, 2012 7:00 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Full-Disclosure Digest, Vol 88, Issue 2
>
> Send Full-Disclosure mailing list submissions to full-disclosure@lists.grok.org.uk
>
> To subscribe or unsubscribe via the World Wide Web, visit https://lists.grok.org.uk/mailman/listinfo/full-disclosure or, via email, send a message with subject or body 'help' to full-disclosure-requ...@lists.grok.org.uk
>
> You can reach the person managing the list at full-disclosure-ow...@lists.grok.org.uk
>
> When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..."
>
> Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.
>
> Today's Topics:
>
>    1. Re: NSA Cyber security program [ maybe off-topic ] (InterN0T Advisories)
>    2. TrueCaller Vulnerability Allows Changing Users Details (Kuwait WhiteHat)
>    3. Re: NSA Cyber security program [ maybe off-topic ] (Benjamin Kreuter)
>    4. Re: NSA Cyber security program [ maybe off-topic ] (Alexander Georgiev)
>    5. Re: NSA Cyber security program [ maybe off-topic ] (Urlan)
>
> --
> My 10 cents:
>
> While off topic, the subject has touched a few people.
> I worked for the US Navy as an information security analyst/contractor for a few years, and had two projects with US DoT. Plus, I had an interview at... let's not mention the exact name.
> I can share a few things with you guys.
>
> First, US government employees are paid very well. There are several levels (as I remember around 12 - 14) starting at 25-30K and going up to around 150-170K. That is for non-managerial positions. With my MS in CS and IT and security experience I would easily target 120K. So, the same level as in the private sector. Plus, they have numerous perks, and being just a contractor I managed to use one. Plus, low cost, very good health insurance, and a pretty good pension after several years, which is much better than what the rest of the US have.
>
> So, those are the positives. There are negatives as well. First, the environment is highly politicized, and technical upper level management is out of common sense. All is about getting more power. One top level manager once said during a business meeting "There should be no humor during business meetings". And this idiot was absolutely serious. The same manager later destroyed the security department and moved information security into the IT department, where one IT boy said "Even a monkey can do vulnerability scanning". He was expected to replace me, and my contract had been terminated. I was really happy to quit. BTW, it was not a dumb stupid base in the middle of nowhere. It was the Naval System Command top research center.
>
> Often US government big projects, like the current one related to cloud computing, are out of technical common sense and are driven by political will and something I name "legal corruption". In my collection of the most stupid US government activity cases is the so named NMCI project - Naval Marine Corp Intranet, which was not an Intranet project at all. Whoever is interested in the details, please email me directly. I'm writing that because as a government employee you would be involved in such stupid projects.
>
> Concerning the hiring process, it is also very specific. To be hired, you need to file (now electronically) a twenty page questionnaire. Plus, two stupid tests, plus writing an essay. It does not matter if you are a well-known high level professional - you should pass that crap of tests and writing. In general, each US government department has some specifics in hiring, but it is pretty standard and requires some time and devotion to deal with.
>
> Some time ago I saw a paper that the US government immediately needs approximately 20,000 security professionals. My assumption - mostly in activities associated with this list's interests. However, I do not think the government will do anything real to fill this gap. The NSA project in question, which triggered this discussion, is an example. BTW, NSA built a new center in the middle of nowhere, somewhere in Mormon country. If you like the Wild West, you can try that.
>
> Summary: if you want a good salary, are thinking about retirement, health insurance, etc., you can try to get there. You can search through US government departments' sites, and there are a few head-hunting portals listing all departments, etc. But, be ready for the specifics of hiring and the internal environment. In some
[Full-disclosure] ISC Security Advisory: Handling of zero length rdata can cause named to terminate, unexpectedly
-------- Original Message --------
Subject: ISC Security Advisory: Handling of zero length rdata can cause named to terminate unexpectedly
Date: Mon, 04 Jun 2012 05:25:50 -0700
From: Larissa Shapiro
To: bind-annou...@lists.isc.org

ISC Security Advisory:

Note: This email advisory is provided for your information. The most up to date advisory information will always be at: http://www.isc.org/software/bind/advisories/cve-2012-1667 Please use this URL for the most up to date advisory information.

Title: Handling of zero length rdata can cause named to terminate unexpectedly

Processing of DNS resource records where the rdata field is zero length may cause various issues for the servers handling them.

CVE: CVE-2012-1667
Document Version: 1.0
Posting date: 4 June 2012
Program Impacted: BIND
Versions affected: 9.0.x -> 9.6.x, 9.4-ESV->9.4-ESV-R5-P1, 9.6-ESV->9.6-ESV-R7, 9.7.0->9.7.6, 9.8.0->9.8.3, 9.9.0->9.9.1
Severity: Critical
Exploitable: Remotely

Description:

This problem was uncovered while testing with experimental DNS record types. It is possible to add records to BIND with null (zero length) rdata fields. Processing of these records may lead to unexpected outcomes. Recursive servers may crash or disclose some portion of memory to the client. Secondary servers may crash on restart after transferring a zone containing these records. Master servers may corrupt zone data if the zone option "auto-dnssec" is set to "maintain". Other unexpected problems that are not listed here may also be encountered.

Impact:

This issue primarily affects recursive nameservers. Authoritative nameservers will only be impacted if an administrator configures experimental record types with no data. If the server is configured this way, then secondaries can crash on restart after transferring that zone. Zone data on the master can become corrupted if the zone with those records has named configured to manage the DNSSEC key rotation.

CVSS Score: 8.5
CVSS Equation: (AV:N/AC:L/Au:N/C:P/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:C)

Workarounds: Workarounds are under investigation, but none are known at this time.

Solution: Upgrade to one of the following versions:
https://www.isc.org/software/bind/96-esv-r7-p1
https://www.isc.org/software/bind/976-p1
https://www.isc.org/software/bind/983-p1
https://www.isc.org/software/bind/991-p1

Exploit Status: No known active exploits but a public discussion of the issue has taken place on a public mailing list.

Acknowledgment: Dan Luther, Level3 Communications, for finding the issue; Jeffrey A. Spain, Cincinnati Day School, for replication and testing.

Document Revision History:
1.0 Released to Public 4 June, 2012
1.1 Updated Severity to Critical

References:

- Do you have questions? Questions regarding this advisory should go to security-offi...@isc.org.
- ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: https://www.isc.org/security-vulnerability-disclosure-policy

See our BIND Security Matrix for a complete listing of Security Vulnerabilities and versions affected.

Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected.

Legal Disclaimer: Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be inferred. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any inferred warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use of, or reliance on, this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.

--
Larissa Shapiro
BIND and DHCP Product Manager, Internet Systems Consortium
laris...@isc.org +1 650 423 1335 http://www.isc.org
Need BIND or DHCP support? Look to the experts!
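Added here as an example (not ISC's code or part of the advisory): a small RFC 1035 wire-format walker that flags resource records whose RDLENGTH is 0, the record shape the advisory describes, so captured responses or zone-transfer payloads can be screened before they reach a resolver that has not been upgraded. The sample message is constructed inline; the private-use type 65280 stands in for the "experimental record types" mentioned.

```python
"""Flag DNS resource records whose RDATA is zero length (CVE-2012-1667 shape).

Added example, not part of the ISC advisory or of BIND. Walks a DNS message in
wire format (RFC 1035) and reports every RR in the answer, authority and
additional sections whose RDLENGTH is 0.
"""
import struct


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed owner name starting at `off`.

    Returns (name, offset just past the name in the original byte stream).
    """
    labels = []
    jumped = False
    end = off
    hops = 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:            # two-byte compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2               # stream resumes after the pointer
            jumped = True
            hops += 1
            if hops > 64:                   # refuse pointer loops
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if length == 0:                     # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) or ".", end


def zero_length_rdata(msg: bytes) -> list[tuple[str, int]]:
    """Return (owner name, RR type) for every record whose RDLENGTH is 0."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):                     # question: QNAME, QTYPE, QCLASS
        _, off = read_name(msg, off)
        off += 4
    hits = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR fixed header")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rdlen == 0:
            hits.append((name, rtype))
        off += rdlen
        if off > len(msg):
            raise ValueError("RDLENGTH runs past end of message")
    return hits


def build_sample_response(include_empty: bool = True) -> bytes:
    """Constructed sample: a normal A record, optionally followed by a
    private-use TYPE65280 record that carries no RDATA at all."""
    an = 2 if include_empty else 1
    header = struct.pack("!6H", 0x1234, 0x8180, 1, an, 0, 0)
    qname = b"\x07example\x03com\x00"       # example.com, starts at offset 12
    question = qname + struct.pack("!HH", 1, 1)            # A, IN
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    empty_rr = b"\xc0\x0c" + struct.pack("!HHIH", 65280, 1, 300, 0)
    return header + question + a_rr + (empty_rr if include_empty else b"")


if __name__ == "__main__":
    for owner, rtype in zero_length_rdata(build_sample_response()):
        print(f"zero-length RDATA: owner={owner} type={rtype}")
```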
[Full-disclosure] [SECURITY] [DSA 2485-1] imp4 security update
Debian Security Advisory DSA-2485-1                   secur...@debian.org
http://www.debian.org/security/                        Thijs Kinkhorst
June 3, 2012                          http://www.debian.org/security/faq

Package        : imp4
Vulnerability  : cross site scripting
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0791
Debian Bug     : 659392

Multiple cross-site scripting (XSS) vulnerabilities were discovered in IMP, the webmail component in the Horde framework. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various crafted parameters.

For the stable distribution (squeeze), this problem has been fixed in version 4.3.7+debian0-2.2.

For the testing distribution (wheezy) and unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your imp4 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2484-1] nut security update
Debian Security Advisory DSA-2484-1                   secur...@debian.org
http://www.debian.org/security/                        Thijs Kinkhorst
June 02, 2012                         http://www.debian.org/security/faq

Package        : nut
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2944
Debian Bug     : 675203

Sebastian Pohle discovered that upsd, the server of Network UPS Tools (NUT), is vulnerable to a remote denial of service attack.

For the stable distribution (squeeze), this problem has been fixed in version 2.4.3-1.1squeeze2.

For the testing distribution (wheezy) and unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your nut packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2482-1] libgdata security update
Debian Security Advisory DSA-2482-1                   secur...@debian.org
http://www.debian.org/security/                      Yves-Alexis Perez
June 2, 2012                          http://www.debian.org/security/faq

Package        : libgdata
Vulnerability  : insufficient certificate validation
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2653
Debian Bug     : 664032

Vreixo Formoso discovered that libgdata, a library used to access various Google services, wasn't validating certificates against trusted system root CAs when using an https connection.

For the stable distribution (squeeze), this problem has been fixed in version 0.6.4-2+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in version 0.10.2-1.

For the unstable distribution (sid), this problem has been fixed in version 0.10.2-1.

We recommend that you upgrade your libgdata packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2481-1] arpwatch security update
Debian Security Advisory DSA-2481-1                   secur...@debian.org
http://www.debian.org/security/                      Yves-Alexis Perez
June 2, 2012                          http://www.debian.org/security/faq

Package        : arpwatch
Vulnerability  : fails to drop supplementary groups
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2653
Debian Bug     : 674715

Steve Grubb from Red Hat discovered that a patch for arpwatch (as shipped at least in Red Hat and Debian distributions), intended to make it drop root privileges, would fail to do so and instead add the root group to the list of groups the daemon uses.

For the stable distribution (squeeze), this problem has been fixed in version 2.1a15-1.1+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in version 2.1a15-1.2.

For the unstable distribution (sid), this problem has been fixed in version 2.1a15-1.2.

We recommend that you upgrade your arpwatch packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
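Added example (not arpwatch or Debian code) of the privilege drop the advisory says the patch got wrong: supplementary groups are replaced with setgroups() before setgid()/setuid(), and the resulting credentials are audited so a leftover gid 0 is caught instead of silently kept. It assumes a POSIX host; `user` is a hypothetical account name supplied by the caller, and the audit helper is pure so it can be checked on constructed credential sets.

```python
"""Drop root privileges without leaving gid 0 in the supplementary groups.

Added example, not code from arpwatch or Debian. DSA-2481-1 describes a
privilege-drop patch that added the root group to the daemon's group list
instead of removing it; the sequence below replaces the supplementary groups
first, then changes gid and uid, then audits what is left.
"""
import grp
import os
import pwd


def audit_credentials(uid: int, gid: int, groups: list[int]) -> list[str]:
    """Pure check over a credential set; one message per remaining problem."""
    problems = []
    if uid == 0:
        problems.append("still running as uid 0")
    if gid == 0:
        problems.append("primary gid is 0")
    if 0 in groups:
        problems.append("gid 0 present in supplementary groups")
    return problems


def audit_current_process() -> list[str]:
    """Audit the calling process's effective credentials."""
    return audit_credentials(os.geteuid(), os.getegid(), os.getgroups())


def drop_privileges(user: str) -> list[str]:
    """Switch the process to `user` (hypothetical account name) and verify.

    Order matters: setgroups() and setgid() need root, so they run before
    setuid(); the supplementary list is *replaced*, not extended, which is the
    step the broken arpwatch patch got wrong. Returns the (empty) audit result
    or raises if anything root-owned survived.
    """
    pw = pwd.getpwnam(user)
    # Groups listed in /etc/group for this user; the primary gid comes via setgid().
    supplementary = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
    os.setgroups(supplementary)   # replace the list; never append to the old one
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    problems = audit_current_process()
    if problems:
        raise RuntimeError("privilege drop incomplete: " + "; ".join(problems))
    try:                          # the drop must not be reversible
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop is reversible (setuid(0) succeeded)")
    return problems


if __name__ == "__main__":
    # Constructed credential sets: the shape the advisory describes, then a clean one.
    print(audit_credentials(1000, 1000, [0, 1000]))   # leftover root group
    print(audit_credentials(1000, 1000, [1000]))      # clean drop
```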
Re: [Full-disclosure] NSA Cyber security program [ maybe off-topic ]
http://www.opm.gov/oca/12tables/indexgs.asp

This is the site of the Federal pay scale. It generally matches what NSA pays, though NSA uses a little different schedule. If you scroll down to the Washington DC area list you'll see the adjusted scale for what is paid around Ft. Meade. The GS 9-11 area is what is paid for new graduates in IT/CS with no experience. The GS 10-12 area is what is generally paid for those with graduate degrees or some experience. Generally management positions start in GS-13 and above.

On Fri, Jun 1, 2012 at 11:22 AM, Urlan wrote:

> Alexander, how much is bad for you?
>
> Urlan
>
> 2012/6/1 Alexander Georgiev
>
>> I agree. BTW, I am German and here the government pays very, very badly. What do you think the NSA pays for security experts? Do they also pay so badly in the public sector?
>>
>> On Fri, 1 Jun 2012 10:21:10 -0400, Benjamin Kreuter wrote:
>> > On Wed, 30 May 2012 23:51:09 +0200 Jann Horn wrote:
>> >
>> >> On Mon, May 28, 2012 at 08:06:42PM -0300, Pablo wrote:
>> >> > Interesting…
>> >> >
>> >> > http://www.nsa.gov/academia/nat_cae_cyber_ops/index.shtml
>> >> > http://www.esecurityplanet.com/network-security/nsa-announces-cyber-security-program-for-college-students.html
>> >> >
>> >> > This tells us that there is a lack of qualified people for this area.
>> >>
>> >> What I understand there is that they have a lack of qualified people in this area *who want to work for them*.
>> >
>> > Or who they are willing to employ. If you were the NSA, would you really want to hire someone who supports Wikileaks, considering everything that has happened? I am willing to bet that a lot of technically qualified people who would be willing to work for the NSA are not considered as candidates for non-technical reasons.
>> >
>> > -- Ben

--
Jack Slade
jacksl...@byu.net
Re: [Full-disclosure] [Full Disclosure] Unauthorized Digital Certificates Could Allow Spoofing
Thank you all for the information :)

On Mon, Jun 04, 2012 at 03:06:41PM +0100, imipak wrote:
> > what does this mean?
> >
> > m$ inadvertently gave signing rights to lusers, they got rooted or something else?
>
> http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx
>
> says:
>
> "[..] certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure."
>
> -i
>
> --
> wake up the past
> and tell it to stay away
Re: [Full-disclosure] Unauthorized Digital Certificates Could Allow Spoofing
This is related to the Flame malware.

--
Joel Esler

On Monday, June 4, 2012 at 9:51 AM, Georgi Guninski wrote:

> http://technet.microsoft.com/en-us/security/advisory/2718704
> Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority.
>
> what does this mean?
>
> m$ inadvertently gave signing rights to lusers, they got rooted or something else?
Re: [Full-disclosure] Full-Disclosure Digest, Vol 88, Issue 2 Re: NSA Cyber security program [ maybe off-topic ]
-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
Sent: Saturday, June 02, 2012 7:00 AM
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 88, Issue 2

Today's Topics:

1. Re: NSA Cyber security program [ maybe off-topic ] (InterN0T Advisories)
2. TrueCaller Vulnerability Allows Changing Users Details (Kuwait WhiteHat)
3. Re: NSA Cyber security program [ maybe off-topic ] (Benjamin Kreuter)
4. Re: NSA Cyber security program [ maybe off-topic ] (Alexander Georgiev)
5. Re: NSA Cyber security program [ maybe off-topic ] (Urlan)

--

My 10 cents:

While off topic, the subject has touched a few people. I worked for the US Navy as an information security analyst/contractor for a few years, and had two projects with the US DoT. Plus, I had an interview at (let's not mention the exact name). I can share a few things with you guys.

First, US government employees are paid very well. There are several levels (as I remember, around 12-14), starting at 25-30K and going up to around 150-170K. That is for non-managerial positions. With my MS in CS and IT and security experience I would easily target 120K. So, the same level as in the private sector. Plus, they have numerous perks, and being just a contractor I managed to use one. Plus, low-cost, very good health insurance, and a pretty good pension after several years, which is much better than what the rest of the US has. So, those are the positives.

There are negatives as well. First, the environment is highly politicized, and technical upper-level management is out of common sense. All is about getting more power. One top-level manager once said during a business meeting, "There should be no humor during business meetings." And this idiot was absolutely serious. The same manager later destroyed the security department and moved information security into the IT department, where one IT boy said, "Even a monkey can do vulnerability scanning." He was expected to replace me, and my contract had been terminated. I was really happy to quit. BTW, it was not a dumb, stupid base in the middle of nowhere. It was the Naval System Command top research center.

Often big US government projects, like the current ones related to cloud computing, are out of technical common sense and are driven by political will and something I name "legal corruption". In my collection of the most stupid US government activity cases is the so-named NMCI project, Naval Marine Corps Intranet, which was not an intranet project at all. Whoever is interested to know the details, please email me directly. I'm writing that because, being a government employee, you would be involved in such stupid projects.

Concerning the hiring process, it is also very specific. To be hired, you need to file (now electronically) a twenty-page questionnaire. Plus two stupid tests, plus writing an essay. It does not matter if you are a well-known, high-level professional: you should pass that crap of tests and writing. In general, each US government department has some specifics in hiring, but it is pretty standard and requires some time and devotion to deal with.

Some time ago I saw a paper that the US government immediately needs approximately 20,000 security professionals. My assumption: mostly in activities associated with this list's interests. However, I do not think the government will do anything real to fill this gap. The NSA project in question, which triggered this discussion, is an example. BTW, the NSA built a new center in the middle of nowhere, somewhere in Mormon country. If you like the Wild West, you can try that.

Summary: if you want a good salary, are thinking about retirement, health insurance, etc., you can try to get there. You can search through US government departments' sites, and there are a few head-hunting portals listing all departments, etc. But be ready for the specifics of hiring and the internal environment. In some places, like DC, you can find shocking results of equal opportunity employment. I would assume that in some places you could find a good professional environment and good people to work with (I enjoyed working with navy guys of my level), but do n
Re: [Full-disclosure] Unauthorized Digital Certificates Could Allow Spoofing
Certification path of the certificate that was used to sign WUSetupV.exe, used by the Flame malware [pic]:
https://twitter.com/#!/mikko/status/209620723973636096

Juha-Matti

Shreyas Zare [shre...@secfence.com] wrote:
> On Mon, Jun 4, 2012 at 7:21 PM, Georgi Guninski wrote:
> >
> > http://technet.microsoft.com/en-us/security/advisory/2718704
> > Microsoft is aware of active attacks using unauthorized digital
> > certificates derived from a Microsoft Certificate Authority.
> >
> > what does this mean?
> >
> > m$ inadvertently gave signing rights to lusers, they got rooted
> > or something else?
>
> https://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx?Redirected=true
>
> https://www.securityweek.com/microsoft-unauthorized-certificate-was-used-sign-flame-malware
>
> Shreyas Zare
> Sr. Information Security Researcher
> Secfence Technologies
> www.secfence.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Unauthorized Digital Certificates Could Allow Spoofing
On Mon, Jun 4, 2012 at 7:21 PM, Georgi Guninski wrote:
>
> http://technet.microsoft.com/en-us/security/advisory/2718704
> Microsoft is aware of active attacks using unauthorized digital certificates
> derived from a Microsoft Certificate Authority.
>
> what does this mean?
>
> m$ inadvertently gave signing rights to lusers, they got rooted
> or something else?

https://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx?Redirected=true

https://www.securityweek.com/microsoft-unauthorized-certificate-was-used-sign-flame-malware

Shreyas Zare
Sr. Information Security Researcher
Secfence Technologies
www.secfence.com
Re: [Full-disclosure] TrueCaller Vulnerability Allows Changing Users Details
Paranoia. Thor I is always publicly share contacts: Adrian Lamo c/o DMH Vacavill Psychiatric Hospital Vacavill, CA (707) 449-6504 Hector Monsegur (480) 948-6377 ADDRESS IS WITHOLD John Paul (JP) 594 3rd St Beaver PA www.inspirosity.com (is Out of business moved into is Gay porn) Jesse Tuttle (http://enquirer.com/editions/2003/07/28/hacker_zoom.jpg) (480) 948-6377 ADDRESS IS WITHOLD Gary McKinnon PSC 1005 Box 25 FPO AE / Cellblock 42 Guantanamo Bay 09593 AS (is in case I am too arrested) 4340 East West Hwt Suite 350 Bethesda MD Has nothing to hid. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [Full Disclosure] Unauthorized Digital Certificates Could Allow Spoofing
> what does this mean?
>
> m$ inadvertently gave signing rights to lusers, they got rooted or something else?

http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx says:

"[..] certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft's internal PKI infrastructure."

-i
--
wake up the past and tell it to stay away
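The passage quoted above describes a purpose-scoping failure: a certificate meant only for license server verification ends up acceptable for code signing. The block below is an added example for this thread, not code from any of the posters or from Microsoft, and it models one way such a gap arises. It builds a hypothetical three-tier hierarchy (placeholder names, not Microsoft's real CA names) with Go's standard crypto/x509 package and asks the verifier whether the leaf may sign code. Go applies Extended Key Usage to every certificate in the path, so an intermediate carrying only a narrow EKU blocks its leaves from code signing, while the same intermediate issued with no EKU extension at all lets every leaf below it sign code. ExtKeyUsageServerAuth stands in for the "license server verification" purpose, for which Go has no named constant; that substitution is an assumption of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical hierarchy modelled on the one in the advisory: trusted root,
// special-purpose intermediate, customer leaf. All names are placeholders.
type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newTemplate returns a minimal template; CA templates get cert-signing usage.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue creates a key pair and a certificate for tmpl signed by parent;
// a nil parent produces a self-signed root.
func issue(tmpl *x509.Certificate, parent *certAndKey) *certAndKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certAndKey{cert: cert, key: key}
}

// BuildChain builds root -> intermediate -> leaf. interEKU is the EKU list
// placed on the intermediate; nil means no EKU extension at all, which
// X.509 treats as "any purpose". The leaf always asks for code signing.
func BuildChain(interEKU []x509.ExtKeyUsage) (root, inter, leaf *x509.Certificate) {
	r := issue(newTemplate("Example Root Authority", 1, true), nil)

	interT := newTemplate("Example Licensing Intermediate CA", 2, true)
	interT.ExtKeyUsage = interEKU
	i := issue(interT, r)

	leafT := newTemplate("Customer Activation Certificate", 3, false)
	leafT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	l := issue(leafT, i)
	return r.cert, i.cert, l.cert
}

// ValidForCodeSigning asks Go's verifier whether the chain may be used for
// code signing. Go checks EKU on every certificate in the path (nested EKU),
// so a constrained intermediate blocks its leaves regardless of their own EKU.
func ValidForCodeSigning(root, inter, leaf *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

func main() {
	// Intermediate scoped to a narrow purpose. ServerAuth is a stand-in for
	// "license server verification" (assumption: Go has no constant for it).
	r, i, l := BuildChain([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	fmt.Println("constrained intermediate, code signing accepted:", ValidForCodeSigning(r, i, l))

	// Same hierarchy, intermediate issued without any EKU extension: every
	// leaf below it can now sign code as far as chain validation is concerned.
	r, i, l = BuildChain(nil)
	fmt.Println("unconstrained intermediate, code signing accepted:", ValidForCodeSigning(r, i, l))
}
```

Run with `go run`; the first line prints false and the second true. The practical check this suggests for any trusted hierarchy is to walk every intermediate, not just the leaves, and confirm each one carries an EKU extension that excludes code signing unless code signing is the intended purpose.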
[Full-disclosure] Unauthorized Digital Certificates Could Allow Spoofing
http://technet.microsoft.com/en-us/security/advisory/2718704
Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority.

what does this mean?

m$ inadvertently gave signing rights to lusers, they got rooted or something else?