Re: [Full-disclosure] Open phones for privacy/anonymity applications, Guardian
On Mon, Dec 30, 2013 at 10:02 AM, l...@odewijk.nl wrote: ... Since the GSM f/w controls a radio, and thus the power, it may need a FCC certification... [bad dependencies and liabilities here] alternatively, encourage a market for open hardware and firmware/software components suitable for mobile. sell SDR SoCs that pair with an open handset like a SIM. minor assembly required; less than setting clock on microwave but slightly harder than point-and-click tethered jailbreak... ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Open phones for privacy/anonymity applications, Guardian
On Tue, Dec 10, 2013 at 10:43 AM, Sean Lynch se...@literati.org wrote: ... software-defined radios such as the HackRF are coming onto the market. My suspicion is that the legislation simply hasn't caught up to this reality yet and that these will become difficult to obtain... i hope you're wrong; although in some repressive locales this is already true? SDR as applied to highly efficient and ultra-wide band / cognitive radio has too much potential to be crippled by bureaucracy. (if not, this is a sign your governing bureaucracy has run amuk and must be corrected) ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2832-1] memcached security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2832-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso January 01, 2014 http://www.debian.org/security/faq - - Package: memcached Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-4971 CVE-2013-7239 Debian Bug : 706426 733643 Multiple vulnerabilities have been found in memcached, a high-performance memory object caching system. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2011-4971 Stefan Bucur reported that memcached could be caused to crash by sending a specially crafted packet. CVE-2013-7239 It was reported that SASL authentication could be bypassed due to a flaw related to the managment of the SASL authentication state. With a specially crafted request, a remote attacker may be able to authenticate with invalid SASL credentials. For the oldstable distribution (squeeze), these problems have been fixed in version 1.4.5-1+deb6u1. Note that the patch for CVE-2013-7239 was not applied for the oldstable distribution as SASL support is not enabled in this version. This update also provides the fix for CVE-2013-0179 which was fixed for stable already. For the stable distribution (wheezy), these problems have been fixed in version 1.4.13-0.2+deb7u1. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your memcached packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSw/k7AAoJEAVMuPMTQ89EN9cP/2+3NUmG98Jp4GXewX4KnXeJ Us08m4dlTyNEjVu3z8vAJ9iIvu28zyiYwKp6msyyc0155D6hNmmxkNfhGI/IgDBi QPo2AZrvWvTafztNyRzyBKzQHK3DlM9LEGYZC6rOpNWEF2xv1lT6vwWDj/fZRDiA 6pqGX/iERk/9EK4WeXi1KlTNzzOJJOQkN4NeoQEeUWec5s6V0/fOKoVccbKI9pOE 8UXL1Hqz3BK9YsNu8a5qadrSZ/3fRSHcmz3Drt7pyVpmJw4jzB126TZF8UJsLspQ 28wxOYISYJJvNXBJZM5oEjjssokzZw3Y1UYljY2Jc4sTUwLcWIQxM36AvlRrZ8Yj 0YoaA3UMfYeEtcPsv24/f8r8gEZsq4cVPatHBm4Ke/rmMttYiuX3n2iVfLiYdE6S ByfMZ4Rqk17SzUf6TCjsfomU45SGjtOzIEKwXBNBSGjK6Lej8zqKffNhvCH3ZwoH t0JS4qAr5EWdSuZkLLEtAu91qTGLJlxsPZk7odWyYA+Oe6c1Mobm2+PpfXgY0v/L H0ktTng+g/glH/3pnDzvBNthjLE8mN2ioFBEH5WFBiN2hZnGck2WXGzjWG4B9cAO gqFPlp+gP0m6ZmE1CyYdhR8ZgLhb+WZ8LbldYAIDWkA303gvnE5Enmn2NXrtFbBN LM+/KdVYzK4ZrVccPtkb =tx8/ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Open phones for privacy/anonymity applications, Guardian
On Wed, Jan 1, 2014 at 3:14 AM, Lodewijk andré de la porte l...@odewijk.nl wrote: I love being mentioned... duly noted; i aim to please! best regards, p.s. if you're looking for good high performance SDR gear, look for the Noctar/BladeRF/HackRF/USRP*/RTL-SDR/*.* equivalents of these now mostly 5-7 year old products :) - http://cryptome.org/2013/12/nsa-catalog.zip ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2833-1] openssl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2833-1 secur...@debian.org http://www.debian.org/security/Moritz Muehlenhoff January 01, 2014 http://www.debian.org/security/faq - - Package: openssl Vulnerability : several Problem type : local Debian-specific: no CVE ID : CVE-2013-6449 CVE-2013-6450 Debian Bug : 732754 732710 Multiple security issues have been fixed in OpenSSL: The TLS 1.2 support was susceptible to denial of service and retransmission of DTLS messages was fixed. In addition this updates disables the insecure Dual_EC_DRBG algorithm (which was unused anyway, see http://marc.info/?l=openssl-announcem=138747119822324w=2 for further information) and no longer uses the RdRand feature available on some Intel CPUs as a sole source of entropy unless explicitly requested. For the stable distribution (wheezy), these problems have been fixed in version 1.0.1e-2+deb7u1. For the unstable distribution (sid), these problems have been fixed in version 1.0.1e-5. We recommend that you upgrade your openssl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iEYEARECAAYFAlLEBDMACgkQXm3vHE4uylpEbACg55hvNWUo8hTUtqMNoOeP986v dG0AoJXsQoWloicwYo4fM8EwkbWxjun+ =KlR6 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [SECURITY] [DSA 2833-1] openssl security update
On Wed, Jan 1, 2014 at 4:09 AM, Moritz Muehlenhoff j...@debian.org wrote: ... In addition this update [...] no longer uses the RdRand feature available on some Intel CPUs as a sole source of entropy unless explicitly requested. no CVE for the oops you were entirely dependent on RDRAND issue, predictable. no release from OpenSSL with fix either? ... hard to check right now, i think their site had some issues lately. *cough* no list of affected packages, who may have generated potentially week long-lived keys if a future leak or other incident identifies RDRAND as mass produced and distributed vulnerable to attacks against key space / DRBG output. i know we're all fucked six ways to sunday[0], but is that sufficient excuse to slack off or conveniently shy away? best regards, 0. QFIRE Pilot Lead http://cryptome.org/2013/12/nsa-qfire.pdf extrapolate QFIRE, BULLRUN, QUANTUM* to FY 2013 and it is hard not to feel a bit hopeless... ... must find a way to detao ourselves! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Tool Update: Bing-ip2hosts version 0.4
Hi All, Bing-IP2hosts version 0.4 is now released. Homepage: http://www.morningstarsecurity.com/research/bing-ip2hosts Usage -!--- $ ./bing-ip2hosts bing-ip2hosts (o.4) by Andrew Horton aka urbanadventurer Homepage: http://www.morningstarsecurity.com/research/bing-ip2hosts Useful for web intelligence and attack surface mapping of vhosts during penetration tests. Find hostnames that share an IP address with your target which can be a hostname or an IP address. This makes use of Microsoft Bing.com ability to seach by IP address, e.g. IP:210.48.71.196. Usage: ./bing-ip2hosts [OPTIONS] IP|hostname OPTIONS are: -n Turn off the progress indicator animation -t DIR Use this directory instead of /tmp. The directory must exist. -i Optional CSV output. Outputs the IP and hostname on each line, separated by a comma. -p Optional http:// prefix output. Useful for right-clicking in the shell. Changes -!-- Updated usage Fixed tmp file issue where files weren't being deleted Resolves hostnames using nslookup instead of resolveip (Thanks Xavier Mertens) I updated this because a couple of people emailed me to say it no longer worked. It always worked for me. Let me know if you have any problems. Happy New Year, Andrew Horton ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Targeted CSRF vulnerability on LinkedIn to delete posts [FIXED]
Please visit the following link to view the POC: http://techielogic.wordpress.com/2013/12/28/targetted-csrf-on-linkedin-to-delete-update/ Happy Holidays ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Open phones for privacy/anonymity applications, Guardian
On Jan 1, 2014 12:11 PM, coderman coder...@gmail.com wrote: On Mon, Dec 30, 2013 at 10:02 AM, l...@odewijk.nl wrote: ... Since the GSM f/w controls a radio, and thus the power, it may need a FCC certification... [bad dependencies and liabilities here] alternatively, encourage a market for open hardware and firmware/software components suitable for mobile. sell SDR SoCs that pair with an open handset like a SIM. minor assembly required; less than setting clock on microwave but slightly harder than point-and-click tethered jailbreak... I love being mentioned but that was not my statement. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2834-1] typo3-src security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2834-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso January 01, 2014 http://www.debian.org/security/faq - - Package: typo3-src Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-7073 CVE-2013-7074 CVE-2013-7075 CVE-2013-7076 CVE-2013-7078 CVE-2013-7079 CVE-2013-7080 CVE-2013-7081 Debian Bug : 731999 Several vulnerabilities were discovered in TYPO3, a content management system. This update addresses cross-site scripting, information disclosure, mass assignment, open redirection and insecure unserialize vulnerabilities and corresponds to TYPO3-CORE-SA-2013-004. For the oldstable distribution (squeeze), these problems have been fixed in version 4.3.9+dfsg1-1+squeeze9. For the stable distribution (wheezy), these problems have been fixed in version 4.5.19+dfsg1-5+wheezy2. For the testing distribution (jessie), these problems have been fixed in version 4.5.32+dfsg1-1. For the unstable distribution (sid), these problems have been fixed in version 4.5.32+dfsg1-1. We recommend that you upgrade your typo3-src packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSxD/nAAoJEAVMuPMTQ89EEewP+QE0HI7cMfcvfCO2GpmSq+ZX OgE2PuiIrBaMf9NtUvrWnVWMQRJiLjyejLsFpjGA3BIZAxue9N5WpzoPG9m8Np4c wdsk9a91lzj6vppYVYUnL0U8VmlxDU8mEfzdA39cRbqBzH3R6BfXqtDlDFnuYQvp B65Dn+79Cquch6j0UjoGdCPBAQeINFBJqEk5DjRgZaxJb6kASFXdbthn1XFaXa/o h79yKub2hsXhnmZ6tB8nATPw8jIOm4gkMSNHQHaT46bQVGolgQxqLPOxRE6LMvef bxYWM8oSp/QEYDXyCfHcNwKBOJlUNWH5kjK6uGWpqQ018Ms8Xmo6fQ8qwcwUeFMb bOm5wMuoROZDOm+j5gjfThJ0gkF0A1VIhxXua5w6HkTClI/HvIyKfgCt6DODLUbq 7PgJTsw26ppRR3kvenSIxWW/fc+LvFIN/sKx31v4QnY6c4au369a34fROwpCkzAH HtoC4Fj51r8I/ArLW0+wkyZZaliwKgZQtgGpWGsv+HQ0rwmlltTIXEEFd2fgKDL3 X5KXqN7+X/MhCih3ZAQ4sDGPxAG/iYL5Inz6mnVMie1Sa156bm2t+0EM5hOhJnIj JEfI6+49d6dk4ie9QdNpJ0C35DmlbsgyPgStl0fYMJtyQsfmrH5lFXHUJNS1Gow3 H+EE3f2WZLx6/YNR9dyS =LnMg -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when destroying a DigitalOcean node
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 [CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when destroying a DigitalOcean node Severity: Low Vendor: Apache Software Foundation Project: Apache Libcloud (http://libcloud.apache.org/) Affected Versions: Apache Libcloud 0.12.3 to 0.13.3 (version prior to 0.12.3 don't include a DigitalOcean driver) Description: DigitalOcean recently changed the default API behavior from scrub to non-scrub when destroying a VM. Libcloud doesn't explicitly send scrub_data query parameter when destroying a node. This means nodes which are destroyed using Libcloud are vulnerable to later customers stealing data contained on them. Note: Only users who are using DigitalOcean driver are affected by this issue. References: - - http://libcloud.apache.org/security.html - - https://digitalocean.com/blog_posts/transparency-regarding-data-security - - https://github.com/fog/fog/issues/2525 Mitigation: This vulnerability has been fixed in version 0.13.3. Users who use DigitalOcean driver are strongly encouraged to upgrade to this release. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iQJ8BAEBCgBmBQJSxEgAXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ5OTc4MjhEQzYyRjc1OUNFQTE4OUQ2NUUy QzA3NTRCMkNFMDY5MkYzAAoJECwHVLLOBpLzbRcQAJqSobMiGfjpBQCGhda8zW62 6aPEjyuStv9FZ0/eLN6bxPCV8LdxOYy6M1oehr3ntT56Dd/lZ9+gwJunTH3UqWmq ZqiwmME8JLhNTLC8tab+yE82lQlck2iXgTaJ5pZfXELFPiTEZ+DAQN26CpkA8bLO cXAlMJkskPS6BkkgLDtLfO9RHe8T0QsEcHxQSwCpursiIlQEfjG3tQqG21KEvSm6 Q31qv87cZrG2pQPXEQ7Ir59E7Yos/7vEnG57wY/Xj94wKeKpHxnBUUL37BW+/tb1 qP29zZUol628HxowsGCN7xJPlXrcc4wc37rWja/UTcBWZGUk4EKTX9xXVs1jKuPB lJqlGkEHglRcFI1AJLv9VkPBj77z6aEFu89bbJn8aZwAmPwnIBLZiJGp0LvqlVap RYgV8SdLb1D4GxTDJJN76PLghMJdo1mEUwLbinr8JGH/MXzTkTUwgMCv7ks8ww7Q hZp40rKDY+Su7VML6ONcnnvZTlAxCJM2lexD0svV8e3oXf/8lUzlnHCHQH8/TIrV 6DV4mj7Yg+HiR9Tj8+AMAAmC5l88Byl/+sJjAEdWBTKjzwiey5ocDX5s/aL12o+9 JX7vnFOWaGWf0pMeGuCl2gqtG+jFoEkr7BU7d0k7TvVFTQ0jTrrhVv9rbdIiJbK4 HXvdPzy/CBQt0tUGc6UT =8Jgs -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] DAVOSET v.1.1.5
Hello participants of Mailing List. Happy New Year! After making public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I've made next update of the software. At 31st of December DAVOSET v.1.1.5 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/). This is New Year Edition ;-). Video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I Download DAVOSET v.1.1.5: http://websecurity.com.ua/uploads/2013/DAVOSET_v.1.1.5.rar Use, don't abuse. Happy holidays ddosing. In new version there was added error handler in GetCookie(), added new services into lists of zombies and removed non-working services from lists of zombies. Since during 2013 many sites with vulnerable web applications removed these webapps or closed sites completely. But many new vulnerable sites have come, so lists of zombies can be easily extended. Best wishes regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/