[Full-disclosure] AusCERT2014 Call for Presentations and Tutorials
The AusCERT2014 Call for Presentations and Tutorials closes in 6 days on 12th January 2014. Please go to EasyChair to submit your paper:

https://www.easychair.org/account/signin.cgi?conf=auscert2014

The AusCERT2014 program committee welcomes original contributions for presentations and tutorials not previously published nor submitted in parallel for publication to any other conference or workshop.

Important Dates:

Presentation/Tutorial Summary Submission deadline: 12th January 2014
Notification of acceptance: 6th February 2014
AusCERT2014 Conference: 12th-16th May 2014

Submissions could fall under one of the following broad categories:

- Securing Rich or Web Applications
- Network Security: wired and wireless
- Privacy and Surveillance: cloud, social networks, ehealth, nation state espionage/surveillance/sabotage
- Cybercrime: attacks, cyberwar, hacktivism, law enforcement, insider threats, forensics
- Embedded: phones, tablets, medical devices, purpose-built smart devices
- Incident Response and Handling
- Industrial Control Systems (SCADA)
- Governance, Risk Management and Compliance
- Psychology of infosec: human factors
- Information Security Innovation

Full details may be found at: http://conference.auscert.org.au/call-for-presentations

We look forward to receiving your submission. Good luck!

Regards,
AusCERT2014 Program Committee

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Open phones for privacy/anonymity applications, Guardian
On Jan 6, 2014, at 8:14 AM, Anonymous anonym...@hoi-polloi.org wrote:

> GSM firmware is still not open-source though (as that would make the phone not suitable for legal usage in USA).
>
> I'd like to see a law link that says you cannot legally use your own open source GSM compliant stack to communicate over a GSM network.
>
> Since the GSM f/w controls a radio, and thus the power, it may need an FCC certification. In which case you would need someone to finance the certification every time a new version of the Gnu firmware is released (FSF perhaps?).

What you just described would make all software radio illegal. And I have personally seen some huge software-based deployments in GSM networks (Vanu BSCs come to mind).

The components of the radio subsystem are what the FCC certifies, not the software. Closed vs Open Source makes no difference.
[Full-disclosure] [SECURITY] [DSA 2837-1] openssl security update
Debian Security Advisory DSA-2837-1                    secur...@debian.org
http://www.debian.org/security/                          Moritz Muehlenhoff
January 07, 2014                           http://www.debian.org/security/faq

Package        : openssl
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4353

Anton Johannson discovered that an invalid TLS handshake package could crash OpenSSL with a NULL pointer dereference.

The oldstable distribution (squeeze) is not affected.

For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u3.

For the unstable distribution (sid), this problem has been fixed in version 1.0.1f-1.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2838-1] libxfont security update
Debian Security Advisory DSA-2838-1                    secur...@debian.org
http://www.debian.org/security/                          Moritz Muehlenhoff
January 07, 2014                           http://www.debian.org/security/faq

Package        : libxfont
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2013-6462

It was discovered that a buffer overflow in the processing of Glyph Bitmap Distribution fonts (BDF) could result in the execution of arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in version 1:1.4.1-4.

For the stable distribution (wheezy), this problem has been fixed in version 1:1.4.5-3.

For the unstable distribution (sid), this problem has been fixed in version 1:1.4.7-1.

We recommend that you upgrade your libxfont packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
Re: [Full-disclosure] FPU-state NULL-deref exploitation (was vm86 syscall kernel-panic and some more goodies waiting to be analyzed)
After closer examination, I found out that the FPU-state handling errors were not specific to the vm86 syscall; also normal 32-bit userspace code could bring the FPU/CPU into the same state.

Just for fun, I wrote a local-root privilege escalation POC. It requires mmap_min_addr=0 on modern kernels, which should NOT be the default, unless you are using Linux to play DOS games from the '90s via dos-emu.

I tried to do some nice tricks, e.g. use just two kernel-land writes for privilege escalation: one just adds the value 0x0001 (semaphore down_write), the other one changes 4 bytes in modprobe_path. Hence the POC just contains 12 bytes of binary code. The POC code with a little more explanation can be found here:

http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/

The exact analysis of the kernel bug is not yet complete; currently it is only proven to work on the AMD E-350 processor, both in VirtualBox and on bare hardware. So if you were lucky enough to trigger at least an OOPS on other hardware, I would be interested in it.

hd

PS: It uses the address values from the current debian-sid kernel (see System.map) and runs only on 32-bit kernels, so don't ask why it won't work on your 64-bit RedHat.

-- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee