Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
RFC 2142 offers a number of well-known mailboxes that should be
monitored. Try secure@, security@, and support@.

WHOIS offers technical and administrative contacts.

$ whois bankofthewest.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: BANKOFTHEWEST.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com/en_US/
   Name Server: A1.VERISIGNDNS.COM
   Name Server: A2.VERISIGNDNS.COM
   Name Server: A3.VERISIGNDNS.COM
   Name Server: DNS1.BANKOFTHEWEST.COM
   Name Server: DNS2.BANKOFTHEWEST.COM
   Name Server: DNS3.BANKOFTHEWEST.COM
   Name Server: DNS4.BANKOFTHEWEST.COM
   Status: clientTransferProhibited
   Updated Date: 13-jul-2013
   Creation Date: 23-jan-1996
   Expiration Date: 24-jan-2020

 Last update of whois database: Sat, 08 Feb 2014 09:19:03 UTC 

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to ...

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Domain Name: BANKOFTHEWEST.COM
Registry Domain ID:
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://www.networksolutions.com/en_US/
Updated Date: 2011-01-04T00:00:00Z
Creation Date: 1996-01-23T00:00:00Z
Registrar Registration Expiration Date: 2020-01-25T00:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: ab...@web.com
Registrar Abuse Contact Phone: 800-333-7680
Reseller:
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: the West, Bank of
Registrant Organization: Bank of the West / William Scanlin
Registrant Street: 2527 Camino Ramon
Registrant City: San Ramon
Registrant State/Province: CA
Registrant Postal Code: 94583
Registrant Country: US
Registrant Phone: (925) 843-2358
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: regist...@bankofthewest.com
Registry Admin ID:
Admin Name: the West, Bank of
Admin Organization: Bank of the West / William Scanlin
Admin Street: 2527 Camino Ramon
Admin City: San Ramon
Admin State/Province: CA
Admin Postal Code: 94583
Admin Country: US
Admin Phone: (925) 843-2358
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: regist...@bankofthewest.com
Registry Tech ID:
Tech Name: the West, Bank of
Tech Organization: Bank of the West / William Scanlin
Tech Street: 2527 Camino Ramon
Tech City: San Ramon
Tech State/Province: CA
Tech Postal Code: 94583
Tech Country: US
Tech Phone: (925) 843-2358
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: regist...@bankofthewest.com
Name Server: DNS1.BANKOFTHEWEST.COM
Name Server: DNS2.BANKOFTHEWEST.COM
Name Server: DNS3.BANKOFTHEWEST.COM
Name Server: DNS4.BANKOFTHEWEST.COM
Name Server: A1.VERISIGNDNS.COM
Name Server: A2.VERISIGNDNS.COM
Name Server: A3.VERISIGNDNS.COM
DNSSEC: not signed
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
 Last update of whois database: Sat, 08 Feb 2014 09:19:03 UTC 

The data in Networksolutions.com's WHOIS database ...

On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen
kristian.herman...@gmail.com wrote:
 Anyone have security contact at Bank of the West?
 --
 Kristian Erik Hermansen
 https://www.linkedin.com/in/kristianhermansen
 https://profiles.google.com/kristian.hermansen


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Justin Ferguson
well, not to be outdone by the RFC parroting and amazing whois. If you
google @bankofthewest.com or (at)bankofthewest(dot)com you'll pull
a bazillion email addresses that you can spam. Alternatively
c...@bankofthewest.com c...@bankofthewest.com or
kirsten.ga...@bankofthewest.com or duke.da...@bankofthewest.com as
firstname.lastn...@bankofthewest.com is the apparent format.

That said, unlike turbo here, I recognize you're looking for confirmed
contacts, and I don't have any there. He thought you possibly didn't
know how to whois, I suggested to him that he could also look up their
CSR number in the phone book, because perhaps you didn't know how to
do that either; of course, American banks don't actually get that +1
is a country code.. so, yeah.

Best of Luck.

On Sat, Feb 8, 2014 at 5:45 AM, Jeffrey Walton noloa...@gmail.com wrote:
 On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen
 kristian.herman...@gmail.com wrote:
 Anyone have security contact at Bank of the West?

 You might also try reaching out to Justin Ferguson. The impression I
 got is he is masterful at infosec; and he can probably put you in
 touch with someone in about 3 degrees - perhaps even 1 (that beats the
 snot out of six degrees for other famous people).

 Jeff




-- 
--

Am I not destroying my enemies when I make friends of them?
-- Abraham Lincoln



Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jann Horn
On Sat, Feb 08, 2014 at 04:21:52AM -0500, Jeffrey Walton wrote:
 RFC 2142 offers a number of well-known mailboxes that should be
 monitored. Try secure@, security@, and support@.

Doesn't look as if any of those addresses would work:

RCPT TO:secur...@bankofthewest.com
550 Mailbox unavailable or access denied - secur...@bankofthewest.com
RCPT TO:sec...@bankofthewest.com
550 Mailbox unavailable or access denied - sec...@bankofthewest.com
RCPT TO:supp...@bankofthewest.com
550 Mailbox unavailable or access denied - supp...@bankofthewest.com


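The RFC 2142 mailboxes and WHOIS contacts suggested earlier in the thread, and the RCPT TO replies just above, are the two halves of one procedure: build a candidate list, then ask the domain's MX whether each address exists without ever delivering anything. The Python below is an added example, not code from anyone in the thread. The WHOIS excerpt, the domain example.com and every address in it are placeholders, and `ScriptedMX` is a constructed stand-in for the socket so the script runs offline; against a real domain you would resolve the MX record and hand `probe()` a line-oriented wrapper around a TCP connection with the same `send_line`/`recv_line` interface.

```python
"""Contact discovery for a domain (added example, not from the thread): candidates
from RFC 2142 role names plus the '<Role> Email:' lines of WHOIS output, each then
checked with an SMTP RCPT TO probe, the way the 550 replies in the thread were
obtained.  The WHOIS excerpt and ScriptedMX are constructed; no network I/O."""
import re
from typing import Dict, List, Tuple

# security@ is the RFC 2142 mailbox for security reports; postmaster@ is required
# by SMTP itself, the others are common RFC 2142 roles worth trying.
RFC2142_ROLES = ("security", "abuse", "postmaster", "hostmaster", "webmaster")

# Constructed WHOIS excerpt in the registrar ("thick") layout shown in the thread.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Email: hostmaster@example.com
Admin Email: hostmaster@example.com
Tech Email: dns-ops@example.com
Name Server: NS1.EXAMPLE.COM
"""


def whois_contacts(text: str) -> Dict[str, str]:
    """Map each '<Role> [Contact] Email:' line of WHOIS output to its address."""
    pattern = re.compile(r"^\s*([A-Za-z ]+?)\s*(?:Contact )?Email:\s*(\S+@\S+)\s*$", re.M)
    return {m.group(1).strip(): m.group(2).lower() for m in pattern.finditer(text)}


def candidates(domain: str, contacts: Dict[str, str]) -> List[str]:
    """RFC 2142 mailboxes at the domain first, then WHOIS contacts, deduplicated."""
    ordered = [f"{role}@{domain}" for role in RFC2142_ROLES] + list(contacts.values())
    return list(dict.fromkeys(ordered))          # dict keeps first-seen order


class ScriptedMX:
    """Stand-in for a TCP connection to the domain's MX; every reply is constructed."""

    def __init__(self, accepted: set) -> None:
        self.accepted, self.log = accepted, []
        self.pending = ["220 mx.example.com ESMTP"]

    def send_line(self, line: str) -> None:
        self.log.append(line)
        verb = line.split(":", 1)[0].upper()
        if verb.startswith("EHLO"):
            self.pending += ["250-mx.example.com", "250 8BITMIME"]   # multi-line reply
        elif verb == "MAIL FROM":
            self.pending.append("250 2.1.0 Ok")
        elif verb == "RCPT TO":
            addr = line.split(":", 1)[1].strip("<> ").lower()
            self.pending.append("250 2.1.5 Ok" if addr in self.accepted else
                                f"550 Mailbox unavailable or access denied - {addr}")
        elif verb == "RSET":
            self.pending.append("250 2.0.0 Ok")
        elif verb == "QUIT":
            self.pending.append("221 2.0.0 Bye")
        else:
            self.pending.append("502 5.5.2 Command not implemented")

    def recv_line(self) -> str:
        return self.pending.pop(0)


def probe(mx, addresses: List[str], helo: str = "probe.example") -> Dict[str, Tuple[int, str]]:
    """RCPT TO each address in one session; return {address: (code, text)}.
    DATA is never sent, so nothing is delivered even to accepted addresses."""
    def reply() -> Tuple[int, str]:
        lines = []
        while True:
            line = mx.recv_line()
            lines.append(line[4:])
            if len(line) < 4 or line[3] != "-":      # last line of a multi-line reply
                return int(line[:3]), " ".join(lines)

    if reply()[0] != 220:
        raise RuntimeError("no SMTP banner")
    mx.send_line(f"EHLO {helo}"); reply()
    mx.send_line("MAIL FROM:<>"); reply()            # null sender, as a bounce would use
    results = {}
    for addr in addresses:
        mx.send_line(f"RCPT TO:<{addr}>")
        results[addr] = reply()
    mx.send_line("RSET"); reply()                    # abandon the envelope
    mx.send_line("QUIT"); reply()
    return results


def verdict(code: int) -> str:
    """Read an RCPT TO reply the way a reporter should: 250 is necessary, not sufficient."""
    if code == 250:
        return "accepted (catch-all domains accept anything; not proof the box is read)"
    if code == 252:
        return "unverifiable (server accepts without confirming the mailbox)"
    if 400 <= code < 500:
        return "temporary failure, e.g. greylisting; retry later"
    return "rejected"


def demo(domain: str = "example.com") -> Dict[str, Tuple[int, str]]:
    """Probe only the candidates at `domain`; other domains need their own MX."""
    addrs = [a for a in candidates(domain, whois_contacts(SAMPLE_WHOIS)) if a.endswith("@" + domain)]
    mx = ScriptedMX(accepted={"abuse@example.com", "hostmaster@example.com", "dns-ops@example.com"})
    results = probe(mx, addrs)
    for addr, (code, text) in results.items():
        print(f"{addr:26} {code} {verdict(code)}")
    assert "DATA" not in mx.log                      # the probe must never deliver mail
    return results


if __name__ == "__main__":
    demo()
```

A 250 on RCPT TO is weak evidence: catch-all domains accept every local part, and a 252 means the server declines to say. Some MTAs greylist or tarpit a session that probes many recipients, so keep the list short, identify yourself honestly in EHLO, and treat a 4xx as "ask again later" rather than "does not exist". The 550 text produced by `ScriptedMX` copies the wording quoted above; real servers vary.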

Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
On Sat, Feb 8, 2014 at 6:05 AM, Justin Ferguson j...@ownco.net wrote:
 well, not to be outdone by the RFC parroting and amazing whois. If you
 google @bankofthewest.com or (at)bankofthewest(dot)com you'll pull
 a bazillion email addresses that you can spam. Alternatively
 c...@bankofthewest.com c...@bankofthewest.com or
 kirsten.ga...@bankofthewest.com or duke.da...@bankofthewest.com as
 firstname.lastn...@bankofthewest.com is the apparent format.

 That said, unlike turbo here, I recognize you're looking for confirmed
 contacts, and I don't have any there. He thought you possibly didn't
 know how to whois, I suggested to him that he could also look up their
 CSR number in the phone book, because perhaps you didn't know how to
 do that either; of course, American banks don't actually get that +1
 is a country code.. so, yeah.
You should also provide some of that crack legal advice, too.

Jeff

 On Sat, Feb 8, 2014 at 5:45 AM, Jeffrey Walton noloa...@gmail.com wrote:
 On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen
 kristian.herman...@gmail.com wrote:
 Anyone have security contact at Bank of the West?

 You might also try reaching out to Justin Ferguson. The impression I
 got is he is masterful at infosec; and he can probably put you in
 touch with someone in about 3 degrees - perhaps even 1 (that beats the
 snot out of six degrees for other famous people).




Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Justin Ferguson
i think we need valdis' expert opinion here.

On Sat, Feb 8, 2014 at 6:33 AM, Jeffrey Walton noloa...@gmail.com wrote:
 On Sat, Feb 8, 2014 at 6:05 AM, Justin Ferguson j...@ownco.net wrote:
 well, not to be outdone by the RFC parroting and amazing whois. If you
 google @bankofthewest.com or (at)bankofthewest(dot)com you'll pull
 a bazillion email addresses that you can spam. Alternatively
 c...@bankofthewest.com c...@bankofthewest.com or
 kirsten.ga...@bankofthewest.com or duke.da...@bankofthewest.com as
 firstname.lastn...@bankofthewest.com is the apparent format.

 That said, unlike turbo here, I recognize you're looking for confirmed
 contacts, and I don't have any there. He thought you possibly didn't
 know how to whois, I suggested to him that he could also look up their
 CSR number in the phone book, because perhaps you didn't know how to
 do that either; of course, American banks don't actually get that +1
 is a country code.. so, yeah.
 You should also provide some of that crack legal advice, too.

 Jeff

 On Sat, Feb 8, 2014 at 5:45 AM, Jeffrey Walton noloa...@gmail.com wrote:
 On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen
 kristian.herman...@gmail.com wrote:
 Anyone have security contact at Bank of the West?

 You might also try reaching out to Justin Ferguson. The impression I
 got is he is masterful at infosec; and he can probably put you in
 touch with someone in about 3 degrees - perhaps even 1 (that beats the
 snot out of six degrees for other famous people).






Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
On Sat, Feb 8, 2014 at 6:05 AM, Justin Ferguson j...@ownco.net wrote:
 well, not to be outdone by the RFC parroting and amazing whois. If you
 google @bankofthewest.com ...
Google does not allow you to search for the '@' symbol.
https://productforums.google.com/forum/#!topic/websearch/Dj-lKNCKK8o.

That's why there are email harvesters out there.

Perhaps you were using the amphora symbol, or you meant bankofthewest.com.

Jeff



Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Justin Ferguson
 Google does not allow you to search for the '@' symbol.

funny, there is a marked difference between when you search for
domain.com and @domain.com, one of which is that it includes a lot
of email addresses. Google is even so kind as to link in common email
address distortions.

Try before you speak please, turbo.

On Sat, Feb 8, 2014 at 6:57 AM, Jeffrey Walton noloa...@gmail.com wrote:
 On Sat, Feb 8, 2014 at 6:05 AM, Justin Ferguson j...@ownco.net wrote:
 well, not to be outdone by the RFC parroting and amazing whois. If you
 google @bankofthewest.com ...
 Google does not allow you to search for the '@' symbol.
 https://productforums.google.com/forum/#!topic/websearch/Dj-lKNCKK8o.

 That's why there are email harvesters out there.

 Perhaps you were using the amphora symbol, or you meant bankofthewest.com.

 Jeff





Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
On Sat, Feb 8, 2014 at 7:05 AM, Justin Ferguson j...@ownco.net wrote:
 Google does not allow you to search for the '@' symbol.

 funny, there is a marked difference between when you search for
 domain.com and @domain.com, one of which is that it includes a lot
 of email addresses. Google is even so kind as to link in common email
 address distortions.

 Try before you speak please, turbo.
Oh, got it. Google's policies and rules don't apply to you. Silly me.

You'll have to forgive me. I'm a slow learner at times.

Jeff



Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Justin Ferguson
 Oh, got it. Google's policies and rules don't apply to you. Silly me.

feel free to try it yourself, probably takes less time than you know,
reading policies they quite obviously bend. I mean, seriously, this is
on the first page of hits:
http://webcache.googleusercontent.com/search?q=cache:_iETEKI6kCkJ:www.sharkonline.org/index.php/take-action/contact-corporate-sponsors/1332-get-bank-of-the-west-out-of-rodeo+cd=12hl=enct=clnkgl=us

This is on the second:
http://webcache.googleusercontent.com/search?q=cache:h1khHCwhgBQJ:leasingnews.org/PDF/Email_Capitalwerks.pdf+cd=19hl=enct=clnkgl=us

et cetera, but hey, cool story bro.

 You'll have to forgive me. I'm a slow learner at times.

probably because, per you, you don't read webpages due to evil ToS' ..

On Sat, Feb 8, 2014 at 7:07 AM, Jeffrey Walton noloa...@gmail.com wrote:
 On Sat, Feb 8, 2014 at 7:05 AM, Justin Ferguson j...@ownco.net wrote:
 Google does not allow you to search for the '@' symbol.

 funny, there is a marked difference between when you search for
 domain.com and @domain.com, one of which is that it includes a lot
 of email addresses. Google is even so kind as to link in common email
 address distortions.

 Try before you speak please, turbo.
 Oh, got it. Google's policies and rules don't apply to you. Silly me.

 You'll have to forgive me. I'm a slow learner at times.

 Jeff





Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
On Sat, Feb 8, 2014 at 7:11 AM, Justin Ferguson j...@ownco.net wrote:
 ...
 You'll have to forgive me. I'm a slow learner at times.

 probably because, per you, you dont read webpages due to evil ToS' ..
That's not what I said when you were trolling offline. You could cite
it if you'd like.

Jeff



Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Justin Ferguson
p.s.

add an additional word, any word, for instance +the, magic happens.

try also CSO
http://vscso.org/pipermail/staff_vscso.org/2011-October/54.html
http://nebraskafbla.org/contact-us/advisory-council/
https://www.bankofthewest.com/static_files/botw2/home/about-us/our-company/annual-reports/annual-report-current.pdf
http://www.sba.gov/sites/default/files/SBA%20Lender%20List%20for%20San%20Diego%20and%20Imperial%20Counties_1.pdf
http://www.oldtownchinatown.org/pdf/newsletter-2005-winter.pdf
http://sdsbdcnetwork.org/sponsors/

etc

some rules can be bent, others broken.

On Sat, Feb 8, 2014 at 7:07 AM, Jeffrey Walton noloa...@gmail.com wrote:
 On Sat, Feb 8, 2014 at 7:05 AM, Justin Ferguson j...@ownco.net wrote:
 Google does not allow you to search for the '@' symbol.

 funny, there is a marked difference between when you search for
 domain.com and @domain.com, one of which is that it includes a lot
 of email addresses. Google is even so kind as to link in common email
 address distortions.

 Try before you speak please, turbo.
 Oh, got it. Google's policies and rules don't apply to you. Silly me.

 You'll have to forgive me. I'm a slow learner at times.

 Jeff





Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Justin Ferguson
 That's not what I said when you were trolling offline. You could cite
 it if you'd like.

it's cool, I actually didn't click reply-all for a reason. you elected
to go for group consensus, old one.

On Sat, Feb 8, 2014 at 7:14 AM, Jeffrey Walton noloa...@gmail.com wrote:
 On Sat, Feb 8, 2014 at 7:11 AM, Justin Ferguson j...@ownco.net wrote:
 ...
 You'll have to forgive me. I'm a slow learner at times.

 probably because, per you, you dont read webpages due to evil ToS' ..
 That's not what I said when you were trolling offline. You could cite
 it if you'd like.

 Jeff





Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
On Sat, Feb 8, 2014 at 7:17 AM, Justin Ferguson j...@ownco.net wrote:
 That's not what I said when you were trolling offline. You could cite
 it if you'd like.

 its cool, i actually didnt click reply-all for a reason. you elected
 to go for group consensus, old one.
I thought it was selfish keeping your cornucopia of knowledge to
myself. Hence the reason I suggested Kristian engage you.

Jeff

 On Sat, Feb 8, 2014 at 7:14 AM, Jeffrey Walton noloa...@gmail.com wrote:
 On Sat, Feb 8, 2014 at 7:11 AM, Justin Ferguson j...@ownco.net wrote:
 ...
 You'll have to forgive me. I'm a slow learner at times.

 probably because, per you, you dont read webpages due to evil ToS' ..
 That's not what I said when you were trolling offline. You could cite
 it if you'd like.



Re: [Full-disclosure] extension for Firefox to force HTTPS always?

2014-02-08 Thread Kristian Erik Hermansen
On Fri, Oct 12, 2007 at 6:55 PM, valdis.kletni...@vt.edu wrote:
 What should this hypothetical extension do if it automagically redirects
 http: to https:, but the target server is something that is only listening
 on port 80 because it doesn't have https: enabled?

 https://www.cnn.com just sorta sits there for me.

Hello from the future! This hypothetical extension would handle such
cases...and will eventually be called HTTPS Everywhere :) [1] Keep an
eye out for it in a few years...

[1] https://www.eff.org/https-everywhere
-- 
Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://google.com/+KristianHermansen



[Full-disclosure] [SECURITY] [DSA 2857-1] libspring-java security update

2014-02-08 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2857-1   secur...@debian.org
http://www.debian.org/security/   Markus Koschany
February 08, 2014  http://www.debian.org/security/faq
- -

Package: libspring-java
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-6429 CVE-2013-6430

It was discovered by the Spring development team that the fix for the
XML External Entity (XXE) Injection (CVE-2013-4152) in the Spring
Framework was incomplete.

Spring MVC's SourceHttpMessageConverter also processed user provided XML
and neither disabled XML external entities nor provided an option to
disable them. SourceHttpMessageConverter has been modified to provide an
option to control the processing of XML external entities and that
processing is now disabled by default.

In addition Jon Passki discovered a possible XSS vulnerability:
The JavaScriptUtils.javaScriptEscape() method did not escape all
characters that are sensitive within either a JS single quoted string,
JS double quoted string, or HTML script data context. In most cases this
will result in an unexploitable parse error but in some cases it could
result in an XSS vulnerability.

For the stable distribution (wheezy), these problems have been fixed in
version 3.0.6.RELEASE-6+deb7u2.

For the testing distribution (jessie), these problems have been fixed in
version 3.0.6.RELEASE-11.

For the unstable distribution (sid), these problems have been fixed in
version 3.0.6.RELEASE-11.

We recommend that you upgrade your libspring-java packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAlL2QfYACgkQXm3vHE4uylrKVwCgl0VC2bcFi0cw8M+ENuNdBUtN
rdYAnjKXZ48KA8HONA3iDlymTMFYpogz
=SI4k
-END PGP SIGNATURE-


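The first issue in the advisory, shown as an added example rather than Debian's or Spring's code. Python's expat is used here only because it exposes the DOCTYPE and entity-reference callbacks that make the two behaviours visible: `parse_resolving()` is a constructed stand-in for a body converter that resolves external entities (the shape the advisory describes), not a port of `SourceHttpMessageConverter`, and `parse_untrusted()` applies the default the advisory says Spring now uses, external entity processing off, by refusing any DTD construct before an entity can be declared. The "secret" file and the payload are constructed for the demo.

```python
"""XXE in an XML body handler, demonstrated with Python's expat.  Added example,
not Debian's or Spring's code.  parse_resolving() fetches and inlines external
entities (the vulnerable shape); parse_untrusted() aborts on any DTD construct
(the hardened default).  The secret file and the payload are constructed."""
import os
import tempfile
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when client-supplied XML tries to use DTD features."""


def xxe_payload(path: str) -> str:
    """Classic XXE shape: an external general entity expanded inside content."""
    return (f'<?xml version="1.0"?>\n'
            f'<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file://{path}"> ]>\n'
            f'<data>&xxe;</data>')


def parse_resolving(body: str) -> str:
    """Vulnerable: external entities are resolved, so a file's bytes become text."""
    parser = expat.ParserCreate()
    text = []
    parser.CharacterDataHandler = text.append

    def fetch(context, base, system_id, public_id):
        # What a resolving parser does with SYSTEM "file://...": open it and parse
        # its contents as entity text, which lands in the same character handler.
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as f:
            data = f.read()
        child = parser.ExternalEntityParserCreate(context)   # inherits the handlers
        child.Parse(data, True)
        return 1

    parser.ExternalEntityRefHandler = fetch
    parser.Parse(body, True)
    return "".join(text)


def parse_untrusted(body: str) -> str:
    """Hardened: any DTD construct aborts the parse before an entity can exist."""
    parser = expat.ParserCreate()
    text = []
    parser.CharacterDataHandler = text.append

    def refuse(*_):
        raise UnsafeXML("DTD constructs are not accepted in request bodies")

    parser.StartDoctypeDeclHandler = refuse   # <!DOCTYPE ...>
    parser.EntityDeclHandler = refuse         # <!ENTITY ...>, internal or external
    parser.ExternalEntityRefHandler = refuse  # belt and braces: never fetch anything
    parser.Parse(body, True)
    return "".join(text)


BENIGN = "<data><name>Jon</name></data>"


def demo() -> tuple:
    """(text the resolving parser leaked, whether the hardened parser refused the
    payload, what the hardened parser returns for a benign body)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db-password=hunter2")   # constructed secret standing in for /etc/passwd
    try:
        payload = xxe_payload(f.name)
        leaked = parse_resolving(payload)
        try:
            parse_untrusted(payload)
            refused = False
        except UnsafeXML:
            refused = True
        return leaked, refused, parse_untrusted(BENIGN)
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    leaked, refused, benign = demo()
    print("resolving parser leaked:", leaked)
    print("hardened parser refused payload:", refused, "| benign body ->", benign)
```

Refusing the DOCTYPE outright is the simplest policy for a body converter: nothing a client sends legitimately needs a DTD, and it also closes the billion-laughs (entity expansion) variant that disabling only external entities leaves open. In Java the equivalent is setting the `disallow-doctype-decl` feature on the parser factory, or the option the advisory says `SourceHttpMessageConverter` now exposes, before any user-controlled XML is parsed.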

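The second issue, a value escaped into a JS string literal that is itself inside a `<script>` element, as an added example that is not Spring's `JavaScriptUtils`. `escape_quotes_only()` is a constructed stand-in for the incomplete kind of escaper the advisory describes, not the real old implementation, and `escape_js_string()` covers all three contexts the advisory names: JS single-quoted string, JS double-quoted string, and HTML script data. Two small checks approximate the JS lexer and the HTML tokenizer so the difference is visible without a browser; the payloads are constructed.

```python
"""JS-string escaping for inline <script> blocks (added example, not Spring's
JavaScriptUtils).  escape_quotes_only() is a constructed incomplete escaper;
escape_js_string() handles every character that can end either the JS string
literal or the enclosing script element.  Payloads below are constructed."""


def escape_quotes_only(value: str) -> str:
    """Incomplete: right for a JS string in isolation, wrong inside <script>."""
    return (value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
                 .replace("\n", "\\n").replace("\r", "\\r"))


# Every character that can terminate a JS string literal or the surrounding
# script element becomes a JS escape; the \\uXXXX forms are valid in both quote styles.
_JS_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\n": "\\n", "\r": "\\r", "\t": "\\t", "\b": "\\b", "\f": "\\f", "\v": "\\v",
    "\u2028": "\\u2028", "\u2029": "\\u2029",   # JS line terminators end a literal
    "<": "\\u003C", ">": "\\u003E",             # '</script' and '<!--' in script data
}


def escape_js_string(value: str) -> str:
    """Complete for JS '...', JS "..." and HTML script data."""
    return "".join(_JS_ESCAPES.get(ch, ch) for ch in value)


def script_block(escaped: str) -> str:
    """How a template embeds a value: a JS string literal inside an inline script."""
    return f'<script>var name = "{escaped}";</script>'


def script_ends_early(html: str) -> bool:
    """The HTML script-data state ends at the first '</script' it sees (case-
    insensitive), JS quoting notwithstanding; True if that is before the real end."""
    body = html[len("<script>"):]
    return body.lower().find("</script") < len(body) - len("</script>")


def js_literal_intact(escaped: str, quote: str = '"') -> bool:
    """Would a JS lexer read quote+escaped+quote as one string literal?  A raw
    quote or a raw line terminator (LF, CR, U+2028, U+2029) ends it early."""
    i = 0
    while i < len(escaped):
        if escaped[i] == "\\":
            i += 2                      # escape sequence: skip the escaped character
            continue
        if escaped[i] == quote or escaped[i] in "\n\r\u2028\u2029":
            return False
        i += 1
    return True


# Constructed attacker inputs, one per context the advisory lists.
BREAK_QUOTE = '"; alert(1); //'                        # JS double-quoted string
CLOSE_SCRIPT = "</script><script>alert(1)</script>"    # HTML script data
LINE_SEP = "x\u2028alert(1)"                           # JS literal, either quote style
PAYLOADS = (BREAK_QUOTE, CLOSE_SCRIPT, LINE_SEP)


def evaluate(escaper) -> dict:
    """{payload: (JS literal survives, script element survives)} for one escaper."""
    out = {}
    for p in PAYLOADS:
        escaped = escaper(p)
        out[p] = (js_literal_intact(escaped), not script_ends_early(script_block(escaped)))
    return out


if __name__ == "__main__":
    for name, esc in (("quotes only", escape_quotes_only), ("full", escape_js_string)):
        print(name, {repr(k[:12]): v for k, v in evaluate(esc).items()})
```

The point the advisory makes is that the JS string context is not the only one in play: the HTML tokenizer finds `</script` inside a quoted JS string just the same, and U+2028/U+2029 are line terminators to the JS lexer even though they are ordinary characters to the HTML parser. Escaping by code point (`\u003C`) rather than by HTML entity is what keeps the output valid in all three contexts at once.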
Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Daniel Wood
Keep this list professional guys. I hate seeing it turn into an IRC chat room. 

Justin, you should really stop this type of behavior, you're not doing yourself 
any favors. I let it go when you decided you wanted to repeatedly bash me 
privately over one of my CVEs posted here, however I can see it's starting to 
look like a pattern for you. 

Daniel

On Feb 8, 2014, at 6:17 AM, Justin Ferguson j...@ownco.net wrote:

 That's not what I said when you were trolling offline. You could cite
 it if you'd like.
 
 its cool, i actually didnt click reply-all for a reason. you elected
 to go for group consensus, old one.
 
 On Sat, Feb 8, 2014 at 7:14 AM, Jeffrey Walton noloa...@gmail.com wrote:
 On Sat, Feb 8, 2014 at 7:11 AM, Justin Ferguson j...@ownco.net wrote:
 ...
 You'll have to forgive me. I'm a slow learner at times.
 
 probably because, per you, you dont read webpages due to evil ToS' ..
 That's not what I said when you were trolling offline. You could cite
 it if you'd like.
 
 Jeff
 
 
 



Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Justin Ferguson
...

Oh noes. Owasp guy wants to admonish me.

And yes, I called your local data at rest is not encrypted despite there
being no way to secure a key unless you think the subway app deserves its
own password bullshit because well it was bullshit. I was at least
respectful enough to tell you that it was bullshit clogging my inbox
privately instead of pulling some imaginary weight on the n3td3v all stars
mailing list.

There is nothing professional about F-D. But yes, from time to time when I
happen to read particularly absurd piles of crap sent to me, I do respond
by saying this is a giant pile of crap. In all earnest if you Google a
bit, this is pretty tame, I've not once seen fit to include a picture of my
bare backside.

At any rate, I appreciate your maternal behavior, what the world needs is
more CISSP-esque discussion on professional behavior on the internet. I'm
fairly positive that at this point, anyone whose opinion I care about is
well aware that I am at times outspoken, and the rest (*@owasp.com) are
irrelevant.

You have to be polite to random people who don't deserve it, such is life
with subway app bug finders.

Sincerely,

Justin N. Ferguson I
On Feb 8, 2014 11:32 AM, Daniel Wood daniel.w...@owasp.org wrote:

 Keep this list professional guys. I hate seeing it turn into an IRC chat
 room.

 Justin, you should really stop this type of behavior, you're not doing
 yourself any favors. I let it go when you decided you wanted to repeatedly
 bash me privately over one of my CVE's posted here, however I can see it's
 starting to look like a pattern for you.

 Daniel

 On Feb 8, 2014, at 6:17 AM, Justin Ferguson j...@ownco.net wrote:

  That's not what I said when you were trolling offline. You could cite
  it if you'd like.
 
  its cool, i actually didnt click reply-all for a reason. you elected
  to go for group consensus, old one.
 
  On Sat, Feb 8, 2014 at 7:14 AM, Jeffrey Walton noloa...@gmail.com
 wrote:
  On Sat, Feb 8, 2014 at 7:11 AM, Justin Ferguson j...@ownco.net wrote:
  ...
  You'll have to forgive me. I'm a slow learner at times.
 
  probably because, per you, you dont read webpages due to evil ToS' ..
  That's not what I said when you were trolling offline. You could cite
  it if you'd like.
 
  Jeff
 
 
 


[Full-disclosure] Fwd: Re: Bank of the West security contact?

2014-02-08 Thread Justin Ferguson
For the record, while the real bugs are hard crowd tries to make my
private posts sound netdevish, here was my incessant trolling.

There's really no need to respond further, none of this was worth this
pretty lame attempt at character assassination.

You're on the internet, when you say really dense crap, sometimes people
say mean things.
-- Forwarded message --
From: Justin Ferguson j...@ownco.net
Date: Feb 8, 2014 4:31 AM
Subject: Re: [Full-disclosure] Bank of the West security contact?
To: noloa...@gmail.com
Cc:

did you really reply to an email to show that you know how to whois??

...

unsubscribe.

On Sat, Feb 8, 2014 at 4:21 AM, Jeffrey Walton noloa...@gmail.com wrote:
 RFC 2142 offers a number of well known mailboxes that should be
 monitored. Try secure@, security@, and support@.

 WHOIS offers technical and administrative contacts.

 $ whois bankofthewest.com


 On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen
 kristian.herman...@gmail.com wrote:
 Anyone have security contact at Bank of the West?
 --
 Kristian Erik Hermansen
 https://www.linkedin.com/in/kristianhermansen
 https://profiles.google.com/kristian.hermansen






[Full-disclosure] Fwd: Re: [CVE-2013-6986] Insecure Data Storage in Subway Ordering

2014-02-08 Thread Justin Ferguson
And to call woody on his claim of my trolling him, here's the text there.
The entire thread was four emails long, inclusive of his original post.

Apparently if you say fuck the owasp nanny police gets butthurt.
-- Forwarded message --
From: Justin Ferguson j...@ownco.net
Date: Dec 19, 2013 12:11 PM
Subject: Re: [Full-disclosure] [CVE-2013-6986] Insecure Data Storage in
Subway Ordering
To: Daniel Wood daniel.w...@owasp.org
Cc:

 Storing cardholder data in cleartext is not a bullshit bug -  read PCI

No, it's a bullshit bug. PCI doesn't regulate how the data is stored
on consumer devices, perhaps *you* should read it instead of web 2.0
drone blather. What are you going to have them do, encrypt it and
where the fuck are you storing the key? Oh great, so now I need to
have a password for all of my 34324234324 apps? or I need to give my
apps my password to a central keystore for all of my keys? ... Do you
people think or just live to see your names in pseudo e-fame lights..

 if you don't like OWASP or really any 'best practices' document or
utilize some
 common sense.

The problem isn't OWASP, it's that it's brought on an apocalypse of
retarded people working in security and validated them and insanely
stupid bugs like yours. Funny you should reference common sense here.

   Read the news lately...Target?

The hack doesn't even make sense. Stay tuned.

 Not sure how using a publicly available app from the Apple App Store
qualifies as signing an NDA, a legal document.

EULA dope.

 It's locally exploitable, and it includes credentials.

BREAKING: your computer stores sensitive data and you cannot store
other sensitive data (crypto keys) next to the sensitive data it
stores to secure the sensitive data.

 You apparently didn't read the full disclosure details carefully enough.

Of course not, it's a fucking local bug about data at rest being
clear text on a local device where there is really no sane way to
secure the data other than to make the entire device more insecure.
And, it's a subway application, which is a clever way of saying a
crappy web-browser for people who know how to write javascript and are
too lazy to write proper HTML to work with mobile web browsers.

 really all severity ratings are subjective anyways.

The amusing part is that you saw fit to write up a fucking advisory
for it. Seriously I didn't even write up an advisory for this
http://marc.info/?l=openbsd-bugs&m=131435177207230 even though it
would've been hilarious considering the entire internet went looking
for backdoors put in by the USG in that exact code like a month
earlier.

I'm not saying your severity rating is a joke mate, I'm saying the
fucking bug is. Couldn't you be more productive and like pull apart a
banks app and audit its xml-rpc interfaces or something? ...

 I'll give you the benefit of the doubt this time, but if you don't have
anything constructive to say you'll quickly find yourself voided as
irrelevant with me
 and within this industry.

oh noes. subway doesn't crypto its data on local storage guy is worried
I will be voided as irrelevant by someone who himself is ...
irrelevant and proclaims to speak for an entire industry ... Don't
worry fellah, I'm sure Jeremiah Grossman still has some VC to give out
welfare to you kids.

On Thu, Dec 19, 2013 at 11:59 AM, Daniel Wood daniel.w...@owasp.org wrote:
 Justin,

 Storing cardholder data in cleartext is not a bullshit bug - read PCI
if you don't like OWASP or really any 'best practices' document or utilize
some common sense.  Read the news lately...Target?

 Not sure how using a publicly available app from the Apple App Store
qualifies as signing an NDA, a legal document.

 It's locally exploitable, and it includes credentials.  You apparently
didn't read the full disclosure details carefully enough.  Maybe you should
follow your own advice you posted (sic Neutron Star commentary). What the
severity of this vulnerability is doesn't really matter in the long run. It
was fixed by the vendor and really all severity ratings are subjective
anyways.

 I'll give you the benefit of the doubt this time, but if you don't have
anything constructive to say you'll quickly find yourself voided as
irrelevant with me and within this industry.

 -D

 On Dec 19, 2013, at 9:43 AM, Justin Ferguson j...@ownco.net wrote:

 (a) it's a bullshit bug, but whatever. air-quotes owasp ... air-quotes

 (b)  I have yet to receive this.  I asked for a copy of the allegedly
 signed NDA last week as well.  Failure to provide a legitimate copy of
 my sent email with a signed NDA proves to me that they forgot to have
 me sign an NDA.. Actually, assuming there is one, and what I'm
 reading is 3rd party company X is saying it's violating an NDA they
 signed, BUT, assuming they're just badly worded, you potentially
 agreed to the NDA when you installed and used the application.

 Either way, it's a client local mobile bug, rating somewhere below
 XSS on a website without login credentials. golf 

[Full-disclosure] Fwd: Fwd: Re: [CVE-2013-6986] Insecure Data Storage in Subway Ordering

2014-02-08 Thread kaveh ghaemmaghami
WDH
-- Forwarded message --
From: Justin Ferguson j...@ownco.net
Date: Feb 9, 2014 12:48 AM
Subject: [Full-disclosure] Fwd: Re: [CVE-2013-6986] Insecure Data Storage
in Subway Ordering
To: full-disclosure full-disclosure@lists.grok.org.uk
Cc:

And to call woody on his claim of my trolling him, here's the text there.
The entire thread was four emails long, inclusive of his original post.

Apparently if you say fuck the owasp nanny police gets butthurt.
-- Forwarded message --
From: Justin Ferguson j...@ownco.net
Date: Dec 19, 2013 12:11 PM
Subject: Re: [Full-disclosure] [CVE-2013-6986] Insecure Data Storage in
Subway Ordering
To: Daniel Wood daniel.w...@owasp.org
Cc:

 Storing cardholder data in cleartext is not a bullshit bug -  read PCI

No, it's a bullshit bug. PCI doesn't regulate how the data is stored
on consumer devices, perhaps *you* should read it instead of web 2.0
drone blather. What are you going to have them do, encrypt it and
where the fuck are you storing the key? Oh great, so now I need to
have a password for all of my 34324234324 apps? or I need to give my
apps my password to a central keystore for all of my keys? ... Do you
people think or just live to see your names in pseudo e-fame lights..

 if you don't like OWASP or really any 'best practices' document or
utilize some
 common sense.

The problem isn't OWASP, it's that it's brought on an apocalypse of
retarded people working in security and validated them and insanely
stupid bugs like yours. Funny you should reference common sense here.

   Read the news lately...Target?

The hack doesn't even make sense. Stay tuned.

 Not sure how using a publicly available app from the Apple App Store
qualifies as signing an NDA, a legal document.

EULA dope.

 It's locally exploitable, and it includes credentials.

BREAKING: your computer stores sensitive data and you cannot store
other sensitive data (crypto keys) next to the sensitive data it
stores to secure the sensitive data.

 You apparently didn't read the full disclosure details carefully enough.

Of course not, it's a fucking local bug about data at rest being
clear text on a local device where there is really no sane way to
secure the data other than to make the entire device more insecure.
And, it's a subway application, which is a clever way of saying a
crappy web-browser for people who know how to write javascript and are
too lazy to write proper HTML to work with mobile web browsers.

 really all severity ratings are subjective anyways.

The amusing part is that you saw fit to write up a fucking advisory
for it. Seriously I didn't even write up an advisory for this
http://marc.info/?l=openbsd-bugs&m=131435177207230 even though it
would've been hilarious considering the entire internet went looking
for backdoors put in by the USG in that exact code like a month
earlier.

I'm not saying your severity rating is a joke mate, I'm saying the
fucking bug is. Couldn't you be more productive and like pull apart a
banks app and audit its xml-rpc interfaces or something? ...

 I'll give you the benefit of the doubt this time, but if you don't have
anything constructive to say you'll quickly find yourself voided as
irrelevant with me
 and within this industry.

oh noes. subway doesn't crypto its data on local storage guy is worried
I will be voided as irrelevant by someone who himself is ...
irrelevant and proclaims to speak for an entire industry ... Don't
worry fellah, I'm sure Jeremiah Grossman still has some VC to give out
welfare to you kids.

On Thu, Dec 19, 2013 at 11:59 AM, Daniel Wood daniel.w...@owasp.org wrote:
 Justin,

 Storing cardholder data in cleartext is not a bullshit bug - read PCI
if you don't like OWASP or really any 'best practices' document or utilize
some common sense.  Read the news lately...Target?

 Not sure how using a publicly available app from the Apple App Store
qualifies as signing an NDA, a legal document.

 It's locally exploitable, and it includes credentials.  You apparently
didn't read the full disclosure details carefully enough.  Maybe you should
follow your own advice you posted (sic Neutron Star commentary). What the
severity of this vulnerability is doesn't really matter in the long run. It
was fixed by the vendor and really all severity ratings are subjective
anyways.

 I'll give you the benefit of the doubt this time, but if you don't have
anything constructive to say you'll quickly find yourself voided as
irrelevant with me and within this industry.

 -D

 On Dec 19, 2013, at 9:43 AM, Justin Ferguson j...@ownco.net wrote:

 (a) it's a bullshit bug, but whatever. air-quotes owasp ... air-quotes

 (b)  I have yet to receive this.  I asked for a copy of the allegedly
 signed NDA last week as well.  Failure to provide a legitimate copy of
 my sent email with a signed NDA proves to me that they forgot to have
 me sign an NDA.. Actually, assuming there is one, and what I'm
 reading is 3rd party company X is saying it's violating an 
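The disagreement in the two copies of the Ferguson/Wood exchange above comes down to one question: if the card number is encrypted on the device, where does the key live? The following is an added illustration, not code from the Subway app, the advisory, or either poster. It models three ways an app could keep a PAN at rest and what a reader of the app's data directory (a backup, a forensic image, a jailbroken device) recovers from each. Everything is stdlib Python and constructed for the example: the sample PAN and passphrase are made up, the "sandbox" is a dict of filename to bytes, and the cipher is an encrypt-then-MAC stand-in built from HMAC-SHA256 rather than the AES-GCM plus platform keystore a real app would use. It also carries the caveat a practitioner would add to the third layout: a passphrase-derived key is only as strong as the passphrase, and the salt on disk lets the reader test guesses offline.

```python
"""Added illustration of the key-storage question; not code from the
Subway app, the advisory, or either poster. Stdlib only; the cipher is a
stand-in built from HMAC-SHA256 and the 'sandbox' is a dict."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample values; not real cardholder data or a real user secret.
PAN = b"4111111111111111"
PASSPHRASE = b"correct horse battery staple"
PBKDF2_ROUNDS = 100_000


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one master key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the tag fails (wrong key or tampered blob)."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Three ways the app could keep the PAN at rest. Each returns the files on disk.

def store_plaintext(pan: bytes) -> Dict[str, bytes]:
    """The layout the advisory complains about: the value sits in a readable file."""
    return {"card.plist": pan}


def store_key_beside_data(pan: bytes) -> Dict[str, bytes]:
    """Ferguson's 'where are you storing the key?' answered with: next to the data."""
    key = os.urandom(32)
    return {"card.bin": seal(key, pan), "card.key": key}


def store_passphrase_derived(pan: bytes, passphrase: bytes) -> Dict[str, bytes]:
    """Key derived from a user secret that never touches disk; only the salt is stored."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ROUNDS)
    return {"card.bin": seal(key, pan), "card.salt": salt}


def unlock(files: Dict[str, bytes], passphrase: bytes) -> Optional[bytes]:
    """The app's own read path for the passphrase-derived layout."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase, files["card.salt"], PBKDF2_ROUNDS)
    return unseal(key, files["card.bin"])


def local_reader(files: Dict[str, bytes]) -> Optional[bytes]:
    """What a reader of the app directory gets using only what is on disk."""
    if "card.plist" in files:
        return files["card.plist"]
    if "card.key" in files:
        return unseal(files["card.key"], files["card.bin"])
    return None  # ciphertext and salt only; no key material on disk


def offline_guess(files: Dict[str, bytes], candidates: Iterable[bytes]) -> Optional[bytes]:
    """Caveat on the third layout: the on-disk salt lets a reader test guesses offline,
    so a weak passphrase is recovered without any help from the app."""
    for guess in candidates:
        pan = unlock(files, guess)
        if pan is not None:
            return pan
    return None


if __name__ == "__main__":
    layouts = (("plaintext", store_plaintext(PAN)),
               ("key beside data", store_key_beside_data(PAN)),
               ("passphrase-derived", store_passphrase_derived(PAN, PASSPHRASE)))
    for name, files in layouts:
        print(f"{name:20s} local reader recovers: {local_reader(files)}")
    weak = store_passphrase_derived(PAN, b"1234")
    print("weak passphrase vs 3-word dictionary:", offline_guess(weak, [b"0000", b"1111", b"1234"]))
```

Running it shows the first two layouts hand the PAN to anyone who can read the directory, the third does not, and the third collapses again once the passphrase is guessable, which is the usability-versus-protection trade the thread is actually arguing about. On a real device the key for the second layout would go into the OS keystore (hardware-backed where available) instead of a file, which moves the question to what the keystore releases to a local reader rather than removing it.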

Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
On Sat, Feb 8, 2014 at 11:32 AM, Daniel Wood daniel.w...@owasp.org wrote:
 Keep this list professional guys. I hate seeing it turn into an IRC chat room.

 Justin, you should really stop this type of behavior, you're not doing 
 yourself any favors. I let it go when you decided you wanted to repeatedly 
 bash me privately over one of my CVE's posted here, however I can see it's 
 starting to look like a pattern for you.

http://www.collegehumor.com/video/5817726/internet-bridge-troll

Jeff
