Re: [Full-disclosure] [Dailydave] Linux's unofficial security-through-coverup policy
Brad Spengler wrote:
> I hope you don't expect me to take you or your reply seriously.

Perhaps you could provide a list of those worthy to speak to you? Might save some time. I get the impression that the list is pretty small.

BB

P.S. Apologies for addressing you directly, I'm sure I'm not on the list.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [funsec] a song about me? :P [was: Vulnerability Release: CKFD001-CHATX]
I know... your haters are better than mine ever were.

BB

Gadi Evron wrote:
> At first I thought having a fan blog of someone who hates me was cool. Then I thought the comic strip was cool, but man... I like the guitar, even if the guy does like Hitler.
>
> I am sending this to all my friends who are not profanity sensitive.
>
> Gadi.
>
> P.S. rapidshare sucks. It's too painful to download.
>
> TITLE: My Name is Gadi Evron
> FILENAME: ckfd001-chatx-my_name_is_gadi_evron.mp3
> DOWNLOAD: http://rapidshare.com/files/107868234/ckfd001-chatx-my_name_is_gadi_evron.mp3.html
>
> ___
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
Re: [Full-disclosure] [funsec] a song about me? :P [was: Vulnerability Release: CKFD001-CHATX]
See what I mean? Mine are lame.

BB

jf wrote:
> wouldn't he have to get owned and then fired to be on the same scale?
>
> On Wed, 23 Apr 2008, Blue Boar wrote:
>> I know... your haters are better than mine ever were.
>>
>> BB
>>
>> Gadi Evron wrote:
>>> [...]
Re: [Full-disclosure] [funsec] death of Dude brings out the Rude
Randy Mueller wrote:
> Wow. It is amazing to read the outright disrespect for another's life and rights. I'm stunned. Almost speechless.

And yet, I like to think that JP would have enjoyed giving them one last reason to demonstrate that they have no class.

BB
Re: [Full-disclosure] n.runs-SA-2007.027 - Sophos Antivirus UPX parsing Arbitrary CodeExecution Advisory
I remember people being all paranoid about the DMCA. They were worried security researchers would be sued for trying to release vulnerability information. But since that turned out to be unfounded, I guess we don't have to worry about the German thing. ;)

BB

Kevin Finisterre (lists) wrote:
> Would you have honestly provided *MORE* detail prior to the law being in effect? Doesn't the law refer to things that are intended to be used for illegal activity? I don't recall the advisories being any more verbose pre-law.
>
> Thanks.
> -KF
>
> On Aug 27, 2007, at 4:41 PM, Sergio Alvarez wrote:
>> Hi 3APA3A,
>>
>> It was a mistake in the advisory. It should say:
>>
>> Integer cast around in UPX packed files parsing
>>
>> I ask for apologies for the mistake. Unfortunately we can't give more details about the vulnerability because of the German Law (§202).
>>
>> Cheers,
>> Sergio
Re: [Full-disclosure] [WEB SECURITY] Persistent CSRF and The Hotlink Hell
He compromised the server(s) at the ad network we were using at the time, and simply served up his ad instead of the usual ones.

BB

Ryan Barnett wrote:
> I believe that the SecurityFocus defacement by FluffiBunni a few years back would be an example of the defacement attack that Michael listed in his article. The concept was that SF had a trust relationship with the company that was rotating their banners and FB replaced the expected image with the defaced one. I don't remember the exact details on how the banner images were fed in (vs. Hotlinking, etc...). Does anyone have specific info from that defacement?
>
> Isn't this somewhat related to the same trust issues with RSS feed attacks?
>
> On 4/16/07, pdp (architect) [EMAIL PROTECTED] wrote:
>> http://www.gnucitizen.org/blog/persistent-csrf-and-the-hotlink-hell/
>> http://michaeldaw.org/papers/hotlink_persistent_csrf/
>>
>> I would like to bring your attention to a topic that has been rarely discussed. I am going to talk about hotlinks, redirections and of course CSRF (Cross-site Request Forgery). When we talk about CSRF we often assume that there is one kind only. After all, what else is in there when CSRF is all about making GET or POST requests on behalf of the victim? The victim needs to visit a page which launches the CSRF exploit. If the victim happens to have an established session with the exploited application, the attacker can perform the desired action like resetting the login credentials, for example. However, CSRF can be as persistent as persistent XSS (Cross-site Scripting) is and you don't need XSS to support it. Persistent CSRF is not dependent on persistent XSS.
>>
>> I hope that you find the post useful.
>>
>> --
>> pdp (architect) | petko d. petkov
>> http://www.gnucitizen.org
>>
>> Join us on IRC: irc.freenode.net #webappsec
>> Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/
>> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Re: [Full-disclosure] [funsec] MS Patch Coming Tuesday
http://blogs.technet.com/msrc/archive/2007/04/01/latest-on-security-update-for-microsoft-security-advisory-935423.aspx

Larry Seltzer wrote:
> http://www.microsoft.com/technet/security/bulletin/advance.mspx
>
> Microsoft Security Bulletin Advance Notification
> Updated: April 1, 2007
>
> As part of the monthly security bulletin release cycle, Microsoft provides advance notification to our customers on the number of new security updates being released, the products affected, the aggregate maximum severity and information about detection tools relevant to the update. This is intended to help our customers plan for the deployment of these security updates more effectively.
>
> In addition, to help customers prioritize monthly security updates with any non-security updates released on Microsoft Update, Windows Update, Windows Server Update Services and Software Update Services on the same day as the monthly security bulletins, we also provide:
>
> * Information about the release of updated versions of the Microsoft Windows Malicious Software Removal Tool.
> * Information about the release of NON-SECURITY, High Priority updates on Microsoft Update (MU), Windows Update (WU), Windows Server Update Services (WSUS) and Software Update Services (SUS). Note that this information will pertain ONLY to updates on Microsoft Update, Windows Update, Windows Server Update Services and Software Update Services and only about High Priority, non-security updates being released on the same day as security updates. Information will NOT be provided about Non-security updates released on other days.
>
> On Tuesday 3 April 2007 Microsoft is planning to release:
>
> Security Updates
> * One Microsoft Security Bulletin affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
>
> Microsoft Windows Malicious Software Removal Tool
> * Microsoft will not release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center on Tuesday 3 April 2007.
>
> Non-security High Priority updates on MU, WU, WSUS and SUS
> * Microsoft will not release any NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS) on Tuesday 3 April 2007.
> * Microsoft will not release any NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS) on Tuesday 3 April 2007.
>
> Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.
>
> Microsoft will host a webcast next week to address customer questions on these bulletins. For more information on this webcast please see below:
> * TechNet Webcast: Information about Microsoft's Security Bulletins
> * Wednesday, 11 April 2007 11:00 AM (GMT-08:00) Pacific Time (US & Canada)
> * http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032327017&EventCategory=4&culture=en-US&CountryCode=US
>
> At this time no additional information on these bulletins such as details regarding severity or details regarding the vulnerability will be made available until 3 April 2007.
Re: [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)
3APA3A wrote:
> First, by reading 'crack' I thought the lady can recover the full message by its signature. After careful reading, she can bruteforce collisions 2000 times faster.

Cracking a hash would never mean recovering the full original message, except for possibly messages that were smaller than the number of bits in the hash value. There are an infinite number of messages that all hash to the same value. The best crack you can have for a hash is to be able to collide with an existing hash value and be able to choose most of the message contents.

BB
Re: [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)
3APA3A wrote:
> I know the meaning of the 'hash function' term, I wrote a few articles on challenge-response authentication and I did a few hash function implementations for hashtables and authentication in FreeRADIUS and 3proxy. Can I claim my right to sarcasm after calling the ability to bruteforce a 160-bit hash 2000 times faster 'a crack'?

Fair enough, your sarcasm tags didn't render properly in my MUA. I was fooled by you stating that the birthday attack would be 150 bits.

BB
Re: [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)
My understanding is that the kind of birthday attack under discussion would start at 80 bits if SHA-1 (at 160 bits) were 100% secure. The attack under discussion is reported to reduce that to the neighborhood of 60-something bits. I am not a mathematician though, so I would be perfectly willing to believe I was wrong about that.

BB

3APA3A wrote:
> Dear Blue Boar,
>
> It's not clear if this 'crack' can be applied to the birthday attack. My in-mind computations were: because the birthday attack requires ~square root of N computations where bruteforce requires ~N/2, the impact of a 2000 times N decrease for birthday is ~64 times faster. 64 = 2^6. Because complexity is ~square root of possible combinations, it's equivalent to a traditional birthday attack with a 160-(2*6)=148 bits hash (150 is my mistake in in-mind computations). Of course, since I completely wasted 10 years after obtaining a Master's degree in Mathematics and 3 years after losing my last pencil, I may be completely wrong in computations :)
>
> --Wednesday, March 21, 2007, 9:48:55 PM, you wrote to [EMAIL PROTECTED]:
>
> BB> 3APA3A wrote:
> BB> [...]
>
> BB> Fair enough, your sarcasm tags didn't render properly in my MUA. I was
> BB> fooled by you stating that the birthday attack would be 150 bits.
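As an added worked note, not part of the thread, here are the two readings of the "2000 times faster" figure that the exchange above turns on, written out in the thread's own terms ($N$ is the size of the hash space, $W$ the number of hash evaluations).

For an $n$-bit hash the generic birthday (collision) cost is about $2^{n/2}$, so for SHA-1 with $n = 160$:

$$W_0 \approx \sqrt{N} = \sqrt{2^{160}} = 2^{80}.$$

If the factor 2000 speeds up the collision search itself, then since $2000 \approx 2^{10.97}$,

$$W_1 = \frac{2^{80}}{2000} \approx 2^{80 - 11} = 2^{69},$$

which is the birthday cost of an ideal hash of about $2 \cdot 69 = 138$ bits (the "60-something bits" reading).

If instead the factor 2000 is applied to $N$ before the square root is taken, then

$$W_2 = \sqrt{\frac{N}{2000}} = \frac{2^{80}}{\sqrt{2000}} \approx \frac{2^{80}}{44.7} \approx 2^{74.5},$$

a gain of $\sqrt{2000} \approx 2^{5.5}$ on the collision search, equivalent to an ideal hash of about $2 \cdot 74.5 = 149$ bits (the "around 148 bits" reading). The two readings differ because a speedup of a brute-force search over $N$ only reaches the birthday bound through the square root.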
Re: [Full-disclosure] iDefense Q-1 2007 Challenge
K F (lists) wrote:
> We all know black hats are selling these sploits for >=$25k so why should the legit folks settle for anything less? As an example the guys at MOAB kicked around selling a Quicktime bug to iDefense but in the end we decided it was not worth it due to low pay...
>
> Low Pay == Not getting disclosed via iDefense

Maybe that's all they are worth to iDefense, since they aren't monetizing them in the same way blackhats are. Maybe for some people, if they were going to just give them to Microsoft anyway, a few thousand bucks is worth it. Me, for example, if I were capable of finding such vulns, I wouldn't sell them to the guys writing the drive-by spyware installers. I might sell it to iDefense or Tippingpoint, though.

BB
Re: [Full-disclosure] iDefense Q-1 2007 Challenge
Simon Smith wrote:
> Blue Boar,
>
> Simply put, and with all due respect, you're wrong.

About? I see basically two assertions in my note: 1) that I would sell to iDefense or TippingPoint. Surely you're not going to tell me what I would do? And 2) that iDefense isn't doing the same thing that Blackhats are. Is the latter one the one you disagree with?

> Furthermore I don't appreciate you directly or indirectly suggesting that these exploits are being sold on the black market, that will never happen on my watch, ever!

If you look carefully, you'll see I was replying to Kevin, who did make a comparison to selling to blackhats. I hadn't even seen your note at that point, and I wasn't replying to you, and I didn't quote anything you wrote. So I assume you think I was saying that your company is selling to blackhats. I wouldn't think you were. Certainly you don't mean to claim that, in general, the entire market never sells to blackhats, nor that you have any control over what others do.

> More importantly, the company that I am working with is no different than iDefense. In fact, they both sell their exploits and harvested research to the same people. The only real difference is in the amount of money that the researcher realizes when the transactions are complete. This difference is a direct result of low corporate overhead. Lastly, all transactions require that the researcher engage the company that I work with in a tight contract. This contract ensures that both parties are legitimate and also protects both parties. They don't do that on the black market, do they?

So, is the problem that I didn't realize you guys also bought vulns, and that you pay more? No, I had no idea that you did. I guess some better marketing is in order. The quarterly challenge thing is pretty good for publicity, maybe you guys should do one of those.

BB
Re: [Full-disclosure] Simcard 0day.
dfklsddshd wrote:
> 1. Open attachment.

Does this actually work on people on a security mailing list?

BB

Complete scanning result of Simcard.com, received in VirusTotal at 01.02.2007, 02:38:58 (CET).

[per-engine scan results, file size, hashes and packer information omitted]

Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
Re: [Full-disclosure] 18th anniversary of Internet worm a.k.a. Morris worm
[EMAIL PROTECTED] wrote:
> I have to conclude that before that, buffer overflows weren't even well known *inside* the security community, much less outside in the wider programming community.

They were known and exploited by 1972, in at least some communities.

http://csrc.nist.gov/publications/history/ande72.pdf
Pages 44 and 45.

http://osvdb.org/blog/?p=77

BB
Re: [Full-disclosure] Honeypots
[EMAIL PROTECTED] wrote:
> Thanks for the responses. I'm more interested in capturing, analyzing, and collecting as many types of malware as I can, so that I may create a database for my friends and others to use. If there's one that I should use specifically for that, please let me know.

Check out http://www.offensivecomputing.net/

BB
Re: [Full-disclosure] How secure is software X?
Brian Eaton wrote:
> On 5/11/06, Blue Boar [EMAIL PROTECTED] wrote:
>> Don't we fairly quickly arrive at all products passing all the standard tests, and passing no longer means anything?
>
> I believe that point is called success.

I was thinking more like all their security efforts only went to making sure the test reports clean, and they get declared secure. Now you have two products that pass the tests regardless of relative security, or whether one of them was carefully developed with security in mind. Not my definition of success.

BB
Re: [Full-disclosure] How secure is software X?
So pin it down a bit more for me. Do you want just public results of standardized blackbox testing? Something similar to the ICSA firewall certification? (Though, I assume you want actual public results.) Would you include source review? The Sardonix project tried to do that.

Who does the testing, and who pays for the time and equipment to do that? Do all products get re-tested every time a new version of the product suite is released? Do the test suites have to be free? Do they re-test for every release of the victim software?

Don't people like yourself derive some benefit from having some portion of your assessment work stay proprietary? If I'm trying to enhance the test suite with some new fuzzing, and I find a sexy bug, don't the incentives tend to lean towards me selling the bug to iDefense and hiding my fuzzer in the meantime?

Don't we fairly quickly arrive at all products passing all the standard tests, and passing no longer means anything?

I like the idea, but I'm wondering why people would contribute. I'm also wondering how it can stay consumer-beneficial, and not end up being driven by product vendors.

BB
Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
Stan Bubrouski wrote:
> On 3/24/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> Posting a private email to a mailing list is pretty slimeball Ryan. Funny you would do such a thing when you lost your bullshit job at Security Focus over getting owned.
>
> Sadly more and more people are posting off-list messages back to the list to get themselves more attention (n3td3v).

Except that I didn't.

BB
Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
[EMAIL PROTECTED] wrote:
> Posting a private email to a mailing list is pretty slimeball Ryan.

And what private email was that? Or did you just assume that because you didn't see Theo's reply before mine that it went just to me? I believe you'll find that it has been posted to the list now.

BB

P.S. It's rather amusing that YOU would complain about someone posting private emails. :)
Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
Theo de Raadt wrote:
> But what did you pay for Sendmail? Was it a dollar, or was it more? Let me guess. It was much less than a dollar. I bet you paid nothing.

Hey Theo, what did you pay for all the software you started with and/or still use in your project? How much did YOU pay for Sendmail? And you guys essentially resell it, right? So does anyone owe you anything, let alone a particular process which you demand with such length? I don't know... I seem to see a lot of criticism and demands coming from your direction:

http://en.wikiquote.org/wiki/Theo_de_Raadt

> Now, the same holds true with OpenSSH. I'll tell you what. If there is ever a security problem (again :) in OpenSSH we will disclose it exactly like we want, and in no other way, and quite frankly since no one has ever paid a cent for its development they have nothing they can say about it.

Really? No one? You wrote it by yourself with no support of any kind? And are you saying that you plan to slipstream your fixes?

> Dear non-paying user -- please remember your place.

I seem to recall having donated some money, purchased shirts... I think I've got a number of OpenBSD CD sets around the house that I purchased. Now I realize that you consider those donations, even though most people would consider that some degree of having paid. But I'd be willing to bet that even if we worked out some contract that had the word "paid" in it, that you would still not confer upon me any right to complain. That I would still need to remember my place. So I think we can eliminate payment as a variable. This simplifies your argument from "Don't criticize me if you haven't paid" to simply "Don't criticize me". Sucks to be held accountable, even when you give stuff away for free, doesn't it?

> Or run something else. OK?

I don't know why they don't put you in charge of the fundraising efforts more often!

http://undeadly.org/cgi?action=article&sid=20060321034114

And your timing is impeccable! Buy up!

http://undeadly.org/cgi?action=article&sid=20060323091020

My order is on its way.

BB
Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
Theo de Raadt wrote:
> (who are you again?)

Your customer.

> That does not make it right for our user community to attack developers for their freely given efforts. People who get attacked might stop trying to improve the code.

Attacking commercial software developers makes them write better code, attacking free software developers makes them feel bad and quit. Got it.

> You could run other software, you know.

And you could write your software without bitching at the people who help you pay your bills. I can't see that changing real soon either. But hey, you keep being you, and I'll keep buying your stuff in spite of your attitude, because it's good software. I use DJB's software under the same circumstances, so I'm used to it.

BB
Re: [Full-disclosure] Default password database
Hochin Chen wrote:
> List,
>
> I am looking for a database of default accounts for various software like MS SQL, Oracle Server, IIS, etc. Any links / pointers?

http://www.phenoelit.de/dpl/dpl.html
http://defaultpassword.com/

BB
Re: [Full-disclosure] Most common keystroke loggers?
Frank Knobbe wrote:
> [snip some suggestions with actual thought behind them by Frank]

You can make the authentication step as secure as you like (and granted, that's what the thread is about, and what the OP asked for) but don't forget that the 0wner of your machine still has the option to take over your transaction(s) post-authentication.

BB
Re: [Full-disclosure] Most common keystroke loggers?
Frank Knobbe wrote:
> That's why I emphasized that the use of tokens should not only be made for initial authentication, but also for *each transaction*. Any transaction can be hashed with a one-time code generated by a token and sent as a control with the transaction parameters. Any MITM interception and modification will invalidate that hash, thus voiding the transaction.

I agree. I'd also like to point out that the token has to actually do the transaction processing for it to still be secure. The PC at that point is more-or-less just another untrusted pipe. The banking industry probably should be looking into making $40 USB co-computers with a 2-line LCD display and accept/decline buttons. Reason being that the user still needs to use the compromised computer to type in what the transaction is, and for how much. The token needs to display the size and type of the transaction for approval. I.e. if Grandma says to transfer $50 to PGE, she needs to see that the token doesn't say transfer $1000 to Nigeria.

And I'd STILL not be happy with how easy it would be for clueless users to authorize such a transaction. But I don't know how to fix that.

BB
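As an added example (not code from the thread or from any bank), here is the per-transaction scheme Frank describes combined with the display-and-approve step Blue Boar asks for: a simulated token signs exactly the fields it showed the user with a counter-bound HMAC, and the bank rejects anything the PC altered in transit or replays. The recipient names, amounts and the shared seed are constructed.

```python
"""Per-transaction signing with a hardware-style token (added example).

Constructed illustration of the scheme discussed in the thread: the token,
not the PC, binds a one-time code to the exact transaction the user saw on
the token's own display, so a compromised PC that alters the transaction in
transit produces a MAC the bank cannot verify.
"""
import hmac
import hashlib
from dataclasses import dataclass

# Constructed demo secret; a real token would hold a per-device seed
# provisioned by the bank and never exposed to the PC.
SEED = b"demo-seed-shared-only-between-token-and-bank"


@dataclass(frozen=True)
class Transaction:
    recipient: str
    amount_cents: int
    currency: str

    def canonical(self) -> bytes:
        # Length-prefixed fields so "ab"+"c" and "a"+"bc" cannot collide.
        parts = [self.recipient.encode(), str(self.amount_cents).encode(),
                 self.currency.encode()]
        return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def transaction_mac(seed: bytes, counter: int, tx: Transaction) -> str:
    """One-time code: HMAC over the counter and the canonical transaction."""
    msg = counter.to_bytes(8, "big") + tx.canonical()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()


class Token:
    """Simulated USB co-computer with its own display and accept button."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._counter = 0

    def display(self, tx: Transaction) -> str:
        # What the user must read on the token before pressing "accept".
        return f"PAY {tx.amount_cents / 100:.2f} {tx.currency} TO {tx.recipient}"

    def sign(self, tx: Transaction, user_accepts: bool):
        if not user_accepts:
            return None
        self._counter += 1
        return self._counter, transaction_mac(self._seed, self._counter, tx)


class Bank:
    def __init__(self, seed: bytes):
        self._seed = seed
        self._last_counter = 0

    def verify(self, tx: Transaction, counter: int, mac: str) -> bool:
        # Reject replays: each counter value is accepted once, in order.
        if counter <= self._last_counter:
            return False
        expected = transaction_mac(self._seed, counter, tx)
        if not hmac.compare_digest(expected, mac):
            return False
        self._last_counter = counter
        return True


def run_scenario(tamper: bool, replay: bool = False) -> bool:
    """Honest vs. compromised-PC flow; returns whether the bank accepts."""
    token, bank = Token(SEED), Bank(SEED)
    intended = Transaction("PGE", 5000, "USD")          # Grandma pays $50
    counter, mac = token.sign(intended, user_accepts=True)
    # The PC only forwards; a compromised PC may rewrite the fields, but the
    # MAC still covers what the token displayed and signed.
    sent = Transaction("constructed other account", 100000, "USD") if tamper else intended
    accepted = bank.verify(sent, counter, mac)
    if replay:
        # A captured (counter, mac) pair cannot be submitted a second time.
        return bank.verify(sent, counter, mac)
    return accepted


if __name__ == "__main__":
    print(Token(SEED).display(Transaction("PGE", 5000, "USD")))
    print("honest:", run_scenario(tamper=False))
    print("tampered:", run_scenario(tamper=True))
    print("replayed:", run_scenario(tamper=False, replay=True))
```

The remaining gap is the one Blue Boar names: the scheme only holds if the user actually reads the token's display before accepting.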
Re: [Full-disclosure] Most common keystroke loggers?
Shannon Johnston wrote:
> Hi All,
>
> I'm looking for input on what you all believe the most common keystroke loggers are. I've been challenged to write an authentication method (for a web site) that can be secure while using a compromised system.

I don't think that's possible for all compromise situations, given today's desktop OS software. It might be possible with a Palladium-like system (and you trust that the secure side isn't compromised) and/or a hardware assist that doesn't trust the host OS (think small USB-attached computer on a stick.)

However, given your query, if you simply want to play the known-threats game, you can just require that the client have up-to-date AV and antispyware software, and scans clean. That's a little orthogonal to the issue of trying to be secure in the face of a keylogger installed, but probably a better thing to shoot for.

If, for some reason, you only care about the case where a keylogger is installed, then you can go with some scheme like making the user pick numbers off a randomly-scrambled keypad on the screen, with the mouse. Note, however, that keyloggers that grab some portion of the screen surrounding the mouse pointer every time you click have already been observed in the wild. They are designed to specifically defeat this kind of mechanism.

BB
Re: [Full-disclosure] Most common keystroke loggers?
Kyle Lutze wrote:
> Say somebody's password is foobar. On screen there would be a page that shows the new alignment of characters, such as saying a=c, d=3, b=z, etc., so instead of typing foobar the password they would type in for that session would be hnnzck. The next time the screen came up, it would be a=n, b=l, etc., and the password they would enter would be something else. Then, if the computer had a keylogger, not too much anybody could do with that info.

If the only threat in the world were keyloggers, there are many schemes you could use. My main point is that if your computer is fully compromised and the attacker can adapt, there's no scheme you can come up with by adding just software to the existing client computers that will help.

Second, the scheme you just proposed is a monoalphabetic substitution cipher. They are considered somewhat weak, i.e. they print them in the newspaper to be solved with a pencil during your commute.

BB
Re: [Full-disclosure] Really ODD 12 byte UDP attempts
James Lay wrote:
> Aug 28 06:57:01 kernel: New,invalid SRC=64.94.45.26 DST=24.116.255.102 LEN=32 PROTO=UDP SPT=11050 DPT=33440 LEN=12

Most likely someone is just tracerouting to your IP. Grab the actual packets, and check the TTLs to be sure.

BB
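An added example, not from the thread: a small triage script for iptables-style LOG lines that flags the traceroute pattern Blue Boar describes (UDP to the classic 33434+ destination port range, tiny UDP length, climbing destination ports) and applies his "check the TTLs" confirmation. The sample lines are constructed: the thread's line is reused with TOS and TTL fields added, since the quoted line lacks them, and the other sources use RFC 5737 documentation addresses.

```python
"""Triage of netfilter LOG lines for UDP traceroute probes (added example)."""
import re
from collections import defaultdict

# Classic UDP traceroute walks destination ports upward from 33434.
PROBE_PORT_LOW, PROBE_PORT_HIGH = 33434, 33534
MAX_PROBE_UDP_LEN = 48   # probe payloads are tiny; real UDP services rarely are
MAX_PROBE_TTL = 16       # probes reaching the host have few hops left; normal
                         # traffic arrives with a much higher remaining TTL
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")

# Constructed sample: the thread's line with TOS/TTL added, then two
# unrelated entries (RFC 5737 addresses) that must not be flagged as probes.
SAMPLE_LOG = """\
Aug 28 06:57:01 kernel: New,invalid SRC=64.94.45.26 DST=24.116.255.102 LEN=32 TOS=0x00 TTL=1 PROTO=UDP SPT=11050 DPT=33440 LEN=12
Aug 28 06:57:01 kernel: New,invalid SRC=64.94.45.26 DST=24.116.255.102 LEN=32 TOS=0x00 TTL=1 PROTO=UDP SPT=11050 DPT=33441 LEN=12
Aug 28 06:57:01 kernel: New,invalid SRC=64.94.45.26 DST=24.116.255.102 LEN=32 TOS=0x00 TTL=1 PROTO=UDP SPT=11050 DPT=33442 LEN=12
Aug 28 06:58:10 kernel: New,invalid SRC=192.0.2.7 DST=24.116.255.102 LEN=40 TOS=0x00 TTL=117 PROTO=UDP SPT=51234 DPT=33445 LEN=20
Aug 28 06:58:12 kernel: New,invalid SRC=198.51.100.9 DST=24.116.255.102 LEN=60 TOS=0x00 TTL=52 PROTO=TCP SPT=40000 DPT=22
"""


def parse_netfilter_line(line):
    """Return KEY=VALUE fields; LEN appears twice in these logs (IP total
    length, then UDP header+payload length), so the second is stored as LEN2."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key if key not in fields else key + "2"] = value
    return fields


def is_probe_shaped(f):
    """UDP, destination port in the traceroute range, and a tiny UDP length."""
    try:
        return (f.get("PROTO") == "UDP"
                and PROBE_PORT_LOW <= int(f["DPT"]) <= PROBE_PORT_HIGH
                and int(f["LEN2"]) <= MAX_PROBE_UDP_LEN)
    except (KeyError, ValueError):
        return False


def classify_sources(lines):
    """Map each source that sent probe-shaped UDP to a verdict.

    'probable traceroute' needs at least two probes whose destination ports
    climb and whose logged TTLs (when present) are all low; anything else
    that merely hits the port range is 'inconclusive'.
    """
    by_src = defaultdict(list)
    for line in lines:
        f = parse_netfilter_line(line)
        if is_probe_shaped(f):
            by_src[f["SRC"]].append(f)
    verdicts = {}
    for src, hits in by_src.items():
        ports = [int(h["DPT"]) for h in hits]
        ttls = [int(h["TTL"]) for h in hits if "TTL" in h]
        climbing = len(ports) >= 2 and all(b > a for a, b in zip(ports, ports[1:]))
        low_ttl = all(t <= MAX_PROBE_TTL for t in ttls)
        verdicts[src] = "probable traceroute" if climbing and low_ttl else "inconclusive"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src:16} {verdict}")
```

Logs without a TTL field (like the quoted one) can only reach "probable" on port and length shape, which is why the thread's advice is to capture the packets themselves.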